commit f1d7e763c9397fb9742a28bf6ffdb6f2680d68c7
Author: Adrian Schröter
Date: Thu Dec 28 01:12:29 2023 +0100

Sync from SUSE:ALP:Source:Standard:1.0 libgcrypt revision 6131224c98fce16f17b1c1644f7697f3

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..fecc750
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/baselibs.conf b/baselibs.conf
new file mode 100644
index 0000000..6e3f325
--- /dev/null
+++ b/baselibs.conf
@@ -0,0 +1,8 @@
+libgcrypt20
+ provides "libgcrypt- = "
+ obsoletes "libgcrypt- <= "
+ provides "libgcrypt20-hmac- = -%release"
+ obsoletes "libgcrypt20-hmac- < -%release"
+libgcrypt-devel
+ requires -libgcrypt-
+ requires "libgcrypt20- = "
diff --git a/hwf.deny b/hwf.deny
new file mode 100644
index 0000000..112cb83
--- /dev/null
+++ b/hwf.deny
@@ -0,0 +1,34 @@
+# This file can be used to globally disable the use of hardware
+# based optimizations. Supported options are:
+# padlock-rng
+# padlock-aes
+# padlock-sha
+# padlock-mmul
+# intel-cpu
+# intel-fast-shld
+# intel-bmi2
+# intel-ssse3
+# intel-sse4.1
+# intel-pclmul
+# intel-aesni
+# intel-rdrand
+# intel-avx
+# intel-avx2
+# intel-fast-vpgather
+# intel-rdtsc
+# intel-shaext
+# intel-vaes-vpclmul
+# arm-neon
+# arm-aes
+# arm-sha1
+# arm-sha2
+# arm-pmull
+# ppc-vcrypto
+# ppc-arch_3_00
+# ppc-arch_2_07
+# ppc-arch_3_10
+# s390x-msa
+# s390x-msa-4
+# s390x-msa-8
+# s390x-msa-9
+# s390x-vx
diff --git a/libgcrypt-1.10.0-allow_FSM_same_state.patch b/libgcrypt-1.10.0-allow_FSM_same_state.patch
new file mode 100644
index 0000000..5b11feb
--- /dev/null
+++ b/libgcrypt-1.10.0-allow_FSM_same_state.patch
@@ -0,0 +1,15 @@
+Index: libgcrypt-1.10.0/src/fips.c
+===================================================================
+--- libgcrypt-1.10.0.orig/src/fips.c
++++ libgcrypt-1.10.0/src/fips.c
+@@ -890,6 +890,10 @@ fips_new_state (enum module_states new_s
+
+ }
+
++ /* Allow a transition to the current state */
++ if (current_state == new_state)
++ ok = 1;
++
+ if (ok)
+ {
+ current_state = new_state;
diff --git a/libgcrypt-1.10.3.tar.bz2 b/libgcrypt-1.10.3.tar.bz2
new file mode 100644
index 0000000..982da58
--- /dev/null
+++ b/libgcrypt-1.10.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8b0870897ac5ac67ded568dcfadf45969cfa8a6beb0fd60af2a9eadc2a3272aa
+size 3783827
diff --git a/libgcrypt-1.10.3.tar.bz2.sig b/libgcrypt-1.10.3.tar.bz2.sig
new file mode 100644
index 0000000..1926136
Binary files /dev/null and b/libgcrypt-1.10.3.tar.bz2.sig differ
diff --git a/libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch b/libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
new file mode 100644
index 0000000..2d1485d
--- /dev/null
+++ b/libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
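Review bot: The added `if (current_state == new_state) ok = 1;` legalizes a same-state transition for every state unconditionally, so whatever `fips_new_state` does for a disallowed transition (outside this hunk) is skipped for repeats, and a duplicated or re-entrant state change in a caller is no longer reported by the FIPS state machine. The comment gives no rationale; it should name the trigger and the scope, e.g. `/* Allow a no-op transition to the current state; the transition table above is still consulted for every real state change. */`, and if only one state is known to repeat, narrow the condition to that state instead of all of them. The patch is named and indexed for 1.10.0 while the tarball in this commit is 1.10.3, so the file name or a header comment should record which version it was last rebased against. The body of fips_new_state starts before this hunk.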
@@ -0,0 +1,1993 @@
+commit 88fe7ac33eb4cb4dff76a5cc7fca50da5fb0ee3a
+Author: Danny Tsen
+Date: Sun Jun 12 21:30:19 2022 +0300
+
+ Chacha20 poly1305 Optimized chacha20 poly1305 for P10 operation
+
+ * configure.ac: Added chacha20 and poly1305 assembly implementations.
+ * cipher/chacha20-p10le-8x.s: (New) - support 8 blocks (512 bytes)
+ unrolling.
+ * cipher/poly1305-p10le.s: (New) - support 4 blocks (128 bytes)
+ unrolling.
+ * cipher/Makefile.am: Added new chacha20 and poly1305 files.
+ * cipher/chacha20.c: Added PPC p10 le support for 8x chacha20.
+ * cipher/poly1305.c: Added PPC p10 le support for 4x poly1305.
+ * cipher/poly1305-internal.h: Added PPC p10 le support for poly1305.
+ ---
+
+ GnuPG-bug-id: 6006
+ Signed-off-by: Danny Tsen
+ [jk: cosmetic changes to C code]
+ [jk: fix building on ppc64be]
+ Signed-off-by: Jussi Kivilinna
+
+Index: libgcrypt-1.10.2/cipher/Makefile.am
+===================================================================
+--- libgcrypt-1.10.2.orig/cipher/Makefile.am
++++ libgcrypt-1.10.2/cipher/Makefile.am
+@@ -83,6 +83,7 @@ EXTRA_libcipher_la_SOURCES = \
+ chacha20.c chacha20-amd64-ssse3.S chacha20-amd64-avx2.S \
+ chacha20-armv7-neon.S chacha20-aarch64.S \
+ chacha20-ppc.c chacha20-s390x.S \
++ chacha20-p10le-8x.s \
+ cipher-gcm-ppc.c cipher-gcm-intel-pclmul.c cipher-gcm-armv7-neon.S \
+ cipher-gcm-armv8-aarch32-ce.S cipher-gcm-armv8-aarch64-ce.S \
+ crc.c crc-intel-pclmul.c crc-armv8-ce.c \
+@@ -99,6 +100,7 @@ EXTRA_libcipher_la_SOURCES = \
+ md4.c \
+ md5.c \
+ poly1305-s390x.S \
++ poly1305-p10le.s \
+ rijndael.c rijndael-internal.h rijndael-tables.h \
+ rijndael-aesni.c rijndael-padlock.c \
+ rijndael-amd64.S rijndael-arm.S \
+Index: libgcrypt-1.10.2/cipher/chacha20-p10le-8x.s
+===================================================================
+--- /dev/null
++++ libgcrypt-1.10.2/cipher/chacha20-p10le-8x.s
+@@ -0,0 +1,864 @@
++# Copyright 2021- IBM Inc. All rights reserved
++#
++# This file is part of Libgcrypt.
++#
++# Libgcrypt is free software; you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License as
++# published by the Free Software Foundation; either version 2.1 of
++# the License, or (at your option) any later version.
++#
++# Libgcrypt is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public
++# License along with this program; if not, see .
++# ++#=================================================================================== ++# Written by Danny Tsen ++# ++# This function handles multiple 64-byte block data length ++# and the length should be more than 512 bytes. ++# ++# unsigned int _gcry_chacha20_p10le_8x(u32 *state, byte *dst, const byte *src, size_t len); ++# ++# r1 - top of the stack ++# r3 to r10 input parameters ++# r3 - out ++# r4 - inp ++# r5 - len ++# r6 - key[8] ++# r7 - counter[4] ++# ++# do rounds, 8 quarter rounds ++# 1. a += b; d ^= a; d <<<= 16; ++# 2. c += d; b ^= c; b <<<= 12; ++# 3. a += b; d ^= a; d <<<= 8; ++# 4. c += d; b ^= c; b <<<= 7 ++# ++# row1 = (row1 + row2), row4 = row1 xor row4, row4 rotate each word by 16 ++# row3 = (row3 + row4), row2 = row3 xor row2, row2 rotate each word by 12 ++# row1 = (row1 + row2), row4 = row1 xor row4, row4 rotate each word by 8 ++# row3 = (row3 + row4), row2 = row3 xor row2, row2 rotate each word by 7 ++# ++# 4 blocks (a b c d) ++# ++# a0 b0 c0 d0 ++# a1 b1 c1 d1 ++# ... ++# a4 b4 c4 d4 ++# ... ++# a8 b8 c8 d8 ++# ... ++# a12 b12 c12 d12 ++# a13 ... ++# a14 ... 
++# a15 b15 c15 d15 ++# ++# Column round (v0, v4, v8, v12, v1, v5, v9, v13, v2, v6, v10, v14, v3, v7, v11, v15) ++# Diagnal round (v0, v5, v10, v15, v1, v6, v11, v12, v2, v7, v8, v13, v3, v4, v9, v14) ++# ++.text ++ ++.macro QT_loop_8x ++ # QR(v0, v4, v8, v12, v1, v5, v9, v13, v2, v6, v10, v14, v3, v7, v11, v15) ++ xxlor 0, 32+25, 32+25 ++ xxlor 32+25, 20, 20 ++ vadduwm 0, 0, 4 ++ vadduwm 1, 1, 5 ++ vadduwm 2, 2, 6 ++ vadduwm 3, 3, 7 ++ vadduwm 16, 16, 20 ++ vadduwm 17, 17, 21 ++ vadduwm 18, 18, 22 ++ vadduwm 19, 19, 23 ++ ++ vpermxor 12, 12, 0, 25 ++ vpermxor 13, 13, 1, 25 ++ vpermxor 14, 14, 2, 25 ++ vpermxor 15, 15, 3, 25 ++ vpermxor 28, 28, 16, 25 ++ vpermxor 29, 29, 17, 25 ++ vpermxor 30, 30, 18, 25 ++ vpermxor 31, 31, 19, 25 ++ xxlor 32+25, 0, 0 ++ vadduwm 8, 8, 12 ++ vadduwm 9, 9, 13 ++ vadduwm 10, 10, 14 ++ vadduwm 11, 11, 15 ++ vadduwm 24, 24, 28 ++ vadduwm 25, 25, 29 ++ vadduwm 26, 26, 30 ++ vadduwm 27, 27, 31 ++ vxor 4, 4, 8 ++ vxor 5, 5, 9 ++ vxor 6, 6, 10 ++ vxor 7, 7, 11 ++ vxor 20, 20, 24 ++ vxor 21, 21, 25 ++ vxor 22, 22, 26 ++ vxor 23, 23, 27 ++ ++ xxlor 0, 32+25, 32+25 ++ xxlor 32+25, 21, 21 ++ vrlw 4, 4, 25 # ++ vrlw 5, 5, 25 ++ vrlw 6, 6, 25 ++ vrlw 7, 7, 25 ++ vrlw 20, 20, 25 # ++ vrlw 21, 21, 25 ++ vrlw 22, 22, 25 ++ vrlw 23, 23, 25 ++ xxlor 32+25, 0, 0 ++ vadduwm 0, 0, 4 ++ vadduwm 1, 1, 5 ++ vadduwm 2, 2, 6 ++ vadduwm 3, 3, 7 ++ vadduwm 16, 16, 20 ++ vadduwm 17, 17, 21 ++ vadduwm 18, 18, 22 ++ vadduwm 19, 19, 23 ++ ++ xxlor 0, 32+25, 32+25 ++ xxlor 32+25, 22, 22 ++ vpermxor 12, 12, 0, 25 ++ vpermxor 13, 13, 1, 25 ++ vpermxor 14, 14, 2, 25 ++ vpermxor 15, 15, 3, 25 ++ vpermxor 28, 28, 16, 25 ++ vpermxor 29, 29, 17, 25 ++ vpermxor 30, 30, 18, 25 ++ vpermxor 31, 31, 19, 25 ++ xxlor 32+25, 0, 0 ++ vadduwm 8, 8, 12 ++ vadduwm 9, 9, 13 ++ vadduwm 10, 10, 14 ++ vadduwm 11, 11, 15 ++ vadduwm 24, 24, 28 ++ vadduwm 25, 25, 29 ++ vadduwm 26, 26, 30 ++ vadduwm 27, 27, 31 ++ xxlor 0, 32+28, 32+28 ++ xxlor 32+28, 23, 23 ++ vxor 4, 4, 8 ++ vxor 5, 5, 9 ++ 
vxor 6, 6, 10 ++ vxor 7, 7, 11 ++ vxor 20, 20, 24 ++ vxor 21, 21, 25 ++ vxor 22, 22, 26 ++ vxor 23, 23, 27 ++ vrlw 4, 4, 28 # ++ vrlw 5, 5, 28 ++ vrlw 6, 6, 28 ++ vrlw 7, 7, 28 ++ vrlw 20, 20, 28 # ++ vrlw 21, 21, 28 ++ vrlw 22, 22, 28 ++ vrlw 23, 23, 28 ++ xxlor 32+28, 0, 0 ++ ++ # QR(v0, v5, v10, v15, v1, v6, v11, v12, v2, v7, v8, v13, v3, v4, v9, v14) ++ xxlor 0, 32+25, 32+25 ++ xxlor 32+25, 20, 20 ++ vadduwm 0, 0, 5 ++ vadduwm 1, 1, 6 ++ vadduwm 2, 2, 7 ++ vadduwm 3, 3, 4 ++ vadduwm 16, 16, 21 ++ vadduwm 17, 17, 22 ++ vadduwm 18, 18, 23 ++ vadduwm 19, 19, 20 ++ ++ vpermxor 15, 15, 0, 25 ++ vpermxor 12, 12, 1, 25 ++ vpermxor 13, 13, 2, 25 ++ vpermxor 14, 14, 3, 25 ++ vpermxor 31, 31, 16, 25 ++ vpermxor 28, 28, 17, 25 ++ vpermxor 29, 29, 18, 25 ++ vpermxor 30, 30, 19, 25 ++ ++ xxlor 32+25, 0, 0 ++ vadduwm 10, 10, 15 ++ vadduwm 11, 11, 12 ++ vadduwm 8, 8, 13 ++ vadduwm 9, 9, 14 ++ vadduwm 26, 26, 31 ++ vadduwm 27, 27, 28 ++ vadduwm 24, 24, 29 ++ vadduwm 25, 25, 30 ++ vxor 5, 5, 10 ++ vxor 6, 6, 11 ++ vxor 7, 7, 8 ++ vxor 4, 4, 9 ++ vxor 21, 21, 26 ++ vxor 22, 22, 27 ++ vxor 23, 23, 24 ++ vxor 20, 20, 25 ++ ++ xxlor 0, 32+25, 32+25 ++ xxlor 32+25, 21, 21 ++ vrlw 5, 5, 25 ++ vrlw 6, 6, 25 ++ vrlw 7, 7, 25 ++ vrlw 4, 4, 25 ++ vrlw 21, 21, 25 ++ vrlw 22, 22, 25 ++ vrlw 23, 23, 25 ++ vrlw 20, 20, 25 ++ xxlor 32+25, 0, 0 ++ ++ vadduwm 0, 0, 5 ++ vadduwm 1, 1, 6 ++ vadduwm 2, 2, 7 ++ vadduwm 3, 3, 4 ++ vadduwm 16, 16, 21 ++ vadduwm 17, 17, 22 ++ vadduwm 18, 18, 23 ++ vadduwm 19, 19, 20 ++ ++ xxlor 0, 32+25, 32+25 ++ xxlor 32+25, 22, 22 ++ vpermxor 15, 15, 0, 25 ++ vpermxor 12, 12, 1, 25 ++ vpermxor 13, 13, 2, 25 ++ vpermxor 14, 14, 3, 25 ++ vpermxor 31, 31, 16, 25 ++ vpermxor 28, 28, 17, 25 ++ vpermxor 29, 29, 18, 25 ++ vpermxor 30, 30, 19, 25 ++ xxlor 32+25, 0, 0 ++ ++ vadduwm 10, 10, 15 ++ vadduwm 11, 11, 12 ++ vadduwm 8, 8, 13 ++ vadduwm 9, 9, 14 ++ vadduwm 26, 26, 31 ++ vadduwm 27, 27, 28 ++ vadduwm 24, 24, 29 ++ vadduwm 25, 25, 30 ++ ++ xxlor 0, 32+28, 32+28 ++ 
xxlor 32+28, 23, 23 ++ vxor 5, 5, 10 ++ vxor 6, 6, 11 ++ vxor 7, 7, 8 ++ vxor 4, 4, 9 ++ vxor 21, 21, 26 ++ vxor 22, 22, 27 ++ vxor 23, 23, 24 ++ vxor 20, 20, 25 ++ vrlw 5, 5, 28 ++ vrlw 6, 6, 28 ++ vrlw 7, 7, 28 ++ vrlw 4, 4, 28 ++ vrlw 21, 21, 28 ++ vrlw 22, 22, 28 ++ vrlw 23, 23, 28 ++ vrlw 20, 20, 28 ++ xxlor 32+28, 0, 0 ++.endm ++ ++.macro QT_loop_4x ++ # QR(v0, v4, v8, v12, v1, v5, v9, v13, v2, v6, v10, v14, v3, v7, v11, v15) ++ vadduwm 0, 0, 4 ++ vadduwm 1, 1, 5 ++ vadduwm 2, 2, 6 ++ vadduwm 3, 3, 7 ++ vpermxor 12, 12, 0, 20 ++ vpermxor 13, 13, 1, 20 ++ vpermxor 14, 14, 2, 20 ++ vpermxor 15, 15, 3, 20 ++ vadduwm 8, 8, 12 ++ vadduwm 9, 9, 13 ++ vadduwm 10, 10, 14 ++ vadduwm 11, 11, 15 ++ vxor 4, 4, 8 ++ vxor 5, 5, 9 ++ vxor 6, 6, 10 ++ vxor 7, 7, 11 ++ vrlw 4, 4, 21 ++ vrlw 5, 5, 21 ++ vrlw 6, 6, 21 ++ vrlw 7, 7, 21 ++ vadduwm 0, 0, 4 ++ vadduwm 1, 1, 5 ++ vadduwm 2, 2, 6 ++ vadduwm 3, 3, 7 ++ vpermxor 12, 12, 0, 22 ++ vpermxor 13, 13, 1, 22 ++ vpermxor 14, 14, 2, 22 ++ vpermxor 15, 15, 3, 22 ++ vadduwm 8, 8, 12 ++ vadduwm 9, 9, 13 ++ vadduwm 10, 10, 14 ++ vadduwm 11, 11, 15 ++ vxor 4, 4, 8 ++ vxor 5, 5, 9 ++ vxor 6, 6, 10 ++ vxor 7, 7, 11 ++ vrlw 4, 4, 23 ++ vrlw 5, 5, 23 ++ vrlw 6, 6, 23 ++ vrlw 7, 7, 23 ++ ++ # QR(v0, v5, v10, v15, v1, v6, v11, v12, v2, v7, v8, v13, v3, v4, v9, v14) ++ vadduwm 0, 0, 5 ++ vadduwm 1, 1, 6 ++ vadduwm 2, 2, 7 ++ vadduwm 3, 3, 4 ++ vpermxor 15, 15, 0, 20 ++ vpermxor 12, 12, 1, 20 ++ vpermxor 13, 13, 2, 20 ++ vpermxor 14, 14, 3, 20 ++ vadduwm 10, 10, 15 ++ vadduwm 11, 11, 12 ++ vadduwm 8, 8, 13 ++ vadduwm 9, 9, 14 ++ vxor 5, 5, 10 ++ vxor 6, 6, 11 ++ vxor 7, 7, 8 ++ vxor 4, 4, 9 ++ vrlw 5, 5, 21 ++ vrlw 6, 6, 21 ++ vrlw 7, 7, 21 ++ vrlw 4, 4, 21 ++ vadduwm 0, 0, 5 ++ vadduwm 1, 1, 6 ++ vadduwm 2, 2, 7 ++ vadduwm 3, 3, 4 ++ vpermxor 15, 15, 0, 22 ++ vpermxor 12, 12, 1, 22 ++ vpermxor 13, 13, 2, 22 ++ vpermxor 14, 14, 3, 22 ++ vadduwm 10, 10, 15 ++ vadduwm 11, 11, 12 ++ vadduwm 8, 8, 13 ++ vadduwm 9, 9, 14 ++ vxor 5, 5, 10 ++ vxor 
6, 6, 11 ++ vxor 7, 7, 8 ++ vxor 4, 4, 9 ++ vrlw 5, 5, 23 ++ vrlw 6, 6, 23 ++ vrlw 7, 7, 23 ++ vrlw 4, 4, 23 ++.endm ++ ++# Transpose ++.macro TP_4x a0 a1 a2 a3 ++ xxmrghw 10, 32+\a0, 32+\a1 # a0, a1, b0, b1 ++ xxmrghw 11, 32+\a2, 32+\a3 # a2, a3, b2, b3 ++ xxmrglw 12, 32+\a0, 32+\a1 # c0, c1, d0, d1 ++ xxmrglw 13, 32+\a2, 32+\a3 # c2, c3, d2, d3 ++ xxpermdi 32+\a0, 10, 11, 0 # a0, a1, a2, a3 ++ xxpermdi 32+\a1, 10, 11, 3 # b0, b1, b2, b3 ++ xxpermdi 32+\a2, 12, 13, 0 # c0, c1, c2, c3 ++ xxpermdi 32+\a3, 12, 13, 3 # d0, d1, d2, d3 ++.endm ++ ++# key stream = working state + state ++.macro Add_state S ++ vadduwm \S+0, \S+0, 16-\S ++ vadduwm \S+4, \S+4, 17-\S ++ vadduwm \S+8, \S+8, 18-\S ++ vadduwm \S+12, \S+12, 19-\S ++ ++ vadduwm \S+1, \S+1, 16-\S ++ vadduwm \S+5, \S+5, 17-\S ++ vadduwm \S+9, \S+9, 18-\S ++ vadduwm \S+13, \S+13, 19-\S ++ ++ vadduwm \S+2, \S+2, 16-\S ++ vadduwm \S+6, \S+6, 17-\S ++ vadduwm \S+10, \S+10, 18-\S ++ vadduwm \S+14, \S+14, 19-\S ++ ++ vadduwm \S+3, \S+3, 16-\S ++ vadduwm \S+7, \S+7, 17-\S ++ vadduwm \S+11, \S+11, 18-\S ++ vadduwm \S+15, \S+15, 19-\S ++.endm ++ ++# ++# write 256 bytes ++# ++.macro Write_256 S ++ add 9, 14, 5 ++ add 16, 14, 4 ++ lxvw4x 0, 0, 9 ++ lxvw4x 1, 17, 9 ++ lxvw4x 2, 18, 9 ++ lxvw4x 3, 19, 9 ++ lxvw4x 4, 20, 9 ++ lxvw4x 5, 21, 9 ++ lxvw4x 6, 22, 9 ++ lxvw4x 7, 23, 9 ++ lxvw4x 8, 24, 9 ++ lxvw4x 9, 25, 9 ++ lxvw4x 10, 26, 9 ++ lxvw4x 11, 27, 9 ++ lxvw4x 12, 28, 9 ++ lxvw4x 13, 29, 9 ++ lxvw4x 14, 30, 9 ++ lxvw4x 15, 31, 9 ++ ++ xxlxor \S+32, \S+32, 0 ++ xxlxor \S+36, \S+36, 1 ++ xxlxor \S+40, \S+40, 2 ++ xxlxor \S+44, \S+44, 3 ++ xxlxor \S+33, \S+33, 4 ++ xxlxor \S+37, \S+37, 5 ++ xxlxor \S+41, \S+41, 6 ++ xxlxor \S+45, \S+45, 7 ++ xxlxor \S+34, \S+34, 8 ++ xxlxor \S+38, \S+38, 9 ++ xxlxor \S+42, \S+42, 10 ++ xxlxor \S+46, \S+46, 11 ++ xxlxor \S+35, \S+35, 12 ++ xxlxor \S+39, \S+39, 13 ++ xxlxor \S+43, \S+43, 14 ++ xxlxor \S+47, \S+47, 15 ++ ++ stxvw4x \S+32, 0, 16 ++ stxvw4x \S+36, 17, 16 ++ stxvw4x \S+40, 18, 16 ++ 
stxvw4x \S+44, 19, 16 ++ ++ stxvw4x \S+33, 20, 16 ++ stxvw4x \S+37, 21, 16 ++ stxvw4x \S+41, 22, 16 ++ stxvw4x \S+45, 23, 16 ++ ++ stxvw4x \S+34, 24, 16 ++ stxvw4x \S+38, 25, 16 ++ stxvw4x \S+42, 26, 16 ++ stxvw4x \S+46, 27, 16 ++ ++ stxvw4x \S+35, 28, 16 ++ stxvw4x \S+39, 29, 16 ++ stxvw4x \S+43, 30, 16 ++ stxvw4x \S+47, 31, 16 ++ ++.endm ++ ++# ++# unsigned int _gcry_chacha20_p10le_8x(u32 *state, byte *dst, const byte *src, size_t len); ++# ++.global _gcry_chacha20_p10le_8x ++.align 5 ++_gcry_chacha20_p10le_8x: ++ cmpdi 6, 512 ++ blt Out_no_chacha ++ ++ stdu 1,-1024(1) ++ mflr 0 ++ ++ std 14,112(1) ++ std 15,120(1) ++ std 16,128(1) ++ std 17,136(1) ++ std 18,144(1) ++ std 19,152(1) ++ std 20,160(1) ++ std 21,168(1) ++ std 22,176(1) ++ std 23,184(1) ++ std 24,192(1) ++ std 25,200(1) ++ std 26,208(1) ++ std 27,216(1) ++ std 28,224(1) ++ std 29,232(1) ++ std 30,240(1) ++ std 31,248(1) ++ std 0, 1040(1) ++ ++ li 17, 16 ++ li 18, 32 ++ li 19, 48 ++ li 20, 64 ++ li 21, 80 ++ li 22, 96 ++ li 23, 112 ++ li 24, 128 ++ li 25, 144 ++ li 26, 160 ++ li 27, 176 ++ li 28, 192 ++ li 29, 208 ++ li 30, 224 ++ li 31, 240 ++ addi 9, 1, 256 ++ stvx 20, 0, 9 ++ stvx 21, 17, 9 ++ stvx 22, 18, 9 ++ stvx 23, 19, 9 ++ stvx 24, 20, 9 ++ stvx 25, 21, 9 ++ stvx 26, 22, 9 ++ stvx 27, 23, 9 ++ stvx 28, 24, 9 ++ stvx 29, 25, 9 ++ stvx 30, 26, 9 ++ stvx 31, 27, 9 ++ ++ add 9, 9, 27 ++ addi 14, 17, 16 ++ stxvx 14, 14, 9 ++ addi 14, 14, 16 ++ stxvx 15, 14, 9 ++ addi 14, 14, 16 ++ stxvx 16, 14, 9 ++ addi 14, 14, 16 ++ stxvx 17, 14, 9 ++ addi 14, 14, 16 ++ stxvx 18, 14, 9 ++ addi 14, 14, 16 ++ stxvx 19, 14, 9 ++ addi 14, 14, 16 ++ stxvx 20, 14, 9 ++ addi 14, 14, 16 ++ stxvx 21, 14, 9 ++ addi 14, 14, 16 ++ stxvx 22, 14, 9 ++ addi 14, 14, 16 ++ stxvx 23, 14, 9 ++ addi 14, 14, 16 ++ stxvx 24, 14, 9 ++ addi 14, 14, 16 ++ stxvx 25, 14, 9 ++ addi 14, 14, 16 ++ stxvx 26, 14, 9 ++ addi 14, 14, 16 ++ stxvx 27, 14, 9 ++ addi 14, 14, 16 ++ stxvx 28, 14, 9 ++ addi 14, 14, 16 ++ stxvx 29, 14, 9 ++ addi 14, 14, 
16 ++ stxvx 30, 14, 9 ++ addi 14, 14, 16 ++ stxvx 31, 14, 9 ++ ++ mr 15, 6 # len ++ li 14, 0 # offset to inp and outp ++ ++ ld 10, sigma@got(2) ++ ++ lxvw4x 48, 0, 3 # vr16, constants ++ lxvw4x 49, 17, 3 # vr17, key 1 ++ lxvw4x 50, 18, 3 # vr18, key 2 ++ lxvw4x 51, 19, 3 # vr19, counter, nonce ++ ++ lxvw4x 62, 19, 10 # vr30, 4 ++ ++ vspltisw 21, 12 ++ vspltisw 23, 7 ++ ++ ld 11, permx@got(2) ++ lxvw4x 32+20, 0, 11 ++ lxvw4x 32+22, 17, 11 ++ ++ li 8, 10 ++ mtctr 8 ++ ++ xxlor 16, 48, 48 ++ xxlor 17, 49, 49 ++ xxlor 18, 50, 50 ++ xxlor 19, 51, 51 ++ ++ vspltisw 25, 4 ++ vspltisw 26, 8 ++ ++ xxlor 16, 48, 48 ++ xxlor 17, 49, 49 ++ xxlor 18, 50, 50 ++ xxlor 19, 51, 51 ++ ++ xxlor 25, 32+26, 32+26 ++ xxlor 24, 32+25, 32+25 ++ ++ vadduwm 31, 30, 25 # (0, 1, 2, 3) + (4, 4, 4, 4) ++ xxlor 30, 32+30, 32+30 ++ xxlor 31, 32+31, 32+31 ++ ++ xxlor 20, 32+20, 32+20 ++ xxlor 21, 32+21, 32+21 ++ xxlor 22, 32+22, 32+22 ++ xxlor 23, 32+23, 32+23 ++ ++Loop_8x: ++ lvx 0, 20, 10 ++ lvx 1, 21, 10 ++ lvx 2, 22, 10 ++ lvx 3, 23, 10 ++ xxspltw 32+4, 17, 0 ++ xxspltw 32+5, 17, 1 ++ xxspltw 32+6, 17, 2 ++ xxspltw 32+7, 17, 3 ++ xxspltw 32+8, 18, 0 ++ xxspltw 32+9, 18, 1 ++ xxspltw 32+10, 18, 2 ++ xxspltw 32+11, 18, 3 ++ xxspltw 32+12, 19, 0 ++ xxspltw 32+13, 19, 1 ++ xxspltw 32+14, 19, 2 ++ xxspltw 32+15, 19, 3 ++ vadduwm 12, 12, 30 # increase counter ++ ++ lvx 16, 20, 10 ++ lvx 17, 21, 10 ++ lvx 18, 22, 10 ++ lvx 19, 23, 10 ++ xxspltw 32+20, 17, 0 ++ xxspltw 32+21, 17, 1 ++ xxspltw 32+22, 17, 2 ++ xxspltw 32+23, 17, 3 ++ xxspltw 32+24, 18, 0 ++ xxspltw 32+25, 18, 1 ++ xxspltw 32+26, 18, 2 ++ xxspltw 32+27, 18, 3 ++ xxspltw 32+28, 19, 0 ++ xxspltw 32+29, 19, 1 ++ vadduwm 28, 28, 31 # increase counter ++ xxspltw 32+30, 19, 2 ++ xxspltw 32+31, 19, 3 ++ ++.align 5 ++quarter_loop_8x: ++ QT_loop_8x ++ ++ bdnz quarter_loop_8x ++ ++ xxlor 0, 32+30, 32+30 ++ xxlor 32+30, 30, 30 ++ vadduwm 12, 12, 30 ++ xxlor 32+30, 0, 0 ++ TP_4x 0, 1, 2, 3 ++ TP_4x 4, 5, 6, 7 ++ TP_4x 8, 9, 10, 11 ++ TP_4x 12, 13, 
14, 15 ++ ++ xxlor 0, 48, 48 ++ xxlor 1, 49, 49 ++ xxlor 2, 50, 50 ++ xxlor 3, 51, 51 ++ xxlor 48, 16, 16 ++ xxlor 49, 17, 17 ++ xxlor 50, 18, 18 ++ xxlor 51, 19, 19 ++ Add_state 0 ++ xxlor 48, 0, 0 ++ xxlor 49, 1, 1 ++ xxlor 50, 2, 2 ++ xxlor 51, 3, 3 ++ Write_256 0 ++ addi 14, 14, 256 ++ addi 15, 15, -256 ++ ++ xxlor 5, 32+31, 32+31 ++ xxlor 32+31, 31, 31 ++ vadduwm 28, 28, 31 ++ xxlor 32+31, 5, 5 ++ TP_4x 16+0, 16+1, 16+2, 16+3 ++ TP_4x 16+4, 16+5, 16+6, 16+7 ++ TP_4x 16+8, 16+9, 16+10, 16+11 ++ TP_4x 16+12, 16+13, 16+14, 16+15 ++ ++ xxlor 32, 16, 16 ++ xxlor 33, 17, 17 ++ xxlor 34, 18, 18 ++ xxlor 35, 19, 19 ++ Add_state 16 ++ Write_256 16 ++ addi 14, 14, 256 ++ addi 15, 15, -256 ++ ++ # should update counter before out? ++ xxlor 32+24, 24, 24 ++ xxlor 32+25, 25, 25 ++ xxlor 32+30, 30, 30 ++ vadduwm 30, 30, 25 ++ vadduwm 31, 30, 24 ++ xxlor 30, 32+30, 32+30 ++ xxlor 31, 32+31, 32+31 ++ ++ cmpdi 15, 0 ++ beq Out_loop ++ ++ cmpdi 15, 512 ++ blt Loop_last ++ ++ mtctr 8 ++ b Loop_8x ++ ++Loop_last: ++ lxvw4x 48, 0, 3 # vr16, constants ++ lxvw4x 49, 17, 3 # vr17, key 1 ++ lxvw4x 50, 18, 3 # vr18, key 2 ++ lxvw4x 51, 19, 3 # vr19, counter, nonce ++ ++ vspltisw 21, 12 ++ vspltisw 23, 7 ++ lxvw4x 32+20, 0, 11 ++ lxvw4x 32+22, 17, 11 ++ ++ li 8, 10 ++ mtctr 8 ++ ++Loop_4x: ++ lvx 0, 20, 10 ++ lvx 1, 21, 10 ++ lvx 2, 22, 10 ++ lvx 3, 23, 10 ++ vspltw 4, 17, 0 ++ vspltw 5, 17, 1 ++ vspltw 6, 17, 2 ++ vspltw 7, 17, 3 ++ vspltw 8, 18, 0 ++ vspltw 9, 18, 1 ++ vspltw 10, 18, 2 ++ vspltw 11, 18, 3 ++ vspltw 12, 19, 0 ++ vadduwm 12, 12, 30 # increase counter ++ vspltw 13, 19, 1 ++ vspltw 14, 19, 2 ++ vspltw 15, 19, 3 ++ ++.align 5 ++quarter_loop: ++ QT_loop_4x ++ ++ bdnz quarter_loop ++ ++ vadduwm 12, 12, 30 ++ TP_4x 0, 1, 2, 3 ++ TP_4x 4, 5, 6, 7 ++ TP_4x 8, 9, 10, 11 ++ TP_4x 12, 13, 14, 15 ++ ++ Add_state 0 ++ Write_256 0 ++ addi 14, 14, 256 ++ addi 15, 15, -256 ++ ++ # Update state counter ++ vspltisw 25, 4 ++ vadduwm 30, 30, 25 ++ ++ cmpdi 15, 0 ++ beq Out_loop ++ ++ mtctr 
8 ++ b Loop_4x ++ ++Out_loop: ++ # ++ # Update state counter ++ # ++ vspltisb 16, -1 # first 16 bytes - 0xffff...ff ++ vspltisb 17, 0 # second 16 bytes - 0x0000...00 ++ vsldoi 18, 16, 17, 12 ++ vand 18, 18, 30 ++ xxlor 32+19, 19, 19 ++ vadduwm 18, 19, 18 ++ stxvw4x 32+18, 19, 3 ++ li 3, 0 ++ ++ addi 9, 1, 256 ++ lvx 20, 0, 9 ++ lvx 21, 17, 9 ++ lvx 22, 18, 9 ++ lvx 23, 19, 9 ++ lvx 24, 20, 9 ++ lvx 25, 21, 9 ++ lvx 26, 22, 9 ++ lvx 27, 23, 9 ++ lvx 28, 24, 9 ++ lvx 29, 25, 9 ++ lvx 30, 26, 9 ++ lvx 31, 27, 9 ++ ++ add 9, 9, 27 ++ addi 14, 17, 16 ++ lxvx 14, 14, 9 ++ addi 14, 14, 16 ++ lxvx 15, 14, 9 ++ addi 14, 14, 16 ++ lxvx 16, 14, 9 ++ addi 14, 14, 16 ++ lxvx 17, 14, 9 ++ addi 14, 14, 16 ++ lxvx 18, 14, 9 ++ addi 14, 14, 16 ++ lxvx 19, 14, 9 ++ addi 14, 14, 16 ++ lxvx 20, 14, 9 ++ addi 14, 14, 16 ++ lxvx 21, 14, 9 ++ addi 14, 14, 16 ++ lxvx 22, 14, 9 ++ addi 14, 14, 16 ++ lxvx 23, 14, 9 ++ addi 14, 14, 16 ++ lxvx 24, 14, 9 ++ addi 14, 14, 16 ++ lxvx 25, 14, 9 ++ addi 14, 14, 16 ++ lxvx 26, 14, 9 ++ addi 14, 14, 16 ++ lxvx 27, 14, 9 ++ addi 14, 14, 16 ++ lxvx 28, 14, 9 ++ addi 14, 14, 16 ++ lxvx 29, 14, 9 ++ addi 14, 14, 16 ++ lxvx 30, 14, 9 ++ addi 14, 14, 16 ++ lxvx 31, 14, 9 ++ ++ ld 0, 1040(1) ++ ld 14,112(1) ++ ld 15,120(1) ++ ld 16,128(1) ++ ld 17,136(1) ++ ld 18,144(1) ++ ld 19,152(1) ++ ld 20,160(1) ++ ld 21,168(1) ++ ld 22,176(1) ++ ld 23,184(1) ++ ld 24,192(1) ++ ld 25,200(1) ++ ld 26,208(1) ++ ld 27,216(1) ++ ld 28,224(1) ++ ld 29,232(1) ++ ld 30,240(1) ++ ld 31,248(1) ++ ++ mtlr 0 ++ addi 1, 1, 1024 ++ blr ++ ++Out_no_chacha: ++ li 3, 0 ++ blr ++ ++.data ++.align 4 ++sigma: ++.long 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 ++.long 0x0c0d0e0f, 0x08090a0b, 0x04050607, 0x00010203 ++.long 1, 0, 0, 0 ++.long 0, 1, 2, 3 ++.long 0x61707865, 0x61707865, 0x61707865, 0x61707865 ++.long 0x3320646e, 0x3320646e, 0x3320646e, 0x3320646e ++.long 0x79622d32, 0x79622d32, 0x79622d32, 0x79622d32 ++.long 0x6b206574, 0x6b206574, 0x6b206574, 0x6b206574 ++permx: ++.long 
0x22330011, 0x66774455, 0xaabb8899, 0xeeffccdd
++.long 0x11223300, 0x55667744, 0x99aabb88, 0xddeeffcc
+Index: libgcrypt-1.10.2/cipher/chacha20.c
+===================================================================
+--- libgcrypt-1.10.2.orig/cipher/chacha20.c
++++ libgcrypt-1.10.2/cipher/chacha20.c
+@@ -125,6 +125,7 @@ typedef struct CHACHA20_context_s
+ unsigned int use_avx2:1;
+ unsigned int use_neon:1;
+ unsigned int use_ppc:1;
++ unsigned int use_p10:1;
+ unsigned int use_s390x:1;
+ } CHACHA20_context_t;
+
+@@ -163,6 +164,12 @@ unsigned int _gcry_chacha20_poly1305_amd
+
+ #ifdef USE_PPC_VEC
+
++#ifndef WORDS_BIGENDIAN
++unsigned int _gcry_chacha20_p10le_8x(u32 *state, byte *dst,
++ const byte *src,
++ size_t len);
++#endif
++
+ unsigned int _gcry_chacha20_ppc8_blocks4(u32 *state, byte *dst,
+ const byte *src,
+ size_t nblks);
+@@ -475,6 +482,9 @@ chacha20_do_setkey (CHACHA20_context_t *
+ #endif
+ #ifdef USE_PPC_VEC
+ ctx->use_ppc = (features & HWF_PPC_ARCH_2_07) != 0;
++# ifndef WORDS_BIGENDIAN
++ ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0;
++# endif
+ #endif
+ #ifdef USE_S390X_VX
+ ctx->use_s390x = (features & HWF_S390X_VX) != 0;
+@@ -571,7 +581,22 @@ do_chacha20_encrypt_stream_tail (CHACHA2
+ {
+ size_t nblocks = length / CHACHA20_BLOCK_SIZE;
+ nblocks -= nblocks % 4;
+- nburn = _gcry_chacha20_ppc8_blocks4(ctx->input, outbuf, inbuf, nblocks);
++#ifndef WORDS_BIGENDIAN
++ /*
++ * A workaround to skip counter overflow. This is rare.
++ */
++ if (ctx->use_p10 && nblocks >= 8
++ && ((u64)ctx->input[12] + nblocks) <= 0xffffffffU)
++ {
++ size_t len = nblocks * CHACHA20_BLOCK_SIZE;
++ nburn = _gcry_chacha20_p10le_8x(ctx->input, outbuf, inbuf, len);
++ }
++ else
++#endif
++ {
++ nburn = _gcry_chacha20_ppc8_blocks4(ctx->input, outbuf, inbuf,
++ nblocks);
++ }
+ burn = nburn > burn ?
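Review bot: The register-usage comment in the header of chacha20-p10le-8x.s (`r3 - out`, `r4 - inp`, `r5 - len`, `r6 - key[8]`, `r7 - counter[4]`) contradicts both the prototype quoted directly above it and the code, which tests `cmpdi 6, 512`, copies `mr 15, 6 # len`, loads the state through r3 (`lxvw4x 48, 0, 3`), reads the source through r5 (`add 9, 14, 5`) and writes through r4 (`add 16, 14, 4`); it should read `# r3 - state, r4 - dst, r5 - src, r6 - len`. The routine also has two preconditions the header does not state: for `len < 512` it branches to `Out_no_chacha` and returns 0 without touching either buffer, and `Loop_4x` only exits when the remaining length hits exactly 0 after 256-byte steps, so `len` must be a multiple of 256; the C caller happens to guarantee both (`nblocks >= 8`, `nblocks -= nblocks % 4`), but an in-place caller that violated the first would emit its plaintext unchanged, so both belong in the comment above the prototype. The `Out_loop` epilogue restores the callee-saved registers but never clears the volatile vector registers that held the key words (`vr17`/`vr18`) and the keystream (v0-v15), and the function reports a burn depth of 0; whether libgcrypt's other PPC ChaCha20 backends wipe their registers on exit is outside this hunk, so confirm the convention before merging.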
nburn : burn;
+ length -= nblocks * CHACHA20_BLOCK_SIZE;
+ outbuf += nblocks * CHACHA20_BLOCK_SIZE;
+@@ -760,6 +785,11 @@ _gcry_chacha20_poly1305_encrypt(gcry_cip
+ }
+ #endif
+ #ifdef USE_PPC_VEC_POLY1305
++ else if (ctx->use_ppc && ctx->use_p10)
++ {
++ /* Skip stitched chacha20-poly1305 for P10. */
++ authptr = NULL;
++ }
+ else if (ctx->use_ppc && length >= CHACHA20_BLOCK_SIZE * 4)
+ {
+ nburn = _gcry_chacha20_ppc8_blocks4(ctx->input, outbuf, inbuf, 4);
+@@ -998,6 +1028,7 @@ _gcry_chacha20_poly1305_decrypt(gcry_cip
+ {
+ CHACHA20_context_t *ctx = (void *) &c->context.c;
+ unsigned int nburn, burn = 0;
++ int skip_stitched = 0;
+
+ if (!length)
+ return 0;
+@@ -1049,6 +1080,13 @@ _gcry_chacha20_poly1305_decrypt(gcry_cip
+ inbuf += nblocks * CHACHA20_BLOCK_SIZE;
+ }
+ #endif
++#ifdef USE_PPC_VEC_POLY1305
++ if (ctx->use_ppc && ctx->use_p10)
++ {
++ /* Skip stitched chacha20-poly1305 for P10. */
++ skip_stitched = 1;
++ }
++#endif
+
+ #ifdef USE_SSSE3
+ if (ctx->use_ssse3)
+@@ -1102,7 +1140,8 @@ _gcry_chacha20_poly1305_decrypt(gcry_cip
+ #endif
+
+ #ifdef USE_PPC_VEC_POLY1305
+- if (ctx->use_ppc && length >= 4 * CHACHA20_BLOCK_SIZE)
++ /* skip stitch for p10 */
++ if (!skip_stitched && ctx->use_ppc && length >= 4 * CHACHA20_BLOCK_SIZE)
+ {
+ size_t nblocks = length / CHACHA20_BLOCK_SIZE;
+ nblocks -= nblocks % 4;
+Index: libgcrypt-1.10.2/cipher/poly1305-internal.h
+===================================================================
+--- libgcrypt-1.10.2.orig/cipher/poly1305-internal.h
++++ libgcrypt-1.10.2/cipher/poly1305-internal.h
+@@ -33,6 +33,17 @@
+ #define POLY1305_KEYLEN 32
+ #define POLY1305_BLOCKSIZE 16
+
++/* POLY1305_USE_PPC_VEC indicates whether to enable PowerPC vector code.
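Review bot: The comment `A workaround to skip counter overflow. This is rare.` above the new `if (ctx->use_p10 && nblocks >= 8 ...)` does not say what overflows or why the 8x path cannot take it: the guard `((u64)ctx->input[12] + nblocks) <= 0xffffffffU` is needed because `_gcry_chacha20_p10le_8x` advances the counter with 32-bit lane adds and, in its `Out_loop` epilogue, writes back only the low counter word (`input[12]`) with no carry into `input[13]`, so a batch that would wrap that word must go through the pre-existing `_gcry_chacha20_ppc8_blocks4` call. Replace the comment with `/* _gcry_chacha20_p10le_8x only updates input[12] and never carries into input[13]; a batch that would wrap the 32-bit counter word takes the ppc8 4-block path instead. */`. The `nblocks >= 8` and `nblocks -= nblocks % 4` conditions are also what make the assembly's `len >= 512` and multiple-of-256 requirements hold, and deserve a word in the same comment so the next person does not relax them. The enclosing `do_chacha20_encrypt_stream_tail` starts before this hunk and continues after it.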
*/
++#undef POLY1305_USE_PPC_VEC
++#ifdef ENABLE_PPC_CRYPTO_SUPPORT
++# if defined(HAVE_COMPATIBLE_CC_PPC_ALTIVEC) && \
++ defined(HAVE_GCC_INLINE_ASM_PPC_ALTIVEC) && \
++ !defined(WORDS_BIGENDIAN)
++# if __GNUC__ >= 4
++# define POLY1305_USE_PPC_VEC 1
++# endif
++# endif
++#endif
+
+ typedef struct
+ {
+@@ -46,6 +57,9 @@ typedef struct poly1305_context_s
+ POLY1305_STATE state;
+ byte buffer[POLY1305_BLOCKSIZE];
+ unsigned int leftover;
++#ifdef POLY1305_USE_PPC_VEC
++ unsigned int use_p10:1;
++#endif
+ } poly1305_context_t;
+
+
+Index: libgcrypt-1.10.2/cipher/poly1305-p10le.s
+===================================================================
+--- /dev/null
++++ libgcrypt-1.10.2/cipher/poly1305-p10le.s
+@@ -0,0 +1,841 @@
++# Copyright 2021- IBM Inc. All rights reserved
++#
++# This file is part of Libgcrypt.
++#
++# Libgcrypt is free software; you can redistribute it and/or modify
++# it under the terms of the GNU Lesser General Public License as
++# published by the Free Software Foundation; either version 2.1 of
++# the License, or (at your option) any later version.
++#
++# Libgcrypt is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU Lesser General Public License for more details.
++#
++# You should have received a copy of the GNU Lesser General Public
++# License along with this program; if not, see .
++#
++#===================================================================================
++# Written by Danny Tsen
++#
++# Poly1305 - this version mainly using vector/VSX/Scalar
++# - 26 bits limbs
++# - Handle multiple 64 byte blcoks but need at least 2 64 bytes block
++#
++# Improve performance by breaking down polynominal to the sum of products with
++# h4 = m1 * r⁴ + m2 * r³ + m3 * r² + m4 * r
++#
++# 07/22/21 - this revison based on the above sum of products.
Setup r^4, r^3, r^2, r and s3, s2, s1, s0 ++# to 9 vectors for multiplications. ++# ++# setup r^4, r^3, r^2, r vectors ++# vs [r^1, r^3, r^2, r^4] ++# vs0 = [r0,.....] ++# vs1 = [r1,.....] ++# vs2 = [r2,.....] ++# vs3 = [r3,.....] ++# vs4 = [r4,.....] ++# vs5 = [r1*5,...] ++# vs6 = [r2*5,...] ++# vs7 = [r2*5,...] ++# vs8 = [r4*5,...] ++# ++# Each word in a vector consists a member of a "r/s" in [a * r/s]. ++# ++# r0, r4*5, r3*5, r2*5, r1*5; ++# r1, r0, r4*5, r3*5, r2*5; ++# r2, r1, r0, r4*5, r3*5; ++# r3, r2, r1, r0, r4*5; ++# r4, r3, r2, r1, r0 ; ++# ++# ++# gcry_poly1305_p10le_4blocks( uint8_t *k, uint32_t mlen, uint8_t *m) ++# k = 32 bytes key ++# r3 = k (r, s) ++# r4 = mlen ++# r5 = m ++# ++.text ++ ++# Block size 16 bytes ++# key = (r, s) ++# clamp r &= 0x0FFFFFFC0FFFFFFC 0x0FFFFFFC0FFFFFFF ++# p = 2^130 - 5 ++# a += m ++# a = (r + a) % p ++# a += s ++# 16 bytes (a) ++# ++# p[0] = a0*r0 + a1*r4*5 + a2*r3*5 + a3*r2*5 + a4*r1*5; ++# p[1] = a0*r1 + a1*r0 + a2*r4*5 + a3*r3*5 + a4*r2*5; ++# p[2] = a0*r2 + a1*r1 + a2*r0 + a3*r4*5 + a4*r3*5; ++# p[3] = a0*r3 + a1*r2 + a2*r1 + a3*r0 + a4*r4*5; ++# p[4] = a0*r4 + a1*r3 + a2*r2 + a3*r1 + a4*r0 ; ++# ++# [r^2, r^3, r^1, r^4] ++# [m3, m2, m4, m1] ++# ++# multiply odd and even words ++.macro mul_odd ++ vmulouw 14, 4, 26 ++ vmulouw 10, 5, 3 ++ vmulouw 11, 6, 2 ++ vmulouw 12, 7, 1 ++ vmulouw 13, 8, 0 ++ vmulouw 15, 4, 27 ++ vaddudm 14, 14, 10 ++ vaddudm 14, 14, 11 ++ vmulouw 10, 5, 26 ++ vmulouw 11, 6, 3 ++ vaddudm 14, 14, 12 ++ vaddudm 14, 14, 13 # x0 ++ vaddudm 15, 15, 10 ++ vaddudm 15, 15, 11 ++ vmulouw 12, 7, 2 ++ vmulouw 13, 8, 1 ++ vaddudm 15, 15, 12 ++ vaddudm 15, 15, 13 # x1 ++ vmulouw 16, 4, 28 ++ vmulouw 10, 5, 27 ++ vmulouw 11, 6, 26 ++ vaddudm 16, 16, 10 ++ vaddudm 16, 16, 11 ++ vmulouw 12, 7, 3 ++ vmulouw 13, 8, 2 ++ vaddudm 16, 16, 12 ++ vaddudm 16, 16, 13 # x2 ++ vmulouw 17, 4, 29 ++ vmulouw 10, 5, 28 ++ vmulouw 11, 6, 27 ++ vaddudm 17, 17, 10 ++ vaddudm 17, 17, 11 ++ vmulouw 12, 7, 26 ++ vmulouw 13, 8, 3 ++ 
vaddudm 17, 17, 12 ++ vaddudm 17, 17, 13 # x3 ++ vmulouw 18, 4, 30 ++ vmulouw 10, 5, 29 ++ vmulouw 11, 6, 28 ++ vaddudm 18, 18, 10 ++ vaddudm 18, 18, 11 ++ vmulouw 12, 7, 27 ++ vmulouw 13, 8, 26 ++ vaddudm 18, 18, 12 ++ vaddudm 18, 18, 13 # x4 ++.endm ++ ++.macro mul_even ++ vmuleuw 9, 4, 26 ++ vmuleuw 10, 5, 3 ++ vmuleuw 11, 6, 2 ++ vmuleuw 12, 7, 1 ++ vmuleuw 13, 8, 0 ++ vaddudm 14, 14, 9 ++ vaddudm 14, 14, 10 ++ vaddudm 14, 14, 11 ++ vaddudm 14, 14, 12 ++ vaddudm 14, 14, 13 # x0 ++ ++ vmuleuw 9, 4, 27 ++ vmuleuw 10, 5, 26 ++ vmuleuw 11, 6, 3 ++ vmuleuw 12, 7, 2 ++ vmuleuw 13, 8, 1 ++ vaddudm 15, 15, 9 ++ vaddudm 15, 15, 10 ++ vaddudm 15, 15, 11 ++ vaddudm 15, 15, 12 ++ vaddudm 15, 15, 13 # x1 ++ ++ vmuleuw 9, 4, 28 ++ vmuleuw 10, 5, 27 ++ vmuleuw 11, 6, 26 ++ vmuleuw 12, 7, 3 ++ vmuleuw 13, 8, 2 ++ vaddudm 16, 16, 9 ++ vaddudm 16, 16, 10 ++ vaddudm 16, 16, 11 ++ vaddudm 16, 16, 12 ++ vaddudm 16, 16, 13 # x2 ++ ++ vmuleuw 9, 4, 29 ++ vmuleuw 10, 5, 28 ++ vmuleuw 11, 6, 27 ++ vmuleuw 12, 7, 26 ++ vmuleuw 13, 8, 3 ++ vaddudm 17, 17, 9 ++ vaddudm 17, 17, 10 ++ vaddudm 17, 17, 11 ++ vaddudm 17, 17, 12 ++ vaddudm 17, 17, 13 # x3 ++ ++ vmuleuw 9, 4, 30 ++ vmuleuw 10, 5, 29 ++ vmuleuw 11, 6, 28 ++ vmuleuw 12, 7, 27 ++ vmuleuw 13, 8, 26 ++ vaddudm 18, 18, 9 ++ vaddudm 18, 18, 10 ++ vaddudm 18, 18, 11 ++ vaddudm 18, 18, 12 ++ vaddudm 18, 18, 13 # x4 ++.endm ++ ++# setup r^4, r^3, r^2, r vectors ++# [r, r^3, r^2, r^4] ++# vs0 = [r0,...] ++# vs1 = [r1,...] ++# vs2 = [r2,...] ++# vs3 = [r3,...] ++# vs4 = [r4,...] ++# vs5 = [r4*5,...] ++# vs6 = [r3*5,...] ++# vs7 = [r2*5,...] ++# vs8 = [r1*5,...] 
++# ++# r0, r4*5, r3*5, r2*5, r1*5; ++# r1, r0, r4*5, r3*5, r2*5; ++# r2, r1, r0, r4*5, r3*5; ++# r3, r2, r1, r0, r4*5; ++# r4, r3, r2, r1, r0 ; ++# ++.macro poly1305_setup_r ++ ++ # save r ++ xxlor 26, 58, 58 ++ xxlor 27, 59, 59 ++ xxlor 28, 60, 60 ++ xxlor 29, 61, 61 ++ xxlor 30, 62, 62 ++ ++ xxlxor 31, 31, 31 ++ ++# [r, r^3, r^2, r^4] ++ # compute r^2 ++ vmr 4, 26 ++ vmr 5, 27 ++ vmr 6, 28 ++ vmr 7, 29 ++ vmr 8, 30 ++ bl do_mul # r^2 r^1 ++ xxpermdi 58, 58, 36, 0x3 # r0 ++ xxpermdi 59, 59, 37, 0x3 # r1 ++ xxpermdi 60, 60, 38, 0x3 # r2 ++ xxpermdi 61, 61, 39, 0x3 # r3 ++ xxpermdi 62, 62, 40, 0x3 # r4 ++ xxpermdi 36, 36, 36, 0x3 ++ xxpermdi 37, 37, 37, 0x3 ++ xxpermdi 38, 38, 38, 0x3 ++ xxpermdi 39, 39, 39, 0x3 ++ xxpermdi 40, 40, 40, 0x3 ++ vspltisb 13, 2 ++ vsld 9, 27, 13 ++ vsld 10, 28, 13 ++ vsld 11, 29, 13 ++ vsld 12, 30, 13 ++ vaddudm 0, 9, 27 ++ vaddudm 1, 10, 28 ++ vaddudm 2, 11, 29 ++ vaddudm 3, 12, 30 ++ ++ bl do_mul # r^4 r^3 ++ vmrgow 26, 26, 4 ++ vmrgow 27, 27, 5 ++ vmrgow 28, 28, 6 ++ vmrgow 29, 29, 7 ++ vmrgow 30, 30, 8 ++ vspltisb 13, 2 ++ vsld 9, 27, 13 ++ vsld 10, 28, 13 ++ vsld 11, 29, 13 ++ vsld 12, 30, 13 ++ vaddudm 0, 9, 27 ++ vaddudm 1, 10, 28 ++ vaddudm 2, 11, 29 ++ vaddudm 3, 12, 30 ++ ++ # r^2 r^4 ++ xxlor 0, 58, 58 ++ xxlor 1, 59, 59 ++ xxlor 2, 60, 60 ++ xxlor 3, 61, 61 ++ xxlor 4, 62, 62 ++ xxlor 5, 32, 32 ++ xxlor 6, 33, 33 ++ xxlor 7, 34, 34 ++ xxlor 8, 35, 35 ++ ++ vspltw 9, 26, 3 ++ vspltw 10, 26, 2 ++ vmrgow 26, 10, 9 ++ vspltw 9, 27, 3 ++ vspltw 10, 27, 2 ++ vmrgow 27, 10, 9 ++ vspltw 9, 28, 3 ++ vspltw 10, 28, 2 ++ vmrgow 28, 10, 9 ++ vspltw 9, 29, 3 ++ vspltw 10, 29, 2 ++ vmrgow 29, 10, 9 ++ vspltw 9, 30, 3 ++ vspltw 10, 30, 2 ++ vmrgow 30, 10, 9 ++ ++ vsld 9, 27, 13 ++ vsld 10, 28, 13 ++ vsld 11, 29, 13 ++ vsld 12, 30, 13 ++ vaddudm 0, 9, 27 ++ vaddudm 1, 10, 28 ++ vaddudm 2, 11, 29 ++ vaddudm 3, 12, 30 ++.endm ++ ++do_mul: ++ mul_odd ++ ++ # do reduction ( h %= p ) ++ # carry reduction ++ vspltisb 9, 2 ++ vsrd 10, 14, 31 ++ 
vsrd 11, 17, 31 ++ vand 7, 17, 25 ++ vand 4, 14, 25 ++ vaddudm 18, 18, 11 ++ vsrd 12, 18, 31 ++ vaddudm 15, 15, 10 ++ ++ vsrd 11, 15, 31 ++ vand 8, 18, 25 ++ vand 5, 15, 25 ++ vaddudm 4, 4, 12 ++ vsld 10, 12, 9 ++ vaddudm 6, 16, 11 ++ ++ vsrd 13, 6, 31 ++ vand 6, 6, 25 ++ vaddudm 4, 4, 10 ++ vsrd 10, 4, 31 ++ vaddudm 7, 7, 13 ++ ++ vsrd 11, 7, 31 ++ vand 7, 7, 25 ++ vand 4, 4, 25 ++ vaddudm 5, 5, 10 ++ vaddudm 8, 8, 11 ++ blr ++ ++# ++# init key ++# ++do_poly1305_init: ++ ld 10, rmask@got(2) ++ ld 11, 0(10) ++ ld 12, 8(10) ++ ++ li 14, 16 ++ li 15, 32 ++ ld 10, cnum@got(2) ++ lvx 25, 0, 10 # v25 - mask ++ lvx 31, 14, 10 # v31 = 1a ++ lvx 19, 15, 10 # v19 = 1 << 24 ++ lxv 24, 48(10) # vs24 ++ lxv 25, 64(10) # vs25 ++ ++ # initialize ++ # load key from r3 to vectors ++ ld 9, 16(3) ++ ld 10, 24(3) ++ ld 11, 0(3) ++ ld 12, 8(3) ++ ++ # break 26 bits ++ extrdi 14, 9, 26, 38 ++ extrdi 15, 9, 26, 12 ++ extrdi 16, 9, 12, 0 ++ mtvsrdd 58, 0, 14 ++ insrdi 16, 10, 14, 38 ++ mtvsrdd 59, 0, 15 ++ extrdi 17, 10, 26, 24 ++ mtvsrdd 60, 0, 16 ++ extrdi 18, 10, 24, 0 ++ mtvsrdd 61, 0, 17 ++ mtvsrdd 62, 0, 18 ++ ++ # r1 = r1 * 5, r2 = r2 * 5, r3 = r3 * 5, r4 = r4 * 5 ++ li 9, 5 ++ mtvsrdd 36, 0, 9 ++ vmulouw 0, 27, 4 # v0 = rr0 ++ vmulouw 1, 28, 4 # v1 = rr1 ++ vmulouw 2, 29, 4 # v2 = rr2 ++ vmulouw 3, 30, 4 # v3 = rr3 ++ blr ++ ++# ++# gcry_poly1305_p10le_4blocks( uint8_t *k, uint32_t mlen, uint8_t *m) ++# k = 32 bytes key ++# r3 = k (r, s) ++# r4 = mlen ++# r5 = m ++# ++.global gcry_poly1305_p10le_4blocks ++.align 5 ++gcry_poly1305_p10le_4blocks: ++_gcry_poly1305_p10le_4blocks: ++ cmpdi 5, 128 ++ blt Out_no_poly1305 ++ ++ stdu 1,-1024(1) ++ mflr 0 ++ ++ std 14,112(1) ++ std 15,120(1) ++ std 16,128(1) ++ std 17,136(1) ++ std 18,144(1) ++ std 19,152(1) ++ std 20,160(1) ++ std 21,168(1) ++ std 31,248(1) ++ li 14, 256 ++ stvx 20, 14, 1 ++ addi 14, 14, 16 ++ stvx 21, 14, 1 ++ addi 14, 14, 16 ++ stvx 22, 14, 1 ++ addi 14, 14, 16 ++ stvx 23, 14, 1 ++ addi 14, 14, 16 ++ stvx 24, 14, 1 ++ 
addi 14, 14, 16 ++ stvx 25, 14, 1 ++ addi 14, 14, 16 ++ stvx 26, 14, 1 ++ addi 14, 14, 16 ++ stvx 27, 14, 1 ++ addi 14, 14, 16 ++ stvx 28, 14, 1 ++ addi 14, 14, 16 ++ stvx 29, 14, 1 ++ addi 14, 14, 16 ++ stvx 30, 14, 1 ++ addi 14, 14, 16 ++ stvx 31, 14, 1 ++ ++ addi 14, 14, 16 ++ stxvx 14, 14, 1 ++ addi 14, 14, 16 ++ stxvx 15, 14, 1 ++ addi 14, 14, 16 ++ stxvx 16, 14, 1 ++ addi 14, 14, 16 ++ stxvx 17, 14, 1 ++ addi 14, 14, 16 ++ stxvx 18, 14, 1 ++ addi 14, 14, 16 ++ stxvx 19, 14, 1 ++ addi 14, 14, 16 ++ stxvx 20, 14, 1 ++ addi 14, 14, 16 ++ stxvx 21, 14, 1 ++ addi 14, 14, 16 ++ stxvx 22, 14, 1 ++ addi 14, 14, 16 ++ stxvx 23, 14, 1 ++ addi 14, 14, 16 ++ stxvx 24, 14, 1 ++ addi 14, 14, 16 ++ stxvx 25, 14, 1 ++ addi 14, 14, 16 ++ stxvx 26, 14, 1 ++ addi 14, 14, 16 ++ stxvx 27, 14, 1 ++ addi 14, 14, 16 ++ stxvx 28, 14, 1 ++ addi 14, 14, 16 ++ stxvx 29, 14, 1 ++ addi 14, 14, 16 ++ stxvx 30, 14, 1 ++ addi 14, 14, 16 ++ stxvx 31, 14, 1 ++ std 0, 1040(1) ++ ++ bl do_poly1305_init ++ ++ li 21, 0 # counter to message ++ ++ poly1305_setup_r ++ ++ # load previous state ++ # break/convert r6 to 26 bits ++ ld 9, 32(3) ++ ld 10, 40(3) ++ lwz 19, 48(3) ++ sldi 19, 19, 24 ++ mtvsrdd 41, 0, 19 ++ extrdi 14, 9, 26, 38 ++ extrdi 15, 9, 26, 12 ++ extrdi 16, 9, 12, 0 ++ mtvsrdd 36, 0, 14 ++ insrdi 16, 10, 14, 38 ++ mtvsrdd 37, 0, 15 ++ extrdi 17, 10, 26, 24 ++ mtvsrdd 38, 0, 16 ++ extrdi 18, 10, 24, 0 ++ mtvsrdd 39, 0, 17 ++ mtvsrdd 40, 0, 18 ++ vor 8, 8, 9 ++ ++ # input m1 m2 ++ add 20, 4, 21 ++ xxlor 49, 24, 24 ++ xxlor 50, 25, 25 ++ lxvw4x 43, 0, 20 ++ addi 17, 20, 16 ++ lxvw4x 44, 0, 17 ++ vperm 14, 11, 12, 17 ++ vperm 15, 11, 12, 18 ++ vand 9, 14, 25 # a0 ++ vsrd 10, 14, 31 # >> 26 ++ vsrd 11, 10, 31 # 12 bits left ++ vand 10, 10, 25 # a1 ++ vspltisb 13, 12 ++ vand 16, 15, 25 ++ vsld 12, 16, 13 ++ vor 11, 11, 12 ++ vand 11, 11, 25 # a2 ++ vspltisb 13, 14 ++ vsrd 12, 15, 13 # >> 14 ++ vsrd 13, 12, 31 # >> 26, a4 ++ vand 12, 12, 25 # a3 ++ ++ vaddudm 20, 4, 9 ++ vaddudm 21, 5, 10 ++ 
vaddudm 22, 6, 11 ++ vaddudm 23, 7, 12 ++ vaddudm 24, 8, 13 ++ ++ # m3 m4 ++ addi 17, 17, 16 ++ lxvw4x 43, 0, 17 ++ addi 17, 17, 16 ++ lxvw4x 44, 0, 17 ++ vperm 14, 11, 12, 17 ++ vperm 15, 11, 12, 18 ++ vand 9, 14, 25 # a0 ++ vsrd 10, 14, 31 # >> 26 ++ vsrd 11, 10, 31 # 12 bits left ++ vand 10, 10, 25 # a1 ++ vspltisb 13, 12 ++ vand 16, 15, 25 ++ vsld 12, 16, 13 ++ vspltisb 13, 14 ++ vor 11, 11, 12 ++ vand 11, 11, 25 # a2 ++ vsrd 12, 15, 13 # >> 14 ++ vsrd 13, 12, 31 # >> 26, a4 ++ vand 12, 12, 25 # a3 ++ ++ # Smash 4 message blocks into 5 vectors of [m4, m2, m3, m1] ++ vmrgow 4, 9, 20 ++ vmrgow 5, 10, 21 ++ vmrgow 6, 11, 22 ++ vmrgow 7, 12, 23 ++ vmrgow 8, 13, 24 ++ vaddudm 8, 8, 19 ++ ++ addi 5, 5, -64 ++ addi 21, 21, 64 ++ ++ li 9, 64 ++ divdu 31, 5, 9 ++ ++ mtctr 31 ++ ++# h4 = m1 * r⁴ + m2 * r³ + m3 * r² + m4 * r ++# Rewrite the polynominal sum of product as follows, ++# h1 = (h0 + m1) * r^2, h2 = (h0 + m2) * r^2 ++# h3 = (h1 + m3) * r^2, h4 = (h2 + m4) * r^2 --> (h0 + m1) r*4 + (h3 + m3) r^2, (h0 + m2) r^4 + (h0 + m4) r^2 ++# .... 
Repeat ++# h5 = (h3 + m5) * r^2, h6 = (h4 + m6) * r^2 --> ++# h7 = (h5 + m7) * r^2, h8 = (h6 + m8) * r^1 --> m5 * r^4 + m6 * r^3 + m7 * r^2 + m8 * r ++# ++loop_4blocks: ++ ++ # Multiply odd words and even words ++ mul_odd ++ mul_even ++ # carry reduction ++ vspltisb 9, 2 ++ vsrd 10, 14, 31 ++ vsrd 11, 17, 31 ++ vand 7, 17, 25 ++ vand 4, 14, 25 ++ vaddudm 18, 18, 11 ++ vsrd 12, 18, 31 ++ vaddudm 15, 15, 10 ++ ++ vsrd 11, 15, 31 ++ vand 8, 18, 25 ++ vand 5, 15, 25 ++ vaddudm 4, 4, 12 ++ vsld 10, 12, 9 ++ vaddudm 6, 16, 11 ++ ++ vsrd 13, 6, 31 ++ vand 6, 6, 25 ++ vaddudm 4, 4, 10 ++ vsrd 10, 4, 31 ++ vaddudm 7, 7, 13 ++ ++ vsrd 11, 7, 31 ++ vand 7, 7, 25 ++ vand 4, 4, 25 ++ vaddudm 5, 5, 10 ++ vaddudm 8, 8, 11 ++ ++ # input m1 m2 m3 m4 ++ add 20, 4, 21 ++ xxlor 49, 24, 24 ++ xxlor 50, 25, 25 ++ lxvw4x 43, 0, 20 ++ addi 17, 20, 16 ++ lxvw4x 44, 0, 17 ++ vperm 14, 11, 12, 17 ++ vperm 15, 11, 12, 18 ++ addi 17, 17, 16 ++ lxvw4x 43, 0, 17 ++ addi 17, 17, 16 ++ lxvw4x 44, 0, 17 ++ vperm 17, 11, 12, 17 ++ vperm 18, 11, 12, 18 ++ ++ vand 20, 14, 25 # a0 ++ vand 9, 17, 25 # a0 ++ vsrd 21, 14, 31 # >> 26 ++ vsrd 22, 21, 31 # 12 bits left ++ vsrd 10, 17, 31 # >> 26 ++ vsrd 11, 10, 31 # 12 bits left ++ ++ vand 21, 21, 25 # a1 ++ vand 10, 10, 25 # a1 ++ ++ vspltisb 13, 12 ++ vand 16, 15, 25 ++ vsld 23, 16, 13 ++ vor 22, 22, 23 ++ vand 22, 22, 25 # a2 ++ vand 16, 18, 25 ++ vsld 12, 16, 13 ++ vor 11, 11, 12 ++ vand 11, 11, 25 # a2 ++ vspltisb 13, 14 ++ vsrd 23, 15, 13 # >> 14 ++ vsrd 24, 23, 31 # >> 26, a4 ++ vand 23, 23, 25 # a3 ++ vsrd 12, 18, 13 # >> 14 ++ vsrd 13, 12, 31 # >> 26, a4 ++ vand 12, 12, 25 # a3 ++ ++ vaddudm 4, 4, 20 ++ vaddudm 5, 5, 21 ++ vaddudm 6, 6, 22 ++ vaddudm 7, 7, 23 ++ vaddudm 8, 8, 24 ++ ++ # Smash 4 message blocks into 5 vectors of [m4, m2, m3, m1] ++ vmrgow 4, 9, 4 ++ vmrgow 5, 10, 5 ++ vmrgow 6, 11, 6 ++ vmrgow 7, 12, 7 ++ vmrgow 8, 13, 8 ++ vaddudm 8, 8, 19 ++ ++ addi 5, 5, -64 ++ addi 21, 21, 64 ++ ++ bdnz loop_4blocks ++ ++ xxlor 58, 0, 0 ++ xxlor 
59, 1, 1 ++ xxlor 60, 2, 2 ++ xxlor 61, 3, 3 ++ xxlor 62, 4, 4 ++ xxlor 32, 5, 5 ++ xxlor 33, 6, 6 ++ xxlor 34, 7, 7 ++ xxlor 35, 8, 8 ++ ++ # Multiply odd words and even words ++ mul_odd ++ mul_even ++ ++ # Sum the products. ++ xxpermdi 41, 31, 46, 0 ++ xxpermdi 42, 31, 47, 0 ++ vaddudm 4, 14, 9 ++ xxpermdi 36, 31, 36, 3 ++ vaddudm 5, 15, 10 ++ xxpermdi 37, 31, 37, 3 ++ xxpermdi 43, 31, 48, 0 ++ vaddudm 6, 16, 11 ++ xxpermdi 38, 31, 38, 3 ++ xxpermdi 44, 31, 49, 0 ++ vaddudm 7, 17, 12 ++ xxpermdi 39, 31, 39, 3 ++ xxpermdi 45, 31, 50, 0 ++ vaddudm 8, 18, 13 ++ xxpermdi 40, 31, 40, 3 ++ ++ # carry reduction ++ vspltisb 9, 2 ++ vsrd 10, 4, 31 ++ vsrd 11, 7, 31 ++ vand 7, 7, 25 ++ vand 4, 4, 25 ++ vaddudm 8, 8, 11 ++ vsrd 12, 8, 31 ++ vaddudm 5, 5, 10 ++ ++ vsrd 11, 5, 31 ++ vand 8, 8, 25 ++ vand 5, 5, 25 ++ vaddudm 4, 4, 12 ++ vsld 10, 12, 9 ++ vaddudm 6, 6, 11 ++ ++ vsrd 13, 6, 31 ++ vand 6, 6, 25 ++ vaddudm 4, 4, 10 ++ vsrd 10, 4, 31 ++ vaddudm 7, 7, 13 ++ ++ vsrd 11, 7, 31 ++ vand 7, 7, 25 ++ vand 4, 4, 25 ++ vaddudm 5, 5, 10 ++ vaddudm 8, 8, 11 ++ ++ b do_final_update ++ ++do_final_update: ++ # v4, v5, v6, v7 and v8 are 26 bit vectors ++ vsld 5, 5, 31 ++ vor 20, 4, 5 ++ vspltisb 11, 12 ++ vsrd 12, 6, 11 ++ vsld 6, 6, 31 ++ vsld 6, 6, 31 ++ vor 20, 20, 6 ++ vspltisb 11, 14 ++ vsld 7, 7, 11 ++ vor 21, 7, 12 ++ mfvsrld 16, 40 # save last 2 bytes ++ vsld 8, 8, 11 ++ vsld 8, 8, 31 ++ vor 21, 21, 8 ++ mfvsrld 17, 52 ++ mfvsrld 19, 53 ++ srdi 16, 16, 24 ++ ++ std 17, 32(3) ++ std 19, 40(3) ++ stw 16, 48(3) ++ ++Out_loop: ++ li 3, 0 ++ ++ li 14, 256 ++ lvx 20, 14, 1 ++ addi 14, 14, 16 ++ lvx 21, 14, 1 ++ addi 14, 14, 16 ++ lvx 22, 14, 1 ++ addi 14, 14, 16 ++ lvx 23, 14, 1 ++ addi 14, 14, 16 ++ lvx 24, 14, 1 ++ addi 14, 14, 16 ++ lvx 25, 14, 1 ++ addi 14, 14, 16 ++ lvx 26, 14, 1 ++ addi 14, 14, 16 ++ lvx 27, 14, 1 ++ addi 14, 14, 16 ++ lvx 28, 14, 1 ++ addi 14, 14, 16 ++ lvx 29, 14, 1 ++ addi 14, 14, 16 ++ lvx 30, 14, 1 ++ addi 14, 14, 16 ++ lvx 31, 14, 1 ++ ++ addi 14, 
14, 16 ++ lxvx 14, 14, 1 ++ addi 14, 14, 16 ++ lxvx 15, 14, 1 ++ addi 14, 14, 16 ++ lxvx 16, 14, 1 ++ addi 14, 14, 16 ++ lxvx 17, 14, 1 ++ addi 14, 14, 16 ++ lxvx 18, 14, 1 ++ addi 14, 14, 16 ++ lxvx 19, 14, 1 ++ addi 14, 14, 16 ++ lxvx 20, 14, 1 ++ addi 14, 14, 16 ++ lxvx 21, 14, 1 ++ addi 14, 14, 16 ++ lxvx 22, 14, 1 ++ addi 14, 14, 16 ++ lxvx 23, 14, 1 ++ addi 14, 14, 16 ++ lxvx 24, 14, 1 ++ addi 14, 14, 16 ++ lxvx 25, 14, 1 ++ addi 14, 14, 16 ++ lxvx 26, 14, 1 ++ addi 14, 14, 16 ++ lxvx 27, 14, 1 ++ addi 14, 14, 16 ++ lxvx 28, 14, 1 ++ addi 14, 14, 16 ++ lxvx 29, 14, 1 ++ addi 14, 14, 16 ++ lxvx 30, 14, 1 ++ addi 14, 14, 16 ++ lxvx 31, 14, 1 ++ ++ ld 0, 1040(1) ++ ld 14,112(1) ++ ld 15,120(1) ++ ld 16,128(1) ++ ld 17,136(1) ++ ld 18,144(1) ++ ld 19,152(1) ++ ld 20,160(1) ++ ld 21,168(1) ++ ld 31,248(1) ++ ++ mtlr 0 ++ addi 1, 1, 1024 ++ blr ++ ++Out_no_poly1305: ++ li 3, 0 ++ blr ++ ++.data ++.align 5 ++rmask: ++.byte 0xff, 0xff, 0xff, 0x0f, 0xfc, 0xff, 0xff, 0x0f, 0xfc, 0xff, 0xff, 0x0f, 0xfc, 0xff, 0xff, 0x0f ++cnum: ++.long 0x03ffffff, 0x00000000, 0x03ffffff, 0x00000000 ++.long 0x1a, 0x00, 0x1a, 0x00 ++.long 0x01000000, 0x01000000, 0x01000000, 0x01000000 ++.long 0x00010203, 0x04050607, 0x10111213, 0x14151617 ++.long 0x08090a0b, 0x0c0d0e0f, 0x18191a1b, 0x1c1d1e1f ++.long 0x05, 0x00, 0x00, 0x00 ++.long 0x02020202, 0x02020202, 0x02020202, 0x02020202 ++.long 0xffffffff, 0xffffffff, 0x00000000, 0x00000000 +Index: libgcrypt-1.10.2/cipher/poly1305.c +=================================================================== +--- libgcrypt-1.10.2.orig/cipher/poly1305.c ++++ libgcrypt-1.10.2/cipher/poly1305.c +@@ -78,11 +78,23 @@ poly1305_blocks (poly1305_context_t *ctx + #endif /* USE_S390X_ASM */ + + ++#ifdef POLY1305_USE_PPC_VEC ++ ++extern unsigned int ++gcry_poly1305_p10le_4blocks(unsigned char *key, const byte *m, size_t len); ++ ++#endif /* POLY1305_USE_PPC_VEC */ ++ ++ + static void poly1305_init (poly1305_context_t *ctx, + const byte key[POLY1305_KEYLEN]) + { + 
POLY1305_STATE *st = &ctx->state; + ++#ifdef POLY1305_USE_PPC_VEC ++ ctx->use_p10 = (_gcry_get_hw_features () & HWF_PPC_ARCH_3_10) != 0; ++#endif ++ + ctx->leftover = 0; + + st->h[0] = 0; +@@ -533,6 +545,7 @@ _gcry_poly1305_update_burn (poly1305_con + size_t bytes) + { + unsigned int burn = 0; ++ unsigned int nburn; + + /* handle leftover */ + if (ctx->leftover) +@@ -546,15 +559,31 @@ _gcry_poly1305_update_burn (poly1305_con + ctx->leftover += want; + if (ctx->leftover < POLY1305_BLOCKSIZE) + return 0; +- burn = poly1305_blocks (ctx, ctx->buffer, POLY1305_BLOCKSIZE, 1); ++ nburn = poly1305_blocks (ctx, ctx->buffer, POLY1305_BLOCKSIZE, 1); ++ burn = nburn > burn ? nburn : burn; + ctx->leftover = 0; + } + ++#ifdef POLY1305_USE_PPC_VEC ++ /* PPC-P10/little-endian: bulk process multiples of eight blocks */ ++ if (ctx->use_p10 && bytes >= POLY1305_BLOCKSIZE * 8) ++ { ++ size_t nblks = bytes / (POLY1305_BLOCKSIZE * 8); ++ size_t len = nblks * (POLY1305_BLOCKSIZE * 8); ++ POLY1305_STATE *st = &ctx->state; ++ nburn = gcry_poly1305_p10le_4blocks ((unsigned char *) st, m, len); ++ burn = nburn > burn ? nburn : burn; ++ m += len; ++ bytes -= len; ++ } ++#endif /* POLY1305_USE_PPC_VEC */ ++ + /* process full blocks */ + if (bytes >= POLY1305_BLOCKSIZE) + { + size_t nblks = bytes / POLY1305_BLOCKSIZE; +- burn = poly1305_blocks (ctx, m, nblks * POLY1305_BLOCKSIZE, 1); ++ nburn = poly1305_blocks (ctx, m, nblks * POLY1305_BLOCKSIZE, 1); ++ burn = nburn > burn ? 
nburn : burn; + m += nblks * POLY1305_BLOCKSIZE; + bytes -= nblks * POLY1305_BLOCKSIZE; + } +Index: libgcrypt-1.10.2/configure.ac +=================================================================== +--- libgcrypt-1.10.2.orig/configure.ac ++++ libgcrypt-1.10.2/configure.ac +@@ -2779,6 +2779,11 @@ if test "$found" = "1" ; then + powerpc64le-*-*) + # Build with the ppc8 vector implementation + GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-ppc.lo" ++ # Build with the assembly implementation ++ if test "$gcry_cv_gcc_inline_asm_ppc_altivec" = "yes" && ++ test "$gcry_cv_gcc_inline_asm_ppc_arch_3_00" = "yes" ; then ++ GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS chacha20-p10le-8x.lo" ++ fi + ;; + powerpc64-*-*) + # Build with the ppc8 vector implementation +@@ -3117,6 +3122,13 @@ case "${host}" in + s390x-*-*) + GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS poly1305-s390x.lo" + ;; ++ powerpc64le-*-*) ++ # Build with the assembly implementation ++ if test "$gcry_cv_gcc_inline_asm_ppc_altivec" = "yes" && ++ test "$gcry_cv_gcc_inline_asm_ppc_arch_3_00" = "yes" ; then ++ GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS poly1305-p10le.lo" ++ fi ++ ;; + esac + + LIST_MEMBER(scrypt, $enabled_kdfs) diff --git a/libgcrypt-FIPS-SLI-hash-mac.patch b/libgcrypt-FIPS-SLI-hash-mac.patch new file mode 100644 index 0000000..9057fe5 --- /dev/null +++ b/libgcrypt-FIPS-SLI-hash-mac.patch 
@@ -0,0 +1,172 @@ +Index: libgcrypt-1.10.2/doc/gcrypt.texi +=================================================================== +--- libgcrypt-1.10.2.orig/doc/gcrypt.texi ++++ libgcrypt-1.10.2/doc/gcrypt.texi +@@ -985,13 +985,21 @@ certification. If the function is approv + @code{GPG_ERR_NO_ERROR} (other restrictions might still apply). + Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. + +-@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos ++@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos + +-Check if the given MAC is approved under the current FIPS 140-3 +-certification. If the MAC is approved, this function returns +-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} ++Check if the given HASH is approved under the current FIPS 140-3 ++certification. If the HASH is approved, this function returns ++@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} + is returned. + ++@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, unsigned int] ++ ++Check if the given MAC is approved under the current FIPS 140-3 ++certification. The second parameter provides the keylen (if the ++algorithm supports different key sizes). If the MAC is approved, ++this function returns @code{GPS_ERR_NO_ERROR}. Otherwise ++@code{GPG_ERR_NOT_SUPPORTED} is returned. 
++ + @item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos + + Check if the given message digest algorithm is approved under the current +Index: libgcrypt-1.10.2/src/fips.c +=================================================================== +--- libgcrypt-1.10.2.orig/src/fips.c ++++ libgcrypt-1.10.2/src/fips.c +@@ -377,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg + } + } + +-int +-_gcry_fips_indicator_mac (va_list arg_ptr) +-{ +- enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos); +- +- switch (alg) +- { +- case GCRY_MAC_CMAC_AES: +- case GCRY_MAC_HMAC_SHA1: +- case GCRY_MAC_HMAC_SHA224: +- case GCRY_MAC_HMAC_SHA256: +- case GCRY_MAC_HMAC_SHA384: +- case GCRY_MAC_HMAC_SHA512: +- case GCRY_MAC_HMAC_SHA512_224: +- case GCRY_MAC_HMAC_SHA512_256: +- case GCRY_MAC_HMAC_SHA3_224: +- case GCRY_MAC_HMAC_SHA3_256: +- case GCRY_MAC_HMAC_SHA3_384: +- case GCRY_MAC_HMAC_SHA3_512: +- return GPG_ERR_NO_ERROR; +- default: +- return GPG_ERR_NOT_SUPPORTED; +- } +-} +- + /* FIPS approved curves, extracted from: + * cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. 
*/ + static const struct +@@ -598,6 +574,62 @@ _gcry_fips_indicator_pk_flags (va_list a + return GPG_ERR_NOT_SUPPORTED; + } + ++int ++_gcry_fips_indicator_hash (va_list arg_ptr) ++{ ++ enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos); ++ ++ switch (alg) ++ { ++ case GCRY_MD_SHA1: ++ case GCRY_MD_SHA224: ++ case GCRY_MD_SHA256: ++ case GCRY_MD_SHA384: ++ case GCRY_MD_SHA512: ++ case GCRY_MD_SHA512_224: ++ case GCRY_MD_SHA512_256: ++ case GCRY_MD_SHA3_224: ++ case GCRY_MD_SHA3_256: ++ case GCRY_MD_SHA3_384: ++ case GCRY_MD_SHA3_512: ++ case GCRY_MD_SHAKE128: ++ case GCRY_MD_SHAKE256: ++ return GPG_ERR_NO_ERROR; ++ default: ++ return GPG_ERR_NOT_SUPPORTED; ++ } ++} ++ ++int ++_gcry_fips_indicator_mac (va_list arg_ptr) ++{ ++ enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos); ++ unsigned int keylen = va_arg (arg_ptr, unsigned int); ++ ++ switch (alg) ++ { ++ case GCRY_MAC_HMAC_SHA1: ++ case GCRY_MAC_HMAC_SHA224: ++ case GCRY_MAC_HMAC_SHA256: ++ case GCRY_MAC_HMAC_SHA384: ++ case GCRY_MAC_HMAC_SHA512: ++ case GCRY_MAC_HMAC_SHA512_224: ++ case GCRY_MAC_HMAC_SHA512_256: ++ case GCRY_MAC_HMAC_SHA3_224: ++ case GCRY_MAC_HMAC_SHA3_256: ++ case GCRY_MAC_HMAC_SHA3_384: ++ case GCRY_MAC_HMAC_SHA3_512: ++ if (keylen >= 112) { ++ return GPG_ERR_NO_ERROR; ++ } ++ case GCRY_MAC_CMAC_AES: ++ if (keylen == 128 || keylen == 192 || keylen == 256) { ++ return GPG_ERR_NO_ERROR; ++ } ++ default: ++ return GPG_ERR_NOT_SUPPORTED; ++ } ++} + + /* This is a test on whether the library is in the error or + operational state. 
*/ +Index: libgcrypt-1.10.2/src/g10lib.h +=================================================================== +--- libgcrypt-1.10.2.orig/src/g10lib.h ++++ libgcrypt-1.10.2/src/g10lib.h +@@ -456,6 +456,7 @@ void _gcry_fips_signal_error (const char + #endif + + int _gcry_fips_indicator_cipher (va_list arg_ptr); ++int _gcry_fips_indicator_hash (va_list arg_ptr); + int _gcry_fips_indicator_mac (va_list arg_ptr); + int _gcry_fips_indicator_md (va_list arg_ptr); + int _gcry_fips_indicator_kdf (va_list arg_ptr); +Index: libgcrypt-1.10.2/src/gcrypt.h.in +=================================================================== +--- libgcrypt-1.10.2.orig/src/gcrypt.h.in ++++ libgcrypt-1.10.2/src/gcrypt.h.in +@@ -335,7 +335,8 @@ enum gcry_ctl_cmds + GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85, + GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86, + GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87, +- GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88 ++ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88, ++ GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89 + }; + + /* Perform various operations defined by CMD. */ +Index: libgcrypt-1.10.2/src/global.c +=================================================================== +--- libgcrypt-1.10.2.orig/src/global.c ++++ libgcrypt-1.10.2/src/global.c +@@ -791,6 +791,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, + rc = _gcry_fips_indicator_cipher (arg_ptr); + break; + ++ case GCRYCTL_FIPS_SERVICE_INDICATOR_HASH: ++ /* Get FIPS Service Indicator for a given HASH. Returns GPG_ERR_NO_ERROR ++ * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */ ++ rc = _gcry_fips_indicator_hash (arg_ptr); ++ break; ++ + case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC: + /* Get FIPS Service Indicator for a given message authentication code. + * Returns GPG_ERR_NO_ERROR if algorithm is allowed or diff --git a/libgcrypt-FIPS-SLI-kdf-leylength.patch b/libgcrypt-FIPS-SLI-kdf-leylength.patch new file mode 100644 index 0000000..8bb0a7d --- /dev/null +++ b/libgcrypt-FIPS-SLI-kdf-leylength.patch 
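Review bot: `_gcry_fips_indicator_mac` now reads the key length with `unsigned int keylen = va_arg (arg_ptr, unsigned int);` unconditionally, while the texi text documents that second argument as optional (`[, unsigned int]`); an existing caller that issues `GCRYCTL_FIPS_SERVICE_INDICATOR_MAC` with only the algorithm then reads past its variadic arguments, which is undefined behaviour, so either the doc should say the length is required or the code must not rely on it being there. The kdf hunk has the same optional-in-docs, read-in-code mismatch for `GCRY_KDF_PBKDF2`. The HMAC and CMAC cases also fall through implicitly when their length check fails; the outcome is still `GPG_ERR_NOT_SUPPORTED` only because no HMAC length below 112 can equal 128/192/256, so a `return GPG_ERR_NOT_SUPPORTED;` after each `if` (or at least a `/* fallthrough */` marker) would make the intent explicit and keep `-Wimplicit-fallthrough` quiet. The unit of `keylen` (bits, as the 112 threshold implies) is not stated in the texi, and both new paragraphs misspell the return code as `GPS_ERR_NO_ERROR`.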
@@ -0,0 +1,42 @@ +Index: libgcrypt-1.10.2/src/fips.c +=================================================================== +--- libgcrypt-1.10.2.orig/src/fips.c ++++ libgcrypt-1.10.2/src/fips.c +@@ -520,10 +520,15 @@ int + _gcry_fips_indicator_kdf (va_list arg_ptr) + { + enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos); ++ unsigned int keylen = 0; + + switch (alg) + { + case GCRY_KDF_PBKDF2: ++ keylen = va_arg (arg_ptr, unsigned int); ++ if (keylen < 112) { ++ return GPG_ERR_NOT_SUPPORTED; ++ } + return GPG_ERR_NO_ERROR; + default: + return GPG_ERR_NOT_SUPPORTED; +Index: libgcrypt-1.10.2/doc/gcrypt.texi +=================================================================== +--- libgcrypt-1.10.2.orig/doc/gcrypt.texi ++++ libgcrypt-1.10.2/doc/gcrypt.texi +@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3 + combination is approved, this function returns @code{GPG_ERR_NO_ERROR}. + Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. + +-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos ++@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int] + + Check if the given KDF is approved under the current FIPS 140-3 +-certification. If the KDF is approved, this function returns +-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} +-is returned. ++certification. The second parameter provides the keylength in bits. ++Keylength values of less that 112 bits are considered non-approved. ++If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}. ++Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. + + @item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char * + diff --git a/libgcrypt-FIPS-SLI-pk.patch b/libgcrypt-FIPS-SLI-pk.patch new file mode 100644 index 0000000..a7565d2 --- /dev/null +++ b/libgcrypt-FIPS-SLI-pk.patch 
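Review bot: The 112-bit floor in `if (keylen < 112)` is a bare magic number that the hash-mac patch repeats inside `_gcry_fips_indicator_mac`; a named constant shared by both indicators (e.g. a `FIPS_MIN_KEYLEN_BITS`-style macro at the top of fips.c, name constructed) would keep the two checks in step if the threshold ever changes, and a short comment naming the source of the 112-bit requirement would help the next reader. In the texi paragraph, `less that 112 bits` should read `less than 112 bits`. The inner hunk ends at the `default:` arm, so the closing lines of `_gcry_fips_indicator_kdf` are outside it.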
@@ -0,0 +1,177 @@ +Index: libgcrypt-1.10.2/src/fips.c +=================================================================== +--- libgcrypt-1.10.2.orig/src/fips.c ++++ libgcrypt-1.10.2/src/fips.c +@@ -38,6 +38,7 @@ + + #include "g10lib.h" + #include "cipher-proto.h" ++#include "cipher.h" + #include "../random/random.h" + + /* The states of the finite state machine used in fips mode. */ +@@ -399,6 +400,94 @@ _gcry_fips_indicator_mac (va_list arg_pt + default: + return GPG_ERR_NOT_SUPPORTED; + } ++} ++ ++/* FIPS approved curves, extracted from: ++ * cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */ ++static const struct ++{ ++ const char *name; /* Our name. */ ++ const char *other; /* Other name. */ ++} fips_approved_curve[] = ++ { ++ /* "NIST P-192" is non-approved if FIPS 140-3 */ ++ /* { "NIST P-192", "1.2.840.10045.3.1.1" }, /\* X9.62 OID *\/ */ ++ /* { "NIST P-192", "prime192v1" }, /\* X9.62 name. *\/ */ ++ /* { "NIST P-192", "secp192r1" }, /\* SECP name. *\/ */ ++ /* { "NIST P-192", "nistp192" }, /\* rfc5656. *\/ */ ++ ++ { "NIST P-224", "secp224r1" }, ++ { "NIST P-224", "1.3.132.0.33" }, /* SECP OID. */ ++ { "NIST P-224", "nistp224" }, /* rfc5656. */ ++ ++ { "NIST P-256", "1.2.840.10045.3.1.7" }, /* From NIST SP 800-78-1. */ ++ { "NIST P-256", "prime256v1" }, ++ { "NIST P-256", "secp256r1" }, ++ { "NIST P-256", "nistp256" }, /* rfc5656. */ ++ ++ { "NIST P-384", "secp384r1" }, ++ { "NIST P-384", "1.3.132.0.34" }, ++ { "NIST P-384", "nistp384" }, /* rfc5656. */ ++ ++ { "NIST P-521", "secp521r1" }, ++ { "NIST P-521", "1.3.132.0.35" }, ++ { "NIST P-521", "nistp521" }, /* rfc5656. 
*/ ++ { NULL, NULL} ++ }; ++ ++enum pk_operation convert_from_pk_usage(unsigned int pk_usage) ++{ ++ switch (pk_usage) ++ { ++ case GCRY_PK_USAGE_SIGN: ++ return PUBKEY_OP_SIGN; ++ case GCRY_PK_USAGE_ENCR: ++ return PUBKEY_OP_ENCRYPT; ++ default: ++ return PUBKEY_OP_DECRYPT; ++ } ++} ++ ++int ++_gcry_fips_indicator_pk (va_list arg_ptr) ++{ ++ enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos); ++ enum pk_operation oper; ++ unsigned int keylen; ++ const char *curve_name; ++ ++ switch (alg) ++ { ++ case GCRY_PK_RSA: ++ case GCRY_PK_RSA_E: ++ case GCRY_PK_RSA_S: ++ oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int)); ++ switch (oper) ++ { ++ case PUBKEY_OP_ENCRYPT: ++ case PUBKEY_OP_DECRYPT: ++ return GPG_ERR_NOT_SUPPORTED; ++ default: ++ keylen = va_arg (arg_ptr, unsigned int); ++ if (keylen < 2048) ++ return GPG_ERR_NOT_SUPPORTED; ++ return GPG_ERR_NO_ERROR; ++ } ++ case GCRY_PK_ECC: ++ case GCRY_PK_ECDH: ++ case GCRY_PK_ECDSA: ++ curve_name = va_arg (arg_ptr, const char *); ++ for (int idx = 0; fips_approved_curve[idx].name; ++idx) ++ { ++ /* Check for the usual name and an alias. */ ++ if (!strcmp (curve_name, fips_approved_curve[idx].name) || ++ !strcmp (curve_name, fips_approved_curve[idx].other)) ++ return GPG_ERR_NO_ERROR; ++ } ++ return GPG_ERR_NOT_SUPPORTED; ++ default: ++ return GPG_ERR_NOT_SUPPORTED; ++ } + } + + int +Index: libgcrypt-1.10.2/src/gcrypt.h.in +=================================================================== +--- libgcrypt-1.10.2.orig/src/gcrypt.h.in ++++ libgcrypt-1.10.2/src/gcrypt.h.in +@@ -334,7 +334,8 @@ enum gcry_ctl_cmds + GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84, + GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85, + GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86, +- GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87 ++ GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87, ++ GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88 + }; + + /* Perform various operations defined by CMD. 
*/ +Index: libgcrypt-1.10.2/doc/gcrypt.texi +=================================================================== +--- libgcrypt-1.10.2.orig/doc/gcrypt.texi ++++ libgcrypt-1.10.2/doc/gcrypt.texi +@@ -997,6 +997,19 @@ Check if the given message digest algori + FIPS 140-3 certification. If the algorithm is approved, this function returns + @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned. + ++@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos [, constantsGCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)] [, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)] ++ ++Check if the given asymmetric cipher is approved under the current ++FIPS 140-3 certification. For GCRY_PK_RSA, two additional parameter ++are required: first describes the purpose of the algorithm through one ++of the constants (GCRY_PK_USAGE_ENCR for encryption or decryption ++operations; GCRY_PK_USAGE_SIGN for sign or verify operations). Second ++one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and ++GCRY_PK_ECDSA, only a single parameter is needed: the curve name or ++its alias as @code{const char *}. If the combination is approved, this ++function returns @code{GPG_ERR_NO_ERROR}. Otherwise ++@code{GPG_ERR_NOT_SUPPORTED} is returned. 
++ + @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char * + + Check if the given public key operation flag or s-expression object name is +Index: libgcrypt-1.10.2/src/g10lib.h +=================================================================== +--- libgcrypt-1.10.2.orig/src/g10lib.h ++++ libgcrypt-1.10.2/src/g10lib.h +@@ -460,6 +460,7 @@ int _gcry_fips_indicator_mac (va_list ar + int _gcry_fips_indicator_md (va_list arg_ptr); + int _gcry_fips_indicator_kdf (va_list arg_ptr); + int _gcry_fips_indicator_function (va_list arg_ptr); ++int _gcry_fips_indicator_pk (va_list arg_ptr); + int _gcry_fips_indicator_pk_flags (va_list arg_ptr); + + int _gcry_fips_is_operational (void); +Index: libgcrypt-1.10.2/src/global.c +=================================================================== +--- libgcrypt-1.10.2.orig/src/global.c ++++ libgcrypt-1.10.2/src/global.c +@@ -825,6 +834,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, + rc = _gcry_fips_indicator_pk_flags (arg_ptr); + break; + ++ case GCRYCTL_FIPS_SERVICE_INDICATOR_PK: ++ /* Get FIPS Service Indicator for a given asymmetric algorithm. For ++ * GCRY_PK_RSA, an additional parameter for the operation mode is ++ * required. For ECC, ECDH and ECDSA, the additional parameter is the ++ * curve name or its alias. Returns GPG_ERR_NO_ERROR if the ++ * algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise. */ ++ rc = _gcry_fips_indicator_pk (arg_ptr); ++ break; ++ + case PRIV_CTL_INIT_EXTRNG_TEST: /* Init external random test. */ + rc = GPG_ERR_NOT_SUPPORTED; + break; diff --git a/libgcrypt-FIPS-rndjent_poll.patch b/libgcrypt-FIPS-rndjent_poll.patch new file mode 100644 index 0000000..7619473 --- /dev/null +++ b/libgcrypt-FIPS-rndjent_poll.patch 
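Review bot: In `_gcry_fips_indicator_pk` the ECC branch hands `curve_name` straight to `strcmp`, so a caller that issues `GCRYCTL_FIPS_SERVICE_INDICATOR_PK` for `GCRY_PK_ECC` with a NULL curve name dereferences NULL; add `if (!curve_name) return GPG_ERR_NOT_SUPPORTED;` before the loop over `fips_approved_curve`. `convert_from_pk_usage` is a file-local helper defined without `static`, which turns it into a global symbol of the library while every other helper in this file carries the `_gcry_` prefix; `static enum pk_operation convert_from_pk_usage (unsigned int pk_usage)` keeps it private. Its `default:` arm maps every usage value other than SIGN or ENCR to `PUBKEY_OP_DECRYPT`, which is only correct because the RSA switch treats DECRYPT as non-approved; a one-line comment such as `/* unknown usage values deliberately land in a non-approved operation */` would stop a later edit from breaking that coupling. The texi paragraph has `constantsGCRY_PK_USAGE_ENCR` (missing space) and `two additional parameter` where `parameters` is meant.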
@@ -0,0 +1,114 @@ +Index: libgcrypt-1.10.0/random/rndoldlinux.c +=================================================================== +--- libgcrypt-1.10.0.orig/random/rndoldlinux.c ++++ libgcrypt-1.10.0/random/rndoldlinux.c +@@ -132,7 +132,7 @@ _gcry_rndoldlinux_gather_random (void (* + volatile pid_t apid; + int fd; + int n; +- byte buffer[768]; ++ byte buffer[256]; + size_t n_hw; + size_t want = length; + size_t last_so_far = 0; +@@ -187,26 +187,43 @@ _gcry_rndoldlinux_gather_random (void (* + my_pid = apid; + } + ++ if (fips_mode()) ++ { ++ if (level >= GCRY_VERY_STRONG_RANDOM) ++ { ++ size_t n; + +- /* First read from a hardware source. Note that _gcry_rndhw_poll_slow lets +- it account only for up to 50% (or 25% for RDRAND) of the requested +- bytes. */ +- n_hw = _gcry_rndhw_poll_slow (add, origin, length); +- if (length > 1) +- length -= n_hw; +- +- /* When using a blocking random generator try to get some entropy +- * from the jitter based RNG. In this case we take up to 50% of the +- * remaining requested bytes. */ +- if (level >= GCRY_VERY_STRONG_RANDOM) +- { +- n_hw = _gcry_rndjent_poll (add, origin, length/2); +- if (n_hw > length/2) +- n_hw = length/2; ++ n = _gcry_rndjent_poll (add, origin, length); ++ if (n == 0) ++ log_fatal ("unexpected error from rndjent: %s\n", ++ strerror (errno)); ++ if (n > length) ++ n = length; ++ if (length > 1) ++ length -= n; ++ } ++ } ++ else ++ { ++ /* First read from a hardware source. Note that _gcry_rndhw_poll_slow lets ++ it account only for up to 50% (or 25% for RDRAND) of the requested ++ bytes. */ ++ n_hw = _gcry_rndhw_poll_slow (add, origin, length); + if (length > 1) + length -= n_hw; +- } + ++ /* When using a blocking random generator try to get some entropy ++ * from the jitter based RNG. In this case we take up to 50% of the ++ * remaining requested bytes. 
*/ ++ if (level >= GCRY_VERY_STRONG_RANDOM) ++ { ++ n_hw = _gcry_rndjent_poll (add, origin, length/2); ++ if (n_hw > length/2) ++ n_hw = length/2; ++ if (length > 1) ++ length -= n_hw; ++ } ++ } + + /* Open the requested device. The first time a device is to be + opened we fail with a fatal error if the device does not exists. +@@ -262,8 +279,6 @@ _gcry_rndoldlinux_gather_random (void (* + do + { + nbytes = length < sizeof(buffer)? length : sizeof(buffer); +- if (nbytes > 256) +- nbytes = 256; + _gcry_pre_syscall (); + ret = getentropy (buffer, nbytes); + _gcry_post_syscall (); +Index: libgcrypt-1.10.0/random/rndjent.c +=================================================================== +--- libgcrypt-1.10.0.orig/random/rndjent.c ++++ libgcrypt-1.10.0/random/rndjent.c +@@ -279,13 +279,24 @@ _gcry_rndjent_poll (void (*add)(const vo + if (!jent_rng_is_initialized) + { + /* Auto-initialize. */ +- jent_rng_is_initialized = 1; + jent_entropy_collector_free (jent_rng_collector); + jent_rng_collector = NULL; + if ( !(_gcry_random_read_conf () & RANDOM_CONF_DISABLE_JENT)) + { +- if (!jent_entropy_init ()) +- jent_rng_collector = jent_entropy_collector_alloc (1, 0); ++ if (!jent_entropy_init_ex (1, 0)) ++ { ++ jent_rng_collector = jent_entropy_collector_alloc (1, 0); ++ jent_rng_is_initialized = 1; ++ } ++ } ++ } ++ ++ if (!jent_rng_collector) ++ { ++ if (!jent_entropy_init_ex (1, 0)) ++ { ++ jent_rng_collector = jent_entropy_collector_alloc (1, 0); ++ jent_rng_is_initialized = 1; + } + } + diff --git a/libgcrypt-jitterentropy-3.4.0.patch b/libgcrypt-jitterentropy-3.4.0.patch new file mode 100644 index 0000000..8b01886 --- /dev/null +++ b/libgcrypt-jitterentropy-3.4.0.patch 
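Review bot: In the rndjent.c hunk, the new `if (!jent_rng_collector)` block calls `jent_entropy_init_ex (1, 0)` without consulting `RANDOM_CONF_DISABLE_JENT`, so a configuration that disables the jitter source is bypassed from the second poll onward, and the full jent self-test is re-run on every call while initialization keeps failing. Guarding it the same way as the first block, `if (!jent_rng_collector && !(_gcry_random_read_conf () & RANDOM_CONF_DISABLE_JENT))`, restores the opt-out and avoids repeated init attempts; if the flag is enforced by a caller outside the hunk, a comment saying so would help. In the rndoldlinux.c hunk, `log_fatal ("unexpected error from rndjent: %s\n", strerror (errno))` reports errno although nothing visible shows that `_gcry_rndjent_poll` sets it on a zero return, so the message may name an unrelated error; consider dropping the `strerror` part or documenting the errno contract. Both enclosing functions start and end outside the hunk.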
@@ -0,0 +1,618 @@ +Index: libgcrypt-1.10.0/random/jitterentropy-base.c +=================================================================== +--- libgcrypt-1.10.0.orig/random/jitterentropy-base.c ++++ libgcrypt-1.10.0/random/jitterentropy-base.c +@@ -42,7 +42,7 @@ + * require consumer to be updated (as long as this number + * is zero, the API is not considered stable and can + * change without a bump of the major version) */ +-#define MINVERSION 3 /* API compatible, ABI may change, functional ++#define MINVERSION 4 /* API compatible, ABI may change, functional + * enhancements only, consumer can be left unchanged if + * enhancements are not considered */ + #define PATCHLEVEL 0 /* API / ABI compatible, no functional changes, no +@@ -200,29 +200,38 @@ ssize_t jent_read_entropy(struct rand_da + tocopy = (DATA_SIZE_BITS / 8); + else + tocopy = len; +- memcpy(p, &ec->data, tocopy); ++ ++ jent_read_random_block(ec, p, tocopy); + + len -= tocopy; + p += tocopy; + } + + /* +- * To be on the safe side, we generate one more round of entropy +- * which we do not give out to the caller. That round shall ensure +- * that in case the calling application crashes, memory dumps, pages +- * out, or due to the CPU Jitter RNG lingering in memory for long +- * time without being moved and an attacker cracks the application, +- * all he reads in the entropy pool is a value that is NEVER EVER +- * being used for anything. Thus, he does NOT see the previous value +- * that was returned to the caller for cryptographic purposes. ++ * Enhanced backtracking support: At this point, the hash state ++ * contains the digest of the previous Jitter RNG collection round ++ * which is inserted there by jent_read_random_block with the SHA ++ * update operation. At the current code location we completed ++ * one request for a caller and we do not know how long it will ++ * take until a new request is sent to us. To guarantee enhanced ++ * backtracking resistance at this point (i.e. 
ensure that an attacker ++ * cannot obtain information about prior random numbers we generated), ++ * but still stirring the hash state with old data the Jitter RNG ++ * obtains a new message digest from its state and re-inserts it. ++ * After this operation, the Jitter RNG state is still stirred with ++ * the old data, but an attacker who gets access to the memory after ++ * this point cannot deduce the random numbers produced by the ++ * Jitter RNG prior to this point. + */ + /* +- * If we use secured memory, do not use that precaution as the secure +- * memory protects the entropy pool. Moreover, note that using this +- * call reduces the speed of the RNG by up to half ++ * If we use secured memory, where backtracking support may not be ++ * needed because the state is protected in a different method, ++ * it is permissible to drop this support. But strongly weigh the ++ * pros and cons considering that the SHA3 operation is not that ++ * expensive. + */ + #ifndef JENT_CPU_JITTERENTROPY_SECURE_MEMORY +- jent_random_data(ec); ++ jent_read_random_block(ec, NULL, 0); + #endif + + err: +@@ -379,6 +388,7 @@ static struct rand_data + *jent_entropy_collector_alloc_internal(unsigned int osr, unsigned int flags) + { + struct rand_data *entropy_collector; ++ uint32_t memsize = 0; + + /* + * Requesting disabling and forcing of internal timer +@@ -405,7 +415,7 @@ static struct rand_data + return NULL; + + if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) { +- uint32_t memsize = jent_memsize(flags); ++ memsize = jent_memsize(flags); + + entropy_collector->mem = _gcry_calloc (1, memsize); + +@@ -431,13 +441,19 @@ static struct rand_data + entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS; + } + ++ if (sha3_alloc(&entropy_collector->hash_state)) ++ goto err; ++ ++ /* Initialize the hash state */ ++ sha3_256_init(entropy_collector->hash_state); ++ + /* verify and set the oversampling rate */ + if (osr < JENT_MIN_OSR) + osr = JENT_MIN_OSR; + entropy_collector->osr = osr; + 
entropy_collector->flags = flags; + +- if (jent_fips_enabled() || (flags & JENT_FORCE_FIPS)) ++ if ((flags & JENT_FORCE_FIPS) || jent_fips_enabled()) + entropy_collector->fips_enabled = 1; + + /* Initialize the APT */ +@@ -469,7 +485,7 @@ static struct rand_data + + err: + if (entropy_collector->mem != NULL) +- jent_zfree(entropy_collector->mem, JENT_MEMORY_SIZE); ++ jent_zfree(entropy_collector->mem, memsize); + jent_zfree(entropy_collector, sizeof(struct rand_data)); + return NULL; + } +@@ -511,6 +527,7 @@ JENT_PRIVATE_STATIC + void jent_entropy_collector_free(struct rand_data *entropy_collector) + { + if (entropy_collector != NULL) { ++ sha3_dealloc(entropy_collector->hash_state); + jent_notime_disable(entropy_collector); + if (entropy_collector->mem != NULL) { + jent_zfree(entropy_collector->mem, +@@ -664,6 +681,7 @@ static inline int jent_entropy_init_comm + int ret; + + jent_notime_block_switch(); ++ jent_health_cb_block_switch(); + + if (sha3_tester()) + return EHASH; +@@ -710,6 +728,8 @@ int jent_entropy_init_ex(unsigned int os + if (ret) + return ret; + ++ ret = ENOTIME; ++ + /* Test without internal timer unless caller does not want it */ + if (!(flags & JENT_FORCE_INTERNAL_TIMER)) + ret = jent_time_entropy_init(osr, +@@ -732,3 +752,9 @@ int jent_entropy_switch_notime_impl(stru + return jent_notime_switch(new_thread); + } + #endif ++ ++JENT_PRIVATE_STATIC ++int jent_set_fips_failure_callback(jent_fips_failure_cb cb) ++{ ++ return jent_set_fips_failure_callback_internal(cb); ++} +Index: libgcrypt-1.10.0/random/jitterentropy-gcd.c +=================================================================== +--- libgcrypt-1.10.0.orig/random/jitterentropy-gcd.c ++++ libgcrypt-1.10.0/random/jitterentropy-gcd.c +@@ -113,12 +113,8 @@ int jent_gcd_analyze(uint64_t *delta_his + goto out; + } + +- /* +- * Ensure that we have variations in the time stamp below 100 for at +- * least 10% of all checks -- on some platforms, the counter increments +- * in multiples of 100, but 
not always +- */ +- if (running_gcd >= 100) { ++ /* Set a sensible maximum value. */ ++ if (running_gcd >= UINT32_MAX / 2) { + ret = ECOARSETIME; + goto out; + } +Index: libgcrypt-1.10.0/random/jitterentropy-health.c +=================================================================== +--- libgcrypt-1.10.0.orig/random/jitterentropy-health.c ++++ libgcrypt-1.10.0/random/jitterentropy-health.c +@@ -19,9 +19,24 @@ + * DAMAGE. + */ + +-#include "jitterentropy.h" + #include "jitterentropy-health.h" + ++static jent_fips_failure_cb fips_cb = NULL; ++static int jent_health_cb_switch_blocked = 0; ++ ++void jent_health_cb_block_switch(void) ++{ ++ jent_health_cb_switch_blocked = 1; ++} ++ ++int jent_set_fips_failure_callback_internal(jent_fips_failure_cb cb) ++{ ++ if (jent_health_cb_switch_blocked) ++ return -EAGAIN; ++ fips_cb = cb; ++ return 0; ++} ++ + /*************************************************************************** + * Lag Predictor Test + * +@@ -434,5 +449,9 @@ unsigned int jent_health_failure(struct + if (!ec->fips_enabled) + return 0; + ++ if (fips_cb && ec->health_failure) { ++ fips_cb(ec, ec->health_failure); ++ } ++ + return ec->health_failure; + } +Index: libgcrypt-1.10.0/random/jitterentropy-health.h +=================================================================== +--- libgcrypt-1.10.0.orig/random/jitterentropy-health.h ++++ libgcrypt-1.10.0/random/jitterentropy-health.h +@@ -20,11 +20,16 @@ + #ifndef JITTERENTROPY_HEALTH_H + #define JITTERENTROPY_HEALTH_H + ++#include "jitterentropy.h" ++ + #ifdef __cplusplus + extern "C" + { + #endif + ++void jent_health_cb_block_switch(void); ++int jent_set_fips_failure_callback_internal(jent_fips_failure_cb cb); ++ + static inline uint64_t jent_delta(uint64_t prev, uint64_t next) + { + return (next - prev); +Index: libgcrypt-1.10.0/random/jitterentropy-noise.c +=================================================================== +--- libgcrypt-1.10.0.orig/random/jitterentropy-noise.c ++++ 
libgcrypt-1.10.0/random/jitterentropy-noise.c +@@ -33,7 +33,7 @@ + * Update of the loop count used for the next round of + * an entropy collection. + * +- * @ec [in] entropy collector struct -- may be NULL ++ * @ec [in] entropy collector struct + * @bits [in] is the number of low bits of the timer to consider + * @min [in] is the number of bits we shift the timer value to the right at + * the end to make sure we have a guaranteed minimum value +@@ -61,16 +61,13 @@ static uint64_t jent_loop_shuffle(struct + * Mix the current state of the random number into the shuffle + * calculation to balance that shuffle a bit more. + */ +- if (ec) { +- jent_get_nstime_internal(ec, &time); +- time ^= ec->data[0]; +- } ++ jent_get_nstime_internal(ec, &time); + + /* + * We fold the time value as much as possible to ensure that as many + * bits of the time stamp are included as possible. + */ +- for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) { ++ for (i = 0; (((sizeof(time) << 3) + bits - 1) / bits) > i; i++) { + shuffle ^= time & mask; + time = time >> bits; + } +@@ -91,11 +88,11 @@ static uint64_t jent_loop_shuffle(struct + * This function injects the individual bits of the time value into the + * entropy pool using a hash. + * +- * @ec [in] entropy collector struct -- may be NULL +- * @time [in] time stamp to be injected ++ * @ec [in] entropy collector struct ++ * @time [in] time delta to be injected + * @loop_cnt [in] if a value not equal to 0 is set, use the given value as + * number of loops to perform the hash operation +- * @stuck [in] Is the time stamp identified as stuck? ++ * @stuck [in] Is the time delta identified as stuck? 
+ * + * Output: + * updated hash context +@@ -104,17 +101,19 @@ static void jent_hash_time(struct rand_d + uint64_t loop_cnt, unsigned int stuck) + { + HASH_CTX_ON_STACK(ctx); +- uint8_t itermediary[SHA3_256_SIZE_DIGEST]; ++ uint8_t intermediary[SHA3_256_SIZE_DIGEST]; + uint64_t j = 0; +- uint64_t hash_loop_cnt; + #define MAX_HASH_LOOP 3 + #define MIN_HASH_LOOP 0 + + /* Ensure that macros cannot overflow jent_loop_shuffle() */ + BUILD_BUG_ON((MAX_HASH_LOOP + MIN_HASH_LOOP) > 63); +- hash_loop_cnt = ++ uint64_t hash_loop_cnt = + jent_loop_shuffle(ec, MAX_HASH_LOOP, MIN_HASH_LOOP); + ++ /* Use the memset to shut up valgrind */ ++ memset(intermediary, 0, sizeof(intermediary)); ++ + sha3_256_init(&ctx); + + /* +@@ -125,35 +124,54 @@ static void jent_hash_time(struct rand_d + hash_loop_cnt = loop_cnt; + + /* +- * This loop basically slows down the SHA-3 operation depending +- * on the hash_loop_cnt. Each iteration of the loop generates the +- * same result. ++ * This loop fills a buffer which is injected into the entropy pool. ++ * The main reason for this loop is to execute something over which we ++ * can perform a timing measurement. The injection of the resulting ++ * data into the pool is performed to ensure the result is used and ++ * the compiler cannot optimize the loop away in case the result is not ++ * used at all. Yet that data is considered "additional information" ++ * considering the terminology from SP800-90A without any entropy. ++ * ++ * Note, it does not matter which or how much data you inject, we are ++ * interested in one Keccack1600 compression operation performed with ++ * the sha3_final. 
+ */ + for (j = 0; j < hash_loop_cnt; j++) { +- sha3_update(&ctx, ec->data, SHA3_256_SIZE_DIGEST); +- sha3_update(&ctx, (uint8_t *)&time, sizeof(uint64_t)); ++ sha3_update(&ctx, intermediary, sizeof(intermediary)); ++ sha3_update(&ctx, (uint8_t *)&ec->rct_count, ++ sizeof(ec->rct_count)); ++ sha3_update(&ctx, (uint8_t *)&ec->apt_cutoff, ++ sizeof(ec->apt_cutoff)); ++ sha3_update(&ctx, (uint8_t *)&ec->apt_observations, ++ sizeof(ec->apt_observations)); ++ sha3_update(&ctx, (uint8_t *)&ec->apt_count, ++ sizeof(ec->apt_count)); ++ sha3_update(&ctx,(uint8_t *) &ec->apt_base, ++ sizeof(ec->apt_base)); + sha3_update(&ctx, (uint8_t *)&j, sizeof(uint64_t)); ++ sha3_final(&ctx, intermediary); ++ } + +- /* +- * If the time stamp is stuck, do not finally insert the value +- * into the entropy pool. Although this operation should not do +- * any harm even when the time stamp has no entropy, SP800-90B +- * requires that any conditioning operation to have an identical +- * amount of input data according to section 3.1.5. +- */ ++ /* ++ * Inject the data from the previous loop into the pool. This data is ++ * not considered to contain any entropy, but it stirs the pool a bit. ++ */ ++ sha3_update(ec->hash_state, intermediary, sizeof(intermediary)); + +- /* +- * The sha3_final operations re-initialize the context for the +- * next loop iteration. +- */ +- if (stuck || (j < hash_loop_cnt - 1)) +- sha3_final(&ctx, itermediary); +- else +- sha3_final(&ctx, ec->data); +- } ++ /* ++ * Insert the time stamp into the hash context representing the pool. ++ * ++ * If the time stamp is stuck, do not finally insert the value into the ++ * entropy pool. Although this operation should not do any harm even ++ * when the time stamp has no entropy, SP800-90B requires that any ++ * conditioning operation to have an identical amount of input data ++ * according to section 3.1.5. 
++ */ ++ if (!stuck) ++ sha3_update(ec->hash_state, (uint8_t *)&time, sizeof(uint64_t)); + + jent_memset_secure(&ctx, SHA_MAX_CTX_SIZE); +- jent_memset_secure(itermediary, sizeof(itermediary)); ++ jent_memset_secure(intermediary, sizeof(intermediary)); + } + + #define MAX_ACC_LOOP_BIT 7 +@@ -184,13 +202,12 @@ static inline uint32_t xoshiro128starsta + + static void jent_memaccess(struct rand_data *ec, uint64_t loop_cnt) + { +- uint64_t i = 0; ++ uint64_t i = 0, time = 0; + union { + uint32_t u[4]; + uint8_t b[sizeof(uint32_t) * 4]; + } prngState = { .u = {0x8e93eec0, 0xce65608a, 0xa8d46b46, 0xe83cef69} }; + uint32_t addressMask; +- uint64_t acc_loop_cnt; + + if (NULL == ec || NULL == ec->mem) + return; +@@ -199,7 +216,7 @@ static void jent_memaccess(struct rand_d + + /* Ensure that macros cannot overflow jent_loop_shuffle() */ + BUILD_BUG_ON((MAX_ACC_LOOP_BIT + MIN_ACC_LOOP_BIT) > 63); +- acc_loop_cnt = ++ uint64_t acc_loop_cnt = + jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT); + + /* +@@ -213,8 +230,10 @@ static void jent_memaccess(struct rand_d + * "per-update: timing, it gets you mostly independent "per-update" + * timing, so we can now benefit from the Central Limit Theorem! 
+ */ +- for (i = 0; i < sizeof(prngState); i++) +- prngState.b[i] ^= ec->data[i]; ++ for (i = 0; i < sizeof(prngState); i++) { ++ jent_get_nstime_internal(ec, &time); ++ prngState.b[i] ^= (uint8_t)(time & 0xff); ++ } + + /* + * testing purposes -- allow test app to set the counter, not +@@ -358,21 +377,21 @@ unsigned int jent_measure_jitter(struct + + /** + * Generator of one 256 bit random number +- * Function fills rand_data->data ++ * Function fills rand_data->hash_state + * + * @ec [in] Reference to entropy collector + */ + void jent_random_data(struct rand_data *ec) + { +- unsigned int k = 0, safety_factor = ENTROPY_SAFETY_FACTOR; ++ unsigned int k = 0, safety_factor = 0; + +- if (!ec->fips_enabled) +- safety_factor = 0; ++ if (ec->fips_enabled) ++ safety_factor = ENTROPY_SAFETY_FACTOR; + + /* priming of the ->prev_time value */ + jent_measure_jitter(ec, 0, NULL); + +- while (1) { ++ while (!jent_health_failure(ec)) { + /* If a stuck measurement is received, repeat measurement */ + if (jent_measure_jitter(ec, 0, NULL)) + continue; +@@ -385,3 +404,22 @@ void jent_random_data(struct rand_data * + break; + } + } ++ ++void jent_read_random_block(struct rand_data *ec, char *dst, size_t dst_len) ++{ ++ uint8_t jent_block[SHA3_256_SIZE_DIGEST]; ++ ++ BUILD_BUG_ON(SHA3_256_SIZE_DIGEST != (DATA_SIZE_BITS / 8)); ++ ++ /* The final operation automatically re-initializes the ->hash_state */ ++ sha3_final(ec->hash_state, jent_block); ++ if (dst_len) ++ memcpy(dst, jent_block, dst_len); ++ ++ /* ++ * Stir the new state with the data from the old state - the digest ++ * of the old data is not considered to have entropy. 
++ */ ++ sha3_update(ec->hash_state, jent_block, sizeof(jent_block)); ++ jent_memset_secure(jent_block, sizeof(jent_block)); ++} +Index: libgcrypt-1.10.0/random/jitterentropy-noise.h +=================================================================== +--- libgcrypt-1.10.0.orig/random/jitterentropy-noise.h ++++ libgcrypt-1.10.0/random/jitterentropy-noise.h +@@ -31,6 +31,7 @@ unsigned int jent_measure_jitter(struct + uint64_t loop_cnt, + uint64_t *ret_current_delta); + void jent_random_data(struct rand_data *ec); ++void jent_read_random_block(struct rand_data *ec, char *dst, size_t dst_len); + + #ifdef __cplusplus + } +Index: libgcrypt-1.10.0/random/jitterentropy-sha3.c +=================================================================== +--- libgcrypt-1.10.0.orig/random/jitterentropy-sha3.c ++++ libgcrypt-1.10.0/random/jitterentropy-sha3.c +@@ -19,6 +19,7 @@ + */ + + #include "jitterentropy-sha3.h" ++#include "jitterentropy.h" + + /*************************************************************************** + * Message Digest Implementation +@@ -380,3 +381,23 @@ int sha3_tester(void) + + return 0; + } ++ ++int sha3_alloc(void **hash_state) ++{ ++ struct sha_ctx *tmp; ++ ++ tmp = jent_zalloc(SHA_MAX_CTX_SIZE); ++ if (!tmp) ++ return 1; ++ ++ *hash_state = tmp; ++ ++ return 0; ++} ++ ++void sha3_dealloc(void *hash_state) ++{ ++ struct sha_ctx *ctx = (struct sha_ctx *)hash_state; ++ ++ jent_zfree(ctx, SHA_MAX_CTX_SIZE); ++} +Index: libgcrypt-1.10.0/random/jitterentropy-sha3.h +=================================================================== +--- libgcrypt-1.10.0.orig/random/jitterentropy-sha3.h ++++ libgcrypt-1.10.0/random/jitterentropy-sha3.h +@@ -47,6 +47,8 @@ struct sha_ctx { + void sha3_256_init(struct sha_ctx *ctx); + void sha3_update(struct sha_ctx *ctx, const uint8_t *in, size_t inlen); + void sha3_final(struct sha_ctx *ctx, uint8_t *digest); ++int sha3_alloc(void **hash_state); ++void sha3_dealloc(void *hash_state); + int sha3_tester(void); + + #ifdef 
__cplusplus +Index: libgcrypt-1.10.0/random/jitterentropy-timer.c +=================================================================== +--- libgcrypt-1.10.0.orig/random/jitterentropy-timer.c ++++ libgcrypt-1.10.0/random/jitterentropy-timer.c +@@ -202,8 +202,8 @@ int jent_notime_enable(struct rand_data + if (jent_force_internal_timer || (flags & JENT_FORCE_INTERNAL_TIMER)) { + /* Self test not run yet */ + if (!jent_force_internal_timer && +- jent_time_entropy_init(flags | JENT_FORCE_INTERNAL_TIMER, +- ec->osr)) ++ jent_time_entropy_init(ec->osr, ++ flags | JENT_FORCE_INTERNAL_TIMER)) + return EHEALTH; + + ec->enable_notime = 1; +Index: libgcrypt-1.10.0/random/jitterentropy.h +=================================================================== +--- libgcrypt-1.10.0.orig/random/jitterentropy.h ++++ libgcrypt-1.10.0/random/jitterentropy.h +@@ -49,7 +49,7 @@ + ***************************************************************************/ + + /* +- * Enable timer-less timer support ++ * Enable timer-less timer support with JENT_CONF_ENABLE_INTERNAL_TIMER + * + * In case the hardware is identified to not provide a high-resolution time + * stamp, this option enables a built-in high-resolution time stamp mechanism. +@@ -166,7 +166,7 @@ struct rand_data + * of the RNG are marked as SENSITIVE. A user must not + * access that information while the RNG executes its loops to + * calculate the next random value. */ +- uint8_t data[SHA3_256_SIZE_DIGEST]; /* SENSITIVE Actual random number */ ++ void *hash_state; /* SENSITIVE hash state entropy pool */ + uint64_t prev_time; /* SENSITIVE Previous time stamp */ + #define DATA_SIZE_BITS (SHA3_256_SIZE_DIGEST_BITS) + +@@ -378,28 +378,34 @@ int jent_entropy_init(void); + JENT_PRIVATE_STATIC + int jent_entropy_init_ex(unsigned int osr, unsigned int flags); + ++/* ++ * Set a callback to run on health failure in FIPS mode. ++ * This function will take an action determined by the caller. 
++ */ ++typedef void (*jent_fips_failure_cb)(struct rand_data *ec, ++ unsigned int health_failure); ++JENT_PRIVATE_STATIC ++int jent_set_fips_failure_callback(jent_fips_failure_cb cb); ++ + /* return version number of core library */ + JENT_PRIVATE_STATIC + unsigned int jent_version(void); + +-#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER + /* Set a different thread handling logic for the notimer support */ + JENT_PRIVATE_STATIC + int jent_entropy_switch_notime_impl(struct jent_notime_thread *new_thread); +-#endif + + /* -- END of Main interface functions -- */ + + /* -- BEGIN timer-less threading support functions to prevent code dupes -- */ + +-struct jent_notime_ctx { + #ifdef JENT_CONF_ENABLE_INTERNAL_TIMER ++ ++struct jent_notime_ctx { + pthread_attr_t notime_pthread_attr; /* pthreads library */ + pthread_t notime_thread_id; /* pthreads thread ID */ +-#endif + }; + +-#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER + + JENT_PRIVATE_STATIC + int jent_notime_init(void **ctx); +Index: libgcrypt-1.10.0/random/jitterentropy-base-user.h +=================================================================== +--- libgcrypt-1.10.0.orig/random/jitterentropy-base-user.h ++++ libgcrypt-1.10.0/random/jitterentropy-base-user.h +@@ -213,12 +213,12 @@ static inline void jent_get_cachesize(lo + ext = strstr(buf, "K"); + if (ext) { + shift = 10; +- ext = '\0'; ++ *ext = '\0'; + } else { + ext = strstr(buf, "M"); + if (ext) { + shift = 20; +- ext = '\0'; ++ *ext = '\0'; + } + } + diff --git a/libgcrypt-nobetasuffix.patch b/libgcrypt-nobetasuffix.patch new file mode 100644 index 0000000..740b6fe --- /dev/null +++ b/libgcrypt-nobetasuffix.patch 
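Review bot: In the jitterentropy-base.c hunk, `jent_entropy_collector_alloc_internal` now allocates `hash_state` via `sha3_alloc`, but the `err:` path only releases `mem` and the collector, so any `goto err` taken after that allocation succeeded (the remainder of the function is outside the hunk) leaks the SHA-3 context; add `if (entropy_collector->hash_state) sha3_dealloc(entropy_collector->hash_state);` before the `mem` release. In the jitterentropy-noise.c hunk, `jent_read_random_block` copies `dst_len` bytes out of the 32-byte `jent_block` with no bound; the only visible caller clamps to `DATA_SIZE_BITS / 8`, but the function itself would be safer with `if (dst_len > sizeof(jent_block)) dst_len = sizeof(jent_block);` or at least a comment stating that precondition. The `-EAGAIN` return added in jitterentropy-health.c presumes `errno.h` is reachable through the new `#include "jitterentropy.h"`, which the hunk does not show.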
@@ -0,0 +1,24 @@ +Index: libgcrypt-1.10.2/autogen.sh +=================================================================== +--- libgcrypt-1.10.2.orig/autogen.sh ++++ libgcrypt-1.10.2/autogen.sh +@@ -249,7 +249,7 @@ if [ "$myhost" = "find-version" ]; then + fi + + beta=no +- if [ -e .git ]; then ++ if false; then + ingit=yes + tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null) + tmp=$(echo "$tmp" | sed s/^"$package"//) +@@ -265,8 +265,8 @@ if [ "$myhost" = "find-version" ]; then + rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null))) + else + ingit=no +- beta=yes +- tmp="-unknown" ++ beta=no ++ tmp="" + rev="0000000" + rvd="0" + fi diff --git a/libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch b/libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch new file mode 100644 index 0000000..4a9aa48 --- /dev/null +++ b/libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch @@ -0,0 +1,76 @@ +commit 2c5e5ab6843d747c4b877d2c6f47226f61e9ff14 +Author: Jussi Kivilinna +Date: Sun Jun 12 21:51:34 2022 +0300 + + ppc enable P10 assembly with ENABLE_FORCE_SOFT_HWFEATURES on arch 3.00 + + * cipher/chacha20.c (chacha20_do_setkey) [USE_PPC_VEC]: Enable + P10 assembly for HWF_PPC_ARCH_3_00 if ENABLE_FORCE_SOFT_HWFEATURES is + defined. + * cipher/poly1305.c (poly1305_init) [POLY1305_USE_PPC_VEC]: Likewise. + * cipher/rijndael.c (do_setkey) [USE_PPC_CRYPTO_WITH_PPC9LE]: Likewise. + --- + + This change allows testing P10 implementations with P9 and with QEMU-PPC. + + GnuPG-bug-id: 6006 + 
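Review bot: The autogen.sh patch carries no header describing its purpose, unlike the other patches in this commit; a line such as `# Do not derive the version suffix from git; drops the -unknown suffix (bsc#1216334)` above the first `Index:` line would tell the next rebaser why `[ -e .git ]` was turned into `if false`. Replacing the test with `false` also leaves the whole `git describe` branch as dead code, which is worth a sentence in that header so nobody restores it by accident. The enclosing `find-version` block starts and ends outside the hunk.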
Signed-off-by: Jussi Kivilinna + +Index: libgcrypt-1.10.2/cipher/chacha20.c +=================================================================== +--- libgcrypt-1.10.2.orig/cipher/chacha20.c ++++ libgcrypt-1.10.2/cipher/chacha20.c +@@ -484,6 +484,11 @@ chacha20_do_setkey (CHACHA20_context_t * + ctx->use_ppc = (features & HWF_PPC_ARCH_2_07) != 0; + # ifndef WORDS_BIGENDIAN + ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0; ++# ifdef ENABLE_FORCE_SOFT_HWFEATURES ++ /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10. ++ * Actual implementation works with HWF_PPC_ARCH_3_00 also. */ ++ ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0; ++# endif + # endif + #endif + #ifdef USE_S390X_VX +Index: libgcrypt-1.10.2/cipher/poly1305.c +=================================================================== +--- libgcrypt-1.10.2.orig/cipher/poly1305.c ++++ libgcrypt-1.10.2/cipher/poly1305.c +@@ -90,11 +90,19 @@ static void poly1305_init (poly1305_cont + const byte key[POLY1305_KEYLEN]) + { + POLY1305_STATE *st = &ctx->state; ++ unsigned int features = _gcry_get_hw_features (); + + #ifdef POLY1305_USE_PPC_VEC +- ctx->use_p10 = (_gcry_get_hw_features () & HWF_PPC_ARCH_3_10) != 0; ++ ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0; ++# ifdef ENABLE_FORCE_SOFT_HWFEATURES ++ /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10. ++ * Actual implementation works with HWF_PPC_ARCH_3_00 also. 
*/ ++ ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0; ++# endif + #endif + ++ (void)features; ++ + ctx->leftover = 0; + + st->h[0] = 0; +Index: libgcrypt-1.10.2/cipher/rijndael.c +=================================================================== +--- libgcrypt-1.10.2.orig/cipher/rijndael.c ++++ libgcrypt-1.10.2/cipher/rijndael.c +@@ -605,6 +605,12 @@ do_setkey (RIJNDAEL_context *ctx, const + bulk_ops->xts_crypt = _gcry_aes_ppc9le_xts_crypt; + if (hwfeatures & HWF_PPC_ARCH_3_10) /* for P10 */ + bulk_ops->gcm_crypt = _gcry_aes_p10le_gcm_crypt; ++# ifdef ENABLE_FORCE_SOFT_HWFEATURES ++ /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10. ++ * Actual implementation works with HWF_PPC_ARCH_3_00 also. */ ++ if (hwfeatures & HWF_PPC_ARCH_3_00) ++ bulk_ops->gcm_crypt = _gcry_aes_p10le_gcm_crypt; ++# endif + } + #endif + #ifdef USE_PPC_CRYPTO diff --git a/libgcrypt.changes b/libgcrypt.changes new file mode 100644 index 0000000..91d680c --- /dev/null +++ b/libgcrypt.changes 
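Review bot: The three `ENABLE_FORCE_SOFT_HWFEATURES` blocks (chacha20.c, poly1305.c, rijndael.c) dispatch P10 code paths on any arch-3.00 CPU, which the patch header describes as a testing aid for P9 and QEMU, yet nothing in the hunks ties the macro to a debug configuration. The package build should confirm the macro is not defined in release builds, and a comment next to each block, e.g. `/* Test-only: forces P10 paths on arch 3.00 hardware. */`, would make that contract explicit. `chacha20_do_setkey`, `poly1305_init` and `do_setkey` all start and end outside the hunks.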
@@ -0,0 +1,1753 @@
+-------------------------------------------------------------------
+Tue Nov 21 10:36:09 UTC 2023 - Otto Hollmann
+
+- Re-create HMAC checksum after RPM build strips the library
+ (bsc#1217058)
+
+-------------------------------------------------------------------
+Wed Nov 15 09:54:00 UTC 2023 - Pedro Monreal
+
+- Update to 1.10.3:
+ * Bug fixes:
+ - Fix public key computation for other EdDSA curves. [rC469919751d6e]
+ - Remove out of core handler diagnostic in FIPS mode. [T6515]
+ - Check that the digest size is not zero in gcry_pk_sign_md and
+ gcry_pk_verify_md. [T6539]
+ - Make store an s-exp with \0 is considered to be binary. [T6747]
+ - Various constant-time improvements.
+ * Portability:
+ - Use getrandom call only when supported by the platform. [T6442]
+ - Change the default for --with-libtool-modification to never. [T6619]
+ * Release-info: https://dev.gnupg.org/T6817
+ * Remove patch upstream libgcrypt-1.10.0-out-of-core-handler.patch
+
+-------------------------------------------------------------------
+Tue Oct 17 10:27:15 UTC 2023 - Pedro Monreal
+
+- Do not pull revision info from GIT when autoconf is run. This
+ removes the -unknown suffix after the version number.
+ * Add libgcrypt-nobetasuffix.patch [bsc#1216334] + +------------------------------------------------------------------- +Tue Oct 3 12:58:41 UTC 2023 - Pedro Monreal + +- POWER: performance enhancements for cryptography [jsc#PED-5088] + * Optimize Chacha20 and Poly1305 for PPC P10 LE: [T6006] + - Chacha20/poly1305: Optimized chacha20/poly1305 for + P10 operation [rC88fe7ac33eb4] + - ppc: enable P10 assembly with ENABLE_FORCE_SOFT_HWFEATURES + on arch-3.00 [rC2c5e5ab6843d] + * Add patches: + - libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch + - libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch + +------------------------------------------------------------------- +Mon May 22 11:32:53 UTC 2023 - Pedro Monreal + +- FIPS: Merge the libgcrypt20-hmac package into the library and + remove the "module is complete" trigger file .fips [bsc#1185116] + * Remove libgcrypt-1.10.0-use-fipscheck.patch + +------------------------------------------------------------------- +Tue Apr 11 14:08:24 UTC 2023 - Pedro Monreal + +- Update to 1.10.2: + * Bug fixes: + - Fix Argon2 for the case output > 64. [rC13b5454d26] + - Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44] + - Fix RSA key generation failure in forced FIPS mode. [T5919] + - Fix gcry_pk_hash_verify for explicit hash. [T6066] + - Fix a wrong result of gcry_mpi_invm. [T5970] + - Allow building with --disable-asm for HPPA. [T5976] + - Allow building with -Oz. [T6432] + - Enable the fast path to ChaCha20 only when supported. [T6384] + - Use size_t to avoid counter overflow in Keccak when directly + feeding more than 4GiB. [T6217] + * Other: + - Do not use secure memory for a DRBG instance. [T5933] + - Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918] + - Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990] + - Allow verification of small RSA signatures in FIPS mode. [T5975] + - Allow the use of a shorter salt for KDFs in FIPS mode. 
[T6039] + - Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165] + - Add function-name based FIPS indicator function. + GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered + an ABI changes because the new FIPS features were not yet + approved. [rC822ee57f07] + - Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397] + - Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9] + - Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a] + - Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219] + - Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba] + - Prefer gpgrt-config when available. [T5034] + - Mark AESWRAP as approved FIPS algorithm. [T5512] + - Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332] + - Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25] + - Remove GCM mode from the allowed FIPS indicators. [rC1540698389] + - Add explicit FIPS indicators for hash and MAC algorithms. [T6376] + * Release-info: https://dev.gnupg.org/T5905 + * Rebase FIPS patches: + - libgcrypt-FIPS-SLI-hash-mac.patch + - libgcrypt-FIPS-SLI-kdf-leylength.patch + - libgcrypt-FIPS-SLI-pk.patch + +------------------------------------------------------------------- +Wed Mar 8 10:34:34 UTC 2023 - Martin Pluskal + +- Build AVX2 enabled hwcaps library for x86_64-v3 + +------------------------------------------------------------------- +Wed Oct 19 14:01:24 UTC 2022 - Pedro Monreal + +- Update to 1.10.1: + * Bug fixes: + - Fix minor memory leaks in FIPS mode. + - Build fixes for MUSL libc. + * Other: + - More portable integrity check in FIPS mode. + - Add X9.62 OIDs to sha256 and sha512 modules. + * Add the hardware optimizations config file hwf.deny to + the /etc/gcrypt/ directory. This file can be used to globally + disable the use of hardware based optimizations. 
+ * Remove not needed separate_hmac256_binary hmac256 package + +------------------------------------------------------------------- +Wed Sep 14 13:34:13 UTC 2022 - Pedro Monreal + +- Update to 1.10.0: + * New and extended interfaces: + - New control codes to check for FIPS 140-3 approved algorithms. + - New control code to switch into non-FIPS mode. + - New cipher modes SIV and GCM-SIV as specified by RFC-5297. + - Extended cipher mode AESWRAP with padding as specified by + RFC-5649. + - New set of KDF functions. + - New KDF modes Argon2 and Balloon. + - New functions for combining hashing and signing/verification. + * Performance: + - Improved support for PowerPC architectures. + - Improved ECC performance on zSeries/s390x by using accelerated + scalar multiplication. + - Many more assembler performance improvements for several + architectures. + * Bug fixes: + - Fix Elgamal encryption for other implementations. + [bsc#1190239, CVE-2021-40528] + - Check the input length of the point in ECDH. + - Fix an abort in gcry_pk_get_param for "Curve25519". + * Other features: + - The control code GCRYCTL_SET_ENFORCED_FIPS_FLAG is ignored + because it is useless with the FIPS 140-3 related changes. + - Update of the jitter entropy RNG code. + - Simplification of the entropy gatherer when using the getentropy + system call. + * Interface changes relative to the 1.10.0 release: + - GCRYCTL_SET_DECRYPTION_TAG NEW control code. + - GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER NEW control code. + - GCRYCTL_FIPS_SERVICE_INDICATOR_KDF NEW control code. + - GCRYCTL_NO_FIPS_MODE = 83 NEW control code. + - GCRY_CIPHER_MODE_SIV NEW mode. + - GCRY_CIPHER_MODE_GCM_SIV NEW mode. + - GCRY_CIPHER_EXTENDED NEW flag. + - GCRY_SIV_BLOCK_LEN NEW macro. + - gcry_cipher_set_decryption_tag NEW macro. + - GCRY_KDF_ARGON2 NEW constant. + - GCRY_KDF_BALLOON NEW constant. + - GCRY_KDF_ARGON2D NEW constant. + - GCRY_KDF_ARGON2I NEW constant. + - GCRY_KDF_ARGON2ID NEW constant. + - gcry_kdf_hd_t NEW type. 
+ - gcry_kdf_job_fn_t NEW type. + - gcry_kdf_dispatch_job_fn_t NEW type. + - gcry_kdf_wait_all_jobs_fn_t NEW type. + - struct gcry_kdf_thread_ops NEW struct. + - gcry_kdf_open NEW function. + - gcry_kdf_compute NEW function. + - gcry_kdf_final NEW function. + - gcry_kdf_close NEW function. + - gcry_pk_hash_sign NEW function. + - gcry_pk_hash_verify NEW function. + - gcry_pk_random_override_new NEW function. + * Rebase libgcrypt-1.8.4-allow_FSM_same_state.patch and rename + to libgcrypt-1.10.0-allow_FSM_same_state.patch + * Remove unused CAVS tests and related patches: + - cavs_driver.pl cavs-test.sh + - libgcrypt-1.6.1-fips-cavs.patch + - drbg_test.patch + * Remove DSA sign/verify patches for the FIPS CAVS test since DSA + has been disabled in FIPS mode: + - libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch + - libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch + * Rebase libgcrypt-FIPS-SLI-pk.patch + * Rebase libgcrypt_indicators_changes.patch and + libgcrypt-indicate-shake.patch and merge both into + libgcrypt-FIPS-SLI-hash-mac.patch + * Rebase libgcrypt-FIPS-kdf-leylength.patch and rename to + libgcrypt-FIPS-SLI-kdf-leylength.patch + * Rebase libgcrypt-jitterentropy-3.4.0.patch + * Rebase libgcrypt-FIPS-rndjent_poll.patch + * Rebase libgcrypt-out-of-core-handler.patch and rename to + libgcrypt-1.10.0-out-of-core-handler.patch + * Since the FIPS .hmac file is now calculated with the internal + tool hmac256, only the "module is complete" trigger .fips file + is checked. 
Rename libgcrypt-1.6.1-use-fipscheck.patch + to libgcrypt-1.10.0-use-fipscheck.patch + * Remove patches fixed upstream: + - libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch + - libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff + - libgcrypt-fix-rng.patch + - libgcrypt-1.8.3-fips-ctor.patch + - libgcrypt-1.8.4-use_xfree.patch + - libgcrypt-1.8.4-getrandom.patch + - libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch + - libgcrypt-dsa-rfc6979-test-fix.patch + - libgcrypt-fix-tests-fipsmode.patch + - libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch + - libgcrypt-1.8.4-fips-keygen.patch + - libgcrypt-invoke-global_init-from-constructor.patch + - libgcrypt-Restore-self-tests-from-constructor.patch + - libgcrypt-FIPS-GMAC_AES-benckmark.patch + - libgcrypt-global_init-constructor.patch + - libgcrypt-random_selftests-testentropy.patch + - libgcrypt-rsa-no-blinding.patch + - libgcrypt-ecc-ecdsa-no-blinding.patch + - libgcrypt-PCT-DSA.patch + - libgcrypt-PCT-ECC.patch + - libgcrypt-PCT-RSA.patch + - libgcrypt-fips_selftest_trigger_file.patch + - libgcrypt-pthread-in-t-lock-test.patch + - libgcrypt-FIPS-hw-optimizations.patch + - libgcrypt-FIPS-module-version.patch + - libgcrypt-FIPS-disable-3DES.patch + - libgcrypt-FIPS-fix-regression-tests.patch + - libgcrypt-FIPS-RSA-keylen.patch + - libgcrypt-FIPS-RSA-keylen-tests.patch + - libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch + - libgcrypt-FIPS-verify-unsupported-KDF-test.patch + - libgcrypt-FIPS-HMAC-short-keylen.patch + - libgcrypt-FIPS-service-indicators.patch + - libgcrypt-FIPS-disable-DSA.patch + - libgcrypt-jitterentropy-3.3.0.patch + - libgcrypt-FIPS-Zeroize-hmac.patch + * Update libgcrypt.keyring + +------------------------------------------------------------------- +Thu Sep 8 10:34:53 UTC 2022 - Pedro Monreal + +- FIPS: Get most of the entropy from rndjent_poll [bsc#1202117] + * Add libgcrypt-FIPS-rndjent_poll.patch + * Rebase libgcrypt-jitterentropy-3.4.0.patch + 
+------------------------------------------------------------------- +Wed Sep 7 22:03:51 UTC 2022 - Pedro Monreal + +- FIPS: Check keylength in gcry_fips_indicator_kdf() [bsc#1190700] + * Consider approved keylength greater or equal to 112 bits. + * Add libgcrypt-FIPS-kdf-leylength.patch + +------------------------------------------------------------------- +Wed Sep 7 12:53:14 UTC 2022 - Pedro Monreal + +- FIPS: Zeroize buffer and digest in check_binary_integrity() + * Add libgcrypt-FIPS-Zeroize-hmac.patch [bsc#1191020] + +------------------------------------------------------------------- +Tue Aug 23 09:19:00 UTC 2022 - Pedro Monreal + +- FIPS: gpg/gpg2 gets out of core handler in FIPS mode while + typing Tab key to Auto-Completion. [bsc#1182983] + * Add libgcrypt-out-of-core-handler.patch + +------------------------------------------------------------------- +Mon Aug 8 11:33:03 UTC 2022 - Pedro Monreal + +- FIPS: Port libgcrypt to use jitterentropy [bsc#1202117, jsc#SLE-24941] + * Enable the jitter based entropy generator by default in random.conf + - Add libgcrypt-jitterentropy-3.3.0.patch + * Update the internal jitterentropy to version 3.4.0 + - Add libgcrypt-jitterentropy-3.4.0.patch + +------------------------------------------------------------------- +Mon Aug 1 07:27:35 UTC 2022 - Stephan Kulow + +- Fix reproducible build problems: + - Do not use %release in binaries (but use SOURCE_DATE_EPOCH) + - Fix date call messed up by spec-cleaner + +------------------------------------------------------------------- +Thu Apr 14 12:30:36 UTC 2022 - Dennis Knorr + +- FIPS: extend the service indicator [bsc#1190700] + * introduced a pk indicator function + * adapted the approved and non approved ciphersuites + * Add libgcrypt_indicators_changes.patch + * Add libgcrypt-indicate-shake.patch + +------------------------------------------------------------------- +Tue Mar 22 12:32:09 UTC 2022 - Pedro Monreal + +- FIPS: Implement a service indicator for asymmetric ciphers 
[bsc#1190700] + * Mark RSA public key encryption and private key decryption with + padding (e.g. OAEP, PKCS) as non-approved since RSA-OAEP lacks + peer key assurance validation requirements per SP800-56Brev2. + * Mark ECC as approved only for NIST curves P-224, P-256, P-384 + and P-521 with check for common NIST names and aliases. + * Mark DSA, ELG, EDDSA, ECDSA and ECDH as non-approved. + * Add libgcrypt-FIPS-SLI-pk.patch + * Rebase libgcrypt-FIPS-service-indicators.patch +- Run the regression tests also in FIPS mode. + * Disable tests for non-FIPS approved algos. + * Rebase: libgcrypt-FIPS-verify-unsupported-KDF-test.patch + +------------------------------------------------------------------- +Tue Feb 1 11:28:51 UTC 2022 - Pedro Monreal + +- FIPS: Disable DSA in FIPS mode [bsc#1195385] + * Upstream task: https://dev.gnupg.org/T5710 + * Add libgcrypt-FIPS-disable-DSA.patch + +------------------------------------------------------------------- +Wed Jan 19 08:36:58 UTC 2022 - Pedro Monreal + +- FIPS: Service level indicator [bsc#1190700] + * Provide an indicator to check wether the service utilizes an + approved cryptographic algorithm or not. 
+ * Add patches: + - libgcrypt-FIPS-service-indicators.patch + - libgcrypt-FIPS-verify-unsupported-KDF-test.patch + - libgcrypt-FIPS-HMAC-short-keylen.patch + +------------------------------------------------------------------- +Tue Dec 7 09:41:01 UTC 2021 - Pedro Monreal + +- FIPS: Fix gcry_mpi_sub_ui subtraction [bsc#1193480] + * gcry_mpi_sub_ui: fix subtracting from negative value + * Add libgcrypt-FIPS-fix-gcry_mpi_sub_ui.patch + +------------------------------------------------------------------- +Tue Nov 30 09:42:23 UTC 2021 - Pedro Monreal + +- FIPS: Define an entropy source SP800-90B compliant [bsc#1185140] + * Disable jitter entropy by default in random.conf + * Disable only-urandom option by default in random.conf + +------------------------------------------------------------------- +Fri Nov 26 13:10:29 UTC 2021 - Pedro Monreal + +- FIPS: RSA KeyGen/SigGen fail with 4096 bit key sizes [bsc#1192240] + * rsa: Check RSA keylen constraints for key operations. + * rsa: Fix regression in not returning an error for prime generation. + * tests: Add 2k RSA key working in FIPS mode. + * tests: pubkey: Replace RSA key to one of 2k. + * tests: pkcs1v2: Skip tests with small keys in FIPS. 
+ * Add patches: + - libgcrypt-FIPS-RSA-keylen.patch + - libgcrypt-FIPS-RSA-keylen-tests.patch + +------------------------------------------------------------------- +Mon Nov 8 10:21:39 UTC 2021 - Pedro Monreal + +- FIPS: Disable 3DES/Triple-DES in FIPS mode [bsc#1185138] + * Add libgcrypt-FIPS-disable-3DES.patch + +------------------------------------------------------------------- +Tue Nov 2 11:31:19 UTC 2021 - Pedro Monreal + +- FIPS: PBKDF requirements [bsc#1185137] + * The PBKDF2 selftests were introduced in libgcrypt version + 1.9.1 in the function selftest_pbkdf2() + * Upstream task: https://dev.gnupg.org/T5182 + +------------------------------------------------------------------- +Thu Oct 28 19:48:06 UTC 2021 - Pedro Monreal + +- FIPS: Fix regression tests in FIPS mode [bsc#1192131] + * Add libgcrypt-FIPS-fix-regression-tests.patch + * Upstream task: https://dev.gnupg.org/T5520 + +------------------------------------------------------------------- +Thu Sep 21 11:25:06 UTC 2021 - Pedro Monreal + +- FIPS: Provide a module name/identifier and version that can be + mapped to the validation records. [bsc#1190706] + * Add libgcrypt-FIPS-module-version.patch + * Upstream task: https://dev.gnupg.org/T5600 + +------------------------------------------------------------------- +Thu Sep 21 10:23:44 UTC 2021 - Pedro Monreal + +- FIPS: Enable hardware support also in FIPS mode [bsc#1187110] + * Add libgcrypt-FIPS-hw-optimizations.patch + * Upstream task: https://dev.gnupg.org/T5508 + +------------------------------------------------------------------- +Mon Aug 23 12:08:24 UTC 2021 - Pedro Monreal + +- Update to 1.9.4: + * Bug fixes: + - Fix Elgamal encryption for other implementations. [CVE-2021-33560] + - Fix alignment problem on macOS. + - Check the input length of the point in ECDH. + - Fix an abort in gcry_pk_get_param for "Curve25519". + * Other features: + - Add GCM and CCM to OID mapping table for AES. 
+ * Upstream libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch + +------------------------------------------------------------------- +Mon Aug 23 10:11:55 UTC 2021 - Pedro Monreal + +- Remove not needed patch libgcrypt-sparcv9.diff + +------------------------------------------------------------------- +Thu Jul 15 12:53:45 UTC 2021 - Pedro Monreal + +- Fix building test t-lock with pthread. [bsc#1189745] + * Explicitly add -lpthread to compile the t-lock test. + * Add libgcrypt-pthread-in-t-lock-test.patch + +------------------------------------------------------------------- +Fri Jun 11 13:17:54 UTC 2021 - Pedro Monreal + +- Security fix: [bsc#1187212, CVE-2021-33560] + * cipher: Fix ElGamal encryption for other implementations. + * Exponent blinding was added in version 1.9.3. This patch + fixes ElGamal encryption, see: https://dev.gnupg.org/T5328 +- Add libgcrypt-CVE-2021-33560-fix-ElGamal-enc.patch + +------------------------------------------------------------------- +Tue Apr 20 08:46:11 UTC 2021 - Paolo Stivanin + +- libgcrypt 1.9.3: + * Bug fixes: + - Fix build problems on i386 using gcc-4.7. + - Fix checksum calculation in OCB decryption for AES on s390. + - Fix a regression in gcry_mpi_ec_add related to certain usages + of curve 25519. + - Fix a symbol not found problem on Apple M1. + - Fix for Apple iOS getentropy peculiarity. + - Make keygrip computation work for compressed points. + * Performance: + - Add x86_64 VAES/AVX2 accelerated implementation of Camellia. + - Add x86_64 VAES/AVX2 accelerated implementation of AES. + - Add VPMSUMD acceleration for GCM mode on PPC. + * Internal changes. + - Harden MPI conditional code against EM leakage. + - Harden Elgamal by introducing exponent blinding. 
+ +------------------------------------------------------------------- +Wed Feb 17 09:49:55 UTC 2021 - Andreas Stieger + +- libgcrypt 1.9.2: + * Fix building with --disable-asm on x86 + * Check public key for ECDSA verify operation + * Make sure gcry_get_config (NULL) returns a nul-terminated + string + * Fix a memory leak in the ECDH code + * Fix a reading beyond end of input buffer in SHA2-avx2 +- remove obsolete texinfo packaging macros + +------------------------------------------------------------------- +Tue Feb 2 01:06:47 UTC 2021 - Pedro Monreal + +- Update to 1.9.1 + * *Fix exploitable bug* in hash functions introduced with + 1.9.0. [bsc#1181632, CVE-2021-3345] + * Return an error if a negative MPI is used with sexp scan + functions. + * Check for operational FIPS in the random and KDF functions. + * Fix compile error on ARMv7 with NEON disabled. + * Fix self-test in KDF module. + * Improve assembler checks for better LTO support. + * Fix 32-bit cross build on x86. + * Fix non-NEON ARM assembly implementation for SHA512. + * Fix build problems with the cipher_bulk_ops_t typedef. + * Fix Ed25519 private key handling for preceding ZEROs. + * Fix overflow in modular inverse implementation. + * Fix register access for AVX/AVX2 implementations of Blake2. + * Add optimized cipher and hash functions for s390x/zSeries. + * Use hardware bit counting functionx when available. + * Update DSA functions to match FIPS 186-3. + * New self-tests for CMACs and KDFs. + * Add bulk cipher functions for OFB and GCM modes. 
+- Update libgpg-error required version + +------------------------------------------------------------------- +Tue Feb 1 12:03:31 UTC 2021 - Pedro Monreal + +- Use the suffix variable correctly in get_hmac_path() +- Rebase libgcrypt-fips_selftest_trigger_file.patch + +------------------------------------------------------------------- +Mon Jan 25 12:38:35 UTC 2021 - Pedro Monreal + +- Add the global config file /etc/gcrypt/random.conf + * This file can be used to globally change parameters of the random + generator with the options: only-urandom and disable-jent. + +------------------------------------------------------------------- +Thu Jan 21 15:42:15 UTC 2021 - Pedro Monreal + +- Update to 1.9.0: + New stable branch of Libgcrypt with full API and ABI compatibility + to the 1.8 series. Release-info: https://dev.gnupg.org/T4294 + * New and extended interfaces: + - New curves Ed448, X448, and SM2. + - New cipher mode EAX. + - New cipher algo SM4. + - New hash algo SM3. + - New hash algo variants SHA512/224 and SHA512/256. + - New MAC algos for Blake-2 algorithms, the new SHA512 variants, + SM3, SM4 and for a GOST variant. + - New convenience function gcry_mpi_get_ui. + - gcry_sexp_extract_param understands new format specifiers to + directly store to integers and strings. + - New function gcry_ecc_mul_point and curve constants for Curve448 + and Curve25519. + - New function gcry_ecc_get_algo_keylen. + - New control code GCRYCTL_AUTO_EXPAND_SECMEM to allow growing the + secure memory area. + * Performance optimizations and bug fixes: See Release-info. + * Other features: + - Add OIDs from RFC-8410 as aliases for Ed25519 and Curve25519. + - Add mitigation against ECC timing attack CVE-2019-13627. + - Internal cleanup of the ECC implementation. + - Support reading EC point in compressed format for some curves. 
+- Rebase patches: + * libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch + * libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff + * libgcrypt-1.6.1-use-fipscheck.patch + * drbg_test.patch + * libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch + * libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch + * libgcrypt-1.8.4-fips-keygen.patch + * libgcrypt-1.8.4-getrandom.patch + * libgcrypt-fix-tests-fipsmode.patch + * libgcrypt-global_init-constructor.patch + * libgcrypt-ecc-ecdsa-no-blinding.patch + * libgcrypt-PCT-RSA.patch + * libgcrypt-PCT-ECC.patch +- Remove patches: + * libgcrypt-unresolved-dladdr.patch + * libgcrypt-CVE-2019-12904-GCM-Prefetch.patch + * libgcrypt-CVE-2019-12904-GCM.patch + * libgcrypt-CVE-2019-12904-AES.patch + * libgcrypt-CMAC-AES-TDES-selftest.patch + * libgcrypt-1.6.1-fips-cfgrandom.patch + * libgcrypt-fips_rsa_no_enforced_mode.patch + +------------------------------------------------------------------- +Sat Oct 24 10:25:13 UTC 2020 - Andreas Stieger + +- libgcrypt 1.8.7: + * Support opaque MPI with gcry_mpi_print + * Fix extra entropy collection via clock_gettime, a fallback code + path for legacy hardware + +------------------------------------------------------------------- +Tue Jul 7 09:12:27 UTC 2020 - Pedro Monreal Gonzalez + +- Update to 1.8.6 + * mpi: Consider +0 and -0 the same in mpi_cmp + * mpi: Fix flags in mpi_copy for opaque MPI + * mpi: Fix the return value of mpi_invm_generic + * mpi: DSA,ECDSA: Fix use of mpi_invm + - Call mpi_invm before _gcry_dsa_modify_k + - Call mpi_invm before _gcry_ecc_ecdsa_sign + * mpi: Constant time mpi_inv with some conditions + - mpi/mpi-inv.c (mpih_add_n_cond, mpih_sub_n_cond, mpih_swap_cond) + - New: mpih_abs_cond, mpi_invm_odd + - Rename from _gcry_mpi_invm: mpi_invm_generic + - Use mpi_invm_odd for usual odd cases: _gcry_mpi_invm + * mpi: Abort on division by zero also in _gcry_mpi_tdiv_qr + * Fix wrong code execution in Poly1305 ARM/NEON implementation + - Set r14 to -1 at function entry: 
(_gcry_poly1305_armv7_neon_init_ext) + * Set vZZ.16b register to zero before use in armv8 gcm implementation + * random: Fix include of config.h + * Fix declaration of internal function _gcry_mpi_get_ui: Don't use ulong + * ecc: Fix wrong handling of shorten PK bytes + - Zeros are already recovered: (_gcry_ecc_mont_decodepoint) +- Update libgcrypt-ecc-ecdsa-no-blinding.patch + +------------------------------------------------------------------- +Tue May 19 11:25:37 UTC 2020 - Pedro Monreal Gonzalez + +- FIPS: RSA/DSA/ECC test_keys() print out debug messages [bsc#1171872] + * Print the debug messages in test_keys() only in debug mode. +- Update patches: libgcrypt-PCT-RSA.patch libgcrypt-PCT-DSA.patch + libgcrypt-PCT-ECC.patch + +------------------------------------------------------------------- +Mon Apr 27 08:55:12 UTC 2020 - Pedro Monreal Gonzalez + +- FIPS: libgcrypt: Double free in test_keys() on failed signature + verification [bsc#1169944] + * Use safer gcry_mpi_release() instead of mpi_free() +- Update patches: + * libgcrypt-PCT-DSA.patch + * libgcrypt-PCT-RSA.patch + * libgcrypt-PCT-ECC.patch + +------------------------------------------------------------------- +Thu Apr 16 16:45:23 UTC 2020 - Vítězslav Čížek + +- Ship the FIPS checksum file in the shared library package and + create a separate trigger file for the FIPS selftests (bsc#1169569) + * add libgcrypt-fips_selftest_trigger_file.patch + * refresh libgcrypt-global_init-constructor.patch +- Remove libgcrypt-binary_integrity_in_non-FIPS.patch obsoleted + by libgcrypt-global_init-constructor.patch + +------------------------------------------------------------------- +Wed Apr 15 13:55:27 UTC 2020 - Pedro Monreal Gonzalez + +- FIPS: Verify that the generated signature and the original input + differ in test_keys function for RSA, DSA and ECC: [bsc#1165539] +- Add zero-padding when qx and qy have different lengths when + assembling the Q point from affine coordinates. 
+- Refreshed patches: + * libgcrypt-PCT-DSA.patch + * libgcrypt-PCT-RSA.patch + * libgcrypt-PCT-ECC.patch + +------------------------------------------------------------------- +Mon Mar 30 10:48:02 UTC 2020 - Pedro Monreal Gonzalez + +- FIPS: Switch the PCT to use the new signature operation [bsc#1165539] + * Patches for DSA, RSA and ECDSA test_keys functions: + - libgcrypt-PCT-DSA.patch + - libgcrypt-PCT-RSA.patch + - libgcrypt-PCT-ECC.patch +- Update patch: libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch + +------------------------------------------------------------------- +Thu Mar 26 18:09:47 UTC 2020 - Pedro Monreal Gonzalez + +- FIPS: Run self-tests from constructor during power-on [bsc#1166748] + * Set up global_init as the constructor function: + - libgcrypt-global_init-constructor.patch + * Relax the entropy requirements on selftest. This is especially + important for virtual machines to boot properly before the RNG + is available: + - libgcrypt-random_selftests-testentropy.patch + - libgcrypt-rsa-no-blinding.patch + - libgcrypt-ecc-ecdsa-no-blinding.patch + * Fix benchmark regression test in FIPS mode: + - libgcrypt-FIPS-GMAC_AES-benckmark.patch + +------------------------------------------------------------------- +Thu Mar 12 16:54:33 UTC 2020 - Pedro Monreal Gonzalez + +- Remove check not needed in _gcry_global_constructor [bsc#1164950] + * Update libgcrypt-Restore-self-tests-from-constructor.patch + +------------------------------------------------------------------- +Tue Feb 25 22:13:24 UTC 2020 - Pedro Monreal Gonzalez + +- FIPS: Run the self-tests from the constructor [bsc#1164950] + * Add libgcrypt-invoke-global_init-from-constructor.patch + +------------------------------------------------------------------- +Fri Jan 17 17:35:15 UTC 2020 - Pedro Monreal Gonzalez + +- FIPS: libgcrypt DSA PQG parameter generation: Missing value [bsc#1161219] +- FIPS: libgcrypt DSA PQG verification incorrect results [bsc#1161215] +- FIPS: libgcrypt RSA 
siggen/keygen: 4k not supported [bsc#1161220] + * Add patch from Fedora libgcrypt-1.8.4-fips-keygen.patch + +------------------------------------------------------------------- +Wed Dec 11 10:18:23 UTC 2019 - Pedro Monreal Gonzalez + +- FIPS: RSA/DSA/ECDSA are missing hashing operation [bsc#1155337] + * Add libgcrypt-FIPS-RSA-DSA-ECDSA-hashing-operation.patch + +------------------------------------------------------------------- +Wed Nov 27 14:01:01 UTC 2019 - Pedro Monreal Gonzalez + +- Fix tests in FIPS mode: + * Fix tests: basic benchmark bench-slope pubkey t-cv25519 t-secmem + * Add patch libgcrypt-fix-tests-fipsmode.patch + +------------------------------------------------------------------- +Tue Nov 26 18:48:20 UTC 2019 - Pedro Monreal Gonzalez + +- Fix test dsa-rfc6979 in FIPS mode: + * Disable tests in elliptic curves with 192 bits which are not + recommended in FIPS mode + * Add patch libgcrypt-dsa-rfc6979-test-fix.patch + +------------------------------------------------------------------- +Tue Nov 12 11:05:02 UTC 2019 - Pedro Monreal Gonzalez + +- CMAC AES and TDES FIPS self-tests: + * CMAC AES self test missing [bsc#1155339] + * CMAC TDES self test missing [bsc#1155338] +- Add libgcrypt-CMAC-AES-TDES-selftest.patch + +------------------------------------------------------------------- +Fri Aug 30 14:17:48 UTC 2019 - Andreas Stieger + +- libgcrypt 1.8.5: + * CVE-2019-13627: mitigation against an ECDSA timing attack (boo#1148987) + * Improve ECDSA unblinding + * Provide a pkg-config file + +------------------------------------------------------------------- +Wed Jun 26 06:52:54 UTC 2019 - Jason Sikes + +- Fixed redundant fips tests in some situations causing sudo to stop + working when pam-kwallet is installed. 
bsc#1133808 + * Added libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch + * Removed libgcrypt-fips_run_selftest_at_constructor.patch + because it was obsoleted by libgcrypt-1.8.3-fips-ctor.patch + * Removed libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch + because it was obsoleted by libgcrypt-1.8.4-fips_ctor_skip_integrity_check.patch + +------------------------------------------------------------------- +Fri Jun 21 16:53:07 UTC 2019 - Pedro Monreal Gonzalez + +- Fixed env-script-interpreter in cavs_driver.pl + +------------------------------------------------------------------- +Fri Jun 21 16:39:00 UTC 2019 - Pedro Monreal Gonzalez + +- Security fix: [bsc#1138939, CVE-2019-12904] + * The C implementation of AES is vulnerable to a flush-and-reload + side-channel attack because physical addresses are available to + other processes. (The C implementation is used on platforms where + an assembly-language implementation is unavailable.) + * Added patches: + - libgcrypt-CVE-2019-12904-GCM-Prefetch.patch + - libgcrypt-CVE-2019-12904-GCM.patch + - libgcrypt-CVE-2019-12904-AES.patch + +------------------------------------------------------------------- +Fri Apr 26 06:47:45 UTC 2019 - Jason Sikes + +- do not try to open /dev/urandom if getrandom() works + * Added libgcrypt-1.8.4-getrandom.patch +- Drop libgcrypt-init-at-elf-load-fips.patch obsoleted + by libgcrypt-1.8.3-fips-ctor.patch + +------------------------------------------------------------------- +Tue Apr 23 12:38:40 UTC 2019 - Jason Sikes + +- Restored libgcrypt-binary_integrity_in_non-FIPS.patch sans section that + was partially causing bsc#1131183. +- Fixed race condition in multi-threaded applications by allowing a FSM state + transition to the current state. This means some tests are run twice. + * Added libgcrypt-1.8.4-allow_FSM_same_state.patch +- Fixed an issue in malloc/free wrappers so that memory created by the malloc() + wrappers will be destroyed using the free() wrappers. 
+ * Added libgcrypt-1.8.4-use_xfree.patch + +------------------------------------------------------------------- +Fri Apr 5 21:56:00 UTC 2019 - Jason Sikes + +- removed libgcrypt-binary_integrity_in_non-FIPS.patch since it was breaking + libotr. bsc#1131183 + +------------------------------------------------------------------- +Tue Mar 26 16:30:23 UTC 2019 - Vítězslav Čížek + +- libgcrypt-1.8.3-fips-ctor.patch changed the way the fips selftests + are invoked as well as the state transition, adjust the code so + a missing checksum file is not an issue in non-FIPS mode (bsc#1097073) + * update libgcrypt-binary_integrity_in_non-FIPS.patch + +------------------------------------------------------------------- +Tue Mar 26 16:25:18 UTC 2019 - Vítězslav Čížek + +- Enforce the minimal RSA keygen size in fips mode (bsc#1125740) + * add libgcrypt-fips_rsa_no_enforced_mode.patch + +------------------------------------------------------------------- +Fri Mar 22 14:13:05 UTC 2019 - Vítězslav Čížek + +- Don't run full self-tests from constructor (bsc#1097073) + * Don't call global_init() from the constructor, _gcry_global_constructor() + from libgcrypt-1.8.3-fips-ctor.patch takes care of the binary + integrity check instead. 
+ * Only the binary checksum will be verified, the remaining
+ self-tests will be run upon the library initialization
+- Add libgcrypt-fips_ignore_FIPS_MODULE_PATH.patch
+- Drop libgcrypt-init-at-elf-load-fips.patch and
+ libgcrypt-fips_run_selftest_at_constructor.patch obsoleted
+ by libgcrypt-1.8.3-fips-ctor.patch
+
+-------------------------------------------------------------------
+Thu Mar 7 10:53:40 UTC 2019 - Pedro Monreal Gonzalez
+
+- Skip all the self-tests except for binary integrity when called
+ from the constructor (bsc#1097073)
+ * Added libgcrypt-1.8.3-fips-ctor.patch from Fedora
+
+-------------------------------------------------------------------
+Mon Nov 26 17:09:47 UTC 2018 - Vítězslav Čížek
+
+- Fail selftests when checksum file is missing in FIPS mode only
+ (bsc#1117355)
+ * add libgcrypt-binary_integrity_in_non-FIPS.patch
+
+-------------------------------------------------------------------
+Sun Oct 28 18:57:53 UTC 2018 - astieger@suse.com
+
+- libgcrypt 1.8.4:
+ * Fix infinite loop with specific application implementations
+ * Fix possible leak of a few bits of secret primes to pageable
+ memory
+ * Fix possible hang in the RNG (1.8.3)
+ * Always make use of getrandom if possible and then use
+ its /dev/urandom behaviour
+
+-------------------------------------------------------------------
+Mon Jul 2 10:38:42 UTC 2018 - schwab@suse.de
+
+- libgcrypt-1.6.3-aliasing.patch, libgcrypt-ppc64.patch,
+ libgcrypt-strict-aliasing.patch: Remove obsolete patches
+- libgcrypt-1.4.1-rijndael_no_strict_aliasing.patch: Rediff
+- Reenable testsuite
+
+-------------------------------------------------------------------
+Wed Jun 13 10:46:33 UTC 2018 - kbabioch@suse.com
+
+- Update to version 1.8.3:
+ - Use blinding for ECDSA signing to mitigate a novel side-channel
+ attack. (CVE-2018-0495 bsc#1097410)
+ - Fix incorrect counter overflow handling for GCM when using an IV
+ size other than 96 bit.
+ - Fix incorrect output of AES-keywrap mode for in-place encryption
+ on some platforms.
+ - Fix the gcry_mpi_ec_curve_point point validation function.
+ - Fix rare assertion failure in gcry_prime_check.
+- Applied spec-cleaner
+
+-------------------------------------------------------------------
+Wed May 2 14:31:07 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Suggest libgcrypt20-hmac for package libgcrypt20 to ensure they
+ are installed in the right order. [bsc#1090766]
+
+-------------------------------------------------------------------
+Thu Mar 29 06:37:44 UTC 2018 - pmonrealgonzalez@suse.com
+
+- Extended the fipsdrv dsa-sign and dsa-verify commands with the
+ --algo parameter for the FIPS testing of DSA SigVer and SigGen
+ (bsc#1064455).
+ * Added libgcrypt-fipsdrv-enable-algo-for-dsa-sign.patch
+ * Added libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch
+
+-------------------------------------------------------------------
+Thu Feb 22 15:10:36 UTC 2018 - fvogt@suse.com
+
+- Use %license (boo#1082318)
+
+-------------------------------------------------------------------
+Wed Dec 13 20:09:28 UTC 2017 - astieger@suse.com
+
+- libgcrypt 1.8.2:
+ * Fix fatal out of secure memory status in the s-expression
+ parser on heavy loaded systems.
+ * Add auto expand secmem feature or use by GnuPG 2.2.4
+
+-------------------------------------------------------------------
+Mon Aug 28 17:54:24 UTC 2017 - astieger@suse.com
+
+- libgcrypt 1.8.1:
+ * Mitigate a local side-channel attack on Curve25519 dubbed "May
+ the Fourth be With You" CVE-2017-0379 bsc#1055837
+ * Add more extra bytes to the pool after reading a seed file
+ * Add the OID SHA384WithECDSA from RFC-7427 to SHA-384
+ * Fix build problems with the Jitter RNG
+ * Fix assembler code build problems on Rasbian (ARMv8/AArch32-CE)
+
+-------------------------------------------------------------------
+Mon Jul 24 23:43:40 UTC 2017 - jengelh@inai.de
+
+- RPM group fixes.
+
+-------------------------------------------------------------------
+Fri Jul 21 15:50:14 UTC 2017 - astieger@suse.com
+
+- libgcrypt 1.8.0:
+ * New cipher mode XTS
+ * New hash function Blake-2
+ * New function gcry_mpi_point_copy.
+ * New function gcry_get_config.
+ * GCRYCTL_REINIT_SYSCALL_CLAMP allows to init nPth after Libgcrypt.
+ * New gobal configuration file /etc/gcrypt/random.conf.
+ * GCRYCTL_PRINT_CONFIG does now also print build information for
+ libgpg-error and the used compiler version.
+ * GCRY_CIPHER_MODE_CFB8 is now supported.
+ * A jitter based entropy collector is now used in addition to the
+ other entropy collectors.
+ * Optimized gcry_md_hash_buffers for SHA-256 and SHA-512.
+ random pool lock).
+ * Interface changes relative to the 1.7.0 release:
+ gcry_get_config NEW function.
+ gcry_mpi_point_copy NEW function.
+ GCRYCTL_REINIT_SYSCALL_CLAMP NEW macro.
+ GCRY_MD_BLAKE2B_512 NEW constant.
+ GCRY_MD_BLAKE2B_384 NEW constant.
+ GCRY_MD_BLAKE2B_256 NEW constant.
+ GCRY_MD_BLAKE2B_160 NEW constant.
+ GCRY_MD_BLAKE2S_256 NEW constant.
+ GCRY_MD_BLAKE2S_224 NEW constant.
+ GCRY_MD_BLAKE2S_160 NEW constant.
+ GCRY_MD_BLAKE2S_128 NEW constant.
+ GCRY_CIPHER_MODE_XTS NEW constant.
+ gcry_md_info DEPRECATED.
+- Refresh patch libgcrypt-1.6.3-aliasing.patch
+
+-------------------------------------------------------------------
+Thu Jun 29 09:49:44 UTC 2017 - astieger@suse.com
+
+- libgcrypt 1.7.8:
+ * CVE-2017-7526: Mitigate a flush+reload side-channel attack on
+ RSA secret keys (bsc#1046607)
+
+-------------------------------------------------------------------
+Sun Jun 4 19:26:12 UTC 2017 - astieger@suse.com
+
+- libgcrypt 1.7.7:
+ * Fix possible timing attack on EdDSA session key (previously
+ patched, drop libgcrypt-secure-EdDSA-session-key.patch)
+ * Fix long standing bug in secure memory implementation which
+ could lead to a segv on free
+
+-------------------------------------------------------------------
+Fri Jun 2 10:05:18 UTC 2017 - pmonrealgonzalez@suse.com
+
+- Added libgcrypt-secure-EdDSA-session-key.patch [bsc#1042326]
+ * Store the session key in secure memory to ensure that constant
+ time point operations are used in the MPI library.
+
+-------------------------------------------------------------------
+Fri Jan 20 09:41:15 UTC 2017 - rmaliska@suse.com
+
+- libgcrypt 1.7.6:
+ * Fix counter operand from read-only to read/write
+ * Fix too large jump alignment in mpih-rshift
+
+-------------------------------------------------------------------
+Thu Dec 15 10:32:18 UTC 2016 - astieger@suse.com
+
+- libgcrypt 1.7.5:
+ * Fix regression in mlock detection introduced with 1.7.4
+
+-------------------------------------------------------------------
+Tue Dec 13 12:20:47 UTC 2016 - astieger@suse.com
+
+- libgcrypt 1.7.4:
+ * ARMv8/AArch32 performance improvements for AES, GCM, SHA-256,
+ and SHA-1.
+ * Add ARMv8/AArch32 assembly implementation for Twofish and
+ Camellia.
+ * Add bulk processing implementation for ARMv8/AArch32.
+ * Add Stribog OIDs.
+ * Improve the DRBG performance and sync the code with the Linux
+ version.
+ * When secure memory is requested by the MPI functions or by
+ gcry_xmalloc_secure, they do not anymore lead to a fatal error
+ if the secure memory pool is used up. Instead new pools are
+ allocated as needed. These new pools are not protected against
+ being swapped out (mlock can't be used). Mitigation for
+ minor confidentiality issues is encryption swap space.
+ * Fix GOST 28147 CryptoPro-B S-box.
+ * Fix error code handling of mlock calls.
+
+-------------------------------------------------------------------
+Sat Aug 20 10:38:15 UTC 2016 - mpluskal,vcizek,astieger}@suse.com
+
+- libgcrypt 1.7.3:
+ * security issue already fixes with 1.6.6
+ * Fix building of some asm modules with older compilers and CPUs.
+ * ARMv8/AArch32 improvements for AES, GCM, SHA-256, and SHA-1.
+- includes changes from libgcrypt 1.7.2:
+ * Bug fixes:
+ - Fix setting of the ECC cofactor if parameters are specified.
+ - Fix memory leak in the ECC code.
+ - Remove debug message about unsupported getrandom syscall.
+ - Fix build problems related to AVX use.
+ - Fix bus errors on ARM for Poly1305, ChaCha20, AES, and SHA-512.
+ * Internal changes:
+ - Improved fatal error message for wrong use of gcry_md_read.
+ - Disallow symmetric encryption/decryption if key is not set.
+- includes changes from 1.7.1:
+ * Bug fixes:
+ - Fix ecc_verify for cofactor support.
+ - Fix portability bug when using gcc with Solaris 9 SPARC.
+ - Build fix for OpenBSD/amd64
+ - Add OIDs to the Serpent ciphers.
+ * Internal changes:
+ - Use getrandom system call on Linux if available.
+ - Blinding is now also used for RSA signature creation.
+ - Changed names of debug envvars
+- includes changes from 1.7.0:
+ * New algorithms and modes:
+ - SHA3-224, SHA3-256, SHA3-384, SHA3-512, and MD2 hash algorithms.
+ - SHAKE128 and SHAKE256 extendable-output hash algorithms.
+ - ChaCha20 stream cipher.
+ - Poly1305 message authentication algorithm
+ - ChaCha20-Poly1305 Authenticated Encryption with Associated Data
+ mode.
+ - OCB mode.
+ - HMAC-MD2 for use by legacy applications.
+ * New curves for ECC:
+ - Curve25519.
+ - sec256k1.
+ - GOST R 34.10-2001 and GOST R 34.10-2012.
+ * Performance:
+ - Improved performance of KDF functions.
+ - Assembler optimized implementations of Blowfish and Serpent on
+ ARM.
+ - Assembler optimized implementation of 3DES on x86.
+ - Improved AES using the SSSE3 based vector permutation method by
+ Mike Hamburg.
+ - AVX/BMI is used for SHA-1 and SHA-256 on x86. This is for SHA-1
+ about 20% faster than SSSE3 and more than 100% faster than the
+ generic C implementation.
+ - 40% speedup for SHA-512 and 72% for SHA-1 on ARM Cortex-A8.
+ - 60-90% speedup for Whirlpool on x86.
+ - 300% speedup for RIPE MD-160.
+ - Up to 11 times speedup for CRC functions on x86.
+ * Other features:
+ - Improved ECDSA and FIPS 186-4 compliance.
+ - Support for Montgomery curves.
+ - gcry_cipher_set_sbox to tweak S-boxes of the gost28147 cipher
+ algorithm.
+ - gcry_mpi_ec_sub to subtract two points on a curve.
+ - gcry_mpi_ec_decode_point to decode an MPI into a point object.
+ - Emulation for broken Whirlpool code prior to 1.6.0. [from 1.6.1]
+ - Flag "pkcs1-raw" to enable PCKS#1 padding with a user supplied
+ hash part.
+ - Parameter "saltlen" to set a non-default salt length for RSA PSS.
+ - A SP800-90A conforming DRNG replaces the former X9.31 alternative
+ random number generator.
+ - Map deprecated RSA algo number to the RSA algo number for better
+ backward compatibility. [from 1.6.2]
+ - Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
+ See http://www.cs.tau.ac.il/~tromer/radioexp/ for details.
+ [from 1.6.3]
+ - Fixed data-dependent timing variations in modular exponentiation
+ [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
+ are Practical]. [from 1.6.3]
+ - Flag "no-keytest" for ECC key generation. Due to a bug in
+ the parser that flag will also be accepted but ignored by older
+ version of Libgcrypt. [from 1.6.4]
+ - Speed up the random number generator by requiring less extra
+ seeding. [from 1.6.4]
+ - Always verify a created RSA signature to avoid private key leaks
+ due to hardware failures. [from 1.6.4]
+ - Mitigate side-channel attack on ECDH with Weierstrass curves
+ [CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
+ details. [from 1.6.5]
+ * Internal changes:
+ - Moved locking out to libgpg-error.
+ - Support of the SYSROOT envvar in the build system.
+ - Refactor some code.
+ - The availability of a 64 bit integer type is now mandatory.
+ * Bug fixes:
+ - Fixed message digest lookup by OID (regression in 1.6.0).
+ - Fixed a build problem on NetBSD
+ - Fixed some asm build problems and feature detection bugs.
+ * Interface changes relative to the 1.6.0 release:
+ gcry_cipher_final NEW macro.
+ GCRY_CIPHER_MODE_CFB8 NEW constant.
+ GCRY_CIPHER_MODE_OCB NEW.
+ GCRY_CIPHER_MODE_POLY1305 NEW.
+ gcry_cipher_set_sbox NEW macro.
+ gcry_mac_get_algo NEW.
+ GCRY_MAC_HMAC_MD2 NEW.
+ GCRY_MAC_HMAC_SHA3_224 NEW.
+ GCRY_MAC_HMAC_SHA3_256 NEW.
+ GCRY_MAC_HMAC_SHA3_384 NEW.
+ GCRY_MAC_HMAC_SHA3_512 NEW.
+ GCRY_MAC_POLY1305 NEW.
+ GCRY_MAC_POLY1305_AES NEW.
+ GCRY_MAC_POLY1305_CAMELLIA NEW.
+ GCRY_MAC_POLY1305_SEED NEW.
+ GCRY_MAC_POLY1305_SERPENT NEW.
+ GCRY_MAC_POLY1305_TWOFISH NEW.
+ gcry_md_extract NEW.
+ GCRY_MD_FLAG_BUGEMU1 NEW [from 1.6.1].
+ GCRY_MD_GOSTR3411_CP NEW.
+ GCRY_MD_SHA3_224 NEW.
+ GCRY_MD_SHA3_256 NEW.
+ GCRY_MD_SHA3_384 NEW.
+ GCRY_MD_SHA3_512 NEW.
+ GCRY_MD_SHAKE128 NEW.
+ GCRY_MD_SHAKE256 NEW.
+ gcry_mpi_ec_decode_point NEW.
+ gcry_mpi_ec_sub NEW.
+ GCRY_PK_EDDSA NEW constant.
+ GCRYCTL_GET_TAGLEN NEW.
+ GCRYCTL_SET_SBOX NEW.
+ GCRYCTL_SET_TAGLEN NEW.
+- Apply libgcrypt-1.6.3-aliasing.patch only on big-endian
+ architectures
+- update drbg_test.patch and install cavs testing directory again
+- As DRBG is upstream, drop pateches:
+ v9-0001-SP800-90A-Deterministic-Random-Bit-Generator.patch
+ 0002-Compile-DRBG.patch
+ 0003-Function-definitions-of-interfaces-for-random.c.patch
+ 0004-Invoke-DRBG-from-common-libgcrypt-RNG-code.patch
+ 0005-Function-definitions-for-gcry_control-callbacks.patch
+ 0006-DRBG-specific-gcry_control-requests.patch
+ v9-0007-User-interface-to-DRBG.patch
+ libgcrypt-fix-rng.patch
+- drop obsolete:
+ libgcrypt-fips-dsa.patch
+ libgcrypt-fips_ecdsa.patch
+
+-------------------------------------------------------------------
+Wed Aug 17 18:21:44 UTC 2016 - astieger@suse.com
+
+- libgcrypt 1.6.6:
+ * fix CVE-2016-6313: Issue in the mixing functions of the random
+ number generators allowed an attacker who obtained a number of
+ bytes from the standard RNG to predict some of the next ouput.
+ (bsc#994157)
+
+-------------------------------------------------------------------
+Mon May 16 14:37:45 UTC 2016 - pjanouch@suse.de
+
+- remove conditionals for unsupported distributions (before 13.2),
+ it would not build anyway because of new dependencies
+
+-------------------------------------------------------------------
+Mon May 16 12:36:14 UTC 2016 - pjanouch@suse.de
+
+- make the -hmac package depend on the same version of the library,
+ fixing bsc#979629 FIPS: system fails to reboot after installing
+ fips pattern
+
+-------------------------------------------------------------------
+Tue Feb 9 20:51:59 UTC 2016 - astieger@suse.com
+
+- update to 1.6.5:
+ * CVE-2015-7511: Mitigate side-channel attack on ECDH with
+ Weierstrass curves (boo#965902)
+
+-------------------------------------------------------------------
+Sat Oct 10 11:56:08 UTC 2015 - astieger@suse.com
+
+- follow-up to libgcrypt 1.6.4 update: sosuffix is 20.0.4
+
+-------------------------------------------------------------------
+Tue Sep 8 08:03:19 UTC 2015 - vcizek@suse.com
+
+- update to 1.6.4
+- fixes libgcrypt equivalent of CVE-2015-5738 (bsc#944456)
+ * Speed up the random number generator by requiring less extra
+ seeding.
+ * New flag "no-keytest" for ECC key generation. Due to a bug in the
+ parser that flag will also be accepted but ignored by older version
+ of Libgcrypt.
+ * Always verify a created RSA signature to avoid private key leaks
+ due to hardware failures.
+ * Other minor bug fixes.
+
+-------------------------------------------------------------------
+Tue Jun 23 15:15:30 UTC 2015 - dvaleev@suse.com
+
+- Fix gpg2 tests on BigEndian architectures: s390x ppc64
+ libgcrypt-1.6.3-aliasing.patch
+
+-------------------------------------------------------------------
+Sun Mar 1 21:16:26 UTC 2015 - astieger@suse.com
+
+- fix sosuffix for 1.6.3 (20.0.3)
+
+-------------------------------------------------------------------
+Sat Feb 28 19:31:10 UTC 2015 - astieger@suse.com
+
+- libgcrypt 1.6.3 [bnc#920057]:
+ * Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
+ * Fixed data-dependent timing variations in modular exponentiation
+ [related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
+ are Practical].
+- update upstream signing keyring
+
+-------------------------------------------------------------------
+Fri Feb 6 18:42:28 UTC 2015 - coolo@suse.com
+
+- making the build reproducible - see
+ http://lists.gnupg.org/pipermail/gnupg-commits/2014-September/010683.html
+ for a very similiar problem
+
+-------------------------------------------------------------------
+Fri Feb 6 18:38:55 UTC 2015 - dimstar@opensuse.org
+
+- Move %install_info_delete calls from postun to preun: the files
+ must still be present to be parsed.
+- Fix the names passed to install_info for gcrypt.info-[12].gz
+ instead of gcrypt-[12].info.gz.
+
+-------------------------------------------------------------------
+Fri Feb 6 18:30:26 UTC 2015 - coolo@suse.com
+
+- fix filename for info pages in %post scripts
+
+-------------------------------------------------------------------
+Wed Nov 5 20:37:24 UTC 2014 - andreas.stieger@gmx.de
+
+- libgcrypt 1.6.2:
+ * Map deprecated RSA algo number to the RSA algo number for better
+ backward compatibility.
+ * Support a 0x40 compression prefix for EdDSA.
+ * Improve ARM hardware feature detection and building.
+ * Fix building for the x32 ABI platform.
+ * Fix some possible NULL deref bugs.
+- remove libgcrypt-1.6.0-use-intenal-functions.patch, upstream
+ via xtrymalloc macro
+- remove libgcrypt-fixed-sizet.patch, upstream
+- adjust libgcrypt-1.6.1-use-fipscheck.patch for xtrymalloc change
+
+-------------------------------------------------------------------
+Sun Sep 21 10:08:39 UTC 2014 - vcizek@suse.com
+
+- disabled curve P-192 in FIPS mode (bnc#896202)
+ * added libgcrypt-fips_ecdsa.patch
+- don't use SHA-1 for ECDSA in FIPS mode
+- also run the fips self tests only in FIPS mode
+
+-------------------------------------------------------------------
+Tue Sep 16 13:56:01 UTC 2014 - vcizek@suse.com
+
+- run the fips self tests at the constructor code
+ * added libgcrypt-fips_run_selftest_at_constructor.patch
+
+-------------------------------------------------------------------
+Tue Sep 16 12:17:17 UTC 2014 - vcizek@suse.com
+
+- rewrite the DSA-2 code to be FIPS 186-4 compliant (bnc#894216)
+ * added libgcrypt-fips-dsa.patch
+ * install fips186_dsa
+- use 2048 bit keys in selftests_dsa
+
+-------------------------------------------------------------------
+Mon Sep 1 10:57:06 UTC 2014 - vcizek@suse.com
+
+- fix an issue in DRBG patchset
+ * size_t type is 32-bit on 32-bit systems
+- fix a potential NULL pointer deference in DRBG patchset
+ * patches from https://bugs.g10code.com/gnupg/issue1701
+- added v9-0001-SP800-90A-Deterministic-Random-Bit-Generator.patch
+- added v9-0007-User-interface-to-DRBG.patch
+- removed v7-0001-SP800-90A-Deterministic-Random-Bit-Generator.patch
+- removed v7-0007-User-interface-to-DRBG.patch
+- add a subpackage for CAVS testing
+ * add cavs_driver.pl and cavs-test.sh from the kernel cavs package
+ * added drbg_test.patch
+
+-------------------------------------------------------------------
+Tue Aug 12 07:43:19 UTC 2014 - meissner@suse.com
+
+- split off the -hmac package that contains the checksums
+
+-------------------------------------------------------------------
+Mon May 26 12:05:17 UTC 2014 - meissner@suse.com
+
+- libgcrypt-fix-rng.patch: make drbg work again in FIPS mode.
+- libgcrypt-1.6.1-use-fipscheck.patch: library to test is libgcrypt.so.20
+ and not libgcrypt.so.11
+- libgcrypt-init-at-elf-load-fips.patch: initialize globally on ELF
+ DSO loading to meet FIPS requirements.
+
+-------------------------------------------------------------------
+Tue May 13 10:47:51 UTC 2014 - vcizek@suse.com
+
+- add new 0007-User-interface-to-DRBG.patch from upstream
+ * fixes bnc#877233
+ * supersedes the patch from previous entry
+
+-------------------------------------------------------------------
+Sun May 12 13:25:33 UTC 2014 - tittiatcoke@gmail.com
+
+- Correct patch 0007-User-interface-to-DRBG.patch so that the
+ struct used in the route matches the header of the function
+
+-------------------------------------------------------------------
+Tue May 6 13:28:33 UTC 2014 - vcizek@suse.com
+
+- add support for SP800-90A DRBG (fate#316929, bnc#856312)
+ * patches by Stephan Mueller (http://www.chronox.de/drbg.html):
+ 0001-SP800-90A-Deterministic-Random-Bit-Generator.patch.bz2
+ 0002-Compile-DRBG.patch
+ 0003-Function-definitions-of-interfaces-for-random.c.patch
+ 0004-Invoke-DRBG-from-common-libgcrypt-RNG-code.patch
+ 0005-Function-definitions-for-gcry_control-callbacks.patch
+ 0006-DRBG-specific-gcry_control-requests.patch
+ 0007-User-interface-to-DRBG.patch
+ * only after 13.1 (the patches need libgpg-error 1.13)
+- drop libgcrypt-fips-allow-legacy.patch (not needed and wasn't
+ applied anyway)
+
+-------------------------------------------------------------------
+Thu Apr 3 12:04:46 UTC 2014 - tchvatal@suse.com
+
+- Cleanup with spec-cleaner to sort out.
+- Really apply ppc64 patch as it was ommited probably by mistake.
+
+-------------------------------------------------------------------
+Thu Mar 27 14:57:22 UTC 2014 - meissner@suse.com
+
+- FIPS changes (from Fedora):
+ - replaced libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff by
+ libgcrypt-1.6.1-fips-cfgrandom.patch
+ - libgcrypt-fixed-sizet.patch: fixed an int type for -flto
+ - libgcrypt-1.6.1-use-fipscheck.patch: use the fipscheck binary
+ - libgcrypt-1.6.1-fips-cavs.patch: add CAVS tests
+- use fipscheck only after 13.1
+- libgcrypt-fips-allow-legacy.patch: attempt to allow some
+ legacy algorithms for gpg2 usage even in FIPS mode.
+ (currently not applied)
+
+-------------------------------------------------------------------
+Thu Jan 30 13:29:49 UTC 2014 - idonmez@suse.com
+
+- Drop arm-missing-files.diff, fixed upstream
+
+-------------------------------------------------------------------
+Wed Jan 29 18:40:49 UTC 2014 - andreas.stieger@gmx.de
+
+- libgcrypt 1.6.1, a bugfix release with the folloging fixes:
+ * Added emulation for broken Whirlpool code prior to 1.6.0.
+ * Improved performance of KDF functions.
+ * Improved ECDSA compliance.
+ * Fixed message digest lookup by OID (regression in 1.6.0).
+ * Fixed memory leaks in ECC code.
+ * Fixed some asm build problems and feature detection bugs.
+ * Interface changes relative to the 1.6.0 release:
+ GCRY_MD_FLAG_BUGEMU1 NEW (minor API change).
+
+-------------------------------------------------------------------
+Fri Jan 3 16:36:21 UTC 2014 - dmueller@suse.com
+
+- add arm-missing-files.diff: Add missing files to fix build
+
+-------------------------------------------------------------------
+Fri Jan 3 09:43:39 UTC 2014 - mvyskocil@suse.com
+
+- fix bnc#856915: can't open /dev/urandom
+ * correct libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff
+- require libgpg-error 1.11 or higher
+
+-------------------------------------------------------------------
+Thu Dec 19 13:53:21 UTC 2013 - mvyskocil@suse.com
+
+- fix dependency for 32bit devel package
+- name hmac files according soname
+- fix hmac subpackage dependency
+
+-------------------------------------------------------------------
+Thu Dec 19 09:03:21 UTC 2013 - mvyskocil@suse.com
+
+- update to 1.6.
+ * Removed the long deprecated gcry_ac interface. Thus Libgcrypt is
+ not anymore ABI compatible to previous versions if they used the ac
+ interface. Check NEWS in libgcrypt-devel for removed interfaces.
+ * Removed the module register subsystem.
+ * The deprecated message digest debug macros have been removed. Use
+ gcry_md_debug instead.
+ * Removed deprecated control codes.
+ * Improved performance of most cipher algorithms as well as for the
+ SHA family of hash functions.
+ * Added support for the IDEA cipher algorithm.
+ * Added support for the Salsa20 and reduced Salsa20/12 stream ciphers.
+ * Added limited support for the GOST 28147-89 cipher algorithm.
+ * Added support for the GOST R 34.11-94 and R 34.11-2012 (Stribog)
+ hash algorithms.
+ * Added a random number generator to directly use the system's RNG.
+ Also added an interface to prefer the use of a specified RNG.
+ * Added support for the SCRYPT algorithm.
+ * Mitigated the Yarom/Falkner flush+reload side-channel attack on RSA
+ secret keys. See [CVE-2013-4242].
+ * Added support for Deterministic DSA as per RFC-6969.
+ * Added support for curve Ed25519.
+ * Added a scatter gather hash convenience function.
+ * Added several MPI amd SEXP helper functions.
+ * Added support for negative numbers to gcry_mpi_print,
+ gcry_mpi_aprint and gcry_mpi_scan.
+ * The algorithm ids GCRY_PK_ECDSA and GCRY_PK_ECDH are now
+ deprecated. Use GCRY_PK_ECC if you need an algorithm id.
+ * Changed gcry_pk_genkey for "ecc" to only include the curve name and
+ not the parameters. The flag "param" may be used to revert this.
+ * Added a feature to globally disable selected hardware features.
+ * Added debug helper functions.
+- rebased patches
+ * libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff
+ * libgcrypt-ppc64.patch
+- add libgcrypt-1.6.0-use-intenal-functions.patch to fix fips.c build
+- Move all documentation to -devel package
+
+-------------------------------------------------------------------
+Fri Jul 26 22:05:46 UTC 2013 - andreas.stieger@gmx.de
+
+- update to 1.5.3 [bnc#831359] CVE-2013-4242
+ * Mitigate the Yarom/Falkner flush+reload side-channel attack on
+ RSA secret keys. See .
+
+-------------------------------------------------------------------
+Thu Jul 25 09:15:43 UTC 2013 - mvyskocil@suse.com
+
+- port SLE enhancenments to Factory (bnc#831028)
+ * add libgcrypt-unresolved-dladdr.patch (bnc#701267)
+ * add libgcrypt-1.5.0-etc_gcrypt_rngseed-symlink.diff (bnc#724841)
+ * add libgcrypt-1.5.0-LIBGCRYPT_FORCE_FIPS_MODE-env.diff
+- install .hmac256.hmac (bnc#704068)
+- enable varuous new options in configure (m-guard, hmac binary check and
+ random device linux)
+- build with all ciphers, pubkeys and digest by default as whitelist
+ simply allowed them all
+
+-------------------------------------------------------------------
+Mon Jun 17 13:22:33 UTC 2013 - coolo@suse.com
+
+- avoid gpg-offline in bootstrap packages
+
+-------------------------------------------------------------------
+Sun Jun 16 22:56:56 UTC 2013 - crrodriguez@opensuse.org
+
+- Library must be built with large file support in
+ 32 bit archs.
+
+-------------------------------------------------------------------
+Thu Apr 18 18:23:36 UTC 2013 - andreas.stieger@gmx.de
+
+- update to 1.5.2
+ * The upstream sources now contain the IDEA algorithm, dropping:
+ idea.c.gz
+ libgcrypt-1.5.0-idea.patch
+ libgcrypt-1.5.0-idea_codecleanup.patch
+ * Made the Padlock code work again (regression since 1.5.0).
+ * Fixed alignment problems for Serpent.
+ * Fixed two bugs in ECC computations.
+
+-------------------------------------------------------------------
+Fri Mar 22 09:31:11 UTC 2013 - mvyskocil@suse.com
+
+- add GPL3.0+ to License tag because of dumpsexp (bnc#810759)
+
+-------------------------------------------------------------------
+Mon Mar 18 20:41:00 UTC 2013 - andreas.stieger@gmx.de
+
+- update to 1.5.1
+ * Allow empty passphrase with PBKDF2.
+ * Do not abort on an invalid algorithm number in
+ gcry_cipher_get_algo_keylen and gcry_cipher_get_algo_blklen.
+ * Fixed some Valgrind warnings.
+ * Fixed a problem with select and high fd numbers.
+ * Improved the build system
+ * Various minor bug fixes.
+ * Interface changes relative to the 1.5.0 release:
+ GCRYCTL_SET_ENFORCED_FIPS_FLAG NEW.
+ GCRYPT_VERSION_NUMBER NEW.
+- add verification of source code signatures
+- now requires automake 1.11 to build
+
+-------------------------------------------------------------------
+Sat Feb 2 18:51:33 UTC 2013 - coolo@suse.com
+
+- update license to new format
+
+-------------------------------------------------------------------
+Tue Jun 12 21:19:18 UTC 2012 - chris@computersalat.de
+
+- fix deps
+ * libgpg-error-devel >= 1.8
+- add libsoname macro
+
+-------------------------------------------------------------------
+Sun Feb 12 15:23:56 UTC 2012 - crrodriguez@opensuse.org
+
+- Libraries back into %{_libdir}, /usr merge project
+
+-------------------------------------------------------------------
+Sat Dec 24 23:51:26 UTC 2011 - opensuse@dstoecker.de
+
+- add the missing IDEA algorithm after the patent is no longer relevant
+
+------------------------------------------------------------------
+Sun Nov 13 14:37:29 UTC 2011 - jengelh@medozas.de
+
+- Remove redundant/unwanted tags/section (cf. specfile guidelines)
+
+-------------------------------------------------------------------
+Sun Nov 13 09:16:36 UTC 2011 - coolo@suse.com
+
+- add libtool as explicit buildrequire to avoid implicit dependency from prjconf
+
+-------------------------------------------------------------------
+Sun Oct 2 18:38:28 UTC 2011 - crrodriguez@opensuse.org
+
+- Update to version 1.5.0, most important changes
+ * Uses the Intel AES-NI instructions if available
+ * Support ECDH.
+
+-------------------------------------------------------------------
+Fri Nov 19 09:59:41 UTC 2010 - mvyskocil@suse.cz
+
+- update to 1.4.6
+ * Fixed minor memory leak in DSA key generation.
+ * No more switching to FIPS mode if /proc/version is not readable.
+ * Fixed a sigill during Padlock detection on old CPUs.
+ * Boosted SHA-512 performance by 30% on ia32 boxes and gcc 4.3;
+ SHA-256 went up by 25%.
+ * New variants of the TIGER algorithm.
+ * New cipher algorithm mode for AES-WRAP.
+ * Interface changes relative to the 1.4.2 release:
+ GCRY_MD_TIGER1 NEW
+ GCRY_MD_TIGER2 NEW
+ GCRY_CIPHER_MODE_AESWRAP NEW
+
+-------------------------------------------------------------------
+Sun Jul 4 19:07:16 UTC 2010 - jengelh@medozas.de
+
+- add missing definition of udiv_qrnnd for sparcv9:32
+- use %_smp_mflags
+
+-------------------------------------------------------------------
+Sat Dec 19 12:58:20 CET 2009 - jengelh@medozas.de
+
+- add baselibs.conf as a source
+- disable the use of hand-coded assembler functions on sparc -
+ this is giving me an infinite loop with ./tests/prime
+ (specifically ./sparc32v8/mpih-mul1.S:_gcry_mpih_mul_1.
+ Fedora disables this too.
+
+-------------------------------------------------------------------
+Tue Apr 7 15:45:06 CEST 2009 - crrodriguez@suse.de
+
+- update to version 1.4.4
+ * Publish GCRY_MODULE_ID_USER and GCRY_MODULE_ID_USER_LAST constants.
+ This functionality has been in Libgcrypt since 1.3.0.
+ * MD5 may now be used in non-enforced fips mode.
+ * Fixed HMAC for SHA-384 and SHA-512 with keys longer than 64 bytes.
+ * In fips mode, RSA keys are now generated using the X9.31 algorithm
+ and DSA keys using the FIPS 186-2 algorithm.
+ * The transient-key flag is now also supported for DSA key
+ generation. DSA domain parameters may be given as well.
+
+-------------------------------------------------------------------
+Thu Jan 29 10:57:01 CET 2009 - olh@suse.de
+
+- obsolete libgcrypt-error-XXbit in the library subpackage
+
+-------------------------------------------------------------------
+Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
+
+- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
+ (bnc#437293)
+
+-------------------------------------------------------------------
+Tue Nov 11 17:23:54 CET 2008 - mkoenig@suse.de
+
+- build rijndael.c with -fno-strict-aliasing [bnc#443693]
+
+-------------------------------------------------------------------
+Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Mon Jun 30 11:47:59 CEST 2008 - mkoenig@suse.de
+
+- update to version 1.4.1
+ * Fixed a bug which led to the comsumption of far too much
+ entropy for the intial seeding
+ * Improved AES performance for CFB and CBC modes
+
+-------------------------------------------------------------------
+Sun May 11 11:54:39 CEST 2008 - coolo@suse.de
+
+- fix rename of xxbit packages
+
+-------------------------------------------------------------------
+Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
+
+- added baselibs.conf file to build xxbit packages
+ for multilib support
+
+-------------------------------------------------------------------
+Thu Jan 17 12:20:25 CET 2008 - mkoenig@suse.de
+
+- update to version 1.4.0:
+ * The entire library is now under the LGPL. The helper programs and
+ the manual are under the GPL
+ * New control code GCRYCTL_PRINT_CONFIG
+ * Experimental support for ECDSA
+ * Assembler support for the AMD64 architecture
+ * Non executable stack support is now used by default
+ * New configure option --enable-random-daemon
+ * The new function gcry_md_debug should be used instead of the
+ gcry_md_start_debug and gcry_md_stop_debug macros.
+ * Support for DSA2
+ * Reserved algorithm ranges for use by applications
+ * gcry_mpi_rshift does not anymore truncate the shift count
+ * Support for OFB encryption mode
+ * Support for the Camellia cipher
+ * Support for the SEED cipher
+ * Support for SHA-224 and HMAC using SHA-384 and SHA-512
+ * Reading and writing the random seed file is now protected by a
+ fcntl style file lock
+ * Made the RNG immune against fork without exec
+ * Changed the way the RNG gets initialized
+ * The ASN.1 DER template for SHA-224 has been fixed
+ * The ACE engine of VIA processors is now used for AES-128
+- changed package layout to conform shlib policy:
+ new subpackage libgcrypt11
+- disable static library
+- for reference: bugzilla entry of last change #304749
+
+-------------------------------------------------------------------
+Thu Sep 13 01:28:53 CEST 2007 - ltinkl@suse.cz
+
+- add sanity check for mpi of size 0 (#304479)
+
+-------------------------------------------------------------------
+Mon Feb 5 10:25:21 CET 2007 - mkoenig@suse.de
+
+- update to version 1.2.4:
+ * Fixed a bug in the memory allocator which could have been the
+ reason for some of non-duplicable bugs.
+ * Other minor bug fixes.
+
+-------------------------------------------------------------------
+Wed Dec 13 12:47:48 CET 2006 - mkoenig@suse.de
+
+- get rid of .la file and fix devel so link
+
+-------------------------------------------------------------------
+Tue Dec 5 18:30:30 CET 2006 - mkoenig@suse.de
+
+- move shared lib to /%_lib
+
+-------------------------------------------------------------------
+Thu Aug 31 14:29:56 CEST 2006 - mkoenig@suse.de
+
+- update to version 1.2.3:
+ * Rewrote gcry_mpi_rshift to allow arbitrary shift counts.
+ * Minor bug fixes.
+- added libgpg-error-devel and glibc-devel to Requires tag
+ of devel subpackage
+
+-------------------------------------------------------------------
+Wed Jan 25 21:37:28 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Wed Nov 2 16:44:48 CET 2005 - hvogel@suse.de
+
+- enable noexecstack
+- build ac.c with fno-strict-aliasing
+
+-------------------------------------------------------------------
+Tue Oct 25 13:40:15 CEST 2005 - hvogel@suse.de
+
+- update to version 1.2.2
+
+-------------------------------------------------------------------
+Thu Jun 23 11:26:58 CEST 2005 - hvogel@suse.de
+
+- call install_info macro in post/postun of the devel package
+- depend on libgcrypt
+- add clean section
+
+-------------------------------------------------------------------
+Tue Jan 18 11:51:51 CET 2005 - hvogel@suse.de
+
+- update to version 1.2.1
+
+-------------------------------------------------------------------
+Tue Jan 11 16:48:10 CET 2005 - schwab@suse.de
+
+- Fix info dir entry.
+
+-------------------------------------------------------------------
+Wed Nov 17 11:22:44 CET 2004 - hvogel@suse.de
+
+- require libgpg-error-devel (Bug #48271)
+- get rid of the NLD parts
+
+-------------------------------------------------------------------
+Wed Jul 14 11:12:54 CEST 2004 - adrian@suse.de
+
+- create -devel subpackage
+- prepare for nld
+
+-------------------------------------------------------------------
+Wed May 19 14:57:45 CEST 2004 - hvogel@suse.de
+
+- update to version 1.2.0
+
+-------------------------------------------------------------------
+Mon Mar 22 16:48:53 CET 2004 - meissner@suse.de
+
+- disable make check, because it uses /dev/random whihc is
+ not filled on some server machines.
+
+-------------------------------------------------------------------
+Wed Mar 17 15:01:51 CET 2004 - meissner@suse.de
+
+- fixed too over enthusiastic powerpc switches to make it work
+ on ppc64. (It compiled before, but did not work).
+- enabled make check.
+
+-------------------------------------------------------------------
+Wed Feb 18 12:14:36 CET 2004 - kukuk@suse.de
+
+- Build against system pthread library, not pth.
+
+-------------------------------------------------------------------
+Tue Feb 17 21:11:40 CET 2004 - hvogel@suse.de
+
+- update to version 1.1.91
+- fix autoconf quotations
+
+-------------------------------------------------------------------
+Sat Jan 10 19:20:41 CET 2004 - adrian@suse.de
+
+- add %run_ldconfig to %postun
+
+-------------------------------------------------------------------
+Sun Jul 27 16:12:54 CEST 2003 - poeml@suse.de
+
+- add libgcrypt-1.1.12-sexp-valgrind-error.patch from SLEC
+
+-------------------------------------------------------------------
+Thu Apr 24 12:20:23 CEST 2003 - ro@suse.de
+
+- fix install_info --delete call and move from preun to postun
+
+-------------------------------------------------------------------
+Mon Feb 10 22:51:26 CET 2003 - mmj@suse.de
+
+- Use %install_info macro [#23433]
+
+-------------------------------------------------------------------
+Mon Feb 10 16:11:55 CET 2003 - mc@suse.de
+
+- switch to version 1.1.12
+- gcry_pk_sign, gcry_pk_verify and gcry_pk_encrypt can now handle an
+ optional pkcs1 flags parameter in the S-expression. A similar flag
+ may be passed to gcry_pk_decrypt but it is only syntactically
+ implemented.
+- New convenience macro gcry_md_get_asnoid.
+- There is now some real stuff in the manual.
+- New algorithm: MD4
+- Implemented ciphertext stealing.
+- Support for plain old DES
+- Smaller bugs fixes and a few new OIDs.
+
+-------------------------------------------------------------------
+Tue Jan 14 14:03:27 CET 2003 - nadvornik@suse.cz
+
+- fixed multi-line string literals
+
+-------------------------------------------------------------------
+Thu Aug 1 23:51:10 CEST 2002 - poeml@suse.de
+
+- create package
+
diff --git a/libgcrypt.keyring b/libgcrypt.keyring
new file mode 100644
index 0000000..151e8fa
--- /dev/null
+++ b/libgcrypt.keyring
@@ -0,0 +1,86 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQGNBFjLuq4BDACnM7zNSIaVMAacTwjXa5TGYe13i6ilHe4VL0NShzrgzjcQg531 +3cRgiiiNA7OSOypMqVs73Jez6ZUctn2GVsHBrS/io9NcuC9pVwf8a61WlcEa+EtB +a3G7HlBmEWnwaUdAtWKNuAi9Xn+Ir7H2xEdksmmd5a0/QnL+sX705boVPF/tpYtb +LGpPxa78tNrtxDkSwy8Wmi0IADYLI5yI7/yUGeJd8RSCU/fLRKC9fG7YOZRq0tsO +MhVNWmtUjbG6e73Lu8LKnCZgs1/fC8hvPyARieSV5mdN8s1oWd7oYctfgL4uBleD +ItAA8GhjKejutzHN8Ei/APw6AiiSyEjnPg+cTX8OgvLGJWjks0H6mPZeB1v/kGyZ +hBS9vm540h2/MmlVN2ntiCK5TZGeSWpqddiqusfVXotMRpN4HeLKoZh4RAncaCbZ +F/S+YLeN+kMXY4k3Fqt1fjTX6veFCbthI9pDdHzU9LfUVNp9D/5ktC/tYMORMegV ++wSMxi9G2YWKJkMAEQEAAYkBzgQfAQgAOBYhBFuAxXVCmPDLVdjtarzvfilLCS4o +BQJYy8DdFwyAAZSlyaA8L+XKOwldjh/fcjz0YraxAgcAAAoJELzvfilLCS4oNgoL +/0+K1xIx8JW7Lk5M6bYCvNA4fdlEcwQIT4UidJFM9m+suxYFWIGfebvHpRlEuJTg +dBjkEit8uLAoJXU0BRkKTLrzTF+qDUE79Wfx/R+0nOgJ7aMykQOi0AvuwzMYz4dg +xIVS2Daou4DF7bh/KF8+fqrmq8P8W1ZrkuFDanMWpHeAPx1uj2skYbo7uPqFdvlJ +hlNHrcxlcCkjf1InAt0Xt5lMvEsCRUPf9xAH4mNEhs0lh9c+200YPRmtnLWAzc1K +ckLIC8Q+mUR3DjZDqBlDBEPegXkrI0+MlvRA+9AnAm4YPqTMUfpZ6ZOAWeFjC/6Z +QYxG/AdWGkb4WFindzklQfybEuiekP8vU07ACQwSwH8PYe0UCom1YrlRUjX7QLkn +ZLWoeZg8BZy9GTM1Ut7Q1Q2uTw6mxxISuef+RFgYOHjWwLpFWZpqC88xERl7o/iz +iERJRt/593IctbjO9wenWt2peIAwzR4nz7LqM6ZFTdRAETmcdSvYRhg2Qt8hUE47 +CbQkQW5kcmUgSGVpbmVja2UgKFJlbGVhc2UgU2lnbmluZyBLZXkpiQHUBBMBCAA+ +FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLuq4CGwMFCRLMAwAFCwkIBwIGFQgJ +CgsCBBYCAwECHgECF4AACgkQvO9+KUsJLihC/QwAhCC+SEvcFLcutgZ8HfcCtoZs +IoVzZEy7DjqIvGgnTssD8HCLnIAHCDvnP7dJW3uMuLCdSqym3cjlEIiQMsaGywkl +fzJISAwJrGQdWSKRd535jXpEXQlXDKal/IwMKAUt0PZtlCc9S3gwixQryxdJ28lJ +6h2T9fVDr8ZswMmTAFG91uctfhjKOMgPt8UhSPGW484WsIsQgkbOvf+Kfswl0eHu +ywX+pKAB5ZQ/9GVC6Ug4xfrdiJL0azJTPnvjMY5JYp6/L9RURs5hP5AnHR2j/PPo +sAtsFCjmbRbOMiASzklnUJPbSz5kfLloDWZmrUScjbzmsXehGyt433JGyRhZJl4x +/jPbzKhaaAHsGd+fRao6vlLOwFywDDVMp6JuyK7UeUb7I8ekTbSkGFA+l2Oa3O6/ +Y7PYhq7hwwAFuZckYI98IpHNCG1fS9W07FyKdvQbK1PbF1JFRKfsUCWYMKqDnbqE +o5jivPEHZImw6iYhhXcyEYl8fjcb9T6/S+wOP7aviQGzBBABCAAdFiEElKXJoDwv 
+5co7CV2OH99yPPRitrEFAljLv5sACgkQH99yPPRitrFw4gv/XFMFN+/LHsn9hJOP +4rCwl1yUuxXuYmZgc0sRoY3EpeQkJVyKurQuqqKoy2VuoMiF0O1kAQmGoFtVPUk7 +b8hCoutqB5GyeyKcoLP+WINgVhB2gXg7TSp3MPLBKkgqvSDvPitgRxBqFb4LW8LJ +bDbfwGrzIvXfDV3WvsrHVPbc2fhlWdL8d+3AE6mFiXF3eTpgmV3ApSBQV12MkkCk +icLIPmp+ZxZON+OP52ZXkRtfMgOy4Oa/41agrViDAZdMOGeGkhPertQheQZgXzmo +GF5Wz498HPM80Kv35X91l3iGzL+icEtO+tWea2YscsZ6qpRe2lfVPHk3B+anlmCj +m4kM4cBd39xa4HHSVh/bRHbZNtgVr7slQCKxlHgQOGVI5vCxPCwEsgJ2KBk03Nk/ +IA9EKO+czfh3/bHW6uMbEqrYDCnt+hmzZrpKDSGcwS/KOhvMUIMlb7/8vDKum6mp +/8xAtVZ6IAxYZNt3qg7Y7aLRtzCTyqm8rJQrZPtRaQcgLoEimDMEX0PliRYJKwYB +BAHaRw8BAQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6WMBAmNpe0H1dlcm5l +ciBLb2NoIChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYhBG2qbmSnbShAVxtJ +AlKIl7gmQDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe +BwIXgAAKCRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJLs4bnaZaPIk9ARrU0 +EXRgJgD/YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5CjgaIbQQQEQsAHRYh +BIBhWHD1utaQMzaG0PKthaweQrNnBQJfQ/HmAAoJEPKthaweQrNnIZkA3jG6LcZv +V/URn8Y8OJqsyYa4C3NI4nN+OhEvYhgA4PHzMnALeXIpA2gblvjFIPJPAhDBAU37 +c5PA6+6IdQQQFggAHRYhBK6oTtzwGthsRwHIXGMROuhmWH0KBQJfQ/IlAAoJEGMR +OuhmWH0K1+MA/0uJ5AHcnSfIBEWHNJwwVVLGyrxAWtS2U+zeymp/UvlPAQDErCLZ +l0dBiPG3vlowFx5TNep7tanBs6ZJn8F1ao1tAIkBMwQQAQgAHRYhBNhpISPEBl3q +Xg86tSSbOdJPJeO2BQJfQ/OuAAoJECSbOdJPJeO2DVoH/0o9if66ph6FJrgr+A/W +HNVeHxmM5tUQhpL1wpRS70SKcsJgolf5CxO5iTQf3HlZe544xGbIU/aCTJsWw9zi +UE8KmhAtKV4eL/7oQ7xx4nxPnABLpudtM8A44nsM1x/XiYrJnnDm29QjYEGd2Hi8 +7npc7VWKzLoj+I/WcXquynJi5O9TUxW9Bknd1pjpxFkf8v+msjBzCD5VKJgr0CR8 +wA6peQBWeGZX2HacosMIZH4TfL0r0TFla6LJIkNBz9DyIm1yL4L8oRH0950hQljP +C7TM3L7aRpX+4Kph6llFz6g7MALGFP95kyJ6o+XED9ORuuQVZMBMIkNC0tXOu10V +bdqIdQQQFgoAHRYhBMHTS2khnkruwLocIeP9/yGORbcrBQJfQ/P8AAoJEOP9/yGO +Rbcr3lQBAMas8Vl3Hdl3g2I283lz1uHiGvlwcnk2TLeB+U4zIwC9AQCy0nnazVNt +VQPID1ZCMoaOX7AzOjaqQDLf4j+dVTxgBJgzBGCkgocWCSsGAQQB2kcPAQEHQJmd +fwp8jEN5P3eEjhQiWk6zQi8utvgOvYD57XmE+H8+tCBOaWliZSBZdXRha2EgKEdu +dVBHIFJlbGVhc2UgS2V5KYiaBBMWCgBCFiEErI4RW/c+LY1H+pkI6Y6bLRnGyL0F 
+AmCkgocCGwMFCQsNBpkFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEOmO +my0Zxsi9/4IA/1rvSr3MU+Sv4jhNDzD+CeC3gmHkPew6pi9VHEsEwdgmAQD2BtiX +7w1sJL/CBylGWv5jxj4345mP9YfZm0RsgzPjDIh1BBAWCAAdFiEEJJyzdxdQdF1c +3TI84mewUjZPAo0FAmFAQ54ACgkQ4mewUjZPAo1CiAD+KTT1UVdQTGHMyvHwZocS +QjU8xhcZrTet+dvvjrE5+4MA/RBdJPZgFevUKu68NEy0Lo+RbkeCtmQJ/c8v5ieF +vW0AiQEzBBABCAAdFiEEEkEkvTtIYq96CkLxALRevUynur4FAmFAQ7cACgkQALRe +vUynur4kaAgAolPR8TNWVS0vXMKrr0k0l2M/8QkZTaLZx1GT9Nx1yb4WJKY7ElPM +YkhGDxetvFBETx0pH/6R3jtj6Crmur+NKHVSRY+rCYpFPDn6ciIOryssRx2G4kCZ +t+nFB9JyDbBOZAR8DK4pN1mAxG/yLDt4oKcUQsP2xlEFum+phxyR8KyYCpkwKRxY +eK+6lfilQuveoUwp/Xx5wXPNUy6q4eOOovCW7gS7I7288NGHCa2ul8sD6vA9C4mM +4Zxaole9P9wwJe1zZFtCIy88zHM9vqv+YM9DxMCaW24+rUztr7eD4bCRdG+QlSh+ +7R/TaqSxY1eAAd1J5tma9CNJO73pTKU+/JhTBGFpSqMTCSskAwMCCAEBBwIDBF6X +D9NmUQDgiyYNbhs1DMJ14mIw812wY1HVx/4QWYWiBunhrvSFxVbzsjD7/Wv+v3bm +MPrL+M2DLyFiSewNmcS0JEdudVBHLmNvbSAoUmVsZWFzZSBTaWduaW5nIEtleSAy +MDIxKYiaBBMTCABCFiEEAvON/3Mf+XywOaHaVJ5pXpBboggFAmFpSqMCGwMFCQ9x +14oFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFSeaV6QW6IITkoA/RYa +jaTl1eEBU/Gdm12o3jrI55N5xZK2XTqSx25clVyjAP0XwMW/Og5+ND1ri3bAqADV +WlBDUswz8wYxsb0C4kYBkoh1BBAWCgAdFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoF +AmFpTvEACgkQUoiXuCZAOtrJQAEAh7YyykjAy/Qs1yC3ji8iBfIVnPXvblrIx3SR +RyDwRC8BAKtZbEuKTtPlgkLUgMleTcZJ/vEhJE+GvfQ9o5gWCqEFiHUEEBYKAB0W +IQTB00tpIZ5K7sC6HCHj/f8hjkW3KwUCYWlPWgAKCRDj/f8hjkW3Kx4eAQDp6aGS +N/fU4xLl8RSvQUVjVA+aCTrMQR3hRwqw8liF2wEA3O3ECxz6e1+DoItYoJBBLKLw +eiInsGZ/+h5XYrpXTgA= +=4+Sn +-----END PGP PUBLIC KEY BLOCK----- diff --git a/libgcrypt.spec b/libgcrypt.spec new file mode 100644 index 0000000..00d3a5a --- /dev/null +++ b/libgcrypt.spec 
@@ -0,0 +1,186 @@
+#
+# spec file for package libgcrypt
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define libsover 20
+%define libsoname %{name}%{libsover}
+%define hmac_key orboDeJITITejsirpADONivirpUkvarP
+Name: libgcrypt
+Version: 1.10.3
+Release: 0
+Summary: The GNU Crypto Library
+License: GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
+Group: Development/Libraries/C and C++
+URL: https://gnupg.org/software/libgcrypt
+Source: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
+Source1: https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
+Source2: baselibs.conf
+Source3: random.conf
+Source4: hwf.deny
+# https://gnupg.org/signature_key.asc
+Source5: libgcrypt.keyring
+Source99: libgcrypt.changes
+Patch1: libgcrypt-1.10.0-allow_FSM_same_state.patch
+#PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run
+Patch2: libgcrypt-nobetasuffix.patch
+# FIPS patches:
+#PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK
+Patch100: libgcrypt-FIPS-SLI-pk.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
+Patch101: libgcrypt-FIPS-SLI-kdf-leylength.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
+Patch102: libgcrypt-FIPS-SLI-hash-mac.patch
+#PATCH-FIX-SUSE bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy
+Patch103: libgcrypt-jitterentropy-3.4.0.patch
+#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
+Patch104: libgcrypt-FIPS-rndjent_poll.patch
+# POWER patches [jsc#PED-5088] POWER performance enhancements for cryptography
+Patch200: libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
+Patch201: libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
+BuildRequires: automake >= 1.14
+BuildRequires: libgpg-error-devel >= 1.27
+BuildRequires: libtool
+BuildRequires: makeinfo
+BuildRequires: pkgconfig
+%{?suse_build_hwcaps_libs}
+
+%description
+Libgcrypt is a general purpose library of cryptographic building
+blocks. It is originally based on code used by GnuPG. It does not
+provide any implementation of OpenPGP or other protocols. Thorough
+understanding of applied cryptography is required to use Libgcrypt.
+
+%package -n %{libsoname}
+Summary: The GNU Crypto Library
+License: GPL-2.0-or-later AND LGPL-2.1-or-later
+Group: System/Libraries
+Provides: %{libsoname}-hmac = %{version}-%{release}
+Obsoletes: %{libsoname}-hmac < %{version}-%{release}
+
+%description -n %{libsoname}
+Libgcrypt is a general purpose crypto library based on the code used in
+GnuPG (alpha version).
+
+%package devel
+Summary: The GNU Crypto Library
+License: GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
+Group: Development/Libraries/C and C++
+Requires: %{libsoname} = %{version}
+Requires: glibc-devel
+Requires: libgpg-error-devel >= 1.27
+
+%description devel
+Libgcrypt is a general purpose library of cryptographic building
+blocks. It is originally based on code used by GnuPG. It does not
+provide any implementation of OpenPGP or other protocols. Thorough
+understanding of applied cryptography is required to use Libgcrypt.
+
+This package contains needed files to compile and link against the
+library.
+
+%prep
+%autosetup -p1
+
+# Rename the internal .hmac file to include the so library version
+sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g" src/Makefile.am src/Makefile.in
+
+%build
+export PUBKEYS="dsa elgamal rsa ecc"
+export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20 sm4"
+export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2 sm3"
+export KDFS="s2k pkdf2 scrypt"
+
+autoreconf -fi
+date=$(date -u '+%%Y-%%m-%%dT%%H:%%M+0000' -r %{SOURCE99})
+sed -e "s,BUILD_TIMESTAMP=.*,BUILD_TIMESTAMP=$date," -i configure
+export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
+%configure \
+ --with-fips-module-version="Libgcrypt version %{version}-%{release}" \
+ --enable-hmac-binary-check="%{hmac_key}" \
+ --enable-ciphers="$CIPHERS" \
+ --enable-pubkey-ciphers="$PUBKEYS" \
+ --enable-digests="$DIGESTS" \
+ --enable-kdfs="$KDFS" \
+ --enable-noexecstack \
+ --disable-static \
+ --enable-m-guard \
+%ifarch %{sparc}
+ --disable-asm \
+%endif
+ --enable-random=getentropy \
+ %{nil}
+
+%make_build
+
+%check
+make -k check
+# run the regression tests also in FIPS mode
+LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
+
+%install
+%make_install
+
+# this is a hack that re-defines the __spec_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+
+%define libpath %{buildroot}%{_libdir}/libgcrypt.so.%{libsover}.?.?
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ cd src \
+ sed -i -e 's|FILE=.*|FILE=\\\$1|' gen-note-integrity.sh \
+ READELF=readelf AWK=awk ECHO_N="-n" bash gen-note-integrity.sh %{libpath} > %{libpath}.hmac \
+ objcopy --update-section .note.fdo.integrity=%{libpath}.hmac %{libpath} %{libpath}.new \
+ mv -f %{libpath}.new %{libpath} \
+ rm -f %{libpath}.hmac \
+%{nil}
+
+rm %{buildroot}%{_libdir}/%{name}.la
+
+# Create /etc/gcrypt directory and install random.conf
+mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt
+install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/gcrypt/random.conf
+install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/gcrypt/hwf.deny
+
+%post -n %{libsoname} -p /sbin/ldconfig
+%postun -n %{libsoname} -p /sbin/ldconfig
+
+%files -n %{libsoname}
+%license COPYING COPYING.LIB LICENSES
+%doc AUTHORS ChangeLog NEWS README THANKS TODO
+%{_libdir}/%{name}.so.*
+%dir %{_sysconfdir}/gcrypt
+%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
+%config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
+
+%files devel
+%license COPYING COPYING.LIB LICENSES
+%{_bindir}/dumpsexp
+%{_bindir}/hmac256
+%{_bindir}/mpicalc
+%{_bindir}/%{name}-config
+%{_libdir}/%{name}.so
+%{_libdir}/pkgconfig/libgcrypt.pc
+%{_datadir}/aclocal/%{name}.m4
+%{_includedir}/gcrypt*.h
+%{_infodir}/gcrypt.info*%{ext_info}*
+%{_mandir}/man1/*
+
+%changelog
diff --git a/random.conf b/random.conf
new file mode 100644
index 0000000..980efc8
--- /dev/null
+++ b/random.conf
@@ -0,0 +1,9 @@
+# This file can be used to globally change parameters of
+# the random generator. Supported options are:
+
+# Always use the non-blocking /dev/urandom or the respective
+# system call instead of the blocking /dev/random.
+# only-urandom
+
+# Disable the use of the jitter based entropy generator.
+# disable-jent
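Review bot: The FIPS-mode test run in %check, `LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true`, can never fail the build, so a self-test or indicator regression introduced by the FIPS patches (Patch100 to Patch104) would only be visible to someone reading the build log. If specific tests are known to fail under forced FIPS mode, name them in a comment on that line and keep the rest fatal; if none are, drop the `|| true`. The redefined `__spec_install_post` also depends on the `%{libpath}` glob `libgcrypt.so.%{libsover}.?.?` matching exactly one installed file, since the redirection into `%{libpath}.hmac` would presumably break on a second match; a comment such as `# exactly one libgcrypt.so.20.x.y is expected to match here` next to the `%define libpath` line would make a future soname change easier to spot.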