Sync from SUSE:SLFO:Main libgcrypt revision 6131224c98fce16f17b1c1644f7697f3

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

baselibs.conf

@@ -0,0 +1,8 @@
+libgcrypt20
+  provides "libgcrypt-<targettype> = <version>"
+  obsoletes "libgcrypt-<targettype> <= <version>"
+  provides "libgcrypt20-hmac-<targettype> = <version>-%release"
+  obsoletes "libgcrypt20-hmac-<targettype> < <version>-%release"
+libgcrypt-devel
+  requires -libgcrypt-<targettype>
+  requires "libgcrypt20-<targettype> = <version>"

hwf.deny

@@ -0,0 +1,34 @@
+# This file can be used to globally disable the use of hardware
+# based optimizations. Supported options are:
+# padlock-rng
+# padlock-aes
+# padlock-sha
+# padlock-mmul
+# intel-cpu
+# intel-fast-shld
+# intel-bmi2
+# intel-ssse3
+# intel-sse4.1
+# intel-pclmul
+# intel-aesni
+# intel-rdrand
+# intel-avx
+# intel-avx2
+# intel-fast-vpgather
+# intel-rdtsc
+# intel-shaext
+# intel-vaes-vpclmul
+# arm-neon
+# arm-aes
+# arm-sha1
+# arm-sha2
+# arm-pmull
+# ppc-vcrypto
+# ppc-arch_3_00
+# ppc-arch_2_07
+# ppc-arch_3_10
+# s390x-msa
+# s390x-msa-4
+# s390x-msa-8
+# s390x-msa-9
+# s390x-vx

libgcrypt-1.10.0-allow_FSM_same_state.patch

@@ -0,0 +1,15 @@
+Index: libgcrypt-1.10.0/src/fips.c
+===================================================================
+--- libgcrypt-1.10.0.orig/src/fips.c
++++ libgcrypt-1.10.0/src/fips.c
+@@ -890,6 +890,10 @@ fips_new_state (enum module_states new_s
+ 
+     }
+ 
++  /* Allow a transition to the current state */
++  if (current_state == new_state)
++    ok = 1;
++
+   if (ok)
+     {
+       current_state = new_state;

libgcrypt-FIPS-SLI-hash-mac.patch

@@ -0,0 +1,172 @@
+Index: libgcrypt-1.10.2/doc/gcrypt.texi
+===================================================================
+--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
++++ libgcrypt-1.10.2/doc/gcrypt.texi
+@@ -985,13 +985,21 @@ certification. If the function is approv
+ @code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
+ Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+ 
+-@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos
++@item GCRYCTL_FIPS_SERVICE_INDICATOR_HASH; Arguments: enum gcry_md_algos
+ 
+-Check if the given MAC is approved under the current FIPS 140-3
+-certification. If the MAC is approved, this function returns
+-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
++Check if the given HASH is approved under the current FIPS 140-3
++certification. If the HASH is approved, this function returns
++@code{GPS_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
+ is returned.
+ 
++@item GCRYCTL_FIPS_SERVICE_INDICATOR_MAC; Arguments: enum gcry_mac_algos [, unsigned int]
++
++Check if the given MAC is approved under the current FIPS 140-3
++certification. The second parameter provides the keylen (if the
++algorithm supports different key sizes). If the MAC is approved,
++this function returns @code{GPS_ERR_NO_ERROR}. Otherwise
++@code{GPG_ERR_NOT_SUPPORTED} is returned.
++
+ @item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
+ 
+ Check if the given message digest algorithm is approved under the current
+Index: libgcrypt-1.10.2/src/fips.c
+===================================================================
+--- libgcrypt-1.10.2.orig/src/fips.c
++++ libgcrypt-1.10.2/src/fips.c
+@@ -377,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg
+     }
+ }
+ 
+-int
+-_gcry_fips_indicator_mac (va_list arg_ptr)
+-{
+-  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
+-
+-  switch (alg)
+-    {
+-    case GCRY_MAC_CMAC_AES:
+-    case GCRY_MAC_HMAC_SHA1:
+-    case GCRY_MAC_HMAC_SHA224:
+-    case GCRY_MAC_HMAC_SHA256:
+-    case GCRY_MAC_HMAC_SHA384:
+-    case GCRY_MAC_HMAC_SHA512:
+-    case GCRY_MAC_HMAC_SHA512_224:
+-    case GCRY_MAC_HMAC_SHA512_256:
+-    case GCRY_MAC_HMAC_SHA3_224:
+-    case GCRY_MAC_HMAC_SHA3_256:
+-    case GCRY_MAC_HMAC_SHA3_384:
+-    case GCRY_MAC_HMAC_SHA3_512:
+-      return GPG_ERR_NO_ERROR;
+-    default:
+-      return GPG_ERR_NOT_SUPPORTED;
+-    }
+-}
+-
+ /* FIPS approved curves, extracted from:
+  *   cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
+ static const struct
+@@ -598,6 +574,62 @@ _gcry_fips_indicator_pk_flags (va_list a
+   return GPG_ERR_NOT_SUPPORTED;
+ }
+ 
++int
++_gcry_fips_indicator_hash (va_list arg_ptr)
++{
++  enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
++
++  switch (alg)
++    {
++    case GCRY_MD_SHA1:
++    case GCRY_MD_SHA224:
++    case GCRY_MD_SHA256:
++    case GCRY_MD_SHA384:
++    case GCRY_MD_SHA512:
++    case GCRY_MD_SHA512_224:
++    case GCRY_MD_SHA512_256:
++    case GCRY_MD_SHA3_224:
++    case GCRY_MD_SHA3_256:
++    case GCRY_MD_SHA3_384:
++    case GCRY_MD_SHA3_512:
++    case GCRY_MD_SHAKE128:
++    case GCRY_MD_SHAKE256:
++      return GPG_ERR_NO_ERROR;
++    default:
++      return GPG_ERR_NOT_SUPPORTED;
++    }
++}
++
++int
++_gcry_fips_indicator_mac (va_list arg_ptr)
++{
++  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
++  unsigned int keylen = va_arg (arg_ptr, unsigned int);
++
++  switch (alg)
++    {
++    case GCRY_MAC_HMAC_SHA1:
++    case GCRY_MAC_HMAC_SHA224:
++    case GCRY_MAC_HMAC_SHA256:
++    case GCRY_MAC_HMAC_SHA384:
++    case GCRY_MAC_HMAC_SHA512:
++    case GCRY_MAC_HMAC_SHA512_224:
++    case GCRY_MAC_HMAC_SHA512_256:
++    case GCRY_MAC_HMAC_SHA3_224:
++    case GCRY_MAC_HMAC_SHA3_256:
++    case GCRY_MAC_HMAC_SHA3_384:
++    case GCRY_MAC_HMAC_SHA3_512:
++        if (keylen >= 112) {
++          return GPG_ERR_NO_ERROR;
++        }
++    case GCRY_MAC_CMAC_AES:
++        if (keylen == 128 || keylen == 192 || keylen == 256) {
++          return GPG_ERR_NO_ERROR;
++        }
++    default:
++      return GPG_ERR_NOT_SUPPORTED;
++    }
++}
+ 
+ /* This is a test on whether the library is in the error or
+    operational state. */
+Index: libgcrypt-1.10.2/src/g10lib.h
+===================================================================
+--- libgcrypt-1.10.2.orig/src/g10lib.h
++++ libgcrypt-1.10.2/src/g10lib.h
+@@ -456,6 +456,7 @@ void _gcry_fips_signal_error (const char
+ #endif
+ 
+ int _gcry_fips_indicator_cipher (va_list arg_ptr);
++int _gcry_fips_indicator_hash (va_list arg_ptr);
+ int _gcry_fips_indicator_mac (va_list arg_ptr);
+ int _gcry_fips_indicator_md (va_list arg_ptr);
+ int _gcry_fips_indicator_kdf (va_list arg_ptr);
+Index: libgcrypt-1.10.2/src/gcrypt.h.in
+===================================================================
+--- libgcrypt-1.10.2.orig/src/gcrypt.h.in
++++ libgcrypt-1.10.2/src/gcrypt.h.in
+@@ -335,7 +335,8 @@ enum gcry_ctl_cmds
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
+-    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
++    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88,
++    GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 89
+   };
+ 
+ /* Perform various operations defined by CMD. */
+Index: libgcrypt-1.10.2/src/global.c
+===================================================================
+--- libgcrypt-1.10.2.orig/src/global.c
++++ libgcrypt-1.10.2/src/global.c
+@@ -791,6 +791,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+       rc = _gcry_fips_indicator_cipher (arg_ptr);
+       break;
+ 
++    case GCRYCTL_FIPS_SERVICE_INDICATOR_HASH:
++      /* Get FIPS Service Indicator for a given HASH. Returns GPG_ERR_NO_ERROR
++       * if algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise */
++      rc = _gcry_fips_indicator_hash (arg_ptr);
++      break;
++
+     case GCRYCTL_FIPS_SERVICE_INDICATOR_MAC:
+       /* Get FIPS Service Indicator for a given message authentication code.
+        * Returns GPG_ERR_NO_ERROR if algorithm is allowed or

libgcrypt-FIPS-SLI-kdf-leylength.patch

@@ -0,0 +1,42 @@
+Index: libgcrypt-1.10.2/src/fips.c
+===================================================================
+--- libgcrypt-1.10.2.orig/src/fips.c
++++ libgcrypt-1.10.2/src/fips.c
+@@ -520,10 +520,15 @@ int
+ _gcry_fips_indicator_kdf (va_list arg_ptr)
+ {
+   enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
++  unsigned int keylen = 0;
+ 
+   switch (alg)
+     {
+     case GCRY_KDF_PBKDF2:
++      keylen = va_arg (arg_ptr, unsigned int);
++      if (keylen < 112) {
++        return GPG_ERR_NOT_SUPPORTED;
++      }
+       return GPG_ERR_NO_ERROR;
+     default:
+       return GPG_ERR_NOT_SUPPORTED;
+Index: libgcrypt-1.10.2/doc/gcrypt.texi
+===================================================================
+--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
++++ libgcrypt-1.10.2/doc/gcrypt.texi
+@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3
+ combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
+ Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+ 
+-@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos
++@item GCRYCTL_FIPS_SERVICE_INDICATOR_KDF; Arguments: enum gcry_kdf_algos [, unsigned int]
+ 
+ Check if the given KDF is approved under the current FIPS 140-3
+-certification. If the KDF is approved, this function returns
+-@code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
+-is returned.
++certification. The second parameter provides the keylength in bits.
++Keylength values of less that 112 bits are considered non-approved.
++If the KDF is approved, this function returns @code{GPG_ERR_NO_ERROR}.
++Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+ 
+ @item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
+ 

libgcrypt-FIPS-SLI-pk.patch

@@ -0,0 +1,177 @@
+Index: libgcrypt-1.10.2/src/fips.c
+===================================================================
+--- libgcrypt-1.10.2.orig/src/fips.c
++++ libgcrypt-1.10.2/src/fips.c
+@@ -38,6 +38,7 @@
+ 
+ #include "g10lib.h"
+ #include "cipher-proto.h"
++#include "cipher.h"
+ #include "../random/random.h"
+ 
+ /* The states of the finite state machine used in fips mode.  */
+@@ -399,6 +400,94 @@ _gcry_fips_indicator_mac (va_list arg_pt
+     default:
+       return GPG_ERR_NOT_SUPPORTED;
+     }
++}
++
++/* FIPS approved curves, extracted from:
++ *   cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
++static const struct
++{
++  const char *name;  /* Our name.  */
++  const char *other; /* Other name. */
++} fips_approved_curve[] =
++  {
++    /* "NIST P-192" is non-approved if FIPS 140-3 */
++    /* { "NIST P-192", "1.2.840.10045.3.1.1" }, /\* X9.62 OID  *\/ */
++    /* { "NIST P-192", "prime192v1" },          /\* X9.62 name.  *\/ */
++    /* { "NIST P-192", "secp192r1"  },          /\* SECP name.  *\/ */
++    /* { "NIST P-192", "nistp192"   },          /\* rfc5656.  *\/ */
++
++    { "NIST P-224", "secp224r1" },
++    { "NIST P-224", "1.3.132.0.33" },        /* SECP OID.  */
++    { "NIST P-224", "nistp224"   },          /* rfc5656.  */
++
++    { "NIST P-256", "1.2.840.10045.3.1.7" }, /* From NIST SP 800-78-1.  */
++    { "NIST P-256", "prime256v1" },
++    { "NIST P-256", "secp256r1"  },
++    { "NIST P-256", "nistp256"   },          /* rfc5656.  */
++
++    { "NIST P-384", "secp384r1" },
++    { "NIST P-384", "1.3.132.0.34" },
++    { "NIST P-384", "nistp384"   },          /* rfc5656.  */
++
++    { "NIST P-521", "secp521r1" },
++    { "NIST P-521", "1.3.132.0.35" },
++    { "NIST P-521", "nistp521"   },          /* rfc5656.  */
++    { NULL, NULL}
++  };
++
++enum pk_operation convert_from_pk_usage(unsigned int pk_usage)
++{
++  switch (pk_usage)
++    {
++    case GCRY_PK_USAGE_SIGN:
++      return PUBKEY_OP_SIGN;
++    case GCRY_PK_USAGE_ENCR:
++      return PUBKEY_OP_ENCRYPT;
++    default:
++      return PUBKEY_OP_DECRYPT;
++    }
++}
++
++int
++_gcry_fips_indicator_pk (va_list arg_ptr)
++{
++  enum gcry_pk_algos alg = va_arg (arg_ptr, enum gcry_pk_algos);
++  enum pk_operation oper;
++  unsigned int keylen;
++  const char *curve_name;
++
++  switch (alg)
++    {
++    case GCRY_PK_RSA:
++    case GCRY_PK_RSA_E:
++    case GCRY_PK_RSA_S:
++      oper = convert_from_pk_usage(va_arg (arg_ptr, unsigned int));
++      switch (oper)
++        {
++        case PUBKEY_OP_ENCRYPT:
++        case PUBKEY_OP_DECRYPT:
++          return GPG_ERR_NOT_SUPPORTED;
++        default:
++          keylen = va_arg (arg_ptr, unsigned int);
++          if (keylen < 2048)
++            return GPG_ERR_NOT_SUPPORTED;
++          return GPG_ERR_NO_ERROR;
++        }
++    case GCRY_PK_ECC:
++    case GCRY_PK_ECDH:
++    case GCRY_PK_ECDSA:
++      curve_name = va_arg (arg_ptr, const char *);
++      for (int idx = 0; fips_approved_curve[idx].name; ++idx)
++        {
++          /* Check for the usual name and an alias. */
++          if (!strcmp (curve_name, fips_approved_curve[idx].name) ||
++              !strcmp (curve_name, fips_approved_curve[idx].other))
++            return GPG_ERR_NO_ERROR;
++        }
++      return GPG_ERR_NOT_SUPPORTED;
++    default:
++      return GPG_ERR_NOT_SUPPORTED;
++    }
+ }
+ 
+ int
+Index: libgcrypt-1.10.2/src/gcrypt.h.in
+===================================================================
+--- libgcrypt-1.10.2.orig/src/gcrypt.h.in
++++ libgcrypt-1.10.2/src/gcrypt.h.in
+@@ -334,7 +334,8 @@ enum gcry_ctl_cmds
+     GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
+-    GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87
++    GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
++    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 88
+   };
+ 
+ /* Perform various operations defined by CMD. */
+Index: libgcrypt-1.10.2/doc/gcrypt.texi
+===================================================================
+--- libgcrypt-1.10.2.orig/doc/gcrypt.texi
++++ libgcrypt-1.10.2/doc/gcrypt.texi
+@@ -997,6 +997,19 @@ Check if the given message digest algori
+ FIPS 140-3 certification. If the algorithm is approved, this function returns
+ @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
+ 
++@item GCRYCTL_FIPS_SERVICE_INDICATOR_PK; Arguments: enum gcry_pk_algos [, constantsGCRY_PK_USAGE_ENCR or GCRY_PK_USAGE_SIGN, unsigned int (only for GCRY_PK_RSA)] [, const char * (only for GCRY_PK_ECC, GCRY_PK_ECDH or GCRY_PK_ECDSA)]
++
++Check if the given asymmetric cipher is approved under the current
++FIPS 140-3 certification. For GCRY_PK_RSA, two additional parameter
++are required: first describes the purpose of the algorithm through one
++of the constants (GCRY_PK_USAGE_ENCR for encryption or decryption
++operations; GCRY_PK_USAGE_SIGN for sign or verify operations). Second
++one is the key length. For GCRY_PK_ECC, GCRY_PK_ECDH and
++GCRY_PK_ECDSA, only a single parameter is needed: the curve name or
++its alias as @code{const char *}. If the combination is approved, this
++function returns @code{GPG_ERR_NO_ERROR}. Otherwise
++@code{GPG_ERR_NOT_SUPPORTED} is returned.
++
+ @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
+ 
+ Check if the given public key operation flag or s-expression object name is
+Index: libgcrypt-1.10.2/src/g10lib.h
+===================================================================
+--- libgcrypt-1.10.2.orig/src/g10lib.h
++++ libgcrypt-1.10.2/src/g10lib.h
+@@ -460,6 +460,7 @@ int _gcry_fips_indicator_mac (va_list ar
+ int _gcry_fips_indicator_md (va_list arg_ptr);
+ int _gcry_fips_indicator_kdf (va_list arg_ptr);
+ int _gcry_fips_indicator_function (va_list arg_ptr);
++int _gcry_fips_indicator_pk (va_list arg_ptr);
+ int _gcry_fips_indicator_pk_flags (va_list arg_ptr);
+ 
+ int _gcry_fips_is_operational (void);
+Index: libgcrypt-1.10.2/src/global.c
+===================================================================
+--- libgcrypt-1.10.2.orig/src/global.c
++++ libgcrypt-1.10.2/src/global.c
+@@ -825,6 +834,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+       rc = _gcry_fips_indicator_pk_flags (arg_ptr);
+       break;
+ 
++    case GCRYCTL_FIPS_SERVICE_INDICATOR_PK:
++      /* Get FIPS Service Indicator for a given asymmetric algorithm. For
++       * GCRY_PK_RSA, an additional parameter for the operation mode is
++       * required. For ECC, ECDH and ECDSA, the additional parameter is the
++       * curve name or its alias. Returns GPG_ERR_NO_ERROR if the
++       * algorithm is allowed or GPG_ERR_NOT_SUPPORTED otherwise. */
++      rc = _gcry_fips_indicator_pk (arg_ptr);
++      break;
++
+     case PRIV_CTL_INIT_EXTRNG_TEST:  /* Init external random test.  */
+       rc = GPG_ERR_NOT_SUPPORTED;
+       break;

libgcrypt-FIPS-rndjent_poll.patch

@@ -0,0 +1,114 @@
+Index: libgcrypt-1.10.0/random/rndoldlinux.c
+===================================================================
+--- libgcrypt-1.10.0.orig/random/rndoldlinux.c
++++ libgcrypt-1.10.0/random/rndoldlinux.c
+@@ -132,7 +132,7 @@ _gcry_rndoldlinux_gather_random (void (*
+   volatile pid_t apid;
+   int fd;
+   int n;
+-  byte buffer[768];
++  byte buffer[256];
+   size_t n_hw;
+   size_t want = length;
+   size_t last_so_far = 0;
+@@ -187,26 +187,43 @@ _gcry_rndoldlinux_gather_random (void (*
+       my_pid = apid;
+     }
+ 
++  if (fips_mode())
++    {
++      if (level >= GCRY_VERY_STRONG_RANDOM)
++        {
++          size_t n;
+ 
+-  /* First read from a hardware source.  Note that _gcry_rndhw_poll_slow lets
+-     it account only for up to 50% (or 25% for RDRAND) of the requested
+-     bytes.  */
+-  n_hw = _gcry_rndhw_poll_slow (add, origin, length);
+-  if (length > 1)
+-    length -= n_hw;
+-
+-  /* When using a blocking random generator try to get some entropy
+-   * from the jitter based RNG.  In this case we take up to 50% of the
+-   * remaining requested bytes.  */
+-  if (level >= GCRY_VERY_STRONG_RANDOM)
+-    {
+-      n_hw = _gcry_rndjent_poll (add, origin, length/2);
+-      if (n_hw > length/2)
+-        n_hw = length/2;
++          n = _gcry_rndjent_poll (add, origin, length);
++          if (n == 0)
++            log_fatal ("unexpected error from rndjent: %s\n",
++                       strerror (errno));
++          if (n > length)
++            n = length;
++          if (length > 1)
++            length -= n;
++        }
++    }
++  else
++    {
++      /* First read from a hardware source.  Note that _gcry_rndhw_poll_slow lets
++         it account only for up to 50% (or 25% for RDRAND) of the requested
++         bytes.  */
++      n_hw = _gcry_rndhw_poll_slow (add, origin, length);
+       if (length > 1)
+         length -= n_hw;
+-    }
+ 
++      /* When using a blocking random generator try to get some entropy
++       * from the jitter based RNG.  In this case we take up to 50% of the
++       * remaining requested bytes.  */
++      if (level >= GCRY_VERY_STRONG_RANDOM)
++        {
++          n_hw = _gcry_rndjent_poll (add, origin, length/2);
++          if (n_hw > length/2)
++            n_hw = length/2;
++          if (length > 1)
++            length -= n_hw;
++        }
++    }
+ 
+   /* Open the requested device.  The first time a device is to be
+      opened we fail with a fatal error if the device does not exists.
+@@ -262,8 +279,6 @@ _gcry_rndoldlinux_gather_random (void (*
+           do
+             {
+               nbytes = length < sizeof(buffer)? length : sizeof(buffer);
+-              if (nbytes > 256)
+-                nbytes = 256;
+               _gcry_pre_syscall ();
+               ret = getentropy (buffer, nbytes);
+               _gcry_post_syscall ();
+Index: libgcrypt-1.10.0/random/rndjent.c
+===================================================================
+--- libgcrypt-1.10.0.orig/random/rndjent.c
++++ libgcrypt-1.10.0/random/rndjent.c
+@@ -279,13 +279,24 @@ _gcry_rndjent_poll (void (*add)(const vo
+       if (!jent_rng_is_initialized)
+         {
+           /* Auto-initialize.  */
+-          jent_rng_is_initialized = 1;
+           jent_entropy_collector_free (jent_rng_collector);
+           jent_rng_collector = NULL;
+           if ( !(_gcry_random_read_conf () & RANDOM_CONF_DISABLE_JENT))
+             {
+-              if (!jent_entropy_init ())
+-                jent_rng_collector = jent_entropy_collector_alloc (1, 0);
++              if (!jent_entropy_init_ex (1, 0))
++                {
++                  jent_rng_collector = jent_entropy_collector_alloc (1, 0);
++                  jent_rng_is_initialized = 1;
++                }
++            }
++        }
++
++      if (!jent_rng_collector)
++        {
++          if (!jent_entropy_init_ex (1, 0))
++            {
++               jent_rng_collector = jent_entropy_collector_alloc (1, 0);
++               jent_rng_is_initialized = 1;
+             }
+         }
+ 

libgcrypt-jitterentropy-3.4.0.patch

@@ -0,0 +1,618 @@
+Index: libgcrypt-1.10.0/random/jitterentropy-base.c
+===================================================================
+--- libgcrypt-1.10.0.orig/random/jitterentropy-base.c
++++ libgcrypt-1.10.0/random/jitterentropy-base.c
+@@ -42,7 +42,7 @@
+ 		      * require consumer to be updated (as long as this number
+ 		      * is zero, the API is not considered stable and can
+ 		      * change without a bump of the major version) */
+-#define MINVERSION 3 /* API compatible, ABI may change, functional
++#define MINVERSION 4 /* API compatible, ABI may change, functional
+ 		      * enhancements only, consumer can be left unchanged if
+ 		      * enhancements are not considered */
+ #define PATCHLEVEL 0 /* API / ABI compatible, no functional changes, no
+@@ -200,29 +200,38 @@ ssize_t jent_read_entropy(struct rand_da
+ 			tocopy = (DATA_SIZE_BITS / 8);
+ 		else
+ 			tocopy = len;
+-		memcpy(p, &ec->data, tocopy);
++
++		jent_read_random_block(ec, p, tocopy);
+ 
+ 		len -= tocopy;
+ 		p += tocopy;
+ 	}
+ 
+ 	/*
+-	 * To be on the safe side, we generate one more round of entropy
+-	 * which we do not give out to the caller. That round shall ensure
+-	 * that in case the calling application crashes, memory dumps, pages
+-	 * out, or due to the CPU Jitter RNG lingering in memory for long
+-	 * time without being moved and an attacker cracks the application,
+-	 * all he reads in the entropy pool is a value that is NEVER EVER
+-	 * being used for anything. Thus, he does NOT see the previous value
+-	 * that was returned to the caller for cryptographic purposes.
++	 * Enhanced backtracking support: At this point, the hash state
++	 * contains the digest of the previous Jitter RNG collection round
++	 * which is inserted there by jent_read_random_block with the SHA
++	 * update operation. At the current code location we completed
++	 * one request for a caller and we do not know how long it will
++	 * take until a new request is sent to us. To guarantee enhanced
++	 * backtracking resistance at this point (i.e. ensure that an attacker
++	 * cannot obtain information about prior random numbers we generated),
++	 * but still stirring the hash state with old data the Jitter RNG
++	 * obtains a new message digest from its state and re-inserts it.
++	 * After this operation, the Jitter RNG state is still stirred with
++	 * the old data, but an attacker who gets access to the memory after
++	 * this point cannot deduce the random numbers produced by the
++	 * Jitter RNG prior to this point.
+ 	 */
+ 	/*
+-	 * If we use secured memory, do not use that precaution as the secure
+-	 * memory protects the entropy pool. Moreover, note that using this
+-	 * call reduces the speed of the RNG by up to half
++	 * If we use secured memory, where backtracking support may not be
++	 * needed because the state is protected in a different method,
++	 * it is permissible to drop this support. But strongly weigh the
++	 * pros and cons considering that the SHA3 operation is not that
++	 * expensive.
+ 	 */
+ #ifndef JENT_CPU_JITTERENTROPY_SECURE_MEMORY
+-	jent_random_data(ec);
++	jent_read_random_block(ec, NULL, 0);
+ #endif
+ 
+ err:
+@@ -379,6 +388,7 @@ static struct rand_data
+ *jent_entropy_collector_alloc_internal(unsigned int osr, unsigned int flags)
+ {
+ 	struct rand_data *entropy_collector;
++	uint32_t memsize = 0;
+ 
+ 	/*
+ 	 * Requesting disabling and forcing of internal timer
+@@ -405,7 +415,7 @@ static struct rand_data
+ 		return NULL;
+ 
+ 	if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) {
+-		uint32_t memsize = jent_memsize(flags);
++		memsize = jent_memsize(flags);
+ 
+ 		entropy_collector->mem = _gcry_calloc (1, memsize);
+ 
+@@ -431,13 +441,19 @@ static struct rand_data
+ 		entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS;
+ 	}
+ 
++	if (sha3_alloc(&entropy_collector->hash_state))
++		goto err;
++
++	/* Initialize the hash state */
++	sha3_256_init(entropy_collector->hash_state);
++
+ 	/* verify and set the oversampling rate */
+ 	if (osr < JENT_MIN_OSR)
+ 		osr = JENT_MIN_OSR;
+ 	entropy_collector->osr = osr;
+ 	entropy_collector->flags = flags;
+ 
+-	if (jent_fips_enabled() || (flags & JENT_FORCE_FIPS))
++	if ((flags & JENT_FORCE_FIPS) || jent_fips_enabled())
+ 		entropy_collector->fips_enabled = 1;
+ 
+ 	/* Initialize the APT */
+@@ -469,7 +485,7 @@ static struct rand_data
+ 
+ err:
+ 	if (entropy_collector->mem != NULL)
+-		jent_zfree(entropy_collector->mem, JENT_MEMORY_SIZE);
++		jent_zfree(entropy_collector->mem, memsize);
+ 	jent_zfree(entropy_collector, sizeof(struct rand_data));
+ 	return NULL;
+ }
+@@ -511,6 +527,7 @@ JENT_PRIVATE_STATIC
+ void jent_entropy_collector_free(struct rand_data *entropy_collector)
+ {
+ 	if (entropy_collector != NULL) {
++		sha3_dealloc(entropy_collector->hash_state);
+ 		jent_notime_disable(entropy_collector);
+ 		if (entropy_collector->mem != NULL) {
+ 			jent_zfree(entropy_collector->mem,
+@@ -664,6 +681,7 @@ static inline int jent_entropy_init_comm
+ 	int ret;
+ 
+ 	jent_notime_block_switch();
++	jent_health_cb_block_switch();
+ 
+ 	if (sha3_tester())
+ 		return EHASH;
+@@ -710,6 +728,8 @@ int jent_entropy_init_ex(unsigned int os
+ 	if (ret)
+ 		return ret;
+ 
++	ret = ENOTIME;
++
+ 	/* Test without internal timer unless caller does not want it */
+ 	if (!(flags & JENT_FORCE_INTERNAL_TIMER))
+ 		ret = jent_time_entropy_init(osr,
+@@ -732,3 +752,9 @@ int jent_entropy_switch_notime_impl(stru
+ 	return jent_notime_switch(new_thread);
+ }
+ #endif
++
++JENT_PRIVATE_STATIC
++int jent_set_fips_failure_callback(jent_fips_failure_cb cb)
++{
++	return jent_set_fips_failure_callback_internal(cb);
++}
+Index: libgcrypt-1.10.0/random/jitterentropy-gcd.c
+===================================================================
+--- libgcrypt-1.10.0.orig/random/jitterentropy-gcd.c
++++ libgcrypt-1.10.0/random/jitterentropy-gcd.c
+@@ -113,12 +113,8 @@ int jent_gcd_analyze(uint64_t *delta_his
+ 		goto out;
+ 	}
+ 
+-	/*
+-	 * Ensure that we have variations in the time stamp below 100 for at
+-	 * least 10% of all checks -- on some platforms, the counter increments
+-	 * in multiples of 100, but not always
+-	 */
+-	if (running_gcd >= 100) {
++	/* Set a sensible maximum value. */
++	if (running_gcd >= UINT32_MAX / 2) {
+ 		ret = ECOARSETIME;
+ 		goto out;
+ 	}
+Index: libgcrypt-1.10.0/random/jitterentropy-health.c
+===================================================================
+--- libgcrypt-1.10.0.orig/random/jitterentropy-health.c
++++ libgcrypt-1.10.0/random/jitterentropy-health.c
+@@ -19,9 +19,24 @@
+  * DAMAGE.
+  */
+ 
+-#include "jitterentropy.h"
+ #include "jitterentropy-health.h"
+ 
++static jent_fips_failure_cb fips_cb = NULL;
++static int jent_health_cb_switch_blocked = 0;
++
++void jent_health_cb_block_switch(void)
++{
++	jent_health_cb_switch_blocked = 1;
++}
++
++int jent_set_fips_failure_callback_internal(jent_fips_failure_cb cb)
++{
++	if (jent_health_cb_switch_blocked)
++		return -EAGAIN;
++	fips_cb = cb;
++	return 0;
++}
++
+ /***************************************************************************
+  * Lag Predictor Test
+  *
+@@ -434,5 +449,9 @@ unsigned int jent_health_failure(struct
+ 	if (!ec->fips_enabled)
+ 		return 0;
+ 
++	if (fips_cb && ec->health_failure) {
++		fips_cb(ec, ec->health_failure);
++	}
++
+ 	return ec->health_failure;
+ }
+Index: libgcrypt-1.10.0/random/jitterentropy-health.h
+===================================================================
+--- libgcrypt-1.10.0.orig/random/jitterentropy-health.h
++++ libgcrypt-1.10.0/random/jitterentropy-health.h
+@@ -20,11 +20,16 @@
+ #ifndef JITTERENTROPY_HEALTH_H
+ #define JITTERENTROPY_HEALTH_H
+ 
++#include "jitterentropy.h"
++
+ #ifdef __cplusplus
+ extern "C"
+ {
+ #endif
+ 
++void jent_health_cb_block_switch(void);
++int jent_set_fips_failure_callback_internal(jent_fips_failure_cb cb);
++
+ static inline uint64_t jent_delta(uint64_t prev, uint64_t next)
+ {
+ 	return (next - prev);
+Index: libgcrypt-1.10.0/random/jitterentropy-noise.c
+===================================================================
+--- libgcrypt-1.10.0.orig/random/jitterentropy-noise.c
++++ libgcrypt-1.10.0/random/jitterentropy-noise.c
+@@ -33,7 +33,7 @@
+  * Update of the loop count used for the next round of
+  * an entropy collection.
+  *
+- * @ec [in] entropy collector struct -- may be NULL
++ * @ec [in] entropy collector struct
+  * @bits [in] is the number of low bits of the timer to consider
+  * @min [in] is the number of bits we shift the timer value to the right at
+  *	     the end to make sure we have a guaranteed minimum value
+@@ -61,16 +61,13 @@ static uint64_t jent_loop_shuffle(struct
+ 	 * Mix the current state of the random number into the shuffle
+ 	 * calculation to balance that shuffle a bit more.
+ 	 */
+-	if (ec) {
+-		jent_get_nstime_internal(ec, &time);
+-		time ^= ec->data[0];
+-	}
++	jent_get_nstime_internal(ec, &time);
+ 
+ 	/*
+ 	 * We fold the time value as much as possible to ensure that as many
+ 	 * bits of the time stamp are included as possible.
+ 	 */
+-	for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) {
++	for (i = 0; (((sizeof(time) << 3) + bits - 1) / bits) > i; i++) {
+ 		shuffle ^= time & mask;
+ 		time = time >> bits;
+ 	}
+@@ -91,11 +88,11 @@ static uint64_t jent_loop_shuffle(struct
+  * This function injects the individual bits of the time value into the
+  * entropy pool using a hash.
+  *
+- * @ec [in] entropy collector struct -- may be NULL
+- * @time [in] time stamp to be injected
++ * @ec [in] entropy collector struct
++ * @time [in] time delta to be injected
+  * @loop_cnt [in] if a value not equal to 0 is set, use the given value as
+  *		  number of loops to perform the hash operation
+- * @stuck [in] Is the time stamp identified as stuck?
++ * @stuck [in] Is the time delta identified as stuck?
+  *
+  * Output:
+  * updated hash context
+@@ -104,17 +101,19 @@ static void jent_hash_time(struct rand_d
+ 			   uint64_t loop_cnt, unsigned int stuck)
+ {
+ 	HASH_CTX_ON_STACK(ctx);
+-	uint8_t itermediary[SHA3_256_SIZE_DIGEST];
++	uint8_t intermediary[SHA3_256_SIZE_DIGEST];
+ 	uint64_t j = 0;
+-	uint64_t hash_loop_cnt;
+ #define MAX_HASH_LOOP 3
+ #define MIN_HASH_LOOP 0
+ 
+ 	/* Ensure that macros cannot overflow jent_loop_shuffle() */
+ 	BUILD_BUG_ON((MAX_HASH_LOOP + MIN_HASH_LOOP) > 63);
+-	hash_loop_cnt =
++	uint64_t hash_loop_cnt =
+ 		jent_loop_shuffle(ec, MAX_HASH_LOOP, MIN_HASH_LOOP);
+ 
++	/* Use the memset to shut up valgrind */
++	memset(intermediary, 0, sizeof(intermediary));
++
+ 	sha3_256_init(&ctx);
+ 
+ 	/*
+@@ -125,35 +124,54 @@ static void jent_hash_time(struct rand_d
+ 		hash_loop_cnt = loop_cnt;
+ 
+ 	/*
+-	 * This loop basically slows down the SHA-3 operation depending
+-	 * on the hash_loop_cnt. Each iteration of the loop generates the
+-	 * same result.
++	 * This loop fills a buffer which is injected into the entropy pool.
++	 * The main reason for this loop is to execute something over which we
++	 * can perform a timing measurement. The injection of the resulting
++	 * data into the pool is performed to ensure the result is used and
++	 * the compiler cannot optimize the loop away in case the result is not
++	 * used at all. Yet that data is considered "additional information"
++	 * considering the terminology from SP800-90A without any entropy.
++	 *
++	 * Note, it does not matter which or how much data you inject, we are
++	 * interested in one Keccack1600 compression operation performed with
++	 * the sha3_final.
+ 	 */
+ 	for (j = 0; j < hash_loop_cnt; j++) {
+-		sha3_update(&ctx, ec->data, SHA3_256_SIZE_DIGEST);
+-		sha3_update(&ctx, (uint8_t *)&time, sizeof(uint64_t));
++		sha3_update(&ctx, intermediary, sizeof(intermediary));
++		sha3_update(&ctx, (uint8_t *)&ec->rct_count,
++			    sizeof(ec->rct_count));
++		sha3_update(&ctx, (uint8_t *)&ec->apt_cutoff,
++			    sizeof(ec->apt_cutoff));
++		sha3_update(&ctx, (uint8_t *)&ec->apt_observations,
++			    sizeof(ec->apt_observations));
++		sha3_update(&ctx, (uint8_t *)&ec->apt_count,
++			    sizeof(ec->apt_count));
++		sha3_update(&ctx,(uint8_t *) &ec->apt_base,
++			    sizeof(ec->apt_base));
+ 		sha3_update(&ctx, (uint8_t *)&j, sizeof(uint64_t));
++		sha3_final(&ctx, intermediary);
++	}
+ 
+-		/*
+-		 * If the time stamp is stuck, do not finally insert the value
+-		 * into the entropy pool. Although this operation should not do
+-		 * any harm even when the time stamp has no entropy, SP800-90B
+-		 * requires that any conditioning operation to have an identical
+-		 * amount of input data according to section 3.1.5.
+-		 */
++	/*
++	 * Inject the data from the previous loop into the pool. This data is
++	 * not considered to contain any entropy, but it stirs the pool a bit.
++	 */
++	sha3_update(ec->hash_state, intermediary, sizeof(intermediary));
+ 
+-		/*
+-		 * The sha3_final operations re-initialize the context for the
+-		 * next loop iteration.
+-		 */
+-		if (stuck || (j < hash_loop_cnt - 1))
+-			sha3_final(&ctx, itermediary);
+-		else
+-			sha3_final(&ctx, ec->data);
+-	}
++	/*
++	 * Insert the time stamp into the hash context representing the pool.
++	 *
++	 * If the time stamp is stuck, do not finally insert the value into the
++	 * entropy pool. Although this operation should not do any harm even
++	 * when the time stamp has no entropy, SP800-90B requires that any
++	 * conditioning operation to have an identical amount of input data
++	 * according to section 3.1.5.
++	 */
++	if (!stuck)
++		sha3_update(ec->hash_state, (uint8_t *)&time, sizeof(uint64_t));
+ 
+ 	jent_memset_secure(&ctx, SHA_MAX_CTX_SIZE);
+-	jent_memset_secure(itermediary, sizeof(itermediary));
++	jent_memset_secure(intermediary, sizeof(intermediary));
+ }
+ 
+ #define MAX_ACC_LOOP_BIT 7
+@@ -184,13 +202,12 @@ static inline uint32_t xoshiro128starsta
+ 
+ static void jent_memaccess(struct rand_data *ec, uint64_t loop_cnt)
+ {
+-	uint64_t i = 0;
++	uint64_t i = 0, time = 0;
+ 	union {
+ 		uint32_t u[4];
+ 		uint8_t b[sizeof(uint32_t) * 4];
+ 	} prngState = { .u = {0x8e93eec0, 0xce65608a, 0xa8d46b46, 0xe83cef69} };
+ 	uint32_t addressMask;
+-        uint64_t acc_loop_cnt;
+ 
+ 	if (NULL == ec || NULL == ec->mem)
+ 		return;
+@@ -199,7 +216,7 @@ static void jent_memaccess(struct rand_d
+ 
+ 	/* Ensure that macros cannot overflow jent_loop_shuffle() */
+ 	BUILD_BUG_ON((MAX_ACC_LOOP_BIT + MIN_ACC_LOOP_BIT) > 63);
+-	acc_loop_cnt =
++	uint64_t acc_loop_cnt =
+ 		jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT);
+ 
+ 	/*
+@@ -213,8 +230,10 @@ static void jent_memaccess(struct rand_d
+ 	 * "per-update: timing, it gets you mostly independent "per-update"
+ 	 * timing, so we can now benefit from the Central Limit Theorem!
+ 	 */
+-	for (i = 0; i < sizeof(prngState); i++)
+-		prngState.b[i] ^= ec->data[i];
++	for (i = 0; i < sizeof(prngState); i++) {
++		jent_get_nstime_internal(ec, &time);
++		prngState.b[i] ^= (uint8_t)(time & 0xff);
++	}
+ 
+ 	/*
+ 	 * testing purposes -- allow test app to set the counter, not
+@@ -358,21 +377,21 @@ unsigned int jent_measure_jitter(struct
+ 
+ /**
+  * Generator of one 256 bit random number
+- * Function fills rand_data->data
++ * Function fills rand_data->hash_state
+  *
+  * @ec [in] Reference to entropy collector
+  */
+ void jent_random_data(struct rand_data *ec)
+ {
+-	unsigned int k = 0, safety_factor = ENTROPY_SAFETY_FACTOR;
++	unsigned int k = 0, safety_factor = 0;
+ 
+-	if (!ec->fips_enabled)
+-		safety_factor = 0;
++	if (ec->fips_enabled)
++		safety_factor = ENTROPY_SAFETY_FACTOR;
+ 
+ 	/* priming of the ->prev_time value */
+ 	jent_measure_jitter(ec, 0, NULL);
+ 
+-	while (1) {
++	while (!jent_health_failure(ec)) {
+ 		/* If a stuck measurement is received, repeat measurement */
+ 		if (jent_measure_jitter(ec, 0, NULL))
+ 			continue;
+@@ -385,3 +404,22 @@ void jent_random_data(struct rand_data *
+ 			break;
+ 	}
+ }
++
++void jent_read_random_block(struct rand_data *ec, char *dst, size_t dst_len)
++{
++	uint8_t jent_block[SHA3_256_SIZE_DIGEST];
++
++	BUILD_BUG_ON(SHA3_256_SIZE_DIGEST != (DATA_SIZE_BITS / 8));
++
++	/* The final operation automatically re-initializes the ->hash_state */
++	sha3_final(ec->hash_state, jent_block);
++	if (dst_len)
++		memcpy(dst, jent_block, dst_len);
++
++	/*
++	 * Stir the new state with the data from the old state - the digest
++	 * of the old data is not considered to have entropy.
++	 */
++	sha3_update(ec->hash_state, jent_block, sizeof(jent_block));
++	jent_memset_secure(jent_block, sizeof(jent_block));
++}
+Index: libgcrypt-1.10.0/random/jitterentropy-noise.h
+===================================================================
+--- libgcrypt-1.10.0.orig/random/jitterentropy-noise.h
++++ libgcrypt-1.10.0/random/jitterentropy-noise.h
+@@ -31,6 +31,7 @@ unsigned int jent_measure_jitter(struct
+ 				 uint64_t loop_cnt,
+ 				 uint64_t *ret_current_delta);
+ void jent_random_data(struct rand_data *ec);
++void jent_read_random_block(struct rand_data *ec, char *dst, size_t dst_len);
+ 
+ #ifdef __cplusplus
+ }
+Index: libgcrypt-1.10.0/random/jitterentropy-sha3.c
+===================================================================
+--- libgcrypt-1.10.0.orig/random/jitterentropy-sha3.c
++++ libgcrypt-1.10.0/random/jitterentropy-sha3.c
+@@ -19,6 +19,7 @@
+  */
+ 
+ #include "jitterentropy-sha3.h"
++#include "jitterentropy.h"
+ 
+ /***************************************************************************
+  * Message Digest Implementation
+@@ -380,3 +381,23 @@ int sha3_tester(void)
+ 
+ 	return 0;
+ }
++
++int sha3_alloc(void **hash_state)
++{
++	struct sha_ctx *tmp;
++
++	tmp = jent_zalloc(SHA_MAX_CTX_SIZE);
++	if (!tmp)
++		return 1;
++
++	*hash_state = tmp;
++
++	return 0;
++}
++
++void sha3_dealloc(void *hash_state)
++{
++	struct sha_ctx *ctx = (struct sha_ctx *)hash_state;
++
++	jent_zfree(ctx, SHA_MAX_CTX_SIZE);
++}
+Index: libgcrypt-1.10.0/random/jitterentropy-sha3.h
+===================================================================
+--- libgcrypt-1.10.0.orig/random/jitterentropy-sha3.h
++++ libgcrypt-1.10.0/random/jitterentropy-sha3.h
+@@ -47,6 +47,8 @@ struct sha_ctx {
+ void sha3_256_init(struct sha_ctx *ctx);
+ void sha3_update(struct sha_ctx *ctx, const uint8_t *in, size_t inlen);
+ void sha3_final(struct sha_ctx *ctx, uint8_t *digest);
++int sha3_alloc(void **hash_state);
++void sha3_dealloc(void *hash_state);
+ int sha3_tester(void);
+ 
+ #ifdef __cplusplus
+Index: libgcrypt-1.10.0/random/jitterentropy-timer.c
+===================================================================
+--- libgcrypt-1.10.0.orig/random/jitterentropy-timer.c
++++ libgcrypt-1.10.0/random/jitterentropy-timer.c
+@@ -202,8 +202,8 @@ int jent_notime_enable(struct rand_data
+ 	if (jent_force_internal_timer || (flags & JENT_FORCE_INTERNAL_TIMER)) {
+ 		/* Self test not run yet */
+ 		if (!jent_force_internal_timer &&
+-		    jent_time_entropy_init(flags | JENT_FORCE_INTERNAL_TIMER,
+-					   ec->osr))
++		    jent_time_entropy_init(ec->osr,
++					   flags | JENT_FORCE_INTERNAL_TIMER))
+ 			return EHEALTH;
+ 
+ 		ec->enable_notime = 1;
+Index: libgcrypt-1.10.0/random/jitterentropy.h
+===================================================================
+--- libgcrypt-1.10.0.orig/random/jitterentropy.h
++++ libgcrypt-1.10.0/random/jitterentropy.h
+@@ -49,7 +49,7 @@
+  ***************************************************************************/
+ 
+ /*
+- * Enable timer-less timer support
++ * Enable timer-less timer support with JENT_CONF_ENABLE_INTERNAL_TIMER
+  *
+  * In case the hardware is identified to not provide a high-resolution time
+  * stamp, this option enables a built-in high-resolution time stamp mechanism.
+@@ -166,7 +166,7 @@ struct rand_data
+ 	 * of the RNG are marked as SENSITIVE. A user must not
+ 	 * access that information while the RNG executes its loops to
+ 	 * calculate the next random value. */
+-	uint8_t data[SHA3_256_SIZE_DIGEST]; /* SENSITIVE Actual random number */
++	void *hash_state;		/* SENSITIVE hash state entropy pool */
+ 	uint64_t prev_time;		/* SENSITIVE Previous time stamp */
+ #define DATA_SIZE_BITS (SHA3_256_SIZE_DIGEST_BITS)
+ 
+@@ -378,28 +378,34 @@ int jent_entropy_init(void);
+ JENT_PRIVATE_STATIC
+ int jent_entropy_init_ex(unsigned int osr, unsigned int flags);
+ 
++/*
++ * Set a callback to run on health failure in FIPS mode.
++ * This function will take an action determined by the caller.
++ */
++typedef void (*jent_fips_failure_cb)(struct rand_data *ec,
++				     unsigned int health_failure);
++JENT_PRIVATE_STATIC
++int jent_set_fips_failure_callback(jent_fips_failure_cb cb);
++
+ /* return version number of core library */
+ JENT_PRIVATE_STATIC
+ unsigned int jent_version(void);
+ 
+-#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER
+ /* Set a different thread handling logic for the notimer support */
+ JENT_PRIVATE_STATIC
+ int jent_entropy_switch_notime_impl(struct jent_notime_thread *new_thread);
+-#endif
+ 
+ /* -- END of Main interface functions -- */
+ 
+ /* -- BEGIN timer-less threading support functions to prevent code dupes -- */
+ 
+-struct jent_notime_ctx {
+ #ifdef JENT_CONF_ENABLE_INTERNAL_TIMER
++
++struct jent_notime_ctx {
+ 	pthread_attr_t notime_pthread_attr;	/* pthreads library */
+ 	pthread_t notime_thread_id;		/* pthreads thread ID */
+-#endif
+ };
+ 
+-#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER
+ 
+ JENT_PRIVATE_STATIC
+ int jent_notime_init(void **ctx);
+Index: libgcrypt-1.10.0/random/jitterentropy-base-user.h
+===================================================================
+--- libgcrypt-1.10.0.orig/random/jitterentropy-base-user.h
++++ libgcrypt-1.10.0/random/jitterentropy-base-user.h
+@@ -213,12 +213,12 @@ static inline void jent_get_cachesize(lo
+ 		ext = strstr(buf, "K");
+ 		if (ext) {
+ 			shift = 10;
+-			ext = '\0';
++			*ext = '\0';
+ 		} else {
+ 			ext = strstr(buf, "M");
+ 			if (ext) {
+ 				shift = 20;
+-				ext = '\0';
++				*ext = '\0';
+ 			}
+ 		}
+ 

libgcrypt-nobetasuffix.patch

@@ -0,0 +1,24 @@
+Index: libgcrypt-1.10.2/autogen.sh
+===================================================================
+--- libgcrypt-1.10.2.orig/autogen.sh
++++ libgcrypt-1.10.2/autogen.sh
+@@ -249,7 +249,7 @@ if [ "$myhost" = "find-version" ]; then
+     fi
+ 
+     beta=no
+-    if [ -e .git ]; then
++    if false; then
+       ingit=yes
+       tmp=$(git describe --match "${matchstr1}" --long 2>/dev/null)
+       tmp=$(echo "$tmp" | sed s/^"$package"//)
+@@ -265,8 +265,8 @@ if [ "$myhost" = "find-version" ]; then
+       rvd=$((0x$(echo ${rev} | dd bs=1 count=4 2>/dev/null)))
+     else
+       ingit=no
+-      beta=yes
+-      tmp="-unknown"
++      beta=no
++      tmp=""
+       rev="0000000"
+       rvd="0"
+     fi

libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch

@@ -0,0 +1,76 @@
+commit 2c5e5ab6843d747c4b877d2c6f47226f61e9ff14
+Author: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date:   Sun Jun 12 21:51:34 2022 +0300
+
+    ppc enable P10 assembly with ENABLE_FORCE_SOFT_HWFEATURES on arch 3.00
+    
+    * cipher/chacha20.c (chacha20_do_setkey) [USE_PPC_VEC]: Enable
+    P10 assembly for HWF_PPC_ARCH_3_00 if ENABLE_FORCE_SOFT_HWFEATURES is
+    defined.
+    * cipher/poly1305.c (poly1305_init) [POLY1305_USE_PPC_VEC]: Likewise.
+    * cipher/rijndael.c (do_setkey) [USE_PPC_CRYPTO_WITH_PPC9LE]: Likewise.
+    ---
+    
+    This change allows testing P10 implementations with P9 and with QEMU-PPC.
+    
+    GnuPG-bug-id: 6006
+    Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+
+Index: libgcrypt-1.10.2/cipher/chacha20.c
+===================================================================
+--- libgcrypt-1.10.2.orig/cipher/chacha20.c
++++ libgcrypt-1.10.2/cipher/chacha20.c
+@@ -484,6 +484,11 @@ chacha20_do_setkey (CHACHA20_context_t *
+   ctx->use_ppc = (features & HWF_PPC_ARCH_2_07) != 0;
+ # ifndef WORDS_BIGENDIAN
+   ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0;
++#  ifdef ENABLE_FORCE_SOFT_HWFEATURES
++  /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10.
++   * Actual implementation works with HWF_PPC_ARCH_3_00 also. */
++  ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0;
++#  endif
+ # endif
+ #endif
+ #ifdef USE_S390X_VX
+Index: libgcrypt-1.10.2/cipher/poly1305.c
+===================================================================
+--- libgcrypt-1.10.2.orig/cipher/poly1305.c
++++ libgcrypt-1.10.2/cipher/poly1305.c
+@@ -90,11 +90,19 @@ static void poly1305_init (poly1305_cont
+ 			   const byte key[POLY1305_KEYLEN])
+ {
+   POLY1305_STATE *st = &ctx->state;
++  unsigned int features = _gcry_get_hw_features ();
+ 
+ #ifdef POLY1305_USE_PPC_VEC
+-  ctx->use_p10 = (_gcry_get_hw_features () & HWF_PPC_ARCH_3_10) != 0;
++  ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0;
++# ifdef ENABLE_FORCE_SOFT_HWFEATURES
++  /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10.
++   * Actual implementation works with HWF_PPC_ARCH_3_00 also. */
++  ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0;
++# endif
+ #endif
+ 
++  (void)features;
++
+   ctx->leftover = 0;
+ 
+   st->h[0] = 0;
+Index: libgcrypt-1.10.2/cipher/rijndael.c
+===================================================================
+--- libgcrypt-1.10.2.orig/cipher/rijndael.c
++++ libgcrypt-1.10.2/cipher/rijndael.c
+@@ -605,6 +605,12 @@ do_setkey (RIJNDAEL_context *ctx, const
+       bulk_ops->xts_crypt = _gcry_aes_ppc9le_xts_crypt;
+       if (hwfeatures & HWF_PPC_ARCH_3_10)  /* for P10 */
+         bulk_ops->gcm_crypt = _gcry_aes_p10le_gcm_crypt;
++# ifdef ENABLE_FORCE_SOFT_HWFEATURES
++      /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10.
++       * Actual implementation works with HWF_PPC_ARCH_3_00 also. */
++      if (hwfeatures & HWF_PPC_ARCH_3_00)
++        bulk_ops->gcm_crypt = _gcry_aes_p10le_gcm_crypt;
++# endif
+     }
+ #endif
+ #ifdef USE_PPC_CRYPTO

libgcrypt.keyring

@@ -0,0 +1,86 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBFjLuq4BDACnM7zNSIaVMAacTwjXa5TGYe13i6ilHe4VL0NShzrgzjcQg531
+3cRgiiiNA7OSOypMqVs73Jez6ZUctn2GVsHBrS/io9NcuC9pVwf8a61WlcEa+EtB
+a3G7HlBmEWnwaUdAtWKNuAi9Xn+Ir7H2xEdksmmd5a0/QnL+sX705boVPF/tpYtb
+LGpPxa78tNrtxDkSwy8Wmi0IADYLI5yI7/yUGeJd8RSCU/fLRKC9fG7YOZRq0tsO
+MhVNWmtUjbG6e73Lu8LKnCZgs1/fC8hvPyARieSV5mdN8s1oWd7oYctfgL4uBleD
+ItAA8GhjKejutzHN8Ei/APw6AiiSyEjnPg+cTX8OgvLGJWjks0H6mPZeB1v/kGyZ
+hBS9vm540h2/MmlVN2ntiCK5TZGeSWpqddiqusfVXotMRpN4HeLKoZh4RAncaCbZ
+F/S+YLeN+kMXY4k3Fqt1fjTX6veFCbthI9pDdHzU9LfUVNp9D/5ktC/tYMORMegV
++wSMxi9G2YWKJkMAEQEAAYkBzgQfAQgAOBYhBFuAxXVCmPDLVdjtarzvfilLCS4o
+BQJYy8DdFwyAAZSlyaA8L+XKOwldjh/fcjz0YraxAgcAAAoJELzvfilLCS4oNgoL
+/0+K1xIx8JW7Lk5M6bYCvNA4fdlEcwQIT4UidJFM9m+suxYFWIGfebvHpRlEuJTg
+dBjkEit8uLAoJXU0BRkKTLrzTF+qDUE79Wfx/R+0nOgJ7aMykQOi0AvuwzMYz4dg
+xIVS2Daou4DF7bh/KF8+fqrmq8P8W1ZrkuFDanMWpHeAPx1uj2skYbo7uPqFdvlJ
+hlNHrcxlcCkjf1InAt0Xt5lMvEsCRUPf9xAH4mNEhs0lh9c+200YPRmtnLWAzc1K
+ckLIC8Q+mUR3DjZDqBlDBEPegXkrI0+MlvRA+9AnAm4YPqTMUfpZ6ZOAWeFjC/6Z
+QYxG/AdWGkb4WFindzklQfybEuiekP8vU07ACQwSwH8PYe0UCom1YrlRUjX7QLkn
+ZLWoeZg8BZy9GTM1Ut7Q1Q2uTw6mxxISuef+RFgYOHjWwLpFWZpqC88xERl7o/iz
+iERJRt/593IctbjO9wenWt2peIAwzR4nz7LqM6ZFTdRAETmcdSvYRhg2Qt8hUE47
+CbQkQW5kcmUgSGVpbmVja2UgKFJlbGVhc2UgU2lnbmluZyBLZXkpiQHUBBMBCAA+
+FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLuq4CGwMFCRLMAwAFCwkIBwIGFQgJ
+CgsCBBYCAwECHgECF4AACgkQvO9+KUsJLihC/QwAhCC+SEvcFLcutgZ8HfcCtoZs
+IoVzZEy7DjqIvGgnTssD8HCLnIAHCDvnP7dJW3uMuLCdSqym3cjlEIiQMsaGywkl
+fzJISAwJrGQdWSKRd535jXpEXQlXDKal/IwMKAUt0PZtlCc9S3gwixQryxdJ28lJ
+6h2T9fVDr8ZswMmTAFG91uctfhjKOMgPt8UhSPGW484WsIsQgkbOvf+Kfswl0eHu
+ywX+pKAB5ZQ/9GVC6Ug4xfrdiJL0azJTPnvjMY5JYp6/L9RURs5hP5AnHR2j/PPo
+sAtsFCjmbRbOMiASzklnUJPbSz5kfLloDWZmrUScjbzmsXehGyt433JGyRhZJl4x
+/jPbzKhaaAHsGd+fRao6vlLOwFywDDVMp6JuyK7UeUb7I8ekTbSkGFA+l2Oa3O6/
+Y7PYhq7hwwAFuZckYI98IpHNCG1fS9W07FyKdvQbK1PbF1JFRKfsUCWYMKqDnbqE
+o5jivPEHZImw6iYhhXcyEYl8fjcb9T6/S+wOP7aviQGzBBABCAAdFiEElKXJoDwv
+5co7CV2OH99yPPRitrEFAljLv5sACgkQH99yPPRitrFw4gv/XFMFN+/LHsn9hJOP
+4rCwl1yUuxXuYmZgc0sRoY3EpeQkJVyKurQuqqKoy2VuoMiF0O1kAQmGoFtVPUk7
+b8hCoutqB5GyeyKcoLP+WINgVhB2gXg7TSp3MPLBKkgqvSDvPitgRxBqFb4LW8LJ
+bDbfwGrzIvXfDV3WvsrHVPbc2fhlWdL8d+3AE6mFiXF3eTpgmV3ApSBQV12MkkCk
+icLIPmp+ZxZON+OP52ZXkRtfMgOy4Oa/41agrViDAZdMOGeGkhPertQheQZgXzmo
+GF5Wz498HPM80Kv35X91l3iGzL+icEtO+tWea2YscsZ6qpRe2lfVPHk3B+anlmCj
+m4kM4cBd39xa4HHSVh/bRHbZNtgVr7slQCKxlHgQOGVI5vCxPCwEsgJ2KBk03Nk/
+IA9EKO+czfh3/bHW6uMbEqrYDCnt+hmzZrpKDSGcwS/KOhvMUIMlb7/8vDKum6mp
+/8xAtVZ6IAxYZNt3qg7Y7aLRtzCTyqm8rJQrZPtRaQcgLoEimDMEX0PliRYJKwYB
+BAHaRw8BAQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6WMBAmNpe0H1dlcm5l
+ciBLb2NoIChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYhBG2qbmSnbShAVxtJ
+AlKIl7gmQDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe
+BwIXgAAKCRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJLs4bnaZaPIk9ARrU0
+EXRgJgD/YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5CjgaIbQQQEQsAHRYh
+BIBhWHD1utaQMzaG0PKthaweQrNnBQJfQ/HmAAoJEPKthaweQrNnIZkA3jG6LcZv
+V/URn8Y8OJqsyYa4C3NI4nN+OhEvYhgA4PHzMnALeXIpA2gblvjFIPJPAhDBAU37
+c5PA6+6IdQQQFggAHRYhBK6oTtzwGthsRwHIXGMROuhmWH0KBQJfQ/IlAAoJEGMR
+OuhmWH0K1+MA/0uJ5AHcnSfIBEWHNJwwVVLGyrxAWtS2U+zeymp/UvlPAQDErCLZ
+l0dBiPG3vlowFx5TNep7tanBs6ZJn8F1ao1tAIkBMwQQAQgAHRYhBNhpISPEBl3q
+Xg86tSSbOdJPJeO2BQJfQ/OuAAoJECSbOdJPJeO2DVoH/0o9if66ph6FJrgr+A/W
+HNVeHxmM5tUQhpL1wpRS70SKcsJgolf5CxO5iTQf3HlZe544xGbIU/aCTJsWw9zi
+UE8KmhAtKV4eL/7oQ7xx4nxPnABLpudtM8A44nsM1x/XiYrJnnDm29QjYEGd2Hi8
+7npc7VWKzLoj+I/WcXquynJi5O9TUxW9Bknd1pjpxFkf8v+msjBzCD5VKJgr0CR8
+wA6peQBWeGZX2HacosMIZH4TfL0r0TFla6LJIkNBz9DyIm1yL4L8oRH0950hQljP
+C7TM3L7aRpX+4Kph6llFz6g7MALGFP95kyJ6o+XED9ORuuQVZMBMIkNC0tXOu10V
+bdqIdQQQFgoAHRYhBMHTS2khnkruwLocIeP9/yGORbcrBQJfQ/P8AAoJEOP9/yGO
+Rbcr3lQBAMas8Vl3Hdl3g2I283lz1uHiGvlwcnk2TLeB+U4zIwC9AQCy0nnazVNt
+VQPID1ZCMoaOX7AzOjaqQDLf4j+dVTxgBJgzBGCkgocWCSsGAQQB2kcPAQEHQJmd
+fwp8jEN5P3eEjhQiWk6zQi8utvgOvYD57XmE+H8+tCBOaWliZSBZdXRha2EgKEdu
+dVBHIFJlbGVhc2UgS2V5KYiaBBMWCgBCFiEErI4RW/c+LY1H+pkI6Y6bLRnGyL0F
+AmCkgocCGwMFCQsNBpkFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEOmO
+my0Zxsi9/4IA/1rvSr3MU+Sv4jhNDzD+CeC3gmHkPew6pi9VHEsEwdgmAQD2BtiX
+7w1sJL/CBylGWv5jxj4345mP9YfZm0RsgzPjDIh1BBAWCAAdFiEEJJyzdxdQdF1c
+3TI84mewUjZPAo0FAmFAQ54ACgkQ4mewUjZPAo1CiAD+KTT1UVdQTGHMyvHwZocS
+QjU8xhcZrTet+dvvjrE5+4MA/RBdJPZgFevUKu68NEy0Lo+RbkeCtmQJ/c8v5ieF
+vW0AiQEzBBABCAAdFiEEEkEkvTtIYq96CkLxALRevUynur4FAmFAQ7cACgkQALRe
+vUynur4kaAgAolPR8TNWVS0vXMKrr0k0l2M/8QkZTaLZx1GT9Nx1yb4WJKY7ElPM
+YkhGDxetvFBETx0pH/6R3jtj6Crmur+NKHVSRY+rCYpFPDn6ciIOryssRx2G4kCZ
+t+nFB9JyDbBOZAR8DK4pN1mAxG/yLDt4oKcUQsP2xlEFum+phxyR8KyYCpkwKRxY
+eK+6lfilQuveoUwp/Xx5wXPNUy6q4eOOovCW7gS7I7288NGHCa2ul8sD6vA9C4mM
+4Zxaole9P9wwJe1zZFtCIy88zHM9vqv+YM9DxMCaW24+rUztr7eD4bCRdG+QlSh+
+7R/TaqSxY1eAAd1J5tma9CNJO73pTKU+/JhTBGFpSqMTCSskAwMCCAEBBwIDBF6X
+D9NmUQDgiyYNbhs1DMJ14mIw812wY1HVx/4QWYWiBunhrvSFxVbzsjD7/Wv+v3bm
+MPrL+M2DLyFiSewNmcS0JEdudVBHLmNvbSAoUmVsZWFzZSBTaWduaW5nIEtleSAy
+MDIxKYiaBBMTCABCFiEEAvON/3Mf+XywOaHaVJ5pXpBboggFAmFpSqMCGwMFCQ9x
+14oFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFSeaV6QW6IITkoA/RYa
+jaTl1eEBU/Gdm12o3jrI55N5xZK2XTqSx25clVyjAP0XwMW/Og5+ND1ri3bAqADV
+WlBDUswz8wYxsb0C4kYBkoh1BBAWCgAdFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoF
+AmFpTvEACgkQUoiXuCZAOtrJQAEAh7YyykjAy/Qs1yC3ji8iBfIVnPXvblrIx3SR
+RyDwRC8BAKtZbEuKTtPlgkLUgMleTcZJ/vEhJE+GvfQ9o5gWCqEFiHUEEBYKAB0W
+IQTB00tpIZ5K7sC6HCHj/f8hjkW3KwUCYWlPWgAKCRDj/f8hjkW3Kx4eAQDp6aGS
+N/fU4xLl8RSvQUVjVA+aCTrMQR3hRwqw8liF2wEA3O3ECxz6e1+DoItYoJBBLKLw
+eiInsGZ/+h5XYrpXTgA=
+=4+Sn
+-----END PGP PUBLIC KEY BLOCK-----

libgcrypt.spec

@@ -0,0 +1,186 @@
+#
+# spec file for package libgcrypt
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%define libsover 20
+%define libsoname %{name}%{libsover}
+%define hmac_key orboDeJITITejsirpADONivirpUkvarP
+Name:           libgcrypt
+Version:        1.10.3
+Release:        0
+Summary:        The GNU Crypto Library
+License:        GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
+Group:          Development/Libraries/C and C++
+URL:            https://gnupg.org/software/libgcrypt
+Source:         https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2
+Source1:        https://gnupg.org/ftp/gcrypt/libgcrypt/%{name}-%{version}.tar.bz2.sig
+Source2:        baselibs.conf
+Source3:        random.conf
+Source4:        hwf.deny
+# https://gnupg.org/signature_key.asc
+Source5:        libgcrypt.keyring
+Source99:       libgcrypt.changes
+Patch1:         libgcrypt-1.10.0-allow_FSM_same_state.patch
+#PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run
+Patch2:         libgcrypt-nobetasuffix.patch
+# FIPS patches:
+#PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK
+Patch100:       libgcrypt-FIPS-SLI-pk.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS: Check keylength in gcry_fips_indicator_kdf()
+Patch101:       libgcrypt-FIPS-SLI-kdf-leylength.patch
+#PATCH-FIX-SUSE bsc#1190700 FIPS add indicators
+Patch102:       libgcrypt-FIPS-SLI-hash-mac.patch
+#PATCH-FIX-SUSE bsc#1202117 jsc#SLE-24941 FIPS: Port libgcrypt to use jitterentropy
+Patch103:       libgcrypt-jitterentropy-3.4.0.patch
+#PATCH-FIX-SUSE bsc#1202117 FIPS: Get most of the entropy from rndjent_poll
+Patch104:       libgcrypt-FIPS-rndjent_poll.patch
+# POWER patches [jsc#PED-5088] POWER performance enhancements for cryptography
+Patch200:       libgcrypt-Chacha20-poly1305-Optimized-chacha20-poly1305.patch
+Patch201:       libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch
+BuildRequires:  automake >= 1.14
+BuildRequires:  libgpg-error-devel >= 1.27
+BuildRequires:  libtool
+BuildRequires:  makeinfo
+BuildRequires:  pkgconfig
+%{?suse_build_hwcaps_libs}
+
+%description
+Libgcrypt is a general purpose library of cryptographic building
+blocks.  It is originally based on code used by GnuPG.  It does not
+provide any implementation of OpenPGP or other protocols.  Thorough
+understanding of applied cryptography is required to use Libgcrypt.
+
+%package -n %{libsoname}
+Summary:        The GNU Crypto Library
+License:        GPL-2.0-or-later AND LGPL-2.1-or-later
+Group:          System/Libraries
+Provides:       %{libsoname}-hmac = %{version}-%{release}
+Obsoletes:      %{libsoname}-hmac < %{version}-%{release}
+
+%description -n %{libsoname}
+Libgcrypt is a general purpose crypto library based on the code used in
+GnuPG (alpha version).
+
+%package devel
+Summary:        The GNU Crypto Library
+License:        GFDL-1.1-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
+Group:          Development/Libraries/C and C++
+Requires:       %{libsoname} = %{version}
+Requires:       glibc-devel
+Requires:       libgpg-error-devel >= 1.27
+
+%description devel
+Libgcrypt is a general purpose library of cryptographic building
+blocks.  It is originally based on code used by GnuPG.  It does not
+provide any implementation of OpenPGP or other protocols.  Thorough
+understanding of applied cryptography is required to use Libgcrypt.
+
+This package contains needed files to compile and link against the
+library.
+
+%prep
+%autosetup -p1
+
+# Rename the internal .hmac file to include the so library version
+sed -i "s/libgcrypt\.so\.hmac/\.libgcrypt\.so\.%{libsover}\.hmac/g" src/Makefile.am src/Makefile.in
+
+%build
+export PUBKEYS="dsa elgamal rsa ecc"
+export CIPHERS="arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20 sm4"
+export DIGESTS="crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2 sm3"
+export KDFS="s2k pkdf2 scrypt"
+
+autoreconf -fi
+date=$(date -u '+%%Y-%%m-%%dT%%H:%%M+0000' -r %{SOURCE99})
+sed -e "s,BUILD_TIMESTAMP=.*,BUILD_TIMESTAMP=$date," -i configure
+export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
+%configure \
+           --with-fips-module-version="Libgcrypt version %{version}-%{release}" \
+           --enable-hmac-binary-check="%{hmac_key}" \
+           --enable-ciphers="$CIPHERS" \
+           --enable-pubkey-ciphers="$PUBKEYS" \
+           --enable-digests="$DIGESTS" \
+           --enable-kdfs="$KDFS" \
+           --enable-noexecstack \
+           --disable-static \
+           --enable-m-guard \
+%ifarch %{sparc}
+           --disable-asm \
+%endif
+           --enable-random=getentropy \
+           %{nil}
+
+%make_build
+
+%check
+make -k check
+# run the regression tests also in FIPS mode
+LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
+
+%install
+%make_install
+
+# this is a hack that re-defines the __spec_install_post macro
+# for a simple reason: the macro strips the binaries and thereby
+# invalidates a HMAC that may have been created earlier.
+# solution: create the hashes _after_ the macro runs.
+
+%define libpath %{buildroot}%{_libdir}/libgcrypt.so.%{libsover}.?.?
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    cd src \
+    sed -i -e 's|FILE=.*|FILE=\\\$1|' gen-note-integrity.sh \
+    READELF=readelf AWK=awk ECHO_N="-n" bash gen-note-integrity.sh %{libpath} > %{libpath}.hmac \
+    objcopy --update-section .note.fdo.integrity=%{libpath}.hmac %{libpath} %{libpath}.new \
+    mv -f %{libpath}.new %{libpath} \
+    rm -f %{libpath}.hmac \
+%{nil}
+
+rm %{buildroot}%{_libdir}/%{name}.la
+
+# Create /etc/gcrypt directory and install random.conf
+mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt
+install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/gcrypt/random.conf
+install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/gcrypt/hwf.deny
+
+%post -n %{libsoname} -p /sbin/ldconfig
+%postun -n %{libsoname} -p /sbin/ldconfig
+
+%files -n %{libsoname}
+%license COPYING COPYING.LIB LICENSES
+%doc AUTHORS ChangeLog NEWS README THANKS TODO
+%{_libdir}/%{name}.so.*
+%dir %{_sysconfdir}/gcrypt
+%config(noreplace) %{_sysconfdir}/gcrypt/random.conf
+%config(noreplace) %{_sysconfdir}/gcrypt/hwf.deny
+
+%files devel
+%license COPYING COPYING.LIB LICENSES
+%{_bindir}/dumpsexp
+%{_bindir}/hmac256
+%{_bindir}/mpicalc
+%{_bindir}/%{name}-config
+%{_libdir}/%{name}.so
+%{_libdir}/pkgconfig/libgcrypt.pc
+%{_datadir}/aclocal/%{name}.m4
+%{_includedir}/gcrypt*.h
+%{_infodir}/gcrypt.info*%{ext_info}*
+%{_mandir}/man1/*
+
+%changelog

random.conf

@@ -0,0 +1,9 @@
+# This file can be used to globally change parameters of
+# the random generator. Supported options are:
+
+# Always use the non-blocking /dev/urandom or the respective
+# system call instead of the blocking /dev/random.
+# only-urandom
+
+# Disable the use of the jitter based entropy generator.
+# disable-jent