please stage with a link of GNUTLS to see if it works now
- Update to version 1.4.0
* fix: ensure that LTO is supported (by Simo Sorce)
* fix: add LTO regression testing (by Ondrej Mosnacek)
* enhancement: add sm3sum, sm3hmac tools, add APIs kcapi_md_sm3, kcapi_md_hmac_sm3
* enhancement: add SM4 convenience functions
* fix: support AEAD encryption of arbitrary size with kcapi-enc
- removed libkcapi-fix-lto.patch (upstream)
- use https url
- Update to version 1.3.1
* fix: fix -Wconversion warnings (by Ondrej Mosnacek)
* fix: fix bad data types in _kcapi_common_send_meta (by Ondrej Mosnacek)
* fix: Version symbols to maintain ABI compatibility (by Simo Sorce)
* fix: disable io_getevents on systems that do not support it (by Khem Raj)
* fix: remove prctl PR_SET_DUMPABLE to allow library to be debugged - as the
library does not store any sensitive data in data structures it owns, such
security precautions may not be necessary considering the benefit of
allowing regular debugging
* fix: ensure that sendmsg is always used as fallback when vmsplice cannot be
used
* enhancement: add kcapi_set_maxsplicesize and kcapi_get_maxsplicesize
* enhancement: the variable types are changed from int32_t to ssize_t and
from uint32_t to size_t to match common POSIX and Linux APIs
- Added libkcapi-fix-lto.patch
OBS-URL: https://build.opensuse.org/request/show/972887
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libkcapi?expand=0&rev=8
- Update to version 1.3.1
* fix: fix -Wconversion warnings (by Ondrej Mosnacek)
* fix: fix bad data types in _kcapi_common_send_meta (by Ondrej Mosnacek)
* fix: Version symbols to maintain ABI compatibility (by Simo Sorce)
* fix: disable io_getevents on systems that do not support it (by Khem Raj)
* fix: remove prctl PR_SET_DUMPABLE to allow library to be debugged - as the
library does not store any sensitive data in data structures it owns, such
security precautions may not be necessary considering the benefit of
allowing regular debugging
* fix: ensure that sendmsg is always used as fallback when vmsplice cannot be
used
* enhancement: add kcapi_set_maxsplicesize and kcapi_get_maxsplicesize
* enhancement: the variable types are changed from int32_t to ssize_t and
from uint32_t to size_t to match common POSIX and Linux APIs
- Added libkcapi-fix-lto.patch
OBS-URL: https://build.opensuse.org/request/show/908535
OBS-URL: https://build.opensuse.org/package/show/security/libkcapi?expand=0&rev=37
- update to 1.2.0:
* enhancement: kcapi-hasher: add madvise and 64 bit support by Brandur Simonsen
* fix: fix clang warnding in KDF implementation by Khem Raj
* fix: fix inverted logic in kcapi-main test logic reported by Ondrej Mosnáček
* fix: return error when iteration count is zero for PBKDF as reported by
Guido Vranken
* enhancement: add function kcapi_cipher_stream_update_last to indicate the
last block of a symmetric cipher stream operation
* disable XTS multithreaded tests as it triggers a race discussed in
https://github.com/smuellerDD/libkcapi/issues/92. The conclusion is
the following: xts(aes) doesn't support chaining requests like for other
ciphers such as CBC (at least as implemented in the kernel Crypto API).
That can be seen in `crypto/testmgr.h` - the ciphers that are expected to
return IVs usable for chaining have the `.iv_out` entries filled in in their
test vectors (and those that don't support it do not). One can see that only
CTR and CBC test vectors have them, not XTS.
Looking again at how XTS is defined, it seems one could implement
transparent chaining by simply decrypting the final tweak using the tweak
key and return it as the output IV... but I believe this has never been
mandated nor implemented in the Crypto API (likely because of the overhead
of the final tweak decryption, which would be pointless if you're not going
to use the output IV - and there is currently no way to signal to the driver
that you are going to need it).
* disable AIO parallel tests due to undefined behavior (forwarded request 830821 from dirkmueller)
OBS-URL: https://build.opensuse.org/request/show/831601
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libkcapi?expand=0&rev=7
- update to 1.2.0:
* enhancement: kcapi-hasher: add madvise and 64 bit support by Brandur Simonsen
* fix: fix clang warnding in KDF implementation by Khem Raj
* fix: fix inverted logic in kcapi-main test logic reported by Ondrej Mosnáček
* fix: return error when iteration count is zero for PBKDF as reported by
Guido Vranken
* enhancement: add function kcapi_cipher_stream_update_last to indicate the
last block of a symmetric cipher stream operation
* disable XTS multithreaded tests as it triggers a race discussed in
https://github.com/smuellerDD/libkcapi/issues/92. The conclusion is
the following: xts(aes) doesn't support chaining requests like for other
ciphers such as CBC (at least as implemented in the kernel Crypto API).
That can be seen in `crypto/testmgr.h` - the ciphers that are expected to
return IVs usable for chaining have the `.iv_out` entries filled in in their
test vectors (and those that don't support it do not). One can see that only
CTR and CBC test vectors have them, not XTS.
Looking again at how XTS is defined, it seems one could implement
transparent chaining by simply decrypting the final tweak using the tweak
key and return it as the output IV... but I believe this has never been
mandated nor implemented in the Crypto API (likely because of the overhead
of the final tweak decryption, which would be pointless if you're not going
to use the output IV - and there is currently no way to signal to the driver
that you are going to need it).
* disable AIO parallel tests due to undefined behavior
OBS-URL: https://build.opensuse.org/request/show/830821
OBS-URL: https://build.opensuse.org/package/show/security/libkcapi?expand=0&rev=35
- updated to 1.1.5:
- Fix invocation of ansi_cprng in FIPS mode during testing
- Fix testing on kernels >= 5.0
- Add virtualization test for kernel 5.1
- Fix the limit between vmsplice() and sendmsg() by Christophe Leroy
- Fix remove code duplication by Ondrej MosnáÄek
- Fix potential memleak in speed-test
- updated to 1.1.4:
- Fix: use sendmsg when processing more than 1<<16 bytes input data which improves performance on some architectures
- updated to 1.1.3:
- Fix: default location of FIPS 140-2 HMAC control file is .<orig file>.hmac (was accidentally moved to <orig file>.hmac with 1.1.0)
- updated to 1.1.2:
- Fix: Bug fixes for GCC 8.1.0 regarding string length checks by Krzysztof Kozlowski
- Enhancement: ensure that tests execute on architectures other than X86 by Ondrej MosnáÄek
- Fix: Bug fix to initialize FDs at the correct time in kcapi-kernel-if.c by Ondrej MosnáÄek
- Test fix: Support test execution outside build environment by Ondrej MosnáÄek
- updated to 1.1.1:
- Fix: Bug fixes for kcapi_hasher by Ondrej MosnáÄek
- updated to 1.1.0:
- API Enhancement: Addition of kcapi_handle_reinit
- Fix: simplify code by removing the internal *_fd functions from kcapi-kernel-if.c
- Test enhancement: add IIV speed testing
- Fix: add a loop around the read system call to always obtain all generated data
- Fix: use host compiler for compiling docproc (reported by Christophe LEROY, fixed by Björn Esser)
- Fix: make error handling of hashing applications consistent with coreutils applications (reported by Christophe LEROY)
- Fix: support for zero length files (patched by Ondrej MosnáÄek)
- Fix: support for zero message hashes on kernels <= 4.9 (patched by Ondrej MosnáÄek)
- Fix: Add Travis CI test system provided by Ondrej MosnáÄek
- Fix: Add several fixes to kcapi-hasher by Ondrej MosnáÄek
- Fix: Add additional tests for kcapi-hasher by Ondrej MosnáÄek
OBS-URL: https://build.opensuse.org/request/show/788020
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libkcapi?expand=0&rev=6
- updated to 1.1.5:
- Fix invocation of ansi_cprng in FIPS mode during testing
- Fix testing on kernels >= 5.0
- Add virtualization test for kernel 5.1
- Fix the limit between vmsplice() and sendmsg() by Christophe Leroy
- Fix remove code duplication by Ondrej MosnáÄek
- Fix potential memleak in speed-test
- updated to 1.1.4:
- Fix: use sendmsg when processing more than 1<<16 bytes input data which improves performance on some architectures
- updated to 1.1.3:
- Fix: default location of FIPS 140-2 HMAC control file is .<orig file>.hmac (was accidentally moved to <orig file>.hmac with 1.1.0)
- updated to 1.1.2:
- Fix: Bug fixes for GCC 8.1.0 regarding string length checks by Krzysztof Kozlowski
- Enhancement: ensure that tests execute on architectures other than X86 by Ondrej MosnáÄek
- Fix: Bug fix to initialize FDs at the correct time in kcapi-kernel-if.c by Ondrej MosnáÄek
- Test fix: Support test execution outside build environment by Ondrej MosnáÄek
- updated to 1.1.1:
- Fix: Bug fixes for kcapi_hasher by Ondrej MosnáÄek
- updated to 1.1.0:
- API Enhancement: Addition of kcapi_handle_reinit
- Fix: simplify code by removing the internal *_fd functions from kcapi-kernel-if.c
- Test enhancement: add IIV speed testing
- Fix: add a loop around the read system call to always obtain all generated data
- Fix: use host compiler for compiling docproc (reported by Christophe LEROY, fixed by Björn Esser)
- Fix: make error handling of hashing applications consistent with coreutils applications (reported by Christophe LEROY)
- Fix: support for zero length files (patched by Ondrej MosnáÄek)
- Fix: support for zero message hashes on kernels <= 4.9 (patched by Ondrej MosnáÄek)
- Fix: Add Travis CI test system provided by Ondrej MosnáÄek
- Fix: Add several fixes to kcapi-hasher by Ondrej MosnáÄek
- Fix: Add additional tests for kcapi-hasher by Ondrej MosnáÄek
OBS-URL: https://build.opensuse.org/request/show/765261
OBS-URL: https://build.opensuse.org/package/show/security/libkcapi?expand=0&rev=20
