Accepting request 1299109 from devel:libraries:c_c++

libgcrypt 1.11.2 (forwarded request 1298440 from AndreasStieger)

OBS-URL: https://build.opensuse.org/request/show/1299109
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libgcrypt?expand=0&rev=110

libgcrypt-1.11.1-public-SLI-API.patch

@@ -0,0 +1,37 @@
+Index: libgcrypt-1.11.1/src/gcrypt.h.in
+===================================================================
+--- libgcrypt-1.11.1.orig/src/gcrypt.h.in
++++ libgcrypt-1.11.1/src/gcrypt.h.in
+@@ -335,12 +335,9 @@ enum gcry_ctl_cmds
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
+-    GCRYCTL_MD_CUSTOMIZE = 88
+-#ifdef _GCRYPT_IN_LIBGCRYPT  /* This is not yet part of the public API.  */
+-    ,
++    GCRYCTL_MD_CUSTOMIZE = 88,
+     GCRYCTL_FIPS_SERVICE_INDICATOR = 89,
+     GCRYCTL_FIPS_REJECT_NON_FIPS = 90
+-#endif /*_GCRYPT_IN_LIBGCRYPT*/
+   };
+ 
+ /* Perform various operations defined by CMD. */
+@@ -1977,8 +1974,6 @@ void gcry_log_debugsxp (const char *text
+ char *gcry_get_config (int mode, const char *what);
+ 
+ /* Convinience macro to access the FIPS service indicator.  */
+-#ifdef _GCRYPT_IN_LIBGCRYPT  /* This is not yet part of the public API.  */
+-
+ #define gcry_get_fips_service_indicator()       \
+   gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR)
+ 
+@@ -2012,9 +2007,6 @@ char *gcry_get_config (int mode, const c
+ #define GCRY_FIPS_FLAG_REJECT_DEFAULT \
+   GCRY_FIPS_FLAG_REJECT_COMPAT110
+ 
+-#endif /*_GCRYPT_IN_LIBGCRYPT*/
+-
+-
+ /* Log levels used by the internal logging facility. */
+ enum gcry_log_levels
+   {

libgcrypt-1.11.2.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:6ba59dd192270e8c1d22ddb41a07d95dcdbc1f0fb02d03c4b54b235814330aac
+size 4237802

libgcrypt-FIPS-SLI-hash-mac.patch

@@ -1,7 +1,7 @@
-Index: libgcrypt-1.11.0/doc/gcrypt.texi
+Index: libgcrypt-1.11.1/doc/gcrypt.texi
 ===================================================================
---- libgcrypt-1.11.0.orig/doc/gcrypt.texi
-+++ libgcrypt-1.11.0/doc/gcrypt.texi
+--- libgcrypt-1.11.1.orig/doc/gcrypt.texi
++++ libgcrypt-1.11.1/doc/gcrypt.texi
 @@ -998,13 +998,21 @@ certification. If the function is approv
  @code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
  Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
@@ -28,15 +28,14 @@ Index: libgcrypt-1.11.0/doc/gcrypt.texi
  @item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
  
  Check if the given message digest algorithm is approved under the current
-Index: libgcrypt-1.11.0/src/fips.c
+Index: libgcrypt-1.11.1/src/fips.c
 ===================================================================
---- libgcrypt-1.11.0.orig/src/fips.c
-+++ libgcrypt-1.11.0/src/fips.c
-@@ -378,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg
-     }
+--- libgcrypt-1.11.1.orig/src/fips.c
++++ libgcrypt-1.11.1/src/fips.c
+@@ -512,31 +512,6 @@ _gcry_fips_indicator_pk (va_list arg_ptr
  }
  
--int
+ int
 -_gcry_fips_indicator_mac (va_list arg_ptr)
 -{
 -  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
@@ -61,10 +60,11 @@ Index: libgcrypt-1.11.0/src/fips.c
 -    }
 -}
 -
- /* FIPS approved curves, extracted from:
-  *   cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
- static const struct
-@@ -602,6 +577,62 @@ _gcry_fips_indicator_pk_flags (va_list a
+-int
+ _gcry_fips_indicator_md (va_list arg_ptr)
+ {
+   enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
+@@ -647,6 +622,62 @@ _gcry_fips_indicator_pk_flags (va_list a
    return GPG_ERR_NOT_SUPPORTED;
  }
  
@@ -127,37 +127,37 @@ Index: libgcrypt-1.11.0/src/fips.c
  
  /* This is a test on whether the library is in the error or
     operational state. */
-Index: libgcrypt-1.11.0/src/g10lib.h
+Index: libgcrypt-1.11.1/src/g10lib.h
 ===================================================================
---- libgcrypt-1.11.0.orig/src/g10lib.h
-+++ libgcrypt-1.11.0/src/g10lib.h
-@@ -469,6 +469,7 @@ void _gcry_fips_signal_error (const char
- #endif
+--- libgcrypt-1.11.1.orig/src/g10lib.h
++++ libgcrypt-1.11.1/src/g10lib.h
+@@ -478,6 +478,7 @@ void _gcry_fips_signal_error (const char
+ gpg_err_code_t _gcry_fips_indicator (void);
  
  int _gcry_fips_indicator_cipher (va_list arg_ptr);
 +int _gcry_fips_indicator_hash (va_list arg_ptr);
  int _gcry_fips_indicator_mac (va_list arg_ptr);
  int _gcry_fips_indicator_md (va_list arg_ptr);
  int _gcry_fips_indicator_kdf (va_list arg_ptr);
-Index: libgcrypt-1.11.0/src/gcrypt.h.in
+Index: libgcrypt-1.11.1/src/gcrypt.h.in
 ===================================================================
---- libgcrypt-1.11.0.orig/src/gcrypt.h.in
-+++ libgcrypt-1.11.0/src/gcrypt.h.in
-@@ -336,7 +336,8 @@ enum gcry_ctl_cmds
-     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
-     GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
+--- libgcrypt-1.11.1.orig/src/gcrypt.h.in
++++ libgcrypt-1.11.1/src/gcrypt.h.in
+@@ -338,7 +338,8 @@ enum gcry_ctl_cmds
      GCRYCTL_MD_CUSTOMIZE = 88,
--    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89,
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 90
+     GCRYCTL_FIPS_SERVICE_INDICATOR = 89,
+     GCRYCTL_FIPS_REJECT_NON_FIPS = 90,
+-    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 91
++    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 91,
++    GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 92
    };
  
  /* Perform various operations defined by CMD. */
-Index: libgcrypt-1.11.0/src/global.c
+Index: libgcrypt-1.11.1/src/global.c
 ===================================================================
---- libgcrypt-1.11.0.orig/src/global.c
-+++ libgcrypt-1.11.0/src/global.c
-@@ -794,6 +794,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+--- libgcrypt-1.11.1.orig/src/global.c
++++ libgcrypt-1.11.1/src/global.c
+@@ -808,6 +808,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
        rc = _gcry_fips_indicator_cipher (arg_ptr);
        break;
  

libgcrypt-FIPS-SLI-kdf-leylength.patch

@@ -1,8 +1,8 @@
-Index: libgcrypt-1.10.2/src/fips.c
+Index: libgcrypt-1.11.0/src/fips.c
 ===================================================================
---- libgcrypt-1.10.2.orig/src/fips.c
-+++ libgcrypt-1.10.2/src/fips.c
-@@ -520,10 +520,15 @@ int
+--- libgcrypt-1.11.0.orig/src/fips.c
++++ libgcrypt-1.11.0/src/fips.c
+@@ -523,10 +523,15 @@ int
  _gcry_fips_indicator_kdf (va_list arg_ptr)
  {
    enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
@@ -18,11 +18,11 @@ Index: libgcrypt-1.10.2/src/fips.c
        return GPG_ERR_NO_ERROR;
      default:
        return GPG_ERR_NOT_SUPPORTED;
-Index: libgcrypt-1.10.2/doc/gcrypt.texi
+Index: libgcrypt-1.11.0/doc/gcrypt.texi
 ===================================================================
---- libgcrypt-1.10.2.orig/doc/gcrypt.texi
-+++ libgcrypt-1.10.2/doc/gcrypt.texi
-@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3
+--- libgcrypt-1.11.0.orig/doc/gcrypt.texi
++++ libgcrypt-1.11.0/doc/gcrypt.texi
+@@ -983,12 +983,13 @@ is approved under the current FIPS 140-3
  combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
  Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
  
@@ -40,3 +40,21 @@ Index: libgcrypt-1.10.2/doc/gcrypt.texi
  
  @item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
  
+Index: libgcrypt-1.11.0/tests/t-kdf.c
+===================================================================
+--- libgcrypt-1.11.0.orig/tests/t-kdf.c
++++ libgcrypt-1.11.0/tests/t-kdf.c
+@@ -1889,7 +1889,12 @@ check_fips_indicators (void)
+   for (i = 0; i < sizeof(kdf_algos) / sizeof(*kdf_algos); i++)
+     {
+       int is_fips_kdf_algo = 0;
+-      gcry_error_t err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i]);
++      gcry_error_t err;
++      // On SUSE/openSUSE builds PBKDF2 with keysize < 112 is not allowed
++      if (kdf_algos[i] == GCRY_KDF_PBKDF2)
++          err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i], 112);
++      else
++          err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i]);
+ 
+       if (verbose)
+         fprintf (stderr, "checking FIPS indicator for KDF %d: %s\n",

libgcrypt-FIPS-SLI-pk.patch

@@ -1,7 +1,7 @@
-Index: libgcrypt-1.11.0/src/fips.c
+Index: libgcrypt-1.11.1/src/fips.c
 ===================================================================
---- libgcrypt-1.11.0.orig/src/fips.c
-+++ libgcrypt-1.11.0/src/fips.c
+--- libgcrypt-1.11.1.orig/src/fips.c
++++ libgcrypt-1.11.1/src/fips.c
 @@ -38,6 +38,7 @@
  
  #include "g10lib.h"
@@ -10,7 +10,7 @@ Index: libgcrypt-1.11.0/src/fips.c
  #include "../random/random.h"
  
  /* The states of the finite state machine used in fips mode.  */
-@@ -400,6 +401,94 @@ _gcry_fips_indicator_mac (va_list arg_pt
+@@ -420,6 +421,94 @@ _gcry_fips_indicator_cipher (va_list arg
      default:
        return GPG_ERR_NOT_SUPPORTED;
      }
@@ -105,24 +105,24 @@ Index: libgcrypt-1.11.0/src/fips.c
  }
  
  int
-Index: libgcrypt-1.11.0/src/gcrypt.h.in
+Index: libgcrypt-1.11.1/src/gcrypt.h.in
 ===================================================================
---- libgcrypt-1.11.0.orig/src/gcrypt.h.in
-+++ libgcrypt-1.11.0/src/gcrypt.h.in
-@@ -335,7 +335,8 @@ enum gcry_ctl_cmds
-     GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
-     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
+--- libgcrypt-1.11.1.orig/src/gcrypt.h.in
++++ libgcrypt-1.11.1/src/gcrypt.h.in
+@@ -337,7 +337,8 @@ enum gcry_ctl_cmds
      GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
--    GCRYCTL_MD_CUSTOMIZE = 88
-+    GCRYCTL_MD_CUSTOMIZE = 88,
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89
+     GCRYCTL_MD_CUSTOMIZE = 88,
+     GCRYCTL_FIPS_SERVICE_INDICATOR = 89,
+-    GCRYCTL_FIPS_REJECT_NON_FIPS = 90
++    GCRYCTL_FIPS_REJECT_NON_FIPS = 90,
++    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 91
    };
  
  /* Perform various operations defined by CMD. */
-Index: libgcrypt-1.11.0/doc/gcrypt.texi
+Index: libgcrypt-1.11.1/doc/gcrypt.texi
 ===================================================================
---- libgcrypt-1.11.0.orig/doc/gcrypt.texi
-+++ libgcrypt-1.11.0/doc/gcrypt.texi
+--- libgcrypt-1.11.1.orig/doc/gcrypt.texi
++++ libgcrypt-1.11.1/doc/gcrypt.texi
 @@ -1010,6 +1010,19 @@ Check if the given message digest algori
  FIPS 140-3 certification. If the algorithm is approved, this function returns
  @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
@@ -143,11 +143,11 @@ Index: libgcrypt-1.11.0/doc/gcrypt.texi
  @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
  
  Check if the given public key operation flag or s-expression object name is
-Index: libgcrypt-1.11.0/src/g10lib.h
+Index: libgcrypt-1.11.1/src/g10lib.h
 ===================================================================
---- libgcrypt-1.11.0.orig/src/g10lib.h
-+++ libgcrypt-1.11.0/src/g10lib.h
-@@ -473,6 +473,7 @@ int _gcry_fips_indicator_mac (va_list ar
+--- libgcrypt-1.11.1.orig/src/g10lib.h
++++ libgcrypt-1.11.1/src/g10lib.h
+@@ -482,6 +482,7 @@ int _gcry_fips_indicator_mac (va_list ar
  int _gcry_fips_indicator_md (va_list arg_ptr);
  int _gcry_fips_indicator_kdf (va_list arg_ptr);
  int _gcry_fips_indicator_function (va_list arg_ptr);
@@ -155,11 +155,11 @@ Index: libgcrypt-1.11.0/src/g10lib.h
  int _gcry_fips_indicator_pk_flags (va_list arg_ptr);
  
  int _gcry_fips_is_operational (void);
-Index: libgcrypt-1.11.0/src/global.c
+Index: libgcrypt-1.11.1/src/global.c
 ===================================================================
---- libgcrypt-1.11.0.orig/src/global.c
-+++ libgcrypt-1.11.0/src/global.c
-@@ -828,6 +828,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+--- libgcrypt-1.11.1.orig/src/global.c
++++ libgcrypt-1.11.1/src/global.c
+@@ -842,6 +842,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
        rc = _gcry_fips_indicator_pk_flags (arg_ptr);
        break;
  

libgcrypt-FIPS-jitter-standalone.patch

@@ -1,7 +1,7 @@
-Index: libgcrypt-1.10.3/random/Makefile.am
+Index: libgcrypt-1.11.1/random/Makefile.am
 ===================================================================
---- libgcrypt-1.10.3.orig/random/Makefile.am
-+++ libgcrypt-1.10.3/random/Makefile.am
+--- libgcrypt-1.11.1.orig/random/Makefile.am
++++ libgcrypt-1.11.1/random/Makefile.am
 @@ -21,7 +21,7 @@
  # Need to include ../src in addition to top_srcdir because gcrypt.h is
  # a built header.
@@ -11,11 +11,11 @@ Index: libgcrypt-1.10.3/random/Makefile.am
  
  noinst_LTLIBRARIES = librandom.la
  
-@@ -45,14 +45,7 @@ rndoldlinux.c \
+@@ -44,14 +44,7 @@ rndgetentropy.c \
+ rndoldlinux.c \
  rndegd.c \
  rndunix.c \
- rndw32.c  \
--rndw32ce.c \
+-rndw32.c  \
 -jitterentropy-gcd.c jitterentropy-gcd.h \
 -jitterentropy-health.c jitterentropy-health.h \
 -jitterentropy-noise.c jitterentropy-noise.h \
@@ -23,11 +23,11 @@ Index: libgcrypt-1.10.3/random/Makefile.am
 -jitterentropy-timer.c jitterentropy-timer.h \
 -jitterentropy-base.h \
 -jitterentropy-base.c jitterentropy.h jitterentropy-base-user.h
-+rndw32ce.c
++rndw32.c
  
  # The rndjent module needs to be compiled without optimization.  */
  if ENABLE_O_FLAG_MUNGING
-@@ -61,20 +54,8 @@ else
+@@ -60,20 +53,8 @@ else
  o_flag_munging = cat
  endif
  
@@ -50,10 +50,10 @@ Index: libgcrypt-1.10.3/random/Makefile.am
 -            $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
 +rndjent.lo: $(srcdir)/rndjent.c
  	`echo $(LTCOMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
-Index: libgcrypt-1.10.3/random/rndjent.c
+Index: libgcrypt-1.11.1/random/rndjent.c
 ===================================================================
---- libgcrypt-1.10.3.orig/random/rndjent.c
-+++ libgcrypt-1.10.3/random/rndjent.c
+--- libgcrypt-1.11.1.orig/random/rndjent.c
++++ libgcrypt-1.11.1/random/rndjent.c
 @@ -94,17 +94,12 @@
   * jitterentropy-user-base.h file.   */
  
@@ -74,10 +74,10 @@ Index: libgcrypt-1.10.3/random/rndjent.c
  
  /* This is the lock we use to serialize access to this RNG.  The extra
   * integer variable is only used to check the locking state; that is,
-Index: libgcrypt-1.10.3/random/Makefile.in
+Index: libgcrypt-1.11.1/random/Makefile.in
 ===================================================================
---- libgcrypt-1.10.3.orig/random/Makefile.in
-+++ libgcrypt-1.10.3/random/Makefile.in
+--- libgcrypt-1.11.1.orig/random/Makefile.in
++++ libgcrypt-1.11.1/random/Makefile.in
 @@ -147,12 +147,7 @@ am__v_at_1 =
  DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
  depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
@@ -92,7 +92,7 @@ Index: libgcrypt-1.10.3/random/Makefile.in
  	./$(DEPDIR)/random-csprng.Plo ./$(DEPDIR)/random-drbg.Plo \
  	./$(DEPDIR)/random-system.Plo ./$(DEPDIR)/random.Plo \
  	./$(DEPDIR)/rndegd.Plo ./$(DEPDIR)/rndgetentropy.Plo \
-@@ -378,7 +373,7 @@ top_srcdir = @top_srcdir@
+@@ -375,7 +370,7 @@ top_srcdir = @top_srcdir@
  # Need to include ../src in addition to top_srcdir because gcrypt.h is
  # a built header.
  AM_CPPFLAGS = -I../src -I$(top_srcdir)/src
@@ -101,11 +101,11 @@ Index: libgcrypt-1.10.3/random/Makefile.in
  noinst_LTLIBRARIES = librandom.la
  GCRYPT_MODULES = @GCRYPT_RANDOM@
  librandom_la_DEPENDENCIES = $(GCRYPT_MODULES)
-@@ -398,14 +393,7 @@ rndoldlinux.c \
+@@ -394,14 +389,7 @@ rndgetentropy.c \
+ rndoldlinux.c \
  rndegd.c \
  rndunix.c \
- rndw32.c  \
--rndw32ce.c \
+-rndw32.c  \
 -jitterentropy-gcd.c jitterentropy-gcd.h \
 -jitterentropy-health.c jitterentropy-health.h \
 -jitterentropy-noise.c jitterentropy-noise.h \
@@ -113,11 +113,11 @@ Index: libgcrypt-1.10.3/random/Makefile.in
 -jitterentropy-timer.c jitterentropy-timer.h \
 -jitterentropy-base.h \
 -jitterentropy-base.c jitterentropy.h jitterentropy-base-user.h
-+rndw32ce.c
++rndw32.c
  
  @ENABLE_O_FLAG_MUNGING_FALSE@o_flag_munging = cat
  
-@@ -465,12 +453,6 @@ mostlyclean-compile:
+@@ -461,12 +449,6 @@ mostlyclean-compile:
  distclean-compile:
  	-rm -f *.tab.c
  
@@ -130,7 +130,7 @@ Index: libgcrypt-1.10.3/random/Makefile.in
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-csprng.Plo@am__quote@ # am--include-marker
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-drbg.Plo@am__quote@ # am--include-marker
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-system.Plo@am__quote@ # am--include-marker
-@@ -641,12 +623,6 @@ clean-am: clean-generic clean-libtool cl
+@@ -636,12 +618,6 @@ clean-am: clean-generic clean-libtool cl
  	mostlyclean-am
  
  distclean: distclean-am
@@ -143,7 +143,7 @@ Index: libgcrypt-1.10.3/random/Makefile.in
  	-rm -f ./$(DEPDIR)/random-csprng.Plo
  	-rm -f ./$(DEPDIR)/random-drbg.Plo
  	-rm -f ./$(DEPDIR)/random-system.Plo
-@@ -704,12 +680,6 @@ install-ps-am:
+@@ -698,12 +674,6 @@ install-ps-am:
  installcheck-am:
  
  maintainer-clean: maintainer-clean-am
@@ -156,7 +156,7 @@ Index: libgcrypt-1.10.3/random/Makefile.in
  	-rm -f ./$(DEPDIR)/random-csprng.Plo
  	-rm -f ./$(DEPDIR)/random-drbg.Plo
  	-rm -f ./$(DEPDIR)/random-system.Plo
-@@ -759,22 +729,10 @@ uninstall-am:
+@@ -752,22 +722,10 @@ uninstall-am:
  .PRECIOUS: Makefile
  
  

libgcrypt-jitterentropy-3.4.0.patch

@@ -1,618 +0,0 @@
-Index: libgcrypt-1.10.0/random/jitterentropy-base.c
-===================================================================
---- libgcrypt-1.10.0.orig/random/jitterentropy-base.c
-+++ libgcrypt-1.10.0/random/jitterentropy-base.c
-@@ -42,7 +42,7 @@
- 		      * require consumer to be updated (as long as this number
- 		      * is zero, the API is not considered stable and can
- 		      * change without a bump of the major version) */
--#define MINVERSION 3 /* API compatible, ABI may change, functional
-+#define MINVERSION 4 /* API compatible, ABI may change, functional
- 		      * enhancements only, consumer can be left unchanged if
- 		      * enhancements are not considered */
- #define PATCHLEVEL 0 /* API / ABI compatible, no functional changes, no
-@@ -200,29 +200,38 @@ ssize_t jent_read_entropy(struct rand_da
- 			tocopy = (DATA_SIZE_BITS / 8);
- 		else
- 			tocopy = len;
--		memcpy(p, &ec->data, tocopy);
-+
-+		jent_read_random_block(ec, p, tocopy);
- 
- 		len -= tocopy;
- 		p += tocopy;
- 	}
- 
- 	/*
--	 * To be on the safe side, we generate one more round of entropy
--	 * which we do not give out to the caller. That round shall ensure
--	 * that in case the calling application crashes, memory dumps, pages
--	 * out, or due to the CPU Jitter RNG lingering in memory for long
--	 * time without being moved and an attacker cracks the application,
--	 * all he reads in the entropy pool is a value that is NEVER EVER
--	 * being used for anything. Thus, he does NOT see the previous value
--	 * that was returned to the caller for cryptographic purposes.
-+	 * Enhanced backtracking support: At this point, the hash state
-+	 * contains the digest of the previous Jitter RNG collection round
-+	 * which is inserted there by jent_read_random_block with the SHA
-+	 * update operation. At the current code location we completed
-+	 * one request for a caller and we do not know how long it will
-+	 * take until a new request is sent to us. To guarantee enhanced
-+	 * backtracking resistance at this point (i.e. ensure that an attacker
-+	 * cannot obtain information about prior random numbers we generated),
-+	 * but still stirring the hash state with old data the Jitter RNG
-+	 * obtains a new message digest from its state and re-inserts it.
-+	 * After this operation, the Jitter RNG state is still stirred with
-+	 * the old data, but an attacker who gets access to the memory after
-+	 * this point cannot deduce the random numbers produced by the
-+	 * Jitter RNG prior to this point.
- 	 */
- 	/*
--	 * If we use secured memory, do not use that precaution as the secure
--	 * memory protects the entropy pool. Moreover, note that using this
--	 * call reduces the speed of the RNG by up to half
-+	 * If we use secured memory, where backtracking support may not be
-+	 * needed because the state is protected in a different method,
-+	 * it is permissible to drop this support. But strongly weigh the
-+	 * pros and cons considering that the SHA3 operation is not that
-+	 * expensive.
- 	 */
- #ifndef JENT_CPU_JITTERENTROPY_SECURE_MEMORY
--	jent_random_data(ec);
-+	jent_read_random_block(ec, NULL, 0);
- #endif
- 
- err:
-@@ -379,6 +388,7 @@ static struct rand_data
- *jent_entropy_collector_alloc_internal(unsigned int osr, unsigned int flags)
- {
- 	struct rand_data *entropy_collector;
-+	uint32_t memsize = 0;
- 
- 	/*
- 	 * Requesting disabling and forcing of internal timer
-@@ -405,7 +415,7 @@ static struct rand_data
- 		return NULL;
- 
- 	if (!(flags & JENT_DISABLE_MEMORY_ACCESS)) {
--		uint32_t memsize = jent_memsize(flags);
-+		memsize = jent_memsize(flags);
- 
- 		entropy_collector->mem = _gcry_calloc (1, memsize);
- 
-@@ -431,13 +441,19 @@ static struct rand_data
- 		entropy_collector->memaccessloops = JENT_MEMORY_ACCESSLOOPS;
- 	}
- 
-+	if (sha3_alloc(&entropy_collector->hash_state))
-+		goto err;
-+
-+	/* Initialize the hash state */
-+	sha3_256_init(entropy_collector->hash_state);
-+
- 	/* verify and set the oversampling rate */
- 	if (osr < JENT_MIN_OSR)
- 		osr = JENT_MIN_OSR;
- 	entropy_collector->osr = osr;
- 	entropy_collector->flags = flags;
- 
--	if (jent_fips_enabled() || (flags & JENT_FORCE_FIPS))
-+	if ((flags & JENT_FORCE_FIPS) || jent_fips_enabled())
- 		entropy_collector->fips_enabled = 1;
- 
- 	/* Initialize the APT */
-@@ -469,7 +485,7 @@ static struct rand_data
- 
- err:
- 	if (entropy_collector->mem != NULL)
--		jent_zfree(entropy_collector->mem, JENT_MEMORY_SIZE);
-+		jent_zfree(entropy_collector->mem, memsize);
- 	jent_zfree(entropy_collector, sizeof(struct rand_data));
- 	return NULL;
- }
-@@ -511,6 +527,7 @@ JENT_PRIVATE_STATIC
- void jent_entropy_collector_free(struct rand_data *entropy_collector)
- {
- 	if (entropy_collector != NULL) {
-+		sha3_dealloc(entropy_collector->hash_state);
- 		jent_notime_disable(entropy_collector);
- 		if (entropy_collector->mem != NULL) {
- 			jent_zfree(entropy_collector->mem,
-@@ -664,6 +681,7 @@ static inline int jent_entropy_init_comm
- 	int ret;
- 
- 	jent_notime_block_switch();
-+	jent_health_cb_block_switch();
- 
- 	if (sha3_tester())
- 		return EHASH;
-@@ -710,6 +728,8 @@ int jent_entropy_init_ex(unsigned int os
- 	if (ret)
- 		return ret;
- 
-+	ret = ENOTIME;
-+
- 	/* Test without internal timer unless caller does not want it */
- 	if (!(flags & JENT_FORCE_INTERNAL_TIMER))
- 		ret = jent_time_entropy_init(osr,
-@@ -732,3 +752,9 @@ int jent_entropy_switch_notime_impl(stru
- 	return jent_notime_switch(new_thread);
- }
- #endif
-+
-+JENT_PRIVATE_STATIC
-+int jent_set_fips_failure_callback(jent_fips_failure_cb cb)
-+{
-+	return jent_set_fips_failure_callback_internal(cb);
-+}
-Index: libgcrypt-1.10.0/random/jitterentropy-gcd.c
-===================================================================
---- libgcrypt-1.10.0.orig/random/jitterentropy-gcd.c
-+++ libgcrypt-1.10.0/random/jitterentropy-gcd.c
-@@ -113,12 +113,8 @@ int jent_gcd_analyze(uint64_t *delta_his
- 		goto out;
- 	}
- 
--	/*
--	 * Ensure that we have variations in the time stamp below 100 for at
--	 * least 10% of all checks -- on some platforms, the counter increments
--	 * in multiples of 100, but not always
--	 */
--	if (running_gcd >= 100) {
-+	/* Set a sensible maximum value. */
-+	if (running_gcd >= UINT32_MAX / 2) {
- 		ret = ECOARSETIME;
- 		goto out;
- 	}
-Index: libgcrypt-1.10.0/random/jitterentropy-health.c
-===================================================================
---- libgcrypt-1.10.0.orig/random/jitterentropy-health.c
-+++ libgcrypt-1.10.0/random/jitterentropy-health.c
-@@ -19,9 +19,24 @@
-  * DAMAGE.
-  */
- 
--#include "jitterentropy.h"
- #include "jitterentropy-health.h"
- 
-+static jent_fips_failure_cb fips_cb = NULL;
-+static int jent_health_cb_switch_blocked = 0;
-+
-+void jent_health_cb_block_switch(void)
-+{
-+	jent_health_cb_switch_blocked = 1;
-+}
-+
-+int jent_set_fips_failure_callback_internal(jent_fips_failure_cb cb)
-+{
-+	if (jent_health_cb_switch_blocked)
-+		return -EAGAIN;
-+	fips_cb = cb;
-+	return 0;
-+}
-+
- /***************************************************************************
-  * Lag Predictor Test
-  *
-@@ -434,5 +449,9 @@ unsigned int jent_health_failure(struct
- 	if (!ec->fips_enabled)
- 		return 0;
- 
-+	if (fips_cb && ec->health_failure) {
-+		fips_cb(ec, ec->health_failure);
-+	}
-+
- 	return ec->health_failure;
- }
-Index: libgcrypt-1.10.0/random/jitterentropy-health.h
-===================================================================
---- libgcrypt-1.10.0.orig/random/jitterentropy-health.h
-+++ libgcrypt-1.10.0/random/jitterentropy-health.h
-@@ -20,11 +20,16 @@
- #ifndef JITTERENTROPY_HEALTH_H
- #define JITTERENTROPY_HEALTH_H
- 
-+#include "jitterentropy.h"
-+
- #ifdef __cplusplus
- extern "C"
- {
- #endif
- 
-+void jent_health_cb_block_switch(void);
-+int jent_set_fips_failure_callback_internal(jent_fips_failure_cb cb);
-+
- static inline uint64_t jent_delta(uint64_t prev, uint64_t next)
- {
- 	return (next - prev);
-Index: libgcrypt-1.10.0/random/jitterentropy-noise.c
-===================================================================
---- libgcrypt-1.10.0.orig/random/jitterentropy-noise.c
-+++ libgcrypt-1.10.0/random/jitterentropy-noise.c
-@@ -33,7 +33,7 @@
-  * Update of the loop count used for the next round of
-  * an entropy collection.
-  *
-- * @ec [in] entropy collector struct -- may be NULL
-+ * @ec [in] entropy collector struct
-  * @bits [in] is the number of low bits of the timer to consider
-  * @min [in] is the number of bits we shift the timer value to the right at
-  *	     the end to make sure we have a guaranteed minimum value
-@@ -61,16 +61,13 @@ static uint64_t jent_loop_shuffle(struct
- 	 * Mix the current state of the random number into the shuffle
- 	 * calculation to balance that shuffle a bit more.
- 	 */
--	if (ec) {
--		jent_get_nstime_internal(ec, &time);
--		time ^= ec->data[0];
--	}
-+	jent_get_nstime_internal(ec, &time);
- 
- 	/*
- 	 * We fold the time value as much as possible to ensure that as many
- 	 * bits of the time stamp are included as possible.
- 	 */
--	for (i = 0; ((DATA_SIZE_BITS + bits - 1) / bits) > i; i++) {
-+	for (i = 0; (((sizeof(time) << 3) + bits - 1) / bits) > i; i++) {
- 		shuffle ^= time & mask;
- 		time = time >> bits;
- 	}
-@@ -91,11 +88,11 @@ static uint64_t jent_loop_shuffle(struct
-  * This function injects the individual bits of the time value into the
-  * entropy pool using a hash.
-  *
-- * @ec [in] entropy collector struct -- may be NULL
-- * @time [in] time stamp to be injected
-+ * @ec [in] entropy collector struct
-+ * @time [in] time delta to be injected
-  * @loop_cnt [in] if a value not equal to 0 is set, use the given value as
-  *		  number of loops to perform the hash operation
-- * @stuck [in] Is the time stamp identified as stuck?
-+ * @stuck [in] Is the time delta identified as stuck?
-  *
-  * Output:
-  * updated hash context
-@@ -104,17 +101,19 @@ static void jent_hash_time(struct rand_d
- 			   uint64_t loop_cnt, unsigned int stuck)
- {
- 	HASH_CTX_ON_STACK(ctx);
--	uint8_t itermediary[SHA3_256_SIZE_DIGEST];
-+	uint8_t intermediary[SHA3_256_SIZE_DIGEST];
- 	uint64_t j = 0;
--	uint64_t hash_loop_cnt;
- #define MAX_HASH_LOOP 3
- #define MIN_HASH_LOOP 0
- 
- 	/* Ensure that macros cannot overflow jent_loop_shuffle() */
- 	BUILD_BUG_ON((MAX_HASH_LOOP + MIN_HASH_LOOP) > 63);
--	hash_loop_cnt =
-+	uint64_t hash_loop_cnt =
- 		jent_loop_shuffle(ec, MAX_HASH_LOOP, MIN_HASH_LOOP);
- 
-+	/* Use the memset to shut up valgrind */
-+	memset(intermediary, 0, sizeof(intermediary));
-+
- 	sha3_256_init(&ctx);
- 
- 	/*
-@@ -125,35 +124,54 @@ static void jent_hash_time(struct rand_d
- 		hash_loop_cnt = loop_cnt;
- 
- 	/*
--	 * This loop basically slows down the SHA-3 operation depending
--	 * on the hash_loop_cnt. Each iteration of the loop generates the
--	 * same result.
-+	 * This loop fills a buffer which is injected into the entropy pool.
-+	 * The main reason for this loop is to execute something over which we
-+	 * can perform a timing measurement. The injection of the resulting
-+	 * data into the pool is performed to ensure the result is used and
-+	 * the compiler cannot optimize the loop away in case the result is not
-+	 * used at all. Yet that data is considered "additional information"
-+	 * considering the terminology from SP800-90A without any entropy.
-+	 *
-+	 * Note, it does not matter which or how much data you inject, we are
-+	 * interested in one Keccack1600 compression operation performed with
-+	 * the sha3_final.
- 	 */
- 	for (j = 0; j < hash_loop_cnt; j++) {
--		sha3_update(&ctx, ec->data, SHA3_256_SIZE_DIGEST);
--		sha3_update(&ctx, (uint8_t *)&time, sizeof(uint64_t));
-+		sha3_update(&ctx, intermediary, sizeof(intermediary));
-+		sha3_update(&ctx, (uint8_t *)&ec->rct_count,
-+			    sizeof(ec->rct_count));
-+		sha3_update(&ctx, (uint8_t *)&ec->apt_cutoff,
-+			    sizeof(ec->apt_cutoff));
-+		sha3_update(&ctx, (uint8_t *)&ec->apt_observations,
-+			    sizeof(ec->apt_observations));
-+		sha3_update(&ctx, (uint8_t *)&ec->apt_count,
-+			    sizeof(ec->apt_count));
-+		sha3_update(&ctx,(uint8_t *) &ec->apt_base,
-+			    sizeof(ec->apt_base));
- 		sha3_update(&ctx, (uint8_t *)&j, sizeof(uint64_t));
-+		sha3_final(&ctx, intermediary);
-+	}
- 
--		/*
--		 * If the time stamp is stuck, do not finally insert the value
--		 * into the entropy pool. Although this operation should not do
--		 * any harm even when the time stamp has no entropy, SP800-90B
--		 * requires that any conditioning operation to have an identical
--		 * amount of input data according to section 3.1.5.
--		 */
-+	/*
-+	 * Inject the data from the previous loop into the pool. This data is
-+	 * not considered to contain any entropy, but it stirs the pool a bit.
-+	 */
-+	sha3_update(ec->hash_state, intermediary, sizeof(intermediary));
- 
--		/*
--		 * The sha3_final operations re-initialize the context for the
--		 * next loop iteration.
--		 */
--		if (stuck || (j < hash_loop_cnt - 1))
--			sha3_final(&ctx, itermediary);
--		else
--			sha3_final(&ctx, ec->data);
--	}
-+	/*
-+	 * Insert the time stamp into the hash context representing the pool.
-+	 *
-+	 * If the time stamp is stuck, do not finally insert the value into the
-+	 * entropy pool. Although this operation should not do any harm even
-+	 * when the time stamp has no entropy, SP800-90B requires that any
-+	 * conditioning operation to have an identical amount of input data
-+	 * according to section 3.1.5.
-+	 */
-+	if (!stuck)
-+		sha3_update(ec->hash_state, (uint8_t *)&time, sizeof(uint64_t));
- 
- 	jent_memset_secure(&ctx, SHA_MAX_CTX_SIZE);
--	jent_memset_secure(itermediary, sizeof(itermediary));
-+	jent_memset_secure(intermediary, sizeof(intermediary));
- }
- 
- #define MAX_ACC_LOOP_BIT 7
-@@ -184,13 +202,12 @@ static inline uint32_t xoshiro128starsta
- 
- static void jent_memaccess(struct rand_data *ec, uint64_t loop_cnt)
- {
--	uint64_t i = 0;
-+	uint64_t i = 0, time = 0;
- 	union {
- 		uint32_t u[4];
- 		uint8_t b[sizeof(uint32_t) * 4];
- 	} prngState = { .u = {0x8e93eec0, 0xce65608a, 0xa8d46b46, 0xe83cef69} };
- 	uint32_t addressMask;
--        uint64_t acc_loop_cnt;
- 
- 	if (NULL == ec || NULL == ec->mem)
- 		return;
-@@ -199,7 +216,7 @@ static void jent_memaccess(struct rand_d
- 
- 	/* Ensure that macros cannot overflow jent_loop_shuffle() */
- 	BUILD_BUG_ON((MAX_ACC_LOOP_BIT + MIN_ACC_LOOP_BIT) > 63);
--	acc_loop_cnt =
-+	uint64_t acc_loop_cnt =
- 		jent_loop_shuffle(ec, MAX_ACC_LOOP_BIT, MIN_ACC_LOOP_BIT);
- 
- 	/*
-@@ -213,8 +230,10 @@ static void jent_memaccess(struct rand_d
- 	 * "per-update: timing, it gets you mostly independent "per-update"
- 	 * timing, so we can now benefit from the Central Limit Theorem!
- 	 */
--	for (i = 0; i < sizeof(prngState); i++)
--		prngState.b[i] ^= ec->data[i];
-+	for (i = 0; i < sizeof(prngState); i++) {
-+		jent_get_nstime_internal(ec, &time);
-+		prngState.b[i] ^= (uint8_t)(time & 0xff);
-+	}
- 
- 	/*
- 	 * testing purposes -- allow test app to set the counter, not
-@@ -358,21 +377,21 @@ unsigned int jent_measure_jitter(struct
- 
- /**
-  * Generator of one 256 bit random number
-- * Function fills rand_data->data
-+ * Function fills rand_data->hash_state
-  *
-  * @ec [in] Reference to entropy collector
-  */
- void jent_random_data(struct rand_data *ec)
- {
--	unsigned int k = 0, safety_factor = ENTROPY_SAFETY_FACTOR;
-+	unsigned int k = 0, safety_factor = 0;
- 
--	if (!ec->fips_enabled)
--		safety_factor = 0;
-+	if (ec->fips_enabled)
-+		safety_factor = ENTROPY_SAFETY_FACTOR;
- 
- 	/* priming of the ->prev_time value */
- 	jent_measure_jitter(ec, 0, NULL);
- 
--	while (1) {
-+	while (!jent_health_failure(ec)) {
- 		/* If a stuck measurement is received, repeat measurement */
- 		if (jent_measure_jitter(ec, 0, NULL))
- 			continue;
-@@ -385,3 +404,22 @@ void jent_random_data(struct rand_data *
- 			break;
- 	}
- }
-+
-+void jent_read_random_block(struct rand_data *ec, char *dst, size_t dst_len)
-+{
-+	uint8_t jent_block[SHA3_256_SIZE_DIGEST];
-+
-+	BUILD_BUG_ON(SHA3_256_SIZE_DIGEST != (DATA_SIZE_BITS / 8));
-+
-+	/* The final operation automatically re-initializes the ->hash_state */
-+	sha3_final(ec->hash_state, jent_block);
-+	if (dst_len)
-+		memcpy(dst, jent_block, dst_len);
-+
-+	/*
-+	 * Stir the new state with the data from the old state - the digest
-+	 * of the old data is not considered to have entropy.
-+	 */
-+	sha3_update(ec->hash_state, jent_block, sizeof(jent_block));
-+	jent_memset_secure(jent_block, sizeof(jent_block));
-+}
-Index: libgcrypt-1.10.0/random/jitterentropy-noise.h
-===================================================================
---- libgcrypt-1.10.0.orig/random/jitterentropy-noise.h
-+++ libgcrypt-1.10.0/random/jitterentropy-noise.h
-@@ -31,6 +31,7 @@ unsigned int jent_measure_jitter(struct
- 				 uint64_t loop_cnt,
- 				 uint64_t *ret_current_delta);
- void jent_random_data(struct rand_data *ec);
-+void jent_read_random_block(struct rand_data *ec, char *dst, size_t dst_len);
- 
- #ifdef __cplusplus
- }
-Index: libgcrypt-1.10.0/random/jitterentropy-sha3.c
-===================================================================
---- libgcrypt-1.10.0.orig/random/jitterentropy-sha3.c
-+++ libgcrypt-1.10.0/random/jitterentropy-sha3.c
-@@ -19,6 +19,7 @@
-  */
- 
- #include "jitterentropy-sha3.h"
-+#include "jitterentropy.h"
- 
- /***************************************************************************
-  * Message Digest Implementation
-@@ -380,3 +381,23 @@ int sha3_tester(void)
- 
- 	return 0;
- }
-+
-+int sha3_alloc(void **hash_state)
-+{
-+	struct sha_ctx *tmp;
-+
-+	tmp = jent_zalloc(SHA_MAX_CTX_SIZE);
-+	if (!tmp)
-+		return 1;
-+
-+	*hash_state = tmp;
-+
-+	return 0;
-+}
-+
-+void sha3_dealloc(void *hash_state)
-+{
-+	struct sha_ctx *ctx = (struct sha_ctx *)hash_state;
-+
-+	jent_zfree(ctx, SHA_MAX_CTX_SIZE);
-+}
-Index: libgcrypt-1.10.0/random/jitterentropy-sha3.h
-===================================================================
---- libgcrypt-1.10.0.orig/random/jitterentropy-sha3.h
-+++ libgcrypt-1.10.0/random/jitterentropy-sha3.h
-@@ -47,6 +47,8 @@ struct sha_ctx {
- void sha3_256_init(struct sha_ctx *ctx);
- void sha3_update(struct sha_ctx *ctx, const uint8_t *in, size_t inlen);
- void sha3_final(struct sha_ctx *ctx, uint8_t *digest);
-+int sha3_alloc(void **hash_state);
-+void sha3_dealloc(void *hash_state);
- int sha3_tester(void);
- 
- #ifdef __cplusplus
-Index: libgcrypt-1.10.0/random/jitterentropy-timer.c
-===================================================================
---- libgcrypt-1.10.0.orig/random/jitterentropy-timer.c
-+++ libgcrypt-1.10.0/random/jitterentropy-timer.c
-@@ -202,8 +202,8 @@ int jent_notime_enable(struct rand_data
- 	if (jent_force_internal_timer || (flags & JENT_FORCE_INTERNAL_TIMER)) {
- 		/* Self test not run yet */
- 		if (!jent_force_internal_timer &&
--		    jent_time_entropy_init(flags | JENT_FORCE_INTERNAL_TIMER,
--					   ec->osr))
-+		    jent_time_entropy_init(ec->osr,
-+					   flags | JENT_FORCE_INTERNAL_TIMER))
- 			return EHEALTH;
- 
- 		ec->enable_notime = 1;
-Index: libgcrypt-1.10.0/random/jitterentropy.h
-===================================================================
---- libgcrypt-1.10.0.orig/random/jitterentropy.h
-+++ libgcrypt-1.10.0/random/jitterentropy.h
-@@ -49,7 +49,7 @@
-  ***************************************************************************/
- 
- /*
-- * Enable timer-less timer support
-+ * Enable timer-less timer support with JENT_CONF_ENABLE_INTERNAL_TIMER
-  *
-  * In case the hardware is identified to not provide a high-resolution time
-  * stamp, this option enables a built-in high-resolution time stamp mechanism.
-@@ -166,7 +166,7 @@ struct rand_data
- 	 * of the RNG are marked as SENSITIVE. A user must not
- 	 * access that information while the RNG executes its loops to
- 	 * calculate the next random value. */
--	uint8_t data[SHA3_256_SIZE_DIGEST]; /* SENSITIVE Actual random number */
-+	void *hash_state;		/* SENSITIVE hash state entropy pool */
- 	uint64_t prev_time;		/* SENSITIVE Previous time stamp */
- #define DATA_SIZE_BITS (SHA3_256_SIZE_DIGEST_BITS)
- 
-@@ -378,28 +378,34 @@ int jent_entropy_init(void);
- JENT_PRIVATE_STATIC
- int jent_entropy_init_ex(unsigned int osr, unsigned int flags);
- 
-+/*
-+ * Set a callback to run on health failure in FIPS mode.
-+ * This function will take an action determined by the caller.
-+ */
-+typedef void (*jent_fips_failure_cb)(struct rand_data *ec,
-+				     unsigned int health_failure);
-+JENT_PRIVATE_STATIC
-+int jent_set_fips_failure_callback(jent_fips_failure_cb cb);
-+
- /* return version number of core library */
- JENT_PRIVATE_STATIC
- unsigned int jent_version(void);
- 
--#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER
- /* Set a different thread handling logic for the notimer support */
- JENT_PRIVATE_STATIC
- int jent_entropy_switch_notime_impl(struct jent_notime_thread *new_thread);
--#endif
- 
- /* -- END of Main interface functions -- */
- 
- /* -- BEGIN timer-less threading support functions to prevent code dupes -- */
- 
--struct jent_notime_ctx {
- #ifdef JENT_CONF_ENABLE_INTERNAL_TIMER
-+
-+struct jent_notime_ctx {
- 	pthread_attr_t notime_pthread_attr;	/* pthreads library */
- 	pthread_t notime_thread_id;		/* pthreads thread ID */
--#endif
- };
- 
--#ifdef JENT_CONF_ENABLE_INTERNAL_TIMER
- 
- JENT_PRIVATE_STATIC
- int jent_notime_init(void **ctx);
-Index: libgcrypt-1.10.0/random/jitterentropy-base-user.h
-===================================================================
---- libgcrypt-1.10.0.orig/random/jitterentropy-base-user.h
-+++ libgcrypt-1.10.0/random/jitterentropy-base-user.h
-@@ -213,12 +213,12 @@ static inline void jent_get_cachesize(lo
- 		ext = strstr(buf, "K");
- 		if (ext) {
- 			shift = 10;
--			ext = '\0';
-+			*ext = '\0';
- 		} else {
- 			ext = strstr(buf, "M");
- 			if (ext) {
- 				shift = 20;
--				ext = '\0';
-+				*ext = '\0';
- 			}
- 		}
- 

libgcrypt-no-deprecated-grep-alias.patch

@@ -1,35 +0,0 @@
---- libgcrypt-1.10.3.orig/acinclude.m4
-+++ libgcrypt-1.10.3/acinclude.m4
-@@ -130,10 +130,10 @@ EOF
-     ac_nlist=conftest.nm
-     if AC_TRY_EVAL(NM conftest.$ac_objext \| $lt_cv_sys_global_symbol_pipe \| cut -d \' \' -f 2 \> $ac_nlist) && test -s "$ac_nlist"; then
-       # See whether the symbols have a leading underscore.
--      if egrep '^_nm_test_func' "$ac_nlist" >/dev/null; then
-+      if grep -E '^_nm_test_func' "$ac_nlist" >/dev/null; then
-         ac_cv_sys_symbol_underscore=yes
-       else
--        if egrep '^nm_test_func ' "$ac_nlist" >/dev/null; then
-+        if grep -E '^nm_test_func ' "$ac_nlist" >/dev/null; then
-           :
-         else
-           echo "configure: cannot find nm_test_func in $ac_nlist" >&AS_MESSAGE_LOG_FD
---- libgcrypt-1.10.3.orig/src/libgcrypt-config.in
-+++ libgcrypt-1.10.3/src/libgcrypt-config.in
-@@ -154,7 +154,7 @@ if test "$echo_cflags" = "yes"; then
- 
-     tmp=""
-     for i in $includes $cflags_final; do
--       if echo "$tmp" | fgrep -v -- "$i" >/dev/null; then
-+       if echo "$tmp" | @GREP@ -F -v -- "$i" >/dev/null; then
-            tmp="$tmp $i"
-        fi
-     done
-@@ -175,7 +175,7 @@ if test "$echo_libs" = "yes"; then
- 
-     tmp=""
-     for i in $libdirs $libs_final; do
--       if echo "$tmp" | fgrep -v -- "$i" >/dev/null; then
-+       if echo "$tmp" | @GREP@ -F -v -- "$i" >/dev/null; then
-            tmp="$tmp $i"
-        fi
-     done

libgcrypt-ppc-enable-P10-assembly-with-ENABLE_FORCE_SOF.patch

@@ -1,76 +0,0 @@
-commit 2c5e5ab6843d747c4b877d2c6f47226f61e9ff14
-Author: Jussi Kivilinna <jussi.kivilinna@iki.fi>
-Date:   Sun Jun 12 21:51:34 2022 +0300
-
-    ppc enable P10 assembly with ENABLE_FORCE_SOFT_HWFEATURES on arch 3.00
-    
-    * cipher/chacha20.c (chacha20_do_setkey) [USE_PPC_VEC]: Enable
-    P10 assembly for HWF_PPC_ARCH_3_00 if ENABLE_FORCE_SOFT_HWFEATURES is
-    defined.
-    * cipher/poly1305.c (poly1305_init) [POLY1305_USE_PPC_VEC]: Likewise.
-    * cipher/rijndael.c (do_setkey) [USE_PPC_CRYPTO_WITH_PPC9LE]: Likewise.
-    ---
-    
-    This change allows testing P10 implementations with P9 and with QEMU-PPC.
-    
-    GnuPG-bug-id: 6006
-    Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
-
-Index: libgcrypt-1.10.2/cipher/chacha20.c
-===================================================================
---- libgcrypt-1.10.2.orig/cipher/chacha20.c
-+++ libgcrypt-1.10.2/cipher/chacha20.c
-@@ -484,6 +484,11 @@ chacha20_do_setkey (CHACHA20_context_t *
-   ctx->use_ppc = (features & HWF_PPC_ARCH_2_07) != 0;
- # ifndef WORDS_BIGENDIAN
-   ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0;
-+#  ifdef ENABLE_FORCE_SOFT_HWFEATURES
-+  /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10.
-+   * Actual implementation works with HWF_PPC_ARCH_3_00 also. */
-+  ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0;
-+#  endif
- # endif
- #endif
- #ifdef USE_S390X_VX
-Index: libgcrypt-1.10.2/cipher/poly1305.c
-===================================================================
---- libgcrypt-1.10.2.orig/cipher/poly1305.c
-+++ libgcrypt-1.10.2/cipher/poly1305.c
-@@ -90,11 +90,19 @@ static void poly1305_init (poly1305_cont
- 			   const byte key[POLY1305_KEYLEN])
- {
-   POLY1305_STATE *st = &ctx->state;
-+  unsigned int features = _gcry_get_hw_features ();
- 
- #ifdef POLY1305_USE_PPC_VEC
--  ctx->use_p10 = (_gcry_get_hw_features () & HWF_PPC_ARCH_3_10) != 0;
-+  ctx->use_p10 = (features & HWF_PPC_ARCH_3_10) != 0;
-+# ifdef ENABLE_FORCE_SOFT_HWFEATURES
-+  /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10.
-+   * Actual implementation works with HWF_PPC_ARCH_3_00 also. */
-+  ctx->use_p10 |= (features & HWF_PPC_ARCH_3_00) != 0;
-+# endif
- #endif
- 
-+  (void)features;
-+
-   ctx->leftover = 0;
- 
-   st->h[0] = 0;
-Index: libgcrypt-1.10.2/cipher/rijndael.c
-===================================================================
---- libgcrypt-1.10.2.orig/cipher/rijndael.c
-+++ libgcrypt-1.10.2/cipher/rijndael.c
-@@ -605,6 +605,12 @@ do_setkey (RIJNDAEL_context *ctx, const
-       bulk_ops->xts_crypt = _gcry_aes_ppc9le_xts_crypt;
-       if (hwfeatures & HWF_PPC_ARCH_3_10)  /* for P10 */
-         bulk_ops->gcm_crypt = _gcry_aes_p10le_gcm_crypt;
-+# ifdef ENABLE_FORCE_SOFT_HWFEATURES
-+      /* HWF_PPC_ARCH_3_10 above is used as soft HW-feature indicator for P10.
-+       * Actual implementation works with HWF_PPC_ARCH_3_00 also. */
-+      if (hwfeatures & HWF_PPC_ARCH_3_00)
-+        bulk_ops->gcm_crypt = _gcry_aes_p10le_gcm_crypt;
-+# endif
-     }
- #endif
- #ifdef USE_PPC_CRYPTO

libgcrypt-rol64-redefinition.patch

@@ -0,0 +1,16 @@
+Index: libgcrypt-1.11.0/cipher/bithelp.h
+===================================================================
+--- libgcrypt-1.11.0.orig/cipher/bithelp.h
++++ libgcrypt-1.11.0/cipher/bithelp.h
+@@ -35,11 +35,6 @@ static inline u32 ror(u32 x, int n)
+ 	return ( (x >> (n&(32-1))) | (x << ((32-n)&(32-1))) );
+ }
+ 
+-static inline u64 rol64(u64 x, int n)
+-{
+-  return ( (x << (n&(64-1))) | (x >> ((64-n)&(64-1))) );
+-}
+-
+ /* Byte swap for 32-bit and 64-bit integers.  If available, use compiler
+    provided helpers.  */
+ #ifdef HAVE_BUILTIN_BSWAP32

libgcrypt.changes

@@ -1,3 +1,174 @@
+-------------------------------------------------------------------
+Fri Aug  8 20:05:34 UTC 2025 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- Update to 1.11.2:
+  * portability fixes
+  * Support secp256k1 by KEM API.  GnuPG has recently switched to
+     use the KEM interface and a few folks are using this curve
+  * Fix a missing initialization in RSA's generate_fips.
+  * Use '.rodata' section for read-only data of poly1305-p10le
+
+-------------------------------------------------------------------
+Thu Jun  5 13:23:03 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
+
+- Security fix [bsc#1221107, CVE-2024-2236]
+  * Add --enable-marvin-workaround to spec to enable workaround
+  * Fix  timing based side-channel in RSA implementation ( Marvin attack ) 
+  * Add libgcrypt-CVE-2024-2236.patch
+
+-------------------------------------------------------------------
+Thu May  8 14:28:42 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Update to 1.11.1: [jsc#PED-12227]
+  * Bug fixes:
+    - Fix Kyber secret-dependent branch introduced by recent versions of Clang. [rCf765778e82]
+    - Fix build regression due to the use of AVX512 in Blake. [T7184]
+    - Do not build i386 asm on amd64 and vice versa. [T7220]
+    - Fix build regression on armhf with gcc-14. [T7226]
+    - Return the proper error code on malloc failure in hex2buffer. [rCc51151f5b0]
+    - Fix long standing bug for PRIME % 2 == 0. [rC639b0fca15]
+  * Performance:
+    - Add AES Vector Permute intrinsics implementation for AArch64. [rC94a63aedbb]
+    - Add GHASH AArch64/SIMD intrinsics implementation. [rCfec871fd18]
+    - Add RISC-V vector permute AES. [rCb24ebd6163]
+    - Add GHASH RISC-V Zbb+Zbc implementation. [rC0f1fec12b0]
+    - Add ChaCha20 RISC-V vector intrinsics implementation. [rC8dbee93ac2]
+    - Add SHA3 acceleration for RISC-V Zbb extension. [rC1a660068ba]
+  * Other:
+    - Add CET support for i386 and amd64 assembly. [T7220]
+    - Add PAC/BTI support for AArch64 asm. [T7220]
+    - Apply changes to Kyber from upstream for final FIPS 203. [rCcc95c36e7f]
+    - Introduce an internal API for a revampled FIPS service indicator. [T7340]
+    - Several improvements for constant time operation by the introduction of
+      Least Leak Intended (LLI) variants of internal functions. [T7519,T7490]
+  * Add libgcrypt-1.11.1-public-SLI-API.patch
+  * Rebase patches:
+    - libgcrypt-FIPS-SLI-hash-mac.patch
+    - libgcrypt-FIPS-SLI-pk.patch
+    - libgcrypt-FIPS-jitter-standalone.patch
+  * Remove patches:
+    - libgcrypt-fips-Introduce-an-internal-API-for-FIPS-service-indicator.patch
+    - libgcrypt-fips-Introduce-GCRYCTL_FIPS_SERVICE_INDICATOR-and-the-macro.patch
+    - libgcrypt-fips-kdf-Implement-new-FIPS-service-indicator-for-gcry_kdf_derive.patch
+    - libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_hash_.patch
+    - libgcrypt-fips-tests-Add-t-digest.patch
+    - libgcrypt-fips-Change-the-internal-API-for-new-FIPS-service-indicator.patch
+    - libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_open-API.patch
+    - libgcrypt-fips-tests-Add-tests-for-md_open-write-read-close-for-t-digest.patch
+    - libgcrypt-fips-mac-Implement-new-FIPS-service-indicator-for-gcry_mac_open.patch
+    - libgcrypt-fips-cipher-Implement-new-FIPS-service-indicator-for-cipher_open.patch
+    - libgcrypt-tests-fips-Add-gcry_mac_open-tests.patch
+    - libgcrypt-tests-fips-Rename-t-fips-service-ind.patch
+    - libgcrypt-tests-fips-Move-KDF-tests-to-t-fips-service-ind.patch
+    - libgcrypt-tests-fips-Add-gcry_cipher_open-tests.patch
+    - libgcrypt-fips-md-gcry_md_copy-should-care-about-FIPS-service-indicator.patch
+    - libgcrypt-fips-cipher-Implement-FIPS-service-indicator-for-gcry_pk_hash_-API.patch
+    - libgcrypt-fips-Introduce-GCRYCTL_FIPS_REJECT_NON_FIPS.patch
+    - libgcrypt-Fix-the-previous-change.patch
+    - libgcrypt-fips-Rejection-by-GCRYCTL_FIPS_REJECT_NON_FIPS-not-by-open-flags.patch
+    - libgcrypt-fips-cipher-Add-behavior-not-to-reject-but-mark-non-compliant.patch
+    - libgcrypt-fips-ecc-Add-rejecting-or-marking-for-gcry_pk_get_curve.patch
+    - libgcrypt-tests-Add-more-tests-to-tests-t-fips-service-ind.patch
+    - libgcrypt-fips-ecc-Check-DATA-in-gcry_pk_sign-verify-in-FIPS-mode.patch
+    - libgcrypt-fips-cipher-Fix-memory-leak-for-gcry_pk_hash_sign.patch
+    - libgcrypt-build-Improve-__thread-specifier-check.patch
+    - libgcrypt-cipher-Check-and-mark-non-compliant-cipher-modes-in-the-SLI.patch
+    - libgcrypt-cipher-Rename-_gcry_cipher_is_mode_fips_compliant.patch
+    - libgcrypt-cipher-Don-t-differentiate-GCRY_CIPHER_MODE_CMAC-in-FIPS-mode.patch
+    - libgcrypt-cipher-rsa-Mark-reject-SHA1-unknown-with-RSA-signature-generation.patch
+    - libgcrypt-md-Fix-gcry_md_algo_info-to-mark-reject-under-FIPS-mode.patch
+    - libgcrypt-md-Use-check_digest_algo_spec-in-_gcry_md_selftest.patch
+    - libgcrypt-tests-Update-t-fips-service-ind-using-GCRY_MD_SHA256-for-KDF-tests.patch
+    - libgcrypt-fips-cipher-Do-the-computation-when-marking-non-compliant.patch
+    - libgcrypt-tests-Allow-tests-with-USE_RSA.patch
+    - libgcrypt-cipher-Add-KAT-for-non-rfc6979-ECDSA-with-fixed-k.patch
+    - libgcrypt-cipher-Differentiate-use-of-label-K-in-the-SLI.patch
+    - libgcrypt-cipher-Differentiate-igninvflag-in-the-SLI.patch
+    - libgcrypt-cipher-Differentiate-no-blinding-flag-in-the-SLI.patch
+    - libgcrypt-fips-cipher-Add-GCRY_FIPS_FLAG_REJECT_PK_FLAGS.patch
+    - libgcrypt-cipher-ecc-Fix-for-supplied-K.patch
+    - libgcrypt-cipher-visibility-Differentiate-use-of-random-override-in-the-SLI.patch
+    - libgcrypt-cipher-fips-Fix-for-random-override.patch
+    - libgcrypt-md-Make-SHA-1-non-FIPS-internally-for-1.12-API.patch
+    - libgcrypt-fips-Fix-GCRY_FIPS_FLAG_REJECT_MD.patch
+    - libgcrypt-doc-Add-about-GCRYCTL_FIPS_SERVICE_INDICATOR.patch
+    - libgcrypt-doc-Fix-syntax-error.patch
+    - libgcrypt-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
+
+-------------------------------------------------------------------
+Tue May  6 07:24:14 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- CSHAKE basic regression test failure in s390x [bsc#1242419]
+  * Disable SHA3 s390x acceleration for CSHAKE [rC2486d9b5ae01]
+  * Add libgcrypt-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
+
+-------------------------------------------------------------------
+Sun Apr 13 20:10:16 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Differentiate use of SHA1 in the service level indicator [jsc#PED-12227]
+  * Include upstream SLI revamp and fips certification fixes
+  * Add patches:
+    - libgcrypt-fips-Introduce-an-internal-API-for-FIPS-service-indicator.patch
+    - libgcrypt-fips-Introduce-GCRYCTL_FIPS_SERVICE_INDICATOR-and-the-macro.patch
+    - libgcrypt-fips-kdf-Implement-new-FIPS-service-indicator-for-gcry_kdf_derive.patch
+    - libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_hash_.patch
+    - libgcrypt-fips-tests-Add-t-digest.patch
+    - libgcrypt-fips-Change-the-internal-API-for-new-FIPS-service-indicator.patch
+    - libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_open-API.patch
+    - libgcrypt-fips-tests-Add-tests-for-md_open-write-read-close-for-t-digest.patch
+    - libgcrypt-fips-mac-Implement-new-FIPS-service-indicator-for-gcry_mac_open.patch
+    - libgcrypt-fips-cipher-Implement-new-FIPS-service-indicator-for-cipher_open.patch
+    - libgcrypt-tests-fips-Add-gcry_mac_open-tests.patch
+    - libgcrypt-tests-fips-Rename-t-fips-service-ind.patch
+    - libgcrypt-tests-fips-Move-KDF-tests-to-t-fips-service-ind.patch
+    - libgcrypt-tests-fips-Add-gcry_cipher_open-tests.patch
+    - libgcrypt-fips-md-gcry_md_copy-should-care-about-FIPS-service-indicator.patch
+    - libgcrypt-fips-cipher-Implement-FIPS-service-indicator-for-gcry_pk_hash_-API.patch
+    - libgcrypt-fips-Introduce-GCRYCTL_FIPS_REJECT_NON_FIPS.patch
+    - libgcrypt-Fix-the-previous-change.patch
+    - libgcrypt-fips-Rejection-by-GCRYCTL_FIPS_REJECT_NON_FIPS-not-by-open-flags.patch
+    - libgcrypt-fips-cipher-Add-behavior-not-to-reject-but-mark-non-compliant.patch
+    - libgcrypt-fips-ecc-Add-rejecting-or-marking-for-gcry_pk_get_curve.patch
+    - libgcrypt-tests-Add-more-tests-to-tests-t-fips-service-ind.patch
+    - libgcrypt-fips-ecc-Check-DATA-in-gcry_pk_sign-verify-in-FIPS-mode.patch
+    - libgcrypt-fips-cipher-Fix-memory-leak-for-gcry_pk_hash_sign.patch
+    - libgcrypt-build-Improve-__thread-specifier-check.patch
+    - libgcrypt-cipher-Check-and-mark-non-compliant-cipher-modes-in-the-SLI.patch
+    - libgcrypt-cipher-Rename-_gcry_cipher_is_mode_fips_compliant.patch
+    - libgcrypt-cipher-Don-t-differentiate-GCRY_CIPHER_MODE_CMAC-in-FIPS-mode.patch
+    - libgcrypt-cipher-rsa-Mark-reject-SHA1-unknown-with-RSA-signature-generation.patch
+    - libgcrypt-md-Fix-gcry_md_algo_info-to-mark-reject-under-FIPS-mode.patch
+    - libgcrypt-md-Use-check_digest_algo_spec-in-_gcry_md_selftest.patch
+    - libgcrypt-tests-Update-t-fips-service-ind-using-GCRY_MD_SHA256-for-KDF-tests.patch
+    - libgcrypt-fips-cipher-Do-the-computation-when-marking-non-compliant.patch
+    - libgcrypt-tests-Allow-tests-with-USE_RSA.patch
+    - libgcrypt-cipher-Add-KAT-for-non-rfc6979-ECDSA-with-fixed-k.patch
+    - libgcrypt-cipher-Differentiate-use-of-label-K-in-the-SLI.patch
+    - libgcrypt-cipher-Differentiate-igninvflag-in-the-SLI.patch
+    - libgcrypt-cipher-Differentiate-no-blinding-flag-in-the-SLI.patch
+    - libgcrypt-fips-cipher-Add-GCRY_FIPS_FLAG_REJECT_PK_FLAGS.patch
+    - libgcrypt-cipher-ecc-Fix-for-supplied-K.patch
+    - libgcrypt-cipher-visibility-Differentiate-use-of-random-override-in-the-SLI.patch
+    - libgcrypt-cipher-fips-Fix-for-random-override.patch
+    - libgcrypt-md-Make-SHA-1-non-FIPS-internally-for-1.12-API.patch
+    - libgcrypt-fips-Fix-GCRY_FIPS_FLAG_REJECT_MD.patch
+    - libgcrypt-doc-Add-about-GCRYCTL_FIPS_SERVICE_INDICATOR.patch
+    - libgcrypt-doc-Fix-syntax-error.patch
+  * Rebase patches:
+    - libgcrypt-FIPS-SLI-kdf-leylength.patch
+
+-------------------------------------------------------------------
+Tue Jan  7 09:28:25 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Fix redefinition error of 'rol64'. Remove not used rol64()
+  definition after removing the built-in jitter rng.
+  * Add libgcrypt-rol64-redefinition.patch
+
+-------------------------------------------------------------------
+Mon Dec  2 10:11:10 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Remove unrecognized option: --enable-m-guard
+
 -------------------------------------------------------------------
 Thu Jun 20 08:11:07 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 

libgcrypt.keyring

@@ -1,86 +1,82 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mQGNBFjLuq4BDACnM7zNSIaVMAacTwjXa5TGYe13i6ilHe4VL0NShzrgzjcQg531
-3cRgiiiNA7OSOypMqVs73Jez6ZUctn2GVsHBrS/io9NcuC9pVwf8a61WlcEa+EtB
-a3G7HlBmEWnwaUdAtWKNuAi9Xn+Ir7H2xEdksmmd5a0/QnL+sX705boVPF/tpYtb
-LGpPxa78tNrtxDkSwy8Wmi0IADYLI5yI7/yUGeJd8RSCU/fLRKC9fG7YOZRq0tsO
-MhVNWmtUjbG6e73Lu8LKnCZgs1/fC8hvPyARieSV5mdN8s1oWd7oYctfgL4uBleD
-ItAA8GhjKejutzHN8Ei/APw6AiiSyEjnPg+cTX8OgvLGJWjks0H6mPZeB1v/kGyZ
-hBS9vm540h2/MmlVN2ntiCK5TZGeSWpqddiqusfVXotMRpN4HeLKoZh4RAncaCbZ
-F/S+YLeN+kMXY4k3Fqt1fjTX6veFCbthI9pDdHzU9LfUVNp9D/5ktC/tYMORMegV
-+wSMxi9G2YWKJkMAEQEAAYkBzgQfAQgAOBYhBFuAxXVCmPDLVdjtarzvfilLCS4o
-BQJYy8DdFwyAAZSlyaA8L+XKOwldjh/fcjz0YraxAgcAAAoJELzvfilLCS4oNgoL
-/0+K1xIx8JW7Lk5M6bYCvNA4fdlEcwQIT4UidJFM9m+suxYFWIGfebvHpRlEuJTg
-dBjkEit8uLAoJXU0BRkKTLrzTF+qDUE79Wfx/R+0nOgJ7aMykQOi0AvuwzMYz4dg
-xIVS2Daou4DF7bh/KF8+fqrmq8P8W1ZrkuFDanMWpHeAPx1uj2skYbo7uPqFdvlJ
-hlNHrcxlcCkjf1InAt0Xt5lMvEsCRUPf9xAH4mNEhs0lh9c+200YPRmtnLWAzc1K
-ckLIC8Q+mUR3DjZDqBlDBEPegXkrI0+MlvRA+9AnAm4YPqTMUfpZ6ZOAWeFjC/6Z
-QYxG/AdWGkb4WFindzklQfybEuiekP8vU07ACQwSwH8PYe0UCom1YrlRUjX7QLkn
-ZLWoeZg8BZy9GTM1Ut7Q1Q2uTw6mxxISuef+RFgYOHjWwLpFWZpqC88xERl7o/iz
-iERJRt/593IctbjO9wenWt2peIAwzR4nz7LqM6ZFTdRAETmcdSvYRhg2Qt8hUE47
-CbQkQW5kcmUgSGVpbmVja2UgKFJlbGVhc2UgU2lnbmluZyBLZXkpiQHUBBMBCAA+
-FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLuq4CGwMFCRLMAwAFCwkIBwIGFQgJ
-CgsCBBYCAwECHgECF4AACgkQvO9+KUsJLihC/QwAhCC+SEvcFLcutgZ8HfcCtoZs
-IoVzZEy7DjqIvGgnTssD8HCLnIAHCDvnP7dJW3uMuLCdSqym3cjlEIiQMsaGywkl
-fzJISAwJrGQdWSKRd535jXpEXQlXDKal/IwMKAUt0PZtlCc9S3gwixQryxdJ28lJ
-6h2T9fVDr8ZswMmTAFG91uctfhjKOMgPt8UhSPGW484WsIsQgkbOvf+Kfswl0eHu
-ywX+pKAB5ZQ/9GVC6Ug4xfrdiJL0azJTPnvjMY5JYp6/L9RURs5hP5AnHR2j/PPo
-sAtsFCjmbRbOMiASzklnUJPbSz5kfLloDWZmrUScjbzmsXehGyt433JGyRhZJl4x
-/jPbzKhaaAHsGd+fRao6vlLOwFywDDVMp6JuyK7UeUb7I8ekTbSkGFA+l2Oa3O6/
-Y7PYhq7hwwAFuZckYI98IpHNCG1fS9W07FyKdvQbK1PbF1JFRKfsUCWYMKqDnbqE
-o5jivPEHZImw6iYhhXcyEYl8fjcb9T6/S+wOP7aviQGzBBABCAAdFiEElKXJoDwv
-5co7CV2OH99yPPRitrEFAljLv5sACgkQH99yPPRitrFw4gv/XFMFN+/LHsn9hJOP
-4rCwl1yUuxXuYmZgc0sRoY3EpeQkJVyKurQuqqKoy2VuoMiF0O1kAQmGoFtVPUk7
-b8hCoutqB5GyeyKcoLP+WINgVhB2gXg7TSp3MPLBKkgqvSDvPitgRxBqFb4LW8LJ
-bDbfwGrzIvXfDV3WvsrHVPbc2fhlWdL8d+3AE6mFiXF3eTpgmV3ApSBQV12MkkCk
-icLIPmp+ZxZON+OP52ZXkRtfMgOy4Oa/41agrViDAZdMOGeGkhPertQheQZgXzmo
-GF5Wz498HPM80Kv35X91l3iGzL+icEtO+tWea2YscsZ6qpRe2lfVPHk3B+anlmCj
-m4kM4cBd39xa4HHSVh/bRHbZNtgVr7slQCKxlHgQOGVI5vCxPCwEsgJ2KBk03Nk/
-IA9EKO+czfh3/bHW6uMbEqrYDCnt+hmzZrpKDSGcwS/KOhvMUIMlb7/8vDKum6mp
-/8xAtVZ6IAxYZNt3qg7Y7aLRtzCTyqm8rJQrZPtRaQcgLoEimDMEX0PliRYJKwYB
-BAHaRw8BAQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6WMBAmNpe0H1dlcm5l
-ciBLb2NoIChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYhBG2qbmSnbShAVxtJ
-AlKIl7gmQDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe
-BwIXgAAKCRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJLs4bnaZaPIk9ARrU0
-EXRgJgD/YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5CjgaIbQQQEQsAHRYh
-BIBhWHD1utaQMzaG0PKthaweQrNnBQJfQ/HmAAoJEPKthaweQrNnIZkA3jG6LcZv
-V/URn8Y8OJqsyYa4C3NI4nN+OhEvYhgA4PHzMnALeXIpA2gblvjFIPJPAhDBAU37
-c5PA6+6IdQQQFggAHRYhBK6oTtzwGthsRwHIXGMROuhmWH0KBQJfQ/IlAAoJEGMR
-OuhmWH0K1+MA/0uJ5AHcnSfIBEWHNJwwVVLGyrxAWtS2U+zeymp/UvlPAQDErCLZ
-l0dBiPG3vlowFx5TNep7tanBs6ZJn8F1ao1tAIkBMwQQAQgAHRYhBNhpISPEBl3q
-Xg86tSSbOdJPJeO2BQJfQ/OuAAoJECSbOdJPJeO2DVoH/0o9if66ph6FJrgr+A/W
-HNVeHxmM5tUQhpL1wpRS70SKcsJgolf5CxO5iTQf3HlZe544xGbIU/aCTJsWw9zi
-UE8KmhAtKV4eL/7oQ7xx4nxPnABLpudtM8A44nsM1x/XiYrJnnDm29QjYEGd2Hi8
-7npc7VWKzLoj+I/WcXquynJi5O9TUxW9Bknd1pjpxFkf8v+msjBzCD5VKJgr0CR8
-wA6peQBWeGZX2HacosMIZH4TfL0r0TFla6LJIkNBz9DyIm1yL4L8oRH0950hQljP
-C7TM3L7aRpX+4Kph6llFz6g7MALGFP95kyJ6o+XED9ORuuQVZMBMIkNC0tXOu10V
-bdqIdQQQFgoAHRYhBMHTS2khnkruwLocIeP9/yGORbcrBQJfQ/P8AAoJEOP9/yGO
-Rbcr3lQBAMas8Vl3Hdl3g2I283lz1uHiGvlwcnk2TLeB+U4zIwC9AQCy0nnazVNt
-VQPID1ZCMoaOX7AzOjaqQDLf4j+dVTxgBJgzBGCkgocWCSsGAQQB2kcPAQEHQJmd
-fwp8jEN5P3eEjhQiWk6zQi8utvgOvYD57XmE+H8+tCBOaWliZSBZdXRha2EgKEdu
-dVBHIFJlbGVhc2UgS2V5KYiaBBMWCgBCFiEErI4RW/c+LY1H+pkI6Y6bLRnGyL0F
-AmCkgocCGwMFCQsNBpkFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEOmO
-my0Zxsi9/4IA/1rvSr3MU+Sv4jhNDzD+CeC3gmHkPew6pi9VHEsEwdgmAQD2BtiX
-7w1sJL/CBylGWv5jxj4345mP9YfZm0RsgzPjDIh1BBAWCAAdFiEEJJyzdxdQdF1c
-3TI84mewUjZPAo0FAmFAQ54ACgkQ4mewUjZPAo1CiAD+KTT1UVdQTGHMyvHwZocS
-QjU8xhcZrTet+dvvjrE5+4MA/RBdJPZgFevUKu68NEy0Lo+RbkeCtmQJ/c8v5ieF
-vW0AiQEzBBABCAAdFiEEEkEkvTtIYq96CkLxALRevUynur4FAmFAQ7cACgkQALRe
-vUynur4kaAgAolPR8TNWVS0vXMKrr0k0l2M/8QkZTaLZx1GT9Nx1yb4WJKY7ElPM
-YkhGDxetvFBETx0pH/6R3jtj6Crmur+NKHVSRY+rCYpFPDn6ciIOryssRx2G4kCZ
-t+nFB9JyDbBOZAR8DK4pN1mAxG/yLDt4oKcUQsP2xlEFum+phxyR8KyYCpkwKRxY
-eK+6lfilQuveoUwp/Xx5wXPNUy6q4eOOovCW7gS7I7288NGHCa2ul8sD6vA9C4mM
-4Zxaole9P9wwJe1zZFtCIy88zHM9vqv+YM9DxMCaW24+rUztr7eD4bCRdG+QlSh+
-7R/TaqSxY1eAAd1J5tma9CNJO73pTKU+/JhTBGFpSqMTCSskAwMCCAEBBwIDBF6X
-D9NmUQDgiyYNbhs1DMJ14mIw812wY1HVx/4QWYWiBunhrvSFxVbzsjD7/Wv+v3bm
-MPrL+M2DLyFiSewNmcS0JEdudVBHLmNvbSAoUmVsZWFzZSBTaWduaW5nIEtleSAy
-MDIxKYiaBBMTCABCFiEEAvON/3Mf+XywOaHaVJ5pXpBboggFAmFpSqMCGwMFCQ9x
-14oFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFSeaV6QW6IITkoA/RYa
-jaTl1eEBU/Gdm12o3jrI55N5xZK2XTqSx25clVyjAP0XwMW/Og5+ND1ri3bAqADV
-WlBDUswz8wYxsb0C4kYBkoh1BBAWCgAdFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoF
-AmFpTvEACgkQUoiXuCZAOtrJQAEAh7YyykjAy/Qs1yC3ji8iBfIVnPXvblrIx3SR
-RyDwRC8BAKtZbEuKTtPlgkLUgMleTcZJ/vEhJE+GvfQ9o5gWCqEFiHUEEBYKAB0W
-IQTB00tpIZ5K7sC6HCHj/f8hjkW3KwUCYWlPWgAKCRDj/f8hjkW3Kx4eAQDp6aGS
-N/fU4xLl8RSvQUVjVA+aCTrMQR3hRwqw8liF2wEA3O3ECxz6e1+DoItYoJBBLKLw
-eiInsGZ/+h5XYrpXTgA=
-=4+Sn
+mDMEX0PliRYJKwYBBAHaRw8BAQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6W
+MBAmNpe0H1dlcm5lciBLb2NoIChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYh
+BG2qbmSnbShAVxtJAlKIl7gmQDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYV
+CgkICwIEFgIDAQIeBwIXgAAKCRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJL
+s4bnaZaPIk9ARrU0EXRgJgD/YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5C
+jgaIbQQQEQsAHRYhBIBhWHD1utaQMzaG0PKthaweQrNnBQJfQ/HmAAoJEPKthawe
+QrNnIZkA3jG6LcZvV/URn8Y8OJqsyYa4C3NI4nN+OhEvYhgA4PHzMnALeXIpA2gb
+lvjFIPJPAhDBAU37c5PA6+6IdQQQFggAHRYhBK6oTtzwGthsRwHIXGMROuhmWH0K
+BQJfQ/IlAAoJEGMROuhmWH0K1+MA/0uJ5AHcnSfIBEWHNJwwVVLGyrxAWtS2U+ze
+ymp/UvlPAQDErCLZl0dBiPG3vlowFx5TNep7tanBs6ZJn8F1ao1tAIkBMwQQAQgA
+HRYhBNhpISPEBl3qXg86tSSbOdJPJeO2BQJfQ/OuAAoJECSbOdJPJeO2DVoH/0o9
+if66ph6FJrgr+A/WHNVeHxmM5tUQhpL1wpRS70SKcsJgolf5CxO5iTQf3HlZe544
+xGbIU/aCTJsWw9ziUE8KmhAtKV4eL/7oQ7xx4nxPnABLpudtM8A44nsM1x/XiYrJ
+nnDm29QjYEGd2Hi87npc7VWKzLoj+I/WcXquynJi5O9TUxW9Bknd1pjpxFkf8v+m
+sjBzCD5VKJgr0CR8wA6peQBWeGZX2HacosMIZH4TfL0r0TFla6LJIkNBz9DyIm1y
+L4L8oRH0950hQljPC7TM3L7aRpX+4Kph6llFz6g7MALGFP95kyJ6o+XED9ORuuQV
+ZMBMIkNC0tXOu10VbdqIdQQQFgoAHRYhBMHTS2khnkruwLocIeP9/yGORbcrBQJf
+Q/P8AAoJEOP9/yGORbcr3lQBAMas8Vl3Hdl3g2I283lz1uHiGvlwcnk2TLeB+U4z
+IwC9AQCy0nnazVNtVQPID1ZCMoaOX7AzOjaqQDLf4j+dVTxgBJgzBGCkgocWCSsG
+AQQB2kcPAQEHQJmdfwp8jEN5P3eEjhQiWk6zQi8utvgOvYD57XmE+H8+tCBOaWli
+ZSBZdXRha2EgKEdudVBHIFJlbGVhc2UgS2V5KYiaBBMWCgBCFiEErI4RW/c+LY1H
++pkI6Y6bLRnGyL0FAmCkgocCGwMFCQsNBpkFCwkIBwIDIgIBBhUKCQgLAgQWAgMB
+Ah4HAheAAAoJEOmOmy0Zxsi9/4IA/1rvSr3MU+Sv4jhNDzD+CeC3gmHkPew6pi9V
+HEsEwdgmAQD2BtiX7w1sJL/CBylGWv5jxj4345mP9YfZm0RsgzPjDIh1BBAWCAAd
+FiEEJJyzdxdQdF1c3TI84mewUjZPAo0FAmFAQ54ACgkQ4mewUjZPAo1CiAD+KTT1
+UVdQTGHMyvHwZocSQjU8xhcZrTet+dvvjrE5+4MA/RBdJPZgFevUKu68NEy0Lo+R
+bkeCtmQJ/c8v5ieFvW0AiQEzBBABCAAdFiEEEkEkvTtIYq96CkLxALRevUynur4F
+AmFAQ7cACgkQALRevUynur4kaAgAolPR8TNWVS0vXMKrr0k0l2M/8QkZTaLZx1GT
+9Nx1yb4WJKY7ElPMYkhGDxetvFBETx0pH/6R3jtj6Crmur+NKHVSRY+rCYpFPDn6
+ciIOryssRx2G4kCZt+nFB9JyDbBOZAR8DK4pN1mAxG/yLDt4oKcUQsP2xlEFum+p
+hxyR8KyYCpkwKRxYeK+6lfilQuveoUwp/Xx5wXPNUy6q4eOOovCW7gS7I7288NGH
+Ca2ul8sD6vA9C4mM4Zxaole9P9wwJe1zZFtCIy88zHM9vqv+YM9DxMCaW24+rUzt
+r7eD4bCRdG+QlSh+7R/TaqSxY1eAAd1J5tma9CNJO73pTKU+/Ih1BBAWCgAdFiEE
+bapuZKdtKEBXG0kCUoiXuCZAOtoFAmX776IACgkQUoiXuCZAOtpu9gEAxLOR8r83
+/CPPyTfFn4J/ILemaQOnvwqGxY8ipflN9IMBAM2ro+IsivaAqTzBHS8xgV/IwNyF
+Ir5iYGFbJBMO2mQOmQGNBGgeCBYBDACI80UNEv8tIsfuKA9GeTwDuEhg031dSzTD
+NFqkBPp8+srko6gSJ48fx2Agy7hPrT5Vls67WH5gJMPNubgPnVZkh9wXL27JNqFA
+nVF3cVfIKyQ6ZGD2JchXAHbyx6xIHNVtqMaaaRhAvflqt3BQAU3kyhc49TEAkLBU
+GyXT+plJFBO/u8uJoJ5+wRRSO/gp9O/L+60vJ6dZOabf6jJpnWyfjvcUm0jfK29g
+7S407kDjN6X8s4gSa53lCIiaANDKC/sfn7iEg78Ef3ZyM6aALyH9dAq7tsKdXPkO
+N5wU6kvcQi+diybd+GmshrthssCI4Zo/42TqwxkBX+n/dVL4xSbiL+DOZzLa5UcK
+z7wkey1OlnTeb/6IaNox/CXCJmNUozDH3Tr+dabWmTalpItv6CAutDh8f34cs5d1
+CK/IUTcj35XmUkot0X+xAydK6urAu0/ufuO7yDP/WBnGimBA9U5LUk6MN6jRXLm/
+deCNcthcxoxAui1CBvYXDLxLOxsI2dcAEQEAAYkBzgQfAQgAOBYhBDt2GuTmO/NR
+nOfWO+y2ZMvhMy7vBQJoHg0nFwyAEwLzjf9zH/l8sDmh2lSeaV6QW6IIAgcAAAoJ
+EOy2ZMvhMy7vXHIL/jRKRLz5rygny0P9ni6dfuL6trqUZEby2HFwRIRJLfyrbJyU
+Ayo6Uvu7r9pIgePNimQ0RCpVgimNKEuNAXoOgKt36K7rb81VjKSmLqE2K7v2QEJX
+1KY1ptwrR/zWKPD6QcBx1xL8yuuEX5ajdLXiG6k9AOJl0BP3s+TGbshGmiiT+92s
+PIyEcjoaP06R3vU3QzH1w9FImig9O4sRJ/iRlaY/qweqhRryQoRZib+xEHAgcgeM
+gpzufaQwCa9EBQtfa8Qp+OkKIFlE6P+MNmyXQhiHgGK3c1qLl+nhGFrRofEE4I7P
+M5QBWwmgmrsrZwVUQtwXBNHPz/vPR30yUEIH+MqUHwnIct7cRSkSYDkbFWmmcRU9
+xdasknnOvV4+l2H6ctSYxIFnpYmZIxInglRTC27XqCyZyoZ6r3n9t3Mzu5mkdSlm
+e0DIN997lolrkj2pLVuX+Q0dWbtS3EZ+7G+1cIdoKaDWrzMXieTFPkYZhofNynh0
+vvIZOfhFz4c/1VUherQoQWxleGFuZGVyIEt1bGJhcnRzY2ggKEdudVBHIFJlbGVh
+c2UgS2V5KYkB1wQTAQgAQRYhBDt2GuTmO/NRnOfWO+y2ZMvhMy7vBQJoHgohAhsD
+BQkOs1FeBQsJCAcCAiICBhUKCQgLAgQWAgMBAh4HAheAAAoJEOy2ZMvhMy7vwmkL
+/RSsoJk/kPL++onjhuCg7YTtTFVoqUjSOP5m68eORg4XsbSuvQrHhaJwhc8gPyCt
+M3KKlHbrUNdpnrx9dJtgEleLB5UsrVkv02gvKTZfwXSWXHqQhCpril3TI0kziLTY
+Vrhtj7hEBTbXuOAVHZ5jsa+yVy1bjRobmaoIPbb0MRhXj4Z+FAYmdTDA4/bpVSPA
+tCYLkA8UDcPr3tCpcAcoUJ+pWuuEvIn9mjrQrwYp9EQX4Vkj/Bc1yfZttoXOqjJw
+76Rn9Xn7Zz+kmhr5OK81LNPZx1Du+M3z9nYfOnmk5eisdMiyiraFqREkwwOzzExJ
+eOe3eFDj9Oh3O1YRrErWz9prOiLdAmdCoCTodRG6JzvQmZoFbMW23npw3xNGr4lK
+V4+9t4gxuXuEVIVQN0c1w+BM9BEFOoTbs8BIyaLjfdXnh3ZPLpJEj7E2FLKnuaPx
+KdYretbGQwo+vXLXfWk9QKHXwF2IdkUSnL/IyFje/thujBW2UJZMTO3vD830px2G
+k4h1BBATCAAdFiEEAvON/3Mf+XywOaHaVJ5pXpBboggFAmgeDcYACgkQVJ5pXpBb
+ogis0wD9H38UP4TH3Y19d7mnkSifeHkldKc4iUP/Ok3w/+Di5qkA/iA7xLTtiuhW
+jhnuwb68kTxh8Beg023EiqsJb9qWnY8umFMEYWlKoxMJKyQDAwIIAQEHAgMEXpcP
+02ZRAOCLJg1uGzUMwnXiYjDzXbBjUdXH/hBZhaIG6eGu9IXFVvOyMPv9a/6/duYw
++sv4zYMvIWJJ7A2ZxLQkR251UEcuY29tIChSZWxlYXNlIFNpZ25pbmcgS2V5IDIw
+MjEpiJoEExMIAEIWIQQC843/cx/5fLA5odpUnmlekFuiCAUCYWlKowIbAwUJD3HX
+igULCQgHAgMiAgEGFQoJCAsCBBYCAwECHgcCF4AACgkQVJ5pXpBboghOSgD9FhqN
+pOXV4QFT8Z2bXajeOsjnk3nFkrZdOpLHblyVXKMA/RfAxb86Dn40PWuLdsCoANVa
+UENSzDPzBjGxvQLiRgGSiHUEEBYKAB0WIQRtqm5kp20oQFcbSQJSiJe4JkA62gUC
+YWlO8QAKCRBSiJe4JkA62slAAQCHtjLKSMDL9CzXILeOLyIF8hWc9e9uWsjHdJFH
+IPBELwEAq1lsS4pO0+WCQtSAyV5Nxkn+8SEkT4a99D2jmBYKoQWIdQQQFgoAHRYh
+BMHTS2khnkruwLocIeP9/yGORbcrBQJhaU9aAAoJEOP9/yGORbcrHh4BAOnpoZI3
+99TjEuXxFK9BRWNUD5oJOsxBHeFHCrDyWIXbAQDc7cQLHPp7X4Ogi1igkEEsovB6
+IiewZn/6HldiuldOAA==
+=gHNs
 -----END PGP PUBLIC KEY BLOCK-----

libgcrypt.spec

@@ -1,7 +1,8 @@
 #
 # spec file for package libgcrypt
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +21,7 @@
 %define libsoname %{name}%{libsover}
 %define hmac_key orboDeJITITejsirpADONivirpUkvarP
 Name:           libgcrypt
-Version:        1.11.0
+Version:        1.11.2
 Release:        0
 Summary:        The GNU Crypto Library
 License:        GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -37,6 +38,8 @@ Source99:       libgcrypt.changes
 Patch1:         libgcrypt-1.10.0-allow_FSM_same_state.patch
 #PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run
 Patch2:         libgcrypt-nobetasuffix.patch
+#PATCH-FIX-SUSE: Make the revamped SLI api public
+Patch3:         libgcrypt-1.11.1-public-SLI-API.patch
 # FIPS patches:
 #PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK
 Patch100:       libgcrypt-FIPS-SLI-pk.patch
@@ -52,8 +55,13 @@ Patch105:       libgcrypt-FIPS-jitter-standalone.patch
 Patch106:       libgcrypt-FIPS-jitter-errorcodes.patch
 #PATCH-FIX-SUSE bsc#1220893 FIPS: Use Jitter RNG for the whole length entropy buffer
 Patch107:       libgcrypt-FIPS-jitter-whole-entropy.patch
+#PATCH-FIX-SUSE Remove not used rol64() definition after removing the built-in jitter rng
+Patch108:       libgcrypt-rol64-redefinition.patch
+#PATCH-FIX-CENTOS timing based side-channel in RSA implementation
+Patch109:       libgcrypt-CVE-2024-2236.patch
+
 BuildRequires:  automake >= 1.14
-BuildRequires:  libgpg-error-devel >= 1.49
+BuildRequires:  pkgconfig(gpg-error) >= 1.49
 BuildRequires:  libtool
 BuildRequires:  makeinfo
 BuildRequires:  pkgconfig
@@ -123,8 +131,8 @@ export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
            --enable-digests="$DIGESTS" \
            --enable-kdfs="$KDFS" \
            --enable-noexecstack \
+           --enable-marvin-workaround \
            --disable-static \
-           --enable-m-guard \
 %ifarch %{sparc}
            --disable-asm \
 %endif
@@ -135,9 +143,9 @@ export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
 %make_build
 
 %check
-make -k check
+%make_build check
 # run the regression tests also in FIPS mode
-LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
+LIBGCRYPT_FORCE_FIPS_MODE=1 %make_build check
 
 %install
 %make_install
@@ -166,8 +174,7 @@ mkdir -p -m 0755 %{buildroot}%{_sysconfdir}/gcrypt
 install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/gcrypt/random.conf
 install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/gcrypt/hwf.deny
 
-%post -n %{libsoname} -p /sbin/ldconfig
-%postun -n %{libsoname} -p /sbin/ldconfig
+%ldconfig_scriptlets -n %{libsoname}
 
 %files -n %{libsoname}
 %license COPYING COPYING.LIB LICENSES