Accepting request 1284327 from devel:libraries:c_c++

OBS-URL: https://build.opensuse.org/request/show/1284327
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libgcrypt?expand=0&rev=109

libgcrypt-1.11.1-public-SLI-API.patch

@@ -0,0 +1,37 @@
+Index: libgcrypt-1.11.1/src/gcrypt.h.in
+===================================================================
+--- libgcrypt-1.11.1.orig/src/gcrypt.h.in
++++ libgcrypt-1.11.1/src/gcrypt.h.in
+@@ -335,12 +335,9 @@ enum gcry_ctl_cmds
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
+-    GCRYCTL_MD_CUSTOMIZE = 88
+-#ifdef _GCRYPT_IN_LIBGCRYPT  /* This is not yet part of the public API.  */
+-    ,
++    GCRYCTL_MD_CUSTOMIZE = 88,
+     GCRYCTL_FIPS_SERVICE_INDICATOR = 89,
+     GCRYCTL_FIPS_REJECT_NON_FIPS = 90
+-#endif /*_GCRYPT_IN_LIBGCRYPT*/
+   };
+ 
+ /* Perform various operations defined by CMD. */
+@@ -1977,8 +1974,6 @@ void gcry_log_debugsxp (const char *text
+ char *gcry_get_config (int mode, const char *what);
+ 
+ /* Convinience macro to access the FIPS service indicator.  */
+-#ifdef _GCRYPT_IN_LIBGCRYPT  /* This is not yet part of the public API.  */
+-
+ #define gcry_get_fips_service_indicator()       \
+   gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR)
+ 
+@@ -2012,9 +2007,6 @@ char *gcry_get_config (int mode, const c
+ #define GCRY_FIPS_FLAG_REJECT_DEFAULT \
+   GCRY_FIPS_FLAG_REJECT_COMPAT110
+ 
+-#endif /*_GCRYPT_IN_LIBGCRYPT*/
+-
+-
+ /* Log levels used by the internal logging facility. */
+ enum gcry_log_levels
+   {

libgcrypt-FIPS-SLI-hash-mac.patch

@@ -1,7 +1,7 @@
-Index: libgcrypt-1.11.0/doc/gcrypt.texi
+Index: libgcrypt-1.11.1/doc/gcrypt.texi
 ===================================================================
---- libgcrypt-1.11.0.orig/doc/gcrypt.texi
+--- libgcrypt-1.11.1.orig/doc/gcrypt.texi
-+++ libgcrypt-1.11.0/doc/gcrypt.texi
++++ libgcrypt-1.11.1/doc/gcrypt.texi
 @@ -998,13 +998,21 @@ certification. If the function is approv
  @code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
  Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
@@ -28,15 +28,14 @@ Index: libgcrypt-1.11.0/doc/gcrypt.texi
  @item GCRYCTL_FIPS_SERVICE_INDICATOR_MD; Arguments: enum gcry_md_algos
  
  Check if the given message digest algorithm is approved under the current
-Index: libgcrypt-1.11.0/src/fips.c
+Index: libgcrypt-1.11.1/src/fips.c
 ===================================================================
---- libgcrypt-1.11.0.orig/src/fips.c
+--- libgcrypt-1.11.1.orig/src/fips.c
-+++ libgcrypt-1.11.0/src/fips.c
++++ libgcrypt-1.11.1/src/fips.c
-@@ -378,31 +378,6 @@ _gcry_fips_indicator_cipher (va_list arg
+@@ -512,31 +512,6 @@ _gcry_fips_indicator_pk (va_list arg_ptr
-     }
  }
  
--int
+ int
 -_gcry_fips_indicator_mac (va_list arg_ptr)
 -{
 -  enum gcry_mac_algos alg = va_arg (arg_ptr, enum gcry_mac_algos);
@@ -61,10 +60,11 @@ Index: libgcrypt-1.11.0/src/fips.c
 -    }
 -}
 -
- /* FIPS approved curves, extracted from:
+-int
-  *   cipher/ecc-curves.c:curve_aliases[] and domain_parms[]. */
+ _gcry_fips_indicator_md (va_list arg_ptr)
- static const struct
+ {
-@@ -602,6 +577,62 @@ _gcry_fips_indicator_pk_flags (va_list a
+   enum gcry_md_algos alg = va_arg (arg_ptr, enum gcry_md_algos);
+@@ -647,6 +622,62 @@ _gcry_fips_indicator_pk_flags (va_list a
    return GPG_ERR_NOT_SUPPORTED;
  }
  
@@ -127,37 +127,37 @@ Index: libgcrypt-1.11.0/src/fips.c
  
  /* This is a test on whether the library is in the error or
     operational state. */
-Index: libgcrypt-1.11.0/src/g10lib.h
+Index: libgcrypt-1.11.1/src/g10lib.h
 ===================================================================
---- libgcrypt-1.11.0.orig/src/g10lib.h
+--- libgcrypt-1.11.1.orig/src/g10lib.h
-+++ libgcrypt-1.11.0/src/g10lib.h
++++ libgcrypt-1.11.1/src/g10lib.h
-@@ -469,6 +469,7 @@ void _gcry_fips_signal_error (const char
+@@ -478,6 +478,7 @@ void _gcry_fips_signal_error (const char
- #endif
+ gpg_err_code_t _gcry_fips_indicator (void);
  
  int _gcry_fips_indicator_cipher (va_list arg_ptr);
 +int _gcry_fips_indicator_hash (va_list arg_ptr);
  int _gcry_fips_indicator_mac (va_list arg_ptr);
  int _gcry_fips_indicator_md (va_list arg_ptr);
  int _gcry_fips_indicator_kdf (va_list arg_ptr);
-Index: libgcrypt-1.11.0/src/gcrypt.h.in
+Index: libgcrypt-1.11.1/src/gcrypt.h.in
 ===================================================================
---- libgcrypt-1.11.0.orig/src/gcrypt.h.in
+--- libgcrypt-1.11.1.orig/src/gcrypt.h.in
-+++ libgcrypt-1.11.0/src/gcrypt.h.in
++++ libgcrypt-1.11.1/src/gcrypt.h.in
-@@ -336,7 +336,8 @@ enum gcry_ctl_cmds
+@@ -338,7 +338,8 @@ enum gcry_ctl_cmds
-     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
-     GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
      GCRYCTL_MD_CUSTOMIZE = 88,
--    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89
+     GCRYCTL_FIPS_SERVICE_INDICATOR = 89,
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89,
+     GCRYCTL_FIPS_REJECT_NON_FIPS = 90,
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 90
+-    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 91
++    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 91,
++    GCRYCTL_FIPS_SERVICE_INDICATOR_HASH = 92
    };
  
  /* Perform various operations defined by CMD. */
-Index: libgcrypt-1.11.0/src/global.c
+Index: libgcrypt-1.11.1/src/global.c
 ===================================================================
---- libgcrypt-1.11.0.orig/src/global.c
+--- libgcrypt-1.11.1.orig/src/global.c
-+++ libgcrypt-1.11.0/src/global.c
++++ libgcrypt-1.11.1/src/global.c
-@@ -794,6 +794,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+@@ -808,6 +808,12 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
        rc = _gcry_fips_indicator_cipher (arg_ptr);
        break;
  

libgcrypt-FIPS-SLI-kdf-leylength.patch

@@ -1,8 +1,8 @@
-Index: libgcrypt-1.10.2/src/fips.c
+Index: libgcrypt-1.11.0/src/fips.c
 ===================================================================
---- libgcrypt-1.10.2.orig/src/fips.c
+--- libgcrypt-1.11.0.orig/src/fips.c
-+++ libgcrypt-1.10.2/src/fips.c
++++ libgcrypt-1.11.0/src/fips.c
-@@ -520,10 +520,15 @@ int
+@@ -523,10 +523,15 @@ int
  _gcry_fips_indicator_kdf (va_list arg_ptr)
  {
    enum gcry_kdf_algos alg = va_arg (arg_ptr, enum gcry_kdf_algos);
@@ -18,11 +18,11 @@ Index: libgcrypt-1.10.2/src/fips.c
        return GPG_ERR_NO_ERROR;
      default:
        return GPG_ERR_NOT_SUPPORTED;
-Index: libgcrypt-1.10.2/doc/gcrypt.texi
+Index: libgcrypt-1.11.0/doc/gcrypt.texi
 ===================================================================
---- libgcrypt-1.10.2.orig/doc/gcrypt.texi
+--- libgcrypt-1.11.0.orig/doc/gcrypt.texi
-+++ libgcrypt-1.10.2/doc/gcrypt.texi
++++ libgcrypt-1.11.0/doc/gcrypt.texi
-@@ -970,12 +970,13 @@ is approved under the current FIPS 140-3
+@@ -983,12 +983,13 @@ is approved under the current FIPS 140-3
  combination is approved, this function returns @code{GPG_ERR_NO_ERROR}.
  Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
  
@@ -40,3 +40,21 @@ Index: libgcrypt-1.10.2/doc/gcrypt.texi
  
  @item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
  
+Index: libgcrypt-1.11.0/tests/t-kdf.c
+===================================================================
+--- libgcrypt-1.11.0.orig/tests/t-kdf.c
++++ libgcrypt-1.11.0/tests/t-kdf.c
+@@ -1889,7 +1889,12 @@ check_fips_indicators (void)
+   for (i = 0; i < sizeof(kdf_algos) / sizeof(*kdf_algos); i++)
+     {
+       int is_fips_kdf_algo = 0;
+-      gcry_error_t err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i]);
++      gcry_error_t err;
++      // On SUSE/openSUSE builds PBKDF2 with keysize < 112 is not allowed
++      if (kdf_algos[i] == GCRY_KDF_PBKDF2)
++          err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i], 112);
++      else
++          err = gcry_control (GCRYCTL_FIPS_SERVICE_INDICATOR_KDF, kdf_algos[i]);
+ 
+       if (verbose)
+         fprintf (stderr, "checking FIPS indicator for KDF %d: %s\n",

libgcrypt-FIPS-SLI-pk.patch

@@ -1,7 +1,7 @@
-Index: libgcrypt-1.11.0/src/fips.c
+Index: libgcrypt-1.11.1/src/fips.c
 ===================================================================
---- libgcrypt-1.11.0.orig/src/fips.c
+--- libgcrypt-1.11.1.orig/src/fips.c
-+++ libgcrypt-1.11.0/src/fips.c
++++ libgcrypt-1.11.1/src/fips.c
 @@ -38,6 +38,7 @@
  
  #include "g10lib.h"
@@ -10,7 +10,7 @@ Index: libgcrypt-1.11.0/src/fips.c
  #include "../random/random.h"
  
  /* The states of the finite state machine used in fips mode.  */
-@@ -400,6 +401,94 @@ _gcry_fips_indicator_mac (va_list arg_pt
+@@ -420,6 +421,94 @@ _gcry_fips_indicator_cipher (va_list arg
      default:
        return GPG_ERR_NOT_SUPPORTED;
      }
@@ -105,24 +105,24 @@ Index: libgcrypt-1.11.0/src/fips.c
  }
  
  int
-Index: libgcrypt-1.11.0/src/gcrypt.h.in
+Index: libgcrypt-1.11.1/src/gcrypt.h.in
 ===================================================================
---- libgcrypt-1.11.0.orig/src/gcrypt.h.in
+--- libgcrypt-1.11.1.orig/src/gcrypt.h.in
-+++ libgcrypt-1.11.0/src/gcrypt.h.in
++++ libgcrypt-1.11.1/src/gcrypt.h.in
-@@ -335,7 +335,8 @@ enum gcry_ctl_cmds
+@@ -337,7 +337,8 @@ enum gcry_ctl_cmds
-     GCRYCTL_FIPS_SERVICE_INDICATOR_MAC = 85,
-     GCRYCTL_FIPS_SERVICE_INDICATOR_MD = 86,
      GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS = 87,
--    GCRYCTL_MD_CUSTOMIZE = 88
+     GCRYCTL_MD_CUSTOMIZE = 88,
-+    GCRYCTL_MD_CUSTOMIZE = 88,
+     GCRYCTL_FIPS_SERVICE_INDICATOR = 89,
-+    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 89
+-    GCRYCTL_FIPS_REJECT_NON_FIPS = 90
++    GCRYCTL_FIPS_REJECT_NON_FIPS = 90,
++    GCRYCTL_FIPS_SERVICE_INDICATOR_PK = 91
    };
  
  /* Perform various operations defined by CMD. */
-Index: libgcrypt-1.11.0/doc/gcrypt.texi
+Index: libgcrypt-1.11.1/doc/gcrypt.texi
 ===================================================================
---- libgcrypt-1.11.0.orig/doc/gcrypt.texi
+--- libgcrypt-1.11.1.orig/doc/gcrypt.texi
-+++ libgcrypt-1.11.0/doc/gcrypt.texi
++++ libgcrypt-1.11.1/doc/gcrypt.texi
 @@ -1010,6 +1010,19 @@ Check if the given message digest algori
  FIPS 140-3 certification. If the algorithm is approved, this function returns
  @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
@@ -143,11 +143,11 @@ Index: libgcrypt-1.11.0/doc/gcrypt.texi
  @item GCRYCTL_FIPS_SERVICE_INDICATOR_PK_FLAGS; Arguments: const char *
  
  Check if the given public key operation flag or s-expression object name is
-Index: libgcrypt-1.11.0/src/g10lib.h
+Index: libgcrypt-1.11.1/src/g10lib.h
 ===================================================================
---- libgcrypt-1.11.0.orig/src/g10lib.h
+--- libgcrypt-1.11.1.orig/src/g10lib.h
-+++ libgcrypt-1.11.0/src/g10lib.h
++++ libgcrypt-1.11.1/src/g10lib.h
-@@ -473,6 +473,7 @@ int _gcry_fips_indicator_mac (va_list ar
+@@ -482,6 +482,7 @@ int _gcry_fips_indicator_mac (va_list ar
  int _gcry_fips_indicator_md (va_list arg_ptr);
  int _gcry_fips_indicator_kdf (va_list arg_ptr);
  int _gcry_fips_indicator_function (va_list arg_ptr);
@@ -155,11 +155,11 @@ Index: libgcrypt-1.11.0/src/g10lib.h
  int _gcry_fips_indicator_pk_flags (va_list arg_ptr);
  
  int _gcry_fips_is_operational (void);
-Index: libgcrypt-1.11.0/src/global.c
+Index: libgcrypt-1.11.1/src/global.c
 ===================================================================
---- libgcrypt-1.11.0.orig/src/global.c
+--- libgcrypt-1.11.1.orig/src/global.c
-+++ libgcrypt-1.11.0/src/global.c
++++ libgcrypt-1.11.1/src/global.c
-@@ -828,6 +828,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
+@@ -842,6 +842,15 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd,
        rc = _gcry_fips_indicator_pk_flags (arg_ptr);
        break;
  

libgcrypt-FIPS-jitter-standalone.patch

@@ -1,7 +1,7 @@
-Index: libgcrypt-1.10.3/random/Makefile.am
+Index: libgcrypt-1.11.1/random/Makefile.am
 ===================================================================
---- libgcrypt-1.10.3.orig/random/Makefile.am
+--- libgcrypt-1.11.1.orig/random/Makefile.am
-+++ libgcrypt-1.10.3/random/Makefile.am
++++ libgcrypt-1.11.1/random/Makefile.am
 @@ -21,7 +21,7 @@
  # Need to include ../src in addition to top_srcdir because gcrypt.h is
  # a built header.
@@ -11,11 +11,11 @@ Index: libgcrypt-1.10.3/random/Makefile.am
  
  noinst_LTLIBRARIES = librandom.la
  
-@@ -45,14 +45,7 @@ rndoldlinux.c \
+@@ -44,14 +44,7 @@ rndgetentropy.c \
+ rndoldlinux.c \
  rndegd.c \
  rndunix.c \
- rndw32.c  \
+-rndw32.c  \
--rndw32ce.c \
 -jitterentropy-gcd.c jitterentropy-gcd.h \
 -jitterentropy-health.c jitterentropy-health.h \
 -jitterentropy-noise.c jitterentropy-noise.h \
@@ -23,11 +23,11 @@ Index: libgcrypt-1.10.3/random/Makefile.am
 -jitterentropy-timer.c jitterentropy-timer.h \
 -jitterentropy-base.h \
 -jitterentropy-base.c jitterentropy.h jitterentropy-base-user.h
-+rndw32ce.c
++rndw32.c
  
  # The rndjent module needs to be compiled without optimization.  */
  if ENABLE_O_FLAG_MUNGING
-@@ -61,20 +54,8 @@ else
+@@ -60,20 +53,8 @@ else
  o_flag_munging = cat
  endif
  
@@ -50,10 +50,10 @@ Index: libgcrypt-1.10.3/random/Makefile.am
 -            $(srcdir)/jitterentropy-base.c $(srcdir)/jitterentropy.h
 +rndjent.lo: $(srcdir)/rndjent.c
  	`echo $(LTCOMPILE) -c $(srcdir)/rndjent.c | $(o_flag_munging) `
-Index: libgcrypt-1.10.3/random/rndjent.c
+Index: libgcrypt-1.11.1/random/rndjent.c
 ===================================================================
---- libgcrypt-1.10.3.orig/random/rndjent.c
+--- libgcrypt-1.11.1.orig/random/rndjent.c
-+++ libgcrypt-1.10.3/random/rndjent.c
++++ libgcrypt-1.11.1/random/rndjent.c
 @@ -94,17 +94,12 @@
   * jitterentropy-user-base.h file.   */
  
@@ -74,10 +74,10 @@ Index: libgcrypt-1.10.3/random/rndjent.c
  
  /* This is the lock we use to serialize access to this RNG.  The extra
   * integer variable is only used to check the locking state; that is,
-Index: libgcrypt-1.10.3/random/Makefile.in
+Index: libgcrypt-1.11.1/random/Makefile.in
 ===================================================================
---- libgcrypt-1.10.3.orig/random/Makefile.in
+--- libgcrypt-1.11.1.orig/random/Makefile.in
-+++ libgcrypt-1.10.3/random/Makefile.in
++++ libgcrypt-1.11.1/random/Makefile.in
 @@ -147,12 +147,7 @@ am__v_at_1 =
  DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
  depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
@@ -92,7 +92,7 @@ Index: libgcrypt-1.10.3/random/Makefile.in
  	./$(DEPDIR)/random-csprng.Plo ./$(DEPDIR)/random-drbg.Plo \
  	./$(DEPDIR)/random-system.Plo ./$(DEPDIR)/random.Plo \
  	./$(DEPDIR)/rndegd.Plo ./$(DEPDIR)/rndgetentropy.Plo \
-@@ -378,7 +373,7 @@ top_srcdir = @top_srcdir@
+@@ -375,7 +370,7 @@ top_srcdir = @top_srcdir@
  # Need to include ../src in addition to top_srcdir because gcrypt.h is
  # a built header.
  AM_CPPFLAGS = -I../src -I$(top_srcdir)/src
@@ -101,11 +101,11 @@ Index: libgcrypt-1.10.3/random/Makefile.in
  noinst_LTLIBRARIES = librandom.la
  GCRYPT_MODULES = @GCRYPT_RANDOM@
  librandom_la_DEPENDENCIES = $(GCRYPT_MODULES)
-@@ -398,14 +393,7 @@ rndoldlinux.c \
+@@ -394,14 +389,7 @@ rndgetentropy.c \
+ rndoldlinux.c \
  rndegd.c \
  rndunix.c \
- rndw32.c  \
+-rndw32.c  \
--rndw32ce.c \
 -jitterentropy-gcd.c jitterentropy-gcd.h \
 -jitterentropy-health.c jitterentropy-health.h \
 -jitterentropy-noise.c jitterentropy-noise.h \
@@ -113,11 +113,11 @@ Index: libgcrypt-1.10.3/random/Makefile.in
 -jitterentropy-timer.c jitterentropy-timer.h \
 -jitterentropy-base.h \
 -jitterentropy-base.c jitterentropy.h jitterentropy-base-user.h
-+rndw32ce.c
++rndw32.c
  
  @ENABLE_O_FLAG_MUNGING_FALSE@o_flag_munging = cat
  
-@@ -465,12 +453,6 @@ mostlyclean-compile:
+@@ -461,12 +449,6 @@ mostlyclean-compile:
  distclean-compile:
  	-rm -f *.tab.c
  
@@ -130,7 +130,7 @@ Index: libgcrypt-1.10.3/random/Makefile.in
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-csprng.Plo@am__quote@ # am--include-marker
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-drbg.Plo@am__quote@ # am--include-marker
  @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/random-system.Plo@am__quote@ # am--include-marker
-@@ -641,12 +623,6 @@ clean-am: clean-generic clean-libtool cl
+@@ -636,12 +618,6 @@ clean-am: clean-generic clean-libtool cl
  	mostlyclean-am
  
  distclean: distclean-am
@@ -143,7 +143,7 @@ Index: libgcrypt-1.10.3/random/Makefile.in
  	-rm -f ./$(DEPDIR)/random-csprng.Plo
  	-rm -f ./$(DEPDIR)/random-drbg.Plo
  	-rm -f ./$(DEPDIR)/random-system.Plo
-@@ -704,12 +680,6 @@ install-ps-am:
+@@ -698,12 +674,6 @@ install-ps-am:
  installcheck-am:
  
  maintainer-clean: maintainer-clean-am
@@ -156,7 +156,7 @@ Index: libgcrypt-1.10.3/random/Makefile.in
  	-rm -f ./$(DEPDIR)/random-csprng.Plo
  	-rm -f ./$(DEPDIR)/random-drbg.Plo
  	-rm -f ./$(DEPDIR)/random-system.Plo
-@@ -759,22 +729,10 @@ uninstall-am:
+@@ -752,22 +722,10 @@ uninstall-am:
  .PRECIOUS: Makefile
  
  

libgcrypt-rol64-redefinition.patch

@@ -0,0 +1,16 @@
+Index: libgcrypt-1.11.0/cipher/bithelp.h
+===================================================================
+--- libgcrypt-1.11.0.orig/cipher/bithelp.h
++++ libgcrypt-1.11.0/cipher/bithelp.h
+@@ -35,11 +35,6 @@ static inline u32 ror(u32 x, int n)
+ 	return ( (x >> (n&(32-1))) | (x << ((32-n)&(32-1))) );
+ }
+ 
+-static inline u64 rol64(u64 x, int n)
+-{
+-  return ( (x << (n&(64-1))) | (x >> ((64-n)&(64-1))) );
+-}
+-
+ /* Byte swap for 32-bit and 64-bit integers.  If available, use compiler
+    provided helpers.  */
+ #ifdef HAVE_BUILTIN_BSWAP32

libgcrypt.changes

@@ -1,3 +1,164 @@
+-------------------------------------------------------------------
+Thu Jun  5 13:23:03 UTC 2025 - Angel Yankov <angel.yankov@suse.com>
+
+- Security fix [bsc#1221107, CVE-2024-2236]
+  * Add --enable-marvin-workaround to spec to enable workaround
+  * Fix  timing based side-channel in RSA implementation ( Marvin attack ) 
+  * Add libgcrypt-CVE-2024-2236.patch
+
+-------------------------------------------------------------------
+Thu May  8 14:28:42 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Update to 1.11.1: [jsc#PED-12227]
+  * Bug fixes:
+    - Fix Kyber secret-dependent branch introduced by recent versions of Clang. [rCf765778e82]
+    - Fix build regression due to the use of AVX512 in Blake. [T7184]
+    - Do not build i386 asm on amd64 and vice versa. [T7220]
+    - Fix build regression on armhf with gcc-14. [T7226]
+    - Return the proper error code on malloc failure in hex2buffer. [rCc51151f5b0]
+    - Fix long standing bug for PRIME % 2 == 0. [rC639b0fca15]
+  * Performance:
+    - Add AES Vector Permute intrinsics implementation for AArch64. [rC94a63aedbb]
+    - Add GHASH AArch64/SIMD intrinsics implementation. [rCfec871fd18]
+    - Add RISC-V vector permute AES. [rCb24ebd6163]
+    - Add GHASH RISC-V Zbb+Zbc implementation. [rC0f1fec12b0]
+    - Add ChaCha20 RISC-V vector intrinsics implementation. [rC8dbee93ac2]
+    - Add SHA3 acceleration for RISC-V Zbb extension. [rC1a660068ba]
+  * Other:
+    - Add CET support for i386 and amd64 assembly. [T7220]
+    - Add PAC/BTI support for AArch64 asm. [T7220]
+    - Apply changes to Kyber from upstream for final FIPS 203. [rCcc95c36e7f]
+    - Introduce an internal API for a revampled FIPS service indicator. [T7340]
+    - Several improvements for constant time operation by the introduction of
+      Least Leak Intended (LLI) variants of internal functions. [T7519,T7490]
+  * Add libgcrypt-1.11.1-public-SLI-API.patch
+  * Rebase patches:
+    - libgcrypt-FIPS-SLI-hash-mac.patch
+    - libgcrypt-FIPS-SLI-pk.patch
+    - libgcrypt-FIPS-jitter-standalone.patch
+  * Remove patches:
+    - libgcrypt-fips-Introduce-an-internal-API-for-FIPS-service-indicator.patch
+    - libgcrypt-fips-Introduce-GCRYCTL_FIPS_SERVICE_INDICATOR-and-the-macro.patch
+    - libgcrypt-fips-kdf-Implement-new-FIPS-service-indicator-for-gcry_kdf_derive.patch
+    - libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_hash_.patch
+    - libgcrypt-fips-tests-Add-t-digest.patch
+    - libgcrypt-fips-Change-the-internal-API-for-new-FIPS-service-indicator.patch
+    - libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_open-API.patch
+    - libgcrypt-fips-tests-Add-tests-for-md_open-write-read-close-for-t-digest.patch
+    - libgcrypt-fips-mac-Implement-new-FIPS-service-indicator-for-gcry_mac_open.patch
+    - libgcrypt-fips-cipher-Implement-new-FIPS-service-indicator-for-cipher_open.patch
+    - libgcrypt-tests-fips-Add-gcry_mac_open-tests.patch
+    - libgcrypt-tests-fips-Rename-t-fips-service-ind.patch
+    - libgcrypt-tests-fips-Move-KDF-tests-to-t-fips-service-ind.patch
+    - libgcrypt-tests-fips-Add-gcry_cipher_open-tests.patch
+    - libgcrypt-fips-md-gcry_md_copy-should-care-about-FIPS-service-indicator.patch
+    - libgcrypt-fips-cipher-Implement-FIPS-service-indicator-for-gcry_pk_hash_-API.patch
+    - libgcrypt-fips-Introduce-GCRYCTL_FIPS_REJECT_NON_FIPS.patch
+    - libgcrypt-Fix-the-previous-change.patch
+    - libgcrypt-fips-Rejection-by-GCRYCTL_FIPS_REJECT_NON_FIPS-not-by-open-flags.patch
+    - libgcrypt-fips-cipher-Add-behavior-not-to-reject-but-mark-non-compliant.patch
+    - libgcrypt-fips-ecc-Add-rejecting-or-marking-for-gcry_pk_get_curve.patch
+    - libgcrypt-tests-Add-more-tests-to-tests-t-fips-service-ind.patch
+    - libgcrypt-fips-ecc-Check-DATA-in-gcry_pk_sign-verify-in-FIPS-mode.patch
+    - libgcrypt-fips-cipher-Fix-memory-leak-for-gcry_pk_hash_sign.patch
+    - libgcrypt-build-Improve-__thread-specifier-check.patch
+    - libgcrypt-cipher-Check-and-mark-non-compliant-cipher-modes-in-the-SLI.patch
+    - libgcrypt-cipher-Rename-_gcry_cipher_is_mode_fips_compliant.patch
+    - libgcrypt-cipher-Don-t-differentiate-GCRY_CIPHER_MODE_CMAC-in-FIPS-mode.patch
+    - libgcrypt-cipher-rsa-Mark-reject-SHA1-unknown-with-RSA-signature-generation.patch
+    - libgcrypt-md-Fix-gcry_md_algo_info-to-mark-reject-under-FIPS-mode.patch
+    - libgcrypt-md-Use-check_digest_algo_spec-in-_gcry_md_selftest.patch
+    - libgcrypt-tests-Update-t-fips-service-ind-using-GCRY_MD_SHA256-for-KDF-tests.patch
+    - libgcrypt-fips-cipher-Do-the-computation-when-marking-non-compliant.patch
+    - libgcrypt-tests-Allow-tests-with-USE_RSA.patch
+    - libgcrypt-cipher-Add-KAT-for-non-rfc6979-ECDSA-with-fixed-k.patch
+    - libgcrypt-cipher-Differentiate-use-of-label-K-in-the-SLI.patch
+    - libgcrypt-cipher-Differentiate-igninvflag-in-the-SLI.patch
+    - libgcrypt-cipher-Differentiate-no-blinding-flag-in-the-SLI.patch
+    - libgcrypt-fips-cipher-Add-GCRY_FIPS_FLAG_REJECT_PK_FLAGS.patch
+    - libgcrypt-cipher-ecc-Fix-for-supplied-K.patch
+    - libgcrypt-cipher-visibility-Differentiate-use-of-random-override-in-the-SLI.patch
+    - libgcrypt-cipher-fips-Fix-for-random-override.patch
+    - libgcrypt-md-Make-SHA-1-non-FIPS-internally-for-1.12-API.patch
+    - libgcrypt-fips-Fix-GCRY_FIPS_FLAG_REJECT_MD.patch
+    - libgcrypt-doc-Add-about-GCRYCTL_FIPS_SERVICE_INDICATOR.patch
+    - libgcrypt-doc-Fix-syntax-error.patch
+    - libgcrypt-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
+
+-------------------------------------------------------------------
+Tue May  6 07:24:14 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- CSHAKE basic regression test failure in s390x [bsc#1242419]
+  * Disable SHA3 s390x acceleration for CSHAKE [rC2486d9b5ae01]
+  * Add libgcrypt-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
+
+-------------------------------------------------------------------
+Sun Apr 13 20:10:16 UTC 2025 - Lucas Mulling <lucas.mulling@suse.com>
+
+- Differentiate use of SHA1 in the service level indicator [jsc#PED-12227]
+  * Include upstream SLI revamp and fips certification fixes
+  * Add patches:
+    - libgcrypt-fips-Introduce-an-internal-API-for-FIPS-service-indicator.patch
+    - libgcrypt-fips-Introduce-GCRYCTL_FIPS_SERVICE_INDICATOR-and-the-macro.patch
+    - libgcrypt-fips-kdf-Implement-new-FIPS-service-indicator-for-gcry_kdf_derive.patch
+    - libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_hash_.patch
+    - libgcrypt-fips-tests-Add-t-digest.patch
+    - libgcrypt-fips-Change-the-internal-API-for-new-FIPS-service-indicator.patch
+    - libgcrypt-fips-md-Implement-new-FIPS-service-indicator-for-gcry_md_open-API.patch
+    - libgcrypt-fips-tests-Add-tests-for-md_open-write-read-close-for-t-digest.patch
+    - libgcrypt-fips-mac-Implement-new-FIPS-service-indicator-for-gcry_mac_open.patch
+    - libgcrypt-fips-cipher-Implement-new-FIPS-service-indicator-for-cipher_open.patch
+    - libgcrypt-tests-fips-Add-gcry_mac_open-tests.patch
+    - libgcrypt-tests-fips-Rename-t-fips-service-ind.patch
+    - libgcrypt-tests-fips-Move-KDF-tests-to-t-fips-service-ind.patch
+    - libgcrypt-tests-fips-Add-gcry_cipher_open-tests.patch
+    - libgcrypt-fips-md-gcry_md_copy-should-care-about-FIPS-service-indicator.patch
+    - libgcrypt-fips-cipher-Implement-FIPS-service-indicator-for-gcry_pk_hash_-API.patch
+    - libgcrypt-fips-Introduce-GCRYCTL_FIPS_REJECT_NON_FIPS.patch
+    - libgcrypt-Fix-the-previous-change.patch
+    - libgcrypt-fips-Rejection-by-GCRYCTL_FIPS_REJECT_NON_FIPS-not-by-open-flags.patch
+    - libgcrypt-fips-cipher-Add-behavior-not-to-reject-but-mark-non-compliant.patch
+    - libgcrypt-fips-ecc-Add-rejecting-or-marking-for-gcry_pk_get_curve.patch
+    - libgcrypt-tests-Add-more-tests-to-tests-t-fips-service-ind.patch
+    - libgcrypt-fips-ecc-Check-DATA-in-gcry_pk_sign-verify-in-FIPS-mode.patch
+    - libgcrypt-fips-cipher-Fix-memory-leak-for-gcry_pk_hash_sign.patch
+    - libgcrypt-build-Improve-__thread-specifier-check.patch
+    - libgcrypt-cipher-Check-and-mark-non-compliant-cipher-modes-in-the-SLI.patch
+    - libgcrypt-cipher-Rename-_gcry_cipher_is_mode_fips_compliant.patch
+    - libgcrypt-cipher-Don-t-differentiate-GCRY_CIPHER_MODE_CMAC-in-FIPS-mode.patch
+    - libgcrypt-cipher-rsa-Mark-reject-SHA1-unknown-with-RSA-signature-generation.patch
+    - libgcrypt-md-Fix-gcry_md_algo_info-to-mark-reject-under-FIPS-mode.patch
+    - libgcrypt-md-Use-check_digest_algo_spec-in-_gcry_md_selftest.patch
+    - libgcrypt-tests-Update-t-fips-service-ind-using-GCRY_MD_SHA256-for-KDF-tests.patch
+    - libgcrypt-fips-cipher-Do-the-computation-when-marking-non-compliant.patch
+    - libgcrypt-tests-Allow-tests-with-USE_RSA.patch
+    - libgcrypt-cipher-Add-KAT-for-non-rfc6979-ECDSA-with-fixed-k.patch
+    - libgcrypt-cipher-Differentiate-use-of-label-K-in-the-SLI.patch
+    - libgcrypt-cipher-Differentiate-igninvflag-in-the-SLI.patch
+    - libgcrypt-cipher-Differentiate-no-blinding-flag-in-the-SLI.patch
+    - libgcrypt-fips-cipher-Add-GCRY_FIPS_FLAG_REJECT_PK_FLAGS.patch
+    - libgcrypt-cipher-ecc-Fix-for-supplied-K.patch
+    - libgcrypt-cipher-visibility-Differentiate-use-of-random-override-in-the-SLI.patch
+    - libgcrypt-cipher-fips-Fix-for-random-override.patch
+    - libgcrypt-md-Make-SHA-1-non-FIPS-internally-for-1.12-API.patch
+    - libgcrypt-fips-Fix-GCRY_FIPS_FLAG_REJECT_MD.patch
+    - libgcrypt-doc-Add-about-GCRYCTL_FIPS_SERVICE_INDICATOR.patch
+    - libgcrypt-doc-Fix-syntax-error.patch
+  * Rebase patches:
+    - libgcrypt-FIPS-SLI-kdf-leylength.patch
+
+-------------------------------------------------------------------
+Tue Jan  7 09:28:25 UTC 2025 - Pedro Monreal <pmonreal@suse.com>
+
+- Fix redefinition error of 'rol64'. Remove not used rol64()
+  definition after removing the built-in jitter rng.
+  * Add libgcrypt-rol64-redefinition.patch
+
+-------------------------------------------------------------------
+Mon Dec  2 10:11:10 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
+
+- Remove unrecognized option: --enable-m-guard
+
 -------------------------------------------------------------------
 Thu Jun 20 08:11:07 UTC 2024 - Pedro Monreal <pmonreal@suse.com>
 

libgcrypt.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libgcrypt
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %define libsoname %{name}%{libsover}
 %define hmac_key orboDeJITITejsirpADONivirpUkvarP
 Name:           libgcrypt
-Version:        1.11.0
+Version:        1.11.1
 Release:        0
 Summary:        The GNU Crypto Library
 License:        GPL-2.0-or-later AND LGPL-2.1-or-later AND GPL-3.0-or-later
@@ -37,6 +37,8 @@ Source99:       libgcrypt.changes
 Patch1:         libgcrypt-1.10.0-allow_FSM_same_state.patch
 #PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run
 Patch2:         libgcrypt-nobetasuffix.patch
+#PATCH-FIX-SUSE: Make the revamped SLI api public
+Patch3:         libgcrypt-1.11.1-public-SLI-API.patch
 # FIPS patches:
 #PATCH-FIX-SUSE bsc#1190700 FIPS: Provide a service-level indicator for PK
 Patch100:       libgcrypt-FIPS-SLI-pk.patch
@@ -52,6 +54,11 @@ Patch105:       libgcrypt-FIPS-jitter-standalone.patch
 Patch106:       libgcrypt-FIPS-jitter-errorcodes.patch
 #PATCH-FIX-SUSE bsc#1220893 FIPS: Use Jitter RNG for the whole length entropy buffer
 Patch107:       libgcrypt-FIPS-jitter-whole-entropy.patch
+#PATCH-FIX-SUSE Remove not used rol64() definition after removing the built-in jitter rng
+Patch108:       libgcrypt-rol64-redefinition.patch
+#PATCH-FIX-CENTOS timing based side-channel in RSA implementation
+Patch109:       libgcrypt-CVE-2024-2236.patch
+
 BuildRequires:  automake >= 1.14
 BuildRequires:  libgpg-error-devel >= 1.49
 BuildRequires:  libtool
@@ -123,8 +130,8 @@ export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
            --enable-digests="$DIGESTS" \
            --enable-kdfs="$KDFS" \
            --enable-noexecstack \
+           --enable-marvin-workaround \
            --disable-static \
-           --enable-m-guard \
 %ifarch %{sparc}
            --disable-asm \
 %endif
@@ -137,7 +144,7 @@ export CFLAGS="%{optflags} $(getconf LFS_CFLAGS)"
 %check
 make -k check
 # run the regression tests also in FIPS mode
-LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check || true
+LIBGCRYPT_FORCE_FIPS_MODE=1 make -k check
 
 %install
 %make_install