libgcrypt: updated to 1.10.2 Noteworthy changes in version 1.10.2 (2023-04-06) [C24/A4/R2] ------------------------------------------------- * Bug fixes: - Fix Argon2 for the case output > 64. [rC13b5454d26] - Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44] - Fix RSA key generation failure in forced FIPS mode. [T5919] - Fix gcry_pk_hash_verify for explicit hash. [T6066] - Fix a wrong result of gcry_mpi_invm. [T5970] - Allow building with --disable-asm for HPPA. [T5976] - Fix Jitter RNG for building native on Windows. [T5891] - Allow building with -Oz. [T6432] - Enable the fast path to ChaCha20 only when supported. [T6384] - Use size_t to avoid counter overflow in Keccak when directly feeding more than 4GiB. [T6217] * Other: - Do not use secure memory for a DRBG instance. [T5933] - Do not allow PKCS#1.5 padding for encryption in FIPS mode. [T5918] - Fix the behaviour for child process re-seeding in the DRBG. [rC019a40c990] - Allow verification of small RSA signatures in FIPS mode. [T5975] - Allow the use of a shorter salt for KDFs in FIPS mode. [T6039] - Run digest+sign self tests for RSA and ECC in FIPS mode. [rC06c9350165] - Add function-name based FIPS indicator function. GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered an ABI changes because the new FIPS features were not yet approved. [rC822ee57f07] - Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397] - Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9] - Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a] - Check minimum allowed key size in PBKDF in FIPS mode. [T6039,T6219] - Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba] - Prefer gpgrt-config when available. [T5034] - Mark AESWRAP as approved FIPS algorithm. [T5512] - Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332] - Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25] - Remove GCM mode from the allowed FIPS indicators. [rC1540698389] - Add explicit FIPS indicators for hash and MAC algorithms. [T6376]diff -r1.107 -r1.108 pkgsrc/security/libgcrypt/Makefile
(adam)
@@ -1,16 +1,16 @@ | @@ -1,16 +1,16 @@ | |||
1 | # $NetBSD: Makefile,v 1.107 2022/09/18 08:50:59 nros Exp $ | 1 | # $NetBSD: Makefile,v 1.108 2023/04/07 09:15:55 adam Exp $ | |
2 | 2 | |||
3 | DISTNAME= libgcrypt-1.10.1 | 3 | DISTNAME= libgcrypt-1.10.2 | |
4 | CATEGORIES= security | 4 | CATEGORIES= security | |
5 | MASTER_SITES= https://gnupg.org/ftp/gcrypt/libgcrypt/ | 5 | MASTER_SITES= https://gnupg.org/ftp/gcrypt/libgcrypt/ | |
6 | EXTRACT_SUFX= .tar.bz2 | 6 | EXTRACT_SUFX= .tar.bz2 | |
7 | 7 | |||
8 | MAINTAINER= pkgsrc-users@NetBSD.org | 8 | MAINTAINER= pkgsrc-users@NetBSD.org | |
9 | HOMEPAGE= https://gnupg.org/software/libgcrypt/ | 9 | HOMEPAGE= https://gnupg.org/software/libgcrypt/ | |
10 | COMMENT= GNU cryptographic library | 10 | COMMENT= GNU cryptographic library | |
11 | LICENSE= gnu-gpl-v2 AND gnu-lgpl-v2.1 | 11 | LICENSE= gnu-gpl-v2 AND gnu-lgpl-v2.1 | |
12 | 12 | |||
13 | USE_LIBTOOL= yes | 13 | USE_LIBTOOL= yes | |
14 | GNU_CONFIGURE= yes | 14 | GNU_CONFIGURE= yes | |
15 | TEST_TARGET= check | 15 | TEST_TARGET= check | |
16 | TEXINFO_REQD= 4.0 | 16 | TEXINFO_REQD= 4.0 |
@@ -1,11 +1,12 @@ | @@ -1,11 +1,12 @@ | |||
1 | $NetBSD: distinfo,v 1.96 2022/09/18 08:42:45 nros Exp $ | 1 | $NetBSD: distinfo,v 1.97 2023/04/07 09:15:55 adam Exp $ | |
2 | 2 | |||
3 | BLAKE2s (libgcrypt-1.10.1.tar.bz2) = 9c70b204486365abb3b4731e14078d284952df672215d72f9d0ac6b508f82a8d | 3 | BLAKE2s (libgcrypt-1.10.2.tar.bz2) = 4a2899cc51263592dbf0de725522679c7cbaebd123906bd602b4382bf0c51f41 | |
4 | SHA512 (libgcrypt-1.10.1.tar.bz2) = e5ca7966624fff16c3013795836a2c4377f0193dbb4ac5ad2b79654b1fa8992e17d83816569a402212dc8367a7980d4141f5d6ac282bae6b9f02186365b61f13 | 4 | SHA512 (libgcrypt-1.10.2.tar.bz2) = 3a850baddfe8ffe8b3e96dc54af3fbb9e1dab204db1f06b9b90b8fbbfb7fb7276260cd1e61ba4dde5a662a2385385007478834e62e95f785d2e3d32652adb29e | |
5 | Size (libgcrypt-1.10.1.tar.bz2) = 3778457 bytes | 5 | Size (libgcrypt-1.10.2.tar.bz2) = 3795164 bytes | |
6 | SHA1 (patch-aa) = 60b3f4453b217ed8879a2ffd8d485c0195ffb5f8 | 6 | SHA1 (patch-aa) = 60b3f4453b217ed8879a2ffd8d485c0195ffb5f8 | |
7 | SHA1 (patch-cipher_rijndael-arm.S) = ef3cb7f481022440780eb48ae31cbfad0a3ec115 | 7 | SHA1 (patch-cipher_rijndael-arm.S) = ef3cb7f481022440780eb48ae31cbfad0a3ec115 | |
8 | SHA1 (patch-configure) = edc92453a0843ab0442da7f1b9df2ef4c219bdf5 | 8 | SHA1 (patch-config.h.in) = b065aca0c4bf11cd45507b14d60b682be10ab8c9 | |
9 | SHA1 (patch-configure) = 5987b397f5fb49598b936eb328f43c9e8a824425 | |||
9 | SHA1 (patch-mpi_config.links) = 0e87480ead46914653405bb9c693554180ccd126 | 10 | SHA1 (patch-mpi_config.links) = 0e87480ead46914653405bb9c693554180ccd126 | |
10 | SHA1 (patch-random_Makefile.in) = c72c5bcd2e0d5eee9c14b1ee04a683bc9ccec958 | 11 | SHA1 (patch-random_rndgetentropy.c) = b927090beb3e109fb2e00bd3c6cfeff9d9c6a9f0 | |
11 | SHA1 (patch-src_visibility.h) = 8cbbf6803ab34b4b7dda832aa8ee18247aa89518 | 12 | SHA1 (patch-src_visibility.h) = 8cbbf6803ab34b4b7dda832aa8ee18247aa89518 |
@@ -1,25 +1,25 @@ | @@ -1,25 +1,25 @@ | |||
1 | # $NetBSD: options.mk,v 1.8 2013/04/21 14:44:53 wiz Exp $ | 1 | # $NetBSD: options.mk,v 1.9 2023/04/07 09:15:55 adam Exp $ | |
2 | 2 | |||
3 | PKG_OPTIONS_VAR= PKG_OPTIONS.libgcrypt | 3 | PKG_OPTIONS_VAR= PKG_OPTIONS.libgcrypt | |
4 | PKG_SUPPORTED_OPTIONS= | 4 | PKG_SUPPORTED_OPTIONS= | |
5 | 5 | |||
6 | .include "../../mk/bsd.prefs.mk" | 6 | .include "../../mk/bsd.prefs.mk" | |
7 | 7 | |||
8 | .if ${MACHINE_ARCH} == "i386" && ${OPSYS} != "Darwin" | 8 | .if ${MACHINE_ARCH} == "i386" && ${OPSYS} != "Darwin" | |
9 | . include "../../mk/compiler.mk" | 9 | . include "../../mk/compiler.mk" | |
10 | # GCC 3.x (at least 3.3.3 on NetBSD) fails to compile asm() call in | 10 | # GCC 3.x (at least 3.3.3 on NetBSD) fails to compile asm() call in | |
11 | # cipher/rijndael.c:do_padlock() | 11 | # cipher/rijndael.c:do_padlock() | |
12 | . if empty(CC_VERSION:Mgcc-3.*) | 12 | . if !${CC_VERSION:Mgcc-3.*} | |
13 | PKG_SUPPORTED_OPTIONS+= via-padlock | 13 | PKG_SUPPORTED_OPTIONS+= via-padlock | |
14 | # With GCC 4.1.3 on NetBSD, do_padlock() crashes with signal 11 | 14 | # With GCC 4.1.3 on NetBSD, do_padlock() crashes with signal 11 | |
15 | . if ${OPSYS} != "NetBSD" | 15 | . if ${OPSYS} != "NetBSD" | |
16 | PKG_SUGGESTED_OPTIONS+= via-padlock | 16 | PKG_SUGGESTED_OPTIONS+= via-padlock | |
17 | . endif | 17 | . endif | |
18 | . endif | 18 | . endif | |
19 | .endif | 19 | .endif | |
20 | 20 | |||
21 | .include "../../mk/bsd.options.mk" | 21 | .include "../../mk/bsd.options.mk" | |
22 | 22 | |||
23 | .if empty(PKG_OPTIONS:Mvia-padlock) | 23 | .if empty(PKG_OPTIONS:Mvia-padlock) | |
24 | # Disable VIA Padlock support. | 24 | # Disable VIA Padlock support. | |
25 | CONFIGURE_ARGS+= --disable-padlock-support | 25 | CONFIGURE_ARGS+= --disable-padlock-support |
$NetBSD: patch-config.h.in,v 1.1 2023/04/07 09:15:55 adam Exp $
Detect presence of getrandom(2). https://dev.gnupg.org/T6442
--- config.h.in.orig 2023-04-07 08:54:23.000000000 +0000
+++ config.h.in
@@ -294,6 +294,9 @@
/* Define to 1 if you have the `getpid' function. */
#undef HAVE_GETPID
+/* Define to 1 if you have the `getrandom' function. */
+#undef HAVE_GETRANDOM
+
/* Define to 1 if you have the `getrusage' function. */
#undef HAVE_GETRUSAGE
$NetBSD: patch-random_rndgetentropy.c,v 1.1 2023/04/07 09:15:55 adam Exp $
Use getrandom(2) conditionally. https://dev.gnupg.org/T6442
--- random/rndgetentropy.c.orig 2023-04-07 08:56:42.000000000 +0000
+++ random/rndgetentropy.c
@@ -81,6 +81,7 @@ _gcry_rndgetentropy_gather_random (void
do
{
_gcry_pre_syscall ();
+#ifdef HAVE_GETRANDOM
if (fips_mode ())
{
/* DRBG chaining defined in SP 800-90A (rev 1) specify
@@ -98,6 +99,7 @@ _gcry_rndgetentropy_gather_random (void
ret = getrandom (buffer, nbytes, GRND_RANDOM);
}
else
+#endif
{
nbytes = length < sizeof (buffer) ? length : sizeof (buffer);
ret = getentropy (buffer, nbytes);
@@ -1,15 +1,26 @@ | @@ -1,15 +1,26 @@ | |||
1 | $NetBSD: patch-configure,v 1.8 2021/01/25 09:59:50 wiz Exp $ | 1 | $NetBSD: patch-configure,v 1.9 2023/04/07 09:15:55 adam Exp $ | |
2 | 2 | |||
3 | Fix unportable test(1) operator. | 3 | Fix unportable test(1) operator. | |
4 | 4 | |||
5 | --- configure.orig 2021-01-19 12:39:59.000000000 +0000 | 5 | Detect presence of getrandom(2). https://dev.gnupg.org/T6442 | |
6 | ||||
7 | --- configure.orig 2023-04-06 19:07:18.000000000 +0000 | |||
6 | +++ configure | 8 | +++ configure | |
7 | @@ -17178,7 +17178,7 @@ CFLAGS="$CFLAGS -maltivec -mvsx -mcrypto | 9 | @@ -18444,7 +18444,7 @@ CFLAGS="$CFLAGS -maltivec -mvsx -mcrypto | |
8 | 10 | |||
9 | if test "$gcry_cv_cc_ppc_altivec" = "no" && | 11 | if test "$gcry_cv_cc_ppc_altivec" = "no" && | |
10 | test "$mpi_cpu_arch" = "ppc" && | 12 | test "$mpi_cpu_arch" = "ppc" && | |
11 | - test "$try_asm_modules" == "yes" ; then | 13 | - test "$try_asm_modules" == "yes" ; then | |
12 | + test "$try_asm_modules" = "yes" ; then | 14 | + test "$try_asm_modules" = "yes" ; then | |
13 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compiler supports PowerPC AltiVec/VSX/crypto intrinsics with extra GCC flags" >&5 | 15 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compiler supports PowerPC AltiVec/VSX/crypto intrinsics with extra GCC flags" >&5 | |
14 | $as_echo_n "checking whether compiler supports PowerPC AltiVec/VSX/crypto intrinsics with extra GCC flags... " >&6; } | 16 | $as_echo_n "checking whether compiler supports PowerPC AltiVec/VSX/crypto intrinsics with extra GCC flags... " >&6; } | |
15 | if ${gcry_cv_cc_ppc_altivec_cflags+:} false; then : | 17 | if ${gcry_cv_cc_ppc_altivec_cflags+:} false; then : | |
18 | @@ -18809,7 +18809,7 @@ _ACEOF | |||
19 | fi | |||
20 | done | |||
21 | ||||
22 | -for ac_func in explicit_bzero explicit_memset getentropy | |||
23 | +for ac_func in explicit_bzero explicit_memset getentropy getrandom | |||
24 | do : | |||
25 | as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` | |||
26 | ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" |