-
Notifications
You must be signed in to change notification settings - Fork 28
/
NEWS
1863 lines (1267 loc) · 59.7 KB
/
NEWS
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Noteworthy changes in version 1.11.0 (2024-06-19) [C25/A5/R0]
-------------------------------------------------
* New and extended interfaces:
- Add an API for Key Encapsulation Mechanism (KEM). [T6755]
- Add Streamlined NTRU Prime sntrup761 algorithm. [rCcf9923e1a5]
- Add Kyber algorithm according to FIPS 203 ipd 2023-08-24.
[rC18e5c0d268]
- Add Classic McEliece algorithm. [rC003367b912]
- Add One-Step KDF with hash and MAC. [T5964]
- Add KDF algorithm HKDF of RFC-5869. [T5964]
- Add KDF algorithm X963KDF for use in CMS. [rC3abac420b3]
- Add GMAC-SM4 and Poly1305-SM4. [rCd1ccc409d4]
- Add ARIA block cipher algorithm. [rC316c6d7715]
- Add explicit FIPS indicators for MD and MAC algorithms. [T6376]
- Add support for SHAKE as MGF in RSA. [T6557]
- Add gcry_md_read support for SHAKE algorithms. [T6539]
- Add gcry_md_hash_buffers_ext function. [T7035]
- Add cSHAKE hash algorithm. [rC065b3f4e02]
- Support internal generation of IV for AEAD cipher mode. [T4873]
* Performance:
- Add SM3 ARMv8/AArch64/CE assembly implementation. [rCfe891ff4a3]
- Add SM4 ARMv8/AArch64 assembly implementation. [rCd8825601f1]
- Add SM4 GFNI/AVX2 and GFI/AVX512 implementation.
[rC5095d60af4,rCeaed633c16]
- Add SM4 ARMv9 SVE CE assembly implementation. [rC2dc2654006]
- Add PowerPC vector implementation of SM4. [rC0b2da804ee]
- Optimize ChaCha20 and Poly1305 for PPC P10 LE. [T6006]
- Add CTR32LE bulk acceleration for AES on PPC. [rC84f2e2d0b5]
- Add generic bulk acceleration for CTR32LE mode (GCM-SIV) for SM4
and Camellia. [rCcf956793af]
- Add GFNI/AVX2 implementation of Camellia. [rC4e6896eb9f]
- Add AVX2 and AVX512 accelerated implementations for GHASH (GCM)
and POLYVAL (GCM-SIV). [rCd857e85cb4, rCe6f3600193]
- Add AVX512 implementation for SHA512. [rC089223aa3b]
- Add AVX512 implementation for Serpent. [rCce95b6ec35]
- Add AVX512 implementation for Poly1305 and ChaCha20
[rCcd3ed49770, rC9a63cfd617]
- Add AVX512 accelerated implementation for SHA3 and Blake2
[rCbeaad75f46,rC909daa700e]
- Add VAES/AVX2 accelerated i386 implementation for AES.
[rC4a42a042bc]
- Add bulk processing for XTS mode of Camellia and SM4.
[rC32b18cdb87, rCaad3381e93]
- Accelerate XTS and ECB modes for Twofish and Serpent.
[rCd078a928f5,rC8a1fe5f78f]
- Add AArch64 crypto/SHA512 extension implementation for
SHA512. [rCe51d3b8330]
- Add AArch64 crypto-extension implementation for Camellia.
[rC898c857206]
- Accelerate OCB authentication on AMD with AVX2. [rC6b47e85d65]
* Bug fixes:
- For PowerPC check for missing optimization level for vector
register usage. [T5785]
- Fix EdDSA secret key check. [T6511]
- Fix decoding of PKCS#1-v1.5 and OAEP padding. [rC34c2042792]
- Allow use of PKCS#1-v1.5 with SHA3 algorithms. [T6976]
- Fix AESWRAP padding length check. [T7130]
* Other:
- Allow empty password for Argon2 KDF. [rCa20700c55f]
- Various constant time operation imporvements.
- Add "bp256", "bp384", "bp512" aliases for Brainpool curves.
- Support for the random server has been removed. [T5811]
- The control code GCRYCTL_ENABLE_M_GUARD is deprecated and not
supported any more. Please use valgrind or other tools. [T5822]
- Logging is now done via the libgpg-error logging functions.
[rCab0bdc72c7]
Changes also found in 1.10.3:
* Bug fixes:
- Fix public key computation for other EdDSA curves.
[rC469919751d6e]
- Remove out of core handler diagnostic in FIPS mode. [T6515]
- Check that the digest size is not zero in gcry_pk_sign_md and
gcry_pk_verify_md. [T6539]
- Make store an s-exp with \0 is considered to be binary. [T6747]
- Various constant-time improvements.
* Portability:
- Use getrandom call only when supported by the platform. [T6442]
- Change the default for --with-libtool-modification to never.
[T6619]
Changes also found in 1.10.2
* Bug fixes:
- Fix Argon2 for the case output > 64. [rC13b5454d26]
- Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44]
- Fix RSA key generation failure in forced FIPS mode. [T5919]
- Fix gcry_pk_hash_verify for explicit hash. [T6066]
- Fix a wrong result of gcry_mpi_invm. [T5970]
- Allow building with --disable-asm for HPPA. [T5976]
- Fix Jitter RNG for building native on Windows. [T5891]
- Allow building with -Oz. [T6432]
- Enable the fast path to ChaCha20 only when supported. [T6384]
- Use size_t to avoid counter overflow in Keccak when directly
feeding more than 4GiB. [T6217]
* Other:
- Do not use secure memory for a DRBG instance. [T5933]
- Do not allow PKCS#1.5 padding for encryption in FIPS mode.
[T5918]
- Fix the behaviour for child process re-seeding in the DRBG.
[rC019a40c990]
- Allow verification of small RSA signatures in FIPS mode. [T5975]
- Allow the use of a shorter salt for KDFs in FIPS mode. [T6039]
- Run digest+sign self tests for RSA and ECC in FIPS mode.
[rC06c9350165]
- Add function-name based FIPS indicator function.
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered
an ABI changes because the new FIPS features were not yet
approved. [rC822ee57f07]
- Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397]
- Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9]
- Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a]
- Check minimum allowed key size in PBKDF in FIPS mode.
[T6039,T6219]
- Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba]
- Prefer gpgrt-config when available. [T5034]
- Mark AESWRAP as approved FIPS algorithm. [T5512]
- Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332]
- Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25]
- Remove GCM mode from the allowed FIPS indicators. [rC1540698389]
- Add explicit FIPS indicators for hash and MAC algorithms. [T6376]
Changes also found in 1.10.1:
* Bug fixes:
- Fix minor memory leaks in FIPS mode.
- Build fixes for MUSL libc. [rCffaef0be61]
* Other:
- More portable integrity check in FIPS mode. [rC9fa4c8946a,T5835]
- Add X9.62 OIDs to sha256 and sha512 modules. [rC52fd2305ba]
* Interface changes relative to the 1.10.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GCRY_CIPHER_ARIA128 NEW cipher algo.
GCRY_CIPHER_ARIA192 NEW cipher algo.
GCRY_CIPHER_ARIA256 NEW cipher algo.
gcry_cipher_geniv_methods NEW type.
gcry_cipher_setup_geniv NEW function.
gcry_cipher_geniv NEW function.
GCRY_PK_KEM NEW constant.
GCRY_MD_CSHAKE128 NEW hash algo.
GCRY_MD_CSHAKE256 NEW hash algo.
GCRYCTL_MD_CUSTOMIZE NEW control code.
gcry_cshake_customization NEW type.
GCRY_MAC_CMAC_ARIA NEW mac algo.
GCRY_MAC_GMAC_SM4 NEW mac algo.
GCRY_MAC_GMAC_ARIA NEW mac algo.
GCRY_MAC_POLY1305_SM4 NEW mac algo.
GCRY_MAC_POLY1305_ARIA NEW mac algo.
GCRY_KDF_ONESTEP_KDF NEW kdf algo.
GCRY_KDF_ONESTEP_KDF_MAC NEW kdf algo.
GCRY_KDF_X963_KDF NEW kdf algo.
gcry_kem_algos NEW type.
gcry_kem_keypair NEW function.
gcry_kem_encap NEW function.
gcry_kem_decap NEW function.
GCRY_KEM_SNTRUP761 NEW kem algo.
GCRY_KEM_CM6688128F NEW kem algo.
GCRY_KEM_MLKEM512 NEW kem algo.
GCRY_KEM_MLKEM768 NEW kem algo.
GCRY_KEM_MLKEM1024 NEW kem algo.
GCRY_KEM_RAW_X25519 NEW kem algo.
GCRY_KEM_RAW_X448 NEW kem algo.
GCRY_KEM_RAW_BP256 NEW kem algo.
GCRY_KEM_RAW_BP384 NEW kem algo.
GCRY_KEM_RAW_BP512 NEW kem algo.
GCRY_KEM_RAW_P256R1 NEW kem algo.
GCRY_KEM_RAW_P384R1 NEW kem algo.
GCRY_KEM_RAW_P521R1 NEW kem algo.
GCRY_KEM_DHKEM25519 NEW kem algo.
GCRY_KEM_DHKEM448 NEW kem algo.
GCRY_KEM_DHKEMP256R1 NEW kem algo.
GCRY_KEM_DHKEMP384R1 NEW kem algo.
GCRY_KEM_DHKEMP521R1 NEW kem algo.
GCRY_KEM_*_SECKEY_LEN NEW constants.
GCRY_KEM_*_PUBKEY_LEN NEW constants.
GCRY_KEM_*_ENCAPS_LEN NEW constants.
GCRY_KEM_*_CIPHER_LEN NEW constants.
GCRY_KEM_*_SHARED_LEN NEW constants.
gcry_md_hash_buffers_ext NEW function.
gcry_pk_input_data_push NEW macro.
GCRYCTL_ENABLE_M_GUARD DEPRECATED feature.
gcry_handler_log_t DEPRECATED type.
gcry_set_log_handler DEPRECATED function.
Release dates of 1.10 versions
------------------------------
Version 1.10.3 (2023-11-14) https://dev.gnupg.org/T6817
Version 1.10.2 (2023-04-06) https://dev.gnupg.org/T5905
Version 1.10.1 (2022-03-28) https://dev.gnupg.org/T5810
Noteworthy changes in version 1.10.0 (2022-02-01) [C24/A4/R0]
-------------------------------------------------
* New and extended interfaces:
- New control codes to check for FIPS 140-3 approved algorithms.
- New control code to switch into non-FIPS mode.
- New cipher modes SIV and GCM-SIV as specified by RFC-5297.
- Extended cipher mode AESWRAP with padding as specified by
RFC-5649. [T5752]
- New set of KDF functions.
- New KDF modes Argon2 and Balloon.
- New functions for combining hashing and signing/verification. [T4894]
* Performance:
- Improved support for PowerPC architectures.
- Improved ECC performance on zSeries/s390x by using accelerated
scalar multiplication.
- Many more assembler performance improvements for several
architectures.
* Bug fixes:
- Fix Elgamal encryption for other implementations.
[R5328,CVE-2021-40528]
- Fix alignment problem on macOS. [T5440]
- Check the input length of the point in ECDH. [T5423]
- Fix an abort in gcry_pk_get_param for "Curve25519". [T5490]
* Other features:
- The control code GCRYCTL_SET_ENFORCED_FIPS_FLAG is ignored
because it is useless with the FIPS 140-3 related changes.
- Update of the jitter entropy RNG code. [T5523]
- Simplification of the entropy gatherer when using the getentropy
system call.
* Interface changes relative to the 1.9.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
GCRYCTL_SET_DECRYPTION_TAG NEW control code.
GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER NEW control code.
GCRYCTL_FIPS_SERVICE_INDICATOR_KDF NEW control code.
GCRYCTL_NO_FIPS_MODE = 83 NEW control code.
GCRY_CIPHER_MODE_SIV NEW mode.
GCRY_CIPHER_MODE_GCM_SIV NEW mode.
GCRY_CIPHER_EXTENDED NEW flag.
GCRY_SIV_BLOCK_LEN NEW macro.
gcry_cipher_set_decryption_tag NEW macro.
GCRY_KDF_ARGON2 NEW constant.
GCRY_KDF_BALLOON NEW constant.
GCRY_KDF_ARGON2D NEW constant.
GCRY_KDF_ARGON2I NEW constant.
GCRY_KDF_ARGON2ID NEW constant.
gcry_kdf_hd_t NEW type.
gcry_kdf_job_fn_t NEW type.
gcry_kdf_dispatch_job_fn_t NEW type.
gcry_kdf_wait_all_jobs_fn_t NEW type.
struct gcry_kdf_thread_ops NEW struct.
gcry_kdf_open NEW function.
gcry_kdf_compute NEW function.
gcry_kdf_final NEW function.
gcry_kdf_close NEW function.
gcry_pk_hash_sign NEW function.
gcry_pk_hash_verify NEW function.
gcry_pk_random_override_new NEW function.
Release-info: https://dev.gnupg.org/T5691
Release dates of 1.9 versions
-----------------------------
Version 1.9.4 (2021-08-22) https://dev.gnupg.org/T5402
Noteworthy changes in version 1.9.3 (2021-04-19) [C23/A3/R3]
------------------------------------------------
* Bug fixes:
- Fix build problems on i386 using gcc-4.7.
- Fix checksum calculation in OCB decryption for AES on s390.
[#5356]
- Fix a regression in gcry_mpi_ec_add related to certain usages of
curve 25519. [#5372]
- Fix a symbol not found problem on Apple M1. [#5370]
- Fix for Apple iOS getentropy peculiarity. [#5375]
- Make keygrip computation work for compressed points. [#4961]
* Performance:
- Add x86_64 VAES/AVX2 accelerated implementation of Camellia.
[0e7e60241a]
- Add x86_64 VAES/AVX2 accelerated implementation of AES.
[e72498a54f]
- Add VPMSUMD acceleration for GCM mode on PPC. [#5040]
* Internal changes.
- Harden MPI conditional code against EM leakage. [#5330]
- Harden Elgamal by introducing exponent blinding. [#5328]
- Fix memory leaks in the error code paths of EdDSA. [#5385]
Release-info: https://dev.gnupg.org/T5305
Noteworthy changes in version 1.9.2 (2021-02-17) [C23/A3/R2]
------------------------------------------------
* Bug fixes:
- Fix build problem for macOS in the random code. [#5268]
- Fix building with --disable-asm on x86. [#5277]
- Check public key for ECDSA verify operation. [#5282]
- Make sure gcry_get_config (NULL) returns a nul-terminated string.
[8716e4b2ad]
- Fix a memory leak in the ECDH code. [289543544e]
- Fix a reading beyond end of input buffer in SHA2-avx2.
[24af2a55d8]
* Other features:
- New test driver to allow for standalone regression
tests. [b142da4c88]
Release-info: https://dev.gnupg.org/T5276
Noteworthy changes in version 1.9.1 (2021-01-29) [C23/A3/R1]
------------------------------------------------
* Bug fixes:
- Fix exploitable bug in hash functions introduced with 1.9.0.
[#5275]
- Return an error if a negative MPI is used with sexp scan
functions. [#4964]
- Check for operational FIPS in the random and KDF functions.
[#5243]
- Fix compile error on ARMv7 with NEON disabled. [#5251]
- Fix self-test in KDF module. [#5254]
- Improve assembler checks for better LTO support. [#5255]
- Fix assember problem on macOS running on M1. [#5157]
- Support older macOS without posix_spawn. [#5159]
- Fix 32-bit cross build on x86. [#5257]
- Fix non-NEON ARM assembly implementation for SHA512. [#5263]
- Fix build problems with the cipher_bulk_ops_t typedef. [#5264]
- Fix Ed25519 private key handling for preceding ZEROs. [#5267]
- Fix overflow in modular inverse implementation. [#5269]
- Fix register access for AVX/AVX2 implementations of Blake2.
[#5271].
* Performance:
- Add optimized cipher and hash functions for s390x/zSeries.
- Use hardware bit counting functions when available.
* Internal changes:
- The macOS getentropy syscall is used when available. [#5268]
- Update DSA functions to match FIPS 186-3. [30ed9593f6]
- New self-tests for CMACs and KDFs. [385a89e35b,7a0da24925]
- Add bulk cipher functions for OFB and GCM modes.
[f12b6788f2,f4e63e92dc]
Release-info: https://dev.gnupg.org/T5259
Noteworthy changes in version 1.9.0 (2021-01-19) [C23/A3/R0]
------------------------------------------------
* New and extended interfaces:
- New curves Ed448, X448, and SM2.
- New cipher mode EAX.
- New cipher algo SM4.
- New hash algo SM3.
- New hash algo variants SHA512/224 and SHA512/256.
- New MAC algos for Blake-2 algorithms, the new SHA512 variants,
SM3, SM4 and for a GOST variant.
- New convenience function gcry_mpi_get_ui.
- gcry_sexp_extract_param understands new format specifiers to
directly store to integers and strings.
- New function gcry_ecc_mul_point and curve constants for Curve448
and Curve25519. [#4293]
- New function gcry_ecc_get_algo_keylen.
- New control code GCRYCTL_AUTO_EXPAND_SECMEM to allow growing the
secure memory area. Also in 1.8.2 as an undocumented feature.
* Performance:
- Optimized implementations for Aarch64.
- Faster implementations for Poly1305 and ChaCha. Also for
PowerPC. [b9a471ccf5,172ad09cbe,#4460]
- Optimized implementations of AES and SHA-256 on PowerPC.
[#4529,#4530]
- Improved use of AES-NI to speed up AES-XTS (6 times faster).
[a00c5b2988]
- Improved use of AES-NI for OCB. [eacbd59b13,e924ce456d]
- Speedup AES-XTS on ARMv8/CE (2.5 times faster). [93503c127a]
- New AVX and AVX2 implementations for Blake-2 (1.3/1.4 times
faster). [af7fc732f9, da58a62ac1]
- Use Intel SHA extension for SHA-1 and SHA-256 (4.0/3.7 times
faster). [d02958bd30, 0b3ec359e2]
- Use ARMv7/NEON accelerated GCM implementation (3 times faster).
[2445cf7431]
- Use of i386/SSSE3 for SHA-512 (4.5 times faster on Ryzen 7).
[b52dde8609]
- Use 64 bit ARMv8/CE PMULL for CRC (7 times faster). [14c8a593ed]
- Improve CAST5 (40% to 70% faster). [4ec566b368]
- Improve Blowfish (60% to 80% faster). [ced7508c85]
* Bug fixes:
- Fix infinite loop due to applications using fork the wrong
way. [#3491][also in 1.8.4]
- Fix possible leak of a few bits of secret primes to pageable
memory. [#3848][also in 1.8.4]
- Fix possible hang in the RNG (1.8.3 only). [#4034][also in 1.8.4]
- Several minor fixes. [#4102,#4208,#4209,#4210,#4211,#4212]
[also in 1.8.4]
- On Linux always make use of getrandom if possible and then use
its /dev/urandom behaviour. [#3894][also in 1.8.4]
- Use blinding for ECDSA signing to mitigate a novel side-channel
attack. [#4011,CVE-2018-0495] [also in 1.8.3, 1.7.10]
- Fix incorrect counter overflow handling for GCM when using an IV
size other than 96 bit. [#3764] [also in 1.8.3, 1.7.10]
- Fix incorrect output of AES-keywrap mode for in-place encryption
on some platforms. [also in 1.8.3, 1.7.10]
- Fix the gcry_mpi_ec_curve_point point validation function.
[also in 1.8.3, 1.7.10]
- Fix rare assertion failure in gcry_prime_check. [also in 1.8.3]
- Do not use /dev/srandom on OpenBSD. [also in 1.8.2]
- Fix test suite failure on systems with large pages. [#3351]
[also in 1.8.2]
- Fix test suite to not use mmap on Windows. [also in 1.8.2]
- Fix fatal out of secure memory status in the s-expression parser
on heavy loaded systems. [also in 1.8.2]
- Fix build problems on OpenIndiana et al. [#4818, also in 1.8.6]
- Fix GCM bug on arm64 which troubles for example OMEMO. [#4986,
also in 1.8.6]
- Detect a div-by-zero in a debug helper tool. [#4868, also in 1.8.6]
- Use a constant time mpi_inv and related changes. [#4869, partly
also in 1.8.6]
- Fix mpi_copy to correctly handle flags of opaque MPIs.
[also in 1.8.6]
- Fix mpi_cmp to consider +0 and -0 the same. [also in 1.8.6]
- Fix extra entropy collection via clock_gettime. Note that this
fallback code path is not used on any decent hardware. [#4966,
also in 1.8.7]
- Support opaque MPI with gcry_mpi_print. [#4872, also in 1.8.7]
- Allow for a Unicode random seed file on Windows. [#5098, also in
1.8.7]
* Other features:
- Add OIDs from RFC-8410 as aliases for Ed25519 and Curve25519.
[also in 1.8.6]
- Add mitigation against ECC timing attack CVE-2019-13627. [#4626]
- Internal cleanup of the ECC implementation.
- Support reading EC point in compressed format for some curves.
[#4951]
* Interface changes relative to the 1.8.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcry_mpi_get_ui NEW function.
GCRYCTL_AUTO_EXPAND_SECMEM NEW control code.
gcry_sexp_extract_param EXTENDED.
GCRY_CIPHER_GOST28147_MESH NEW cipher algo.
GCRY_CIPHER_SM4 NEW cipher algo.
GCRY_CIPHER_MODE_EAX NEW mode.
GCRY_ECC_CURVE25519 NEW curve id.
GCRY_ECC_CURVE448 NEW curve id.
gcry_ecc_get_algo_keylen NEW function.
gcry_ecc_mul_point NEW function.
GCRY_MD_SM3 NEW hash algo.
GCRY_MD_SHA512_256 NEW hash algo.
GCRY_MD_SHA512_224 NEW hash algo.
GCRY_MAC_GOST28147_IMIT NEW mac algo.
GCRY_MAC_HMAC_GOSTR3411_CP NEW mac algo.
GCRY_MAC_HMAC_BLAKE2B_512 NEW mac algo.
GCRY_MAC_HMAC_BLAKE2B_384 NEW mac algo.
GCRY_MAC_HMAC_BLAKE2B_256 NEW mac algo.
GCRY_MAC_HMAC_BLAKE2B_160 NEW mac algo.
GCRY_MAC_HMAC_BLAKE2S_256 NEW mac algo.
GCRY_MAC_HMAC_BLAKE2S_224 NEW mac algo.
GCRY_MAC_HMAC_BLAKE2S_160 NEW mac algo.
GCRY_MAC_HMAC_BLAKE2S_128 NEW mac algo.
GCRY_MAC_HMAC_SM3 NEW mac algo.
GCRY_MAC_HMAC_SHA512_256 NEW mac algo.
GCRY_MAC_HMAC_SHA512_224 NEW mac algo.
GCRY_MAC_CMAC_SM4 NEW mac algo.
Release-info: https://dev.gnupg.org/T4294
Release dates of 1.8 versions
-----------------------------
Version 1.8.7 (2020-10-23)
Version 1.8.6 (2020-07-06)
Version 1.8.5 (2019-08-29)
Version 1.8.4 (2018-10-26)
Version 1.8.3 (2018-06-13)
Version 1.8.2 (2017-12-13)
Noteworthy changes in version 1.8.1 (2017-08-27) [C22/A2/R1]
------------------------------------------------
* Bug fixes:
- Mitigate a local side-channel attack on Curve25519 dubbed "May
the Fourth be With You". [CVE-2017-0379] [also in 1.7.9]
- Add more extra bytes to the pool after reading a seed file.
- Add the OID SHA384WithECDSA from RFC-7427 to SHA-384.
- Fix build problems with the Jitter RNG
- Fix assembler code build problems on Rasbian (ARMv8/AArch32-CE).
Noteworthy changes in version 1.8.0 (2017-07-18) [C22/A2/R0]
------------------------------------------------
* New interfaces:
- New cipher mode XTS
- New hash function Blake-2
- New function gcry_mpi_point_copy.
- New function gcry_get_config.
- GCRYCTL_REINIT_SYSCALL_CLAMP allows to init nPth after Libgcrypt.
- New global configuration file /etc/gcrypt/random.conf.
* Extended interfaces:
- GCRYCTL_PRINT_CONFIG does now also print build information for
libgpg-error and the used compiler version.
- GCRY_CIPHER_MODE_CFB8 is now supported.
- Add Stribog OIDs. [also in 1.7.4]
* Performance:
- A jitter based entropy collector is now used in addition to the
other entropy collectors.
- Optimized gcry_md_hash_buffers for SHA-256 and SHA-512.
- More ARMv8/AArch32 improvements for AES, GCM, SHA-256, and SHA-1.
[also in 1.7.4]
- Add ARMv8/AArch32 assembly implementation for Twofish and
Camellia. [also in 1.7.4]
- Add bulk processing implementation for ARMv8/AArch32.
[also in 1.7.4]
- Improve the DRBG performance and sync the code with the Linux
version. [also in 1.7.4]
* Internal changes:
- Libgpg-error 1.25 is now required. This avoids stalling of nPth
threads due to contention on internal Libgcrypt locks (e.g. the
random pool lock).
- The system call clamp of libgpg-error is now used to wrap the
blocking read of /dev/random. This allows other nPth threads to
run while Libgcrypt is gathering entropy.
- When secure memory is requested by the MPI functions or by
gcry_xmalloc_secure, they do not anymore lead to a fatal error if
the secure memory pool is used up. Instead new pools are
allocated as needed. These new pools are not protected against
being swapped out (mlock can't be used). However, these days
this is considered a minor issue and can easily be mitigated by
using encrypted swap space. [also in 1.7.4]
* Bug fixes:
- Fix AES CTR self-check detected failure in the SSSE3 based
implementation. [also in 1.7.6]
- Remove gratuitous select before the getrandom syscall.
[also in 1.7.6]
- Fix regression in mlock detection. [bug#2870] [also in 1.7.5]
- Fix GOST 28147 CryptoPro-B S-box. [also in 1.7.4]
- Fix error code handling of mlock calls. [also in 1.7.4]
- Fix possible timing attack on EdDSA session key. [also in 1.7.7]
- Fix long standing bug in secure memory implementation which could
lead to a segv on free. [bug#3027] [also in 1.7.7]
- Mitigate a flush+reload side-channel attack on RSA secret keys
dubbed "Sliding right into disaster". For details see
<https://eprint.iacr.org/2017/627>. [CVE-2017-7526] [also in 1.7.8]
* Interface changes relative to the 1.7.0 release:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
gcry_get_config NEW function.
gcry_mpi_point_copy NEW function.
GCRYCTL_REINIT_SYSCALL_CLAMP NEW macro.
GCRY_MD_BLAKE2B_512 NEW constant.
GCRY_MD_BLAKE2B_384 NEW constant.
GCRY_MD_BLAKE2B_256 NEW constant.
GCRY_MD_BLAKE2B_160 NEW constant.
GCRY_MD_BLAKE2S_256 NEW constant.
GCRY_MD_BLAKE2S_224 NEW constant.
GCRY_MD_BLAKE2S_160 NEW constant.
GCRY_MD_BLAKE2S_128 NEW constant.
GCRY_CIPHER_MODE_XTS NEW constant.
gcry_md_info DEPRECATED.
Release dates of 1.7 versions
-----------------------------
Version 1.7.10 (2018-06-13) [C21/A1/R10]
Version 1.7.9 (2017-08-27) [C21/A1/R9]
Version 1.7.8 (2017-06-29) [C21/A1/R8]
Version 1.7.7 (2017-06-02) [C21/A1/R7]
Version 1.7.6 (2017-01-18) [C21/A1/R6]
Version 1.7.5 (2016-12-15) [C21/A1/R5]
Version 1.7.4 (2016-12-09) [C21/A1/R4]
Noteworthy changes in version 1.7.3 (2016-08-17) [C21/A1/R3]
------------------------------------------------
* Bug fixes:
- Fix critical security bug in the RNG [CVE-2016-6313]. An
attacker who obtains 580 bytes from the standard RNG can
trivially predict the next 20 bytes of output. Problem
detected by Felix Dörre and Vladimir Klebanov, KIT.
- Fix building of some asm modules with older compilers and CPUs.
* Performance:
- ARMv8/AArch32 improvements for AES, GCM, SHA-256, and SHA-1.
Noteworthy changes in version 1.7.2 (2016-07-14) [C21/A1/R2]
------------------------------------------------
* Bug fixes:
- Fix setting of the ECC cofactor if parameters are specified.
- Fix memory leak in the ECC code.
- Remove debug message about unsupported getrandom syscall.
- Fix build problems related to AVX use.
- Fix bus errors on ARM for Poly1305, ChaCha20, AES, and SHA-512.
* Internal changes:
- Improved fatal error message for wrong use of gcry_md_read.
- Disallow symmetric encryption/decryption if key is not set.
Noteworthy changes in version 1.7.1 (2016-06-15) [C21/A1/R1]
------------------------------------------------
* Bug fixes:
- Fix ecc_verify for cofactor support.
- Fix portability bug when using gcc with Solaris 9 SPARC.
- Build fix for OpenBSD/amd64
- Add OIDs to the Serpent ciphers.
* Internal changes:
- Use getrandom system call on Linux if available.
- Blinding is now also used for RSA signature creation.
- Changed names of debug envvars
Noteworthy changes in version 1.7.0 (2016-04-15) [C21/A1/R0]
------------------------------------------------
* New algorithms and modes:
- SHA3-224, SHA3-256, SHA3-384, SHA3-512, and MD2 hash algorithms.
- SHAKE128 and SHAKE256 extendable-output hash algorithms.
- ChaCha20 stream cipher.
- Poly1305 message authentication algorithm
- ChaCha20-Poly1305 Authenticated Encryption with Associated Data
mode.
- OCB mode.
- HMAC-MD2 for use by legacy applications.
* New curves for ECC:
- Curve25519.
- sec256k1.
- GOST R 34.10-2001 and GOST R 34.10-2012.
* Performance:
- Improved performance of KDF functions.
- Assembler optimized implementations of Blowfish and Serpent on
ARM.
- Assembler optimized implementation of 3DES on x86.
- Improved AES using the SSSE3 based vector permutation method by
Mike Hamburg.
- AVX/BMI is used for SHA-1 and SHA-256 on x86. This is for SHA-1
about 20% faster than SSSE3 and more than 100% faster than the
generic C implementation.
- 40% speedup for SHA-512 and 72% for SHA-1 on ARM Cortex-A8.
- 60-90% speedup for Whirlpool on x86.
- 300% speedup for RIPE MD-160.
- Up to 11 times speedup for CRC functions on x86.
* Other features:
- Improved ECDSA and FIPS 186-4 compliance.
- Support for Montgomery curves.
- gcry_cipher_set_sbox to tweak S-boxes of the gost28147 cipher
algorithm.
- gcry_mpi_ec_sub to subtract two points on a curve.
- gcry_mpi_ec_decode_point to decode an MPI into a point object.
- Emulation for broken Whirlpool code prior to 1.6.0. [from 1.6.1]
- Flag "pkcs1-raw" to enable PCKS#1 padding with a user supplied
hash part.
- Parameter "saltlen" to set a non-default salt length for RSA PSS.
- A SP800-90A conforming DRNG replaces the former X9.31 alternative
random number generator.
- Map deprecated RSA algo number to the RSA algo number for better
backward compatibility. [from 1.6.2]
- Use ciphertext blinding for Elgamal decryption [CVE-2014-3591].
See http://www.cs.tau.ac.il/~tromer/radioexp/ for details.
[from 1.6.3]
- Fixed data-dependent timing variations in modular exponentiation
[related to CVE-2015-0837, Last-Level Cache Side-Channel Attacks
are Practical]. [from 1.6.3]
- Flag "no-keytest" for ECC key generation. Due to a bug in
the parser that flag will also be accepted but ignored by older
version of Libgcrypt. [from 1.6.4]
- Speed up the random number generator by requiring less extra
seeding. [from 1.6.4]
- Always verify a created RSA signature to avoid private key leaks
due to hardware failures. [from 1.6.4]
- Mitigate side-channel attack on ECDH with Weierstrass curves
[CVE-2015-7511]. See http://www.cs.tau.ac.IL/~tromer/ecdh/ for
details. [from 1.6.5]
* Internal changes:
- Moved locking out to libgpg-error.
- Support of the SYSROOT envvar in the build system.
- Refactor some code.
- The availability of a 64 bit integer type is now mandatory.
* Bug fixes:
- Fixed message digest lookup by OID (regression in 1.6.0).
- Fixed a build problem on NetBSD
- Fixed memory leaks in ECC code.