Libgcrypt 1.10.1 released

Geoffrey S. Knauth geoff at knauth.org
Mon Mar 28 17:33:01 CEST 2022


Thank you!

On Mon, Mar 28, 2022, at 10:40, Werner Koch wrote:
> Hello!
>
> We are pleased to announce the availability of Libgcrypt version 1.10.1.
> This release starts a new stable branch of Libgcrypt with full API and
> ABI compatibility to the 1.9 series.  Over the last year Jussi Kivilinna
> put again a lot of work into speeding up the algorithms for the most
> commonly used CPUs.  See below for a list of improvements and new
> features in 1.10.
>
> Libgcrypt is a general purpose library of cryptographic building blocks.
> It is originally based on code used by GnuPG.  It does not provide any
> implementation of OpenPGP or other protocols.  Thorough understanding of
> applied cryptography is required to use Libgcrypt.
>
>
> Noteworthy changes in Libgcrypt 1.10.0 and 1.10.1
> =================================================
>
>  * New and extended interfaces:
>
>    - New control codes to check for FIPS 140-3 approved algorithms.
>
>    - New control code to switch into non-FIPS mode.
>
>    - New cipher modes SIV and GCM-SIV as specified by RFC-5297.
>
>    - Extended cipher mode AESWRAP with padding as specified by
>      RFC-5649.  [T5752]
>
>    - New set of KDF functions.
>
>    - New KDF modes Argon2 and Balloon.
>
>    - New functions for combining hashing and signing/verification.  [T4894]
>
>  * Performance:
>
>    - Improved support for PowerPC architectures.
>
>    - Improved ECC performance on zSeries/s390x by using accelerated
>      scalar multiplication.
>
>    - Many more assembler performance improvements for several
>      architectures.
>
>  * Bug fixes:
>
>    - Fix Elgamal encryption for other implementations.
>      [R5328,CVE-2021-40528]
>
>    - Fix alignment problem on macOS.  [T5440]
>
>    - Check the input length of the point in ECDH.  [T5423]
>
>    - Fix an abort in gcry_pk_get_param for "Curve25519".  [T5490]
>
>    - Fix minor memory leaks in FIPS mode.
>
>    - Build fixes for MUSL libc.  [rCffaef0be61]
>
>  * Other features:
>
>    - The control code GCRYCTL_SET_ENFORCED_FIPS_FLAG is ignored
>      because it is useless with the FIPS 140-3 related changes.
>
>    - Update of the jitter entropy RNG code.  [T5523]
>
>    - Simplification of the entropy gatherer when using the getentropy
>      system call.
>
>    - More portable integrity check in FIPS mode.  [rC9fa4c8946a,T5835]
>
>    - Add X9.62 OIDs to sha256 and sha512 modules.  [rC52fd2305ba]
>
>  Note that 1.10.0 was already released on 2022-02-01 without a public
>  announcement to allow for some extra test time.
>
>  For a list of links to commits and bug numbers see the release info at
>  https://dev.gnupg.org/T5691 and https://dev.gnupg.org/T5810
>
>
>
> Download
> ========
>
> Source code is hosted at the GnuPG FTP server and its mirrors as listed
> at https://gnupg.org/download/mirrors.html.  On the primary server
> the source tarball and its digital signature are:
>
>  https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.bz2
>  https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.bz2.sig
>
> or gzip compressed:
>
>  https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.gz
>  https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.gz.sig
>
> In order to check that the version of Libgcrypt you downloaded is an
> original and unmodified file please follow the instructions found at
> https://gnupg.org/download/integrity_check.html.  In short, you may
> use one of the following methods:
>
>  - Check the supplied OpenPGP signature.  For example to check the
>    signature of the file libgcrypt-1.10.1.tar.bz2 you would use this
>    command:
>
>      gpg --verify libgcrypt-1.10.1.tar.bz2.sig libgcrypt-1.10.1.tar.bz2
>
>    This checks whether the signature file matches the source file.
>    You should see a message indicating that the signature is good and
>    made by one or more of the release signing keys.  Make sure that
>    this is a valid key, either by matching the shown fingerprint
>    against a trustworthy list of valid release signing keys or by
>    checking that the key has been signed by trustworthy other keys.
>    See the end of this mail for information on the signing keys.
>
>  - If you are not able to use an existing version of GnuPG, you have
>    to verify the SHA-1 checksum.  On Unix systems the command to do
>    this is either "sha1sum" or "shasum".  Assuming you downloaded the
>    file libgcrypt-1.10.1.tar.bz2, you run the command like this:
>
>      sha1sum libgcrypt-1.10.1.tar.bz2
>
>    and check that the output matches the first line from
>    this list:
>
> de2cc32e7538efa376de7bf5d3eafa85626fb95f  libgcrypt-1.10.1.tar.bz2
> 9db3ef0ec74bd2915fa7ca6f32ea9ba7e013e1a1  libgcrypt-1.10.1.tar.gz
>
>    You should also verify that the checksums above are authentic by
>    matching them with copies of this announcement.  Those copies can be
>    found at other mailing lists, web sites, and search engines.
>
>
> Copying
> =======
>
> Libgcrypt is distributed under the terms of the GNU Lesser General
> Public License (LGPLv2.1+).  The helper programs as well as the
> documentation are distributed under the terms of the GNU General Public
> License (GPLv2+).  The file LICENSES has notices about contributions
> that require that these additional notices are distributed.
>
>
> Support
> =======
>
> For help on developing with Libgcrypt you should read the included
> manual and if needed ask on the gcrypt-devel mailing list.
>
> In case of problems specific to this release please first check
> https://dev.gnupg.org/T5810 for updated information.
>
> Please also consult the archive of the gcrypt-devel mailing list before
> reporting a bug: https://gnupg.org/documentation/mailing-lists.html .
> We suggest to send bug reports for a new release to this list in favor
> of filing a bug at https://bugs.gnupg.org.  If you need commercial
> support go to https://gnupg.com or https://gnupg.org/service.html .
>
> If you are a developer and you need a certain feature for your project,
> please do not hesitate to bring it to the gcrypt-devel mailing list for
> discussion.
>
>
>
> Thanks
> ======
>
> Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH
> and has mostly been financed by donations.  Three full-time employed
> developers as well as two contractors exclusively work on GnuPG and
> closely related software like Libgcrypt, GPGME and Gpg4win.
>
> Fortunately, and this is still not common with free software, we have
> now established a way of financing the development while keeping all our
> software free and freely available for everyone.  Our model is similar
> to the way RedHat manages RHEL and Fedora: Except for the actual binary
> of the MSI installer for Windows and client specific configuration
> files, all the software is available under the GNU GPL and other Open
> Source licenses.  Thus customers may even build and distribute their own
> version of the software as long as they do not use our trademark
> GnuPG VS-Desktop®.
>
> We like to thank all the nice people who are helping the GnuPG project,
> be it testing, coding, translating, suggesting, auditing, administering
> the servers, spreading the word, answering questions on the mailing
> lists, or helping with donations.
>
> *Thank you all*
>
>    Your Libgcrypt hackers
>
>
>
> p.s.
> This is an announcement only mailing list.  Please send replies only to
> the gnupg-users'at'gnupg.org mailing list.
>
> List of Release Signing Keys:
> To guarantee that a downloaded GnuPG version has not been tampered by
> malicious entities we provide signature files for all tarballs and
> binary versions.  The keys are also signed by the long term keys of
> their respective owners.  Current releases are signed by one or more
> of these keys:
>
>   rsa3072 2017-03-17 [expires: 2027-03-15]
>   5B80 C575 4298 F0CB 55D8  ED6A BCEF 7E29 4B09 2E28
>   Andre Heinecke (Release Signing Key)
>
>   ed25519 2020-08-24 [expires: 2030-06-30]
>   6DAA 6E64 A76D 2840 571B  4902 5288 97B8 2640 3ADA
>   Werner Koch (dist signing 2020)
>
>   ed25519 2021-05-19 [expires: 2027-04-04]
>   AC8E 115B F73E 2D8D 47FA  9908 E98E 9B2D 19C6 C8BD
>   Niibe Yutaka (GnuPG Release Key)
>
>   brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
>   02F3 8DFF 731F F97C B039  A1DA 549E 695E 905B A208
>   GnuPG.com (Release Signing Key 2021)
>
> The keys are available at https://gnupg.org/signature_key.html and
> in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
> Note that this mail has been signed by a different key.
>
>
> --
> The pioneers of a warless world are the youth that
> refuse military service.             - A. Einstein
>
> Attachments:
> * signature.asc

-- 
Geoffrey S. Knauth | https://knauth.org/gsk
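
The signature check described in the quoted announcement, scripted so that the "good signature" result is accepted only when the signing key's fingerprint is one of the four release keys listed there. This is an added example, not part of the original mail or of GnuPG; the function names check_status, verify_release and sample_status are hypothetical, and the sample status lines are constructed.

```shell
#!/bin/sh
# Release signing key fingerprints copied from the announcement, spaces removed.
RELEASE_KEYS="5B80C5754298F0CB55D8ED6ABCEF7E294B092E28"
RELEASE_KEYS="$RELEASE_KEYS 6DAA6E64A76D2840571B4902528897B826403ADA"
RELEASE_KEYS="$RELEASE_KEYS AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD"
RELEASE_KEYS="$RELEASE_KEYS 02F38DFF731FF97CB039A1DA549E695E905BA208"

# Reads "gpg --status-fd" output on stdin.  Succeeds only if at least one
# signature is GOODSIG + VALIDSIG from a listed primary key and none is BADSIG.
# A signature from an expired or revoked key does not count.
check_status() {
    awk -v keys="$RELEASE_KEYS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "NEWSIG"   { good = 0 }
        $2 == "GOODSIG"  { good = 1 }
        $2 == "BADSIG"   { bad = 1 }
        $2 == "EXPSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { good = 0 }
        $2 == "VALIDSIG" {
            # Field 12 is the primary key fingerprint; field 3 the signing key.
            fpr = (NF >= 12) ? $12 : $3
            if (good && (fpr in allow)) ok = 1
            good = 0
        }
        END { exit !(ok && !bad) }
    '
}

# Usage: verify_release libgcrypt-1.10.1.tar.bz2.sig libgcrypt-1.10.1.tar.bz2
verify_release() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status
}

# Constructed sample of gpg status output for one good signature made by the
# key with fingerprint $1 (date and timestamp are made up).
sample_status() {
    printf '%s\n' \
        '[GNUPG:] NEWSIG' \
        '[GNUPG:] GOODSIG 528897B826403ADA Werner Koch (dist signing 2020)' \
        "[GNUPG:] VALIDSIG $1 2022-03-28 1648456000 0 4 0 22 8 00 $1"
}
```

verify_release needs the release keys in the local keyring; the announcement names https://gnupg.org/signature_key.html and g10/distsigkey.gpg as their sources.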