Libgcrypt 1.10.1 released
Geoffrey S. Knauth
geoff at knauth.org
Mon Mar 28 17:33:01 CEST 2022
Thank you!
On Mon, Mar 28, 2022, at 10:40, Werner Koch wrote:
> Hello!
>
> We are pleased to announce the availability of Libgcrypt version 1.10.1.
> This release starts a new stable branch of Libgcrypt with full API and
> ABI compatibility to the 1.9 series. Over the last year Jussi Kivilinna
> put again a lot of work into speeding up the algorithms for the most
> commonly used CPUs. See below for a list of improvements and new
> features in 1.10.
>
> Libgcrypt is a general purpose library of cryptographic building blocks.
> It is originally based on code used by GnuPG. It does not provide any
> implementation of OpenPGP or other protocols. Thorough understanding of
> applied cryptography is required to use Libgcrypt.
>
>
> Noteworthy changes in Libgcrypt 1.10.0 and 1.10.1
> =================================================
>
> * New and extended interfaces:
>
> - New control codes to check for FIPS 140-3 approved algorithms.
>
> - New control code to switch into non-FIPS mode.
>
> - New cipher modes SIV and GCM-SIV as specified by RFC-5297.
>
> - Extended cipher mode AESWRAP with padding as specified by
> RFC-5649. [T5752]
>
> - New set of KDF functions.
>
> - New KDF modes Argon2 and Balloon.
>
> - New functions for combining hashing and signing/verification. [T4894]
>
> * Performance:
>
> - Improved support for PowerPC architectures.
>
> - Improved ECC performance on zSeries/s390x by using accelerated
> scalar multiplication.
>
> - Many more assembler performance improvements for several
> architectures.
>
> * Bug fixes:
>
> - Fix Elgamal encryption for other implementations.
> [R5328,CVE-2021-40528]
>
> - Fix alignment problem on macOS. [T5440]
>
> - Check the input length of the point in ECDH. [T5423]
>
> - Fix an abort in gcry_pk_get_param for "Curve25519". [T5490]
>
> - Fix minor memory leaks in FIPS mode.
>
> - Build fixes for MUSL libc. [rCffaef0be61]
>
> * Other features:
>
> - The control code GCRYCTL_SET_ENFORCED_FIPS_FLAG is ignored
> because it is useless with the FIPS 140-3 related changes.
>
> - Update of the jitter entropy RNG code. [T5523]
>
> - Simplification of the entropy gatherer when using the getentropy
> system call.
>
> - More portable integrity check in FIPS mode. [rC9fa4c8946a,T5835]
>
> - Add X9.62 OIDs to sha256 and sha512 modules. [rC52fd2305ba]
>
> Note that 1.10.0 was already released on 2022-02-01 without a public
> announcement to allow for some extra test time.
>
> For a list of links to commits and bug numbers see the release info at
> https://dev.gnupg.org/T5691 and https://dev.gnupg.org/T5810
>
>
>
> Download
> ========
>
> Source code is hosted at the GnuPG FTP server and its mirrors as listed
> at https://gnupg.org/download/mirrors.html. On the primary server
> the source tarball and its digital signature are:
>
> https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.bz2
> https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.bz2.sig
>
> or gzip compressed:
>
> https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.gz
> https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.gz.sig
>
> In order to check that the version of Libgcrypt you downloaded is an
> original and unmodified file please follow the instructions found at
> https://gnupg.org/download/integrity_check.html. In short, you may
> use one of the following methods:
>
> - Check the supplied OpenPGP signature. For example to check the
> signature of the file libgcrypt-1.10.1.tar.bz2 you would use this
> command:
>
> gpg --verify libgcrypt-1.10.1.tar.bz2.sig libgcrypt-1.10.1.tar.bz2
>
> This checks whether the signature file matches the source file.
> You should see a message indicating that the signature is good and
> made by one or more of the release signing keys. Make sure that
> this is a valid key, either by matching the shown fingerprint
> against a trustworthy list of valid release signing keys or by
> checking that the key has been signed by trustworthy other keys.
> See the end of this mail for information on the signing keys.
>
> - If you are not able to use an existing version of GnuPG, you have
> to verify the SHA-1 checksum. On Unix systems the command to do
> this is either "sha1sum" or "shasum". Assuming you downloaded the
> file libgcrypt-1.10.1.tar.bz2, you run the command like this:
>
> sha1sum libgcrypt-1.10.1.tar.bz2
>
> and check that the output matches the first line from
> this list:
>
> de2cc32e7538efa376de7bf5d3eafa85626fb95f libgcrypt-1.10.1.tar.bz2
> 9db3ef0ec74bd2915fa7ca6f32ea9ba7e013e1a1 libgcrypt-1.10.1.tar.gz
>
> You should also verify that the checksums above are authentic by
> matching them with copies of this announcement. Those copies can be
> found at other mailing lists, web sites, and search engines.
>
>
> Copying
> =======
>
> Libgcrypt is distributed under the terms of the GNU Lesser General
> Public License (LGPLv2.1+). The helper programs as well as the
> documentation are distributed under the terms of the GNU General Public
> License (GPLv2+). The file LICENSES has notices about contributions
> that require that these additional notices are distributed.
>
>
> Support
> =======
>
> For help on developing with Libgcrypt you should read the included
> manual and if needed ask on the gcrypt-devel mailing list.
>
> In case of problems specific to this release please first check
> https://dev.gnupg.org/T5810 for updated information.
>
> Please also consult the archive of the gcrypt-devel mailing list before
> reporting a bug: https://gnupg.org/documentation/mailing-lists.html .
> We suggest to send bug reports for a new release to this list in favor
> of filing a bug at https://bugs.gnupg.org. If you need commercial
> support go to https://gnupg.com or https://gnupg.org/service.html .
>
> If you are a developer and you need a certain feature for your project,
> please do not hesitate to bring it to the gcrypt-devel mailing list for
> discussion.
>
>
>
> Thanks
> ======
>
> Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH
> and has mostly been financed by donations. Three full-time employed
> developers as well as two contractors exclusively work on GnuPG and
> closely related software like Libgcrypt, GPGME and Gpg4win.
>
> Fortunately, and this is still not common with free software, we have
> now established a way of financing the development while keeping all our
> software free and freely available for everyone. Our model is similar
> to the way RedHat manages RHEL and Fedora: Except for the actual binary
> of the MSI installer for Windows and client specific configuration
> files, all the software is available under the GNU GPL and other Open
> Source licenses. Thus customers may even build and distribute their own
> version of the software as long as they do not use our trademark
> GnuPG VS-Desktop®.
>
> We like to thank all the nice people who are helping the GnuPG project,
> be it testing, coding, translating, suggesting, auditing, administering
> the servers, spreading the word, answering questions on the mailing
> lists, or helping with donations.
>
> *Thank you all*
>
> Your Libgcrypt hackers
>
>
>
> p.s.
> This is an announcement only mailing list. Please send replies only to
> the gnupg-users'at'gnupg.org mailing list.
>
> List of Release Signing Keys:
> To guarantee that a downloaded GnuPG version has not been tampered with by
> malicious entities we provide signature files for all tarballs and
> binary versions. The keys are also signed by the long term keys of
> their respective owners. Current releases are signed by one or more
> of these keys:
>
> rsa3072 2017-03-17 [expires: 2027-03-15]
> 5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
> Andre Heinecke (Release Signing Key)
>
> ed25519 2020-08-24 [expires: 2030-06-30]
> 6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
> Werner Koch (dist signing 2020)
>
> ed25519 2021-05-19 [expires: 2027-04-04]
> AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
> Niibe Yutaka (GnuPG Release Key)
>
> brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
> 02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
> GnuPG.com (Release Signing Key 2021)
>
> The keys are available at https://gnupg.org/signature_key.html and
> in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
> Note that this mail has been signed by a different key.
>
>
> --
> The pioneers of a warless world are the youth that
> refuse military service. - A. Einstein
>
> Attachments:
> * signature.asc
--
Geoffrey S. Knauth | https://knauth.org/gsk
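
The fingerprint check described in the quoted announcement, scripted as an added example (not part of the original mail and not GnuPG project code): it reads the machine-readable output of `gpg --status-fd 1 --verify` and accepts a signature only if its fingerprint is one of the four release signing keys listed in the announcement. The function names and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Release signing key fingerprints, copied from the announcement above
# (Heinecke, Koch, Niibe, GnuPG.com), with the spaces removed.
RELEASE_KEYS="5B80C5754298F0CB55D8ED6ABCEF7E294B092E28 \
6DAA6E64A76D2840571B4902528897B826403ADA \
AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD \
02F38DFF731FF97CB039A1DA549E695E905BA208"

# Constructed sample of gpg status output (not captured from a real run).
SAMPLE_STATUS='[GNUPG:] GOODSIG 528897B826403ADA Werner Koch (dist signing 2020)
[GNUPG:] VALIDSIG 6DAA6E64A76D2840571B4902528897B826403ADA 2022-03-28 1648456800 0 4 0 22 10 00 6DAA6E64A76D2840571B4902528897B826403ADA'

# signed_by_release_key: reads gpg status lines on stdin. Succeeds only if
# a VALIDSIG line names a pinned key and no signature is reported as bad
# or as made by a revoked or expired key.
signed_by_release_key() {
    awk -v keys="$RELEASE_KEYS" '
        BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "REVKEYSIG" || $2 == "EXPKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" {
            # $3 is the key that made the signature; the last field is the
            # primary key fingerprint when gpg reports one.
            if (($3 in ok) || ($NF in ok)) found = 1
        }
        END { exit ((found && !bad) ? 0 : 1) }
    '
}

# verify_release SIGFILE DATAFILE: run gpg and apply the pinning check.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | signed_by_release_key
}

# Stand-alone use: sh thisfile libgcrypt-1.10.1.tar.bz2.sig libgcrypt-1.10.1.tar.bz2
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: signed by a listed release key"
    else
        echo "FAILED: no valid signature from a listed release key" >&2
        exit 1
    fi
fi
```

A plain "Good signature" message from gpg only says the signature matches some key in the local keyring; the pinning step is what ties it to the release keys listed in the announcement.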