Mailing List Archive

[Announce] Libgcrypt 1.10.1 released
Hello!

We are pleased to announce the availability of Libgcrypt version 1.10.1.
This release starts a new stable branch of Libgcrypt with full API and
ABI compatibility to the 1.9 series. Over the last year Jussi Kivilinna
put again a lot of work into speeding up the algorithms for the most
commonly used CPUs. See below for a list of improvements and new
features in 1.10.

Libgcrypt is a general purpose library of cryptographic building blocks.
It is originally based on code used by GnuPG. It does not provide any
implementation of OpenPGP or other protocols. Thorough understanding of
applied cryptography is required to use Libgcrypt.


Noteworthy changes in Libgcrypt 1.10.0 and 1.10.1
=================================================

* New and extended interfaces:

- New control codes to check for FIPS 140-3 approved algorithms.

- New control code to switch into non-FIPS mode.

- New cipher modes SIV and GCM-SIV as specified by RFC-5297.

- Extended cipher mode AESWRAP with padding as specified by
RFC-5649. [T5752]

- New set of KDF functions.

- New KDF modes Argon2 and Balloon.

- New functions for combining hashing and signing/verification. [T4894]

* Performance:

- Improved support for PowerPC architectures.

- Improved ECC performance on zSeries/s390x by using accelerated
scalar multiplication.

- Many more assembler performance improvements for several
architectures.

* Bug fixes:

- Fix Elgamal encryption for other implementations.
[R5328,CVE-2021-40528]

- Fix alignment problem on macOS. [T5440]

- Check the input length of the point in ECDH. [T5423]

- Fix an abort in gcry_pk_get_param for "Curve25519". [T5490]

- Fix minor memory leaks in FIPS mode.

- Build fixes for MUSL libc. [rCffaef0be61]

* Other features:

- The control code GCRYCTL_SET_ENFORCED_FIPS_FLAG is ignored
because it is useless with the FIPS 140-3 related changes.

- Update of the jitter entropy RNG code. [T5523]

- Simplification of the entropy gatherer when using the getentropy
system call.

- More portable integrity check in FIPS mode. [rC9fa4c8946a,T5835]

- Add X9.62 OIDs to sha256 and sha512 modules. [rC52fd2305ba]

Note that 1.10.0 was already released on 2022-02-01 without a public
announcement to allow for some extra test time.

For a list of links to commits and bug numbers see the release info at
https://dev.gnupg.org/T5691 and https://dev.gnupg.org/T5810



Download
========

Source code is hosted at the GnuPG FTP server and its mirrors as listed
at https://gnupg.org/download/mirrors.html. On the primary server
the source tarball and its digital signature are:

https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.bz2
https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.bz2.sig

or gzip compressed:

https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.gz
https://gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-1.10.1.tar.gz.sig

In order to check that the version of Libgcrypt you downloaded is an
original and unmodified file please follow the instructions found at
https://gnupg.org/download/integrity_check.html. In short, you may
use one of the following methods:

- Check the supplied OpenPGP signature. For example to check the
signature of the file libgcrypt-1.10.1.tar.bz2 you would use this
command:

gpg --verify libgcrypt-1.10.1.tar.bz2.sig libgcrypt-1.10.1.tar.bz2

This checks whether the signature file matches the source file.
You should see a message indicating that the signature is good and
made by one or more of the release signing keys. Make sure that
this is a valid key, either by matching the shown fingerprint
against a trustworthy list of valid release signing keys or by
checking that the key has been signed by trustworthy other keys.
See the end of this mail for information on the signing keys.

- If you are not able to use an existing version of GnuPG, you have
to verify the SHA-1 checksum. On Unix systems the command to do
this is either "sha1sum" or "shasum". Assuming you downloaded the
file libgcrypt-1.10.1.tar.bz2, you run the command like this:

sha1sum libgcrypt-1.10.1.tar.bz2

and check that the output matches the first line from the
this list:

de2cc32e7538efa376de7bf5d3eafa85626fb95f libgcrypt-1.10.1.tar.bz2
9db3ef0ec74bd2915fa7ca6f32ea9ba7e013e1a1 libgcrypt-1.10.1.tar.gz

You should also verify that the checksums above are authentic by
matching them with copies of this announcement. Those copies can be
found at other mailing lists, web sites, and search engines.


Copying
=======

Libgcrypt is distributed under the terms of the GNU Lesser General
Public License (LGPLv2.1+). The helper programs as well as the
documentation are distributed under the terms of the GNU General Public
License (GPLv2+). The file LICENSES has notices about contributions
that require that these additional notices are distributed.


Support
=======

For help on developing with Libgcrypt you should read the included
manual and if needed ask on the gcrypt-devel mailing list.

In case of problems specific to this release please first check
https://dev.gnupg.org/T5810 for updated information.

Please also consult the archive of the gcrypt-devel mailing list before
reporting a bug: https://gnupg.org/documentation/mailing-lists.html .
We suggest to send bug reports for a new release to this list in favor
of filing a bug at https://bugs.gnupg.org. If you need commercial
support go to https://gnupg.com or https://gnupg.org/service.html .

If you are a developer and you need a certain feature for your project,
please do not hesitate to bring it to the gcrypt-devel mailing list for
discussion.



Thanks
======

Since 2001 maintenance and development of GnuPG is done by g10 Code GmbH
and has mostly been financed by donations. Three full-time employed
developers as well as two contractors exclusively work on GnuPG and
closely related software like Libgcrypt, GPGME and Gpg4win.

Fortunately, and this is still not common with free software, we have
now established a way of financing the development while keeping all our
software free and freely available for everyone. Our model is similar
to the way RedHat manages RHEL and Fedora: Except for the actual binary
of the MSI installer for Windows and client specific configuration
files, all the software is available under the GNU GPL and other Open
Source licenses. Thus customers may even build and distribute their own
version of the software as long as they do not use our trademark
GnuPG VS-DesktopĀ®.

We like to thank all the nice people who are helping the GnuPG project,
be it testing, coding, translating, suggesting, auditing, administering
the servers, spreading the word, answering questions on the mailing
lists, or helping with donations.

*Thank you all*

Your Libgcrypt hackers



p.s.
This is an announcement only mailing list. Please send replies only to
the gnupg-users'at'gnupg.org mailing list.

List of Release Signing Keys:
To guarantee that a downloaded GnuPG version has not been tampered by
malicious entities we provide signature files for all tarballs and
binary versions. The keys are also signed by the long term keys of
their respective owners. Current releases are signed by one or more
of these keys:

rsa3072 2017-03-17 [expires: 2027-03-15]
5B80 C575 4298 F0CB 55D8 ED6A BCEF 7E29 4B09 2E28
Andre Heinecke (Release Signing Key)

ed25519 2020-08-24 [expires: 2030-06-30]
6DAA 6E64 A76D 2840 571B 4902 5288 97B8 2640 3ADA
Werner Koch (dist signing 2020)

ed25519 2021-05-19 [expires: 2027-04-04]
AC8E 115B F73E 2D8D 47FA 9908 E98E 9B2D 19C6 C8BD
Niibe Yutaka (GnuPG Release Key)

brainpoolP256r1 2021-10-15 [expires: 2029-12-31]
02F3 8DFF 731F F97C B039 A1DA 549E 695E 905B A208
GnuPG.com (Release Signing Key 2021)

The keys are available at https://gnupg.org/signature_key.html and
in any recently released GnuPG tarball in the file g10/distsigkey.gpg .
Note that this mail has been signed by a different key.


--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein