-rw-r--r-- ChangeLog 6
-rw-r--r-- NEWS 8
-rw-r--r-- README 2
-rw-r--r-- TODO 5
-rw-r--r-- configure.ac 4
-rw-r--r-- doc/ChangeLog 1
-rw-r--r-- doc/announce.txt 54
-rw-r--r-- doc/gcrypt.texi 21
-rw-r--r-- src/ChangeLog 2
-rw-r--r-- src/gcrypt.h.in 4
-rw-r--r-- tests/basic.c 2
11 files changed, 58 insertions, 51 deletions
diff --git a/ChangeLog b/ChangeLog
index 2cbd7457..13ce78aa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2008-09-18 Werner Koch <wk@g10code.com>
+
+ Release 1.4.3.
+
+ * configure.ac: Bump LT version to C16/A5/R1.
+
2008-09-15 Werner Koch <wk@g10code.com>
* configure.ac: Cehck for syslog.
diff --git a/NEWS b/NEWS
index df3788da..362e81cf 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-Noteworthy changes in version 1.4.3
+Noteworthy changes in version 1.4.3 (2008-09-18)
------------------------------------------------
* Try to auto-initialize Libgcrypt to minimize the effect of
@@ -8,13 +8,15 @@ Noteworthy changes in version 1.4.3
cases. Folks, please read the manual to learn how to properly
initialize Libgcrypt!
- * Log fatal errors via syslog.
-
* Auto-initialize the secure memory to 32k instead of aborting the
process.
+ * Log fatal errors via syslog.
+
* Changed the name and the semantics of the fips mode config file.
+ * Add convenience macro gcry_fips_mode_active.
+
* More self-tests.
* Documentation cleanups.
diff --git a/README b/README
index 6807bd4d..0b382308 100644
--- a/README
+++ b/README
@@ -1,6 +1,6 @@
Libgcrypt - The GNU Crypto Library
------------------------------------
- Version 1.4.2
+ Version 1.4.4
Copyright 2000, 2002, 2003, 2004, 2007,
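Review bot: The added README line says "Version 1.4.4", but every other file in this commit releases 1.4.3: ChangeLog has "Release 1.4.3.", NEWS and doc/announce.txt name 1.4.3, and configure.ac keeps my_version at 1.4.3. Change the line to "Version 1.4.3" so the tarball does not ship a README that disagrees with the package version.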
diff --git a/TODO b/TODO
index 070bde4e..61de74a2 100644
--- a/TODO
+++ b/TODO
@@ -36,11 +36,6 @@ What's left to do -*- outline -*-
collectros need to run that bunch of Unix utilities we don't waste
their precious results.
-* Out of memory handler for secure memory should do proper logging
-
- There is no shortage of standard memory, so logging is most likely
- possible.
-
* mpi_print does not use secure memory
for internal variables.
diff --git a/configure.ac b/configure.ac
index e8faa318..4b735991 100644
--- a/configure.ac
+++ b/configure.ac
@@ -27,7 +27,7 @@ min_automake_version="1.10"
# Set my_issvn to "yes" for non-released code. Remember to run an
# "svn up" and "autogen.sh" right before creating a distribution.
m4_define([my_version], [1.4.3])
-m4_define([my_issvn], [yes])
+m4_define([my_issvn], [no])
m4_define([svn_revision], m4_esyscmd([printf "%d" $(svn info 2>/dev/null \
| sed -n '/^Revision:/ s/[^0-9]//gp'|head -1)]))
@@ -40,7 +40,7 @@ AC_INIT([libgcrypt],
# (No interfaces changed: REVISION++)
LIBGCRYPT_LT_CURRENT=16
LIBGCRYPT_LT_AGE=5
-LIBGCRYPT_LT_REVISION=0
+LIBGCRYPT_LT_REVISION=1
# If the API is changed in an incompatible way: increment the next counter.
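Review bot: LIBGCRYPT_LT_REVISION is bumped under the "(No interfaces changed: REVISION++)" rule, yet this commit adds gcry_fips_mode_active to src/gcrypt.h.in. Since that addition is a macro wrapping gcry_control and exports no new symbol, leaving CURRENT and AGE unchanged is defensible, but say so in the ChangeLog entry next to "Bump LT version to C16/A5/R1" so the choice is not mistaken for an oversight.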
diff --git a/doc/ChangeLog b/doc/ChangeLog
index d312ce2f..903081ff 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -2,6 +2,7 @@
* gcrypt.texi: Add a couple of index items.
(FIPS Mode): Reflect recent changes.
+ (Controlling the library): Describe gcry_fips_mode_active.
2008-09-16 Werner Koch <wk@g10code.com>
diff --git a/doc/announce.txt b/doc/announce.txt
index 398278da..6f2925f2 100644
--- a/doc/announce.txt
+++ b/doc/announce.txt
@@ -5,67 +5,55 @@ Cc: gcrypt-devel@gnupg.org
Hello!
The GNU project is pleased to announce the availability of Libgcrypt
-version 1.4.2.
+version 1.4.3.
Libgcrypt is a general purpose library of cryptographic building
blocks. It is originally based on code used by GnuPG. It does not
provide any implementation of OpenPGP or other protocols. Thorough
understanding of applied cryptography is required to use Libgcrypt.
-Noteworthy changes in version 1.4.2:
+Noteworthy changes in version 1.4.3:
- * The long missing gcry_mpi_lshift function has been added.
+ * Try to auto-initialize Libgcrypt to minimize the effect of
+ applications not doing that correctly. This is not a perfect
+ solution but given that many applicationion would totally fail
+ without such a hack, we try to help at least with the most common
+ cases. Folks, please read the manual to learn how to properly
+ initialize Libgcrypt!
- * RSA key generation now supports a "transient-key" flag.
+ * Auto-initialize the secure memory to 32k instead of aborting the
+ process.
- * The keygrip computation for ECDSA has been implemented thus ECDSA
- is now fully supported.
+ * Log fatal errors via syslog.
- * A few macros have been replaced by functions for better type
- checking.
+ * Changed the name and the semantics of the fips mode config file.
- * The thread initialization structure now carries version
- information.
+ * Add convenience macro gcry_fips_mode_active.
- * The manual describes more clearly how to initialize Libgcrypt.
+ * More self-tests.
- * The library may now be switched into a FIPS mode.
-
- * Interface changes relative to the 1.3.0 release:
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- GCRYCTL_OPERATIONAL_P NEW.
- GCRYCTL_FIPS_MODE_P NEW.
- GCRYCTL_FORCE_FIPS_MODE NEW.
- gcry_cipher_setkey NEW: Replaces macro.
- gcry_cipher_setiv NEW: Replaces macro.
- gcry_cipher_setctr NEW: Replaces macro.
- gcry_mpi_lshift NEW.
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ * Documentation cleanups.
Source code is hosted at the GnuPG FTP server and its mirrors as
listed at http://www.gnupg.org/download/mirrors.html . On the primary
server the source file and its digital signatures is:
- ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.2.tar.bz2 (1049k)
- ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.2.tar.bz2.sig
+ ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.3.tar.bz2 (k)
+ ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.3.tar.bz2.sig
This file is bzip2 compressed. A gzip compressed version is also
available:
- ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.1.tar.gz (1301k)
- ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.1.tar.gz.sig
+ ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.3.tar.gz (k)
+ ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.3.tar.gz.sig
-Alternativley you may upgrade version 1.4.1 using this patch file:
+Alternativley you may upgrade version 1.4.2 using this patch file:
- ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.1-1.4.2.diff.bz2 (171k)
+ ftp://ftp.gnupg.org/gcrypt/libgcrypt/libgcrypt-1.4.2-1.4.3.diff.bz2 (k)
The SHA-1 checksums are:
-f4eda0d4a63905aef3bcdf24bb3dad787ef4b918 libgcrypt-1.4.2.tar.gz
-e9c65688e3191c4cad2910bda2f6c69fc05997a2 libgcrypt-1.4.2.tar.bz2
-e0e5e4192f144ae0fc093d08aff50b725f46c0f9 libgcrypt-1.4.1-1.4.2.diff.bz2
-
For help on developing with Libgcrypt you should read the included
manual and optional ask on the gcrypt-devel mailing list [1].
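Review bot: The announcement is not ready to send as committed: the three SHA-1 lines are deleted without replacements, so "The SHA-1 checksums are:" is followed by nothing, and the new download lines carry empty size placeholders "(k)". Fill in the sizes and the checksums of the 1.4.3 tar.bz2, tar.gz and 1.4.2-1.4.3 diff before release, since readers use this text to verify what they downloaded. In the same hunk, "applicationion" in the first added bullet should read "applications", and "Alternativley" is carried over misspelled into the added line.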
diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
index 9be66d6a..f1a02bc4 100644
--- a/doc/gcrypt.texi
+++ b/doc/gcrypt.texi
@@ -626,8 +626,8 @@ after initialization.
@item GCRYCTL_DISABLE_SECMEM; Arguments: none
This command disables the use of secure memory. If this command is
-used in FIPS mode, FIPS mode will be disabled and the command
-@code{GCRYCTL_FIPS_MODE_P} returns false. However, in Enforced FIPS
+used in FIPS mode, FIPS mode will be disabled and the fucntion
+@code{gcry_fips_mode_active} returns false. However, in Enforced FIPS
mode this command has no effect at all.
Many applications do not require secure memory, so they should disable
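Review bot: "fucntion" in the first added line is a typo for "function". Because the entry added further down in this file states that gcry_fips_mode_active is implemented as a macro, "the macro @code{gcry_fips_mode_active}" would be the more accurate wording here.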
@@ -776,8 +776,17 @@ the intialization has been finished but not before a gcry_version_check.
This command returns true if the library is in FIPS mode. Note, that
this is no indication about the current state of the library. This
command may be used before the intialization has been finished but not
-before a gcry_version_check. An application may use this function to
-check whether FIPS mode is still active.
+before a gcry_version_check. An application may use this command or
+the convenience macro below to check whether FIPS mode is actually
+active.
+
+@deftypefun int gcry_fips_mode_active (void)
+
+Returns true if the FIPS mode is active. Note that this is
+implemented as a macro.
+@end deftypefun
+
+
@item GCRYCTL_FORCE_FIPS_MODE; Arguments: none
Running this command puts the library into FIPS mode. If the library is
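Review bot: The new @deftypefun entry for gcry_fips_mode_active omits the two caveats given for GCRYCTL_FIPS_MODE_P directly above it: that a true result is no indication about the current state of the library, and that the check may not be used before the version check. The macro is only a wrapper around that command, so repeat or reference both caveats in the entry. The rewritten sentence's "actually active" also reads oddly next to "no indication about the current state", and the context spells the function "gcry_version_check" while tests/basic.c calls gcry_check_version, which is worth correcting while this paragraph is being edited.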
@@ -5499,8 +5508,8 @@ A handler set by @code{gcry_set_fatalerror_handler} is ignored.
@end itemize
Note that when we speak about disabling FIPS mode, it merely means
-that the command @code{GCRYCTL_FIPS_MODE_P} returns false; it does not
-mean that any non FIPS algorithms are allowed.
+that the fucntion @code{gcry_fips_mode_active} returns false; it does
+not mean that any non FIPS algorithms are allowed.
@c ********************************************
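Review bot: "fucntion" is misspelled in the first added line of this hunk as well. Fix it together with the earlier occurrence in this file and use the same term (macro or function) for gcry_fips_mode_active in both places.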
diff --git a/src/ChangeLog b/src/ChangeLog
index e29f05ee..3371ca34 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,5 +1,7 @@
2008-09-18 Werner Koch <wk@g10code.com>
+ * gcrypt.h.in (gcry_fips_mode_active): New.
+
* secmem.c (_gcry_secmem_init): Factor most code out to ..
(secmem_init): .. new.
(DEFAULT_POOL_SIZE): Rename to MINIMUM_POOL_SIZE.
diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
index af6f85db..f040ed84 100644
--- a/src/gcrypt.h.in
+++ b/src/gcrypt.h.in
@@ -1815,6 +1815,10 @@ void gcry_free (void *a);
/* Return true if A is allocated in "secure" memory. */
int gcry_is_secure (const void *a) _GCRY_GCC_ATTR_PURE;
+/* Return true if Libgcrypt is in FIPS mode. */
+#define gcry_fips_mode_active() !!gcry_control (GCRYCTL_FIPS_MODE_P, 0)
+
+
/* Include support for Libgcrypt modules. */
#include <gcrypt-module.h>
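Review bot: The body of the new gcry_fips_mode_active() macro is not parenthesized: "!!gcry_control (GCRYCTL_FIPS_MODE_P, 0)". Wrap the expansion in parentheses, as in (!!gcry_control (GCRYCTL_FIPS_MODE_P, 0)), so it remains a single expression wherever a caller uses it. The comment above it could also state that this is a macro, matching what doc/gcrypt.texi tells users.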
diff --git a/tests/basic.c b/tests/basic.c
index e33a0431..b735e0f1 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -2089,7 +2089,7 @@ main (int argc, char **argv)
if (!gcry_check_version (GCRYPT_VERSION))
die ("version mismatch\n");
- if ( gcry_control (GCRYCTL_FIPS_MODE_P, 0) )
+ if ( gcry_fips_mode_active () )
in_fips_mode = 1;
if (!in_fips_mode)