initial package creation

Signed-off-by: Toshaan Bharvani <toshaan@powerel.org>

SOURCES/libgcrypt-1.10.0-allow-short-salt.patch

@@ -0,0 +1,51 @@
+From 58c92098d053aae7c78cc42bdd7c80c13efc89bb Mon Sep 17 00:00:00 2001
+From: NIIBE Yutaka <gniibe@fsij.org>
+Date: Fri, 24 Jun 2022 08:59:31 +0900
+Subject: [PATCH] hmac,hkdf: Allow use of shorter salt for HKDF.
+
+* cipher/md.c (prepare_macpads): Move the check to...
+* src/visibility.c (gcry_mac_setkey): ... here.
+* tests/t-kdf.c (check_hkdf): No failure is expected.
+
+--
+
+GnuPG-bug-id: 6039
+Fixes-commit: 76aad97dd312e83f2f9b8d086553f2b72ab6546f
+Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
+---
+ cipher/md.c      |  3 ---
+ src/visibility.c |  3 +++
+ tests/t-kdf.c    | 12 +-----------
+ 3 files changed, 4 insertions(+), 14 deletions(-)
+
+diff --git a/cipher/md.c b/cipher/md.c
+index 4f4fc9bf..34336b5c 100644
+--- a/cipher/md.c
++++ b/cipher/md.c
+@@ -903,9 +903,6 @@ prepare_macpads (gcry_md_hd_t a, const unsigned char *key, size_t keylen)
+ {
+   GcryDigestEntry *r;
+ 
+-  if (fips_mode () && keylen < 14)
+-    return GPG_ERR_INV_VALUE;
+-
+   if (!a->ctx->list)
+     return GPG_ERR_DIGEST_ALGO; /* Might happen if no algo is enabled.  */
+ 
+diff --git a/src/visibility.c b/src/visibility.c
+index c98247d8..aee5bffb 100644
+--- a/src/visibility.c
++++ b/src/visibility.c
+@@ -946,6 +946,9 @@ gcry_mac_setkey (gcry_mac_hd_t hd, const void *key, size_t keylen)
+   if (!fips_is_operational ())
+     return gpg_error (fips_not_operational ());
+ 
++  if (fips_mode () && keylen < 14)
++    return GPG_ERR_INV_VALUE;
++
+   return gpg_error (_gcry_mac_setkey (hd, key, keylen));
+ }
+ 
+-- 
+2.37.1
+

SOURCES/libgcrypt-1.10.0-allow-small-RSA-verify.patch

@@ -0,0 +1,70 @@
+From ca2afc9fb64d9a9b2f8930ba505d9ab6c8a57667 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 12 May 2022 10:56:47 +0200
+Subject: [PATCH] cipher: Allow verification of small RSA signatures in FIPS
+ mode
+
+* cipher/rsa.c (rsa_check_keysize): Formatting.
+  (rsa_check_verify_keysize): New function.
+  (rsa_verify): Allow using smaller keys for verification.
+--
+
+GnuPG-bug-id: 5975
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ cipher/rsa.c | 26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index c6319b67..9f2b36e8 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -352,13 +352,35 @@ generate_std (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
+ static gpg_err_code_t
+ rsa_check_keysize (unsigned int nbits)
+ {
+-  if (fips_mode() && nbits < 2048)
++  if (fips_mode () && nbits < 2048)
+     return GPG_ERR_INV_VALUE;
+ 
+   return GPG_ERR_NO_ERROR;
+ }
+ 
+ 
++/* Check the RSA key length is acceptable for signature verification
++ *
++ * FIPS allows signature verification with RSA keys of size
++ * 1024, 1280, 1536 and 1792 in legacy mode, but this is up to the
++ * calling application to decide if the signature is legacy and
++ * should be accepted.
++ */
++static gpg_err_code_t
++rsa_check_verify_keysize (unsigned int nbits)
++{
++  if (fips_mode ())
++    {
++      if ((nbits >= 1024 && (nbits % 256) == 0) || nbits >= 2048)
++        return GPG_ERR_NO_ERROR;
++
++      return GPG_ERR_INV_VALUE;
++    }
++
++  return GPG_ERR_NO_ERROR;
++}
++
++
+ /****************
+  * Generate a key pair with a key of size NBITS.
+  * USE_E = 0 let Libcgrypt decide what exponent to use.
+@@ -1602,7 +1624,7 @@ rsa_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms)
+   gcry_mpi_t result = NULL;
+   unsigned int nbits = rsa_get_nbits (keyparms);
+ 
+-  rc = rsa_check_keysize (nbits);
++  rc = rsa_check_verify_keysize (nbits);
+   if (rc)
+     return rc;
+ 
+-- 
+2.37.1
+

SOURCES/libgcrypt-1.10.0-disable-brainpool.patch

@@ -0,0 +1,239 @@
+From d651e25be0bc0c11f4d3d7c72be8cfbbe82b3874 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 10 Sep 2021 18:39:00 +0200
+Subject: [PATCH] Allow building libgcrypt without Brainpool curves
+
+* README: Document possibility to build without brainpool curves
+* cipher/ecc-curves.c: Conditionalize brainpool curves definitions
+* configure.ac: Implement possibility to build without brainpool curves
+* tests/curves.c: Skip brainpool curves if they are not built-in
+* tests/keygrip.c: Skip brainpool curves if they are not built-in
+
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ README              |  3 +++
+ cipher/ecc-curves.c |  4 ++++
+ configure.ac        | 13 +++++++++++++
+ tests/curves.c      | 46 ++++++++++++++++++++++++++++++---------------
+ tests/keygrip.c     |  2 ++
+ 5 files changed, 53 insertions(+), 15 deletions(-)
+
+diff --git a/README b/README
+index 436b6cd4..1044109c 100644
+--- a/README
++++ b/README
+@@ -127,6 +127,9 @@
+                      the list used with the current build the program
+                      tests/version may be used.
+ 
++     --disable-brainpool
++                     Do not build in support for Brainpool curves.
++
+      --disable-endian-check
+                      Don't let configure test for the endianness but
+                      try to use the OS provided macros at compile
+diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c
+index 7c86e12c..8fd95a9c 100644
+--- a/cipher/ecc-curves.c
++++ b/cipher/ecc-curves.c
+@@ -77,6 +77,7 @@ static const struct
+     { "NIST P-521", "1.3.132.0.35" },
+     { "NIST P-521", "nistp521"   },          /* rfc5656.  */
+ 
++#ifdef ENABLE_BRAINPOOL
+     { "brainpoolP160r1", "1.3.36.3.3.2.8.1.1.1" },
+     { "brainpoolP192r1", "1.3.36.3.3.2.8.1.1.3" },
+     { "brainpoolP224r1", "1.3.36.3.3.2.8.1.1.5" },
+@@ -84,6 +85,7 @@ static const struct
+     { "brainpoolP320r1", "1.3.36.3.3.2.8.1.1.9" },
+     { "brainpoolP384r1", "1.3.36.3.3.2.8.1.1.11"},
+     { "brainpoolP512r1", "1.3.36.3.3.2.8.1.1.13"},
++#endif /* ENABLE_BRAINPOOL */
+ 
+     { "GOST2001-test", "1.2.643.2.2.35.0" },
+     { "GOST2001-CryptoPro-A", "1.2.643.2.2.35.1" },
+@@ -297,6 +299,7 @@ static const ecc_domain_parms_t domain_parms[] =
+       1
+     },
+ 
++#ifdef ENABLE_BRAINPOOL
+     { "brainpoolP160r1", 160, 0,
+       MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+       "0xe95e4a5f737059dc60dfc7ad95b3d8139515620f",
+@@ -391,6 +394,7 @@ static const ecc_domain_parms_t domain_parms[] =
+       "b2dcde494a5f485e5bca4bd88a2763aed1ca2b2fa8f0540678cd1e0f3ad80892",
+       1
+     },
++#endif /* ENABLE_BRAINPOOL */
+     {
+       "GOST2001-test", 256, 0,
+       MPI_EC_WEIERSTRASS, ECC_DIALECT_STANDARD,
+diff --git a/configure.ac b/configure.ac
+index 6efbf139..f4ac1887 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -614,6 +614,14 @@ AC_ARG_WITH(fips-module-version,
+ AC_DEFINE_UNQUOTED(FIPS_MODULE_VERSION, "$fips_module_version",
+                    [Define FIPS module version for certification])
+ 
++# Implementation of the --disable-brainpool switch.
++AC_MSG_CHECKING([whether we want to disable the use of brainpool curves])
++AC_ARG_ENABLE(brainpool,
++              AS_HELP_STRING([--disable-brainpool],
++                             [Disable the brainpool curves]),
++              use_brainpool="$enableval",use_brainpool=yes)
++AC_MSG_RESULT($use_brainpool)
++
+ # Implementation of the --disable-jent-support switch.
+ AC_MSG_CHECKING([whether jitter entropy support is requested])
+ AC_ARG_ENABLE(jent-support,
+@@ -2466,6 +2474,10 @@ if test x"$ppccryptosupport" = xyes ; then
+   AC_DEFINE(ENABLE_PPC_CRYPTO_SUPPORT,1,
+             [Enable support for POWER 8 (PowerISA 2.07) crypto extension.])
+ fi
++if test x"$use_brainpool" = xyes ; then
++  AC_DEFINE(ENABLE_BRAINPOOL, 1,
++            [Enable support for the brainpool curves.])
++fi
+ if test x"$jentsupport" = xyes ; then
+   AC_DEFINE(ENABLE_JENT_SUPPORT, 1,
+             [Enable support for the jitter entropy collector.])
+@@ -3296,6 +3308,7 @@ GCRY_MSG_WRAP([Enabled digest algorithms:],[$enabled_digests])
+ GCRY_MSG_WRAP([Enabled kdf algorithms:   ],[$enabled_kdfs])
+ GCRY_MSG_WRAP([Enabled pubkey algorithms:],[$enabled_pubkey_ciphers])
+ GCRY_MSG_SHOW([Random number generator:  ],[$random])
++GCRY_MSG_SHOW([Enabled Brainpool curves: ],[$use_brainpool])
+ GCRY_MSG_SHOW([Try using jitter entropy: ],[$jentsupport])
+ GCRY_MSG_SHOW([Using linux capabilities: ],[$use_capabilities])
+ GCRY_MSG_SHOW([FIPS module version:      ],[$fips_module_version])
+diff --git a/tests/curves.c b/tests/curves.c
+index 3c738171..8eb79565 100644
+--- a/tests/curves.c
++++ b/tests/curves.c
+@@ -33,7 +33,11 @@
+ #include "t-common.h"
+ 
+ /* Number of curves defined in ../cipher/ecc-curves.c */
+-#define N_CURVES 27
++#ifdef ENABLE_BRAINPOOL
++# define N_CURVES 27
++#else
++# define N_CURVES 20
++#endif
+ 
+ /* A real world sample public key.  */
+ static char const sample_key_1[] =
+@@ -52,6 +56,7 @@ static char const sample_key_1[] =
+ static char const sample_key_1_curve[] = "NIST P-256";
+ static unsigned int sample_key_1_nbits = 256;
+ 
++#ifdef ENABLE_BRAINPOOL
+ /* A made up sample public key.  */
+ static char const sample_key_2[] =
+ "(public-key\n"
+@@ -68,6 +73,7 @@ static char const sample_key_2[] =
+ "  ))";
+ static char const sample_key_2_curve[] = "brainpoolP160r1";
+ static unsigned int sample_key_2_nbits = 160;
++#endif /* ENABLE_BRAINPOOL */
+ 
+ static int in_fips_mode;
+ 
+@@ -113,6 +119,7 @@ check_matching (void)
+ 
+   gcry_sexp_release (key);
+ 
++#ifdef ENABLE_BRAINPOOL
+   if (!in_fips_mode)
+     {
+       err = gcry_sexp_new (&key, sample_key_2, 0, 1);
+@@ -130,6 +137,7 @@ check_matching (void)
+ 
+       gcry_sexp_release (key);
+     }
++#endif /* ENABLE_BRAINPOOL */
+ }
+ 
+ #define TEST_ERROR_EXPECTED (1 << 0)
+@@ -185,20 +193,26 @@ check_get_params (void)
+        { GCRY_PK_ECC, "1.3.132.0.35" },
+        { GCRY_PK_ECC, "nistp521"   },
+ 
+-       { GCRY_PK_ECC, "brainpoolP160r1",       TEST_NOFIPS },
+-       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1",  TEST_NOFIPS },
+-       { GCRY_PK_ECC, "brainpoolP192r1",       TEST_NOFIPS },
+-       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3",  TEST_NOFIPS },
+-       { GCRY_PK_ECC, "brainpoolP224r1",       TEST_NOFIPS },
+-       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5",  TEST_NOFIPS },
+-       { GCRY_PK_ECC, "brainpoolP256r1",       TEST_NOFIPS },
+-       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7",  TEST_NOFIPS },
+-       { GCRY_PK_ECC, "brainpoolP320r1",       TEST_NOFIPS },
+-       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9",  TEST_NOFIPS },
+-       { GCRY_PK_ECC, "brainpoolP384r1",       TEST_NOFIPS },
+-       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", TEST_NOFIPS },
+-       { GCRY_PK_ECC, "brainpoolP512r1",       TEST_NOFIPS },
+-       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", TEST_NOFIPS },
++#ifdef ENABLE_BRAINPOOL
++# define BRAINPOOL_FLAGS TEST_NOFIPS
++#else
++# define BRAINPOOL_FLAGS TEST_ERROR_EXPECTED
++#endif /* ENABLE_BRAINPOOL */
++       { GCRY_PK_ECC, "brainpoolP160r1",       BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.1",  BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "brainpoolP192r1",       BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.3",  BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "brainpoolP224r1",       BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.5",  BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "brainpoolP256r1",       BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.7",  BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "brainpoolP320r1",       BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.9",  BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "brainpoolP384r1",       BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.11", BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "brainpoolP512r1",       BRAINPOOL_FLAGS },
++       { GCRY_PK_ECC, "1.3.36.3.3.2.8.1.1.13", BRAINPOOL_FLAGS },
++#undef BRAINPOOL_ERROR_EXPECTED
+ 
+        { GCRY_PK_ECC, "GOST2001-test", TEST_NOFIPS },
+        { GCRY_PK_ECC, "1.2.643.2.2.35.0", TEST_NOFIPS },
+@@ -282,6 +296,7 @@ check_get_params (void)
+ 
+   gcry_sexp_release (param);
+ 
++#ifdef ENABLE_BRAINPOOL
+   if (!in_fips_mode)
+     {
+       param = gcry_pk_get_param (GCRY_PK_ECDSA, sample_key_2_curve);
+@@ -297,6 +312,7 @@ check_get_params (void)
+ 
+       gcry_sexp_release (param);
+     }
++#endif /* ENABLE_BRAINPOOL */
+ 
+   /* Some simple tests */
+   for (idx=0; idx < DIM (tv); idx++)
+diff --git a/tests/keygrip.c b/tests/keygrip.c
+index 49bd71bc..fc4c17be 100644
+--- a/tests/keygrip.c
++++ b/tests/keygrip.c
+@@ -149,6 +149,7 @@ static struct
+       " (q #04C8A4CEC2E9A9BC8E173531A67B0840DF345C32E261ADD780E6D83D56EFADFD5DE872F8B854819B59543CE0B7F822330464FBC4E6324DADDCD9D059554F63B344#)))",
+       "\xE6\xDF\x94\x2D\xBD\x8C\x77\x05\xA3\xDD\x41\x6E\xFC\x04\x01\xDB\x31\x0E\x99\xB6"
+     },
++#ifdef ENABLE_BRAINPOOL
+     {
+       GCRY_PK_ECC,
+       "(public-key"
+@@ -197,6 +198,7 @@ static struct
+       "\xD6\xE1\xBF\x43\xAC\x9B\x9A\x12\xE7\x3F",
+       1
+     },
++#endif /*ENABLE_BRAINPOOL */
+     { /* Ed25519 standard */
+       GCRY_PK_ECC,
+       "(public-key"
+-- 
+2.34.1
+

SOURCES/libgcrypt-1.10.0-fips-disable-oaep.patch

@@ -0,0 +1,151 @@
+From 34d8fc576b3a06dd205f45327a971eb6771e808c Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 17 Aug 2022 09:01:44 +0200
+Subject: [PATCH 1/2] Disable RSA-OAEP padding in FIPS mode
+
+* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Block OAEP padding
+  in FIPS mode for encryption
+* cipher/rsa.c (rsa_decrypt): Block OAEP padding in FIPS mode for
+  decryption
+---
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ cipher/pubkey-util.c | 5 ++++-
+ cipher/rsa.c         | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c
+index 4953caf3..244dd5d4 100644
+--- a/cipher/pubkey-util.c
++++ b/cipher/pubkey-util.c
+@@ -1092,7 +1092,10 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
+       const void * value;
+       size_t valuelen;
+ 
+-      if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen )
++      /* The RSA OAEP encryption requires some more assurances in FIPS */
++      if (fips_mode ())
++        rc = GPG_ERR_INV_FLAG;
++      else if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen )
+ 	rc = GPG_ERR_INV_OBJ;
+       else
+ 	{
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 96dba090..87f57b55 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -1457,7 +1457,8 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
+       rc = GPG_ERR_INV_DATA;
+       goto leave;
+     }
+-  if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1))
++  if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1 ||
++                       ctx.encoding == PUBKEY_ENC_OAEP))
+     {
+       rc = GPG_ERR_INV_FLAG;
+       goto leave;
+-- 
+2.37.1
+
+
+From c6d64e697c2748a49e875060aa753fc568c5f772 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 17 Aug 2022 10:31:19 +0200
+Subject: [PATCH 2/2] tests: Expect the OEAP tests to fail in FIPS mode
+
+* tests/basic.c (check_pubkey_crypt): Expect the OAEP padding encryption
+  to fail in FIPS mode
+* tests/pkcs1v2.c (check_oaep): Expect the OAEP tests to fail in FIPS
+  mode
+---
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ tests/basic.c   | 14 +++++++++-----
+ tests/pkcs1v2.c | 13 +++++++++++++
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/tests/basic.c b/tests/basic.c
+index 26980e15..b4102c9f 100644
+--- a/tests/basic.c
++++ b/tests/basic.c
+@@ -16892,21 +16892,24 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	"(flags oaep)",
+ 	1,
+ 	0,
+-	0 },
++	0,
++	FLAG_NOFIPS },
+       { GCRY_PK_RSA,
+         "(data\n (flags oaep)\n (hash-algo sha1)\n"
+ 	" (value #11223344556677889900AA#))\n",
+ 	"(flags oaep)(hash-algo sha1)",
+ 	1,
+ 	0,
+-	0 },
++	0,
++	FLAG_NOFIPS },
+       { GCRY_PK_RSA,
+         "(data\n (flags oaep)\n (hash-algo sha1)\n (label \"test\")\n"
+ 	" (value #11223344556677889900AA#))\n",
+ 	"(flags oaep)(hash-algo sha1)(label \"test\")",
+ 	1,
+ 	0,
+-	0 },
++	0,
++	FLAG_NOFIPS },
+       { GCRY_PK_RSA,
+         "(data\n (flags oaep)\n (hash-algo sha1)\n (label \"test\")\n"
+ 	" (value #11223344556677889900AA#)\n"
+@@ -16914,7 +16917,8 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	"(flags oaep)(hash-algo sha1)(label \"test\")",
+ 	1,
+ 	0,
+-	0 },
++	0,
++	FLAG_NOFIPS },
+       {	0,
+         "(data\n (flags )\n" " (value #11223344556677889900AA#))\n",
+ 	NULL,
+@@ -16960,7 +16964,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	"(flags pkcs1)",
+ 	1,
+ 	0,
+-	GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL },
++	GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL | FLAG_NOFIPS },
+       {	0,
+         "(data\n (flags pss)\n"
+ 	" (value #11223344556677889900AA#))\n",
+diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c
+index 6c7f3d81..2fd495d5 100644
+--- a/tests/pkcs1v2.c
++++ b/tests/pkcs1v2.c
+@@ -186,11 +186,24 @@ check_oaep (void)
+           err = gcry_pk_encrypt (&ciph, plain, pub_key);
+           if (err)
+             {
++              if (in_fips_mode)
++                {
++                  gcry_sexp_release (plain);
++                  plain = NULL;
++                  continue;
++                }
+               show_sexp ("plain:\n", ciph);
+               fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (err));
+             }
+           else
+             {
++              if (in_fips_mode)
++                {
++                  fail ("The OAEP encryption unexpectedly worked in FIPS mode\n");
++                  gcry_sexp_release (plain);
++                  plain = NULL;
++                  continue;
++                }
+               if (extract_cmp_data (ciph, "a", tbl[tno].m[mno].encr,
+                                     tbl[tno].m[mno].desc))
+                 {
+-- 
+2.37.1
+

SOURCES/libgcrypt-1.10.0-fips-disable-pkcs1.5.patch

@@ -0,0 +1,219 @@
+From c7709f7b23848abf4ba65cb99cb2a9e9c7ebdefc Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 1 Apr 2022 18:29:08 +0200
+Subject: [PATCH 1/3] Do not allow PKCS #1.5 padding for encryption in FIPS
+
+* cipher/pubkey-util.c (_gcry_pk_util_data_to_mpi): Block PKCS #1.5
+  padding for encryption in FIPS mode
+* cipher/rsa.c (rsa_decrypt): Block PKCS #1.5 decryption in FIPS mode
+--
+
+GnuPG-bug-id: 5918
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ cipher/pubkey-util.c | 5 ++++-
+ cipher/rsa.c         | 5 +++++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c
+index 68defea6..4953caf3 100644
+--- a/cipher/pubkey-util.c
++++ b/cipher/pubkey-util.c
+@@ -957,7 +957,10 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi,
+       void *random_override = NULL;
+       size_t random_override_len = 0;
+ 
+-      if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen )
++      /* The RSA PKCS#1.5 encryption is no longer supported by FIPS */
++      if (fips_mode ())
++        rc = GPG_ERR_INV_FLAG;
++      else if ( !(value=sexp_nth_data (lvalue, 1, &valuelen)) || !valuelen )
+         rc = GPG_ERR_INV_OBJ;
+       else
+         {
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 771413b3..c6319b67 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -1391,6 +1391,11 @@ rsa_decrypt (gcry_sexp_t *r_plain, gcry_sexp_t s_data, gcry_sexp_t keyparms)
+       rc = GPG_ERR_INV_DATA;
+       goto leave;
+     }
++  if (fips_mode () && (ctx.encoding == PUBKEY_ENC_PKCS1))
++    {
++      rc = GPG_ERR_INV_FLAG;
++      goto leave;
++    }
+ 
+   /* Extract the key.  */
+   rc = sexp_extract_param (keyparms, NULL, "nedp?q?u?",
+-- 
+2.34.1
+
+
+From 299e2f93415984919181e0ee651719bbf83bdd2f Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 1 Apr 2022 18:31:05 +0200
+Subject: [PATCH 2/3] tests: Replace custom bit with more generic flags
+
+* tests/basic.c (global): New flag FLAG_SPECIAL
+  (check_pubkey_crypt): Change to use bitfield flags
+
+--
+
+GnuPG-bug-id: 5918
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ tests/basic.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+diff --git a/tests/basic.c b/tests/basic.c
+index a0ad33eb..1c6cb40b 100644
+--- a/tests/basic.c
++++ b/tests/basic.c
+@@ -55,11 +55,12 @@ typedef struct test_spec_pubkey
+ }
+ test_spec_pubkey_t;
+ 
+-#define FLAG_CRYPT  (1 << 0)
+-#define FLAG_SIGN   (1 << 1)
+-#define FLAG_GRIP   (1 << 2)
+-#define FLAG_NOFIPS (1 << 3)
+-#define FLAG_CFB8   (1 << 4)
++#define FLAG_CRYPT   (1 << 0)
++#define FLAG_SIGN    (1 << 1)
++#define FLAG_GRIP    (1 << 2)
++#define FLAG_NOFIPS  (1 << 3)
++#define FLAG_CFB8    (1 << 4)
++#define FLAG_SPECIAL (1 << 5)
+ 
+ static int in_fips_mode;
+ 
+@@ -15558,7 +15559,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+     int unpadded;
+     int encrypt_expected_rc;
+     int decrypt_expected_rc;
+-    int special;
++    int flags;
+   } datas[] =
+     {
+       {	GCRY_PK_RSA,
+@@ -15642,14 +15643,14 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	"(flags oaep)",
+ 	1,
+ 	0,
+-	GPG_ERR_ENCODING_PROBLEM, 1 },
++	GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL },
+       { GCRY_PK_RSA,
+         "(data\n (flags oaep)\n"
+ 	" (value #11223344556677889900AA#))\n",
+ 	"(flags pkcs1)",
+ 	1,
+ 	0,
+-	GPG_ERR_ENCODING_PROBLEM, 1 },
++	GPG_ERR_ENCODING_PROBLEM, FLAG_SPECIAL },
+       {	0,
+         "(data\n (flags pss)\n"
+ 	" (value #11223344556677889900AA#))\n",
+@@ -15725,7 +15726,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	      ciph = list;
+ 	    }
+ 	  rc = gcry_pk_decrypt (&plain, ciph, skey);
+-          if (!rc && datas[dataidx].special == 1)
++          if (!rc && (datas[dataidx].flags & FLAG_SPECIAL))
+             {
+               /* It may happen that OAEP formatted data which is
+                  decrypted as pkcs#1 data returns a valid pkcs#1
+-- 
+2.34.1
+
+
+From f736f3c70182d9c948f9105eb769c47c5578df35 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 1 Apr 2022 18:34:42 +0200
+Subject: [PATCH 3/3] tests: Expect the RSA PKCS #1.5 encryption to fail in
+ FIPS mode
+
+* tests/basic.c (check_pubkey_crypt): Expect RSA PKCS #1.5 encryption to
+  fail in FIPS mode. Expect failure when wrong padding is selected
+* tests/pkcs1v2.c (check_v15crypt): Expect RSA PKCS #1.5 encryption to
+  fail in FIPS mode
+--
+
+GnuPG-bug-id: 5918
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ tests/basic.c   | 11 +++++++----
+ tests/pkcs1v2.c | 14 +++++++++++++-
+ 2 files changed, 20 insertions(+), 5 deletions(-)
+
+diff --git a/tests/basic.c b/tests/basic.c
+index 1c6cb40b..85764591 100644
+--- a/tests/basic.c
++++ b/tests/basic.c
+@@ -15568,14 +15568,16 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	NULL,
+ 	0,
+ 	0,
+-	0 },
++	0,
++	FLAG_NOFIPS },
+       {	GCRY_PK_RSA,
+         "(data\n (flags pkcs1)\n"
+ 	" (value #11223344556677889900AA#))\n",
+ 	"(flags pkcs1)",
+ 	1,
+ 	0,
+-	0 },
++	0,
++	FLAG_NOFIPS },
+       { GCRY_PK_RSA,
+         "(data\n (flags oaep)\n"
+ 	" (value #11223344556677889900AA#))\n",
+@@ -15677,7 +15679,8 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	die ("converting data failed: %s\n", gpg_strerror (rc));
+ 
+       rc = gcry_pk_encrypt (&ciph, data, pkey);
+-      if (in_fips_mode && (flags & FLAG_NOFIPS))
++      if (in_fips_mode && ((flags & FLAG_NOFIPS) ||
++                           (datas[dataidx].flags & FLAG_NOFIPS)))
+         {
+           if (!rc)
+             fail ("gcry_pk_encrypt did not fail as expected in FIPS mode\n");
+@@ -15726,7 +15729,7 @@ check_pubkey_crypt (int n, gcry_sexp_t skey, gcry_sexp_t pkey, int algo,
+ 	      ciph = list;
+ 	    }
+ 	  rc = gcry_pk_decrypt (&plain, ciph, skey);
+-          if (!rc && (datas[dataidx].flags & FLAG_SPECIAL))
++          if ((!rc || in_fips_mode) && (datas[dataidx].flags & FLAG_SPECIAL))
+             {
+               /* It may happen that OAEP formatted data which is
+                  decrypted as pkcs#1 data returns a valid pkcs#1
+diff --git a/tests/pkcs1v2.c b/tests/pkcs1v2.c
+index f26e779b..6c7f3d81 100644
+--- a/tests/pkcs1v2.c
++++ b/tests/pkcs1v2.c
+@@ -454,7 +454,19 @@ check_v15crypt (void)
+           gcry_free (seed);
+ 
+           err = gcry_pk_encrypt (&ciph, plain, pub_key);
+-          if (err)
++          if (in_fips_mode)
++            {
++              if (!err)
++                {
++                  fail ("gcry_pk_encrypt should have failed in FIPS mode:\n");
++                }
++              gcry_sexp_release (plain);
++              plain = NULL;
++              gcry_sexp_release (ciph);
++              ciph = NULL;
++              continue;
++            }
++          else if (err)
+             {
+               show_sexp ("plain:\n", ciph);
+               fail ("gcry_pk_encrypt failed: %s\n", gpg_strerror (err));
+-- 
+2.34.1
+

SOURCES/libgcrypt-1.10.0-fips-getrandom.patch

@@ -0,0 +1,41 @@
+From 0a5e608b8b18d4f41e4d7434c6262bf11507f859 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 16 Aug 2022 15:30:43 +0200
+Subject: [PATCH] random: Use getrandom (GRND_RANDOM) in FIPS mode
+
+The SP800-90C (clarified in IG D.K.) requires the following when
+different DRBGs are chained:
+ * the parent needs to be reseeded before generate operation
+ * the reseed & generate needs to be atomic
+
+In RHEL, this is addressed by change in the kernel, that will do this
+automatically, when the getentropy () is called with GRND_RANDOM flag.
+
+* random/rndgetentropy.c (_gcry_rndgetentropy_gather_random): Use
+  GRND_RANDOM in FIPS Mode
+---
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ random/rndgetentropy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/random/rndgetentropy.c b/random/rndgetentropy.c
+index 7580873e..db4b09ed 100644
+--- a/random/rndgetentropy.c
++++ b/random/rndgetentropy.c
+@@ -82,7 +82,10 @@ _gcry_rndgetentropy_gather_random (void (*add)(const void*, size_t,
+         {
+           nbytes = length < sizeof (buffer)? length : sizeof (buffer);
+           _gcry_pre_syscall ();
+-          ret = getentropy (buffer, nbytes);
++          if (fips_mode ())
++            ret = getrandom (buffer, nbytes, GRND_RANDOM);
++          else
++            ret = getentropy (buffer, nbytes);
+           _gcry_post_syscall ();
+         }
+       while (ret == -1 && errno == EINTR);
+-- 
+2.37.1
+

SOURCES/libgcrypt-1.10.0-fips-selftest.patch

@@ -0,0 +1,923 @@
+From e62829a907a7179ec6b0d9f47258185860f0a6c0 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 2 Aug 2022 20:53:31 +0200
+Subject: [PATCH 1/6] Run digest&sign self tests for RSA and ECC in FIPS mode
+
+* cipher/ecc.c (selftest_hash_sign): Implement digest & sign KAT
+ (selftests_ecdsa): Run the original basic test only with extended tests
+ (run_selftests): Pass-through the extended argument
+* cipher/rsa.c (selftest_hash_sign_2048): Implement digest & sign KAT
+ (selftests_rsa): Run the original basic test only with extended tests
+ (run_selftests): Pass-through the extended argument
+---
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ cipher/ecc.c | 138 ++++++++++++++++++++++++++++++++++++++++++++++++---
+ cipher/rsa.c | 108 +++++++++++++++++++++++++++++++++++++---
+ 2 files changed, 234 insertions(+), 12 deletions(-)
+
+diff --git a/cipher/ecc.c b/cipher/ecc.c
+index 9f0e7b11..63b0d05e 100644
+--- a/cipher/ecc.c
++++ b/cipher/ecc.c
+@@ -1678,6 +1678,126 @@ _gcry_pk_ecc_get_sexp (gcry_sexp_t *r_sexp, int mode, mpi_ec_t ec)
+      Self-test section.
+  */
+ 
++static const char *
++selftest_hash_sign (gcry_sexp_t pkey, gcry_sexp_t skey)
++{
++  int md_algo = GCRY_MD_SHA256;
++  gcry_md_hd_t hd = NULL;
++  const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
++  /* Sample data from RFC 6979 section A.2.5, hash is of message "sample" */
++  static const char sample_data[] = "sample";
++  static const char sample_data_bad[] = "sbmple";
++  static const char signature_r[] =
++    "efd48b2aacb6a8fd1140dd9cd45e81d69d2c877b56aaf991c34d0ea84eaf3716";
++  static const char signature_s[] =
++    "f7cb1c942d657c41d436c7a1b6e29f65f3e900dbb9aff4064dc4ab2f843acda8";
++
++  const char *errtxt = NULL;
++  gcry_error_t err;
++  gcry_sexp_t sig = NULL;
++  gcry_sexp_t l1 = NULL;
++  gcry_sexp_t l2 = NULL;
++  gcry_mpi_t r = NULL;
++  gcry_mpi_t s = NULL;
++  gcry_mpi_t calculated_r = NULL;
++  gcry_mpi_t calculated_s = NULL;
++  int cmp;
++
++  err = _gcry_md_open (&hd, md_algo, 0);
++  if (err)
++    {
++      errtxt = "gcry_md_open failed";
++      goto leave;
++    }
++
++  _gcry_md_write (hd, sample_data, strlen(sample_data));
++
++  err = _gcry_mpi_scan (&r, GCRYMPI_FMT_HEX, signature_r, 0, NULL);
++  if (!err)
++    err = _gcry_mpi_scan (&s, GCRYMPI_FMT_HEX, signature_s, 0, NULL);
++
++  if (err)
++    {
++      errtxt = "converting data failed";
++      goto leave;
++    }
++
++  err = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
++  if (err)
++    {
++      errtxt = "signing failed";
++      goto leave;
++    }
++
++  /* check against known signature */
++  errtxt = "signature validity failed";
++  l1 = _gcry_sexp_find_token (sig, "sig-val", 0);
++  if (!l1)
++    goto leave;
++  l2 = _gcry_sexp_find_token (l1, "ecdsa", 0);
++  if (!l2)
++    goto leave;
++
++  sexp_release (l1);
++  l1 = l2;
++
++  l2 = _gcry_sexp_find_token (l1, "r", 0);
++  if (!l2)
++    goto leave;
++  calculated_r = _gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
++  if (!calculated_r)
++    goto leave;
++
++  sexp_release (l2);
++  l2 = _gcry_sexp_find_token (l1, "s", 0);
++  if (!l2)
++    goto leave;
++  calculated_s = _gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
++  if (!calculated_s)
++    goto leave;
++
++  errtxt = "known sig check failed";
++
++  cmp = _gcry_mpi_cmp (r, calculated_r);
++  if (cmp)
++    goto leave;
++  cmp = _gcry_mpi_cmp (s, calculated_s);
++  if (cmp)
++    goto leave;
++
++  errtxt = NULL;
++
++  /* verify generated signature */
++  err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  if (err)
++    {
++      errtxt = "verify failed";
++      goto leave;
++    }
++
++  _gcry_md_reset(hd);
++  _gcry_md_write (hd, sample_data_bad, strlen(sample_data_bad));
++  err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  if (gcry_err_code (err) != GPG_ERR_BAD_SIGNATURE)
++    {
++      errtxt = "bad signature not detected";
++      goto leave;
++    }
++
++
++ leave:
++  _gcry_md_close (hd);
++  sexp_release (sig);
++  sexp_release (l1);
++  sexp_release (l2);
++  mpi_release (r);
++  mpi_release (s);
++  mpi_release (calculated_r);
++  mpi_release (calculated_s);
++  return errtxt;
++}
++
++
+ static const char *
+ selftest_sign (gcry_sexp_t pkey, gcry_sexp_t skey)
+ {
+@@ -1798,7 +1918,7 @@ selftest_sign (gcry_sexp_t pkey, gcry_sexp_t skey)
+ 
+ 
+ static gpg_err_code_t
+-selftests_ecdsa (selftest_report_func_t report)
++selftests_ecdsa (selftest_report_func_t report, int extended)
+ {
+   const char *what;
+   const char *errtxt;
+@@ -1826,8 +1946,16 @@ selftests_ecdsa (selftest_report_func_t report)
+       goto failed;
+     }
+ 
+-  what = "sign";
+-  errtxt = selftest_sign (pkey, skey);
++  if (extended)
++    {
++      what = "sign";
++      errtxt = selftest_sign (pkey, skey);
++      if (errtxt)
++        goto failed;
++    }
++
++  what = "digest sign";
++  errtxt = selftest_hash_sign (pkey, skey);
+   if (errtxt)
+     goto failed;
+ 
+@@ -1848,12 +1976,10 @@ selftests_ecdsa (selftest_report_func_t report)
+ static gpg_err_code_t
+ run_selftests (int algo, int extended, selftest_report_func_t report)
+ {
+-  (void)extended;
+-
+   if (algo != GCRY_PK_ECC)
+     return GPG_ERR_PUBKEY_ALGO;
+ 
+-  return selftests_ecdsa (report);
++  return selftests_ecdsa (report, extended);
+ }
+ 
+ 
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 9f2b36e8..34c8e490 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -1760,6 +1760,96 @@ compute_keygrip (gcry_md_hd_t md, gcry_sexp_t keyparam)
+      Self-test section.
+  */
+ 
++static const char *
++selftest_hash_sign_2048 (gcry_sexp_t pkey, gcry_sexp_t skey)
++{
++  int md_algo = GCRY_MD_SHA256;
++  gcry_md_hd_t hd = NULL;
++  const char *data_tmpl = "(data (flags pkcs1) (hash %s %b))";
++  static const char sample_data[] =
++    "11223344556677889900aabbccddeeff"
++    "102030405060708090a0b0c0d0f01121";
++  static const char sample_data_bad[] =
++    "11223344556677889900aabbccddeeff"
++    "802030405060708090a0b0c0d0f01121";
++
++  const char *errtxt = NULL;
++  gcry_error_t err;
++  gcry_sexp_t sig = NULL;
++  /* raw signature data reference */
++  const char ref_data[] =
++    "518f41dea3ad884e93eefff8d7ca68a6f4c30d923632e35673651d675cebd652"
++    "a44ed66f6879b18f3d48b2d235b1dd78f6189be1440352cc94231a55c1f93109"
++    "84616b2841c42fe9a6e37be34cd188207209bd028e2fa93e721fbac40c31a068"
++    "1253b312d4e07addb9c7f3d508fa89f218ea7c7f7b9f6a9b1e522c19fa1cd839"
++    "93f9d4ca2f16c3d0b9abafe5e63e848152afc72ce7ee19ea45353116f85209ea"
++    "b9de42129dbccdac8faa461e8e8cc2ae801101cc6add4ba76ccb752030b0e827"
++    "7352b11cdecebae9cdc9a626c4701cd9c85cd287618888c5fae8b4d0ba48915d"
++    "e5cc64e3aee2ba2862d04348ea71f65454f74f9fd1e3108005cc367ca41585a4";
++  gcry_mpi_t ref_mpi = NULL;
++  gcry_mpi_t sig_mpi = NULL;
++
++  err = _gcry_md_open (&hd, md_algo, 0);
++  if (err)
++    {
++      errtxt = "gcry_md_open failed";
++      goto leave;
++    }
++
++  _gcry_md_write (hd, sample_data, sizeof(sample_data));
++
++  err = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
++  if (err)
++    {
++      errtxt = "signing failed";
++      goto leave;
++    }
++
++  err = _gcry_mpi_scan(&ref_mpi, GCRYMPI_FMT_HEX, ref_data, 0, NULL);
++  if (err)
++    {
++      errtxt = "converting ref_data to mpi failed";
++      goto leave;
++    }
++
++  err = _gcry_sexp_extract_param(sig, "sig-val!rsa", "s", &sig_mpi, NULL);
++  if (err)
++    {
++      errtxt = "extracting signature data failed";
++      goto leave;
++    }
++
++  if (mpi_cmp (sig_mpi, ref_mpi))
++    {
++      errtxt = "signature does not match reference data";
++      goto leave;
++    }
++
++  err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  if (err)
++    {
++      errtxt = "verify failed";
++      goto leave;
++    }
++
++  _gcry_md_reset(hd);
++  _gcry_md_write (hd, sample_data_bad, sizeof(sample_data_bad));
++  err = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  if (gcry_err_code (err) != GPG_ERR_BAD_SIGNATURE)
++    {
++      errtxt = "bad signature not detected";
++      goto leave;
++    }
++
++
++ leave:
++  sexp_release (sig);
++  _gcry_md_close (hd);
++  _gcry_mpi_release (ref_mpi);
++  _gcry_mpi_release (sig_mpi);
++  return errtxt;
++}
++
+ static const char *
+ selftest_sign_2048 (gcry_sexp_t pkey, gcry_sexp_t skey)
+ {
+@@ -1996,7 +2086,7 @@ selftest_encr_2048 (gcry_sexp_t pkey, gcry_sexp_t skey)
+ 
+ 
+ static gpg_err_code_t
+-selftests_rsa (selftest_report_func_t report)
++selftests_rsa (selftest_report_func_t report, int extended)
+ {
+   const char *what;
+   const char *errtxt;
+@@ -2024,8 +2114,16 @@ selftests_rsa (selftest_report_func_t report)
+       goto failed;
+     }
+ 
+-  what = "sign";
+-  errtxt = selftest_sign_2048 (pkey, skey);
++  if (extended)
++    {
++      what = "sign";
++      errtxt = selftest_sign_2048 (pkey, skey);
++      if (errtxt)
++        goto failed;
++    }
++
++  what = "digest sign";
++  errtxt = selftest_hash_sign_2048 (pkey, skey);
+   if (errtxt)
+     goto failed;
+ 
+@@ -2053,12 +2151,10 @@ run_selftests (int algo, int extended, selftest_report_func_t report)
+ {
+   gpg_err_code_t ec;
+ 
+-  (void)extended;
+-
+   switch (algo)
+     {
+     case GCRY_PK_RSA:
+-      ec = selftests_rsa (report);
++      ec = selftests_rsa (report, extended);
+       break;
+     default:
+       ec = GPG_ERR_PUBKEY_ALGO;
+-- 
+2.37.1
+
+
+From b386e9862e7c3c0f6623fb1c43b0cf0481bbebc7 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 8 Aug 2022 13:50:15 +0200
+Subject: [PATCH 2/6] fips: Add function-name based FIPS indicator
+
+* doc/gcrypt.texi: Document the new function-based fips indicator
+  GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
+* src/fips.c (_gcry_fips_indicator_function): New function indicating
+  non-approved functions.
+* src/gcrypt.h.in (enum gcry_ctl_cmds): New symbol
+  GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION
+* src/global.c (_gcry_vcontrol): Handle new FIPS indicator.
+---
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ doc/gcrypt.texi |  7 +++++++
+ src/fips.c      | 12 ++++++++++++
+ src/g10lib.h    |  1 +
+ src/gcrypt.h.in |  3 ++-
+ src/global.c    |  7 +++++++
+ 5 files changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi
+index f2c1cc94..b608dba2 100644
+--- a/doc/gcrypt.texi
++++ b/doc/gcrypt.texi
+@@ -995,6 +995,13 @@ certification. If the KDF is approved, this function returns
+ @code{GPG_ERR_NO_ERROR}. Otherwise @code{GPG_ERR_NOT_SUPPORTED}
+ is returned.
+ 
++@item GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION; Arguments: const char *
++
++Check if the given function is approved under the current FIPS 140-3
++certification. If the function is approved, this function returns
++@code{GPG_ERR_NO_ERROR} (other restrictions might still apply).
++Otherwise @code{GPG_ERR_NOT_SUPPORTED} is returned.
++
+ @end table
+ 
+ @end deftypefun
+diff --git a/src/fips.c b/src/fips.c
+index a1958b14..9a524ea4 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -390,6 +390,18 @@ _gcry_fips_indicator_kdf (va_list arg_ptr)
+     }
+ }
+ 
++int
++_gcry_fips_indicator_function (va_list arg_ptr)
++{
++  const char *function = va_arg (arg_ptr, const char *);
++
++  if (strcmp (function, "gcry_sign") == 0 ||
++      strcmp (function, "gcry_verify") == 0)
++    return GPG_ERR_NOT_SUPPORTED;
++
++  return GPG_ERR_NO_ERROR;
++}
++
+ 
+ /* This is a test on whether the library is in the error or
+    operational state. */
+diff --git a/src/g10lib.h b/src/g10lib.h
+index 8ba0a5c2..eff6295f 100644
+--- a/src/g10lib.h
++++ b/src/g10lib.h
+@@ -468,6 +468,7 @@ void _gcry_fips_signal_error (const char *srcfile,
+ 
+ int _gcry_fips_indicator_cipher (va_list arg_ptr);
+ int _gcry_fips_indicator_kdf (va_list arg_ptr);
++int _gcry_fips_indicator_function (va_list arg_ptr);
+ 
+ int _gcry_fips_is_operational (void);
+ 
+diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in
+index 299261db..d6a1d516 100644
+--- a/src/gcrypt.h.in
++++ b/src/gcrypt.h.in
+@@ -329,7 +329,8 @@ enum gcry_ctl_cmds
+     GCRYCTL_SET_DECRYPTION_TAG = 80,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_CIPHER = 81,
+     GCRYCTL_FIPS_SERVICE_INDICATOR_KDF = 82,
+-    GCRYCTL_NO_FIPS_MODE = 83
++    GCRYCTL_NO_FIPS_MODE = 83,
++    GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION = 84
+   };
+ 
+ /* Perform various operations defined by CMD. */
+diff --git a/src/global.c b/src/global.c
+index 258ea4d1..debf6194 100644
+--- a/src/global.c
++++ b/src/global.c
+@@ -797,6 +797,13 @@ _gcry_vcontrol (enum gcry_ctl_cmds cmd, va_list arg_ptr)
+       rc = _gcry_fips_indicator_kdf (arg_ptr);
+       break;
+ 
++    case GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION:
++      /* Get FIPS Service Indicator for a given function from the API.
++       * Returns GPG_ERR_NO_ERROR if the function is allowed or
++       * GPG_ERR_NOT_SUPPORTED otherwise */
++      rc = _gcry_fips_indicator_function (arg_ptr);
++      break;
++
+     case PRIV_CTL_INIT_EXTRNG_TEST:  /* Init external random test.  */
+       rc = GPG_ERR_NOT_SUPPORTED;
+       break;
+-- 
+2.37.1
+
+
+From 756cdfaf30c2b12d2b2a931591089b1de22444f4 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 8 Aug 2022 15:58:16 +0200
+Subject: [PATCH 4/6] rsa: Run PCT in FIPS mode also with digest step
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ cipher/rsa.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 68 insertions(+), 1 deletion(-)
+
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 6e7be8e8..78c26f2f 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -177,6 +177,73 @@ test_keys (RSA_secret_key *sk, unsigned int nbits)
+   return result;
+ }
+ 
++static int
++test_keys_fips (RSA_secret_key *sk)
++{
++  int result = -1; /* Default to failure.  */
++  char plaintext[128];
++  gcry_sexp_t sig = NULL;
++  gcry_sexp_t skey = NULL, pkey = NULL;
++  const char *data_tmpl = "(data (flags pkcs1) (hash %s %b))";
++  gcry_md_hd_t hd = NULL;
++  int ec;
++
++  /* Put the relevant parameters into a public key structure.  */
++  ec = sexp_build (&pkey, NULL,
++                   "(key-data"
++                   " (public-key"
++                   "  (rsa(n%m)(e%m))))",
++                   sk->n, sk->e);
++  if (ec)
++    goto leave;
++
++  /* Put the relevant parameters into a secret key structure.  */
++  ec = sexp_build (&skey, NULL,
++                   "(key-data"
++                   " (public-key"
++                   "  (rsa(n%m)(e%m)))"
++                   " (private-key"
++                   "  (rsa(n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))",
++                   sk->n, sk->e,
++                   sk->n, sk->e, sk->d, sk->p, sk->q, sk->u);
++  if (ec)
++    goto leave;
++
++  /* Create a random plaintext.  */
++  _gcry_randomize (plaintext, sizeof plaintext, GCRY_WEAK_RANDOM);
++
++  /* Open MD context and feed the random data in */
++  ec = _gcry_md_open (&hd, GCRY_MD_SHA256, 0);
++  if (ec)
++    goto leave;
++  _gcry_md_write (hd, plaintext, sizeof(plaintext));
++
++  /* Use the RSA secret function to create a signature of the plaintext.  */
++  ec = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
++  if (ec)
++    goto leave;
++
++  /* Use the RSA public function to verify this signature.  */
++  ec = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  if (ec)
++    goto leave;
++
++  /* Modify the data and check that the signing fails.  */
++  _gcry_md_reset(hd);
++  plaintext[sizeof plaintext / 2] ^= 1;
++  _gcry_md_write (hd, plaintext, sizeof(plaintext));
++  ec = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  if (ec != GPG_ERR_BAD_SIGNATURE)
++    goto leave; /* Signature verification worked on modified data  */
++
++  result = 0; /* All tests succeeded.  */
++ leave:
++  sexp_release (sig);
++  _gcry_md_close (hd);
++  sexp_release (pkey);
++  sexp_release (skey);
++  return result;
++}
+ 
+ /* Callback used by the prime generation to test whether the exponent
+    is suitable. Returns 0 if the test has been passed. */
+@@ -648,7 +715,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
+   sk->u = u;
+ 
+   /* Now we can test our keys. */
+-  if (ec || (!testparms && test_keys (sk, nbits - 64)))
++  if (ec || (!testparms && test_keys_fips (sk)))
+     {
+       _gcry_mpi_release (sk->n); sk->n = NULL;
+       _gcry_mpi_release (sk->e); sk->e = NULL;
+-- 
+2.37.1
+
+
+From de7ad6375be11a0cef45c6e9aa8119c4ce7a3258 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 15 Aug 2022 19:55:33 +0200
+Subject: [PATCH 5/6] ecc: Run PCT also with the digest step
+
+* cipher/ecc.c (test_keys_fips): New function
+  (nist_generate_key): In FIPS mode, execute new PCT test
+---
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ cipher/ecc.c | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 81 insertions(+)
+
+diff --git a/cipher/ecc.c b/cipher/ecc.c
+index 63b0d05e..783e249d 100644
+--- a/cipher/ecc.c
++++ b/cipher/ecc.c
+@@ -101,6 +101,7 @@ static void *progress_cb_data;
+ 
+ /* Local prototypes. */
+ static void test_keys (mpi_ec_t ec, unsigned int nbits);
++static void test_keys_fips (mpi_ec_t ec, gcry_mpi_t x, gcry_mpi_t y);
+ static void test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags);
+ static unsigned int ecc_get_nbits (gcry_sexp_t parms);
+ 
+@@ -255,6 +256,8 @@ nist_generate_key (mpi_ec_t ec, int flags,
+     ; /* User requested to skip the test.  */
+   else if (ec->model == MPI_EC_MONTGOMERY)
+     test_ecdh_only_keys (ec, ec->nbits - 63, flags);
++  else if (fips_mode ())
++    test_keys_fips (ec, x, y);
+   else
+     test_keys (ec, ec->nbits - 64);
+ 
+@@ -304,6 +307,84 @@ test_keys (mpi_ec_t ec, unsigned int nbits)
+   mpi_free (test);
+ }
+ 
++/* We should get here only with the NIST curves as they are the only ones
++ * having the fips bit set in ecc_domain_parms_t struct so this is slightly
++ * simpler than the whole ecc_generate function */
++static void
++test_keys_fips (mpi_ec_t ec, gcry_mpi_t Qx, gcry_mpi_t Qy)
++{
++  gcry_md_hd_t hd = NULL;
++  const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
++  gcry_sexp_t skey = NULL, pkey = NULL;
++  gcry_sexp_t curve_info = NULL;
++  gcry_sexp_t sig = NULL;
++  gcry_mpi_t public = NULL;
++  char plaintext[128];
++  int rc;
++
++  /* Build keys structures */
++  if (ec->name)
++    {
++      rc = sexp_build (&curve_info, NULL, "(curve %s)", ec->name);
++      if (rc)
++        log_fatal ("ECDSA operation: failed to build curve_info\n");
++    }
++
++  public = _gcry_ecc_ec2os (Qx, Qy, ec->p);
++  rc = sexp_build (&pkey, NULL,
++                   "(key-data"
++                   " (public-key"
++                   "  (ecc%S(q%m)))"
++                   " )",
++                   curve_info,
++                   public);
++  if (rc)
++    log_fatal ("ECDSA operation: failed to build public key: %s\n", gpg_strerror (rc));
++  rc = sexp_build (&skey, NULL,
++                   "(key-data"
++                   " (private-key"
++                   "  (ecc%S(q%m)(d%m)))"
++                   " )",
++                   curve_info,
++                   public, ec->d);
++  if (rc)
++    log_fatal ("ECDSA operation: failed to build private key: %s\n", gpg_strerror (rc));
++
++  /* Create a random plaintext.  */
++  _gcry_randomize (plaintext, sizeof plaintext, GCRY_WEAK_RANDOM);
++
++  /* Open MD context and feed the random data in */
++  rc = _gcry_md_open (&hd, GCRY_MD_SHA256, 0);
++  if (rc)
++    log_fatal ("ECDSA operation: failed to initialize MD context: %s\n", gpg_strerror (rc));
++  _gcry_md_write (hd, plaintext, sizeof(plaintext));
++
++  /* Sign the data */
++  rc = _gcry_pk_sign_md (&sig, data_tmpl, hd, skey, NULL);
++  if (rc)
++    log_fatal ("ECDSA operation: signing failed: %s\n", gpg_strerror (rc));
++
++  /* Verify this signature.  */
++  rc = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  if (rc)
++    log_fatal ("ECDSA operation: verification failed: %s\n", gpg_strerror (rc));
++
++  /* Modify the data and check that the signing fails.  */
++  _gcry_md_reset(hd);
++  plaintext[sizeof plaintext / 2] ^= 1;
++  _gcry_md_write (hd, plaintext, sizeof(plaintext));
++  rc = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  if (rc != GPG_ERR_BAD_SIGNATURE)
++    log_fatal ("ECDSA operation: signature verification worked on modified data\n");
++
++  mpi_free (public);
++  sexp_release (curve_info);
++  _gcry_md_close (hd);
++  sexp_release (pkey);
++  sexp_release (skey);
++  sexp_release (sig);
++}
++
+ 
+ static void
+ test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags)
+-- 
+2.37.1
+
+
+From 2cca95e488d58ae79975dd867e7782504b155212 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 16 Aug 2022 10:27:46 +0200
+Subject: [PATCH 6/6] Simplify the PCT for RSA and ECDSA
+
+Could be squashed.
+
+* cipher/ecc.c (test_keys_fips): Simplify to accept key in SEXP format
+  (nist_generate_key): Skip call to test keys
+  (ecc_generate): Call test keys in FIPS mode later, when we have
+  complete SEXP key structure.
+* cipher/rsa.c (test_keys_fips): Simplify to accept key in SEXP format
+  (generate_fips): Skip selftest at this stage
+  (rsa_generate): Test the keys later when we already have key in SEXP
+  format
+---
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ cipher/ecc.c | 50 ++++++++------------------------------------------
+ cipher/rsa.c | 47 ++++++++++++-----------------------------------
+ 2 files changed, 20 insertions(+), 77 deletions(-)
+
+diff --git a/cipher/ecc.c b/cipher/ecc.c
+index 783e249d..1e80200e 100644
+--- a/cipher/ecc.c
++++ b/cipher/ecc.c
+@@ -101,7 +101,7 @@ static void *progress_cb_data;
+ 
+ /* Local prototypes. */
+ static void test_keys (mpi_ec_t ec, unsigned int nbits);
+-static void test_keys_fips (mpi_ec_t ec, gcry_mpi_t x, gcry_mpi_t y);
++static void test_keys_fips (gcry_sexp_t skey);
+ static void test_ecdh_only_keys (mpi_ec_t ec, unsigned int nbits, int flags);
+ static unsigned int ecc_get_nbits (gcry_sexp_t parms);
+ 
+@@ -256,9 +256,7 @@ nist_generate_key (mpi_ec_t ec, int flags,
+     ; /* User requested to skip the test.  */
+   else if (ec->model == MPI_EC_MONTGOMERY)
+     test_ecdh_only_keys (ec, ec->nbits - 63, flags);
+-  else if (fips_mode ())
+-    test_keys_fips (ec, x, y);
+-  else
++  else if (!fips_mode ())
+     test_keys (ec, ec->nbits - 64);
+ 
+   return 0;
+@@ -311,45 +309,14 @@ test_keys (mpi_ec_t ec, unsigned int nbits)
+  * having the fips bit set in ecc_domain_parms_t struct so this is slightly
+  * simpler than the whole ecc_generate function */
+ static void
+-test_keys_fips (mpi_ec_t ec, gcry_mpi_t Qx, gcry_mpi_t Qy)
++test_keys_fips (gcry_sexp_t skey)
+ {
+   gcry_md_hd_t hd = NULL;
+   const char *data_tmpl = "(data (flags rfc6979) (hash %s %b))";
+-  gcry_sexp_t skey = NULL, pkey = NULL;
+-  gcry_sexp_t curve_info = NULL;
+   gcry_sexp_t sig = NULL;
+-  gcry_mpi_t public = NULL;
+   char plaintext[128];
+   int rc;
+ 
+-  /* Build keys structures */
+-  if (ec->name)
+-    {
+-      rc = sexp_build (&curve_info, NULL, "(curve %s)", ec->name);
+-      if (rc)
+-        log_fatal ("ECDSA operation: failed to build curve_info\n");
+-    }
+-
+-  public = _gcry_ecc_ec2os (Qx, Qy, ec->p);
+-  rc = sexp_build (&pkey, NULL,
+-                   "(key-data"
+-                   " (public-key"
+-                   "  (ecc%S(q%m)))"
+-                   " )",
+-                   curve_info,
+-                   public);
+-  if (rc)
+-    log_fatal ("ECDSA operation: failed to build public key: %s\n", gpg_strerror (rc));
+-  rc = sexp_build (&skey, NULL,
+-                   "(key-data"
+-                   " (private-key"
+-                   "  (ecc%S(q%m)(d%m)))"
+-                   " )",
+-                   curve_info,
+-                   public, ec->d);
+-  if (rc)
+-    log_fatal ("ECDSA operation: failed to build private key: %s\n", gpg_strerror (rc));
+-
+   /* Create a random plaintext.  */
+   _gcry_randomize (plaintext, sizeof plaintext, GCRY_WEAK_RANDOM);
+ 
+@@ -365,7 +332,7 @@ test_keys_fips (mpi_ec_t ec, gcry_mpi_t Qx, gcry_mpi_t Qy)
+     log_fatal ("ECDSA operation: signing failed: %s\n", gpg_strerror (rc));
+ 
+   /* Verify this signature.  */
+-  rc = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  rc = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
+   if (rc)
+     log_fatal ("ECDSA operation: verification failed: %s\n", gpg_strerror (rc));
+ 
+@@ -373,15 +340,11 @@ test_keys_fips (mpi_ec_t ec, gcry_mpi_t Qx, gcry_mpi_t Qy)
+   _gcry_md_reset(hd);
+   plaintext[sizeof plaintext / 2] ^= 1;
+   _gcry_md_write (hd, plaintext, sizeof(plaintext));
+-  rc = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  rc = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
+   if (rc != GPG_ERR_BAD_SIGNATURE)
+     log_fatal ("ECDSA operation: signature verification worked on modified data\n");
+ 
+-  mpi_free (public);
+-  sexp_release (curve_info);
+   _gcry_md_close (hd);
+-  sexp_release (pkey);
+-  sexp_release (skey);
+   sexp_release (sig);
+ }
+ 
+@@ -714,6 +677,9 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
+         log_debug ("ecgen result  using Ed25519+EdDSA\n");
+     }
+ 
++  if (!(flags & PUBKEY_FLAG_NO_KEYTEST) && fips_mode ())
++    test_keys_fips (*r_skey);
++
+  leave:
+   mpi_free (public);
+   mpi_free (base);
+diff --git a/cipher/rsa.c b/cipher/rsa.c
+index 78c26f2f..9d14a474 100644
+--- a/cipher/rsa.c
++++ b/cipher/rsa.c
+@@ -178,37 +178,15 @@ test_keys (RSA_secret_key *sk, unsigned int nbits)
+ }
+ 
+ static int
+-test_keys_fips (RSA_secret_key *sk)
++test_keys_fips (gcry_sexp_t skey)
+ {
+   int result = -1; /* Default to failure.  */
+   char plaintext[128];
+   gcry_sexp_t sig = NULL;
+-  gcry_sexp_t skey = NULL, pkey = NULL;
+   const char *data_tmpl = "(data (flags pkcs1) (hash %s %b))";
+   gcry_md_hd_t hd = NULL;
+   int ec;
+ 
+-  /* Put the relevant parameters into a public key structure.  */
+-  ec = sexp_build (&pkey, NULL,
+-                   "(key-data"
+-                   " (public-key"
+-                   "  (rsa(n%m)(e%m))))",
+-                   sk->n, sk->e);
+-  if (ec)
+-    goto leave;
+-
+-  /* Put the relevant parameters into a secret key structure.  */
+-  ec = sexp_build (&skey, NULL,
+-                   "(key-data"
+-                   " (public-key"
+-                   "  (rsa(n%m)(e%m)))"
+-                   " (private-key"
+-                   "  (rsa(n%m)(e%m)(d%m)(p%m)(q%m)(u%m))))",
+-                   sk->n, sk->e,
+-                   sk->n, sk->e, sk->d, sk->p, sk->q, sk->u);
+-  if (ec)
+-    goto leave;
+-
+   /* Create a random plaintext.  */
+   _gcry_randomize (plaintext, sizeof plaintext, GCRY_WEAK_RANDOM);
+ 
+@@ -224,7 +202,7 @@ test_keys_fips (RSA_secret_key *sk)
+     goto leave;
+ 
+   /* Use the RSA public function to verify this signature.  */
+-  ec = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  ec = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
+   if (ec)
+     goto leave;
+ 
+@@ -232,7 +210,7 @@ test_keys_fips (RSA_secret_key *sk)
+   _gcry_md_reset(hd);
+   plaintext[sizeof plaintext / 2] ^= 1;
+   _gcry_md_write (hd, plaintext, sizeof(plaintext));
+-  ec = _gcry_pk_verify_md (sig, data_tmpl, hd, pkey, NULL);
++  ec = _gcry_pk_verify_md (sig, data_tmpl, hd, skey, NULL);
+   if (ec != GPG_ERR_BAD_SIGNATURE)
+     goto leave; /* Signature verification worked on modified data  */
+ 
+@@ -240,8 +218,6 @@ test_keys_fips (RSA_secret_key *sk)
+  leave:
+   sexp_release (sig);
+   _gcry_md_close (hd);
+-  sexp_release (pkey);
+-  sexp_release (skey);
+   return result;
+ }
+ 
+@@ -714,8 +690,7 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
+   sk->d = d;
+   sk->u = u;
+ 
+-  /* Now we can test our keys. */
+-  if (ec || (!testparms && test_keys_fips (sk)))
++  if (ec)
+     {
+       _gcry_mpi_release (sk->n); sk->n = NULL;
+       _gcry_mpi_release (sk->e); sk->e = NULL;
+@@ -723,11 +698,6 @@ generate_fips (RSA_secret_key *sk, unsigned int nbits, unsigned long use_e,
+       _gcry_mpi_release (sk->q); sk->q = NULL;
+       _gcry_mpi_release (sk->d); sk->d = NULL;
+       _gcry_mpi_release (sk->u); sk->u = NULL;
+-      if (!ec)
+-        {
+-          fips_signal_error ("self-test after key generation failed");
+-          return GPG_ERR_SELFTEST_FAILED;
+-        }
+     }
+ 
+   return ec;
+@@ -1306,7 +1276,7 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
+                      /**/    : NULL);
+ 
+       /* Generate.  */
+-      if (deriveparms || fips_mode())
++      if (deriveparms || fips_mode ())
+         {
+           ec = generate_fips (&sk, nbits, evalue, deriveparms,
+                               !!(flags & PUBKEY_FLAG_TRANSIENT_KEY));
+@@ -1341,6 +1311,13 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey)
+   mpi_free (sk.u);
+   sexp_release (swap_info);
+ 
++  if (!ec && fips_mode () && test_keys_fips (*r_skey))
++    {
++      sexp_release (*r_skey); *r_skey = NULL;
++      fips_signal_error ("self-test after key generation failed");
++      return GPG_ERR_SELFTEST_FAILED;
++    }
++
+   return ec;
+ }
+ 
+-- 
+2.37.1

SOURCES/libgcrypt-1.10.0-ppc-hwf.patch

@@ -0,0 +1,29 @@
+From 29bfb3ebbc63d7ed18b916c5c6946790fb3d15df Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 1 Apr 2022 09:49:20 +0300
+Subject: [PATCH] hwf-ppc: fix missing HWF_PPC_ARCH_3_10 in HW feature
+
+* src/hwf-ppc.c (ppc_features): Add HWF_PPC_ARCH_3_10.
+--
+
+GnuPG-bug-id: T5913
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ src/hwf-ppc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/hwf-ppc.c b/src/hwf-ppc.c
+index 7801f8b0..11d14dc1 100644
+--- a/src/hwf-ppc.c
++++ b/src/hwf-ppc.c
+@@ -103,6 +103,7 @@ static const struct feature_map_s ppc_features[] =
+     { 0, PPC_FEATURE2_VEC_CRYPTO, HWF_PPC_VCRYPTO },
+ #endif
+     { 0, PPC_FEATURE2_ARCH_3_00, HWF_PPC_ARCH_3_00 },
++    { 0, PPC_FEATURE2_ARCH_3_10, HWF_PPC_ARCH_3_10 },
+   };
+ #endif
+ 
+-- 
+2.34.1
+

SPECS/libgcrypt.spec

@@ -0,0 +1,684 @@
+# This is taken from gnutls.spec
+%define srpmhash() %{lua:
+local files = rpm.expand("%_specdir/libgcrypt.spec")
+for i, p in ipairs(patches) do
+   files = files.." "..p
+end
+for i, p in ipairs(sources) do
+   files = files.." "..p
+end
+local sha256sum = assert(io.popen("cat "..files.."| sha256sum"))
+local hash = sha256sum:read("*a")
+sha256sum:close()
+print(string.sub(hash, 0, 16))
+}
+
+
+Name: libgcrypt
+Version: 1.10.0
+Release: 5%{?dist}
+URL: https://www.gnupg.org/
+Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
+Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
+Source2: wk@g10code.com
+Patch1: libgcrypt-1.10.0-disable-brainpool.patch
+Patch2: libgcrypt-1.10.0-fips-disable-pkcs1.5.patch
+Patch3: libgcrypt-1.10.0-ppc-hwf.patch
+Patch4: libgcrypt-1.10.0-allow-small-RSA-verify.patch
+Patch5: libgcrypt-1.10.0-allow-short-salt.patch
+Patch6: libgcrypt-1.10.0-fips-getrandom.patch
+Patch7: libgcrypt-1.10.0-fips-selftest.patch
+Patch8: libgcrypt-1.10.0-fips-disable-oaep.patch
+
+%global gcrylibdir %{_libdir}
+%global gcrysoname libgcrypt.so.20
+%global hmackey orboDeJITITejsirpADONivirpUkvarP
+
+# Technically LGPLv2.1+, but Fedora's table doesn't draw a distinction.
+# Documentation and some utilities are GPLv2+ licensed. These files
+# are in the devel subpackage.
+License: LGPLv2+
+Summary: A general-purpose cryptography library
+BuildRequires: gcc
+BuildRequires: gawk, libgpg-error-devel >= 1.11, pkgconfig
+# This is needed only when patching the .texi doc.
+BuildRequires: texinfo
+BuildRequires: autoconf, automake, libtool
+BuildRequires: make
+
+%package devel
+Summary: Development files for the %{name} package
+License: LGPLv2+ and GPLv2+
+Requires: libgpg-error-devel
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: pkgconfig
+
+%description
+Libgcrypt is a general purpose crypto library based on the code used
+in GNU Privacy Guard.  This is a development version.
+
+%description devel
+Libgcrypt is a general purpose crypto library based on the code used
+in GNU Privacy Guard.  This package contains files needed to develop
+applications using libgcrypt.
+
+%prep
+%setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+
+%build
+# This package has a configure test which uses ASMs, but does not link the
+# resultant .o files.  As such the ASM test is always successful, even on
+# architectures were the ASM is not valid when compiling with LTO.
+#
+# -ffat-lto-objects is sufficient to address this issue.  It is the default
+# for F33, but is expected to only be enabled for packages that need it in
+# F34, so we use it here explicitly
+%define _lto_cflags -flto=auto -ffat-lto-objects
+
+# should be all algorithms except SM3 and SM4
+export DIGESTS='crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2'
+export CIPHERS='arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20'
+
+eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
+export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
+
+autoreconf -f
+%configure --disable-static \
+%ifarch sparc64
+     --disable-asm \
+%endif
+     --enable-noexecstack \
+     --enable-hmac-binary-check=%{hmackey} \
+     --disable-brainpool \
+     --enable-digests="$DIGESTS" \
+     --enable-ciphers="$CIPHERS" \
+     --with-fips-module-version="$FIPS_MODULE_NAME %{version}-%{srpmhash}"
+sed -i -e '/^sys_lib_dlsearch_path_spec/s,/lib /usr/lib,/usr/lib /lib64 /usr/lib64 /lib,g' libtool
+%make_build
+
+%check
+make check
+# try in faked FIPS mode too
+LIBGCRYPT_FORCE_FIPS_MODE=1 make check
+
+# Add generation of HMAC checksums of the final stripped binaries 
+%define libpath $RPM_BUILD_ROOT%{gcrylibdir}/%{gcrysoname}.?.?
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    dd if=/dev/zero of=%{libpath}.hmac bs=32 count=1 \
+    objcopy --update-section .rodata1=%{libpath}.hmac %{libpath} %{libpath}.empty \
+    src/hmac256 --binary %{hmackey} %{libpath}.empty > %{libpath}.hmac \
+    objcopy --update-section .rodata1=%{libpath}.hmac %{libpath}.empty %{libpath}.new \
+    mv -f %{libpath}.new %{libpath} \
+    rm -f %{libpath}.hmac %{libpath}.empty
+%{nil}
+
+%install
+%make_install
+
+# Change /usr/lib64 back to /usr/lib.  This saves us from having to patch the
+# script to "know" that -L/usr/lib64 should be suppressed, and also removes
+# a file conflict between 32- and 64-bit versions of this package.
+# Also replace my_host with none.
+sed -i -e 's,^libdir="/usr/lib.*"$,libdir="/usr/lib",g' $RPM_BUILD_ROOT/%{_bindir}/libgcrypt-config
+sed -i -e 's,^my_host=".*"$,my_host="none",g' $RPM_BUILD_ROOT/%{_bindir}/libgcrypt-config
+
+rm -f ${RPM_BUILD_ROOT}/%{_infodir}/dir ${RPM_BUILD_ROOT}/%{_libdir}/*.la
+/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_libdir}
+
+%if "%{gcrylibdir}" != "%{_libdir}"
+# Relocate the shared libraries to %{gcrylibdir}.
+mkdir -p $RPM_BUILD_ROOT%{gcrylibdir}
+for shlib in $RPM_BUILD_ROOT%{_libdir}/*.so* ; do
+	if test -L "$shlib" ; then
+		rm "$shlib"
+	else
+		mv "$shlib" $RPM_BUILD_ROOT%{gcrylibdir}/
+	fi
+done
+
+# Add soname symlink.
+/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}/
+%endif
+
+# Overwrite development symlinks.
+pushd $RPM_BUILD_ROOT/%{gcrylibdir}
+for shlib in lib*.so.?? ; do
+	target=$RPM_BUILD_ROOT/%{_libdir}/`echo "$shlib" | sed -e 's,\.so.*,,g'`.so
+%if "%{gcrylibdir}" != "%{_libdir}"
+	shlib=%{gcrylibdir}/$shlib
+%endif
+	ln -sf $shlib $target
+done
+popd
+
+# Create /etc/gcrypt (hardwired, not dependent on the configure invocation) so
+# that _someone_ owns it.
+mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
+
+%ldconfig_scriptlets
+
+%files
+%dir /etc/gcrypt
+%{gcrylibdir}/libgcrypt.so.*.*
+%{gcrylibdir}/%{gcrysoname}
+%license COPYING.LIB
+%doc AUTHORS NEWS THANKS
+
+%files devel
+%{_bindir}/%{name}-config
+%{_bindir}/dumpsexp
+%{_bindir}/hmac256
+%{_bindir}/mpicalc
+%{_includedir}/*
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/libgcrypt.pc
+%{_datadir}/aclocal/*
+%{_mandir}/man1/*
+
+%{_infodir}/gcrypt.info*
+%license COPYING
+
+%changelog
+* Wed Aug 17 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-5
+- Allow signature verification with smaller RSA keys (#2083846)
+- Allow short salt for KDF (#2114870)
+- Reseed the kernel DRBG by using GRND_RANDOM (#2118695)
+- Address FIPS review comments around selftests (#2118695)
+- Disable RSA-OAEP in FIPS mode (#2118695)
+
+* Fri May 06 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-4
+- Backport ppc hardware flags detection (#2051307)
+- Disable PKCS#1.5 encryption in FIPS mode (#2061328)
+
+* Thu Mar 31 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-3
+- Use correct FIPS module name (#2067123)
+
+* Thu Feb 17 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-2
+- Systematic FIPS module name with other FIPS modules
+
+* Wed Feb 02 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-1
+- Final release (#2026636)
+
+* Thu Jan 27 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-0.3
+- Fix broken soname in the previous beta
+
+* Thu Jan 27 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-0.2
+- Provide compat soname symlink as the new release is backward compatible
+
+* Wed Jan 26 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-0.1
+- New upstream pre-release (#2026636)
+- Upstream all patches
+- Implement FIPS 140-3 support
+
+* Tue Oct 12 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-5
+- Allow HW optimizations in FIPS mode (#1990059)
+
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.3-4
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+  Related: rhbz#1991688
+
+* Tue Jun 15 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-3
+- Fix for CVE-2021-33560 (#1970098)
+
+* Wed Apr 28 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-2
+- Restore the CET protection (#1954049)
+
+* Tue Apr 20 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-1
+- New upstream release (#1951325)
+
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.9.2-4
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Thu Apr 15 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-3
+- Fix issues reported by coverity
+
+* Mon Mar 29 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-2
+- Fix OCB tag creation on s390x (failing gnupg2 tests)
+
+* Wed Feb 17 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-1
+- New upstream release (#1929630)
+
+* Fri Jan 29 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.1-1
+- New upstream release (#1922156, #1922097)
+
+* Wed Jan 20 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.0-1
+- New upstream release (#1917878)
+
+* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 1.8.7-1
+- new upstream release (#1891123)
+
+* Fri Aug 21 2020 Jeff Law <law@redhat.com> - 1.8.6-4
+- Re-enable LTO
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 1.8.6-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.6-1
+- new upstream version 1.8.6
+
+* Wed Jul  1 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-7
+- use the hmac256 tool to calculate the library hmac
+
+* Tue Jun 30 2020 Jeff Law <law@redhat.com>
+- Disable LTO
+
+* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-6
+- Fix regression - missing -ldl linkage
+
+* Wed Apr 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-5
+- AES performance improvements backported from master branch
+
+* Mon Apr 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-4
+- FIPS selftest is run directly from the constructor
+- FIPS module is implicit with kernel FIPS flag
+
+* Thu Jan 30 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-3
+- fix the build on ARMv7
+
+* Thu Jan 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-2
+- Intel CET support by H. J. Lu
+
+* Tue Sep  3 2019 Tomáš Mráz <tmraz@redhat.com> 1.8.5-1
+- new upstream version 1.8.5
+- add CMAC selftest for FIPS POST
+- add continuous FIPS entropy test
+- disable non-approved FIPS hashes in the enforced FIPS mode
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Feb 12 2019 Tomáš Mráz <tmraz@redhat.com> 1.8.4-3
+- fix the build tests to pass in the FIPS mode
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Nov 20 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.4-1
+- new upstream version 1.8.4
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jul 12 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.3-2
+- make only_urandom a default in non-presence of configuration file
+- run the full FIPS selftests only when the library is called from
+  application
+
+* Thu Jun 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.3-1
+- new upstream version 1.8.3
+
+* Tue Feb  6 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.2-2
+- fix behavior when getrandom syscall is not present (#1542453)
+
+* Thu Dec 21 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.2-1
+- new upstream version 1.8.2
+
+* Tue Dec  5 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-3
+- do not try to access() /dev/urandom either if getrandom() works
+
+* Mon Dec  4 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-2
+- do not try to open /dev/urandom if getrandom() works (#1380866)
+
+* Tue Sep  5 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-1
+- new upstream version 1.8.1
+
+* Wed Aug 16 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.0-1
+- new upstream version 1.8.0
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jun 29 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.8-1
+- new upstream version 1.7.8
+
+* Fri Jun  2 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.7-1
+- new upstream version 1.7.7
+- GOST is now enabled
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 30 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.6-1
+- new upstream version 1.7.6
+
+* Fri Dec 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.7.5-1
+- new upstream version 1.7.5
+
+* Wed Nov 23 2016 Tomáš Mráz <tmraz@redhat.com> 1.7.3-1
+- new upstream version 1.7.3
+
+* Wed Aug 17 2016 Tomáš Mráz <tmraz@redhat.com> 1.6.6-1
+- new upstream version with important security fix (CVE-2016-6316)
+
+* Thu Jul 21 2016 Tomáš Mráz <tmraz@redhat.com> 1.6.5-1
+- new upstream version fixing low impact issue CVE-2015-7511
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Sep  9 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.4-1
+- new upstream version
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Apr  3 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-4
+- deinitialize the RNG after the selftest is run
+
+* Tue Mar 24 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-3
+- touch only urandom in the selftest and when /dev/random is
+  unavailable for example by SELinux confinement
+- fix the RSA selftest key (p q swap) (#1204517)
+
+* Fri Mar 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-2
+- do not use strict aliasing for bufhelp functions (#1201219)
+
+* Fri Mar  6 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-1
+- new upstream version
+
+* Wed Feb 25 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.2-4
+- do not initialize secure memory during the selftest (#1195850)
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 1.6.2-3
+- Rebuilt for Fedora 23 Change
+  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Wed Jan 14 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.2-2
+- fix buildability of programs using gcrypt.h with -ansi (#1182200)
+
+* Mon Dec  8 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.2-1
+- new upstream version
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Jul 17 2014 Tom Callaway <spot@fedoraproject.org> - 1.6.1-6
+- fix license handling
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue May 20 2014 Kyle McMartin <kyle@fedoraproject.org> 1.6.1-4
+- Re-enable below algos, apply patch from upstream list to make
+  that code -fPIC friendly. (rhbz#1069792)
+
+* Mon May 19 2014 Kyle McMartin <kyle@fedoraproject.org> 1.6.1-3
+- Disable rijndael, cast5, camellia ARM assembly, as it's non-PIC as
+  presently written, which results in .text relocations in the shared
+  library. (rhbz#1069792)
+
+* Thu Apr 24 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.1-2
+- drop the temporary compat shared library version
+- fix the soname version in -use-fipscheck.patch
+
+* Fri Feb 28 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.1-1
+- new upstream version breaking ABI compatibility
+- this release temporarily includes old compatibility .so
+
+* Tue Jan 21 2014 Tomáš Mráz <tmraz@redhat.com> 1.5.3-3
+- add back the nistp521r1 EC curve
+- fix a bug in the Whirlpool hash implementation
+- speed up the PBKDF2 computation
+
+* Sun Oct 20 2013 Tom Callaway <spot@fedoraproject.org> - 1.5.3-2
+- add cleared ECC support
+
+* Fri Jul 26 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.3-1
+- new upstream version fixing cache side-channel attack on RSA private keys
+
+* Thu Jun 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-3
+- silence false error detected by valgrind (#968288)
+
+* Thu Apr 25 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-2
+- silence strict aliasing warning in Rijndael
+- apply UsrMove
+- spec file cleanups
+
+* Fri Apr 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-1
+- new upstream version
+
+* Wed Mar 20 2013 Tomas Mraz <tmraz@redhat.com> 1.5.1-1
+- new upstream version
+
+* Tue Mar  5 2013 Tomas Mraz <tmraz@redhat.com> 1.5.0-11
+- use poll() instead of select() when gathering randomness (#913773)
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Jan  3 2013 Tomas Mraz <tmraz@redhat.com> 1.5.0-9
+- allow empty passphrase in PBKDF2 needed for cryptsetup (=891266)
+
+* Mon Dec  3 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-8
+- fix multilib conflict in libgcrypt-config
+- fix minor memory leaks and other bugs found by Coverity scan
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Apr  5 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-5
+- Correctly rebuild the info documentation
+
+* Wed Apr  4 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-4
+- Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Aug 15 2011 Kalev Lember <kalevlember@gmail.com> 1.5.0-2
+- Rebuilt for rpm bug #728707
+
+* Thu Jul 21 2011 Tomas Mraz <tmraz@redhat.com> 1.5.0-1
+- new upstream version
+
+* Mon Jun 20 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-4
+- Always xor seed from /dev/urandom over /etc/gcrypt/rngseed
+
+* Mon May 30 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-3
+- Make the FIPS-186-3 DSA implementation CAVS testable
+- add configurable source of RNG seed /etc/gcrypt/rngseed
+  in the FIPS mode (#700388)
+
+* Fri Feb 11 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-1
+- new upstream version with minor changes
+
+* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.5-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Feb  4 2011 Tomas Mraz <tmraz@redhat.com> 1.4.5-6
+- fix a bug in the fips-186-3 dsa parameter generation code
+
+* Tue Feb  1 2011 Tomas Mraz <tmraz@redhat.com> 1.4.5-5
+- use /dev/urandom for seeding in the FIPS mode
+- make the tests to pass in the FIPS mode also fixing
+  the FIPS-186-3 DSA keygen
+
+* Sun Feb 14 2010 Rex Dieter <rdieter@fedoraproject.org> 1.4.5-4
+- FTBFS libgcrypt-1.4.5-3.fc13: ImplicitDSOLinking (#564973)
+
+* Wed Feb  3 2010 Tomas Mraz <tmraz@redhat.com> 1.4.5-3
+- drop the S390 build workaround as it is no longer needed
+- additional spec file cleanups for merge review (#226008)
+
+* Mon Dec 21 2009 Tomas Mraz <tmraz@redhat.com> 1.4.5-1
+- workaround for build on S390 (#548825)
+- spec file cleanups
+- upgrade to new minor upstream release
+
+* Tue Aug 11 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-8
+- fix warning when installed with --excludedocs (#515961)
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jun 18 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-6
+- and now really apply the padlock patch
+
+* Wed Jun 17 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-5
+- fix VIA padlock RNG inline assembly call (#505724)
+
+* Thu Mar  5 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-4
+- with the integrity verification check the library needs to link to libdl
+  (#488702)
+
+* Tue Mar  3 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-3
+- add hmac FIPS integrity verification check
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Jan 30 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-1
+- update to 1.4.4
+- do not abort when the fips mode kernel flag is inaccessible
+  due to permissions (#470219)
+- hobble the library to drop the ECC support
+
+* Mon Oct 20 2008 Dennis Gilmore <dennis@ausil.us> 1.4.3-2
+- disable asm on sparc64
+
+* Thu Sep 18 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.3-1
+- update to 1.4.3
+- own /etc/gcrypt
+
+* Mon Sep 15 2008 Nalin Dahyabhai <nalin@redhat.com>
+- invoke make with %%{?_smp_mflags} to build faster on multi-processor
+  systems (Steve Grubb)
+
+* Mon Sep  8 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-1
+- update to 1.4.2
+
+* Tue Apr 29 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-1
+- update to 1.4.1
+- bump libgpgerror-devel requirement to 1.4, matching the requirement enforced
+  by the configure script
+
+* Thu Apr  3 2008 Joe Orton <jorton@redhat.com> 1.4.0-3
+- add patch from upstream to fix severe performance regression
+  in entropy gathering
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.4.0-2
+- Autorebuild for GCC 4.3
+
+* Mon Dec 10 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.4.0-1
+- update to 1.4.0
+
+* Tue Oct 16 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-6
+- use ldconfig to build the soname symlink for packaging along with the
+  shared library (#334731)
+
+* Wed Aug 22 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-5
+- add missing gawk buildrequirement
+- switch from explicitly specifying the /dev/random RNG to just verifying
+  that the non-LGPL ones were disabled by the configure script
+
+* Thu Aug 16 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-4
+- clarify license
+- force use of the linux /dev/random RNG, to avoid accidentally falling back
+  to others which would affect the license of the resulting library
+
+* Mon Jul 30 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-3
+- disable static libraries (part of #249815)
+
+* Fri Jul 27 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-2
+- move libgcrypt shared library to /%%{_lib} (#249815)
+
+* Tue Feb  6 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-1
+- update to 1.2.4
+
+* Mon Jan 22 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.3-2
+- make use of install-info more failsafe (Ville Skyttä, #223705)
+
+* Fri Sep  1 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.2.3-1
+- update to 1.2.3
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-3.1
+- rebuild
+
+* Mon Jun 05 2006 Jesse Keating <jkeating@redhat.com> 1.2.2-3
+- Added missing buildreq pkgconfig
+
+* Tue May 16 2006 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-2
+- remove file conflicts in libgcrypt-config by making the 64-bit version
+  think the libraries are in /usr/lib (which is wrong, but which it also
+  prunes from the suggest --libs output, so no harm done, hopefully)
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-1.2.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-1.2
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Wed Oct  5 2005 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-1
+- update to 1.2.2
+
+* Wed Mar 16 2005 Nalin Dahyabhai <nalin@redhat.com> 1.2.1-1
+- update to 1.2.1
+
+* Fri Jul 30 2004 Florian La Roche <Florian.LaRoche@redhat.de>
+- another try to package the symlink
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sun May  2 2004 Bill Nottingham <notting@redhat.com> - 1.2.0-1
+- update to official 1.2.0
+
+* Fri Apr 16 2004 Bill Nottingham <notting@redhat.com> - 1.1.94-1
+- update to 1.1.94
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sat Feb 21 2004 Florian La Roche <Florian.LaRoche@redhat.de>
+- add symlinks to shared libs at compile time
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Thu Mar 20 2003 Jeff Johnson <jbj@redhat.com> 1.1.12-1
+- upgrade to 1.1.12 (beta).
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Sun May 26 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Tue May 21 2002 Jeff Johnson <jbj@redhat.com>
+- update to 1.1.7
+- change license to LGPL.
+- include splint annotations patch.
+- install info pages.
+
+* Tue Apr  2 2002 Nalin Dahyabhai <nalin@redhat.com> 1.1.6-1
+- update to 1.1.6
+
+* Thu Jan 10 2002 Nalin Dahyabhai <nalin@redhat.com> 1.1.5-1
+- fix the Source tag so that it's a real URL
+
+* Thu Dec 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- initial package