Cryptographic library that exclusively contains
Quantum resistant cryptographic algorithms. It is lean has minimal dependencies,
supports stack-only operation and provides optimized implementations for
ML-KEM (Kyber), ML-DSA (Dilithium), SLH-DSA (Sphincs+) and many more
Signed-off-by: Ayoub Zaki <ayoub.zaki@embetrix.com>
Signed-off-by: Khem Raj <khem.raj@oss.qualcomm.com>
Details: https://nvd.nist.gov/vuln/detail/CVE-2025-69277
The vulnerability has been fixed[1] since version 1.0.20, but NVD
tracks it without version info. Mark it patched explicitly.
[1]: f2da4cd8cb
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: copyright years refreshed
Removed patch included in this release
Add path to fix compilation with gcc on aarch64
Changelog:
https://github.com/jedisct1/libsodium/releases/tag/1.0.21-RELEASE
Changes:
Version 1.0.21
- security fix for the crypto_core_ed25519_is_valid_point() function
- new crypto_ipcrypt_* functions
- sodium_bin2ip and sodium_ip2bin helper functions
- XOF: the crypto_xof_shake* and crypto_xof_turboshake* functions
Version 1.0.20-stable
- XCFramework: cross-compilation is now forced on Apple Silicon to avoid Rosetta-related build issues
- The Fil-C compiler is supported out of the box
- The CompCert compiler is supported out of the box
- MSVC 2026 (Visual Studio 2026) is now supported
- Zig builds now support FreeBSD targets
- Performance of AES256-GCM and AEGIS on ARM has been improved with some compilers
- Android binaries have been added to the NuGet package
- Windows ARM binaries have been added to the NuGet package
- The Android build script has been improved. The base SDK is now 27c, and the default platform is 21, supporting 16 KB page sizes.
- The library can now be compiled with Zig 0.15 and Zig 0.16
- Zig builds now generate position-independent static libraries by default on targets that support PIC
- arm64e builds have been added to the XCFramework packages
- XCFramework packages are now full builds instead of minimal builds
- MSVC builds have been enabled for ARM64
- iOS 32-bit (armv7/armv7s) support has been removed from the XCFramework build script
- Security: optblockers have been introduced in critical code paths to prevent compilers from introducing unwanted side channels via conditional jumps. This was observed on RISC-V targets with specific compilers and options.
- Security: crypto_core_ed25519_is_valid_point() now properly rejects small-order points that are not in the main subgroup
- ((nonnull)) attributes have been relaxed on some crypto_stream* functions to allow NULL output buffers when the output length is zero
- A cross-compilation issue with old clang versions has been fixed
- JavaScript: support for Cloudflare Workers has been added
- JavaScript: WASM_BIGINT is forcibly disabled to retain compatibility with older runtimes
- A compilation issue with old toolchains on Solaris has been fixed
- crypto_aead_aes256gcm_is_available is exported to JavaScript
- libsodium is now compatible with Emscripten 4.x
- Security: memory fences have been added after MAC verification in AEAD to prevent speculative access to plaintext before authentication is complete
- Assembly files now include .gnu.property notes for proper IBT and Shadow Stack support when building with CET instrumentation.
Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
* Allowed fsverity-utils to build when PKCS#11 support is not available in
OpenSSL. In that case, 'fsverity sign' just won't support that feature.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The project's readme indicates that some parts of the code is covered
by Apache license - add it to the RECIPE accordingly.
Reported-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The below reference clearly states that GPL-2.0-with-OpenSSL-exception
is to be used with GPL 2.0 or GPL3.0 and not as a standalone license.
Therefore, update the correct license.
Reference:
569d72e13e/docs/openssl-exception-gpl-2.0.yml (L7)
Signed-off-by: Sana Kazi <Sana.Kazi@bmwtechworks.in>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Please see
https://git.yoctoproject.org/poky/commit/?id=4dd321f8b83afecd962393101b2a6861275b5265
for what changes are needed, and sed commands that can be used to make them en masse.
I've verified that bitbake -c patch world works with these, but did not run a world
build; the majority of recipes shouldn't need further fixups, but if there are
some that still fall out, they can be fixed in followups.
Signed-off-by: Alexander Kanavin <alex@linutronix.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* see more details: http://errors.yoctoproject.org/Errors/Details/850150/
des.c:199:9: error: too many arguments to function 'spinit'; expected 0, have 1
199 | spinit(key);
| ^~~~~~ ~~~
des.c:38:56: note: declared here
38 | static void permute_ip(), permute_fp(), perminit_ip(), spinit(),
| ^~~~~~
* Move function forward declarations to .h file to fix the following errors:
tripledes.c: In function '_mcrypt_desinit':
tripledes.c:198:18: error: passing argument 1 of 'perminit' from incompatible pointer type [-Wincompatible-pointer-types]
198 | perminit(&key->iperm, ip);
| ^~~~~~~~~~~
| |
| char (*)[16][16][8]
In file included from tripledes.c:23:
tripledes.h:11:27: note: expected 'char (*)[16][8]' but argument is of type 'char (*)[16][16][8]'
11 | static void perminit(char perm[][16][8], char p[64]);
| ~~~~~^~~~~~~~~~~~~
tripledes.c:199:18: error: passing argument 1 of 'perminit' from incompatible pointer type [-Wincompatible-pointer-types]
199 | perminit(&key->fperm, fp);
| ^~~~~~~~~~~
| |
| char (*)[16][16][8]
tripledes.h:11:27: note: expected 'char (*)[16][8]' but argument is of type 'char (*)[16][16][8]'
11 | static void perminit(char perm[][16][8], char p[64]);
| ~~~~~^~~~~~~~~~~~~
Changed parameter from &key to key
perminit(key->iperm, ip);
perminit(key->fperm, fp);
Signed-off-by: mark.yang <mark.yang@lge.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
We use veritysetup in our custom initramfs to verify the rootfs before
mounting it. We do not use udev or run systemd as PID1 in that
initramfs. This RDEPENDS on udev and lvm2, and everything that udev
ends up pulling in, thus bloats the initramfs by more than 10MiB.
Removing udev from PACKAGECONFIG is not really an option, because we
do want the udev integration in the real rootfs.
Demote it to a recommendation so that the initramfs recipe can avoid
udev and lvm2 using BAD_RECOMMENDATIONS or NO_RECOMMENDATIONS.
Signed-off-by: Rasmus Villemoes <ravi@prevas.dk>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit removed the lvm2-udevrules package.
[https://git.openembedded.org/meta-openembedded/commit/?h=master-next&id=c37c867e1adddd6fa39cf3f3d4c6688ea6dc825a]
Align accordingly to avoid error at do_rootfs
Error:
Problem 1: package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libbd_utils.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev >= 3.2.0, but none of the providers can be installed
- package gvfs-1.56.0-r0.corei7_64 from oe-repo requires udisks2, but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12()(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.4)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.7)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires cryptsetup >= 2.7.5, but none of the providers can be installed
- conflicting requests
- nothing provides lvm2-udevrules needed by cryptsetup-2.7.5-r0.corei7_64 from oe-repo
Problem 2: package gvfs-1.56.0-r0.corei7_64 from oe-repo requires udisks2, but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libbd_utils.so.3()(64bit), but none of the providers can be installed
- package udisks2-2.10.1-r0.corei7_64 from oe-repo requires libblockdev >= 3.2.0, but none of the providers can be installed
- package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires libgvfscommon.so()(64bit), but none of the providers can be installed
- package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires libgvfsdaemon.so()(64bit), but none of the providers can be installed
- package gvfsd-trash-1.56.0-r0.corei7_64 from oe-repo requires gvfs >= 1.56.0, but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12()(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.0)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.4)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires libcryptsetup.so.12(CRYPTSETUP_2.7)(64bit), but none of the providers can be installed
- package libblockdev-3.2.0-r0.corei7_64 from oe-repo requires cryptsetup >= 2.7.5, but none of the providers can be installed
- conflicting requests
- nothing provides lvm2-udevrules needed by cryptsetup-2.7.5-r0.corei7_64 from oe-repo
(try to add '--skip-broken' to skip uninstallable packages)
Signed-off-by: Markus Volk <f_l_k@t-online.de>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Copyright year updated to 2024.
Changelog:
==========
* CVE-2024-34702: Fix a DoS caused by excessive name constraints.
* CVE-2024-39312: Fix a name constraint processing error, where if
permitted and excluded rules both applied to a certificate, only the
permitted rules would be checked.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
* Do not allow formatting LUKS2 with Opal SED (hardware encryption)
* Fixes to wiping LUKS2 headers after Opal locking area erase.
* Mention the need for possible PSID revert before Opal format for some
drives (man page).
* Fix Bitlocker-compatible code to ignore newly seen metadata entries.
* Fix interactive query retry if LUKS2 unbound keyslot is present.
* Detect unsupported zoned devices for LUKS header devices.
* Allow "capi" cipher format for benchmark command and fix parsing
of plain IV in "capi" format.
* Add support for HCTR2 encryption mode.
* Source code now uses SPDX license identifiers instead of full
license preambles.
* Fix missing includes for cryptographic backend that could cause
compilation errors for some systems.
* Fix tests to work correctly in FIPS mode with recent OpenSSL 3.2.
* Fix various (mostly false positive) issues detected by Coverity.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Copyright year updated to 2024.
0001-fix-aarch64-Move-target-pragma-after-arm_neon.h-incl.patch
removed since it's included in 1.0.20
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
- Add Ed448 signatures and X448 key exchange
- X.509 certificate verification now can optionally ignore the expiration date of root certificates.
- Support for "hybrid" EC point encoding is now deprecated.
- Support for creating EC_Group objects with parameters larger than 521 bits is now deprecated
- Add new build options to disable deprecated features, and to enable experimental features.
- Fix a bug affecting use of SIV and CCM ciphers in the FFI interface.
- Add new FFI interface botan_cipher_requires_entire_message
- Internal refactorings of the mp layer to support a new elliptic curve library.
- Use a new method for constant time division in Kyber to avoid a possible side channel where the compiler inserts use of a variable time division.
- Refactor test RNG usage to improve reproducibility.
- Add std::span interfaces to BigInt
- Refactorings and improvements to low level load/store utility functions.
- Fix the amalgamation build on ARM64
- Add Mac ARM based CI build
- Fix a thread serialization bug that caused sporadic test failures.
- Update GH Actions to v4
- Add examples of password based encryption and HTTPS+ASIO client.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
==========
* Fix activation of OPAL-only encrypted LUKS device with tokens.
* Fix formatting of OPAL devices with 4096-byte sector size.
* Fix incorrect OPAL locking range alignment calculation if used
over an unaligned device partition.
* Add --hw-opal-factory-reset option description to the manual page.
* Do not check the passphrase quality for OPAL Admin PIN,
as this passphrase already exists.
* Update license for FAQ document to CC BY-SA 4.0.
Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Cryptsetup 2.7.1 Release Notes
==============================
Stable bug-fix release with minor extensions.
Changes since version 2.7.0
* Fix interrupted LUKS1 decryption resume.
With the replacement of the cryptsetup-reencrypt tool by the cryptsetup
reencrypt command, resuming the interrupted LUKS1 decryption operation
could fail. LUKS2 was not affected.
* Allow --link-vk-to-keyring with --test-passphrase option.
This option allows uploading the volume key in a user-specified kernel
keyring without activating the device.
* Fix crash when --active-name was used in decryption initialization.
* Updates and changes to man pages, including indentation, sorting options
alphabetically, fixing mistakes in crypt_set_keyring_to_link, and
fixing some typos.
* Fix compilation with libargon2 when --disable-internal-argon2 was used.
* Do not require installed argon2.h header and never compile internal
libargon2 code if the crypto library directly supports Argon2.
* Fixes to regression tests to support older Linux distributions.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
License-Update: Copyright years change
Changelog:
move all sha* applications to the libexec directory to allow them to coexist with other packages sha* applications - the caller is expected to make a symlink to them
add sha3sum
add kcapi_md_sha3_* wrapper APIs
various small fixes
Signed-off-by: alperak <alperyasinak1@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Monocypher has two recipes and a release tarball in home page and in github
Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* fixes:
ERROR: monocypher-4.0.2-r0 do_package: QA Issue: monocypher: Files/directories were installed but not shipped in any package:
/usr/lib/libmonocypher.so
/usr/lib/libmonocypher.so.4
/usr/lib/libmonocypher.a
/usr/lib/pkgconfig
/usr/lib/pkgconfig/monocypher.pc
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
monocypher: 5 installed and not shipped files. [installed-vs-shipped]
this only fixes the above issues, to make it usable with other
libdir values the .pc files would need to be fixed to respect passed
LIBDIR value as well as now they expect just lib:
monocypher.pc:libdir=${exec_prefix}/lib
tests/speed/libhydrogen.pc:libdir=${exec_prefix}/lib
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Adds monocypher, an easy to use, easy to deploy, auditable crypto library written in portable C. It approaches the size of TweetNaCl and the speed of libsodium
Signed-off-by: BELOUARGA Mohamed <m.belouarga@technologyandstrategy.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It fails to install libmcrypt-dev and lib32-libmcrypt-dev at same time:
Error: Transaction test error:
file /usr/bin/libmcrypt-config conflicts between attempted installs of
libmcrypt-dev-2.5.8-r0.core2_64 and lib32-libmcrypt-dev-2.5.8-r0.i586
Use MULTILIB_SCRIPTS from multilib_script.bbclass to handle them.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
* enabled by default, because that's what dropbear expects and fails
without as shown in:
http://errors.yoctoproject.org/Errors/Details/720460/
dropbear/2022.83-r0/crypto_desc.c:72: undefined reference to `ltm_desc'
* add comment about the LICENSE
* use EXTRA_OEMAKE
* FYI: if you need to use this in dunfell (for whatever reason e.g. to
avoid CVE-2019-17362 in dropbear which contains bundled libtomcrypt),
then you need to add:
# Only needed for dunfell, fixed in kirkstone with:
# https://git.openembedded.org/openembedded-core/commit/?h=kirkstone&id=4b308773eca7570ce5007e8f953b56252c17fdb1
DEPENDS += "libtool-cross"
EXTRA_OEMAKE += "'LIBTOOL=${HOST_SYS}-libtool'"
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
