commit d53360c602d3175a0476f5218ed2e3762da94066
Author: MSVSphere Packaging Team <packager@msvsphere-os.ru>
Date:   Tue Nov 26 17:02:39 2024 +0300

    import libgcrypt-1.11.0-3.el10

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a126f3f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/libgcrypt-1.11.0.tar.bz2
+SOURCES/libgcrypt-1.11.0.tar.bz2.sig
diff --git a/.libgcrypt.metadata b/.libgcrypt.metadata
new file mode 100644
index 0000000..8288416
--- /dev/null
+++ b/.libgcrypt.metadata
@@ -0,0 +1,2 @@
+dd2c68e0685bb99249efeeb06046fae15b5214ba SOURCES/libgcrypt-1.11.0.tar.bz2
+48af54df87466ae3aa0c6db805aa0462e9bcb77e SOURCES/libgcrypt-1.11.0.tar.bz2.sig
diff --git a/SOURCES/libgcrypt-1.10.1-annobin.patch b/SOURCES/libgcrypt-1.10.1-annobin.patch
new file mode 100644
index 0000000..c333c4e
--- /dev/null
+++ b/SOURCES/libgcrypt-1.10.1-annobin.patch
@@ -0,0 +1,22 @@
+diff -rup libgcrypt.orig/src/Makefile.am libgcrypt-1.8.3/src/Makefile.am
+--- libgcrypt.orig/src/Makefile.am	2021-10-18 16:36:20.914025497 +0100
++++ libgcrypt-1.8.3/src/Makefile.am	2021-10-19 12:23:08.652960618 +0100
+@@ -108,6 +108,7 @@ endif !HAVE_W32_SYSTEM
+ 
+ 
+ libgcrypt_la_LDFLAGS = $(no_undefined) $(export_symbols) $(extra_ltoptions) \
++	-Wc,-fplugin=annobin \
+ 	$(libgcrypt_version_script_cmd) -version-info \
+ 	@LIBGCRYPT_LT_CURRENT@:@LIBGCRYPT_LT_REVISION@:@LIBGCRYPT_LT_AGE@
+ libgcrypt_la_DEPENDENCIES = \
+Only in libgcrypt-1.8.3/src: Makefile.am.annobin
+diff -rup libgcrypt.orig/src/Makefile.in libgcrypt-1.8.3/src/Makefile.in
+--- libgcrypt.orig/src/Makefile.in	2021-10-18 16:36:20.914025497 +0100
++++ libgcrypt-1.8.3/src/Makefile.in	2021-10-19 12:23:37.791875325 +0100
+@@ -483,6 +483,7 @@ gcrypt_hwf_modules = @GCRYPT_HWF_MODULES
+ @HAVE_W32_SYSTEM_TRUE@gcrypt_deps = $(gcrypt_res) libgcrypt.def
+ @HAVE_W32_SYSTEM_FALSE@gcrypt_res_ldflag = 
+ libgcrypt_la_LDFLAGS = $(no_undefined) $(export_symbols) $(extra_ltoptions) \
++	-Wc,-fplugin=annobin \
+ 	$(libgcrypt_version_script_cmd) -version-info \
+ 	@LIBGCRYPT_LT_CURRENT@:@LIBGCRYPT_LT_REVISION@:@LIBGCRYPT_LT_AGE@
diff --git a/SOURCES/libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch b/SOURCES/libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
new file mode 100644
index 0000000..0267ea0
--- /dev/null
+++ b/SOURCES/libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
@@ -0,0 +1,63 @@
+From 2486d9b5ae015c1786cb84466a751da4bc0d7122 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Thu, 20 Jun 2024 20:10:09 +0300
+Subject: [PATCH] Disable SHA3 s390x acceleration for CSHAKE
+
+* cipher/keccak.c (keccak_final_s390x): Add assert check for
+expected SHAKE suffix.
+(_gcry_cshake_customize, cshake_hash_buffers): Disable s390x
+acceleration when selecting CSHAKE suffix.
+--
+
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ cipher/keccak.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/keccak.c b/cipher/keccak.c
+index aaf83a62..44cc9f71 100644
+--- a/cipher/keccak.c
++++ b/cipher/keccak.c
+@@ -745,6 +745,8 @@ keccak_final_s390x (void *context)
+     }
+   else
+     {
++      gcry_assert(ctx->suffix == SHAKE_DELIMITED_SUFFIX);
++
+       klmd_shake_execute (ctx->kimd_func, &ctx->state, NULL, 0, ctx->buf,
+ 			  ctx->count);
+       ctx->count = 0;
+@@ -1497,9 +1499,14 @@ _gcry_cshake_customize (void *context, struct gcry_cshake_customization *p)
+     /* No customization */
+     return 0;
+ 
++  ctx->suffix = CSHAKE_DELIMITED_SUFFIX;
++#ifdef USE_S390X_CRYPTO
++  /* CSHAKE suffix is not supported by s390x/kimd. */
++  ctx->kimd_func = 0;
++#endif
++
+   len_written = cshake_input_n (ctx, p->n, p->n_len);
+   cshake_input_s (ctx, p->s, p->s_len, len_written);
+-  ctx->suffix = CSHAKE_DELIMITED_SUFFIX;
+   return 0;
+ }
+ 
+@@ -1536,9 +1543,14 @@ cshake_hash_buffers (const gcry_md_spec_t *spec, void *outbuf, size_t nbytes,
+           size_t s_len = iov[1].len;
+           size_t len;
+ 
++          ctx.suffix = CSHAKE_DELIMITED_SUFFIX;
++#ifdef USE_S390X_CRYPTO
++          /* CSHAKE suffix is not supported by s390x/kimd. */
++          ctx.kimd_func = 0;
++#endif
++
+           len = cshake_input_n (&ctx, n, n_len);
+           cshake_input_s (&ctx, s, s_len, len);
+-          ctx.suffix = CSHAKE_DELIMITED_SUFFIX;
+         }
+       iovcnt -= 2;
+       iov += 2;
+-- 
+2.43.0
diff --git a/SOURCES/libgcrypt-1.11.0-cf-protection.patch b/SOURCES/libgcrypt-1.11.0-cf-protection.patch
new file mode 100644
index 0000000..e7ead95
--- /dev/null
+++ b/SOURCES/libgcrypt-1.11.0-cf-protection.patch
@@ -0,0 +1,191 @@
+From de3a04203b33c2248400392b535d2ab133bcd752 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Sat, 27 Jul 2024 08:16:56 +0300
+Subject: [PATCH] Do not build rijndael-vaes-avx2-i386 on x86-64
+
+* configure.ac: Enable building i386 "rijndael-vaes" only
+on i?86 host instead of x86 MPI arch ("i?86 + x86-64").
+--
+
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ configure.ac | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d3dffb4b..1e182552 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -3025,6 +3025,11 @@ if test "$found" = "1" ; then
+    AC_DEFINE(USE_AES, 1, [Defined if this module should be included])
+ 
+    case "${host}" in
++      i?86-*-*)
++         # Build with the VAES/AVX2 implementation
++         GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-i386.lo"
++         GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-avx2-i386.lo"
++      ;;
+       x86_64-*-*)
+          # Build with the assembly implementation
+          GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-amd64.lo"
+@@ -3089,10 +3094,6 @@ if test "$found" = "1" ; then
+ 
+          # Build with the Padlock implementation
+          GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-padlock.lo"
+-
+-         # Build with the VAES/AVX2 implementation
+-         GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-i386.lo"
+-         GCRYPT_ASM_CIPHERS="$GCRYPT_ASM_CIPHERS rijndael-vaes-avx2-i386.lo"
+       ;;
+    esac
+ fi
+-- 
+2.43.0
+
+
+From 9178af96038acd295d02a4c405c19435dce92ad8 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 26 Jul 2024 10:59:12 +0300
+Subject: [PATCH 1/2] Add CET support for x86-64 assembly
+
+* cipher/asm-common-amd64.h (ENDBRANCH): New.
+(CFI_STARTPROC): Add ENDBRANCH.
+[__CET__] (note.gnu.property): Add CET property section.
+--
+
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ cipher/asm-common-amd64.h | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/asm-common-amd64.h b/cipher/asm-common-amd64.h
+index 3fa065e8..465ef62b 100644
+--- a/cipher/asm-common-amd64.h
++++ b/cipher/asm-common-amd64.h
+@@ -76,9 +76,15 @@
+ #  endif
+ #endif
+ 
++#ifdef __CET__
++#define ENDBRANCH endbr64
++#else
++#define ENDBRANCH /*_*/
++#endif
++
+ #ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
+ /* CFI directives to emit DWARF stack unwinding information. */
+-# define CFI_STARTPROC()            .cfi_startproc
++# define CFI_STARTPROC()            .cfi_startproc; ENDBRANCH
+ # define CFI_ENDPROC()              .cfi_endproc
+ # define CFI_REMEMBER_STATE()       .cfi_remember_state
+ # define CFI_RESTORE_STATE()        .cfi_restore_state
+@@ -146,7 +152,7 @@
+ 	    DW_SLEB128_28BIT(rsp_offs)
+ 
+ #else
+-# define CFI_STARTPROC()
++# define CFI_STARTPROC() ENDBRANCH
+ # define CFI_ENDPROC()
+ # define CFI_REMEMBER_STATE()
+ # define CFI_RESTORE_STATE()
+@@ -214,4 +220,24 @@
+ 	vpopcntb xmm16, xmm16; /* Supported only by newer AVX512 CPUs. */ \
+ 	vpxord ymm16, ymm16, ymm16;
+ 
++#ifdef __CET__
++/* Generate CET property for all assembly files including this header. */
++ELF(.section .note.gnu.property,"a")
++ELF(.align 8)
++ELF(.long 1f - 0f)
++ELF(.long 4f - 1f)
++ELF(.long 5)
++ELF(0:)
++ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
++ELF(1:)
++ELF(.align 8)
++ELF(.long 0xc0000002)
++ELF(.long 3f - 2f)
++ELF(2:)
++ELF(.long 0x3)
++ELF(3:)
++ELF(.align 8)
++ELF(4:)
++#endif
++
+ #endif /* GCRY_ASM_COMMON_AMD64_H */
+-- 
+2.43.0
+
+From e7c81e64b1a81455ce72c54607ce6ab35c24f407 Mon Sep 17 00:00:00 2001
+From: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+Date: Fri, 26 Jul 2024 11:09:37 +0300
+Subject: [PATCH 2/2] Add CET support for i386 assembly
+
+* cipher/asm-common-i386.h (ENDBRANCH): New.
+(CFI_STARTPROC): Add ENDBRANCH.
+[__CET__] (note.gnu.property): Add CET property section.
+--
+
+Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
+---
+ cipher/asm-common-i386.h | 30 ++++++++++++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/cipher/asm-common-i386.h b/cipher/asm-common-i386.h
+index d746ebc4..346a8ff2 100644
+--- a/cipher/asm-common-i386.h
++++ b/cipher/asm-common-i386.h
+@@ -59,9 +59,15 @@
+ 	movl name##@GOT(%reg), %reg;
+ #endif
+ 
++#ifdef __CET__
++#define ENDBRANCH endbr32
++#else
++#define ENDBRANCH /*_*/
++#endif
++
+ #ifdef HAVE_GCC_ASM_CFI_DIRECTIVES
+ /* CFI directives to emit DWARF stack unwinding information. */
+-# define CFI_STARTPROC()            .cfi_startproc
++# define CFI_STARTPROC()            .cfi_startproc; ENDBRANCH
+ # define CFI_ENDPROC()              .cfi_endproc
+ # define CFI_REMEMBER_STATE()       .cfi_remember_state
+ # define CFI_RESTORE_STATE()        .cfi_restore_state
+@@ -121,7 +127,7 @@
+ 	    DW_SLEB128_28BIT(esp_offs)
+ 
+ #else
+-# define CFI_STARTPROC()
++# define CFI_STARTPROC() ENDBRANCH
+ # define CFI_ENDPROC()
+ # define CFI_REMEMBER_STATE()
+ # define CFI_RESTORE_STATE()
+@@ -158,4 +164,24 @@
+ 	vpopcntb xmm7, xmm7; /* Supported only by newer AVX512 CPUs. */ \
+ 	vpxord ymm7, ymm7, ymm7;
+ 
++#ifdef __CET__
++/* Generate CET property for all assembly files including this header. */
++ELF(.section .note.gnu.property,"a")
++ELF(.align 4)
++ELF(.long 1f - 0f)
++ELF(.long 4f - 1f)
++ELF(.long 5)
++ELF(0:)
++ELF(.byte 0x47, 0x4e, 0x55, 0) /* string "GNU" */
++ELF(1:)
++ELF(.align 4)
++ELF(.long 0xc0000002)
++ELF(.long 3f - 2f)
++ELF(2:)
++ELF(.long 0x3)
++ELF(3:)
++ELF(.align 4)
++ELF(4:)
++#endif
++
+ #endif /* GCRY_ASM_COMMON_AMD64_H */
+-- 
+2.43.0
+
diff --git a/SOURCES/libgcrypt-1.11.0-covscan.patch b/SOURCES/libgcrypt-1.11.0-covscan.patch
new file mode 100644
index 0000000..43905e1
--- /dev/null
+++ b/SOURCES/libgcrypt-1.11.0-covscan.patch
@@ -0,0 +1,109 @@
+From 03a0535661186ba1cf853a6b43ff2b2a5e42a3ea Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 25 Jul 2024 14:21:04 +0200
+Subject: [PATCH 2/3] sexp: Avoid memory leaks on invalid input
+
+* src/sexp.c (_gcry_hex2buffer): Free buffer on error.
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ src/sexp.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/sexp.c b/src/sexp.c
+index b15cb486..60ddcbc3 100644
+--- a/src/sexp.c
++++ b/src/sexp.c
+@@ -2715,7 +2715,10 @@ _gcry_hex2buffer (const char *string, size_t *r_length)
+   for (s=string; *s; s +=2 )
+     {
+       if (!hexdigitp (s) || !hexdigitp (s+1))
+-        return NULL;           /* Invalid hex digits. */
++        {
++          xfree(buffer);
++          return NULL;           /* Invalid hex digits. */
++        }
+       ((unsigned char*)buffer)[length++] = xtoi_2 (s);
+     }
+   *r_length = length;
+-- 
+GitLab
+
+
+From 45d77a0ed6dcacbfaf6e72f6402705f4635e5cf8 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 25 Jul 2024 14:32:19 +0200
+Subject: [PATCH 3/3] ecdh: Avoid memory leaks
+
+* cipher/ecc-ecdh.c (_gcry_ecc_curve_keypair): Free buffer on exit path.
+  (_gcry_ecc_curve_mul_point): Free buffer on all exit paths.
+--
+
+Signed-off-by: Jakub Jelen <jjelen@redhat.com>
+---
+ cipher/ecc-ecdh.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/cipher/ecc-ecdh.c b/cipher/ecc-ecdh.c
+index 8be57b72..c690d221 100644
+--- a/cipher/ecc-ecdh.c
++++ b/cipher/ecc-ecdh.c
+@@ -153,6 +153,7 @@ _gcry_ecc_curve_keypair (const char *curve,
+           buf = _gcry_mpi_get_buffer (mpi_k, 0, &len, NULL);
+           memset (seckey, 0, nbytes - len);
+           memcpy (seckey + nbytes - len, buf, len);
++          xfree (buf);
+         }
+       else /* p - y >= p */
+         mpi_free (negative);
+@@ -168,15 +169,14 @@ _gcry_ecc_curve_keypair (const char *curve,
+           if (len != 1 + 2*nbytes)
+             {
+               err = GPG_ERR_INV_ARG;
+-              mpi_free (y);
+             }
+           else
+             {
+               /* (x,y) in SEC1 point encoding.  */
+               memcpy (pubkey, buf, len);
+-              xfree (buf);
+-              mpi_free (y);
+             }
++          xfree (buf);
++          mpi_free (y);
+         }
+     }
+   else /* MPI_EC_MONTGOMERY */
+@@ -293,15 +293,14 @@ _gcry_ecc_curve_mul_point (const char *curve,
+           if (len != 1 + 2*nbytes)
+             {
+               err = GPG_ERR_INV_ARG;
+-              mpi_free (y);
+             }
+           else
+             {
+               /* (x,y) in SEC1 point encoding.  */
+               memcpy (result, buf, len);
+-              xfree (buf);
+-              mpi_free (y);
+             }
++          xfree (buf);
++          mpi_free (y);
+         }
+     }
+   else                          /* MPI_EC_MONTGOMERY */
+@@ -318,8 +317,8 @@ _gcry_ecc_curve_mul_point (const char *curve,
+             {
+               /* x in little endian.  */
+               memcpy (result, buf, nbytes);
+-              xfree (buf);
+             }
++          xfree (buf);
+         }
+     }
+   mpi_free (x);
+-- 
+GitLab
+
+
diff --git a/SOURCES/signature_key.asc b/SOURCES/signature_key.asc
new file mode 100644
index 0000000..151e8fa
--- /dev/null
+++ b/SOURCES/signature_key.asc
@@ -0,0 +1,86 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQGNBFjLuq4BDACnM7zNSIaVMAacTwjXa5TGYe13i6ilHe4VL0NShzrgzjcQg531
+3cRgiiiNA7OSOypMqVs73Jez6ZUctn2GVsHBrS/io9NcuC9pVwf8a61WlcEa+EtB
+a3G7HlBmEWnwaUdAtWKNuAi9Xn+Ir7H2xEdksmmd5a0/QnL+sX705boVPF/tpYtb
+LGpPxa78tNrtxDkSwy8Wmi0IADYLI5yI7/yUGeJd8RSCU/fLRKC9fG7YOZRq0tsO
+MhVNWmtUjbG6e73Lu8LKnCZgs1/fC8hvPyARieSV5mdN8s1oWd7oYctfgL4uBleD
+ItAA8GhjKejutzHN8Ei/APw6AiiSyEjnPg+cTX8OgvLGJWjks0H6mPZeB1v/kGyZ
+hBS9vm540h2/MmlVN2ntiCK5TZGeSWpqddiqusfVXotMRpN4HeLKoZh4RAncaCbZ
+F/S+YLeN+kMXY4k3Fqt1fjTX6veFCbthI9pDdHzU9LfUVNp9D/5ktC/tYMORMegV
++wSMxi9G2YWKJkMAEQEAAYkBzgQfAQgAOBYhBFuAxXVCmPDLVdjtarzvfilLCS4o
+BQJYy8DdFwyAAZSlyaA8L+XKOwldjh/fcjz0YraxAgcAAAoJELzvfilLCS4oNgoL
+/0+K1xIx8JW7Lk5M6bYCvNA4fdlEcwQIT4UidJFM9m+suxYFWIGfebvHpRlEuJTg
+dBjkEit8uLAoJXU0BRkKTLrzTF+qDUE79Wfx/R+0nOgJ7aMykQOi0AvuwzMYz4dg
+xIVS2Daou4DF7bh/KF8+fqrmq8P8W1ZrkuFDanMWpHeAPx1uj2skYbo7uPqFdvlJ
+hlNHrcxlcCkjf1InAt0Xt5lMvEsCRUPf9xAH4mNEhs0lh9c+200YPRmtnLWAzc1K
+ckLIC8Q+mUR3DjZDqBlDBEPegXkrI0+MlvRA+9AnAm4YPqTMUfpZ6ZOAWeFjC/6Z
+QYxG/AdWGkb4WFindzklQfybEuiekP8vU07ACQwSwH8PYe0UCom1YrlRUjX7QLkn
+ZLWoeZg8BZy9GTM1Ut7Q1Q2uTw6mxxISuef+RFgYOHjWwLpFWZpqC88xERl7o/iz
+iERJRt/593IctbjO9wenWt2peIAwzR4nz7LqM6ZFTdRAETmcdSvYRhg2Qt8hUE47
+CbQkQW5kcmUgSGVpbmVja2UgKFJlbGVhc2UgU2lnbmluZyBLZXkpiQHUBBMBCAA+
+FiEEW4DFdUKY8MtV2O1qvO9+KUsJLigFAljLuq4CGwMFCRLMAwAFCwkIBwIGFQgJ
+CgsCBBYCAwECHgECF4AACgkQvO9+KUsJLihC/QwAhCC+SEvcFLcutgZ8HfcCtoZs
+IoVzZEy7DjqIvGgnTssD8HCLnIAHCDvnP7dJW3uMuLCdSqym3cjlEIiQMsaGywkl
+fzJISAwJrGQdWSKRd535jXpEXQlXDKal/IwMKAUt0PZtlCc9S3gwixQryxdJ28lJ
+6h2T9fVDr8ZswMmTAFG91uctfhjKOMgPt8UhSPGW484WsIsQgkbOvf+Kfswl0eHu
+ywX+pKAB5ZQ/9GVC6Ug4xfrdiJL0azJTPnvjMY5JYp6/L9RURs5hP5AnHR2j/PPo
+sAtsFCjmbRbOMiASzklnUJPbSz5kfLloDWZmrUScjbzmsXehGyt433JGyRhZJl4x
+/jPbzKhaaAHsGd+fRao6vlLOwFywDDVMp6JuyK7UeUb7I8ekTbSkGFA+l2Oa3O6/
+Y7PYhq7hwwAFuZckYI98IpHNCG1fS9W07FyKdvQbK1PbF1JFRKfsUCWYMKqDnbqE
+o5jivPEHZImw6iYhhXcyEYl8fjcb9T6/S+wOP7aviQGzBBABCAAdFiEElKXJoDwv
+5co7CV2OH99yPPRitrEFAljLv5sACgkQH99yPPRitrFw4gv/XFMFN+/LHsn9hJOP
+4rCwl1yUuxXuYmZgc0sRoY3EpeQkJVyKurQuqqKoy2VuoMiF0O1kAQmGoFtVPUk7
+b8hCoutqB5GyeyKcoLP+WINgVhB2gXg7TSp3MPLBKkgqvSDvPitgRxBqFb4LW8LJ
+bDbfwGrzIvXfDV3WvsrHVPbc2fhlWdL8d+3AE6mFiXF3eTpgmV3ApSBQV12MkkCk
+icLIPmp+ZxZON+OP52ZXkRtfMgOy4Oa/41agrViDAZdMOGeGkhPertQheQZgXzmo
+GF5Wz498HPM80Kv35X91l3iGzL+icEtO+tWea2YscsZ6qpRe2lfVPHk3B+anlmCj
+m4kM4cBd39xa4HHSVh/bRHbZNtgVr7slQCKxlHgQOGVI5vCxPCwEsgJ2KBk03Nk/
+IA9EKO+czfh3/bHW6uMbEqrYDCnt+hmzZrpKDSGcwS/KOhvMUIMlb7/8vDKum6mp
+/8xAtVZ6IAxYZNt3qg7Y7aLRtzCTyqm8rJQrZPtRaQcgLoEimDMEX0PliRYJKwYB
+BAHaRw8BAQdAz75Hlekc16JhhfI0MKdEVxLdkxhcMCO0ZG6WMBAmNpe0H1dlcm5l
+ciBLb2NoIChkaXN0IHNpZ25pbmcgMjAyMCmImgQTFgoAQhYhBG2qbmSnbShAVxtJ
+AlKIl7gmQDraBQJfQ+w1AhsDBQkShccRBQsJCAcCAyICAQYVCgkICwIEFgIDAQIe
+BwIXgAAKCRBSiJe4JkA62nmuAP9uL/HOdB0gvwWrH+FpURJLs4bnaZaPIk9ARrU0
+EXRgJgD/YCGfHQXpIPT0ZaXuwJexK04Z+qMFR/bM1q1Leo5CjgaIbQQQEQsAHRYh
+BIBhWHD1utaQMzaG0PKthaweQrNnBQJfQ/HmAAoJEPKthaweQrNnIZkA3jG6LcZv
+V/URn8Y8OJqsyYa4C3NI4nN+OhEvYhgA4PHzMnALeXIpA2gblvjFIPJPAhDBAU37
+c5PA6+6IdQQQFggAHRYhBK6oTtzwGthsRwHIXGMROuhmWH0KBQJfQ/IlAAoJEGMR
+OuhmWH0K1+MA/0uJ5AHcnSfIBEWHNJwwVVLGyrxAWtS2U+zeymp/UvlPAQDErCLZ
+l0dBiPG3vlowFx5TNep7tanBs6ZJn8F1ao1tAIkBMwQQAQgAHRYhBNhpISPEBl3q
+Xg86tSSbOdJPJeO2BQJfQ/OuAAoJECSbOdJPJeO2DVoH/0o9if66ph6FJrgr+A/W
+HNVeHxmM5tUQhpL1wpRS70SKcsJgolf5CxO5iTQf3HlZe544xGbIU/aCTJsWw9zi
+UE8KmhAtKV4eL/7oQ7xx4nxPnABLpudtM8A44nsM1x/XiYrJnnDm29QjYEGd2Hi8
+7npc7VWKzLoj+I/WcXquynJi5O9TUxW9Bknd1pjpxFkf8v+msjBzCD5VKJgr0CR8
+wA6peQBWeGZX2HacosMIZH4TfL0r0TFla6LJIkNBz9DyIm1yL4L8oRH0950hQljP
+C7TM3L7aRpX+4Kph6llFz6g7MALGFP95kyJ6o+XED9ORuuQVZMBMIkNC0tXOu10V
+bdqIdQQQFgoAHRYhBMHTS2khnkruwLocIeP9/yGORbcrBQJfQ/P8AAoJEOP9/yGO
+Rbcr3lQBAMas8Vl3Hdl3g2I283lz1uHiGvlwcnk2TLeB+U4zIwC9AQCy0nnazVNt
+VQPID1ZCMoaOX7AzOjaqQDLf4j+dVTxgBJgzBGCkgocWCSsGAQQB2kcPAQEHQJmd
+fwp8jEN5P3eEjhQiWk6zQi8utvgOvYD57XmE+H8+tCBOaWliZSBZdXRha2EgKEdu
+dVBHIFJlbGVhc2UgS2V5KYiaBBMWCgBCFiEErI4RW/c+LY1H+pkI6Y6bLRnGyL0F
+AmCkgocCGwMFCQsNBpkFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEOmO
+my0Zxsi9/4IA/1rvSr3MU+Sv4jhNDzD+CeC3gmHkPew6pi9VHEsEwdgmAQD2BtiX
+7w1sJL/CBylGWv5jxj4345mP9YfZm0RsgzPjDIh1BBAWCAAdFiEEJJyzdxdQdF1c
+3TI84mewUjZPAo0FAmFAQ54ACgkQ4mewUjZPAo1CiAD+KTT1UVdQTGHMyvHwZocS
+QjU8xhcZrTet+dvvjrE5+4MA/RBdJPZgFevUKu68NEy0Lo+RbkeCtmQJ/c8v5ieF
+vW0AiQEzBBABCAAdFiEEEkEkvTtIYq96CkLxALRevUynur4FAmFAQ7cACgkQALRe
+vUynur4kaAgAolPR8TNWVS0vXMKrr0k0l2M/8QkZTaLZx1GT9Nx1yb4WJKY7ElPM
+YkhGDxetvFBETx0pH/6R3jtj6Crmur+NKHVSRY+rCYpFPDn6ciIOryssRx2G4kCZ
+t+nFB9JyDbBOZAR8DK4pN1mAxG/yLDt4oKcUQsP2xlEFum+phxyR8KyYCpkwKRxY
+eK+6lfilQuveoUwp/Xx5wXPNUy6q4eOOovCW7gS7I7288NGHCa2ul8sD6vA9C4mM
+4Zxaole9P9wwJe1zZFtCIy88zHM9vqv+YM9DxMCaW24+rUztr7eD4bCRdG+QlSh+
+7R/TaqSxY1eAAd1J5tma9CNJO73pTKU+/JhTBGFpSqMTCSskAwMCCAEBBwIDBF6X
+D9NmUQDgiyYNbhs1DMJ14mIw812wY1HVx/4QWYWiBunhrvSFxVbzsjD7/Wv+v3bm
+MPrL+M2DLyFiSewNmcS0JEdudVBHLmNvbSAoUmVsZWFzZSBTaWduaW5nIEtleSAy
+MDIxKYiaBBMTCABCFiEEAvON/3Mf+XywOaHaVJ5pXpBboggFAmFpSqMCGwMFCQ9x
+14oFCwkIBwIDIgIBBhUKCQgLAgQWAgMBAh4HAheAAAoJEFSeaV6QW6IITkoA/RYa
+jaTl1eEBU/Gdm12o3jrI55N5xZK2XTqSx25clVyjAP0XwMW/Og5+ND1ri3bAqADV
+WlBDUswz8wYxsb0C4kYBkoh1BBAWCgAdFiEEbapuZKdtKEBXG0kCUoiXuCZAOtoF
+AmFpTvEACgkQUoiXuCZAOtrJQAEAh7YyykjAy/Qs1yC3ji8iBfIVnPXvblrIx3SR
+RyDwRC8BAKtZbEuKTtPlgkLUgMleTcZJ/vEhJE+GvfQ9o5gWCqEFiHUEEBYKAB0W
+IQTB00tpIZ5K7sC6HCHj/f8hjkW3KwUCYWlPWgAKCRDj/f8hjkW3Kx4eAQDp6aGS
+N/fU4xLl8RSvQUVjVA+aCTrMQR3hRwqw8liF2wEA3O3ECxz6e1+DoItYoJBBLKLw
+eiInsGZ/+h5XYrpXTgA=
+=4+Sn
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/SPECS/libgcrypt.spec b/SPECS/libgcrypt.spec
new file mode 100644
index 0000000..f4d90f1
--- /dev/null
+++ b/SPECS/libgcrypt.spec
@@ -0,0 +1,691 @@
+# This is taken from gnutls.spec
+%define srpmhash() %{lua:
+local files = rpm.expand("%_specdir/libgcrypt.spec")
+for i, p in ipairs(patches) do
+   files = files.." "..p
+end
+for i, p in ipairs(sources) do
+   files = files.." "..p
+end
+local sha256sum = assert(io.popen("cat "..files.."| sha256sum"))
+local hash = sha256sum:read("*a")
+sha256sum:close()
+print(string.sub(hash, 0, 16))
+}
+
+Name: libgcrypt
+Version: 1.11.0
+Release: 3%{?dist}
+URL: https://www.gnupg.org/
+Source0: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2
+Source1: https://www.gnupg.org/ftp/gcrypt/libgcrypt/libgcrypt-%{version}.tar.bz2.sig
+Source2: https://gnupg.org/signature_key.asc
+# Pass the annobin flags to the libgcrypt.so (#2016349)
+Patch1: libgcrypt-1.10.1-annobin.patch
+# https://dev.gnupg.org/T7167
+Patch2: libgcrypt-1.11.0-Disable-SHA3-s390x-acceleration-for-CSHAKE.patch
+# https://gitlab.com/redhat-crypto/libgcrypt/libgcrypt-mirror/-/merge_requests/20
+Patch3: libgcrypt-1.11.0-covscan.patch
+# https://dev.gnupg.org/T7220
+Patch4: libgcrypt-1.11.0-cf-protection.patch
+
+%global gcrylibdir %{_libdir}
+%global gcrysoname libgcrypt.so.20
+%global hmackey orboDeJITITejsirpADONivirpUkvarP
+
+License: BSD-3-Clause AND (BSD-3-Clause OR GPL-2.0-only) AND GPL-2.0-or-later AND LGPL-2.1-or-later AND LGPL-2.0-or-later AND MIT-Modern-Variant
+Summary: A general-purpose cryptography library
+BuildRequires: gcc
+BuildRequires: gawk, libgpg-error-devel >= 1.11, pkgconfig
+# This is needed only when patching the .texi doc.
+BuildRequires: texinfo
+BuildRequires: autoconf, automake, libtool
+BuildRequires: make
+BuildRequires: gnupg2
+
+%package devel
+Summary: Development files for the %{name} package
+Requires: libgpg-error-devel
+Requires: %{name}%{?_isa} = %{version}-%{release}
+Requires: pkgconfig
+
+%description
+Libgcrypt is a general purpose crypto library based on the code used
+in GNU Privacy Guard.  This is a development version.
+
+%description devel
+Libgcrypt is a general purpose crypto library based on the code used
+in GNU Privacy Guard.  This package contains files needed to develop
+applications using libgcrypt.
+
+%prep
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%setup -q
+%patch 1 -p1
+%patch 2 -p1
+%patch 3 -p1
+%patch 4 -p1
+
+%build
+# should be all algorithms except SM3 and SM4, aria
+export DIGESTS='crc gostr3411-94 md4 md5 rmd160 sha1 sha256 sha512 sha3 tiger whirlpool stribog blake2'
+export CIPHERS='arcfour blowfish cast5 des aes twofish serpent rfc2268 seed camellia idea salsa20 gost28147 chacha20'
+
+eval $(sed -n 's/^\(\(NAME\|VERSION_ID\)=.*\)/OS_\1/p' /etc/os-release)
+export FIPS_MODULE_NAME="$OS_NAME ${OS_VERSION_ID%%.*} %name"
+
+autoreconf -f
+%configure --disable-static \
+%ifarch sparc64
+     --disable-asm \
+%endif
+     --enable-noexecstack \
+     --enable-hmac-binary-check=%{hmackey} \
+     --disable-jent-support \
+     --disable-O-flag-munging \
+     --enable-digests="$DIGESTS" \
+     --enable-ciphers="$CIPHERS" \
+     --with-fips-module-version="$FIPS_MODULE_NAME %{version}-%{srpmhash}"
+sed -i -e '/^sys_lib_dlsearch_path_spec/s,/lib /usr/lib,/usr/lib /lib64 /usr/lib64 /lib,g' libtool
+%make_build
+
+%check
+make check
+# try in faked FIPS mode too
+LIBGCRYPT_FORCE_FIPS_MODE=1 make check
+
+# Add generation of HMAC checksums of the final stripped binaries 
+%define libpath $RPM_BUILD_ROOT%{gcrylibdir}/%{gcrysoname}.?.?
+%define __spec_install_post \
+    %{?__debug_package:%{__debug_install_post}} \
+    %{__arch_install_post} \
+    %{__os_install_post} \
+    cd src \
+    sed -i -e 's|FILE=.*|FILE=\\\$1|' gen-note-integrity.sh \
+    READELF=readelf AWK=awk ECHO_N="-n" bash gen-note-integrity.sh %{libpath} > %{libpath}.hmac \
+    objcopy --update-section .note.fdo.integrity=%{libpath}.hmac %{libpath} %{libpath}.new \
+    mv -f %{libpath}.new %{libpath} \
+    rm -f %{libpath}.hmac
+%{nil}
+
+%install
+%make_install
+
+# Change /usr/lib64 back to /usr/lib.  This saves us from having to patch the
+# script to "know" that -L/usr/lib64 should be suppressed, and also removes
+# a file conflict between 32- and 64-bit versions of this package.
+# Also replace my_host with none.
+sed -i -e 's,^libdir="/usr/lib.*"$,libdir="/usr/lib",g' $RPM_BUILD_ROOT/%{_bindir}/libgcrypt-config
+sed -i -e 's,^my_host=".*"$,my_host="none",g' $RPM_BUILD_ROOT/%{_bindir}/libgcrypt-config
+
+rm -f ${RPM_BUILD_ROOT}/%{_infodir}/dir ${RPM_BUILD_ROOT}/%{_libdir}/*.la
+/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_libdir}
+
+%if "%{gcrylibdir}" != "%{_libdir}"
+# Relocate the shared libraries to %{gcrylibdir}.
+mkdir -p $RPM_BUILD_ROOT%{gcrylibdir}
+for shlib in $RPM_BUILD_ROOT%{_libdir}/*.so* ; do
+	if test -L "$shlib" ; then
+		rm "$shlib"
+	else
+		mv "$shlib" $RPM_BUILD_ROOT%{gcrylibdir}/
+	fi
+done
+
+# Add soname symlink.
+/sbin/ldconfig -n $RPM_BUILD_ROOT/%{_lib}/
+%endif
+
+# Overwrite development symlinks.
+pushd $RPM_BUILD_ROOT/%{gcrylibdir}
+for shlib in lib*.so.?? ; do
+	target=$RPM_BUILD_ROOT/%{_libdir}/`echo "$shlib" | sed -e 's,\.so.*,,g'`.so
+%if "%{gcrylibdir}" != "%{_libdir}"
+	shlib=%{gcrylibdir}/$shlib
+%endif
+	ln -sf $shlib $target
+done
+popd
+
+# Create /etc/gcrypt (hardwired, not dependent on the configure invocation) so
+# that _someone_ owns it.
+mkdir -p -m 755 $RPM_BUILD_ROOT/etc/gcrypt
+
+%ldconfig_scriptlets
+
+%files
+%dir /etc/gcrypt
+%{gcrylibdir}/libgcrypt.so.*.*
+%{gcrylibdir}/%{gcrysoname}
+%license COPYING.LIB
+%doc AUTHORS NEWS THANKS
+
+%files devel
+%{_bindir}/%{name}-config
+%{_bindir}/dumpsexp
+%{_bindir}/hmac256
+%{_bindir}/mpicalc
+%{_includedir}/*
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/libgcrypt.pc
+%{_datadir}/aclocal/*
+%{_mandir}/man1/*
+
+%{_infodir}/gcrypt.info*
+%license COPYING
+
+%changelog
+* Fri Jul 26 2024 Jakub Jelen <jjelen@redhat.com> - 1.11.0-3
+- Add CF protection on x86_64
+
+* Thu Jul 25 2024 Jakub Jelen <jjelen@redhat.com> - 1.11.0-2
+- Clean up flags to pass rpminspect checks
+- Fix memory leaks reported by static analysis
+
+* Wed Jul 03 2024 Jakub Jelen <jjelen@redhat.com> - 1.11.0-1
+- New upstream release (#2293064)
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 1.10.3-4
+- Bump release for June 2024 mass rebuild
+
+* Thu Jan 25 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Tue Nov 14 2023 Jakub Jelen <jjelen@redhat.com> - 1.10.3-1
+- New upstream release (#2249639)
+
+* Thu Jul 20 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.2-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Apr 11 2023 Jakub Jelen <jjelen@redhat.com> - 1.10.2-1
+- New upstream release (#2185084)
+
+* Thu Jan 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Sat Dec  3 2022 Florian Weimer <fweimer@redhat.com> - 1.10.1-6
+- Port configure script to C99
+
+* Tue Nov 08 2022 Todd Zullinger <tmz@pobox.com> - 1.10.1-5
+- enable brainpool by default (#1413618)
+- fix sporadic failures generating RSA keys in FIPS mode
+
+* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.10.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Sun May 29 2022 Todd Zullinger <tmz@pobox.com> - 1.10.1-3
+- improve --disable-brainpool configure output
+- use %%bcond_with to disable brainpool curves
+
+* Fri Apr 08 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.1-2
+- Adjust integrity check creation to match upstream (#2073018)
+
+* Tue Mar 29 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.1-1
+- Final release (#2069263)
+
+* Wed Feb 02 2022 Jakub Jelen <jjelen@redhat.com> - 1.10.0-1
+- New upstream release (#2049322)
+
+* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Mon Aug 23 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.4-1
+- New upstream release (#1996467)
+
+* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.9.3-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jun 15 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-3
+- Fix for CVE-2021-33560 (#1970098)
+
+* Wed Apr 28 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-2
+- Restore the CET protection (#1954049)
+
+* Tue Apr 20 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.3-1
+- New upstream release (#1951325)
+
+* Thu Apr 15 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-3
+- Fix issues reported by coverity
+
+* Mon Mar 29 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-2
+- Fix OCB tag creation on s390x (failing gnupg2 tests)
+
+* Wed Feb 17 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.2-1
+- New upstream release (#1929630)
+
+* Fri Jan 29 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.1-1
+- New upstream release (#1922156, #1922097)
+
+* Wed Jan 20 2021 Jakub Jelen <jjelen@redhat.com> - 1.9.0-1
+- New upstream release (#1917878)
+
+* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 1.8.7-1
+- new upstream release (#1891123)
+
+* Fri Aug 21 2020 Jeff Law <law@redhat.com> - 1.8.6-4
+- Re-enable LTO
+
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 1.8.6-2
+- Use make macros
+- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
+
+* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.6-1
+- new upstream version 1.8.6
+
+* Wed Jul  1 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-7
+- use the hmac256 tool to calculate the library hmac
+
+* Tue Jun 30 2020 Jeff Law <law@redhat.com>
+- Disable LTO
+
+* Thu Apr 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-6
+- Fix regression - missing -ldl linkage
+
+* Wed Apr 22 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-5
+- AES performance improvements backported from master branch
+
+* Mon Apr 20 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-4
+- FIPS selftest is run directly from the constructor
+- FIPS module is implicit with kernel FIPS flag
+
+* Thu Jan 30 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-3
+- fix the build on ARMv7
+
+* Thu Jan 23 2020 Tomáš Mráz <tmraz@redhat.com> 1.8.5-2
+- Intel CET support by H. J. Lu
+
+* Tue Sep  3 2019 Tomáš Mráz <tmraz@redhat.com> 1.8.5-1
+- new upstream version 1.8.5
+- add CMAC selftest for FIPS POST
+- add continuous FIPS entropy test
+- disable non-approved FIPS hashes in the enforced FIPS mode
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Tue Feb 12 2019 Tomáš Mráz <tmraz@redhat.com> 1.8.4-3
+- fix the build tests to pass in the FIPS mode
+
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Nov 20 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.4-1
+- new upstream version 1.8.4
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.8.3-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Thu Jul 12 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.3-2
+- make only_urandom a default in non-presence of configuration file
+- run the full FIPS selftests only when the library is called from
+  application
+
+* Thu Jun 14 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.3-1
+- new upstream version 1.8.3
+
+* Tue Feb  6 2018 Tomáš Mráz <tmraz@redhat.com> 1.8.2-2
+- fix behavior when getrandom syscall is not present (#1542453)
+
+* Thu Dec 21 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.2-1
+- new upstream version 1.8.2
+
+* Tue Dec  5 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-3
+- do not try to access() /dev/urandom either if getrandom() works
+
+* Mon Dec  4 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-2
+- do not try to open /dev/urandom if getrandom() works (#1380866)
+
+* Tue Sep  5 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.1-1
+- new upstream version 1.8.1
+
+* Wed Aug 16 2017 Tomáš Mráz <tmraz@redhat.com> 1.8.0-1
+- new upstream version 1.8.0
+
+* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.8-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jun 29 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.8-1
+- new upstream version 1.7.8
+
+* Fri Jun  2 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.7-1
+- new upstream version 1.7.7
+- GOST is now enabled
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1.7.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Mon Jan 30 2017 Tomáš Mráz <tmraz@redhat.com> 1.7.6-1
+- new upstream version 1.7.6
+
+* Fri Dec 16 2016 Tomáš Mráz <tmraz@redhat.com> 1.7.5-1
+- new upstream version 1.7.5
+
+* Wed Nov 23 2016 Tomáš Mráz <tmraz@redhat.com> 1.7.3-1
+- new upstream version 1.7.3
+
+* Wed Aug 17 2016 Tomáš Mráz <tmraz@redhat.com> 1.6.6-1
+- new upstream version with important security fix (CVE-2016-6316)
+
+* Thu Jul 21 2016 Tomáš Mráz <tmraz@redhat.com> 1.6.5-1
+- new upstream version fixing low impact issue CVE-2015-7511
+
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1.6.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Wed Sep  9 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.4-1
+- new upstream version
+
+* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.3-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Apr  3 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-4
+- deinitialize the RNG after the selftest is run
+
+* Tue Mar 24 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-3
+- touch only urandom in the selftest and when /dev/random is
+  unavailable for example by SELinux confinement
+- fix the RSA selftest key (p q swap) (#1204517)
+
+* Fri Mar 13 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-2
+- do not use strict aliasing for bufhelp functions (#1201219)
+
+* Fri Mar  6 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.3-1
+- new upstream version
+
+* Wed Feb 25 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.2-4
+- do not initialize secure memory during the selftest (#1195850)
+
+* Sat Feb 21 2015 Till Maas <opensource@till.name> - 1.6.2-3
+- Rebuilt for Fedora 23 Change
+  https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code
+
+* Wed Jan 14 2015 Tomáš Mráz <tmraz@redhat.com> 1.6.2-2
+- fix buildability of programs using gcrypt.h with -ansi (#1182200)
+
+* Mon Dec  8 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.2-1
+- new upstream version
+
+* Sun Aug 17 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Thu Jul 17 2014 Tom Callaway <spot@fedoraproject.org> - 1.6.1-6
+- fix license handling
+
+* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.6.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue May 20 2014 Kyle McMartin <kyle@fedoraproject.org> 1.6.1-4
+- Re-enable below algos, apply patch from upstream list to make
+  that code -fPIC friendly. (rhbz#1069792)
+
+* Mon May 19 2014 Kyle McMartin <kyle@fedoraproject.org> 1.6.1-3
+- Disable rijndael, cast5, camellia ARM assembly, as it's non-PIC as
+  presently written, which results in .text relocations in the shared
+  library. (rhbz#1069792)
+
+* Thu Apr 24 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.1-2
+- drop the temporary compat shared library version
+- fix the soname version in -use-fipscheck.patch
+
+* Fri Feb 28 2014 Tomáš Mráz <tmraz@redhat.com> 1.6.1-1
+- new upstream version breaking ABI compatibility
+- this release temporarily includes old compatibility .so
+
+* Tue Jan 21 2014 Tomáš Mráz <tmraz@redhat.com> 1.5.3-3
+- add back the nistp521r1 EC curve
+- fix a bug in the Whirlpool hash implementation
+- speed up the PBKDF2 computation
+
+* Sun Oct 20 2013 Tom Callaway <spot@fedoraproject.org> - 1.5.3-2
+- add cleared ECC support
+
+* Fri Jul 26 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.3-1
+- new upstream version fixing cache side-channel attack on RSA private keys
+
+* Thu Jun 20 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-3
+- silence false error detected by valgrind (#968288)
+
+* Thu Apr 25 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-2
+- silence strict aliasing warning in Rijndael
+- apply UsrMove
+- spec file cleanups
+
+* Fri Apr 19 2013 Tomáš Mráz <tmraz@redhat.com> 1.5.2-1
+- new upstream version
+
+* Wed Mar 20 2013 Tomas Mraz <tmraz@redhat.com> 1.5.1-1
+- new upstream version
+
+* Tue Mar  5 2013 Tomas Mraz <tmraz@redhat.com> 1.5.0-11
+- use poll() instead of select() when gathering randomness (#913773)
+
+* Thu Feb 14 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild
+
+* Thu Jan  3 2013 Tomas Mraz <tmraz@redhat.com> 1.5.0-9
+- allow empty passphrase in PBKDF2 needed for cryptsetup (=891266)
+
+* Mon Dec  3 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-8
+- fix multilib conflict in libgcrypt-config
+- fix minor memory leaks and other bugs found by Coverity scan
+
+* Thu Jul 19 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
+
+* Thu Apr  5 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-5
+- Correctly rebuild the info documentation
+
+* Wed Apr  4 2012 Tomas Mraz <tmraz@redhat.com> 1.5.0-4
+- Add GCRYCTL_SET_ENFORCED_FIPS_FLAG command
+
+* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.5.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
+
+* Mon Aug 15 2011 Kalev Lember <kalevlember@gmail.com> 1.5.0-2
+- Rebuilt for rpm bug #728707
+
+* Thu Jul 21 2011 Tomas Mraz <tmraz@redhat.com> 1.5.0-1
+- new upstream version
+
+* Mon Jun 20 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-4
+- Always xor seed from /dev/urandom over /etc/gcrypt/rngseed
+
+* Mon May 30 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-3
+- Make the FIPS-186-3 DSA implementation CAVS testable
+- add configurable source of RNG seed /etc/gcrypt/rngseed
+  in the FIPS mode (#700388)
+
+* Fri Feb 11 2011 Tomas Mraz <tmraz@redhat.com> 1.4.6-1
+- new upstream version with minor changes
+
+* Mon Feb 07 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.5-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
+
+* Fri Feb  4 2011 Tomas Mraz <tmraz@redhat.com> 1.4.5-6
+- fix a bug in the fips-186-3 dsa parameter generation code
+
+* Tue Feb  1 2011 Tomas Mraz <tmraz@redhat.com> 1.4.5-5
+- use /dev/urandom for seeding in the FIPS mode
+- make the tests to pass in the FIPS mode also fixing
+  the FIPS-186-3 DSA keygen
+
+* Sun Feb 14 2010 Rex Dieter <rdieter@fedoraproject.org> 1.4.5-4
+- FTBFS libgcrypt-1.4.5-3.fc13: ImplicitDSOLinking (#564973)
+
+* Wed Feb  3 2010 Tomas Mraz <tmraz@redhat.com> 1.4.5-3
+- drop the S390 build workaround as it is no longer needed
+- additional spec file cleanups for merge review (#226008)
+
+* Mon Dec 21 2009 Tomas Mraz <tmraz@redhat.com> 1.4.5-1
+- workaround for build on S390 (#548825)
+- spec file cleanups
+- upgrade to new minor upstream release
+
+* Tue Aug 11 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-8
+- fix warning when installed with --excludedocs (#515961)
+
+* Fri Jul 24 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.4-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Thu Jun 18 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-6
+- and now really apply the padlock patch
+
+* Wed Jun 17 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-5
+- fix VIA padlock RNG inline assembly call (#505724)
+
+* Thu Mar  5 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-4
+- with the integrity verification check the library needs to link to libdl
+  (#488702)
+
+* Tue Mar  3 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-3
+- add hmac FIPS integrity verification check
+
+* Wed Feb 25 2009 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.4.4-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Fri Jan 30 2009 Tomas Mraz <tmraz@redhat.com> 1.4.4-1
+- update to 1.4.4
+- do not abort when the fips mode kernel flag is inaccessible
+  due to permissions (#470219)
+- hobble the library to drop the ECC support
+
+* Mon Oct 20 2008 Dennis Gilmore <dennis@ausil.us> 1.4.3-2
+- disable asm on sparc64
+
+* Thu Sep 18 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.3-1
+- update to 1.4.3
+- own /etc/gcrypt
+
+* Mon Sep 15 2008 Nalin Dahyabhai <nalin@redhat.com>
+- invoke make with %%{?_smp_mflags} to build faster on multi-processor
+  systems (Steve Grubb)
+
+* Mon Sep  8 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.2-1
+- update to 1.4.2
+
+* Tue Apr 29 2008 Nalin Dahyabhai <nalin@redhat.com> 1.4.1-1
+- update to 1.4.1
+- bump libgpgerror-devel requirement to 1.4, matching the requirement enforced
+  by the configure script
+
+* Thu Apr  3 2008 Joe Orton <jorton@redhat.com> 1.4.0-3
+- add patch from upstream to fix severe performance regression
+  in entropy gathering
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng@fedoraproject.org> - 1.4.0-2
+- Autorebuild for GCC 4.3
+
+* Mon Dec 10 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.4.0-1
+- update to 1.4.0
+
+* Tue Oct 16 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-6
+- use ldconfig to build the soname symlink for packaging along with the
+  shared library (#334731)
+
+* Wed Aug 22 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-5
+- add missing gawk buildrequirement
+- switch from explicitly specifying the /dev/random RNG to just verifying
+  that the non-LGPL ones were disabled by the configure script
+
+* Thu Aug 16 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-4
+- clarify license
+- force use of the linux /dev/random RNG, to avoid accidentally falling back
+  to others which would affect the license of the resulting library
+
+* Mon Jul 30 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-3
+- disable static libraries (part of #249815)
+
+* Fri Jul 27 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-2
+- move libgcrypt shared library to /%%{_lib} (#249815)
+
+* Tue Feb  6 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.4-1
+- update to 1.2.4
+
+* Mon Jan 22 2007 Nalin Dahyabhai <nalin@redhat.com> - 1.2.3-2
+- make use of install-info more failsafe (Ville Skyttä, #223705)
+
+* Fri Sep  1 2006 Nalin Dahyabhai <nalin@redhat.com> - 1.2.3-1
+- update to 1.2.3
+
+* Wed Jul 12 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-3.1
+- rebuild
+
+* Mon Jun 05 2006 Jesse Keating <jkeating@redhat.com> 1.2.2-3
+- Added missing buildreq pkgconfig
+
+* Tue May 16 2006 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-2
+- remove file conflicts in libgcrypt-config by making the 64-bit version
+  think the libraries are in /usr/lib (which is wrong, but which it also
+  prunes from the suggest --libs output, so no harm done, hopefully)
+
+* Fri Feb 10 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-1.2.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating <jkeating@redhat.com> - 1.2.2-1.2
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Dec 09 2005 Jesse Keating <jkeating@redhat.com>
+- rebuilt
+
+* Wed Oct  5 2005 Nalin Dahyabhai <nalin@redhat.com> 1.2.2-1
+- update to 1.2.2
+
+* Wed Mar 16 2005 Nalin Dahyabhai <nalin@redhat.com> 1.2.1-1
+- update to 1.2.1
+
+* Fri Jul 30 2004 Florian La Roche <Florian.LaRoche@redhat.de>
+- another try to package the symlink
+
+* Tue Jun 15 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sun May  2 2004 Bill Nottingham <notting@redhat.com> - 1.2.0-1
+- update to official 1.2.0
+
+* Fri Apr 16 2004 Bill Nottingham <notting@redhat.com> - 1.1.94-1
+- update to 1.1.94
+
+* Tue Mar 02 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Sat Feb 21 2004 Florian La Roche <Florian.LaRoche@redhat.de>
+- add symlinks to shared libs at compile time
+
+* Fri Feb 13 2004 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Wed Jun 04 2003 Elliot Lee <sopwith@redhat.com>
+- rebuilt
+
+* Thu Mar 20 2003 Jeff Johnson <jbj@redhat.com> 1.1.12-1
+- upgrade to 1.1.12 (beta).
+
+* Fri Jun 21 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Sun May 26 2002 Tim Powers <timp@redhat.com>
+- automated rebuild
+
+* Tue May 21 2002 Jeff Johnson <jbj@redhat.com>
+- update to 1.1.7
+- change license to LGPL.
+- include splint annotations patch.
+- install info pages.
+
+* Tue Apr  2 2002 Nalin Dahyabhai <nalin@redhat.com> 1.1.6-1
+- update to 1.1.6
+
+* Thu Jan 10 2002 Nalin Dahyabhai <nalin@redhat.com> 1.1.5-1
+- fix the Source tag so that it's a real URL
+
+* Thu Dec 20 2001 Nalin Dahyabhai <nalin@redhat.com>
+- initial package