diff -pruN 1.8.7-2/debian/changelog 1.8.7-2ubuntu1/debian/changelog
--- 1.8.7-2/debian/changelog	2020-10-28 07:00:01.000000000 +0000
+++ 1.8.7-2ubuntu1/debian/changelog	2020-11-10 09:20:19.000000000 +0000
@@ -1,3 +1,13 @@
+libgcrypt20 (1.8.7-2ubuntu1) hirsute; urgency=low
+
+  * Merge from Debian unstable. Remaining changes:
+    - Disable the library reading /proc/sys/crypto/fips_enabled file
+      and going into FIPS mode. libgcrypt is not a FIPS certified library.
+      (LP 1748310)
+    - Enable CET.
+
+ -- Łukasz 'sil2100' Zemczak <lukasz.zemczak@ubuntu.com>  Tue, 10 Nov 2020 10:20:19 +0100
+
 libgcrypt20 (1.8.7-2) unstable; urgency=low
 
   * Upload to unstable.
@@ -36,6 +46,21 @@ libgcrypt20 (1.8.6-1) experimental; urge
 
  -- Andreas Metzler <ametzler@debian.org>  Sat, 11 Jul 2020 13:08:25 +0200
 
+libgcrypt20 (1.8.5-5ubuntu2) groovy; urgency=medium
+
+  * Enable CET.
+
+ -- Dimitri John Ledkov <xnox@ubuntu.com>  Fri, 26 Jun 2020 14:12:25 +0100
+
+libgcrypt20 (1.8.5-5ubuntu1) focal; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Disable the library reading /proc/sys/crypto/fips_enabled file
+      and going into FIPS mode. libgcrypt is not a FIPS certified library.
+      (LP 1748310)
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Sun, 23 Feb 2020 12:38:22 -0800
+
 libgcrypt20 (1.8.5-5) unstable; urgency=low
 
   * Upload to unstable.
@@ -64,6 +89,18 @@ libgcrypt20 (1.8.5-4) experimental; urge
 
  -- Andreas Metzler <ametzler@debian.org>  Sun, 16 Feb 2020 11:39:04 +0100
 
+libgcrypt20 (1.8.5-3ubuntu1) focal; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Disable the library reading /proc/sys/crypto/fips_enabled file
+      and going into FIPS mode. libgcrypt is not a FIPS certified library.
+      (LP 1748310)
+  * Dropped changes, included in Debian:
+    - Build-depend on texlive-plain-generic instead of obsolete texlive-
+      generic-recommended.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Fri, 18 Oct 2019 14:25:34 -0700
+
 libgcrypt20 (1.8.5-3) unstable; urgency=medium
 
   * Switch b-d from texlive-generic-recommended to texlive-plain-generic.
@@ -89,6 +126,23 @@ libgcrypt20 (1.8.5-1) experimental; urge
 
  -- Andreas Metzler <ametzler@debian.org>  Fri, 30 Aug 2019 18:44:49 +0200
 
+libgcrypt20 (1.8.4-5ubuntu2) eoan; urgency=medium
+
+  * Build-depend on texlive-plain-generic instead of obsolete texlive-
+    generic-recommended.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com>  Tue, 01 Oct 2019 14:13:42 -0700
+
+libgcrypt20 (1.8.4-5ubuntu1) eoan; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Disable the library reading /proc/sys/crypto/fips_enabled file
+      and going into FIPS mode. libgcrypt is not a FIPS certified library.
+      (LP 1748310)
+  * Fix spelling-error-in-patch-description "Decription" -> "Description"
+
+ -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 23 Apr 2019 11:41:31 +0200
+
 libgcrypt20 (1.8.4-5) unstable; urgency=medium
 
   * 30_doc-Fix-library-initialization-examples.patch from upstream
@@ -108,6 +162,15 @@ libgcrypt20 (1.8.4-4) unstable; urgency=
 
  -- Andreas Metzler <ametzler@debian.org>  Sun, 02 Dec 2018 13:43:39 +0100
 
+libgcrypt20 (1.8.4-3ubuntu1) disco; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Disable the library reading /proc/sys/crypto/fips_enabled file
+      and going into FIPS mode. libgcrypt is not a FIPS certified library.
+      (LP 1748310)
+
+ -- Julian Andres Klode <juliank@ubuntu.com>  Mon, 12 Nov 2018 11:24:05 +0100
+
 libgcrypt20 (1.8.4-3) unstable; urgency=medium
 
   * Fix arch-indep build error by running dh_auto_install for both -arch and
@@ -145,6 +208,15 @@ libgcrypt20 (1.8.3-2) experimental; urge
 
  -- Andreas Metzler <ametzler@debian.org>  Fri, 26 Oct 2018 17:29:25 +0200
 
+libgcrypt20 (1.8.3-1ubuntu1) cosmic; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Disable the library reading /proc/sys/crypto/fips_enabled file
+      and going into FIPS mode. libgcrypt is not a FIPS certified library.
+      (LP 1748310)
+
+ -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 10 Jul 2018 14:00:16 +0200
+
 libgcrypt20 (1.8.3-1) unstable; urgency=high
 
   * [lintian] Fix spelling-error-in-patch-description in
@@ -156,6 +228,15 @@ libgcrypt20 (1.8.3-1) unstable; urgency=
 
  -- Andreas Metzler <ametzler@debian.org>  Wed, 13 Jun 2018 19:15:54 +0200
 
+libgcrypt20 (1.8.2-2ubuntu1) cosmic; urgency=low
+
+  * Merge from Debian unstable.  Remaining changes:
+    - Disable the library reading /proc/sys/crypto/fips_enabled file
+      and going into FIPS mode. libgcrypt is not a FIPS certified library.
+      (LP 1748310)
+
+ -- Julian Andres Klode <juliank@ubuntu.com>  Tue, 29 May 2018 11:03:10 +0200
+
 libgcrypt20 (1.8.2-2) unstable; urgency=medium
 
   * Upload to unstable.
@@ -178,6 +259,15 @@ libgcrypt20 (1.8.2-1) experimental; urge
 
  -- Andreas Metzler <ametzler@debian.org>  Sat, 16 Dec 2017 13:36:49 +0100
 
+libgcrypt20 (1.8.1-4ubuntu1) bionic; urgency=medium
+
+  * Disable the library reading /proc/sys/crypto/fips_enabled file
+    and going into FIPS mode. libgcrypt is not a FIPS certified library.
+    (LP: #1748310)
+    - debian/patches/disable_fips_enabled_read.patch
+
+ -- Vineetha Pai <vineetha.hari.pai@canonical.com>  Fri, 16 Feb 2018 13:45:04 -0500
+
 libgcrypt20 (1.8.1-4) unstable; urgency=low
 
   * Upload to unstable.
@@ -1473,3 +1563,4 @@ libgcrypt (1.1.4-1) unstable; urgency=lo
   * Initial Release. (Closes: #107498)
 
  -- Ivo Timmermans <ivo@debian.org>  Sat,  4 Aug 2001 11:22:10 +0200
+
diff -pruN 1.8.7-2/debian/control 1.8.7-2ubuntu1/debian/control
--- 1.8.7-2/debian/control	2020-10-28 06:59:39.000000000 +0000
+++ 1.8.7-2ubuntu1/debian/control	2020-10-28 09:19:17.000000000 +0000
@@ -1,7 +1,8 @@
 Source: libgcrypt20
 Section: libs
 Priority: optional
-Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
+XSBC-Original-Maintainer: Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>
 Uploaders:
  Andreas Metzler <ametzler@debian.org>,
  Eric Dorland <eric@debian.org>,
diff -pruN 1.8.7-2/debian/patches/1806755cd7ae110b476c6d81ced3d0948792e784.patch 1.8.7-2ubuntu1/debian/patches/1806755cd7ae110b476c6d81ced3d0948792e784.patch
--- 1.8.7-2/debian/patches/1806755cd7ae110b476c6d81ced3d0948792e784.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.8.7-2ubuntu1/debian/patches/1806755cd7ae110b476c6d81ced3d0948792e784.patch	2020-06-26 13:12:04.000000000 +0000
@@ -0,0 +1,205 @@
+From 1806755cd7ae110b476c6d81ced3d0948792e784 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Thu, 16 Jan 2020 11:19:40 -0800
+Subject: [PATCH] i386: Add _CET_ENDBR to indirect jump targets
+
+i386 mpih-add1.S and mpih-sub1.S use a trick to implment jump tables
+with LEA.  We can't use conditional branches nor normal jump tables
+since jump table entries use EFLAGS set by jump table index.  This
+patch adds _CET_ENDBR to indirect jump targets and adjust destination
+for _CET_ENDBR.
+
+	* mpi/i386/mpih-add1.S (_gcry_mpih_add_n): Save and restore
+	%ebx if IBT is enabed.  Add _CET_ENDBR to indirect jump targets
+	and adjust jump destination for _CET_ENDBR.
+	* mpi/i386/mpih-sub1.S (_gcry_mpih_sub_n): Likewise.
+---
+ mpi/i386/mpih-add1.S | 35 +++++++++++++++++++++++++++++++++++
+ mpi/i386/mpih-sub1.S | 35 +++++++++++++++++++++++++++++++++++
+ 2 files changed, 70 insertions(+)
+
+diff --git a/mpi/i386/mpih-add1.S b/mpi/i386/mpih-add1.S
+index 652b2321..daf50868 100644
+--- a/mpi/i386/mpih-add1.S
++++ b/mpi/i386/mpih-add1.S
+@@ -52,6 +52,10 @@ C_SYMBOL_NAME(_gcry_mpih_add_n:)
+ 	movl 20(%esp),%edx		/* s2_ptr */
+ 	movl 24(%esp),%ecx		/* size */
+ 
++#if defined __CET__ && (__CET__ & 1) != 0
++	pushl	%ebx
++#endif
++
+ 	movl	%ecx,%eax
+ 	shrl	$3,%ecx 		/* compute count for unrolled loop */
+ 	negl	%eax
+@@ -63,6 +67,9 @@ C_SYMBOL_NAME(_gcry_mpih_add_n:)
+ 	subl	%eax,%esi		/* ... by a constant when we ... */
+ 	subl	%eax,%edx		/* ... enter the loop */
+ 	shrl	$2,%eax 		/* restore previous value */
++#if defined __CET__ && (__CET__ & 1) != 0
++	leal	-4(,%eax,4),%ebx	/* Count for 4-byte endbr32 */
++#endif
+ #ifdef PIC
+ /* Calculate start address in loop for PIC.  Due to limitations in some
+    assemblers, Loop-L0-3 cannot be put into the leal */
+@@ -74,30 +81,54 @@ L0:	leal	(%eax,%eax,8),%eax
+ #else
+ /* Calculate start address in loop for non-PIC.  */
+ 	leal	(Loop - 3)(%eax,%eax,8),%eax
++#endif
++#if defined __CET__ && (__CET__ & 1) != 0
++	addl	%ebx,%eax		/* Adjust for endbr32 */
+ #endif
+ 	jmp	*%eax			/* jump into loop */
+ 	ALIGN (3)
+ Loop:	movl	(%esi),%eax
+ 	adcl	(%edx),%eax
+ 	movl	%eax,(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	4(%esi),%eax
+ 	adcl	4(%edx),%eax
+ 	movl	%eax,4(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	8(%esi),%eax
+ 	adcl	8(%edx),%eax
+ 	movl	%eax,8(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	12(%esi),%eax
+ 	adcl	12(%edx),%eax
+ 	movl	%eax,12(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	16(%esi),%eax
+ 	adcl	16(%edx),%eax
+ 	movl	%eax,16(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	20(%esi),%eax
+ 	adcl	20(%edx),%eax
+ 	movl	%eax,20(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	24(%esi),%eax
+ 	adcl	24(%edx),%eax
+ 	movl	%eax,24(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	28(%esi),%eax
+ 	adcl	28(%edx),%eax
+ 	movl	%eax,28(%edi)
+@@ -110,6 +141,10 @@ Loop:	movl	(%esi),%eax
+ 	sbbl	%eax,%eax
+ 	negl	%eax
+ 
++#if defined __CET__ && (__CET__ & 1) != 0
++	popl	%ebx
++#endif
++
+ 	popl %esi
+ 	popl %edi
+ 	ret
+diff --git a/mpi/i386/mpih-sub1.S b/mpi/i386/mpih-sub1.S
+index f447f7a6..e58fd96a 100644
+--- a/mpi/i386/mpih-sub1.S
++++ b/mpi/i386/mpih-sub1.S
+@@ -53,6 +53,10 @@ C_SYMBOL_NAME(_gcry_mpih_sub_n:)
+ 	movl 20(%esp),%edx		/* s2_ptr */
+ 	movl 24(%esp),%ecx		/* size */
+ 
++#if defined __CET__ && (__CET__ & 1) != 0
++	pushl	%ebx
++#endif
++
+ 	movl	%ecx,%eax
+ 	shrl	$3,%ecx 		/* compute count for unrolled loop */
+ 	negl	%eax
+@@ -64,6 +68,9 @@ C_SYMBOL_NAME(_gcry_mpih_sub_n:)
+ 	subl	%eax,%esi		/* ... by a constant when we ... */
+ 	subl	%eax,%edx		/* ... enter the loop */
+ 	shrl	$2,%eax 		/* restore previous value */
++#if defined __CET__ && (__CET__ & 1) != 0
++	leal	-4(,%eax,4),%ebx	/* Count for 4-byte endbr32 */
++#endif
+ #ifdef PIC
+ /* Calculate start address in loop for PIC.  Due to limitations in some
+    assemblers, Loop-L0-3 cannot be put into the leal */
+@@ -75,30 +82,54 @@ L0:	leal	(%eax,%eax,8),%eax
+ #else
+ /* Calculate start address in loop for non-PIC.  */
+ 	leal	(Loop - 3)(%eax,%eax,8),%eax
++#endif
++#if defined __CET__ && (__CET__ & 1) != 0
++	addl	%ebx,%eax		/* Adjust for endbr32 */
+ #endif
+ 	jmp	*%eax			/* jump into loop */
+ 	ALIGN (3)
+ Loop:	movl	(%esi),%eax
+ 	sbbl	(%edx),%eax
+ 	movl	%eax,(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	4(%esi),%eax
+ 	sbbl	4(%edx),%eax
+ 	movl	%eax,4(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	8(%esi),%eax
+ 	sbbl	8(%edx),%eax
+ 	movl	%eax,8(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	12(%esi),%eax
+ 	sbbl	12(%edx),%eax
+ 	movl	%eax,12(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	16(%esi),%eax
+ 	sbbl	16(%edx),%eax
+ 	movl	%eax,16(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	20(%esi),%eax
+ 	sbbl	20(%edx),%eax
+ 	movl	%eax,20(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	24(%esi),%eax
+ 	sbbl	24(%edx),%eax
+ 	movl	%eax,24(%edi)
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ 	movl	28(%esi),%eax
+ 	sbbl	28(%edx),%eax
+ 	movl	%eax,28(%edi)
+@@ -111,6 +142,10 @@ Loop:	movl	(%esi),%eax
+ 	sbbl	%eax,%eax
+ 	negl	%eax
+ 
++#if defined __CET__ && (__CET__ & 1) != 0
++	popl	%ebx
++#endif
++
+ 	popl %esi
+ 	popl %edi
+ 	ret
+-- 
+GitLab
+
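Review bot: The jump-address adjustment and the landing pads it compensates for are guarded by different conditions in mpih-add1.S, and identically in mpih-sub1.S. `leal -4(,%eax,4),%ebx` and `addl %ebx,%eax` are compiled under `__CET__ & 1`, while every `_CET_ENDBR` between the unrolled steps is under `#ifdef _CET_ENDBR`. If a build ever has IBT on but `<cet.h>` not in scope for these files (it presumably arrives only through the asm-syntax.h change in 89835d58b515add0600024248de258d6e60a5e2f.patch), the 4-bytes-per-step offset is applied with no endbr32 emitted and `jmp *%eax` lands inside an instruction of a bignum primitive. A build-time guard next to the `leal` makes that impossible to miss: `#if defined __CET__ && (__CET__ & 1) != 0 && !defined _CET_ENDBR`, `# error "IBT enabled but <cet.h> not included"`, `#endif`. The functions start and end outside the inner hunks, so the `jz`/loop-count paths were not checked here.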
diff -pruN 1.8.7-2/debian/patches/54e7de25b66f1bdf98b963b8e3eb340ac750dc7e.patch 1.8.7-2ubuntu1/debian/patches/54e7de25b66f1bdf98b963b8e3eb340ac750dc7e.patch
--- 1.8.7-2/debian/patches/54e7de25b66f1bdf98b963b8e3eb340ac750dc7e.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.8.7-2ubuntu1/debian/patches/54e7de25b66f1bdf98b963b8e3eb340ac750dc7e.patch	2020-06-26 13:11:34.000000000 +0000
@@ -0,0 +1,67 @@
+From 54e7de25b66f1bdf98b963b8e3eb340ac750dc7e Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Thu, 16 Jan 2020 10:53:18 -0800
+Subject: [PATCH] amd64: Always include <config.h> in cipher assembly codes
+
+When Intel CET is enabled, we need to include <cet.h> in assembly
+codes to mark Intel CET support even if it is empty.  We should
+always include <config.h> in cipher amd64 assembly codes so that
+they will be marked for Intel CET support when compiling for i686.
+
+	* cipher/camellia-aesni-avx-amd64.S: Always include <config.h>.
+	* cipher/camellia-aesni-avx2-amd64.S: Likewise.
+	* cipher/serpent-avx2-amd64.S: Likewise.
+---
+ cipher/camellia-aesni-avx-amd64.S  | 3 ++-
+ cipher/camellia-aesni-avx2-amd64.S | 3 ++-
+ cipher/serpent-avx2-amd64.S        | 3 ++-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/cipher/camellia-aesni-avx-amd64.S b/cipher/camellia-aesni-avx-amd64.S
+index 8022934f..c4bd2989 100644
+--- a/cipher/camellia-aesni-avx-amd64.S
++++ b/cipher/camellia-aesni-avx-amd64.S
+@@ -18,8 +18,9 @@
+  * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+  */
+ 
+-#ifdef __x86_64
+ #include <config.h>
++
++#ifdef __x86_64
+ #if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \
+      defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && \
+     defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX_SUPPORT)
+diff --git a/cipher/camellia-aesni-avx2-amd64.S b/cipher/camellia-aesni-avx2-amd64.S
+index 897e4aee..5fdf7e8b 100644
+--- a/cipher/camellia-aesni-avx2-amd64.S
++++ b/cipher/camellia-aesni-avx2-amd64.S
+@@ -18,8 +18,9 @@
+  * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+  */
+ 
+-#ifdef __x86_64
+ #include <config.h>
++
++#ifdef __x86_64
+ #if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \
+      defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && \
+     defined(ENABLE_AESNI_SUPPORT) && defined(ENABLE_AVX2_SUPPORT)
+diff --git a/cipher/serpent-avx2-amd64.S b/cipher/serpent-avx2-amd64.S
+index 8d60a159..8c132c65 100644
+--- a/cipher/serpent-avx2-amd64.S
++++ b/cipher/serpent-avx2-amd64.S
+@@ -18,8 +18,9 @@
+  * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+  */
+ 
+-#ifdef __x86_64
+ #include <config.h>
++
++#ifdef __x86_64
+ #if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \
+     defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && defined(USE_SERPENT) && \
+     defined(ENABLE_AVX2_SUPPORT)
+-- 
+GitLab
+
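Review bot: Nothing at the moved `#include <config.h>` explains why it now has to sit above `#ifdef __x86_64`, so a later tidy-up could easily fold it back into the guard and silently drop the CET marking on i686 builds again. A one-line comment in each of the three files would pin the intent, e.g. `/* Keep outside the __x86_64 guard: config.h pulls in <cet.h>, which must mark this object even when its body is compiled out. */`. The reason is taken from the patch description; the `<cet.h>` include itself is added by a different patch in this series.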
diff -pruN 1.8.7-2/debian/patches/89835d58b515add0600024248de258d6e60a5e2f.patch 1.8.7-2ubuntu1/debian/patches/89835d58b515add0600024248de258d6e60a5e2f.patch
--- 1.8.7-2/debian/patches/89835d58b515add0600024248de258d6e60a5e2f.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.8.7-2ubuntu1/debian/patches/89835d58b515add0600024248de258d6e60a5e2f.patch	2020-06-26 13:11:08.000000000 +0000
@@ -0,0 +1,37 @@
+From 89835d58b515add0600024248de258d6e60a5e2f Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Thu, 16 Jan 2020 10:25:45 -0800
+Subject: [PATCH] mpi: Add .note.gnu.property section for Intel CET
+
+When Intel CET is enabled, include <cet.h> in <asm-syntax.h> for
+assembly codes to mark Intel CET support.
+
+	* mpi/config.links: Include <cet.h> in <asm-syntax.h>.
+---
+ mpi/config.links | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/mpi/config.links b/mpi/config.links
+index 3ead4f08..4f43b732 100644
+--- a/mpi/config.links
++++ b/mpi/config.links
+@@ -382,6 +382,16 @@ if test x"$mpi_cpu_arch" = x ; then
+     mpi_cpu_arch="unknown"
+ fi
+ 
++# Add .note.gnu.property section for Intel CET in assembler sources
++# when CET is enabled.  */
++if test x"$mpi_cpu_arch" = xx86 ; then
++    cat <<EOF >> ./mpi/asm-syntax.h
++
++#if defined(__ASSEMBLER__) && defined(__CET__)
++# include <cet.h>
++#endif
++EOF
++fi
+ 
+ # Make sysdep.h
+ echo '/* created by config.links - do not edit */' >./mpi/sysdep.h
+-- 
+GitLab
+
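Review bot: The added shell comment ends with a leftover C terminator, `# when CET is enabled.  */`; the trailing `*/` should go. The block is appended with `>>`, so it relies on ./mpi/asm-syntax.h having been freshly created earlier in config.links, which is outside this hunk; if that is not guaranteed on a re-run, the include block gets duplicated. Quoting the delimiter, `cat <<'EOF' >> ./mpi/asm-syntax.h`, would also make it explicit that nothing in the body is meant to be expanded by the shell.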
diff -pruN 1.8.7-2/debian/patches/8b22534a4282f13cc39bca45c06948b9506ad285.patch 1.8.7-2ubuntu1/debian/patches/8b22534a4282f13cc39bca45c06948b9506ad285.patch
--- 1.8.7-2/debian/patches/8b22534a4282f13cc39bca45c06948b9506ad285.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.8.7-2ubuntu1/debian/patches/8b22534a4282f13cc39bca45c06948b9506ad285.patch	2020-06-26 13:11:20.000000000 +0000
@@ -0,0 +1,126 @@
+From 8b22534a4282f13cc39bca45c06948b9506ad285 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Thu, 16 Jan 2020 10:33:50 -0800
+Subject: [PATCH] amd64: Add _CET_ENDBR to cipher assembly codes
+
+If _CET_ENDBR is defined, add _CET_ENDBR to indirect branch targets in
+cipher amd64 assembly codes.
+
+	* cipher/chacha20-avx2-amd64.S (_gcry_chacha20_amd64_avx2_blocks):
+	Add _CET_ENDBR at entry if defined.
+	* cipher/chacha20-sse2-amd64.S (_gcry_chacha20_amd64_sse2_blocks):
+	Likewise.
+	* cipher/poly1305-avx2-amd64.S (_gcry_poly1305_amd64_avx2_init_ext):
+	Likewise.
+	(_gcry_poly1305_amd64_avx2_blocks): Likewise.
+	(_gcry_poly1305_amd64_avx2_finish_ext): Likewise.
+	* cipher/poly1305-sse2-amd64.S (_gcry_poly1305_amd64_sse2_init_ext):
+	Likewise.
+	(_gcry_poly1305_amd64_sse2_finish_ext): Likewise.
+	(_gcry_poly1305_amd64_sse2_blocks): Likewise.
+---
+ cipher/chacha20-avx2-amd64.S | 3 +++
+ cipher/chacha20-sse2-amd64.S | 3 +++
+ cipher/poly1305-avx2-amd64.S | 9 +++++++++
+ cipher/poly1305-sse2-amd64.S | 9 +++++++++
+ 4 files changed, 24 insertions(+)
+
+diff --git a/cipher/chacha20-avx2-amd64.S b/cipher/chacha20-avx2-amd64.S
+index 8c085bad..796aa388 100644
+--- a/cipher/chacha20-avx2-amd64.S
++++ b/cipher/chacha20-avx2-amd64.S
+@@ -48,6 +48,9 @@
+ .globl _gcry_chacha20_amd64_avx2_blocks
+ ELF(.type  _gcry_chacha20_amd64_avx2_blocks,@function;)
+ _gcry_chacha20_amd64_avx2_blocks:
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ .Lchacha_blocks_avx2_local:
+ 	vzeroupper
+ 	pushq %rbx
+diff --git a/cipher/chacha20-sse2-amd64.S b/cipher/chacha20-sse2-amd64.S
+index 2b9842c1..cb7add80 100644
+--- a/cipher/chacha20-sse2-amd64.S
++++ b/cipher/chacha20-sse2-amd64.S
+@@ -41,6 +41,9 @@
+ .globl _gcry_chacha20_amd64_sse2_blocks
+ ELF(.type  _gcry_chacha20_amd64_sse2_blocks,@function;)
+ _gcry_chacha20_amd64_sse2_blocks:
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ .Lchacha_blocks_sse2_local:
+ 	pushq %rbx
+ 	pushq %rbp
+diff --git a/cipher/poly1305-avx2-amd64.S b/cipher/poly1305-avx2-amd64.S
+index 9362a5ae..9dd886a2 100644
+--- a/cipher/poly1305-avx2-amd64.S
++++ b/cipher/poly1305-avx2-amd64.S
+@@ -43,6 +43,9 @@
+ .globl _gcry_poly1305_amd64_avx2_init_ext
+ ELF(.type  _gcry_poly1305_amd64_avx2_init_ext,@function;)
+ _gcry_poly1305_amd64_avx2_init_ext:
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ .Lpoly1305_init_ext_avx2_local:
+ 	xor %edx, %edx
+ 	vzeroupper
+@@ -406,6 +409,9 @@ ELF(.size _gcry_poly1305_amd64_avx2_init_ext,.-_gcry_poly1305_amd64_avx2_init_ex
+ .globl _gcry_poly1305_amd64_avx2_blocks
+ ELF(.type  _gcry_poly1305_amd64_avx2_blocks,@function;)
+ _gcry_poly1305_amd64_avx2_blocks:
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ .Lpoly1305_blocks_avx2_local:
+ 	vzeroupper
+ 	pushq %rbp
+@@ -732,6 +738,9 @@ ELF(.size _gcry_poly1305_amd64_avx2_blocks,.-_gcry_poly1305_amd64_avx2_blocks;)
+ .globl _gcry_poly1305_amd64_avx2_finish_ext
+ ELF(.type  _gcry_poly1305_amd64_avx2_finish_ext,@function;)
+ _gcry_poly1305_amd64_avx2_finish_ext:
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ .Lpoly1305_finish_ext_avx2_local:
+ 	vzeroupper
+ 	pushq %rbp
+diff --git a/cipher/poly1305-sse2-amd64.S b/cipher/poly1305-sse2-amd64.S
+index 219eb077..41163c9f 100644
+--- a/cipher/poly1305-sse2-amd64.S
++++ b/cipher/poly1305-sse2-amd64.S
+@@ -42,6 +42,9 @@
+ .globl _gcry_poly1305_amd64_sse2_init_ext
+ ELF(.type  _gcry_poly1305_amd64_sse2_init_ext,@function;)
+ _gcry_poly1305_amd64_sse2_init_ext:
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ .Lpoly1305_init_ext_x86_local:
+ 	xor %edx, %edx
+ 	pushq %r12
+@@ -288,6 +291,9 @@ ELF(.size _gcry_poly1305_amd64_sse2_init_ext,.-_gcry_poly1305_amd64_sse2_init_ex
+ .globl _gcry_poly1305_amd64_sse2_finish_ext
+ ELF(.type  _gcry_poly1305_amd64_sse2_finish_ext,@function;)
+ _gcry_poly1305_amd64_sse2_finish_ext:
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ .Lpoly1305_finish_ext_x86_local:
+ 	pushq %rbp
+ 	movq %rsp, %rbp
+@@ -439,6 +445,9 @@ ELF(.size _gcry_poly1305_amd64_sse2_finish_ext,.-_gcry_poly1305_amd64_sse2_finis
+ .globl _gcry_poly1305_amd64_sse2_blocks
+ ELF(.type  _gcry_poly1305_amd64_sse2_blocks,@function;)
+ _gcry_poly1305_amd64_sse2_blocks:
++#ifdef _CET_ENDBR
++	_CET_ENDBR
++#endif
+ .Lpoly1305_blocks_x86_local:
+ 	pushq %rbp
+ 	movq %rsp, %rbp
+-- 
+GitLab
+
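Review bot: Each of the eight entry points repeats the three-line `#ifdef _CET_ENDBR` / `_CET_ENDBR` / `#endif` wrapper, and because the macro is simply compiled out when `<cet.h>` is not in scope, a missing include is invisible at every site. Defining an empty fallback once, next to the `<cet.h>` include that the configure.ac patch adds to config.h (`#ifndef _CET_ENDBR`, `# define _CET_ENDBR`, `#endif`), would let each entry be the single line `_CET_ENDBR` and keep the conditional in one place. Only the functions named in the patch description are touched; whether other exported symbols in these files are reachable through indirect calls cannot be told from the hunks shown.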
diff -pruN 1.8.7-2/debian/patches/b8c8deea7abf1af611ef251c5b68a78865263ca2.patch 1.8.7-2ubuntu1/debian/patches/b8c8deea7abf1af611ef251c5b68a78865263ca2.patch
--- 1.8.7-2/debian/patches/b8c8deea7abf1af611ef251c5b68a78865263ca2.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.8.7-2ubuntu1/debian/patches/b8c8deea7abf1af611ef251c5b68a78865263ca2.patch	2020-06-26 13:10:56.000000000 +0000
@@ -0,0 +1,34 @@
+From b8c8deea7abf1af611ef251c5b68a78865263ca2 Mon Sep 17 00:00:00 2001
+From: "H.J. Lu" <hjl.tools@gmail.com>
+Date: Thu, 16 Jan 2020 10:24:39 -0800
+Subject: [PATCH] x86: Add .note.gnu.property section for Intel CET
+
+When Intel CET is enabled, include <cet.h> in <config.h> for assembly
+codes to mark Intel CET support.
+
+	* configure.ac: Include <cet.h> in <config.h> for assembly
+	codes.
+---
+ configure.ac | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/configure.ac b/configure.ac
+index e3f78b49..09a31858 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -95,6 +95,12 @@ AH_TOP([
+ AH_BOTTOM([
+ #define _GCRYPT_IN_LIBGCRYPT 1
+ 
++/* Add .note.gnu.property section for Intel CET in assembler sources
++   when CET is enabled.  */
++#if defined(__ASSEMBLER__) && defined(__CET__)
++# include <cet.h>
++#endif
++
+ /* If the configure check for endianness has been disabled, get it from
+    OS macros.  This is intended for making fat binary builds on OS X.  */
+ #ifdef DISABLED_ENDIAN_CHECK
+-- 
+GitLab
+
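Review bot: Nothing in this change verifies that the built library actually ends up CET-marked. The `# include <cet.h>` block only makes each assembler object emit its own `.note.gnu.property`, and the linker keeps the IBT/SHSTK bits in the output only when every input object carries them, so a single assembly file that misses config.h or asm-syntax.h silently turns the protection off for the whole shared object. A post-build check in the packaging would catch that regression, for example `readelf -n <path to built libgcrypt .so> | grep -q 'x86 feature:.*IBT'` on x86 architectures. Whether the build passes `-fcf-protection` at all is not visible in this diff, so the check should be conditional on that.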
diff -pruN 1.8.7-2/debian/patches/disable_fips_enabled_read.patch 1.8.7-2ubuntu1/debian/patches/disable_fips_enabled_read.patch
--- 1.8.7-2/debian/patches/disable_fips_enabled_read.patch	1970-01-01 00:00:00.000000000 +0000
+++ 1.8.7-2ubuntu1/debian/patches/disable_fips_enabled_read.patch	2019-04-23 09:41:31.000000000 +0000
@@ -0,0 +1,34 @@
+commit 94724c949b6ac8cfba18978d115458d2fa6154a9
+Author: Vineetha Hari Pai <vineetha.hari.pai@canonical.com>
+Date:   Fri Feb 16 13:41:13 2018 -0500
+
+From: Vineetha Hari Pai<vineetha.hari.pai@canonical.com>
+Description: Disable libgcrypt reading /proc/sys/crypto/fips_enabled
+file and going into FIPS mode. libgcrypt is not a FIPS
+certified library.
+Bug-Ubuntu: http://bugs.launchpad.net/bugs/1748310
+Forwarded: not-needed
+
+diff --git a/src/fips.c b/src/fips.c
+index af3fe2c..527fa2b 100644
+--- a/src/fips.c
++++ b/src/fips.c
+@@ -133,6 +133,10 @@ _gcry_initialize_fips_mode (int force)
+       goto leave;
+     }
+ 
++  /* Disabling reading fips_enabled file here to prevent
++     the library going automatically into FIPS mode.
++     LP: #1748310 */
++#if 0
+   /* Checking based on /proc file properties.  */
+   {
+     static const char procfname[] = "/proc/sys/crypto/fips_enabled";
+@@ -169,6 +173,7 @@ _gcry_initialize_fips_mode (int force)
+         abort ();
+       }
+   }
++#endif
+ 
+   /* Fips not not requested, set flag.  */
+   no_fips_mode_required = 1;
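Review bot: The comment added above `#if 0` records that the /proc/sys/crypto/fips_enabled probe is disabled, but not what that means for an operator: on a host whose kernel reports FIPS mode, this build stays in non-FIPS mode unless `force` or one of the checks earlier in _gcry_initialize_fips_mode (outside the hunk) applies. I would extend it with a line such as `Effect: a kernel booted with fips_enabled=1 no longer switches libgcrypt into FIPS mode; only the explicit triggers handled before this block do.` The `#if 0` and its `#endif` are in two separate hunks around code that is mostly not shown, so it is worth confirming that nothing used after the `#endif` is declared inside the disabled block. The patch header also carries both a `commit`/`Author`/`Date` block and a `From:` line; keeping only the DEP-3 fields would be cleaner.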
diff -pruN 1.8.7-2/debian/patches/series 1.8.7-2ubuntu1/debian/patches/series
--- 1.8.7-2/debian/patches/series	2020-07-11 11:16:23.000000000 +0000
+++ 1.8.7-2ubuntu1/debian/patches/series	2020-11-10 09:18:46.000000000 +0000
@@ -2,3 +2,9 @@
 13_lessdeps_libgcrypt-pkgconfig.diff
 15_multiarchpath_in_-L.diff
 25_norevisionfromgit.diff
+disable_fips_enabled_read.patch
+b8c8deea7abf1af611ef251c5b68a78865263ca2.patch
+89835d58b515add0600024248de258d6e60a5e2f.patch
+8b22534a4282f13cc39bca45c06948b9506ad285.patch
+54e7de25b66f1bdf98b963b8e3eb340ac750dc7e.patch
+1806755cd7ae110b476c6d81ced3d0948792e784.patch
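Review bot: The five CET entries are added under bare commit-hash filenames, and unlike disable_fips_enabled_read.patch none of those patch files carries DEP-3 fields, so neither the series nor the patch headers say where each change was taken from or whether it is an unmodified upstream backport. Naming the files by purpose and adding `Origin: upstream, <upstream commit URL>` to each header would make their provenance auditable when the package is next merged. The git `From <hash>` line alone does not identify the repository it came from.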
