commit:     2c7fc146765e207af7c2a5446fec364a43341749
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Feb  4 03:16:39 2026 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Feb  4 03:21:14 2026 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2c7fc146

dev-libs/libgcrypt: backport two fixes from master

A 1.12.1 release is in the offing but backport one fix (the corruption
one) and then another build fix while at it.

Signed-off-by: Sam James <sam <AT> gentoo.org>

 ...es-avx512-add-PIC-PLT-for-AVX2-function-j.patch | 106 ++++++++++++
 ...t-modify-POINT-in-_gcry_mpi_ec_get_affine.patch |  52 ++++++
 dev-libs/libgcrypt/libgcrypt-1.12.0-r2.ebuild      | 187 +++++++++++++++++++++
 3 files changed, 345 insertions(+)

diff --git 
a/dev-libs/libgcrypt/files/0001-rijndael-vaes-avx512-add-PIC-PLT-for-AVX2-function-j.patch
 
b/dev-libs/libgcrypt/files/0001-rijndael-vaes-avx512-add-PIC-PLT-for-AVX2-function-j.patch
new file mode 100644
index 000000000000..344277940841
--- /dev/null
+++ 
b/dev-libs/libgcrypt/files/0001-rijndael-vaes-avx512-add-PIC-PLT-for-AVX2-function-j.patch
@@ -0,0 +1,106 @@
+From 927850875c6254282697dbbed8aff65275bdeff5 Mon Sep 17 00:00:00 2001
+Message-ID: 
<927850875c6254282697dbbed8aff65275bdeff5.1770174288.git....@gentoo.org>
+From: Jussi Kivilinna <[email protected]>
+Date: Sun, 1 Feb 2026 09:50:50 +0200
+Subject: [PATCH 1/2] rijndael-vaes-avx512: add PIC @PLT for AVX2 function
+ jumps
+
+* cipher/asm-common-amd64.h (AT_PLT): New.
+* cipher/rijndael-vaes-avx512-amd64.S: Use AT_PLT for jumps to
+AVX2/VAES functions.
+--
+
+GnuPG-bug-id: 8071
+Signed-off-by: Jussi Kivilinna <[email protected]>
+---
+ cipher/asm-common-amd64.h           |  6 ++++++
+ cipher/rijndael-vaes-avx512-amd64.S | 14 +++++++-------
+ 2 files changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/cipher/asm-common-amd64.h b/cipher/asm-common-amd64.h
+index 465ef62b..d0cc6426 100644
+--- a/cipher/asm-common-amd64.h
++++ b/cipher/asm-common-amd64.h
+@@ -53,6 +53,12 @@
+ #  define ADD_RIP
+ #endif
+ 
++#ifdef __PIC__
++#  define AT_PLT ELF(@PLT)
++#else
++#  define AT_PLT
++#endif
++
+ #if defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS) || !defined(__PIC__)
+ #  define GET_EXTERN_POINTER(name, reg) movabsq $name, reg
+ #else
+diff --git a/cipher/rijndael-vaes-avx512-amd64.S 
b/cipher/rijndael-vaes-avx512-amd64.S
+index b7dba5e3..f20998b0 100644
+--- a/cipher/rijndael-vaes-avx512-amd64.S
++++ b/cipher/rijndael-vaes-avx512-amd64.S
+@@ -277,7 +277,7 @@ _gcry_vaes_avx512_cbc_dec_amd64:
+ .Lcbc_dec_skip_avx512:
+       /* Handle trailing blocks with AVX2 implementation. */
+       cmpq $0, %r8;
+-      ja _gcry_vaes_avx2_cbc_dec_amd64;
++      ja _gcry_vaes_avx2_cbc_dec_amd64 AT_PLT;
+ 
+       ret_spec_stop
+       CFI_ENDPROC();
+@@ -491,7 +491,7 @@ _gcry_vaes_avx512_cfb_dec_amd64:
+ .Lcfb_dec_skip_avx512:
+       /* Handle trailing blocks with AVX2 implementation. */
+       cmpq $0, %r8;
+-      ja _gcry_vaes_avx2_cfb_dec_amd64;
++      ja _gcry_vaes_avx2_cfb_dec_amd64 AT_PLT;
+ 
+       ret_spec_stop
+       CFI_ENDPROC();
+@@ -813,7 +813,7 @@ _gcry_vaes_avx512_ctr_enc_amd64:
+ .Lctr_enc_skip_avx512:
+       /* Handle trailing blocks with AVX2 implementation. */
+       cmpq $0, %r8;
+-      ja _gcry_vaes_avx2_ctr_enc_amd64;
++      ja _gcry_vaes_avx2_ctr_enc_amd64 AT_PLT;
+ 
+       ret_spec_stop
+       CFI_ENDPROC();
+@@ -1037,7 +1037,7 @@ _gcry_vaes_avx512_ctr32le_enc_amd64:
+ .Lctr32le_enc_skip_avx512:
+       /* Handle trailing blocks with AVX2 implementation. */
+       cmpq $0, %r8;
+-      ja _gcry_vaes_avx2_ctr32le_enc_amd64;
++      ja _gcry_vaes_avx2_ctr32le_enc_amd64 AT_PLT;
+ 
+       ret_spec_stop
+       CFI_ENDPROC();
+@@ -1721,7 +1721,7 @@ _gcry_vaes_avx512_ocb_aligned_crypt_amd64:
+ .Locb_skip_avx512:
+       /* Handle trailing blocks with AVX2 implementation. */
+       cmpq $0, %r8;
+-      ja _gcry_vaes_avx2_ocb_crypt_amd64;
++      ja _gcry_vaes_avx2_ocb_crypt_amd64 AT_PLT;
+ 
+       xorl %eax, %eax;
+       ret_spec_stop
+@@ -2084,7 +2084,7 @@ _gcry_vaes_avx512_xts_crypt_amd64:
+ .Lxts_crypt_skip_avx512:
+       /* Handle trailing blocks with AVX2 implementation. */
+       cmpq $0, %r8;
+-      ja _gcry_vaes_avx2_xts_crypt_amd64;
++      ja _gcry_vaes_avx2_xts_crypt_amd64 AT_PLT;
+ 
+       ret_spec_stop
+       CFI_ENDPROC();
+@@ -2347,7 +2347,7 @@ _gcry_vaes_avx512_ecb_crypt_amd64:
+ .Lecb_crypt_skip_avx512:
+       /* Handle trailing blocks with AVX2 implementation. */
+       cmpq $0, %r8;
+-      ja _gcry_vaes_avx2_ecb_crypt_amd64;
++      ja _gcry_vaes_avx2_ecb_crypt_amd64 AT_PLT;
+ 
+       ret_spec_stop
+       CFI_ENDPROC();
+-- 
+2.53.0
+

diff --git 
a/dev-libs/libgcrypt/files/0002-mpi-ec-Don-t-modify-POINT-in-_gcry_mpi_ec_get_affine.patch
 
b/dev-libs/libgcrypt/files/0002-mpi-ec-Don-t-modify-POINT-in-_gcry_mpi_ec_get_affine.patch
new file mode 100644
index 000000000000..282faf989e95
--- /dev/null
+++ 
b/dev-libs/libgcrypt/files/0002-mpi-ec-Don-t-modify-POINT-in-_gcry_mpi_ec_get_affine.patch
@@ -0,0 +1,52 @@
+From 949557945cf806dfbc646c8919a398ae637f7c25 Mon Sep 17 00:00:00 2001
+Message-ID: 
<949557945cf806dfbc646c8919a398ae637f7c25.1770174288.git....@gentoo.org>
+In-Reply-To: 
<927850875c6254282697dbbed8aff65275bdeff5.1770174288.git....@gentoo.org>
+References: 
<927850875c6254282697dbbed8aff65275bdeff5.1770174288.git....@gentoo.org>
+From: NIIBE Yutaka <[email protected]>
+Date: Tue, 3 Feb 2026 15:10:41 +0900
+Subject: [PATCH 2/2] mpi:ec: Don't modify POINT in _gcry_mpi_ec_get_affine.
+
+* mpi/ec.c (_gcry_mpi_ec_get_affine): Don't modify POINT.
+
+--
+
+GnuPG-bug-id: 8080
+Signed-off-by: NIIBE Yutaka <[email protected]>
+---
+ mpi/ec.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/mpi/ec.c b/mpi/ec.c
+index d7bad4a6..b0b6f427 100644
+--- a/mpi/ec.c
++++ b/mpi/ec.c
+@@ -1220,18 +1220,20 @@ _gcry_mpi_ec_get_affine (gcry_mpi_t x, gcry_mpi_t y, 
mpi_point_t point,
+ 
+         if (x)
+           {
+-            mpi_resize (point->x, ctx->p->nlimbs);
+-            point->x->nlimbs = ctx->p->nlimbs;
+-            ec_mulm_lli (x, point->x, z2, ctx);
++            mpi_set (x, point->x);
++            mpi_resize (x, ctx->p->nlimbs);
++            x->nlimbs = ctx->p->nlimbs;
++            ec_mulm_lli (x, x, z2, ctx);
+           }
+ 
+         if (y)
+           {
+-            mpi_resize (point->y, ctx->p->nlimbs);
+-            point->y->nlimbs = ctx->p->nlimbs;
++            mpi_set (y, point->y);
++            mpi_resize (y, ctx->p->nlimbs);
++            y->nlimbs = ctx->p->nlimbs;
+             z3 = mpi_new (0);
+             ec_mulm_lli (z3, z2, z1, ctx); /* z3 = z^(-3) mod p  */
+-            ec_mulm_lli (y, point->y, z3, ctx);
++            ec_mulm_lli (y, y, z3, ctx);
+             mpi_free (z3);
+           }
+ 
+-- 
+2.53.0
+

diff --git a/dev-libs/libgcrypt/libgcrypt-1.12.0-r2.ebuild 
b/dev-libs/libgcrypt/libgcrypt-1.12.0-r2.ebuild
new file mode 100644
index 000000000000..f733ab14dc31
--- /dev/null
+++ b/dev-libs/libgcrypt/libgcrypt-1.12.0-r2.ebuild
@@ -0,0 +1,187 @@
+# Copyright 1999-2026 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/gnupg.asc
+inherit autotools flag-o-matic linux-info multilib-minimal toolchain-funcs 
verify-sig
+
+DESCRIPTION="General purpose crypto library based on the code used in GnuPG"
+HOMEPAGE="https://www.gnupg.org/";
+SRC_URI="mirror://gnupg/${PN}/${P}.tar.bz2"
+SRC_URI+=" verify-sig? ( mirror://gnupg/${PN}/${P}.tar.bz2.sig )"
+
+LICENSE="LGPL-2.1+ GPL-2+ MIT"
+SLOT="0/20" # subslot = soname major version
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 
~riscv ~s390 ~sparc ~x86 ~arm64-macos ~x64-macos ~x64-solaris"
+IUSE="+asm doc +getentropy static-libs"
+IUSE+=" cpu_flags_arm_neon cpu_flags_arm_aes cpu_flags_arm_sha1 
cpu_flags_arm_sha2 cpu_flags_arm_sve"
+IUSE+=" cpu_flags_ppc_altivec cpu_flags_ppc_vsx2 cpu_flags_ppc_vsx3"
+IUSE+=" cpu_flags_x86_aes cpu_flags_x86_avx cpu_flags_x86_avx2 
cpu_flags_x86_avx512f cpu_flags_x86_padlock cpu_flags_x86_sha 
cpu_flags_x86_sse4_1"
+
+# Build system only has --disable-arm-crypto-support right now
+# If changing this, update src_configure logic too.
+# ARM CPUs seem to, right now, support all-or-nothing for crypto extensions,
+# but this looks like it might change in future. This is just a safety check
+# in case people somehow do have a CPU which only supports some. They must
+# for now disable them all if that's the case.
+REQUIRED_USE="
+       cpu_flags_arm_aes? ( cpu_flags_arm_sha1 cpu_flags_arm_sha2 )
+       cpu_flags_arm_sha1? ( cpu_flags_arm_aes cpu_flags_arm_sha2 )
+       cpu_flags_arm_sha2? ( cpu_flags_arm_aes cpu_flags_arm_sha1 )
+       cpu_flags_ppc_vsx3? ( cpu_flags_ppc_altivec cpu_flags_ppc_vsx2 )
+       cpu_flags_ppc_vsx2? ( cpu_flags_ppc_altivec )
+"
+
+RDEPEND="
+       >=dev-libs/libgpg-error-1.56[${MULTILIB_USEDEP}]
+       getentropy? (
+               kernel_linux? (
+                       elibc_glibc? ( >=sys-libs/glibc-2.25 )
+                       elibc_musl? ( >=sys-libs/musl-1.1.20 )
+               )
+       )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="
+       doc? ( virtual/texi2dvi )
+       verify-sig? ( sec-keys/openpgp-keys-gnupg )
+"
+
+PATCHES=(
+       "${FILESDIR}"/${PN}-1.12.0-multilib-syspath.patch
+       "${FILESDIR}"/${PN}-powerpc-darwin.patch
+       
"${FILESDIR}"/0001-rijndael-vaes-avx512-add-PIC-PLT-for-AVX2-function-j.patch
+       
"${FILESDIR}"/0002-mpi-ec-Don-t-modify-POINT-in-_gcry_mpi_ec_get_affine.patch
+)
+
+MULTILIB_CHOST_TOOLS=(
+       /usr/bin/libgcrypt-config
+)
+
+pkg_pretend() {
+       if [[ ${MERGE_TYPE} == buildonly ]]; then
+               return
+       fi
+       if use kernel_linux && use getentropy; then
+               unset KV_FULL
+               get_running_version
+               if [[ -n ${KV_FULL} ]] && kernel_is -lt 3 17; then
+                       eerror "The getentropy function requires the getrandom 
syscall."
+                       eerror "This was introduced in Linux 3.17."
+                       eerror "Your system is currently running Linux 
${KV_FULL}."
+                       eerror "Disable the 'getentropy' USE flag or upgrade 
your kernel."
+                       die "Kernel is too old for getentropy"
+               fi
+       fi
+}
+
+pkg_setup() {
+       :
+}
+
+src_prepare() {
+       default
+       eautoreconf
+}
+
+src_configure() {
+       # Temporary workaround for a build failure (known gcc issue):
+       #  * https://bugs.gentoo.org/956605
+       #  * https://gcc.gnu.org/PR110812
+       use riscv && filter-lto
+
+       # Temporary workaround for mfpmath=sse on x86 causing issues when -msse 
is
+       # stripped as it's not clear cut on how to handle in flag-o-matic we 
can at
+       # least solve it the ebuild see https://bugs.gentoo.org/959349
+       use x86 && filter-flags -mfpmath=sse
+
+       # Hardcodes the path to FGREP in libgcrypt-config
+       export ac_cv_path_SED="sed"
+       export ac_cv_path_EGREP="grep -E"
+       export ac_cv_path_EGREP_TRADITIONAL="grep -E"
+       export ac_cv_path_FGREP="grep -F"
+       export ac_cv_path_GREP="grep"
+
+       multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+       if [[ ${CHOST} == powerpc* ]] ; then
+               # ./configure does a lot of automagic, prevent that
+               # generic ppc32+ppc64 altivec
+               use cpu_flags_ppc_altivec || local -x gcry_cv_cc_ppc_altivec=no
+               use cpu_flags_ppc_altivec || local -x 
gcry_cv_cc_ppc_altivec_cflags=no
+               # power8 vector extension, aka arch 2.07 ISA, also checked 
below via ppc-crypto-support
+               use cpu_flags_ppc_vsx2 || local -x 
gcry_cv_gcc_inline_asm_ppc_altivec=no
+               # power9 vector extension, aka arch 3.00 ISA
+               use cpu_flags_ppc_vsx3 || local -x 
gcry_cv_gcc_inline_asm_ppc_arch_3_00=no
+       fi
+
+       append-ldflags $(test-flags-CCLD -Wl,--undefined-version)
+
+       local myeconfargs=(
+               CC_FOR_BUILD="$(tc-getBUILD_CC)"
+
+               --enable-noexecstack
+               $(use_enable cpu_flags_arm_neon neon-support)
+               # See REQUIRED_USE comment above
+               $(use_enable cpu_flags_arm_aes arm-crypto-support)
+               $(use_enable cpu_flags_arm_sve sve-support)
+               $(use_enable cpu_flags_ppc_vsx2 ppc-crypto-support)
+               $(use_enable cpu_flags_x86_aes aesni-support)
+               $(use_enable cpu_flags_x86_avx avx-support)
+               $(use_enable cpu_flags_x86_avx2 avx2-support)
+               $(use_enable cpu_flags_x86_avx512f avx512-support)
+               $(use_enable cpu_flags_x86_padlock padlock-support)
+               $(use_enable cpu_flags_x86_sha shaext-support)
+               $(use_enable cpu_flags_x86_sse4_1 sse41-support)
+               # required for sys-power/suspend[crypt], bug 751568
+               $(use_enable static-libs static)
+
+               # disabled due to various applications requiring privileges
+               # after libgcrypt drops them (bug #468616)
+               --without-capabilities
+
+               $(use asm || echo "--disable-asm")
+
+               GPG_ERROR_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpg-error-config"
+               GPGRT_CONFIG="${ESYSROOT}/usr/bin/${CHOST}-gpgrt-config"
+       )
+
+       if use kernel_linux; then
+               # --enable-random=getentropy requires getentropy/getrandom.
+               # --enable-random=linux enables legacy code that tries getrandom
+               # and falls back to reading /dev/random.
+               myeconfargs+=( --enable-random=$(usex getentropy getentropy 
linux) )
+       fi
+
+       ECONF_SOURCE="${S}" econf "${myeconfargs[@]}" \
+               $("${S}/configure" --help | grep -o -- '--without-.*-prefix')
+}
+
+multilib_src_compile() {
+       default
+       multilib_is_native_abi && use doc && VARTEXFONTS="${T}/fonts" emake -C 
doc gcrypt.pdf
+}
+
+multilib_src_test() {
+       # t-secmem and t-sexp need mlock which requires extra privileges; nspawn
+       # at least disallows that by default.
+       local -x GCRYPT_IN_ASAN_TEST=1
+       # Avoid running (very) expensive bench-slope test. On hppa, it
+       # takes at least 7 hours.
+       local -x GCRYPT_NO_BENCHMARKS=1
+
+       default
+}
+
+multilib_src_install() {
+       emake DESTDIR="${D}" install
+       multilib_is_native_abi && use doc && dodoc doc/gcrypt.pdf
+}
+
+multilib_src_install_all() {
+       default
+       find "${ED}" -type f -name '*.la' -delete || die
+}
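Review bot: The two new `PATCHES` entries for the 0001/0002 backports carry no comment saying where they come from or when they can be dropped, while the other workarounds in this ebuild cite their bugs. The patch headers give GnuPG-bug-id 8071 for the AVX512 `AT_PLT` jump fix and 8080 for the `_gcry_mpi_ec_get_affine` fix, and the commit message expects a 1.12.1 release soon. A line such as `# Upstream backports (GnuPG-bug-id 8071, 8080); drop with 1.12.1` above them would keep that traceable from the ebuild itself. Because the second patch is described as the corruption fix, it is also worth confirming that the earlier 1.12.0 revisions are removed or tracked in a Gentoo bug; neither is visible in this commit.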
