Page MenuHome GnuPG
Feed Advanced Search

Mon, Mar 11

gniibe claimed T7035: libgcrypt: New function gcry_md_hash_buffers_ext (for extendable-output function).
Mon, Mar 11, 3:28 AM · libgcrypt, Feature Request, Bug Report
gniibe created T7035: libgcrypt: New function gcry_md_hash_buffers_ext (for extendable-output function).
Mon, Mar 11, 3:28 AM · libgcrypt, Feature Request, Bug Report

Mon, Mar 4

thesamesam added a comment to T7022: libgcrypt-1.10.3 regression on hppa.

Thank you!

Mon, Mar 4, 3:46 AM · libgcrypt, Gentoo, hppa, Bug Report
gniibe added a comment to T7022: libgcrypt-1.10.3 regression on hppa.

Applied to both (master and 1.10 branch).

Mon, Mar 4, 1:11 AM · libgcrypt, Gentoo, hppa, Bug Report

Fri, Mar 1

jukivili added a comment to T7022: libgcrypt-1.10.3 regression on hppa.

Looks good to me. __CLOBBER_CC is needed as PA-RISC has carry/borrow bits in status register for add/sub instructions.

Fri, Mar 1, 8:02 PM · libgcrypt, Gentoo, hppa, Bug Report
gniibe changed the status of T7022: libgcrypt-1.10.3 regression on hppa from Open to Testing.

Since I don't like to introduce hppa specific workaround in a way like pragma (and I have no time to fix compiler itself), I tried to improve the ec-nist.c for hppa so that register pressure can be lower.
Here is my solution.

Fri, Mar 1, 2:34 AM · libgcrypt, Gentoo, hppa, Bug Report

Thu, Feb 29

gniibe added a comment to T7022: libgcrypt-1.10.3 regression on hppa.

Alternatively (more narrow workaround), when I add a line:

#pragma GCC optimize("O1")

before the function _gcry_mpi_ec_nist256_mod in mpi/ec-nist.c, it works for me on panama.debian.net (Debian porterbox for hppa).

Thu, Feb 29, 5:27 AM · libgcrypt, Gentoo, hppa, Bug Report

Wed, Feb 28

jukivili added a comment to T7022: libgcrypt-1.10.3 regression on hppa.

No, hardware barrier is not needed here. Compiler barrier is used here to prevent optimization removing mask generation and usage in following constant-time code.

Wed, Feb 28, 9:34 PM · libgcrypt, Gentoo, hppa, Bug Report
matoro added a comment to T7022: libgcrypt-1.10.3 regression on hppa.

Clarification from Dave:

Wed, Feb 28, 7:32 PM · libgcrypt, Gentoo, hppa, Bug Report
matoro added a comment to T7022: libgcrypt-1.10.3 regression on hppa.

Thanks, I can confirm that this patch fixes the issue. I'll let Sam decide if this is how we want to handle it downstream or wait for confirmation from gcc.

Wed, Feb 28, 4:37 PM · libgcrypt, Gentoo, hppa, Bug Report

Feb 28 2024

gniibe added a project to T7022: libgcrypt-1.10.3 regression on hppa: libgcrypt.
Feb 28 2024, 2:57 AM · libgcrypt, Gentoo, hppa, Bug Report

Feb 22 2024

werner added a comment to T6755: libgcrypt: KEM API.

A way to generated keys in the usual s-expression way has been added. This allows us to get the keygrip for the key.

Feb 22 2024, 4:33 PM · PQC, libgcrypt

Feb 21 2024

werner added a comment to T6637: PQC for Libgcrypt.

FWIW, I posted some ideas at https://lists.gnupg.org/pipermail/librepgp-discuss/2024/000043.html . For official use in Germany we will very likely also add Brainpool curves as a replacement for the IETF curves.

Feb 21 2024, 2:52 PM · PQC, libgcrypt

Feb 15 2024

werner added a comment to T6755: libgcrypt: KEM API.

Although, we don't use our usual s-expressions we need to add a way to derive a keygrip from Kyber et al and also to wrap the key into an s-expression to that it can be stored by gpg-agent in its usual files. An exported new API to get the keygrip of a KEM key would be good to avoid encapsulation but for other purposes an encapsulation is still required.

Feb 15 2024, 6:00 PM · PQC, libgcrypt

Feb 9 2024

gniibe changed the status of T6976: RSA PKCS#1v1.5 signatures with SHA3 use invalid encoding from Open to Testing.

Applied the change. I write the ChangeLog entry by commit message.

Feb 9 2024, 8:32 AM · FIPS, libgcrypt, Bug Report

Feb 7 2024

werner triaged T6976: RSA PKCS#1v1.5 signatures with SHA3 use invalid encoding as Normal priority.
Feb 7 2024, 9:20 AM · FIPS, libgcrypt, Bug Report
werner added projects to T6976: RSA PKCS#1v1.5 signatures with SHA3 use invalid encoding: libgcrypt, FIPS.
Feb 7 2024, 9:17 AM · FIPS, libgcrypt, Bug Report

Jan 30 2024

gniibe changed the status of T6858: libgcrypt fails to be cross-compiled. from Open to Testing.

Fixed in master.

Jan 30 2024, 5:25 AM · libgcrypt
gniibe claimed T6858: libgcrypt fails to be cross-compiled..

Thanks for your report. It seems the linker for Android is more strict.

Jan 30 2024, 5:24 AM · libgcrypt

Jan 29 2024

gniibe changed the status of T6964: don't use deprecated grep aliases from Open to Testing.

Fixed in rC128121e74b66: build: Use @FGREP@ by configure for libgcrypt-config..

Jan 29 2024, 2:54 AM · libgcrypt
gniibe claimed T6964: don't use deprecated grep aliases.

Thank you. I recently fixed for use of egrep rC656ca459e3d8: m4: Update acinclude.m4 to use $GREP., but overlooked this one.

Jan 29 2024, 2:20 AM · libgcrypt

Jan 27 2024

dirkmueller added a project to T6964: don't use deprecated grep aliases: libgcrypt.
Jan 27 2024, 12:52 PM · libgcrypt

Jan 17 2024

werner added a comment to T6637: PQC for Libgcrypt.

Regading Kyber in GnuPG, there are a couple of open questions. For example whether the implicit lengths used for the key parameters match well with the overall protocol structure. Thus, as soon as we have finished the Libgcrypt part we will address this and implement it in some way. Before we do this we have to do a couple of changes to GnuPG required for FIPS compliance.

Jan 17 2024, 4:17 PM · PQC, libgcrypt
fse added a comment to T6637: PQC for Libgcrypt.

I just saw that Niibe is already working on the integration of the ML-KEM code into the master branch of libgcrypt. Apparently, this is an entirely new code base. Currently we are working on the integration of our ML-KEM implementation in libgcrypt into GnuPG. But based on what I see now it seems that apparently another approach is planned and already underway for libgcrypt and probably later also for GnuPG. It would be helpful if you could give us a pointer what your exact plans are, this makes it easier for us to direct our efforts in the optimal way.

Jan 17 2024, 2:24 PM · PQC, libgcrypt

Dec 21 2023

jukivili added a comment to T6892: libgcrypt-1.10.3 build failure on x86 with -Og.

Fix for i386 assembly pushed to master and 1.10 branch.

Dec 21 2023, 8:18 PM · libgcrypt, Bug Report

Dec 19 2023

jukivili added a comment to T6892: libgcrypt-1.10.3 build failure on x86 with -Og.

It looks that this is a bit more problematic case than I thought. Now building i386 with "-O2 -fsanitize=undefined" flags fails. I need to think little bit more how to handle this.

Dec 19 2023, 7:00 AM · libgcrypt, Bug Report
gniibe changed the status of T6892: libgcrypt-1.10.3 build failure on x86 with -Og from Open to Testing.
Dec 19 2023, 12:44 AM · libgcrypt, Bug Report

Dec 18 2023

werner triaged T6892: libgcrypt-1.10.3 build failure on x86 with -Og as Normal priority.
Dec 18 2023, 11:42 AM · libgcrypt, Bug Report
gniibe added a comment to T6892: libgcrypt-1.10.3 build failure on x86 with -Og.

@jukivili Thanks a lot. Please push the change to 1.10 branch and master.

Dec 18 2023, 7:51 AM · libgcrypt, Bug Report

Dec 16 2023

jukivili added a project to T6892: libgcrypt-1.10.3 build failure on x86 with -Og: libgcrypt.
Dec 16 2023, 6:57 PM · libgcrypt, Bug Report

Dec 13 2023

ametzler1 added a comment to T6863: [patch] libgcrypt copyright header cleanup.

Sorry for the fallout and thank you for taking care of it.

Dec 13 2023, 6:25 PM · patch, libgcrypt, Bug Report

Dec 12 2023

gniibe added a comment to T6863: [patch] libgcrypt copyright header cleanup.

Ah... it fails by make check because it does change the text in tests/basic.c which requires update of hash value.
I'm going to take care of this regressions.

Dec 12 2023, 7:42 AM · patch, libgcrypt, Bug Report
gniibe changed the status of T6863: [patch] libgcrypt copyright header cleanup from Open to Testing.

Thank you. All applied and pushed to master.

Dec 12 2023, 6:38 AM · patch, libgcrypt, Bug Report

Dec 4 2023

werner triaged T6858: libgcrypt fails to be cross-compiled. as Normal priority.

You may better ask on gcrypt-devel at gnupg.org for help.

Dec 4 2023, 4:57 PM · libgcrypt

Dec 1 2023

ametzler1 created T6863: [patch] libgcrypt copyright header cleanup.
Dec 1 2023, 6:21 PM · patch, libgcrypt, Bug Report

Nov 30 2023

twaik created T6858: libgcrypt fails to be cross-compiled..
Nov 30 2023, 2:04 PM · libgcrypt

Nov 28 2023

fse added a comment to T6637: PQC for Libgcrypt.

And another question: in the GnuPG code on the master branch I saw that algorithm identifiers for ML-KEM with Ed25519 and Ed448 are already defined in the code base. Do I understand correctly that the maintainers prefer the inclusion of these two algorithms and not necessarily the inclusion of the ones based on ML-KEM with ECDH using NIST or Brainpool curves?

Nov 28 2023, 1:21 PM · PQC, libgcrypt

Nov 27 2023

fse added a comment to T6637: PQC for Libgcrypt.

We have addressed all comments regarding ML-KEM (Kyber) and KMAC. Currently I am working on the GnuPG integration of the the ML-KEM composites. For that purpose I will need a branch of libgcrypt with both ML-KEM and KMAC. I am not sure if you are considering to integrate the ML-KEM version already now before the final NIST standards are release. Some libraries do it, for instance Botan. Appropriate naming of the algorithms can ensure that there arises no confusion which version of the algorithm one is using.

Nov 27 2023, 4:30 PM · PQC, libgcrypt

Nov 16 2023

werner closed T6335: Release Libgcrypt 1.8.11 as Resolved.
Nov 16 2023, 10:55 AM · libgcrypt, Release Info

Nov 15 2023

gniibe closed T3264: Possible RSA improvement as Invalid.

RSA improvement is not that worth now.

Nov 15 2023, 1:14 AM · libgcrypt
gniibe closed T3269: (Constant-time) modular reduction as Resolved.

OK. When we will need and do, I will open new one.

Nov 15 2023, 1:12 AM · libgcrypt
gniibe closed T3269: (Constant-time) modular reduction, a subtask of T3264: Possible RSA improvement, as Resolved.
Nov 15 2023, 1:12 AM · libgcrypt
gniibe closed T6539: The digest&sign/verify API with SHAKE-class digests does not work as Resolved.

The fix is in 1.10.3.

Nov 15 2023, 1:02 AM · libgcrypt, FIPS, Bug Report
gniibe closed T6507: SCRYPT does not work in FIPS mode as Resolved.

Fix is in 1.10.3.

Nov 15 2023, 12:54 AM · libgcrypt, FIPS, Bug Report

Nov 14 2023

werner moved T3269: (Constant-time) modular reduction from For 1.10 to Backlog on the libgcrypt board.

@gniibe: This is a pretty old bug; given all the changes of the last year, should we close it now?

Nov 14 2023, 1:21 PM · libgcrypt
werner closed T6747: sexp string including \0 as Resolved.
Nov 14 2023, 1:18 PM · libgcrypt, Bug Report
werner closed T6217: sha3: wrong results for large inputs as Resolved.
Nov 14 2023, 1:18 PM · libgcrypt, FIPS, Bug Report
werner closed T4873: Enable AES GCM in FIPS mode as Resolved.
Nov 14 2023, 1:17 PM · FIPS, libgcrypt, Feature Request
werner closed T4873: Enable AES GCM in FIPS mode, a subtask of T5870: libgcrypt: AEAD API for FIPS 140 (in future), as Resolved.
Nov 14 2023, 1:17 PM · Feature Request, FIPS, libgcrypt
werner moved T6747: sexp string including \0 from Backlog to For 1.10 on the libgcrypt board.
Nov 14 2023, 1:15 PM · libgcrypt, Bug Report
werner moved T6217: sha3: wrong results for large inputs from Backlog to For 1.10 on the libgcrypt board.
Nov 14 2023, 1:14 PM · libgcrypt, FIPS, Bug Report
werner closed T6817: Release Libgcrypt 1.10.3 as Resolved.
Nov 14 2023, 1:13 PM · Release Info, libgcrypt
werner closed T5905: Release Libgcrypt 1.10.2 as Resolved.
Nov 14 2023, 12:55 PM · Release Info, libgcrypt
werner created T6817: Release Libgcrypt 1.10.3.
Nov 14 2023, 12:54 PM · Release Info, libgcrypt

Oct 31 2023

gniibe added a comment to T6637: PQC for Libgcrypt.

In master, when fixing padding issue, libgcrypt/src/const-time.h is just introduced.
I will replace your functions.

Oct 31 2023, 7:41 AM · PQC, libgcrypt

Oct 24 2023

fse added a comment to T6637: PQC for Libgcrypt.

Yes, int8_t/int16_t/int32_t/uint8_t/uint16_t/uint32_t should not be used. There is size-specific integer types defined in src/types.h which can be used instead (byte/u16/u32). This header does not yet have signed integer types, but those can be added (for example, s8/s16/s32).

Oct 24 2023, 1:34 PM · PQC, libgcrypt

Oct 23 2023

aheinecke added a comment to T6637: PQC for Libgcrypt.
In T6637#176910, @fse wrote:

OK, fine, however, in order to be able keep an overview of our tasks I would still keep track of them in our GitHub, where I can create a sub-issue from the list of tasks with one click. But we will post our comments and results here as well as far relevant for the purpose of documentation. I think most of the points Jussi raised are more or less clear to me anyway.

Oct 23 2023, 7:23 PM · PQC, libgcrypt
jukivili added a comment to T6637: PQC for Libgcrypt.

Yes, int8_t/int16_t/int32_t/uint8_t/uint16_t/uint32_t should not be used. There is size-specific integer types defined in src/types.h which can be used instead (byte/u16/u32). This header does not yet have signed integer types, but those can be added (for example, s8/s16/s32).

Oct 23 2023, 7:00 PM · PQC, libgcrypt
jukivili closed T6451: libgcrypt | gcry_cipher_setkey: 3DES-CBC key returns GPG_ERR_WEAK even with GCRYCTL_SET_ALLOW_WEAK_KEY as Resolved.
Oct 23 2023, 6:56 PM · Debian, libgcrypt, Bug Report

Oct 18 2023

fse added a comment to T6637: PQC for Libgcrypt.

@jukivilli I have addressed a number of your comments now. You find my comments inline.

Oct 18 2023, 1:33 PM · PQC, libgcrypt

Oct 17 2023

jukivili updated the task description for T4460: libgcrypt performance TODOs.
Oct 17 2023, 5:57 PM · libgcrypt

Oct 16 2023

fse added a comment to T6755: libgcrypt: KEM API.

Yes, apparently I confused uint8_t and unsigned char here because the former appears in Simon's comments. We also kept to the use of unsigned char* in our implementations (that is even part of the GNU coding guidelines if I remember correctly).

Oct 16 2023, 1:43 PM · PQC, libgcrypt
werner added a comment to T6755: libgcrypt: KEM API.

Actually we never use uint8_t* because that is c99 and very uncommon except for some MCU projects. Instead we use unsigned char *. The use of void* is often used because this allows to pass arbitrary types to a function without requiring ugly and error-prone casting at the caller site.

Oct 16 2023, 1:14 PM · PQC, libgcrypt
werner added a comment to T6637: PQC for Libgcrypt.

You don't need a library but just one object file.

Oct 16 2023, 12:57 PM · PQC, libgcrypt
fse added a comment to T6637: PQC for Libgcrypt.

OK, fine, however, in order to be able keep an overview of our tasks I would still keep track of them in our GitHub, where I can create a sub-issue from the list of tasks with one click. But we will post our comments and results here as well as far relevant for the purpose of documentation. I think most of the points Jussi raised are more or less clear to me anyway.

Oct 16 2023, 12:07 PM · PQC, libgcrypt
fse added a comment to T6755: libgcrypt: KEM API.

With respect to the function signatures, I see the following issues with the API you reference via the provided link:

Oct 16 2023, 12:01 PM · PQC, libgcrypt
werner added a comment to T6637: PQC for Libgcrypt.

@fse: Github is not an option here. We don't use it and thus everything relevant to Libgcrypt needs to be documented here and not at some external platform.

Oct 16 2023, 11:53 AM · PQC, libgcrypt
gniibe added a comment to T6755: libgcrypt: KEM API.

For length information, we can find that Simon's patch (let me call it v1) has length argument:
https://gitlab.com/jas/libgcrypt/-/commit/3af635afca052a9575912b257fe7518a58bfe810

Oct 16 2023, 10:24 AM · PQC, libgcrypt
fse added a comment to T6637: PQC for Libgcrypt.

Hi Jussi,

Oct 16 2023, 8:37 AM · PQC, libgcrypt

Oct 15 2023

jukivili added a comment to T6637: PQC for Libgcrypt.
  • There's many functions that use buffers on stack. Do those contain secrets? Should those buffers be wiped before returning from function (with wipememory())? For example, "mlkem_check_secret_key" has two buffers "shared_secret_1" and "shared_secret_2" which are not wiped.
  • mlkem.c: mlkem_check_secret_key: "memcmp" is used to compare shared secrets. Should this use constant time comparison instead?
  • mlkem-common.c: _gcry_mlkem_mlkem_shake256_rkprf:
    • _gcry_md_hash_buffers_extract can be used here instead of _gcry_md_open&write&extract&close.
  • mlkem-symmetric.c: _gcry_mlkem_shake256_prf:
    • _gcry_md_hash_buffers_extract can be used here instead of _gcry_md_open&write&extract&close. Temporary buffer usage can be avoided by passing input buffers through two IOV to _gcry_md_hash_buffers_extract.
Oct 15 2023, 5:08 PM · PQC, libgcrypt
jukivili added a comment to T6637: PQC for Libgcrypt.

Few comments on the patches.

Oct 15 2023, 4:38 PM · PQC, libgcrypt

Oct 11 2023

fse added a comment to T6755: libgcrypt: KEM API.

Our own internal function signatures is not necessarily a good refernce. The main objection to all what you list above is the lack of explicit length information. For each uint8_t* there should also be a size_t ...len in my opinion. Otherwise the API will be highly prone to memory access errors.

Oct 11 2023, 8:34 AM · PQC, libgcrypt
gniibe added a comment to T6755: libgcrypt: KEM API.

@fse Thank you for your comment (quick ! :-).

Oct 11 2023, 6:47 AM · PQC, libgcrypt

Oct 10 2023

fse added a comment to T6755: libgcrypt: KEM API.

The API that you quote at the end is indeed what is comonly understood as how a KEM functions and is exactly what fits to ML-KEM.

Oct 10 2023, 9:11 AM · PQC, libgcrypt
gniibe triaged T6755: libgcrypt: KEM API as Wishlist priority.
Oct 10 2023, 8:23 AM · PQC, libgcrypt

Oct 9 2023

gniibe added a comment to T6637: PQC for Libgcrypt.

Please send us patches (to this branch).

Oct 9 2023, 10:29 AM · PQC, libgcrypt
fse added a comment to T6637: PQC for Libgcrypt.

One question on the future cooperation: is it from now on possible to directly commit to these branches or will we continue to work with uploading patches to this task?

Oct 9 2023, 8:18 AM · PQC, libgcrypt

Oct 6 2023

gniibe added a comment to T6637: PQC for Libgcrypt.

Pushed the change into kem-kyber branch.
https://dev.gnupg.org/source/libgcrypt/history/kem-kyber/

Oct 6 2023, 6:42 AM · PQC, libgcrypt

Oct 5 2023

werner triaged T6747: sexp string including \0 as Normal priority.
Oct 5 2023, 11:41 AM · libgcrypt, Bug Report
gniibe changed the status of T6747: sexp string including \0 from Open to Testing.
Oct 5 2023, 8:38 AM · libgcrypt, Bug Report
gniibe claimed T6747: sexp string including \0.
Oct 5 2023, 8:30 AM · libgcrypt, Bug Report
gniibe created T6747: sexp string including \0.
Oct 5 2023, 8:30 AM · libgcrypt, Bug Report
gniibe claimed T6637: PQC for Libgcrypt.

I'll create a branch for this work. Then, I'll incorporate changes to master.

Oct 5 2023, 7:15 AM · PQC, libgcrypt

Oct 4 2023

fse added a comment to T6637: PQC for Libgcrypt.

Uploading two patches for review:

Oct 4 2023, 8:11 AM · PQC, libgcrypt

Oct 2 2023

werner changed the edit policy for T6637: PQC for Libgcrypt.
Oct 2 2023, 4:43 PM · PQC, libgcrypt

Aug 8 2023

werner added a project to T6637: PQC for Libgcrypt: PQC.
Aug 8 2023, 11:50 AM · PQC, libgcrypt
werner added a project to T6636: PQC Implementation: PQC.
Aug 8 2023, 11:49 AM · PQC, gnupg, libgcrypt
werner triaged T6637: PQC for Libgcrypt as Wishlist priority.
Aug 8 2023, 11:47 AM · PQC, libgcrypt
werner triaged T6636: PQC Implementation as Normal priority.
Aug 8 2023, 11:46 AM · PQC, gnupg, libgcrypt

Jul 20 2023

gniibe added a comment to T6271: The old FSF address in libgcrypt source code.

Fixed in: rP66abf7cb1e1b: Update GPL2 for new FSF address. Use URL for license.

Jul 20 2023, 6:56 AM · Documentation, libgcrypt, Bug Report

Jun 28 2023

gniibe changed the status of T6539: The digest&sign/verify API with SHAKE-class digests does not work from Open to Testing.

Add the check of digest algorithm for EdDSA in: rCd15fe6aac10b: cipher:ecc:fips: Only allow defined digest algo for EdDSA.

Jun 28 2023, 7:23 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

No, there are use cases in GnuPG, where we specify the hash algo for signing, and our own tests/benchmark.c.

Jun 28 2023, 3:54 AM · libgcrypt, FIPS, Bug Report
gniibe added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

For the first issue, I added a check in: rCf65c30d470f5: cipher:ecc:fips: Reject use of SHAKE when it's ECDSA with RFC6979.

Jun 28 2023, 3:52 AM · libgcrypt, FIPS, Bug Report

Jun 27 2023

Jakuje added a comment to T6539: The digest&sign/verify API with SHAKE-class digests does not work.

From the FIPS 186-5 there are some limitations to use the SHAKE in FIPS Mode that we will have to reflect:

Jun 27 2023, 5:22 PM · libgcrypt, FIPS, Bug Report

Jun 23 2023

gniibe added a comment to T6557: Support of SHAKE in MGF function of RSA.

Pushed a change in master.

Jun 23 2023, 6:00 AM · libgcrypt, FIPS, Bug Report
gniibe changed the status of T6557: Support of SHAKE in MGF function of RSA, a subtask of T6539: The digest&sign/verify API with SHAKE-class digests does not work, from Open to Testing.
Jun 23 2023, 6:00 AM · libgcrypt, FIPS, Bug Report
gniibe changed the status of T6557: Support of SHAKE in MGF function of RSA from Open to Testing.
Jun 23 2023, 6:00 AM · libgcrypt, FIPS, Bug Report
gniibe updated the task description for T6557: Support of SHAKE in MGF function of RSA.
Jun 23 2023, 3:28 AM · libgcrypt, FIPS, Bug Report
gniibe renamed T6557: Support of SHAKE in MGF function of RSA from Support of SHAKE in MGF1 function of RSA to Support of SHAKE in MGF function of RSA.
Jun 23 2023, 3:27 AM · libgcrypt, FIPS, Bug Report
gniibe triaged T6557: Support of SHAKE in MGF function of RSA as Normal priority.
Jun 23 2023, 2:41 AM · libgcrypt, FIPS, Bug Report