12 files changed, 159 insertions, 30 deletions
diff --git a/meta-oe/recipes-crypto/botan/botan_2.19.2.bb b/meta-oe/recipes-crypto/botan/botan_3.2.0.bb
index 5261367db2..5eff2d383e 100644
--- a/meta-oe/recipes-crypto/botan/botan_2.19.2.bb
+++ b/meta-oe/recipes-crypto/botan/botan_3.2.0.bb
@@ -1,11 +1,11 @@
 SUMMARY = "Crypto and TLS for C++11"
 HOMEPAGE = "https://botan.randombit.net"
 LICENSE = "BSD-2-Clause"
-LIC_FILES_CHKSUM = "file://license.txt;md5=f4ce98476c07c34e1793daa036960fad"
+LIC_FILES_CHKSUM = "file://license.txt;md5=f5254d3abe90ec5bb82c5694ff751546"
 SECTION = "libs"
 
 SRC_URI = "https://botan.randombit.net/releases/Botan-${PV}.tar.xz"
-SRC_URI[sha256sum] = "3af5f17615c6b5cd8b832d269fb6cb4d54ec64f9eb09ddbf1add5093941b4d75"
+SRC_URI[sha256sum] = "049c847835fcf6ef3a9e206b33de05dd38999c325e247482772a5598d9e5ece3"
 
 S = "${WORKDIR}/Botan-${PV}"
 
@@ -40,7 +40,7 @@ do_compile() {
 }
 do_install() {
 	oe_runmake install
-	sed -i -e "s|${D}||g" ${D}${libdir}/pkgconfig/botan-2.pc
+	sed -i -e "s|${D}||g" ${D}${libdir}/pkgconfig/botan-3.pc
 }
 
 PACKAGES += "${PN}-python3"
diff --git a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.7.2.bb
index 652fd66614..504c718b96 100644
--- a/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.4.3.bb
+++ b/meta-oe/recipes-crypto/cryptsetup/cryptsetup_2.7.2.bb
@@ -20,7 +20,7 @@ DEPENDS:append:libc-musl = " argp-standalone"
 LDFLAGS:append:libc-musl = " -largp"
 
 SRC_URI = "${KERNELORG_MIRROR}/linux/utils/${BPN}/v${@d.getVar('PV').split('.')[0]}.${@d.getVar('PV').split('.')[1]}/${BP}.tar.xz"
-SRC_URI[sha256sum] = "fc0df945188172264ec5bf1d0bda08264fadc8a3f856d47eba91f31fe354b507"
+SRC_URI[sha256sum] = "219ebf74e8eddf96624a0376477e5a6f8f350a67aaf36e7dadb114d94b3afef4"
 
 inherit autotools gettext pkgconfig
 
@@ -30,7 +30,7 @@ PACKAGECONFIG ??= " \
     keyring \
     cryptsetup \
     veritysetup \
-    cryptsetup-reencrypt \
+    luks2-reencryption \
     integritysetup \
     ${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)} \
     kernel_crypto \
@@ -50,7 +50,7 @@ PACKAGECONFIG[pwquality] = "--enable-pwquality,--disable-pwquality,libpwquality"
 PACKAGECONFIG[passwdqc] = "--enable-passwdqc,--disable-passwdqc,passwdqc"
 PACKAGECONFIG[cryptsetup] = "--enable-cryptsetup,--disable-cryptsetup"
 PACKAGECONFIG[veritysetup] = "--enable-veritysetup,--disable-veritysetup"
-PACKAGECONFIG[cryptsetup-reencrypt] = "--enable-cryptsetup-reencrypt,--disable-cryptsetup-reencrypt"
+PACKAGECONFIG[luks2-reencryption] = "--enable-luks2-reencryption,--disable-luks2-reencryption"
 PACKAGECONFIG[integritysetup] = "--enable-integritysetup,--disable-integritysetup"
 PACKAGECONFIG[selinux] = "--enable-selinux,--disable-selinux"
 PACKAGECONFIG[udev] = "--enable-udev,--disable-udev,,udev lvm2-udevrules"
@@ -78,7 +78,8 @@ EXTRA_OECONF += "--enable-largefile"
 EXTRA_OECONF += "--disable-static-cryptsetup"
 # There's no recipe for libargon2 yet
 EXTRA_OECONF += "--disable-libargon2"
-
+# Disable documentation, there is no asciidoctor-native available in OE
+EXTRA_OECONF += "--disable-asciidoc"
 # libcryptsetup default PBKDF algorithm, Argon2 memory cost (KB), parallel threads and iteration time (ms)
 LUKS2_PBKDF ?= "argon2i"
 LUKS2_MEMORYKB ?= "1048576"
diff --git a/meta-oe/recipes-crypto/fsverity-utils/fsverity-utils_1.5.bb b/meta-oe/recipes-crypto/fsverity-utils/fsverity-utils_1.5.bb
index c95a5b2d32..1c2c6e21e0 100644
--- a/meta-oe/recipes-crypto/fsverity-utils/fsverity-utils_1.5.bb
+++ b/meta-oe/recipes-crypto/fsverity-utils/fsverity-utils_1.5.bb
@@ -16,7 +16,7 @@ S = "${WORKDIR}/git"
 
 DEPENDS = "openssl"
 
-EXTRA_OEMAKE:append = "PREFIX=${prefix} LIBDIR=${libdir} USE_SHARED_LIB=1"
+EXTRA_OEMAKE:append = " PREFIX=${prefix} LIBDIR=${libdir} USE_SHARED_LIB=1"
 # We want to statically link the binary to libfsverity on native Windows
 EXTRA_OEMAKE:remove:mingw32:class-nativesdk = "USE_SHARED_LIB=1"
 EXTRA_OEMAKE:remove:mingw32:class-native = "USE_SHARED_LIB=1"
diff --git a/meta-oe/recipes-crypto/libkcapi/libkcapi_1.4.0.bb b/meta-oe/recipes-crypto/libkcapi/libkcapi_1.5.0.bb
index 3be8c76b54..a34614dd9d 100644
--- a/meta-oe/recipes-crypto/libkcapi/libkcapi_1.4.0.bb
+++ b/meta-oe/recipes-crypto/libkcapi/libkcapi_1.5.0.bb
@@ -1,10 +1,10 @@
 SUMMARY = "Linux Kernel Crypto API User Space Interface Library"
-HOMEPAGE = "http://www.chronox.de/libkcapi.html"
+HOMEPAGE = "https://www.chronox.de/libkcapi/index.html"
 LICENSE = "BSD-3-Clause | GPL-2.0-only"
-LIC_FILES_CHKSUM = "file://COPYING;md5=a2562899bc38f1735868f0bf0c1dd1a5"
+LIC_FILES_CHKSUM = "file://COPYING;md5=3d8a091d797491204567185a6efce70f"
 
 S = "${WORKDIR}/git"
-SRCREV = "1429ab42d48123cc8f73b96c69a87fb9c6d8a7c9"
+SRCREV = "fc937358e71253a6efaa3ba74885364976b040ea"
 SRC_URI = "git://github.com/smuellerDD/libkcapi.git;branch=master;protocol=https \
           "
 
diff --git a/meta-oe/recipes-crypto/libmcrypt/libmcrypt_2.5.8.bb b/meta-oe/recipes-crypto/libmcrypt/libmcrypt_2.5.8.bb
index 50cdf229e6..cfa056d71d 100644
--- a/meta-oe/recipes-crypto/libmcrypt/libmcrypt_2.5.8.bb
+++ b/meta-oe/recipes-crypto/libmcrypt/libmcrypt_2.5.8.bb
@@ -12,7 +12,9 @@ SRC_URI[sha256sum] = "e4eb6c074bbab168ac47b947c195ff8cef9d51a211cdd18ca9c9ef34d2
 UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/mcrypt/files/Libmcrypt/"
 UPSTREAM_CHECK_REGEX = "Libmcrypt/(?P<pver>\d+(\.\d+)+)/"
 
-inherit autotools-brokensep gettext binconfig
+inherit autotools-brokensep gettext binconfig multilib_script
+
+CFLAGS += "-Wno-error=implicit-int"
 
 do_configure() {
         install -m 0755 ${STAGING_DATADIR_NATIVE}/gnu-config/config.guess ${S}
@@ -26,3 +28,5 @@ do_configure() {
 }
 
 CLEANBROKEN = "1"
+
+MULTILIB_SCRIPTS = "${PN}-dev:${bindir}/libmcrypt-config"
diff --git a/meta-oe/recipes-crypto/libsodium/libsodium/0001-fix-aarch64-Move-target-pragma-after-arm_neon.h-incl.patch b/meta-oe/recipes-crypto/libsodium/libsodium/0001-fix-aarch64-Move-target-pragma-after-arm_neon.h-incl.patch
new file mode 100644
index 0000000000..7a6fae7997
--- /dev/null
+++ b/meta-oe/recipes-crypto/libsodium/libsodium/0001-fix-aarch64-Move-target-pragma-after-arm_neon.h-incl.patch
@@ -0,0 +1,49 @@
+From d3253310f7c0fc0f1aad6864e3b57958ea1bb9c5 Mon Sep 17 00:00:00 2001
+From: tux3 <barrdetwix@gmail.com>
+Date: Mon, 16 Oct 2023 16:42:04 +0200
+Subject: [PATCH] fix(aarch64): Move target #pragma after arm_neon.h include
+
+Fix per https://github.com/android/ndk/issues/1945
+
+If the pragma is done before the header include,
+in NDK 26 the attribute may apply to the functions in arm_neon.h
+
+Upstream-Status: Backport [https://github.com/jedisct1/libsodium/pull/1321]
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+ .../aes256gcm/armcrypto/aead_aes256gcm_armcrypto.c   | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/src/libsodium/crypto_aead/aes256gcm/armcrypto/aead_aes256gcm_armcrypto.c b/src/libsodium/crypto_aead/aes256gcm/armcrypto/aead_aes256gcm_armcrypto.c
+index 0a5a128..aa76f5c 100644
+--- a/src/libsodium/crypto_aead/aes256gcm/armcrypto/aead_aes256gcm_armcrypto.c
++++ b/src/libsodium/crypto_aead/aes256gcm/armcrypto/aead_aes256gcm_armcrypto.c
+@@ -19,12 +19,6 @@
+ #define __vectorcall
+ #endif
+ 
+-#ifdef __clang__
+-#pragma clang attribute push(__attribute__((target("neon,crypto,aes"))), apply_to = function)
+-#elif defined(__GNUC__)
+-#pragma GCC target("+simd+crypto")
+-#endif
+-
+ #ifndef __ARM_FEATURE_CRYPTO
+ #define __ARM_FEATURE_CRYPTO 1
+ #endif
+@@ -34,6 +28,12 @@
+ 
+ #include <arm_neon.h>
+ 
++#ifdef __clang__
++#pragma clang attribute push(__attribute__((target("neon,crypto,aes"))), apply_to = function)
++#elif defined(__GNUC__)
++#pragma GCC target("+simd+crypto")
++#endif
++
+ #define ABYTES    crypto_aead_aes256gcm_ABYTES
+ #define NPUBBYTES crypto_aead_aes256gcm_NPUBBYTES
+ #define KEYBYTES  crypto_aead_aes256gcm_KEYBYTES
+-- 
+2.42.1
+
diff --git a/meta-oe/recipes-crypto/libsodium/libsodium_1.0.18.bb b/meta-oe/recipes-crypto/libsodium/libsodium_1.0.18.bb
deleted file mode 100644
index 53b3ddc26f..0000000000
--- a/meta-oe/recipes-crypto/libsodium/libsodium_1.0.18.bb
+++ /dev/null
@@ -1,13 +0,0 @@
-SUMMARY = "The Sodium crypto library"
-HOMEPAGE = "http://libsodium.org/"
-BUGTRACKER = "https://github.com/jedisct1/libsodium/issues"
-LICENSE = "ISC"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=47203c753972e855179dfffe15188bee"
-
-SRC_URI = "https://download.libsodium.org/libsodium/releases/${BPN}-${PV}.tar.gz"
-SRC_URI[md5sum] = "3ca9ebc13b6b4735acae0a6a4c4f9a95"
-SRC_URI[sha256sum] = "6f504490b342a4f8a4c4a02fc9b866cbef8622d5df4e5452b46be121e46636c1"
-
-inherit autotools
-
-BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-oe/recipes-crypto/libsodium/libsodium_1.0.19.bb b/meta-oe/recipes-crypto/libsodium/libsodium_1.0.19.bb
new file mode 100644
index 0000000000..2e678f3f0f
--- /dev/null
+++ b/meta-oe/recipes-crypto/libsodium/libsodium_1.0.19.bb
@@ -0,0 +1,14 @@
+SUMMARY = "The Sodium crypto library"
+HOMEPAGE = "http://libsodium.org/"
+BUGTRACKER = "https://github.com/jedisct1/libsodium/issues"
+LICENSE = "ISC"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=49ce3b426e6a002e23a1387248e6dbe9"
+
+SRC_URI = "https://download.libsodium.org/libsodium/releases/${BPN}-${PV}.tar.gz \
+           file://0001-fix-aarch64-Move-target-pragma-after-arm_neon.h-incl.patch"
+SRC_URI[sha256sum] = "018d79fe0a045cca07331d37bd0cb57b2e838c51bc48fd837a1472e50068bbea"
+
+inherit autotools
+
+S = "${WORKDIR}/libsodium-stable"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt/CVE-2019-17362.patch b/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt/CVE-2019-17362.patch
new file mode 100644
index 0000000000..8b7348a11f
--- /dev/null
+++ b/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt/CVE-2019-17362.patch
@@ -0,0 +1,25 @@
+From 25c26a3b7a9ad8192ccc923e15cf62bf0108ef94 Mon Sep 17 00:00:00 2001
+From: werew <werew@ret2libc.com>
+Date: Thu, 3 Oct 2019 19:57:10 +0200
+Subject: [PATCH] Fixes #507
+
+Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
+---
+Upstream-Status: Backport [https://github.com/libtom/libtomcrypt/commit/64d1153e5a515740ab56f39c46baf4cf6991a9d3]
+
+ src/pk/asn1/der/utf8/der_decode_utf8_string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/pk/asn1/der/utf8/der_decode_utf8_string.c b/src/pk/asn1/der/utf8/der_decode_utf8_string.c
+index 94555b99f..d3ed82bea 100644
+--- a/src/pk/asn1/der/utf8/der_decode_utf8_string.c
++++ b/src/pk/asn1/der/utf8/der_decode_utf8_string.c
+@@ -65,7 +65,7 @@ int der_decode_utf8_string(const unsigned char *in,  unsigned long inlen,
+       /* count number of bytes */
+       for (z = 0; (tmp & 0x80) && (z <= 4); z++, tmp = (tmp << 1) & 0xFF);
+ 
+-      if (z > 4 || (x + (z - 1) > inlen)) {
++      if (z == 1 || z > 4 || (x + (z - 1) > inlen)) {
+          return CRYPT_INVALID_PACKET;
+       }
+ 
diff --git a/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt_1.18.2.bb b/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt_1.18.2.bb
index 357fd0ab8d..5479007d92 100644
--- a/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt_1.18.2.bb
+++ b/meta-oe/recipes-crypto/libtomcrypt/libtomcrypt_1.18.2.bb
@@ -1,21 +1,41 @@
 SUMMARY = "LibTomCrypt is a public domain open source cryptographic toolkit"
 HOMEPAGE = "https://www.libtom.net/LibTomCrypt"
 SECTION = "libs"
+# Unlicense isn't very accurate for this revision, it was WTFPL in 0.18.0-rc1:
+# https://github.com/libtom/libtomcrypt/commit/77e31fb6a980212e90b9a50f116dc5a7bd91e527
+# then updated to dual license PD and WTFPL also in 0.18.0-rc1:
+# https://github.com/libtom/libtomcrypt/commit/412b2ee1fccc3a0df58f93f372c90d6d0f93bfc9
+# and then updated again to Unlicense after the 0.18.2 tag (it's only in develop branch):
+# https://github.com/libtom/libtomcrypt/commit/3630bee6fc0f73dd9c7923fd43f8ae15a2c0fb70
+# but keep using Unlicense to avoid triggering people with WTFPL license:
+# https://groups.google.com/g/libtom/c/17Z7xkECULM
+# and this comment can be removed next time libtomcrypt is updated
 LICENSE = "Unlicense"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=71baacc459522324ef3e2b9e052e8180"
 
-DEPENDS += "libtool-cross"
+DEPENDS = "libtool-cross"
 
-SRC_URI = "git://github.com/libtom/libtomcrypt.git;protocol=https;branch=master"
+SRC_URI = "git://github.com/libtom/libtomcrypt.git;protocol=https;branch=master \
+   file://CVE-2019-17362.patch \
+"
 
 SRCREV = "7e7eb695d581782f04b24dc444cbfde86af59853"
 
 S = "${WORKDIR}/git"
 
+inherit pkgconfig
+
+PACKAGECONFIG ??= "ltm"
+PACKAGECONFIG[ltm] = ",,libtommath"
+
+CFLAGS += "${@bb.utils.contains('PACKAGECONFIG', 'ltm', '-DUSE_LTM -DLTM_DESC', '', d)}"
+
+EXTRA_OEMAKE = "'PREFIX=${prefix}' 'DESTDIR=${D}' 'LIBPATH=${libdir}' 'CFLAGS=${CFLAGS}'"
+
 do_compile() {
     oe_runmake -f makefile.shared
 }
 
 do_install() {
-    oe_runmake -f makefile.shared 'PREFIX=${prefix}' 'DESTDIR=${D}' install
+    oe_runmake -f makefile.shared install
 }
diff --git a/meta-oe/recipes-crypto/monocypher/monocypher_4.0.2.bb b/meta-oe/recipes-crypto/monocypher/monocypher_4.0.2.bb
new file mode 100644
index 0000000000..813c6ec4c8
--- /dev/null
+++ b/meta-oe/recipes-crypto/monocypher/monocypher_4.0.2.bb
@@ -0,0 +1,28 @@
+SUMMARY = "Monocypher is an easy-to-use crypto library"
+DESCRIPTION = "Monocypher is an easy to use, easy to deploy, \
+auditable crypto library written in portable C. It approaches the size of TweetNaCl and the speed of libsodium."
+HOMEPAGE = "https://monocypher.org/"
+SECTION = "libs"
+LICENSE = "BSD-2-Clause | CC0-1.0"
+LIC_FILES_CHKSUM = "file://LICENCE.md;md5=ff30a1c41dfd9e6fa559a9e45ee98302"
+
+SRC_URI = "https://monocypher.org/download/${BPN}-${PV}.tar.gz"
+SRC_URI[sha512sum] = "bf275d4c53ff94af6cdc723a4e002e9f080f4d1436c86c76bb37870b34807f1d7b32331d8ff8a1aeb369e946f3769021e03e63efac25b82efc5abf54dc084714"
+
+MIRRORS = "https://.*/.* https://github.com/LoupVaillant/Monocypher/releases/download/${PV}/${BPN}-${PV}.tar.gz "
+
+S = "${WORKDIR}/${BPN}-${PV}"
+
+CFLAGS += "-pedantic -Wall -Wextra -O3"
+EXTRA_OEMAKE = "'PREFIX=${prefix}' 'DESTDIR=${D}' 'CFLAGS=${CFLAGS}' 'LIBDIR=${libdir}'"
+
+do_compile() {
+    oe_runmake library
+}
+
+do_install() {
+    oe_runmake install-lib
+    oe_runmake install-pc
+}
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.29.0.bb b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.30.0.bb
index a34a4b9140..d3922cf79e 100644
--- a/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.29.0.bb
+++ b/meta-oe/recipes-crypto/pkcs11-helper/pkcs11-helper_1.30.0.bb
@@ -18,8 +18,9 @@ LIC_FILES_CHKSUM = " \
 SRC_URI = "git://github.com/OpenSC/${BPN}.git;branch=master;protocol=https"
 
 S = "${WORKDIR}/git"
-# v1.27
-SRCREV = "2306f896c2f3c147792300155316fd65825aabad"
+# master
+SRCREV = "8bed16034f629a0361fa8ff89deed2b43dc45d8b"
+PV .= "+1.30.0+git"
 
 UPSTREAM_CHECK_GITTAGREGEX = "pkcs11-helper-(?P<pver>\d+(\.\d+)+)"