grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v6 3/6] Adjust import script, definitions and API users for l


From: Glenn Washburn
Subject: Re: [PATCH v6 3/6] Adjust import script, definitions and API users for libgcrypt 1.11
Date: Fri, 27 Sep 2024 16:28:39 -0500

On Wed, 11 Sep 2024 12:34:18 +0300
Vladimir Serbinenko <phcoder@gmail.com> wrote:

> Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
> ---
>  autogen.sh                                    |   5 +
>  conf/Makefile.common                          |   4 +-
>  grub-core/Makefile.core.def                   |  36 ++-
>  grub-core/commands/hashsum.c                  |   2 +-
>  grub-core/commands/legacycfg.c                |   6 +-
>  grub-core/commands/pgp.c                      | 114 +++-----
>  grub-core/commands/xnu_uuid.c                 |   2 +-
>  grub-core/disk/cryptodisk.c                   |   2 +-
>  grub-core/io/gzio.c                           |   2 +-
>  grub-core/io/lzopio.c                         |   2 +-
>  grub-core/lib/adler32.c                       |  21 +-
>  grub-core/lib/crc64.c                         |  24 +-
>  grub-core/lib/crypto.c                        | 245 +++++++++++++++-
>  grub-core/lib/libgcrypt-patches/01_md.patch   | 207 ++++++++++++++
>  .../03_disable_rsa_shake.patch                |  34 +++
>  .../libgcrypt-patches/04_aria_static.patch    |  22 ++
>  grub-core/lib/libgcrypt/src/gcrypt-int.h      |  51 ----
>  grub-core/lib/libgcrypt_wrap/cipher_wrap.h    |  13 +-
>  grub-core/lib/libgcrypt_wrap/mem.c            |  83 +++++-
>  grub-core/lib/posix_wrap/sys/types.h          |   4 +
>  grub-core/lib/xzembed/xz_dec_stream.c         |  18 +-
>  include/grub/crypto.h                         | 263 +++++++++++++++---
>  include/grub/gcrypt/gpg-error.h               |  29 ++
>  util/grub-fstest.c                            |   2 +-
>  util/import_gcry.py                           | 193 +++++++++----
>  util/import_gcrypt_inth.sed                   |  17 ++
>  util/import_gcrypth.sed                       |   2 -
>  27 files changed, 1121 insertions(+), 282 deletions(-)
>  create mode 100644 grub-core/lib/libgcrypt-patches/01_md.patch
>  create mode 100644 grub-core/lib/libgcrypt-patches/03_disable_rsa_shake.patch
>  create mode 100644 grub-core/lib/libgcrypt-patches/04_aria_static.patch
>  create mode 100644 util/import_gcrypt_inth.sed
> 
> diff --git a/autogen.sh b/autogen.sh
> index 195daa541..05bc9b2f0 100755
> --- a/autogen.sh
> +++ b/autogen.sh
> @@ -35,6 +35,7 @@ ${PYTHON} util/import_unicode.py unicode/UnicodeData.txt 
> unicode/BidiMirroring.t
>  echo "Importing libgcrypt..."
>  ${PYTHON} util/import_gcry.py grub-core/lib/libgcrypt/ grub-core
>  sed -n -f util/import_gcrypth.sed < grub-core/lib/libgcrypt/src/gcrypt.h.in 
> > include/grub/gcrypt/gcrypt.h
> +sed -n -f util/import_gcrypt_inth.sed < 
> grub-core/lib/libgcrypt/src/gcrypt-int.h >> include/grub/gcrypt/gcrypt.h
>  if [ -f include/grub/gcrypt/g10lib.h ]; then
>      rm include/grub/gcrypt/g10lib.h
>  fi
> @@ -51,6 +52,10 @@ for x in mpi-asm-defs.h mpih-add1.c mpih-sub1.c 
> mpih-mul1.c mpih-mul2.c mpih-mul
>      cp grub-core/lib/libgcrypt-grub/mpi/generic/"$x" 
> grub-core/lib/libgcrypt-grub/mpi/"$x"
>  done
>  
> +for x in grub-core/lib/libgcrypt-patches/*.patch; do
> +    patch -i $x -p1
> +done
> +
>  echo "Generating Automake input..."
>  
>  # Automake doesn't like including files from a path outside the project.
> diff --git a/conf/Makefile.common b/conf/Makefile.common
> index c60f55386..5cada4568 100644
> --- a/conf/Makefile.common
> +++ b/conf/Makefile.common
> @@ -81,8 +81,8 @@ CPPFLAGS_GNULIB = -I$(top_builddir)/grub-core/lib/gnulib 
> -I$(top_srcdir)/grub-co
>  CFLAGS_POSIX = -fno-builtin
>  CPPFLAGS_POSIX = -I$(top_srcdir)/grub-core/lib/posix_wrap
>  
> -CFLAGS_GCRY = -Wno-error -Wno-missing-field-initializers 
> -Wno-redundant-decls -Wno-undef $(CFLAGS_POSIX)
> -CPPFLAGS_GCRY = -I$(top_srcdir)/grub-core/lib/libgcrypt_wrap 
> $(CPPFLAGS_POSIX) -D_GCRYPT_IN_LIBGCRYPT=1 -I$(top_srcdir)/include/grub/gcrypt
> +CFLAGS_GCRY = -Wno-error=sign-compare -Wno-missing-field-initializers 
> -Wno-redundant-decls -Wno-undef $(CFLAGS_POSIX)
> +CPPFLAGS_GCRY = -I$(top_srcdir)/grub-core/lib/libgcrypt_wrap 
> $(CPPFLAGS_POSIX) -D_GCRYPT_IN_LIBGCRYPT=1 -D_GCRYPT_CONFIG_H_INCLUDED=1 
> -DHAVE_STRTOUL=1 -I$(top_srcdir)/include/grub/gcrypt
>  
>  CPPFLAGS_EFIEMU = -I$(top_srcdir)/grub-core/efiemu/runtime
>  
> diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> index 705d73fab..799e4d471 100644
> --- a/grub-core/Makefile.core.def
> +++ b/grub-core/Makefile.core.def
> @@ -975,8 +975,8 @@ module = {
>  module = {
>    name = pgp;
>    common = commands/pgp.c;
> -  cflags = '$(CFLAGS_POSIX)';
> -  cppflags = '-I$(srcdir)/lib/posix_wrap';
> +  cflags = '$(CFLAGS_GCRY) -Wno-redundant-decls -Wno-sign-compare';
> +  cppflags = '$(CPPFLAGS_GCRY)';
>  };
>  
>  module = {
> @@ -2175,6 +2175,22 @@ module = {
>    common = tests/setjmp_test.c;
>  };
>  
> +module = {
> +  name = dsa_sexp_test;
> +  common = tests/dsa_sexp_test.c;
> +
> +  cflags = '$(CFLAGS_GCRY) -Wno-redundant-decls -Wno-sign-compare';
> +  cppflags = '$(CPPFLAGS_GCRY)';
> +};
> +
> +module = {
> +  name = rsa_sexp_test;
> +  common = tests/rsa_sexp_test.c;
> +
> +  cflags = '$(CFLAGS_GCRY) -Wno-redundant-decls -Wno-sign-compare';
> +  cppflags = '$(CPPFLAGS_GCRY)';
> +};
> +
>  module = {
>    name = signature_test;
>    common = tests/signature_test.c;
> @@ -2529,7 +2545,23 @@ module = {
>    common = lib/libgcrypt-grub/mpi/mpicoder.c;
>    common = lib/libgcrypt-grub/mpi/mpih-rshift.c;
>    common = lib/libgcrypt-grub/mpi/mpi-inline.c;
> +  common = lib/libgcrypt-grub/mpi/mpih-const-time.c;
> +  common = lib/libgcrypt-grub/mpi/mpi-scan.c;
> +  common = lib/libgcrypt-grub/src/const-time.c;
>    common = lib/libgcrypt_wrap/mem.c;
> +  common = lib/libgcrypt-grub/cipher/md.c;
> +
> +  cflags = '$(CFLAGS_GCRY) -Wno-redundant-decls -Wno-sign-compare 
> -Wno-unused-but-set-variable';
> +  cppflags = '$(CPPFLAGS_GCRY)';
> +};
> +
> +module = {
> +  name = pubkey;
> +  common = lib/libgcrypt-grub/cipher/pubkey-util.c;
> +  common = lib/libgcrypt-grub/cipher/rsa-common.c;
> +  common = lib/libgcrypt-grub/cipher/dsa-common.c;
> +  common = lib/libgcrypt-grub/src/sexp.c;
> +  common = lib/b64dec.c;
>  
>    cflags = '$(CFLAGS_GCRY) -Wno-redundant-decls -Wno-sign-compare';
>    cppflags = '$(CPPFLAGS_GCRY)';
> diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c
> index d56b5b0bb..b6f8e3d1a 100644
> --- a/grub-core/commands/hashsum.c
> +++ b/grub-core/commands/hashsum.c
> @@ -73,7 +73,7 @@ hash_file (grub_file_t file, const gcry_md_spec_t *hash, 
> void *result)
>    if (!readbuf || !context)
>      goto fail;
>  
> -  hash->init (context);
> +  hash->init (context, 0);
>    while (1)
>      {
>        grub_ssize_t r;
> diff --git a/grub-core/commands/legacycfg.c b/grub-core/commands/legacycfg.c
> index e9e9d94ef..052bb110d 100644
> --- a/grub-core/commands/legacycfg.c
> +++ b/grub-core/commands/legacycfg.c
> @@ -625,7 +625,7 @@ check_password_md5_real (const char *entered,
>    if (!ctx)
>      return 0;
>  
> -  GRUB_MD_MD5->init (ctx);
> +  GRUB_MD_MD5->init (ctx, 0);
>    GRUB_MD_MD5->write (ctx, entered, enteredlen);
>    GRUB_MD_MD5->write (ctx, pw->salt + 3, pw->saltlen - 3);
>    GRUB_MD_MD5->write (ctx, entered, enteredlen);
> @@ -633,7 +633,7 @@ check_password_md5_real (const char *entered,
>    GRUB_MD_MD5->final (ctx);
>    grub_memcpy (alt_result, digest, MD5_HASHLEN);
>  
> -  GRUB_MD_MD5->init (ctx);
> +  GRUB_MD_MD5->init (ctx, 0);
>    GRUB_MD_MD5->write (ctx, entered, enteredlen);
>    GRUB_MD_MD5->write (ctx, pw->salt, pw->saltlen); /* include the $1$ header 
> */
>    for (i = enteredlen; i > 16; i -= 16)
> @@ -649,7 +649,7 @@ check_password_md5_real (const char *entered,
>      {
>        grub_memcpy (alt_result, digest, 16);
>  
> -      GRUB_MD_MD5->init (ctx);
> +      GRUB_MD_MD5->init (ctx, 0);
>        if ((i & 1) != 0)
>       GRUB_MD_MD5->write (ctx, entered, enteredlen);
>        else
> diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
> index c6766f044..22eca97ff 100644
> --- a/grub-core/commands/pgp.c
> +++ b/grub-core/commands/pgp.c
> @@ -136,41 +136,27 @@ struct signature_v4_header
>    grub_uint16_t hashed_sub;
>  } GRUB_PACKED;
>  
> -const char *hashes[] = {
> -  [0x01] = "md5",
> -  [0x02] = "sha1",
> -  [0x03] = "ripemd160",
> -  [0x08] = "sha256",
> -  [0x09] = "sha384",
> -  [0x0a] = "sha512",
> -  [0x0b] = "sha224"
> -};
> -
>  struct gcry_pk_spec *grub_crypto_pk_dsa;
>  struct gcry_pk_spec *grub_crypto_pk_ecdsa;
>  struct gcry_pk_spec *grub_crypto_pk_rsa;
>  
> -static int
> -dsa_pad (gcry_mpi_t *hmpi, grub_uint8_t *hval,
> -      const gcry_md_spec_t *hash, struct grub_public_subkey *sk);
> -static int
> -rsa_pad (gcry_mpi_t *hmpi, grub_uint8_t *hval,
> -      const gcry_md_spec_t *hash, struct grub_public_subkey *sk);
> -
>  struct
>  {
>    const char *name;
> +  const char *sigsexp;
>    grub_size_t nmpisig;
> +  const char *pubsexp;
>    grub_size_t nmpipub;
>    struct gcry_pk_spec **algo;
> -  int (*pad) (gcry_mpi_t *hmpi, grub_uint8_t *hval,
> -           const gcry_md_spec_t *hash, struct grub_public_subkey *sk);
> +  const char *padding;
>    const char *module;
>  } pkalgos[] =
>    {
> -    [1] = { "rsa", 1, 2, &grub_crypto_pk_rsa, rsa_pad, "gcry_rsa" },
> -    [3] = { "rsa", 1, 2, &grub_crypto_pk_rsa, rsa_pad, "gcry_rsa" },
> -    [17] = { "dsa", 2, 4, &grub_crypto_pk_dsa, dsa_pad, "gcry_dsa" },
> +    [1] = { "rsa", "(sig-val (rsa (s %M)))", 1, "(public-key (dsa (n %M) (e 
> %M)))", 2, &grub_crypto_pk_rsa, "pkcs1", "gcry_rsa" },
> +    [3] = { "rsa", "(sig-val (rsa (s %M)))", 1, "(public-key (dsa (n %M) (e 
> %M)))", 2, &grub_crypto_pk_rsa, "pkcs1", "gcry_rsa" },
> +    [17] = { "dsa", "(sig-val (dsa (r %M) (s %M)))", 2,
> +          "(public-key (dsa (p %M) (q %M) (g %M) (y %M)))",
> +          4, &grub_crypto_pk_dsa, "raw", "gcry_dsa" },
>    };
>  
>  struct grub_public_key
> @@ -196,7 +182,7 @@ free_pk (struct grub_public_key *pk)
>        grub_size_t i;
>        for (i = 0; i < ARRAY_SIZE (sk->mpis); i++)
>       if (sk->mpis[i])
> -       gcry_mpi_release (sk->mpis[i]);
> +       _gcry_mpi_release (sk->mpis[i]);
>        nsk = sk->next;
>        grub_free (sk);
>      }
> @@ -303,7 +289,7 @@ grub_load_public_key (grub_file_t f)
>       goto fail;
>  
>        grub_memset (fingerprint_context, 0, GRUB_MD_SHA1->contextsize);
> -      GRUB_MD_SHA1->init (fingerprint_context);
> +      GRUB_MD_SHA1->init (fingerprint_context, 0);
>        GRUB_MD_SHA1->write (fingerprint_context, "\x99", 1);
>        len_be = grub_cpu_to_be16 (len);
>        GRUB_MD_SHA1->write (fingerprint_context, &len_be, sizeof (len_be));
> @@ -336,7 +322,7 @@ grub_load_public_key (grub_file_t f)
>  
>         GRUB_MD_SHA1->write (fingerprint_context, buffer, lb + sizeof 
> (grub_uint16_t));
>  
> -       if (gcry_mpi_scan (&sk->mpis[i], GCRYMPI_FMT_PGP,
> +       if (_gcry_mpi_scan (&sk->mpis[i], GCRYMPI_FMT_PGP,
>                            buffer, lb + sizeof (grub_uint16_t), 0))
>           {
>             grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
> @@ -394,51 +380,6 @@ grub_crypto_pk_locate_subkey_in_trustdb (grub_uint64_t 
> keyid)
>    return 0;
>  }
>  
> -
> -static int
> -dsa_pad (gcry_mpi_t *hmpi, grub_uint8_t *hval,
> -      const gcry_md_spec_t *hash, struct grub_public_subkey *sk)
> -{
> -  unsigned nbits = gcry_mpi_get_nbits (sk->mpis[1]);
> -  grub_dprintf ("crypt", "must be %u bits got %d bits\n", nbits,
> -             (int)(8 * hash->mdlen));
> -  return gcry_mpi_scan (hmpi, GCRYMPI_FMT_USG, hval,
> -                     nbits / 8 < (unsigned) hash->mdlen ? nbits / 8
> -                     : (unsigned) hash->mdlen, 0);
> -}
> -
> -static int
> -rsa_pad (gcry_mpi_t *hmpi, grub_uint8_t *hval,
> -      const gcry_md_spec_t *hash, struct grub_public_subkey *sk)
> -{
> -  grub_size_t tlen, emlen, fflen;
> -  grub_uint8_t *em, *emptr;
> -  unsigned nbits = gcry_mpi_get_nbits (sk->mpis[0]);
> -  int ret;
> -  tlen = hash->mdlen + hash->asnlen;
> -  emlen = (nbits + 7) / 8;
> -  if (emlen < tlen + 11)
> -    return 1;
> -
> -  em = grub_malloc (emlen);
> -  if (!em)
> -    return 1;
> -
> -  em[0] = 0x00;
> -  em[1] = 0x01;
> -  fflen = emlen - tlen - 3;
> -  for (emptr = em + 2; emptr < em + 2 + fflen; emptr++)
> -    *emptr = 0xff;
> -  *emptr++ = 0x00;
> -  grub_memcpy (emptr, hash->asnoid, hash->asnlen);
> -  emptr += hash->asnlen;
> -  grub_memcpy (emptr, hval, hash->mdlen);
> -
> -  ret = gcry_mpi_scan (hmpi, GCRYMPI_FMT_USG, em, emlen, 0);
> -  grub_free (em);
> -  return ret;
> -}
> -
>  struct grub_pubkey_context
>  {
>    grub_file_t sig;
> @@ -483,15 +424,12 @@ grub_verify_signature_init (struct grub_pubkey_context 
> *ctxt, grub_file_t sig)
>    if (t != 0)
>      return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
>  
> -  if (h >= ARRAY_SIZE (hashes) || hashes[h] == NULL)
> -    return grub_error (GRUB_ERR_BAD_SIGNATURE, "unknown hash");
> -
>    if (pk >= ARRAY_SIZE (pkalgos) || pkalgos[pk].name == NULL)
>      return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad signature"));
>  
> -  ctxt->hash = grub_crypto_lookup_md_by_name (hashes[h]);
> +  ctxt->hash = grub_crypto_lookup_md_by_algo (h);
>    if (!ctxt->hash)
> -    return grub_error (GRUB_ERR_BAD_SIGNATURE, "hash `%s' not loaded", 
> hashes[h]);
> +    return grub_error (GRUB_ERR_BAD_SIGNATURE, "hash `%d' not loaded", h);
>  
>    grub_dprintf ("crypt", "alive\n");
>  
> @@ -499,7 +437,7 @@ grub_verify_signature_init (struct grub_pubkey_context 
> *ctxt, grub_file_t sig)
>    if (!ctxt->hash_context)
>      return grub_errno;
>  
> -  ctxt->hash->init (ctxt->hash_context);
> +  ctxt->hash->init (ctxt->hash_context, 0);
>    ctxt->sig = sig;
>  
>    return GRUB_ERR_NONE;
> @@ -528,7 +466,6 @@ grub_verify_signature_real (struct grub_pubkey_context 
> *ctxt,
>    grub_uint16_t unhashed_sub;
>    grub_ssize_t r;
>    grub_uint8_t hash_start[2];
> -  gcry_mpi_t hmpi;
>    grub_uint64_t keyid = 0;
>    struct grub_public_subkey *sk;
>  
> @@ -620,7 +557,7 @@ grub_verify_signature_real (struct grub_pubkey_context 
> *ctxt,
>        grub_memcpy (readbuf, &l, sizeof (l));
>        grub_dprintf ("crypt", "alive\n");
>  
> -      if (gcry_mpi_scan (&mpis[i], GCRYMPI_FMT_PGP,
> +      if (_gcry_mpi_scan (&mpis[i], GCRYMPI_FMT_PGP,
>                        readbuf, lb + sizeof (grub_uint16_t), 0))
>       goto fail;
>        grub_dprintf ("crypt", "alive\n");
> @@ -638,8 +575,6 @@ grub_verify_signature_real (struct grub_pubkey_context 
> *ctxt,
>        goto fail;
>      }
>  
> -  if (pkalgos[pk].pad (&hmpi, hval, ctxt->hash, sk))
> -    goto fail;
>    if (!*pkalgos[pk].algo)
>      {
>        grub_dl_load (pkalgos[pk].module);
> @@ -652,7 +587,24 @@ grub_verify_signature_real (struct grub_pubkey_context 
> *ctxt,
>                 pkalgos[pk].module);
>        goto fail;
>      }
> -  if ((*pkalgos[pk].algo)->verify (0, hmpi, mpis, sk->mpis, 0, 0))
> +
> +  gcry_sexp_t hsexp, pubkey, sig;
> +  grub_size_t errof;
> +
> +  if(_gcry_sexp_build(&hsexp, &errof, "(data (flags %s) (hash %s %b))", 
> pkalgos[pk].padding, ctxt->hash->name, ctxt->hash->mdlen, hval))
> +    goto fail;
> +
> +  if(_gcry_sexp_build(&pubkey, &errof, pkalgos[pk].pubsexp, sk->mpis[0], 
> sk->mpis[1], sk->mpis[2], sk->mpis[3]))
> +    goto fail;
> +
> +  if(_gcry_sexp_build(&sig, &errof, pkalgos[pk].sigsexp, mpis[0], mpis[1]))
> +    goto fail;
> +
> +  _gcry_sexp_dump(sig);
> +  _gcry_sexp_dump(hsexp);
> +  _gcry_sexp_dump(pubkey);
> +
> +  if ((*pkalgos[pk].algo)->verify (sig, hsexp, pubkey))
>      goto fail;
>  
>    grub_free (readbuf);
> diff --git a/grub-core/commands/xnu_uuid.c b/grub-core/commands/xnu_uuid.c
> index ae4b3a415..1406c43f5 100644
> --- a/grub-core/commands/xnu_uuid.c
> +++ b/grub-core/commands/xnu_uuid.c
> @@ -68,7 +68,7 @@ grub_cmd_xnu_uuid (grub_command_t cmd __attribute__ 
> ((unused)),
>    ctx = grub_zalloc (GRUB_MD_MD5->contextsize);
>    if (!ctx)
>      return grub_errno;
> -  GRUB_MD_MD5->init (ctx);
> +  GRUB_MD_MD5->init (ctx, 0);
>    GRUB_MD_MD5->write (ctx, hash_prefix, sizeof (hash_prefix));
>    GRUB_MD_MD5->write (ctx, &serial, sizeof (serial));
>    GRUB_MD_MD5->final (ctx);
> diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
> index 5e1eb2743..e52a7ebb5 100644
> --- a/grub-core/disk/cryptodisk.c
> +++ b/grub-core/disk/cryptodisk.c
> @@ -297,7 +297,7 @@ grub_cryptodisk_endecrypt (struct grub_cryptodisk *dev,
>             return GPG_ERR_OUT_OF_MEMORY;
>  
>           tmp = grub_cpu_to_le64 (sector << log_sector_size);
> -         dev->iv_hash->init (ctx);
> +         dev->iv_hash->init (ctx, 0);
>           dev->iv_hash->write (ctx, dev->iv_prefix, dev->iv_prefix_len);
>           dev->iv_hash->write (ctx, &tmp, sizeof (tmp));
>           dev->iv_hash->final (ctx);
> diff --git a/grub-core/io/gzio.c b/grub-core/io/gzio.c
> index cb7eb1fe3..fa9d942b2 100644
> --- a/grub-core/io/gzio.c
> +++ b/grub-core/io/gzio.c
> @@ -1201,7 +1201,7 @@ initialize_tables (grub_gzio_t gzio)
>    gzio->td = NULL;
>  
>    if (gzio->hcontext)
> -    gzio->hdesc->init(gzio->hcontext);
> +    gzio->hdesc->init(gzio->hcontext, 0);
>  }
>  
>  
> diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c
> index a7d442543..cea942308 100644
> --- a/grub-core/io/lzopio.c
> +++ b/grub-core/io/lzopio.c
> @@ -345,7 +345,7 @@ test_header (grub_file_t file)
>      if (! context)
>        return 0;
>  
> -    hcheck->init(context);
> +    hcheck->init(context, 0);
>  
>      /* MAGIC is not included in check calculation.  */
>      hcheck->write(context, &header.lzop_version, sizeof(header)- 
> LZOP_MAGIC_SIZE);
> diff --git a/grub-core/lib/adler32.c b/grub-core/lib/adler32.c
> index 43b68af62..f849ccee6 100644
> --- a/grub-core/lib/adler32.c
> +++ b/grub-core/lib/adler32.c
> @@ -29,10 +29,12 @@ struct adler32_context
>  };
>  
>  static void
> -adler32_init (void *context)
> +adler32_init (void *context, unsigned int flags)
>  {
>    struct adler32_context *ctx = context;
>  
> +  (void) flags;
> +
>    ctx->a = 1;
>    ctx->b = 0;
>  }
> @@ -81,13 +83,22 @@ adler32_read (void *context)
>  
>  static gcry_md_spec_t spec_adler32 =
>    {
> -    "ADLER32", 0, 0, 0, 4,
> -    adler32_init, adler32_write, adler32_final, adler32_read,
> -    sizeof (struct adler32_context),
> +    .algo = GCRY_MD_ADLER32,
> +    .flags = {.disabled = 0, .fips = 0},
> +    .name = "ADLER32",
> +    .asnoid = NULL,
> +    .asnlen = 0,
> +    .oids = NULL,
> +    .mdlen = 4,
> +    .init = adler32_init,
> +    .write = adler32_write,
> +    .final = adler32_final,
> +    .read = adler32_read,
> +    .contextsize = sizeof (struct adler32_context),
> +    .blocksize = 64,
>  #ifdef GRUB_UTIL
>      .modname = "adler32",
>  #endif
> -    .blocksize = 64
>    };
>  
>  
> diff --git a/grub-core/lib/crc64.c b/grub-core/lib/crc64.c
> index 4960f3f89..c231fa97c 100644
> --- a/grub-core/lib/crc64.c
> +++ b/grub-core/lib/crc64.c
> @@ -61,8 +61,10 @@ init_crc64_table (void)
>  }
>  
>  static void
> -crc64_init (void *context)
> +crc64_init (void *context, unsigned int flags)
>  {
> +  (void) flags;
> +
>    if (! crc64_table[1])
>      init_crc64_table ();
>    *(grub_uint64_t *) context = 0;
> @@ -97,10 +99,22 @@ crc64_final (void *context __attribute__ ((unused)))
>  
>  gcry_md_spec_t _gcry_digest_spec_crc64 =
>    {
> -    "CRC64", 0, 0, 0, 8,
> -    crc64_init, crc64_write, crc64_final, crc64_read,
> -    sizeof (grub_uint64_t),
> -    .blocksize = 64
> +    .algo = GCRY_MD_CRC64,
> +    .flags = {.disabled = 0, .fips = 0},
> +    .name = "CRC64",
> +    .asnoid = NULL,
> +    .asnlen = 0,
> +    .oids = NULL,
> +    .mdlen = 8,
> +    .init = crc64_init,
> +    .write = crc64_write,
> +    .final = crc64_final,
> +    .read = crc64_read,
> +    .contextsize = sizeof (grub_uint64_t),
> +    .blocksize = 64,
> +#ifdef GRUB_UTIL
> +    .modname = "crc64",
> +#endif
>    };
>  
>  GRUB_MOD_INIT(crc64)
> diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
> index 396f76410..dd60dd4ac 100644
> --- a/grub-core/lib/crypto.c
> +++ b/grub-core/lib/crypto.c
> @@ -37,6 +37,8 @@ struct grub_crypto_hmac_handle
>  static gcry_cipher_spec_t *grub_ciphers = NULL;
>  static gcry_md_spec_t *grub_digests = NULL;
>  
> +int _gcry_no_fips_mode_required = 1;
> +
>  void (*grub_crypto_autoload_hook) (const char *name) = NULL;
>  
>  /* Based on libgcrypt-1.4.4/src/misc.c.  */
> @@ -56,6 +58,17 @@ _gcry_burn_stack (int size)
>    grub_burn_stack (size);
>  }
>  
> +void
> +__gcry_burn_stack (unsigned int size)
> +{
> +  grub_burn_stack (size);
> +}
> +
> +void
> +__gcry_burn_stack_dummy (void)
> +{
> +}
> +
>  void __attribute__ ((noreturn))
>  _gcry_assert_failed (const char *expr, const char *file, int line,
>                    const char *func)
> @@ -64,6 +77,12 @@ _gcry_assert_failed (const char *expr, const char *file, 
> int line,
>    grub_fatal ("assertion %s at %s:%d (%s) failed\n", expr, file, line, func);
>  }
>  
> +void
> +_gcry_bug( const char *file, int line, const char *func )
> +{
> +    grub_fatal ("... this is a bug (%s:%d:%s)\n", file, line, func);
> +}
> +
>  
>  void _gcry_log_error (const char *fmt, ...)
>  {
> @@ -83,6 +102,36 @@ void _gcry_log_error (const char *fmt, ...)
>      }
>  }
>  
> +void _gcry_log_info (const char *fmt, ...)
> +{
> +  va_list args;
> +  const char *debug = grub_env_get ("debug");
> +
> +  if (! debug)
> +    return;
> +
> +  if (grub_strword (debug, "all") || grub_strword (debug, "gcrypt"))
> +    {
> +      grub_printf ("gcrypt info: ");
> +      va_start (args, fmt);
> +      grub_vprintf (fmt, args);
> +      va_end (args);
> +      grub_refresh ();
> +    }
> +}
> +
> +void
> +_gcry_fast_wipememory2 (void *ptr, int set, grub_size_t len)
> +{
> +  grub_memset(ptr, set, len);
> +}
> +
> +void
> +_gcry_fast_wipememory (void *ptr, grub_size_t len)
> +{
> +  grub_memset(ptr, 0, len);
> +}
> +
>  void
>  grub_cipher_register (gcry_cipher_spec_t *cipher)
>  {
> @@ -129,7 +178,7 @@ grub_crypto_hash (const gcry_md_spec_t *hash, void *out, 
> const void *in,
>  
>    if (hash->contextsize > sizeof (ctx))
>      grub_fatal ("Too large md context");
> -  hash->init (&ctx);
> +  hash->init (&ctx, 0);
>    hash->write (&ctx, in, inlen);
>    hash->final (&ctx);
>    grub_memcpy (out, hash->read (&ctx), hash->mdlen);
> @@ -153,6 +202,91 @@ grub_crypto_lookup_md_by_name (const char *name)
>      }
>  }
>  
> +const gcry_md_spec_t *
> +grub_crypto_lookup_md_by_oid (const char *oid)
> +{
> +  const gcry_md_spec_t *md;
> +
> +  if (!oid)
> +    return NULL;
> +
> +  if (grub_strncmp (oid, "oid.", 4) == 0 || grub_strncmp (oid, "OID.", 4) == 
> 0)
> +    oid += 4;
> +
> +
> +  for (md = grub_digests; md; md = md->next)
> +    {
> +      const gcry_md_oid_spec_t *oid_specs = md->oids;
> +      if (oid_specs)
> +        {
> +          for (int j = 0; oid_specs[j].oidstring; j++)
> +            if (grub_strcasecmp (oid, oid_specs[j].oidstring) == 0)
> +              return md;
> +        }
> +    }
> +
> +  return NULL;
> +}
> +
> +static const char *md_algos[] = {
> +    [1] = "MD5",
> +    [2] = "SHA1",
> +    [3] = "RIPEMD160",
> +    [6] = "TIGER",
> +    [8] = "SHA256",
> +    [9] = "SHA384",
> +    [10] = "SHA512",
> +    [11] = "SHA224",
> +
> +    [301] = "MD4",
> +    [302] = "CRC32",
> +    [303] = "CRC32RFC1510",
> +    [304] = "CRC24RFC2440",
> +    [305] = "WHIRLPOOL",
> +    [306] = "TIGER1",
> +    [307] = "TIGER2",
> +    [308] = "GOSTR3411_94",
> +    [309] = "STRIBOG256",
> +    [310] = "STRIBOG512",
> +    [311] = "GOSTR3411_CP",
> +    [312] = "SHA3-224",
> +    [313] = "SHA3-256",
> +    [314] = "SHA3-384",
> +    [315] = "SHA3-512",
> +    [316] = "SHAKE128",
> +    [317] = "SHAKE256",
> +    [318] = "BLAKE2B_512",
> +    [319] = "BLAKE2B_384",
> +    [320] = "BLAKE2B_256",
> +    [321] = "BLAKE2B_160",
> +    [322] = "BLAKE2S_256",
> +    [323] = "BLAKE2S_224",
> +    [324] = "BLAKE2S_160",
> +    [325] = "BLAKE2S_128",
> +    [326] = "SM3",
> +    [327] = "SHA512_256",
> +    [328] = "SHA512_224",
> +};
> +
> +
> +const gcry_md_spec_t *
> +grub_crypto_lookup_md_by_algo (int algo)
> +{
> +  const gcry_md_spec_t *md;
> +  int first = 1;
> +  while (1)
> +    {
> +      for (md = grub_digests; md; md = md->next)
> +     if (algo == md->algo)
> +       return md;
> +      if (grub_crypto_autoload_hook && first && algo > 0 && algo < 
> (int)ARRAY_SIZE(md_algos) && md_algos[algo]) {
> +     grub_crypto_autoload_hook (md_algos[algo]);
> +      } else
> +     return NULL;
> +      first = 0;
> +    }
> +}
> +
>  const gcry_cipher_spec_t *
>  grub_crypto_lookup_cipher_by_name (const char *name)
>  {
> @@ -196,7 +330,9 @@ grub_crypto_cipher_set_key (grub_crypto_cipher_handle_t 
> cipher,
>                           const unsigned char *key,
>                           unsigned keylen)
>  {
> -  return cipher->cipher->setkey (cipher->ctx, key, keylen);
> +  /* TODO: Fix this. It's ugly as hell.  */
> +  void *bulk_ops[100];
> +  return cipher->cipher->setkey (cipher->ctx, key, keylen, (void *) 
> bulk_ops);
>  }
>  
>  gcry_err_code_t
> @@ -343,7 +479,7 @@ grub_crypto_hmac_init (const struct gcry_md_spec *md,
>    grub_free (helpkey);
>    helpkey = NULL;
>  
> -  md->init (ctx);
> +  md->init (ctx, 0);
>  
>    md->write (ctx, ipad, md->blocksize); /* inner pad */
>    grub_memset (ipad, 0, md->blocksize);
> @@ -390,7 +526,7 @@ grub_crypto_hmac_fini (struct grub_crypto_hmac_handle 
> *hnd, void *out)
>    hnd->md->read (hnd->ctx);
>    p = hnd->md->read (hnd->ctx);
>  
> -  hnd->md->init (ctx2);
> +  hnd->md->init (ctx2, 0);
>    hnd->md->write (ctx2, hnd->opad, hnd->md->blocksize);
>    hnd->md->write (ctx2, p, hnd->md->mdlen);
>    hnd->md->final (ctx2);
> @@ -433,19 +569,106 @@ grub_crypto_gcry_error (gcry_err_code_t in)
>    return GRUB_ACCESS_DENIED;
>  }
>  
> +
> +/*
> + * Compare byte arrays of length LEN, return 1 if it's not same,
> + * 0, otherwise.
> + */
>  int
> -grub_crypto_memcmp (const void *a, const void *b, grub_size_t n)
> +grub_crypto_memcmp (const void *b1, const void *b2, grub_size_t len)
>  {
> -  register grub_size_t counter = 0;
> -  const grub_uint8_t *pa, *pb;
> +  const grub_uint8_t *a = b1;
> +  const grub_uint8_t *b = b2;
> +  int ab, ba;
> +  grub_size_t i;
>  
> -  for (pa = a, pb = b; n; pa++, pb++, n--)
> +  /* Constant-time compare. */
> +  for (i = 0, ab = 0, ba = 0; i < len; i++)
>      {
> -      if (*pa != *pb)
> -     counter++;
> +      /* If a[i] != b[i], either ab or ba will be negative. */
> +      ab |= a[i] - b[i];
> +      ba |= b[i] - a[i];
>      }
>  
> -  return !!counter;
> +  /* 'ab | ba' is negative when buffers are not equal, extract sign bit.  */
> +  return ((unsigned int)(ab | ba) >> (sizeof(unsigned int) * 8 - 1)) & 1;
> +}
> +
> +
> +void *
> +_gcry_malloc_secure (grub_size_t n)
> +{
> +  return grub_malloc(n);
> +}
> +
> +void *
> +_gcry_malloc (grub_size_t n)
> +{
> +  return grub_malloc(n);
> +}
> +
> +void *
> +_gcry_xmalloc(grub_size_t n)
> +{
> +  void *ret = grub_malloc(n);
> +  if (ret == NULL)
> +    grub_fatal("_gcry_xmalloc failed");
> +  return ret;
> +}
> +
> +void *
> +_gcry_xmalloc_secure(grub_size_t n)
> +{
> +  void *ret = grub_malloc(n);
> +  if (ret == NULL)
> +    grub_fatal("_gcry_xmalloc_secure failed");
> +  return ret;
> +}
> +
> +void _gcry_free (void *p)
> +{
> +  grub_free (p);
> +}
> +
> +void *
> +_gcry_xrealloc (void *a, grub_size_t n)
> +{
> +  void *ret = grub_realloc(a, n);
> +  if (ret == NULL)
> +    grub_fatal("_gcry_xrealloc failed");
> +  return ret;
> +}
> +
> +void *
> +_gcry_xcalloc (grub_size_t n, grub_size_t m)
> +{
> +  void *ret = grub_calloc(n, m);
> +  if (ret == NULL)
> +    grub_fatal("_gcry_xcalloc failed");
> +  return ret;
> +}
> +
> +void *
> +_gcry_xcalloc_secure (grub_size_t n, grub_size_t m)
> +{
> +  void *ret = grub_calloc(n, m);
> +  if (ret == NULL)
> +    grub_fatal("_gcry_xcalloc_secure failed");
> +  return ret;
> +}
> +
> +
> +int
> +_gcry_is_secure (const void *a)
> +{
> +  (void) a;
> +
> +  return 0;
> +}
> +
> +void _gcry_divide_by_zero (void)
> +{
> +  grub_fatal("gcrypt division by zero");
>  }
>  
>  #ifndef GRUB_UTIL
> diff --git a/grub-core/lib/libgcrypt-patches/01_md.patch 
> b/grub-core/lib/libgcrypt-patches/01_md.patch
> new file mode 100644
> index 000000000..dbb493dfc
> --- /dev/null
> +++ b/grub-core/lib/libgcrypt-patches/01_md.patch
> @@ -0,0 +1,207 @@
> +--- a/grub-core/lib/libgcrypt-grub/cipher/md.c 2024-05-21 01:22:04.222084773 
> +0300
> ++++ b/grub-core/lib/libgcrypt-grub/cipher/md.c 2024-05-21 01:22:07.368099961 
> +0300
> +@@ -20,11 +20,25 @@
> +  * You should have received a copy of the GNU Lesser General Public
> +  * License along with this program; if not, see 
> <http://www.gnu.org/licenses/>.
> +  */
> ++#include <config.h>
> ++#include <stdio.h>
> ++#include <stdlib.h>
> ++#include <string.h>
> ++#include <errno.h>
> + 
> + 
> + #include "g10lib.h"
> + #include "cipher.h"
> + 
> ++#define _gcry_md_selftest(a,b,c) 0
> ++typedef struct gcry_md_list
> ++{
> ++  const gcry_md_spec_t *spec;
> ++  struct gcry_md_list *next;
> ++  size_t actual_struct_size;     /* Allocated size of this structure. */
> ++  PROPERLY_ALIGNED_TYPE context[1];
> ++} GcryDigestEntry;
> ++
> + 
> + /* This is the list of the digest implementations included in
> +    libgcrypt.  */
> +@@ -53,7 +67,6 @@
> + static void md_close (gcry_md_hd_t a);
> + static void md_write (gcry_md_hd_t a, const void *inbuf, size_t inlen);
> + static byte *md_read( gcry_md_hd_t a, int algo );
> +-static int md_get_algo( gcry_md_hd_t a );
> + static int md_digest_length( int algo );
> + static void md_start_debug ( gcry_md_hd_t a, const char *suffix );
> + static void md_stop_debug ( gcry_md_hd_t a );
> +@@ -186,9 +199,6 @@
> + 
> +   if (! err)
> +     {
> +-      /* Hmmm, should we really do that? - yes [-wk] */
> +-      _gcry_fast_random_poll ();
> +-
> +       if (algo)
> +     {
> +       err = md_enable (hd, algo);
> +@@ -437,14 +447,6 @@
> + {
> +   GcryDigestEntry *r;
> + 
> +-  if (a->ctx->debug)
> +-    {
> +-      if (a->bufpos && fwrite (a->buf, a->bufpos, 1, a->ctx->debug) != 1)
> +-    BUG();
> +-      if (inlen && fwrite (inbuf, inlen, 1, a->ctx->debug) != 1)
> +-    BUG();
> +-    }
> +-
> +   for (r = a->ctx->list; r; r = r->next)
> +     {
> +       if (a->bufpos)
> +@@ -520,55 +522,6 @@
> + 
> + 
> + 
> +-static gcry_err_code_t
> +-md_customize (gcry_md_hd_t h, void *buffer, size_t buflen)
> +-{
> +-  gcry_err_code_t rc = 0;
> +-  GcryDigestEntry *r;
> +-  int algo_had_customize = 0;
> +-
> +-  if (!h->ctx->list)
> +-    return GPG_ERR_DIGEST_ALGO; /* Might happen if no algo is enabled.  */
> +-
> +-  for (r = h->ctx->list; r; r = r->next)
> +-    {
> +-      switch (r->spec->algo)
> +-        {
> +-        case GCRY_MD_CSHAKE128:
> +-        case GCRY_MD_CSHAKE256:
> +-          algo_had_customize = 1;
> +-          if (buflen != sizeof (struct gcry_cshake_customization))
> +-            rc = GPG_ERR_INV_ARG;
> +-          else
> +-            rc = _gcry_cshake_customize (r->context, buffer);
> +-          break;
> +-        default:
> +-          rc = GPG_ERR_DIGEST_ALGO;
> +-          break;
> +-        }
> +-
> +-      if (rc)
> +-        break;
> +-    }
> +-
> +-  if (rc && !algo_had_customize)
> +-    {
> +-      /* None of algorithms had customize implementation, so contexts were 
> not
> +-       * modified. Just return error. */
> +-      return rc;
> +-    }
> +-  else if (rc && algo_had_customize)
> +-    {
> +-      /* Some of the contexts have been modified, but got error. Reset
> +-       * all contexts. */
> +-      _gcry_md_reset (h);
> +-      return rc;
> +-    }
> +-
> +-  return 0;
> +-}
> +-
> +-
> + gcry_err_code_t
> + _gcry_md_ctl (gcry_md_hd_t hd, int cmd, void *buffer, size_t buflen)
> + {
> +@@ -587,9 +540,6 @@
> +     case GCRYCTL_STOP_DUMP:
> +       md_stop_debug ( hd );
> +       break;
> +-    case GCRYCTL_MD_CUSTOMIZE:
> +-      rc = md_customize (hd, buffer, buflen);
> +-      break;
> +     default:
> +       rc = GPG_ERR_INV_OP;
> +     }
> +@@ -695,6 +645,7 @@
> +       return;
> +     }
> + 
> ++#if 0
> +   if (spec->hash_buffers != NULL)
> +     {
> +       gcry_buffer_t iov;
> +@@ -711,6 +662,7 @@
> +       spec->hash_buffers (digest, spec->mdlen, &iov, 1);
> +     }
> +   else
> ++#endif
> +     {
> +       /* For the others we do not have a fast function, so we use the
> +          normal functions. */
> +@@ -746,7 +698,7 @@
> +    DIGESTLEN may also be the appropriate length or, in case of XOF
> +    algorithms, DIGESTLEN indicates number bytes to extract from XOF
> +    to DIGEST.  */
> +-#define _gcry_md_hash_buffers 0
> ++
> + 
> + /* Shortcut function to hash multiple buffers with a given algo.  In
> +    contrast to gcry_md_hash_buffer, this function returns an error on
> +@@ -762,7 +714,6 @@
> +    On success 0 is returned and resulting hash or HMAC is stored at
> +    DIGEST which must have been provided by the caller with an
> +    appropriate length.  */
> +-#define _gcry_md_hash_buffers 0
> + 
> + 
> + 
> +@@ -893,43 +844,15 @@
> + static void
> + md_start_debug ( gcry_md_hd_t md, const char *suffix )
> + {
> +-  static int idx=0;
> +-  char buf[50];
> +-
> +-  if (fips_mode ())
> +-    return;
> +-
> +-  if ( md->ctx->debug )
> +-    {
> +-      log_debug("Oops: md debug already started\n");
> +-      return;
> +-    }
> +-  idx++;
> +-  snprintf (buf, DIM(buf)-1, "dbgmd-%05d.%.10s", idx, suffix );
> +-  md->ctx->debug = fopen(buf, "w");
> +-  if ( !md->ctx->debug )
> +-    log_debug("md debug: can't open %s\n", buf );
> ++  (void) md;
> ++  (void) suffix;
> + }
> + 
> + 
> + static void
> + md_stop_debug( gcry_md_hd_t md )
> + {
> +-  if ( md->ctx->debug )
> +-    {
> +-      if ( md->bufpos )
> +-        md_write ( md, NULL, 0 );
> +-      fclose (md->ctx->debug);
> +-      md->ctx->debug = NULL;
> +-    }
> +-
> +-  {  /* a kludge to pull in the __muldi3 for Solaris */
> +-    volatile u32 a = (u32)(uintptr_t)md;
> +-    volatile u64 b = 42;
> +-    volatile u64 c;
> +-    c = a * b;
> +-    (void)c;
> +-  }
> ++  (void) md;
> + }
> + 
> + 
> diff --git a/grub-core/lib/libgcrypt-patches/03_disable_rsa_shake.patch 
> b/grub-core/lib/libgcrypt-patches/03_disable_rsa_shake.patch
> new file mode 100644
> index 000000000..cf43f0451
> --- /dev/null
> +++ b/grub-core/lib/libgcrypt-patches/03_disable_rsa_shake.patch
> @@ -0,0 +1,34 @@
> +--- a/grub-core/lib/libgcrypt-grub/cipher/rsa-common.c       2024-09-08 
> 18:08:47.095956852 +0300
> ++++ b/grub-core/lib/libgcrypt-grub/cipher/rsa-common.c       2024-09-08 
> 18:10:23.849959591 +0300
> +@@ -912,6 +912,7 @@
> +   memcpy (p, salt, saltlen);
> + 
> +   /* Step 9: dbmask = MGF(H, emlen - hlen - 1).  */
> ++#if 0 // Not supported yet
> +   if (algo == GCRY_MD_SHAKE128 || algo == GCRY_MD_SHAKE256)
> +     {
> +       gcry_buffer_t iov;
> +@@ -925,6 +926,7 @@
> +                                      &iov, 1);
> +     }
> +   else
> ++#endif
> +     mgf1 (dbmask, emlen - hlen - 1, h, hlen, algo);
> + 
> +   /* Step 10: maskedDB = DB ^ dbMask */
> +@@ -1086,6 +1088,7 @@
> +     }
> + 
> +   /* Step 7: dbmask = MGF(H, emlen - hlen - 1).  */
> ++#if 0 // Not supported yet
> +   if (algo == GCRY_MD_SHAKE128 || algo == GCRY_MD_SHAKE256)
> +     {
> +       gcry_buffer_t iov;
> +@@ -1099,6 +1102,7 @@
> +                                      &iov, 1);
> +     }
> +   else
> ++#endif
> +     mgf1 (dbmask, emlen - hlen - 1, h, hlen, algo);
> + 
> +   /* Step 8: maskedDB = DB ^ dbMask.  */
> diff --git a/grub-core/lib/libgcrypt-patches/04_aria_static.patch 
> b/grub-core/lib/libgcrypt-patches/04_aria_static.patch
> new file mode 100644
> index 000000000..bca7e8062
> --- /dev/null
> +++ b/grub-core/lib/libgcrypt-patches/04_aria_static.patch
> @@ -0,0 +1,22 @@
> +Mark aria_encrypt and aria_decrypt as static
> +
> +--- a/grub-core/lib/libgcrypt-grub/cipher/aria.c     2024-09-08 
> 18:20:57.926977479 +0300
> ++++ b/grub-core/lib/libgcrypt-grub/cipher/aria.c     2024-09-08 
> 18:21:09.731977812 +0300
> +@@ -1013,7 +1013,7 @@
> +   return 4 * sizeof(void *) + 4 * sizeof(u32); /* stack burn depth */
> + }
> + 
> +-unsigned int
> ++static unsigned int
> + aria_encrypt(void *c, byte *outbuf, const byte *inbuf)
> + {
> +   ARIA_context *ctx = (ARIA_context *)c;
> +@@ -1023,7 +1023,7 @@
> +   return aria_crypt (ctx, outbuf, inbuf, ctx->enc_key);
> + }
> + 
> +-unsigned int
> ++static unsigned int
> + aria_decrypt(void *c, byte *outbuf, const byte *inbuf)
> + {
> +   ARIA_context *ctx = (ARIA_context *)c;
> diff --git a/grub-core/lib/libgcrypt/src/gcrypt-int.h 
> b/grub-core/lib/libgcrypt/src/gcrypt-int.h
> index 1b4492818..701081680 100644
> --- a/grub-core/lib/libgcrypt/src/gcrypt-int.h
> +++ b/grub-core/lib/libgcrypt/src/gcrypt-int.h
> @@ -297,57 +297,6 @@ void _gcry_set_log_handler (gcry_handler_log_t f, void 
> *opaque);
>  void _gcry_set_gettext_handler (const char *(*f)(const char*));
>  void _gcry_set_progress_handler (gcry_handler_progress_t cb, void *cb_data);
>  
> -
> -/* Return a pointer to a string containing a description of the error
> -   code in the error value ERR.  */
> -static inline const char *
> -_gcry_strerror (gcry_error_t err)
> -{
> -  return gpg_strerror (err);
> -}
> -
> -/* Return a pointer to a string containing a description of the error
> -   source in the error value ERR.  */
> -static inline const char *
> -_gcry_strsource (gcry_error_t err)
> -{
> -  return gpg_strsource (err);
> -}
> -
> -/* Retrieve the error code for the system error ERR.  This returns
> -   GPG_ERR_UNKNOWN_ERRNO if the system error is not mapped (report
> -   this).  */
> -static inline gcry_err_code_t
> -_gcry_err_code_from_errno (int err)
> -{
> -  return gpg_err_code_from_errno (err);
> -}
> -
> -/* Retrieve the system error for the error code CODE.  This returns 0
> -   if CODE is not a system error code.  */
> -static inline int
> -_gcry_err_code_to_errno (gcry_err_code_t code)
> -{
> -  return gpg_err_code_to_errno (code);
> -}
> -
> -/* Return an error value with the error source SOURCE and the system
> -   error ERR.  */
> -static inline gcry_error_t
> -_gcry_err_make_from_errno (gpg_err_source_t source, int err)
> -{
> -  return gpg_err_make_from_errno (source, err);
> -}
> -
> -
> -/* Return an error value with the system error ERR.  */
> -static inline gcry_error_t
> -_gcry_error_from_errno (int err)
> -{
> -  return gpg_error (gpg_err_code_from_errno (err));
> -}
> -
> -
>  
>  gpg_err_code_t _gcry_sexp_new (gcry_sexp_t *retsexp,
>                                 const void *buffer, size_t length,
> diff --git a/grub-core/lib/libgcrypt_wrap/cipher_wrap.h 
> b/grub-core/lib/libgcrypt_wrap/cipher_wrap.h
> index 42835493d..08efb30b3 100644
> --- a/grub-core/lib/libgcrypt_wrap/cipher_wrap.h
> +++ b/grub-core/lib/libgcrypt_wrap/cipher_wrap.h
> @@ -19,6 +19,8 @@
>  #ifndef GRUB_GCRY_WRAP_HEADER
>  #define GRUB_GCRY_WRAP_HEADER 1
>  
> +#define USE_SHA512 1
> +
>  #include <grub/types.h>
>  #include <grub/mm.h>
>  #include <grub/misc.h>
> @@ -35,10 +37,9 @@
>  #undef __GNU_LIBRARY__
>  #define __GNU_LIBRARY__ 1
>  
> +#define UINT64_C(c) (c ## ULL)
>  #define U64_C(c) (c ## ULL)

I think the define of U64_C above needs to be removed. As is, I get
this error when building the x86_64-efi target:

/home/g10/grub-tests-uml.libgcrypt/grub/grub-core/lib/libgcrypt-grub/src/types.h:106:
 error: "U64_C" redefined [-Werror]
  106 | #  define U64_C(c) (UINT64_C(c))
      |
/home/g10/grub-tests-uml.libgcrypt/grub/grub-core/lib/libgcrypt_wrap/cipher_wrap.h:41:
 note: this is the location of the previous definition
   41 | #define U64_C(c) (c ## ULL)
      |

After removing the line the build succeeded. I've run the test suite on an
x86_64-efi build with this change and these changes don't appear to cause
any failures (LUKS1/2, cryptomount, and sha1sum tests pass). I've yet to
test this live though.

Glenn

>  
> -#define PUBKEY_FLAG_NO_BLINDING    (1 << 0)
> -
>  #define CIPHER_INFO_NO_WEAK_KEY    1
>  
>  #define HAVE_U64_TYPEDEF 1
> @@ -74,4 +75,12 @@ _gcry_fips_mode (void)
>  
>  #define gcry_mpi_mod _gcry_mpi_mod
>  
> +#define strtol grub_strtol
> +#define strtoul grub_strtoul
> +#define atoi(nptr) (strtol((nptr), NULL, 10))
> +
> +#define stpcpy grub_stpcpy
> +
> +#define spec_from_algo grub_crypto_lookup_md_by_algo
> +
>  #endif
> diff --git a/grub-core/lib/libgcrypt_wrap/mem.c 
> b/grub-core/lib/libgcrypt_wrap/mem.c
> index 74c6eafe5..e947dc998 100644
> --- a/grub-core/lib/libgcrypt_wrap/mem.c
> +++ b/grub-core/lib/libgcrypt_wrap/mem.c
> @@ -46,6 +46,15 @@ gcry_xcalloc (size_t n, size_t m)
>    return ret;
>  }
>  
> +void *
> +_gcry_calloc (size_t n, size_t m)
> +{
> +  size_t sz;
> +  if (grub_mul (n, m, &sz))
> +    return NULL;
> +  return grub_zalloc (sz);
> +}
> +
>  void *
>  gcry_xmalloc_secure (size_t n)
>  {
> @@ -69,6 +78,15 @@ gcry_xcalloc_secure (size_t n, size_t m)
>    return ret;
>  }
>  
> +void *
> +_gcry_calloc_secure (size_t n, size_t m)
> +{
> +  size_t sz;
> +  if (grub_mul (n, m, &sz))
> +    return NULL;
> +  return grub_zalloc (sz);
> +}
> +
>  void *
>  gcry_xmalloc (size_t n)
>  {
> @@ -89,10 +107,10 @@ gcry_xrealloc (void *a, size_t n)
>    return ret;
>  }
>  
> -void
> -_gcry_check_heap (const void *a __attribute__ ((unused)))
> +void *
> +_gcry_realloc (void *a, size_t n)
>  {
> -
> +  return grub_realloc (a, n);
>  }
>  
>  void _gcry_log_printf (const char *fmt, ...)
> @@ -113,6 +131,24 @@ void _gcry_log_printf (const char *fmt, ...)
>      }
>  }
>  
> +void _gcry_log_debug (const char *fmt, ...)
> +{
> +  va_list args;
> +  const char *debug = grub_env_get ("debug");
> +
> +  if (! debug)
> +    return;
> +
> +  if (grub_strword (debug, "all") || grub_strword (debug, "gcrypt"))
> +    {
> +      grub_printf ("gcrypt: ");
> +      va_start (args, fmt);
> +      grub_vprintf (fmt, args);
> +      va_end (args);
> +      grub_refresh ();
> +    }
> +}
> +
>  void _gcry_log_bug (const char *fmt, ...)
>  {
>    va_list args;
> @@ -126,9 +162,9 @@ void _gcry_log_bug (const char *fmt, ...)
>  }
>  
>  gcry_err_code_t
> -gpg_error_from_syserror (void)
> +gpg_err_code_from_errno (int err)
>  {
> -  switch (grub_errno)
> +  switch (err)
>      {
>      case GRUB_ERR_NONE:
>        return GPG_ERR_NO_ERROR;
> @@ -138,3 +174,40 @@ gpg_error_from_syserror (void)
>        return GPG_ERR_GENERAL;
>      }
>  }
> +
> +gcry_err_code_t
> +gpg_error_from_syserror (void)
> +{
> +  return gpg_err_code_from_errno(grub_errno);
> +}
> +
> +gcry_err_code_t
> +gpg_err_code_from_syserror (void)
> +{
> +  return gpg_error_from_syserror ();
> +}
> +
> +void _gcry_fatal_error(int rc, const char *text )
> +{
> +  grub_fatal("gcry fatal %d: %s", rc, text);
> +}
> +
> +
> +void _gcry_randomize (void *buffer __attribute__((unused)), size_t length 
> __attribute__((unused)),
> +                      enum gcry_random_level level __attribute__((unused)))
> +{
> +  grub_fatal("Attempt to get secure random numbers");
> +}
> +
> +
> +void *_gcry_random_bytes_secure (size_t nbytes __attribute__((unused)), enum 
> gcry_random_level level __attribute__((unused)))
> +{
> +  grub_fatal("Attempt to get secure random numbers");
> +}
> +
> +const char *gpg_strerror (gpg_error_t err)
> +{
> +  static char buf[256];
> +  grub_snprintf(buf, sizeof(buf) - 5, "gpg error %d\n", err);
> +  return buf;
> +}
> diff --git a/grub-core/lib/posix_wrap/sys/types.h 
> b/grub-core/lib/posix_wrap/sys/types.h
> index eeda543c4..9f7e22531 100644
> --- a/grub-core/lib/posix_wrap/sys/types.h
> +++ b/grub-core/lib/posix_wrap/sys/types.h
> @@ -39,12 +39,16 @@ typedef grub_int32_t int32_t;
>  typedef grub_int64_t int64_t;
>  
>  #define HAVE_U64_TYPEDEF 1
> +#define HAVE_TYPE_U64 1
>  typedef grub_uint64_t u64;
>  #define HAVE_U32_TYPEDEF 1
> +#define HAVE_TYPE_U32 1
>  typedef grub_uint32_t u32;
>  #define HAVE_U16_TYPEDEF 1
> +#define HAVE_TYPE_U16 1
>  typedef grub_uint16_t u16;
>  #define HAVE_BYTE_TYPEDEF 1
> +#define HAVE_TYPE_BYTE 1
>  typedef grub_uint8_t byte;
>  
>  typedef grub_addr_t uintptr_t;
> diff --git a/grub-core/lib/xzembed/xz_dec_stream.c 
> b/grub-core/lib/xzembed/xz_dec_stream.c
> index 832d8af9a..f2dd42dc2 100644
> --- a/grub-core/lib/xzembed/xz_dec_stream.c
> +++ b/grub-core/lib/xzembed/xz_dec_stream.c
> @@ -425,9 +425,9 @@ static enum xz_ret hash_validate(struct xz_dec *s, struct 
> xz_buf *b,
>  
>  #ifndef GRUB_EMBED_DECOMPRESSOR
>       if (s->hash)
> -             s->hash->init(s->hash_context);
> +             s->hash->init(s->hash_context, 0);
>       if (s->crc32)
> -             s->crc32->init(s->crc32_context);
> +             s->crc32->init(s->crc32_context, 0);
>  #endif
>       s->have_hash_value = 0;
>       s->pos = 0;
> @@ -493,7 +493,7 @@ static enum xz_ret dec_stream_header(struct xz_dec *s)
>               s->crc32_context = kmalloc(s->crc32->contextsize, GFP_KERNEL);
>               if (s->crc32_context == NULL)
>                       return XZ_MEMLIMIT_ERROR;
> -             s->crc32->init(s->crc32_context);
> +             s->crc32->init(s->crc32_context, 0);
>       }
>  #endif
>  
> @@ -531,9 +531,9 @@ static enum xz_ret dec_stream_header(struct xz_dec *s)
>                               return XZ_MEMLIMIT_ERROR;
>                       }
>  
> -                     s->hash->init(s->hash_context);
> -                     s->hash->init(s->index.hash.hash_context);
> -                     s->hash->init(s->block.hash.hash_context);
> +                     s->hash->init(s->hash_context, 0);
> +                     s->hash->init(s->index.hash.hash_context, 0);
> +                     s->hash->init(s->block.hash.hash_context, 0);
>               }
>  #endif
>       }
> @@ -1014,9 +1014,9 @@ void xz_dec_reset(struct xz_dec *s)
>  #ifndef GRUB_EMBED_DECOMPRESSOR
>       if (s->hash)
>       {
> -             s->hash->init(s->hash_context);
> -             s->hash->init(s->index.hash.hash_context);
> -             s->hash->init(s->block.hash.hash_context);
> +             s->hash->init(s->hash_context, 0);
> +             s->hash->init(s->index.hash.hash_context, 0);
> +             s->hash->init(s->block.hash.hash_context, 0);
>       }
>  #endif
>       s->have_hash_value = 0;
> diff --git a/include/grub/crypto.h b/include/grub/crypto.h
> index 31c87c302..c0b42a735 100644
> --- a/include/grub/crypto.h
> +++ b/include/grub/crypto.h
> @@ -65,7 +65,33 @@ typedef enum
>      GPG_ERR_WRONG_PUBKEY_ALGO,
>      GPG_ERR_OUT_OF_MEMORY,
>      GPG_ERR_TOO_LARGE,
> -    GPG_ERR_ENOMEM
> +    GPG_ERR_ENOMEM,
> +    GPG_ERR_CHECKSUM,
> +    GPG_ERR_INV_LENGTH,
> +    GPG_ERR_VALUE_NOT_FOUND,
> +    GPG_ERR_ERANGE,
> +    GPG_ERR_INV_DATA,
> +    GPG_ERR_ENCODING_PROBLEM,
> +    GPG_ERR_BUFFER_TOO_SHORT,
> +    GPG_ERR_SYNTAX,
> +    GPG_ERR_SEXP_INV_LEN_SPEC,
> +    GPG_ERR_SEXP_UNMATCHED_DH,
> +    GPG_ERR_SEXP_UNMATCHED_PAREN,
> +    GPG_ERR_SEXP_ZERO_PREFIX,
> +    GPG_ERR_SEXP_NESTED_DH,
> +    GPG_ERR_SEXP_UNEXPECTED_PUNC,
> +    GPG_ERR_SEXP_BAD_CHARACTER,
> +    GPG_ERR_SEXP_NOT_CANONICAL,
> +    GPG_ERR_SEXP_STRING_TOO_LONG,
> +    GPG_ERR_SEXP_BAD_QUOTATION,
> +    GPG_ERR_SEXP_ODD_HEX_NUMBERS,
> +    GPG_ERR_SEXP_BAD_HEX_CHAR,
> +    GPG_ERR_LIMIT_REACHED,
> +    GPG_ERR_EOF,
> +    GPG_ERR_BAD_DATA,
> +    GPG_ERR_EINVAL,
> +    GPG_ERR_INV_STATE,
> +    GPG_ERR_UNKNOWN_ALGORITHM,
>    } gpg_err_code_t;
>  typedef gpg_err_code_t gpg_error_t;
>  typedef gpg_error_t gcry_error_t;
> @@ -84,37 +110,60 @@ enum gcry_cipher_modes
>    };
>  #endif
>  
> +/* Extra algo IDs not coming from gcrypt.  */
> +#define GCRY_MD_ADLER32 10301
> +#define GCRY_MD_CRC64 10302
> +
>  /* Don't rely on this. Check!  */
>  #define GRUB_CRYPTO_MAX_MDLEN 64
>  #define GRUB_CRYPTO_MAX_CIPHER_BLOCKSIZE 16
>  #define GRUB_CRYPTO_MAX_MD_CONTEXT_SIZE 256
>  
>  /* Type for the cipher_setkey function.  */
> +struct cipher_bulk_ops;
> +
>  typedef gcry_err_code_t (*gcry_cipher_setkey_t) (void *c,
>                                                const unsigned char *key,
> -                                              unsigned keylen);
> +                                              unsigned keylen,
> +                                              struct cipher_bulk_ops 
> *bulk_ops);
>  
>  /* Type for the cipher_encrypt function.  */
> -typedef void (*gcry_cipher_encrypt_t) (void *c,
> -                                    unsigned char *outbuf,
> -                                    const unsigned char *inbuf);
> +typedef unsigned int (*gcry_cipher_encrypt_t) (void *c,
> +                                            unsigned char *outbuf,
> +                                            const unsigned char *inbuf);
>  
>  /* Type for the cipher_decrypt function.  */
> -typedef void (*gcry_cipher_decrypt_t) (void *c,
> -                                    unsigned char *outbuf,
> -                                    const unsigned char *inbuf);
> +typedef unsigned int (*gcry_cipher_decrypt_t) (void *c,
> +                                            unsigned char *outbuf,
> +                                            const unsigned char *inbuf);
>  
>  /* Type for the cipher_stencrypt function.  */
>  typedef void (*gcry_cipher_stencrypt_t) (void *c,
>                                        unsigned char *outbuf,
>                                        const unsigned char *inbuf,
> -                                      unsigned int n);
> +                                      grub_size_t n);
>  
>  /* Type for the cipher_stdecrypt function.  */
>  typedef void (*gcry_cipher_stdecrypt_t) (void *c,
>                                        unsigned char *outbuf,
>                                        const unsigned char *inbuf,
> -                                      unsigned int n);
> +                                      grub_size_t n);
> +
> +typedef void (*selftest_report_func_t)(const char *domain,
> +                                       int algo,
> +                                       const char *what,
> +                                       const char *errdesc);
> +
> +/* The type used to convey additional information to a cipher.  */
> +typedef gpg_err_code_t (*gcry_cipher_set_extra_info_t)
> +     (void *c, int what, const void *buffer, grub_size_t buflen);
> +
> +/* The type used to set an IV directly in the algorithm module.  */
> +typedef void (*gcry_cipher_setiv_func_t)(void *c, const grub_uint8_t *iv, 
> grub_size_t ivlen);
> +
> +/* Definition of the selftest functions.  */
> +typedef gpg_err_code_t (*gcry_selftest_func_t)
> +     (int algo, int extended, selftest_report_func_t report);
>  
>  typedef struct gcry_cipher_oid_spec
>  {
> @@ -125,9 +174,14 @@ typedef struct gcry_cipher_oid_spec
>  /* Module specification structure for ciphers.  */
>  typedef struct gcry_cipher_spec
>  {
> +  int algo;
> +  struct {
> +    unsigned int disabled:1;
> +    unsigned int fips:1;
> +  } flags;
>    const char *name;
>    const char **aliases;
> -  gcry_cipher_oid_spec_t *oids;
> +  const gcry_cipher_oid_spec_t *oids;
>    grub_size_t blocksize;
>    grub_size_t keylen;
>    grub_size_t contextsize;
> @@ -136,6 +190,10 @@ typedef struct gcry_cipher_spec
>    gcry_cipher_decrypt_t decrypt;
>    gcry_cipher_stencrypt_t stencrypt;
>    gcry_cipher_stdecrypt_t stdecrypt;
> +  gcry_selftest_func_t selftest;
> +  gcry_cipher_set_extra_info_t set_extra_info;
> +  gcry_cipher_setiv_func_t setiv;
> +
>  #ifdef GRUB_UTIL
>    const char *modname;
>  #endif
> @@ -143,7 +201,7 @@ typedef struct gcry_cipher_spec
>  } gcry_cipher_spec_t;
>  
>  /* Type for the md_init function.  */
> -typedef void (*gcry_md_init_t) (void *c);
> +typedef void (*gcry_md_init_t) (void *c, unsigned int flags);
>  
>  /* Type for the md_write function.  */
>  typedef void (*gcry_md_write_t) (void *c, const void *buf, grub_size_t 
> nbytes);
> @@ -162,16 +220,24 @@ typedef struct gcry_md_oid_spec
>  /* Module specification structure for message digests.  */
>  typedef struct gcry_md_spec
>  {
> +  int algo;
> +  struct {
> +    unsigned int disabled:1;
> +    unsigned int fips:1;
> +  } flags;
>    const char *name;
> -  unsigned char *asnoid;
> +  const unsigned char *asnoid;
>    int asnlen;
> -  gcry_md_oid_spec_t *oids;
> +  const gcry_md_oid_spec_t *oids;
>    grub_size_t mdlen;
>    gcry_md_init_t init;
>    gcry_md_write_t write;
>    gcry_md_final_t final;
>    gcry_md_read_t read;
> +  void *extract;
> +  void *hash_buffers;
>    grub_size_t contextsize; /* allocate this amount of context */
> +
>    /* Block size, needed for HMAC.  */
>    grub_size_t blocksize;
>  #ifdef GRUB_UTIL
> @@ -180,54 +246,123 @@ typedef struct gcry_md_spec
>    struct gcry_md_spec *next;
>  } gcry_md_spec_t;
>  
> +typedef struct gcry_md_handle*gcry_md_hd_t;
> +
>  struct gcry_mpi;
>  typedef struct gcry_mpi *gcry_mpi_t;
>  
> +struct gcry_sexp;
> +typedef struct gcry_sexp *gcry_sexp_t;
> +
> +
> +#define PUBKEY_FLAG_NO_BLINDING    (1 << 0)
> +#define PUBKEY_FLAG_RFC6979        (1 << 1)
> +#define PUBKEY_FLAG_FIXEDLEN       (1 << 2)
> +#define PUBKEY_FLAG_LEGACYRESULT   (1 << 3)
> +#define PUBKEY_FLAG_RAW_FLAG       (1 << 4)
> +#define PUBKEY_FLAG_TRANSIENT_KEY  (1 << 5)
> +#define PUBKEY_FLAG_USE_X931       (1 << 6)
> +#define PUBKEY_FLAG_USE_FIPS186    (1 << 7)
> +#define PUBKEY_FLAG_USE_FIPS186_2  (1 << 8)
> +#define PUBKEY_FLAG_PARAM          (1 << 9)
> +#define PUBKEY_FLAG_COMP           (1 << 10)
> +#define PUBKEY_FLAG_NOCOMP         (1 << 11)
> +#define PUBKEY_FLAG_EDDSA          (1 << 12)
> +#define PUBKEY_FLAG_GOST           (1 << 13)
> +#define PUBKEY_FLAG_NO_KEYTEST     (1 << 14)
> +#define PUBKEY_FLAG_DJB_TWEAK      (1 << 15)
> +#define PUBKEY_FLAG_SM2            (1 << 16)
> +#define PUBKEY_FLAG_PREHASH        (1 << 17)
> +
> +enum pk_operation
> +  {
> +    PUBKEY_OP_ENCRYPT,
> +    PUBKEY_OP_DECRYPT,
> +    PUBKEY_OP_SIGN,
> +    PUBKEY_OP_VERIFY
> +  };
> +
> +enum pk_encoding
> +  {
> +    PUBKEY_ENC_RAW,
> +    PUBKEY_ENC_PKCS1,
> +    PUBKEY_ENC_PKCS1_RAW,
> +    PUBKEY_ENC_OAEP,
> +    PUBKEY_ENC_PSS,
> +    PUBKEY_ENC_UNKNOWN
> +  };
> +
> +struct pk_encoding_ctx
> +{
> +  enum pk_operation op;
> +  unsigned int nbits;
> +
> +  enum pk_encoding encoding;
> +  int flags;
> +
> +  int hash_algo;
> +
> +  /* for OAEP */
> +  unsigned char *label;
> +  grub_size_t labellen;
> +
> +  /* for PSS */
> +  grub_size_t saltlen;
> +
> +  int (* verify_cmp) (void *opaque, gcry_mpi_t tmp);
> +  void *verify_arg;
> +};
> +
>  /* Type for the pk_generate function.  */
> -typedef gcry_err_code_t (*gcry_pk_generate_t) (int algo,
> -                                            unsigned int nbits,
> -                                            unsigned long use_e,
> -                                            gcry_mpi_t *skey,
> -                                            gcry_mpi_t **retfactors);
> +typedef gcry_err_code_t (*gcry_pk_generate_t) (gcry_sexp_t genparms,
> +                                               gcry_sexp_t *r_skey);
>  
>  /* Type for the pk_check_secret_key function.  */
> -typedef gcry_err_code_t (*gcry_pk_check_secret_key_t) (int algo,
> -                                                    gcry_mpi_t *skey);
> +typedef gcry_err_code_t (*gcry_pk_check_secret_key_t) (gcry_sexp_t keyparms);
>  
>  /* Type for the pk_encrypt function.  */
> -typedef gcry_err_code_t (*gcry_pk_encrypt_t) (int algo,
> -                                           gcry_mpi_t *resarr,
> -                                           gcry_mpi_t data,
> -                                           gcry_mpi_t *pkey,
> -                                           int flags);
> +typedef gcry_err_code_t (*gcry_pk_encrypt_t) (gcry_sexp_t *r_ciph,
> +                                              gcry_sexp_t s_data,
> +                                              gcry_sexp_t keyparms);
>  
>  /* Type for the pk_decrypt function.  */
> -typedef gcry_err_code_t (*gcry_pk_decrypt_t) (int algo,
> -                                           gcry_mpi_t *result,
> -                                           gcry_mpi_t *data,
> -                                           gcry_mpi_t *skey,
> -                                           int flags);
> +typedef gcry_err_code_t (*gcry_pk_decrypt_t) (gcry_sexp_t *r_plain,
> +                                              gcry_sexp_t s_data,
> +                                              gcry_sexp_t keyparms);
>  
>  /* Type for the pk_sign function.  */
> -typedef gcry_err_code_t (*gcry_pk_sign_t) (int algo,
> -                                        gcry_mpi_t *resarr,
> -                                        gcry_mpi_t data,
> -                                        gcry_mpi_t *skey);
> +typedef gcry_err_code_t (*gcry_pk_sign_t) (gcry_sexp_t *r_sig,
> +                                           gcry_sexp_t s_data,
> +                                           gcry_sexp_t keyparms);
>  
>  /* Type for the pk_verify function.  */
> -typedef gcry_err_code_t (*gcry_pk_verify_t) (int algo,
> -                                          gcry_mpi_t hash,
> -                                          gcry_mpi_t *data,
> -                                          gcry_mpi_t *pkey,
> -                                          int (*cmp) (void *, gcry_mpi_t),
> -                                          void *opaquev);
> +typedef gcry_err_code_t (*gcry_pk_verify_t) (gcry_sexp_t s_sig,
> +                                             gcry_sexp_t s_data,
> +                                             gcry_sexp_t keyparms);
>  
>  /* Type for the pk_get_nbits function.  */
> -typedef unsigned (*gcry_pk_get_nbits_t) (int algo, gcry_mpi_t *pkey);
> +typedef unsigned (*gcry_pk_get_nbits_t) (gcry_sexp_t keyparms);
> +
> +/* The type used to compute the keygrip.  */
> +typedef gpg_err_code_t (*pk_comp_keygrip_t) (gcry_md_hd_t md,
> +                                             gcry_sexp_t keyparm);
> +
> +/* The type used to query an ECC curve name.  */
> +typedef const char *(*pk_get_curve_t)(gcry_sexp_t keyparms, int iterator,
> +                                      unsigned int *r_nbits);
> +
> +/* The type used to query ECC curve parameters by name.  */
> +typedef gcry_sexp_t (*pk_get_curve_param_t)(const char *name);
>  
>  /* Module specification structure for message digests.  */
>  typedef struct gcry_pk_spec
>  {
> +  int algo;
> +  struct {
> +    unsigned int disabled:1;
> +    unsigned int fips:1;
> +  } flags;
> +  int use;
>    const char *name;
>    const char **aliases;
>    const char *elements_pkey;
> @@ -235,7 +370,6 @@ typedef struct gcry_pk_spec
>    const char *elements_enc;
>    const char *elements_sig;
>    const char *elements_grip;
> -  int use;
>    gcry_pk_generate_t generate;
>    gcry_pk_check_secret_key_t check_secret_key;
>    gcry_pk_encrypt_t encrypt;
> @@ -243,6 +377,10 @@ typedef struct gcry_pk_spec
>    gcry_pk_sign_t sign;
>    gcry_pk_verify_t verify;
>    gcry_pk_get_nbits_t get_nbits;
> +  pk_comp_keygrip_t comp_keygrip;
> +  pk_get_curve_t get_curve;
> +  pk_get_curve_param_t get_curve_param;
> +
>  #ifdef GRUB_UTIL
>    const char *modname;
>  #endif
> @@ -345,6 +483,10 @@ grub_crypto_hash (const gcry_md_spec_t *hash, void *out, 
> const void *in,
>                 grub_size_t inlen);
>  const gcry_md_spec_t *
>  grub_crypto_lookup_md_by_name (const char *name);
> +const gcry_md_spec_t *
> +grub_crypto_lookup_md_by_algo (int algo);
> +const gcry_md_spec_t *
> +grub_crypto_lookup_md_by_oid (const char *oid);
>  
>  grub_err_t
>  grub_crypto_gcry_error (gcry_err_code_t in);
> @@ -408,7 +550,35 @@ void _gcry_assert_failed (const char *expr, const char 
> *file, int line,
>  
>  void _gcry_burn_stack (int bytes);
>  void _gcry_log_error( const char *fmt, ... )  __attribute__ ((format 
> (__printf__, 1, 2)));
> +void _gcry_log_info (const char *fmt, ...);
> +void __gcry_burn_stack (unsigned int size);
> +void __gcry_burn_stack_dummy (void);
> +void _gcry_bug( const char *file, int line, const char *func );
> +void
> +_gcry_fast_wipememory (void *ptr, grub_size_t len);
> +void
> +_gcry_fast_wipememory2 (void *ptr, int set, grub_size_t len);
> +unsigned int
> +_gcry_ct_memequal (const void *b1, const void *b2, grub_size_t len);
> +unsigned int
> +_gcry_ct_not_memequal (const void *b1, const void *b2, grub_size_t len);
> +
> +
> +static inline unsigned int _gcry_get_hw_features(void)
> +{
> +  return 0;
> +}
>  
> +void *_gcry_malloc(grub_size_t n);
> +void *_gcry_malloc_secure(grub_size_t n);
> +void *_gcry_xmalloc(grub_size_t n);
> +void *_gcry_xmalloc_secure(grub_size_t n);
> +void _gcry_free (void *p);
> +void *_gcry_xrealloc (void *a, grub_size_t n);
> +int _gcry_is_secure (const void *a);
> +void *_gcry_xcalloc (grub_size_t n, grub_size_t m);
> +void *_gcry_xcalloc_secure (grub_size_t n, grub_size_t m);
> +void _gcry_divide_by_zero (void);
>  
>  #ifdef GRUB_UTIL
>  void grub_gcry_init_all (void);
> @@ -419,4 +589,11 @@ grub_get_random (void *out, grub_size_t len);
>  
>  #endif
>  
> +typedef struct _gpgrt_b64state *gpgrt_b64state_t;
> +gpgrt_b64state_t gpgrt_b64dec_start (const char *title);
> +gpg_error_t      gpgrt_b64dec_proc (gpgrt_b64state_t state,
> +                                 void *buffer, grub_size_t length,
> +                                    grub_size_t *r_nbytes);
> +gpg_error_t      gpgrt_b64dec_finish (gpgrt_b64state_t state);
> +const char *gpg_strerror (gpg_error_t err);
>  #endif
> diff --git a/include/grub/gcrypt/gpg-error.h b/include/grub/gcrypt/gpg-error.h
> index 1e4250284..966ebf82d 100644
> --- a/include/grub/gcrypt/gpg-error.h
> +++ b/include/grub/gcrypt/gpg-error.h
> @@ -29,4 +29,33 @@ gpg_err_source (gpg_error_t err __attribute__ ((unused)))
>  gcry_err_code_t
>  gpg_error_from_syserror (void);
>  
> +gcry_err_code_t
> +gpg_err_code_from_syserror (void);
> +
> +gcry_err_code_t
> +gpg_error_from_errno (int err);
> +
> +gcry_err_code_t
> +gpg_err_code_from_errno (int err);
> +
> +static inline const char *
> +gpg_strsource (gcry_error_t err __attribute__ ((unused)))
> +{
> +  return NULL;
> +}
> +
> +static inline int
> +gpg_err_code_to_errno (gcry_err_code_t code)
> +{
> +  return code ? 1 : 0;
> +}
> +
> +static inline gcry_error_t
> +gpg_err_make_from_errno (gpg_err_source_t source __attribute__ ((unused)), 
> int err)
> +{
> +  return gpg_err_code_from_errno (err);
> +}
> +
> +#define gpg_error(x) (x)
> +
>  #endif
> diff --git a/util/grub-fstest.c b/util/grub-fstest.c
> index 7ff9037b8..24b20ab91 100644
> --- a/util/grub-fstest.c
> +++ b/util/grub-fstest.c
> @@ -365,7 +365,7 @@ static void
>  cmd_crc (char *pathname)
>  {
>    grub_uint8_t *crc32_context = xmalloc (GRUB_MD_CRC32->contextsize);
> -  GRUB_MD_CRC32->init(crc32_context);
> +  GRUB_MD_CRC32->init(crc32_context, 0);
>  
>    read_file (pathname, crc_hook, crc32_context);
>    GRUB_MD_CRC32->final(crc32_context);
> diff --git a/util/import_gcry.py b/util/import_gcry.py
> index 2b3322d3a..e3f6d65a1 100644
> --- a/util/import_gcry.py
> +++ b/util/import_gcry.py
> @@ -22,6 +22,23 @@ import os
>  import datetime
>  import codecs
>  
> +def removesuffix(base: str, suffix: str) -> str:
> +    """ Backport of `removesuffix` from PEP-616 (Python 3.9+) """
> +
> +    if base.endswith(suffix):
> +        return base[:-len(suffix)]
> +    else:
> +        return base
> +
> +
> +def removeprefix(base: str, prefix: str) -> str:
> +    """ Backport of `removeprefix` from PEP-616 (Python 3.9+) """
> +
> +    if base.startswith(prefix):
> +        return base[len(prefix):]
> +    else:
> +        return base
> +
>  if len (sys.argv) < 3:
>      print ("Usage: %s SOURCE DESTINATION" % sys.argv[0])
>      exit (0)
> @@ -62,6 +79,12 @@ confutil.write ("  cflags = '$(CFLAGS_GCRY)';\n");
>  confutil.write ("  cppflags = '$(CPPFLAGS_GCRY)';\n");
>  confutil.write ("  extra_dist = 
> grub-core/lib/libgcrypt-grub/cipher/ChangeLog;\n");
>  confutil.write ("\n");
> +
> +for src in ['src/const-time.c']:
> +    confutil.write ("  common = grub-core/lib/libgcrypt-grub/%s;\n" % src)
> +
> +confutil.write ("\n");
> +
>  chlog = ""
>  modules_sym_md = []
>  
> @@ -71,6 +94,8 @@ modules_sym_md = []
>  mdblocksizes = {"_gcry_digest_spec_crc32" : 64,
>                  "_gcry_digest_spec_crc32_rfc1510" : 64,
>                  "_gcry_digest_spec_crc24_rfc2440" : 64,
> +                "_gcry_digest_spec_cshake128": 64,
> +                "_gcry_digest_spec_cshake256": 64,
>                  "_gcry_digest_spec_md4" : 64,
>                  "_gcry_digest_spec_md5" : 64,
>                  "_gcry_digest_spec_rmd160" : 64,
> @@ -79,10 +104,23 @@ mdblocksizes = {"_gcry_digest_spec_crc32" : 64,
>                  "_gcry_digest_spec_sha256" : 64,
>                  "_gcry_digest_spec_sha384" : 128,
>                  "_gcry_digest_spec_sha512" : 128,
> +                "_gcry_digest_spec_sha512_256": 128,
> +                "_gcry_digest_spec_sha512_224": 128,
>                  "_gcry_digest_spec_tiger" : 64,
>                  "_gcry_digest_spec_tiger1" : 64,
>                  "_gcry_digest_spec_tiger2" : 64,
> -                "_gcry_digest_spec_whirlpool" : 64}
> +                "_gcry_digest_spec_whirlpool" : 64,
> +                "_gcry_digest_spec_shake128": 64,
> +                "_gcry_digest_spec_shake256": 64,
> +                "_gcry_digest_spec_sm3": 64,
> +                "_gcry_digest_spec_stribog_256": 64,
> +                "_gcry_digest_spec_stribog_512": 64,
> +                "_gcry_digest_spec_sha3_224": 1152 / 8,
> +                "_gcry_digest_spec_sha3_256": 1088 / 8,
> +                "_gcry_digest_spec_sha3_384": 832 / 8,
> +                "_gcry_digest_spec_sha3_512": 576 / 8,
> +                "_gcry_digest_spec_gost3411_94": 32,
> +                "_gcry_digest_spec_gost3411_cp": 32}
>  
>  cryptolist = codecs.open (os.path.join (cipher_dir_out, "crypto.lst"), "w", 
> "utf-8")
>  
> @@ -99,26 +137,60 @@ cryptolist.write ("AES-256: gcry_rijndael\n");
>  cryptolist.write ("ADLER32: adler32\n");
>  cryptolist.write ("CRC64: crc64\n");
>  
> +extra_files = {
> +    "gcry_camellia": ["camellia.c"], # Main file is camellia-glue.c
> +    "gcry_sha512"  : ["hash-common.c"],
> +}
> +extra_files_list = [x for xs in extra_files.values() for x in xs] + 
> ["pubkey-util.c", "rsa-common.c", "dsa-common.c", "md.c"]
> +
>  for cipher_file in cipher_files:
>      infile = os.path.join (cipher_dir_in, cipher_file)
>      outfile = os.path.join (cipher_dir_out, cipher_file)
>      if cipher_file == "ChangeLog" or cipher_file == "ChangeLog-2011":
>          continue
>      chlognew = "     * %s" % cipher_file
> -    if re.match 
> ("(Manifest|Makefile\.am|ac\.c|cipher\.c|hash-common\.c|hmac-tests\.c|md\.c|pubkey\.c)$",
>  cipher_file) or cipher_file == "kdf.c" or cipher_file == "elgamal.c" or 
> cipher_file == "primegen.c" or cipher_file == "ecc.c" or cipher_file == 
> "test-getrusage.c":
> +    # Unused generic support files
> +    if re.match 
> (r"(Makefile\.am|cipher\.c|cipher-.*\.c|mac-.*\.c|mac\.c|pubkey\.c|primegen\.c)$",
>  cipher_file):
> +        chlog = "%s%s: Removed\n" % (chlog, chlognew)
> +        continue
> +    # TODO: Support KDF
> +    if re.match (r"(kdf\.c|scrypt\.c)$", cipher_file):
> +        chlog = "%s%s: Removed\n" % (chlog, chlognew)
> +        continue
> +    # TODO: Support chacha20 and poly1305
> +    if cipher_file in ["chacha20.c", "poly1305.c"]:
> +        chlog = "%s%s: Removed\n" % (chlog, chlognew)
> +        continue
> +    # TODO: Support blake2
> +    if cipher_file == "blake2.c":
> +        chlog = "%s%s: Removed\n" % (chlog, chlognew)
> +        continue        
> +
> +    # TODO: Use optimized versions
> +    if re.match 
> (r"(.*\.[sS]|.*-aarch64-ce.c|.*-intel-shaext\.c|.*-ssse3-i386\.c|.*-ppc\.c|.*-ssse3-amd64\.c|.*-s390x\.c|rijndael-aesni\.c|crc-intel-pclmul\.c|.*-armv8-ce\.c|.*-p10le\.c|rijndael-padlock.c|.*-ppc8le.c|.*-ppc9le.c|rijndael-vaes\.c|.*-vaes-i386\.c|.*-avx512-x86\.c)$",
>  cipher_file):
> +        chlog = "%s%s: Removed\n" % (chlog, chlognew)
> +        continue
> +    # TODO: Support ECC, Elgamal and post-quantum
> +    if re.match 
> (r"^(ecc-.*\.c|ecc\.c|elgamal\.c|kem\.c|kem-ecc\.c|sntrup761\.c|mceliece6688128f\.c|kyber\.c|kyber-.*\.c)$",
>  cipher_file):
> +        chlog = "%s%s: Removed\n" % (chlog, chlognew)
> +        continue
> +    # Not part of the code
> +    if cipher_file in ["gost-s-box.c"]:
>          chlog = "%s%s: Removed\n" % (chlog, chlognew)
>          continue
>      # Autogenerated files. Not even worth mentionning in ChangeLog
> -    if re.match ("Makefile\.in$", cipher_file):
> +    if re.match (r"Makefile\.in$", cipher_file):
>          continue
>      nch = False
> -    if re.match (".*\.[ch]$", cipher_file):
> -        isc = re.match (".*\.c$", cipher_file)
> +    if re.match (r".*\.[ch]$", cipher_file):
> +        isc = re.match (r".*\.c$", cipher_file)
>          f = codecs.open (infile, "r", "utf-8")
>          fw = codecs.open (outfile, "w", "utf-8")
>          fw.write ("/* This file was automatically imported with \n")
>          fw.write ("   import_gcry.py. Please don't modify it */\n")
> -        fw.write ("#include <grub/dl.h>\n")
> +        add_license = cipher_file == "pubkey-util.c" or (isc and not 
> cipher_file in extra_files_list)
> +        if add_license:
> +            fw.write ("#include <grub/dl.h>\n")
>          if cipher_file == "camellia.h":
>              fw.write ("#include <grub/misc.h>\n")
>              fw.write ("void camellia_setup128(const unsigned char *key, 
> grub_uint32_t *subkey);\n")
> @@ -132,7 +204,7 @@ for cipher_file in cipher_files:
>              fw.write ("void camellia_decrypt256(const grub_uint32_t *subkey, 
> grub_uint32_t *io);\n")                      
>              fw.write ("#define memcpy grub_memcpy\n")
>          # Whole libgcrypt is distributed under GPLv3+ or compatible
> -        if isc:
> +        if add_license:
>              fw.write ("GRUB_MOD_LICENSE (\"GPLv3+\");\n")
>  
>          ciphernames = []
> @@ -148,14 +220,10 @@ for cipher_file in cipher_files:
>          iscipher = False
>          iscryptostart = False
>          iscomma = False
> -        isglue = False
>          skip_statement = False
> +        skip_comma = False
>          if isc:
> -            modname = cipher_file [0:len(cipher_file) - 2]
> -            if re.match (".*-glue$", modname):
> -                modname = modname.replace ("-glue", "")
> -                isglue = True
> -            modname = "gcry_%s" % modname
> +            modname = "gcry_%s" % removesuffix(removesuffix(cipher_file, 
> ".c"), "-glue").replace("-", "_")
>          for line in f:
>              line = line
>              if skip_statement:
> @@ -171,7 +239,7 @@ for cipher_file in cipher_files:
>                      skip2 = False
>                  continue
>              if iscryptostart:
> -                s = re.search (" *\"([A-Z0-9_a-z]*)\"", line)
> +                s = re.search (" *\"([A-Z0-9_a-z-]*)\"", line)
>                  if not s is None:
>                      sg = s.groups()[0]
>                      cryptolist.write (("%s: %s\n") % (sg, modname))
> @@ -201,7 +269,7 @@ for cipher_file in cipher_files:
>                      ispk = False
>                  iscomma = not re.search (",$", line) is None
>              # Used only for selftests.
> -            m = re.match ("(static byte|static unsigned char) 
> (weak_keys_chksum)\[[0-9]*\] =", line)
> +            m = re.match (r"(static byte|static unsigned char|static const 
> gcry_md_spec_t \* const) (weak_keys_chksum|digest_list)\[[0-9]*\] =", line)
>              if not m is None:
>                  skip = 1
>                  fname = m.groups ()[1]
> @@ -212,11 +280,15 @@ for cipher_file in cipher_files:
>                      chlognew = "%s %s" % (chlognew, chmsg)
>                      nch = True
>                  continue
> +            if (not hold) and (re.match (r"[ 
> \t]*(run_selftests|do_tripledes_set_extra_info),?", line) is not None):
> +                iscomma = True
> +                line = ""
>              if hold:
>                  hold = False
>                  # We're optimising for size and exclude anything needing good
>                  # randomness.
> -                if not re.match 
> ("(run_selftests|selftest|_gcry_aes_c.._..c|_gcry_[a-z0-9]*_hash_buffer|tripledes_set2keys|do_tripledes_set_extra_info|_gcry_rmd160_mixblock|serpent_test|dsa_generate_ext|test_keys|gen_k|sign|gen_x931_parm_xp|generate_x931|generate_key|dsa_generate|dsa_sign|ecc_sign|generate|generate_fips186|_gcry_register_pk_dsa_progress|_gcry_register_pk_ecc_progress|progress|scanval|ec2os|ecc_generate_ext|ecc_generate|compute_keygrip|ecc_get_param|_gcry_register_pk_dsa_progress|gen_x931_parm_xp|gen_x931_parm_xi|rsa_decrypt|rsa_sign|rsa_generate_ext|rsa_generate|secret|check_exponent|rsa_blind|rsa_unblind|extract_a_from_sexp|curve_free|curve_copy|point_set)",
>  line) is None:
> +                # TODO: Support shake2+rsa (Needs md_extract)
> +                if re.match 
> ("(_gcry_hash_selftest_check_one|bulk_selftest_setkey|run_selftests|do_tripledes_set_extra_info|selftest|sm4_selftest|cshake_hash_buffers|_gcry_[a-z0-9_]*_hash_buffers|_gcry_sha1_hash_buffer|tripledes_set2keys|_gcry_rmd160_mixblock|serpent_test|dsa_generate_ext|test_keys|gen_k|sign|gen_x931_parm_xp|generate_x931|generate_key|dsa_generate|dsa_sign|ecc_sign|generate|generate_fips186|_gcry_register_pk_dsa_progress|_gcry_register_pk_ecc_progress|progress|scanval|ec2os|ecc_generate_ext|ecc_generate|ecc_get_param|_gcry_register_pk_dsa_progress|gen_x931_parm_xp|gen_x931_parm_xi|rsa_decrypt|rsa_sign|rsa_generate_ext|rsa_generate|secret|check_exponent|rsa_blind|rsa_unblind|extract_a_from_sexp|curve_free|curve_copy|point_set|_gcry_dsa_gen_rfc6979_k|bits2octets|int2octets|md_extract|_gcry_md_debug|_gcry_md_selftest|_gcry_md_is_enabled|_gcry_md_is_secure|_gcry_md_init|_gcry_md_info|_gcry_md_get_algo
>  |md_get_algo |_gcry_md_get 
> |_gcry_md_extract|_gcry_md_setkey|md_setkey|prepare_macpads|_gcry_md_algo_name|search_oid|spec_from_oid|spec_from_name|spec_from_algo|map_algo|_gcry_cshake_customize|cshake_input_[sn])",
>  line) is not None:
>  
>                      skip = 1
>                      if not re.match ("selftest", line) is None and 
> cipher_file == "idea.c":
> @@ -224,6 +296,11 @@ for cipher_file in cipher_files:
>  
>                      if not re.match ("serpent_test", line) is None:
>                          fw.write ("static const char *serpent_test (void) { 
> return 0; }\n");
> +                    if not re.match ("sm4_selftest", line) is None:
> +                        fw.write ("static const char *sm4_selftest (void) { 
> return 0; }\n");
> +                    hash_buf = re.match ("(_gcry_[a-z0-9_]*_hash_buffers)", 
> line)
> +                    if hash_buf is not None:
> +                        fw.write ("#define %s 0" % (hash_buf.group(0)))
>                      if not re.match ("dsa_generate", line) is None:
>                          fw.write ("#define dsa_generate 0");
>                      if not re.match ("ecc_generate", line) is None:
> @@ -238,6 +315,10 @@ for cipher_file in cipher_files:
>                          fw.write ("#define dsa_sign 0");
>                      if not re.match ("ecc_sign", line) is None:
>                          fw.write ("#define ecc_sign 0");
> +                    if not re.match ("search_oid", line) is None:
> +                        fw.write ("#define search_oid(a,b) 
> grub_crypto_lookup_md_by_oid(a)")
> +                    if not re.match ("spec_from_name", line) is None:
> +                        fw.write ("#define spec_from_name 
> grub_crypto_lookup_md_by_name")
>                      fname = re.match ("[a-zA-Z0-9_]*", line).group ()
>                      chmsg = "(%s): Removed." % fname
>                      if nch:
> @@ -257,45 +338,46 @@ for cipher_file in cipher_files:
>                      chlognew = "%s: %s" % (chlognew, chmsg)
>                      nch = True
>                  continue
> -            m = re.match ("gcry_cipher_spec_t", line)
> +            m = re.match ("(const )?gcry_cipher_spec_t", line)
>              if isc and not m is None:
>                  assert (not ismd)
>                  assert (not ispk)
>                  assert (not iscipher)
>                  assert (not iscryptostart)
> -                ciphername = line [len ("gcry_cipher_spec_t"):].strip ()
> +                ciphername = removeprefix(removeprefix(line, "const "), 
> "gcry_cipher_spec_t").strip ()
>                  ciphername = re.match("[a-zA-Z0-9_]*",ciphername).group ()
>                  ciphernames.append (ciphername)
>                  iscipher = True
>                  iscryptostart = True
>  
> -            m = re.match ("gcry_pk_spec_t", line)
> +            m = re.match ("(const )?gcry_pk_spec_t", line)
>              if isc and not m is None:
>                  assert (not ismd)
>                  assert (not ispk)
>                  assert (not iscipher)
>                  assert (not iscryptostart)
> -                pkname = line [len ("gcry_pk_spec_t"):].strip ()
> +                pkname = removeprefix(removeprefix(line, "const "), 
> "gcry_pk_spec_t").strip ()
>                  pkname = re.match("[a-zA-Z0-9_]*",pkname).group ()
>                  pknames.append (pkname)
>                  ispk = True
>                  iscryptostart = True
>  
> -            m = re.match ("gcry_md_spec_t", line)
> +            m = re.match ("(const )?gcry_md_spec_t", line)
>              if isc and not m is None:
>                  assert (not ismd)
>                  assert (not ispk)
>                  assert (not iscipher)
>                  assert (not iscryptostart)
> -                mdname = line [len ("gcry_md_spec_t"):].strip ()
> +                line = removeprefix(line, "const ")
> +                mdname = removeprefix(removeprefix(line, "const "), 
> "gcry_md_spec_t").strip ()
>                  mdname = re.match("[a-zA-Z0-9_]*",mdname).group ()
>                  mdnames.append (mdname)
>                  ismd = True
>                  mdarg = 0
>                  iscryptostart = True
> -            m = re.match ("static const char \*selftest.*;$", line)
> +            m = re.match (r"static const char \*selftest.*;$", line)
>              if not m is None:
> -                fname = line[len ("static const char \*"):]
> +                fname = line[len (r"static const char \*"):]
>                  fname = re.match ("[a-zA-Z0-9_]*", fname).group ()
>                  chmsg = "(%s): Removed declaration." % fname
>                  if nch:
> @@ -331,7 +413,7 @@ for cipher_file in cipher_files:
>                      chlognew = "%s %s" % (chlognew, chmsg)
>                      nch = True
>                  continue
> -            m = re.match ("static void \(\*progress_cb\).*;$", line)
> +            m = re.match (r"static void \(\*progress_cb\).*;$", line)
>              if not m is None:
>                  chmsg = "(progress_cb): Removed declaration."
>                  if nch:
> @@ -340,7 +422,7 @@ for cipher_file in cipher_files:
>                      chlognew = "%s %s" % (chlognew, chmsg)
>                      nch = True
>                  continue
> -            m = re.match ("static void \*progress_cb_data.*;$", line)
> +            m = re.match (r"static void \*progress_cb_data.*;$", line)
>              if not m is None:
>                  chmsg = "(progress_cb): Removed declaration."
>                  if nch:
> @@ -350,22 +432,22 @@ for cipher_file in cipher_files:
>                      nch = True
>                  continue
>  
> -            m = re.match ("(static const char( |)\*|static 
> gpg_err_code_t|void|static int|static gcry_err_code_t|static 
> gcry_mpi_t|static void|void|static elliptic_curve_t) *$", line)
> +            m = re.match (r"((static )?const char( |)\*|static const 
> gcry_md_spec_t \*|(static )?gpg_err_code_t|gpg_error_t|void|(static 
> )?(unsigned )?int|(static )?gcry_err_code_t|static gcry_mpi_t|static 
> void|void|static elliptic_curve_t) *$", line)
>              if not m is None:
>                  hold = True
>                  holdline = line
>                  continue
> -            m = re.match ("static int tripledes_set2keys \(.*\);", line)
> +            m = re.match (r"static int tripledes_set2keys \(.*\);", line)
>              if not m is None:
>                  continue
> -            m = re.match ("static int tripledes_set3keys \(.*\);", line)
> +            m = re.match (r"static int tripledes_set3keys \(.*\);", line)
>              if not m is None:
>                  continue
> -            m = re.match ("static int tripledes_set2keys \(", line)
> +            m = re.match (r"static int tripledes_set2keys \(", line)
>              if not m is None:
>                  skip_statement = True
>                  continue
> -            m = re.match ("static int tripledes_set3keys \(", line)
> +            m = re.match (r"static int tripledes_set3keys \(", line)
>              if not m is None:
>                  skip_statement = True
>                  continue
> @@ -421,11 +503,9 @@ for cipher_file in cipher_files:
>                  continue
>              fw.write (line)
>          if len (ciphernames) > 0 or len (mdnames) > 0 or len (pknames) > 0:
> -            if isglue:
> -                modfiles = "lib/libgcrypt-grub/cipher/%s 
> lib/libgcrypt-grub/cipher/%s" \
> -                    % (cipher_file, cipher_file.replace ("-glue.c", ".c"))
> -            else:
> -                modfiles = "lib/libgcrypt-grub/cipher/%s" % cipher_file
> +            modfiles = [cipher_file]
> +            if modname in extra_files.keys():
> +                modfiles += extra_files[modname]
>              if len (ciphernames) > 0 or len (mdnames) > 0:
>                  modules_sym_md.append (modname)
>              chmsg = "(GRUB_MOD_INIT(%s)): New function\n" % modname
> @@ -447,7 +527,7 @@ for cipher_file in cipher_files:
>                  chlognew = "%s\n     %s" % (chlognew, chmsg)
>                  fw.write ("  grub_md_register (&%s);\n" % mdname)
>              for pkname in pknames:
> -                chmsg = "Register pk %s" % mdname
> +                chmsg = "Register pk %s" % pkname
>                  chlognew = "%s\n     %s" % (chlognew, chmsg)
>                  fw.write ("  grub_crypto_pk_%s = &%s;\n"
>                            % (pkname.replace ("_gcry_pubkey_spec_", ""), 
> pkname))
> @@ -465,17 +545,17 @@ for cipher_file in cipher_files:
>                  chlognew = "%s\n     %s" % (chlognew, chmsg)
>                  fw.write ("  grub_md_unregister (&%s);\n" % mdname)
>              for pkname in pknames:
> -                chmsg = "Unregister pk %s" % mdname
> +                chmsg = "Unregister pk %s" % pkname
>                  chlognew = "%s\n     %s" % (chlognew, chmsg)
>                  fw.write ("  grub_crypto_pk_%s = 0;\n"
>                            % (pkname.replace ("_gcry_pubkey_spec_", "")))
>              fw.write ("}\n")
>              conf.write ("module = {\n")
>              conf.write ("  name = %s;\n" % modname)
> -            for src in modfiles.split():
> -                conf.write ("  common = %s;\n" % src)
> +            for src in modfiles:
> +                conf.write ("  common = lib/libgcrypt-grub/cipher/%s;\n" % 
> src)
>                  if len (ciphernames) > 0 or len (mdnames) > 0:
> -                    confutil.write ("  common = grub-core/%s;\n" % src)
> +                    confutil.write ("  common = 
> grub-core/lib/libgcrypt-grub/cipher/%s;\n" % src)
>              if modname == "gcry_ecc":
>                  conf.write ("  common = lib/libgcrypt-grub/mpi/ec.c;\n")
>                  conf.write ("  cflags = '$(CFLAGS_GCRY) -Wno-redundant-decls 
> -Wno-sign-compare';\n")
> @@ -490,7 +570,7 @@ for cipher_file in cipher_files:
>              fw.close ()
>              if nch:
>                  chlog = "%s%s\n" % (chlog, chlognew)
> -        elif isc and cipher_file != "camellia.c":
> +        elif isc and cipher_file not in extra_files_list:
>              print ("WARNING: C file isn't a module: %s" % cipher_file)
>              f.close ()
>              fw.close ()
> @@ -512,7 +592,7 @@ for src in sorted (os.listdir (os.path.join (indir, 
> "src"))):
>              or src == "libgcrypt.vers" or src == "Makefile.am" \
>              or src == "Manifest" or src == "misc.c" \
>              or src == "missing-string.c" or src == "module.c" \
> -            or src == "secmem.c" or src == "sexp.c" \
> +            or src == "secmem.c" \
>              or src == "stdmem.c" or src == "visibility.c":
>          continue
>      outfile = os.path.join (basedir, "src", src)
> @@ -534,8 +614,17 @@ for src in sorted (os.listdir (os.path.join (indir, 
> "src"))):
>          fw.close ()
>          continue
>  
> +    if src == "cipher-proto.h":
> +        fw.write("#include <grub/crypto.h>\n")
> +        fw.write("typedef gcry_selftest_func_t selftest_func_t;")
> +        f.close ()
> +        fw.close ()
> +        continue
> +
>      if src == "g10lib.h":
> -        fw.write (f.read ().replace ("(printf,f,a)", "(__printf__,f,a)"))
> +        fw.write("#include <cipher_wrap.h>\n")
> +        fw.write("#include <grub/crypto.h>\n")
> +        fw.write (f.read ().replace ("(printf,f,a)", 
> "(__printf__,f,a)").replace ("#include \"../compat/libcompat.h\"", 
> "").replace("#define N_(a) (a)", ""))
>          f.close ()
>          fw.close ()
>          continue
> @@ -546,7 +635,7 @@ for src in sorted (os.listdir (os.path.join (indir, 
> "src"))):
>  
>  for src in sorted (os.listdir (os.path.join (indir, "mpi"))):
>      if src == "config.links" or src == "ChangeLog-2011" \
> -            or src == "mpi-scan.c" or src == "Manifest" \
> +            or src == "Manifest" \
>              or src == "Makefile.am":
>          continue
>      infile = os.path.join (indir, "mpi", src)
> @@ -568,17 +657,17 @@ for src in sorted (os.listdir (os.path.join (indir, 
> "mpi"))):
>              hold = False
>              # We're optimising for size and exclude anything needing good
>              # randomness.
> -            if not re.match ("(_gcry_mpi_get_hw_config|gcry_mpi_randomize)", 
> line) is None:
> +            if not re.match 
> ("(_gcry_mpi_get_hw_config|gcry_mpi_randomize|_gcry_mpi_randomize)", line) is 
> None:
>                  skip = 1
>                  continue
>              else:
>                  fw.write (holdline)
> -        m = re.match ("(const char( |)\*|void) *$", line)
> +        m = re.match (r"(const char( |)\*|void) *$", line)
>          if not m is None:
>              hold = True
>              holdline = line
>              continue
> -        m = re.match ("#include \"mod-source-info\.h\"", line)
> +        m = re.match (r"#include \"mod-source-info\.h\"", line)
>          if not m is None:
>              continue
>          fw.write (line)
> @@ -612,9 +701,6 @@ fw.write ("#include <cipher_wrap.h>\n")
>  chlog = "%s  * g10lib.h: Likewise.\n" % chlog
>  fw.close ()
>  
> -infile = os.path.join (cipher_dir_in, "ChangeLog")
> -outfile = os.path.join (cipher_dir_out, "ChangeLog")
> -
>  conf.close ();
>  
>  initfile = codecs.open (os.path.join (cipher_dir_out, "init.c"), "w", 
> "utf-8")
> @@ -643,7 +729,7 @@ confutil.write ("};\n");
>  confutil.close ();
>  
>  
> -f=codecs.open (infile, "r", "utf-8")
> +outfile = os.path.join (cipher_dir_out, "ChangeLog")
>  fw=codecs.open (outfile, "w", "utf-8")
>  dt = datetime.date.today ()
>  fw.write ("%04d-%02d-%02d  Automatic import tool\n" % \
> @@ -653,7 +739,4 @@ fw.write ("       Imported ciphers to GRUB\n")
>  fw.write ("\n")
>  fw.write (chlog)
>  fw.write ("\n")
> -for line in f:
> -    fw.write (line)
> -f.close ()
>  fw.close ()
> diff --git a/util/import_gcrypt_inth.sed b/util/import_gcrypt_inth.sed
> new file mode 100644
> index 000000000..ebe9371ee
> --- /dev/null
> +++ b/util/import_gcrypt_inth.sed
> @@ -0,0 +1,17 @@
> +/^#@INSERT_SYS_SELECT_H@/ d
> +/^@FALLBACK_SOCKLEN_T@/ d
> +/^# *include <stdlib\.h>/ d
> +/^# *include <string\.h>/ d
> +/^# *include <winsock2\.h>/ d
> +/^# *include <ws2tcpip\.h>/ d
> +/^# *include <time\.h>/ d
> +/^# *include <sys\/socket\.h>/ d
> +/^# *include <sys\/time\.h>/ d
> +/^  typedef long ssize_t;/ d
> +/^  typedef int  pid_t;/ d
> +/^# *include <gpg-error\.h>/ s,#include <gpg-error.h>,#include 
> <grub/gcrypt/gpg-error.h>,
> +/^typedef gpg_error_t gcry_error_t;/ d
> +/^typedef gpg_err_code_t gcry_err_code_t;/ d
> +/^typedef struct gcry_mpi \*gcry_mpi_t;/ d
> +/^#error  gcrypt.h already included/ d
> +p
> diff --git a/util/import_gcrypth.sed b/util/import_gcrypth.sed
> index fe6d1a072..503b4b547 100644
> --- a/util/import_gcrypth.sed
> +++ b/util/import_gcrypth.sed
> @@ -13,6 +13,4 @@
>  /^typedef gpg_error_t gcry_error_t;/ d
>  /^typedef gpg_err_code_t gcry_err_code_t;/ d
>  /^typedef struct gcry_mpi \*gcry_mpi_t;/ d
> -/^struct gcry_thread_cbs/ d
> -s,_gcry_mpi_invm,gcry_mpi_invm,g
>  p
> \ No newline at end of file



reply via email to

[Prev in Thread] Current Thread [Next in Thread]