Hubbry Logo
LibgcryptLibgcryptMain
Open search
Libgcrypt
Community hub
Libgcrypt
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Libgcrypt
Libgcrypt
Libgcrypt
View on Wikipedia
from Wikipedia
Libgcrypt
Original authorWerner Koch
DeveloperGnuPG community[1]
Stable release(s) [±]
stable1.12.0 / January 29, 2026; 7 days ago (2026-01-29)[2]
LTS1.8.11 / November 16, 2023; 2 years ago (2023-11-16)[3]
Repository
Written inC
Operating systemCross-platform
TypeCryptographic library
LicenseGNU Lesser General Public License (LGPLv2.1+) / GNU General Public License (GPLv2+)[4]
Websitegnupg.org/software/libgcrypt/

Libgcrypt is a cryptography library developed as a separated module of GnuPG.[5] It can also be used independently of GnuPG, but depends on its error-reporting library Libgpg-error.[6]

It provides functions for all fundamental cryptographic building blocks:

Primitive or Operation Algorithms or Implementation[7]
symmetric ciphers:[8] AES (128, 192, 256 bits), DES, 3DES, IDEA, CAST5, Blowfish, Twofish (128, 256 bits), Ron's Cipher 2 / RC2 (40, 128 bits), ARCfour / RC4, SEED (RFC 4269), Serpent (128, 192, 256 bits), Camellia (128, 192, 256 bits), Salsa20, Salsa20/12, ChaCha20, GOST 28147-89 (RFC 5830) / GOST R 34.12-2015 (Magma: RFC 8891 & Kuznyechik: RFC 7801), SM4, ARIA
cipher modes:[9] ECB, CFB, CBC, OFB, CTR, CCM, GCM, OCB, EAX, XTS, Stream, AES Key Wrap (RFC 3394), AES Key Wrap with padding (RFC 5649), SIV (RFC 5297) and GCM-SIV (RFC 8452)
public key algorithms:[10][11] RSA, ElGamal, DSA, ECDSA, EdDSA, Ed448, DH, EDH, ECDH
hash algorithms:[12] MD2, MD4, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128, SHAKE256, RIPEMD-160, TIGER/192, TIGER1, TIGER2, Whirlpool, CRC-24 (as in RFC 2440), CRC-32 (as in ISO 3309), CRC-32 (as in RFC 1510), GOST R 34.11-94 / GOST 34.311-95, GOST R 34.11-2012 (Stribog) / RFC 6986, BLAKE2b (128, 160, 224, 256 Bits), BLAKE2s (160, 256, 384, 512 Bits), SM3[13]
message authentication codes (MACs):[14] HMAC for all hash algorithms, CMAC for all cipher algorithms, GMAC for some cipher algorithms, Poly1305
key derivation functions (KDFs):[15] S2K (as in RFC 4880: simple, salted, iterated+salted), PBKDF2, SCRYPT, Argon2d, Argon2i, Argon2id, Balloon
elliptic curves: NIST (P-256, P-384, P-521), SECG (secp256k1), ECC Brainpool / RFC 5639 (P256r1, P384r1, P512r1), Bernstein (Curve25519, Curve448), GOST R 34.10-2012 (RFC 7091), SM2[16]

Libgcrypt features its own multiple precision arithmetic implementation, with assembler implementations for a variety of processors, including Alpha, AMD64, HP PA-RISC, i386, i586, M68K, MIPS 3, PowerPC, and SPARC. It also features an entropy gathering utility, coming in different versions for Unix-like and Windows machines.

Usually multiple, stable branches of Libgcrypt are maintained in parallel; since 2022-03-28 this is the Libgrypt 1.10 branch as stable branch, plus the 1.8 branch as LTS ("long-term support") branch, which will be maintained at least until 2024-12-31.[17]

See also

[edit]

References

[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Libgcrypt

View on Grokipedia
from Grokipedia
Libgcrypt is a cryptographic library developed by the GNU Project as a general-purpose collection of building blocks for implementing secure encryption, hashing, and authentication in applications. Originally derived from the code used in GnuPG, it provides portable, efficient implementations of symmetric ciphers such as AES, ChaCha20, and ; hash algorithms including , , and ; message authentication codes like and CMAC; and support for algorithms such as RSA, ECDSA, and . The library emphasizes security and compliance with modern cryptographic standards, offering modes of operation for ciphers (e.g., GCM, OCB) and additional utilities for random number generation, large integer arithmetic, and key derivation functions, making it suitable for both low-level and high-level cryptographic needs across systems and Windows. It depends on the companion library libgpg-error for error handling and maintains /ABI compatibility since version 1.2 to ensure seamless integration in software projects. Licensed under the GNU Lesser General Public License version 2.1 or later (LGPLv2.1+), Libgcrypt allows linking with while requiring availability for modifications. Development of Libgcrypt began as a modular extraction from GnuPG to promote reusability, with the project hosted under the GnuPG umbrella and distributed via the official GnuPG servers due to historical U.S. export restrictions on . The current stable release is version 1.11.2, issued on August 4, 2025, following a series of updates that include long-term support for version 1.8 and end-of-life designations for earlier branches like 1.7 in 2019. and documentation are maintained in a public repository, encouraging community contributions while adhering to GNU's principles.

Introduction

Overview

Libgcrypt is a general-purpose cryptographic that provides essential building blocks for implementing secure applications, including symmetric ciphers, hash algorithms, message authentication codes (MACs), public-key algorithms, key derivation functions, and . Originally derived from the code used in GnuPG, it serves as a modular component that can operate independently while sharing foundational elements with the GNU Privacy Guard ecosystem. The library's primary use cases include performing standalone cryptographic operations in software applications, integrating with GnuPG tools for enhanced security features, and supporting broader needs such as secure communications protocols and data protection mechanisms. Libgcrypt requires the companion libgpg-error library for standardized error handling across GnuPG-related components. As of November 2025, the current stable version is 1.11.2, released on August 4, 2025. It offers cross-platform compatibility, running natively on most POSIX-compliant systems and pre-POSIX environments, with support for Windows through cross-compilation, and architectures such as x86 and ARM.

Design Principles

Libgcrypt emphasizes modularity by providing a collection of low-level cryptographic primitives, such as symmetric ciphers, hash functions, message authentication codes, public-key algorithms, multi-precision integer operations, and random number generation, without implementing higher-level protocols like OpenPGP or S/MIME. This design allows developers to integrate these building blocks flexibly into custom applications or larger systems, avoiding the constraints of protocol-specific libraries. Originally extracted as a modular component from the GnuPG codebase, Libgcrypt enables reuse across the GNU ecosystem while maintaining independence. A security-first approach guides Libgcrypt's development, prioritizing robust protections against common threats. The library includes deprecated or insecure algorithms for compatibility but deprecates them and favors modern standards such as AES and SHA-256 over weak options like or SHA-1. Recent versions include various constant-time operation improvements, with ongoing development for critical functions such as RSA decryption and using techniques like Barrett or Montgomery reduction where applicable. Version 1.11.0 introduced support for quantum-resistant algorithms like and Classic McEliece, along with new APIs for Key Encapsulation Mechanisms (KEMs), enhancing preparedness for . For randomness, Libgcrypt employs a (CSPRNG) with dedicated entropy gathering modules that collect high-quality from sources like /dev/random, getentropy(), or hardware, ensuring sufficient mixing before output and including fork detection for . Portability and efficiency are core to Libgcrypt's implementation, written in to ensure compatibility across systems, Windows, and other platforms without reliance on non-standard features. To optimize performance, the library includes hand-optimized assembler code for specific architectures, such as AMD64 for processors, for embedded and mobile devices, and PowerPC, accelerating operations like AES encryption and elliptic curve computations where hardware support allows. This balance enables broad deployment while delivering efficient execution suitable for both resource-constrained environments and high-performance servers. Libgcrypt maintains API stability through backward compatibility since version 1.2.0, preserving the (ABI) and ensuring that applications built against earlier stable releases continue to function without modification across subsequent updates. As part of the Project, it is developed under the GNU Lesser License (LGPLv2.1+), promoting open-source principles that facilitate code auditability, security reviews by the community, and collaborative contributions via public repositories. This ethos supports ongoing scrutiny and improvement, aligning with guidelines for accessibility and trustworthiness.

History

Origins and Development

Libgcrypt originated as the cryptographic component within , an open-source implementation of the OpenPGP standard developed by Werner Koch and first released on September 7, 1999. The library's code was initially embedded in to handle symmetric and asymmetric , hashing, and other , but it was extracted into a standalone module around 2000–2001 to facilitate reuse in other software projects independent of . This separation was motivated by the need for a modular, general-purpose cryptographic backend, particularly in the context of U.S. export controls on cryptographic software during the late 1990s and early 2000s, allowing distribution through servers without the full package. The initial standalone release, version 1.1.0, arrived in April 2001, representing the first distinct version detached from GnuPG's and designated as alpha quality. Subsequent alpha releases, such as 1.1.3 in 2001, refined the library while emphasizing its experimental status. Libgcrypt is maintained by the GnuPG Project under Project umbrella, with development coordinated through contributions from researchers and distributed via GNU's infrastructure. Version control transitioned to in the mid-2000s, enabling collaborative enhancements while preserving backward compatibility. Key early milestones include the integration with libgpg-error in the early 2000s, which standardized error reporting across GnuPG-related libraries. Around 2017, the project adopted a for , exemplified by the 1.8 series as an LTS branch, alongside shorter development cycles to balance stability and .

Major Releases

Libgcrypt's development follows a that includes stable branches for ongoing maintenance, (LTS) branches for extended enterprise use, and end-of-life (EOL) designations for older series. The 1.8 series serves as an LTS branch, receiving security and stability updates. The current stable branch, 1.11, began with version 1.11.0 in June 2024 and remains ABI-stable, with patch releases like 1.11.2 in August 2025 addressing bug fixes. Earlier series, such as 1.6 and 1.7, reached EOL on June 30, 2017, and June 30, 2019, respectively, after which no further updates were provided. Major releases occur approximately every 1-2 years, with patch releases issued more frequently for security and stability enhancements. The 1.2.0 release on April 16, 2004, marked the first version with full and ABI compatibility, establishing a foundation for subsequent development while transitioning to LGPL licensing. Version 1.4.0, released on December 10, 2007, introduced experimental support including ECDSA and enhanced compliance options for enterprise environments, while maintaining upward compatibility with the 1.2 series. The 1.5.0 release on June 29, 2011, focused on performance and security improvements, incorporating AES-NI instructions for side-channel mitigations and adding support for ECDH, OAEP, and PSS padding schemes. In December 2013, version 1.6.0 added Ed25519 support and mitigations against the Yarom/Falkner (CVE-2013-4242), alongside performance boosts for ciphers and hashes. The 1.7.0 release on April 15, 2016, expanded algorithm support with variants, , and additional ECC curves like and secp256k1. Version 1.8.0, released on July 18, 2017, introduced XTS mode and Blake-2 hashing as part of its LTS designation, emphasizing long-term stability for production systems. The 1.9.0 release on January 19, 2021, added Ed448 and X448 curves along with , though it was quickly superseded by 1.9.1 due to a critical bug. In March 2022, 1.10.1 launched the 1.10 stable branch, incorporating and Balloon KDF modes while preparing infrastructure for through new control codes for algorithm validation. The most recent major release, 1.11.0 on June 19, 2024, advanced post-quantum readiness with a new and support for algorithms like , (FIPS 203), and Classic McEliece, alongside aliases for Brainpool curves (bp256, bp384, bp512). This version maintains full API/ABI compatibility with prior series, ensuring seamless upgrades.

Technical Features

Supported Algorithms

Libgcrypt provides a comprehensive set of , including symmetric and asymmetric algorithms, hash functions, message authentication codes, and key derivation functions, all implemented to support secure applications within ecosystem.

Symmetric Ciphers

Libgcrypt supports a variety of symmetric block and stream ciphers, enabling and decryption operations for data protection. The library includes AES in all standard variants (128, 192, and 256-bit keys), which operates on 128-bit blocks and is widely used for its efficiency and security. Other block ciphers encompass Blowfish (key sizes from 8 to 576 bits in 8-bit increments, 64-bit blocks), (128, 192, and 256-bit keys, 128-bit blocks), CAST5 (128-bit keys, 64-bit blocks), DES and 3DES (56-bit effective key for DES, 168-bit for 3DES, 64-bit blocks), (128 and 256-bit keys, 128-bit blocks), Serpent (128, 192, and 256-bit keys, 128-bit blocks), (128-bit keys, 128-bit blocks), and Arcfour ( stream cipher with variable key sizes up to 256 bits). Stream ciphers like ChaCha20 (256-bit keys, ) are also available for high-speed applications. These ciphers can be operated in multiple modes to suit different security requirements, including ECB (Electronic Codebook), CBC (Cipher Block Chaining), CFB (Cipher Feedback), OFB (Output Feedback), CTR (Counter), GCM (Galois/Counter Mode for ), CCM (Counter with ), OCB (Offset Codebook Mode), and XTS (XEX-based Tweaked Codebook for ). Advanced AEAD ( with Associated Data) modes such as EAX, , GCM-SIV, and Poly1305 are likewise supported, providing alongside .

Hash Functions

The library implements a broad range of hash algorithms for and digital signatures, covering legacy, standard, and modern variants. Supported hashes include the SHA family: (160-bit output), SHA-224/256/384/512 (224 to 512-bit outputs), SHA-512/224 and SHA-512/256 (truncated variants), and SHA3-224/256/384/512 (Keccak-based, 224 to 512-bit outputs). Additionally, SHAKE128 and SHAKE256 (extendable-output functions with 128- and 256-bit security levels) enable variable-length outputs. The MD family features MD2, , and (128-bit outputs, though MD2 is reserved without implementation). Other hashes comprise RIPEMD-160 (160-bit), Tiger and its variants (Tiger1, Tiger2, 192-bit), (512-bit), and newer additions like Blake2b (160 to 512-bit variants) and Blake2s (128 to 256-bit variants), along with SM3 (256-bit) and (256/512-bit).

Message Authentication

Libgcrypt facilitates message authentication through several mechanisms to verify and authenticity. (Hash-based Message Authentication Code) is supported with all aforementioned hash functions, such as and , allowing flexible construction based on the underlying hash's properties. (Cipher-based MAC) is available for block ciphers including AES, 3DES, , CAST5, , , Serpent, , and SM4, providing a standards-compliant alternative to . Poly1305, a high-speed , operates in standalone mode or combined with ciphers like AES (as in Poly1305-AES), , , Serpent, and , adhering to RFC 8439 for AEAD constructions. Further options include GMAC with AES, , , Serpent, and , as well as GOST28147_IMIT for legacy compatibility.

Public-Key Algorithms

Public-key cryptography in Libgcrypt supports , , and signing for and . RSA is implemented with key sizes up to 8192 bits, suitable for both and signatures. DSA (Digital Signature Algorithm) and ElGamal are provided for signing and , respectively, with standard parameter sets. (ECC) is extensively supported, including ECDSA () and (Edwards-curve DSA) for signatures, as well as ECDH for key agreement. Specific curves include NIST standards (P-192, P-224, P-256, P-384, P-521), Brainpool curves (P256r1, P384r1, P512r1), and ed25519 (per RFC 7748 and RFC 8032), and secp256k1 for broader compatibility.

Key Derivation

To derive keys from passphrases or other inputs, Libgcrypt includes robust key derivation functions (KDFs) resistant to brute-force attacks. (PKCS#5 v2.0) supports iterations and salting with underlying hashes like SHA-256. provides memory-hard derivation with parameters for cost (N), parallelization (p), and salt size. variants—Argon2i (data-independent), Argon2d (data-dependent), and Argon2id (hybrid)—offer advanced memory-hard protection, configurable with memory, time, and parallelism costs, as added in version 1.11.0. OpenPGP S2K modes (simple, salted, and iterated+salted) are also available for legacy compatibility.

Other Primitives

Beyond core algorithms, Libgcrypt incorporates a Multi-Precision Integer (MPI) library for , essential for public-key operations and . This enables efficient handling of large integers in cryptographic computations. Elliptic curve operations are integrated via the ECC framework, leveraging the aforementioned curves for optimized performance in constrained environments.

Random Number Generation

Libgcrypt employs a multi-layered random number generation system designed to provide cryptographically secure randomness for various applications, including and nonce creation. The library supports multiple (PRNG) types to balance security, performance, and compliance requirements. The standard DRNG, based on Peter Gutmann's continuous seeding PRNG using , serves as the default mechanism and is continuously reseeded with fresh to maintain unpredictability. For compliance, Libgcrypt implements a deterministic random number generator (DRNG) adhering to , utilizing AES in X9.31 mode, which undergoes power-up self-tests and restricts operations to approved algorithms. Additionally, a system-dependent secure random option wraps native operating system interfaces, such as /dev/urandom on systems, while a weak random variant is available for non-cryptographic purposes, often mapping to the strong random pool or using nonce generation techniques to avoid depleting high-quality . Entropy collection in Libgcrypt draws from diverse sources to ensure a robust pool of unpredictable bits, mitigating risks from single-point failures. Primary sources include system calls like getrandom() or /dev/urandom on Unix systems, which provide kernel-generated entropy based on hardware events and interrupts. Hardware random number generators (RNGs), such as Intel's instruction on x86 processors or VIA engines, are integrated when available to inject high-entropy bits directly from physical noise sources like thermal variations. In legacy modes, particularly on older Unix systems, entropy can be gathered via the Entropy Gathering Daemon (EGD) or Unix-specific collectors that poll process timings and system statistics, historically including inputs from devices like keyboards and mice for additional variability, though modern implementations prioritize more reliable kernel and hardware methods. These sources are modular, allowing configuration to disable or prioritize certain collectors for environmental adaptability. Initialization of the subsystem occurs automatically upon library startup, but users can accelerate it using gcry_control(GCRYCTL_ENABLE_QUICK_RANDOM), which permits faster access to the strong random pool by relaxing initial requirements, though this is disabled in FIPS mode to enforce strict compliance. Automatic reseeding happens periodically through polling, ensuring the PRNG remains resistant to state exhaustion or . In FIPS mode, the deterministic DRNG requires explicit derivation functions and reseeds only after a fixed number of outputs (e.g., 1000 blocks), preventing reliance on continuous external while maintaining forward . To address security threats like prediction attacks, Libgcrypt implements periodic entropy polling from configured sources, continuously refreshing the internal pool to exceed the entropy needed for the requested security level and thwarting attempts to infer future outputs from observed ones. The FIPS-mode DRNG further enhances this by operating deterministically post-seed, avoiding vulnerabilities inherent in some continuous-seeding designs. Configuration is handled via the gcry_random_level_t , offering levels such as GCRY_WEAK_RANDOM for low-security needs (e.g., nonces), GCRY_STRONG_RANDOM (or normal) for general cryptographic use like session keys, GCRY_VERY_STRONG_RANDOM for high-stakes operations like long-term keys, and secure variants that allocate output in tamper-resistant memory to prevent side-channel leaks. These levels allow applications to tailor randomness quality without altering the underlying PRNG .

Architecture

Core Components

Libgcrypt's architecture centers on a core engine that handles algorithm dispatching and state management through dedicated subsystems for symmetric encryption, hashing, public-key operations, and more. This engine provides a unified interface for selecting and invoking , routing requests to the appropriate implementation based on the chosen and mode. Context handles, such as gcry_cipher_hd_t for symmetric ciphers and gcry_hash_hd_t for message digests, encapsulate the operational state, including keys, initialization vectors, and partial computations, ensuring that operations like or hashing maintain continuity across multiple calls without global state pollution. These handles are created via functions like gcry_cipher_open or gcry_hash_open, used for data, and released with gcry_cipher_close or gcry_hash_close, forming an open-use-close paradigm that interconnects the subsystems efficiently. Error handling in Libgcrypt is tightly integrated with the libgpg-error library, which standardizes error codes across GnuPG components for consistent reporting. All library functions return gcry_error_t values, which combine an error source (e.g., GCRYERR_SOURCE) and a code (e.g., GPG_ERR_NO_ERROR for success or GPG_ERR_INV_VALUE for invalid arguments), allowing precise diagnosis without information loss during propagation from internal engines to the application. This integration ensures that errors from algorithm dispatching or context operations are uniformly managed, with aliases provided for libgpg-error functions to maintain namespace consistency within Libgcrypt. The library employs a reentrant design to support multi-threading, relying on user-registered callbacks to synchronize access across threads () or Pth. Thread safety is enabled by calling gcry_control(GCRYCTL_SET_THREAD_CBS, &gcry_threads_pthread) during initialization, which installs mutex operations like gcry_pthread_mutex_lock and gcry_pthread_mutex_unlock to protect shared resources such as pools and context handles. This callback mechanism allows the core engine to wrap blocking calls and coordinate with the application's threading model, ensuring that algorithm dispatching and state management remain safe in concurrent environments while avoiding inherent non-thread-safe operations like certain in-place modifications. Memory management emphasizes security through dedicated allocation functions that interconnect with the core engine and context handles. The gcry_malloc_secure function allocates memory from a protected pool designed for sensitive data, such as keys and intermediates, using constant-time wiping via gcry_free to mitigate timing attacks by preventing residual data leakage even if the operating system swaps or reuses pages. Standard allocations via gcry_malloc suffice for non-sensitive buffers, but secure memory integrates seamlessly with handles—e.g., cipher keys passed to gcry_cipher_setkey are copied into secure space if allocated accordingly—enhancing overall resistance to side-channel exploits during dispatching and processing. Applications can override these allocators via gcry_control for custom secure handling. Platform adaptations are facilitated by an Autoconf-based build system that detects and enables CPU-specific accelerations during configuration, optimizing the core engine's dispatching to hardware features like AES-NI for faster symmetric operations. The ./configure script probes for instructions such as intel-aesni, arm-aes, or ppc-altivec, compiling assembly-optimized implementations accordingly and exposing them through runtime checks via gcry_control(GCRYCTL_GET_HWFEATURES). This ensures handles leverage native accelerations transparently, with options to disable features post-build (e.g., via /etc/gcrypt/hwf.deny) for compatibility or policies, interconnecting hardware awareness across error handling, threading, and memory subsystems without altering the .

Multi-Precision Arithmetic

Libgcrypt's multi-precision (MPI) library provides the foundational arithmetic capabilities required for asymmetric , enabling operations on arbitrarily large integers through the gcry_mpi_t . This type represents multi-precision integers as opaque handles, internally structured as arrays of limbs—machine-word-sized units, typically 32 bits on 32-bit systems or 64 bits on 64-bit architectures—to facilitate efficient storage and computation. The library supports integers of arbitrary size, constrained primarily by available . The MPI library offers a comprehensive set of operations, including basic arithmetic such as via gcry_mpi_add, which computes the sum of two MPIs and stores the result in a third; through gcry_mpi_mul; and subtraction with gcry_mpi_sub. For cryptographic needs, it includes with gcry_mpi_powm, essential for like RSA and DSA, where the result is reduced a specified base; and modular inverse computation using gcry_mpi_invm, which finds the under a modulus. Primality testing is supported by gcry_prime_check, a probabilistic function using the Miller-Rabin that returns 0 if the MPI is likely prime and GPG_ERR_NO_PRIME otherwise. Allocation and deallocation are handled by gcry_mpi_new (or its secure-memory variant gcry_mpi_snew) for creating new MPIs with an optional initial bit length, and gcry_mpi_release for cleanup. The implementation consists of portable C code derived from an early version of the GNU Multi-Precision Library (GMP), extensively modified for security and reduced footprint, with assembler accelerations to enhance performance on specific architectures. For instance, benefits from optimized assembly for operations like Karatsuba multiplication, while processors utilize tailored code for Montgomery reduction, enabling faster critical for . These low-level optimizations are selectively enabled at runtime based on CPU detection, balancing portability with speed gains of up to several times over pure C implementations. Internally, the MPI library integrates seamlessly with higher-level cryptographic primitives, such as (ECC) point arithmetic—using structures like gcry_mpi_point_t built on MPIs for point addition and —and routines that rely on primality testing and modular operations to produce secure parameters. This backend ensures consistent, side-channel-resistant arithmetic across Libgcrypt's public-key algorithms.

Usage

Initialization and Configuration

To use Libgcrypt in an application, the library must first be loaded and initialized by calling the function gcry_check_version, which verifies the library version against a required minimum and performs initial subsystem setup, including for multi-threaded access. This function must be invoked as the first Libgcrypt operation, before any cryptographic functions, and it returns a string with the actual version (e.g., "1.10.2") or NULL if the version is incompatible. For example, the following code checks for a minimum version:

c

#include <gcrypt.h> if (!gcry_check_version (GCRYPT_VERSION)) { fputs ("libgcrypt is too old (need " GCRYPT_VERSION ")\n", stderr); exit (2); }

#include <gcrypt.h> if (!gcry_check_version (GCRYPT_VERSION)) { fputs ("libgcrypt is too old (need " GCRYPT_VERSION ")\n", stderr); exit (2); }

Failure to call this function early can lead to , such as warnings about missing initialization in logs. Configuration of Libgcrypt occurs primarily through the gcry_control function, which allows fine-tuning of library behavior before full operational use. To enable FIPS 140-2 mode, which restricts the library to approved algorithms and enforces stricter security checks, invoke gcry_control(GCRYCTL_FORCE_FIPS_MODE, 1) prior to gcry_check_version; this mode can also be triggered via the environment variable LIBGCRYPT_FORCE_FIPS_MODE=1 or system files like /etc/gcrypt/fips_enabled. For multi-threaded applications, is handled automatically since version 1.6, but older setups may require gcry_control(GCRYCTL_SET_THREAD_CBS, &callbacks) to register custom thread callbacks, though this is now obsolete. Hardware acceleration features, such as or VIA , can be disabled with gcry_control(GCRYCTL_DISABLE_HWF, "feature_name", NULL) before initialization to ensure portability or compliance; these features are detected via system interfaces like /proc/cpuinfo on . After configuration, signal the end of setup with gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0) to notify the that no further changes are expected. Error handling during initialization involves checking return values from these functions, which are of type gcry_error_t; a value of GPG_ERR_NO_ERROR (0) indicates success, while GPG_ERR_GENERAL (1) or other codes like GPG_ERR_ENOMEM signal failures such as version mismatches or memory allocation issues. Applications should use gcry_strerror(err) to obtain human-readable descriptions for logging or user feedback. Secure memory, used for sensitive data like keys, must be allocated early via gcry_control(GCRYCTL_INIT_SECMEM, size, 0) (e.g., 16384 bytes), potentially requiring elevated privileges on some systems, and can be disabled with GCRYCTL_DISABLE_SECMEM if not needed. For long-running applications, resource cleanup is recommended at shutdown by calling gcry_control(GCRYCTL_TERM_SECMEM, 0) to zeroize and release secure memory, ensuring sensitive data is securely wiped; this operation is safe in signal handlers or exit routines but not thread-safe. Environment variables like GCRY_DEBUG can enable debug output during setup for troubleshooting, while HOME influences default paths for configuration files such as /etc/gcrypt/. To promote locale-independent behavior, especially for error messages and string handling, applications should set LC_ALL=C before loading the library.

Programming Interfaces

Libgcrypt provides a C-based for cryptographic operations, designed for ease of use while maintaining security through secure memory allocation and error reporting. The follows a handle-based model where contexts are created for specific operations, configured, used, and then closed to ensure proper and data wiping. This interface assumes that the library has been initialized via functions like gcry_check_version and gcry_control, as detailed in prior configuration steps.

Cipher API

The symmetric cipher API enables encryption and decryption using block and stream ciphers such as AES. To perform operations, a handle is first allocated with gcry_cipher_open, which takes the algorithm ID (e.g., GCRY_CIPHER_AES), mode (e.g., GCRY_CIPHER_MODE_CBC), and flags (e.g., GCRY_CIPHER_SECURE for secure ). The function returns a gcry_error_t; success yields 0 and populates the handle pointer, while errors include invalid algorithm (GPG_ERR_INV_ALGO) or memory failure. Next, gcry_cipher_setkey configures the key by providing the handle, a key buffer, and its in bytes; it returns an if the mismatches the algorithm's requirements, such as 128–256 bits for AES. For modes requiring an (IV), gcry_cipher_setiv sets it similarly, ensuring the matches the block size (e.g., 16 bytes for AES). Encryption proceeds with gcry_cipher_encrypt, which processes input into an output buffer (or in-place if output is null), requiring input to be multiples of the block size in certain modes; it returns 0 on success or errors like buffer overlap (GPG_ERR_INV_ARG). Decryption uses gcry_cipher_decrypt analogously. Finally, gcry_cipher_close releases the , zeroizing sensitive without return value. A basic AES-256-CBC pseudocode snippet illustrates the flow:

gcry_cipher_hd_t hd; gcry_error_t err = gcry_cipher_open(&hd, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CBC, 0); if (err) { /* [handle](/page/Handle) error */ } err = gcry_cipher_setkey(hd, key, 32); err = gcry_cipher_setiv(hd, iv, 16); err = gcry_cipher_encrypt(hd, outbuf, outlen, inbuf, inlen); gcry_cipher_close(hd);

gcry_cipher_hd_t hd; gcry_error_t err = gcry_cipher_open(&hd, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CBC, 0); if (err) { /* [handle](/page/Handle) error */ } err = gcry_cipher_setkey(hd, key, 32); err = gcry_cipher_setiv(hd, iv, 16); err = gcry_cipher_encrypt(hd, outbuf, outlen, inbuf, inlen); gcry_cipher_close(hd);

Hash API

Hashing operations compute message digests using like SHA-256 via a multi-step process. gcry_md_open creates a for the specified ID (e.g., GCRY_MD_SHA256) and flags, returning an error for unsupported or allocation issues; it allows multiple in one via subsequent gcry_md_enable calls. Data is fed incrementally with gcry_md_write, which appends a buffer of given length to the digest without return value, supporting efficient streaming for large inputs. To retrieve the digest, gcry_md_read extracts the result for a specific algorithm (or the primary if unspecified), returning a pointer to the fixed-size output (e.g., 32 bytes for SHA-256) valid until the handle changes; it returns NULL if the algorithm was not enabled. The handle is freed with gcry_md_close, which zeroizes internals and ignores null inputs. This API also supports by setting the GCRY_MD_FLAG_HMAC flag and a key via gcry_md_setkey.

Public-Key API

Public-key cryptography in Libgcrypt uses S-expressions (gcry_sexp_t) to represent keys, data, and parameters, providing a structured, human-readable format for asymmetric operations like RSA. Key generation occurs with gcry_pk_genkey, which takes a parameter S-expression (e.g., (genkey (rsa (nbits 2048)))) and outputs the keypair S-expression; it returns 0 on success or errors for invalid parameters or insufficient randomness. Encryption employs gcry_pk_encrypt, passing data as an S-expression (e.g., (data (flags pkcs1)(value %m))), the public key S-expression, and receiving the ciphertext S-expression; errors include invalid key format (GPG_ERR_INV_OBJ). Decryption mirrors this with gcry_pk_decrypt using the private key, yielding the plaintext S-expression. These functions ensure padding schemes like PKCS#1 are applied correctly. A simple RSA signing pseudocode (using gcry_pk_sign analogously to encrypt) might look like:

gcry_sexp_t keypair, data_sexp, sig_sexp; gcry_pk_genkey(&keypair, parm_sexp); // parm_sexp defines RSA params gcry_sexp_build(&data_sexp, NULL, "(data (flags raw)(value %s))", hash_data); gcry_pk_sign(&sig_sexp, data_sexp, keypair); // Uses private key component gcry_sexp_release(keypair); gcry_sexp_release(data_sexp); gcry_sexp_release(sig_sexp);

gcry_sexp_t keypair, data_sexp, sig_sexp; gcry_pk_genkey(&keypair, parm_sexp); // parm_sexp defines RSA params gcry_sexp_build(&data_sexp, NULL, "(data (flags raw)(value %s))", hash_data); gcry_pk_sign(&sig_sexp, data_sexp, keypair); // Uses private key component gcry_sexp_release(keypair); gcry_sexp_release(data_sexp); gcry_sexp_release(sig_sexp);

MAC and KDF

Message authentication codes (MACs) such as and CMAC are handled through a dedicated . gcry_mac_open allocates a handle for an algorithm ID (e.g., GCRY_MAC_HMAC_SHA256 or GCRY_MAC_CMAC_AES), with flags for secure , returning an for unsupported algorithms; the key is set via gcry_mac_setkey with no length restrictions for but block-cipher aligned for CMAC. Data is processed with gcry_mac_write (similar to hashing), and the tag retrieved via gcry_mac_read; the handle closes with gcry_mac_close. For key derivation, gcry_pbkdf2 (via the general gcry_kdf_derive with GCRY_KDF_PBKDF2) derives keys from s, taking the , hash sub-algorithm (e.g., SHA-256), salt, count, and desired key size, outputting to a buffer; it enforces high s (e.g., 100,000+) for resistance to brute-force attacks and returns errors for invalid parameters like zero s.

Error Handling

All API functions return a gcry_error_t, a composite of source and code, checked via macros like gcry_err_code(err) for values such as GPG_ERR_NO_ERROR (0) or GPG_ERR_INV_VALUE for out-of-range parameters (e.g., invalid key lengths). Common issues include GPG_ERR_INV_ARG for buffer overlaps or GPG_ERR_INV_OPHR for unsupported operations on handles; descriptive strings are obtainable via gcry_strerror. Developers must verify returns immediately to prevent , with the library using libgpg-error for standardized codes across GnuPG components.

Security Considerations

Known Vulnerabilities

Libgcrypt has experienced several notable security vulnerabilities, primarily involving side-channel attacks, buffer overflows, and implementation flaws in . A heap buffer overflow vulnerability was discovered in 2021, stemming from an incorrect assumption in the block buffer management code during decryption operations, which could lead to . This issue, designated CVE-2021-3345, affected Libgcrypt version 1.9.0 and was fixed in version 1.9.1. In 2019, the C implementation of AES in Libgcrypt was found vulnerable to a flush-and-reload , as physical addresses were accessible to other processes, potentially leaking the cipher key. Known as CVE-2019-12904, this flaw impacted versions up to 1.8.4, with assembler implementations unaffected. A cache-timing on RSA key operations was identified in 2017, enabling recovery of 1024-bit RSA private keys through monitoring of cache behavior during left-to-right . This vulnerability, CVE-2017-7526, was mitigated in Libgcrypt 1.7.8 by adopting a right-to-left sliding-window method. In 2024, a timing-based side-channel in the RSA implementation was discovered, allowing a Bleichenbacher-style to recover from PKCS#1 v1.5 encrypted ciphertexts. Designated CVE-2024-2236, this affects Libgcrypt versions before 1.10.2, 1.9.1, and 1.8.8, and was fixed in those releases. These vulnerabilities were most exploitable in remote scenarios within GnuPG-based applications, such as , though no widespread breaches have been reported; they nonetheless triggered prompt security patches. Vulnerability disclosures for Libgcrypt are coordinated through the GnuPG project, with fixes developed upstream and backported to branches for broader compatibility.

Audits and Best Practices

Libgcrypt has been subject to ongoing security reviews through integration with automated testing frameworks and formal validation processes. In 2019, the library was integrated into Google's OSS-Fuzz project, enabling continuous to identify potential vulnerabilities in its and interfaces. This integration supports differential for algorithms, helping to detect implementation flaws early in development. Community-driven audits and code reviews continue via the project's repository, where contributors submit patches and security analyses. The library achieves partial compliance with standards in versions 1.4 and later, with validated configurations listed in the NIST Cryptographic Module Validation Program (CMVP) database, such as certificate #2657 for version 1.6.3. These validations cover core cryptographic functions but do not constitute full module certification, allowing Libgcrypt to be used within FIPS-certified systems like those in . More recent versions support mode, enforcing NIST-approved algorithms and self-tests, though enabling this mode does not automatically confer approval as a standalone module. Users should verify current certification status via the NIST database before deployment in regulated environments. To maximize security, enable FIPS mode explicitly for compliance-sensitive applications using runtime controls like GCRYCTL_FORCE_FIPS_MODE or environment variables such as LIBGCRYPT_FORCE_FIPS_MODE; this restricts operations to approved algorithms and requires successful self-tests on initialization. Avoid deprecated or weak algorithms, such as for hashing and DES for symmetric encryption, opting instead for stronger alternatives like SHA-256 and AES to prevent known cryptographic weaknesses. Implementations in Libgcrypt incorporate constant-time operations where possible, particularly for RSA decryption and ECC primitives, to resist timing-based side-channel attacks—developers should verify and enable these modes via configuration flags. Always validate inputs to cryptographic functions, such as key sizes and parameters, to mitigate oracle attacks and invalid data exploitation. For production deployments, update to the latest version in the 1.8 series, which includes security enhancements and bug fixes; the 1.7 series reached end-of-life in 2019. When building higher-level protocols, integrate Libgcrypt with libraries like for TLS/SSL handling, ensuring consistent cryptographic backends across components. In virtualized environments, explicitly test random number generator (RNG) entropy sources, as VMs may exhibit reduced hardware randomness—use gcry_random_bytes_secure and monitor pool quality with tools like rngd to maintain sufficient for key generation. Regularly monitor GnuPG project announcements for patches addressing newly discovered issues in Libgcrypt.

Licensing and Distribution

License Terms

Libgcrypt, the core cryptographic library, is released under the GNU Lesser General Public License version 2.1 or later (LGPLv2.1+), a permissive that explicitly allows developers to link the library into proprietary or closed-source applications without obligating the release of the application's , provided the library itself remains dynamically linked. This licensing choice facilitates broad integration into diverse software ecosystems, including commercial products, while ensuring the library's remains freely available for modification and redistribution. In contrast, the accompanying helper programs—such as tools for testing and configuration—and the associated documentation are distributed under the stricter version 2 or later (GPLv2+), which imposes requirements on any derivative works, mandating the distribution of for modifications. Key implications of the LGPLv2.1+ for users include the rights to freely redistribute the unmodified library, modify it for personal or internal use, and incorporate it into commercial offerings; however, if the library is modified and redistributed (e.g., as part of a larger software package), the modified must be made available under the same license, typically via a mechanism that allows relinking with the original or updated library. Dynamic linking preserves proprietary integrity by avoiding the need to disclose application source, whereas static linking would trigger full GPL-like obligations. As with all software, no is provided, and users assume all risk of use. This dual-licensing approach, with LGPL for the library to avoid stronger copyleft restrictions, was adopted to mirror the model of the GnuPG project—from which Libgcrypt's codebase was originally derived—while promoting wider adoption by enabling reuse in non-free software without compromising the GNU project's free software principles.

Availability and Ports

Libgcrypt source distributions are available from the official GnuPG FTP archive at gnupg.org/ftp/gcrypt/libgcrypt/, with the current stable release being version 1.11.2, issued on August 4, 2025, as the tarball libgcrypt-1.11.2.tar.bz2. Each release includes a corresponding .sig file containing a GnuPG signature, enabling users to verify the integrity and authenticity of the download using public keys from the GnuPG project. The library is widely packaged for major distributions, including Debian's libgcrypt20-dev for development files, Fedora's libgcrypt-devel package, and Alpine Linux's libgcrypt-dev, all providing version 1.11.2 in their repositories by late 2025. Libgcrypt compiles natively on and BSD platforms and supports cross-compilation for other environments, such as Windows via the MSYS2 toolchain, Android using the Native Development Kit (NDK), embedded systems including , and macOS through Homebrew; iOS builds are feasible via similar cross-compilation methods adapted from macOS toolchains. Developers can access the source code via the official repository at dev.gnupg.org/libgcrypt.git, with a web interface available for browsing, and report issues through the project's bug tracker hosted at dev.gnupg.org. Historically, Libgcrypt distributions have been hosted on GnuPG-specific mirrors rather than standard archives, a practice stemming from former U.S. export controls on cryptographic software, which were lifted in 2000.

References

  1. https://www.gnupg.org/software/libgcrypt/index.html
  2. https://www.gnupg.org/software/libraries.html
  3. https://www.gnupg.org/documentation/manuals/gcrypt/Error-Handling.html
  4. https://gnupg.org/documentation/manuals/gcrypt.pdf
  5. https://lists.gnupg.org/pipermail/gnutls-help/2016-January/004051.html
  6. https://dev.gnupg.org/T7136
  7. https://dev.gnupg.org/T3269
  8. https://lists.gnupg.org/pipermail/gnupg-announce/2024q2/000483.html
  9. https://gnupg.org/documentation/manuals/gcrypt/CSPRNG-Description.html
  10. https://www.gnupg.org/documentation/manuals/gcrypt/Random_002dNumber-Subsystem-Architecture.html
  11. https://lists.gnu.org/archive/html/info-gnu/2004-04/msg00006.html
  12. https://www.wikidata.org/wiki/Q3237868
  13. https://lists.gnupg.org/pipermail/gnutls-dev/2001-June/000121.html
  14. https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=summary
  15. https://www.gnupg.org/news.html
  16. https://gnupg.org/ftp/gcrypt/libgcrypt/
  17. https://lists.gnupg.org/pipermail/gnupg-announce/2004q2/000167.html
  18. https://lists.gnupg.org/pipermail/gnupg-announce/2007q4/000263.html
  19. https://www.gnupg.org/documentation/manuals/gcrypt-devel/Enabling-FIPS-mode.html
  20. https://lists.gnupg.org/pipermail/gnupg-announce/2011q2/000307.html
  21. https://lists.gnupg.org/pipermail/gnupg-announce/2013q4/000336.html
  22. https://lists.gnupg.org/pipermail/gnupg-announce/2016q2/000386.html
  23. https://lists.gnupg.org/pipermail/gnupg-announce/2017q3/000410.html
  24. https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000453.html
  25. https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html
  26. https://lists.gnupg.org/pipermail/gnupg-announce/2022q1/000471.html
  27. https://lists.gnu.org/archive/html/info-gnu/2022-03/msg00007.html
  28. https://www.gnupg.org/documentation/manuals/gcrypt/index.html
  29. https://www.gnupg.org/documentation/manuals/gcrypt/Available-ciphers.html
  30. https://www.gnupg.org/documentation/manuals/gcrypt/Available-cipher-modes.html
  31. https://www.gnupg.org/documentation/manuals/gcrypt/Available-hash-algorithms.html
  32. https://gnupg.org/documentation/manuals/gcrypt/Available-MAC-algorithms.html
  33. https://www.gnupg.org/documentation/manuals/gcrypt/Available-algorithms.html
  34. https://wiki.gnupg.org/ECC
  35. https://www.gnupg.org/documentation/manuals/gcrypt/Key-Derivation.html
  36. https://gnupg.org/software/libgcrypt/index.html
  37. https://www.gnupg.org/documentation/manuals/gcrypt.pdf
  38. https://www.gnupg.org/documentation/manuals/gcrypt/Random-002dNumber-Subsystem-Architecture.html
  39. https://www.gnupg.org/documentation/manuals/gcrypt/Architecture.html
  40. https://www.gnupg.org/documentation/manuals/gcrypt-devel/Multi_002dThreading.html
  41. https://www.gnupg.org/documentation/manuals/gcrypt/Memory-allocation.html
  42. https://www.gnupg.org/documentation/manuals/gcrypt/Hardware-features.html
  43. https://www.gnupg.org/documentation/manuals/gcrypt/MPI-library.html
  44. https://www.gnupg.org/documentation/manuals/gcrypt/Prime-numbers.html
  45. https://www.gnupg.org/documentation/manuals/gcrypt/
  46. https://www.gnupg.org/documentation/manuals/gcrypt/Working-with-cipher-handles.html
  47. https://www.gnupg.org/documentation/manuals/gcrypt/Working-with-hash-algorithms.html
  48. https://www.gnupg.org/documentation/manuals/gcrypt/Public-Key-cryptography.html
  49. https://www.gnupg.org/documentation/manuals/gcrypt/Working-with-MAC-algorithms.html
  50. https://www.gnupg.org/documentation/manuals/gcrypt/Error-Codes.html
  51. https://nvd.nist.gov/vuln/detail/CVE-2021-3345
  52. https://nvd.nist.gov/vuln/detail/CVE-2019-12904
  53. https://access.redhat.com/security/cve/CVE-2019-12904
  54. https://lists.gnu.org/archive/html/info-gnu/2017-07/msg00006.html
  55. https://nvd.nist.gov/vuln/detail/CVE-2024-2236
  56. https://securityaffairs.com/60677/hacking/crack-1024-bit-rsa-encryption-gnupg-library.html
  57. https://lists.gnupg.org/pipermail/gcrypt-devel/2019-May/004704.html
  58. https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/2657
  59. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/5/html/5.4_technical_notes/libgcrypt
  60. https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3902.pdf
  61. https://www.gnutls.org/manual/html_node/Cryptographic-Backend.html
  62. https://www.redhat.com/en/blog/understanding-red-hat-enterprise-linux-random-number-generator-interface
  63. https://www.gnupg.org/download/release_notes.html
  64. https://github.com/gpg/libgcrypt
  65. https://www.gnupg.org/download/integrity_check.html
  66. https://packages.debian.org/src:libgcrypt
  67. https://pkgs.alpinelinux.org/package/edge/main/x86/libgcrypt
  68. https://packages.msys2.org/package/mingw-w64-x86_64-libgcrypt
  69. https://stackoverflow.com/questions/45837496/compiling-libgcrypt-and-libgpgerror-for-android-with-cmake
  70. https://formulae.brew.sh/formula/libgcrypt
  71. https://dev.gnupg.org/projects/libgcrypt
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.