gpg2/gnupg-detect_FIPS_mode.patch

Index: gnupg-2.1.0/g10/encrypt.c
===================================================================
--- gnupg-2.1.0.orig/g10/encrypt.c	2014-11-06 18:27:35.176659675 +0100
+++ gnupg-2.1.0/g10/encrypt.c	2014-11-06 18:29:10.987883901 +0100
@@ -783,7 +783,10 @@ encrypt_filter (void *opaque, int contro
                   /* Because 3DES is implicitly in the prefs, this can
                      only happen if we do not have any public keys in
                      the list.  */
-                  efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
+		   /* Libgcrypt manual says that gcry_version_check must be called
+		      before calling gcry_fips_mode_active. */
+		    gcry_check_version (NULL);
+		    efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
                 }
 
               /* In case 3DES has been selected, print a warning if
Index: gnupg-2.1.0/g10/mainproc.c
===================================================================
--- gnupg-2.1.0.orig/g10/mainproc.c	2014-11-06 18:27:33.243634973 +0100
+++ gnupg-2.1.0/g10/mainproc.c	2014-11-06 18:27:35.178659700 +0100
@@ -690,9 +690,15 @@ proc_plaintext( CTX c, PACKET *pkt )
 	   often.  There is no good way to specify what algorithms to
 	   use in that case, so these three are the historical
 	   answer. */
-	gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
+
+	/* Libgcrypt manual says that gcry_version_check must be called
+	   before calling gcry_fips_mode_active. */
+	gcry_check_version (NULL);
+	if( !gcry_fips_mode_active() )
+	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
 	gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );
-	gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
+	if( !gcry_fips_mode_active() )
+	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
       }
     if (opt.pgp2_workarounds && only_md5 && !opt.skip_verify
         && opt.flags.allow_weak_digest_algos) {
Accepting request 260826 from home:vitezslav_cizek:branches:Base:System - upgrade to 2.1.0 (modern) - The file "secring.gpg" is not anymore used to store the secret keys. Merging of secret keys is now supported. - All support for PGP-2 keys has been removed for security reasons. - The standard key generation interface is now much leaner. This will help a new user to quickly generate a suitable key. - Support for Elliptic Curve Cryptography (ECC) is now available. - Commands to create and sign keys from the command line without any extra prompts are now available. - The Pinentry may now show the new passphrase entry and the passphrase confirmation entry in one dialog. - There is no more need to manually start the gpg-agent. It is now started by any part of GnuPG as needed. - Problems with importing keys with the same long key id have been addressed. - The Dirmngr is now part of GnuPG proper and also takes care of accessing keyserver. - Keyserver pools are now handled in a smarter way. - A new format for locally storing the public keys is now used. This considerable speeds up operations on large keyrings. - Revocation certificates are now created by default. - Card support has been updated, new readers and token types are supported. - The format of the key listing has been changed to better identify the properties of a key. - The gpg-agent may now be used on Windows as a Pageant replacement for Putty in the same way it is used for years on Unix as ssh-agent replacement. - Creation of X.509 certificates has been improved. It is now also possible to export them directly in PKCS#8 and PEM format for use OBS-URL: https://build.opensuse.org/request/show/260826 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=79 2014-11-11 11:52:31 +01:00			`Index: gnupg-2.1.0/g10/encrypt.c`
Accepting request 175573 from home:vitezslav_cizek:branches:Base:System - set safe umask before creating a plaintext file (bnc#780943) added gpg2-set_umask_before_open_outfile.patch - select proper ciphers when running in FIPS mode (bnc#808958) added gnupg-detect_FIPS_mode.patch OBS-URL: https://build.opensuse.org/request/show/175573 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=56 2013-05-16 12:06:39 +02:00			`===================================================================`
Accepting request 260826 from home:vitezslav_cizek:branches:Base:System - upgrade to 2.1.0 (modern) - The file "secring.gpg" is not anymore used to store the secret keys. Merging of secret keys is now supported. - All support for PGP-2 keys has been removed for security reasons. - The standard key generation interface is now much leaner. This will help a new user to quickly generate a suitable key. - Support for Elliptic Curve Cryptography (ECC) is now available. - Commands to create and sign keys from the command line without any extra prompts are now available. - The Pinentry may now show the new passphrase entry and the passphrase confirmation entry in one dialog. - There is no more need to manually start the gpg-agent. It is now started by any part of GnuPG as needed. - Problems with importing keys with the same long key id have been addressed. - The Dirmngr is now part of GnuPG proper and also takes care of accessing keyserver. - Keyserver pools are now handled in a smarter way. - A new format for locally storing the public keys is now used. This considerable speeds up operations on large keyrings. - Revocation certificates are now created by default. - Card support has been updated, new readers and token types are supported. - The format of the key listing has been changed to better identify the properties of a key. - The gpg-agent may now be used on Windows as a Pageant replacement for Putty in the same way it is used for years on Unix as ssh-agent replacement. - Creation of X.509 certificates has been improved. It is now also possible to export them directly in PKCS#8 and PEM format for use OBS-URL: https://build.opensuse.org/request/show/260826 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=79 2014-11-11 11:52:31 +01:00			`--- gnupg-2.1.0.orig/g10/encrypt.c 2014-11-06 18:27:35.176659675 +0100`
			`+++ gnupg-2.1.0/g10/encrypt.c 2014-11-06 18:29:10.987883901 +0100`
			`@@ -783,7 +783,10 @@ encrypt_filter (void *opaque, int contro`
			`/* Because 3DES is implicitly in the prefs, this can`
			`only happen if we do not have any public keys in`
			`the list. */`
			`- efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;`
Accepting request 175573 from home:vitezslav_cizek:branches:Base:System - set safe umask before creating a plaintext file (bnc#780943) added gpg2-set_umask_before_open_outfile.patch - select proper ciphers when running in FIPS mode (bnc#808958) added gnupg-detect_FIPS_mode.patch OBS-URL: https://build.opensuse.org/request/show/175573 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=56 2013-05-16 12:06:39 +02:00			`+ /* Libgcrypt manual says that gcry_version_check must be called`
			`+ before calling gcry_fips_mode_active. */`
			`+ gcry_check_version (NULL);`
			`+ efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;`
			`}`

Accepting request 260826 from home:vitezslav_cizek:branches:Base:System - upgrade to 2.1.0 (modern) - The file "secring.gpg" is not anymore used to store the secret keys. Merging of secret keys is now supported. - All support for PGP-2 keys has been removed for security reasons. - The standard key generation interface is now much leaner. This will help a new user to quickly generate a suitable key. - Support for Elliptic Curve Cryptography (ECC) is now available. - Commands to create and sign keys from the command line without any extra prompts are now available. - The Pinentry may now show the new passphrase entry and the passphrase confirmation entry in one dialog. - There is no more need to manually start the gpg-agent. It is now started by any part of GnuPG as needed. - Problems with importing keys with the same long key id have been addressed. - The Dirmngr is now part of GnuPG proper and also takes care of accessing keyserver. - Keyserver pools are now handled in a smarter way. - A new format for locally storing the public keys is now used. This considerable speeds up operations on large keyrings. - Revocation certificates are now created by default. - Card support has been updated, new readers and token types are supported. - The format of the key listing has been changed to better identify the properties of a key. - The gpg-agent may now be used on Windows as a Pageant replacement for Putty in the same way it is used for years on Unix as ssh-agent replacement. - Creation of X.509 certificates has been improved. It is now also possible to export them directly in PKCS#8 and PEM format for use OBS-URL: https://build.opensuse.org/request/show/260826 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=79 2014-11-11 11:52:31 +01:00			`/* In case 3DES has been selected, print a warning if`
			`Index: gnupg-2.1.0/g10/mainproc.c`
Accepting request 175573 from home:vitezslav_cizek:branches:Base:System - set safe umask before creating a plaintext file (bnc#780943) added gpg2-set_umask_before_open_outfile.patch - select proper ciphers when running in FIPS mode (bnc#808958) added gnupg-detect_FIPS_mode.patch OBS-URL: https://build.opensuse.org/request/show/175573 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=56 2013-05-16 12:06:39 +02:00			`===================================================================`
Accepting request 260826 from home:vitezslav_cizek:branches:Base:System - upgrade to 2.1.0 (modern) - The file "secring.gpg" is not anymore used to store the secret keys. Merging of secret keys is now supported. - All support for PGP-2 keys has been removed for security reasons. - The standard key generation interface is now much leaner. This will help a new user to quickly generate a suitable key. - Support for Elliptic Curve Cryptography (ECC) is now available. - Commands to create and sign keys from the command line without any extra prompts are now available. - The Pinentry may now show the new passphrase entry and the passphrase confirmation entry in one dialog. - There is no more need to manually start the gpg-agent. It is now started by any part of GnuPG as needed. - Problems with importing keys with the same long key id have been addressed. - The Dirmngr is now part of GnuPG proper and also takes care of accessing keyserver. - Keyserver pools are now handled in a smarter way. - A new format for locally storing the public keys is now used. This considerable speeds up operations on large keyrings. - Revocation certificates are now created by default. - Card support has been updated, new readers and token types are supported. - The format of the key listing has been changed to better identify the properties of a key. - The gpg-agent may now be used on Windows as a Pageant replacement for Putty in the same way it is used for years on Unix as ssh-agent replacement. - Creation of X.509 certificates has been improved. It is now also possible to export them directly in PKCS#8 and PEM format for use OBS-URL: https://build.opensuse.org/request/show/260826 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=79 2014-11-11 11:52:31 +01:00			`--- gnupg-2.1.0.orig/g10/mainproc.c 2014-11-06 18:27:33.243634973 +0100`
			`+++ gnupg-2.1.0/g10/mainproc.c 2014-11-06 18:27:35.178659700 +0100`
			`@@ -690,9 +690,15 @@ proc_plaintext( CTX c, PACKET *pkt )`
Accepting request 175573 from home:vitezslav_cizek:branches:Base:System - set safe umask before creating a plaintext file (bnc#780943) added gpg2-set_umask_before_open_outfile.patch - select proper ciphers when running in FIPS mode (bnc#808958) added gnupg-detect_FIPS_mode.patch OBS-URL: https://build.opensuse.org/request/show/175573 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=56 2013-05-16 12:06:39 +02:00			`often. There is no good way to specify what algorithms to`
			`use in that case, so these three are the historical`
			`answer. */`
			`- gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );`
			`+`
			`+ /* Libgcrypt manual says that gcry_version_check must be called`
			`+ before calling gcry_fips_mode_active. */`
			`+ gcry_check_version (NULL);`
			`+ if( !gcry_fips_mode_active() )`
			`+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );`
			`gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );`
			`- gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );`
			`+ if( !gcry_fips_mode_active() )`
			`+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );`
			`}`
Accepting request 260826 from home:vitezslav_cizek:branches:Base:System - upgrade to 2.1.0 (modern) - The file "secring.gpg" is not anymore used to store the secret keys. Merging of secret keys is now supported. - All support for PGP-2 keys has been removed for security reasons. - The standard key generation interface is now much leaner. This will help a new user to quickly generate a suitable key. - Support for Elliptic Curve Cryptography (ECC) is now available. - Commands to create and sign keys from the command line without any extra prompts are now available. - The Pinentry may now show the new passphrase entry and the passphrase confirmation entry in one dialog. - There is no more need to manually start the gpg-agent. It is now started by any part of GnuPG as needed. - Problems with importing keys with the same long key id have been addressed. - The Dirmngr is now part of GnuPG proper and also takes care of accessing keyserver. - Keyserver pools are now handled in a smarter way. - A new format for locally storing the public keys is now used. This considerable speeds up operations on large keyrings. - Revocation certificates are now created by default. - Card support has been updated, new readers and token types are supported. - The format of the key listing has been changed to better identify the properties of a key. - The gpg-agent may now be used on Windows as a Pageant replacement for Putty in the same way it is used for years on Unix as ssh-agent replacement. - Creation of X.509 certificates has been improved. It is now also possible to export them directly in PKCS#8 and PEM format for use OBS-URL: https://build.opensuse.org/request/show/260826 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=79 2014-11-11 11:52:31 +01:00			`if (opt.pgp2_workarounds && only_md5 && !opt.skip_verify`
			`&& opt.flags.allow_weak_digest_algos) {`