From dd3835954b637ac65e43ff6a6e0de5b900e609e0f6c906dd8a490c4bbea5b789 Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Thu, 1 May 2014 10:48:32 +0000
Subject: [PATCH] Accepting request 232207 from home:vitezslav_cizek:branches:Base:System

- add patch by Stephan Mueller which adds an option to enable legacy ciphers in FIPS mode
* added gnupg-add_legacy_FIPS_mode_option.patch (part of bnc#856312)
- added BuildRequires: makeinfo (to build info pages from the patched gnupg.texi)

OBS-URL: https://build.opensuse.org/request/show/232207
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=69
---
 gnupg-add_legacy_FIPS_mode_option.patch | 63 +++++++++++++++++++++++++
 gpg2.changes | 10 ++++
 gpg2.spec | 3 ++
 3 files changed, 76 insertions(+)
 create mode 100644 gnupg-add_legacy_FIPS_mode_option.patch

diff --git a/gnupg-add_legacy_FIPS_mode_option.patch b/gnupg-add_legacy_FIPS_mode_option.patch
new file mode 100644
index 0000000..bbaccf5
--- /dev/null
+++ b/gnupg-add_legacy_FIPS_mode_option.patch
@@ -0,0 +1,63 @@ +Index: gnupg-2.0.22/doc/gpg.texi +=================================================================== +--- gnupg-2.0.22.orig/doc/gpg.texi 2013-10-04 19:08:32.000000000 +0200 ++++ gnupg-2.0.22/doc/gpg.texi 2014-04-30 12:42:35.129468147 +0200 +@@ -1795,6 +1795,24 @@ implies, this option is for experts only + understand the implications of what it allows you to do, leave this + off. @option{--no-expert} disables this option. + ++@item --set-legacy-fips ++@itemx --set-legacy-fips ++@opindex set-legacy-fips ++Enable legacy support even when the libgcrypt library is in FIPS 140-2 ++mode. The legacy mode of libgcrypt allows the use of all ciphers, ++including non-approved ciphers. This mode is needed when for legacy ++reasons a message must be encrypted or decrypted. Legacy reasons for ++decryptions include the decryption of old messages created with a ++public key that use cipher settings which do not meet FIPS 140-2 ++requirements. Legacy reasons for encryption include the encryption ++of messages with a recipients public key where the recipient is not ++bound to FIPS 140-2 regulation and therefore provided a key using ++non-approved ciphers. Although the legacy mode is a violation of strict ++FIPS 140-2 rule interpretations, it is wise to use this mode or ++either not being able to access old messages or not being able ++to create encrypted messages to a recipient that is not adhering ++to FIPS 140-2 rules. 
++ + @end table + + +Index: gnupg-2.0.22/g10/gpg.c +=================================================================== +--- gnupg-2.0.22.orig/g10/gpg.c 2014-04-30 12:42:35.117468014 +0200 ++++ gnupg-2.0.22/g10/gpg.c 2014-04-30 12:42:35.129468147 +0200 +@@ -368,6 +368,7 @@ enum cmd_and_opt_values + oDisableDSA2, + oAllowMultipleMessages, + oNoAllowMultipleMessages, ++ oSetLegacyFips, + + oNoop + }; +@@ -744,6 +745,7 @@ static ARGPARSE_OPTS opts[] = { + ARGPARSE_s_n (oDisableDSA2, "disable-dsa2", "@"), + ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"), + ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"), ++ ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"), + + /* These two are aliases to help users of the PGP command line + product use gpg with minimal pain. Many commands are common +@@ -2948,6 +2950,13 @@ main (int argc, char **argv) + opt.flags.allow_multiple_messages=0; + break; + ++ case oSetLegacyFips: ++ if(gcry_fips_mode_active()) ++ gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG, "Enable legacy support in FIPS 140-2 mode"); ++ else ++ log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n"); ++ break; ++ + case oNoop: break; + + default: diff --git a/gpg2.changes b/gpg2.changes index 8d3ed20..0845f19 100644 --- a/gpg2.changes +++ b/gpg2.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Tue Apr 29 12:06:03 UTC 2014 - vcizek@suse.com + +- add patch by Stephan Mueller which adds an option to enable + legacy ciphers in FIPS mode + * added gnupg-add_legacy_FIPS_mode_option.patch + (part of bnc#856312) +- added BuildRequires: makeinfo (to build info pages from the + patched gnupg.texi) + ------------------------------------------------------------------- Fri Feb 14 16:14:14 UTC 2014 - vcizek@suse.com diff --git a/gpg2.spec b/gpg2.spec index ae6193e..f61cc28 100644 --- a/gpg2.spec +++ b/gpg2.spec 
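Review bot: The success path of the new `case oSetLegacyFips` takes libgcrypt out of FIPS 140-2 mode without any message from gpg itself — only the "ignored" branch calls log_info, and the string handed to gcry_control is a reason text for libgcrypt's own logging, which may or may not reach the user — so on a FIPS-configured host there is no record in gpg's output that non-approved algorithms were just enabled; add `log_info ("set-legacy-fips: inactivating libgcrypt FIPS 140-2 mode, non-approved algorithms are now allowed\n");` before the gcry_control call. Because the option is a plain entry in opts[], it will presumably also be honoured from gpg.conf, and there is no `--no-set-legacy-fips` to override it from the command line, so a single config line downgrades every invocation; the second `@itemx --set-legacy-fips` in the gpg.texi hunk merely repeats the same name and should either be dropped or become that `--no-` variant. If libgcrypt is running in enforced FIPS mode, GCRYCTL_INACTIVATE_FIPS_FLAG is, to my recollection of libgcrypt, expected to put the library into its error state rather than relax it, which is worth confirming so the option fails loudly instead of leaving gpg half-usable. The enclosing main() switch starts and ends outside the hunk.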
@@ -30,6 +30,7 @@ BuildRequires: libgcrypt-devel >= 1.4.0 BuildRequires: libgpg-error-devel >= 1.11 BuildRequires: libksba-devel >= 1.0.7 BuildRequires: libusb-devel +BuildRequires: makeinfo BuildRequires: openldap2-devel BuildRequires: readline-devel BuildRequires: zlib-devel @@ -64,6 +65,7 @@ Patch8: gnupg-set_umask_before_open_outfile.patch Patch9: gnupg-detect_FIPS_mode.patch # PATCH-FIX-OPENSUSE coolo@suse.de -- automake 1.13 already includes $SHELL Patch10: gnupg-2.0.20-automake113.diff +Patch11: gnupg-add_legacy_FIPS_mode_option.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -83,6 +85,7 @@ gpg-agent, and a keybox library. %patch8 -p1 %patch9 -p1 %patch10 -p1 +%patch11 -p1 %build autoreconf -fi
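Review bot: The new `Patch11:` line carries no provenance tag, unlike the neighbouring Patch10 which has `# PATCH-FIX-OPENSUSE coolo@suse.de -- ...`, so the spec does not record where this patch comes from or why a FIPS-relaxing change was added; put `# PATCH-FEATURE-OPENSUSE vcizek@suse.com bnc#856312 -- add --set-legacy-fips option that drops libgcrypt FIPS mode for legacy ciphers` directly above it so the rationale can be audited later.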