pool/gpg2
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 232310 from Base:System

Browse Source 
- add patch by Stephan Mueller which adds an option to enable
  legacy ciphers in FIPS mode
  * added gnupg-add_legacy_FIPS_mode_option.patch
  (part of bnc#856312)
- added BuildRequires: makeinfo (to build info pages from the
  patched gnupg.texi) (forwarded request 232207 from vitezslav_cizek)

OBS-URL: https://build.opensuse.org/request/show/232310
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=75
This commit is contained in:
Stephan Kulow 2014-05-02 17:21:25 +00:00 committed by Git OBS Bridge
commit 90a9368344
3 changed files with 76 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
gnupg-add_legacy_FIPS_mode_option.patch Normal file
View File

@ -0,0 +1,63 @@
Index: gnupg-2.0.22/doc/gpg.texi
===================================================================
--- gnupg-2.0.22.orig/doc/gpg.texi 2013-10-04 19:08:32.000000000 +0200
+++ gnupg-2.0.22/doc/gpg.texi 2014-04-30 12:42:35.129468147 +0200
@@ -1795,6 +1795,24 @@ implies, this option is for experts only
understand the implications of what it allows you to do, leave this
off. @option{--no-expert} disables this option.
+@item --set-legacy-fips
+@itemx --set-legacy-fips
+@opindex set-legacy-fips
+Enable legacy support even when the libgcrypt library is in FIPS 140-2
+mode. The legacy mode of libgcrypt allows the use of all ciphers,
+including non-approved ciphers. This mode is needed when for legacy
+reasons a message must be encrypted or decrypted. Legacy reasons for
+decryptions include the decryption of old messages created with a
+public key that use cipher settings which do not meet FIPS 140-2
+requirements. Legacy reasons for encryption include the encryption
+of messages with a recipients public key where the recipient is not
+bound to FIPS 140-2 regulation and therefore provided a key using
+non-approved ciphers. Although the legacy mode is a violation of strict
+FIPS 140-2 rule interpretations, it is wise to use this mode or
+either not being able to access old messages or not being able
+to create encrypted messages to a recipient that is not adhering
+to FIPS 140-2 rules.
+
@end table
Index: gnupg-2.0.22/g10/gpg.c
===================================================================
--- gnupg-2.0.22.orig/g10/gpg.c 2014-04-30 12:42:35.117468014 +0200
+++ gnupg-2.0.22/g10/gpg.c 2014-04-30 12:42:35.129468147 +0200
@@ -368,6 +368,7 @@ enum cmd_and_opt_values
oDisableDSA2,
oAllowMultipleMessages,
oNoAllowMultipleMessages,
+ oSetLegacyFips,
oNoop
};
@@ -744,6 +745,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_n (oDisableDSA2, "disable-dsa2", "@"),
ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"),
ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
+ ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"),
/* These two are aliases to help users of the PGP command line
product use gpg with minimal pain. Many commands are common
@@ -2948,6 +2950,13 @@ main (int argc, char **argv)
opt.flags.allow_multiple_messages=0;
break;
+ case oSetLegacyFips:
+ if(gcry_fips_mode_active())
+ gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG, "Enable legacy support in FIPS 140-2 mode");
+ else
+ log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n");
+ break;
+
case oNoop: break;
default:

10
gpg2.changes
View File

@ -1,3 +1,13 @@
-------------------------------------------------------------------
Tue Apr 29 12:06:03 UTC 2014 - vcizek@suse.com
- add patch by Stephan Mueller which adds an option to enable
legacy ciphers in FIPS mode
* added gnupg-add_legacy_FIPS_mode_option.patch
(part of bnc#856312)
- added BuildRequires: makeinfo (to build info pages from the
patched gnupg.texi)
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Feb 14 16:14:14 UTC 2014 - vcizek@suse.com Fri Feb 14 16:14:14 UTC 2014 - vcizek@suse.com

3
gpg2.spec
View File

@ -30,6 +30,7 @@ BuildRequires: libgcrypt-devel >= 1.4.0
BuildRequires: libgpg-error-devel >= 1.11 BuildRequires: libgpg-error-devel >= 1.11
BuildRequires: libksba-devel >= 1.0.7 BuildRequires: libksba-devel >= 1.0.7
BuildRequires: libusb-devel BuildRequires: libusb-devel
BuildRequires: makeinfo
BuildRequires: openldap2-devel BuildRequires: openldap2-devel
BuildRequires: readline-devel BuildRequires: readline-devel
BuildRequires: zlib-devel BuildRequires: zlib-devel
@ -64,6 +65,7 @@ Patch8: gnupg-set_umask_before_open_outfile.patch
Patch9: gnupg-detect_FIPS_mode.patch Patch9: gnupg-detect_FIPS_mode.patch
# PATCH-FIX-OPENSUSE coolo@suse.de -- automake 1.13 already includes $SHELL # PATCH-FIX-OPENSUSE coolo@suse.de -- automake 1.13 already includes $SHELL
Patch10: gnupg-2.0.20-automake113.diff Patch10: gnupg-2.0.20-automake113.diff
Patch11: gnupg-add_legacy_FIPS_mode_option.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
@ -83,6 +85,7 @@ gpg-agent, and a keybox library.
%patch8 -p1 %patch8 -p1
%patch9 -p1 %patch9 -p1
%patch10 -p1 %patch10 -p1
%patch11 -p1
%build %build
autoreconf -fi autoreconf -fi