Accepting request 1029595 from Base:System

OBS-URL: https://build.opensuse.org/request/show/1029595 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/gpg2?expand=0&rev=163
2022-10-18 10:44:45 +00:00 · 2022-10-18 10:44:45 +00:00 · c2d783816a
commit c2d783816a
parent 0fc8cb4de7 1567d49408
8 changed files with 49 additions and 89 deletions
--- a/gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
+++ b/gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
@ -1,61 +0,0 @@
 From f34b9147eb3070bce80d53febaa564164cd6c977 Mon Sep 17 00:00:00 2001
 From: NIIBE Yutaka <gniibe@fsij.org>
 Date: Wed, 13 Jul 2022 10:40:55 +0900
 Subject: [PATCH] scd:openpgp: Fix workaround for Yubikey heuristics.
 References: https://bugzilla.opensuse.org/show_bug.cgi?id=1202201
 * scd/app-openpgp.c (parse_algorithm_attribute): Handle the case
 of firmware 5.4, too.
 --
 GnuPG-bug-id: 6070
 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 ---
 scd/app-openpgp.c | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)
 diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
 index 8bb346a86..4667416df 100644
 --- a/scd/app-openpgp.c
 +++ b/scd/app-openpgp.c
@@ -6259,15 +6259,28 @@ parse_algorithm_attribute (app_t app, int keyno)
       app->app_local->keyattr[keyno].ecc.algo = *buffer;
       app->app_local->keyattr[keyno].ecc.flags = 0;
 -      if (APP_CARD(app)->cardtype == CARDTYPE_YUBIKEY
 -	  || buffer[buflen-1] == 0x00 || buffer[buflen-1] == 0xff)
 -        { /* Found "pubkey required"-byte for private key template.  */
 -          oidlen--;
 -          if (buffer[buflen-1] == 0xff)
 -            app->app_local->keyattr[keyno].ecc.flags |= ECC_FLAG_PUBKEY;
 +      if (APP_CARD(app)->cardtype == CARDTYPE_YUBIKEY)
 +        {
 +          /* Yubikey implementations vary.
 +           * Firmware version 5.2 returns "pubkey required"-byte with
 +           * 0x00, but after removal and second time insertion, it
 +           * returns bogus value there.
 +           * Firmware version 5.4 returns none.
 +           */
 +          curve = ecc_curve (buffer + 1, oidlen);
 +          if (!curve)
 +            curve = ecc_curve (buffer + 1, oidlen - 1);
 +        }
 +      else
 +        {
 +          if (buffer[buflen-1] == 0x00 || buffer[buflen-1] == 0xff)
 +            { /* Found "pubkey required"-byte for private key template.  */
 +              oidlen--;
 +              if (buffer[buflen-1] == 0xff)
 +                app->app_local->keyattr[keyno].ecc.flags |= ECC_FLAG_PUBKEY;
 +            }
 +          curve = ecc_curve (buffer + 1, oidlen);
         }
 -
 -      curve = ecc_curve (buffer + 1, oidlen);
       if (!curve)
         {
 -- 
 2.37.1
--- a/gnupg-2.3.7.tar.bz2
+++ b/gnupg-2.3.7.tar.bz2
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:ee163a5fb9ec99ffc1b18e65faef8d086800c5713d15a672ab57d3799da83669
 size 7599853
--- a/gnupg-2.3.7.tar.bz2.sig
+++ b/gnupg-2.3.7.tar.bz2.sig
--- a/gnupg-2.3.8.tar.bz2
+++ b/gnupg-2.3.8.tar.bz2
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:540b7a40e57da261fb10ef521a282e0021532a80fd023e75fb71757e8a4969ed
 size 7644926
--- a/gnupg-2.3.8.tar.bz2.sig
+++ b/gnupg-2.3.8.tar.bz2.sig
--- a/gnupg-detect_FIPS_mode.patch
+++ b/gnupg-detect_FIPS_mode.patch
@ -1,34 +1,18 @@
-Index: gnupg-2.1.1/g10/encrypt.c
+Index: gnupg-2.3.8/g10/mainproc.c
 ===================================================================
--- gnupg-2.1.1.orig/g10/encrypt.c
+--- gnupg-2.3.8.orig/g10/mainproc.c
-+++ gnupg-2.1.1/g10/encrypt.c
+++ gnupg-2.3.8/g10/mainproc.c
-@@ -783,7 +783,10 @@ encrypt_filter (void *opaque, int contro
+@@ -1011,7 +1011,12 @@ proc_plaintext( CTX c, PACKET *pkt )
                   /* Because 3DES is implicitly in the prefs, this can
                      only happen if we do not have any public keys in
                      the list.  */
 -                  efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
 +		   /* Libgcrypt manual says that gcry_version_check must be called
 +		      before calling gcry_fips_mode_active. */
 +		    gcry_check_version (NULL);
 +		    efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
                 }
               /* In case 3DES has been selected, print a warning if
 Index: gnupg-2.1.1/g10/mainproc.c
 ===================================================================
 --- gnupg-2.1.1.orig/g10/mainproc.c
 +++ gnupg-2.1.1/g10/mainproc.c
@@ -719,7 +719,12 @@ proc_plaintext( CTX c, PACKET *pkt )
          according to 2440, so hopefully it won't come up that often.
          There is no good way to specify what algorithms to use in
          that case, so these there are the historical answer. */
 -	gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
 +
 +	/* Libgcrypt manual says that gcry_version_check must be called
-+	   before calling gcry_fips_mode_active. */
+	 * before calling gcry_fips_mode_active. */
 +	gcry_check_version (NULL);
-+	if( !gcry_fips_mode_active() )
+	if(!gcry_fips_mode_active())
-+	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
+	  gcry_md_enable(c->mfx.md, DIGEST_ALGO_RMD160);
 	gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
     }
   if (DBG_HASHING)
--- a/gpg2.changes
+++ b/gpg2.changes
@ -1,3 +1,41 @@
 -------------------------------------------------------------------
 Mon Oct 17 11:35:11 UTC 2022 - Pedro Monreal <pmonreal@suse.com>
 - GnuPG 2.3.8:
  * gpg: Do not consider unknown public keys as non-compliant while
    decrypting.
  * gpg: Avoid to emit a compliance mode line if Libgcrypt is
    non-compliant.
  * gpg: Improve --edit-key setpref command to ease c+p.
  * gpg: Emit an ERROR status if --quick-set-primary-uid fails and
    allow to pass the user ID by hash.
  * gpg: Actually show symmetric+pubkey encrypted data as de-vs
    compliant.  Add extra compliance checks for symkey_enc packets.
  * gpg: In de-vs mode use SHA-256 instead of SHA-1 as implicit
    preference.
  * gpgsm: Fix reporting of bad passphrase error during PKCS#11
    import.
  * agent: Fix a regression in "READKEY --format=ssh".
  * agent: New option --need-attr for KEYINFO.
  * agent: New attribute "Remote-list" for use by KEYINFO.
  * scd: Fix problem with Yubikey 5.4 firmware.
  * dirmngr: Fix CRL Distribution Point fallback to other schemes.
  * dirmngr: New LDAP server flag "areconly" (A-record-only).
  * dirmngr: Fix upload of multiple keys for an LDAP server specified
    using the colon format.
  * dirmngr: Use LDAP schema v2 when a Base DN is specified.
  * dirmngr: Avoid caching expired certificates.
  * wkd: Fix path traversal attack in gpg-wks-server. Add the mail
    address to the pending request data.
  * wkd: New command --mirror for gpg-wks-client.
  * gpg-auth: New tool for authentication.
  * New common.conf option no-autostart.
  * Silence warnings from AllowSetForegroundWindow unless
    GNUPG_EXEC_DEBUG_FLAGS is used.
  * Rebase gnupg-detect_FIPS_mode.patch
  * Remove patch upstream:
    - gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
 -------------------------------------------------------------------
 Mon Aug  8 18:00:44 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>
--- a/gpg2.spec
+++ b/gpg2.spec
@ -17,7 +17,7 @@
 Name:           gpg2
-Version:        2.3.7
+Version:        2.3.8
 Release:        0
 Summary:        File encryption, decryption, signature creation and verification utility
 License:        GPL-3.0-or-later
@ -39,7 +39,6 @@ Patch7:         gnupg-2.2.16-secmem.patch
 Patch8:         gnupg-accept_subkeys_with_a_good_revocation_but_no_self-sig_during_import.patch
 Patch9:         gnupg-add-test-cases-for-import-without-uid.patch
 Patch10:        gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
 Patch11:        gnupg-2.3.7-scd-openpgp-Fix-workaround-for-Yubikey-heuristics.patch
 BuildRequires:  expect
 BuildRequires:  fdupes
 BuildRequires:  ibmswtpm2