gpg2/gnupg-add_legacy_FIPS_mode_option.patch
Pedro Monreal Gonzalez 90cb1f61d3 Accepting request 1046530 from home:david.anes:branches:Base:System
- Updated to require libgpg-error-devel >= 1.46
- Rebased patches:
  * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
  * gnupg-add_legacy_FIPS_mode_option.patch
- GnuPG 2.4.0:
  * common: Fix translations in --help for gpgrt < 1.47.
  * gpg: Do not continue the export after a cancel for the primary key.
  * gpg: Replace use of PRIu64 in log_debug.
  * Update NEWS for 2.4.0.
  * tests: Fix make check with GPGME.
  * agent: Allow arguments to "scd serialno" in restricted mode.
  * scd:p15: Skip deleted records.
  * build: Remove Windows CE support.
  * wkd: Do not send/install/mirror expired user ids.
  * gpgsm: Print the revocation time also with --verify.
  * gpgsm: Fix "problem re-searching certificate" case.
  * gpgsm: Print revocation date and reason in cert listings.
  * gpgsm: Silence the "non-critical certificate policy not allowed".
  * gpgsm: Always use the chain model if the root-CA requests this.
  * gpg: New export option "mode1003".
  * gpg: Remove a mostly duplicated function.
  * tests: Simplify fake-pinentry to use the option only.
  * tests: Fix fake-pinentry for Windows.
  * tests: Fix make check-all.
  * agent: Fix import of protected v5 keys.
  * gpgsm: Change default algo to AES-256.
  * tests: Put a workaround for semihosted environment.
  * tests: More fix for semihosted environment.
  * tests: Support semihosted environment.
  * tests: Fix tests under cms.

OBS-URL: https://build.opensuse.org/request/show/1046530
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=282
2023-01-03 14:26:43 +00:00

---
doc/gpg.texi | 18 ++++++++++++++++++
g10/gpg.c | 9 +++++++++
2 files changed, 27 insertions(+)
Index: gnupg-2.4.0/doc/gpg.texi
===================================================================
--- gnupg-2.4.0.orig/doc/gpg.texi
+++ gnupg-2.4.0/doc/gpg.texi
@@ -2218,6 +2218,24 @@ implies, this option is for experts only
understand the implications of what it allows you to do, leave this
off. @option{--no-expert} disables this option.
+@item --set-legacy-fips
+@itemx --set-legacy-fips
+@opindex set-legacy-fips
+Enable legacy support even when the libgcrypt library is in FIPS 140-2
+mode. The legacy mode of libgcrypt allows the use of all ciphers,
+including non-approved ciphers. This mode is needed when for legacy
+reasons a message must be encrypted or decrypted. Legacy reasons for
+decryptions include the decryption of old messages created with a
+public key that use cipher settings which do not meet FIPS 140-2
+requirements. Legacy reasons for encryption include the encryption
+of messages with a recipients public key where the recipient is not
+bound to FIPS 140-2 regulation and therefore provided a key using
+non-approved ciphers. Although the legacy mode is a violation of strict
+FIPS 140-2 rule interpretations, it is wise to use this mode or
+either not being able to access old messages or not being able
+to create encrypted messages to a recipient that is not adhering
+to FIPS 140-2 rules.
+
@end table
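Review bot: the `@itemx --set-legacy-fips` line repeats the exact name already given by `@item --set-legacy-fips`; `@itemx` is for an alternative spelling of the same option, so either drop that line or put the real alias there. The closing sentence of the description is also ungrammatical ("it is wise to use this mode or either not being able to access old messages or not being able to create encrypted messages") and should say what the alternative is, for example "the alternative is either not being able to access old messages or not being able to encrypt to a recipient who does not adhere to FIPS 140-2 rules"; and "a recipients public key" should read "a recipient's public key". Two facts from the g10/gpg.c part of this patch belong in the text as well: the option only writes a log message and has no effect when libgcrypt is not in FIPS mode, and when it does take effect it disables FIPS enforcement for the whole gpg process, not just for the one message being handled.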
Index: gnupg-2.4.0/g10/gpg.c
===================================================================
--- gnupg-2.4.0.orig/g10/gpg.c
+++ gnupg-2.4.0/g10/gpg.c
@@ -443,6 +443,7 @@ enum cmd_and_opt_values
oForceSignKey,
oForbidGenKey,
oRequireCompliance,
+ oSetLegacyFips,
oCompatibilityFlags,
oNoop
@@ -879,6 +880,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oDigestAlgo, "digest-algo", "@"),
ARGPARSE_s_s (oCertDigestAlgo, "cert-digest-algo", "@"),
ARGPARSE_s_n (oOverrideComplianceCheck, "override-compliance-check", "@"),
+ ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"),
ARGPARSE_header (NULL, N_("Options for unattended use")),
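Review bot: the option is registered with the "@" placeholder, so it stays hidden from `gpg --help` although the doc/gpg.texi hunk documents it as a regular user option; that matches the neighbouring `override-compliance-check` entry, and hiding a switch that turns off FIPS enforcement is defensible, but make it a deliberate choice and say so in the commit message. If it is meant to be discoverable, give it a short description here instead of "@".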
@@ -3711,6 +3713,14 @@ main (int argc, char **argv)
opt.flags.require_compliance = 1;
break;
+ case oSetLegacyFips:
+ if(gcry_fips_mode_active())
+ gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG,
+ "Enable legacy support in FIPS 140-2 mode");
+ else
+ log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n");
+ break;
+
case oNoop: break;
default:
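Review bot: the result of `gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG, ...)` is discarded and nothing is logged on the success path, so the user cannot tell whether FIPS enforcement was actually switched off; libgcrypt may refuse the request (in an enforced FIPS mode the flag cannot simply be cleared), and in that case the next cryptographic operation fails with an unrelated error. Check the return value, re-test `gcry_fips_mode_active()` after the call, and emit a log line in both outcomes so that a run with FIPS enforcement disabled is visible in the audit trail. The `else` branch message calls it "Command set-legacy-fips" although it is an option, and should be wrapped in `_()` like the other user-visible messages in this file. Because this case sits in the general option loop, the switch is honoured from gpg.conf as well as from the command line, which means one line in a config file silently disables FIPS enforcement for every invocation; decide whether that is intended or whether the option should be restricted to the command line. Minor style point: `if(gcry_fips_mode_active())` is missing the space before the parenthesis that the surrounding code uses (compare `gcry_control (` on the next line).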