gpg2/gnupg-add_legacy_FIPS_mode_option.patch
Pedro Monreal Gonzalez fb0ed03b15 Accepting request 1112814 from home:pmonrealgonzalez:branches:Base:System
- Install the systemd user units in the _userunitdir [bsc#1201564]
  * Note that there is no activation by default.

- Temporarily revert back to the pre-2.4 default for key generation.
  The new rfc4880bis has been set as the default in 2.4 version and
  might create incompatible keys. Note that rfc4880bis can still
  be used with the option flag --rfc4880bis as in previous versions.
  * More info in the gnupg-devel ML:
    https://lists.gnupg.org/pipermail/gnupg-devel/2022-December/035183.html
  * Reverted commit https://dev.gnupg.org/rGcaf4b3fc16e9
  * Add gnupg-revert-rfc4880bis.patch

- Allow 8192 bit RSA keys in keygen UI when large_rsa is set
  * Add gnupg-allow-large-rsa.patch

- Fix broken GPGME QT tests: Upstream dev task dev.gnupg.org/T6313
  * The original patch has been modified to expand the changes
    also to the tests/gpgme/Makefile.in file.
  * Add gnupg-tests-Fix-tests-gpgme-for-in-source-tree-builds.patch

- Updated to require libgpg-error-devel >= 1.46
- Rebased patches:
  * gnupg-allow-import-of-previously-known-keys-even-without-UIDs.patch
  * gnupg-add_legacy_FIPS_mode_option.patch
- GnuPG 2.4.0:
  * common: Fix translations in --help for gpgrt < 1.47.
  * gpg: Do not continue the export after a cancel for the primary key.
  * gpg: Replace use of PRIu64 in log_debug.
  * Update NEWS for 2.4.0.
  * tests: Fix make check with GPGME.

OBS-URL: https://build.opensuse.org/request/show/1112814
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=289
2023-09-25 10:24:20 +00:00

---
doc/gpg.texi | 18 ++++++++++++++++++
g10/gpg.c | 9 +++++++++
2 files changed, 27 insertions(+)
Index: gnupg-2.4.0/doc/gpg.texi
===================================================================
--- gnupg-2.4.0.orig/doc/gpg.texi
+++ gnupg-2.4.0/doc/gpg.texi
@@ -2218,6 +2218,24 @@ implies, this option is for experts only
understand the implications of what it allows you to do, leave this
off. @option{--no-expert} disables this option.
+@item --set-legacy-fips
+@itemx --set-legacy-fips
+@opindex set-legacy-fips
+Enable legacy support even when the libgcrypt library is in FIPS 140-2
+mode. The legacy mode of libgcrypt allows the use of all ciphers,
+including non-approved ciphers. This mode is needed when for legacy
+reasons a message must be encrypted or decrypted. Legacy reasons for
+decryptions include the decryption of old messages created with a
+public key that use cipher settings which do not meet FIPS 140-2
+requirements. Legacy reasons for encryption include the encryption
+of messages with a recipients public key where the recipient is not
+bound to FIPS 140-2 regulation and therefore provided a key using
+non-approved ciphers. Although the legacy mode is a violation of strict
+FIPS 140-2 rule interpretations, it is wise to use this mode or
+either not being able to access old messages or not being able
+to create encrypted messages to a recipient that is not adhering
+to FIPS 140-2 rules.
+
@end table
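Review bot: `@item --set-legacy-fips` followed by `@itemx --set-legacy-fips` lists the identical option name twice; `@itemx` is for an additional form of the same entry, so either drop the `@itemx` line or put the intended alias there. The description should also state what the g10/gpg.c change does when libgcrypt is not in FIPS mode (the option is ignored with a log message), and the wording needs a pass: `recipients public key` should read `recipient's public key`, and the closing sentence `it is wise to use this mode or either not being able to access old messages` does not parse; something like `it is wiser to use this mode than to be unable to access old messages or to create encrypted messages for a recipient not adhering to FIPS 140-2 rules` reads cleanly.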
Index: gnupg-2.4.0/g10/gpg.c
===================================================================
--- gnupg-2.4.0.orig/g10/gpg.c
+++ gnupg-2.4.0/g10/gpg.c
@@ -443,6 +443,7 @@ enum cmd_and_opt_values
oForceSignKey,
oForbidGenKey,
oRequireCompliance,
+ oSetLegacyFips,
oCompatibilityFlags,
oNoop
@@ -879,6 +880,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oDigestAlgo, "digest-algo", "@"),
ARGPARSE_s_s (oCertDigestAlgo, "cert-digest-algo", "@"),
ARGPARSE_s_n (oOverrideComplianceCheck, "override-compliance-check", "@"),
+ ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"),
ARGPARSE_header (NULL, N_("Options for unattended use")),
@@ -3711,6 +3714,14 @@ main (int argc, char **argv)
opt.flags.require_compliance = 1;
break;
+ case oSetLegacyFips:
+ if(gcry_fips_mode_active())
+ gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG,
+ "Enable legacy support in FIPS 140-2 mode");
+ else
+ log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n");
+ break;
+
case oNoop: break;
default:
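Review bot: the `gcry_error_t` returned by `gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG, ...)` is discarded, so when libgcrypt declines the request (for example in its enforced FIPS mode, which it does not allow leaving) gpg carries on with legacy support not actually enabled and the user gets no diagnostic; capture the return value and `log_error` on failure, or abort, since the user asked for this mode explicitly. Minor: `if(gcry_fips_mode_active())` lacks the space before the parenthesis used throughout the file, and the fallback message calls `set-legacy-fips` a command although it is an option.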