gpg2/gnupg-detect_FIPS_mode.patch

Index: gnupg-2.1.1/g10/encrypt.c
===================================================================
--- gnupg-2.1.1.orig/g10/encrypt.c
+++ gnupg-2.1.1/g10/encrypt.c
@@ -783,7 +783,10 @@ encrypt_filter (void *opaque, int contro
                   /* Because 3DES is implicitly in the prefs, this can
                      only happen if we do not have any public keys in
                      the list.  */
-                  efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
+		   /* Libgcrypt manual says that gcry_version_check must be called
+		      before calling gcry_fips_mode_active. */
+		    gcry_check_version (NULL);
+		    efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
                 }
 
               /* In case 3DES has been selected, print a warning if
Index: gnupg-2.1.1/g10/mainproc.c
===================================================================
--- gnupg-2.1.1.orig/g10/mainproc.c
+++ gnupg-2.1.1/g10/mainproc.c
@@ -719,7 +719,12 @@ proc_plaintext( CTX c, PACKET *pkt )
          according to 2440, so hopefully it won't come up that often.
          There is no good way to specify what algorithms to use in
          that case, so these there are the historical answer. */
-	gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
+
+	/* Libgcrypt manual says that gcry_version_check must be called
+	   before calling gcry_fips_mode_active. */
+	gcry_check_version (NULL);
+	if( !gcry_fips_mode_active() )
+	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
 	gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
     }
   if (DBG_HASHING)
Accepting request 266475 from home:AndreasStieger:branches:Base:System gnupg 2.1.1 OBS-URL: https://build.opensuse.org/request/show/266475 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=90 2014-12-29 07:05:14 +01:00			`Index: gnupg-2.1.1/g10/encrypt.c`
Accepting request 175573 from home:vitezslav_cizek:branches:Base:System - set safe umask before creating a plaintext file (bnc#780943) added gpg2-set_umask_before_open_outfile.patch - select proper ciphers when running in FIPS mode (bnc#808958) added gnupg-detect_FIPS_mode.patch OBS-URL: https://build.opensuse.org/request/show/175573 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=56 2013-05-16 12:06:39 +02:00			`===================================================================`
Accepting request 266475 from home:AndreasStieger:branches:Base:System gnupg 2.1.1 OBS-URL: https://build.opensuse.org/request/show/266475 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=90 2014-12-29 07:05:14 +01:00			`--- gnupg-2.1.1.orig/g10/encrypt.c`
			`+++ gnupg-2.1.1/g10/encrypt.c`
Accepting request 260826 from home:vitezslav_cizek:branches:Base:System - upgrade to 2.1.0 (modern) - The file "secring.gpg" is not anymore used to store the secret keys. Merging of secret keys is now supported. - All support for PGP-2 keys has been removed for security reasons. - The standard key generation interface is now much leaner. This will help a new user to quickly generate a suitable key. - Support for Elliptic Curve Cryptography (ECC) is now available. - Commands to create and sign keys from the command line without any extra prompts are now available. - The Pinentry may now show the new passphrase entry and the passphrase confirmation entry in one dialog. - There is no more need to manually start the gpg-agent. It is now started by any part of GnuPG as needed. - Problems with importing keys with the same long key id have been addressed. - The Dirmngr is now part of GnuPG proper and also takes care of accessing keyserver. - Keyserver pools are now handled in a smarter way. - A new format for locally storing the public keys is now used. This considerable speeds up operations on large keyrings. - Revocation certificates are now created by default. - Card support has been updated, new readers and token types are supported. - The format of the key listing has been changed to better identify the properties of a key. - The gpg-agent may now be used on Windows as a Pageant replacement for Putty in the same way it is used for years on Unix as ssh-agent replacement. - Creation of X.509 certificates has been improved. It is now also possible to export them directly in PKCS#8 and PEM format for use OBS-URL: https://build.opensuse.org/request/show/260826 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=79 2014-11-11 11:52:31 +01:00			`@@ -783,7 +783,10 @@ encrypt_filter (void *opaque, int contro`
			`/* Because 3DES is implicitly in the prefs, this can`
			`only happen if we do not have any public keys in`
			`the list. */`
			`- efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;`
Accepting request 175573 from home:vitezslav_cizek:branches:Base:System - set safe umask before creating a plaintext file (bnc#780943) added gpg2-set_umask_before_open_outfile.patch - select proper ciphers when running in FIPS mode (bnc#808958) added gnupg-detect_FIPS_mode.patch OBS-URL: https://build.opensuse.org/request/show/175573 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=56 2013-05-16 12:06:39 +02:00			`+ /* Libgcrypt manual says that gcry_version_check must be called`
			`+ before calling gcry_fips_mode_active. */`
			`+ gcry_check_version (NULL);`
			`+ efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;`
			`}`

Accepting request 260826 from home:vitezslav_cizek:branches:Base:System - upgrade to 2.1.0 (modern) - The file "secring.gpg" is not anymore used to store the secret keys. Merging of secret keys is now supported. - All support for PGP-2 keys has been removed for security reasons. - The standard key generation interface is now much leaner. This will help a new user to quickly generate a suitable key. - Support for Elliptic Curve Cryptography (ECC) is now available. - Commands to create and sign keys from the command line without any extra prompts are now available. - The Pinentry may now show the new passphrase entry and the passphrase confirmation entry in one dialog. - There is no more need to manually start the gpg-agent. It is now started by any part of GnuPG as needed. - Problems with importing keys with the same long key id have been addressed. - The Dirmngr is now part of GnuPG proper and also takes care of accessing keyserver. - Keyserver pools are now handled in a smarter way. - A new format for locally storing the public keys is now used. This considerable speeds up operations on large keyrings. - Revocation certificates are now created by default. - Card support has been updated, new readers and token types are supported. - The format of the key listing has been changed to better identify the properties of a key. - The gpg-agent may now be used on Windows as a Pageant replacement for Putty in the same way it is used for years on Unix as ssh-agent replacement. - Creation of X.509 certificates has been improved. It is now also possible to export them directly in PKCS#8 and PEM format for use OBS-URL: https://build.opensuse.org/request/show/260826 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=79 2014-11-11 11:52:31 +01:00			`/* In case 3DES has been selected, print a warning if`
Accepting request 266475 from home:AndreasStieger:branches:Base:System gnupg 2.1.1 OBS-URL: https://build.opensuse.org/request/show/266475 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=90 2014-12-29 07:05:14 +01:00			`Index: gnupg-2.1.1/g10/mainproc.c`
Accepting request 175573 from home:vitezslav_cizek:branches:Base:System - set safe umask before creating a plaintext file (bnc#780943) added gpg2-set_umask_before_open_outfile.patch - select proper ciphers when running in FIPS mode (bnc#808958) added gnupg-detect_FIPS_mode.patch OBS-URL: https://build.opensuse.org/request/show/175573 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=56 2013-05-16 12:06:39 +02:00			`===================================================================`
Accepting request 266475 from home:AndreasStieger:branches:Base:System gnupg 2.1.1 OBS-URL: https://build.opensuse.org/request/show/266475 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=90 2014-12-29 07:05:14 +01:00			`--- gnupg-2.1.1.orig/g10/mainproc.c`
			`+++ gnupg-2.1.1/g10/mainproc.c`
			`@@ -719,7 +719,12 @@ proc_plaintext( CTX c, PACKET *pkt )`
			`according to 2440, so hopefully it won't come up that often.`
			`There is no good way to specify what algorithms to use in`
			`that case, so these there are the historical answer. */`
			`- gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);`
Accepting request 175573 from home:vitezslav_cizek:branches:Base:System - set safe umask before creating a plaintext file (bnc#780943) added gpg2-set_umask_before_open_outfile.patch - select proper ciphers when running in FIPS mode (bnc#808958) added gnupg-detect_FIPS_mode.patch OBS-URL: https://build.opensuse.org/request/show/175573 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=56 2013-05-16 12:06:39 +02:00			`+`
			`+ /* Libgcrypt manual says that gcry_version_check must be called`
			`+ before calling gcry_fips_mode_active. */`
			`+ gcry_check_version (NULL);`
			`+ if( !gcry_fips_mode_active() )`
			`+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );`
Accepting request 266475 from home:AndreasStieger:branches:Base:System gnupg 2.1.1 OBS-URL: https://build.opensuse.org/request/show/266475 OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=90 2014-12-29 07:05:14 +01:00			`gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);`
			`}`
			`if (DBG_HASHING)`