rpm/gpg2
SHA256
1
0
Fork 0
forked from pool/gpg2
Code Pull Requests Activity
4c7be29c4c
gpg2/gnupg-add_legacy_FIPS_mode_option.patch
Marcus Meissner b4e8b7fb1e Accepting request 260826 from home:vitezslav_cizek:branches:Base:System 
- upgrade to 2.1.0 (modern)
  - The file "secring.gpg" is not anymore used to store the secret
    keys.  Merging of secret keys is now supported.
  - All support for PGP-2 keys has been removed for security reasons.
  - The standard key generation interface is now much leaner.  This
    will help a new user to quickly generate a suitable key.
  - Support for Elliptic Curve Cryptography (ECC) is now available.
  - Commands to create and sign keys from the command line without any
    extra prompts are now available.
  - The Pinentry may now show the new passphrase entry and the
    passphrase confirmation entry in one dialog.
  - There is no more need to manually start the gpg-agent.  It is now
    started by any part of GnuPG as needed.
  - Problems with importing keys with the same long key id have been
    addressed.
  - The Dirmngr is now part of GnuPG proper and also takes care of
    accessing keyserver.
  - Keyserver pools are now handled in a smarter way.
  - A new format for locally storing the public keys is now used.
    This considerable speeds up operations on large keyrings.
  - Revocation certificates are now created by default.
  - Card support has been updated, new readers and token types are
    supported.
  - The format of the key listing has been changed to better identify
    the properties of a key.
  - The gpg-agent may now be used on Windows as a Pageant replacement
    for Putty in the same way it is used for years on Unix as
    ssh-agent replacement.
  - Creation of X.509 certificates has been improved.  It is now also
    possible to export them directly in PKCS#8 and PEM format for use

OBS-URL: https://build.opensuse.org/request/show/260826
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=79
2014-11-11 10:52:31 +00:00

69 lines
2.7 KiB
Diff
Raw Blame History

---
doc/gpg.texi | 18 ++++++++++++++++++
g10/gpg.c | 9 +++++++++
2 files changed, 27 insertions(+)
Index: gnupg-2.1.0/doc/gpg.texi
===================================================================
--- gnupg-2.1.0.orig/doc/gpg.texi 2014-11-06 18:31:32.218688065 +0100
+++ gnupg-2.1.0/doc/gpg.texi 2014-11-06 18:31:33.871709178 +0100
@@ -1828,6 +1828,24 @@ implies, this option is for experts only
understand the implications of what it allows you to do, leave this
off. @option{--no-expert} disables this option.
+@item --set-legacy-fips
+@itemx --set-legacy-fips
+@opindex set-legacy-fips
+Enable legacy support even when the libgcrypt library is in FIPS 140-2
+mode. The legacy mode of libgcrypt allows the use of all ciphers,
+including non-approved ciphers. This mode is needed when for legacy
+reasons a message must be encrypted or decrypted. Legacy reasons for
+decryptions include the decryption of old messages created with a
+public key that use cipher settings which do not meet FIPS 140-2
+requirements. Legacy reasons for encryption include the encryption
+of messages with a recipients public key where the recipient is not
+bound to FIPS 140-2 regulation and therefore provided a key using
+non-approved ciphers. Although the legacy mode is a violation of strict
+FIPS 140-2 rule interpretations, it is wise to use this mode or
+either not being able to access old messages or not being able
+to create encrypted messages to a recipient that is not adhering
+to FIPS 140-2 rules.
+
@end table
Index: gnupg-2.1.0/g10/gpg.c
===================================================================
--- gnupg-2.1.0.orig/g10/gpg.c 2014-11-06 18:31:32.220688090 +0100
+++ gnupg-2.1.0/g10/gpg.c 2014-11-06 18:32:03.833091859 +0100
@@ -380,6 +380,7 @@ enum cmd_and_opt_values
oNoAllowMultipleMessages,
oAllowWeakDigestAlgos,
oFakedSystemTime,
+ oSetLegacyFips,
oNoop
};
@@ -772,6 +773,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"),
ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
+ ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"),
/* These two are aliases to help users of the PGP command line
product use gpg with minimal pain. Many commands are common
@@ -3138,6 +3140,13 @@ main (int argc, char **argv)
}
break;
+ case oSetLegacyFips:
+ if(gcry_fips_mode_active())
+ gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG, "Enable legacy support in FIPS 140-2 mode");
+ else
+ log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n");
+ break;
+
case oNoop: break;
default:
View Git Blame Copy Permalink