Pedro Monreal Gonzalez
d539c287c5
- Update to 2.2.18 [bsc#1157900, CVE-2019-14855]
  * gpg: Changed the way keys are detected on smartcards; this allows the use of non-OpenPGP cards. In the case of a not very likely regression the new option --use-only-openpgp-card is available. [#4681]
  * gpg: The commands --full-gen-key and --quick-gen-key now allow direct key generation from supported cards. [#4681]
  * gpg: Prepare against chosen-prefix SHA-1 collisions in key signatures. This change removes all SHA-1 based key signatures newer than 2019-01-19 from the web-of-trust. Note that this includes all key signatures created with dsa1024 keys. The new option --allow-weak-key-signatures can be used to override the new and safer behaviour. [#4755,CVE-2019-14855]
  * gpg: Improve performance for import of large keyblocks. [#4592]
  * gpg: Implement a keybox compression run. [#4644]
  * gpg: Show warnings from dirmngr about redirect and certificate problems (details require --verbose as usual).
  * gpg: Allow passing the empty string for the passphrase if the '--passphrase=' syntax is used. [#4633]
  * gpg: Fix printing of the KDF object attributes.
  * gpg: Avoid surprises with --locate-external-key and certain --auto-key-locate settings. [#4662]
  * gpg: Improve selection of best matching key. [#4713]
  * gpg: Delete key binding signature when deleting a subkey. [#4665,#4457]
  * gpg: Fix a potential loss of key signatures during import with self-sigs-only active. [#4628]
  * gpg: Silence "marked as ultimately trusted" diagnostics if option --quiet is used. [#4634]
  * gpg: Silence some diagnostics during key listing even with

OBS-URL: https://build.opensuse.org/request/show/751408
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=237
69 lines
2.6 KiB
Diff
---
doc/gpg.texi | 18 ++++++++++++++++++
g10/gpg.c | 9 +++++++++
2 files changed, 27 insertions(+)

Index: gnupg-2.2.18/doc/gpg.texi
===================================================================
--- gnupg-2.2.18.orig/doc/gpg.texi
+++ gnupg-2.2.18/doc/gpg.texi
@@ -2115,6 +2115,24 @@ implies, this option is for experts only
understand the implications of what it allows you to do, leave this
off. @option{--no-expert} disables this option.

+@item --set-legacy-fips
+@itemx --set-legacy-fips
+@opindex set-legacy-fips
+Enable legacy support even when the libgcrypt library is in FIPS 140-2
+mode. The legacy mode of libgcrypt allows the use of all ciphers,
+including non-approved ciphers. This mode is needed when for legacy
+reasons a message must be encrypted or decrypted. Legacy reasons for
+decryptions include the decryption of old messages created with a
+public key that use cipher settings which do not meet FIPS 140-2
+requirements. Legacy reasons for encryption include the encryption
+of messages with a recipients public key where the recipient is not
+bound to FIPS 140-2 regulation and therefore provided a key using
+non-approved ciphers. Although the legacy mode is a violation of strict
+FIPS 140-2 rule interpretations, it is wise to use this mode or
+either not being able to access old messages or not being able
+to create encrypted messages to a recipient that is not adhering
+to FIPS 140-2 rules.
+
@end table


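Review bot: the `@itemx --set-legacy-fips` line repeats the `@item` line verbatim; in Texinfo `@itemx` is for an alternative spelling of the same entry, so either drop it or put the real alternate form there. The closing sentence also does not parse ("it is wise to use this mode or either not being able to access old messages or not being able to create encrypted messages"); something like "it is wise to use this mode rather than lose the ability to read old messages or to encrypt to such a recipient" says the same thing cleanly, and "a recipients public key" needs an apostrophe. Two facts from the gpg.c hunk below belong in this text as well, because they are what an administrator auditing a FIPS deployment will look for: the option is a no-op (with an informational message) when libgcrypt is not in FIPS mode, and when it does apply it deactivates the FIPS flag for the whole gpg process, not for a single message.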
Index: gnupg-2.2.18/g10/gpg.c
===================================================================
--- gnupg-2.2.18.orig/g10/gpg.c
+++ gnupg-2.2.18/g10/gpg.c
@@ -425,6 +425,7 @@ enum cmd_and_opt_values
oRequestOrigin,
oNoSymkeyCache,
oUseOnlyOpenPGPCard,
+ oSetLegacyFips,

oNoop
};
@@ -870,6 +871,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"),
ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
+ ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"),

ARGPARSE_s_s (oDefaultNewKeyAlgo, "default-new-key-algo", "@"),

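Review bot: the new entry uses "@" as its help string, which in this table hides the option from `gpg --help`. That matches the neighbouring allow-* entries, but the gpg.texi hunk documents --set-legacy-fips as an ordinary user-facing option, so decide deliberately whether it should stay hidden; an option that takes the process out of FIPS mode is one users should be able to discover and read about before using, and a one-line description here (for example "enable legacy algorithms even in FIPS mode") would do that.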
@@ -3600,6 +3602,13 @@ main (int argc, char **argv)
opt.flags.use_only_openpgp_card = 1;
break;

+ case oSetLegacyFips:
+ if(gcry_fips_mode_active())
+ gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG, "Enable legacy support in FIPS 140-2 mode");
+ else
+ log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n");
+ break;
+
case oNoop: break;

default:
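Review bot: the return value of `gcry_control` is discarded. It returns a gcry_error_t, and libgcrypt can decline GCRYCTL_INACTIVATE_FIPS_FLAG depending on how FIPS mode was enforced on the system; if that happens the option silently looks successful while every later operation still runs under FIPS restrictions, which is the worst of both outcomes for the user. Capture the result, e.g. `err = gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG, "...");` and `log_error`/`log_fatal` when `err` is non-zero. The success path should also log at info level that legacy (non-approved) algorithms were enabled for this run, so that an audited FIPS deployment has a record of it; at present only the ignored path logs anything from gpg itself. Minor style: `if(gcry_fips_mode_active())` wants a space before the parenthesis to match the surrounding code, and the message calls set-legacy-fips a "Command" although it is registered as an option.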