diff --git a/SOURCES/gnupg-2.0.19-fips-algo.patch b/SOURCES/gnupg-2.0.19-fips-algo.patch
deleted file mode 100644
index 4eaea75..0000000
--- a/SOURCES/gnupg-2.0.19-fips-algo.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff -up gnupg-2.0.19/g10/encode.c.fips gnupg-2.0.19/g10/encode.c
---- gnupg-2.0.19/g10/encode.c.fips 2012-03-27 10:00:37.000000000 +0200
-+++ gnupg-2.0.19/g10/encode.c 2012-11-22 15:51:23.314371267 +0100
-@@ -732,7 +732,7 @@ encrypt_filter( void *opaque, int contro
- if( efx->cfx.dek->algo == -1 ) {
- /* because 3DES is implicitly in the prefs, this can only
- * happen if we do not have any public keys in the list */
-- efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
-+ efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
- }
-
- /* In case 3DES has been selected, print a warning if
-diff -up gnupg-2.0.19/g10/gpg.c.fips gnupg-2.0.19/g10/gpg.c
---- gnupg-2.0.19/g10/gpg.c.fips 2012-11-22 15:51:23.308371138 +0100
-+++ gnupg-2.0.19/g10/gpg.c 2012-11-22 15:51:23.315371289 +0100
-@@ -1973,7 +1973,7 @@ main (int argc, char **argv)
- opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */
- opt.s2k_mode = 3; /* iterated+salted */
- opt.s2k_count = 0; /* Auto-calibrate when needed. */
-- opt.s2k_cipher_algo = CIPHER_ALGO_CAST5;
-+ opt.s2k_cipher_algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : CIPHER_ALGO_CAST5;
- opt.completes_needed = 1;
- opt.marginals_needed = 3;
- opt.max_cert_depth = 5;
-diff -up gnupg-2.0.19/g10/mainproc.c.fips gnupg-2.0.19/g10/mainproc.c
---- gnupg-2.0.19/g10/mainproc.c.fips 2012-03-27 10:00:37.000000000 +0200
-+++ gnupg-2.0.19/g10/mainproc.c 2012-11-22 16:43:51.876084682 +0100
-@@ -685,9 +685,11 @@ proc_plaintext( CTX c, PACKET *pkt )
- often. There is no good way to specify what algorithms to
- use in that case, so these three are the historical
- answer. */
-- gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
-+ if( !gcry_fips_mode_active() )
-+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
- gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );
-- gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
-+ if( !gcry_fips_mode_active() )
-+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
- }
- if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) {
- /* This is a kludge to work around a bug in pgp2. It does only
diff --git a/SOURCES/gnupg-2.0.22-fips-algo.patch b/SOURCES/gnupg-2.0.22-fips-algo.patch
new file mode 100644
index 0000000..450d92b
--- /dev/null
+++ b/SOURCES/gnupg-2.0.22-fips-algo.patch
@@ -0,0 +1,78 @@
+diff -up gnupg-2.0.22/g10/encode.c.fips gnupg-2.0.22/g10/encode.c
+--- gnupg-2.0.22/g10/encode.c.fips 2013-10-04 14:32:53.000000000 +0200
++++ gnupg-2.0.22/g10/encode.c 2013-10-11 10:35:29.779420279 +0200
+@@ -732,7 +732,7 @@ encrypt_filter( void *opaque, int contro
+ if( efx->cfx.dek->algo == -1 ) {
+ /* because 3DES is implicitly in the prefs, this can only
+ * happen if we do not have any public keys in the list */
+- efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
++ efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
+ }
+
+ /* In case 3DES has been selected, print a warning if
+diff -up gnupg-2.0.22/g10/gpg.c.fips gnupg-2.0.22/g10/gpg.c
+--- gnupg-2.0.22/g10/gpg.c.fips 2013-10-11 10:35:29.775420188 +0200
++++ gnupg-2.0.22/g10/gpg.c 2013-10-11 10:35:29.780420301 +0200
+@@ -1973,7 +1973,7 @@ main (int argc, char **argv)
+ opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */
+ opt.s2k_mode = 3; /* iterated+salted */
+ opt.s2k_count = 0; /* Auto-calibrate when needed. */
+- opt.s2k_cipher_algo = CIPHER_ALGO_CAST5;
++ opt.s2k_cipher_algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : CIPHER_ALGO_CAST5;
+ opt.completes_needed = 1;
+ opt.marginals_needed = 3;
+ opt.max_cert_depth = 5;
+diff -up gnupg-2.0.22/g10/mainproc.c.fips gnupg-2.0.22/g10/mainproc.c
+--- gnupg-2.0.22/g10/mainproc.c.fips 2013-10-04 15:00:22.000000000 +0200
++++ gnupg-2.0.22/g10/mainproc.c 2016-03-24 12:52:24.463174830 +0100
+@@ -696,9 +696,11 @@ proc_plaintext( CTX c, PACKET *pkt )
+ often. There is no good way to specify what algorithms to
+ use in that case, so these three are the historical
+ answer. */
+- gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
++ if( !gcry_fips_mode_active() )
++ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );
+- gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
++ if( !gcry_fips_mode_active() )
++ gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
+ }
+ if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) {
+ /* This is a kludge to work around a bug in pgp2. It does only
+@@ -2160,24 +2162,30 @@ proc_tree( CTX c, KBNODE node )
+ else if( !c->any.data ) {
+ /* detached signature */
+ free_md_filter_context( &c->mfx );
+- if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0))
+- BUG ();
++ if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0)) {
++ log_error("Digest algorithm not available probably due to FIPS mode.\n");
++ return;
++ }
+
+ if( !opt.pgp2_workarounds )
+ ;
+ else if( sig->digest_algo == DIGEST_ALGO_MD5
+ && is_RSA( sig->pubkey_algo ) ) {
+ /* enable a workaround for a pgp2 bug */
+- if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0))
+- BUG ();
++ if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0)) {
++ log_error("Digest algorithm not available probably due to FIPS mode.\n");
++ return;
++ }
+ }
+ else if( sig->digest_algo == DIGEST_ALGO_SHA1
+ && sig->pubkey_algo == PUBKEY_ALGO_DSA
+ && sig->sig_class == 0x01 ) {
+ /* enable the workaround also for pgp5 when the detached
+ * signature has been created in textmode */
+- if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 ))
+- BUG ();
++ if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 )) {
++ log_error("Digest algorithm not available.\n");
++ return;
++ }
+ }
+ #if 0 /* workaround disabled */
+ /* Here we have another hack to work around a pgp 2 bug
diff --git a/SOURCES/gnupg-2.0.22-rsa-es.patch b/SOURCES/gnupg-2.0.22-rsa-es.patch
new file mode 100644
index 0000000..73c7f0b
--- /dev/null
+++ b/SOURCES/gnupg-2.0.22-rsa-es.patch
@@ -0,0 +1,21 @@
+diff -up gnupg-2.0.22/g10/misc.c.bz1233182 gnupg-2.0.22/g10/misc.c
+--- gnupg-2.0.22/g10/misc.c.bz1233182 2015-06-17 13:15:32.930000000 +0200
++++ gnupg-2.0.22/g10/misc.c 2015-06-19 13:56:28.246000000 +0200
+@@ -421,6 +421,8 @@ openpgp_cipher_algo_name (int algo)
+ int
+ map_pk_openpgp_to_gcry (int algo)
+ {
++ if (is_RSA (algo))
++ return (GCRY_PK_RSA);
+ switch (algo)
+ {
+ case PUBKEY_ALGO_ECDSA: return 301 /*GCRY_PK_ECDSA*/;
+@@ -1417,7 +1419,7 @@ pubkey_nbits( int algo, gcry_mpi_t *key
+ "(public-key(elg(p%m)(g%m)(y%m)))",
+ key[0], key[1], key[2] );
+ }
+- else if( algo == GCRY_PK_RSA ) {
++ else if( is_RSA (algo) ) {
+ rc = gcry_sexp_build ( &sexp, NULL,
+ "(public-key(rsa(n%m)(e%m)))",
+ key[0], key[1] );
diff --git a/SPECS/gnupg2.spec b/SPECS/gnupg2.spec
index 918cd55..8f2c857 100644
--- a/SPECS/gnupg2.spec
+++ b/SPECS/gnupg2.spec
@@ -1,7 +1,7 @@
Summary: Utility for secure communication and data storage
Name: gnupg2
Version: 2.0.22
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv3+
Group: Applications/System
@@ -13,7 +13,8 @@ Patch1: gnupg-2.0.20-insttools.patch
Patch3: gnupg-2.0.20-secmem.patch
Patch4: gnupg-2.0.18-protect-tool-env.patch
Patch5: gnupg-2.0.20-ocsp-keyusage.patch
-Patch6: gnupg-2.0.19-fips-algo.patch
+Patch6: gnupg-2.0.22-fips-algo.patch
+Patch7: gnupg-2.0.22-rsa-es.patch
URL: http://www.gnupg.org/
@@ -78,6 +79,7 @@ to the base GnuPG package
%patch4 -p1 -b .ptool-env
%patch5 -p1 -b .keyusage
%patch6 -p1 -b .fips
+%patch7 -p1 -b .rsa-es
# pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
# Note: this is just the name of the default shared lib to load in scdaemon,
@@ -193,6 +195,10 @@ fi
%changelog
+* Thu Mar 24 2016 Tomáš Mráz <tmraz@redhat.com> - 2.0.22-4
+- allow import of RSA-E and RSA-S keys (patch by Marcel Kolaja) (#1233182)
+- do not abort when missing hash algorithm in FIPS mode (#1078962)
+
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.0.22-3
- Mass rebuild 2014-01-24