diff --git a/SOURCES/gnupg-2.0.19-fips-algo.patch b/SOURCES/gnupg-2.0.19-fips-algo.patch
deleted file mode 100644
index 4eaea75..0000000
--- a/SOURCES/gnupg-2.0.19-fips-algo.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-diff -up gnupg-2.0.19/g10/encode.c.fips gnupg-2.0.19/g10/encode.c
---- gnupg-2.0.19/g10/encode.c.fips 2012-03-27 10:00:37.000000000 +0200
-+++ gnupg-2.0.19/g10/encode.c 2012-11-22 15:51:23.314371267 +0100
-@@ -732,7 +732,7 @@ encrypt_filter( void *opaque, int contro
- if( efx->cfx.dek->algo == -1 ) {
- /* because 3DES is implicitly in the prefs, this can only
- * happen if we do not have any public keys in the list */
-- efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
-+ efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
- }
-
- /* In case 3DES has been selected, print a warning if
-diff -up gnupg-2.0.19/g10/gpg.c.fips gnupg-2.0.19/g10/gpg.c
---- gnupg-2.0.19/g10/gpg.c.fips 2012-11-22 15:51:23.308371138 +0100
-+++ gnupg-2.0.19/g10/gpg.c 2012-11-22 15:51:23.315371289 +0100
-@@ -1973,7 +1973,7 @@ main (int argc, char **argv)
- opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */
- opt.s2k_mode = 3; /* iterated+salted */
- opt.s2k_count = 0; /* Auto-calibrate when needed. */
-- opt.s2k_cipher_algo = CIPHER_ALGO_CAST5;
-+ opt.s2k_cipher_algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : CIPHER_ALGO_CAST5;
- opt.completes_needed = 1;
- opt.marginals_needed = 3;
- opt.max_cert_depth = 5;
-diff -up gnupg-2.0.19/g10/mainproc.c.fips gnupg-2.0.19/g10/mainproc.c
---- gnupg-2.0.19/g10/mainproc.c.fips 2012-03-27 10:00:37.000000000 +0200
-+++ gnupg-2.0.19/g10/mainproc.c 2012-11-22 16:43:51.876084682 +0100
-@@ -685,9 +685,11 @@ proc_plaintext( CTX c, PACKET *pkt )
- often. There is no good way to specify what algorithms to
- use in that case, so these three are the historical
- answer. */
-- gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
-+ if( !gcry_fips_mode_active() )
-+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
- gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );
-- gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
-+ if( !gcry_fips_mode_active() )
-+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
- }
- if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) {
- /* This is a kludge to work around a bug in pgp2. It does only
diff --git a/SOURCES/gnupg-2.0.22-fips-algo.patch b/SOURCES/gnupg-2.0.22-fips-algo.patch
new file mode 100644
index 0000000..450d92b
--- /dev/null
+++ b/SOURCES/gnupg-2.0.22-fips-algo.patch
@@ -0,0 +1,78 @@
+diff -up gnupg-2.0.22/g10/encode.c.fips gnupg-2.0.22/g10/encode.c
+--- gnupg-2.0.22/g10/encode.c.fips 2013-10-04 14:32:53.000000000 +0200
++++ gnupg-2.0.22/g10/encode.c 2013-10-11 10:35:29.779420279 +0200
+@@ -732,7 +732,7 @@ encrypt_filter( void *opaque, int contro
+ if( efx->cfx.dek->algo == -1 ) {
+ /* because 3DES is implicitly in the prefs, this can only
+ * happen if we do not have any public keys in the list */
+- efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
++ efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
+ }
+
+ /* In case 3DES has been selected, print a warning if
+diff -up gnupg-2.0.22/g10/gpg.c.fips gnupg-2.0.22/g10/gpg.c
+--- gnupg-2.0.22/g10/gpg.c.fips 2013-10-11 10:35:29.775420188 +0200
++++ gnupg-2.0.22/g10/gpg.c 2013-10-11 10:35:29.780420301 +0200
+@@ -1973,7 +1973,7 @@ main (int argc, char **argv)
+ opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */
+ opt.s2k_mode = 3; /* iterated+salted */
+ opt.s2k_count = 0; /* Auto-calibrate when needed. */
+- opt.s2k_cipher_algo = CIPHER_ALGO_CAST5;
++ opt.s2k_cipher_algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : CIPHER_ALGO_CAST5;
+ opt.completes_needed = 1;
+ opt.marginals_needed = 3;
+ opt.max_cert_depth = 5;
+diff -up gnupg-2.0.22/g10/mainproc.c.fips gnupg-2.0.22/g10/mainproc.c
+--- gnupg-2.0.22/g10/mainproc.c.fips 2013-10-04 15:00:22.000000000 +0200
++++ gnupg-2.0.22/g10/mainproc.c 2016-03-24 12:52:24.463174830 +0100
+@@ -696,9 +696,11 @@ proc_plaintext( CTX c, PACKET *pkt )
+ often. There is no good way to specify what algorithms to
+ use in that case, so these three are the historical
+ answer. */
+- gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
++ if( !gcry_fips_mode_active() )
++ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );
+- gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
++ if( !gcry_fips_mode_active() )
++ gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
+ }
+ if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) {
+ /* This is a kludge to work around a bug in pgp2. It does only
+@@ -2160,24 +2162,30 @@ proc_tree( CTX c, KBNODE node )
+ else if( !c->any.data ) {
+ /* detached signature */
+ free_md_filter_context( &c->mfx );
+- if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0))
+- BUG ();
++ if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0)) {
++ log_error("Digest algorithm not available probably due to FIPS mode.\n");
++ return;
++ }
+
+ if( !opt.pgp2_workarounds )
+ ;
+ else if( sig->digest_algo == DIGEST_ALGO_MD5
+ && is_RSA( sig->pubkey_algo ) ) {
+ /* enable a workaround for a pgp2 bug */
+- if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0))
+- BUG ();
++ if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0)) {
++ log_error("Digest algorithm not available probably due to FIPS mode.\n");
++ return;
++ }
+ }
+ else if( sig->digest_algo == DIGEST_ALGO_SHA1
+ && sig->pubkey_algo == PUBKEY_ALGO_DSA
+ && sig->sig_class == 0x01 ) {
+ /* enable the workaround also for pgp5 when the detached
+ * signature has been created in textmode */
+- if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 ))
+- BUG ();
++ if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 )) {
++ log_error("Digest algorithm not available.\n");
++ return;
++ }
+ }
+ #if 0 /* workaround disabled */
+ /* Here we have another hack to work around a pgp 2 bug
diff --git a/SOURCES/gnupg-2.0.22-rsa-es.patch b/SOURCES/gnupg-2.0.22-rsa-es.patch
new file mode 100644
index 0000000..73c7f0b
--- /dev/null
+++ b/SOURCES/gnupg-2.0.22-rsa-es.patch
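Review bot: In the proc_tree part of the new gnupg-2.0.22-fips-algo.patch, all three replaced `BUG ()` calls discard the gcry_md_open error code and log a guess instead, so the message names neither the digest algorithm nor the real cause. Keeping the result and logging it, e.g. `err = gcry_md_open (&c->mfx.md, sig->digest_algo, 0);` followed by `log_error ("digest algorithm %d not available: %s\n", sig->digest_algo, gpg_strerror (err));`, would make a FIPS-related rejection distinguishable from other failures; the third message also drops the FIPS hint the first two carry, so the wording should be unified. The early `return` leaves the detached signature unchecked, and nothing in these lines reports that beyond the log_error call; proc_tree continues outside the hunk, so it is worth confirming that callers and status-output consumers treat this path as a verification failure rather than as no signature at all.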
@@ -0,0 +1,21 @@
+diff -up gnupg-2.0.22/g10/misc.c.bz1233182 gnupg-2.0.22/g10/misc.c
+--- gnupg-2.0.22/g10/misc.c.bz1233182 2015-06-17 13:15:32.930000000 +0200
++++ gnupg-2.0.22/g10/misc.c 2015-06-19 13:56:28.246000000 +0200
+@@ -421,6 +421,8 @@ openpgp_cipher_algo_name (int algo)
+ int
+ map_pk_openpgp_to_gcry (int algo)
+ {
++ if (is_RSA (algo))
++ return (GCRY_PK_RSA);
+ switch (algo)
+ {
+ case PUBKEY_ALGO_ECDSA: return 301 /*GCRY_PK_ECDSA*/;
+@@ -1417,7 +1419,7 @@ pubkey_nbits( int algo, gcry_mpi_t *key
+ "(public-key(elg(p%m)(g%m)(y%m)))",
+ key[0], key[1], key[2] );
+ }
+- else if( algo == GCRY_PK_RSA ) {
++ else if( is_RSA (algo) ) {
+ rc = gcry_sexp_build ( &sexp, NULL,
+ "(public-key(rsa(n%m)(e%m)))",
+ key[0], key[1] );
diff --git a/SPECS/gnupg2.spec b/SPECS/gnupg2.spec
index 918cd55..8f2c857 100644
--- a/SPECS/gnupg2.spec
+++ b/SPECS/gnupg2.spec
@@ -1,7 +1,7 @@
 Summary: Utility for secure communication and data storage
 Name: gnupg2
 Version: 2.0.22
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 Group: Applications/System
@@ -13,7 +13,8 @@ Patch1: gnupg-2.0.20-insttools.patch
 Patch3: gnupg-2.0.20-secmem.patch
 Patch4: gnupg-2.0.18-protect-tool-env.patch
 Patch5: gnupg-2.0.20-ocsp-keyusage.patch
-Patch6: gnupg-2.0.19-fips-algo.patch
+Patch6: gnupg-2.0.22-fips-algo.patch
+Patch7: gnupg-2.0.22-rsa-es.patch
 URL: http://www.gnupg.org/
@@ -78,6 +79,7 @@ to the base GnuPG package
 %patch4 -p1 -b .ptool-env
 %patch5 -p1 -b .keyusage
 %patch6 -p1 -b .fips
+%patch7 -p1 -b .rsa-es
 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@@ -193,6 +195,10 @@ fi
 %changelog
+* Thu Mar 24 2016 Tomáš Mráz - 2.0.22-4
+- allow import of RSA-E and RSA-S keys (patch by Marcel Kolaja) (#1233182)
+- do not abort when missing hash algorithm in FIPS mode (#1078962)
+
 * Fri Jan 24 2014 Daniel Mach - 2.0.22-3
 - Mass rebuild 2014-01-24
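Review bot: In gnupg-2.0.22-rsa-es.patch, the early return added to map_pk_openpgp_to_gcry folds the RSA-E and RSA-S ids into GCRY_PK_RSA without a comment, so a reader cannot tell that the encrypt-only / sign-only distinction is deliberately dropped at the libgcrypt layer. A comment above the check would record that, for example `/* RSA-E and RSA-S are plain RSA to libgcrypt; usage limits must be enforced by the caller from the OpenPGP algo id. */`. Whether callers still enforce key usage from the original id after this mapping is not visible here and should be confirmed, since an imported sign-only key should not become usable for encryption (or the reverse). Both map_pk_openpgp_to_gcry and pubkey_nbits continue outside the hunks shown.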