diff --git a/gnupg-2.0.19-fips-algo.patch b/gnupg-2.0.19-fips-algo.patch new file mode 100644 index 0000000..4eaea75 --- /dev/null +++ b/gnupg-2.0.19-fips-algo.patch @@ -0,0 +1,41 @@ +diff -up gnupg-2.0.19/g10/encode.c.fips gnupg-2.0.19/g10/encode.c +--- gnupg-2.0.19/g10/encode.c.fips 2012-03-27 10:00:37.000000000 +0200 ++++ gnupg-2.0.19/g10/encode.c 2012-11-22 15:51:23.314371267 +0100 +@@ -732,7 +732,7 @@ encrypt_filter( void *opaque, int contro + if( efx->cfx.dek->algo == -1 ) { + /* because 3DES is implicitly in the prefs, this can only + * happen if we do not have any public keys in the list */ +- efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO; ++ efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO; + } + + /* In case 3DES has been selected, print a warning if +diff -up gnupg-2.0.19/g10/gpg.c.fips gnupg-2.0.19/g10/gpg.c +--- gnupg-2.0.19/g10/gpg.c.fips 2012-11-22 15:51:23.308371138 +0100 ++++ gnupg-2.0.19/g10/gpg.c 2012-11-22 15:51:23.315371289 +0100 +@@ -1973,7 +1973,7 @@ main (int argc, char **argv) + opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */ + opt.s2k_mode = 3; /* iterated+salted */ + opt.s2k_count = 0; /* Auto-calibrate when needed. */ +- opt.s2k_cipher_algo = CIPHER_ALGO_CAST5; ++ opt.s2k_cipher_algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : CIPHER_ALGO_CAST5; + opt.completes_needed = 1; + opt.marginals_needed = 3; + opt.max_cert_depth = 5; +diff -up gnupg-2.0.19/g10/mainproc.c.fips gnupg-2.0.19/g10/mainproc.c +--- gnupg-2.0.19/g10/mainproc.c.fips 2012-03-27 10:00:37.000000000 +0200 ++++ gnupg-2.0.19/g10/mainproc.c 2012-11-22 16:43:51.876084682 +0100 +@@ -685,9 +685,11 @@ proc_plaintext( CTX c, PACKET *pkt ) + often. There is no good way to specify what algorithms to + use in that case, so these three are the historical + answer. */ +- gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 ); ++ if( !gcry_fips_mode_active() ) ++ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 ); + gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 ); +- gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 ); ++ if( !gcry_fips_mode_active() ) ++ gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 ); + } + if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) { + /* This is a kludge to work around a bug in pgp2. It does only diff --git a/gnupg2.spec b/gnupg2.spec index 26cbad2..f68ef4c 100644 --- a/gnupg2.spec +++ b/gnupg2.spec @@ -1,7 +1,7 @@ Summary: Utility for secure communication and data storage Name: gnupg2 Version: 2.0.19 -Release: 5%{?dist} +Release: 6%{?dist} License: GPLv3+ Group: Applications/System @@ -14,6 +14,7 @@ Patch2: gnupg-2.0.16-tests-s2kcount.patch Patch3: gnupg-2.0.18-secmem.patch Patch4: gnupg-2.0.18-protect-tool-env.patch Patch5: gnupg-2.0.16-ocsp-keyusage.patch +Patch6: gnupg-2.0.19-fips-algo.patch URL: http://www.gnupg.org/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -79,6 +80,7 @@ to the base GnuPG package %patch3 -p1 -b .secmem %patch4 -p1 -b .ptool-env %patch5 -p1 -b .keyusage +%patch6 -p1 -b .fips # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper) # Note: this is just the name of the default shared lib to load in scdaemon, @@ -196,6 +198,9 @@ rm -rf %{buildroot} %changelog +* Thu Nov 22 2012 Tomas Mraz - 2.0.19-6 +- use AES as default crypto algorithm in FIPS mode (#879047) + * Fri Nov 16 2012 Jamie Nguyen - 2.0.19-5 - rebuild for