use AES as default crypto algorithm in FIPS mode (#879047)

2012-11-22 20:17:38 +01:00 · 2012-11-22 20:17:38 +01:00 · 5eb4571a5e
commit 5eb4571a5e
parent 82d4b0c846
2 changed files with 47 additions and 1 deletions
--- a/gnupg-2.0.19-fips-algo.patch
+++ b/gnupg-2.0.19-fips-algo.patch
@ -0,0 +1,41 @@
+diff -up gnupg-2.0.19/g10/encode.c.fips gnupg-2.0.19/g10/encode.c
+--- gnupg-2.0.19/g10/encode.c.fips	2012-03-27 10:00:37.000000000 +0200
+++ gnupg-2.0.19/g10/encode.c	2012-11-22 15:51:23.314371267 +0100
+@@ -732,7 +732,7 @@ encrypt_filter( void *opaque, int contro
+ 		if( efx->cfx.dek->algo == -1 ) {
+                     /* because 3DES is implicitly in the prefs, this can only
+                      * happen if we do not have any public keys in the list */
+-		    efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
+		    efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
+                 }
+ 
+                 /* In case 3DES has been selected, print a warning if
+diff -up gnupg-2.0.19/g10/gpg.c.fips gnupg-2.0.19/g10/gpg.c
+--- gnupg-2.0.19/g10/gpg.c.fips	2012-11-22 15:51:23.308371138 +0100
+++ gnupg-2.0.19/g10/gpg.c	2012-11-22 15:51:23.315371289 +0100
+@@ -1973,7 +1973,7 @@ main (int argc, char **argv)
+     opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */
+     opt.s2k_mode = 3; /* iterated+salted */
+     opt.s2k_count = 0; /* Auto-calibrate when needed.  */
+-    opt.s2k_cipher_algo = CIPHER_ALGO_CAST5;
+    opt.s2k_cipher_algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : CIPHER_ALGO_CAST5;
+     opt.completes_needed = 1;
+     opt.marginals_needed = 3;
+     opt.max_cert_depth = 5;
+diff -up gnupg-2.0.19/g10/mainproc.c.fips gnupg-2.0.19/g10/mainproc.c
+--- gnupg-2.0.19/g10/mainproc.c.fips	2012-03-27 10:00:37.000000000 +0200
+++ gnupg-2.0.19/g10/mainproc.c	2012-11-22 16:43:51.876084682 +0100
+@@ -685,9 +685,11 @@ proc_plaintext( CTX c, PACKET *pkt )
+ 	   often.  There is no good way to specify what algorithms to
+ 	   use in that case, so these three are the historical
+ 	   answer. */
+-	gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
+	if( !gcry_fips_mode_active() )
+	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
+ 	gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );
+-	gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
+	if( !gcry_fips_mode_active() )
+	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
+       }
+     if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) {
+ 	/* This is a kludge to work around a bug in pgp2.  It does only
--- a/gnupg2.spec
+++ b/gnupg2.spec
@ -1,7 +1,7 @@
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
 Version: 2.0.19
-Release: 5%{?dist}
+Release: 6%{?dist}

 License: GPLv3+
 Group:   Applications/System
@ -14,6 +14,7 @@ Patch2:  gnupg-2.0.16-tests-s2kcount.patch
 Patch3:  gnupg-2.0.18-secmem.patch
 Patch4:  gnupg-2.0.18-protect-tool-env.patch
 Patch5:  gnupg-2.0.16-ocsp-keyusage.patch
+Patch6:  gnupg-2.0.19-fips-algo.patch

 URL:     http://www.gnupg.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -79,6 +80,7 @@ to the base GnuPG package
 %patch3 -p1 -b .secmem
 %patch4 -p1 -b .ptool-env
 %patch5 -p1 -b .keyusage
+%patch6 -p1 -b .fips

 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@ -196,6 +198,9 @@ rm -rf %{buildroot}


 %changelog
+* Thu Nov 22 2012 Tomas Mraz <tmraz@redhat.com> - 2.0.19-6
+- use AES as default crypto algorithm in FIPS mode (#879047)
+
 * Fri Nov 16 2012 Jamie Nguyen <jamielinux@fedoraproject.org> - 2.0.19-5
 - rebuild for <f18 (#877106)