From c1034e435b77c951345810ed0d50f95dbcc97fc0 Mon Sep 17 00:00:00 2001
From: eabdullin
Date: Thu, 21 Sep 2023 18:41:20 +0000
Subject: [PATCH] import CS gnupg2-2.3.3-4.el9

---
 .gitignore | 1 +
 .gnupg2.metadata | 1 +
 SOURCES/gnupg-2.3.3-aead-packet.patch | 30 ++++++++++++++++++
 SOURCES/gnupg-2.3.3-ssh-fips.patch | 42 ++++++++++++++++++++++++++
 SOURCES/gnupg-2.3.3.tar.bz2.sig | Bin 119 -> 0 bytes
 SPECS/gnupg2.spec | 18 ++++++++++-
 6 files changed, 91 insertions(+), 1 deletion(-)
 create mode 100644 SOURCES/gnupg-2.3.3-aead-packet.patch
 create mode 100644 SOURCES/gnupg-2.3.3-ssh-fips.patch
 delete mode 100644 SOURCES/gnupg-2.3.3.tar.bz2.sig

diff --git a/.gitignore b/.gitignore
index ffb32bd..6eb3ed5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 SOURCES/gnupg-2.3.3.tar.bz2
+SOURCES/gnupg-2.3.3.tar.bz2.sig
diff --git a/.gnupg2.metadata b/.gnupg2.metadata
index b761d69..0c49608 100644
--- a/.gnupg2.metadata
+++ b/.gnupg2.metadata
@@ -1 +1,2 @@
 b19a407076424704f1b00e8265254de1b3061659 SOURCES/gnupg-2.3.3.tar.bz2
+38fed91a8c4b3ba09977ab06567395448b6f1242 SOURCES/gnupg-2.3.3.tar.bz2.sig
diff --git a/SOURCES/gnupg-2.3.3-aead-packet.patch b/SOURCES/gnupg-2.3.3-aead-packet.patch
new file mode 100644
index 0000000..cd4ff9b
--- /dev/null
+++ b/SOURCES/gnupg-2.3.3-aead-packet.patch
@@ -0,0 +1,30 @@
+commit eadf12a52c2e230174e076a0dcae68132094cefe
+Author: Jakub Jelen
+Date: Thu Feb 24 09:02:53 2022 +0100
+
+ sign: Construct valid AEAD packets.
+
+ * g10/sign.c (sign_symencrypt_file): Insert correct version and AEAD
+ information into symkey packet.
+
+ --
+
+ GnuPG-bug-id: 5856
+ Signed-off-by: Jakub Jelen
+
+diff --git a/g10/sign.c b/g10/sign.c
+index bbcfabdb7..2ab76c99b 100644
+--- a/g10/sign.c
++++ b/g10/sign.c
+@@ -1660,8 +1660,9 @@ sign_symencrypt_file (ctrl_t ctrl, const char *fname, strlist_t locusr)
+ {
+ PKT_symkey_enc *enc = xmalloc_clear( sizeof *enc );
+
+- enc->version = 4;
++ enc->version = cfx.dek->use_aead ? 5 : 4;
+ enc->cipher_algo = cfx.dek->algo;
++ enc->aead_algo = cfx.dek->use_aead;
+ enc->s2k = *s2k;
+ pkt.pkttype = PKT_SYMKEY_ENC;
+ pkt.pkt.symkey_enc = enc;
+
diff --git a/SOURCES/gnupg-2.3.3-ssh-fips.patch b/SOURCES/gnupg-2.3.3-ssh-fips.patch
new file mode 100644
index 0000000..4d71d61
--- /dev/null
+++ b/SOURCES/gnupg-2.3.3-ssh-fips.patch
@@ -0,0 +1,42 @@
+From c4436ebfa58f219190f1244928001b4293293343 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen
+Date: Tue, 12 Apr 2022 16:26:58 +0200
+Subject: [PATCH GnuPG] agent: Ignore MD5 Fingerprints for ssh keys
+
+--
+* agent/command-ssh.c (add_control_entry): Ignore failure of the MD5
+ digest
+
+Signed-off-by: Jakub Jelen
+---
+ agent/command-ssh.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/agent/command-ssh.c b/agent/command-ssh.c
+index a7784e728..46821e3c8 100644
+--- a/agent/command-ssh.c
++++ b/agent/command-ssh.c
+@@ -1095,8 +1095,9 @@ add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
+ time_t atime = time (NULL);
+
+ err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr_md5);
++ /* ignore the errors as MD5 is not available in FIPS mode */
+ if (err)
+- goto out;
++ fpr_md5 = NULL;
+
+ err = ssh_get_fingerprint_string (key, GCRY_MD_SHA256, &fpr_sha256);
+ if (err)
+@@ -1113,7 +1114,8 @@ add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
+ spec->name,
+ 1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday,
+ tp->tm_hour, tp->tm_min, tp->tm_sec,
+- fpr_md5, fpr_sha256, hexgrip, ttl, confirm? " confirm":"");
++ fpr_md5? fpr_md5:"", fpr_sha256, hexgrip, ttl,
++ confirm? " confirm":"");
+
+ }
+ out:
+--
+2.39.2
+
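Review bot: `enc->aead_algo = cfx.dek->use_aead;` in the nested g10/sign.c hunk only produces a valid version-5 symkey packet if `use_aead` carries the AEAD algorithm identifier rather than an on/off flag; the field name reads like a boolean, and a boolean 1 would be emitted as an algorithm id without any error. Upstream documents the DEK field as the AEAD algo or 0 as far as I recall, so the assignment is presumably right, but nothing in the hunk shows it, and the same field also drives the `5 : 4` version choice two lines above. A comment at the assignment would spare the next reader the lookup: `/* use_aead holds the AEAD algo id (0 = CFB), so it doubles as the v5 aead_algo field. */`. sign_symencrypt_file starts and ends outside the hunk.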
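Review bot: The replacement `if (err) fpr_md5 = NULL;` in the first agent/command-ssh.c hunk discards every failure of the MD5 fingerprint call, not just the FIPS "digest not available" case the new comment describes, so an allocation failure or an unparsable key would now be recorded with an empty MD5 field instead of reaching `out`. Keeping the bail-out for other codes restores that, e.g. `if (err && gpg_err_code (err) != GPG_ERR_DIGEST_ALGO) goto out;` followed by `if (err) fpr_md5 = NULL;` — the exact code libgcrypt reports for a disabled digest should be confirmed against ssh_get_fingerprint_string before relying on it. The explicit reset to NULL also presumes the helper leaves `fpr_md5` unallocated on failure; if it can hand back a buffer, the NULL store leaks it at the `out:` cleanup. In the second hunk the control entry is now written with an empty MD5 field via `fpr_md5? fpr_md5:""`, which anything that parses those lines (the format string is outside the hunk) must tolerate; add_control_entry begins and ends outside both hunks.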
diff --git a/SOURCES/gnupg-2.3.3.tar.bz2.sig b/SOURCES/gnupg-2.3.3.tar.bz2.sig
deleted file mode 100644
index ddd8744fe770d5d774783923a2eb9ece354ba64c..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 119
zcmeAuWnmEGV2~A4WXWBXm$E!p!y#PSlPRcU`VKV*t6Qv0iK*-27`QkEU?M^34F7%J
zy6npD=e5F=yWcLaQ9iVi3jjV}GGG7z

diff --git a/SPECS/gnupg2.spec b/SPECS/gnupg2.spec
index 8e0a1a7..96c3623 100644
--- a/SPECS/gnupg2.spec
+++ b/SPECS/gnupg2.spec
@@ -7,7 +7,7 @@
 Summary: Utility for secure communication and data storage
 Name: gnupg2
 Version: 2.3.3
-Release: 2%{?dist}
+Release: 4%{?dist}
 License: GPLv3+
 Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
 
@@ -31,6 +31,12 @@ Patch30: gnupg-2.2.21-coverity.patch
 Patch31: gnupg-2.3.1-revert-default-eddsa.patch
 # Revert default EdDSA key types
 Patch32: gnupg-2.3.3-CVE-2022-34903.patch
+# Fix AEAD packet construction
+# https://dev.gnupg.org/T5856
+Patch34: gnupg-2.3.3-aead-packet.patch
+# Fix ssh-agent behavior in FIPS mode
+# https://dev.gnupg.org/T5929
+Patch35: gnupg-2.3.3-ssh-fips.patch
 
 URL: https://www.gnupg.org/
 
@@ -116,6 +122,8 @@ to the base GnuPG package
 %patch30 -p1 -b .coverity
 %patch31 -p1 -R -b .eddsa
 %patch32 -p1 -b .CVE-2022-34903
+%patch34 -p1 -b .aead
+%patch35 -p1 -b .ssh-fips
 
 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@@ -229,6 +237,14 @@ make -k check
 
 
 %changelog
+* Wed Apr 19 2023 Jakub Jelen - 2.3.3-4
+- Revert marking the SHA-1 digest as weak (#2184640)
+
+* Thu Mar 30 2023 Jakub Jelen - 2.3.3-3
+- Mark SHA-1 digest as weak to follow SHA-1 disablement in RHEL9 (#2070722)
+- Fix interaction with SSH by not requiring the MD5 digest (#2073567)
+- Fix creation of AEAD packets (#2128058)
+
 * Wed Aug 03 2022 Jakub Jelen - 2.3.3-2
 - Fix CVE-2022-34903 (#2108449)
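Review bot: The Patch list in the second SPECS/gnupg2.spec hunk jumps from Patch32 straight to Patch34, and the new changelog entries record a SHA-1 weak-digest patch added in 2.3.3-3 and reverted in 2.3.3-4, which presumably is what occupied Patch33; the spec itself says nothing about the gap. A one-line comment where the number is skipped, `# Patch33 (SHA-1 weak-digest marking, #2070722) was dropped again in 2.3.3-4, see #2184640`, would stop the gap from reading as a missing patch, and the same note applies to the %patch34/%patch35 block in the third hunk. The inference about Patch33 comes only from the changelog text, so confirm it against the package history before wording the comment.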