new upstream release

- this release now includes the dirmngr which is obsoleted as separate package
This commit is contained in:
Tomas Mraz 2015-01-29 18:00:00 +01:00
parent 08169c02ae
commit c26cee9bfb
7 changed files with 91 additions and 141 deletions

2
.gitignore vendored
View File

@ -16,3 +16,5 @@ gnupg-2.0.16.tar.bz2.sig
/gnupg-2.0.24.tar.bz2.sig
/gnupg-2.0.25.tar.bz2
/gnupg-2.0.25.tar.bz2.sig
/gnupg-2.1.1.tar.bz2
/gnupg-2.1.1.tar.bz2.sig

View File

@ -1,78 +0,0 @@
diff -up gnupg-2.0.19/g10/encode.c.fips gnupg-2.0.19/g10/encode.c
--- gnupg-2.0.19/g10/encode.c.fips 2012-03-27 10:00:37.000000000 +0200
+++ gnupg-2.0.19/g10/encode.c 2012-11-22 15:51:23.314371267 +0100
@@ -732,7 +732,7 @@ encrypt_filter( void *opaque, int contro
if( efx->cfx.dek->algo == -1 ) {
/* because 3DES is implicitly in the prefs, this can only
* happen if we do not have any public keys in the list */
- efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
+ efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
}
/* In case 3DES has been selected, print a warning if
diff -up gnupg-2.0.19/g10/gpg.c.fips gnupg-2.0.19/g10/gpg.c
--- gnupg-2.0.19/g10/gpg.c.fips 2012-11-22 15:51:23.308371138 +0100
+++ gnupg-2.0.19/g10/gpg.c 2012-11-22 15:51:23.315371289 +0100
@@ -1973,7 +1973,7 @@ main (int argc, char **argv)
opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */
opt.s2k_mode = 3; /* iterated+salted */
opt.s2k_count = 0; /* Auto-calibrate when needed. */
- opt.s2k_cipher_algo = CIPHER_ALGO_CAST5;
+ opt.s2k_cipher_algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : CIPHER_ALGO_CAST5;
opt.completes_needed = 1;
opt.marginals_needed = 3;
opt.max_cert_depth = 5;
diff -up gnupg-2.0.19/g10/mainproc.c.fips gnupg-2.0.19/g10/mainproc.c
--- gnupg-2.0.19/g10/mainproc.c.fips 2012-03-27 10:00:37.000000000 +0200
+++ gnupg-2.0.19/g10/mainproc.c 2012-11-22 16:43:51.876084682 +0100
@@ -685,9 +685,11 @@ proc_plaintext( CTX c, PACKET *pkt )
often. There is no good way to specify what algorithms to
use in that case, so these three are the historical
answer. */
- gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
+ if( !gcry_fips_mode_active() )
+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );
- gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
+ if( !gcry_fips_mode_active() )
+ gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
}
if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) {
/* This is a kludge to work around a bug in pgp2. It does only
@@ -2157,24 +2159,30 @@ proc_tree( CTX c, KBNODE node )
else if( !c->any.data ) {
/* detached signature */
free_md_filter_context( &c->mfx );
- if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0))
- BUG ();
+ if (gcry_md_open (&c->mfx.md, sig->digest_algo, 0)) {
+ log_error("Digest algorithm not available probably due to FIPS mode.\n");
+ return;
+ }
if( !opt.pgp2_workarounds )
;
else if( sig->digest_algo == DIGEST_ALGO_MD5
&& is_RSA( sig->pubkey_algo ) ) {
/* enable a workaround for a pgp2 bug */
- if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0))
- BUG ();
+ if (gcry_md_open (&c->mfx.md2, DIGEST_ALGO_MD5, 0)) {
+ log_error("Digest algorithm not available probably due to FIPS mode.\n");
+ return;
+ }
}
else if( sig->digest_algo == DIGEST_ALGO_SHA1
&& sig->pubkey_algo == PUBKEY_ALGO_DSA
&& sig->sig_class == 0x01 ) {
/* enable the workaround also for pgp5 when the detached
* signature has been created in textmode */
- if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 ))
- BUG ();
+ if (gcry_md_open (&c->mfx.md2, sig->digest_algo, 0 )) {
+ log_error("Digest algorithm not available.\n");
+ return;
+ }
}
#if 0 /* workaround disabled */
/* Here we have another hack to work around a pgp 2 bug

View File

@ -1,7 +1,7 @@
diff -up gnupg-2.0.25/g10/gpg.c.file-is-digest gnupg-2.0.25/g10/gpg.c
--- gnupg-2.0.25/g10/gpg.c.file-is-digest 2014-08-05 16:46:28.865869320 +0200
+++ gnupg-2.0.25/g10/gpg.c 2014-08-05 16:49:27.520063937 +0200
@@ -345,6 +345,7 @@ enum cmd_and_opt_values
diff -up gnupg-2.1.1/g10/gpg.c.file-is-digest gnupg-2.1.1/g10/gpg.c
--- gnupg-2.1.1/g10/gpg.c.file-is-digest 2015-01-29 16:56:43.043680964 +0100
+++ gnupg-2.1.1/g10/gpg.c 2015-01-29 16:59:20.875250453 +0100
@@ -349,6 +349,7 @@ enum cmd_and_opt_values
oTTYtype,
oLCctype,
oLCmessages,
@ -9,34 +9,34 @@ diff -up gnupg-2.0.25/g10/gpg.c.file-is-digest gnupg-2.0.25/g10/gpg.c
oXauthority,
oGroup,
oUnGroup,
@@ -711,6 +712,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_s (oPersonalDigestPreferences, "personal-digest-preferences","@"),
@@ -730,6 +731,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_s (oPersonalCompressPreferences,
"personal-compress-preferences", "@"),
ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
+ ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"),
/* Aliases. I constantly mistype these, and assume other people do
as well. */
@@ -2003,6 +2005,7 @@ main (int argc, char **argv)
set_homedir ( default_homedir () );
opt.passphrase_repeat=1;
@@ -2126,6 +2128,7 @@ main (int argc, char **argv)
set_homedir (default_homedir ());
opt.passphrase_repeat = 1;
opt.emit_version = 1; /* Limit to the major number. */
+ opt.file_is_digest=0;
opt.list_options |= LIST_SHOW_UID_VALIDITY;
opt.verify_options |= LIST_SHOW_UID_VALIDITY;
@@ -2493,6 +2496,7 @@ main (int argc, char **argv)
/* Check whether we have a config file on the command line. */
orig_argc = argc;
@@ -2630,6 +2633,7 @@ main (int argc, char **argv)
opt.verify_options&=~VERIFY_SHOW_PHOTOS;
break;
case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
case oForceV3Sigs: opt.force_v3_sigs = 1; break;
case oNoForceV3Sigs: opt.force_v3_sigs = 0; break;
+ case oFileIsDigest: opt.file_is_digest = 1; break;
case oForceV4Certs: opt.force_v4_certs = 1; break;
case oNoForceV4Certs: opt.force_v4_certs = 0; break;
case oForceMDC: opt.force_mdc = 1; break;
diff -up gnupg-2.0.25/g10/options.h.file-is-digest gnupg-2.0.25/g10/options.h
--- gnupg-2.0.25/g10/options.h.file-is-digest 2014-06-30 17:28:52.000000000 +0200
+++ gnupg-2.0.25/g10/options.h 2014-08-05 16:46:28.869869414 +0200
@@ -198,6 +198,7 @@ struct
case oNoForceMDC: opt.force_mdc = 0; break;
diff -up gnupg-2.1.1/g10/options.h.file-is-digest gnupg-2.1.1/g10/options.h
--- gnupg-2.1.1/g10/options.h.file-is-digest 2014-12-08 15:06:10.000000000 +0100
+++ gnupg-2.1.1/g10/options.h 2015-01-29 16:56:43.046681031 +0100
@@ -192,6 +192,7 @@ struct
int no_auto_check_trustdb;
int preserve_permissions;
int no_homedir_creation;
@ -44,23 +44,25 @@ diff -up gnupg-2.0.25/g10/options.h.file-is-digest gnupg-2.0.25/g10/options.h
struct groupitem *grouplist;
int mangle_dos_filenames;
int enable_progress_filter;
diff -up gnupg-2.0.25/g10/sign.c.file-is-digest gnupg-2.0.25/g10/sign.c
--- gnupg-2.0.25/g10/sign.c.file-is-digest 2014-06-30 17:28:52.000000000 +0200
+++ gnupg-2.0.25/g10/sign.c 2014-08-05 16:46:28.870869438 +0200
@@ -665,8 +665,12 @@ write_signature_packets (SK_LIST sk_list
mk_notation_policy_etc (sig, NULL, sk);
}
diff -up gnupg-2.1.1/g10/sign.c.file-is-digest gnupg-2.1.1/g10/sign.c
--- gnupg-2.1.1/g10/sign.c.file-is-digest 2014-12-15 09:44:05.000000000 +0100
+++ gnupg-2.1.1/g10/sign.c 2015-01-29 17:12:20.820889554 +0100
@@ -706,8 +706,12 @@ write_signature_packets (SK_LIST sk_list
mk_notation_policy_etc (sig, NULL, pk);
}
+ if (!opt.file_is_digest) {
hash_sigversion_to_magic (md, sig);
gcry_md_final (md);
+ } else if (sig->version >= 4) {
+ log_bug("file-is-digest doesn't work with v4 sigs\n");
+ }
- hash_sigversion_to_magic (md, sig);
- gcry_md_final (md);
+ if (!opt.file_is_digest) {
+ hash_sigversion_to_magic (md, sig);
+ gcry_md_final (md);
+ } else if (sig->version >= 4) {
+ log_bug("file-is-digest doesn't work with v4 sigs\n");
+ }
rc = do_sign( sk, sig, md, hash_for (sk) );
gcry_md_close (md);
@@ -723,6 +727,8 @@ sign_file( strlist_t filenames, int deta
rc = do_sign (pk, sig, md, hash_for (pk), cache_nonce);
gcry_md_close (md);
@@ -765,6 +769,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
SK_LIST sk_rover = NULL;
int multifile = 0;
u32 duration=0;
@ -69,7 +71,7 @@ diff -up gnupg-2.0.25/g10/sign.c.file-is-digest gnupg-2.0.25/g10/sign.c
pfx = new_progress_context ();
afx = new_armor_context ();
@@ -739,7 +745,16 @@ sign_file( strlist_t filenames, int deta
@@ -781,7 +787,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
fname = NULL;
if( fname && filenames->next && (!detached || encryptflag) )
@ -87,7 +89,7 @@ diff -up gnupg-2.0.25/g10/sign.c.file-is-digest gnupg-2.0.25/g10/sign.c
if(encryptflag==2
&& (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
@@ -767,7 +782,7 @@ sign_file( strlist_t filenames, int deta
@@ -802,7 +817,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
goto leave;
/* prepare iobufs */
@ -96,16 +98,16 @@ diff -up gnupg-2.0.25/g10/sign.c.file-is-digest gnupg-2.0.25/g10/sign.c
inp = NULL; /* we do it later */
else {
inp = iobuf_open(fname);
@@ -900,7 +915,7 @@ sign_file( strlist_t filenames, int deta
gcry_md_enable (mfx.md, hash_for(sk));
}
@@ -940,7 +955,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
- if( !multifile )
+ if( !multifile && !opt.file_is_digest )
iobuf_push_filter( inp, md_filter, &mfx );
if( detached && !encryptflag && !RFC1991 )
@@ -955,6 +970,8 @@ sign_file( strlist_t filenames, int deta
if( detached && !encryptflag)
@@ -995,6 +1010,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
write_status_begin_signing (mfx.md);
@ -114,7 +116,7 @@ diff -up gnupg-2.0.25/g10/sign.c.file-is-digest gnupg-2.0.25/g10/sign.c
/* Setup the inner packet. */
if( detached ) {
if( multifile ) {
@@ -995,6 +1012,45 @@ sign_file( strlist_t filenames, int deta
@@ -1035,6 +1052,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
if( opt.verbose )
putc( '\n', stderr );
}
@ -160,14 +162,14 @@ diff -up gnupg-2.0.25/g10/sign.c.file-is-digest gnupg-2.0.25/g10/sign.c
else {
/* read, so that the filter can calculate the digest */
while( iobuf_get(inp) != -1 )
@@ -1012,8 +1068,8 @@ sign_file( strlist_t filenames, int deta
@@ -1052,8 +1108,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
/* write the signatures */
rc = write_signature_packets (sk_list, out, mfx.md,
- opt.textmode && !outfile? 0x01 : 0x00,
- 0, duration, detached ? 'D':'S');
- 0, duration, detached ? 'D':'S', NULL);
+ sigclass,
+ timestamp, duration, detached ? 'D':'S');
+ timestamp, duration, detached ? 'D':'S', NULL);
if( rc )
goto leave;

View File

@ -0,0 +1,13 @@
diff -up gnupg-2.1.1/g10/mainproc.c.fips gnupg-2.1.1/g10/mainproc.c
--- gnupg-2.1.1/g10/mainproc.c.fips 2015-01-29 17:19:49.266031504 +0100
+++ gnupg-2.1.1/g10/mainproc.c 2015-01-29 17:27:13.938088122 +0100
@@ -719,7 +719,8 @@ proc_plaintext( CTX c, PACKET *pkt )
according to 2440, so hopefully it won't come up that often.
There is no good way to specify what algorithms to use in
that case, so these there are the historical answer. */
- gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
+ if (!gcry_fips_mode_active())
+ gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
}
if (DBG_HASHING)

View File

@ -1,6 +1,6 @@
diff -up gnupg-2.0.20/sm/certlist.c.keyusage gnupg-2.0.20/sm/certlist.c
--- gnupg-2.0.20/sm/certlist.c.keyusage 2013-05-10 14:55:49.000000000 +0200
+++ gnupg-2.0.20/sm/certlist.c 2013-05-15 14:15:57.420276618 +0200
diff -up gnupg-2.1.1/sm/certlist.c.keyusage gnupg-2.1.1/sm/certlist.c
--- gnupg-2.1.1/sm/certlist.c.keyusage 2014-11-27 11:51:36.000000000 +0100
+++ gnupg-2.1.1/sm/certlist.c 2015-01-29 17:30:57.117135497 +0100
@@ -146,10 +146,9 @@ cert_usage_p (ksba_cert_t cert, int mode
if (mode == 5)

View File

@ -1,7 +1,7 @@
Summary: Utility for secure communication and data storage
Name: gnupg2
Version: 2.0.25
Release: 2%{?dist}
Version: 2.1.1
Release: 1%{?dist}
License: GPLv3+
Group: Applications/System
@ -12,9 +12,9 @@ Source1: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.
Patch1: gnupg-2.0.20-insttools.patch
Patch3: gnupg-2.0.20-secmem.patch
# non-upstreamable patch adding file-is-digest option needed for Copr
Patch4: gnupg-2.0.25-file-is-digest.patch
Patch5: gnupg-2.0.20-ocsp-keyusage.patch
Patch6: gnupg-2.0.19-fips-algo.patch
Patch4: gnupg-2.1.1-file-is-digest.patch
Patch5: gnupg-2.1.1-ocsp-keyusage.patch
Patch6: gnupg-2.1.1-fips-algo.patch
URL: http://www.gnupg.org/
@ -23,14 +23,14 @@ BuildRequires: bzip2-devel
BuildRequires: curl-devel
BuildRequires: docbook-utils
BuildRequires: gettext
BuildRequires: libassuan-devel >= 2.0.0
BuildRequires: libgcrypt-devel >= 1.4
BuildRequires: libgpg-error-devel => 1.4
BuildRequires: libksba-devel >= 1.0.2
BuildRequires: libassuan-devel >= 2.1.0
BuildRequires: libgcrypt-devel >= 1.6.0
BuildRequires: libgpg-error-devel >= 1.16
BuildRequires: libksba-devel >= 1.3.0
BuildRequires: openldap-devel
BuildRequires: libusb-devel
BuildRequires: pcsc-lite-libs
BuildRequires: pth-devel
BuildRequires: npth-devel
BuildRequires: readline-devel ncurses-devel
BuildRequires: zlib-devel
@ -46,6 +46,9 @@ Provides: gnupg = %{version}-%{release}
Obsoletes: gnupg <= 1.4.10
%endif
Provides: dirmngr = %{version}-%{release}
Obsoletes: dirmngr < 1.2.0-1
%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
%package smime
@ -87,13 +90,14 @@ to the base GnuPG package
# it can use other implementations too (including non-pcsc ones).
%global pcsclib %(basename $(ls -1 %{_libdir}/libpcsclite.so.? 2>/dev/null ) 2>/dev/null )
sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/{scdaemon,pcsc-wrapper}.c
sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c
%build
%configure \
--disable-rpath \
--disable-gpgtar \
--enable-standard-socket
# need scratch gpg database for tests
@ -166,6 +170,9 @@ fi
%{_bindir}/gpg-agent
%{_bindir}/gpgconf
%{_bindir}/gpgparsemail
%{_bindir}/g13
%{_bindir}/dirmngr
%{_bindir}/dirmngr-client
%if 0%{?rhel} > 5
%{_bindir}/gpg
%{_bindir}/gpgv
@ -196,6 +203,10 @@ fi
%changelog
* Thu Jan 29 2015 Tomáš Mráz <tmraz@redhat.com> - 2.1.1-1
- new upstream release
- this release now includes the dirmngr which is obsoleted as separate package
* Sat Aug 16 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.25-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild

View File

@ -1,2 +1,2 @@
048d8de797125f1d8e6cf3bdff9e2d12 gnupg-2.0.25.tar.bz2
d474ba42cba833734c6196b7e6f5d853 gnupg-2.0.25.tar.bz2.sig
9a314c3dcef0a091de90b6aa4d467db5 gnupg-2.1.1.tar.bz2
90128fcb4a2fefa81576666361b36aab gnupg-2.1.1.tar.bz2.sig