[gnupg2: 2/2] use AES as default crypto algorithm in FIPS mode (#879047)

Tomáš Mráz tmraz at fedoraproject.org
Thu Nov 22 19:17:49 UTC 2012


commit 5eb4571a5e19177a3d6521be66cd36478fc4bfa7
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Thu Nov 22 20:17:38 2012 +0100

    use AES as default crypto algorithm in FIPS mode (#879047)

 gnupg-2.0.19-fips-algo.patch |   41 +++++++++++++++++++++++++++++++++++++++++
 gnupg2.spec                  |    7 ++++++-
 2 files changed, 47 insertions(+), 1 deletions(-)
---
diff --git a/gnupg-2.0.19-fips-algo.patch b/gnupg-2.0.19-fips-algo.patch
new file mode 100644
index 0000000..4eaea75
--- /dev/null
+++ b/gnupg-2.0.19-fips-algo.patch
@@ -0,0 +1,41 @@
+diff -up gnupg-2.0.19/g10/encode.c.fips gnupg-2.0.19/g10/encode.c
+--- gnupg-2.0.19/g10/encode.c.fips	2012-03-27 10:00:37.000000000 +0200
++++ gnupg-2.0.19/g10/encode.c	2012-11-22 15:51:23.314371267 +0100
+@@ -732,7 +732,7 @@ encrypt_filter( void *opaque, int contro
+ 		if( efx->cfx.dek->algo == -1 ) {
+                     /* because 3DES is implicitly in the prefs, this can only
+                      * happen if we do not have any public keys in the list */
+-		    efx->cfx.dek->algo = DEFAULT_CIPHER_ALGO;
++		    efx->cfx.dek->algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : DEFAULT_CIPHER_ALGO;
+                 }
+ 
+                 /* In case 3DES has been selected, print a warning if
+diff -up gnupg-2.0.19/g10/gpg.c.fips gnupg-2.0.19/g10/gpg.c
+--- gnupg-2.0.19/g10/gpg.c.fips	2012-11-22 15:51:23.308371138 +0100
++++ gnupg-2.0.19/g10/gpg.c	2012-11-22 15:51:23.315371289 +0100
+@@ -1973,7 +1973,7 @@ main (int argc, char **argv)
+     opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */
+     opt.s2k_mode = 3; /* iterated+salted */
+     opt.s2k_count = 0; /* Auto-calibrate when needed.  */
+-    opt.s2k_cipher_algo = CIPHER_ALGO_CAST5;
++    opt.s2k_cipher_algo = gcry_fips_mode_active() ? CIPHER_ALGO_AES : CIPHER_ALGO_CAST5;
+     opt.completes_needed = 1;
+     opt.marginals_needed = 3;
+     opt.max_cert_depth = 5;
+diff -up gnupg-2.0.19/g10/mainproc.c.fips gnupg-2.0.19/g10/mainproc.c
+--- gnupg-2.0.19/g10/mainproc.c.fips	2012-03-27 10:00:37.000000000 +0200
++++ gnupg-2.0.19/g10/mainproc.c	2012-11-22 16:43:51.876084682 +0100
+@@ -685,9 +685,11 @@ proc_plaintext( CTX c, PACKET *pkt )
+ 	   often.  There is no good way to specify what algorithms to
+ 	   use in that case, so these three are the historical
+ 	   answer. */
+-	gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
++	if( !gcry_fips_mode_active() )
++	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_RMD160 );
+ 	gcry_md_enable( c->mfx.md, DIGEST_ALGO_SHA1 );
+-	gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
++	if( !gcry_fips_mode_active() )
++	  gcry_md_enable( c->mfx.md, DIGEST_ALGO_MD5 );
+       }
+     if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) {
+ 	/* This is a kludge to work around a bug in pgp2.  It does only
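Review bot: In the mainproc.c part of this patch, the comment above the gcry_md_enable() calls still reads "these three are the historical answer", yet in FIPS mode only SHA-1 is now enabled. An old-style signature made with MD5 or RIPEMD-160 will then presumably fail to verify, with nothing telling the user the digest was skipped on purpose. I would extend the comment, for example `In FIPS mode only SHA-1 is enabled; MD5 and RIPEMD-160 signatures cannot be checked here.`, and consider a one-time diagnostic when that branch is taken. The pgp2 workaround that begins on the last visible lines is keyed on only_md5 and its body is outside the hunk, so it is worth confirming that it does not set up an MD5 context while gcry_fips_mode_active() is true. The encode.c and gpg.c changes cover only these two defaults; any other use of DEFAULT_CIPHER_ALGO or CIPHER_ALGO_CAST5 outside the visible lines would need the same check.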
diff --git a/gnupg2.spec b/gnupg2.spec
index 26cbad2..f68ef4c 100644
--- a/gnupg2.spec
+++ b/gnupg2.spec
@@ -1,7 +1,7 @@
 Summary: Utility for secure communication and data storage
 Name:    gnupg2
 Version: 2.0.19
-Release: 5%{?dist}
+Release: 6%{?dist}
 
 License: GPLv3+
 Group:   Applications/System
@@ -14,6 +14,7 @@ Patch2:  gnupg-2.0.16-tests-s2kcount.patch
 Patch3:  gnupg-2.0.18-secmem.patch
 Patch4:  gnupg-2.0.18-protect-tool-env.patch
 Patch5:  gnupg-2.0.16-ocsp-keyusage.patch
+Patch6:  gnupg-2.0.19-fips-algo.patch
 
 URL:     http://www.gnupg.org/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -79,6 +80,7 @@ to the base GnuPG package
 %patch3 -p1 -b .secmem
 %patch4 -p1 -b .ptool-env
 %patch5 -p1 -b .keyusage
+%patch6 -p1 -b .fips
 
 # pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
 # Note: this is just the name of the default shared lib to load in scdaemon,
@@ -196,6 +198,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Thu Nov 22 2012 Tomas Mraz <tmraz at redhat.com> - 2.0.19-6
+- use AES as default crypto algorithm in FIPS mode (#879047)
+
 * Fri Nov 16 2012 Jamie Nguyen <jamielinux at fedoraproject.org> - 2.0.19-5
 - rebuild for <f18 (#877106)
 

