File gnupg-add_legacy_FIPS_mode_option.patch of Package gpg2

 doc/gpg.texi |   18 ++++++++++++++++++
 g10/gpg.c    |    9 +++++++++
 2 files changed, 27 insertions(+)

Index: gnupg-2.0.23/doc/gpg.texi
--- gnupg-2.0.23.orig/doc/gpg.texi	2014-06-03 22:22:56.000000000 +0100
+++ gnupg-2.0.23/doc/gpg.texi	2014-06-03 22:25:03.000000000 +0100
@@ -1851,6 +1851,24 @@ implies, this option is for experts only
 understand the implications of what it allows you to do, leave this
 off. @option{--no-expert} disables this option.
+@item --set-legacy-fips
+@itemx --set-legacy-fips
+@opindex set-legacy-fips
+Enable legacy support even when the libgcrypt library is in FIPS 140-2
+mode. The legacy mode of libgcrypt allows the use of all ciphers,
+including non-approved ciphers. This mode is needed when for legacy
+reasons a message must be encrypted or decrypted. Legacy reasons for
+decryptions include the decryption of old messages created with a
+public key that use cipher settings which do not meet FIPS 140-2
+requirements. Legacy reasons for encryption include the encryption
+of messages with a recipients public key where the recipient is not
+bound to FIPS 140-2 regulation and therefore provided a key using
+non-approved ciphers. Although the legacy mode is a violation of strict
+FIPS 140-2 rule interpretations, it is wise to use this mode or
+either not being able to access old messages or not being able
+to create encrypted messages to a recipient that is not adhering
+to FIPS 140-2 rules.
 @end table
Index: gnupg-2.0.23/g10/gpg.c
--- gnupg-2.0.23.orig/g10/gpg.c	2014-06-03 22:24:52.000000000 +0100
+++ gnupg-2.0.23/g10/gpg.c	2014-06-03 22:25:56.000000000 +0100
@@ -369,6 +369,7 @@ enum cmd_and_opt_values
+    oSetLegacyFips,
@@ -746,6 +747,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oAllowMultipleMessages,      "allow-multiple-messages", "@"),
   ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
   ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
+  ARGPARSE_s_n (oSetLegacyFips, "set-legacy-fips", "@"),
   /* These two are aliases to help users of the PGP command line
      product use gpg with minimal pain.  Many commands are common
@@ -2959,6 +2961,13 @@ main (int argc, char **argv)
             opt.flags.allow_weak_digest_algos = 1;
+	  case oSetLegacyFips:
+	    if(gcry_fips_mode_active())
+	      gcry_control (GCRYCTL_INACTIVATE_FIPS_FLAG, "Enable legacy support in FIPS 140-2 mode");
+	    else
+	      log_info ("Command set-legacy-fips ignored as libgcrypt is not in FIPS mode\n");
+	    break;
 	  case oNoop: break;
openSUSE Build Service is sponsored by