Accepting request 295423 from security:privacy


OBS-URL: https://build.opensuse.org/request/show/295423
OBS-URL: https://build.opensuse.org/package/show/Base:System/gpg2?expand=0&rev=100
Andreas Stieger 2015-04-11 19:08:10 +00:00 committed by Git OBS Bridge
parent 16ae325256
commit 036bc4ce34
10 changed files with 62 additions and 216 deletions


@ -1,76 +0,0 @@
From a8116aacd91b7e775762a62c268fab6cc3c77438 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 23 Feb 2015 16:37:57 +0100
Subject: [PATCH] gpg: Skip legacy keys while searching keyrings.
* g10/getkey.c (search_modes_are_fingerprint): New.
(lookup): Skip over legacy keys.
--
GnuPG-bug-id: 1847
Signed-off-by: Werner Koch <wk@gnupg.org>
---
g10/getkey.c | 39 +++++++++++++++++++++++++++++++++++++--
1 file changed, 37 insertions(+), 2 deletions(-)
diff --git a/g10/getkey.c b/g10/getkey.c
index 76ee493..116753c 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -2525,6 +2525,29 @@ found:
}
+/* Return true if all the search modes are fingerprints. */
+static int
+search_modes_are_fingerprint (getkey_ctx_t ctx)
+{
+ size_t n, found;
+
+ for (n=found=0; n < ctx->nitems; n++)
+ {
+ switch (ctx->items[n].mode)
+ {
+ case KEYDB_SEARCH_MODE_FPR16:
+ case KEYDB_SEARCH_MODE_FPR20:
+ case KEYDB_SEARCH_MODE_FPR:
+ found++;
+ break;
+ default:
+ break;
+ }
+ }
+ return found && found == ctx->nitems;
+}
+
+
/* The main function to lookup a key. On success the found keyblock
is stored at RET_KEYBLOCK and also in CTX. If WANT_SECRET is true
a corresponding secret key is required. */
@@ -2534,9 +2557,21 @@ lookup (getkey_ctx_t ctx, kbnode_t *ret_keyblock, int want_secret)
int rc;
int no_suitable_key = 0;
- rc = 0;
- while (!(rc = keydb_search (ctx->kr_handle, ctx->items, ctx->nitems, NULL)))
+ for (;;)
{
+ rc = keydb_search (ctx->kr_handle, ctx->items, ctx->nitems, NULL);
+ /* Skip over all legacy keys but only if they are not requested
+ by fingerprints.
+ Fixme: The lower level keydb code should actually do that but
+ then it would be harder to report the number of skipped
+ legacy keys during import. */
+ if (gpg_err_code (rc) == GPG_ERR_LEGACY_KEY
+ && !(ctx->nitems && ctx->items->mode == KEYDB_SEARCH_MODE_FIRST)
+ && !search_modes_are_fingerprint (ctx))
+ continue;
+ if (rc)
+ break;
+
/* If we are searching for the first key we have to make sure
that the next iteration does not do an implicit reset.
This can be triggered by an empty key ring. */
--
2.1.4


@ -1,14 +1,14 @@
---
g10/gpg.c | 4 +++
g10/options.h | 1
g10/sign.c | 66 +++++++++++++++++++++++++++++++++++++++++++++++++++++-----
3 files changed, 66 insertions(+), 5 deletions(-)
g10/sign.c | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++------
3 files changed, 67 insertions(+), 6 deletions(-)
Index: gnupg-2.1.2/g10/gpg.c
Index: gnupg-2.1.3/g10/gpg.c
===================================================================
--- gnupg-2.1.2.orig/g10/gpg.c
+++ gnupg-2.1.2/g10/gpg.c
@@ -349,6 +349,7 @@ enum cmd_and_opt_values
--- gnupg-2.1.3.orig/g10/gpg.c 2015-04-06 14:03:32.000000000 +0200
+++ gnupg-2.1.3/g10/gpg.c 2015-04-11 20:45:24.000000000 +0200
@@ -352,6 +352,7 @@ enum cmd_and_opt_values
oTTYtype,
oLCctype,
oLCmessages,
@ -16,7 +16,7 @@ Index: gnupg-2.1.2/g10/gpg.c
oXauthority,
oGroup,
oUnGroup,
@@ -730,6 +731,7 @@ static ARGPARSE_OPTS opts[] = {
@@ -738,6 +739,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_s (oPersonalCompressPreferences,
"personal-compress-preferences", "@"),
ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
@ -24,7 +24,7 @@ Index: gnupg-2.1.2/g10/gpg.c
/* Aliases. I constantly mistype these, and assume other people do
as well. */
@@ -2127,6 +2129,7 @@ main (int argc, char **argv)
@@ -2148,6 +2150,7 @@ main (int argc, char **argv)
opt.def_cert_expire = "0";
set_homedir (default_homedir ());
opt.passphrase_repeat = 1;
@ -32,7 +32,7 @@ Index: gnupg-2.1.2/g10/gpg.c
opt.emit_version = 1; /* Limit to the major number. */
/* Check whether we have a config file on the command line. */
@@ -2632,6 +2635,7 @@ main (int argc, char **argv)
@@ -2661,6 +2664,7 @@ main (int argc, char **argv)
opt.verify_options&=~VERIFY_SHOW_PHOTOS;
break;
case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
@ -40,11 +40,11 @@ Index: gnupg-2.1.2/g10/gpg.c
case oForceMDC: opt.force_mdc = 1; break;
case oNoForceMDC: opt.force_mdc = 0; break;
Index: gnupg-2.1.2/g10/options.h
Index: gnupg-2.1.3/g10/options.h
===================================================================
--- gnupg-2.1.2.orig/g10/options.h
+++ gnupg-2.1.2/g10/options.h
@@ -192,6 +192,7 @@ struct
--- gnupg-2.1.3.orig/g10/options.h 2015-04-06 13:41:53.000000000 +0200
+++ gnupg-2.1.3/g10/options.h 2015-04-11 20:45:24.000000000 +0200
@@ -194,6 +194,7 @@ struct
int no_auto_check_trustdb;
int preserve_permissions;
int no_homedir_creation;
@ -52,10 +52,10 @@ Index: gnupg-2.1.2/g10/options.h
struct groupitem *grouplist;
int mangle_dos_filenames;
int enable_progress_filter;
Index: gnupg-2.1.2/g10/sign.c
Index: gnupg-2.1.3/g10/sign.c
===================================================================
--- gnupg-2.1.2.orig/g10/sign.c
+++ gnupg-2.1.2/g10/sign.c
--- gnupg-2.1.3.orig/g10/sign.c 2015-04-05 19:43:32.000000000 +0200
+++ gnupg-2.1.3/g10/sign.c 2015-04-11 20:45:24.000000000 +0200
@@ -41,7 +41,7 @@
#include "pkglue.h"
#include "sysutils.h"
@ -134,7 +134,7 @@ Index: gnupg-2.1.2/g10/sign.c
if( multifile ) {
@@ -1035,6 +1052,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
if( opt.verbose )
putc( '\n', stderr );
log_printf ("\n");
}
+ else if (opt.files_are_digests) {
+ byte *mdb, ts[5];


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:404f5a43d591dfe41f0ffb204b49a1533b67d77bc1fd68febd7e447575616792
size 4832996


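--- /dev/null
+++ b/gnupg-2.1.3.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:213e7fb0d74bb4e53a2d3153f309ddc077528f2cfffa2af85f2a20cc7875c8ed
+size 4875813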

gnupg-2.1.3.tar.bz2.sig Normal file



@ -3,11 +3,11 @@
g10/gpg.c | 9 +++++++++
2 files changed, 27 insertions(+)
Index: gnupg-2.1.1/doc/gpg.texi
Index: gnupg-2.1.3/doc/gpg.texi
===================================================================
--- gnupg-2.1.1.orig/doc/gpg.texi
+++ gnupg-2.1.1/doc/gpg.texi
@@ -1842,6 +1842,24 @@ implies, this option is for experts only
--- gnupg-2.1.3.orig/doc/gpg.texi 2015-04-11 20:48:01.000000000 +0200
+++ gnupg-2.1.3/doc/gpg.texi 2015-04-11 20:48:22.000000000 +0200
@@ -1857,6 +1857,24 @@ implies, this option is for experts only
understand the implications of what it allows you to do, leave this
off. @option{--no-expert} disables this option.
@ -32,19 +32,19 @@ Index: gnupg-2.1.1/doc/gpg.texi
@end table
Index: gnupg-2.1.1/g10/gpg.c
Index: gnupg-2.1.3/g10/gpg.c
===================================================================
--- gnupg-2.1.1.orig/g10/gpg.c
+++ gnupg-2.1.1/g10/gpg.c
@@ -381,6 +381,7 @@ enum cmd_and_opt_values
oAllowWeakDigestAlgos,
--- gnupg-2.1.3.orig/g10/gpg.c 2015-04-11 20:48:01.000000000 +0200
+++ gnupg-2.1.3/g10/gpg.c 2015-04-11 20:48:48.000000000 +0200
@@ -385,6 +385,7 @@ enum cmd_and_opt_values
oFakedSystemTime,
oNoAutostart,
oPrintPKARecords,
+ oSetLegacyFips,
oNoop
};
@@ -769,6 +770,7 @@ static ARGPARSE_OPTS opts[] = {
@@ -777,6 +778,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"),
ARGPARSE_s_n (oNoAllowMultipleMessages, "no-allow-multiple-messages", "@"),
ARGPARSE_s_n (oAllowWeakDigestAlgos, "allow-weak-digest-algos", "@"),
@ -52,7 +52,7 @@ Index: gnupg-2.1.1/g10/gpg.c
/* These two are aliases to help users of the PGP command line
product use gpg with minimal pain. Many commands are common
@@ -3134,6 +3136,13 @@ main (int argc, char **argv)
@@ -3170,6 +3172,13 @@ main (int argc, char **argv)
case oNoAutostart: opt.autostart = 0; break;


@ -1,3 +1,33 @@
-------------------------------------------------------------------
Sat Apr 11 18:59:42 UTC 2015 - astieger@suse.com
- update to 2.1.3:
* gpg: LDAP keyservers are now supported by 2.1.
* gpg: New option --with-icao-spelling.
* gpg: New option --print-pka-records. Changed the PKA method to
use CERT records and hashed names.
* gpg: New command --list-gcrypt-config. New parameter "curve"
for --list-config.
* gpg: Print a NEWSIG status line like gpgsm always did.
* gpg: Print MPI values with --list-packets and --verbose.
* gpg: Write correct MPI lengths with ECC keys.
* gpg: Skip legacy PGP-2 keys while searching.
(drop 0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch
now upstream)
* gpg: Improved searching for mail addresses when using a keybox.
* gpgsm: Changed default algos to AES-128 and SHA-256.
* gpgtar: Fixed extracting files with sizes of a multiple of 512.
* dirmngr: Fixed SNI handling for hkps pools.
(drop hkps-fix-host-name-verification-when-using-pools.patch
now upstream)
* dirmngr: extra-certs and trusted-certs are now always loaded
from the sysconfig dir instead of the homedir.
* Fixed possible problems due to compiler optimization, two minor
regressions, and other bugs.
- refreshed for context changes:
* gnupg-2.0.18-files-are-digests.patch
* gnupg-add_legacy_FIPS_mode_option.patch
-------------------------------------------------------------------
Mon Mar 23 11:48:24 UTC 2015 - idonmez@suse.com


@ -17,7 +17,7 @@
Name: gpg2
Version: 2.1.2
Version: 2.1.3
Release: 0
Summary: GnuPG 2
License: GPL-3.0+
@ -33,8 +33,6 @@ Patch6: gnupg-dont-fail-with-seahorse-agent.patch
Patch8: gnupg-set_umask_before_open_outfile.patch
Patch9: gnupg-detect_FIPS_mode.patch
Patch11: gnupg-add_legacy_FIPS_mode_option.patch
Patch15: 0001-gpg-Skip-legacy-keys-while-searching-keyrings.patch
Patch16: hkps-fix-host-name-verification-when-using-pools.patch
BuildRequires: expect
BuildRequires: fdupes
BuildRequires: gnutls-devel >= 3.0
@ -82,8 +80,6 @@ gpg-agent, and a keybox library.
%patch8 -p1
%patch9 -p1
%patch11 -p1
%patch15 -p1
%patch16 -p1
%build
# build PIEs (position independent executables) for address space randomisation:
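Review bot: The spec's Source lines sit outside the two hunks shown, so it is not visible whether the gnupg-2.1.3.tar.bz2.sig that this commit adds is declared as a Source and verified against a pinned upstream keyring, rather than merely shipped next to the tarball; please confirm, e.g. with a `Source` entry for `gnupg-%{version}.tar.bz2.sig` alongside a keyring `Source` that the build actually checks. Dropping Patch15 and Patch16 together with their `%patch15 -p1` / `%patch16 -p1` lines is consistent with the changelog, which records both fixes as upstream in 2.1.3. The version bump itself is uncontroversial.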


@ -1,104 +0,0 @@
From dc10d466bff53821f23d2cb4814c259d40c5d9c5 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 19 Mar 2015 15:37:05 +0100
Subject: [PATCH] hkps: Fix host name verification when using pools.
* common/http.c (send_request): Set the requested for SNI.
* dirmngr/ks-engine-hkp.c (map_host): Return the poolname and not
the selecting a host.
--
GnuPG-bug-id: 1792
Thanks to davidw for figuring out the problem.
Signed-off-by: Werner Koch <wk@gnupg.org>
---
common/http.c | 6 ++++--
dirmngr/ks-engine-hkp.c | 25 ++++++++++++++++++-------
2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/common/http.c b/common/http.c
index 50c0692..12e3fcb 100644
--- a/common/http.c
+++ b/common/http.c
@@ -1443,7 +1443,8 @@ send_request (http_t hd, const char *httphost, const char *auth,
}
# if HTTP_USE_NTBTLS
- err = ntbtls_set_hostname (hd->session->tls_session, server);
+ err = ntbtls_set_hostname (hd->session->tls_session,
+ hd->session->servername);
if (err)
{
log_info ("ntbtls_set_hostname failed: %s\n", gpg_strerror (err));
@@ -1452,7 +1453,8 @@ send_request (http_t hd, const char *httphost, const char *auth,
# elif HTTP_USE_GNUTLS
rc = gnutls_server_name_set (hd->session->tls_session,
GNUTLS_NAME_DNS,
- server, strlen (server));
+ hd->session->servername,
+ strlen (hd->session->servername));
if (rc < 0)
log_info ("gnutls_server_name_set failed: %s\n", gnutls_strerror (rc));
# endif /*HTTP_USE_GNUTLS*/
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index ea607cb..0568094 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -521,6 +521,14 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
hi = hosttable[idx];
if (hi->pool)
{
+ /* Deal with the pool name before selecting a host. */
+ if (r_poolname && hi->cname)
+ {
+ *r_poolname = xtrystrdup (hi->cname);
+ if (!*r_poolname)
+ return gpg_error_from_syserror ();
+ }
+
/* If the currently selected host is now marked dead, force a
re-selection . */
if (force_reselect)
@@ -536,6 +544,11 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
if (hi->poolidx == -1)
{
log_error ("no alive host found in pool '%s'\n", name);
+ if (r_poolname)
+ {
+ xfree (*r_poolname);
+ *r_poolname = NULL;
+ }
return gpg_error (GPG_ERR_NO_KEYSERVER);
}
}
@@ -548,6 +561,11 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
if (hi->dead)
{
log_error ("host '%s' marked as dead\n", hi->name);
+ if (r_poolname)
+ {
+ xfree (*r_poolname);
+ *r_poolname = NULL;
+ }
return gpg_error (GPG_ERR_NO_KEYSERVER);
}
@@ -564,13 +582,6 @@ map_host (ctrl_t ctrl, const char *name, int force_reselect,
*r_httpflags |= HTTP_FLAG_IGNORE_IPv6;
}
- if (r_poolname && hi->pool && hi->cname)
- {
- *r_poolname = xtrystrdup (hi->cname);
- if (!*r_poolname)
- return gpg_error_from_syserror ();
- }
-
*r_host = xtrystrdup (hi->name);
if (!*r_host)
{
--
2.1.4