rpms
/
gnupg2
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Compare commits

merge into: rpms:c8
Branches Tags
rpms:c8
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:c8-beta
rpms:c8s
rpms:imports/c9/gnupg2-2.3.3-4.el9
rpms:imports/c9-beta/gnupg2-2.3.3-4.el9
rpms:imports/c9-beta/gnupg2-2.3.3-2.el9_0
rpms:imports/c8-beta/gnupg2-2.2.20-3.el8_6
rpms:imports/c9/gnupg2-2.3.3-2.el9_0
rpms:imports/c8/gnupg2-2.2.20-3.el8_6
rpms:imports/c8s/gnupg2-2.2.20-3.el8_6
rpms:imports/c9/gnupg2-2.3.3-1.el9
rpms:imports/c9-beta/gnupg2-2.3.3-1.el9
rpms:imports/c9-beta/gnupg2-2.3.1-3.el9_b
rpms:imports/c8-beta/gnupg2-2.2.20-2.el8
rpms:imports/c8-beta/gnupg2-2.2.9-1.el8
rpms:imports/c8s/gnupg2-2.2.20-2.el8
rpms:imports/c8/gnupg2-2.2.20-2.el8
rpms:imports/c8/gnupg2-2.2.9-1.el8
...
pull from: rpms:c9s
Branches Tags
rpms:c9
rpms:c9-beta
rpms:c9s
rpms:c8-beta
rpms:c8
rpms:c8s
rpms:imports/c9/gnupg2-2.3.3-4.el9
rpms:imports/c9-beta/gnupg2-2.3.3-4.el9
rpms:imports/c9-beta/gnupg2-2.3.3-2.el9_0
rpms:imports/c8-beta/gnupg2-2.2.20-3.el8_6
rpms:imports/c9/gnupg2-2.3.3-2.el9_0
rpms:imports/c8/gnupg2-2.2.20-3.el8_6
rpms:imports/c8s/gnupg2-2.2.20-3.el8_6
rpms:imports/c9/gnupg2-2.3.3-1.el9
rpms:imports/c9-beta/gnupg2-2.3.3-1.el9
rpms:imports/c9-beta/gnupg2-2.3.1-3.el9_b
rpms:imports/c8-beta/gnupg2-2.2.20-2.el8
rpms:imports/c8-beta/gnupg2-2.2.9-1.el8
rpms:imports/c8s/gnupg2-2.2.20-2.el8
rpms:imports/c8/gnupg2-2.2.20-2.el8
rpms:imports/c8/gnupg2-2.2.9-1.el8

No commits in common. "c8" and "c9s" have entirely different histories.
c8 ... c9s

24 changed files with 1159 additions and 655 deletions
Show Stats Expand all files Collapse all files

111
.gitignore vendored
View File

@ -1 +1,110 @@
SOURCES/gnupg-2.2.20.tar.bz2
gnupg-2.0.16.tar.bz2
gnupg-2.0.16.tar.bz2.sig
/gnupg-2.0.17.tar.bz2
/gnupg-2.0.17.tar.bz2.sig
/gnupg-2.0.18.tar.bz2
/gnupg-2.0.18.tar.bz2.sig
/gnupg-2.0.19.tar.bz2
/gnupg-2.0.19.tar.bz2.sig
/gnupg-2.0.20.tar.bz2
/gnupg-2.0.20.tar.bz2.sig
/gnupg-2.0.21.tar.bz2
/gnupg-2.0.21.tar.bz2.sig
/gnupg-2.0.22.tar.bz2
/gnupg-2.0.22.tar.bz2.sig
/gnupg-2.0.24.tar.bz2
/gnupg-2.0.24.tar.bz2.sig
/gnupg-2.0.25.tar.bz2
/gnupg-2.0.25.tar.bz2.sig
/gnupg-2.1.1.tar.bz2
/gnupg-2.1.1.tar.bz2.sig
/gnupg-2.1.2.tar.bz2
/gnupg-2.1.2.tar.bz2.sig
/gnupg-2.1.3.tar.bz2
/gnupg-2.1.3.tar.bz2.sig
/gnupg-2.1.4.tar.bz2
/gnupg-2.1.4.tar.bz2.sig
/gnupg-2.1.5.tar.bz2
/gnupg-2.1.5.tar.bz2.sig
/gnupg-2.1.6.tar.bz2
/gnupg-2.1.6.tar.bz2.sig
/gnupg-2.1.7.tar.bz2
/gnupg-2.1.7.tar.bz2.sig
/gnupg-2.1.8.tar.bz2
/gnupg-2.1.8.tar.bz2.sig
/gnupg-2.1.9.tar.bz2
/gnupg-2.1.9.tar.bz2.sig
/gnupg-2.1.10.tar.bz2
/gnupg-2.1.10.tar.bz2.sig
/gnupg-2.1.11.tar.bz2
/gnupg-2.1.11.tar.bz2.sig
/gnupg-2.1.12.tar.bz2
/gnupg-2.1.12.tar.bz2.sig
/gnupg-2.1.13.tar.bz2
/gnupg-2.1.13.tar.bz2.sig
/gnupg-2.1.16.tar.bz2
/gnupg-2.1.16.tar.bz2.sig
/gnupg-2.1.17.tar.bz2
/gnupg-2.1.17.tar.bz2.sig
/gnupg-2.1.18.tar.bz2
/gnupg-2.1.18.tar.bz2.sig
/gnupg-2.1.19.tar.bz2
/gnupg-2.1.19.tar.bz2.sig
/gnupg-2.1.20.tar.bz2
/gnupg-2.1.20.tar.bz2.sig
/gnupg-2.1.21.tar.bz2
/gnupg-2.1.21.tar.bz2.sig
/gnupg-2.1.22.tar.bz2
/gnupg-2.1.22.tar.bz2.sig
/gnupg-2.2.0.tar.bz2
/gnupg-2.2.0.tar.bz2.sig
/gnupg-2.2.1.tar.bz2
/gnupg-2.2.1.tar.bz2.sig
/gnupg-2.2.2.tar.bz2
/gnupg-2.2.2.tar.bz2.sig
/gnupg-2.2.3.tar.bz2
/gnupg-2.2.3.tar.bz2.sig
/gnupg-2.2.4.tar.bz2
/gnupg-2.2.4.tar.bz2.sig
/gnupg-2.2.5.tar.bz2
/gnupg-2.2.5.tar.bz2.sig
/gnupg-2.2.6.tar.bz2
/gnupg-2.2.6.tar.bz2.sig
/gnupg-2.2.8.tar.bz2
/gnupg-2.2.8.tar.bz2.sig
/gnupg-2.2.9.tar.bz2
/gnupg-2.2.9.tar.bz2.sig
/gnupg-2.2.11.tar.bz2
/gnupg-2.2.11.tar.bz2.sig
/gnupg-2.2.12.tar.bz2
/gnupg-2.2.12.tar.bz2.sig
/gnupg-2.2.13.tar.bz2
/gnupg-2.2.13.tar.bz2.sig
/gnupg-2.2.16.tar.bz2
/gnupg-2.2.16.tar.bz2.sig
/gnupg-2.2.17.tar.bz2
/gnupg-2.2.17.tar.bz2.sig
/gnupg-2.2.18.tar.bz2
/gnupg-2.2.18.tar.bz2.sig
/gnupg-2.2.19.tar.bz2
/gnupg-2.2.19.tar.bz2.sig
/gnupg-2.2.20.tar.bz2
/gnupg-2.2.20.tar.bz2.sig
/gnupg-2.2.21.tar.bz2
/gnupg-2.2.21.tar.bz2.sig
/gnupg-2.2.23.tar.bz2
/gnupg-2.2.23.tar.bz2.sig
/gnupg-2.2.24.tar.bz2
/gnupg-2.2.24.tar.bz2.sig
/gnupg-2.2.25.tar.bz2
/gnupg-2.2.25.tar.bz2.sig
/gnupg-2.2.26.tar.bz2
/gnupg-2.2.26.tar.bz2.sig
/gnupg-2.2.27.tar.bz2
/gnupg-2.2.27.tar.bz2.sig
/gnupg-2.3.0.tar.bz2
/gnupg-2.3.0.tar.bz2.sig
/gnupg-2.3.1.tar.bz2
/gnupg-2.3.1.tar.bz2.sig
/gnupg-2.3.3.tar.bz2
/gnupg-2.3.3.tar.bz2.sig

3
.gnupg2.metadata
View File

@ -1 +1,2 @@
d5290f0781df5dc83302127d6065fb59b35e53d7 SOURCES/gnupg-2.2.20.tar.bz2
b19a407076424704f1b00e8265254de1b3061659 gnupg-2.3.3.tar.bz2
38fed91a8c4b3ba09977ab06567395448b6f1242 gnupg-2.3.3.tar.bz2.sig

13
SOURCES/gnupg-2.1.1-fips-algo.patch
View File

@ -1,13 +0,0 @@
diff -up gnupg-2.1.1/g10/mainproc.c.fips gnupg-2.1.1/g10/mainproc.c
--- gnupg-2.1.1/g10/mainproc.c.fips 2015-01-29 17:19:49.266031504 +0100
+++ gnupg-2.1.1/g10/mainproc.c 2015-01-29 17:27:13.938088122 +0100
@@ -719,7 +719,8 @@ proc_plaintext( CTX c, PACKET *pkt )
according to 2440, so hopefully it won't come up that often.
There is no good way to specify what algorithms to use in
that case, so these there are the historical answer. */
- gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
+ if (!gcry_fips_mode_active())
+ gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
}
if (DBG_HASHING)

62
SOURCES/gnupg-2.1.21-insttools.patch
View File

@ -1,62 +0,0 @@
diff -up gnupg-2.1.21/tools/Makefile.am.insttools gnupg-2.1.21/tools/Makefile.am
--- gnupg-2.1.21/tools/Makefile.am.insttools 2017-04-03 17:13:56.000000000 +0200
+++ gnupg-2.1.21/tools/Makefile.am 2017-07-18 12:10:59.431729640 +0200
@@ -35,8 +35,8 @@ AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ER
sbin_SCRIPTS = addgnupghome applygnupgdefaults
if HAVE_USTAR
-# bin_SCRIPTS += gpg-zip
-noinst_SCRIPTS = gpg-zip
+bin_PROGRAMS += gpg-zip
+#noinst_SCRIPTS = gpg-zip
endif
if BUILD_SYMCRYPTRUN
@@ -53,7 +53,7 @@ endif
libexec_PROGRAMS = gpg-wks-client
-bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun}
+bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun} gpgsplit
if !HAVE_W32_SYSTEM
bin_PROGRAMS += watchgnupg gpgparsemail ${gpg_wks_server}
endif
@@ -63,7 +63,7 @@ libexec_PROGRAMS += gpg-check-pattern
endif
if !HAVE_W32CE_SYSTEM
-noinst_PROGRAMS = clean-sat make-dns-cert gpgsplit
+noinst_PROGRAMS = clean-sat make-dns-cert
endif
if !HAVE_W32CE_SYSTEM
diff -up gnupg-2.1.21/tools/Makefile.in.insttools gnupg-2.1.21/tools/Makefile.in
--- gnupg-2.1.21/tools/Makefile.in.insttools 2017-05-15 16:15:04.000000000 +0200
+++ gnupg-2.1.21/tools/Makefile.in 2017-07-18 12:12:17.907734745 +0200
@@ -137,13 +137,13 @@ DIST_COMMON = $(top_srcdir)/am/cmacros.a
@GNUPG_DIRMNGR_LDAP_PGM_TRUE@am__append_7 = -DGNUPG_DEFAULT_DIRMNGR_LDAP="\"@GNUPG_DIRMNGR_LDAP_PGM@\""
@HAVE_W32_SYSTEM_TRUE@am__append_8 = gpg-connect-agent-w32info.o
libexec_PROGRAMS = gpg-wks-client$(EXEEXT) $(am__EXEEXT_5)
-bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) \
+bin_PROGRAMS = gpgconf$(EXEEXT) gpg-connect-agent$(EXEEXT) gpgsplit$(EXEEXT) \
$(am__EXEEXT_1) $(am__EXEEXT_3) $(am__EXEEXT_4)
@HAVE_W32_SYSTEM_FALSE@am__append_9 = watchgnupg gpgparsemail ${gpg_wks_server}
@DISABLE_REGEX_FALSE@am__append_10 = gpg-check-pattern
@HAVE_W32CE_SYSTEM_FALSE@noinst_PROGRAMS = clean-sat$(EXEEXT) \
@HAVE_W32CE_SYSTEM_FALSE@ make-dns-cert$(EXEEXT) \
-@HAVE_W32CE_SYSTEM_FALSE@ gpgsplit$(EXEEXT) $(am__EXEEXT_6)
+@HAVE_W32CE_SYSTEM_FALSE@ $(am__EXEEXT_6)
@BUILD_GPGTAR_TRUE@@HAVE_W32CE_SYSTEM_FALSE@am__append_11 = gpgtar
@BUILD_GPGTAR_FALSE@@HAVE_W32CE_SYSTEM_FALSE@am__append_12 = gpgtar
subdir = tools
@@ -582,8 +582,8 @@ libcommontlsnpth = ../common/libcommontl
AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) $(LIBASSUAN_CFLAGS)
sbin_SCRIPTS = addgnupghome applygnupgdefaults
-# bin_SCRIPTS += gpg-zip
-@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip
+@HAVE_USTAR_TRUE@bin_PROGRAMS += gpg-zip
+#@HAVE_USTAR_TRUE@noinst_SCRIPTS = gpg-zip
@BUILD_SYMCRYPTRUN_FALSE@symcryptrun =
@BUILD_SYMCRYPTRUN_TRUE@symcryptrun = symcryptrun
@BUILD_WKS_TOOLS_FALSE@gpg_wks_server =

12
SOURCES/gnupg-2.1.21-large-rsa.patch
View File

@ -1,12 +0,0 @@
diff -up gnupg-2.1.21/g10/keygen.c.large-rsa gnupg-2.1.21/g10/keygen.c
--- gnupg-2.1.21/g10/keygen.c.large-rsa 2017-05-15 14:13:22.000000000 +0200
+++ gnupg-2.1.21/g10/keygen.c 2017-07-18 16:12:37.738895016 +0200
@@ -2091,7 +2091,7 @@ get_keysize_range (int algo, unsigned in
default:
*min = opt.compliance == CO_DE_VS ? 2048: 1024;
- *max = 4096;
+ *max = opt.flags.large_rsa == 1 ? 8192 : 4096;
def = 2048;
break;
}

17
SOURCES/gnupg-2.2.16-ocsp-keyusage.patch
View File

@ -1,17 +0,0 @@
diff -up gnupg-2.2.16/sm/certlist.c.keyusage gnupg-2.2.16/sm/certlist.c
--- gnupg-2.2.16/sm/certlist.c.keyusage 2019-07-01 17:17:06.925254065 +0200
+++ gnupg-2.2.16/sm/certlist.c 2019-07-01 17:24:15.665759322 +0200
@@ -147,10 +147,9 @@ cert_usage_p (ksba_cert_t cert, int mode
if (mode == 5)
{
- if (use != ~0
- && (have_ocsp_signing
- || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
- |KSBA_KEYUSAGE_CRL_SIGN))))
+ if (have_ocsp_signing
+ || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
+ |KSBA_KEYUSAGE_CRL_SIGN)))
return 0;
if (!silent)
log_info (_("certificate should not have "

319
SOURCES/gnupg-2.2.20-coverity.patch
View File

@ -1,319 +0,0 @@
diff -up gnupg-2.2.20/common/server-help.c.coverity gnupg-2.2.20/common/server-help.c
--- gnupg-2.2.20/common/server-help.c.coverity 2019-02-11 10:59:34.000000000 +0100
+++ gnupg-2.2.20/common/server-help.c 2020-05-04 12:00:01.085945639 +0200
@@ -156,7 +156,7 @@ get_option_value (char *line, const char
*pend = 0;
*r_value = xtrystrdup (p);
*pend = c;
- if (!p)
+ if (!*r_value)
return my_error_from_syserror ();
return 0;
}
diff -up gnupg-2.2.20/dirmngr/dns.c.coverity gnupg-2.2.20/dirmngr/dns.c
--- gnupg-2.2.20/dirmngr/dns.c.coverity 2019-07-09 11:08:45.000000000 +0200
+++ gnupg-2.2.20/dirmngr/dns.c 2020-05-04 18:04:12.285521661 +0200
@@ -10106,9 +10106,8 @@ static const struct {
{ "AR", DNS_S_ADDITIONAL },
};
-const char *(dns_strsection)(enum dns_section section) {
- char _dst[DNS_STRMAXLEN + 1] = { 0 };
- struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
+const char *(dns_strsection)(enum dns_section section, void *_dst, size_t lim) {
+ struct dns_buf dst = DNS_B_INTO(_dst, lim);
unsigned i;
for (i = 0; i < lengthof(dns_sections); i++) {
@@ -10156,9 +10155,8 @@ static const struct {
{ "IN", DNS_C_IN },
};
-const char *(dns_strclass)(enum dns_class type) {
- char _dst[DNS_STRMAXLEN + 1] = { 0 };
- struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
+const char *(dns_strclass)(enum dns_class type, void *_dst, size_t lim) {
+ struct dns_buf dst = DNS_B_INTO(_dst, lim);
unsigned i;
for (i = 0; i < lengthof(dns_classes); i++) {
@@ -10193,9 +10191,8 @@ enum dns_class dns_iclass(const char *na
} /* dns_iclass() */
-const char *(dns_strtype)(enum dns_type type) {
- char _dst[DNS_STRMAXLEN + 1] = { 0 };
- struct dns_buf dst = DNS_B_INTO(_dst, sizeof _dst);
+const char *(dns_strtype)(enum dns_type type, void *_dst, size_t lim) {
+ struct dns_buf dst = DNS_B_INTO(_dst, lim);
unsigned i;
for (i = 0; i < lengthof(dns_rrtypes); i++) {
diff -up gnupg-2.2.20/dirmngr/dns.h.coverity gnupg-2.2.20/dirmngr/dns.h
--- gnupg-2.2.20/dirmngr/dns.h.coverity 2019-03-07 13:03:26.000000000 +0100
+++ gnupg-2.2.20/dirmngr/dns.h 2020-05-04 18:04:12.287521625 +0200
@@ -272,15 +272,25 @@ enum dns_rcode {
*/
#define DNS_STRMAXLEN 47 /* "QUESTION|ANSWER|AUTHORITY|ADDITIONAL" */
-DNS_PUBLIC const char *dns_strsection(enum dns_section);
+DNS_PUBLIC const char *dns_strsection(enum dns_section, void *, size_t);
+#define dns_strsection3(a, b, c) \
+ dns_strsection((a), (b), (c))
+#define dns_strsection1(a) dns_strsection((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
+#define dns_strsection(...) DNS_PP_CALL(DNS_PP_XPASTE(dns_strsection, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
DNS_PUBLIC enum dns_section dns_isection(const char *);
-DNS_PUBLIC const char *dns_strclass(enum dns_class);
+DNS_PUBLIC const char *dns_strclass(enum dns_class, void *, size_t);
+#define dns_strclass3(a, b, c) dns_strclass((a), (b), (c))
+#define dns_strclass1(a) dns_strclass((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
+#define dns_strclass(...) DNS_PP_CALL(DNS_PP_XPASTE(dns_strclass, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
DNS_PUBLIC enum dns_class dns_iclass(const char *);
-DNS_PUBLIC const char *dns_strtype(enum dns_type);
+DNS_PUBLIC const char *dns_strtype(enum dns_type, void *, size_t);
+#define dns_strtype3(a, b, c) dns_strtype((a), (b), (c))
+#define dns_strtype1(a) dns_strtype((a), (char [DNS_STRMAXLEN + 1]){ 0 }, DNS_STRMAXLEN + 1)
+#define dns_strtype(...) DNS_PP_CALL(DNS_PP_XPASTE(dns_strtype, DNS_PP_NARG(__VA_ARGS__)), __VA_ARGS__)
DNS_PUBLIC enum dns_type dns_itype(const char *);
diff -up gnupg-2.2.20/dirmngr/domaininfo.c.coverity gnupg-2.2.20/dirmngr/domaininfo.c
--- gnupg-2.2.20/dirmngr/domaininfo.c.coverity 2019-07-09 11:08:45.000000000 +0200
+++ gnupg-2.2.20/dirmngr/domaininfo.c 2020-05-04 17:54:30.800899152 +0200
@@ -193,6 +193,7 @@ insert_or_update (const char *domain,
log_error ("domaininfo: error allocating helper array: %s\n",
gpg_strerror (gpg_err_code_from_syserror ()));
drop_extra = bucket;
+ xfree (di_new);
goto leave;
}
narray = 0;
@@ -258,6 +259,8 @@ insert_or_update (const char *domain,
* sensible strategy. */
drop_extra = domainbuckets[hash];
domainbuckets[hash] = keep;
+
+ xfree (array);
}
/* Insert */
diff -up gnupg-2.2.20/dirmngr/http.c.coverity gnupg-2.2.20/dirmngr/http.c
--- gnupg-2.2.20/dirmngr/http.c.coverity 2019-11-18 18:44:33.000000000 +0100
+++ gnupg-2.2.20/dirmngr/http.c 2020-05-04 17:00:47.826878715 +0200
@@ -3656,7 +3656,6 @@ http_prepare_redirect (http_redir_info_t
if (!newurl)
{
err = gpg_error_from_syserror ();
- http_release_parsed_uri (locuri);
return err;
}
}
@@ -3675,7 +3674,6 @@ http_prepare_redirect (http_redir_info_t
if (!newurl)
{
err = gpg_error_from_syserror ();
- http_release_parsed_uri (locuri);
return err;
}
}
diff -up gnupg-2.2.20/dirmngr/ks-engine-hkp.c.coverity gnupg-2.2.20/dirmngr/ks-engine-hkp.c
--- gnupg-2.2.20/dirmngr/ks-engine-hkp.c.coverity 2019-11-18 18:44:33.000000000 +0100
+++ gnupg-2.2.20/dirmngr/ks-engine-hkp.c 2020-05-04 12:39:49.970920664 +0200
@@ -1426,7 +1426,7 @@ ks_hkp_search (ctrl_t ctrl, parsed_uri_t
int reselect;
unsigned int httpflags;
char *httphost = NULL;
- unsigned int http_status;
+ unsigned int http_status = 0;
unsigned int tries = SEND_REQUEST_RETRIES;
unsigned int extra_tries = SEND_REQUEST_EXTRA_RETRIES;
diff -up gnupg-2.2.20/g10/card-util.c.coverity gnupg-2.2.20/g10/card-util.c
--- gnupg-2.2.20/g10/card-util.c.coverity 2020-03-03 13:33:22.000000000 +0100
+++ gnupg-2.2.20/g10/card-util.c 2020-05-04 16:56:47.788157786 +0200
@@ -704,7 +704,7 @@ card_status (ctrl_t ctrl, estream_t fp,
{
int err;
strlist_t card_list, sl;
- char *serialno0, *serialno1;
+ char *serialno0, *serialno1 = NULL;
int all_cards = 0;
int any_card = 0;
@@ -749,6 +749,7 @@ card_status (ctrl_t ctrl, estream_t fp,
current_card_status (ctrl, fp, NULL, 0);
xfree (serialno1);
+ serialno1 = NULL;
if (!all_cards)
goto leave;
diff -up gnupg-2.2.20/g10/import.c.coverity gnupg-2.2.20/g10/import.c
--- gnupg-2.2.20/g10/import.c.coverity 2020-05-04 12:34:39.820379830 +0200
+++ gnupg-2.2.20/g10/import.c 2020-05-04 12:34:55.366106195 +0200
@@ -1888,7 +1888,7 @@ import_one_real (ctrl_t ctrl,
if (opt.interactive && !silent)
{
- if (is_status_enabled())
+ if (uidnode && is_status_enabled())
print_import_check (pk, uidnode->pkt->pkt.user_id);
merge_keys_and_selfsig (ctrl, keyblock);
tty_printf ("\n");
diff -up gnupg-2.2.20/g10/keygen.c.coverity gnupg-2.2.20/g10/keygen.c
--- gnupg-2.2.20/g10/keygen.c.coverity 2020-05-04 12:23:04.852613017 +0200
+++ gnupg-2.2.20/g10/keygen.c 2020-05-04 17:33:18.923891110 +0200
@@ -3075,7 +3075,7 @@ parse_key_parameter_part (ctrl_t ctrl,
char *endp;
const char *curve = NULL;
int ecdh_or_ecdsa = 0;
- unsigned int size;
+ unsigned int size = 0;
int keyuse;
int i;
const char *s;
@@ -5719,12 +5719,20 @@ gen_card_key (int keyno, int algo, int i
the self-signatures. */
err = agent_readkey (NULL, 1, keyid, &public);
if (err)
- return err;
+ {
+ xfree (pkt);
+ xfree (pk);
+ return err;
+ }
err = gcry_sexp_sscan (&s_key, NULL, public,
gcry_sexp_canon_len (public, 0, NULL, NULL));
xfree (public);
if (err)
- return err;
+ {
+ xfree (pkt);
+ xfree (pk);
+ return err;
+ }
if (algo == PUBKEY_ALGO_RSA)
err = key_from_sexp (pk->pkey, s_key, "public-key", "ne");
@@ -5739,6 +5747,7 @@ gen_card_key (int keyno, int algo, int i
if (err)
{
log_error ("key_from_sexp failed: %s\n", gpg_strerror (err) );
+ xfree (pkt);
free_public_key (pk);
return err;
}
diff -up gnupg-2.2.20/g10/sig-check.c.coverity gnupg-2.2.20/g10/sig-check.c
--- gnupg-2.2.20/g10/sig-check.c.coverity 2020-05-04 12:18:18.515653963 +0200
+++ gnupg-2.2.20/g10/sig-check.c 2020-05-04 12:18:33.599388425 +0200
@@ -902,6 +902,7 @@ check_signature_over_key_or_uid (ctrl_t
{
/* Issued by a subkey. */
signer = subk;
+ *is_selfsig = 1;
break;
}
}
diff -up gnupg-2.2.20/g10/sign.c.coverity gnupg-2.2.20/g10/sign.c
--- gnupg-2.2.20/g10/sign.c.coverity 2020-04-30 11:56:43.909360043 +0200
+++ gnupg-2.2.20/g10/sign.c 2020-05-04 12:08:56.651544958 +0200
@@ -823,7 +823,7 @@ write_signature_packets (ctrl_t ctrl,
PKT_public_key *pk;
PKT_signature *sig;
gcry_md_hd_t md;
- gpg_error_t err;
+ gpg_error_t err = 0;
pk = sk_rover->pk;
diff -up gnupg-2.2.20/kbx/keybox-dump.c.coverity gnupg-2.2.20/kbx/keybox-dump.c
--- gnupg-2.2.20/kbx/keybox-dump.c.coverity 2019-08-23 15:59:06.000000000 +0200
+++ gnupg-2.2.20/kbx/keybox-dump.c 2020-05-04 17:25:53.365946213 +0200
@@ -786,11 +786,15 @@ _keybox_dump_cut_records (const char *fi
while ( !(rc = _keybox_read_blob (&blob, fp, NULL)) )
{
if (recno > to)
- break; /* Ready. */
+ {
+ _keybox_release_blob (blob);
+ break; /* Ready. */
+ }
if (recno >= from)
{
if ((rc = _keybox_write_blob (blob, outfp)))
{
+ _keybox_release_blob (blob);
fprintf (stderr, "error writing output: %s\n",
gpg_strerror (rc));
goto leave;
diff -up gnupg-2.2.20/tools/gpg-wks-server.c.coverity gnupg-2.2.20/tools/gpg-wks-server.c
--- gnupg-2.2.20/tools/gpg-wks-server.c.coverity 2020-02-10 16:12:13.000000000 +0100
+++ gnupg-2.2.20/tools/gpg-wks-server.c 2020-05-04 11:52:42.547643198 +0200
@@ -890,15 +890,18 @@ store_key_as_pending (const char *dir, e
}
leave:
- if (err)
+ if (fname)
{
- es_fclose (outfp);
- gnupg_remove (fname);
- }
- else if (es_fclose (outfp))
- {
- err = gpg_error_from_syserror ();
- log_error ("error closing '%s': %s\n", fname, gpg_strerror (err));
+ if (err)
+ {
+ es_fclose (outfp);
+ gnupg_remove (fname);
+ }
+ else if (es_fclose (outfp))
+ {
+ err = gpg_error_from_syserror ();
+ log_error ("error closing '%s': %s\n", fname, gpg_strerror (err));
+ }
}
if (!err)
diff -up gnupg-2.2.20/tools/wks-util.c.coverity gnupg-2.2.20/tools/wks-util.c
--- gnupg-2.2.20/tools/wks-util.c.coverity 2020-05-04 12:02:21.839475031 +0200
+++ gnupg-2.2.20/tools/wks-util.c 2020-05-04 17:23:19.552726949 +0200
@@ -948,7 +948,7 @@ ensure_policy_file (const char *addrspec
static gpg_error_t
install_key_from_spec_file (const char *fname)
{
- gpg_error_t err;
+ gpg_error_t err = 0;
estream_t fp;
char *line = NULL;
size_t linelen = 0;
@@ -1195,10 +1195,8 @@ wks_cmd_print_wkd_hash (const char *user
char *addrspec, *fname;
err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
- if (err)
- return err;
-
- es_printf ("%s %s\n", fname, addrspec);
+ if (!err)
+ es_printf ("%s %s\n", fname, addrspec);
xfree (fname);
xfree (addrspec);
@@ -1216,7 +1214,10 @@ wks_cmd_print_wkd_url (const char *useri
err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
if (err)
- return err;
+ {
+ xfree (addrspec);
+ return err;
+ }
domain = strchr (addrspec, '@');
if (domain)

191
SOURCES/gnupg-2.2.20-file-is-digest.patch
View File

@ -1,191 +0,0 @@
diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c
--- gnupg-2.2.20/g10/gpg.c.file-is-digest 2020-04-14 16:33:42.630269318 +0200
+++ gnupg-2.2.20/g10/gpg.c 2020-04-14 16:34:46.455100086 +0200
@@ -380,6 +380,7 @@ enum cmd_and_opt_values
oTTYtype,
oLCctype,
oLCmessages,
+ oFileIsDigest,
oXauthority,
oGroup,
oUnGroup,
@@ -831,6 +832,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_s (oPersonalCompressPreferences,
"personal-compress-preferences", "@"),
ARGPARSE_s_s (oFakedSystemTime, "faked-system-time", "@"),
+ ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"),
ARGPARSE_s_s (oWeakDigest, "weak-digest","@"),
ARGPARSE_s_n (oUnwrap, "unwrap", "@"),
ARGPARSE_s_n (oOnlySignTextIDs, "only-sign-text-ids", "@"),
@@ -2419,6 +2421,7 @@ main (int argc, char **argv)
opt.keyid_format = KF_NONE;
opt.def_sig_expire = "0";
opt.def_cert_expire = "0";
+ opt.file_is_digest = 0;
gnupg_set_homedir (NULL);
opt.passphrase_repeat = 1;
opt.emit_version = 0;
@@ -2997,6 +3000,7 @@ main (int argc, char **argv)
opt.verify_options&=~VERIFY_SHOW_PHOTOS;
break;
case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
+ case oFileIsDigest: opt.file_is_digest = 1; break;
case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
case oIncludeKeyBlock: opt.flags.include_key_block = 1; break;
diff -up gnupg-2.2.20/g10/options.h.file-is-digest gnupg-2.2.20/g10/options.h
--- gnupg-2.2.20/g10/options.h.file-is-digest 2020-03-14 19:54:05.000000000 +0100
+++ gnupg-2.2.20/g10/options.h 2020-04-14 16:33:42.634269245 +0200
@@ -202,6 +202,7 @@ struct
int no_auto_check_trustdb;
int preserve_permissions;
int no_homedir_creation;
+ int file_is_digest;
struct groupitem *grouplist;
int mangle_dos_filenames;
int enable_progress_filter;
diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
--- gnupg-2.2.20/g10/sign.c.file-is-digest 2020-03-14 19:35:46.000000000 +0100
+++ gnupg-2.2.20/g10/sign.c 2020-04-14 16:36:54.661751422 +0200
@@ -40,6 +40,7 @@
#include "pkglue.h"
#include "../common/sysutils.h"
#include "call-agent.h"
+#include "../common/host2net.h"
#include "../common/mbox-util.h"
#include "../common/compliance.h"
@@ -834,6 +835,8 @@ write_signature_packets (ctrl_t ctrl,
if (duration || opt.sig_policy_url
|| opt.sig_notations || opt.sig_keyserver_url)
sig->version = 4;
+ else if (opt.file_is_digest)
+ sig->version = 3;
else
sig->version = pk->version;
@@ -860,8 +863,11 @@ write_signature_packets (ctrl_t ctrl,
else
err = 0;
}
- hash_sigversion_to_magic (md, sig);
- gcry_md_final (md);
+
+ if (!opt.file_is_digest) {
+ hash_sigversion_to_magic (md, sig);
+ gcry_md_final (md);
+ }
if (!err)
err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
@@ -924,6 +930,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
SK_LIST sk_rover = NULL;
int multifile = 0;
u32 duration=0;
+ int sigclass = 0x00;
+ u32 timestamp = 0;
pfx = new_progress_context ();
afx = new_armor_context ();
@@ -941,7 +949,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
fname = NULL;
if( fname && filenames->next && (!detached || encryptflag) )
- log_bug("multiple files can only be detached signed");
+ log_bug("multiple files can only be detached signed\n");
+
+ if (opt.file_is_digest && (multifile || !fname))
+ log_bug("file-is-digest only works with one file\n");
+ if (opt.file_is_digest && !detached)
+ log_bug("file-is-digest can only write detached signatures\n");
+ if (opt.file_is_digest && !opt.def_digest_algo)
+ log_bug("file-is-digest needs --digest-algo\n");
+ if (opt.file_is_digest && opt.textmode)
+ log_bug("file-is-digest doesn't work with --textmode\n");
if(encryptflag==2
&& (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek)))
@@ -962,7 +979,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
goto leave;
/* prepare iobufs */
- if( multifile ) /* have list of filenames */
+ if( multifile || opt.file_is_digest) /* have list of filenames */
inp = NULL; /* we do it later */
else {
inp = iobuf_open(fname);
@@ -1100,7 +1117,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
- if( !multifile )
+ if( !multifile && !opt.file_is_digest )
iobuf_push_filter( inp, md_filter, &mfx );
if( detached && !encryptflag)
@@ -1155,6 +1172,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
write_status_begin_signing (mfx.md);
+ sigclass = opt.textmode && !outfile? 0x01 : 0x00;
+
/* Setup the inner packet. */
if( detached ) {
if( multifile ) {
@@ -1195,6 +1214,45 @@ sign_file (ctrl_t ctrl, strlist_t filena
if( opt.verbose )
log_printf ("\n");
}
+ else if (opt.file_is_digest) {
+ byte *mdb, ts[5];
+ size_t mdlen;
+ const char *fp;
+ int c, d;
+
+ gcry_md_final(mfx.md);
+ /* this assumes gcry_md_read returns the same buffer */
+ mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
+ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
+ if (strlen(fname) != mdlen * 2 + 11)
+ log_bug("digests must be %zu + @ + 5 bytes\n", mdlen);
+ d = -1;
+ for (fp = fname ; *fp; ) {
+ c = *fp++;
+ if (c >= '0' && c <= '9')
+ c -= '0';
+ else if (c >= 'a' && c <= 'f')
+ c -= 'a' - 10;
+ else if (c >= 'A' && c <= 'F')
+ c -= 'A' - 10;
+ else
+ log_bug("filename is not hex\n");
+ if (d >= 0) {
+ *mdb++ = d << 4 | c;
+ c = -1;
+ if (--mdlen == 0) {
+ mdb = ts;
+ if (*fp++ != '@')
+ log_bug("missing time separator\n");
+ }
+ }
+ d = c;
+ }
+ sigclass = ts[0];
+ if (sigclass != 0x00 && sigclass != 0x01)
+ log_bug("bad cipher class\n");
+ timestamp = buf32_to_u32(ts + 1);
+ }
else {
/* read, so that the filter can calculate the digest */
while( iobuf_get(inp) != -1 )
@@ -1213,8 +1271,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
/* write the signatures */
rc = write_signature_packets (ctrl, sk_list, out, mfx.md,
- opt.textmode && !outfile? 0x01 : 0x00,
- 0, duration, detached ? 'D':'S', NULL);
+ sigclass,
+ timestamp, duration, detached ? 'D':'S', NULL);
if( rc )
goto leave;

BIN
SOURCES/gnupg-2.2.20.tar.bz2.sig
View File

Binary file not shown.

7
gating.yaml Normal file
View File

@ -0,0 +1,7 @@
--- !Policy
product_versions:
- rhel-9
decision_context: osci_compose_gate
rules:
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tier1.functional}
- !PassingTestCaseRule {test_case_name: baseos-ci.brew-build.tedude.validation}

54
gnupg-2.1.1-fips-algo.patch Normal file
View File

@ -0,0 +1,54 @@
diff -up gnupg-2.1.1/g10/mainproc.c.fips gnupg-2.1.1/g10/mainproc.c
--- gnupg-2.1.1/g10/mainproc.c.fips 2015-01-29 17:19:49.266031504 +0100
+++ gnupg-2.1.1/g10/mainproc.c 2015-01-29 17:27:13.938088122 +0100
@@ -719,7 +719,8 @@ proc_plaintext( CTX c, PACKET *pkt )
according to 2440, so hopefully it won't come up that often.
There is no good way to specify what algorithms to use in
that case, so these there are the historical answer. */
- gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
+ if (!gcry_fips_mode_active())
+ gcry_md_enable (c->mfx.md, DIGEST_ALGO_RMD160);
gcry_md_enable (c->mfx.md, DIGEST_ALGO_SHA1);
}
if (DBG_HASHING)
diff --git a/common/t-sexputil.c b/common/t-sexputil.c
index d75090c5b..be5eb2122 100644
--- a/common/t-sexputil.c
+++ b/common/t-sexputil.c
@@ -291,36 +291,6 @@ test_ecc_uncompress (void)
const char *b; /* Compressed. */
}
tests[] = {
- {
- "(public-key"
- " (ecc"
- " (curve brainpoolP256r1)"
- " (q #042ECD8679930BE2DB4AD42B8600BA3F80"
- /* */"2D4D539BFF2F69B83EC9B7BBAA7F3406"
- /* */"436DD11A1756AFE56CD93408410FCDA9"
- /* */"BA95024EB613BD481A14FCFEC27A448A#)))",
- /* The same in compressed form. */
- "(public-key"
- " (ecc"
- " (curve brainpoolP256r1)"
- " (q #022ECD8679930BE2DB4AD42B8600BA3F80"
- /* */"2D4D539BFF2F69B83EC9B7BBAA7F3406#)))"
- },
- {
- "(public-key"
- " (ecc"
- " (curve brainpoolP256r1)"
- " (q #045B784CA008EE64AB3D85017EE0D2BE87"
- /* */"558762C7300E0C8E06B1F9AF7C031458"
- /* */"9EBBA41915313417BA54218EB0569C59"
- /* */"0B156C76DBCAB6E84575E6EF68CE7B87#)))",
- /* The same in compressed form. */
- "(public-key"
- " (ecc"
- " (curve brainpoolP256r1)"
- " (q #035B784CA008EE64AB3D85017EE0D2BE87"
- /* */"558762C7300E0C8E06B1F9AF7C031458#)))"
- },
{ /* A key which does not require a conversion. */
"(public-key"
" (ecdsa"

0
SOURCES/gnupg-2.1.10-secmem.patch → gnupg-2.1.10-secmem.patch
View File

0
SOURCES/gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch → gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
View File

11
SOURCES/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch → gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
View File

@ -33,7 +33,7 @@ index 5d3162c..f9acf95 100644
}
-
- if (!uidnode )
- if (!uidnode)
- {
- if (!silent)
- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));
@ -43,16 +43,17 @@ index 5d3162c..f9acf95 100644
if (screener && screener (keyblock, screener_arg))
{
log_error (_("key %s: %s\n"), keystr_from_pk (pk),
@@ -1907,17 +1898,10 @@ import_one_real (ctrl_t ctrl,
@@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl,
}
}
- if (!delete_inv_parts (ctrl, keyblock, keyid, options ) )
- /* Delete invalid parts and bail out if there are no user ids left. */
- if (!delete_inv_parts (ctrl, keyblock, keyid, options))
- {
- if (!silent)
- {
- log_error( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet )
- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));
- if (!opt.quiet)
- log_info(_("this may be caused by a missing self-signature\n"));
- }
- stats->no_user_id++;

0
SOURCES/gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch → gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
View File

212
gnupg-2.2.20-file-is-digest.patch Normal file
View File

@ -0,0 +1,212 @@
diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c
--- gnupg-2.2.20/g10/gpg.c.file-is-digest 2020-04-14 16:33:42.630269318 +0200
+++ gnupg-2.2.20/g10/gpg.c 2020-04-14 16:34:46.455100086 +0200
@@ -380,6 +380,7 @@ enum cmd_and_opt_values
oTTYtype,
oLCctype,
oLCmessages,
+ oFileIsDigest,
oXauthority,
oGroup,
oUnGroup,
@@ -831,6 +832,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_s (oTempDir, "temp-directory", "@"),
ARGPARSE_s_s (oExecPath, "exec-path", "@"),
ARGPARSE_s_n (oExpert, "expert", "@"),
+ ARGPARSE_s_n (oFileIsDigest, "file-is-digest", "@"),
ARGPARSE_s_n (oNoExpert, "no-expert", "@"),
ARGPARSE_s_n (oNoSecmemWarn, "no-secmem-warning", "@"),
ARGPARSE_s_n (oRequireSecmem, "require-secmem", "@"),
@@ -2419,6 +2421,7 @@ main (int argc, char **argv)
opt.keyid_format = KF_NONE;
opt.def_sig_expire = "0";
opt.def_cert_expire = "0";
+ opt.file_is_digest = 0;
opt.passphrase_repeat = 1;
opt.emit_version = 0;
opt.weak_digests = NULL;
@@ -2997,6 +3000,7 @@ main (int argc, char **argv)
case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
case oForceAEAD: opt.force_aead = 1; break;
+ case oFileIsDigest: opt.file_is_digest = 1; break;
case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
case oIncludeKeyBlock: opt.flags.include_key_block = 1; break;
diff -up gnupg-2.2.20/g10/options.h.file-is-digest gnupg-2.2.20/g10/options.h
--- gnupg-2.2.20/g10/options.h.file-is-digest 2020-03-14 19:54:05.000000000 +0100
+++ gnupg-2.2.20/g10/options.h 2020-04-14 16:33:42.634269245 +0200
@@ -202,6 +202,7 @@ struct
int no_auto_check_trustdb;
int preserve_permissions;
int no_homedir_creation;
+ int file_is_digest;
struct groupitem *grouplist;
int mangle_dos_filenames;
int enable_progress_filter;
diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
--- gnupg-2.2.20/g10/sign.c.file-is-digest 2020-03-14 19:35:46.000000000 +0100
+++ gnupg-2.2.20/g10/sign.c 2020-04-14 16:36:54.661751422 +0200
@@ -40,6 +40,7 @@
#include "pkglue.h"
#include "../common/sysutils.h"
#include "call-agent.h"
+#include "../common/host2net.h"
#include "../common/mbox-util.h"
#include "../common/compliance.h"
@@ -834,6 +835,8 @@ write_signature_packets (ctrl_t ctrl,
if (pk->version >= 5)
sig->version = 5; /* Required for v5 keys. */
+ else if (opt.file_is_digest)
+ sig->version = 3;
else
sig->version = 4; /* Required. */
@@ -860,14 +863,22 @@ write_signature_packets (ctrl_t ctrl,
if (gcry_md_copy (&md, hash))
BUG ();
- build_sig_subpkt_from_sig (sig, pk);
- mk_notation_policy_etc (ctrl, sig, NULL, pk);
- if (opt.flags.include_key_block && IS_SIG (sig))
- err = mk_sig_subpkt_key_block (ctrl, sig, pk);
- else
- err = 0;
- hash_sigversion_to_magic (md, sig, extrahash);
- gcry_md_final (md);
+ if (!opt.file_is_digest)
+ {
+ build_sig_subpkt_from_sig (sig, pk);
+ mk_notation_policy_etc (ctrl, sig, NULL, pk);
+ if (opt.flags.include_key_block && IS_SIG (sig))
+ err = mk_sig_subpkt_key_block (ctrl, sig, pk);
+ else
+ err = 0;
+
+ hash_sigversion_to_magic (md, sig, extrahash);
+ gcry_md_final (md);
+ }
+ else if (sig->version >= 4)
+ {
+ log_bug("file-is-digest doesn't work with v4 sigs\n");
+ }
if (!err)
err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
@@ -924,6 +930,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
SK_LIST sk_rover = NULL;
int multifile = 0;
u32 duration=0;
+ int sigclass = 0x00;
+ u32 timestamp = 0;
pt_extra_hash_data_t extrahash = NULL;
pfx = new_progress_context ();
@@ -941,7 +949,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
fname = NULL;
if (fname && filenames->next && (!detached || encryptflag))
- log_bug ("multiple files can only be detached signed");
+ log_bug ("multiple files can only be detached signed\n");
+
+ if (opt.file_is_digest && (multifile || !fname))
+ log_bug ("file-is-digest only works with one file\n");
+ if (opt.file_is_digest && !detached)
+ log_bug ("file-is-digest can only write detached signatures\n");
+ if (opt.file_is_digest && !opt.def_digest_algo)
+ log_bug ("file-is-digest needs --digest-algo\n");
+ if (opt.file_is_digest && opt.textmode)
+ log_bug ("file-is-digest doesn't work with --textmode\n");
if (encryptflag == 2
&& (rc = setup_symkey (&efx.symkey_s2k, &efx.symkey_dek)))
@@ -962,7 +979,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
goto leave;
/* Prepare iobufs. */
- if (multifile) /* have list of filenames */
+ if (multifile || opt.file_is_digest) /* have list of filenames */
inp = NULL; /* we do it later */
else
{
@@ -1100,7 +1117,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
- if (!multifile)
+ if (!multifile && !opt.file_is_digest)
iobuf_push_filter (inp, md_filter, &mfx);
if (detached && !encryptflag)
@@ -1155,6 +1172,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
write_status_begin_signing (mfx.md);
+ sigclass = opt.textmode && !outfile? 0x01 : 0x00;
+
/* Setup the inner packet. */
if (detached)
{
@@ -1195,6 +1214,49 @@ sign_file (ctrl_t ctrl, strlist_t filena
if (opt.verbose)
log_printf ("\n");
}
+ else if (opt.file_is_digest)
+ {
+ byte *mdb, ts[5];
+ size_t mdlen;
+ const char *fp;
+ int c, d;
+
+ gcry_md_final(mfx.md);
+ /* this assumes gcry_md_read returns the same buffer */
+ mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
+ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
+ if (strlen(fname) != mdlen * 2 + 11)
+ log_bug("digests must be %zu + @ + 5 bytes\n", mdlen);
+ d = -1;
+ for (fp = fname ; *fp; )
+ {
+ c = *fp++;
+ if (c >= '0' && c <= '9')
+ c -= '0';
+ else if (c >= 'a' && c <= 'f')
+ c -= 'a' - 10;
+ else if (c >= 'A' && c <= 'F')
+ c -= 'A' - 10;
+ else
+ log_bug("filename is not hex\n");
+ if (d >= 0)
+ {
+ *mdb++ = d << 4 | c;
+ c = -1;
+ if (--mdlen == 0)
+ {
+ mdb = ts;
+ if (*fp++ != '@')
+ log_bug("missing time separator\n");
+ }
+ }
+ d = c;
+ }
+ sigclass = ts[0];
+ if (sigclass != 0x00 && sigclass != 0x01)
+ log_bug("bad cipher class\n");
+ timestamp = buf32_to_u32(ts + 1);
+ }
else
{
/* Read, so that the filter can calculate the digest. */
@@ -1213,8 +1271,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
/* Write the signatures. */
rc = write_signature_packets (ctrl, sk_list, out, mfx.md, extrahash,
- opt.textmode && !outfile? 0x01 : 0x00,
- 0, duration, detached ? 'D':'S', NULL);
+ sigclass,
+ timestamp, duration, detached ? 'D':'S', NULL);
if (rc)
goto leave;

352
gnupg-2.2.21-coverity.patch Normal file
View File

@ -0,0 +1,352 @@
diff -up gnupg-2.2.21/common/server-help.c.coverity gnupg-2.2.21/common/server-help.c
--- gnupg-2.2.21/common/server-help.c.coverity 2019-02-11 10:59:34.000000000 +0100
+++ gnupg-2.2.21/common/server-help.c 2020-07-20 17:09:57.416148768 +0200
@@ -156,7 +156,7 @@ get_option_value (char *line, const char
*pend = 0;
*r_value = xtrystrdup (p);
*pend = c;
- if (!p)
+ if (!*r_value)
return my_error_from_syserror ();
return 0;
}
From 912e77f07d8a42d7ad001eb3df76f6932ccfa857 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 7 Apr 2021 17:37:51 +0200
Subject: [PATCH GnuPG 01/19] agent: Avoid memory leaks
* agent/command.c (cmd_genkey): use goto leave instead of return
* agent/cvt-openpgp.c (convert_from_openpgp_main): use goto leave
instead of return
* agent/genkey.c (agent_ask_new_passphrase): fix typo to free correct
pointer
(agent_genkey): release memory
* agent/gpg-agent.c (check_own_socket): free sockname
* agent/protect-tool.c (read_key): free buf
(agent_askpin): free passphrase
* agent/protect.c (merge_lists): free newlist
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
agent/command.c | 2 +-
agent/cvt-openpgp.c | 5 ++++-
agent/genkey.c | 7 +++++--
agent/gpg-agent.c | 10 ++++++++--
agent/protect-tool.c | 6 +++++-
agent/protect.c | 5 ++++-
6 files changed, 27 insertions(+), 8 deletions(-)
diff --git a/agent/protect.c b/agent/protect.c
index 76ead444b..50b10eb26 100644
--- a/agent/protect.c
+++ b/agent/protect.c
@@ -949,7 +949,10 @@ merge_lists (const unsigned char *protectedkey,
/* Copy the cleartext. */
s = cleartext;
if (*s != '(' && s[1] != '(')
- return gpg_error (GPG_ERR_BUG); /*we already checked this */
+ {
+ xfree (newlist);
+ return gpg_error (GPG_ERR_BUG); /*we already checked this */
+ }
s += 2;
startpos = s;
while ( *s == '(' )
--
2.30.2
From 7a707a3eff1c3fbe17a74337776871f408377cee Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 9 Apr 2021 16:13:07 +0200
Subject: [PATCH GnuPG 03/19] g10: Fix memory leaks
* g10/card-util.c (change_pin): free answer on errors
(ask_card_keyattr): free answer on error
* g10/cpr.c (do_get_from_fd): free string
* g10/gpg.c (check_permissions): free dir on weird error
* g10/import.c (append_new_uid): release knode
* g10/keyedit.c (menu_set_keyserver_url): free answer
(menu_set_keyserver_url): free user
* g10/keygen.c (print_status_key_not_created): move allocation after
sanity check
(ask_expire_interval): free answer
(card_store_key_with_backup): goto leave instaed of return
* g10/keyserver.c (parse_keyserver_uri): goto fail instead of return
* g10/revoke.c (gen_desig_revoke): release kdbhd
(gen_desig_revoke): free answer
* g10/tofu.c (ask_about_binding): free sqerr and response
* g10/trustdb.c (ask_ownertrust): free pk
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
g10/card-util.c | 14 +++++++++++---
g10/cpr.c | 6 +++++-
g10/gpg.c | 1 +
g10/import.c | 5 ++++-
g10/keyedit.c | 8 +++++++-
g10/keygen.c | 15 +++++++++++----
g10/keyserver.c | 2 +-
g10/revoke.c | 6 +++++-
g10/tofu.c | 4 ++++
g10/trustdb.c | 1 +
10 files changed, 50 insertions(+), 12 deletions(-)
diff --git a/g10/card-util.c b/g10/card-util.c
index 36f096f06..c7df8380d 100644
--- a/g10/card-util.c
+++ b/g10/card-util.c
@@ -127,7 +127,7 @@ change_pin (int unblock_v2, int allow_admin)
else
for (;;)
{
- char *answer;
+ char *answer = NULL;
tty_printf ("\n");
tty_printf ("1 - change PIN\n"
diff --git a/g10/tofu.c b/g10/tofu.c
index f49083844..83786a08d 100644
--- a/g10/tofu.c
+++ b/g10/tofu.c
@@ -1687,6 +1687,8 @@ ask_about_binding (ctrl_t ctrl,
GPGSQL_ARG_END);
if (rc)
{
+ sqlite3_free (sqerr);
+ sqerr = NULL;
rc = gpg_error (GPG_ERR_GENERAL);
break;
}
--
2.30.2
From febbe77870b51e4e1158ae9efeaa0f3aad69a495 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Mon, 12 Apr 2021 14:48:59 +0200
Subject: [PATCH GnuPG 05/19] tools: Avoid memory leak sfrom gpgspilt
* tools/gpgsplit.c (write_part): free blob
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tools/gpgsplit.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/tools/gpgsplit.c b/tools/gpgsplit.c
index cc7bf8ef5..93458068c 100644
--- a/tools/gpgsplit.c
+++ b/tools/gpgsplit.c
@@ -620,6 +620,7 @@ write_part (FILE *fpin, unsigned long pktlen,
}
}
+ xfree (blob);
goto ready;
}
--
2.30.2
From 7c8048b686a6e811d0b24febf3c5e2528e7881f1 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Apr 2021 16:23:31 +0200
Subject: [PATCH GnuPG 14/19] dirmgr: Avoid memory leaks
* dirmngr/domaininfo.c (insert_or_update): free di_new
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
dirmngr/domaininfo.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/dirmngr/domaininfo.c b/dirmngr/domaininfo.c
index b41aef366..87782b4b1 100644
--- a/dirmngr/domaininfo.c
+++ b/dirmngr/domaininfo.c
@@ -193,6 +193,7 @@ insert_or_update (const char *domain,
log_error ("domaininfo: error allocating helper array: %s\n",
gpg_strerror (gpg_err_code_from_syserror ()));
drop_extra = bucket;
+ xfree (di_new);
goto leave;
}
narray = 0;
--
2.30.2
From ab3b8c53993b3305088efde756a44bac6e6492d4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Apr 2021 16:34:40 +0200
Subject: [PATCH GnuPG 15/19] scd: Avoid memory leaks and uninitialized memory
* scd/app-piv.c (do_decipher): goto leave, initialize outdatalen
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
scd/app-piv.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scd/app-piv.c b/scd/app-piv.c
index 143cc047a..94257f0ee 100644
--- a/scd/app-piv.c
+++ b/scd/app-piv.c
@@ -2483,7 +2483,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
gpg_error_t err;
data_object_t dobj;
unsigned char *outdata = NULL;
- size_t outdatalen;
+ size_t outdatalen = 0;
const unsigned char *s;
size_t n;
int keyref, mechanism;
@@ -2582,7 +2582,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
/* Now verify the Application PIN. */
err = verify_chv (app, ctrl, 0x80, 0, pincb, pincb_arg);
if (err)
- return err;
+ goto leave;
/* Build the Dynamic Authentication Template. */
err = concat_tlv_list (0, &apdudata, &apdudatalen,
--
2.30.2
From f182bf91443618323e34261039045a6bde269be5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 13 Apr 2021 16:44:48 +0200
Subject: [PATCH GnuPG 16/19] tools: Avoid memory leaks
* tools/wks-util.c (wks_cmd_print_wkd_url): Free addrspec on error
(wks_cmd_print_wkd_hash): Free addrspec on error
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
tools/wks-util.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/tools/wks-util.c b/tools/wks-util.c
index 516c7fe00..38dd194ff 100644
--- a/tools/wks-util.c
+++ b/tools/wks-util.c
@@ -1192,11 +1192,14 @@ gpg_error_t
wks_cmd_print_wkd_hash (const char *userid)
{
gpg_error_t err;
- char *addrspec, *fname;
+ char *addrspec = NULL, *fname;
err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
if (err)
- return err;
+ {
+ xfree (addrspec);
+ return err;
+ }
es_printf ("%s %s\n", fname, addrspec);
@@ -1211,12 +1214,15 @@ gpg_error_t
wks_cmd_print_wkd_url (const char *userid)
{
gpg_error_t err;
- char *addrspec, *fname;
+ char *addrspec = NULL, *fname;
char *domain;
err = wks_fname_from_userid (userid, 1, &fname, &addrspec);
if (err)
- return err;
+ {
+ xfree (addrspec);
+ return err;
+ }
domain = strchr (addrspec, '@');
if (domain)
--
2.30.2
From 600fabd8268c765d45d48873e7a8610e6dae0966 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 14 Apr 2021 15:59:12 +0200
Subject: [PATCH GnuPG 17/19] scd: Use the same allocator to free memory
* scd/command.c (cmd_getinfo): Use free instead of gcry_free to match
the original allocator
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
scd/command.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scd/command.c b/scd/command.c
index cb0dd379a..9d85c5a41 100644
--- a/scd/command.c
+++ b/scd/command.c
@@ -1832,7 +1832,8 @@ cmd_getinfo (assuan_context_t ctx, char *line)
rc = assuan_send_data (ctx, p, strlen (p));
else
rc = gpg_error (GPG_ERR_NO_DATA);
- xfree (p);
+ /* allocated by scd/ccid-driver.c which is not using x*alloc/gcry_* */
+ free (p);
}
else if (!strcmp (line, "deny_admin"))
rc = opt.allow_admin? gpg_error (GPG_ERR_GENERAL) : 0;
--
2.30.2
From a94b0deab7c2ece2e512f87a52142454354d77b5 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 14 Apr 2021 18:49:03 +0200
Subject: [PATCH GnuPG 19/19] g10: Do not allocate memory when we can't return
it
* g10/keyid.c (fpr20_from_pk): Do not allocate memory when we can't
return it
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
g10/keyid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/g10/keyid.c b/g10/keyid.c
index 522cc9cda..f1af2fd90 100644
--- a/g10/keyid.c
+++ b/g10/keyid.c
@@ -899,7 +899,7 @@ fpr20_from_pk (PKT_public_key *pk, byte array[20])
compute_fingerprint (pk);
if (!array)
- array = xmalloc (pk->fprlen);
+ return;
if (pk->fprlen == 32) /* v5 fingerprint */
{
--
2.30.2

12
gnupg-2.2.23-large-rsa.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up gnupg-2.2.23/g10/keygen.c.large-rsa gnupg-2.2.23/g10/keygen.c
--- gnupg-2.2.23/g10/keygen.c.large-rsa 2020-09-04 13:53:42.030486671 +0200
+++ gnupg-2.2.23/g10/keygen.c 2020-09-04 13:55:52.896669542 +0200
@@ -2262,7 +2262,7 @@ get_keysize_range (int algo, unsigned in
default:
*min = opt.compliance == CO_DE_VS ? 2048: 1024;
- *max = 4096;
+ *max = opt.flags.large_rsa == 1 ? 8192 : 4096;
def = 3072;
break;
}

162
gnupg-2.3.1-revert-default-eddsa.patch Normal file
View File

@ -0,0 +1,162 @@
From ff31dde456f32950f0df6c974b4c41f1d650d68f Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 5 Oct 2020 14:21:31 +0200
Subject: [PATCH GnuPG] gpg: Switch to ed25519+cv25519 as default algo.
* g10/keygen.c (DEFAULT_STD_KEY_PARAM): Change to former future
default ago.
(ask_algo): Change default and also the way we indicate the default
algo in the list of algos.
(ask_curve): Indicate the default curve.
Signed-off-by: Werner Koch <wk@gnupg.org>
---
g10/keygen.c | 57 ++++++++++++++++++++++++++--------------------------
1 file changed, 29 insertions(+), 28 deletions(-)
diff --git a/g10/keygen.c b/g10/keygen.c
index 16e4e58ea..b510525e3 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -47,10 +47,11 @@
#include "../common/mbox-util.h"
-/* The default algorithms. If you change them, you should ensure the value
- is inside the bounds enforced by ask_keysize and gen_xxx. See also
- get_keysize_range which encodes the allowed ranges. */
-#define DEFAULT_STD_KEY_PARAM "rsa3072/cert,sign+rsa3072/encr"
+/* The default algorithms. If you change them, you should ensure the
+ value is inside the bounds enforced by ask_keysize and gen_xxx.
+ See also get_keysize_range which encodes the allowed ranges. The
+ default answer in ask_algo also needs to be adjusted. */
+#define DEFAULT_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr"
#define FUTURE_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr"
/* When generating keys using the streamlined key generation dialog,
@@ -2112,50 +2113,49 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
#if GPG_USE_RSA
if (!addmode)
- tty_printf (_(" (%d) RSA and RSA (default)\n"), 1 );
+ tty_printf (_(" (%d) RSA and RSA%s\n"), 1, "");
#endif
if (!addmode && opt.compliance != CO_DE_VS)
- tty_printf (_(" (%d) DSA and Elgamal\n"), 2 );
+ tty_printf (_(" (%d) DSA and Elgamal%s\n"), 2, "");
if (opt.compliance != CO_DE_VS)
- tty_printf (_(" (%d) DSA (sign only)\n"), 3 );
+ tty_printf (_(" (%d) DSA (sign only)%s\n"), 3, "");
#if GPG_USE_RSA
- tty_printf (_(" (%d) RSA (sign only)\n"), 4 );
+ tty_printf (_(" (%d) RSA (sign only)%s\n"), 4, "");
#endif
if (addmode)
{
if (opt.compliance != CO_DE_VS)
- tty_printf (_(" (%d) Elgamal (encrypt only)\n"), 5 );
+ tty_printf (_(" (%d) Elgamal (encrypt only)%s\n"), 5, "");
#if GPG_USE_RSA
- tty_printf (_(" (%d) RSA (encrypt only)\n"), 6 );
+ tty_printf (_(" (%d) RSA (encrypt only)%s\n"), 6, "");
#endif
}
if (opt.expert)
{
if (opt.compliance != CO_DE_VS)
- tty_printf (_(" (%d) DSA (set your own capabilities)\n"), 7 );
+ tty_printf (_(" (%d) DSA (set your own capabilities)%s\n"), 7, "");
#if GPG_USE_RSA
- tty_printf (_(" (%d) RSA (set your own capabilities)\n"), 8 );
+ tty_printf (_(" (%d) RSA (set your own capabilities)%s\n"), 8, "");
#endif
}
#if GPG_USE_ECDSA || GPG_USE_ECDH || GPG_USE_EDDSA
- if (opt.expert && !addmode)
- tty_printf (_(" (%d) ECC and ECC\n"), 9 );
- if (opt.expert)
- tty_printf (_(" (%d) ECC (sign only)\n"), 10 );
+ if (!addmode)
+ tty_printf (_(" (%d) ECC (sign and encrypt)%s\n"), 9, _(" *default*") );
+ tty_printf (_(" (%d) ECC (sign only)\n"), 10 );
if (opt.expert)
- tty_printf (_(" (%d) ECC (set your own capabilities)\n"), 11 );
- if (opt.expert && addmode)
- tty_printf (_(" (%d) ECC (encrypt only)\n"), 12 );
+ tty_printf (_(" (%d) ECC (set your own capabilities)%s\n"), 11, "");
+ if (addmode)
+ tty_printf (_(" (%d) ECC (encrypt only)%s\n"), 12, "");
#endif
if (opt.expert && r_keygrip)
- tty_printf (_(" (%d) Existing key\n"), 13 );
+ tty_printf (_(" (%d) Existing key%s\n"), 13, "");
if (r_keygrip)
- tty_printf (_(" (%d) Existing key from card\n"), 14 );
+ tty_printf (_(" (%d) Existing key from card%s\n"), 14, "");
for (;;)
{
@@ -2164,7 +2164,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
xfree (answer);
answer = cpr_get ("keygen.algo", _("Your selection? "));
cpr_kill_prompt ();
- algo = *answer? atoi (answer) : 1;
+ algo = *answer? atoi (answer) : 9; /* Default algo is 9 */
if (opt.compliance == CO_DE_VS
&& (algo == 2 || algo == 3 || algo == 5 || algo == 7))
@@ -2220,13 +2220,13 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
break;
}
else if ((algo == 9 || !strcmp (answer, "ecc+ecc"))
- && opt.expert && !addmode)
+ && !addmode)
{
algo = PUBKEY_ALGO_ECDSA;
*r_subkey_algo = PUBKEY_ALGO_ECDH;
break;
}
- else if ((algo == 10 || !strcmp (answer, "ecc/s")) && opt.expert)
+ else if ((algo == 10 || !strcmp (answer, "ecc/s")))
{
algo = PUBKEY_ALGO_ECDSA;
*r_usage = PUBKEY_USAGE_SIG;
@@ -2239,7 +2239,7 @@ ask_algo (ctrl_t ctrl, int addmode, int *r_subkey_algo, unsigned int *r_usage,
break;
}
else if ((algo == 12 || !strcmp (answer, "ecc/e"))
- && opt.expert && addmode)
+ && addmode)
{
algo = PUBKEY_ALGO_ECDH;
*r_usage = PUBKEY_USAGE_ENC;
@@ -2616,7 +2616,7 @@ ask_curve (int *algo, int *subkey_algo, const char *current)
{ "NIST P-256", NULL, NULL, MY_USE_ECDSADH, 0, 1, 0 },
{ "NIST P-384", NULL, NULL, MY_USE_ECDSADH, 0, 0, 0 },
{ "NIST P-521", NULL, NULL, MY_USE_ECDSADH, 0, 1, 0 },
- { "brainpoolP256r1", NULL, "Brainpool P-256", MY_USE_ECDSADH, 1, 1, 0 },
+ { "brainpoolP256r1", NULL, "Brainpool P-256", MY_USE_ECDSADH, 1, 0, 0 },
{ "brainpoolP384r1", NULL, "Brainpool P-384", MY_USE_ECDSADH, 1, 1, 0 },
{ "brainpoolP512r1", NULL, "Brainpool P-512", MY_USE_ECDSADH, 1, 1, 0 },
{ "secp256k1", NULL, NULL, MY_USE_ECDSADH, 0, 1, 0 },
@@ -2672,9 +2672,10 @@ ask_curve (int *algo, int *subkey_algo, const char *current)
}
curves[idx].available = 1;
- tty_printf (" (%d) %s\n", idx + 1,
+ tty_printf (" (%d) %s%s\n", idx + 1,
curves[idx].pretty_name?
- curves[idx].pretty_name:curves[idx].name);
+ curves[idx].pretty_name:curves[idx].name,
+ idx == 0? _(" *default*"):"");
}
gcry_sexp_release (keyparms);
--
2.31.1

0
SOURCES/gnupg-2.2.20-CVE-2022-34903.patch → gnupg-2.3.3-CVE-2022-34903.patch
View File

30
gnupg-2.3.3-aead-packet.patch Normal file
View File

@ -0,0 +1,30 @@
commit eadf12a52c2e230174e076a0dcae68132094cefe
Author: Jakub Jelen <jjelen@redhat.com>
Date: Thu Feb 24 09:02:53 2022 +0100
sign: Construct valid AEAD packets.
* g10/sign.c (sign_symencrypt_file): Insert correct version and AEAD
information into symkey packet.
--
GnuPG-bug-id: 5856
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
diff --git a/g10/sign.c b/g10/sign.c
index bbcfabdb7..2ab76c99b 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -1660,8 +1660,9 @@ sign_symencrypt_file (ctrl_t ctrl, const char *fname, strlist_t locusr)
{
PKT_symkey_enc *enc = xmalloc_clear( sizeof *enc );
- enc->version = 4;
+ enc->version = cfx.dek->use_aead ? 5 : 4;
enc->cipher_algo = cfx.dek->algo;
+ enc->aead_algo = cfx.dek->use_aead;
enc->s2k = *s2k;
pkt.pkttype = PKT_SYMKEY_ENC;
pkt.pkt.symkey_enc = enc;

42
gnupg-2.3.3-ssh-fips.patch Normal file
View File

@ -0,0 +1,42 @@
From c4436ebfa58f219190f1244928001b4293293343 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Tue, 12 Apr 2022 16:26:58 +0200
Subject: [PATCH GnuPG] agent: Ignore MD5 Fingerprints for ssh keys
--
* agent/command-ssh.c (add_control_entry): Ignore failure of the MD5
digest
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
---
agent/command-ssh.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/agent/command-ssh.c b/agent/command-ssh.c
index a7784e728..46821e3c8 100644
--- a/agent/command-ssh.c
+++ b/agent/command-ssh.c
@@ -1095,8 +1095,9 @@ add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
time_t atime = time (NULL);
err = ssh_get_fingerprint_string (key, GCRY_MD_MD5, &fpr_md5);
+ /* ignore the errors as MD5 is not available in FIPS mode */
if (err)
- goto out;
+ fpr_md5 = NULL;
err = ssh_get_fingerprint_string (key, GCRY_MD_SHA256, &fpr_sha256);
if (err)
@@ -1113,7 +1114,8 @@ add_control_entry (ctrl_t ctrl, ssh_key_type_spec_t *spec,
spec->name,
1900+tp->tm_year, tp->tm_mon+1, tp->tm_mday,
tp->tm_hour, tp->tm_min, tp->tm_sec,
- fpr_md5, fpr_sha256, hexgrip, ttl, confirm? " confirm":"");
+ fpr_md5? fpr_md5:"", fpr_sha256, hexgrip, ttl,
+ confirm? " confirm":"");
}
out:
--
2.39.2

202
SPECS/gnupg2.spec → gnupg2.spec
View File

@ -1,34 +1,45 @@
%if 0%{?fedora} && 0%{?fedora} < 30
%bcond_with unversioned_gpg
%else
%bcond_without unversioned_gpg
%endif
Summary: Utility for secure communication and data storage
Name: gnupg2
Version: 2.2.20
Release: 3%{?dist}
Version: 2.3.3
Release: 4%{?dist}
License: GPLv3+
Source0: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
Source1: ftp://ftp.gnupg.org/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2.sig
Patch1: gnupg-2.1.21-insttools.patch
Source0: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2
Source1: https://gnupg.org/ftp/gcrypt/%{?pre:alpha/}gnupg/gnupg-%{version}%{?pre}.tar.bz2.sig
# needed for compatibility with system FIPS mode
Patch3: gnupg-2.1.10-secmem.patch
# non-upstreamable patch adding file-is-digest option needed for Copr
# https://dev.gnupg.org/T1646
Patch4: gnupg-2.2.20-file-is-digest.patch
# fix handling of missing key usage on ocsp replies - upstream T1333
Patch5: gnupg-2.2.16-ocsp-keyusage.patch
Patch6: gnupg-2.1.1-fips-algo.patch
# allow 8192 bit RSA keys in keygen UI with large RSA
Patch9: gnupg-2.1.21-large-rsa.patch
Patch9: gnupg-2.2.23-large-rsa.patch
# fix missing uid on refresh from keys.openpgp.org
# https://salsa.debian.org/debian/gnupg2/commit/f292beac1171c6c77faf41d1f88c2e0942ed4437
Patch20: gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
Patch21: gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
Patch22: gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
Patch23: gnupg-2.2.20-CVE-2022-34903.patch
# Fixes for issues found in Coverity scan - reported upstream
Patch30: gnupg-2.2.20-coverity.patch
Patch30: gnupg-2.2.21-coverity.patch
# Revert default EdDSA key types
Patch31: gnupg-2.3.1-revert-default-eddsa.patch
# Revert default EdDSA key types
Patch32: gnupg-2.3.3-CVE-2022-34903.patch
# Fix AEAD packet construction
# https://dev.gnupg.org/T5856
Patch34: gnupg-2.3.3-aead-packet.patch
# Fix ssh-agent behavior in FIPS mode
# https://dev.gnupg.org/T5929
Patch35: gnupg-2.3.3-ssh-fips.patch
URL: http://www.gnupg.org/
URL: https://www.gnupg.org/
#BuildRequires: automake libtool texinfo transfig
BuildRequires: gcc
@ -37,8 +48,8 @@ BuildRequires: curl-devel
BuildRequires: docbook-utils
BuildRequires: gettext
BuildRequires: libassuan-devel >= 2.1.0
BuildRequires: libgcrypt-devel >= 1.7.0
BuildRequires: libgpg-error-devel >= 1.31
BuildRequires: libgcrypt-devel >= 1.9.1
BuildRequires: libgpg-error-devel >= 1.38
BuildRequires: libksba-devel >= 1.3.0
BuildRequires: openldap-devel
BuildRequires: libusb-devel
@ -49,20 +60,24 @@ BuildRequires: zlib-devel
BuildRequires: gnutls-devel
BuildRequires: sqlite-devel
BuildRequires: fuse
BuildRequires: make
Requires: libgcrypt >= 1.7.0
Requires: libgpg-error >= 1.31
Requires: libgpg-error >= 1.38
Recommends: pinentry
Suggests: pinentry
Recommends: gnupg2-smime
Suggests: gnupg2-smime
# for USB smart card support
Suggests: pcsc-lite-ccid
%if %{with unversioned_gpg}
# pgp-tools, perl-GnuPG-Interface requires 'gpg' (not sure why) -- Rex
Provides: gpg = %{version}-%{release}
# Obsolete GnuPG-1 package
Provides: gnupg = %{version}-%{release}
Obsoletes: gnupg <= 1.4.10
Obsoletes: gnupg < 1.4.24
%endif
Provides: dirmngr = %{version}-%{release}
@ -72,7 +87,7 @@ Obsoletes: dirmngr < 1.2.0-1
%package smime
Summary: CMS encryption and signing tool and smart card support for GnuPG
Requires: gnupg2 = %{version}-%{release}
Requires: gnupg2%{?_isa} = %{version}-%{release}
%description
@ -95,21 +110,20 @@ to the base GnuPG package
%prep
%setup -q -n gnupg-%{version}
%if %{with unversioned_gpg}
%patch1 -p1 -b .insttools
%endif
%patch3 -p1 -b .secmem
%patch4 -p1 -b .file-is-digest
%patch5 -p1 -b .keyusage
%patch6 -p1 -b .fips
%patch9 -p1 -b .large-rsa
%patch20 -p1 -b .test_missing_uid
%patch21 -p1 -b .prev_known_key
%patch22 -p1 -b .good_revoc
%patch23 -p1 -b .CVE-2022-34903
%patch30 -p1 -b .coverity
%patch31 -p1 -R -b .eddsa
%patch32 -p1 -b .CVE-2022-34903
%patch34 -p1 -b .aead
%patch35 -p1 -b .ssh-fips
# pcsc-lite library major: 0 in 1.2.0, 1 in 1.2.9+ (dlopen()'d in pcsc-wrapper)
# Note: this is just the name of the default shared lib to load in scdaemon,
@ -120,25 +134,25 @@ sed -i -e 's/"libpcsclite\.so"/"%{pcsclib}"/' scd/scdaemon.c
%build
# can not regenerate makefiles because of automake-1.16.3 requirement
# ./autogen.sh
%configure \
%if %{without unversioned_gpg}
--enable-gpg-is-gpg2 \
%endif
--disable-gpgtar \
--disable-rpath \
--enable-g13 \
--disable-ccid-driver \
--enable-large-secmem
# need scratch gpg database for tests
mkdir -p $HOME/.gnupg
make %{?_smp_mflags}
%make_build
%install
make install DESTDIR=%{buildroot} \
INSTALL="install -p" \
%make_install \
docdir=%{_pkgdocdir}
%if %{without unversioned_gpg}
@ -183,7 +197,6 @@ make -k check
%files -f %{name}.lang
%{!?_licensedir:%global license %%doc}
%license COPYING
#doc AUTHORS NEWS README THANKS TODO
%{_pkgdocdir}
@ -192,10 +205,13 @@ make -k check
## docs say to install suid root, but fedora/rh security folk say not to
%{_bindir}/gpg2
%{_bindir}/gpgv2
%{_bindir}/gpg-card
%{_bindir}/gpg-connect-agent
%{_bindir}/gpg-agent
%{_bindir}/gpg-wks-client
%{_bindir}/gpgconf
%{_bindir}/gpgparsemail
%{_bindir}/gpgtar
%{_bindir}/g13
%{_bindir}/dirmngr
%{_bindir}/dirmngr-client
@ -203,7 +219,6 @@ make -k check
%{_bindir}/gpg
%{_bindir}/gpgv
%{_bindir}/gpgsplit
%{_bindir}/gpg-zip
%endif
%{_bindir}/watchgnupg
%{_bindir}/gpg-wks-server
@ -222,18 +237,137 @@ make -k check
%changelog
* Wed Aug 03 2022 Jakub Jelen <jjelen@redhat.com> - 2.2.20-3
- Fix CVE-2022-34903 (#2108447)
* Wed Apr 19 2023 Jakub Jelen <jjelen@redhat.com> - 2.3.3-4
- Revert marking the SHA-1 digest as weak (#2184640)
* Mon May 4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-2
* Thu Mar 30 2023 Jakub Jelen <jjelen@redhat.com> - 2.3.3-3
- Mark SHA-1 digest as weak to follow SHA-1 disablement in RHEL9 (#2070722)
- Fix interaction with SSH by not requiring the MD5 digest (#2073567)
- Fix creation of AEAD packets (#2128058)
* Wed Aug 03 2022 Jakub Jelen <jjelen@redhat.com> - 2.3.3-2
- Fix CVE-2022-34903 (#2108449)
* Fri Nov 19 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.3-1
- Rebase to 2.3.1 to address random tests failures (#1984842)
* Thu Nov 18 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.1-4
- Fix --file-is-digest patch (#2024710)
* Wed Sep 08 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.1-3
- Revernt default key type back to RSA for FIPS compatibility (#2001937)
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.3.1-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Wed Apr 21 2021 Jakub Jelen <jjelen@redhat.com> - 2.3.1-1
- New upstream release (#1947159)
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 2.2.27-5
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Mon Mar 29 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-4
- Add a configuration to not require exclusive access to PCSC
* Thu Feb 18 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-3
- Bump required libgpg-error version (#1930110)
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.27-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Tue Jan 12 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.27-1
- New upstream release (#1909825)
* Mon Jan 04 2021 Jakub Jelen <jjelen@redhat.com> - 2.2.26-1
- New upstream release (#1909825)
* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.25-2
- Enable gpgtar (#1901103)
* Tue Nov 24 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.25-1
- Update to 2.2.25 (#1900815)
* Thu Nov 19 2020 Jakub Jelen <jjelen@redhat.com> - 2.2.24-1
- Update to 2.2.24 (#1898504)
* Fri Sep 4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.23-1
- upgrade to 2.2.23
* Sat Aug 01 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.21-4
- Second attempt - Rebuilt for
https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.21-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 21 2020 Tom Stellard <tstellar@redhat.com> - 2.2.21-2
- Use make macros
- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro
* Mon Jul 20 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.21-1
- upgrade to 2.2.21
* Mon May 4 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-3
- fixes for issues found in Coverity scan
* Thu Apr 30 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-1
* Thu Apr 30 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-2
- move systemd user units to _userunitdir (no activation by default)
* Tue Apr 14 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.20-1
- upgrade to 2.2.20
* Wed Jan 29 2020 Tomáš Mráz <tmraz@redhat.com> - 2.2.19-1
- upgrade to 2.2.19
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.18-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Sat Jan 4 2020 Marcel Härry <mh+fedora@scrit.ch> - 2.2.18-3
- Add patches to be able to deal with keys without uids (#1787708)
* Fri Dec 6 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-2
- fix abort when decrypting data with anonymous recipient (#1780057)
* Tue Dec 3 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.18-1
- upgrade to 2.2.18
* Wed Nov 6 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.17-3
- fix the gnupg(7) manual page (#1769072)
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.17-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Mon Jul 15 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.17-1
- upgrade to 2.2.17
* Mon Jul 1 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.16-1
- upgrade to 2.2.16
* Tue Feb 26 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.13-1
- upgrade to 2.2.13
* Sun Feb 17 2019 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.2.12-3
- Rebuild for readline 8.0
* Mon Feb 4 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.12-2
- make it build with gcc-9
* Tue Jan 8 2019 Tomáš Mráz <tmraz@redhat.com> - 2.2.12-1
- upgrade to 2.2.12
* Sat Dec 08 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.2.11-2
- Provide unversioned GPG on F30+
* Fri Nov 30 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.11-1
- upgrade to 2.2.11
* Wed Aug 1 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.9-1
- upgrade to 2.2.9
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.2.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Mon Jun 11 2018 Tomáš Mráz <tmraz@redhat.com> - 2.2.8-1
- upgrade to 2.2.8 fixing CVE 2018-12020

2
sources Normal file
View File

@ -0,0 +1,2 @@
SHA512 (gnupg-2.3.3.tar.bz2) = 12d500e6b45910d5f7bfd4916bcee37ac988a58a35563fcf425a65b88c0cf92c2af2e94d3e31e9e5e19094c8beb5ec3779cf90bfe43d1555c4196f69eee2f102
SHA512 (gnupg-2.3.3.tar.bz2.sig) = 87bcf668c13ffad35c0815a237669b9e3cc002604a11937e7d303d80e7ec6f32669422d217c2c403306bc84d4e0a36adba3e5967c48356c4cab835463a344e50