diff --git a/backport-CVE-2022-34903.patch b/backport-CVE-2022-34903.patch deleted file mode 100644 index 42fa16e..0000000 --- a/backport-CVE-2022-34903.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 34c649b3601383cd11dbc76221747ec16fd68e1b Mon Sep 17 00:00:00 2001 -From: Werner Koch -Date: Tue, 14 Jun 2022 11:33:27 +0200 -Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA - -* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one --- - -Depending on the escaping and line wrapping the computed remaining -buffer length could be wrong. Fixed by always using a break to -terminate the escape detection loop. Might have happened for all -status lines which may wrap. - -GnuPG-bug-id: T6027 ---- - g10/cpr.c | 13 ++++--------- - 1 file changed, 4 insertions(+), 9 deletions(-) - -diff --git a/g10/cpr.c b/g10/cpr.c -index 9bfdd3c34..fa8005d6f 100644 ---- a/g10/cpr.c -+++ b/g10/cpr.c -@@ -372,20 +372,15 @@ write_status_text_and_buffer (int no, const char *string, - } - first = 0; - } -- for (esc=0, s=buffer, n=len; n && !esc; s++, n--) -+ for (esc=0, s=buffer, n=len; n; s++, n--) - { - if (*s == '%' || *(const byte*)s <= lower_limit - || *(const byte*)s == 127 ) - esc = 1; - if (wrap && ++count > wrap) -- { -- dowrap=1; -- break; -- } -- } -- if (esc) -- { -- s--; n++; -+ dowrap=1; -+ if (esc || dowrap) -+ break; - } - if (s != buffer) - es_fwrite (buffer, s-buffer, 1, statusfp); --- -2.27.0 - diff --git a/backport-common-Protect-against-a-theoretical-integer-overflow.patch b/backport-common-Protect-against-a-theoretical-integer-overflow.patch deleted file mode 100644 index 4719577..0000000 --- a/backport-common-Protect-against-a-theoretical-integer-overflow.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From c300253181cfc591cbcae9251eda5296ed29591b Mon Sep 17 00:00:00 2001 -From: Werner Koch -Date: Fri, 7 Oct 2022 14:12:33 +0200 -Subject: [PATCH] common: Protect against a theoretical integer overflow in - tlv.c - -* common/tlv.c (parse_ber_header): Protect agains integer overflow. --- - -Although there is no concrete case where we use the (nhdr + length), -it is better to protect against this already here. ---- - common/tlv.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/common/tlv.c b/common/tlv.c -index abef83a37..9618d04cb 100644 ---- a/common/tlv.c -+++ b/common/tlv.c -@@ -222,6 +222,11 @@ parse_ber_header (unsigned char const **buffer, size_t *size, - *r_length = len; - } - -+ if (*r_length > *r_nhdr && (*r_nhdr + *r_length) < *r_length) -+ { -+ return gpg_err_make (default_errsource, GPG_ERR_EOVERFLOW); -+ } -+ - /* Without this kludge some example certs can't be parsed. */ - if (*r_class == CLASS_UNIVERSAL && !*r_tag) - *r_length = 0; --- -2.27.0 - diff --git a/backport-dirmngr-Enable-the-call-of-ks_ldap_help_variables-wh.patch b/backport-dirmngr-Enable-the-call-of-ks_ldap_help_variables-wh.patch new file mode 100644 index 0000000..6e66914 --- /dev/null +++ b/backport-dirmngr-Enable-the-call-of-ks_ldap_help_variables-wh.patch 
@@ -0,0 +1,35 @@ +From 9ae3cfcabec9252c22d67b7a15c36f0a8cf22f0f Mon Sep 17 00:00:00 2001 +From: NIIBE Yutaka +Date: Wed, 5 Jul 2023 09:29:54 +0900 +Subject: [PATCH] dirmngr: Enable the call of ks_ldap_help_variables when + USE_LDAP. + +* dirmngr/server.c [USE_LDAP] (cmd_ad_query): Conditionalize. + +-- + +Cherry-pick master commit of: + dc13361524c1477b2106c7385f2059f9ea111b84 + +Signed-off-by: NIIBE Yutaka +--- + dirmngr/server.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/dirmngr/server.c b/dirmngr/server.c +index 51a149cb2..ee61f63d6 100644 +--- a/dirmngr/server.c ++++ b/dirmngr/server.c +@@ -2776,7 +2776,9 @@ cmd_ad_query (assuan_context_t ctx, char *line) + + if (opt_help) + { ++#if USE_LDAP + ks_ldap_help_variables (ctrl); ++#endif + err = 0; + goto leave; + } +-- +2.27.0 + diff --git a/gnupg-2.2.16-ocsp-keyusage.patch b/gnupg-2.2.16-ocsp-keyusage.patch deleted file mode 100644 index eeed053..0000000 --- a/gnupg-2.2.16-ocsp-keyusage.patch +++ /dev/null @@ -1,17 +0,0 @@ -diff -up gnupg-2.2.16/sm/certlist.c.keyusage gnupg-2.2.16/sm/certlist.c ---- gnupg-2.2.16/sm/certlist.c.keyusage 2019-07-01 17:17:06.925254065 +0200 -+++ gnupg-2.2.16/sm/certlist.c 2019-07-01 17:24:15.665759322 +0200 -@@ -147,10 +147,9 @@ cert_usage_p (ksba_cert_t cert, int mode - - if (mode == 5) - { -- if (use != ~0 -- && (have_ocsp_signing -- || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN -- |KSBA_KEYUSAGE_CRL_SIGN)))) -+ if (have_ocsp_signing -+ || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN -+ |KSBA_KEYUSAGE_CRL_SIGN))) - return 0; - if (!silent) - log_info (_("certificate should not have " diff --git a/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch b/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch index 98dda54..3af14ba 100644 --- a/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch +++ b/gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch 
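Review bot: With USE_LDAP unset, the `--help` path of `cmd_ad_query` now falls through to `err = 0; goto leave;` after doing nothing, so an Assuan client gets OK with no output and no hint that AD queries are unavailable in this build. An `#else` arm such as `err = gpg_error (GPG_ERR_NOT_SUPPORTED); goto leave;` would make the absence explicit — unless the non-LDAP body of cmd_ad_query, which lies outside the hunk, already reports that for every AD_QUERY invocation. The `Cherry-pick master commit of: dc13361524c1…` line cannot be checked from here; confirming the backport matches the upstream commit before accepting it is the usual step for a carried patch.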
@@ -1,3 +1,4 @@ +From c9485d59f735dbf7509a0136a896fe76f9cc915a Mon Sep 17 00:00:00 2001 From: Vincent Breitmoser Date: Thu, 13 Jun 2019 21:27:42 +0200 Subject: gpg: allow import of previously known keys, even without UIDs @@ -13,14 +14,14 @@ This fixes two of the three broken tests in import-incomplete.scm. GnuPG-Bug-id: 4393 Signed-off-by: Daniel Kahn Gillmor --- - g10/import.c | 44 +++++++++++--------------------------------- - 1 file changed, 11 insertions(+), 33 deletions(-) + g10/import.c | 45 +++++++++++---------------------------------- + 1 file changed, 11 insertions(+), 34 deletions(-) diff --git a/g10/import.c b/g10/import.c -index 5d3162c..f9acf95 100644 +index 9fab46ca6..c70a6221c 100644 --- a/g10/import.c +++ b/g10/import.c -@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl, +@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl, size_t an; char pkstrbuf[PUBKEY_STRING_SIZE]; int merge_keys_done = 0; @@ -28,7 +29,7 @@ index 5d3162c..f9acf95 100644 KEYDB_HANDLE hd = NULL; if (r_valid) -@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl, +@@ -1991,14 +1990,6 @@ import_one_real (ctrl_t ctrl, log_printf ("\n"); } @@ -43,12 +44,12 @@ index 5d3162c..f9acf95 100644 if (screener && screener (keyblock, screener_arg)) { log_error (_("key %s: %s\n"), keystr_from_pk (pk), -@@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl, +@@ -2078,18 +2069,10 @@ import_one_real (ctrl_t ctrl, } } - /* Delete invalid parts and bail out if there are no user ids left. */ -- if (!delete_inv_parts (ctrl, keyblock, keyid, options)) +- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) - { - if (!silent) - { 
@@ -62,11 +63,11 @@ index 5d3162c..f9acf95 100644 + /* Delete invalid parts, and note if we have any valid ones left. + * We will later abort import if this key is new but contains + * no valid uids. */ -+ delete_inv_parts (ctrl, keyblock, keyid, options); ++ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); /* Get rid of deleted nodes. */ commit_kbnode (&keyblock); -@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl, +@@ -2099,24 +2082,11 @@ import_one_real (ctrl_t ctrl, { apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); commit_kbnode (&keyblock); @@ -91,7 +92,7 @@ index 5d3162c..f9acf95 100644 } /* The keyblock is valid and ready for real import. */ -@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl, +@@ -2174,6 +2144,13 @@ import_one_real (ctrl_t ctrl, err = 0; stats->skipped_new_keys++; } diff --git a/gnupg-2.2.20-file-is-digest.patch b/gnupg-2.2.20-file-is-digest.patch index c2bf7c3..d8e774f 100644 --- a/gnupg-2.2.20-file-is-digest.patch +++ b/gnupg-2.2.20-file-is-digest.patch @@ -1,7 +1,19 @@ -diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c ---- gnupg-2.2.20/g10/gpg.c.file-is-digest 2020-04-14 16:33:42.630269318 +0200 -+++ gnupg-2.2.20/g10/gpg.c 2020-04-14 16:34:46.455100086 +0200 -@@ -380,6 +380,7 @@ enum cmd_and_opt_values +From cdd5082a9e3bdfc8de4aee4835dbdd607b4510be Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= +Date: Tue, 5 Aug 2014 17:04:08 +0200 +Subject: [PATCH gnupg] add --file-is-digest option needed for copr + +--- + g10/gpg.c | 4 +++ + g10/options.h | 1 + + g10/sign.c | 93 ++++++++++++++++++++++++++++++++++++++++++++------- + 3 files changed, 85 insertions(+), 13 deletions(-) + +diff --git a/g10/gpg.c b/g10/gpg.c +index f9bc8395f..dcab0a11a 100644 +--- a/g10/gpg.c ++++ b/g10/gpg.c +@@ -395,6 +395,7 @@ enum cmd_and_opt_values oTTYtype, oLCctype, oLCmessages, 
@@ -9,7 +21,7 @@ diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c oXauthority, oGroup, oUnGroup, -@@ -831,6 +832,7 @@ static ARGPARSE_OPTS opts[] = { +@@ -656,6 +657,7 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_s (oTempDir, "temp-directory", "@"), ARGPARSE_s_s (oExecPath, "exec-path", "@"), ARGPARSE_s_n (oExpert, "expert", "@"), @@ -17,7 +29,7 @@ diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c ARGPARSE_s_n (oNoExpert, "no-expert", "@"), ARGPARSE_s_n (oNoSecmemWarn, "no-secmem-warning", "@"), ARGPARSE_s_n (oRequireSecmem, "require-secmem", "@"), -@@ -2419,6 +2421,7 @@ main (int argc, char **argv) +@@ -2484,6 +2486,7 @@ main (int argc, char **argv) opt.keyid_format = KF_NONE; opt.def_sig_expire = "0"; opt.def_cert_expire = "0"; @@ -25,7 +37,7 @@ diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c opt.passphrase_repeat = 1; opt.emit_version = 0; opt.weak_digests = NULL; -@@ -2997,6 +3000,7 @@ main (int argc, char **argv) +@@ -3111,6 +3114,7 @@ main (int argc, char **argv) case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; case oForceAEAD: opt.force_aead = 1; break; @@ -33,10 +45,11 @@ diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break; case oIncludeKeyBlock: opt.flags.include_key_block = 1; break; -diff -up gnupg-2.2.20/g10/options.h.file-is-digest gnupg-2.2.20/g10/options.h ---- gnupg-2.2.20/g10/options.h.file-is-digest 2020-03-14 19:54:05.000000000 +0100 -+++ gnupg-2.2.20/g10/options.h 2020-04-14 16:33:42.634269245 +0200 -@@ -202,6 +202,7 @@ struct +diff --git a/g10/options.h b/g10/options.h +index 9015e321f..10852046c 100644 +--- a/g10/options.h ++++ b/g10/options.h +@@ -219,6 +219,7 @@ struct int no_auto_check_trustdb; int preserve_permissions; int no_homedir_creation; 
@@ -44,9 +57,10 @@ diff -up gnupg-2.2.20/g10/options.h.file-is-digest gnupg-2.2.20/g10/options.h struct groupitem *grouplist; int mangle_dos_filenames; int enable_progress_filter; -diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c ---- gnupg-2.2.20/g10/sign.c.file-is-digest 2020-03-14 19:35:46.000000000 +0100 -+++ gnupg-2.2.20/g10/sign.c 2020-04-14 16:36:54.661751422 +0200 +diff --git a/g10/sign.c b/g10/sign.c +index b5e9d422d..7ad143649 100644 +--- a/g10/sign.c ++++ b/g10/sign.c @@ -40,6 +40,7 @@ #include "pkglue.h" #include "../common/sysutils.h" @@ -55,7 +69,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c #include "../common/mbox-util.h" #include "../common/compliance.h" -@@ -834,6 +835,8 @@ write_signature_packets (ctrl_t ctrl, +@@ -945,6 +946,8 @@ write_signature_packets (ctrl_t ctrl, if (pk->version >= 5) sig->version = 5; /* Required for v5 keys. */ @@ -64,11 +78,11 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c else sig->version = 4; /* Required. */ -@@ -860,14 +863,22 @@ write_signature_packets (ctrl_t ctrl, +@@ -962,14 +965,22 @@ write_signature_packets (ctrl_t ctrl, if (gcry_md_copy (&md, hash)) BUG (); -- build_sig_subpkt_from_sig (sig, pk); +- build_sig_subpkt_from_sig (sig, pk, 0); - mk_notation_policy_etc (ctrl, sig, NULL, pk); - if (opt.flags.include_key_block && IS_SIG (sig)) - err = mk_sig_subpkt_key_block (ctrl, sig, pk); @@ -78,7 +92,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c - gcry_md_final (md); + if (!opt.file_is_digest) + { -+ build_sig_subpkt_from_sig (sig, pk); ++ build_sig_subpkt_from_sig (sig, pk, 0); + mk_notation_policy_etc (ctrl, sig, NULL, pk); + if (opt.flags.include_key_block && IS_SIG (sig)) + err = mk_sig_subpkt_key_block (ctrl, sig, pk); 
@@ -95,16 +109,16 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c if (!err) err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0); -@@ -924,6 +930,8 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -1034,6 +1045,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, SK_LIST sk_rover = NULL; int multifile = 0; u32 duration=0; + int sigclass = 0x00; + u32 timestamp = 0; pt_extra_hash_data_t extrahash = NULL; - - pfx = new_progress_context (); -@@ -941,7 +949,16 @@ sign_file (ctrl_t ctrl, strlist_t filena + char peekbuf[32]; + int peekbuflen = 0; +@@ -1056,7 +1069,16 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, fname = NULL; if (fname && filenames->next && (!detached || encryptflag)) @@ -122,7 +136,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c if (encryptflag == 2 && (rc = setup_symkey (&efx.symkey_s2k, &efx.symkey_dek))) -@@ -962,7 +979,7 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -1077,7 +1099,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, goto leave; /* Prepare iobufs. */ @@ -131,7 +145,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c inp = NULL; /* we do it later */ else { -@@ -1100,7 +1117,7 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -1240,7 +1262,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) gcry_md_enable (mfx.md, hash_for (sk_rover->pk)); @@ -140,7 +154,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c iobuf_push_filter (inp, md_filter, &mfx); if (detached && !encryptflag) -@@ -1155,6 +1172,8 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -1306,6 +1328,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, write_status_begin_signing (mfx.md); 
@@ -149,47 +163,47 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c /* Setup the inner packet. */ if (detached) { -@@ -1195,6 +1214,49 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -1353,6 +1377,49 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, if (opt.verbose) log_printf ("\n"); } + else if (opt.file_is_digest) + { -+ byte *mdb, ts[5]; ++ byte *mdb, ts[5] = {0}; + size_t mdlen; + const char *fp; + int c, d; -+ ++ + gcry_md_final(mfx.md); + /* this assumes gcry_md_read returns the same buffer */ + mdb = gcry_md_read(mfx.md, opt.def_digest_algo); + mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo); + if (strlen(fname) != mdlen * 2 + 11) -+ log_bug("digests must be %zu + @ + 5 bytes\n", mdlen); ++ log_bug("digests must be %zu + '@' + 5 bytes\n", mdlen); + d = -1; + for (fp = fname ; *fp; ) + { -+ c = *fp++; -+ if (c >= '0' && c <= '9') -+ c -= '0'; -+ else if (c >= 'a' && c <= 'f') -+ c -= 'a' - 10; -+ else if (c >= 'A' && c <= 'F') -+ c -= 'A' - 10; -+ else -+ log_bug("filename is not hex\n"); -+ if (d >= 0) ++ c = *fp++; ++ if (c >= '0' && c <= '9') ++ c -= '0'; ++ else if (c >= 'a' && c <= 'f') ++ c -= 'a' - 10; ++ else if (c >= 'A' && c <= 'F') ++ c -= 'A' - 10; ++ else ++ log_bug("filename is not hex\n"); ++ if (d >= 0) + { -+ *mdb++ = d << 4 | c; -+ c = -1; -+ if (--mdlen == 0) ++ *mdb++ = d << 4 | c; ++ c = -1; ++ if (--mdlen == 0) + { -+ mdb = ts; -+ if (*fp++ != '@') -+ log_bug("missing time separator\n"); -+ } -+ } -+ d = c; ++ mdb = ts; ++ if (*fp++ != '@') ++ log_bug("missing time separator\n"); ++ } ++ } ++ d = c; + } + sigclass = ts[0]; + if (sigclass != 0x00 && sigclass != 0x01) 
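Review bot: The three `log_bug()` calls in the new `--file-is-digest` branch (the `strlen` length check, the non-hex character case and the missing `@` case) abort the process on a malformed command-line argument, which is user input rather than an internal invariant, so a typo in the digest string kills gpg with a BUG message instead of a clean error. sign_file already uses `rc` and `goto leave` for failures (visible in the neighbouring hunks), so each site can become `log_error (...); rc = gpg_error (GPG_ERR_INV_ARG); goto leave;`. The branch also writes the decoded bytes into the buffer returned by `gcry_md_read`, as the comment `this assumes gcry_md_read returns the same buffer` admits; that relies on a libgcrypt implementation detail rather than its documented API and should at least be called out as such in the patch description, since a libgcrypt change would silently produce a signature over the wrong digest. sign_file begins and ends outside the hunk, and the `sigclass` check is cut off at the hunk's last line.
```c
          if (strlen (fname) != mdlen * 2 + 11)
            {
              log_error ("--file-is-digest: expected %zu hex digits, '@' and 10 hex digits\n", mdlen * 2);
              rc = gpg_error (GPG_ERR_INV_ARG);
              goto leave;
            }
          /* … unchanged: d = -1; start of the nibble loop … */
              else
                {
                  log_error ("--file-is-digest: argument is not hex\n");
                  rc = gpg_error (GPG_ERR_INV_ARG);
                  goto leave;
                }
          /* … unchanged: nibble pairing into mdb … */
                  if (*fp++ != '@')
                    {
                      log_error ("--file-is-digest: missing '@' time separator\n");
                      rc = gpg_error (GPG_ERR_INV_ARG);
                      goto leave;
                    }
          /* … unchanged: d = c; sigclass checks … */
```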
@@ -199,7 +213,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c else { /* Read, so that the filter can calculate the digest. */ -@@ -1213,8 +1271,8 @@ sign_file (ctrl_t ctrl, strlist_t filena +@@ -1374,8 +1441,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, /* Write the signatures. */ rc = write_signature_packets (ctrl, sk_list, out, mfx.md, extrahash, diff --git a/gnupg-2.3.6.tar.bz2 b/gnupg-2.3.6.tar.bz2 deleted file mode 100644 index 22d67cf..0000000 Binary files a/gnupg-2.3.6.tar.bz2 and /dev/null differ diff --git a/gnupg-2.3.6.tar.bz2.sig b/gnupg-2.3.6.tar.bz2.sig deleted file mode 100644 index e2ab1a2..0000000 Binary files a/gnupg-2.3.6.tar.bz2.sig and /dev/null differ diff --git a/gnupg-2.4.3.tar.bz2 b/gnupg-2.4.3.tar.bz2 new file mode 100644 index 0000000..cb51a1d Binary files /dev/null and b/gnupg-2.4.3.tar.bz2 differ diff --git a/gnupg-2.4.3.tar.bz2.sig b/gnupg-2.4.3.tar.bz2.sig new file mode 100644 index 0000000..f5cbf44 Binary files /dev/null and b/gnupg-2.4.3.tar.bz2.sig differ diff --git a/gnupg2-revert-rfc4880bis.patch b/gnupg2-revert-rfc4880bis.patch new file mode 100644 index 0000000..8bc65ed --- /dev/null +++ b/gnupg2-revert-rfc4880bis.patch 
@@ -0,0 +1,200 @@ +From 1e4f1550996334d2a631a5d769e937d29ace47bb Mon Sep 17 00:00:00 2001 +From: Jakub Jelen +Date: Thu, 9 Feb 2023 16:38:58 +0100 +Subject: [PATCH gnupg] Revert the introduction of the RFC4880bis draft into + defaults + +This reverts commit 4583f4fe2 (gpg: Merge --rfc4880bis features into +--gnupg, 2022-10-31). +--- + g10/gpg.c | 35 ++++++++++++++++++++++++++++++++--- + g10/keygen.c | 30 ++++++++++++++++++------------ + 2 files changed, 50 insertions(+), 15 deletions(-) + +diff --git a/g10/gpg.c b/g10/gpg.c +index dcab0a11a..796888013 100644 +--- a/g10/gpg.c ++++ b/g10/gpg.c +@@ -247,6 +247,7 @@ enum cmd_and_opt_values + oGnuPG, + oRFC2440, + oRFC4880, ++ oRFC4880bis, + oOpenPGP, + oPGP7, + oPGP8, +@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = { + ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"), + ARGPARSE_s_n (oRFC2440, "rfc2440", "@"), + ARGPARSE_s_n (oRFC4880, "rfc4880", "@"), ++ ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"), + ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")), + ARGPARSE_s_n (oPGP7, "pgp6", "@"), + ARGPARSE_s_n (oPGP7, "pgp7", "@"), +@@ -978,7 +980,6 @@ static gpgrt_opt_t opts[] = { + ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"), + ARGPARSE_s_s (oNoop, "aead-algo", "@"), + ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"), +- ARGPARSE_s_n (oNoop, "rfc4880bis", "@"), + ARGPARSE_s_n (oNoop, "override-compliance-check", "@"), + + +@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option compliance_options[] = + { + { "gnupg", oGnuPG }, + { "openpgp", oOpenPGP }, +- { "rfc4880bis", oGnuPG }, ++ { "rfc4880bis", oRFC4880bis }, + { "rfc4880", oRFC4880 }, + { "rfc2440", oRFC2440 }, + { "pgp6", oPGP7 }, +@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option compliance_options[] = + static void + set_compliance_option (enum cmd_and_opt_values option) + { ++ opt.flags.rfc4880bis = 0; /* Clear because it is initially set. 
*/ ++ + switch (option) + { ++ case oRFC4880bis: ++ opt.flags.rfc4880bis = 1; ++ opt.compliance = CO_RFC4880; ++ opt.flags.dsa2 = 1; ++ opt.flags.require_cross_cert = 1; ++ opt.rfc2440_text = 0; ++ opt.allow_non_selfsigned_uid = 1; ++ opt.allow_freeform_uid = 1; ++ opt.escape_from = 1; ++ opt.not_dash_escaped = 0; ++ opt.def_cipher_algo = 0; ++ opt.def_digest_algo = 0; ++ opt.cert_digest_algo = 0; ++ opt.compress_algo = -1; ++ opt.s2k_mode = 3; /* iterated+salted */ ++ opt.s2k_digest_algo = DIGEST_ALGO_SHA256; ++ opt.s2k_cipher_algo = CIPHER_ALGO_AES256; ++ break; + case oOpenPGP: + case oRFC4880: + /* This is effectively the same as RFC2440, but with +@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_values option) + case oPGP8: opt.compliance = CO_PGP8; break; + case oGnuPG: + opt.compliance = CO_GNUPG; ++ opt.flags.rfc4880bis = 1; + break; + + case oDE_VS: +@@ -2491,6 +2513,7 @@ main (int argc, char **argv) + opt.emit_version = 0; + opt.weak_digests = NULL; + opt.compliance = CO_GNUPG; ++ opt.flags.rfc4880bis = 1; + + /* Check special options given on the command line. */ + orig_argc = argc; +@@ -3033,6 +3056,7 @@ main (int argc, char **argv) + case oOpenPGP: + case oRFC2440: + case oRFC4880: ++ case oRFC4880bis: + case oPGP7: + case oPGP8: + case oGnuPG: +@@ -3862,6 +3886,11 @@ main (int argc, char **argv) + if( may_coredump && !opt.quiet ) + log_info(_("WARNING: program may create a core file!\n")); + ++ if (!opt.flags.rfc4880bis) ++ { ++ opt.mimemode = 0; /* This will use text mode instead. */ ++ } ++ + if (eyes_only) { + if (opt.set_filename) + log_info(_("WARNING: %s overrides %s\n"), +@@ -4078,7 +4107,7 @@ main (int argc, char **argv) + /* Check our chosen algorithms against the list of legal + algorithms. 
*/ + +- if(!GNUPG) ++ if(!GNUPG && !opt.flags.rfc4880bis) + { + const char *badalg=NULL; + preftype_t badtype=PREFTYPE_NONE; +diff --git a/g10/keygen.c b/g10/keygen.c +index a2cfe3ccf..2a1dd1f81 100644 +--- a/g10/keygen.c ++++ b/g10/keygen.c +@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string,int personal) + strcat(dummy_string,"S7 "); + strcat(dummy_string,"S2 "); /* 3DES */ + +- if (!openpgp_aead_test_algo (AEAD_ALGO_OCB)) ++ if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB)) + strcat(dummy_string,"A2 "); + + if (personal) +@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig, void *opaque) + /* Make sure that the MDC feature flag is set if needed. */ + add_feature_mdc (sig,mdc_available); + add_feature_aead (sig, aead_available); +- add_feature_v5 (sig, 1); ++ add_feature_v5 (sig, opt.flags.rfc4880bis); + add_keyserver_modify (sig,ks_modify); + keygen_add_keyserver_url(sig,NULL); + +@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl, + } + } + else if (!ascii_strcasecmp (s, "v5")) +- keyversion = 5; ++ { ++ if (opt.flags.rfc4880bis) ++ keyversion = 5; ++ } + else if (!ascii_strcasecmp (s, "v4")) + keyversion = 4; + else +@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl, + * ecdsa := Use algorithm ECDSA. + * eddsa := Use algorithm EdDSA. + * ecdh := Use algorithm ECDH. +- * v5 := Create version 5 key ++ * v5 := Create version 5 key (requires option --rfc4880bis) + * + * There are several defaults and fallbacks depending on the + * algorithm. PART can be used to select which part of STRING is +@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const char *fname ) + } + } + +- if ((keywords[i].key == pVERSION +- || keywords[i].key == pSUBVERSION)) +- ; /* Ignore version. */ ++ if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION ++ || keywords[i].key == pSUBVERSION)) ++ ; /* Ignore version unless --rfc4880bis is active. 
*/ + else + { + r = xmalloc_clear( sizeof *r + strlen( value ) ); +@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *para, int for_subkey, + para = r; + } + +- r = xmalloc_clear (sizeof *r + 20); +- r->key = for_subkey? pSUBVERSION : pVERSION; +- snprintf (r->u.value, 20, "%d", version); +- r->next = para; +- para = r; ++ if (opt.flags.rfc4880bis) ++ { ++ r = xmalloc_clear (sizeof *r + 20); ++ r->key = for_subkey? pSUBVERSION : pVERSION; ++ snprintf (r->u.value, 20, "%d", version); ++ r->next = para; ++ para = r; ++ } + + if (keytime) + { diff --git a/gnupg2.spec b/gnupg2.spec index 022fbc5..99f9172 100644 --- a/gnupg2.spec +++ b/gnupg2.spec @@ -1,6 +1,6 @@ Name: gnupg2 -Version: 2.3.6 -Release: 4 +Version: 2.4.3 +Release: 1 Summary: Utility for secure communication and data storage License: GPLv3+ 
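Review bot: In the re-added `v5` handling of `parse_key_parameter_part`, a requested `v5` is silently dropped when `opt.flags.rfc4880bis` is clear (the branch only sets `keyversion = 5` under the flag), and `read_parameter_file` likewise ignores the version keywords without a message, so a user who asked for a v5 key under `--openpgp` or `--rfc4880` gets a v4 key with no indication; a `log_info (_("ignoring key version 5 without --rfc4880bis\n"));` at both sites would make that visible. Separately, the widened condition `if(!GNUPG && !opt.flags.rfc4880bis)` skips the chosen-algorithm legality check whenever the flag is set, so `--rfc4880bis` is not subject to the check that `--rfc4880` is; this appears to mirror the pre-4583f4fe2 code the patch restores (inferred from the header, not verifiable here) and deserves a one-line comment at the condition. The header gives the motivation only by title; a sentence on the interoperability concern behind keeping AEAD/OCB preferences and v5 features out of the non-gnupg compliance modes would help whoever rebases this patch next.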
@@ -11,26 +11,25 @@ Source1: https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig Patch0: gnupg-2.1.10-secmem.patch Patch1: gnupg-2.1.1-fips-algo.patch Patch2: gnupg-2.2.23-large-rsa.patch -Patch3: gnupg-2.2.16-ocsp-keyusage.patch Patch4: gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch Patch5: gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch Patch6: gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch Patch7: gnupg-2.2.20-file-is-digest.patch Patch8: gnupg-2.2.21-coverity.patch -Patch9: backport-CVE-2022-34903.patch -Patch10: backport-common-Protect-against-a-theoretical-integer-overflow.patch +Patch9: gnupg2-revert-rfc4880bis.patch +Patch10: backport-dirmngr-Enable-the-call-of-ks_ldap_help_variables-wh.patch BuildRequires: gcc BuildRequires: zlib-devel, npth-devel, texinfo -BuildRequires: libgpg-error-devel >= 1.41 +BuildRequires: libgpg-error-devel >= 1.46 BuildRequires: libgcrypt-devel >= 1.9.4 -BuildRequires: libksba-devel >= 1.3.0 -BuildRequires: libassuan-devel >= 2.1.0 +BuildRequires: libksba-devel >= 1.6.3 +BuildRequires: libassuan-devel >= 2.5.0 # compile dirmngr module, need gnutls BuildRequires: gnutls-devel Requires: libgcrypt >= 1.9.4 -Requires: libgpg-error >= 1.41 +Requires: libgpg-error >= 1.46 Recommends: pinentry Recommends: gnupg2-smime @@ -38,11 +37,11 @@ Recommends: gnupg2-smime Provides: gpg = %{version}-%{release} Provides: gnupg = %{version}-%{release} Provides: dirmngr = %{version}-%{release} -Provides: gnupg2-smime +Provides: gnupg2-smime = %{version}-%{release} Obsoletes: gnupg <= 1.4.24 Obsoletes: dirmngr < 1.2.0-1 -Obsoletes: gnupg2-smime +Obsoletes: gnupg2-smime < %{version}-%{release} %description GnuPG is a complete and free implementation of the OpenPGP standard @@ -121,6 +120,9 @@ make check %changelog +* Mon Jul 17 2023 yixiangzhike - 2.4.3-1 +- update to 2.4.3 + * Wed Jun 14 2023 yixiangzhike - 2.3.6-4 - backport upstream patch
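Review bot: Dropping `Patch3: gnupg-2.2.16-ocsp-keyusage.patch` is a behaviour change that the new changelog entry (`update to 2.4.3`) does not mention: that patch relaxed `cert_usage_p` mode 5 so OCSP responder certificates without a keyUsage extension are accepted, and without it gpgsm falls back to upstream's stricter check (unless 2.4.3 changed that code, which is not visible here), which can turn working OCSP validation into wrong-key-usage failures. Removing the two CVE-2022-34903 and tlv.c overflow backports is expected if 2.4.3 carries those upstream commits, but the changelog should record which fixes are now upstream and that gnupg2-revert-rfc4880bis.patch deliberately diverges from upstream defaults. It is also worth confirming that the rebased file-is-digest and import-without-UID patches apply without fuzz and that `%prep` verifies `Source1` (the .sig) against the new tarball, since the spec section that would do so lies outside the hunk.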