Update to 2.4.3

yixiangzhike 2023-07-17 10:32:44 +08:00
parent dccf255c75
commit a5584690bd
12 changed files with 322 additions and 171 deletions

@ -1,50 +0,0 @@
From 34c649b3601383cd11dbc76221747ec16fd68e1b Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 14 Jun 2022 11:33:27 +0200
Subject: [PATCH] g10: Fix garbled status messages in NOTATION_DATA
* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--
Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong. Fixed by always using a break to
terminate the escape detection loop. Might have happened for all
status lines which may wrap.
GnuPG-bug-id: T6027
---
g10/cpr.c | 13 ++++---------
1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/g10/cpr.c b/g10/cpr.c
index 9bfdd3c34..fa8005d6f 100644
--- a/g10/cpr.c
+++ b/g10/cpr.c
@@ -372,20 +372,15 @@ write_status_text_and_buffer (int no, const char *string,
}
first = 0;
}
- for (esc=0, s=buffer, n=len; n && !esc; s++, n--)
+ for (esc=0, s=buffer, n=len; n; s++, n--)
{
if (*s == '%' || *(const byte*)s <= lower_limit
|| *(const byte*)s == 127 )
esc = 1;
if (wrap && ++count > wrap)
- {
- dowrap=1;
- break;
- }
- }
- if (esc)
- {
- s--; n++;
+ dowrap=1;
+ if (esc || dowrap)
+ break;
}
if (s != buffer)
es_fwrite (buffer, s-buffer, 1, statusfp);
--
2.27.0

@ -1,34 +0,0 @@
From c300253181cfc591cbcae9251eda5296ed29591b Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Fri, 7 Oct 2022 14:12:33 +0200
Subject: [PATCH] common: Protect against a theoretical integer overflow in
tlv.c
* common/tlv.c (parse_ber_header): Protect agains integer overflow.
--
Although there is no concrete case where we use the (nhdr + length),
it is better to protect against this already here.
---
common/tlv.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/common/tlv.c b/common/tlv.c
index abef83a37..9618d04cb 100644
--- a/common/tlv.c
+++ b/common/tlv.c
@@ -222,6 +222,11 @@ parse_ber_header (unsigned char const **buffer, size_t *size,
*r_length = len;
}
+ if (*r_length > *r_nhdr && (*r_nhdr + *r_length) < *r_length)
+ {
+ return gpg_err_make (default_errsource, GPG_ERR_EOVERFLOW);
+ }
+
/* Without this kludge some example certs can't be parsed. */
if (*r_class == CLASS_UNIVERSAL && !*r_tag)
*r_length = 0;
--
2.27.0

@ -0,0 +1,35 @@
From 9ae3cfcabec9252c22d67b7a15c36f0a8cf22f0f Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Wed, 5 Jul 2023 09:29:54 +0900
Subject: [PATCH] dirmngr: Enable the call of ks_ldap_help_variables when
USE_LDAP.
* dirmngr/server.c [USE_LDAP] (cmd_ad_query): Conditionalize.
--
Cherry-pick master commit of:
dc13361524c1477b2106c7385f2059f9ea111b84
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
dirmngr/server.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/dirmngr/server.c b/dirmngr/server.c
index 51a149cb2..ee61f63d6 100644
--- a/dirmngr/server.c
+++ b/dirmngr/server.c
@@ -2776,7 +2776,9 @@ cmd_ad_query (assuan_context_t ctx, char *line)
if (opt_help)
{
+#if USE_LDAP
ks_ldap_help_variables (ctrl);
+#endif
err = 0;
goto leave;
}
--
2.27.0

@ -1,17 +0,0 @@
diff -up gnupg-2.2.16/sm/certlist.c.keyusage gnupg-2.2.16/sm/certlist.c
--- gnupg-2.2.16/sm/certlist.c.keyusage 2019-07-01 17:17:06.925254065 +0200
+++ gnupg-2.2.16/sm/certlist.c 2019-07-01 17:24:15.665759322 +0200
@@ -147,10 +147,9 @@ cert_usage_p (ksba_cert_t cert, int mode
if (mode == 5)
{
- if (use != ~0
- && (have_ocsp_signing
- || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
- |KSBA_KEYUSAGE_CRL_SIGN))))
+ if (have_ocsp_signing
+ || (use & (KSBA_KEYUSAGE_KEY_CERT_SIGN
+ |KSBA_KEYUSAGE_CRL_SIGN)))
return 0;
if (!silent)
log_info (_("certificate should not have "

@ -1,3 +1,4 @@
From c9485d59f735dbf7509a0136a896fe76f9cc915a Mon Sep 17 00:00:00 2001
From: Vincent Breitmoser <look@my.amazin.horse>
Date: Thu, 13 Jun 2019 21:27:42 +0200
Subject: gpg: allow import of previously known keys, even without UIDs
@ -13,14 +14,14 @@ This fixes two of the three broken tests in import-incomplete.scm.
GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
---
g10/import.c | 44 +++++++++++---------------------------------
1 file changed, 11 insertions(+), 33 deletions(-)
g10/import.c | 45 +++++++++++----------------------------------
1 file changed, 11 insertions(+), 34 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index 5d3162c..f9acf95 100644
index 9fab46ca6..c70a6221c 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,
@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl,
size_t an;
char pkstrbuf[PUBKEY_STRING_SIZE];
int merge_keys_done = 0;
@ -28,7 +29,7 @@ index 5d3162c..f9acf95 100644
KEYDB_HANDLE hd = NULL;
if (r_valid)
@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,
@@ -1991,14 +1990,6 @@ import_one_real (ctrl_t ctrl,
log_printf ("\n");
}
@ -43,12 +44,12 @@ index 5d3162c..f9acf95 100644
if (screener && screener (keyblock, screener_arg))
{
log_error (_("key %s: %s\n"), keystr_from_pk (pk),
@@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl,
@@ -2078,18 +2069,10 @@ import_one_real (ctrl_t ctrl,
}
}
- /* Delete invalid parts and bail out if there are no user ids left. */
- if (!delete_inv_parts (ctrl, keyblock, keyid, options))
- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))
- {
- if (!silent)
- {
@ -62,11 +63,11 @@ index 5d3162c..f9acf95 100644
+ /* Delete invalid parts, and note if we have any valid ones left.
+ * We will later abort import if this key is new but contains
+ * no valid uids. */
+ delete_inv_parts (ctrl, keyblock, keyid, options);
+ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);
/* Get rid of deleted nodes. */
commit_kbnode (&keyblock);
@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,
@@ -2099,24 +2082,11 @@ import_one_real (ctrl_t ctrl,
{
apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);
commit_kbnode (&keyblock);
@ -91,7 +92,7 @@ index 5d3162c..f9acf95 100644
}
/* The keyblock is valid and ready for real import. */
@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,
@@ -2174,6 +2144,13 @@ import_one_real (ctrl_t ctrl,
err = 0;
stats->skipped_new_keys++;
}

@ -1,7 +1,19 @@
diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c
--- gnupg-2.2.20/g10/gpg.c.file-is-digest 2020-04-14 16:33:42.630269318 +0200
+++ gnupg-2.2.20/g10/gpg.c 2020-04-14 16:34:46.455100086 +0200
@@ -380,6 +380,7 @@ enum cmd_and_opt_values
From cdd5082a9e3bdfc8de4aee4835dbdd607b4510be Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?= <tmraz@fedoraproject.org>
Date: Tue, 5 Aug 2014 17:04:08 +0200
Subject: [PATCH gnupg] add --file-is-digest option needed for copr
---
g10/gpg.c | 4 +++
g10/options.h | 1 +
g10/sign.c | 93 ++++++++++++++++++++++++++++++++++++++++++++-------
3 files changed, 85 insertions(+), 13 deletions(-)
diff --git a/g10/gpg.c b/g10/gpg.c
index f9bc8395f..dcab0a11a 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -395,6 +395,7 @@ enum cmd_and_opt_values
oTTYtype,
oLCctype,
oLCmessages,
@ -9,7 +21,7 @@ diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c
oXauthority,
oGroup,
oUnGroup,
@@ -831,6 +832,7 @@ static ARGPARSE_OPTS opts[] = {
@@ -656,6 +657,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oTempDir, "temp-directory", "@"),
ARGPARSE_s_s (oExecPath, "exec-path", "@"),
ARGPARSE_s_n (oExpert, "expert", "@"),
@ -17,7 +29,7 @@ diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c
ARGPARSE_s_n (oNoExpert, "no-expert", "@"),
ARGPARSE_s_n (oNoSecmemWarn, "no-secmem-warning", "@"),
ARGPARSE_s_n (oRequireSecmem, "require-secmem", "@"),
@@ -2419,6 +2421,7 @@ main (int argc, char **argv)
@@ -2484,6 +2486,7 @@ main (int argc, char **argv)
opt.keyid_format = KF_NONE;
opt.def_sig_expire = "0";
opt.def_cert_expire = "0";
@ -25,7 +37,7 @@ diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c
opt.passphrase_repeat = 1;
opt.emit_version = 0;
opt.weak_digests = NULL;
@@ -2997,6 +3000,7 @@ main (int argc, char **argv)
@@ -3111,6 +3114,7 @@ main (int argc, char **argv)
case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
case oForceAEAD: opt.force_aead = 1; break;
@ -33,10 +45,11 @@ diff -up gnupg-2.2.20/g10/gpg.c.file-is-digest gnupg-2.2.20/g10/gpg.c
case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
case oIncludeKeyBlock: opt.flags.include_key_block = 1; break;
diff -up gnupg-2.2.20/g10/options.h.file-is-digest gnupg-2.2.20/g10/options.h
--- gnupg-2.2.20/g10/options.h.file-is-digest 2020-03-14 19:54:05.000000000 +0100
+++ gnupg-2.2.20/g10/options.h 2020-04-14 16:33:42.634269245 +0200
@@ -202,6 +202,7 @@ struct
diff --git a/g10/options.h b/g10/options.h
index 9015e321f..10852046c 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -219,6 +219,7 @@ struct
int no_auto_check_trustdb;
int preserve_permissions;
int no_homedir_creation;
@ -44,9 +57,10 @@ diff -up gnupg-2.2.20/g10/options.h.file-is-digest gnupg-2.2.20/g10/options.h
struct groupitem *grouplist;
int mangle_dos_filenames;
int enable_progress_filter;
diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
--- gnupg-2.2.20/g10/sign.c.file-is-digest 2020-03-14 19:35:46.000000000 +0100
+++ gnupg-2.2.20/g10/sign.c 2020-04-14 16:36:54.661751422 +0200
diff --git a/g10/sign.c b/g10/sign.c
index b5e9d422d..7ad143649 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -40,6 +40,7 @@
#include "pkglue.h"
#include "../common/sysutils.h"
@ -55,7 +69,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
#include "../common/mbox-util.h"
#include "../common/compliance.h"
@@ -834,6 +835,8 @@ write_signature_packets (ctrl_t ctrl,
@@ -945,6 +946,8 @@ write_signature_packets (ctrl_t ctrl,
if (pk->version >= 5)
sig->version = 5; /* Required for v5 keys. */
@ -64,11 +78,11 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
else
sig->version = 4; /* Required. */
@@ -860,14 +863,22 @@ write_signature_packets (ctrl_t ctrl,
@@ -962,14 +965,22 @@ write_signature_packets (ctrl_t ctrl,
if (gcry_md_copy (&md, hash))
BUG ();
- build_sig_subpkt_from_sig (sig, pk);
- build_sig_subpkt_from_sig (sig, pk, 0);
- mk_notation_policy_etc (ctrl, sig, NULL, pk);
- if (opt.flags.include_key_block && IS_SIG (sig))
- err = mk_sig_subpkt_key_block (ctrl, sig, pk);
@ -78,7 +92,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
- gcry_md_final (md);
+ if (!opt.file_is_digest)
+ {
+ build_sig_subpkt_from_sig (sig, pk);
+ build_sig_subpkt_from_sig (sig, pk, 0);
+ mk_notation_policy_etc (ctrl, sig, NULL, pk);
+ if (opt.flags.include_key_block && IS_SIG (sig))
+ err = mk_sig_subpkt_key_block (ctrl, sig, pk);
@ -95,16 +109,16 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
if (!err)
err = do_sign (ctrl, pk, sig, md, hash_for (pk), cache_nonce, 0);
@@ -924,6 +930,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
@@ -1034,6 +1045,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
SK_LIST sk_rover = NULL;
int multifile = 0;
u32 duration=0;
+ int sigclass = 0x00;
+ u32 timestamp = 0;
pt_extra_hash_data_t extrahash = NULL;
pfx = new_progress_context ();
@@ -941,7 +949,16 @@ sign_file (ctrl_t ctrl, strlist_t filena
char peekbuf[32];
int peekbuflen = 0;
@@ -1056,7 +1069,16 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
fname = NULL;
if (fname && filenames->next && (!detached || encryptflag))
@ -122,7 +136,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
if (encryptflag == 2
&& (rc = setup_symkey (&efx.symkey_s2k, &efx.symkey_dek)))
@@ -962,7 +979,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
@@ -1077,7 +1099,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
goto leave;
/* Prepare iobufs. */
@ -131,7 +145,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
inp = NULL; /* we do it later */
else
{
@@ -1100,7 +1117,7 @@ sign_file (ctrl_t ctrl, strlist_t filena
@@ -1240,7 +1262,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next)
gcry_md_enable (mfx.md, hash_for (sk_rover->pk));
@ -140,7 +154,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
iobuf_push_filter (inp, md_filter, &mfx);
if (detached && !encryptflag)
@@ -1155,6 +1172,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
@@ -1306,6 +1328,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
write_status_begin_signing (mfx.md);
@ -149,13 +163,13 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
/* Setup the inner packet. */
if (detached)
{
@@ -1195,6 +1214,49 @@ sign_file (ctrl_t ctrl, strlist_t filena
@@ -1353,6 +1377,49 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
if (opt.verbose)
log_printf ("\n");
}
+ else if (opt.file_is_digest)
+ {
+ byte *mdb, ts[5];
+ byte *mdb, ts[5] = {0};
+ size_t mdlen;
+ const char *fp;
+ int c, d;
@ -165,31 +179,31 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
+ mdb = gcry_md_read(mfx.md, opt.def_digest_algo);
+ mdlen = gcry_md_get_algo_dlen(opt.def_digest_algo);
+ if (strlen(fname) != mdlen * 2 + 11)
+ log_bug("digests must be %zu + @ + 5 bytes\n", mdlen);
+ log_bug("digests must be %zu + '@' + 5 bytes\n", mdlen);
+ d = -1;
+ for (fp = fname ; *fp; )
+ {
+ c = *fp++;
+ if (c >= '0' && c <= '9')
+ c -= '0';
+ else if (c >= 'a' && c <= 'f')
+ c -= 'a' - 10;
+ else if (c >= 'A' && c <= 'F')
+ c -= 'A' - 10;
+ else
+ log_bug("filename is not hex\n");
+ if (d >= 0)
+ c = *fp++;
+ if (c >= '0' && c <= '9')
+ c -= '0';
+ else if (c >= 'a' && c <= 'f')
+ c -= 'a' - 10;
+ else if (c >= 'A' && c <= 'F')
+ c -= 'A' - 10;
+ else
+ log_bug("filename is not hex\n");
+ if (d >= 0)
+ {
+ *mdb++ = d << 4 | c;
+ c = -1;
+ if (--mdlen == 0)
+ *mdb++ = d << 4 | c;
+ c = -1;
+ if (--mdlen == 0)
+ {
+ mdb = ts;
+ if (*fp++ != '@')
+ log_bug("missing time separator\n");
+ }
+ }
+ d = c;
+ mdb = ts;
+ if (*fp++ != '@')
+ log_bug("missing time separator\n");
+ }
+ }
+ d = c;
+ }
+ sigclass = ts[0];
+ if (sigclass != 0x00 && sigclass != 0x01)
@ -199,7 +213,7 @@ diff -up gnupg-2.2.20/g10/sign.c.file-is-digest gnupg-2.2.20/g10/sign.c
else
{
/* Read, so that the filter can calculate the digest. */
@@ -1213,8 +1271,8 @@ sign_file (ctrl_t ctrl, strlist_t filena
@@ -1374,8 +1441,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
/* Write the signatures. */
rc = write_signature_packets (ctrl, sk_list, out, mfx.md, extrahash,
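Review bot: The `opt.file_is_digest` branch added to sign_file rejects malformed caller input with `log_bug`, which is the internal-error path. A file name of the wrong length, a non-hex character or a missing `@` is ordinary bad input and would be better handled as `{ log_error ("filename is not hex\n"); rc = gpg_error (GPG_ERR_INV_VALUE); goto leave; }`. The branch also calls `strlen(fname)`, while context earlier in the function shows `fname = NULL;`. Whether a NULL name can reach this branch is not visible here, so an explicit `if (!fname)` check before the length test is worth adding. Since this mode signs a digest and signature class (and, it appears, a timestamp) taken directly from the file name and skips the usual subpacket construction, a comment at the top of the branch should state the expected `<hex digest>@<10 hex digits>` format and that the caller is fully trusted for what gets signed; sign_file itself starts and ends outside the hunks shown.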

gnupg-2.4.3.tar.bz2 Normal file

Binary file not shown.

gnupg-2.4.3.tar.bz2.sig Normal file

Binary file not shown.

@ -0,0 +1,200 @@
From 1e4f1550996334d2a631a5d769e937d29ace47bb Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 9 Feb 2023 16:38:58 +0100
Subject: [PATCH gnupg] Revert the introduction of the RFC4880bis draft into
defaults
This reverts commit 4583f4fe2 (gpg: Merge --rfc4880bis features into
--gnupg, 2022-10-31).
---
g10/gpg.c | 35 ++++++++++++++++++++++++++++++++---
g10/keygen.c | 30 ++++++++++++++++++------------
2 files changed, 50 insertions(+), 15 deletions(-)
diff --git a/g10/gpg.c b/g10/gpg.c
index dcab0a11a..796888013 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -247,6 +247,7 @@ enum cmd_and_opt_values
oGnuPG,
oRFC2440,
oRFC4880,
+ oRFC4880bis,
oOpenPGP,
oPGP7,
oPGP8,
@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"),
ARGPARSE_s_n (oRFC2440, "rfc2440", "@"),
ARGPARSE_s_n (oRFC4880, "rfc4880", "@"),
+ ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"),
ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")),
ARGPARSE_s_n (oPGP7, "pgp6", "@"),
ARGPARSE_s_n (oPGP7, "pgp7", "@"),
@@ -978,7 +980,6 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"),
ARGPARSE_s_s (oNoop, "aead-algo", "@"),
ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"),
- ARGPARSE_s_n (oNoop, "rfc4880bis", "@"),
ARGPARSE_s_n (oNoop, "override-compliance-check", "@"),
@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option compliance_options[] =
{
{ "gnupg", oGnuPG },
{ "openpgp", oOpenPGP },
- { "rfc4880bis", oGnuPG },
+ { "rfc4880bis", oRFC4880bis },
{ "rfc4880", oRFC4880 },
{ "rfc2440", oRFC2440 },
{ "pgp6", oPGP7 },
@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option compliance_options[] =
static void
set_compliance_option (enum cmd_and_opt_values option)
{
+ opt.flags.rfc4880bis = 0; /* Clear because it is initially set. */
+
switch (option)
{
+ case oRFC4880bis:
+ opt.flags.rfc4880bis = 1;
+ opt.compliance = CO_RFC4880;
+ opt.flags.dsa2 = 1;
+ opt.flags.require_cross_cert = 1;
+ opt.rfc2440_text = 0;
+ opt.allow_non_selfsigned_uid = 1;
+ opt.allow_freeform_uid = 1;
+ opt.escape_from = 1;
+ opt.not_dash_escaped = 0;
+ opt.def_cipher_algo = 0;
+ opt.def_digest_algo = 0;
+ opt.cert_digest_algo = 0;
+ opt.compress_algo = -1;
+ opt.s2k_mode = 3; /* iterated+salted */
+ opt.s2k_digest_algo = DIGEST_ALGO_SHA256;
+ opt.s2k_cipher_algo = CIPHER_ALGO_AES256;
+ break;
case oOpenPGP:
case oRFC4880:
/* This is effectively the same as RFC2440, but with
@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_values option)
case oPGP8: opt.compliance = CO_PGP8; break;
case oGnuPG:
opt.compliance = CO_GNUPG;
+ opt.flags.rfc4880bis = 1;
break;
case oDE_VS:
@@ -2491,6 +2513,7 @@ main (int argc, char **argv)
opt.emit_version = 0;
opt.weak_digests = NULL;
opt.compliance = CO_GNUPG;
+ opt.flags.rfc4880bis = 1;
/* Check special options given on the command line. */
orig_argc = argc;
@@ -3033,6 +3056,7 @@ main (int argc, char **argv)
case oOpenPGP:
case oRFC2440:
case oRFC4880:
+ case oRFC4880bis:
case oPGP7:
case oPGP8:
case oGnuPG:
@@ -3862,6 +3886,11 @@ main (int argc, char **argv)
if( may_coredump && !opt.quiet )
log_info(_("WARNING: program may create a core file!\n"));
+ if (!opt.flags.rfc4880bis)
+ {
+ opt.mimemode = 0; /* This will use text mode instead. */
+ }
+
if (eyes_only) {
if (opt.set_filename)
log_info(_("WARNING: %s overrides %s\n"),
@@ -4078,7 +4107,7 @@ main (int argc, char **argv)
/* Check our chosen algorithms against the list of legal
algorithms. */
- if(!GNUPG)
+ if(!GNUPG && !opt.flags.rfc4880bis)
{
const char *badalg=NULL;
preftype_t badtype=PREFTYPE_NONE;
diff --git a/g10/keygen.c b/g10/keygen.c
index a2cfe3ccf..2a1dd1f81 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string,int personal)
strcat(dummy_string,"S7 ");
strcat(dummy_string,"S2 "); /* 3DES */
- if (!openpgp_aead_test_algo (AEAD_ALGO_OCB))
+ if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB))
strcat(dummy_string,"A2 ");
if (personal)
@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig, void *opaque)
/* Make sure that the MDC feature flag is set if needed. */
add_feature_mdc (sig,mdc_available);
add_feature_aead (sig, aead_available);
- add_feature_v5 (sig, 1);
+ add_feature_v5 (sig, opt.flags.rfc4880bis);
add_keyserver_modify (sig,ks_modify);
keygen_add_keyserver_url(sig,NULL);
@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl,
}
}
else if (!ascii_strcasecmp (s, "v5"))
- keyversion = 5;
+ {
+ if (opt.flags.rfc4880bis)
+ keyversion = 5;
+ }
else if (!ascii_strcasecmp (s, "v4"))
keyversion = 4;
else
@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl,
* ecdsa := Use algorithm ECDSA.
* eddsa := Use algorithm EdDSA.
* ecdh := Use algorithm ECDH.
- * v5 := Create version 5 key
+ * v5 := Create version 5 key (requires option --rfc4880bis)
*
* There are several defaults and fallbacks depending on the
* algorithm. PART can be used to select which part of STRING is
@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const char *fname )
}
}
- if ((keywords[i].key == pVERSION
- || keywords[i].key == pSUBVERSION))
- ; /* Ignore version. */
+ if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION
+ || keywords[i].key == pSUBVERSION))
+ ; /* Ignore version unless --rfc4880bis is active. */
else
{
r = xmalloc_clear( sizeof *r + strlen( value ) );
@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *para, int for_subkey,
para = r;
}
- r = xmalloc_clear (sizeof *r + 20);
- r->key = for_subkey? pSUBVERSION : pVERSION;
- snprintf (r->u.value, 20, "%d", version);
- r->next = para;
- para = r;
+ if (opt.flags.rfc4880bis)
+ {
+ r = xmalloc_clear (sizeof *r + 20);
+ r->key = for_subkey? pSUBVERSION : pVERSION;
+ snprintf (r->u.value, 20, "%d", version);
+ r->next = para;
+ para = r;
+ }
if (keytime)
{
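Review bot: In the keygen.c part, the `v5` branch of parse_key_parameter_part now does nothing when `opt.flags.rfc4880bis` is off, so a caller that explicitly asks for a version 5 key silently gets whatever key version was otherwise selected. read_parameter_file likewise drops the version keywords without a message. A diagnostic in the missing else case, for example `else log_info ("v5 keys require --rfc4880bis; ignored\n");`, would make that downgrade visible. Separately, in gpg.c the algorithm check becomes `if(!GNUPG && !opt.flags.rfc4880bis)`, so it is skipped whenever the flag is set even though `oRFC4880bis` sets `opt.compliance = CO_RFC4880`; a short comment there confirming this is intended would help. All of these functions start or end outside the hunks shown.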

@ -1,6 +1,6 @@
Name: gnupg2
Version: 2.3.6
Release: 4
Version: 2.4.3
Release: 1
Summary: Utility for secure communication and data storage
License: GPLv3+
@ -11,26 +11,25 @@ Source1: https://www.gnupg.org/ftp/gcrypt/gnupg/gnupg-%{version}.tar.bz2.sig
Patch0: gnupg-2.1.10-secmem.patch
Patch1: gnupg-2.1.1-fips-algo.patch
Patch2: gnupg-2.2.23-large-rsa.patch
Patch3: gnupg-2.2.16-ocsp-keyusage.patch
Patch4: gnupg-2.2.18-gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch
Patch5: gnupg-2.2.18-gpg-allow-import-of-previously-known-keys-even-without-UI.patch
Patch6: gnupg-2.2.18-tests-add-test-cases-for-import-without-uid.patch
Patch7: gnupg-2.2.20-file-is-digest.patch
Patch8: gnupg-2.2.21-coverity.patch
Patch9: backport-CVE-2022-34903.patch
Patch10: backport-common-Protect-against-a-theoretical-integer-overflow.patch
Patch9: gnupg2-revert-rfc4880bis.patch
Patch10: backport-dirmngr-Enable-the-call-of-ks_ldap_help_variables-wh.patch
BuildRequires: gcc
BuildRequires: zlib-devel, npth-devel, texinfo
BuildRequires: libgpg-error-devel >= 1.41
BuildRequires: libgpg-error-devel >= 1.46
BuildRequires: libgcrypt-devel >= 1.9.4
BuildRequires: libksba-devel >= 1.3.0
BuildRequires: libassuan-devel >= 2.1.0
BuildRequires: libksba-devel >= 1.6.3
BuildRequires: libassuan-devel >= 2.5.0
# compile dirmngr module, need gnutls
BuildRequires: gnutls-devel
Requires: libgcrypt >= 1.9.4
Requires: libgpg-error >= 1.41
Requires: libgpg-error >= 1.46
Recommends: pinentry
Recommends: gnupg2-smime
@ -38,11 +37,11 @@ Recommends: gnupg2-smime
Provides: gpg = %{version}-%{release}
Provides: gnupg = %{version}-%{release}
Provides: dirmngr = %{version}-%{release}
Provides: gnupg2-smime
Provides: gnupg2-smime = %{version}-%{release}
Obsoletes: gnupg <= 1.4.24
Obsoletes: dirmngr < 1.2.0-1
Obsoletes: gnupg2-smime
Obsoletes: gnupg2-smime < %{version}-%{release}
%description
GnuPG is a complete and free implementation of the OpenPGP standard
@ -121,6 +120,9 @@ make check
%changelog
* Mon Jul 17 2023 yixiangzhike <yixiangzhike007@163.com> - 2.4.3-1
- update to 2.4.3
* Wed Jun 14 2023 yixiangzhike <yixiangzhike007@163.com> - 2.3.6-4
- backport upstream patch