pkgsrc-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[pkgsrc/trunk]: pkgsrc/security/gnupg Add improved patch for compromised ElGa...
details: https://anonhg.NetBSD.org/pkgsrc/rev/9ff6628a0a6b
branches: trunk
changeset: 463828:9ff6628a0a6b
user: heinz <heinz%pkgsrc.org@localhost>
date: Thu Nov 27 23:46:36 2003 +0000
description:
Add improved patch for compromised ElGamal signing keys from
gnupg-devel at gnupg org. The old patch didn't completely disable usage
of the compromised keys.
Move the old and new fix to the patches/ directory.
diffstat:
security/gnupg/Makefile | 8 +-----
security/gnupg/distinfo | 6 ++--
security/gnupg/patches/patch-ai | 35 +++++++++++++++++++++++++++++++++
security/gnupg/patches/patch-aj | 43 +++++++++++++++++++++++++++++++++++++++++
4 files changed, 83 insertions(+), 9 deletions(-)
diffs (130 lines):
diff -r 657b04924e72 -r 9ff6628a0a6b security/gnupg/Makefile
--- a/security/gnupg/Makefile Thu Nov 27 23:38:25 2003 +0000
+++ b/security/gnupg/Makefile Thu Nov 27 23:46:36 2003 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.54 2003/11/27 09:50:12 tron Exp $
+# $NetBSD: Makefile,v 1.55 2003/11/27 23:46:36 heinz Exp $
DISTNAME= gnupg-1.2.3
-PKGREVISION= 1
+PKGREVISION= 2
CATEGORIES= security
MASTER_SITES= ftp://ftp.gnupg.org/gcrypt/gnupg/ \
ftp://ftp.planetmirror.com/pub/gnupg/gnupg/ \
@@ -16,10 +16,6 @@
HOMEPAGE= http://www.gnupg.org/
COMMENT= Privacy Guard, public-Key encryption and digital signatures
-PATCH_SITES= http://www.heise.de/security/tools/
-PATCHFILES= gnupg_patch.diff
-PATCH_DIST_ARGS= -d ${WRKSRC}/g10 -E ${PATCH_DIST_STRIP}
-
BUILD_USES_MSGFMT= yes
CRYPTO= yes
GNU_CONFIGURE= yes
diff -r 657b04924e72 -r 9ff6628a0a6b security/gnupg/distinfo
--- a/security/gnupg/distinfo Thu Nov 27 23:38:25 2003 +0000
+++ b/security/gnupg/distinfo Thu Nov 27 23:46:36 2003 +0000
@@ -1,13 +1,13 @@
-$NetBSD: distinfo,v 1.22 2003/11/27 09:50:12 tron Exp $
+$NetBSD: distinfo,v 1.23 2003/11/27 23:46:36 heinz Exp $
SHA1 (gnupg-1.2.3.tar.bz2) = 1a5f68b52aa04f7370a80c2dfa708accfc64d854
Size (gnupg-1.2.3.tar.bz2) = 2294773 bytes
SHA1 (idea.c.gz) = 82fded4ec31b97b3b2dd22741880b67cfee40f84
Size (idea.c.gz) = 5216 bytes
-SHA1 (gnupg_patch.diff) = dfd00cb20efd6673d850ab57b1ddced92c9b8a45
-Size (gnupg_patch.diff) = 2381 bytes
SHA1 (patch-aa) = 3babbdc4386f0edaed4a6e1bb851312528d6ff9e
SHA1 (patch-ac) = ce5bbc1bb648f782ffc93704532fc8ca7f8a9524
SHA1 (patch-ad) = 2783ded1fa83c755b4fe8a544066da631b88db8e
SHA1 (patch-ae) = fdcda5736583ba3c5807928d1b958e10e1d8fc06
SHA1 (patch-af) = 0ddc5ad0692b365236e6bf643b44d8f70c5b6dd0
+SHA1 (patch-ai) = d590234e1fd272a0f7e7b30d7b885ca2f979daf4
+SHA1 (patch-aj) = 6e682cb89eb8ca185a6e0cc82ea9466b16f598b0
diff -r 657b04924e72 -r 9ff6628a0a6b security/gnupg/patches/patch-ai
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/gnupg/patches/patch-ai Thu Nov 27 23:46:36 2003 +0000
@@ -0,0 +1,35 @@
+$NetBSD: patch-ai,v 1.1 2003/11/27 23:46:36 heinz Exp $
+
+--- g10/keygen.c.orig Mon Jul 28 20:34:41 2003
++++ g10/keygen.c
+@@ -958,8 +958,6 @@ ask_algo (int addmode, unsigned int *r_u
+ tty_printf( _(" (%d) DSA (sign only)\n"), 2 );
+ if( addmode )
+ tty_printf( _(" (%d) ElGamal (encrypt only)\n"), 3 );
+- if (opt.expert)
+- tty_printf( _(" (%d) ElGamal (sign and encrypt)\n"), 4 );
+ tty_printf( _(" (%d) RSA (sign only)\n"), 5 );
+ if (addmode)
+ tty_printf( _(" (%d) RSA (encrypt only)\n"), 6 );
+@@ -989,21 +987,6 @@ ask_algo (int addmode, unsigned int *r_u
+ algo = PUBKEY_ALGO_RSA;
+ *r_usage = PUBKEY_USAGE_SIG;
+ break;
+- }
+- else if( algo == 4 && opt.expert)
+- {
+- tty_printf(_(
+-"The use of this algorithm is only supported by GnuPG. You will not be\n"
+-"able to use this key to communicate with PGP users. This algorithm is also\n"
+-"very slow, and may not be as secure as the other choices.\n"));
+-
+- if( cpr_get_answer_is_yes("keygen.algo.elg_se",
+- _("Create anyway? ")))
+- {
+- algo = PUBKEY_ALGO_ELGAMAL;
+- *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
+- break;
+- }
+ }
+ else if( algo == 3 && addmode ) {
+ algo = PUBKEY_ALGO_ELGAMAL_E;
diff -r 657b04924e72 -r 9ff6628a0a6b security/gnupg/patches/patch-aj
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/security/gnupg/patches/patch-aj Thu Nov 27 23:46:36 2003 +0000
@@ -0,0 +1,43 @@
+$NetBSD: patch-aj,v 1.1 2003/11/27 23:46:36 heinz Exp $
+
+--- g10/getkey.c.orig Mon Jul 28 20:34:41 2003
++++ g10/getkey.c
+@@ -1049,7 +1049,11 @@ get_seckey_byname2( GETKEY_CTX *retctx,
+ ctx.items[0].mode = KEYDB_SEARCH_MODE_FIRST;
+ rc = lookup( &ctx, &kb, 1 );
+ if (!rc && sk )
+- sk_from_block ( &ctx, sk, kb );
++ {
++ sk_from_block ( &ctx, sk, kb );
++ if(sk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ rc=G10ERR_UNU_SECKEY;
++ }
+ release_kbnode ( kb );
+ get_seckey_end( &ctx );
+ }
+@@ -1655,6 +1659,11 @@ merge_selfsigs_main( KBNODE keyblock, in
+ if ( x ) /* mask it down to the actual allowed usage */
+ key_usage &= x;
+ }
++
++ /* Type 20 Elgamal keys are not usable. */
++ if(pk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ key_usage=0;
++
+ pk->pubkey_usage = key_usage;
+
+ if ( !key_expire_seen ) {
+@@ -1869,6 +1878,13 @@ merge_selfsigs_subkey( KBNODE keyblock,
+ if ( x ) /* mask it down to the actual allowed usage */
+ key_usage &= x;
+ }
++
++ /* Type 20 Elgamal subkeys or any subkey on a type 20 primary are
++ not usable. */
++ if(mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL
++ || subpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ key_usage=0;
++
+ subpk->pubkey_usage = key_usage;
+
+ p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL);
Home |
Main Index |
Thread Index |
Old Index