gnupg2 (2.1.18-8~deb9u4) stretch; urgency=medium
* Avoid crash when importing without a TTY (Closes: #913614)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 07 Feb 2019 15:57:27 -0500
gnupg2 (2.1.18-8~deb9u3) stretch; urgency=medium
* block trivial access to scdaemon memory (Closes: #878952)
* Update crypto defaults for 2018 (new keys are RSA 3072, prefer AES256)
* d/control: move Vcs*: to salsa
* dirmngr: implement querying nameservers over IPv6 (Closes: #862682)
* use DEP-14 branch naming
* refresh patches
* backport --no-symkey-cache
* backport improved import and export filtering
* backport display of revocation certificates
* backport stripping unusable subkey material during export-minimal
* backport fix to make --dry-run work when listing secret keys
* backport fix showing secret keys when listing keys
* backport fix to clean keys before importing (Closes: #906545)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 05 Oct 2018 15:43:38 -0500
gnupg2 (2.1.18-8~deb9u2) stretch-security; urgency=high
* Non-maintainer upload by the Security Team.
* gpg: Sanitize diagnostic with the original file name (CVE-2018-12020)
-- Salvatore Bonaccorso <carnil@debian.org> Fri, 08 Jun 2018 20:12:24 +0200
gnupg2 (2.1.18-8~deb9u1) stretch; urgency=medium
* Bugfix update for debian stretch point release.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Mon, 18 Sep 2017 16:41:12 -0400
gnupg2 (2.1.18-8) unstable; urgency=medium
* updated scdaemon fix from gniibe (Closes: #862032)
......@@ -41,8 +41,8 @@ Build-Depends-Indep:
libnpth-mingw-w64-dev,
libz-mingw-w64-dev,
mingw-w64,
Vcs-Git: https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git
Vcs-Browser: https://anonscm.debian.org/git/pkg-gnupg/gnupg2.git
Vcs-Git: https://salsa.debian.org/debian/gnupg2.git -b debian/stretch
Vcs-Browser: https://salsa.debian.org/debian/gnupg2
Homepage: https://www.gnupg.org/
Package: gnupg-agent
[DEFAULT]
pristine-tar = True
upstream-vcs-tag = gnupg-%(version)s
debian-branch = debian/stretch
[buildpackage]
compression = bzip2
[import-orig]
filter = [
......@@ -31,3 +35,6 @@ filter = [
'po/stamp-po',
]
filter-pristine-tar = False
[pq]
abbrev = 9
From: "Neal H. Walfield" <neal@g10code.com>
Date: Thu, 2 Feb 2017 13:24:57 +0100
Subject: gpg: Only print out TOFU statistics for conflicts in interactive mode
Subject: gpg: Only print out TOFU statistics for conflicts in interactive
mode
* g10/tofu.c (get_trust): Add arguments POLICYP and CONFLICT_SETP. If
they are not NULL, return the policy and conflict set (if there is
......@@ -20,7 +20,7 @@ Additionally, fix another bug when tested with 2.1.18-7 with PC/SC.
5 files changed, 102 insertions(+), 45 deletions(-)
diff --git a/scd/app-common.h b/scd/app-common.h
index b979f54..c7a0575 100644
index b979f5476..c7a057521 100644
--- a/scd/app-common.h
+++ b/scd/app-common.h
@@ -54,6 +54,7 @@ struct app_ctx_s {
......@@ -41,7 +41,7 @@ index b979f54..c7a0575 100644
gpg_error_t app_write_learn_status (app_t app, ctrl_t ctrl,
unsigned int flags);
diff --git a/scd/app.c b/scd/app.c
index 8fb0d45..3f3f3ef 100644
index 8fb0d4553..3f3f3ef84 100644
--- a/scd/app.c
+++ b/scd/app.c
@@ -136,40 +136,32 @@ check_application_conflict (const char *name, app_t app)
......@@ -204,7 +204,7 @@ index 8fb0d45..3f3f3ef 100644
npth_mutex_unlock (&app_list_lock);
}
diff --git a/scd/command.c b/scd/command.c
index 0ae6d29..b17c4a1 100644
index 0ae6d29aa..b17c4a109 100644
--- a/scd/command.c
+++ b/scd/command.c
@@ -227,7 +227,7 @@ open_card_with_request (ctrl_t ctrl, const char *apptype, const char *serialno)
......@@ -235,10 +235,10 @@ index 0ae6d29..b17c4a1 100644
if (!sl->event_signal || !sl->assuan_ctx)
diff --git a/scd/scdaemon.c b/scd/scdaemon.c
index 74fed44..02f0e72 100644
index 4d011c4c9..dda9ab445 100644
--- a/scd/scdaemon.c
+++ b/scd/scdaemon.c
@@ -52,6 +52,7 @@
@@ -55,6 +55,7 @@
#include "ccid-driver.h"
#include "gc-opt-flags.h"
#include "asshelp.h"
......@@ -246,7 +246,7 @@ index 74fed44..02f0e72 100644
#include "../common/init.h"
#ifndef ENAMETOOLONG
@@ -224,7 +225,8 @@ static assuan_sock_nonce_t socket_nonce;
@@ -227,7 +228,8 @@ static assuan_sock_nonce_t socket_nonce;
disabled but it won't perform any ticker specific actions. */
static int ticker_disabled;
......@@ -256,7 +256,7 @@ index 74fed44..02f0e72 100644
static char *create_socket_name (char *standard_name);
static gnupg_fd_t create_server_socket (const char *name,
@@ -1181,6 +1183,16 @@ start_connection_thread (void *arg)
@@ -1190,6 +1192,16 @@ start_connection_thread (void *arg)
}
......@@ -273,7 +273,7 @@ index 74fed44..02f0e72 100644
/* Connection handler loop. Wait for connection requests and spawn a
thread after accepting a connection. LISTEN_FD is allowed to be -1
in which case this code will only do regular timeouts and handle
@@ -1202,9 +1214,23 @@ handle_connections (int listen_fd)
@@ -1211,9 +1223,23 @@ handle_connections (int listen_fd)
#ifndef HAVE_W32_SYSTEM
int signo;
#endif
......@@ -298,7 +298,7 @@ index 74fed44..02f0e72 100644
npth_attr_setdetachstate (&tattr, NPTH_CREATE_DETACHED);
#ifndef HAVE_W32_SYSTEM
@@ -1233,6 +1259,8 @@ handle_connections (int listen_fd)
@@ -1242,6 +1268,8 @@ handle_connections (int listen_fd)
for (;;)
{
......@@ -307,7 +307,7 @@ index 74fed44..02f0e72 100644
if (shutdown_pending)
{
if (active_connections == 0)
@@ -1261,14 +1289,20 @@ handle_connections (int listen_fd)
@@ -1270,14 +1298,20 @@ handle_connections (int listen_fd)
thus a simple assignment is fine to copy the entire set. */
read_fdset = fdset;
......@@ -330,7 +330,7 @@ index 74fed44..02f0e72 100644
saved_errno = errno;
#endif
@@ -1284,6 +1318,13 @@ handle_connections (int listen_fd)
@@ -1293,6 +1327,13 @@ handle_connections (int listen_fd)
/* Timeout. Will be handled when calculating the next timeout. */
continue;
......@@ -344,7 +344,7 @@ index 74fed44..02f0e72 100644
if (listen_fd != -1 && FD_ISSET (listen_fd, &read_fdset))
{
ctrl_t ctrl;
@@ -1322,6 +1363,8 @@ handle_connections (int listen_fd)
@@ -1331,6 +1372,8 @@ handle_connections (int listen_fd)
}
}
......@@ -354,7 +354,7 @@ index 74fed44..02f0e72 100644
log_info (_("%s %s stopped\n"), strusage(11), strusage(13));
npth_attr_destroy (&tattr);
diff --git a/scd/scdaemon.h b/scd/scdaemon.h
index d0bc98e..fcab648 100644
index d0bc98efe..fcab6489f 100644
--- a/scd/scdaemon.h
+++ b/scd/scdaemon.h
@@ -125,6 +125,7 @@ void send_status_info (ctrl_t ctrl, const char *keyword, ...)
......@@ -48,7 +48,7 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/g10/gpg.c b/g10/gpg.c
index f9039ae..e280c22 100644
index f9039ae09..e280c2249 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -728,9 +728,9 @@ static ARGPARSE_OPTS opts[] = {
......@@ -58,7 +58,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
create mode 100755 tests/openpgp/issue2941.scm
diff --git a/common/logging.c b/common/logging.c
index 8c70742..ac13053 100644
index 8c70742cc..ac130535c 100644
--- a/common/logging.c
+++ b/common/logging.c
@@ -570,6 +570,9 @@ log_set_file (const char *name)
......@@ -72,7 +72,7 @@ index 8c70742..ac13053 100644
}
diff --git a/common/sysutils.c b/common/sysutils.c
index e67420f..a796677 100644
index e67420f18..a796677ba 100644
--- a/common/sysutils.c
+++ b/common/sysutils.c
@@ -1281,3 +1281,14 @@ gnupg_get_socket_name (int fd)
......@@ -91,7 +91,7 @@ index e67420f..a796677 100644
+ return 1;
+}
diff --git a/common/sysutils.h b/common/sysutils.h
index a9316d7..ecd9f84 100644
index a9316d7ce..ecd9f846e 100644
--- a/common/sysutils.h
+++ b/common/sysutils.h
@@ -72,6 +72,7 @@ int gnupg_setenv (const char *name, const char *value, int overwrite);
......@@ -103,7 +103,7 @@ index a9316d7..ecd9f84 100644
gpg_error_t gnupg_inotify_watch_socket (int *r_fd, const char *socket_name);
int gnupg_inotify_has_name (int fd, const char *name);
diff --git a/g10/cpr.c b/g10/cpr.c
index 0133cad..4984e89 100644
index 0133cad31..4984e8903 100644
--- a/g10/cpr.c
+++ b/g10/cpr.c
@@ -107,6 +107,9 @@ set_status_fd (int fd)
......@@ -117,7 +117,7 @@ index 0133cad..4984e89 100644
statusfp = es_stdout;
else if (fd == 2)
diff --git a/g10/gpg.c b/g10/gpg.c
index e280c22..66a2055 100644
index e280c2249..66a2055b5 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -3079,6 +3079,8 @@ main (int argc, char **argv)
......@@ -140,7 +140,7 @@ index e280c22..66a2055 100644
{
if (i >= len-1 )
diff --git a/g10/keylist.c b/g10/keylist.c
index 4fe1e40..abdcb9f 100644
index 4fe1e4034..abdcb9f0a 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -1900,6 +1900,9 @@ set_attrib_fd (int fd)
......@@ -154,7 +154,7 @@ index 4fe1e40..abdcb9f 100644
setmode (fd, O_BINARY);
#endif
diff --git a/g10/passphrase.c b/g10/passphrase.c
index fb4ec4c..37abc0f 100644
index fb4ec4c85..37abc0f1c 100644
--- a/g10/passphrase.c
+++ b/g10/passphrase.c
@@ -166,6 +166,9 @@ read_passphrase_from_fd( int fd )
......@@ -168,7 +168,7 @@ index fb4ec4c..37abc0f 100644
{ /* Not used but we have to do a dummy read, so that it won't end
up at the begin of the message if the quite usual trick to
diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am
index 05341fb..377a2ed 100644
index 05341fbfd..377a2edc3 100644
--- a/tests/openpgp/Makefile.am
+++ b/tests/openpgp/Makefile.am
@@ -95,12 +95,12 @@ XTESTS = \
......@@ -188,7 +188,7 @@ index 05341fb..377a2ed 100644
# the 'check' target. For extra robustness, we merely define a
diff --git a/tests/openpgp/issue2941.scm b/tests/openpgp/issue2941.scm
new file mode 100755
index 0000000..d7220e0
index 000000000..d7220e098
--- /dev/null
+++ b/tests/openpgp/issue2941.scm
@@ -0,0 +1,34 @@
......@@ -23,7 +23,7 @@ Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
1 file changed, 1 insertion(+)
diff --git a/common/logging.c b/common/logging.c
index ac13053..670affb 100644
index ac130535c..670affb12 100644
--- a/common/logging.c
+++ b/common/logging.c
@@ -61,6 +61,7 @@
......@@ -20,7 +20,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/g10/sign.c b/g10/sign.c
index acc894c..ff099b3 100644
index acc894c49..ff099b31c 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -686,7 +686,10 @@ write_signature_packets (SK_LIST sk_list, IOBUF out, gcry_md_hd_t hash,
......@@ -13,7 +13,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/g10/gpg.c b/g10/gpg.c
index 66a2055..0c5a167 100644
index 66a2055b5..0c5a1677c 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -4894,8 +4894,12 @@ main (int argc, char **argv)
......@@ -21,7 +21,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index 180fd65..a0d9659 100644
index 180fd65c2..a0d965969 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -2163,8 +2163,11 @@ retrieve_options_from_program (gc_component_t component, gc_backend_t backend)
......@@ -14,7 +14,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index 52f011a..bc2e071 100644
index 52f011a00..bc2e071f8 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -498,12 +498,10 @@ libdns_init (void)
......@@ -25,7 +25,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
create mode 100644 tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc
diff --git a/g10/export.c b/g10/export.c
index f354ca0..8668126 100644
index f354ca0f6..86681264d 100644
--- a/g10/export.c
+++ b/g10/export.c
@@ -2208,6 +2208,48 @@ export_ssh_key (ctrl_t ctrl, const char *userid)
......@@ -78,7 +78,7 @@ index f354ca0..8668126 100644
if (!latest_key)
diff --git a/tests/openpgp/samplekeys/README b/tests/openpgp/samplekeys/README
index 29524d5..6f2399f 100644
index 29524d512..6f2399fd9 100644
--- a/tests/openpgp/samplekeys/README
+++ b/tests/openpgp/samplekeys/README
@@ -17,3 +17,5 @@ E657FB607BB4F21C90BB6651BC067AF28BC90111.asc Key with subkeys (no protection)
......@@ -89,7 +89,7 @@ index 29524d5..6f2399f 100644
+rsa-primary-auth-only.sec.asc Ditto but the secret keyblock.
diff --git a/tests/openpgp/samplekeys/rsa-primary-auth-only.pub.asc b/tests/openpgp/samplekeys/rsa-primary-auth-only.pub.asc
new file mode 100644
index 0000000..f34999e
index 000000000..f34999e92
--- /dev/null
+++ b/tests/openpgp/samplekeys/rsa-primary-auth-only.pub.asc
@@ -0,0 +1,23 @@
......@@ -118,7 +118,7 @@ index 0000000..f34999e
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc b/tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc
new file mode 100644
index 0000000..9d72421
index 000000000..9d72421d0
--- /dev/null
+++ b/tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc
@@ -0,0 +1,38 @@
......@@ -14,7 +14,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index be8b083..32db4bc 100644
index be8b08333..32db4bc69 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -320,10 +320,17 @@ add_host (const char *name, int is_pool,
......@@ -11,7 +11,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/g10/gpgv.c b/g10/gpgv.c
index bd16b39..ca8fca4 100644
index bd16b3907..ca8fca423 100644
--- a/g10/gpgv.c
+++ b/g10/gpgv.c
@@ -194,7 +194,9 @@ main( int argc, char **argv )
......@@ -14,7 +14,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
2 files changed, 5 insertions(+)
diff --git a/g10/gpg.c b/g10/gpg.c
index 0c5a167..09bdf66 100644
index 0c5a1677c..09bdf66ba 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -1845,6 +1845,7 @@ gpgconf_list (const char *configfile)
......@@ -26,7 +26,7 @@ index 0c5a167..09bdf66 100644
/* The next one is an info only item and should match the macros at
the top of keygen.c */
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index a0d9659..cdd2586 100644
index a0d965969..cdd2586b7 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -716,6 +716,10 @@ static gc_option_t gc_options_gpg[] =
......@@ -14,7 +14,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
2 files changed, 3 insertions(+)
diff --git a/g10/gpg.c b/g10/gpg.c
index 09bdf66..2a4a0ad 100644
index 09bdf66ba..2a4a0addf 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -1840,6 +1840,7 @@ gpgconf_list (const char *configfile)
......@@ -26,7 +26,7 @@ index 09bdf66..2a4a0ad 100644
es_printf ("debug-level:%lu:\"none:\n", GC_OPT_FLAG_DEFAULT);
es_printf ("group:%lu:\n", GC_OPT_FLAG_NONE);
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index cdd2586..530c128 100644
index cdd2586b7..530c1287f 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -747,6 +747,8 @@ static gc_option_t gc_options_gpg[] =
......@@ -19,7 +19,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
4 files changed, 34 insertions(+), 83 deletions(-)
diff --git a/common/sexputil.c b/common/sexputil.c
index 0c5c730..a8dc1a5 100644
index 0c5c730ac..a8dc1a58c 100644
--- a/common/sexputil.c
+++ b/common/sexputil.c
@@ -512,53 +512,6 @@ get_rsa_pk_from_canon_sexp (const unsigned char *keydata, size_t keydatalen,
......@@ -99,7 +99,7 @@ index 0c5c730..a8dc1a5 100644
+ return algo;
+}
diff --git a/common/util.h b/common/util.h
index f7a53e1..b6d7156 100644
index f7a53e160..b6d715630 100644
--- a/common/util.h
+++ b/common/util.h
@@ -195,10 +195,10 @@ gpg_error_t get_rsa_pk_from_canon_sexp (const unsigned char *keydata,
......@@ -117,7 +117,7 @@ index f7a53e1..b6d7156 100644
/*-- convert.c --*/
int hex2bin (const char *string, void *buffer, size_t length);
diff --git a/g10/keygen.c b/g10/keygen.c
index 98ef29e..0180581 100644
index 98ef29efb..0180581d3 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -1838,7 +1838,7 @@ check_keygrip (ctrl_t ctrl, const char *hexgrip)
......@@ -159,7 +159,7 @@ index 98ef29e..0180581 100644
diff --git a/sm/certreqgen-ui.c b/sm/certreqgen-ui.c
index ece8668..b50d338 100644
index ece8668f6..b50d338ae 100644
--- a/sm/certreqgen-ui.c
+++ b/sm/certreqgen-ui.c
@@ -95,7 +95,7 @@ check_keygrip (ctrl_t ctrl, const char *hexgrip)
......@@ -25,7 +25,7 @@ GnuPG-bug-id: 2973
4 files changed, 26 insertions(+), 22 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index b79b783..3b82b44 100644
index b79b78334..3b82b4457 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1824,7 +1824,8 @@ are available for all keyserver types, some common options are:
......@@ -50,7 +50,7 @@ index b79b783..3b82b44 100644
@table @asis
diff --git a/g10/export.c b/g10/export.c
index 8668126..207f994 100644
index 86681264d..207f9949b 100644
--- a/g10/export.c
+++ b/g10/export.c
@@ -247,16 +247,17 @@ export_pubkeys (ctrl_t ctrl, strlist_t users, unsigned int options,
......@@ -116,7 +116,7 @@ index 8668126..207f994 100644
clean_key (keyblock, opt.verbose, (options&EXPORT_MINIMAL), NULL, NULL);
diff --git a/g10/gpg.c b/g10/gpg.c
index 2a4a0ad..5a880fd 100644
index 2a4a0addf..5a880fd53 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -4546,7 +4546,7 @@ main (int argc, char **argv)
......@@ -138,7 +138,7 @@ index 2a4a0ad..5a880fd 100644
export_release_stats (stats);
}
diff --git a/g10/main.h b/g10/main.h
index 5ed501b..6837e98 100644
index 5ed501b3c..6837e989e 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -397,8 +397,10 @@ gpg_error_t parse_and_set_export_filter (const char *string);
......@@ -16,7 +16,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/common/stringhelp.c b/common/stringhelp.c
index dea2212..0abfa3d 100644
index dea2212c4..0abfa3d3a 100644
--- a/common/stringhelp.c
+++ b/common/stringhelp.c
@@ -1052,7 +1052,8 @@ do_percent_escape (const char *str, const char *extra, int die)
......@@ -44,7 +44,7 @@ index dea2212..0abfa3d 100644
{
ptr[i++] = '%';
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index 530c128..9358e2e 100644
index 530c1287f..9358e2efa 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -1490,6 +1490,13 @@ gc_percent_escape (const char *src)
......@@ -15,7 +15,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
2 files changed, 8 insertions(+)
diff --git a/g10/keyedit.c b/g10/keyedit.c
index 1456d28..a477e92 100644
index 1456d2867..a477e92c4 100644
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@@ -3053,6 +3053,8 @@ keyedit_quick_revuid (ctrl_t ctrl, const char *username, const char *uidtorev)
......@@ -28,7 +28,7 @@ index 1456d28..a477e92 100644
release_kbnode (keyblock);
keydb_release (kdbhd);
diff --git a/tests/openpgp/quick-key-manipulation.scm b/tests/openpgp/quick-key-manipulation.scm
index d43f7b5..ae1d0b9 100755
index d43f7b53a..ae1d0b963 100755
--- a/tests/openpgp/quick-key-manipulation.scm
+++ b/tests/openpgp/quick-key-manipulation.scm
@@ -36,6 +36,7 @@
......@@ -17,7 +17,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index b6c04dc..4e6f692 100644
index b6c04dcfc..4e6f6923d 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1173,7 +1173,8 @@ impex_filter_getval (void *cookie, const char *propname)
......@@ -20,7 +20,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/g10/getkey.c b/g10/getkey.c
index e39de28..21dcf08 100644
index e39de28ae..21dcf083c 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -1592,8 +1592,10 @@ get_best_pubkey_byname (ctrl_t ctrl, GETKEY_CTX *retctx, PKT_public_key *pk,
......@@ -11,7 +11,7 @@ from trust-mode:foo to trust-model:foo.
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 3b82b44..d658737 100644
index 3b82b4457..d65873756 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1600,17 +1600,17 @@ Set what trust model GnuPG should follow. The models are:
......@@ -12,7 +12,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/g10/keylist.c b/g10/keylist.c
index abdcb9f..4078053 100644
index abdcb9f0a..407805357 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -465,6 +465,10 @@ print_signature_stats (struct keylist_context *s)
......@@ -14,7 +14,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index fe9c3c7..c9c16df 100644
index fe9c3c734..c9c16dfac 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -1847,6 +1847,7 @@ send_request (http_t hd, const char *httphost, const char *auth,
......@@ -18,7 +18,7 @@ Signed-off-by: Neal H. Walfield <neal@g10code.com>
1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/g10/tofu.c b/g10/tofu.c
index 449e921..39457a5 100644
index 449e921b6..39457a501 100644
--- a/g10/tofu.c
+++ b/g10/tofu.c
@@ -2304,9 +2304,14 @@ build_conflict_set (tofu_dbs_t dbs,
......@@ -18,7 +18,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index bc2e071..35e6c82 100644
index bc2e071f8..35e6c8240 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -533,11 +533,35 @@ libdns_init (void)
......@@ -11,7 +11,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index 35e6c82..c79a9c7 100644
index 35e6c8240..c79a9c7f4 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -568,8 +568,8 @@ libdns_init (void)
......@@ -17,7 +17,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/common/homedir.c b/common/homedir.c
index 6b40bb6..c41cbdc 100644
index 6b40bb6bf..c41cbdc7e 100644
--- a/common/homedir.c
+++ b/common/homedir.c
@@ -542,7 +542,7 @@ _gnupg_socketdir_internal (int skip_checks, unsigned *r_info)
......@@ -20,7 +20,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
1 file changed, 2 insertions(+)
diff --git a/common/homedir.c b/common/homedir.c
index c41cbdc..4571aac 100644
index c41cbdc7e..4571aac7b 100644
--- a/common/homedir.c
+++ b/common/homedir.c
@@ -586,6 +586,8 @@ _gnupg_socketdir_internal (int skip_checks, unsigned *r_info)
......@@ -11,7 +11,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/g10/decrypt-data.c b/g10/decrypt-data.c
index 585b150..f5843d6 100644
index 585b1507f..f5843d6d7 100644
--- a/g10/decrypt-data.c
+++ b/g10/decrypt-data.c
@@ -222,7 +222,7 @@ decrypt_data (ctrl_t ctrl, void *procctx, PKT_encrypted *ed, DEK *dek)
......@@ -12,7 +12,7 @@ Signed-off-by: Justus Winter <justus@g10code.com>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/iobuf.c b/common/iobuf.c
index d346027..b8baf7f 100644
index d346027e4..b8baf7ff7 100644
--- a/common/iobuf.c
+++ b/common/iobuf.c
@@ -2552,7 +2552,7 @@ iobuf_read_line (iobuf_t a, byte ** addr_of_buffer,
......@@ -18,7 +18,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 1 insertion(+)
diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index 7f44ce5..bbb784a 100644
index 7f44ce532..bbb784a90 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -1572,6 +1572,7 @@ can_handle_critical (const byte * buffer, size_t n, int type)
......@@ -17,7 +17,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index c79a9c7..c2d5488 100644
index c79a9c7f4..c2d5488c1 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -538,10 +538,9 @@ libdns_init (void)
......@@ -18,7 +18,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index c2d5488..150237e 100644
index c2d5488c1..150237e53 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -550,24 +550,15 @@ libdns_init (void)
......@@ -13,7 +13,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 1 insertion(+)
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 32db4bc..66350a7 100644
index 32db4bc69..66350a7bc 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -1245,6 +1245,7 @@ handle_send_request_error (ctrl_t ctrl, gpg_error_t err, const char *request,
......@@ -32,7 +32,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
10 files changed, 40 insertions(+), 8 deletions(-)
diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c
index 337fe6e..2700cf9 100644
index 337fe6e4d..2700cf932 100644
--- a/dirmngr/crlfetch.c
+++ b/dirmngr/crlfetch.c
@@ -200,6 +200,7 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader)
......@@ -44,7 +44,7 @@ index 337fe6e..2700cf9 100644
ctrl->http_proxy, NULL, NULL, NULL);
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 43e9cbd..31d3ca2 100644
index 43e9cbd07..31d3ca235 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -112,6 +112,7 @@ enum cmd_and_opt_values {
......@@ -80,7 +80,7 @@ index 43e9cbd..31d3ca2 100644
return 1; /* Handled. */
}
diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h
index 6a4fd00..4cc2be0 100644
index 6a4fd003f..4cc2be0a9 100644
--- a/dirmngr/dirmngr.h
+++ b/dirmngr/dirmngr.h
@@ -97,7 +97,8 @@ struct
......@@ -94,7 +94,7 @@ index 6a4fd00..4cc2be0 100644
const char *http_proxy; /* The default HTTP proxy. */
const char *ldap_proxy; /* Use given LDAP proxy. */
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index 150237e..ed77742 100644
index 150237e53..ed77742b4 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -123,6 +123,10 @@ static int opt_timeout;
......@@ -134,7 +134,7 @@ index 150237e..ed77742 100644
dai = xtrymalloc (sizeof *dai + ai->ai_addrlen - 1);
dai->family = ai->ai_family;
diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
index 9b8303c..71605b7 100644
index 9b8303c3b..71605b741 100644
--- a/dirmngr/dns-stuff.h
+++ b/dirmngr/dns-stuff.h
@@ -99,6 +99,10 @@ void set_dns_verbose (int verbose, int debug);
......@@ -149,7 +149,7 @@ index 9b8303c..71605b7 100644
void set_dns_timeout (int seconds);
diff --git a/dirmngr/ks-engine-finger.c b/dirmngr/ks-engine-finger.c
index 811b72d..8a21c9f 100644
index 811b72de4..8a21c9f40 100644
--- a/dirmngr/ks-engine-finger.c
+++ b/dirmngr/ks-engine-finger.c
@@ -84,7 +84,8 @@ ks_finger_fetch (ctrl_t ctrl, parsed_uri_t uri, estream_t *r_fp)
......@@ -163,7 +163,7 @@ index 811b72d..8a21c9f 100644
if (err)
{
diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
index 66350a7..7c91b6a 100644
index 66350a7bc..7c91b6a36 100644
--- a/dirmngr/ks-engine-hkp.c
+++ b/dirmngr/ks-engine-hkp.c
@@ -568,6 +568,8 @@ map_host (ctrl_t ctrl, const char *name, const char *srvtag, int force_reselect,
......@@ -195,7 +195,7 @@ index 66350a7..7c91b6a 100644
session,
NULL,
diff --git a/dirmngr/ks-engine-http.c b/dirmngr/ks-engine-http.c
index 69642ff..6de0616 100644
index 69642ff98..6de061699 100644
--- a/dirmngr/ks-engine-http.c
+++ b/dirmngr/ks-engine-http.c
@@ -89,7 +89,8 @@ ks_http_fetch (ctrl_t ctrl, const char *url, estream_t *r_fp)
......@@ -209,7 +209,7 @@ index 69642ff..6de0616 100644
session,
NULL,
diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c
index aff8e32..22391c3 100644
index aff8e3288..22391c32d 100644
--- a/dirmngr/ocsp.c
+++ b/dirmngr/ocsp.c
@@ -175,7 +175,8 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, gcry_md_hd_t md,
......@@ -223,7 +223,7 @@ index aff8e32..22391c3 100644
if (err)
{
diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi
index b00c2d3..9a7238f 100644
index b00c2d377..9a7238fb5 100644
--- a/doc/dirmngr.texi
+++ b/doc/dirmngr.texi
@@ -313,9 +313,10 @@ a numerical IP address must be given (IPv6 or IPv4) and that no error
......@@ -19,7 +19,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 37 insertions(+), 36 deletions(-)
diff --git a/agent/cache.c b/agent/cache.c
index 2483682..fead737 100644
index 248368277..fead73708 100644
--- a/agent/cache.c
+++ b/agent/cache.c
@@ -31,9 +31,8 @@
......@@ -13,7 +13,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/g10/keylist.c b/g10/keylist.c
index 4078053..1998ee9 100644
index 407805357..1998ee9aa 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -1017,7 +1017,7 @@ list_keyblock_print (ctrl_t ctrl, kbnode_t keyblock, int secret, int fpr,
......@@ -11,7 +11,7 @@ Signed-off-by: Werner Koch <wk@gnupg.org>
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index d658737..c591049 100644
index d65873756..c591049f0 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -301,10 +301,13 @@ and other programs.
......@@ -11,7 +11,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dirmngr/dns.c b/dirmngr/dns.c
index 869e7ed..ebfd4c3 100644
index 869e7ed2e..ebfd4c31f 100644
--- a/dirmngr/dns.c
+++ b/dirmngr/dns.c
@@ -4594,8 +4594,9 @@ dns_error_t dns_trace_fput(const struct dns_trace_event *te, const void *data, s
......@@ -16,7 +16,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/gpg-connect-agent.c b/tools/gpg-connect-agent.c
index a5413cf..5af1465 100644
index a5413cf61..5af146565 100644
--- a/tools/gpg-connect-agent.c
+++ b/tools/gpg-connect-agent.c
@@ -2237,7 +2237,7 @@ start_agent (void)
......@@ -17,7 +17,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
index ed77742..c63d958 100644
index ed77742b4..c63d9583d 100644
--- a/dirmngr/dns-stuff.c
+++ b/dirmngr/dns-stuff.c
@@ -827,7 +827,7 @@ resolve_name_libdns (const char *name, unsigned short port,
......@@ -132,7 +132,7 @@ index ed77742..c63d958 100644
{
gpg_error_t err;
diff --git a/dirmngr/dns-stuff.h b/dirmngr/dns-stuff.h
index 71605b7..adb0b80 100644
index 71605b741..adb0b80b0 100644
--- a/dirmngr/dns-stuff.h
+++ b/dirmngr/dns-stuff.h
@@ -78,7 +78,7 @@ struct dns_addrinfo_s
......@@ -12,7 +12,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index c9c16df..674cb3d 100644
index c9c16dfac..674cb3d2e 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -2415,13 +2415,13 @@ start_server ()
......@@ -11,7 +11,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/g10/import.c b/g10/import.c
index 4e6f692..125b994 100644
index 4e6f6923d..125b9948b 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1235,7 +1235,7 @@ impex_filter_getval (void *cookie, const char *propname)
......@@ -16,7 +16,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/g10/export.c b/g10/export.c
index 207f994..ea9ffb4 100644
index 207f9949b..ea9ffb4d0 100644
--- a/g10/export.c
+++ b/g10/export.c
@@ -580,7 +580,7 @@ canon_pk_algo (enum gcry_pk_algos algo)
......@@ -38,7 +38,7 @@ index 207f994..ea9ffb4 100644
subkey_list_t subkey_list = NULL; /* Track already processed subkeys. */
int skip_until_subkey = 0;
diff --git a/g10/getkey.c b/g10/getkey.c
index 21dcf08..961d7de 100644
index 21dcf083c..961d7de22 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -1640,7 +1640,8 @@ get_best_pubkey_byname (ctrl_t ctrl, GETKEY_CTX *retctx, PKT_public_key *pk,
......@@ -52,7 +52,7 @@ index 21dcf08..961d7de 100644
}
else
diff --git a/g10/tofu.c b/g10/tofu.c
index 39457a5..c3a4988 100644
index 39457a501..c3a4988cd 100644
--- a/g10/tofu.c
+++ b/g10/tofu.c
@@ -3857,7 +3857,7 @@ tofu_get_validity (ctrl_t ctrl, PKT_public_key *pk, strlist_t user_id_list,
......@@ -11,7 +11,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 31d3ca2..513e2a6 100644
index 31d3ca235..513e2a630 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -1905,7 +1905,6 @@ handle_connections (assuan_fd_t listen_fd)
......@@ -15,7 +15,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/g10/keyring.c b/g10/keyring.c
index 328290e..d75fdbc 100644
index 328290ed8..d75fdbc7b 100644
--- a/g10/keyring.c
+++ b/g10/keyring.c
@@ -692,7 +692,6 @@ keyring_search_reset (KEYRING_HANDLE hd)
......@@ -15,7 +15,7 @@ Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
1 file changed, 18 insertions(+), 16 deletions(-)
diff --git a/dirmngr/dns.c b/dirmngr/dns.c
index ebfd4c3..866f69d 100644
index ebfd4c31f..866f69dd5 100644
--- a/dirmngr/dns.c
+++ b/dirmngr/dns.c
@@ -9440,29 +9440,31 @@ void dns_ai_close(struct dns_addrinfo *ai) {
From: Werner Koch <wk@gnupg.org>
Date: Fri, 8 Jun 2018 10:45:21 +0200
Subject: gpg: Sanitize diagnostic with the original file name.
* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
--
This fixes a forgotten sanitation of user supplied data in a verbose
mode diagnostic. The mentioned CVE is about using this to inject
status-fd lines into the stderr output. Other harm could as well be
done. Note that GPGME based applications are not affected because
GPGME does not fold status output into stderr.
CVE-id: CVE-2018-12020
GnuPG-bug-id: 4012
(cherry picked from commit 13f135c7a252cc46cff96e75968d92b6dc8dce1b)
---
g10/mainproc.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/g10/mainproc.c b/g10/mainproc.c
index ac2ab03c9..79ad8d5a2 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -675,7 +675,14 @@ proc_plaintext( CTX c, PACKET *pkt )
if (pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8))
log_info (_("Note: sender requested \"for-your-eyes-only\"\n"));
else if (opt.verbose)
- log_info (_("original file name='%.*s'\n"), pt->namelen, pt->name);
+ {
+ /* We don't use print_utf8_buffer because that would require a
+ * string change which we don't want in 2.2. It is also not
+ * clear whether the filename is always utf-8 encoded. */
+ char *tmp = make_printable_string (pt->name, pt->namelen, 0);
+ log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);
+ xfree (tmp);
+ }
free_md_filter_context (&c->mfx);
if (gcry_md_open (&c->mfx.md, 0, 0))
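Review bot: The precision argument `(int)strlen (tmp)` is redundant now that `tmp` is the NUL-terminated result of make_printable_string; the `%.*s` format is evidently kept only so the translatable string stays unchanged, and that is worth saying in the comment, e.g. append `* The %.*s format is kept so the translated string does not change; tmp is NUL-terminated.`. The escaping step is what addresses the reported problem: a literal-packet file name containing newlines or other control characters presumably can no longer produce extra stderr lines that a consumer folding status output into stderr would take for status-fd records. proc_plaintext's body continues outside the hunk.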
From: Justus Winter <justus@g10code.com>
Date: Tue, 13 Jun 2017 11:33:06 +0200
Subject: dirmngr: Implement querying nameservers over IPv6.
* dirmngr/dns.c (dns_so_check): Reinitialize sockets on address family
mismatch.
(enum dns_res_state): New states for querying over IPv6.
(dns_res_exec): Implement the new states by copying and modifying the
IPv4 variants. Branch to their respective counterparts if the current
list of resolvers using the current address family is exhausted.
--
This allows dirmngr to resolve names on systems where the nameservers
are only reachable via IPv6.
GnuPG-bug-id: 2990
Signed-off-by: Justus Winter <justus@g10code.com>
(cherry picked from commit 15d2a009931f44a60b9df6325f837add208459d6)
---
dirmngr/dns.c | 180 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 179 insertions(+), 1 deletion(-)
diff --git a/dirmngr/dns.c b/dirmngr/dns.c
index 866f69dd5..c473e5a6a 100644
--- a/dirmngr/dns.c
+++ b/dirmngr/dns.c
@@ -7567,6 +7567,22 @@ int dns_so_check(struct dns_socket *so) {
retry:
switch (so->state) {
case DNS_SO_UDP_INIT:
+ if (so->remote.ss_family != so->local.ss_family) {
+ /* Family mismatch. Reinitialize. */
+ if ((error = dns_so_closefd(so, &so->udp)))
+ goto error;
+ if ((error = dns_so_closefd(so, &so->tcp)))
+ goto error;
+
+ /* If the user supplied an interface
+ statement, that is gone now. Sorry. */
+ memset(&so->local, 0, sizeof so->local);
+ so->local.ss_family = so->remote.ss_family;
+
+ if (-1 == (so->udp = dns_socket((struct sockaddr *)&so->local, SOCK_DGRAM, &error)))
+ goto error;
+ }
+
so->state++;
case DNS_SO_UDP_CONN:
error = dns_connect(so->udp, (struct sockaddr *)&so->remote, dns_sa_len(&so->remote));
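Review bot: The reinitialisation block silently discards any `interface` binding whenever the resolver's address family differs from the local one, as its own comment admits; a query the user expected to leave from a specific local address then presumably goes out from a socket created on the zeroed `so->local`. Since the library has no place to report this, at least document it at the `dns_socket` call, e.g. `/* New socket of the remote's family; any earlier local binding is gone. */`. The same close-and-rebind sequence is repeated in the DNS_SO_TCP_INIT hunk below; a small static helper would keep the two copies in step. dns_so_check's switch continues outside the hunk.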
@@ -7605,6 +7621,19 @@ retry:
so->state++;
case DNS_SO_TCP_INIT:
+ if (so->remote.ss_family != so->local.ss_family) {
+ /* Family mismatch. Reinitialize. */
+ if ((error = dns_so_closefd(so, &so->udp)))
+ goto error;
+ if ((error = dns_so_closefd(so, &so->tcp)))
+ goto error;
+
+ /* If the user supplied an interface
+ statement, that is gone now. Sorry. */
+ memset(&so->local, 0, sizeof so->local);
+ so->local.ss_family = so->remote.ss_family;
+ }
+
if (dns_so_tcp_keep(so)) {
so->state = DNS_SO_TCP_SEND;
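Review bot: Unlike the DNS_SO_UDP_INIT hunk, this block closes `so->udp` on a family mismatch but does not recreate it; if `dns_so_closefd` leaves the descriptor invalid, a later datagram query to a same-family server will no longer hit the mismatch branch in DNS_SO_UDP_INIT and will try to connect a closed socket. Either recreate the UDP socket here the way the UDP hunk does, or state why it is not needed on this path, e.g. `/* so->udp stays closed here; a stream-only socket never uses it. */`. The enclosing switch in dns_so_check continues outside the hunk.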
@@ -8056,6 +8085,8 @@ enum dns_res_state {
DNS_R_RESOLV1_NS, /* Epilog: Inspect answer */
DNS_R_FOREACH_A,
DNS_R_QUERY_A,
+ DNS_R_FOREACH_AAAA,
+ DNS_R_QUERY_AAAA,
DNS_R_CNAME0_A,
DNS_R_CNAME1_A,
@@ -8715,8 +8746,22 @@ exec:
F->hints_j.section = DNS_S_ALL & ~DNS_S_QD;
if (!dns_rr_grep(&rr, 1, &F->hints_j, F->hints, &error)) {
- if (!dns_rr_i_count(&F->hints_j))
+ if (!dns_rr_i_count(&F->hints_j)) {
+ /* Check if we have in fact servers
+ with an IPv6 address. */
+ dns_rr_i_init(&F->hints_j, F->hints);
+ F->hints_j.name = u.ns.host;
+ F->hints_j.type = DNS_T_AAAA;
+ F->hints_j.section = DNS_S_ALL & ~DNS_S_QD;
+ if (dns_rr_grep(&rr, 1, &F->hints_j, F->hints, &error)) {
+ /* We do. Reinitialize
+ iterator and handle it. */
+ dns_rr_i_init(&F->hints_j, F->hints);
+ dgoto(R->sp, DNS_R_FOREACH_AAAA);
+ }
+
dgoto(R->sp, DNS_R_RESOLV0_NS);
+ }
dgoto(R->sp, DNS_R_FOREACH_NS);
}
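Review bot: The AAAA fallback only triggers when the nameserver yielded no A record at all (`!dns_rr_i_count`); a dual-stack nameserver whose IPv4 address simply does not answer is never retried over IPv6, because the iteration moves on to DNS_R_FOREACH_NS instead. If that is intended, the new comment should say so, e.g. `/* No A record for this server at all: fall back to its AAAA records, if any. */` in place of `Check if we have in fact servers with an IPv6 address.`. Note also that a failing `dns_rr_grep` is treated like "no match" and `error` is dropped, as in the surrounding code. The enclosing dns_res_exec state machine starts and ends outside the hunk.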
@@ -8817,6 +8862,139 @@ exec:
/* XXX: Should we copy F->answer to R->nodata? */
dgoto(R->sp, DNS_R_FOREACH_A);
+ case DNS_R_FOREACH_AAAA: {
+ struct dns_aaaa aaaa;
+ struct sockaddr_in6 sin6;
+
+ /*
+ * NOTE: Iterator initialized in DNS_R_FOREACH_NS because
+ * this state is re-entrant, but we need to reset
+ * .name to a valid pointer each time.
+ */
+ if ((error = dns_ns_parse(&u.ns, &F->hints_ns, F->hints)))
+ goto error;
+
+ F->hints_j.name = u.ns.host;
+ F->hints_j.type = DNS_T_AAAA;
+ F->hints_j.section = DNS_S_ALL & ~DNS_S_QD;
+
+ if (!dns_rr_grep(&rr, 1, &F->hints_j, F->hints, &error)) {
+ if (!dns_rr_i_count(&F->hints_j)) {
+ /* Check if we have in fact servers
+ with an IPv4 address. */
+ dns_rr_i_init(&F->hints_j, F->hints);
+ F->hints_j.name = u.ns.host;
+ F->hints_j.type = DNS_T_A;
+ F->hints_j.section = DNS_S_ALL & ~DNS_S_QD;
+ if (dns_rr_grep(&rr, 1, &F->hints_j, F->hints, &error)) {
+ /* We do. Reinitialize
+ iterator and handle it. */
+ dns_rr_i_init(&F->hints_j, F->hints);
+ dgoto(R->sp, DNS_R_FOREACH_A);
+ }
+
+ dgoto(R->sp, DNS_R_RESOLV0_NS);
+ }
+
+ dgoto(R->sp, DNS_R_FOREACH_NS);
+ }
+
+ if ((error = dns_aaaa_parse(&aaaa, &rr, F->hints)))
+ goto error;
+
+ memset(&sin6, '\0', sizeof sin6); /* NB: silence valgrind */
+ sin6.sin6_family = AF_INET6;
+ sin6.sin6_addr = aaaa.addr;
+ if (R->sp == 0)
+ sin6.sin6_port = dns_hints_port(R->hints, AF_INET, &sin6.sin6_addr);
+ else
+ sin6.sin6_port = htons(53);
+
+ if (DNS_DEBUG) {
+ char addr[INET6_ADDRSTRLEN + 1];
+ dns_aaaa_print(addr, sizeof addr, &aaaa);
+ dns_header(F->query)->qid = dns_so_mkqid(&R->so);
+ DNS_SHOW(F->query, "ASKING: %s/%s @ DEPTH: %u)", u.ns.host, addr, R->sp);
+ }
+
+ dns_trace_setcname(R->trace, u.ns.host, (struct sockaddr *)&sin6);
+
+ if ((error = dns_so_submit(&R->so, F->query, (struct sockaddr *)&sin6)))
+ goto error;
+
+ F->state++;
+ }
+ case DNS_R_QUERY_AAAA:
+ if (dns_so_elapsed(&R->so) >= dns_resconf_timeout(R->resconf))
+ dgoto(R->sp, DNS_R_FOREACH_AAAA);
+
+ if ((error = dns_so_check(&R->so)))
+ goto error;
+
+ if (!dns_p_setptr(&F->answer, dns_so_fetch(&R->so, &error)))
+ goto error;
+
+ if (DNS_DEBUG) {
+ DNS_SHOW(F->answer, "ANSWER @ DEPTH: %u)", R->sp);
+ }
+
+ if (dns_p_rcode(F->answer) == DNS_RC_FORMERR ||
+ dns_p_rcode(F->answer) == DNS_RC_NOTIMP ||
+ dns_p_rcode(F->answer) == DNS_RC_BADVERS) {
+ /* Temporarily disable EDNS0 and try again. */
+ if (F->qflags & DNS_Q_EDNS0) {
+ F->qflags &= ~DNS_Q_EDNS0;
+ if ((error = dns_q_remake(&F->query, F->qflags)))
+ goto error;
+
+ dgoto(R->sp, DNS_R_FOREACH_AAAA);
+ }
+ }
+
+ if ((error = dns_rr_parse(&rr, 12, F->query)))
+ goto error;
+
+ if (!(len = dns_d_expand(u.name, sizeof u.name, rr.dn.p, F->query, &error)))
+ goto error;
+ else if (len >= sizeof u.name)
+ goto toolong;
+
+ dns_rr_foreach(&rr, F->answer, .section = DNS_S_AN, .name = u.name, .type = rr.type) {
+ dgoto(R->sp, DNS_R_FINISH); /* Found */
+ }
+
+ dns_rr_foreach(&rr, F->answer, .section = DNS_S_AN, .name = u.name, .type = DNS_T_CNAME) {
+ F->ans_cname = rr;
+
+ dgoto(R->sp, DNS_R_CNAME0_A);
+ }
+
+ /*
+ * XXX: The condition here should probably check whether
+ * R->sp == 0, because DNS_R_SEARCH runs regardless of
+ * options.recurse. See DNS_R_BIND.
+ */
+ if (!R->resconf->options.recurse) {
+ /* Make first answer our tentative answer */
+ if (!R->nodata)
+ dns_p_movptr(&R->nodata, &F->answer);
+
+ dgoto(R->sp, DNS_R_SEARCH);
+ }
+
+ dns_rr_foreach(&rr, F->answer, .section = DNS_S_NS, .type = DNS_T_NS) {
+ dns_p_movptr(&F->hints, &F->answer);
+
+ dgoto(R->sp, DNS_R_ITERATE);
+ }
+
+ /* XXX: Should this go further up? */
+ if (dns_header(F->answer)->aa)
+ dgoto(R->sp, DNS_R_FINISH);
+
+ /* XXX: Should we copy F->answer to R->nodata? */
+
+ dgoto(R->sp, DNS_R_FOREACH_AAAA);
case DNS_R_CNAME0_A:
if (&F[1] >= endof(R->stack))
dgoto(R->sp, DNS_R_FINISH);
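Review bot: `dns_hints_port(R->hints, AF_INET, &sin6.sin6_addr)` passes the IPv4 family together with an IPv6 address, a leftover from the DNS_R_FOREACH_A code this state was copied from; the family argument must match the `sin6.sin6_family = AF_INET6` set two lines earlier, i.e. `sin6.sin6_port = dns_hints_port(R->hints, AF_INET6, &sin6.sin6_addr);`. As written, the port configured for an IPv6 hint is looked up against the wrong family, so a top-level (`R->sp == 0`) query to such a server gets whatever dns_hints_port returns on a mismatch instead of the configured port. The remainder of the two states mirrors DNS_R_FOREACH_A/DNS_R_QUERY_A; the switch continues outside the hunk.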
From: Werner Koch <wk@gnupg.org>
Date: Wed, 11 Apr 2018 20:35:40 +0200
Subject: gpg: New option --no-symkey-cache.
* g10/gpg.c (oNoSymkeyCache): New.
(opts): Add that option.
(main): Set var.
* g10/options.h (struct opt): New field no_symkey_cache.
* g10/passphrase.c (passphrase_to_dek): Implement that feature.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 789d240cb40ab36406a7c57ad49897e0bafbb41e)
---
doc/gpg.texi | 11 ++++++++++-
g10/gpg.c | 3 +++
g10/options.h | 4 +++-
g10/passphrase.c | 3 +++
4 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index a7d78c4ff..b2945b861 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -212,7 +212,10 @@ symmetric cipher used is @value{GPGSYMENCALGO}, but may be chosen with the
@option{--encrypt} (for a message that may be decrypted via a secret key
or a passphrase), or @option{--sign} and @option{--encrypt} together
(for a signed message that may be decrypted via a secret key or a
-passphrase).
+passphrase). @command{@gpgname} caches the passphrase used for
+symmetric encryption so that a decrypt operation may not require that
+the user needs to enter the passphrase. The option
+@option{--no-symkey-cache} can be used to disable this feature.
@item --store
@opindex store
@@ -3056,6 +3059,12 @@ are:
Pinentry the user is not prompted again if he enters a bad password.
@end table
+@item --no-symkey-cache
+@opindex no-symkey-cache
+Disable the passphrase cache used for symmetrical en- and decryption.
+This cache is based on the message specific salt value
+(cf. @option{--s2k-mode}).
+
@item --command-fd @code{n}
@opindex command-fd
This is a replacement for the deprecated shared-memory IPC mode.
diff --git a/g10/gpg.c b/g10/gpg.c
index 5a880fd53..09e50db46 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -414,6 +414,7 @@ enum cmd_and_opt_values
oOnlySignTextIDs,
oDisableSignerUID,
oSender,
+ oNoSymkeyCache,
oNoop
};
@@ -874,6 +875,7 @@ static ARGPARSE_OPTS opts[] = {
ARGPARSE_s_s (oAutoKeyLocate, "auto-key-locate", "@"),
ARGPARSE_s_n (oNoAutoKeyLocate, "no-auto-key-locate", "@"),
ARGPARSE_s_n (oNoAutostart, "no-autostart", "@"),
+ ARGPARSE_s_n (oNoSymkeyCache, "no-symkey-cache", "@"),
/* Dummy options with warnings. */
ARGPARSE_s_n (oUseAgent, "use-agent", "@"),
@@ -3515,6 +3517,7 @@ main (int argc, char **argv)
break;
case oNoAutostart: opt.autostart = 0; break;
+ case oNoSymkeyCache: opt.no_symkey_cache = 1; break;
case oDefaultNewKeyAlgo:
opt.def_new_key_algo = pargs.r.ret_str;
diff --git a/g10/options.h b/g10/options.h
index 88a8f32bd..fda174f80 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -244,7 +244,7 @@ struct
unsigned int allow_weak_digest_algos:1;
unsigned int large_rsa:1;
unsigned int disable_signer_uid:1;
- /* Flag to enbale experimental features from RFC4880bis. */
+ /* Flag to enable experimental features from RFC4880bis. */
unsigned int rfc4880bis:1;
} flags;
@@ -272,6 +272,8 @@ struct
int unwrap_encryption;
int only_sign_text_ids;
+
+ int no_symkey_cache; /* Disable the cache used for --symmetric. */
} opt;
/* CTRL is used to keep some global variables we currently can't
diff --git a/g10/passphrase.c b/g10/passphrase.c
index 37abc0f1c..fde3ee4b5 100644
--- a/g10/passphrase.c
+++ b/g10/passphrase.c
@@ -317,6 +317,9 @@ passphrase_to_dek (int cipher_algo, STRING2KEY *s2k,
canceled = &dummy_canceled;
*canceled = 0;
+ if (opt.no_symkey_cache)
+ nocache = 1; /* Force no symmtric key caching. */
+
if ( !s2k )
{
log_assert (create && !nocache);
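Review bot: Forcing `nocache = 1` before the `if ( !s2k )` block means the assertion `log_assert (create && !nocache)` on the last line now fires whenever --no-symkey-cache is set and a caller passes a NULL s2k; unless no such caller remains, either move the new lines below that block or drop `!nocache` from the assertion. The new comment also has a typo: `/* Force no symmetric key caching.  */`. passphrase_to_dek continues outside the hunk.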
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Wed, 3 Oct 2018 00:14:24 -0500
Subject: avoid spurious debugging message
---
g10/export.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/g10/export.c b/g10/export.c
index ea9ffb4d0..4c4c0971a 100644
--- a/g10/export.c
+++ b/g10/export.c
@@ -1377,7 +1377,7 @@ apply_drop_subkey_filter (kbnode_t keyblock, recsel_expr_t selector)
{
if (recsel_select (selector, impex_filter_getval, node))
{
- log_debug ("drop-subkey: deleting a key\n");
+ /*log_debug ("drop-subkey: deleting a key\n");*/
/* The subkey packet and all following packets up to the
* next subkey. */
delete_kbnode (node);
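Review bot: Commenting the call out leaves dead code in the function body; if the message is too noisy at the default level, delete the line outright or keep it behind the module's debug-level check so it stays usable when someone needs it. apply_drop_subkey_filter continues outside the hunk.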
From: Werner Koch <wk@gnupg.org>
Date: Fri, 3 Mar 2017 09:22:40 +0100
Subject: gpg: Add new variables to the import and export filters.
* g10/import.c (impex_filter_getval): Add new variables "expired",
"revoked", and "disabled".
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 1813f3be23bdab5a42070424c47cb8daa9d9e6b7)
---
doc/gpg.texi | 15 +++++++++++++--
g10/import.c | 41 ++++++++++++++++++++++++++++++++++-------
2 files changed, 47 insertions(+), 9 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index b2945b861..c77a4a50e 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -2361,14 +2361,25 @@ The available properties are:
@item primary
Boolean indicating whether the user id is the primary one. (keep-uid)
+ @item expired
+ Boolean indicating whether a user id (keep-uid), a key (drop-subkey), or a
+ signature (drop-sig) expired.
+
+ @item revoked
+ Boolean indicating whether a user id (keep-uid) or a key (drop-subkey) has
+ been revoked.
+
+ @item disabled
+ Boolean indicating whether a primary key is disabled. (not used)
+
@item secret
Boolean indicating whether a key or subkey is a secret one.
- drop-subkey)
+ (drop-subkey)
@item sig_created
@itemx sig_created_d
The first is the timestamp a signature packet was created. The
- second is the same but given as an ISO string,
+ second is the same but given as an ISO date string,
e.g. "2016-08-17". (drop-sig)
@item sig_algo
diff --git a/g10/import.c b/g10/import.c
index 125b9948b..153b4daed 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1164,7 +1164,7 @@ check_prefs (ctrl_t ctrl, kbnode_t keyblock)
}
-/* Helper for apply_*_filter in im,port.c and export.c. */
+/* Helper for apply_*_filter in import.c and export.c. */
const char *
impex_filter_getval (void *cookie, const char *propname)
{
@@ -1176,19 +1176,30 @@ impex_filter_getval (void *cookie, const char *propname)
if (node->pkt->pkttype == PKT_USER_ID
|| node->pkt->pkttype == PKT_ATTRIBUTE)
{
+ PKT_user_id *uid = node->pkt->pkt.user_id;
+
if (!strcmp (propname, "uid"))
- result = node->pkt->pkt.user_id->name;
+ result = uid->name;
else if (!strcmp (propname, "mbox"))
{
- if (!node->pkt->pkt.user_id->mbox)
+ if (!uid->mbox)
{
- node->pkt->pkt.user_id->mbox
- = mailbox_from_userid (node->pkt->pkt.user_id->name);
+ uid->mbox = mailbox_from_userid (uid->name);
}
- result = node->pkt->pkt.user_id->mbox;
+ result = uid->mbox;
}
else if (!strcmp (propname, "primary"))
- result = node->pkt->pkt.user_id->is_primary? "1":"0";
+ {
+ result = uid->is_primary? "1":"0";
+ }
+ else if (!strcmp (propname, "expired"))
+ {
+ result = uid->is_expired? "1":"0";
+ }
+ else if (!strcmp (propname, "revoked"))
+ {
+ result = uid->is_revoked? "1":"0";
+ }
else
result = NULL;
}
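Review bot: The new `expired` and `revoked` properties read `uid->is_expired` and `uid->is_revoked`, flags that nothing in this function computes; presumably they are filled in by the key-merging step elsewhere, and a filter applied to a keyblock that has not been through it would simply see 0. A one-line comment at the new branches, `/* is_expired/is_revoked are only meaningful once the self-signatures have been merged. */`, would keep the next reader from assuming the values are always current. The same applies to `sig->flags.expired` and to `pk->has_expired`/`pk->flags.revoked` in the two following hunks of this file. impex_filter_getval continues outside the hunk.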
@@ -1215,6 +1226,10 @@ impex_filter_getval (void *cookie, const char *propname)
snprintf (numbuf, sizeof numbuf, "%d", sig->digest_algo);
result = numbuf;
}
+ else if (!strcmp (propname, "expired"))
+ {
+ result = sig->flags.expired? "1":"0";
+ }
else
result = NULL;
}
@@ -1244,6 +1259,18 @@ impex_filter_getval (void *cookie, const char *propname)
{
result = datestr_from_pk (pk);
}
+ else if (!strcmp (propname, "expired"))
+ {
+ result = pk->has_expired? "1":"0";
+ }
+ else if (!strcmp (propname, "revoked"))
+ {
+ result = pk->flags.revoked? "1":"0";
+ }
+ else if (!strcmp (propname, "disabled"))
+ {
+ result = pk_is_disabled (pk)? "1":"0";
+ }
else
result = NULL;
}
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Tue, 12 Jun 2018 00:41:59 -0400
Subject: gpg: Add new usage option for drop-subkey filters.
* g10/import.c (impex_filter_getval): Add new "usage" property for
drop-subkey filter.
--
For example, this permits extraction of only encryption-capable
subkeys like so:
gpg --export-filter 'drop-subkey=usage !~ e' --export $FPR
GnuPG-Bug-id: 4019
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 2ddfb5bef920919443309ece9fa2930282bbce85)
(cherry picked from commit 86b64876bef0d8c4be8e309fcf3e2ce21e65a947)
---
doc/gpg.texi | 5 +++++
g10/import.c | 10 ++++++++++
2 files changed, 15 insertions(+)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index c77a4a50e..ca6f53698 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -2376,6 +2376,11 @@ The available properties are:
Boolean indicating whether a key or subkey is a secret one.
(drop-subkey)
+ @item usage
+ A string indicating the usage flags for the subkey, from the
+ sequence ``ecsa?''. For example, a subkey capable of just signing
+ and authentication would be an exact match for ``sa''. (drop-subkey)
+
@item sig_created
@itemx sig_created_d
The first is the timestamp a signature packet was created. The
diff --git a/g10/import.c b/g10/import.c
index 153b4daed..49ba04b6f 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1271,6 +1271,16 @@ impex_filter_getval (void *cookie, const char *propname)
{
result = pk_is_disabled (pk)? "1":"0";
}
+ else if (!strcmp (propname, "usage"))
+ {
+ snprintf (numbuf, sizeof numbuf, "%s%s%s%s%s",
+ (pk->pubkey_usage & PUBKEY_USAGE_ENC)?"e":"",
+ (pk->pubkey_usage & PUBKEY_USAGE_SIG)?"s":"",
+ (pk->pubkey_usage & PUBKEY_USAGE_CERT)?"c":"",
+ (pk->pubkey_usage & PUBKEY_USAGE_AUTH)?"a":"",
+ (pk->pubkey_usage & PUBKEY_USAGE_UNKNOWN)?"?":"");
+ result = numbuf;
+ }
else
result = NULL;