authorIdo Rosen2015-04-17 22:58:41 -0400
committerIdo Rosen2015-04-17 22:58:41 -0400
commitec6df5b1c46d851c948e45eb71378dfb9691bfe1 (patch)
treefefd97cc9af928f4a4eb119feb149f57be979daa
parent77d624bb27d7fe143e8d7c1727d1a669f3438d30 (diff)
downloadaur-ec6df5b1c46d851c948e45eb71378dfb9691bfe1.tar.gz
gnupg-largekeys 2.0.27
-rw-r--r--.SRCINFO41
-rw-r--r--PKGBUILD47
-rw-r--r--PKGBUILD.sigbin543 -> 0 bytes
-rw-r--r--gnupg2-large-keys.patch57
-rw-r--r--gnupg2-large-keys.patch.sigbin543 -> 0 bytes
-rw-r--r--hash-ecdsa.patch48
-rw-r--r--install28
-rw-r--r--install.sigbin543 -> 0 bytes
-rw-r--r--oid2str-overflow.patch72
-rw-r--r--refresh-keys.patch238
-rw-r--r--subpacket-off.patch38
11 files changed, 70 insertions, 499 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 38ffcd646366..e019d3bec5e5 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,45 +1,38 @@
pkgbase = gnupg-largekeys
pkgdesc = Complete and free implementation of the OpenPGP standard
- pkgver = 2.1.0
- pkgrel = 6
+ pkgver = 2.0.27
+ pkgrel = 1
url = http://www.gnupg.org/
install = install
arch = i686
arch = x86_64
license = GPL
+ makedepends = curl
makedepends = libldap
makedepends = libusb-compat
- depends = npth
- depends = libgpg-error
- depends = libgcrypt
+ depends = bzip2
depends = libksba
+ depends = libgcrypt
+ depends = pth
depends = libassuan
- depends = pinentry
- depends = bzip2
depends = readline
+ depends = pinentry
+ depends = dirmngr
+ optdepends = curl: gpg2keys_curl
optdepends = libldap: gpg2keys_ldap
optdepends = libusb-compat: scdaemon
- provides = dirmngr
- provides = gnupg2=2.1.0
- provides = gnupg=2.1.0
- conflicts = dirmngr
+ provides = gnupg2=2.0.27
+ provides = gnupg=2.0.27
conflicts = gnupg2
conflicts = gnupg
- replaces = dirmngr
replaces = gnupg2
replaces = gnupg
- source = ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2
- source = ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2.sig
- source = oid2str-overflow.patch
- source = subpacket-off.patch
- source = refresh-keys.patch
- source = hash-ecdsa.patch
- sha1sums = 2fcd0ca6889ef6cb59e3275e8411f8b7778c2f33
- sha1sums = SKIP
- sha1sums = 774f7fe541428f45ee145c763cf5634264e3bc69
- sha1sums = 1a86b834904c7d18d932ad1bb44d3642990d3cbd
- sha1sums = 246bea8776882f4c0293685482558f6ead1cf902
- sha1sums = b9bd644276aa1c1a3fcaed82e65eecccfd1f36ed
+ source = ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.27.tar.bz2
+ source = gnupg2-large-keys.patch
+ source = install
+ sha1sums = d065be185f5bac8ea07b210ab7756e79b83b63d4
+ sha1sums = 49c93544a6ff7522845dbd94a2a545559a608e62
+ sha1sums = ff80fc79329cfa631c19ae1ea6fc4a390ab851f7
pkgname = gnupg-largekeys
diff --git a/PKGBUILD b/PKGBUILD
index ec97602a7baf..f68929357fae 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -11,47 +11,33 @@
#
pkgname=gnupg-largekeys
-pkgver=2.1.0
-pkgrel=6
+pkgver=2.0.27
+pkgrel=1
pkgdesc='Complete and free implementation of the OpenPGP standard'
url='http://www.gnupg.org/'
license=('GPL')
arch=('i686' 'x86_64')
-optdepends=('libldap: gpg2keys_ldap'
+optdepends=('curl: gpg2keys_curl'
+ 'libldap: gpg2keys_ldap'
'libusb-compat: scdaemon')
-makedepends=('libldap' 'libusb-compat')
-depends=('npth' 'libgpg-error' 'libgcrypt' 'libksba' 'libassuan'
- 'pinentry' 'bzip2' 'readline')
-source=("ftp://ftp.gnupg.org/gcrypt/${pkgname%%-largekeys}/${pkgname%%-largekeys}-${pkgver}.tar.bz2"{,.sig}
- 'oid2str-overflow.patch'
- 'subpacket-off.patch'
- 'refresh-keys.patch'
- 'hash-ecdsa.patch')
- #'gnupg2-large-keys.patch'{,.sig}
- #'install'{,.sig}
- #'PKGBUILD.sig')
-sha1sums=('2fcd0ca6889ef6cb59e3275e8411f8b7778c2f33' 'SKIP'
- '774f7fe541428f45ee145c763cf5634264e3bc69'
- '1a86b834904c7d18d932ad1bb44d3642990d3cbd'
- '246bea8776882f4c0293685482558f6ead1cf902'
- 'b9bd644276aa1c1a3fcaed82e65eecccfd1f36ed')
- #'5932d322a6d4ec5eeafa4ac472f19c07bf4502af' 'SKIP'
- #'9409c0fab2ae8e580f4b00bd15b4a590f097a9a9' 'SKIP'
- #'SKIP')
+makedepends=('curl' 'libldap' 'libusb-compat')
+depends=('bzip2' 'libksba' 'libgcrypt' 'pth' 'libassuan' 'readline' 'pinentry' 'dirmngr')
+source=("ftp://ftp.gnupg.org/gcrypt/${pkgname%%-largekeys}/${pkgname%%-largekeys}-${pkgver}.tar.bz2"
+ 'gnupg2-large-keys.patch'
+ 'install')
+sha1sums=('d065be185f5bac8ea07b210ab7756e79b83b63d4'
+ '49c93544a6ff7522845dbd94a2a545559a608e62'
+ 'ff80fc79329cfa631c19ae1ea6fc4a390ab851f7')
install=install
-conflicts=('dirmngr' 'gnupg2' 'gnupg')
-provides=('dirmngr' "gnupg2=${pkgver}" "gnupg=${pkgver}")
-replaces=('dirmngr' 'gnupg2' 'gnupg')
+conflicts=('gnupg2' 'gnupg')
+provides=("gnupg2=${pkgver}" "gnupg=${pkgver}")
+replaces=('gnupg2' 'gnupg')
prepare() {
cd "${srcdir}/${pkgname%%-largekeys}-${pkgver}"
- patch -p1 -i ../oid2str-overflow.patch
- patch -p1 -i ../subpacket-off.patch
- patch -p1 -i ../refresh-keys.patch
- patch -p1 -i ../hash-ecdsa.patch
- #patch -p1 -i ../gnupg2-large-keys.patch
+ patch -p1 -i ../gnupg2-large-keys.patch
}
build() {
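Review bot: The new `source=` array drops the `{,.sig}` expansion and declares no `validpgpkeys`, so the upstream tarball is fetched over plain `ftp://` and checked only against a SHA-1 sum. The detached signature that the previous revision fetched is no longer downloaded. I would restore the signature and pin the signer: keep `"…/${pkgname%%-largekeys}-${pkgver}.tar.bz2"{,.sig}` with a matching `'SKIP'` checksum entry, add `validpgpkeys=('<UPSTREAM_SIGNING_KEY_FINGERPRINT>')`, and replace `sha1sums` with `sha256sums`. Separately, `prepare()` no longer applies `oid2str-overflow.patch` and `subpacket-off.patch`. That is presumably fine because 2.0.27 already contains those fixes or lacks the affected code, but this should be confirmed and recorded in a one-line comment above the remaining `patch` call.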
@@ -62,6 +48,7 @@ build() {
--sbindir=/usr/bin \
--libexecdir=/usr/lib/gnupg \
--enable-maintainer-mode \
+ --enable-standard-socket \
--enable-symcryptrun \
--enable-gpgtar \
--enable-large-secmem \
diff --git a/PKGBUILD.sig b/PKGBUILD.sig
deleted file mode 100644
index fe6e7fb79906..000000000000
--- a/PKGBUILD.sig
+++ /dev/null
Binary files differ
diff --git a/gnupg2-large-keys.patch b/gnupg2-large-keys.patch
index 631761597d96..4bcda13106cd 100644
--- a/gnupg2-large-keys.patch
+++ b/gnupg2-large-keys.patch
@@ -1,39 +1,30 @@
-diff --git a/g10/gpg.c b/g10/gpg.c
-index 1a8e6e7..0d1e15e 100644
---- a/g10/gpg.c
-+++ b/g10/gpg.c
-@@ -2059,7 +2059,7 @@ main (int argc, char **argv)
- #endif
-
- /* Initialize the secure memory. */
-- if (!gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0))
-+ if (!gcry_control (GCRYCTL_INIT_SECMEM, 131072, 0))
- got_secmem = 1;
- #if defined(HAVE_GETUID) && defined(HAVE_GETEUID)
- /* There should be no way to get to this spot while still carrying
+diff --git a/configure b/configure
+index d974ec3..bda0b0f 100755
+--- a/configure
++++ b/configure
+@@ -5307,7 +5307,7 @@ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $large_secmem" >&5
+ $as_echo "$large_secmem" >&6; }
+ if test "$large_secmem" = yes ; then
+- SECMEM_BUFFER_SIZE=65536
++ SECMEM_BUFFER_SIZE=131072
+ else
+ SECMEM_BUFFER_SIZE=32768
+ fi
diff --git a/g10/keygen.c b/g10/keygen.c
-index 6d3dfa6..6d362c0 100644
+index 560480d..7a89c05 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
-@@ -1175,7 +1175,7 @@ gen_elg (int algo, unsigned int nbits,
- nbits = 2048;
- log_info (_("keysize invalid; using %u bits\n"), nbits );
- }
-- else if (nbits > 4096)
-+ else if (nbits > 65535)
- {
- nbits = 4096;
- log_info (_("keysize invalid; using %u bits\n"), nbits );
-@@ -1442,7 +1442,7 @@ gen_rsa (int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
- nbits = 2048;
- log_info (_("keysize invalid; using %u bits\n"), nbits );
- }
-- else if (nbits > 4096)
-+ else if (nbits > 65535)
- {
- nbits = 4096;
- log_info (_("keysize invalid; using %u bits\n"), nbits );
-@@ -1781,7 +1781,7 @@ ask_algo (int addmode, int *r_subkey_algo, unsigned int *r_usage)
+@@ -1429,7 +1429,7 @@ gen_rsa (int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek,
+ PKT_secret_key *sk;
+ PKT_public_key *pk;
+ gcry_sexp_t s_parms, s_key;
+- const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096);
++ const unsigned maxsize = (opt.flags.large_rsa ? 65535 : 4096);
+
+ assert (is_RSA(algo));
+
+@@ -1798,7 +1798,7 @@ ask_algo (int addmode, int *r_subkey_algo, unsigned int *r_usage)
static unsigned
ask_keysize (int algo, unsigned int primary_keysize)
{
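Review bot: The 131072-byte secure-memory size is set only in the generated `configure` (nested hunk at -5307), not in `configure.ac`, so it would be silently lost if the build ever regenerates `configure`. The PKGBUILD passes `--enable-maintainer-mode`, which presumably enables such regeneration rules. Patching `configure.ac` as well, or stating in the patch header that `configure` must not be regenerated, would make this robust. The `gen_rsa` change also raises `maxsize` to 65535 under `opt.flags.large_rsa`, well above the 16384-bit limit that the package's own install note gives for unpatched GnuPG. A short header comment in the patch, such as `RSA keys above 16384 bits are not interoperable with stock GnuPG; 131072 bytes of secmem is sized for <stated key size>`, would record the reasoning behind both constants. The nested `ask_keysize` hunk continues beyond what this diff shows.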
diff --git a/gnupg2-large-keys.patch.sig b/gnupg2-large-keys.patch.sig
deleted file mode 100644
index 601cd773761d..000000000000
--- a/gnupg2-large-keys.patch.sig
+++ /dev/null
Binary files differ
diff --git a/hash-ecdsa.patch b/hash-ecdsa.patch
deleted file mode 100644
index c451a18b80e7..000000000000
--- a/hash-ecdsa.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Werner Koch <wk@gnupg.org>
-Date: Wed, 19 Nov 2014 09:34:32 +0000 (+0100)
-Subject: gpg: Fix hash detection for ECDSA.
-X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=f80c2dd78d522f12b2c7afbd5c0763a97d87d2bd;hp=cd2c6f36fe5d1d1d45546f5168aead5cbe6487e0
-
-gpg: Fix hash detection for ECDSA.
-
-* g10/sign.c (sign_file): Use DSA or ECDSA and not DSA|EdDSA.
---
-
-This error was introduced with
-commit b7f8dec6325f1c80640f878ed3080bbc194fbc78
-while separating EdDSA from ECDSA.
-
-Found due to a related bug report from Brian Minton.
-
-Signed-off-by: Werner Koch <wk@gnupg.org>
----
-
-diff --git a/g10/sign.c b/g10/sign.c
-index e7d4a68..2e62f04 100644
---- a/g10/sign.c
-+++ b/g10/sign.c
-@@ -899,13 +899,12 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
- for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next )
- {
- if (sk_rover->pk->pubkey_algo == PUBKEY_ALGO_DSA
-- || (sk_rover->pk->pubkey_algo == PUBKEY_ALGO_EDDSA
-- && !openpgp_oid_is_ed25519 (sk_rover->pk->pkey[1])))
-+ || sk_rover->pk->pubkey_algo == PUBKEY_ALGO_ECDSA)
- {
- int temp_hashlen = (gcry_mpi_get_nbits
- (sk_rover->pk->pkey[1]));
-
-- if (sk_rover->pk->pubkey_algo == PUBKEY_ALGO_EDDSA)
-+ if (sk_rover->pk->pubkey_algo == PUBKEY_ALGO_ECDSA)
- temp_hashlen = ecdsa_qbits_from_Q (temp_hashlen);
- temp_hashlen = (temp_hashlen+7)/8;
-
-@@ -915,7 +914,7 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
- if (hint.digest_length<temp_hashlen)
- hint.digest_length=temp_hashlen;
- }
-- /* FIXME: need toall gpg-agent */
-+ /* FIXME: need to check gpg-agent for this. */
- /* else if (sk_rover->pk->is_protected */
- /* && sk_rover->pk->protect.s2k.mode == 1002) */
- /* smartcard = 1; */
diff --git a/install b/install
index af19dd807910..31ccfdf18b21 100644
--- a/install
+++ b/install
@@ -2,25 +2,21 @@ info_dir=/usr/share/info
info_files=(gnupg.info gnupg.info-1 gnupg.info-2)
post_install() {
- [ -x usr/bin/install-info ] || return 0
- for f in ${info_files[@]}; do
- usr/bin/install-info ${info_dir}/$f ${info_dir}/dir 2> /dev/null
- done
+ [ -x usr/bin/install-info ] || return 0
+ for f in ${info_files[@]}; do
+ usr/bin/install-info ${info_dir}/$f ${info_dir}/dir 2> /dev/null
+ done
echo -e "\e[1mNOTE: Keys larger than 16384 bits fail on unpatched gnupg versions!\e[0m"
}
-pre_remove() {
- [ -x usr/bin/install-info ] || return 0
- for f in ${info_files[@]}; do
- usr/bin/install-info --delete ${info_dir}/$f ${info_dir}/dir 2> /dev/null
- done
-}
-
post_upgrade() {
- post_install
+ post_install $1
+ echo -e "\e[1mNOTE: Keys larger than 16384 bits fail on unpatched gnupg versions!\e[0m"
+}
- # Fix upgrade to 2.1; see FS#42798
- [ $(vercmp $2 2.1.0-4) = -1 ] &&
- dirmngr </dev/null &>/dev/null ||
- return 0
+pre_remove() {
+ [ -x usr/bin/install-info ] || return 0
+ for f in ${info_files[@]}; do
+ usr/bin/install-info --delete ${info_dir}/$f ${info_dir}/dir 2> /dev/null
+ done
}
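Review bot: `post_upgrade()` now prints the large-key NOTE twice, because it calls `post_install $1`, which already ends with the same `echo -e`, and then repeats that echo on the next line. Dropping the second `echo -e "\e[1mNOTE: …"` from `post_upgrade` is enough. As a point of style, the loops in `post_install` and `pre_remove` expand `${info_files[@]}` and `${info_dir}/$f` unquoted; `"${info_files[@]}"` and `"${info_dir}/$f"` are the safer forms. The `2> /dev/null` on `install-info` also hides any failure, so a comment saying this is deliberate best-effort would help.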
diff --git a/install.sig b/install.sig
deleted file mode 100644
index bff9c38923ee..000000000000
--- a/install.sig
+++ /dev/null
Binary files differ
diff --git a/oid2str-overflow.patch b/oid2str-overflow.patch
deleted file mode 100644
index 797a18f87ea8..000000000000
--- a/oid2str-overflow.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Werner Koch <wk@gnupg.org>
-Date: Tue, 25 Nov 2014 10:58:56 +0000 (+0100)
-Subject: Fix buffer overflow in openpgp_oid_to_str.
-X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=8445ef24fc31e1fe0291e17f90f9f06b536e34da;hp=28dafd4714a9b01d3a6f1e6e5919bf6f909987c7
-
-Fix buffer overflow in openpgp_oid_to_str.
-
-* common/openpgp-oid.c (openpgp_oid_to_str): Fix unsigned underflow.
-
-* common/t-openpgp-oid.c (BADOID): New.
-(test_openpgp_oid_to_str): Add test cases.
---
-
-The code has an obvious error by not considering invalid encoding for
-arc-2. A first byte of 0x80 can be used to make a value of less then
-80 and we then subtract 80 from that value as required by the OID
-encoding rules. Due to the unsigned integer this results in a pretty
-long value which won't fit anymore into the allocated buffer.
-
-The fix is obvious. Also added a few simple test cases. Note that we
-keep on using sprintf instead of snprintf because managing the
-remaining length of the buffer would probably be more error prone than
-assuring that the buffer is large enough. Getting rid of sprintf
-altogether by using direct conversion along with membuf_t like code
-might be possible.
-
-Reported-by: Hanno Böck
-Signed-off-by: Werner Koch <wk@gnupg.org>
-
-Ported from libksba commit f715b9e156dfa99ae829fc694e5a0abd23ef97d7
----
-
-diff --git a/common/openpgp-oid.c b/common/openpgp-oid.c
-index 010c23f..d3d1f2a 100644
---- a/common/openpgp-oid.c
-+++ b/common/openpgp-oid.c
-@@ -236,6 +236,8 @@ openpgp_oid_to_str (gcry_mpi_t a)
- val <<= 7;
- val |= buf[n] & 0x7f;
- }
-+ if (val < 80)
-+ goto badoid;
- val -= 80;
- sprintf (p, "2.%lu", val);
- p += strlen (p);
-diff --git a/common/t-openpgp-oid.c b/common/t-openpgp-oid.c
-index 79e5a70..5cd778d 100644
---- a/common/t-openpgp-oid.c
-+++ b/common/t-openpgp-oid.c
-@@ -32,6 +32,9 @@
- } while(0)
-
-
-+#define BADOID "1.3.6.1.4.1.11591.2.12242973"
-+
-+
- static void
- test_openpgp_oid_from_str (void)
- {
-@@ -108,6 +111,12 @@ test_openpgp_oid_to_str (void)
- { "1.3.132.0.35",
- { 5, 0x2B, 0x81, 0x04, 0x00, 0x23 }},
-
-+ { BADOID,
-+ { 9, 0x80, 0x02, 0x70, 0x50, 0x25, 0x46, 0xfd, 0x0c, 0xc0 }},
-+
-+ { BADOID,
-+ { 1, 0x80 }},
-+
- { NULL }};
- gcry_mpi_t a;
- int idx;
diff --git a/refresh-keys.patch b/refresh-keys.patch
deleted file mode 100644
index 2b0cc8fb79ca..000000000000
--- a/refresh-keys.patch
+++ /dev/null
@@ -1,238 +0,0 @@
-From eecbed004ca1e9ca23c3892c3a5e6dd174ddf93b Mon Sep 17 00:00:00 2001
-From: Werner Koch <wk@gnupg.org>
-Date: Wed, 12 Nov 2014 12:14:32 +0100
-Subject: [PATCH] gpg: Fix regression in --refresh-keys
-
-* g10/keyserver.c (keyserver_get): Factor all code out to ...
-(keyserver_get_chunk): new. Extimate line length.
-(keyserver_get): Split up requests into chunks.
---
-
-Note that refreshing all keys still requires way to much memory
-because we build an in-memory list of all keys first. It is required
-to first get a list of all keys to avoid conflicts while updating the
-key store in the process of receiving keys. A better strategy would
-be a background process and tracking the last update in the key store.
-
-GnuPG-bug-id: 1755
-Signed-off-by: Werner Koch <wk@gnupg.org>
----
- g10/call-dirmngr.c | 2 +-
- g10/keyserver.c | 107 ++++++++++++++++++++++++++++++++++++++++++----------
- 2 files changed, 89 insertions(+), 20 deletions(-)
-
-diff --git a/g10/call-dirmngr.c b/g10/call-dirmngr.c
-index 5bddbbe..71f5324 100644
---- a/g10/call-dirmngr.c
-+++ b/g10/call-dirmngr.c
-@@ -429,7 +429,7 @@ ks_get_data_cb (void *opaque, const void *data, size_t datalen)
- error an error code is returned and NULL stored at R_FP.
-
- The pattern may only use search specification which a keyserver can
-- use to retriev keys. Because we know the format of the pattern we
-+ use to retrieve keys. Because we know the format of the pattern we
- don't need to escape the patterns before sending them to the
- server.
-
-diff --git a/g10/keyserver.c b/g10/keyserver.c
-index 1b2e128..5bc1eba 100644
---- a/g10/keyserver.c
-+++ b/g10/keyserver.c
-@@ -1567,17 +1567,16 @@ keyserver_search (ctrl_t ctrl, strlist_t tokens)
- return err;
- }
-
--
--
--/* Retrieve a key from a keyserver. The search pattern are in
-- (DESC,NDESC). Allowed search modes are keyid, fingerprint, and
-- exact searches. KEYSERVER gives an optional override keyserver. If
-- (R_FPR,R_FPRLEN) are not NULL, the may retrun the fingerprint of
-- one imported key. */
-+/* Helper for keyserver_get. Here we only receive a chunk of the
-+ description to be processed in one batch. This is required due to
-+ the limited number of patterns the dirmngr interface (KS_GET) can
-+ grok and to limit the amount of temporary required memory. */
- static gpg_error_t
--keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-- struct keyserver_spec *keyserver,
-- unsigned char **r_fpr, size_t *r_fprlen)
-+keyserver_get_chunk (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-+ int *r_ndesc_used,
-+ void *stats_handle,
-+ struct keyserver_spec *keyserver,
-+ unsigned char **r_fpr, size_t *r_fprlen)
-
- {
- gpg_error_t err = 0;
-@@ -1585,12 +1584,26 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
- int idx, npat;
- estream_t datastream;
- char *source = NULL;
-+ size_t linelen; /* Estimated linelen for KS_GET. */
-+ size_t n;
-+
-+#define MAX_KS_GET_LINELEN 950 /* Somewhat lower than the real limit. */
-+
-+ *r_ndesc_used = 0;
-
- /* Create an array filled with a search pattern for each key. The
- array is delimited by a NULL entry. */
- pattern = xtrycalloc (ndesc+1, sizeof *pattern);
- if (!pattern)
- return gpg_error_from_syserror ();
-+
-+ /* Note that we break the loop as soon as our estimation of the to
-+ be used line length reaches the limit. But we do this only if we
-+ have processed at leas one search requests so that an overlong
-+ single request will be rejected only later by gpg_dirmngr_ks_get
-+ but we are sure that R_NDESC_USED has been updated. This avoids
-+ a possible indefinite loop. */
-+ linelen = 9; /* "KS_GET --" */
- for (npat=idx=0; idx < ndesc; idx++)
- {
- int quiet = 0;
-@@ -1598,7 +1611,12 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
- if (desc[idx].mode == KEYDB_SEARCH_MODE_FPR20
- || desc[idx].mode == KEYDB_SEARCH_MODE_FPR16)
- {
-- pattern[npat] = xtrymalloc (2+2*20+1);
-+ n = 1+2+2*20;
-+ if (idx && linelen + n > MAX_KS_GET_LINELEN)
-+ break; /* Declare end of this chunk. */
-+ linelen += n;
-+
-+ pattern[npat] = xtrymalloc (n);
- if (!pattern[npat])
- err = gpg_error_from_syserror ();
- else
-@@ -1612,6 +1630,11 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
- }
- else if(desc[idx].mode == KEYDB_SEARCH_MODE_LONG_KID)
- {
-+ n = 1+2+16;
-+ if (idx && linelen + n > MAX_KS_GET_LINELEN)
-+ break; /* Declare end of this chunk. */
-+ linelen += n;
-+
- pattern[npat] = xtryasprintf ("0x%08lX%08lX",
- (ulong)desc[idx].u.kid[0],
- (ulong)desc[idx].u.kid[1]);
-@@ -1622,6 +1645,11 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
- }
- else if(desc[idx].mode == KEYDB_SEARCH_MODE_SHORT_KID)
- {
-+ n = 1+2+8;
-+ if (idx && linelen + n > MAX_KS_GET_LINELEN)
-+ break; /* Declare end of this chunk. */
-+ linelen += n;
-+
- pattern[npat] = xtryasprintf ("0x%08lX", (ulong)desc[idx].u.kid[1]);
- if (!pattern[npat])
- err = gpg_error_from_syserror ();
-@@ -1630,11 +1658,17 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
- }
- else if(desc[idx].mode == KEYDB_SEARCH_MODE_EXACT)
- {
-- /* The Dirmngr uses also classify_user_id to detect the type
-+ /* The Dirmngr also uses classify_user_id to detect the type
- of the search string. By adding the '=' prefix we force
- Dirmngr's KS_GET to consider this an exact search string.
- (In gpg 1.4 and gpg 2.0 the keyserver helpers used the
- KS_GETNAME command to indicate this.) */
-+
-+ n = 1+1+strlen (desc[idx].u.name);
-+ if (idx && linelen + n > MAX_KS_GET_LINELEN)
-+ break; /* Declare end of this chunk. */
-+ linelen += n;
-+
- pattern[npat] = strconcat ("=", desc[idx].u.name, NULL);
- if (!pattern[npat])
- err = gpg_error_from_syserror ();
-@@ -1669,6 +1703,9 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
- }
- }
-
-+ /* Remember now many of search items were considered. Note that
-+ this is different from NPAT. */
-+ *r_ndesc_used = idx;
-
- err = gpg_dirmngr_ks_get (ctrl, pattern, &datastream, &source);
- for (idx=0; idx < npat; idx++)
-@@ -1679,11 +1716,8 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-
- if (!err)
- {
-- void *stats_handle;
- struct ks_retrieval_screener_arg_s screenerarg;
-
-- stats_handle = import_new_stats_handle();
--
- /* FIXME: Check whether this comment should be moved to dirmngr.
-
- Slurp up all the key data. In the future, it might be nice
-@@ -1697,15 +1731,12 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
- keyservers. */
-
- screenerarg.desc = desc;
-- screenerarg.ndesc = ndesc;
-+ screenerarg.ndesc = *r_ndesc_used;
- import_keys_es_stream (ctrl, datastream, stats_handle,
- r_fpr, r_fprlen,
- (opt.keyserver_options.import_options
- | IMPORT_NO_SECKEY),
- keyserver_retrieval_screener, &screenerarg);
--
-- import_print_stats (stats_handle);
-- import_release_stats_handle (stats_handle);
- }
- es_fclose (datastream);
- xfree (source);
-@@ -1714,6 +1745,44 @@ keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
- }
-
-
-+/* Retrieve a key from a keyserver. The search pattern are in
-+ (DESC,NDESC). Allowed search modes are keyid, fingerprint, and
-+ exact searches. KEYSERVER gives an optional override keyserver. If
-+ (R_FPR,R_FPRLEN) are not NULL, they may return the fingerprint of a
-+ single imported key. */
-+static gpg_error_t
-+keyserver_get (ctrl_t ctrl, KEYDB_SEARCH_DESC *desc, int ndesc,
-+ struct keyserver_spec *keyserver,
-+ unsigned char **r_fpr, size_t *r_fprlen)
-+{
-+ gpg_error_t err;
-+ void *stats_handle;
-+ int ndesc_used;
-+ int any_good = 0;
-+
-+ stats_handle = import_new_stats_handle();
-+
-+ for (;;)
-+ {
-+ err = keyserver_get_chunk (ctrl, desc, ndesc, &ndesc_used, stats_handle,
-+ keyserver, r_fpr, r_fprlen);
-+ if (!err)
-+ any_good = 1;
-+ if (err || ndesc_used >= ndesc)
-+ break; /* Error or all processed. */
-+ /* Prepare for the next chunk. */
-+ desc += ndesc_used;
-+ ndesc -= ndesc_used;
-+ }
-+
-+ if (any_good)
-+ import_print_stats (stats_handle);
-+
-+ import_release_stats_handle (stats_handle);
-+ return err;
-+}
-+
-+
- /* Send all keys specified by KEYSPECS to the KEYSERVERS. */
- static gpg_error_t
- keyserver_put (ctrl_t ctrl, strlist_t keyspecs,
---
-1.7.10.4
-
diff --git a/subpacket-off.patch b/subpacket-off.patch
deleted file mode 100644
index a9794d0c7ac3..000000000000
--- a/subpacket-off.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Werner Koch <wk@gnupg.org>
-Date: Mon, 24 Nov 2014 16:28:25 +0000 (+0100)
-Subject: gpg: Fix off-by-one read in the attribute subpacket parser.
-X-Git-Url: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commitdiff_plain;h=0988764397f99db4efef1eabcdb8072d6159af76;hp=b716e6a69919b89c7887d6c7c9b97e58d18fdf95
-
-gpg: Fix off-by-one read in the attribute subpacket parser.
-
-* g10/parse-packet.c (parse_attribute_subpkts): Check that the
-attribute packet is large enough for the subpacket type.
---
-
-Reported-by: Hanno Böck
-Signed-off-by: Werner Koch <wk@gnupg.org>
----
-
-diff --git a/g10/parse-packet.c b/g10/parse-packet.c
-index e0370aa..f75e21c 100644
---- a/g10/parse-packet.c
-+++ b/g10/parse-packet.c
-@@ -2359,8 +2359,16 @@ parse_attribute_subpkts (PKT_user_id * uid)
- if (buflen < n)
- goto too_short;
-
-- attribs =
-- xrealloc (attribs, (count + 1) * sizeof (struct user_attribute));
-+ if (!n)
-+ {
-+ /* Too short to encode the subpacket type. */
-+ if (opt.verbose)
-+ log_info ("attribute subpacket too short\n");
-+ break;
-+ }
-+
-+ attribs = xrealloc (attribs,
-+ (count + 1) * sizeof (struct user_attribute));
- memset (&attribs[count], 0, sizeof (struct user_attribute));
-
- type = *buffer;