diff --git a/NEWS b/NEWS
index 1c3e4ff9b..5de504387 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,13 @@
 Noteworthy changes in version 2.0.3
 ------------------------------------------------
+ * By default, do not allow processing multiple plaintexts in a single
+ stream. Many programs that called GnuPG were assuming that GnuPG
+ did not permit this, and were thus not using the plaintext boundary
+ status tags that GnuPG provides. This change makes GnuPG reject
+ such messages by default which makes those programs safe again.
+ --allow-multiple-messages returns to the old behavior.
+
 * New --verify-option show-primary-uid-only.
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 3c04a980b..aff5149c6 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,8 @@
+2007-03-04 David Shaw
+
+ * gpg.texi (GPG Esoteric Options): Document
+ --allow-multiple-messages.
+
 2007-02-26 Werner Koch
 * gpg.texi (GPG Configuration): Document envvar LANGUAGE.
diff --git a/doc/gpg.texi b/doc/gpg.texi
index cff4a0f53..e70c32341 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1985,7 +1985,7 @@ SHA224, SHA384, and SHA512 digests.
 @c ******** ESOTERIC OPTIONS ***************
 @c *******************************************
 @node GPG Esoteric Options
-@subsection Doing things one usually don't want to do.
+@subsection Doing things one usually doesn't want to do.
 @table @gnupgtabopt
@@ -2380,11 +2380,13 @@ absolute date in the form YYYY-MM-DD. Defaults to "0".
 @item --allow-secret-key-import
 This is an obsolete option and is not used anywhere.
-@item --allow-multisig-verification
-Allow verification of concatenated signed messages. This will run a
-signature verification for each data+signature block. There are some
-security issues with this option and thus it is off by default. Note
-that versions of GPG prior to version 1.4.3 implicitly allowed this.
+@item --allow-multiple-messages
+@item --no-allow-multiple-messages
+Allow processing of multiple OpenPGP messages contained in a single
+file or stream. Some programs that call GPG are not prepared to deal
+with multiple messages being processed together, so this option
+defaults to no. Note that versions of GPG prior to 1.4.7 always
+allowed multiple messages.
 @item --enable-special-filenames
 This options enables a mode in which filenames of the form
diff --git a/g10/ChangeLog b/g10/ChangeLog
index fe0f7d69c..1a43fd692 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,20 @@
+2007-03-05 Werner Koch
+
+ Converted this file to UTF-8.
+
+ Ported David and my multiple messages changes from 1.4.7.
+
+ * options.h, gpg.c (main), mainproc.c (check_sig_and_print): Allow
+ multiple sig verification again as this is protected via the
+ multiple-messages code. New option --allow-multiple-messages and
+ --no variant.
+ * status.h (STATUS_ERROR): New status code.
+ * status.c (get_status_string): Ditto.
+ * mainproc.c (proc_plaintext): Emit it if multiple messages are
+ detected. Error out if more than one plaintext packet is
+ encountered.
+ * mainproc.c (literals_seen): New.
+
 2007-02-26 Werner Koch
 * gpg.c (main): Add verify option show-primary-uid-only.
@@ -1756,7 +1773,7 @@ 2003-04-10 Werner Koch * passphrase.c (read_passphrase_from_fd): Do a dummy read if the - agent is to be used. Noted by Ingo Klöcker. + agent is to be used. Noted by Ingo Klöcker. (agent_get_passphrase): Inhibit caching when we have no fingerprint. This is required for key generation as well as for symmetric only encryption. @@ -2699,7 +2716,7 @@ warning. * passphrase.c (agent_get_passphrase): Fixed signed/unsigned char - problem in %-escaping. Noted by Ingo Klöcker. + problem in %-escaping. Noted by Ingo Klöcker. 2002-10-03 David Shaw @@ -7027,12 +7044,12 @@ Fri Feb 11 17:44:40 CET 2000 Werner Koch Thu Feb 10 17:39:44 CET 2000 Werner Koch * keyedit.c (menu_expire): Fixed segv due to unitialized sub_pk. - By Rémi. + By Rémi. Thu Feb 10 11:39:41 CET 2000 Werner Koch * keylist.c (list_keyblock): Don't print warnings in the middle of - regulat output lines. By Rémi. + regulat output lines. By Rémi. * sig-check.c: Include options.h @@ -7622,7 +7639,7 @@ Mon May 31 19:41:10 CEST 1999 Werner Koch * g10.c (main): Fix for SHM init (Michael). * compress.c, encr-data.c, mdfilter.c, - plaintext.c, free-packet.c: Speed patches (Rémi). + plaintext.c, free-packet.c: Speed patches (Rémi). Thu May 27 09:40:55 CEST 1999 Werner Koch @@ -7647,7 +7664,7 @@ Wed May 26 14:36:29 CEST 1999 Werner Koch Tue May 25 19:50:32 CEST 1999 Werner Koch * sign.c (sign_file): Always use compression algo 1 for signed - onyl file becuase we can´ be sure the the verifier supports other + onyl file becuase we can´ be sure the the verifier supports other algorithms. * build-packet.c (build_sig_subpkt): Support for notation data. 
@@ -7837,7 +7854,7 @@ Wed Apr 7 20:51:39 CEST 1999 Werner Koch (protect_secret_key). Ditto. * misc.c (print_cipher_algo_note): Twofish is now a standard algo. - * keygen.c (do_create): Fixed spelling (Gaël Quéri) + * keygen.c (do_create): Fixed spelling (Gaël Quéri) (ask_keysize): Only allow keysizes up to 4096 * ringedit.c (add_keyblock_resource): chmod newly created secrings. @@ -7880,7 +7897,7 @@ Wed Mar 17 13:09:03 CET 1999 Werner Koch * trustdb.c (insert_trust_record): Always use the primary key. - * encode.c (encode_simple): Added text_mode filter (Rémi Guyomarch) + * encode.c (encode_simple): Added text_mode filter (Rémi Guyomarch) (encode_crypt): Ditto. * mainproc.c (proc_pubkey_enc): Added status ENC_TO. @@ -9261,7 +9278,7 @@ Wed Apr 8 13:40:33 1998 Werner Koch (wk@isil.d.shuttle.de) Wed Apr 8 09:47:21 1998 Werner Koch (wk@isil.d.shuttle.de) - * sig-check.c (do_check): Applied small fix from Ulf Möller. + * sig-check.c (do_check): Applied small fix from Ulf Möller. Tue Apr 7 19:28:07 1998 Werner Koch (wk@isil.d.shuttle.de) @@ -9640,7 +9657,7 @@ Thu Feb 12 22:24:42 1998 Werner Koch (wk@frodo) Copyright 1998,1999,2000,2001,2002,2003,2004,2005, - 2006 Free Software Foundation, Inc. + 2006,2007 Free Software Foundation, Inc. This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without diff --git a/g10/gpg.c b/g10/gpg.c index dc100dc92..000bf1a9d 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -357,6 +357,8 @@ enum cmd_and_opt_values oAllowMultisigVerification, oEnableDSA2, oDisableDSA2, + oAllowMultipleMessages, + oNoAllowMultipleMessages, oNoop }; 
@@ -692,6 +694,8 @@ static ARGPARSE_OPTS opts[] = {
 { oAllowMultisigVerification, "allow-multisig-verification", 0, "@"},
 { oEnableDSA2, "enable-dsa2", 0, "@"},
 { oDisableDSA2, "disable-dsa2", 0, "@"},
+ { oAllowMultipleMessages, "allow-multiple-messages", 0, "@"},
+ { oNoAllowMultipleMessages, "no-allow-multiple-messages", 0, "@"},
 /* These two are aliases to help users of the PGP command line product use gpg with minimal pain. Many commands are common
@@ -2807,13 +2811,18 @@ main (int argc, char **argv )
 release_akl(); break;
- case oAllowMultisigVerification:
- opt.allow_multisig_verification = 1;
- break;
-
 case oEnableDSA2: opt.flags.dsa2=1; break;
 case oDisableDSA2: opt.flags.dsa2=0; break;
+ case oAllowMultisigVerification:
+ case oAllowMultipleMessages:
+ opt.flags.allow_multiple_messages=1;
+ break;
+
+ case oNoAllowMultipleMessages:
+ opt.flags.allow_multiple_messages=0;
+ break;
+
 case oNoop: break;
 default : pargs.err = configfp? 1:2; break;
diff --git a/g10/mainproc.c b/g10/mainproc.c
index faefacb10..52c0092d5 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -98,10 +98,9 @@ struct mainproc_context
 static int do_proc_packets( CTX c, IOBUF a );
-
 static void list_node( CTX c, KBNODE node );
 static void proc_tree( CTX c, KBNODE node );
-
+static int literals_seen;
 static void release_list( CTX c )
@@ -596,6 +595,8 @@ proc_plaintext( CTX c, PACKET *pkt )
 int any, clearsig, only_md5, rc;
 KBNODE n;
+ literals_seen++;
+
 if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
 log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
 else if( opt.verbose )
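Review bot: `case oAllowMultisigVerification:` now falls into the `oAllowMultipleMessages` handler, so a gpg.conf that still contains the old `allow-multisig-verification` silently turns on the new, broader permission (multiple plaintexts, not only multiple signatures), and nothing in the hunk or in the option table records that this is a deliberate alias. Add `/* Obsolete alias: behaves exactly like --allow-multiple-messages.  */` above the case label and give the `"allow-multisig-verification"` table entry the same comment so the two places cannot drift apart. The gpg.texi hunk in this commit drops the old option's description entirely while the parser keeps accepting it; a one-line "deprecated alias" entry would keep manual and code consistent. The `main` switch continues outside this hunk on both sides.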
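Review bot: `static int literals_seen;` is file-scope state that the `literals_seen++` in the `proc_plaintext` hunk below only ever increments, and no hunk in this commit resets it, so the count carries over from one input to the next for the lifetime of the process. If gpg ever runs the packet processor more than once per process (multi-file decryption or verification would be the obvious case; not visible here, so worth confirming), the first plaintext of the second input already trips the `literals_seen>1` check and is rejected with the new STATUS_ERROR although it is a single message. The counter should be reset at the start of each top-level input, e.g. a small `static void reset_literals_seen (void) { literals_seen = 0; }` called by whatever opens a new message, rather than inside `do_proc_packets` in case that is re-entered for nested packets. The declaration also needs a comment: `/* Number of literal data packets seen in the current input; used to reject concatenated messages unless --allow-multiple-messages is set.  */`.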
@@ -683,12 +684,29 @@ proc_plaintext( CTX c, PACKET *pkt )
 gcry_md_start_debug ( c->mfx.md2, "verify2" );
 }
- rc = handle_plaintext( pt, &c->mfx, c->sigs_only, clearsig );
- if ( gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only )
+ rc=0;
+
+ if (literals_seen>1)
 {
- /* Can't write output but we hash it anyway to check the
- signature. */
- rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
+ log_info (_("WARNING: multiple plaintexts seen\n"));
+
+ if (!opt.flags.allow_multiple_messages)
+ {
+ write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
+ log_inc_errorcount ();
+ rc = gpg_error (GPG_ERR_UNEXPECTED);
+ }
+ }
+
+ if(!rc)
+ {
+ rc = handle_plaintext( pt, &c->mfx, c->sigs_only, clearsig );
+ if ( gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only )
+ {
+ /* Can't write output but we hash it anyway to check the
+ signature. */
+ rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
+ }
 }
 if( rc )
@@ -1512,8 +1530,17 @@ check_sig_and_print( CTX c, KBNODE node )
 n_sig++;
 if (!n_sig) goto ambiguous;
- if (n && !opt.allow_multisig_verification)
- goto ambiguous;
+
+ /* If we wanted to disallow multiple sig verification, we'd do
+ something like this:
+
+ if (n && !opt.allow_multisig_verification)
+ goto ambiguous;
+
+ However, now that we have --allow-multiple-messages, this
+ can stay allowable as we can't get here unless multiple
+ messages (i.e. multiple literals) are allowed. */
+
 if (n_onepass != n_sig)
 {
 log_info ("number of one-pass packets does not match "
diff --git a/g10/options.h b/g10/options.h
index 315912b33..3c8b5ac4a 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -227,6 +227,7 @@ struct
 unsigned int use_embedded_filename:1;
 unsigned int utf8_filename:1;
 unsigned int dsa2:1;
+ unsigned int allow_multiple_messages:1;
 } flags;
 /* Linked list of ways to find a key if the key isn't on the local
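Review bot: The status text `"proc_pkt.plaintext 89_BAD_DATA"` hard-codes an error number and name while the code returned two lines later is `gpg_error (GPG_ERR_UNEXPECTED)`, so the machine-readable ERROR line and the in-process error disagree, and the literal 89 has to be kept in step with libgpg-error by hand. Choose one code and use it for both, `rc = gpg_error (GPG_ERR_BAD_DATA);` if BAD_DATA is the intended report, and put the status argument next to it with a comment stating the format, `/* ERROR <where> <errcode>_<errname>; keep in sync with rc.  */`. It is also worth a comment that this check can only fire once the second literal packet arrives, so the first plaintext has already gone through `handle_plaintext` (and whatever output that produced) before the ERROR status is emitted; a status-fd consumer needs the ERROR line, not just the exit status, to know to discard that output. proc_plaintext continues outside the hunk on both sides.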
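Review bot: The new comment keeps the removed guard as commented-out code; say in prose what it guarded and why it is gone, e.g. `/* Multiple signatures per stream used to require --allow-multisig-verification; they are accepted now because proc_plaintext already rejects a second literal packet unless --allow-multiple-messages is given.  */`. The claim that "we can't get here unless multiple messages are allowed" depends on every signed block carrying a literal packet counted by `literals_seen` in `proc_plaintext`; for inputs without literal packets (the sigs-only path, if it reaches this code) that protection does not apply, so the `n_onepass != n_sig` check that follows is doing real work and the comment should not present the situation as impossible. check_sig_and_print extends beyond this hunk on both sides.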
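Review bot: `unsigned int allow_multiple_messages:1;` is added without a comment, although the field it replaces (removed in the next hunk) had one, and this flag is now the only thing that turns the new reject-by-default behaviour off. Add `/* Accept more than one plaintext (OpenPGP message) in a single input; set by --allow-multiple-messages, cleared by --no-allow-multiple-messages.  Off by default.  */` above it. The enclosing `struct` starts outside the hunk.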
@@ -238,8 +239,6 @@ struct
 struct akl *next;
 } *auto_key_locate;
- /* True if multiple concatenated signatures may be verified. */
- int allow_multisig_verification;
 int passwd_repeat;
 } opt;
diff --git a/g10/status.c b/g10/status.c
index 83a28cda4..3e5de6e88 100644
--- a/g10/status.c
+++ b/g10/status.c
@@ -148,6 +148,7 @@ get_status_string ( int no )
 case STATUS_PKA_TRUST_BAD : s = "PKA_TRUST_BAD"; break;
 case STATUS_PKA_TRUST_GOOD : s = "PKA_TRUST_GOOD"; break;
 case STATUS_BEGIN_SIGNING : s = "BEGIN_SIGNING"; break;
+ case STATUS_ERROR : s = "ERROR"; break;
 default: s = "?"; break;
 }
 return s;
diff --git a/g10/status.h b/g10/status.h
index 6fad17a46..a7b789f99 100644
--- a/g10/status.h
+++ b/g10/status.h
@@ -120,6 +120,8 @@
 #define STATUS_BEGIN_SIGNING 84
+#define STATUS_ERROR 85
+
 /*-- status.c --*/
 void set_status_fd ( int fd );
diff --git a/tests/openpgp/ChangeLog b/tests/openpgp/ChangeLog
index 5518b6cd1..c4179d474 100644
--- a/tests/openpgp/ChangeLog
+++ b/tests/openpgp/ChangeLog
@@ -1,3 +1,9 @@
+2007-03-04 David Shaw (wk)
+
+ * verify.test: Use --allow-multiple-messages instead of
+ --allow-multisig-verification. Two clearsigs in a row counds as a
+ multiple-message test.
+
 2006-11-16 Werner Koch
 * Makefile.am (plain-large): Use gpg.texi instead of FAQ which
diff --git a/tests/openpgp/verify.test b/tests/openpgp/verify.test
index e6a61fc1b..41bd94a3f 100755
--- a/tests/openpgp/verify.test
+++ b/tests/openpgp/verify.test
@@ -121,8 +121,8 @@ IHBlb3BsZS4K
 # Two standard signed messages in a row
-tests="$tests msg_olsols_asc_multisig"
-msg_olsols_asc_multisig='-----BEGIN PGP MESSAGE-----
+tests="$tests msg_olsols_asc_multiple"
+msg_olsols_asc_multiple='-----BEGIN PGP MESSAGE-----
 kA0DAAIRLXJ8x2hpdzQBrQEHYgNtc2dEDFJaSSB0aGluayB0aGF0IGFsbCByaWdo
 dC10aGlua2luZyBwZW9wbGUgaW4gdGhpcyBjb3VudHJ5IGFyZSBzaWNrIGFuZAp0
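Review bot: `#define STATUS_ERROR 85` introduces a status code whose argument format is fixed only by its single caller in mainproc.c (`"proc_pkt.plaintext 89_BAD_DATA"`), and nothing here tells future callers or status-fd consumers what the fields mean. Add a comment beside the define, e.g. `/* ERROR <location> <errcode>_<errname>: a non-fatal error at LOCATION; errcode is the gpg-error code number.  */`, so the format stays stable as more call sites start emitting it. Whether the user-facing status-code documentation was updated is not visible in this diff.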
@@ -215,8 +215,8 @@ EOF
 `
 # Two clear text signatures in a row
-tests="$tests msg_clsclss_asc"
-msg_clsclss_asc="${msg_cls_asc}
+tests="$tests msg_clsclss_asc_multiple"
+msg_clsclss_asc_multiple="${msg_cls_asc}
 ${msg_clss_asc}"
@@ -233,8 +233,8 @@ for i in $tests ; do
 msg_*_asc)
 $GPG --verify x || error "verify of $i failed"
 ;;
- msg_*_asc_multisig)
- $GPG --verify --allow-multisig-verification x \
+ msg_*_asc_multiple)
+ $GPG --verify --allow-multiple-messages x \
 || error "verify of $i failed"
 $GPG --verify x && error "verify of $i succeeded but should not"
 ;;
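Review bot: The negative case `$GPG --verify x && error "verify of $i succeeded but should not"` only checks for a non-zero exit, so it would also pass if the concatenated message were rejected for an unrelated reason (a bad signature, say) rather than by the new multiple-plaintext check. Since this assertion is what pins the new default, consider also requiring the specific status line, e.g. `$GPG --status-fd 1 --verify x 2>/dev/null | grep -q '^\[GNUPG:\] ERROR proc_pkt.plaintext' || error "no ERROR status for $i"`. The surrounding `case` statement continues outside the hunk.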