Ported multiple-messages protection.

NEWS

@@ -1,6 +1,13 @@
 Noteworthy changes in version 2.0.3
 ------------------------------------------------
 
+ * By default, do not allow processing multiple plaintexts in a single
+   stream.  Many programs that called GnuPG were assuming that GnuPG
+   did not permit this, and were thus not using the plaintext boundary
+   status tags that GnuPG provides.  This change makes GnuPG reject
+   such messages by default which makes those programs safe again.
+   --allow-multiple-messages returns to the old behavior.
+
  * New --verify-option show-primary-uid-only. 
 
 

doc/ChangeLog

@@ -1,3 +1,8 @@
+2007-03-04  David Shaw  <dshaw@jabberwocky.com>
+
+	* gpg.texi (GPG Esoteric Options): Document
+	--allow-multiple-messages.
+
 2007-02-26  Werner Koch  <wk@g10code.com>
 
 	* gpg.texi (GPG Configuration): Document envvar LANGUAGE.

doc/gpg.texi

@@ -1985,7 +1985,7 @@ SHA224, SHA384, and SHA512 digests.
 @c ********  ESOTERIC OPTIONS  ***************
 @c *******************************************
 @node GPG Esoteric Options
-@subsection Doing things one usually don't want to do.
+@subsection Doing things one usually doesn't want to do.
 
 @table @gnupgtabopt
 
@@ -2380,11 +2380,13 @@ absolute date in the form YYYY-MM-DD. Defaults to "0".
 @item --allow-secret-key-import
 This is an obsolete option and is not used anywhere.
 
-@item --allow-multisig-verification
+@item --allow-multiple-messages
-Allow verification of concatenated signed messages. This will run a
+@item --no-allow-multiple-messages
-signature verification for each data+signature block. There are some
+Allow processing of multiple OpenPGP messages contained in a single
-security issues with this option and thus it is off by default. Note
+file or stream.  Some programs that call GPG are not prepared to deal
-that versions of GPG prior to version 1.4.3 implicitly allowed this.
+with multiple messages being processed together, so this option
+defaults to no.  Note that versions of GPG prior to 1.4.7 always
+allowed multiple messages.
 
 @item --enable-special-filenames
 This options enables a mode in which filenames of the form

g10/ChangeLog

@@ -1,3 +1,20 @@
+2007-03-05  Werner Koch  <wk@g10code.com>
+
+	Converted this file to UTF-8.
+	
+	Ported David and my multiple messages changes from 1.4.7.
+
+	* options.h, gpg.c (main), mainproc.c (check_sig_and_print): Allow
+	multiple sig verification again as this is protected via the
+	multiple-messages code.  New option --allow-multiple-messages and
+	--no variant.
+	* status.h (STATUS_ERROR): New status code.
+	* status.c (get_status_string): Ditto.
+	* mainproc.c (proc_plaintext): Emit it if multiple messages are
+ 	detected. Error out if more than one plaintext packet is
+ 	encountered.	
+	* mainproc.c (literals_seen): New.
+
 2007-02-26  Werner Koch  <wk@g10code.com>
 
 	* gpg.c (main): Add verify option show-primary-uid-only.
@@ -1756,7 +1773,7 @@
 2003-04-10  Werner Koch  <wk@gnupg.org>
 
 	* passphrase.c (read_passphrase_from_fd): Do a dummy read if the
-	agent is to be used.  Noted by Ingo Klöcker.
+	agent is to be used.  Noted by Ingo Klöcker.
 	(agent_get_passphrase): Inhibit caching when we have no
 	fingerprint.  This is required for key generation as well as for
 	symmetric only encryption.
@@ -2699,7 +2716,7 @@
 	warning.
 
 	* passphrase.c (agent_get_passphrase): Fixed signed/unsigned char
-	problem in %-escaping.  Noted by Ingo Klöcker.
+	problem in %-escaping.  Noted by Ingo Klöcker.
 
 2002-10-03  David Shaw  <dshaw@jabberwocky.com>
 
@@ -7027,12 +7044,12 @@ Fri Feb 11 17:44:40 CET 2000  Werner Koch  <wk@gnupg.de>
 Thu Feb 10 17:39:44 CET 2000  Werner Koch  <wk@gnupg.de>
 
 	* keyedit.c (menu_expire): Fixed segv due to unitialized sub_pk.
-	By Rémi.
+	By Rémi.
 
 Thu Feb 10 11:39:41 CET 2000  Werner Koch  <wk@gnupg.de>
 
 	* keylist.c (list_keyblock): Don't print warnings in the middle of
-	regulat output lines.  By Rémi.
+	regulat output lines.  By Rémi.
 
 	* sig-check.c: Include options.h
 
@@ -7622,7 +7639,7 @@ Mon May 31 19:41:10 CEST 1999  Werner Koch  <wk@isil.d.shuttle.de>
 	* g10.c (main): Fix for SHM init (Michael).
 
 	* compress.c, encr-data.c, mdfilter.c,
-	  plaintext.c, free-packet.c: Speed patches (Rémi).
+	  plaintext.c, free-packet.c: Speed patches (Rémi).
 
 Thu May 27 09:40:55 CEST 1999  Werner Koch  <wk@isil.d.shuttle.de>
 
@@ -7647,7 +7664,7 @@ Wed May 26 14:36:29 CEST 1999  Werner Koch  <wk@isil.d.shuttle.de>
 Tue May 25 19:50:32 CEST 1999  Werner Koch  <wk@isil.d.shuttle.de>
 
 	* sign.c (sign_file): Always use compression algo 1 for signed
-	onyl file becuase we can´ be sure the the verifier supports other
+	onyl file becuase we can´ be sure the the verifier supports other
 	algorithms.
 
 	* build-packet.c (build_sig_subpkt): Support for notation data.
@@ -7837,7 +7854,7 @@ Wed Apr  7 20:51:39 CEST 1999  Werner Koch  <wk@isil.d.shuttle.de>
 	(protect_secret_key). Ditto.
 	* misc.c (print_cipher_algo_note): Twofish is now a standard algo.
 
-	* keygen.c (do_create): Fixed spelling (Gaël Quéri)
+	* keygen.c (do_create): Fixed spelling (Gaël Quéri)
 	(ask_keysize): Only allow keysizes up to 4096
 
 	* ringedit.c (add_keyblock_resource): chmod newly created secrings.
@@ -7880,7 +7897,7 @@ Wed Mar 17 13:09:03 CET 1999  Werner Koch  <wk@isil.d.shuttle.de>
 
 	* trustdb.c (insert_trust_record): Always use the primary key.
 
-	* encode.c (encode_simple): Added text_mode filter (Rémi Guyomarch)
+	* encode.c (encode_simple): Added text_mode filter (Rémi Guyomarch)
 	(encode_crypt): Ditto.
 
 	* mainproc.c (proc_pubkey_enc): Added status ENC_TO.
@@ -9261,7 +9278,7 @@ Wed Apr  8 13:40:33 1998  Werner Koch  (wk@isil.d.shuttle.de)
 
 Wed Apr  8 09:47:21 1998  Werner Koch  (wk@isil.d.shuttle.de)
 
-	* sig-check.c (do_check): Applied small fix from Ulf Möller.
+	* sig-check.c (do_check): Applied small fix from Ulf Möller.
 
 Tue Apr  7 19:28:07 1998  Werner Koch  (wk@isil.d.shuttle.de)
 
@@ -9640,7 +9657,7 @@ Thu Feb 12 22:24:42 1998  Werner Koch  (wk@frodo)
 
 
  Copyright 1998,1999,2000,2001,2002,2003,2004,2005,
-	   2006 Free Software Foundation, Inc.
+	   2006,2007 Free Software Foundation, Inc.
 
  This file is free software; as a special exception the author gives
  unlimited permission to copy and/or distribute it, with or without

g10/gpg.c

@@ -357,6 +357,8 @@ enum cmd_and_opt_values
     oAllowMultisigVerification,
     oEnableDSA2,
     oDisableDSA2,
+    oAllowMultipleMessages,
+    oNoAllowMultipleMessages,
 
     oNoop
   };
@@ -692,6 +694,8 @@ static ARGPARSE_OPTS opts[] = {
     { oAllowMultisigVerification, "allow-multisig-verification", 0, "@"},
     { oEnableDSA2, "enable-dsa2", 0, "@"},
     { oDisableDSA2, "disable-dsa2", 0, "@"},
+    { oAllowMultipleMessages, "allow-multiple-messages", 0, "@"},
+    { oNoAllowMultipleMessages, "no-allow-multiple-messages", 0, "@"},
 
     /* These two are aliases to help users of the PGP command line
        product use gpg with minimal pain.  Many commands are common
@@ -2807,13 +2811,18 @@ main (int argc, char **argv )
 	    release_akl();
 	    break;
 
-          case oAllowMultisigVerification:
-            opt.allow_multisig_verification = 1;
-            break;
-
 	  case oEnableDSA2: opt.flags.dsa2=1; break;
 	  case oDisableDSA2: opt.flags.dsa2=0; break;
 
+          case oAllowMultisigVerification:
+	  case oAllowMultipleMessages:
+	    opt.flags.allow_multiple_messages=1;
+	    break;
+
+	  case oNoAllowMultipleMessages:
+	    opt.flags.allow_multiple_messages=0;
+	    break;
+
 	  case oNoop: break;
 
 	  default : pargs.err = configfp? 1:2; break;

g10/mainproc.c

@@ -98,10 +98,9 @@ struct mainproc_context
 
 
 static int do_proc_packets( CTX c, IOBUF a );
-
 static void list_node( CTX c, KBNODE node );
 static void proc_tree( CTX c, KBNODE node );
-
+static int literals_seen;
 
 static void
 release_list( CTX c )
@@ -596,6 +595,8 @@ proc_plaintext( CTX c, PACKET *pkt )
     int any, clearsig, only_md5, rc;
     KBNODE n;
 
+    literals_seen++;
+
     if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
 	log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
     else if( opt.verbose )
@@ -683,12 +684,29 @@ proc_plaintext( CTX c, PACKET *pkt )
 	    gcry_md_start_debug ( c->mfx.md2, "verify2" );
     }
 
-    rc = handle_plaintext( pt, &c->mfx, c->sigs_only, clearsig );
+    rc=0;
-    if ( gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only ) 
+
+    if (literals_seen>1)
       {
-        /* Can't write output but we hash it anyway to check the
+	log_info (_("WARNING: multiple plaintexts seen\n"));
-           signature. */
+
-        rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
+	if (!opt.flags.allow_multiple_messages)
+	  {
+            write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
+	    log_inc_errorcount ();
+	    rc = gpg_error (GPG_ERR_UNEXPECTED); 
+	  }
+      }
+    
+    if(!rc)
+      {
+        rc = handle_plaintext( pt, &c->mfx, c->sigs_only, clearsig );
+        if ( gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only ) 
+          {
+            /* Can't write output but we hash it anyway to check the
+               signature. */
+            rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
+          }
       }
 
     if( rc )
@@ -1512,8 +1530,17 @@ check_sig_and_print( CTX c, KBNODE node )
           n_sig++;
         if (!n_sig)
           goto ambiguous;
-        if (n && !opt.allow_multisig_verification)
+
-          goto ambiguous;
+	/* If we wanted to disallow multiple sig verification, we'd do
+	   something like this:
+
+	   if (n && !opt.allow_multisig_verification)
+             goto ambiguous;
+
+	   However, now that we have --allow-multiple-messages, this
+	   can stay allowable as we can't get here unless multiple
+	   messages (i.e. multiple literals) are allowed. */
+
         if (n_onepass != n_sig)
           {
             log_info ("number of one-pass packets does not match "

g10/options.h

@@ -227,6 +227,7 @@ struct
     unsigned int use_embedded_filename:1;
     unsigned int utf8_filename:1;
     unsigned int dsa2:1;
+    unsigned int allow_multiple_messages:1;
   } flags;
 
   /* Linked list of ways to find a key if the key isn't on the local
@@ -238,8 +239,6 @@ struct
     struct akl *next;
   } *auto_key_locate;
 
-  /* True if multiple concatenated signatures may be verified. */
-  int allow_multisig_verification;
   int passwd_repeat;
 } opt;
 

g10/status.c

@@ -148,6 +148,7 @@ get_status_string ( int no )
     case STATUS_PKA_TRUST_BAD  : s = "PKA_TRUST_BAD"; break;
     case STATUS_PKA_TRUST_GOOD : s = "PKA_TRUST_GOOD"; break;
     case STATUS_BEGIN_SIGNING  : s = "BEGIN_SIGNING"; break;
+    case STATUS_ERROR          : s = "ERROR"; break;
     default: s = "?"; break;
     }
   return s;

g10/status.h

@@ -120,6 +120,8 @@
 
 #define STATUS_BEGIN_SIGNING    84
 
+#define STATUS_ERROR  85
+
 
 /*-- status.c --*/
 void set_status_fd ( int fd );

tests/openpgp/ChangeLog

@@ -1,3 +1,9 @@
+2007-03-04  David Shaw  <dshaw@jabberwocky.com>  (wk)
+
+	* verify.test: Use --allow-multiple-messages instead of
+	--allow-multisig-verification.  Two clearsigs in a row counds as a
+	multiple-message test.
+
 2006-11-16  Werner Koch  <wk@g10code.com>
 
 	* Makefile.am (plain-large): Use gpg.texi instead of FAQ which

tests/openpgp/verify.test

@@ -121,8 +121,8 @@ IHBlb3BsZS4K
 
 
 # Two standard signed messages in a row
-tests="$tests msg_olsols_asc_multisig"
+tests="$tests msg_olsols_asc_multiple"
-msg_olsols_asc_multisig='-----BEGIN PGP MESSAGE-----
+msg_olsols_asc_multiple='-----BEGIN PGP MESSAGE-----
 
 kA0DAAIRLXJ8x2hpdzQBrQEHYgNtc2dEDFJaSSB0aGluayB0aGF0IGFsbCByaWdo
 dC10aGlua2luZyBwZW9wbGUgaW4gdGhpcyBjb3VudHJ5IGFyZSBzaWNrIGFuZAp0
@@ -215,8 +215,8 @@ EOF
 `
 
 # Two clear text signatures in a row
-tests="$tests msg_clsclss_asc"
+tests="$tests msg_clsclss_asc_multiple"
-msg_clsclss_asc="${msg_cls_asc}
+msg_clsclss_asc_multiple="${msg_cls_asc}
 ${msg_clss_asc}"
 
 
@@ -233,8 +233,8 @@ for i in $tests ; do
     msg_*_asc)
        $GPG --verify x || error "verify of $i failed"
        ;;
-    msg_*_asc_multisig)
+    msg_*_asc_multiple)
-       $GPG --verify --allow-multisig-verification x \
+       $GPG --verify --allow-multiple-messages x \
            || error "verify of $i failed"
        $GPG --verify x && error "verify of $i succeeded but should not"
        ;;