mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
Ported multiple-messages protection.
This commit is contained in:
parent
f6243073a8
commit
9491ab44c5
7
NEWS
7
NEWS
@ -1,6 +1,13 @@
|
||||
Noteworthy changes in version 2.0.3
|
||||
------------------------------------------------
|
||||
|
||||
* By default, do not allow processing multiple plaintexts in a single
|
||||
stream. Many programs that called GnuPG were assuming that GnuPG
|
||||
did not permit this, and were thus not using the plaintext boundary
|
||||
status tags that GnuPG provides. This change makes GnuPG reject
|
||||
such messages by default which makes those programs safe again.
|
||||
--allow-multiple-messages returns to the old behavior.
|
||||
|
||||
* New --verify-option show-primary-uid-only.
|
||||
|
||||
|
||||
|
@ -1,3 +1,8 @@
|
||||
2007-03-04 David Shaw <dshaw@jabberwocky.com>
|
||||
|
||||
* gpg.texi (GPG Esoteric Options): Document
|
||||
--allow-multiple-messages.
|
||||
|
||||
2007-02-26 Werner Koch <wk@g10code.com>
|
||||
|
||||
* gpg.texi (GPG Configuration): Document envvar LANGUAGE.
|
||||
|
14
doc/gpg.texi
14
doc/gpg.texi
@ -1985,7 +1985,7 @@ SHA224, SHA384, and SHA512 digests.
|
||||
@c ******** ESOTERIC OPTIONS ***************
|
||||
@c *******************************************
|
||||
@node GPG Esoteric Options
|
||||
@subsection Doing things one usually don't want to do.
|
||||
@subsection Doing things one usually doesn't want to do.
|
||||
|
||||
@table @gnupgtabopt
|
||||
|
||||
@ -2380,11 +2380,13 @@ absolute date in the form YYYY-MM-DD. Defaults to "0".
|
||||
@item --allow-secret-key-import
|
||||
This is an obsolete option and is not used anywhere.
|
||||
|
||||
@item --allow-multisig-verification
|
||||
Allow verification of concatenated signed messages. This will run a
|
||||
signature verification for each data+signature block. There are some
|
||||
security issues with this option and thus it is off by default. Note
|
||||
that versions of GPG prior to version 1.4.3 implicitly allowed this.
|
||||
@item --allow-multiple-messages
|
||||
@item --no-allow-multiple-messages
|
||||
Allow processing of multiple OpenPGP messages contained in a single
|
||||
file or stream. Some programs that call GPG are not prepared to deal
|
||||
with multiple messages being processed together, so this option
|
||||
defaults to no. Note that versions of GPG prior to 1.4.7 always
|
||||
allowed multiple messages.
|
||||
|
||||
@item --enable-special-filenames
|
||||
This options enables a mode in which filenames of the form
|
||||
|
@ -1,3 +1,20 @@
|
||||
2007-03-05 Werner Koch <wk@g10code.com>
|
||||
|
||||
Converted this file to UTF-8.
|
||||
|
||||
Ported David and my multiple messages changes from 1.4.7.
|
||||
|
||||
* options.h, gpg.c (main), mainproc.c (check_sig_and_print): Allow
|
||||
multiple sig verification again as this is protected via the
|
||||
multiple-messages code. New option --allow-multiple-messages and
|
||||
--no variant.
|
||||
* status.h (STATUS_ERROR): New status code.
|
||||
* status.c (get_status_string): Ditto.
|
||||
* mainproc.c (proc_plaintext): Emit it if multiple messages are
|
||||
detected. Error out if more than one plaintext packet is
|
||||
encountered.
|
||||
* mainproc.c (literals_seen): New.
|
||||
|
||||
2007-02-26 Werner Koch <wk@g10code.com>
|
||||
|
||||
* gpg.c (main): Add verify option show-primary-uid-only.
|
||||
@ -1756,7 +1773,7 @@
|
||||
2003-04-10 Werner Koch <wk@gnupg.org>
|
||||
|
||||
* passphrase.c (read_passphrase_from_fd): Do a dummy read if the
|
||||
agent is to be used. Noted by Ingo Klöcker.
|
||||
agent is to be used. Noted by Ingo Klöcker.
|
||||
(agent_get_passphrase): Inhibit caching when we have no
|
||||
fingerprint. This is required for key generation as well as for
|
||||
symmetric only encryption.
|
||||
@ -2699,7 +2716,7 @@
|
||||
warning.
|
||||
|
||||
* passphrase.c (agent_get_passphrase): Fixed signed/unsigned char
|
||||
problem in %-escaping. Noted by Ingo Klöcker.
|
||||
problem in %-escaping. Noted by Ingo Klöcker.
|
||||
|
||||
2002-10-03 David Shaw <dshaw@jabberwocky.com>
|
||||
|
||||
@ -7027,12 +7044,12 @@ Fri Feb 11 17:44:40 CET 2000 Werner Koch <wk@gnupg.de>
|
||||
Thu Feb 10 17:39:44 CET 2000 Werner Koch <wk@gnupg.de>
|
||||
|
||||
* keyedit.c (menu_expire): Fixed segv due to unitialized sub_pk.
|
||||
By Rémi.
|
||||
By Rémi.
|
||||
|
||||
Thu Feb 10 11:39:41 CET 2000 Werner Koch <wk@gnupg.de>
|
||||
|
||||
* keylist.c (list_keyblock): Don't print warnings in the middle of
|
||||
regulat output lines. By Rémi.
|
||||
regulat output lines. By Rémi.
|
||||
|
||||
* sig-check.c: Include options.h
|
||||
|
||||
@ -7622,7 +7639,7 @@ Mon May 31 19:41:10 CEST 1999 Werner Koch <wk@isil.d.shuttle.de>
|
||||
* g10.c (main): Fix for SHM init (Michael).
|
||||
|
||||
* compress.c, encr-data.c, mdfilter.c,
|
||||
plaintext.c, free-packet.c: Speed patches (Rémi).
|
||||
plaintext.c, free-packet.c: Speed patches (Rémi).
|
||||
|
||||
Thu May 27 09:40:55 CEST 1999 Werner Koch <wk@isil.d.shuttle.de>
|
||||
|
||||
@ -7647,7 +7664,7 @@ Wed May 26 14:36:29 CEST 1999 Werner Koch <wk@isil.d.shuttle.de>
|
||||
Tue May 25 19:50:32 CEST 1999 Werner Koch <wk@isil.d.shuttle.de>
|
||||
|
||||
* sign.c (sign_file): Always use compression algo 1 for signed
|
||||
onyl file becuase we can´ be sure the the verifier supports other
|
||||
onyl file becuase we can´ be sure the the verifier supports other
|
||||
algorithms.
|
||||
|
||||
* build-packet.c (build_sig_subpkt): Support for notation data.
|
||||
@ -7837,7 +7854,7 @@ Wed Apr 7 20:51:39 CEST 1999 Werner Koch <wk@isil.d.shuttle.de>
|
||||
(protect_secret_key). Ditto.
|
||||
* misc.c (print_cipher_algo_note): Twofish is now a standard algo.
|
||||
|
||||
* keygen.c (do_create): Fixed spelling (Gaël Quéri)
|
||||
* keygen.c (do_create): Fixed spelling (Gaël Quéri)
|
||||
(ask_keysize): Only allow keysizes up to 4096
|
||||
|
||||
* ringedit.c (add_keyblock_resource): chmod newly created secrings.
|
||||
@ -7880,7 +7897,7 @@ Wed Mar 17 13:09:03 CET 1999 Werner Koch <wk@isil.d.shuttle.de>
|
||||
|
||||
* trustdb.c (insert_trust_record): Always use the primary key.
|
||||
|
||||
* encode.c (encode_simple): Added text_mode filter (Rémi Guyomarch)
|
||||
* encode.c (encode_simple): Added text_mode filter (Rémi Guyomarch)
|
||||
(encode_crypt): Ditto.
|
||||
|
||||
* mainproc.c (proc_pubkey_enc): Added status ENC_TO.
|
||||
@ -9261,7 +9278,7 @@ Wed Apr 8 13:40:33 1998 Werner Koch (wk@isil.d.shuttle.de)
|
||||
|
||||
Wed Apr 8 09:47:21 1998 Werner Koch (wk@isil.d.shuttle.de)
|
||||
|
||||
* sig-check.c (do_check): Applied small fix from Ulf Möller.
|
||||
* sig-check.c (do_check): Applied small fix from Ulf Möller.
|
||||
|
||||
Tue Apr 7 19:28:07 1998 Werner Koch (wk@isil.d.shuttle.de)
|
||||
|
||||
@ -9640,7 +9657,7 @@ Thu Feb 12 22:24:42 1998 Werner Koch (wk@frodo)
|
||||
|
||||
|
||||
Copyright 1998,1999,2000,2001,2002,2003,2004,2005,
|
||||
2006 Free Software Foundation, Inc.
|
||||
2006,2007 Free Software Foundation, Inc.
|
||||
|
||||
This file is free software; as a special exception the author gives
|
||||
unlimited permission to copy and/or distribute it, with or without
|
||||
|
17
g10/gpg.c
17
g10/gpg.c
@ -357,6 +357,8 @@ enum cmd_and_opt_values
|
||||
oAllowMultisigVerification,
|
||||
oEnableDSA2,
|
||||
oDisableDSA2,
|
||||
oAllowMultipleMessages,
|
||||
oNoAllowMultipleMessages,
|
||||
|
||||
oNoop
|
||||
};
|
||||
@ -692,6 +694,8 @@ static ARGPARSE_OPTS opts[] = {
|
||||
{ oAllowMultisigVerification, "allow-multisig-verification", 0, "@"},
|
||||
{ oEnableDSA2, "enable-dsa2", 0, "@"},
|
||||
{ oDisableDSA2, "disable-dsa2", 0, "@"},
|
||||
{ oAllowMultipleMessages, "allow-multiple-messages", 0, "@"},
|
||||
{ oNoAllowMultipleMessages, "no-allow-multiple-messages", 0, "@"},
|
||||
|
||||
/* These two are aliases to help users of the PGP command line
|
||||
product use gpg with minimal pain. Many commands are common
|
||||
@ -2807,13 +2811,18 @@ main (int argc, char **argv )
|
||||
release_akl();
|
||||
break;
|
||||
|
||||
case oAllowMultisigVerification:
|
||||
opt.allow_multisig_verification = 1;
|
||||
break;
|
||||
|
||||
case oEnableDSA2: opt.flags.dsa2=1; break;
|
||||
case oDisableDSA2: opt.flags.dsa2=0; break;
|
||||
|
||||
case oAllowMultisigVerification:
|
||||
case oAllowMultipleMessages:
|
||||
opt.flags.allow_multiple_messages=1;
|
||||
break;
|
||||
|
||||
case oNoAllowMultipleMessages:
|
||||
opt.flags.allow_multiple_messages=0;
|
||||
break;
|
||||
|
||||
case oNoop: break;
|
||||
|
||||
default : pargs.err = configfp? 1:2; break;
|
||||
|
@ -98,10 +98,9 @@ struct mainproc_context
|
||||
|
||||
|
||||
static int do_proc_packets( CTX c, IOBUF a );
|
||||
|
||||
static void list_node( CTX c, KBNODE node );
|
||||
static void proc_tree( CTX c, KBNODE node );
|
||||
|
||||
static int literals_seen;
|
||||
|
||||
static void
|
||||
release_list( CTX c )
|
||||
@ -596,6 +595,8 @@ proc_plaintext( CTX c, PACKET *pkt )
|
||||
int any, clearsig, only_md5, rc;
|
||||
KBNODE n;
|
||||
|
||||
literals_seen++;
|
||||
|
||||
if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
|
||||
log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
|
||||
else if( opt.verbose )
|
||||
@ -683,6 +684,22 @@ proc_plaintext( CTX c, PACKET *pkt )
|
||||
gcry_md_start_debug ( c->mfx.md2, "verify2" );
|
||||
}
|
||||
|
||||
rc=0;
|
||||
|
||||
if (literals_seen>1)
|
||||
{
|
||||
log_info (_("WARNING: multiple plaintexts seen\n"));
|
||||
|
||||
if (!opt.flags.allow_multiple_messages)
|
||||
{
|
||||
write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
|
||||
log_inc_errorcount ();
|
||||
rc = gpg_error (GPG_ERR_UNEXPECTED);
|
||||
}
|
||||
}
|
||||
|
||||
if(!rc)
|
||||
{
|
||||
rc = handle_plaintext( pt, &c->mfx, c->sigs_only, clearsig );
|
||||
if ( gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only )
|
||||
{
|
||||
@ -690,6 +707,7 @@ proc_plaintext( CTX c, PACKET *pkt )
|
||||
signature. */
|
||||
rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
|
||||
}
|
||||
}
|
||||
|
||||
if( rc )
|
||||
log_error( "handle plaintext failed: %s\n", g10_errstr(rc));
|
||||
@ -1512,8 +1530,17 @@ check_sig_and_print( CTX c, KBNODE node )
|
||||
n_sig++;
|
||||
if (!n_sig)
|
||||
goto ambiguous;
|
||||
|
||||
/* If we wanted to disallow multiple sig verification, we'd do
|
||||
something like this:
|
||||
|
||||
if (n && !opt.allow_multisig_verification)
|
||||
goto ambiguous;
|
||||
|
||||
However, now that we have --allow-multiple-messages, this
|
||||
can stay allowable as we can't get here unless multiple
|
||||
messages (i.e. multiple literals) are allowed. */
|
||||
|
||||
if (n_onepass != n_sig)
|
||||
{
|
||||
log_info ("number of one-pass packets does not match "
|
||||
|
@ -227,6 +227,7 @@ struct
|
||||
unsigned int use_embedded_filename:1;
|
||||
unsigned int utf8_filename:1;
|
||||
unsigned int dsa2:1;
|
||||
unsigned int allow_multiple_messages:1;
|
||||
} flags;
|
||||
|
||||
/* Linked list of ways to find a key if the key isn't on the local
|
||||
@ -238,8 +239,6 @@ struct
|
||||
struct akl *next;
|
||||
} *auto_key_locate;
|
||||
|
||||
/* True if multiple concatenated signatures may be verified. */
|
||||
int allow_multisig_verification;
|
||||
int passwd_repeat;
|
||||
} opt;
|
||||
|
||||
|
@ -148,6 +148,7 @@ get_status_string ( int no )
|
||||
case STATUS_PKA_TRUST_BAD : s = "PKA_TRUST_BAD"; break;
|
||||
case STATUS_PKA_TRUST_GOOD : s = "PKA_TRUST_GOOD"; break;
|
||||
case STATUS_BEGIN_SIGNING : s = "BEGIN_SIGNING"; break;
|
||||
case STATUS_ERROR : s = "ERROR"; break;
|
||||
default: s = "?"; break;
|
||||
}
|
||||
return s;
|
||||
|
@ -120,6 +120,8 @@
|
||||
|
||||
#define STATUS_BEGIN_SIGNING 84
|
||||
|
||||
#define STATUS_ERROR 85
|
||||
|
||||
|
||||
/*-- status.c --*/
|
||||
void set_status_fd ( int fd );
|
||||
|
@ -1,3 +1,9 @@
|
||||
2007-03-04 David Shaw <dshaw@jabberwocky.com> (wk)
|
||||
|
||||
* verify.test: Use --allow-multiple-messages instead of
|
||||
--allow-multisig-verification. Two clearsigs in a row counds as a
|
||||
multiple-message test.
|
||||
|
||||
2006-11-16 Werner Koch <wk@g10code.com>
|
||||
|
||||
* Makefile.am (plain-large): Use gpg.texi instead of FAQ which
|
||||
|
@ -121,8 +121,8 @@ IHBlb3BsZS4K
|
||||
|
||||
|
||||
# Two standard signed messages in a row
|
||||
tests="$tests msg_olsols_asc_multisig"
|
||||
msg_olsols_asc_multisig='-----BEGIN PGP MESSAGE-----
|
||||
tests="$tests msg_olsols_asc_multiple"
|
||||
msg_olsols_asc_multiple='-----BEGIN PGP MESSAGE-----
|
||||
|
||||
kA0DAAIRLXJ8x2hpdzQBrQEHYgNtc2dEDFJaSSB0aGluayB0aGF0IGFsbCByaWdo
|
||||
dC10aGlua2luZyBwZW9wbGUgaW4gdGhpcyBjb3VudHJ5IGFyZSBzaWNrIGFuZAp0
|
||||
@ -215,8 +215,8 @@ EOF
|
||||
`
|
||||
|
||||
# Two clear text signatures in a row
|
||||
tests="$tests msg_clsclss_asc"
|
||||
msg_clsclss_asc="${msg_cls_asc}
|
||||
tests="$tests msg_clsclss_asc_multiple"
|
||||
msg_clsclss_asc_multiple="${msg_cls_asc}
|
||||
${msg_clss_asc}"
|
||||
|
||||
|
||||
@ -233,8 +233,8 @@ for i in $tests ; do
|
||||
msg_*_asc)
|
||||
$GPG --verify x || error "verify of $i failed"
|
||||
;;
|
||||
msg_*_asc_multisig)
|
||||
$GPG --verify --allow-multisig-verification x \
|
||||
msg_*_asc_multiple)
|
||||
$GPG --verify --allow-multiple-messages x \
|
||||
|| error "verify of $i failed"
|
||||
$GPG --verify x && error "verify of $i succeeded but should not"
|
||||
;;
|
||||
|
Loading…
x
Reference in New Issue
Block a user