* scd/command.c (cmd_readkey): avoid double-free of cert
--
When ksba_cert_new() fails, cert will be double-freed.
Debian-Bug-Id: 773471
Original patch changed by wk to do the free only at leave.
* common/iobuf.c: (iobuf_open): initialize len
--
In iobuf_open, IOBUFCTRL_DESC and IOBUFCTRL_INIT commands are invoked
(via file_filter()) on fcx, passing in a pointer to an uninitialized
len.
With these two commands, file_filter doesn't actually do anything with
the value of len, so there's no actual risk of use of uninitialized
memory in the code as it stands.
However, some static analysis tools might flag this situation with a
warning, and initializing the value doesn't hurt anything, so i think
this trivial cleanup is warranted.
Debian-Bug-Id: 773469
* common/dotlock.c: (dotlock_create_unix) avoid double-close()
in unusual situations.
--
close(2) says:
close() should not be retried after an EINTR since this may
cause a reused descriptor from another thread to be closed.
Before this patch was applied, if close(fd) failed with EINTR, it
would be closed again in the write_failed: block.
It could also have been closed a second time in the case that
(use_hardlinks_p (h->tname)) evaluated to something other than 0 or 1.
This patch avoids both of those scenarios.
Note that close() could still be called twice on the same file
descriptor if the first close(fd) fails but errno is not EINTR. I'm
not sure the right thing to do in that scenario. An alternate
resolution could be to unequivocally set fd to -1 after the first
failed close(fd), avoiding the errno == EINTR test.
Debian-Bug-Id: 773423
* tools/gpgkey2ssh.c (key_to_blob) : ensure that va_end is called.
--
stdarg(3) says:
Each invocation of va_start() must be matched by a
corresponding invocation of va_end() in the same function.
Observed by Joshua Rogers <honey@internot.info>
Debian-Bug-Id: 773415
* dirmngr/crlfetch.c (crl_fetch): Check that URL is not NULL.
--
Reported-by: Joshua Rogers <git@internot.info>
"Remove un-needed check. If 'url' were not to be true,
http_parse_uri(parse_uri(do_parse_uri))) would fail, leaving 'err'
false."
In addition I added an explicit check for the URL arg not beeing NULL.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL.
* sm/gpgsm.c (parse_keyserver_line): Ditto.
--
Reported-by: Joshua Rogers <git@internot.info>
"If something inside the ldapserver_parse_one function failed,
'server' would be freed, then returned, leading to a
use-after-free. This code is likely copied from sm/gpgsm.c, which
was also susceptible to this bug."
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/divert-scd.c (divert_pkdecrypt): Support ECDH.
* scd/app-openpgp.c (get_algo_byte, store_fpr): Support ECDH.
(send_key_attr): Support ECDH. Fix EdDSA algorithm value.
(retrieve_key_material): Initialize fields.
(get_public_key, ecc_writekey, do_writekey): Support ECDH.
(ecdh_writekey): Remove.
(do_decipher): Support ECDH.
(parse_algorithm_attribute): Support ECDH. Fix EdDSA.
--
Following the gpg-agent protocol, SCDaemon's counter part is now
implemented.
* agent/gpg-agent.c (finalize_rereadable_options): New.
(main, reread_configuration): Call it.
--
This change should help to avoid surprising behaviour.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/command-ssh.c (setup_ssh_env): Move code to ...
* agent/gpg-agent.c (agent_copy_startup_env): .. new function. Change
calllers.
* agent/command.c (start_command_handler): Call that fucntion for
restricted connections.
--
A remote connection is and should not be able to setup the local
session environment. However, unless --keep-display is used we would
be left without an environment and thus pinentry can't be used. The
fix is the same as used for ssh-agent connection: We use the default
environment as used at the startup of the agent.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/util.h (GPG_ERR_OBJ_TERM_STATE): New.
* scd/iso7816.c (map_sw): Add this error code.
* scd/app-openpgp.c (do_getattr): Return the life cycle indicator.
* scd/app.c (select_application): Allow a return value of
GPG_ERR_OBJ_TERM_STATE.
* scd/scdaemon.c (set_debug): Print the DBG_READER value.
* g10/call-agent.c (start_agent): Print a status line for the
termination state.
(agent_scd_learn): Make arg "info" optional.
(agent_scd_apdu): New.
* g10/card-util.c (send_apdu): New.
(factory_reset): New.
(card_edit): Add command factory-reset.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/misc.c (pct_expando): Reorder conditions for clarity.
* g10/sign.c (write_signature_packets): Fix notation data creation.
--
Also re-added the check for signature version > 3.
Reported-by: MFPA
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/command.c (cmd_learn): Add option --sendinfo.
* agent/learncard.c (agent_handle_learn): Add arg "send" andsend
certifciate only if that is set.
* g10/call-agent.c (agent_scd_learn): Use --sendinfo. Make INFO
optional.
(agent_learn): Remove.
* g10/keygen.c (gen_card_key): Replace agent_learn by agent_scd_learn.
--
The requirement of using --card-status on the first use of card on a
new box is a bit annoying but the alternative of always checking
whether a card is available before a decryption starts does not sound
promising either.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/parse-packet.c (can_handle_critical): Check content length
before calling can_handle_critical_notation.
--
The problem was found by Jan Bee and gniibe proposed the used fix.
Thanks.
This bug can't be exploited: Only if the announced length of the
notation is 21 or 32 a memcmp against fixed strings using that length
would be done. The compared data is followed by the actual signature
and thus it is highly likely that not even read of unallocated memory
will happen. Nevertheless such a bug needs to be fixed.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/http.c (send_request): Print TLS alert info
(connect_server): Detect bogus DNS entry.
--
1. Prints the TLS alert description.
2. Detect case where the DNS returns an IP address but the server is
not reachable at this address. This may happen for a server which
is reachable only at IPv6 but but the local machine has no full
IPv6 configuration.
* g10/options.h (opt): Remove keyserver_options.other.
* g10/gpg.c (main): Obsolete option --honor-http-proxt.
* g10/keyserver.c (add_canonical_option): Replace by ...
(warn_kshelper_option): New.
(parse_keyserver_uri): Obsolete "x-broken-http".
--
Some of these options are deprecated for 10 years and they do not make
any sense without the keyserver helpers. For one we print a hint on
how to replace it:
gpg: keyserver option 'ca-cert-file' is obsolete; \
please use 'hkp-cacert' in dirmngr.conf
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-hkp.c (map_host): Change to return an gpg_error_t.
Return an error code for all dead hosts.
(make_host_part): Change to return an gpg_error_t. Change all
callers.
--
The functions used to return an error code via ERRNO. However, this
does not allow to return extra error codes in a portable way. Thus we
change the function to directly return a gpg_error_t.
Signed-off-by: Werner Koch <wk@gnupg.org>
doc: Document no-allow-mark-trusted for gpg-agent
* doc/gpg-agent.texi: Change allow-mark-trusted doc to
no-allow-mark-trusted.
--
Since rev. 78a56b14 allow-mark-trusted is the default option
and was replaced by no-allow-mark-trusted to disable the
interactive prompt.
Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
* g10/import.c (import): Skip too large keys.
* kbx/keybox-file.c (IMAGELEN_LIMIT): Change limit from 2MB to 5MB.
--
The key which triggered the problem was 0x57930DAB0B86B067. With this
patch it can be imported. Keys larger than the now increased limit of
5MB will are skipped and the already existing not_imported counter is
bumped up.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac (AC_CHECK_HEADERS): Check for sys.select.h
* tools/watchgnupg.c: Include it.
--
It seems http://www.musl-libc.org/ is quite limited and requires
the use sys/select.h instead of unistd.h et al.
* scd/scdaemon.c (ENAMETOOLONG): New.
(redir_socket_name): New.
(cleanup): Take care of a redirected socket.
(main): Pass redir_socket_name to create_server_socket.
(create_socket_name): Remove superfluous length check.
(create_server_socket): Add arg r_redir_name and implement
redirection. Replace assert for older Assuan by an error message.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/gpg-agent.c (ENAMETOOLONG): New.
(redir_socket_name, redir_socket_name_extra)
(redir_socket_name_ssh): New.
(remove_socket): Take care of the redir names.
(main): Pass the redir names to create_server_socket.
(create_socket_name): Remove length check - that is anyway done later.
(create_server_socket): Add arg r_redir_name and implement redirection
if Libassuan is at least 2.14.
