1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

3991 Commits

Author SHA1 Message Date
Werner Koch
d192ab790c doc: Change remaining http links to gnupg.org to https
--
GnuPG-bug-id: 1830
2015-02-12 19:32:19 +01:00
Werner Koch
824d88ac51 gpg: Prevent an invalid memory read using a garbled keyring.
* g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
types.
--

The keyring DB code did not reject packets which don't belong into a
keyring.  If for example the keyblock contains a literal data packet
it is expected that the processing code stops at the data packet and
reads from the input stream which is referenced from the data packets.
Obviously the keyring processing code does not and cannot do that.
However, when exporting this messes up the IOBUF and leads to an
invalid read of sizeof (int).

We now skip all packets which are not allowed in a keyring.

Reported-by: Hanno Böck <hanno@hboeck.de>

(back ported from commit f0f71a721ccd7ab9e40b8b6b028b59632c0cc648)
2015-02-12 18:58:36 +01:00
Werner Koch
8da836e76f gpg: Fix a NULL-deref in export due to invalid packet lengths.
* g10/build-packet.c (write_fake_data): Take care of a NULL stored as
opaque MPI.
--

Reported-by: Hanno Böck <hanno@hboeck.de>

(back ported from commit 0835d2f44ef62eab51fce6a927908f544e01cf8f)
2015-02-12 18:54:17 +01:00
Werner Koch
7e12ec4c7d gpg: Fix a NULL-deref due to empty ring trust packets.
* g10/parse-packet.c (parse_trust): Always allocate a packet.
--

Reported-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Werner Koch <wk@gnupg.org>

(back ported from commit 39978487863066e59bb657f5fe4e8baab510da7e)
2015-02-12 18:52:07 +01:00
Joshua Rogers
a55c212538 kbx: Fix resource leak.
* kbx/keybox-update.c (blob_filecopy): Fix resource leak.  On error
return, 'fp' and 'newfp' was never closed.

--

Signed-off-by: Joshua Rogers <git@internot.info>

[Log entry reformatted, and added more fixes - gniibe]

(cherry picked from commit 7db6c82cec49b7c56c403a8ea98364086baf75f3)
2015-02-12 18:46:03 +01:00
Werner Koch
2b2adb8594 gpg: Limit the size of key packets to a sensible value.
* g10/parse-packet.c (MAX_KEY_PACKET_LENGTH): New.
(MAX_UID_PACKET_LENGTH): New.
(MAX_COMMENT_PACKET_LENGTH): New.
(MAX_ATTR_PACKET_LENGTH): New.
(parse_key): Limit the size of a key packet to 256k.
(parse_user_id): Use macro for the packet size limit.
(parse_attribute): Ditto.
(parse_comment): Ditto.
--

Without that it is possible to force gpg to allocate large amounts of
memory by using a bad encoded MPI.  This would be an too easy DoS.
Another way to mitigate would be to change the MPI read function to
allocate memory dynamically while reading the MPI.  However, that
complicates and possibly slows down the code.  A too large key packet
is in any case a sign for broken data and thus gpg should not use it.

Reported-by: Hanno Böck
GnuPG-bug-id: 1823
Signed-off-by: Werner Koch <wk@gnupg.org>

(back ported from commit 382ba4b137b42d5f25a7e256bb7c053ee5ac7b64)
2015-02-12 18:45:08 +01:00
Werner Koch
f256bab03e Avoid double-close in unusual dotlock situations.
* jnlib/dotlock.c (create_dotlock): Avoid double close due to EINTR.
--

close(2) says:

  close() should not be retried after an EINTR since this may cause a
  reused descriptor from another thread to be closed.

(backported from commit 628b111fa679612e23c0d46505b1ecbbf091897d)

Debian-Bug-Id: 773423
Signed-off-by: Werner Koch <wk@gnupg.org>
2015-02-12 18:26:58 +01:00
Werner Koch
b2359db21c gpg: Allow predefined names as answer to the keygen.algo prompt.
* g10/keygen.c (ask_algo): Add list of strings.

--
Signed-off-by: Werner Koch <wk@gnupg.org>
(backported from commit b1d5ed6ac842469afcb84868d0f6641dc286a6c7)
2015-01-28 09:24:20 +01:00
Werner Koch
2424028fd9 gpg: Print a warning if the subkey expiration may not be what you want.
* g10/keyedit.c (subkey_expire_warning): New.
keyedit_menu): Call it when needed.
--
GnuPG-bug-id: 1715

The heuristic to detect a problem is not very advanced but it should
catch the most common cases.

(backported from commit ae3d1bbb65b65cf3c57bb14886be120f5e31635d)
2015-01-26 14:55:24 +01:00
Werner Koch
01d6902839 build: Update to gettext 0.19.3. 2015-01-26 14:31:55 +01:00
Werner Koch
c25513cc1b build: Require automake 1.14.
* Makefile.am (AUTOMAKE_OPTIONS): Move to ...
* configure.ac (AM_INIT_AUTOMAKE): here.  Add option serial-tests.
* kbx/Makefile.am (INCLUDES): Remove.  Include ../am/cmacros.
2015-01-26 14:31:49 +01:00
Jedi Lin
43deed7359 po: Yet another update for Chinese (traditional) 2015-01-26 12:10:04 +01:00
Joshua Rogers
3d9f8bf1dc Remove incorrect expression leading to errors.
* scd/ccid-driver.c (send_escape_cmd): Fix setting of 'rc'.
--

Variable 'rc' in send_escape_cmd was overwritten before it was
returned, leading to incorrect computation.

Signed-off-by: Joshua Rogers <git@internot.info>

[Log entry reformatted - wk]
2015-01-25 10:38:26 +01:00
Werner Koch
068ec6c8ed gpgconf: Fix validity check for UINT32 values.
* tools/gpgconf-comp.c (option_check_validity): Enable check for
UINT32.
--

Reported-by: Günther Noack <gnoack@google.com>

This is actually a bug which inhibited the checking of values of type
UINT32.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 3f6abb57a7b5e54b593c5775c8f7a07d61119705)
2015-01-23 15:39:50 +01:00
Joshua Rogers
1298b14f97 tools: Free variable before return
* tools/gpgconf-comp.c: Free 'dest_filename' before it is returned
upon error.
--

Signed-off-by: Joshua Rogers <git@internot.info>
2015-01-13 10:52:23 +09:00
Daniel Kahn Gillmor
ced689e12a sm: Avoid double-free on iconv failure
* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid
double-free of pwbuf.

--

Observed by Joshua Rogers <honey@internot.info>, who proposed a
slightly different fix.

Debian-Bug-Id: 773472

Added fix at a second place - wk.
2015-01-13 10:52:22 +09:00
Daniel Kahn Gillmor
0fd4cd8503 scd: Avoid double-free on error condition in scd
* scd/command.c (cmd_readkey): avoid double-free of cert

--

When ksba_cert_new() fails, cert will be double-freed.

Debian-Bug-Id: 773471

Original patch changed by wk to do the free only at leave.
2015-01-13 10:52:22 +09:00
Daniel Kahn Gillmor
1fc4dc541a avoid future chance of using uninitialized memory
* common/iobuf.c: (iobuf_open): initialize len

--

In iobuf_open, IOBUFCTRL_DESC and IOBUFCTRL_INIT commands are invoked
(via file_filter()) on fcx, passing in a pointer to an uninitialized
len.

With these two commands, file_filter doesn't actually do anything with
the value of len, so there's no actual risk of use of uninitialized
memory in the code as it stands.

However, some static analysis tools might flag this situation with a
warning, and initializing the value doesn't hurt anything, so i think
this trivial cleanup is warranted.

Debian-Bug-Id: 773469
2015-01-13 10:52:22 +09:00
Daniel Kahn Gillmor
f542826b04 gpgkey2ssh: clean up varargs
* tools/gpgkey2ssh.c (key_to_blob) : ensure that va_end is called.

--

stdarg(3) says:
       Each invocation of va_start() must be matched by a
       corresponding invocation of va_end() in the same function.

Observed by Joshua Rogers <honey@internot.info>

Debian-Bug-Id: 773415
2015-01-13 10:52:21 +09:00
Werner Koch
01b364b6da doc: Fix memory leak in yat2m.
* doc/yat2m.c (write_th): Free NAME.
--

Reported-by: Joshua Rogers <git@internot.info>
2015-01-13 10:51:38 +09:00
Werner Koch
907a9a1e98 gpgsm: Return NULL on fail
* sm/gpgsm.c (parse_keyserver_line): Set SERVER to NULL.

--

Cherry-pick of abd5f6752d693b7f313c19604f0723ecec4d39a6.

Reported-by: Joshua Rogers <git@internot.info>

  "If something inside the ldapserver_parse_one function failed,
   'server' would be freed, then returned, leading to a
   use-after-free.  This code is likely copied from sm/gpgsm.c, which
   was also susceptible to this bug."

Signed-off-by: Werner Koch <wk@gnupg.org>
2015-01-13 10:49:57 +09:00
Werner Koch
d2b0e61313 gpg: Fix possible read of unallocated memory
* g10/parse-packet.c (can_handle_critical): Check content length
before calling can_handle_critical_notation.
--

The problem was found by Jan Bee and gniibe proposed the used fix.
Thanks.

This bug can't be exploited: Only if the announced length of the
notation is 21 or 32 a memcmp against fixed strings using that length
would be done.  The compared data is followed by the actual signature
and thus it is highly likely that not even read of unallocated memory
will happen.  Nevertheless such a bug needs to be fixed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2015-01-13 10:44:11 +09:00
Werner Koch
d92fe965f3 scd: Fix possibly inhibited checkpin of the admin pin.
* scd/app-openpgp.c (do_check_pin): Do not check a byte of a released
buffer.

Signed-off-by: Werner Koch <wk@gnupg.org>
2015-01-09 09:07:28 +09:00
Joshua Rogers
40f476867c scd: fix get_public_key for OpenPGPcard v1.0.
* scd/app-openpgp.c (get_public_key): correctly close 'fp' upon use.

--

Inside the get_public_key function, 'fp' was opened using popen, but
incorrectly closed using fclose.

Debian-Bug-Id: 773474
2015-01-08 11:16:51 +09:00
NIIBE Yutaka
4f0d526b7d gpg: release DEK soon after its use.
* g10/keygen.c (generate_subkeypair): Release DEK soon.

--

This fixes the out_of_core error in the test case of adding
RSA-4096 subkey to RSA-4096 primary key with configuration:

    s2k-cipher-algo S10

Debian-bug-id: 772780

Cherry-picked da66ad5bba4215b9ddd0cb927a89aa75355632aa from
STABLE-BRANCH-1-4 branch.
2014-12-12 17:46:45 +09:00
David Prévot
4e03e27575 po: Update French translation 2014-11-26 11:21:52 +01:00
David Prévot
798721f596 po: Update Danish translation 2014-11-26 11:18:00 +01:00
Yuri Chornoivan
e8c3fa7748 po: Update Ukrainian translation 2014-11-26 11:04:49 +01:00
Jedi Lin
445eabf8f7 po: Update Chinese (traditional) translation 2014-11-26 11:02:02 +01:00
Ineiev
d084ae8f53 po: Update Russian translation 2014-11-26 11:00:34 +01:00
Jakub Bogusz
d53d46b99c po: Update pl.po
--
2014-11-26 10:56:37 +01:00
Werner Koch
2edf857822 po: Convert pl.po to utf-8
--
2014-11-26 10:54:24 +01:00
Frans Spiesschaert
0f429d5539 po: New Dutch translation
* po/LINGUAS: Add nl.po.
--
Debian-Bug-Id: 770981
2014-11-26 10:44:38 +01:00
Manuel "Venturi" Porras Peralta
a0459db923 po: Update es.po
--
2014-11-26 10:37:37 +01:00
Werner Koch
48085fe881 po: Convert es.po to utf-8
--
2014-11-26 10:36:08 +01:00
Werner Koch
1f9dfe1fed gpg: Fix use of uninit.value in listing sig subpkts.
* g10/parse-packet.c (dump_sig_subpkt): Print regex subpacket
sanitized.
--

We may not use "%s" to print an arbitrary buffer.  At least "%.*s"
should have been used.  However, it is in general preferable to escape
control characters while printf user data.

Reported-by: Hanno Böck
Signed-off-by: Werner Koch <wk@gnupg.org>

(backported from commit 596ae9f5433ca3b0e01f7acbe06fd2e424c42ae8)
2014-11-24 19:27:20 +01:00
Werner Koch
7a068ac50b gpg: Fix off-by-one read in the attribute subpacket parser.
* g10/parse-packet.c (parse_attribute_subpkts): Check that the
attribute packet is large enough for the subpacket type.
--

Reported-by: Hanno Böck
Signed-off-by: Werner Koch <wk@gnupg.org>

(backported from commit 0988764397f99db4efef1eabcdb8072d6159af76)
2014-11-24 19:27:20 +01:00
Werner Koch
92a7949ae6 gpg: Fix a NULL-deref for invalid input data.
* g10/mainproc.c (proc_encrypted): Take care of canceled passpharse
entry.
--

GnuPG-bug-id: 1761
Signed-off-by: Werner Koch <wk@gnupg.org>

(backported from commit 32e85668b82f6fbcb824eea9548970804fb41d9e)
2014-11-24 19:27:20 +01:00
NIIBE Yutaka
a1c861ed38 po: Update Japanese translation.
--
2014-11-18 11:19:51 +09:00
Werner Koch
a5ca45e616 gpg: Make the use of "--verify FILE" for detached sigs harder.
* g10/openfile.c (open_sigfile): Factor some code out to ...
(get_matching_datafile): new function.
* g10/plaintext.c (hash_datafiles): Do not try to find matching file
in batch mode.
* g10/mainproc.c (check_sig_and_print): Print a warning if a possibly
matching data file is not used by a standard signatures.
--

Allowing to use the abbreviated form for detached signatures is a long
standing bug which has only been noticed by the public with the
release of 2.1.0.  :-(

What we do is to remove the ability to check detached signature in
--batch using the one file abbreviated mode.  This should exhibit
problems in scripts which use this insecure practice.  We also print a
warning if a matching data file exists but was not considered because
the detached signature was actually a standard signature:

  gpgv: Good signature from "Werner Koch (dist sig)"
  gpgv: WARNING: not a detached signature; \
  file 'gnupg-2.1.0.tar.bz2' was NOT verified!

We can only print a warning because it is possible that a standard
signature is indeed to be verified but by coincidence a file with a
matching name is stored alongside the standard signature.

Reported-by: Simon Nicolussi (to gnupg-users on Nov 7)
Signed-off-by: Werner Koch <wk@gnupg.org>

(backported from commit 69384568f66a48eff3968bb1714aa13925580e9f)
2014-11-14 09:36:19 +01:00
Werner Koch
da95d0d378 gpg: Add import option "keep-ownertrust".
* g10/options.h (IMPORT_KEEP_OWNERTTRUST): New.
* g10/import.c (parse_import_options): Add "keep-ownertrust".
(import_one): Act upon new option.
--

This option is in particular useful to convert from a pubring.gpg to
the new pubring.kbx in GnuPG 2.1 or vice versa:

gpg1 --export | gpg2 --import-options keep-ownertrust --import

(cherry-picked from commit ffc2307843ce6c4ac3c8d99ba8c70ffa1ae28e39)
2014-11-12 10:23:53 +01:00
Werner Koch
eb756e2510 gpg: Show v3 key fingerprints as all zero.
* g10/keyid.c (fingerprint_from_pk): Show v3 fingerprints as all zero.
--

MD5 is considered broken for a long time now.  To make it easier for
users to notice that a listing shows a v3 key, the fingerprint is now
displayed as 16 zero bytes unless --allow-weak-digest-algos is active.

Signed-off-by: Werner Koch <wk@gnupg.org>
2014-10-11 19:44:13 +02:00
Werner Koch
9112fed78b gpg: Avoid using cached MD5 signature status.
* g10/sig-check.c (check_key_signature2): Avoid using a cached MD5
signature status.
* g10/keyring.c (keyring_get_keyblock): Ditto.
(write_keyblock): Ditto.

* g10/sig-check.c (do_check): Move reject warning to ...
* g10/misc.c (print_md5_rejected_note): new.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2014-10-11 19:41:51 +02:00
Daniel Kahn Gillmor
f952fe8c6d gpg: Add build and runtime support for larger RSA keys
* configure.ac: Added --enable-large-secmem option.
* g10/options.h: Add opt.flags.large_rsa.
* g10/gpg.c: Contingent on configure option: adjust secmem size,
add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
* g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
* doc/gpg.texi: Document --enable-large-rsa.

--

This is a cherry-pick of 534e2876acc05f9f8d9b54c18511fe768d77dfb5 from
STABLE-BRANCH-1-4 against STABLE-BRANCH-2-0

Some older implementations built and used RSA keys up to 16Kib, but
the larger secret keys now fail when used by more recent GnuPG, due to
secure memory limitations.

Building with ./configure --enable-large-secmem will make gpg
capable of working with those secret keys, as well as permitting the
use of a new gpg option --enable-large-rsa, which let gpg generate RSA
keys up to 8Kib when used with --batch --gen-key.

Debian-bug-id: 739424

Minor edits by wk.

GnuPG-bug-id: 1732
2014-10-03 20:24:03 +02:00
Werner Koch
39c5d991a8 build: Update m4 scripts
* m4/gpg-error.m4: Update from Libgpg-error git master.
* m4/libgcrypt.m4: Update from Libgcrypt git master.
* configure.ac: Declare SYSROOT a precious variable.  Add extra error
message for library configuration mismatches.
2014-10-02 16:23:42 +02:00
Daniel Kahn Gillmor
dcb5fa8747 gpg: --compress-sigs and --compress-keys are not no-ops in 2.0
* g10/gpg.c: Cleanup argument parsing.

--

c76117f8b0165fe5cec5e7f234f55f5a4cd7f0ab mistakenly marked
compress-sigs and compress-keys as no-ops on the 2.0.x branch.

These options still have an effect on the 2.0.x branch, and the
duplicate declaration also causes the gpg argument parser to fail when
shortened versions of the option are present, like:

  gpg: option "--compress-k" is ambiguous
2014-10-02 16:09:01 +02:00
Daniel Kahn Gillmor
3e14da863a gpg: Avoid duplicate declaration of {no-,}sk-comments noops.
* g10/gpg.c: Cleanup argument parsing.

--

With c76117f8b0165fe5cec5e7f234f55f5a4cd7f0ab, the GnuPG 2.0.x branch
accidentally introduced a second (identical) argument parser for both
--sk-comments, and for --no-sk-comments.

This caused short versions (e.g. omitting the trailing "s", as gpgme
does) of either command to fail with:

   gpg: option "--sk-comment" is ambiguous
2014-10-02 16:08:06 +02:00
Werner Koch
36179da032 gpg: Default to SHA-256 for all signature types on RSA keys.
* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA256 in --gnupg and SHA1 in
strict RFC or PGP modes.
* g10/sign.c (make_keysig_packet): Use DEFAULT_DIGEST_ALGO also for
RSA key signatures.
--

(Backported from commit d33246700578cddd1cb8ed8164cfbba50aba4ef3)
2014-09-27 15:36:02 +02:00
Werner Koch
ba2b8c20ee doc: Update the file OpenPGP
--

It should actually be completey reworked but for now I added just a
few notes.
2014-09-27 15:31:25 +02:00
Werner Koch
b9b6ac9d26 gpg: Add shortcut for setting key capabilities.
* g10/keygen.c (ask_key_flags): Add shortcut '='.
* doc/help.txt (gpg.keygen.flags): New.
2014-09-26 14:44:44 +02:00