[Gpg4win-commits] r1211 - in trunk: . patches/gnupg2-2.0.12
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Thu Jul 9 16:12:16 CEST 2009
Author: werner
Date: 2009-07-09 16:12:15 +0200 (Thu, 09 Jul 2009)
New Revision: 1211
Added:
trunk/patches/gnupg2-2.0.12/03-opgp-writekey.patch
trunk/patches/gnupg2-2.0.12/04-hash-prefs.patch
trunk/patches/gnupg2-2.0.12/05-dns-sd.patch
Modified:
trunk/ChangeLog
trunk/Makefile.am
Log:
Add a few pacthes for GnuPG. Note that we do not want to update to a
newer GnuPG version for 2.0.0 due to a lot of changes for Unix with no
functionality for Windows. However, these changes are important for
the v2 card and for new gpg keys.
Modified: trunk/ChangeLog
===================================================================
--- trunk/ChangeLog 2009-07-09 09:57:38 UTC (rev 1210)
+++ trunk/ChangeLog 2009-07-09 14:12:15 UTC (rev 1211)
@@ -1,3 +1,10 @@
+2009-07-09 Werner Koch <wk at g10code.com>
+
+ * patches/gnupg2-2.0.12/03-opgp-writekey.patch: New.
+ * patches/gnupg2-2.0.12/04-hash-prefs.patch: New.
+ * patches/gnupg2-2.0.12/05-dns-sd.patch: New.
+ * Makefile.am (EXTRA_DIST): Add them.
+
2009-06-26 Emanuel Schuetze <emanuel.schuetze at intevation.de>
* packages/packages.current: Update kdesupport.
Modified: trunk/Makefile.am
===================================================================
--- trunk/Makefile.am 2009-07-09 09:57:38 UTC (rev 1210)
+++ trunk/Makefile.am 2009-07-09 14:12:15 UTC (rev 1211)
@@ -45,6 +45,9 @@
patches/gnupg2-2.0.9/05-w32-http.patch \
patches/gnupg2-2.0.12/01-scd-pw2.patch \
patches/gnupg2-2.0.12/02-pth-estream.patch \
+ patches/gnupg2-2.0.12/03-opgp-writekey.patch \
+ patches/gnupg2-2.0.12/04-hash-prefs.patch \
+ patches/gnupg2-2.0.12/05-dns-sd.patch \
patches/gpgol-0.9.91/01-gpgme.patch \
patches/claws-mail-3.7.1/01-fix-spaces-after-re.patch \
patches/claws-mail-3.7.1/02-3.7.1cvs22.patch \
Added: trunk/patches/gnupg2-2.0.12/03-opgp-writekey.patch
===================================================================
--- trunk/patches/gnupg2-2.0.12/03-opgp-writekey.patch 2009-07-09 09:57:38 UTC (rev 1210)
+++ trunk/patches/gnupg2-2.0.12/03-opgp-writekey.patch 2009-07-09 14:12:15 UTC (rev 1211)
@@ -0,0 +1,189 @@
+#! /bin/sh
+patch -p0 -f $* < $0
+exit $?
+
+[scd]
+2009-07-09 Werner Koch <wk at g10code.com>
+
+ * app-openpgp.c (change_keyattr): New.
+ (do_writekey): Call it.
+
+ * app-openpgp.c (does_key_exist): Add arg GENERATING. Change
+ callers.
+
+[g10]
+2009-07-09 Werner Koch <wk at g10code.com>
+
+ * card-util.c (card_store_subkey): Do not restrict to 1024 bit keys.
+ Print an error message on write errors.
+
+
+
+--- scd/app-openpgp.c (revision 5068)
++++ scd/app-openpgp.c (working copy)
+@@ -213,6 +213,7 @@
+ void *pincb_arg,
+ const void *indata, size_t indatalen,
+ unsigned char **outdata, size_t *outdatalen);
++static void parse_algorithm_attribute (app_t app, int keyno);
+
+
+
+@@ -2144,9 +2145,10 @@
+
+ /* Check whether a key already exists. KEYIDX is the index of the key
+ (0..2). If FORCE is TRUE a diagnositic will be printed but no
+- error returned if the key already exists. */
++ error returned if the key already exists. The flag GENERATING is
++ only used to print correct messages. */
+ static gpg_error_t
+-does_key_exist (app_t app, int keyidx, int force)
++does_key_exist (app_t app, int keyidx, int generating, int force)
+ {
+ const unsigned char *fpr;
+ unsigned char *buffer;
+@@ -2178,8 +2180,10 @@
+ }
+ else if (i!=20)
+ log_info (_("existing key will be replaced\n"));
++ else if (generating)
++ log_info (_("generating new key\n"));
+ else
+- log_info (_("generating new key\n"));
++ log_info (_("writing new key\n"));
+ return 0;
+ }
+
+@@ -2340,7 +2344,64 @@
+ }
+
+
++/* Helper for do_writekley to change the size of a key. Not ethat
++ this deletes the entire key without asking. */
++static gpg_error_t
++change_keyattr (app_t app, int keyno, unsigned int nbits,
++ gpg_error_t (*pincb)(void*, const char *, char **),
++ void *pincb_arg)
++{
++ gpg_error_t err;
++ unsigned char *buffer;
++ size_t buflen;
++ void *relptr;
+
++ assert (keyno >=0 && keyno <= 2);
++
++ if (nbits > 3072)
++ return gpg_error (GPG_ERR_TOO_LARGE);
++
++ /* Read the current attributes into a buffer. */
++ relptr = get_one_do (app, 0xC1+keyno, &buffer, &buflen, NULL);
++ if (!relptr)
++ return gpg_error (GPG_ERR_CARD);
++ if (buflen < 6 || buffer[0] != 1)
++ {
++ /* Attriutes too short or not an RSA key. */
++ xfree (relptr);
++ return gpg_error (GPG_ERR_CARD);
++ }
++
++ /* We only change n_bits and don't touch anything else. Before we
++ do so, we round up NBITS to a sensible way in the same way as
++ gpg's key generation does it. This may help to sort out problems
++ with a few bits too short keys. */
++ nbits = ((nbits + 31) / 32) * 32;
++ buffer[1] = (nbits >> 8);
++ buffer[2] = nbits;
++
++ /* Prepare for storing the key. */
++ err = verify_chv3 (app, pincb, pincb_arg);
++ if (err)
++ {
++ xfree (relptr);
++ return err;
++ }
++
++ /* Change the attribute. */
++ err = iso7816_put_data (app->slot, 0, 0xC1+keyno, buffer, buflen);
++ xfree (relptr);
++ if (err)
++ log_error ("error changing size of key %d to %u bits\n", keyno+1, nbits);
++ else
++ log_info ("size of key %d changed to %u bits\n", keyno+1, nbits);
++ flush_cache (app);
++ parse_algorithm_attribute (app, keyno);
++ return err;
++}
++
++
++
+ /* Handle the WRITEKEY command for OpenPGP. This function expects a
+ canonical encoded S-expression with the secret key in KEYDATA and
+ its length (for assertions) in KEYDATALEN. KEYID needs to be the
+@@ -2385,7 +2446,7 @@
+ else
+ return gpg_error (GPG_ERR_INV_ID);
+
+- err = does_key_exist (app, keyno, force);
++ err = does_key_exist (app, keyno, 0, force);
+ if (err)
+ return err;
+
+@@ -2515,6 +2576,14 @@
+ if (opt.verbose)
+ log_info ("RSA modulus size is %u bits (%u bytes)\n",
+ nbits, (unsigned int)rsa_n_len);
++ if (nbits && nbits != maxbits
++ && app->app_local->extcap.algo_attr_change)
++ {
++ /* Try to switch the key to a new length. */
++ err = change_keyattr (app, keyno, nbits, pincb, pincb_arg);
++ if (!err)
++ maxbits = app->app_local->keyattr[keyno].n_bits;
++ }
+ if (nbits != maxbits)
+ {
+ log_error (_("RSA modulus missing or not of size %d bits\n"),
+@@ -2696,7 +2765,7 @@
+ app->app_local->pk[keyno].read_done = 0;
+
+ /* Check whether a key already exists. */
+- rc = does_key_exist (app, keyno, force);
++ rc = does_key_exist (app, keyno, 1, force);
+ if (rc)
+ return rc;
+
+
+
+--- g10/card-util.c (revision 5068)
++++ g10/card-util.c (working copy)
+@@ -1,5 +1,5 @@
+ /* card-util.c - Utility functions for the OpenPGP card.
+- * Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc.
++ * Copyright (C) 2003, 2004, 2005, 2009 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+@@ -1393,7 +1393,8 @@
+
+ show_card_key_info (&info);
+
+- if (!is_RSA (sk->pubkey_algo) || nbits_from_sk (sk) != 1024 )
++ if (!is_RSA (sk->pubkey_algo)
++ || (!info.is_v2 && nbits_from_sk (sk) != 1024) )
+ {
+ tty_printf ("You may only store a 1024 bit RSA key on the card\n");
+ tty_printf ("\n");
+@@ -1461,7 +1462,10 @@
+
+ rc = save_unprotected_key_to_card (sk, keyno);
+ if (rc)
+- goto leave;
++ {
++ log_error (_("error writing key to card: %s\n"), gpg_strerror (rc));
++ goto leave;
++ }
+
+ /* Get back to the maybe protected original secret key. */
+ if (copied_sk)
+
+
Property changes on: trunk/patches/gnupg2-2.0.12/03-opgp-writekey.patch
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/patches/gnupg2-2.0.12/04-hash-prefs.patch
===================================================================
--- trunk/patches/gnupg2-2.0.12/04-hash-prefs.patch 2009-07-09 09:57:38 UTC (rev 1210)
+++ trunk/patches/gnupg2-2.0.12/04-hash-prefs.patch 2009-07-09 14:12:15 UTC (rev 1211)
@@ -0,0 +1,133 @@
+#! /bin/sh
+patch -p0 -f $* < $0
+exit $?
+
+[g10]
+2009-07-09 Werner Koch <wk at g10code.com>
+
+ * gpg.c (main): Remove the SHA-1 default from the personal digest
+ list. This was used in the past as a hack to avoid preferring
+ RMD-160.
+
+ * keygen.c (keygen_set_std_prefs): Remove RMD-160 from the list.
+ Change order to SHA-256, SHA-1, SHA-384, SHA-512, SHA-224.
+ (gen_dsa): Use a 256 bit Q for 2048 bit P. Runt to FIPS allowed
+ values in non-expert mode.
+
+
+Index: g10/keygen.c
+===================================================================
+--- g10/keygen.c (revision 5068)
++++ g10/keygen.c (working copy)
+@@ -1,6 +1,6 @@
+ /* keygen.c - generate a key pair
+ * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
+- * 2006, 2007 Free Software Foundation, Inc.
++ * 2006, 2007, 2009 Free Software Foundation, Inc.
+ *
+ * This file is part of GnuPG.
+ *
+@@ -301,7 +301,7 @@
+ byte sym[MAX_PREFS], hash[MAX_PREFS], zip[MAX_PREFS];
+ int nsym=0, nhash=0, nzip=0, val, rc=0;
+ int mdc=1, modify=0; /* mdc defaults on, modify defaults off. */
+- char dummy_string[45+1]; /* Enough for 15 items. */
++ char dummy_string[20*4+1]; /* Enough for 20 items. */
+
+ if (!string || !ascii_strcasecmp (string, "default"))
+ {
+@@ -345,16 +345,30 @@
+ if ( !openpgp_cipher_test_algo (CIPHER_ALGO_IDEA) )
+ strcat(dummy_string,"S1 ");
+
+- /* SHA-1 */
+- strcat(dummy_string,"H2 ");
+
+- if (!openpgp_md_test_algo(DIGEST_ALGO_SHA256))
+- strcat(dummy_string,"H8 ");
++ /* The default hash algo order is:
++ SHA-256, SHA-1, SHA-384, SHA-512, SHA-224.
++ Ordering SHA-1 before SHA-384 might be viewed as a bit
++ strange; it is done because we expect that soon enough
++ SHA-3 will be available and at that point there should
++ be no more need for SHA-384 etc. Anyway this order is
++ just a default and can easily be changed by a config
++ option. */
++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA256))
++ strcat (dummy_string, "H8 ");
+
+- /* RIPEMD160 */
+- if (!openpgp_md_test_algo(DIGEST_ALGO_RMD160))
+- strcat(dummy_string,"H3 ");
++ strcat (dummy_string, "H2 "); /* SHA-1 */
+
++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA384))
++ strcat (dummy_string, "H9 ");
++
++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA512))
++ strcat (dummy_string, "H10 ");
++
++ if (!openpgp_md_test_algo (DIGEST_ALGO_SHA224))
++ strcat (dummy_string, "H11 ");
++
++
+ /* ZLIB */
+ strcat(dummy_string,"Z2 ");
+
+@@ -507,7 +521,8 @@
+
+ /* Return a fake user ID containing the preferences. Caller must
+ free. */
+-PKT_user_id *keygen_get_std_prefs(void)
++PKT_user_id *
++keygen_get_std_prefs(void)
+ {
+ int i,j=0;
+ PKT_user_id *uid=xmalloc_clear(sizeof(PKT_user_id));
+@@ -1280,6 +1295,14 @@
+ log_info(_("keysize rounded up to %u bits\n"), nbits );
+ }
+
++ /* To comply with FIPS rules we round up to the next value unless in
++ expert mode. */
++ if (!opt.expert && nbits > 1024 && (nbits % 1024))
++ {
++ nbits = ((nbits + 1023) / 1024) * 1024;
++ log_info(_("keysize rounded up to %u bits\n"), nbits );
++ }
++
+ /*
+ Figure out a q size based on the key size. FIPS 180-3 says:
+
+@@ -1291,11 +1314,11 @@
+ 2048/256 is an odd pair since there is also a 2048/224 and
+ 3072/256. Matching sizes is not a very exact science.
+
+- We'll do 256 qbits for nbits over 2048, 224 for nbits over 1024
++ We'll do 256 qbits for nbits over 2047, 224 for nbits over 1024
+ but less than 2048, and 160 for 1024 (DSA1).
+ */
+
+- if (nbits > 2048)
++ if (nbits > 2047)
+ qbits = 256;
+ else if ( nbits > 1024)
+ qbits = 224;
+Index: g10/gpg.c
+===================================================================
+--- g10/gpg.c (revision 5068)
++++ g10/gpg.c (working copy)
+@@ -3195,11 +3195,6 @@
+ keygen_set_std_prefs(opt.def_preference_list,0))
+ log_error(_("invalid default preferences\n"));
+
+- /* We provide defaults for the personal digest list. This is
+- SHA-1. */
+- if(!pers_digest_list)
+- pers_digest_list="h2";
+-
+ if(pers_cipher_list &&
+ keygen_set_std_prefs(pers_cipher_list,PREFTYPE_SYM))
+ log_error(_("invalid personal cipher preferences\n"));
+
+
Property changes on: trunk/patches/gnupg2-2.0.12/04-hash-prefs.patch
___________________________________________________________________
Name: svn:executable
+ *
Added: trunk/patches/gnupg2-2.0.12/05-dns-sd.patch
===================================================================
--- trunk/patches/gnupg2-2.0.12/05-dns-sd.patch 2009-07-09 09:57:38 UTC (rev 1210)
+++ trunk/patches/gnupg2-2.0.12/05-dns-sd.patch 2009-07-09 14:12:15 UTC (rev 1211)
@@ -0,0 +1,70 @@
+#! /bin/sh
+patch -p0 -f $* < $0
+exit $?
+
+[keyserver]
+2009-07-06 David Shaw <dshaw at jabberwocky.com>
+
+ * gpgkeys_hkp.c (main, srv_replace): Minor tweaks to use the
+ DNS-SD names ("pgpkey-http" and "pgpkey-https") in SRV lookups
+ instead of "hkp" and "hkps".
+
+
+Index: keyserver/gpgkeys_hkp.c
+===================================================================
+--- keyserver/gpgkeys_hkp.c (revision 5068)
++++ keyserver/gpgkeys_hkp.c (working copy)
+@@ -489,18 +489,21 @@
+ /* If there is a SRV record, take the highest ranked possibility.
+ This is a hack, as we don't proceed downwards. */
+ static void
+-srv_replace(void)
++srv_replace(const char *srvtag)
+ {
+ #ifdef USE_DNS_SRV
+ struct srventry *srvlist=NULL;
+ int srvcount;
+
+- if(1+strlen(opt->scheme)+6+strlen(opt->host)+1<=MAXDNAME)
++ if(!srvtag)
++ return;
++
++ if(1+strlen(srvtag)+6+strlen(opt->host)+1<=MAXDNAME)
+ {
+ char srvname[MAXDNAME];
+
+ strcpy(srvname,"_");
+- strcat(srvname,opt->scheme);
++ strcat(srvname,srvtag);
+ strcat(srvname,"._tcp.");
+ strcat(srvname,opt->host);
+ srvcount=getsrv(srvname,&srvlist);
+@@ -714,17 +717,26 @@
+ port=opt->port;
+ else if(try_srv)
+ {
++ char *srvtag;
++
++ if(ks_strcasecmp(opt->scheme,"hkp")==0)
++ srvtag="pgpkey-http";
++ else if(ks_strcasecmp(opt->scheme,"hkps")==0)
++ srvtag="pgpkey-https";
++ else
++ srvtag=NULL;
++
+ #ifdef HAVE_LIBCURL
+ /* We're using libcurl, so fake SRV support via our wrapper.
+ This isn't as good as true SRV support, as we do not try all
+ possible targets at one particular level and work our way
+ down the list, but it's better than nothing. */
+- srv_replace();
++ srv_replace(srvtag);
+ #else
+ /* We're using our internal curl shim, so we can use its (true)
+ SRV support. Obviously, CURLOPT_SRVTAG_GPG_HACK isn't a real
+ libcurl option. It's specific to our shim. */
+- curl_easy_setopt(curl,CURLOPT_SRVTAG_GPG_HACK,opt->scheme);
++ curl_easy_setopt(curl,CURLOPT_SRVTAG_GPG_HACK,srvtag);
+ #endif
+ }
+
Property changes on: trunk/patches/gnupg2-2.0.12/05-dns-sd.patch
___________________________________________________________________
Name: svn:executable
+ *
More information about the Gpg4win-commits
mailing list