From 18af15249de5f826c3fa8d1d40e876734adcd0cf Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 24 Nov 2017 10:30:25 +0100 Subject: agent: New option --auto-expand-secmem. * agent/gpg-agent.c (oAutoExpandSecmem): New enum value. (opts): New option --auto-expand-secmem. (main): Implement that option. -- Note that this option has an effect only if Libgcrypt >= 1.8.2 is used. GnuPG-bug-id: 3530 --- agent/gpg-agent.c | 11 +++++++++++ doc/gpg-agent.texi | 11 +++++++++++ 2 files changed, 22 insertions(+) diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c index 0b2b98212..1696e4ecd 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -135,6 +135,7 @@ enum cmd_and_opt_values oDisableScdaemon, oDisableCheckOwnSocket, oS2KCount, + oAutoExpandSecmem, oWriteEnvFile }; @@ -252,6 +253,8 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_u (oS2KCount, "s2k-count", "@"), + ARGPARSE_op_u (oAutoExpandSecmem, "auto-expand-secmem", "@"), + /* Dummy options for backward compatibility. */ ARGPARSE_o_s (oWriteEnvFile, "write-env-file", "@"), ARGPARSE_s_n (oUseStandardSocket, "use-standard-socket", "@"), @@ -1233,6 +1236,14 @@ main (int argc, char **argv ) socket_name_browser = pargs.r.ret_str; break; + case oAutoExpandSecmem: + /* Try to enable this option. It will officially only be + * supported by Libgcrypt 1.9 but 1.8.2 already supports it + * on the quiet and thus we use the numeric value value. */ + gcry_control (78 /*GCRYCTL_AUTO_EXPAND_SECMEM*/, + (unsigned int)pargs.r.ret_ulong, 0); + break; + case oDebugQuickRandom: /* Only used by the first stage command line parser. */ break; diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index afe280462..10f8900ca 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi 
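Review bot: The result of `gcry_control (78 /*GCRYCTL_AUTO_EXPAND_SECMEM*/, ...)` in the new oAutoExpandSecmem case is discarded, so on a Libgcrypt older than 1.8.2 (which the commit message says ignores this option) the setting is silently a no-op and an operator who enabled it to avoid out-of-secure-memory failures gets no hint that it is inactive. Suggest keeping the error: `gpg_error_t err = gcry_control (78 /*GCRYCTL_AUTO_EXPAND_SECMEM*/, (unsigned int)pargs.r.ret_ulong, 0);` followed by `if (err) log_info ("option --auto-expand-secmem not supported by this Libgcrypt: %s\n", gpg_strerror (err));`. The `(unsigned int)` cast also silently truncates a `pargs.r.ret_ulong` above UINT_MAX on LP64 platforms, so rejecting such a value with a diagnostic would be clearer than passing a wrapped size. main() continues outside the hunk.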
@@ -652,6 +652,17 @@ Select the digest algorithm used to compute ssh fingerprints that are communicated to the user, e.g. in pinentry dialogs. OpenSSH has transitioned from using MD5 to the more secure SHA256. + +@item --auto-expand-secmem @var{n} +@opindex auto-expand-secmem +gAllow Libgcrypt to expand its secure memory area as required. The +optional value @var{n} is a non-negative integer with a suggested size +in bytes of each additionally allocated secure memory area. The value +is rounded up to the next 32 KiB; usual C style prefixes are allowed. +For an heavy loaded gpg-agent with many concurrent connection this +option avoids sign or decrypt errors due to out of secure memory error +returns. + @item --s2k-count @var{n} @opindex s2k-count Specify the iteration count used to protect the passphrase. This -- cgit v1.2.3 From 4cf3cc6e3d48c8400466ca29c3f1c22ed2da6c2c Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Sun, 26 Nov 2017 18:33:49 +0100 Subject: gpg: Do not read from uninitialized memory with --list-packets. * g10/parse-packet.c (parse_plaintext): Fill up the allocated NAME. -- This actually does not harm because we merely display a buffer allocated by ourselves. However, we better tell Valgrind about it so that we don't need to track this thing down ever again. Test using a corrupted literal data packet: echo cb 0a 75 ff 59 ae 90 d5 74 65 73 74 | \ undump |\ valgrind gpg --list-packets >/dev/null Reported-by: Sebastian Schinzel Signed-off-by: Werner Koch --- g10/parse-packet.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/g10/parse-packet.c b/g10/parse-packet.c index 0b6ee8b4e..eee14f64e 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c 
@@ -3087,6 +3087,12 @@ parse_plaintext (IOBUF inp, int pkttype, unsigned long pktlen, else pt->name[i] = c; } + /* Fill up NAME so that a check with valgrind won't complain about + * reading from uninitalized memory. This case may be triggred by + * corrupted packets. */ + for (; i < namelen; i++) + pt->name[i] = 0; + pt->timestamp = read_32 (inp); if (pktlen) pktlen -= 4; -- cgit v1.2.3 From 8a2917345ba88159bce6153b54706e701564f189 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 17 Nov 2017 10:17:08 +0800 Subject: doc: clarify that --encrypt refers to public key encryption -- A simple read of gpg(1) is ambiguous about whether --encrypt could be for either symmetric or pubkey encryption. Closer inference suggests that --encrypt is about pubkey encryption only. Make that clearer on a first read. Signed-off-by: Daniel Kahn Gillmor --- doc/gpg.texi | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/doc/gpg.texi b/doc/gpg.texi index bd45b0422..35bb9a810 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -196,11 +196,13 @@ Make a detached signature. @item --encrypt @itemx -e @opindex encrypt -Encrypt data. This command may be combined with @option{--sign} (to -sign and encrypt a message), @option{--symmetric} (to encrypt a -message that can decrypted using a secret key or a passphrase), or -@option{--sign} and @option{--symmetric} together (for a signed -message that can be decrypted using a secret key or a passphrase). +Encrypt data to one or more public keys. This command may be combined +with @option{--sign} (to sign and encrypt a message), +@option{--symmetric} (to encrypt a message that can decrypted using a +secret key or a passphrase), or @option{--sign} and +@option{--symmetric} together (for a signed message that can be +decrypted using a secret key or a passphrase). @option{--recipient} +and related options specify which public keys to use for encryption. @item --symmetric @itemx -c -- cgit v1.2.3 
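Review bot: The new comment carries two typos, `uninitalized` and `triggred`, which should read "uninitialized" and "triggered". Since `i` is carried over from the preceding loop (whose start is outside the hunk), the fill could be the one-liner `memset (pt->name + i, 0, namelen - i);`, which reads directly as "zero the unread tail". It would help a later reader if the comment also said what leaves the tail unset — presumably the preceding loop stops early on a short packet while `namelen` keeps the length declared in the packet header — so the zero fill is not mistaken for a correction of the length itself.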
From 0d0b9eb0d4f99e8d293a4ce4b90921a879905115 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Thu, 9 Nov 2017 14:03:22 +0900 Subject: g10: Fix regexp sanitization. * g10/trustdb.c (sanitize_regexp): Only escape operators. -- Backport from master commit: ccf3ba92087e79abdeaa0208795829b431c6f201 To sanitize a regular expression, quoting by backslash should be only done for defined characters. POSIX defines 12 characters including dot and backslash. Quoting other characters is wrong, in two ways; It may build an operator like: \b, \s, \w when using GNU library. Case ignored match doesn't work, because quoting lower letter means literally and no much to upper letter. GnuPG-bug-id: 2923 Co-authored-by: Damien Goutte-Gattat Signed-off-by: NIIBE Yutaka --- g10/trustdb.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/g10/trustdb.c b/g10/trustdb.c index 92c1ca50a..0a98c129f 100644 --- a/g10/trustdb.c +++ b/g10/trustdb.c @@ -1505,6 +1505,10 @@ store_validation_status (ctrl_t ctrl, int depth, /* Returns a sanitized copy of the regexp (which might be "", but not NULL). */ #ifndef DISABLE_REGEX +/* Operator charactors except '.' and backslash. + See regex(7) on BSD. */ +#define REGEXP_OPERATOR_CHARS "^[$()|*+?{" + static char * sanitize_regexp(const char *old) { @@ -1544,7 +1548,7 @@ sanitize_regexp(const char *old) { if(!escaped && old[start]=='\\') escaped=1; - else if(!escaped && old[start]!='.') + else if (!escaped && strchr (REGEXP_OPERATOR_CHARS, old[start])) new[idx++]='\\'; else escaped=0; -- cgit v1.2.3 From 1524ba9656f0205d8c6ef504f773b832a7a12ab9 Mon Sep 17 00:00:00 2001 
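Review bot: The new test `strchr (REGEXP_OPERATOR_CHARS, old[start])` also succeeds when `old[start]` is `'\0'`, because strchr reports the terminator as found; that is harmless only if the loop bound (outside the hunk) guarantees the NUL is never visited, which is worth stating next to the macro. The macro comment should also say why `]` and `}` are omitted (they are ordinary characters unless an unescaped `[` or `{` precedes them, and the list escapes those) and that `'.'` and backslash are deliberately passed through, e.g. `/* Regexp operator characters that must be escaped.  '.' and backslash are handled by the caller; ']' and '}' are literal once '[' and '{' are escaped.  See regex(7). */`. `charactors` in the added comment is a typo for "characters". sanitize_regexp's loop starts above the hunk.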
From: NIIBE Yutaka Date: Wed, 6 Dec 2017 11:20:51 +0900 Subject: agent: Set assuan system hooks before call of assuan_sock_init. * agent/gpg-agent.c (initialize_modules): Move assuan_set_system_hooks. (main): ... here, just before assuan_sock_init. -- In Assuan, global variable SOCK_CTX is used internally, which is initialized by assuan_sock_init. When initialized, system hooks are copied into SOCK_CTX structure. Thus, system hooks should be set, before the call of assuan_sock_init. GnuPG-bug-id: 3378 Signed-off-by: NIIBE Yutaka --- agent/gpg-agent.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c index 1696e4ecd..b076ca3b8 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -966,7 +966,6 @@ static void initialize_modules (void) { thread_init_once (); - assuan_set_system_hooks (ASSUAN_SYSTEM_NPTH); initialize_module_cache (); initialize_module_call_pinentry (); initialize_module_call_scd (); @@ -1027,6 +1026,7 @@ main (int argc, char **argv ) malloc_hooks.free = gcry_free; assuan_set_malloc_hooks (&malloc_hooks); assuan_set_gpg_err_source (GPG_ERR_SOURCE_DEFAULT); + assuan_set_system_hooks (ASSUAN_SYSTEM_NPTH); assuan_sock_init (); setup_libassuan_logging (&opt.debug, NULL); -- cgit v1.2.3 From b9677ba16f6b386896781a751e4b2fc839e3ec81 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Thu, 7 Dec 2017 14:33:58 +0100 Subject: agent: Change intialization of assuan socket system hooks. * agent/gpg-agent.c (initialize_modules): Add hook again. (main): Remove setting of the system houk but add scoket system hook setting after assuan initialization. -- Thread initialization is better to be deferred after fork (in case of UNIX). assuan_sock_init should be earlier. Thus, we need to change system hooks for assuan_sock_* interface. Or else, on Windows, it may cause hang on server. Updates-commit: 1524ba9656f0205d8c6ef504f773b832a7a12ab9 GnuPG-bug-id: 3378 
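Review bot: After this move the nPth system hooks are installed in main before `thread_init_once ()`, which stays in initialize_modules (first hunk) and presumably runs later, so any Assuan call between the two that goes through the hooks would reach nPth before it is initialised; the commit message explains why the hooks must precede assuan_sock_init but not why that ordering relative to thread initialisation is safe. A one-line comment at the new call would record the constraint so the call is not moved back, e.g. `/* Must precede assuan_sock_init, which copies the system hooks into its socket context.  */`. Both hunks are inside functions that continue outside the hunk.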
Signed-off-by: Werner Koch --- agent/gpg-agent.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c index b076ca3b8..21beb29c7 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -966,6 +966,7 @@ static void initialize_modules (void) { thread_init_once (); + assuan_set_system_hooks (ASSUAN_SYSTEM_NPTH); initialize_module_cache (); initialize_module_call_pinentry (); initialize_module_call_scd (); @@ -1026,8 +1027,8 @@ main (int argc, char **argv ) malloc_hooks.free = gcry_free; assuan_set_malloc_hooks (&malloc_hooks); assuan_set_gpg_err_source (GPG_ERR_SOURCE_DEFAULT); - assuan_set_system_hooks (ASSUAN_SYSTEM_NPTH); assuan_sock_init (); + assuan_sock_set_system_hooks (ASSUAN_SYSTEM_NPTH); setup_libassuan_logging (&opt.debug, NULL); setup_libgcrypt_logging (); -- cgit v1.2.3 From 2fedf8583bcc493f587c90bc9632d25dfd10bd10 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 7 Dec 2017 14:53:49 +0100 Subject: build: Do not define logging.h constants for libgpg-error dev versions. * common/logging.h [GPGRT_LOG_WITH_PREFIX]: Do not define the log constants. -- logging.h uses constants we plan to use for future versions of libgpg-error. My dev version already has the logging functions and thus I run into a conflict. This patch protects against this and make the GnuPG work with later libgpg-error versions. It was not the best idea to use constants from a planned libgpg-error in the first place. The actual problem are the enums, the macros won't harm. Signed-off-by: Werner Koch --- common/logging.h | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/common/logging.h b/common/logging.h index e1bf56b17..c6a32b45a 100644 --- a/common/logging.h +++ b/common/logging.h 
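Review bot: main now sets the socket-layer hooks with `assuan_sock_set_system_hooks (ASSUAN_SYSTEM_NPTH)` while initialize_modules sets the generic hooks with `assuan_set_system_hooks (ASSUAN_SYSTEM_NPTH)`, and nothing at either call explains why both are needed, so the rationale from the commit message (assuan_sock_init copies the hooks into its own context; thread setup is deferred until after fork) is lost to a reader of the code. Suggest at the call in main: `/* assuan_sock_init has copied the default hooks into its socket context; switch those to nPth now.  The generic hooks are set in initialize_modules, after thread init (deferred until after fork).  */`. The socket hooks are thereby nPth-based before `thread_init_once ()` has run; if any assuan_sock_* call can happen in between, that ordering deserves a sentence in the same comment. Both functions continue outside their hunks.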
@@ -70,15 +70,21 @@ estream_t log_get_stream (void); : _log_assert (#expr, __FILE__, __LINE__)) #endif /*!GPGRT_HAVE_MACRO_FUNCTION*/ -/* Flag values for log_set_prefix. */ -#define GPGRT_LOG_WITH_PREFIX 1 -#define GPGRT_LOG_WITH_TIME 2 -#define GPGRT_LOG_WITH_PID 4 -#define GPGRT_LOG_RUN_DETACHED 256 -#define GPGRT_LOG_NO_REGISTRY 512 -/* Log levels as used by log_log. */ -enum jnlib_log_levels { +/* If we use an older libgpg-error we need to define the constants + * which will be used by current libgpg-error development + * versions. */ +#ifndef GPGRT_LOG_WITH_PREFIX + + /* Flag values for log_set_prefix. */ +# define GPGRT_LOG_WITH_PREFIX 1 +# define GPGRT_LOG_WITH_TIME 2 +# define GPGRT_LOG_WITH_PID 4 +# define GPGRT_LOG_RUN_DETACHED 256 +# define GPGRT_LOG_NO_REGISTRY 512 + + /* Log levels as used by log_log. */ + enum jnlib_log_levels { GPGRT_LOG_BEGIN, GPGRT_LOG_CONT, GPGRT_LOG_INFO, @@ -87,7 +93,9 @@ enum jnlib_log_levels { GPGRT_LOG_FATAL, GPGRT_LOG_BUG, GPGRT_LOG_DEBUG -}; + }; +#endif /* Old libgpg-error. */ + void log_log (int level, const char *fmt, ...) GPGRT_ATTR_PRINTF(2,3); void log_logv (int level, const char *fmt, va_list arg_ptr); void log_logv_with_prefix (int level, const char *prefix, -- cgit v1.2.3 From 5b8d12a8bde246f4c04e1981b21801965cc2638d Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 7 Dec 2017 16:29:29 +0100 Subject: speedo,w32: Disable FLTK pinentry. -- --- build-aux/speedo.mk | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk index 7276787e1..2b3b72b86 100644 --- a/build-aux/speedo.mk +++ b/build-aux/speedo.mk @@ -514,7 +514,10 @@ else speedo_pkg_pinentry_configure = --enable-pinentry-gtk2 endif speedo_pkg_pinentry_configure += \ - --disable-pinentry-qt4 \ + --disable-pinentry-qt5 \ + --disable-pinentry-qt \ + --disable-pinentry-fltk \ + --disable-pinentry-tty \ CPPFLAGS=-I$(idir)/include \ LDFLAGS=-L$(idir)/lib \ CXXFLAGS=-static-libstdc++ -- cgit v1.2.3 
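Review bot: The guard `#ifndef GPGRT_LOG_WITH_PREFIX` uses one flag macro as a proxy for "libgpg-error already provides the log levels", so `enum jnlib_log_levels` and its GPGRT_LOG_* constants vanish whenever that macro is defined, whether or not the providing header also defines level names matching what log_log below expects; the commit message itself says the enum is the real conflict, so the comment should name that assumption. Suggest replacing the added comment with `/* An older libgpg-error lacks these constants.  A libgpg-error that defines GPGRT_LOG_WITH_PREFIX is assumed to also provide the GPGRT_LOG_* level enum used by log_log; if it does not, callers fail to compile rather than misbehave. */`. The one-space indentation of the `# define` and `enum` lines inside the block departs from the column-0 style the rest of the header uses. The second hunk closes the same block and shares this point.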
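Review bot: The `--disable-pinentry-qt4` flag is replaced rather than kept, so if the pinentry version speedo builds still recognises a qt4 option (not visible from the hunk) it falls back to autodetection for that frontend; keeping the old flag next to the new ones costs nothing, since configure only warns about options it does not know. The subject mentions only FLTK while qt5, qt and tty are disabled too, so a comment above the list would spare the next reader a guess, e.g. `# w32: disable every pinentry frontend not selected above.`. The assignment continues outside the hunk.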
From 5c121d44443b0a96ec6ea82b90717e3dbafd2cc5 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Fri, 8 Dec 2017 09:19:50 +0900 Subject: agent: Fix description of shadow format. * agent/keyformat.txt, agent/protect.c, agent/t-protect.c: Fix. -- https://lists.gnupg.org/pipermail/gnupg-devel/2015-April/029680.html Signed-off-by: NIIBE Yutaka --- agent/keyformat.txt | 2 +- agent/protect.c | 2 +- agent/t-protect.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/agent/keyformat.txt b/agent/keyformat.txt index 68fbdbc65..768353f4f 100644 --- a/agent/keyformat.txt +++ b/agent/keyformat.txt @@ -271,7 +271,7 @@ to keys stored on a token: (comment whatever) ) -The currently used protocol is "ti-v1" (token info version 1). The +The currently used protocol is "t1-v1" (token info version 1). The second list with the information has this layout: (card_serial_number id_string_of_key fixed_pin_length) diff --git a/agent/protect.c b/agent/protect.c index 9bb2da6b3..7b5abf21b 100644 --- a/agent/protect.c +++ b/agent/protect.c @@ -1494,7 +1494,7 @@ make_shadow_info (const char *serialno, const char *idstring) /* Create a shadow key from a public key. We use the shadow protocol - "ti-v1" and insert the S-expressionn SHADOW_INFO. The resulting + "t1-v1" and insert the S-expressionn SHADOW_INFO. The resulting S-expression is returned in an allocated buffer RESULT will point to. The input parameters are expected to be valid canonicalized S-expressions */ diff --git a/agent/t-protect.c b/agent/t-protect.c index 92d312c9b..d17c19325 100644 --- a/agent/t-protect.c +++ b/agent/t-protect.c 
@@ -288,7 +288,7 @@ static void test_agent_shadow_key (void) { /* Create a shadow key from a public key. We use the shadow protocol - "ti-v1" and insert the S-expressionn SHADOW_INFO. The resulting + "t1-v1" and insert the S-expressionn SHADOW_INFO. The resulting S-expression is returned in an allocated buffer RESULT will point to. The input parameters are expected to be valid canonicalized S-expressions */ -- cgit v1.2.3 From 6391de3e62a275132664ae96497dd4e47fe9f257 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 8 Dec 2017 07:38:18 +0100 Subject: doc: Fix Dijkstra -- Edsger Wybe Dijkstra (1930 --2002) - Dutch computer scientist --- agent/keyformat.txt | 4 ++-- doc/HACKING | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/agent/keyformat.txt b/agent/keyformat.txt index 768353f4f..2e48b346e 100644 --- a/agent/keyformat.txt +++ b/agent/keyformat.txt @@ -379,7 +379,7 @@ Example: (protected-shared-secret ((desc "List of system passphrases") (key "uid-1002" ("Knuth" "Donald Ervin Knuth")) - (key "uid-1001" ("Dijkstra" "Edsgar Wybe Dijkstra")) + (key "uid-1001" ("Dijkstra" "Edsger Wybe Dijkstra")) (key) (protected mode (parms) encrypted_octet_string) (protected-at "20100915T111722") @@ -402,7 +402,7 @@ hashed: ((desc "List of system passphrases") (key "uid-1002" ("Knuth" "Donald Ervin Knuth")) - (key "uid-1001" ("Dijkstra" "Edsgar Wybe Dijkstra")) + (key "uid-1001" ("Dijkstra" "Edsger Wybe Dijkstra")) (key) (value 4:1002 "signal flags at the lock") (value 4:1001 "taocp") diff --git a/doc/HACKING b/doc/HACKING index 62a6f9511..bd1685678 100644 --- a/doc/HACKING +++ b/doc/HACKING 
@@ -224,6 +224,7 @@ Note that such a comment will be removed if the git commit option - CVE-id :: CVE id number pertaining to this commit. - Regression-due-to :: Commit id of the regression fixed by this commit. - Fixes-commit :: Commit id this commit fixes. + - Updates-commit :: Commit id this commit updates. - Reported-by :: Value is a name or mail address of a bug reporte. - Suggested-by :: Value is a name or mail address of someone how suggested this change. -- cgit v1.2.3 From ddd54d821020125f777c192e499d6967d02e3322 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 8 Dec 2017 13:27:06 +0100 Subject: Revert: build: Do not define logging.h constants for ... --- This reverts commit 2fedf8583bcc493f587c90bc9632d25dfd10bd10. We better solve this on the libgpg-error side. Signed-off-by: Werner Koch --- common/logging.h | 26 +++++++++----------------- 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/common/logging.h b/common/logging.h index c6a32b45a..e1bf56b17 100644 --- a/common/logging.h +++ b/common/logging.h @@ -70,21 +70,15 @@ estream_t log_get_stream (void); : _log_assert (#expr, __FILE__, __LINE__)) #endif /*!GPGRT_HAVE_MACRO_FUNCTION*/ +/* Flag values for log_set_prefix. */ +#define GPGRT_LOG_WITH_PREFIX 1 +#define GPGRT_LOG_WITH_TIME 2 +#define GPGRT_LOG_WITH_PID 4 +#define GPGRT_LOG_RUN_DETACHED 256 +#define GPGRT_LOG_NO_REGISTRY 512 -/* If we use an older libgpg-error we need to define the constants - * which will be used by current libgpg-error development - * versions. */ -#ifndef GPGRT_LOG_WITH_PREFIX - - /* Flag values for log_set_prefix. */ -# define GPGRT_LOG_WITH_PREFIX 1 -# define GPGRT_LOG_WITH_TIME 2 -# define GPGRT_LOG_WITH_PID 4 -# define GPGRT_LOG_RUN_DETACHED 256 -# define GPGRT_LOG_NO_REGISTRY 512 - - /* Log levels as used by log_log. */ - enum jnlib_log_levels { +/* Log levels as used by log_log. */ +enum jnlib_log_levels { GPGRT_LOG_BEGIN, GPGRT_LOG_CONT, GPGRT_LOG_INFO, 
@@ -93,9 +87,7 @@ estream_t log_get_stream (void); GPGRT_LOG_FATAL, GPGRT_LOG_BUG, GPGRT_LOG_DEBUG - }; -#endif /* Old libgpg-error. */ - +}; void log_log (int level, const char *fmt, ...) GPGRT_ATTR_PRINTF(2,3); void log_logv (int level, const char *fmt, va_list arg_ptr); void log_logv_with_prefix (int level, const char *prefix, -- cgit v1.2.3 From 3e72143023aa8a01d3e648797df89ae106e24e88 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 11 Dec 2017 10:17:59 +0100 Subject: doc: Typo fix -- --- doc/gpg-agent.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index 10f8900ca..65df9708b 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -655,7 +655,7 @@ transitioned from using MD5 to the more secure SHA256. @item --auto-expand-secmem @var{n} @opindex auto-expand-secmem -gAllow Libgcrypt to expand its secure memory area as required. The +Allow Libgcrypt to expand its secure memory area as required. The optional value @var{n} is a non-negative integer with a suggested size in bytes of each additionally allocated secure memory area. The value is rounded up to the next 32 KiB; usual C style prefixes are allowed. -- cgit v1.2.3