[svn] GnuPG - r4444 - in trunk: . doc g10 tests/openpgp
svn author wk
cvs at cvs.gnupg.org
Mon Mar 5 15:56:34 CET 2007
Author: wk
Date: 2007-03-05 15:56:31 +0100 (Mon, 05 Mar 2007)
New Revision: 4444
Modified:
trunk/NEWS
trunk/doc/ChangeLog
trunk/doc/gpg.texi
trunk/g10/ChangeLog
trunk/g10/gpg.c
trunk/g10/mainproc.c
trunk/g10/options.h
trunk/g10/status.c
trunk/g10/status.h
trunk/tests/openpgp/ChangeLog
trunk/tests/openpgp/verify.test
Log:
Ported multiple-messages protection.
Modified: trunk/NEWS
===================================================================
--- trunk/NEWS 2007-03-05 10:46:33 UTC (rev 4443)
+++ trunk/NEWS 2007-03-05 14:56:31 UTC (rev 4444)
@@ -1,6 +1,13 @@
Noteworthy changes in version 2.0.3
------------------------------------------------
+ * By default, do not allow processing multiple plaintexts in a single
+ stream. Many programs that called GnuPG were assuming that GnuPG
+ did not permit this, and were thus not using the plaintext boundary
+ status tags that GnuPG provides. This change makes GnuPG reject
+ such messages by default which makes those programs safe again.
+ --allow-multiple-messages returns to the old behavior.
+
* New --verify-option show-primary-uid-only.
Modified: trunk/doc/ChangeLog
===================================================================
--- trunk/doc/ChangeLog 2007-03-05 10:46:33 UTC (rev 4443)
+++ trunk/doc/ChangeLog 2007-03-05 14:56:31 UTC (rev 4444)
@@ -1,3 +1,8 @@
+2007-03-04 David Shaw <dshaw at jabberwocky.com>
+
+ * gpg.texi (GPG Esoteric Options): Document
+ --allow-multiple-messages.
+
2007-02-26 Werner Koch <wk at g10code.com>
* gpg.texi (GPG Configuration): Document envvar LANGUAGE.
Modified: trunk/doc/gpg.texi
===================================================================
--- trunk/doc/gpg.texi 2007-03-05 10:46:33 UTC (rev 4443)
+++ trunk/doc/gpg.texi 2007-03-05 14:56:31 UTC (rev 4444)
@@ -1985,7 +1985,7 @@
@c ******** ESOTERIC OPTIONS ***************
@c *******************************************
@node GPG Esoteric Options
- at subsection Doing things one usually don't want to do.
+ at subsection Doing things one usually doesn't want to do.
@table @gnupgtabopt
@@ -2380,11 +2380,13 @@
@item --allow-secret-key-import
This is an obsolete option and is not used anywhere.
- at item --allow-multisig-verification
-Allow verification of concatenated signed messages. This will run a
-signature verification for each data+signature block. There are some
-security issues with this option and thus it is off by default. Note
-that versions of GPG prior to version 1.4.3 implicitly allowed this.
+ at item --allow-multiple-messages
+ at item --no-allow-multiple-messages
+Allow processing of multiple OpenPGP messages contained in a single
+file or stream. Some programs that call GPG are not prepared to deal
+with multiple messages being processed together, so this option
+defaults to no. Note that versions of GPG prior to 1.4.7 always
+allowed multiple messages.
@item --enable-special-filenames
This options enables a mode in which filenames of the form
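Review bot: the new @item text for --allow-multiple-messages says only that versions prior to 1.4.7 always allowed multiple messages, but this is the 2.0 manual and the NEWS entry in this commit lists the change under 2.0.3; name the 2.0 release as well so 2.0 users can tell where the default changed. The entry for --allow-multisig-verification is removed although gpg.c still accepts that option and now maps it to the same flag, so a one-line mention that it is kept as an alias would help callers with existing scripts. It would also be worth stating what a caller sees when a second message is rejected (the ERROR status line and a failing exit), since the stated purpose is to protect programs that call GPG.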
Modified: trunk/g10/ChangeLog
===================================================================
--- trunk/g10/ChangeLog 2007-03-05 10:46:33 UTC (rev 4443)
+++ trunk/g10/ChangeLog 2007-03-05 14:56:31 UTC (rev 4444)
@@ -1,3 +1,20 @@
+2007-03-05 Werner Koch <wk at g10code.com>
+
+ Converted this file to UTF-8.
+
+ Ported David and my multiple messages changes from 1.4.7.
+
+ * options.h, gpg.c (main), mainproc.c (check_sig_and_print): Allow
+ multiple sig verification again as this is protected via the
+ multiple-messages code. New option --allow-multiple-messages and
+ --no variant.
+ * status.h (STATUS_ERROR): New status code.
+ * status.c (get_status_string): Ditto.
+ * mainproc.c (proc_plaintext): Emit it if multiple messages are
+ detected. Error out if more than one plaintext packet is
+ encountered.
+ * mainproc.c (literals_seen): New.
+
2007-02-26 Werner Koch <wk at g10code.com>
* gpg.c (main): Add verify option show-primary-uid-only.
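Review bot: the entry records "Converted this file to UTF-8" alongside the multiple-messages port, and the re-encoding accounts for most of the later hunks in this file. Bundling a whole-file encoding change with a security-relevant behaviour change makes the functional part harder to audit and to backport; committing the conversion separately would keep this revision's diff to the lines that matter.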
@@ -1756,7 +1773,7 @@
2003-04-10 Werner Koch <wk at gnupg.org>
* passphrase.c (read_passphrase_from_fd): Do a dummy read if the
- agent is to be used. Noted by Ingo Klöcker.
+ agent is to be used. Noted by Ingo Klöcker.
(agent_get_passphrase): Inhibit caching when we have no
fingerprint. This is required for key generation as well as for
symmetric only encryption.
@@ -2699,7 +2716,7 @@
warning.
* passphrase.c (agent_get_passphrase): Fixed signed/unsigned char
- problem in %-escaping. Noted by Ingo Klöcker.
+ problem in %-escaping. Noted by Ingo Klöcker.
2002-10-03 David Shaw <dshaw at jabberwocky.com>
@@ -7027,12 +7044,12 @@
Thu Feb 10 17:39:44 CET 2000 Werner Koch <wk at gnupg.de>
* keyedit.c (menu_expire): Fixed segv due to unitialized sub_pk.
- By Rémi.
+ By Rémi.
Thu Feb 10 11:39:41 CET 2000 Werner Koch <wk at gnupg.de>
* keylist.c (list_keyblock): Don't print warnings in the middle of
- regulat output lines. By Rémi.
+ regulat output lines. By Rémi.
* sig-check.c: Include options.h
@@ -7622,7 +7639,7 @@
* g10.c (main): Fix for SHM init (Michael).
* compress.c, encr-data.c, mdfilter.c,
- plaintext.c, free-packet.c: Speed patches (Rémi).
+ plaintext.c, free-packet.c: Speed patches (Rémi).
Thu May 27 09:40:55 CEST 1999 Werner Koch <wk at isil.d.shuttle.de>
@@ -7647,7 +7664,7 @@
Tue May 25 19:50:32 CEST 1999 Werner Koch <wk at isil.d.shuttle.de>
* sign.c (sign_file): Always use compression algo 1 for signed
- onyl file becuase we can´ be sure the the verifier supports other
+ onyl file becuase we can´ be sure the the verifier supports other
algorithms.
* build-packet.c (build_sig_subpkt): Support for notation data.
@@ -7837,7 +7854,7 @@
(protect_secret_key). Ditto.
* misc.c (print_cipher_algo_note): Twofish is now a standard algo.
- * keygen.c (do_create): Fixed spelling (Gaël Quéri)
+ * keygen.c (do_create): Fixed spelling (Gaël Quéri)
(ask_keysize): Only allow keysizes up to 4096
* ringedit.c (add_keyblock_resource): chmod newly created secrings.
@@ -7880,7 +7897,7 @@
* trustdb.c (insert_trust_record): Always use the primary key.
- * encode.c (encode_simple): Added text_mode filter (Rémi Guyomarch)
+ * encode.c (encode_simple): Added text_mode filter (Rémi Guyomarch)
(encode_crypt): Ditto.
* mainproc.c (proc_pubkey_enc): Added status ENC_TO.
@@ -9261,7 +9278,7 @@
Wed Apr 8 09:47:21 1998 Werner Koch (wk at isil.d.shuttle.de)
- * sig-check.c (do_check): Applied small fix from Ulf Möller.
+ * sig-check.c (do_check): Applied small fix from Ulf Möller.
Tue Apr 7 19:28:07 1998 Werner Koch (wk at isil.d.shuttle.de)
@@ -9640,7 +9657,7 @@
Copyright 1998,1999,2000,2001,2002,2003,2004,2005,
- 2006 Free Software Foundation, Inc.
+ 2006,2007 Free Software Foundation, Inc.
This file is free software; as a special exception the author gives
unlimited permission to copy and/or distribute it, with or without
Modified: trunk/g10/gpg.c
===================================================================
--- trunk/g10/gpg.c 2007-03-05 10:46:33 UTC (rev 4443)
+++ trunk/g10/gpg.c 2007-03-05 14:56:31 UTC (rev 4444)
@@ -357,6 +357,8 @@
oAllowMultisigVerification,
oEnableDSA2,
oDisableDSA2,
+ oAllowMultipleMessages,
+ oNoAllowMultipleMessages,
oNoop
};
@@ -692,6 +694,8 @@
{ oAllowMultisigVerification, "allow-multisig-verification", 0, "@"},
{ oEnableDSA2, "enable-dsa2", 0, "@"},
{ oDisableDSA2, "disable-dsa2", 0, "@"},
+ { oAllowMultipleMessages, "allow-multiple-messages", 0, "@"},
+ { oNoAllowMultipleMessages, "no-allow-multiple-messages", 0, "@"},
/* These two are aliases to help users of the PGP command line
product use gpg with minimal pain. Many commands are common
@@ -2807,13 +2811,18 @@
release_akl();
break;
- case oAllowMultisigVerification:
- opt.allow_multisig_verification = 1;
- break;
-
case oEnableDSA2: opt.flags.dsa2=1; break;
case oDisableDSA2: opt.flags.dsa2=0; break;
+ case oAllowMultisigVerification:
+ case oAllowMultipleMessages:
+ opt.flags.allow_multiple_messages=1;
+ break;
+
+ case oNoAllowMultipleMessages:
+ opt.flags.allow_multiple_messages=0;
+ break;
+
case oNoop: break;
default : pargs.err = configfp? 1:2; break;
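Review bot: in the option switch, oAllowMultisigVerification now falls through to oAllowMultipleMessages and sets opt.flags.allow_multiple_messages=1, so an existing configuration that opted in only to concatenated-signature verification silently opts in to multiple plaintexts of any kind. Consider emitting a deprecation warning for the old spelling, or at least a comment on the fall-through, so the widened meaning is visible to whoever still has it in a config file. The old name also gets no --no variant, which is fine if it is meant to be deprecated but should be stated.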
Modified: trunk/g10/mainproc.c
===================================================================
--- trunk/g10/mainproc.c 2007-03-05 10:46:33 UTC (rev 4443)
+++ trunk/g10/mainproc.c 2007-03-05 14:56:31 UTC (rev 4444)
@@ -98,11 +98,10 @@
static int do_proc_packets( CTX c, IOBUF a );
-
static void list_node( CTX c, KBNODE node );
static void proc_tree( CTX c, KBNODE node );
+static int literals_seen;
-
static void
release_list( CTX c )
{
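Review bot: literals_seen is declared as a file-scope static rather than as a member of the processing context (the CTX c that proc_plaintext already uses), and nothing in this diff resets it. If one gpg process handles more than one input, or processing nests, the first literal packet of a later input would already find literals_seen>1 and be rejected as a multiple-message stream. Either move the counter into the context or add an explicit reset at the start of each top-level input, and add a comment on the declaration saying what it counts.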
@@ -596,6 +595,8 @@
int any, clearsig, only_md5, rc;
KBNODE n;
+ literals_seen++;
+
if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) )
log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n"));
else if( opt.verbose )
@@ -683,13 +684,30 @@
gcry_md_start_debug ( c->mfx.md2, "verify2" );
}
- rc = handle_plaintext( pt, &c->mfx, c->sigs_only, clearsig );
- if ( gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only )
+ rc=0;
+
+ if (literals_seen>1)
{
- /* Can't write output but we hash it anyway to check the
- signature. */
- rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
+ log_info (_("WARNING: multiple plaintexts seen\n"));
+
+ if (!opt.flags.allow_multiple_messages)
+ {
+ write_status_text (STATUS_ERROR, "proc_pkt.plaintext 89_BAD_DATA");
+ log_inc_errorcount ();
+ rc = gpg_error (GPG_ERR_UNEXPECTED);
+ }
}
+
+ if(!rc)
+ {
+ rc = handle_plaintext( pt, &c->mfx, c->sigs_only, clearsig );
+ if ( gpg_err_code (rc) == GPG_ERR_EACCES && !c->sigs_only )
+ {
+ /* Can't write output but we hash it anyway to check the
+ signature. */
+ rc = handle_plaintext( pt, &c->mfx, 1, clearsig );
+ }
+ }
if( rc )
log_error( "handle plaintext failed: %s\n", g10_errstr(rc));
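Review bot: in the literals_seen>1 branch the status line reports 89_BAD_DATA as a hard-coded string while rc is set to GPG_ERR_UNEXPECTED, so a caller reading the status fd and a caller reading the log see two different errors for the same event. Build the status text from the same error value that is returned, or return the error the status line names. Because rc is non-zero, the existing log_error at the end of the hunk then prints "handle plaintext failed" even though handle_plaintext was never called; a dedicated message for the rejection would be clearer. The log_info text is also labelled WARNING in the case where processing is actually aborted.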
@@ -1512,8 +1530,17 @@
n_sig++;
if (!n_sig)
goto ambiguous;
- if (n && !opt.allow_multisig_verification)
- goto ambiguous;
+
+ /* If we wanted to disallow multiple sig verification, we'd do
+ something like this:
+
+ if (n && !opt.allow_multisig_verification)
+ goto ambiguous;
+
+ However, now that we have --allow-multiple-messages, this
+ can stay allowable as we can't get here unless multiple
+ messages (i.e. multiple literals) are allowed. */
+
if (n_onepass != n_sig)
{
log_info ("number of one-pass packets does not match "
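Review bot: the comment that replaces the check keeps dead code referring to opt.allow_multisig_verification, a field this commit deletes from options.h, so the snippet could no longer be restored as written. Describe the reasoning in prose instead. Since dropping the goto ambiguous now depends entirely on the literals_seen guard in proc_plaintext, consider keeping a cheap defensive check here keyed on opt.flags.allow_multiple_messages rather than relying on an invariant enforced in another function.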
Modified: trunk/g10/options.h
===================================================================
--- trunk/g10/options.h 2007-03-05 10:46:33 UTC (rev 4443)
+++ trunk/g10/options.h 2007-03-05 14:56:31 UTC (rev 4444)
@@ -227,6 +227,7 @@
unsigned int use_embedded_filename:1;
unsigned int utf8_filename:1;
unsigned int dsa2:1;
+ unsigned int allow_multiple_messages:1;
} flags;
/* Linked list of ways to find a key if the key isn't on the local
@@ -238,8 +239,6 @@
struct akl *next;
} *auto_key_locate;
- /* True if multiple concatenated signatures may be verified. */
- int allow_multisig_verification;
int passwd_repeat;
} opt;
Modified: trunk/g10/status.c
===================================================================
--- trunk/g10/status.c 2007-03-05 10:46:33 UTC (rev 4443)
+++ trunk/g10/status.c 2007-03-05 14:56:31 UTC (rev 4444)
@@ -148,6 +148,7 @@
case STATUS_PKA_TRUST_BAD : s = "PKA_TRUST_BAD"; break;
case STATUS_PKA_TRUST_GOOD : s = "PKA_TRUST_GOOD"; break;
case STATUS_BEGIN_SIGNING : s = "BEGIN_SIGNING"; break;
+ case STATUS_ERROR : s = "ERROR"; break;
default: s = "?"; break;
}
return s;
Modified: trunk/g10/status.h
===================================================================
--- trunk/g10/status.h 2007-03-05 10:46:33 UTC (rev 4443)
+++ trunk/g10/status.h 2007-03-05 14:56:31 UTC (rev 4444)
@@ -120,7 +120,9 @@
#define STATUS_BEGIN_SIGNING 84
+#define STATUS_ERROR 85
+
/*-- status.c --*/
void set_status_fd ( int fd );
int is_status_enabled ( void );
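Review bot: STATUS_ERROR is added as code 85 with no comment describing its arguments, and the only documentation file touched in this commit is gpg.texi. Programs parsing the status fd need the format of the line (here a location token followed by an error token, as in "proc_pkt.plaintext 89_BAD_DATA") written down where the other status keywords are described, otherwise they cannot act on it reliably.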
Modified: trunk/tests/openpgp/ChangeLog
===================================================================
--- trunk/tests/openpgp/ChangeLog 2007-03-05 10:46:33 UTC (rev 4443)
+++ trunk/tests/openpgp/ChangeLog 2007-03-05 14:56:31 UTC (rev 4444)
@@ -1,3 +1,9 @@
+2007-03-04 David Shaw <dshaw at jabberwocky.com> (wk)
+
+ * verify.test: Use --allow-multiple-messages instead of
+ --allow-multisig-verification. Two clearsigs in a row counds as a
+ multiple-message test.
+
2006-11-16 Werner Koch <wk at g10code.com>
* Makefile.am (plain-large): Use gpg.texi instead of FAQ which
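Review bot: typo in the new verify.test entry, "counds" should be "counts".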
Modified: trunk/tests/openpgp/verify.test
===================================================================
--- trunk/tests/openpgp/verify.test 2007-03-05 10:46:33 UTC (rev 4443)
+++ trunk/tests/openpgp/verify.test 2007-03-05 14:56:31 UTC (rev 4444)
@@ -121,8 +121,8 @@
# Two standard signed messages in a row
-tests="$tests msg_olsols_asc_multisig"
-msg_olsols_asc_multisig='-----BEGIN PGP MESSAGE-----
+tests="$tests msg_olsols_asc_multiple"
+msg_olsols_asc_multiple='-----BEGIN PGP MESSAGE-----
kA0DAAIRLXJ8x2hpdzQBrQEHYgNtc2dEDFJaSSB0aGluayB0aGF0IGFsbCByaWdo
dC10aGlua2luZyBwZW9wbGUgaW4gdGhpcyBjb3VudHJ5IGFyZSBzaWNrIGFuZAp0
@@ -215,8 +215,8 @@
`
# Two clear text signatures in a row
-tests="$tests msg_clsclss_asc"
-msg_clsclss_asc="${msg_cls_asc}
+tests="$tests msg_clsclss_asc_multiple"
+msg_clsclss_asc_multiple="${msg_cls_asc}
${msg_clss_asc}"
@@ -233,8 +233,8 @@
msg_*_asc)
$GPG --verify x || error "verify of $i failed"
;;
- msg_*_asc_multisig)
- $GPG --verify --allow-multisig-verification x \
+ msg_*_asc_multiple)
+ $GPG --verify --allow-multiple-messages x \
|| error "verify of $i failed"
$GPG --verify x && error "verify of $i succeeded but should not"
;;
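Review bot: the msg_*_asc_multiple case checks only the exit status of the default-mode run ($GPG --verify x && error ...), so it would pass for any failure, not specifically the multiple-plaintext rejection. Since this commit introduces the ERROR status line for that case, have the test capture the status output and require that line, so a run that fails for an unrelated reason is not mistaken for the protection working.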