[git] GnuPG - branch, master, updated. post-nuke-of-trailing-ws-84-g14e0b60

by Werner Koch cvs at cvs.gnupg.org
Mon Aug 8 11:24:46 CEST 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, master has been updated
       via  14e0b60efd9d9ef40cdae7e3b5ad2b41e62c1186 (commit)
       via  663768f9af49098ce91e59b27c58192c09280c3a (commit)
      from  fe8619d29ca599cc9f38538db62d1dd42bfbee40 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 14e0b60efd9d9ef40cdae7e3b5ad2b41e62c1186
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Aug 8 10:44:03 2011 +0200

    Adjust for signed integer passed to OpenPGP card decrypt.

diff --git a/scd/ChangeLog b/scd/ChangeLog
index 9c4d035..4f2d2f2 100644
--- a/scd/ChangeLog
+++ b/scd/ChangeLog
@@ -1,3 +1,8 @@
+2011-08-08  Werner Koch  <wk at g10code.com>
+
+	* app-openpgp.c (do_decipher): Take care of accidentally passed
+	signed integer data with a leading 0.
+
 2011-06-16  Werner Koch  <wk at g10code.com>
 
 	* app-openpgp.c (send_key_data): Implemented chunked mode.
diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index fef17fa..eb0b4f0 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -3367,17 +3367,19 @@ do_decipher (app_t app, const char *keyidstr,
   rc = verify_chv2 (app, pincb, pincb_arg);
   if (!rc)
     {
-      size_t fixuplen;
+      int fixuplen;
       unsigned char *fixbuf = NULL;
       int padind = 0;
 
       /* We might encounter a couple of leading zeroes in the
-         cryptogram.  Due to internal use of MPIs thease leading
-         zeroes are stripped.  However the OpenPGP card expects
-         exactly 128 bytes for the cryptogram (for a 1k key).  Thus we
-         need to fix it up.  We do this for up to 16 leading zero
-         bytes; a cryptogram with more than this is with a very high
-         probability anyway broken.  */
+         cryptogram.  Due to internal use of MPIs these leading zeroes
+         are stripped.  However the OpenPGP card expects exactly 128
+         bytes for the cryptogram (for a 1k key).  Thus we need to fix
+         it up.  We do this for up to 16 leading zero bytes; a
+         cryptogram with more than this is with a very high
+         probability anyway broken.  If a signed conversion was used
+         we may also encounter one leading zero followed by the correct
+         length.  We fix that as well.  */
       if (indatalen >= (128-16) && indatalen < 128)      /* 1024 bit key.  */
         fixuplen = 128 - indatalen;
       else if (indatalen >= (192-16) && indatalen < 192) /* 1536 bit key.  */
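
Review bot: the declaration `int fixuplen;` at the top of this hunk now carries two meanings, a byte count when positive and a flag for the signed-conversion case when negative, and nothing at the declaration says so. A one-line comment there, or a separate flag variable, would make the later `fixuplen > 0` and `fixuplen < 0` tests easier to follow. If `indatalen` is an unsigned type, an explicit cast in `fixuplen = 128 - indatalen` and its siblings would also make the narrowing to int deliberate; the range checks keep the result between 1 and 16.
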
@@ -3388,10 +3390,16 @@ do_decipher (app_t app, const char *keyidstr,
         fixuplen = 384 - indatalen;
       else if (indatalen >= (512-16) && indatalen < 512) /* 4096 bit key.  */
         fixuplen = 512 - indatalen;
+      else if (!*(const char *)indata && (indatalen == 129
+                                          || indatalen == 193
+                                          || indatalen == 257
+                                          || indatalen == 385
+                                          || indatalen == 513))
+        fixuplen = -1;
       else
         fixuplen = 0;
 
-      if (fixuplen)
+      if (fixuplen > 0)
         {
           /* While we have to prepend stuff anyway, we can also
              include the padding byte here so that iso1816_decipher
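
Review bot: in the new `else if`, `!*(const char *)indata` is evaluated before the length comparisons, so the first byte is read for every length that falls through the earlier ranges, including a zero-length input unless a check outside the visible lines rules that out. Putting the `indatalen == 129 || ...` group first and the byte test second keeps the read inside the buffer. The cast could also be `const unsigned char *` to match `fixbuf`; for a comparison against zero the result is the same.
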
@@ -3408,6 +3416,11 @@ do_decipher (app_t app, const char *keyidstr,
           indatalen = fixuplen + indatalen;
           padind = -1; /* Already padded.  */
         }
+      else if (fixuplen < 0)
+        {
+          /* We use the extra leading zero as the padding byte.  */
+          padind = -1;
+        }
 
       if (app->app_local->cardcap.ext_lc_le && indatalen > 254 )
         {
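
Review bot: the new `else if (fixuplen < 0)` branch sets `padind = -1` but leaves `indata` and `indatalen` as passed in, so the `indatalen > 254` test right after it sees the length with the extra byte included (257, 385, 513). The comment in the branch could state that this is intended and that the leading zero is sent in place of the padding byte, so a later reader does not "fix" the length.
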

commit 663768f9af49098ce91e59b27c58192c09280c3a
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Aug 8 10:17:33 2011 +0200

    Minor doc updates v2.0 vs. v2.1)

diff --git a/.gitignore b/.gitignore
index 6eeeb5c..d5ccfa0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,6 +46,7 @@ common/t-sexputil
 common/t-sysutils
 common/t-stringhelp
 common/t-timestuff
+common/t-ssh-utils
 doc/addgnupghome.8
 doc/applygnupgdefaults.8
 doc/faq.html
@@ -129,6 +130,9 @@ tests/private-keys-v1.d/
 tests/pubring.kbx
 tests/testdir.stamp
 tests/trustlist.txt
+tests/openpgp/*.log
+tests/openpgp/trustdb.gpg
+tests/openpgp/z
 tools/clean-sat
 tools/gpg-check-pattern
 tools/gpg-connect-agent
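
Review bot: `tests/openpgp/z` in this .gitignore hunk reads like a personal scratch file rather than a build product; if so, a local exclude file is a better place for it than the project .gitignore. The ignore entries are also not covered by the commit message, which only mentions doc updates.
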
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 8811d05..73fa2ef 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -348,11 +348,13 @@ Allow clients to mark keys as trusted, i.e. put them into the
 @file{trustlist.txt} file.  This is by default not allowed to make it
 harder for users to inadvertently accept Root-CA keys.
 
+ at ifset gpgtwoone
 @anchor{option --allow-loopback-pinentry}
 @item --allow-loopback-pinentry
 @opindex allow-loopback-pinentry
 Allow clients to use the loopback pinentry features; see the option
 @option{pinentry-mode} for details.
+ at end ifset
 
 @item --ignore-cache-for-signing
 @opindex ignore-cache-for-signing
@@ -1332,6 +1334,7 @@ See Assuan command @code{PKSIGN}.
 This does not need any value.  It is used to enable the
 PINENTRY_LAUNCHED inquiry.
 
+ at ifset gpgtwoone
 @item pinentry-mode
 This option is used to change the operation mode of the pinentry.  The
 following values are defined:
@@ -1355,12 +1358,16 @@ following values are defined:
   Use the @xref{option --allow-loopback-pinentry}.
 
   @end table
+ at end ifset
 
+ at ifset gpgtwoone
 @item cache-ttl-opt-preset
 This option sets the cache TTL for new entries created by GENKEY and
 PASSWD commands when using the @option{--preset} option.  It it is not
 used a default value is used.
+ at end ifset
 
+ at ifset gpgtwoone
 @item s2k-count
 Instead of using the standard S2K counted (which is computed on the
 fly), the given S2K count is used for new keys or when changing the
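
Review bot: the `@end ifset` / `@ifset gpgtwoone` pairs added between `pinentry-mode`, `cache-ttl-opt-preset` and `s2k-count` close and immediately reopen the same conditional; a single `@ifset gpgtwoone` block around the three adjacent items would say the same with less markup. While touching the `cache-ttl-opt-preset` paragraph, the context line "It it is not used a default value is used." could be corrected as well.
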
@@ -1368,6 +1375,7 @@ passphrase of a key.  Values below 65536 are considered to be 0.  This
 option is valid for the entire session or until reset to 0.  This
 option is useful if the key is later used on boxes which are either
 much slower or faster than the actual box.
+ at end ifset
 
 @end table
 
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 1f4950a..0de3daf 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -165,12 +165,20 @@ use @samp{--help} to get a list of supported operations.
 @table @gnupgtabopt
 @item --gen-key
 @opindex gen-key
+ at ifclear gpgtwoone
+-This command allows the creation of a certificate signing request.  It
+-is commonly used along with the @option{--output} option to save the
+-created CSR into a file.  If used with the @option{--batch} a parameter
+-file is used to create the CSR.
+ at end ifclear
+ at ifset gpgtwoone
 This command allows the creation of a certificate signing request or a
 self-signed certificate.  It is commonly used along with the
 @option{--output} option to save the created CSR or certificate into a
 file.  If used with the @option{--batch} a parameter file is used to
 create the CSR or certificate and it is further possible to create
 non-self-signed certificates.
+ at end ifset
 
 @item --list-keys
 @itemx -k
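
Review bot: the four lines added inside the `@ifclear gpgtwoone` block begin with a literal `-` ("+-This command allows ...", "+-is commonly used ..."), which looks like a leftover diff marker from pasting the old text. As committed, the 2.0 variant of the manual would render each of those lines with a leading dash; dropping the `-` from the four lines fixes it.
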
@@ -955,10 +963,16 @@ this is a missing certificate.
 @node CSR and certificate creation,,,Unattended Usage
 @section CSR and certificate creation
 
+ at ifclear gpgtwoone
+ at strong{Please notice}: The immediate creation of certificates is only
+supported by GnuPG version 2.1 or later.  With a 2.0 version you may
+only create a CSR.
+ at end ifclear
+
 The command @option{--gen-key} may be used along with the option
- at option{--batch} to either create a certificate signing request (CSR) or an
-X.509 certificate.  The is controlled by a parameter file; the format
-of this file is as follows:
+ at option{--batch} to either create a certificate signing request (CSR)
+or an X.509 certificate. The is controlled by a parameter file; the
+format of this file is as follows:
 
 @itemize @bullet
 @item Text only, line length is limited to about 1000 characters.
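
Review bot: the re-wrapped sentence still reads "The is controlled by a parameter file", so the missing word (presumably "This is controlled") carries over from the old text and could be fixed in the same change. The re-wrap also goes from two spaces to one after "certificate.", unlike the sentence spacing used in the rest of the hunk.
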

-----------------------------------------------------------------------

Summary of changes:
 .gitignore         |    4 ++++
 doc/gpg-agent.texi |    8 ++++++++
 doc/gpgsm.texi     |   20 +++++++++++++++++---
 scd/ChangeLog      |    5 +++++
 scd/app-openpgp.c  |   29 +++++++++++++++++++++--------
 5 files changed, 55 insertions(+), 11 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org



