[git] GnuPG - branch, master, updated. post-nuke-of-trailing-ws-84-g14e0b60
by Werner Koch
cvs at cvs.gnupg.org
Mon Aug 8 11:24:46 CEST 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, master has been updated
via 14e0b60efd9d9ef40cdae7e3b5ad2b41e62c1186 (commit)
via 663768f9af49098ce91e59b27c58192c09280c3a (commit)
from fe8619d29ca599cc9f38538db62d1dd42bfbee40 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 14e0b60efd9d9ef40cdae7e3b5ad2b41e62c1186
Author: Werner Koch <wk at gnupg.org>
Date: Mon Aug 8 10:44:03 2011 +0200
Adjust for signed integer passed to OpenPGP card decrypt.
diff --git a/scd/ChangeLog b/scd/ChangeLog
index 9c4d035..4f2d2f2 100644
--- a/scd/ChangeLog
+++ b/scd/ChangeLog
@@ -1,3 +1,8 @@
+2011-08-08 Werner Koch <wk at g10code.com>
+
+ * app-openpgp.c (do_decipher): Take care of accidentally passed
+ signed integer data with a leading 0.
+
2011-06-16 Werner Koch <wk at g10code.com>
* app-openpgp.c (send_key_data): Implemented chunked mode.
diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
index fef17fa..eb0b4f0 100644
--- a/scd/app-openpgp.c
+++ b/scd/app-openpgp.c
@@ -3367,17 +3367,19 @@ do_decipher (app_t app, const char *keyidstr,
rc = verify_chv2 (app, pincb, pincb_arg);
if (!rc)
{
- size_t fixuplen;
+ int fixuplen;
unsigned char *fixbuf = NULL;
int padind = 0;
/* We might encounter a couple of leading zeroes in the
- cryptogram. Due to internal use of MPIs thease leading
- zeroes are stripped. However the OpenPGP card expects
- exactly 128 bytes for the cryptogram (for a 1k key). Thus we
- need to fix it up. We do this for up to 16 leading zero
- bytes; a cryptogram with more than this is with a very high
- probability anyway broken. */
+ cryptogram. Due to internal use of MPIs these leading zeroes
+ are stripped. However the OpenPGP card expects exactly 128
+ bytes for the cryptogram (for a 1k key). Thus we need to fix
+ it up. We do this for up to 16 leading zero bytes; a
+ cryptogram with more than this is with a very high
+ probability anyway broken. If a signed conversion was used
+ we may also encounter one leading zero followed by the correct
+ length. We fix that as well. */
if (indatalen >= (128-16) && indatalen < 128) /* 1024 bit key. */
fixuplen = 128 - indatalen;
else if (indatalen >= (192-16) && indatalen < 192) /* 1536 bit key. */
@@ -3388,10 +3390,16 @@ do_decipher (app_t app, const char *keyidstr,
fixuplen = 384 - indatalen;
else if (indatalen >= (512-16) && indatalen < 512) /* 4096 bit key. */
fixuplen = 512 - indatalen;
+ else if (!*(const char *)indata && (indatalen == 129
+ || indatalen == 193
+ || indatalen == 257
+ || indatalen == 385
+ || indatalen == 513))
+ fixuplen = -1;
else
fixuplen = 0;
- if (fixuplen)
+ if (fixuplen > 0)
{
/* While we have to prepend stuff anyway, we can also
include the padding byte here so that iso1816_decipher
@@ -3408,6 +3416,11 @@ do_decipher (app_t app, const char *keyidstr,
indatalen = fixuplen + indatalen;
padind = -1; /* Already padded. */
}
+ else if (fixuplen < 0)
+ {
+ /* We use the extra leading zero as the padding byte. */
+ padind = -1;
+ }
if (app->app_local->cardcap.ext_lc_le && indatalen > 254 )
{
commit 663768f9af49098ce91e59b27c58192c09280c3a
Author: Werner Koch <wk at gnupg.org>
Date: Mon Aug 8 10:17:33 2011 +0200
Minor doc updates v2.0 vs. v2.1)
diff --git a/.gitignore b/.gitignore
index 6eeeb5c..d5ccfa0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -46,6 +46,7 @@ common/t-sexputil
common/t-sysutils
common/t-stringhelp
common/t-timestuff
+common/t-ssh-utils
doc/addgnupghome.8
doc/applygnupgdefaults.8
doc/faq.html
@@ -129,6 +130,9 @@ tests/private-keys-v1.d/
tests/pubring.kbx
tests/testdir.stamp
tests/trustlist.txt
+tests/openpgp/*.log
+tests/openpgp/trustdb.gpg
+tests/openpgp/z
tools/clean-sat
tools/gpg-check-pattern
tools/gpg-connect-agent
diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi
index 8811d05..73fa2ef 100644
--- a/doc/gpg-agent.texi
+++ b/doc/gpg-agent.texi
@@ -348,11 +348,13 @@ Allow clients to mark keys as trusted, i.e. put them into the
@file{trustlist.txt} file. This is by default not allowed to make it
harder for users to inadvertently accept Root-CA keys.
+ at ifset gpgtwoone
@anchor{option --allow-loopback-pinentry}
@item --allow-loopback-pinentry
@opindex allow-loopback-pinentry
Allow clients to use the loopback pinentry features; see the option
@option{pinentry-mode} for details.
+ at end ifset
@item --ignore-cache-for-signing
@opindex ignore-cache-for-signing
@@ -1332,6 +1334,7 @@ See Assuan command @code{PKSIGN}.
This does not need any value. It is used to enable the
PINENTRY_LAUNCHED inquiry.
+ at ifset gpgtwoone
@item pinentry-mode
This option is used to change the operation mode of the pinentry. The
following values are defined:
@@ -1355,12 +1358,16 @@ following values are defined:
Use the @xref{option --allow-loopback-pinentry}.
@end table
+ at end ifset
+ at ifset gpgtwoone
@item cache-ttl-opt-preset
This option sets the cache TTL for new entries created by GENKEY and
PASSWD commands when using the @option{--preset} option. It it is not
used a default value is used.
+ at end ifset
+ at ifset gpgtwoone
@item s2k-count
Instead of using the standard S2K counted (which is computed on the
fly), the given S2K count is used for new keys or when changing the
@@ -1368,6 +1375,7 @@ passphrase of a key. Values below 65536 are considered to be 0. This
option is valid for the entire session or until reset to 0. This
option is useful if the key is later used on boxes which are either
much slower or faster than the actual box.
+ at end ifset
@end table
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 1f4950a..0de3daf 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -165,12 +165,20 @@ use @samp{--help} to get a list of supported operations.
@table @gnupgtabopt
@item --gen-key
@opindex gen-key
+ at ifclear gpgtwoone
+-This command allows the creation of a certificate signing request. It
+-is commonly used along with the @option{--output} option to save the
+-created CSR into a file. If used with the @option{--batch} a parameter
+-file is used to create the CSR.
+ at end ifclear
+ at ifset gpgtwoone
This command allows the creation of a certificate signing request or a
self-signed certificate. It is commonly used along with the
@option{--output} option to save the created CSR or certificate into a
file. If used with the @option{--batch} a parameter file is used to
create the CSR or certificate and it is further possible to create
non-self-signed certificates.
+ at end ifset
@item --list-keys
@itemx -k
@@ -955,10 +963,16 @@ this is a missing certificate.
@node CSR and certificate creation,,,Unattended Usage
@section CSR and certificate creation
+ at ifclear gpgtwoone
+ at strong{Please notice}: The immediate creation of certificates is only
+supported by GnuPG version 2.1 or later. With a 2.0 version you may
+only create a CSR.
+ at end ifclear
+
The command @option{--gen-key} may be used along with the option
- at option{--batch} to either create a certificate signing request (CSR) or an
-X.509 certificate. The is controlled by a parameter file; the format
-of this file is as follows:
+ at option{--batch} to either create a certificate signing request (CSR)
+or an X.509 certificate. The is controlled by a parameter file; the
+format of this file is as follows:
@itemize @bullet
@item Text only, line length is limited to about 1000 characters.
-----------------------------------------------------------------------
Summary of changes:
.gitignore | 4 ++++
doc/gpg-agent.texi | 8 ++++++++
doc/gpgsm.texi | 20 +++++++++++++++++---
scd/ChangeLog | 5 +++++
scd/app-openpgp.c | 29 +++++++++++++++++++++--------
5 files changed, 55 insertions(+), 11 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org
More information about the Gnupg-commits
mailing list