[git] GnuPG - branch, STABLE-BRANCH-1-4, updated. gnupg-1.4.14-16-g0a10f1f
by Werner Koch
cvs at cvs.gnupg.org
Fri Oct 4 22:03:04 CEST 2013
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, STABLE-BRANCH-1-4 has been updated
via 0a10f1f91e487d917b6141a4c16e24235a26f311 (commit)
via 8707657fe635b50a5e1a4ed804ea2645c1427ac6 (commit)
via ffa1ef4c84f734bdcadc784944f16fe6f60a1594 (commit)
via f5c32bd1c6416c97762d7960c94d6f536e259cfa (commit)
via 4a06d9a600def07fdcbb9a6a9500776767d3c2f4 (commit)
via d74dd36c11f1643bd92efb50714e2448cdb885d0 (commit)
via fe0fb5e6b0bb351eb6244e290e112a22a68472d8 (commit)
via 27d0f32f77fbef59ddf7c6d79b5b4adee6b2e6ac (commit)
via 69088ac76fd4b9f303edf3c1453088dda8596399 (commit)
via f10b184e48015f30849d7611bd9654ed23b91211 (commit)
from d90a1d23404f482cc4a5a2b2ee0f296d67ff2227 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 0a10f1f91e487d917b6141a4c16e24235a26f311
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 4 21:29:50 2013 +0200
Post release updates.
--
diff --git a/NEWS b/NEWS
index c948530..ca4bfca 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,7 @@
+Noteworthy changes in version 1.4.16 (unreleased)
+-------------------------------------------------
+
+
Noteworthy changes in version 1.4.15 (2013-10-04)
-------------------------------------------------
diff --git a/configure.ac b/configure.ac
index 88701fb..1b6f7e5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -26,7 +26,7 @@ min_automake_version="1.9.3"
# (git tag -s gnupg-1.n.m) and run "./autogen.sh --force". Please
# bump the version number immediately *after* the release and do
# another commit and push so that the git magic is able to work.
-m4_define([mym4_version], [1.4.15])
+m4_define([mym4_version], [1.4.16])
# Below is m4 magic to extract and compute the git revision number,
# the decimalized short revision number, a beta version string and a
commit 8707657fe635b50a5e1a4ed804ea2645c1427ac6
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 4 21:10:52 2013 +0200
Release 1.4.15
diff --git a/NEWS b/NEWS
index 6223900..c948530 100644
--- a/NEWS
+++ b/NEWS
@@ -1,7 +1,14 @@
-Noteworthy changes in version 1.4.15 (unreleased)
+Noteworthy changes in version 1.4.15 (2013-10-04)
-------------------------------------------------
- * Fixed bug with deeply nested compressed packets.
+ * Fixed possible infinite recursion in the compressed packet
+ parser. [CVE-2013-4402]
+
+ * Protect against rogue keyservers sending secret keys.
+
+ * Use 2048 bit also as default for batch key generation.
+
+ * Minor bug fixes.
Noteworthy changes in version 1.4.14 (2013-07-25)
@@ -9,6 +16,7 @@ Noteworthy changes in version 1.4.14 (2013-07-25)
* Mitigate the Yarom/Falkner flush+reload side-channel attack on
RSA secret keys. See <http://eprint.iacr.org/2013/448>.
+ [CVE-2013-4242]
* Fixed IDEA for big-endian CPUs
commit ffa1ef4c84f734bdcadc784944f16fe6f60a1594
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 4 21:03:40 2013 +0200
po: Autoupdate due to changed order of strings.
--
diff --git a/po/be.po b/po/be.po
index 4f1ea18..9add96e 100644
--- a/po/be.po
+++ b/po/be.po
@@ -1938,15 +1938,15 @@ msgstr "паказаць ÑÑŒÐ¿Ñ–Ñ ÐºÐ»ÑŽÑ‡Ð¾Ñž Ñ– подпіÑаў"
msgid "key %s: \"%s\" not changed\n"
msgstr ""
-#, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr ""
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "ÑакрÑтны ключ недаÑтупны"
#, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr ""
+
+#, c-format
msgid "no default secret keyring: %s\n"
msgstr ""
diff --git a/po/ca.po b/po/ca.po
index 5a77110..bc6e6c6 100644
--- a/po/ca.po
+++ b/po/ca.po
@@ -2158,14 +2158,14 @@ msgstr "clau %08lX: «%s» %d ID d'usuari nous\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "clau %08lX: «%s» no ha estat modificada\n"
-#, fuzzy, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr "clau %08lX: clau secreta amb xifrat %d no và lid - es descarta\n"
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "s'està escrivint la clau secreta a «%s»\n"
+#, fuzzy, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr "clau %08lX: clau secreta amb xifrat %d no và lid - es descarta\n"
+
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "no hi ha anell secret predeterminat: %s\n"
diff --git a/po/cs.po b/po/cs.po
index f1f69a5..92198da 100644
--- a/po/cs.po
+++ b/po/cs.po
@@ -2075,13 +2075,13 @@ msgstr "kl
msgid "key %s: \"%s\" not changed\n"
msgstr "klíè %s: \"%s\" beze zmìn\n"
+msgid "importing secret keys not allowed\n"
+msgstr "import tajných klíèù není povolen\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "klíè %s: tajný klíè s neplatnou ¹ifrou %d - pøeskoèeno\n"
-msgid "importing secret keys not allowed\n"
-msgstr "import tajných klíèù není povolen\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "není nastaven implicitní soubor tajných klíèù %s\n"
diff --git a/po/da.po b/po/da.po
index 68dd5ae..edcd31b 100644
--- a/po/da.po
+++ b/po/da.po
@@ -2053,13 +2053,13 @@ msgstr "nøgle %s: »%s« %d bruger-id'er renset\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "nøgle %s: »%s« ikke ændret\n"
+msgid "importing secret keys not allowed\n"
+msgstr "import af hemmelige nøgler er ikke tilladt\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "nøgle %s: hemmelig nøgle med ugyldig chiffer %d - udeladt\n"
-msgid "importing secret keys not allowed\n"
-msgstr "import af hemmelige nøgler er ikke tilladt\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "ingen hemmelig standardnøglering: %s\n"
diff --git a/po/de.po b/po/de.po
index 0562cfb..0a02fb9 100644
--- a/po/de.po
+++ b/po/de.po
@@ -2105,15 +2105,15 @@ msgstr "Schlüssel %s: \"%s\" %d User-IDs bereinigt\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "Schlüssel %s: \"%s\" nicht geändert\n"
+msgid "importing secret keys not allowed\n"
+msgstr "Importieren geheimer Schlüssel ist nicht erlaubt\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr ""
"Schlüssel %s: geheimer Schlüssel mit ungültiger Verschlüsselung %d - "
"übersprungen\n"
-msgid "importing secret keys not allowed\n"
-msgstr "Importieren geheimer Schlüssel ist nicht erlaubt\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "Kein voreingestellter geheimer Schlüsselbund: %s\n"
diff --git a/po/el.po b/po/el.po
index 7989ace..4a15778 100644
--- a/po/el.po
+++ b/po/el.po
@@ -2110,14 +2110,14 @@ msgstr "
msgid "key %s: \"%s\" not changed\n"
msgstr "êëåéäß %08lX: \"%s\" áìåôÜâëçôï\n"
-#, fuzzy, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr "êëåéäß %08lX: ìõóôéêü êëåéäß ìå Üêõñï êñõðôáëã. %d - ðáñáëåßöèçêå\n"
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "åããñáöÞ ôïõ ìõóôéêïý êëåéäéïý óôï `%s'\n"
+#, fuzzy, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr "êëåéäß %08lX: ìõóôéêü êëåéäß ìå Üêõñï êñõðôáëã. %d - ðáñáëåßöèçêå\n"
+
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "äåí õðÜñ÷åé ðñïêáèïñéóìÝíç êëåéäïèÞêç: %s\n"
diff --git a/po/eo.po b/po/eo.po
index 057d9b3..e910584 100644
--- a/po/eo.po
+++ b/po/eo.po
@@ -2078,14 +2078,14 @@ msgstr "
msgid "key %s: \"%s\" not changed\n"
msgstr "þlosilo %08lX: ne þanøita\n"
-#, fuzzy, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr "þlosilo %08lX: sekreta þlosilo sen publika þlosilo - ignorita\n"
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "skribas sekretan þlosilon al '%s'\n"
+#, fuzzy, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr "þlosilo %08lX: sekreta þlosilo sen publika þlosilo - ignorita\n"
+
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "mankas implicita sekreta þlosilaro: %s\n"
diff --git a/po/es.po b/po/es.po
index 3688810..df0a502 100644
--- a/po/es.po
+++ b/po/es.po
@@ -2082,13 +2082,13 @@ msgstr "clave %s: \"%s\" %d nuevos identificadores de usuario\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "clave %s: \"%s\" sin cambios\n"
+msgid "importing secret keys not allowed\n"
+msgstr "no se permite importar claves secretas\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "clave %s: clave secreta con cifrado inválido %d - omitida\n"
-msgid "importing secret keys not allowed\n"
-msgstr "no se permite importar claves secretas\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "no hay anillo secreto de claves por defecto: %s\n"
diff --git a/po/et.po b/po/et.po
index 4c658ca..b635ce1 100644
--- a/po/et.po
+++ b/po/et.po
@@ -2079,14 +2079,14 @@ msgstr "v
msgid "key %s: \"%s\" not changed\n"
msgstr "võti %08lX: \"%s\" ei muudetud\n"
-#, fuzzy, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr "võti %08lX: salajane võti vigase ¨ifriga %d - jätsin vahele\n"
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "kirjutan salajase võtme faili `%s'\n"
+#, fuzzy, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr "võti %08lX: salajane võti vigase ¨ifriga %d - jätsin vahele\n"
+
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "puudub salajaste võtmete vaikimisi võtmehoidla: %s\n"
diff --git a/po/fi.po b/po/fi.po
index 56925c0..a180d81 100644
--- a/po/fi.po
+++ b/po/fi.po
@@ -2111,14 +2111,14 @@ msgstr "avain %08lX: \"%s\" %d uutta käyttäjätunnusta\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "avain %08lX: \"%s\" ei muutoksia\n"
-#, fuzzy, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr "avain %08lX: avaimella on epäkelpo salain %d - ohitetaan\n"
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "kirjoitan salaisen avaimen kohteeseen \"%s\"\n"
+#, fuzzy, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr "avain %08lX: avaimella on epäkelpo salain %d - ohitetaan\n"
+
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "salaiselle avainrenkaalle ei ole asetettu oletusarvoa: %s\n"
diff --git a/po/fr.po b/po/fr.po
index d5792f6..57bc539 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -2103,13 +2103,13 @@ msgstr "clef %s : « %s » %d identités nettoyées\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "clef %s : « %s » n'est pas modifiée\n"
+msgid "importing secret keys not allowed\n"
+msgstr "impossible d'importer des clefs secrètes\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "clef %s : clef secrète avec chiffrement %d incorrect — ignorée\n"
-msgid "importing secret keys not allowed\n"
-msgstr "impossible d'importer des clefs secrètes\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "pas de porte-clefs par défaut : %s\n"
diff --git a/po/gl.po b/po/gl.po
index 078d931..3e94c4b 100644
--- a/po/gl.po
+++ b/po/gl.po
@@ -2098,14 +2098,14 @@ msgstr "chave %08lX: \"%s\" %d novos IDs de usuario\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "chave %08lX: \"%s\" sen cambios\n"
-#, fuzzy, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr "chave %08lX: chave secreta cunha cifra %d non válida - omitida\n"
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "gravando a chave secreta en `%s'\n"
+#, fuzzy, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr "chave %08lX: chave secreta cunha cifra %d non válida - omitida\n"
+
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "non hai un chaveiro privado por defecto: %s\n"
diff --git a/po/hu.po b/po/hu.po
index 0b4a2ea..4c76185 100644
--- a/po/hu.po
+++ b/po/hu.po
@@ -2086,15 +2086,15 @@ msgstr "%08lX kulcs: \"%s\" %d
msgid "key %s: \"%s\" not changed\n"
msgstr "%08lX kulcs: \"%s\" nem változott.\n"
+#, fuzzy
+msgid "importing secret keys not allowed\n"
+msgstr "Írom a titkos kulcsot a %s állományba.\n"
+
#, fuzzy, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr ""
"%08lX kulcs: Titkos kulcs érvénytelen (%d) rejtjelezõvel - kihagytam.\n"
-#, fuzzy
-msgid "importing secret keys not allowed\n"
-msgstr "Írom a titkos kulcsot a %s állományba.\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "Nincs alapértelmezett titkoskulcs-karika: %s\n"
diff --git a/po/id.po b/po/id.po
index f62ad21..e24c85e 100644
--- a/po/id.po
+++ b/po/id.po
@@ -2101,14 +2101,14 @@ msgstr "kunci %08lX: \"%s\" %d user ID baru\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "kunci %08lX: \"%s\" tidak berubah\n"
-#, fuzzy, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr "kunci %08lX: kunci rahasia dengan cipher tidak valid %d - dilewati\n"
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "menulis kunci rahasia ke `%s'\n"
+#, fuzzy, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr "kunci %08lX: kunci rahasia dengan cipher tidak valid %d - dilewati\n"
+
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "tidak ada keyring rahasia baku: %s\n"
diff --git a/po/it.po b/po/it.po
index 405eef0..fe4ef9d 100644
--- a/po/it.po
+++ b/po/it.po
@@ -2109,14 +2109,14 @@ msgstr "chiave %08lX: \"%s\" %d nuovi user ID\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "chiave %08lX: \"%s\" non cambiata\n"
-#, fuzzy, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr "chiave %08lX: chiave segreta con cifrario %d non valido - saltata\n"
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "scrittura della chiave segreta in `%s'\n"
+#, fuzzy, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr "chiave %08lX: chiave segreta con cifrario %d non valido - saltata\n"
+
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "nessun portachiavi segreto predefinito: %s\n"
diff --git a/po/ja.po b/po/ja.po
index f5847c2..109e964 100644
--- a/po/ja.po
+++ b/po/ja.po
@@ -2040,13 +2040,13 @@ msgstr "
msgid "key %s: \"%s\" not changed\n"
msgstr "¸°%s:¡È%s¡ÉÊѹ¹¤Ê¤·\n"
+msgid "importing secret keys not allowed\n"
+msgstr "ÈëÌ©¸°¤ÎÆɹþ¤ß¤Ï¶Ø»ß¤Ç¤¹\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "¸°%s: ̵¸ú¤Ê°Å¹æË¡%d¤ÎÈëÌ©¸°¤Ç¤¹ - ¤È¤Ð¤·¤Þ¤¹\n"
-msgid "importing secret keys not allowed\n"
-msgstr "ÈëÌ©¸°¤ÎÆɹþ¤ß¤Ï¶Ø»ß¤Ç¤¹\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "´ûÄê¤ÎÈëÌ©¸°Îؤ¬¤¢¤ê¤Þ¤»¤ó: %s\n"
diff --git a/po/nb.po b/po/nb.po
index 4b07169..b18fb22 100644
--- a/po/nb.po
+++ b/po/nb.po
@@ -1974,13 +1974,13 @@ msgstr "n
msgid "key %s: \"%s\" not changed\n"
msgstr "nøkkel %s: «%s» ikke endret\n"
+msgid "importing secret keys not allowed\n"
+msgstr "import av hemmelig nøkkel er ikke tillatt\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "nøkkel %s: hemmelig nøkkel med ugyldig cipher %d - hoppet over\n"
-msgid "importing secret keys not allowed\n"
-msgstr "import av hemmelig nøkkel er ikke tillatt\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "ingen standard hemmelig nøkkelknippe: %s\n"
diff --git a/po/nl.po b/po/nl.po
index 7521574..6b7d76c 100644
--- a/po/nl.po
+++ b/po/nl.po
@@ -2108,15 +2108,15 @@ msgstr "sleutel %s: “%s†%d gebruiker ID's opgeschoond\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "sleutel %s: “%s†niet veranderd\n"
+msgid "importing secret keys not allowed\n"
+msgstr "importeren van geheime sleutels is niet toegestaan\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr ""
"sleutel %s: geheime sleutel met ongeldig versleutelalgoritme %d -\n"
"overgeslagen\n"
-msgid "importing secret keys not allowed\n"
-msgstr "importeren van geheime sleutels is niet toegestaan\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "geen standaard geheim sleutelringbestand: %s\n"
diff --git a/po/pl.po b/po/pl.po
index f511d56..cfd9081 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -2050,13 +2050,13 @@ msgstr "klucz %s: ,,%s'' %d oczyszczonych identyfikator
msgid "key %s: \"%s\" not changed\n"
msgstr "klucz %s: ,,%s'' bez zmian\n"
+msgid "importing secret keys not allowed\n"
+msgstr "wczytywanie kluczy tajnych nie jest dozwolone\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "klucz %s: klucz tajny z ustawionym b³êdnym szyfrem %d - pominiêty\n"
-msgid "importing secret keys not allowed\n"
-msgstr "wczytywanie kluczy tajnych nie jest dozwolone\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "brak domy¶lnego zbioru kluczy tajnych: %s\n"
diff --git a/po/pt.po b/po/pt.po
index e8e4140..db037e0 100644
--- a/po/pt.po
+++ b/po/pt.po
@@ -2090,14 +2090,14 @@ msgstr "chave %08lX: \"%s\" %d novos IDs de utilizadores\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "chave %08lX: \"%s\" não modificada\n"
-#, fuzzy, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr "chave %08lX: chave secreta com cifra inválida %d - ignorada\n"
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "a escrever chave privada para `%s'\n"
+#, fuzzy, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr "chave %08lX: chave secreta com cifra inválida %d - ignorada\n"
+
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "sem porta-chaves público por omissão: %s\n"
diff --git a/po/pt_BR.po b/po/pt_BR.po
index d7d4a42..215ff45 100644
--- a/po/pt_BR.po
+++ b/po/pt_BR.po
@@ -2056,15 +2056,15 @@ msgstr "chave %08lX: %d novos IDs de usu
msgid "key %s: \"%s\" not changed\n"
msgstr "chave %08lX: não modificada\n"
-#, fuzzy, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr "chave %08lX: chave secreta sem chave pública - ignorada\n"
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "escrevendo certificado privado para `%s'\n"
#, fuzzy, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr "chave %08lX: chave secreta sem chave pública - ignorada\n"
+
+#, fuzzy, c-format
msgid "no default secret keyring: %s\n"
msgstr "impossível bloquear chaveiro secreto: %s\n"
diff --git a/po/ro.po b/po/ro.po
index ecdcf00..bc7d8c3 100644
--- a/po/ro.po
+++ b/po/ro.po
@@ -2070,13 +2070,13 @@ msgstr "cheia %s: \"%s\" %d ID-uri utilizator curățate\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "cheia %s: \"%s\" nu a fost schimbată\n"
+msgid "importing secret keys not allowed\n"
+msgstr "importul de chei secrete nu este permis\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "cheia %s: cheie secretă cu cifru invalid %d - sărită\n"
-msgid "importing secret keys not allowed\n"
-msgstr "importul de chei secrete nu este permis\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "nici un inel de chei secrete implicit: %s\n"
diff --git a/po/ru.po b/po/ru.po
index c7ff2ce..6e6ec64 100644
--- a/po/ru.po
+++ b/po/ru.po
@@ -2062,13 +2062,13 @@ msgstr "ключ %s: \"%s\" %d очищенных User ID\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "ключ %s: \"%s\" не изменен\n"
+msgid "importing secret keys not allowed\n"
+msgstr "импортирование Ñекретного ключа не позволено\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "ключ %s: Ñекретный ключ Ñ Ð½ÐµÐ´Ð¾Ð¿ÑƒÑтимым шифром %d - пропущен\n"
-msgid "importing secret keys not allowed\n"
-msgstr "импортирование Ñекретного ключа не позволено\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "нет оÑновной таблицы Ñекретных ключей: %s\n"
diff --git a/po/sk.po b/po/sk.po
index 21dca20..daa8d69 100644
--- a/po/sk.po
+++ b/po/sk.po
@@ -2099,14 +2099,14 @@ msgstr "k
msgid "key %s: \"%s\" not changed\n"
msgstr "kµúè %08lX: \"%s\" bez zmeny\n"
-#, fuzzy, c-format
-msgid "key %s: secret key with invalid cipher %d - skipped\n"
-msgstr "kµúè %08lX: tajný kµúè bez verejného kµúèa %d - preskoèené\n"
-
#, fuzzy
msgid "importing secret keys not allowed\n"
msgstr "zapisujem tajný kµúè do `%s'\n"
+#, fuzzy, c-format
+msgid "key %s: secret key with invalid cipher %d - skipped\n"
+msgstr "kµúè %08lX: tajný kµúè bez verejného kµúèa %d - preskoèené\n"
+
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "nie je nastavený implicitný súbor tajných kµúèov %s\n"
diff --git a/po/sv.po b/po/sv.po
index 15a9769..acd7ad8 100644
--- a/po/sv.po
+++ b/po/sv.po
@@ -2116,13 +2116,13 @@ msgstr "nyckel %s: \"%s\" %d användaridentiteter rensade\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "nyckel %s: \"%s\" inte ändrad\n"
+msgid "importing secret keys not allowed\n"
+msgstr "import av hemliga nycklar tillåts inte\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "nyckel %s: hemlig nyckel med ogiltigt chiffer %d - hoppade över\n"
-msgid "importing secret keys not allowed\n"
-msgstr "import av hemliga nycklar tillåts inte\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "ingen hemlig nyckelring angiven som standard: %s\n"
diff --git a/po/tr.po b/po/tr.po
index a6688c2..cb9af54 100644
--- a/po/tr.po
+++ b/po/tr.po
@@ -2045,13 +2045,13 @@ msgstr "anahtar %s: \"%s\" %d yeni kullanıcı kimliği\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "anahtar %s: \"%s\" deÄŸiÅŸmedi\n"
+msgid "importing secret keys not allowed\n"
+msgstr "gizli anahtarı alımına izin verilmez\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "anahtar %s: geçersiz şifreli (%d) gizli anahtar - atlandı\n"
-msgid "importing secret keys not allowed\n"
-msgstr "gizli anahtarı alımına izin verilmez\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "öntanımlı gizli anahtar zinciri yok: %s\n"
diff --git a/po/uk.po b/po/uk.po
index 176ed1f..25ef39f 100644
--- a/po/uk.po
+++ b/po/uk.po
@@ -2099,13 +2099,13 @@ msgstr "ключ %s: «%s» Ñпорожнено %d ідентифікаторі
msgid "key %s: \"%s\" not changed\n"
msgstr "ключ %s: «%s» не змінено\n"
+msgid "importing secret keys not allowed\n"
+msgstr "Ñ–Ð¼Ð¿Ð¾Ñ€Ñ‚ÑƒÐ²Ð°Ð½Ð½Ñ Ð·Ð°ÐºÑ€Ð¸Ñ‚Ð¸Ñ… ключів заборонено\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "ключ %s: закритий ключ з некоректним шифром %d — пропущено\n"
-msgid "importing secret keys not allowed\n"
-msgstr "Ñ–Ð¼Ð¿Ð¾Ñ€Ñ‚ÑƒÐ²Ð°Ð½Ð½Ñ Ð·Ð°ÐºÑ€Ð¸Ñ‚Ð¸Ñ… ключів заборонено\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "немає типового Ñховища закритих ключів: %s\n"
diff --git a/po/zh_CN.po b/po/zh_CN.po
index 8631016..be8f292 100644
--- a/po/zh_CN.po
+++ b/po/zh_CN.po
@@ -1995,13 +1995,13 @@ msgstr "密钥 %s:“%sâ€%d ä¸ªç”¨æˆ·æ ‡è¯†è¢«æ¸…é™¤\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "密钥 %s:“%sâ€æœªæ”¹å˜\n"
+msgid "importing secret keys not allowed\n"
+msgstr "ä¸å…许导入ç§é’¥\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "密钥 %s:ç§é’¥ä½¿ç”¨äº†æ— æ•ˆçš„åŠ å¯†ç®—æ³• %d――已跳过\n"
-msgid "importing secret keys not allowed\n"
-msgstr "ä¸å…许导入ç§é’¥\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "没有默认的ç§é’¥é’¥åŒ™çŽ¯ï¼š %s\n"
diff --git a/po/zh_TW.po b/po/zh_TW.po
index ddd7f46..54a690a 100644
--- a/po/zh_TW.po
+++ b/po/zh_TW.po
@@ -2015,13 +2015,13 @@ msgstr "金鑰 %s: \"%s\" 已清除 %d 個使用者 ID\n"
msgid "key %s: \"%s\" not changed\n"
msgstr "金鑰 %s: \"%s\" 未改變\n"
+msgid "importing secret keys not allowed\n"
+msgstr "未å…許匯入ç§é‘°\n"
+
#, c-format
msgid "key %s: secret key with invalid cipher %d - skipped\n"
msgstr "金鑰 %s: ç§é‘°ä½¿ç”¨äº†ç„¡æ•ˆçš„ %d 編密法 - 已跳éŽ\n"
-msgid "importing secret keys not allowed\n"
-msgstr "未å…許匯入ç§é‘°\n"
-
#, c-format
msgid "no default secret keyring: %s\n"
msgstr "沒有é è¨çš„ç§é‘°é‘°åŒ™åœˆ: %s\n"
commit f5c32bd1c6416c97762d7960c94d6f536e259cfa
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 4 21:01:16 2013 +0200
doc: Update from master.
diff --git a/doc/gpg.texi b/doc/gpg.texi
index d679000..c588d7a 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -252,6 +252,14 @@ signed stuff from STDIN, use @samp{-} as the second filename. For
security reasons a detached signature cannot read the signed material
from STDIN without denoting it in the above way.
+Note: When verifying a cleartext signature, @command{gpg} verifies
+only what makes up the cleartext signed data and not any extra data
+outside of the cleartext signature or header lines following directly
+the dash marker line. The option @code{--output} may be used to write
+out the actual signed data; but there are other pitfalls with this
+format as well. It is suggested to avoid cleartext signatures in
+favor of detached signatures.
+
@item --multifile
@opindex multifile
This modifies certain other commands to accept multiple files for
@@ -926,7 +934,9 @@ behaviour and to change the default configuration.
* GPG Key related Options:: Key related options.
* GPG Input and Output:: Input and Output.
* OpenPGP Options:: OpenPGP protocol specific options.
+* Compliance Options:: Compliance options.
* GPG Esoteric Options:: Doing things one usually don't want to do.
+* Deprecated Options:: Deprecated options.
@end menu
Long options can be put in an options file (default
@@ -1293,9 +1303,7 @@ encoded in the character set as specified by
@option{--display-charset}. These options affect all following
arguments. Both options may be used multiple times.
- at ifset gpgone
- at anchor{option --options}
- at end ifset
+ at anchor{gpg-option --options}
@item --options @code{file}
@opindex options
Read options from @code{file} and do not try to read them from the
@@ -2185,6 +2193,7 @@ meaningful if @option{--s2k-mode} is 3.
@c ***************************
@c ******* Compliance ********
@c ***************************
+ at node Compliance Options
@subsection Compliance options
These options control what GnuPG is compliant to. Only one of these
@@ -2418,7 +2427,7 @@ check. @code{value} may be any printable string; it will be encoded in
UTF8, so you should check that your @option{--display-charset} is set
correctly. If you prefix @code{name} with an exclamation mark (!), the
notation data will be flagged as critical
-(rfc2440:5.2.3.15). @option{--sig-notation} sets a notation for data
+(rfc4880:5.2.3.16). @option{--sig-notation} sets a notation for data
signatures. @option{--cert-notation} sets a notation for key signatures
(certifications). @option{--set-notation} sets both.
@@ -2440,7 +2449,7 @@ meaningful when using the OpenPGP smartcard.
@opindex sig-policy-url
@opindex cert-policy-url
@opindex set-policy-url
-Use @code{string} as a Policy URL for signatures (rfc2440:5.2.3.19). If
+Use @code{string} as a Policy URL for signatures (rfc4880:5.2.3.20). If
you prefix it with an exclamation mark (!), the policy URL packet will
be flagged as critical. @option{--sig-policy-url} sets a policy url for
data signatures. @option{--cert-policy-url} sets a policy url for key
@@ -2611,6 +2620,26 @@ Note that this passphrase is only used if the option @option{--batch}
has also been given. This is different from @command{gpg}.
@end ifclear
+ at ifset gpgtwoone
+ at item --pinentry-mode @code{mode}
+ at opindex pinentry-mode
+Set the pinentry mode to @code{mode}. Allowed values for @code{mode}
+are:
+ at table @asis
+ @item default
+ Use the default of the agent, which is @code{ask}.
+ @item ask
+ Force the use of the Pinentry.
+ @item cancel
+ Emulate use of Pinentry's cancel button.
+ @item error
+ Return a Pinentry error (``No Pinentry'').
+ @item loopback
+ Redirect Pinentry queries to the caller. Note that in contrast to
+ Pinentry the user is not prompted again if he enters a bad password.
+ at end table
+ at end ifset
+
@item --command-fd @code{n}
@opindex command-fd
This is a replacement for the deprecated shared-memory IPC mode.
@@ -2827,6 +2856,7 @@ on the configuration file.
@c *******************************
@c ******* Deprecated ************
@c *******************************
+ at node Deprecated Options
@subsection Deprecated options
@table @gnupgtabopt
@@ -2909,7 +2939,7 @@ current home directory (@pxref{option --homedir}).
This is the standard configuration file read by @command{@gpgname} on
startup. It may contain any valid long option; the leading two dashes
may not be entered and the option may not be abbreviated. This default
- name may be changed on the command line (@pxref{option --options}).
+ name may be changed on the command line (@pxref{gpg-option --options}).
You should backup this file.
@end table
@@ -2972,9 +3002,9 @@ Operation is further controlled by a few environment variables:
@item GPG_AGENT_INFO
Used to locate the gpg-agent.
- @ifset gpgone
+ at ifset gpgone
This is only honored when @option{--use-agent} is set.
- @end ifset
+ at end ifset
The value consists of 3 colon delimited fields: The first is the path
to the Unix Domain Socket, the second the PID of the gpg-agent and the
protocol version which should be set to 1. When starting the gpg-agent
@@ -3149,8 +3179,8 @@ are almost always required for this.
@end menu
- at node Unattended GPG key generation,,,Unattended Usage of GPG
- at section Unattended key generation
+ at node Unattended GPG key generation
+ at subsection Unattended key generation
The command @option{--gen-key} may be used along with the option
@option{--batch} for unattended key generation. The parameters are
@@ -3290,21 +3320,23 @@ If you don't give any of them, no user ID is created.
@item Expire-Date: @var{iso-date}|(@var{number}[d|w|m|y])
Set the expiration date for the key (and the subkey). It may either
-be entered in ISO date format (2000-08-15) or as number of days,
-weeks, month or years. The special notation "seconds=N" is also
-allowed to directly give an Epoch value. Without a letter days are
-assumed. Note that there is no check done on the overflow of the type
-used by OpenPGP for timestamps. Thus you better make sure that the
-given value make sense. Although OpenPGP works with time intervals,
-GnuPG uses an absolute value internally and thus the last year we can
-represent is 2105.
+be entered in ISO date format (e.g. "20000815T145012") or as number of
+days, weeks, month or years after the creation date. The special
+notation "seconds=N" is also allowed to specify a number of seconds
+since creation. Without a letter days are assumed. Note that there
+is no check done on the overflow of the type used by OpenPGP for
+timestamps. Thus you better make sure that the given value make
+sense. Although OpenPGP works with time intervals, GnuPG uses an
+absolute value internally and thus the last year we can represent is
+2105.
@item Ceation-Date: @var{iso-date}
Set the creation date of the key as stored in the key information and
which is also part of the fingerprint calculation. Either a date like
"1986-04-26" or a full timestamp like "19860426T042640" may be used.
-The time is considered to be UTC. If it is not given the current time
-is used.
+The time is considered to be UTC. The special notation "seconds=N"
+may be used to directly specify a the number of seconds since Epoch
+(Unix time). If it is not given the current time is used.
@item Preferences: @var{string}
Set the cipher, hash, and compression preference values for this key.
diff --git a/doc/gpgv.texi b/doc/gpgv.texi
index b6047f4..0cb2360 100644
--- a/doc/gpgv.texi
+++ b/doc/gpgv.texi
@@ -62,10 +62,15 @@ the public keys used to make the signature are valid. There are
no configuration files and only a few options are implemented.
@code{@gpgvname} assumes that all keys in the keyring are trustworthy.
-By default it uses a keyring named @file{trustedkeys.gpg} which is
-assumed to be in the home directory as defined by GnuPG or set by an
-option or an environment variable. An option may be used to specify
-another keyring or even multiple keyrings.
+That does also mean that it does not check for expired or revoked
+keys.
+
+By default a keyring named @file{trustedkeys.gpg} is used. This
+default keyring is assumed to be in the home directory of GnuPG,
+either the default home directory or the one set by an option or an
+environment variable. The option @code{--keyring} may be used to
+specify a different keyring or even multiple keyrings.
+
@noindent
@mansect options
diff --git a/doc/opt-homedir.texi b/doc/opt-homedir.texi
index e382f63..033a901 100644
--- a/doc/opt-homedir.texi
+++ b/doc/opt-homedir.texi
@@ -5,6 +5,18 @@ Set the name of the home directory to @var{dir}. If this option is not
used, the home directory defaults to @file{~/.gnupg}. It is only
recognized when given on the command line. It also overrides any home
directory stated through the environment variable @env{GNUPGHOME} or
-(on W32 systems) by means of the Registry entry
+(on Windows systems) by means of the Registry entry
@var{HKCU\Software\GNU\GnuPG:HomeDir}.
+On Windows systems it is possible to install GnuPG as a portable
+application. In this case only this command line option is
+considered, all other ways to set a home directory are ignored.
+
+To install GnuPG as a portable application under Windows, create an
+empty file name @file{gpgconf.ctl} in the same directory as the tool
+ at file{gpgconf.exe}. The root of the installation is than that
+directory; or, if @file{gpgconf.exe} has been installed directly below
+a directory named @file{bin}, its parent directory. You also need to
+make sure that the following directories exist and are writable:
+ at file{ROOT/home} for the GnuPG home and @file{ROOT/var/cache/gnupg}
+for internal cache files.
commit 4a06d9a600def07fdcbb9a6a9500776767d3c2f4
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 4 18:34:56 2013 +0200
gpg: Print a "not found" message for an unknown key in --key-edit.
* g10/keyedit.c (keyedit_menu): Print message.
--
GnuPG-bug-id: 1420
Signed-off-by: Werner Koch <wk at gnupg.org>
(cherry picked from commit 0bf54e60d31389812d05c3fd29bece876204561d)
diff --git a/g10/keyedit.c b/g10/keyedit.c
index c47fd0f..afc5ff4 100644
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@@ -1533,7 +1533,11 @@ keyedit_menu( const char *username, STRLIST locusr,
/* Get the public key */
rc = get_pubkey_byname (NULL, username, &keyblock, &kdbhd, 1);
if( rc )
+ {
+ log_error (_("key \"%s\" not found: %s\n"), username, g10_errstr (rc));
goto leave;
+ }
+
if( fix_keyblock( keyblock ) )
modified++;
if( collapse_uids( &keyblock ) )
commit d74dd36c11f1643bd92efb50714e2448cdb885d0
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 4 13:44:39 2013 +0200
gpg: Protect against rogue keyservers sending secret keys.
* g10/options.h (IMPORT_NO_SECKEY): New.
* g10/keyserver.c (keyserver_spawn, keyserver_import_cert): Set new
flag.
* g10/import.c (import_secret_one): Deny import if flag is set.
--
By modifying a keyserver or a DNS record to send a secret key, an
attacker could trick a user into signing using a different key and
user id. The trust model should protect against such rogue keys but
we better make sure that secret keys are never received from remote
sources.
Suggested-by: Stefan Tomanek
Signed-off-by: Werner Koch <wk at gnupg.org>
(cherry picked from commit e7abed3448c1c1a4e756c12f95b665b517d22ebe)
Resolved conflicts:
g10/options.h
diff --git a/g10/import.c b/g10/import.c
index 90fc2d6..441dcca 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1175,6 +1175,12 @@ import_secret_one( const char *fname, KBNODE keyblock,
}
stats->secret_read++;
+ if ((options & IMPORT_NO_SECKEY))
+ {
+ log_error (_("importing secret keys not allowed\n"));
+ return 0;
+ }
+
if( !uidnode )
{
log_error( _("key %s: no user ID\n"), keystr_from_sk(sk));
diff --git a/g10/keyserver.c b/g10/keyserver.c
index 1eadff1..7bf9830 100644
--- a/g10/keyserver.c
+++ b/g10/keyserver.c
@@ -1503,10 +1503,14 @@ keyserver_spawn(enum ks_action action,STRLIST list,KEYDB_SEARCH_DESC *desc,
It's harmless to ignore them, but ignoring them does make
gpg complain about "no valid OpenPGP data found". One
way to do this could be to continue parsing this
- line-by-line and make a temp iobuf for each key. */
+ line-by-line and make a temp iobuf for each key. Note
+ that we don't allow the import of secret keys from a
+ keyserver. Keyservers should never accept or send them
+ but we better protect against rogue keyservers. */
- import_keys_stream(spawn->fromchild,stats_handle,fpr,fpr_len,
- opt.keyserver_options.import_options);
+ import_keys_stream (spawn->fromchild, stats_handle, fpr, fpr_len,
+ (opt.keyserver_options.import_options
+ | IMPORT_NO_SECKEY));
import_print_stats(stats_handle);
import_release_stats_handle(stats_handle);
@@ -2037,8 +2041,9 @@ keyserver_import_cert(const char *name,unsigned char **fpr,size_t *fpr_len)
/* CERTs are always in binary format */
opt.no_armor=1;
- rc=import_keys_stream(key,NULL,fpr,fpr_len,
- opt.keyserver_options.import_options);
+ rc=import_keys_stream (key, NULL, fpr, fpr_len,
+ (opt.keyserver_options.import_options
+ | IMPORT_NO_SECKEY));
opt.no_armor=armor_status;
diff --git a/g10/options.h b/g10/options.h
index cac1c4c..de4a2e2 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -30,7 +30,7 @@
#if defined (__riscos__) && !defined (INCLUDED_BY_MAIN_MODULE)
#define EXTERN_UNLESS_MAIN_MODULE extern
#else
-#define EXTERN_UNLESS_MAIN_MODULE
+#define EXTERN_UNLESS_MAIN_MODULE
#endif
#endif
@@ -86,7 +86,7 @@ struct
const char *homedir;
char *display; /* 5 options to be passed to the gpg-agent */
- char *ttyname;
+ char *ttyname;
char *ttytype;
char *lc_ctype;
char *lc_messages;
@@ -208,7 +208,7 @@ struct
/* If > 0, limit the number of card insertion prompts to this
value. */
- int limit_card_insert_tries;
+ int limit_card_insert_tries;
#ifdef ENABLE_CARD_SUPPORT
const char *ctapi_driver; /* Library to access the ctAPI. */
@@ -293,6 +293,7 @@ struct {
#define IMPORT_MERGE_ONLY (1<<4)
#define IMPORT_MINIMAL (1<<5)
#define IMPORT_CLEAN (1<<6)
+#define IMPORT_NO_SECKEY (1<<7)
#define EXPORT_LOCAL_SIGS (1<<0)
#define EXPORT_ATTRIBUTES (1<<1)
commit fe0fb5e6b0bb351eb6244e290e112a22a68472d8
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Tue Mar 19 11:25:25 2013 -0400
gpg: Allow setting of all zero key flags
* g10/keygen.c (do_add_key_flags): Do not check for empty key flags.
(cherry picked from commit b693ec02c467696bf9d7324dd081e279f9965151)
(cherry picked from commit dd868acb0d13a9f119c0536777350a6c237a66a1)
diff --git a/g10/keygen.c b/g10/keygen.c
index 8353f36..b84dd0b 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -210,9 +210,6 @@ do_add_key_flags (PKT_signature *sig, unsigned int use)
if (use & PUBKEY_USAGE_AUTH)
buf[0] |= 0x20;
- if (!buf[0])
- return;
-
build_sig_subpkt (sig, SIGSUBPKT_KEY_FLAGS, buf, 1);
}
commit 27d0f32f77fbef59ddf7c6d79b5b4adee6b2e6ac
Author: Werner Koch <wk at gnupg.org>
Date: Fri Mar 15 15:46:03 2013 +0100
gpg: Distinguish between missing and cleared key flags.
* include/cipher.h (PUBKEY_USAGE_NONE): New.
* g10/getkey.c (parse_key_usage): Set new flag.
--
We do not want to use the default capabilities (derived from the
algorithm) if any key flags are given in a signature. Thus if key
flags are used in any way, the default key capabilities are never
used.
This allows to create a key with key flags set to all zero so it can't
be used. This better reflects common sense.
(cherry picked from commit 4bde12206c5bf199dc6e12a74af8da4558ba41bf)
(cherry picked from commit 0a805ed1604ef3e9b27f3e22a936a2d439300e9f)
Resolved conflicts:
include/cipher.h
diff --git a/g10/getkey.c b/g10/getkey.c
index 5440c29..3c953d6 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -1494,13 +1494,19 @@ parse_key_usage(PKT_signature *sig)
if(flags)
key_usage |= PUBKEY_USAGE_UNKNOWN;
+
+ if (!key_usage)
+ key_usage |= PUBKEY_USAGE_NONE;
}
+ else if (p) /* Key flags of length zero. */
+ key_usage |= PUBKEY_USAGE_NONE;
/* We set PUBKEY_USAGE_UNKNOWN to indicate that this key has a
capability that we do not handle. This serves to distinguish
between a zero key usage which we handle as the default
capabilities for that algorithm, and a usage that we do not
- handle. */
+ handle. Likewise we use PUBKEY_USAGE_NONE to indicate that
+ key_flags have been given but they do not specify any usage. */
return key_usage;
}
diff --git a/include/cipher.h b/include/cipher.h
index a69c6b3..dcc3045 100644
--- a/include/cipher.h
+++ b/include/cipher.h
@@ -58,6 +58,7 @@
#define PUBKEY_USAGE_CERT 4 /* key is also good to certify other keys*/
#define PUBKEY_USAGE_AUTH 8 /* key is good for authentication */
#define PUBKEY_USAGE_UNKNOWN 128 /* key has an unknown usage bit */
+#define PUBKEY_USAGE_NONE 256 /* No usage given. */
#define DIGEST_ALGO_MD5 1
#define DIGEST_ALGO_SHA1 2
commit 69088ac76fd4b9f303edf3c1453088dda8596399
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 4 08:28:12 2013 +0200
keyserver: Allow use of cURL's default CA store.
* keyserver/gpgkeys_curl.c (main): Set CURLOPT_CAINFO only if a file
has been given.
* keyserver/gpgkeys_hkp.c (main): Ditto.
--
GnuPG-bug-id: 1542
Signed-off-by: Werner Koch <wk at gnupg.org>
(cherry picked from commit e957b9b3f408491f36660499b215aebcf2633a95)
diff --git a/keyserver/gpgkeys_curl.c b/keyserver/gpgkeys_curl.c
index 5853f2c..55aee68 100644
--- a/keyserver/gpgkeys_curl.c
+++ b/keyserver/gpgkeys_curl.c
@@ -100,7 +100,7 @@ get_key(char *getkey)
return curl_err_to_gpg_err(res);
}
-static void
+static void
show_help (FILE *fp)
{
fprintf (fp,"-h, --help\thelp\n");
@@ -305,7 +305,8 @@ main(int argc,char *argv[])
}
curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
- curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
+ if (opt->ca_cert_file)
+ curl_easy_setopt (curl, CURLOPT_CAINFO, opt->ca_cert_file);
/* Avoid caches to get the most recent copy of the key. This is bug
#1061. In pre-curl versions of the code, we didn't do it. Then
diff --git a/keyserver/gpgkeys_hkp.c b/keyserver/gpgkeys_hkp.c
index 309e728..f45958e 100644
--- a/keyserver/gpgkeys_hkp.c
+++ b/keyserver/gpgkeys_hkp.c
@@ -921,7 +921,8 @@ main(int argc,char *argv[])
curl_easy_setopt(curl,CURLOPT_USERPWD,opt->auth);
curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,(long)opt->flags.check_cert);
- curl_easy_setopt(curl,CURLOPT_CAINFO,opt->ca_cert_file);
+ if (opt->ca_cert_file)
+ curl_easy_setopt (curl, CURLOPT_CAINFO, opt->ca_cert_file);
/* Avoid caches to get the most recent copy of the key. This is bug
#1061. In pre-curl versions of the code, we didn't do it. Then
commit f10b184e48015f30849d7611bd9654ed23b91211
Author: Werner Koch <wk at gnupg.org>
Date: Fri Oct 4 08:20:49 2013 +0200
gpg: Limit the nesting level of I/O filters.
* until/iobuf.c (MAX_NESTING_FILTER): New.
(iobuf_push_filter2): Limit the nesting level.
--
This is a more general fix for the nested compression packet bug. In
particular this helps g10/import.c:read_block to stop pushing
compression filters onto an iobuf stream.
Signed-off-by: Werner Koch <wk at gnupg.org>
diff --git a/util/iobuf.c b/util/iobuf.c
index 384b966..35de020 100644
--- a/util/iobuf.c
+++ b/util/iobuf.c
@@ -27,7 +27,7 @@
#include <assert.h>
#include <sys/types.h>
#include <sys/stat.h>
-#include <fcntl.h>
+#include <fcntl.h>
#include <unistd.h>
#ifdef HAVE_DOSISH_SYSTEM
#include <windows.h>
@@ -41,13 +41,13 @@
#include "util.h"
#include "dynload.h"
#include "iobuf.h"
-
+
#ifdef __VMS
# include "vms.h"
# define open open_vms
#endif /* def __VMS */
-/* The size of the internal buffers.
+/* The size of the internal buffers.
NOTE: If you change this value you MUST also adjust the regression
test "armored_key_8192" and "nopad_armored_msg" in armor.test! */
#define IOBUF_BUFFER_SIZE 8192
@@ -55,6 +55,11 @@
#undef FILE_FILTER_USES_STDIO
+/* To avoid a potential DoS with compression packets we better limit
+ the number of filters in a chain. */
+#define MAX_NESTING_FILTER 64
+
+
#ifdef HAVE_DOSISH_SYSTEM
#define USE_SETMODE 1
#endif
@@ -76,8 +81,8 @@ typedef struct {
} file_filter_ctx_t ;
#else
#define my_fileno(a) (a)
-#define my_fopen_ro(a,b) fd_cache_open ((a),(b))
-#define my_fopen(a,b) direct_open ((a),(b))
+#define my_fopen_ro(a,b) fd_cache_open ((a),(b))
+#define my_fopen(a,b) direct_open ((a),(b))
#ifdef HAVE_DOSISH_SYSTEM
typedef HANDLE FILEP_OR_FD;
#define INVALID_FP ((HANDLE)-1)
@@ -99,7 +104,7 @@ typedef struct {
char fname[1]; /* name of the file */
} file_filter_ctx_t ;
- struct close_cache_s {
+ struct close_cache_s {
struct close_cache_s *next;
FILEP_OR_FD fp;
char fname[1];
@@ -153,7 +158,7 @@ fd_cache_strcmp (const char *a, const char *b)
#ifdef HAVE_DOSISH_SYSTEM
for (; *a && *b; a++, b++)
{
- if (*a != *b && !((*a == '/' && *b == '\\')
+ if (*a != *b && !((*a == '/' && *b == '\\')
|| (*a == '\\' && *b == '/')) )
break;
}
@@ -295,7 +300,7 @@ direct_open (const char *fname, const char *mode)
{
struct stat buf;
int rc = stat( fname, &buf );
-
+
/* Don't allow iobufs on directories */
if( !rc && S_ISDIR(buf.st_mode) && !S_ISREG(buf.st_mode) )
return __set_errno( EISDIR );
@@ -308,7 +313,7 @@ direct_open (const char *fname, const char *mode)
/*
- * Instead of closing an FD we keep it open and cache it for later reuse
+ * Instead of closing an FD we keep it open and cache it for later reuse
* Note that this caching strategy only works if the process does not chdir.
*/
static void
@@ -471,8 +476,8 @@ file_filter(void *opaque, int control, IOBUF chain, byte *buf, size_t *ret_len)
if( control == IOBUFCTRL_UNDERFLOW ) {
assert( size ); /* need a buffer */
if ( a->eof_seen) {
- rc = -1;
- *ret_len = 0;
+ rc = -1;
+ *ret_len = 0;
}
else {
#ifdef HAVE_DOSISH_SYSTEM
@@ -606,8 +611,8 @@ sock_filter (void *opaque, int control, IOBUF chain, byte *buf, size_t *ret_len)
if( control == IOBUFCTRL_UNDERFLOW ) {
assert( size ); /* need a buffer */
if ( a->eof_seen) {
- rc = -1;
- *ret_len = 0;
+ rc = -1;
+ *ret_len = 0;
}
else {
int nread;
@@ -1076,7 +1081,7 @@ check_special_filename ( const char *fname )
fname += 2;
for (i=0; digitp (fname+i); i++ )
;
- if ( !fname[i] )
+ if ( !fname[i] )
return atoi (fname);
}
return -1;
@@ -1189,7 +1194,7 @@ iobuf_sockopen ( int fd, const char *mode )
sock_filter( scx, IOBUFCTRL_INIT, NULL, NULL, &len );
if( DBG_IOBUF )
log_debug("iobuf-%d.%d: sockopen `%s'\n", a->no, a->subno, scx->fname);
- iobuf_ioctl (a,3,1,NULL); /* disable fd caching */
+ iobuf_ioctl (a,3,1,NULL); /* disable fd caching */
#else
a = iobuf_fdopen (fd, mode);
#endif
@@ -1233,7 +1238,7 @@ iobuf_create( const char *fname )
file_filter( fcx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
file_filter( fcx, IOBUFCTRL_INIT, NULL, NULL, &len );
if( DBG_IOBUF )
- log_debug("iobuf-%d.%d: create `%s'\n", a->no, a->subno,
+ log_debug("iobuf-%d.%d: create `%s'\n", a->no, a->subno,
a->desc?a->desc:"?" );
return a;
@@ -1267,7 +1272,7 @@ iobuf_append( const char *fname )
file_filter( fcx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
file_filter( fcx, IOBUFCTRL_INIT, NULL, NULL, &len );
if( DBG_IOBUF )
- log_debug("iobuf-%d.%d: append `%s'\n", a->no, a->subno,
+ log_debug("iobuf-%d.%d: append `%s'\n", a->no, a->subno,
a->desc?a->desc:"?" );
return a;
@@ -1296,7 +1301,7 @@ iobuf_openrw( const char *fname )
file_filter( fcx, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &len );
file_filter( fcx, IOBUFCTRL_INIT, NULL, NULL, &len );
if( DBG_IOBUF )
- log_debug("iobuf-%d.%d: openrw `%s'\n", a->no, a->subno,
+ log_debug("iobuf-%d.%d: openrw `%s'\n", a->no, a->subno,
a->desc?a->desc:"?");
return a;
@@ -1309,7 +1314,7 @@ iobuf_ioctl ( IOBUF a, int cmd, int intval, void *ptrval )
if ( cmd == 1 ) { /* keep system filepointer/descriptor open */
if( DBG_IOBUF )
log_debug("iobuf-%d.%d: ioctl `%s' keep=%d\n",
- a? a->no:-1, a?a->subno:-1,
+ a? a->no:-1, a?a->subno:-1,
a&&a->desc?a->desc:"?", intval );
for( ; a; a = a->chain )
if( !a->chain && a->filter == file_filter ) {
@@ -1339,7 +1344,7 @@ iobuf_ioctl ( IOBUF a, int cmd, int intval, void *ptrval )
else if ( cmd == 3 ) { /* disallow/allow caching */
if( DBG_IOBUF )
log_debug("iobuf-%d.%d: ioctl `%s' no_cache=%d\n",
- a? a->no:-1, a?a->subno:-1,
+ a? a->no:-1, a?a->subno:-1,
a&&a->desc?a->desc:"?", intval );
for( ; a; a = a->chain )
if( !a->chain && a->filter == file_filter ) {
@@ -1403,6 +1408,12 @@ iobuf_push_filter2( IOBUF a,
if( a->use == 2 && (rc=iobuf_flush(a)) )
return rc;
+
+ if (a->subno >= MAX_NESTING_FILTER) {
+ log_error ("i/o filter too deeply nested - corrupted data?\n");
+ return G10ERR_UNEXPECTED;
+ }
+
/* make a copy of the current stream, so that
* A is the new stream and B the original one.
* The contents of the buffers are transferred to the
@@ -1449,7 +1460,7 @@ iobuf_push_filter2( IOBUF a,
f( ov, IOBUFCTRL_DESC, NULL, (byte*)&a->desc, &dummy_len );
if( DBG_IOBUF ) {
- log_debug("iobuf-%d.%d: push `%s'\n", a->no, a->subno,
+ log_debug("iobuf-%d.%d: push `%s'\n", a->no, a->subno,
a->desc?a->desc:"?" );
print_chain( a );
}
@@ -1921,7 +1932,7 @@ iobuf_get_filelength (IOBUF a, int *overflow )
if (overflow)
*overflow = 0;
- if (a->directfp)
+ if (a->directfp)
{
FILE *fp = a->directfp;
@@ -1949,14 +1960,14 @@ iobuf_get_filelength (IOBUF a, int *overflow )
#if defined(HAVE_DOSISH_SYSTEM) && !defined(FILE_FILTER_USES_STDIO)
ulong size;
- static int (* __stdcall get_file_size_ex)
+ static int (* __stdcall get_file_size_ex)
(void *handle, LARGE_INTEGER *size);
static int get_file_size_ex_initialized;
if (!get_file_size_ex_initialized)
{
void *handle;
-
+
handle = dlopen ("kernel32.dll", RTLD_LAZY);
if (handle)
{
@@ -1974,14 +1985,14 @@ iobuf_get_filelength (IOBUF a, int *overflow )
return a proper error in case a file is larger than
4GB. */
LARGE_INTEGER size;
-
+
if (get_file_size_ex (fp, &size))
{
if (!size.u.HighPart)
return size.u.LowPart;
if (overflow)
*overflow = 1;
- return 0;
+ return 0;
}
}
else
@@ -2007,7 +2018,7 @@ iobuf_get_filelength (IOBUF a, int *overflow )
/* Return the file descriptor of the underlying file or -1 if it is
not available. */
-int
+int
iobuf_get_fd (IOBUF a)
{
if (a->directfp)
@@ -2260,7 +2271,7 @@ iobuf_translate_file_handle ( int fd, int for_write )
#ifdef _WIN32
{
int x;
-
+
if ( fd <= 2 )
return fd; /* do not do this for error, stdin, stdout, stderr */
@@ -2281,17 +2292,17 @@ static int
translate_file_handle ( int fd, int for_write )
{
#ifdef _WIN32
-#ifdef FILE_FILTER_USES_STDIO
+#ifdef FILE_FILTER_USES_STDIO
fd = iobuf_translate_file_handle (fd, for_write);
#else
{
int x;
- if ( fd == 0 )
+ if ( fd == 0 )
x = (int)GetStdHandle (STD_INPUT_HANDLE);
- else if (fd == 1)
+ else if (fd == 1)
x = (int)GetStdHandle (STD_OUTPUT_HANDLE);
- else if (fd == 2)
+ else if (fd == 2)
x = (int)GetStdHandle (STD_ERROR_HANDLE);
else
x = fd;
-----------------------------------------------------------------------
Summary of changes:
NEWS | 16 ++++++++-
configure.ac | 2 +-
doc/gpg.texi | 72 ++++++++++++++++++++++++++++++++------------
doc/gpgv.texi | 13 +++++--
doc/opt-homedir.texi | 14 ++++++++-
g10/getkey.c | 8 ++++-
g10/import.c | 6 ++++
g10/keyedit.c | 4 ++
g10/keygen.c | 3 --
g10/keyserver.c | 15 ++++++---
g10/options.h | 7 ++--
include/cipher.h | 1 +
keyserver/gpgkeys_curl.c | 5 ++-
keyserver/gpgkeys_hkp.c | 3 +-
po/be.po | 8 ++--
po/ca.po | 8 ++--
po/cs.po | 6 ++--
po/da.po | 6 ++--
po/de.po | 6 ++--
po/el.po | 8 ++--
po/eo.po | 8 ++--
po/es.po | 6 ++--
po/et.po | 8 ++--
po/fi.po | 8 ++--
po/fr.po | 6 ++--
po/gl.po | 8 ++--
po/hu.po | 8 ++--
po/id.po | 8 ++--
po/it.po | 8 ++--
po/ja.po | 6 ++--
po/nb.po | 6 ++--
po/nl.po | 6 ++--
po/pl.po | 6 ++--
po/pt.po | 8 ++--
po/pt_BR.po | 8 ++--
po/ro.po | 6 ++--
po/ru.po | 6 ++--
po/sk.po | 8 ++--
po/sv.po | 6 ++--
po/tr.po | 6 ++--
po/uk.po | 6 ++--
po/zh_CN.po | 6 ++--
po/zh_TW.po | 6 ++--
util/iobuf.c | 75 ++++++++++++++++++++++++++-------------------
44 files changed, 269 insertions(+), 175 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org
More information about the Gnupg-commits
mailing list