[git] GnuPG - branch, master, updated. gnupg-2.1.15-301-g8fced66

by Werner Koch cvs at cvs.gnupg.org
Thu Oct 27 20:01:10 CEST 2016


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, master has been updated
       via  8fced66be35db5ac2a6bfdb9bccb2c0e582d8256 (commit)
       via  ece9ade4b44fb3d5d120cfd32b23632e5efd2134 (commit)
      from  8ea72a776a88f3c851e812d258355be80caa1bc1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 8fced66be35db5ac2a6bfdb9bccb2c0e582d8256
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Oct 27 19:51:56 2016 +0200

    gpg: Verify multiple detached signatures with different hash algos.
    
    * g10/mainproc.c (proc_tree): Loosen check.  Enable all algos.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/g10/mainproc.c b/g10/mainproc.c
index 5dc7c33..ce4c595 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -2359,11 +2359,16 @@ proc_tree (CTX c, kbnode_t node)
           for (; n1; (n1 = find_next_kbnode(n1, PKT_SIGNATURE)))
             {
               /* We can't currently handle multiple signatures of
-                 different classes or digests (we'd pretty much have
-                 to run a different hash context for each), but if
-                 they are all the same, make an exception. */
+               * different classes (we'd pretty much have to run a
+               * different hash context for each), but if they are all
+               * the same and it is detached signature, we make an
+               * exception.  Note that the old code also disallowed
+               * multiple signatures if the digest algorithms are
+               * different.  We softened this restriction only for
+               * detached signatures, to be on the safe side. */
               if (n1->pkt->pkt.signature->sig_class != class
-                  || n1->pkt->pkt.signature->digest_algo != hash)
+                  || (c->any.data
+                      && n1->pkt->pkt.signature->digest_algo != hash))
                 {
                   multiple_ok = 0;
                   log_info (_("WARNING: multiple signatures detected.  "
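Review bot: The relaxed test `(c->any.data && n1->pkt->pkt.signature->digest_algo != hash)` only makes sense if the reader knows that a set `c->any.data` means data was already seen in the stream, i.e. the signature is presumably not detached; nothing in the hunk says so. I would add a line above the digest test such as `/* c->any.data is set for non-detached data; only then must all digest algos match. */` and correct the wording to "it is a detached signature". This condition decides whether signatures with differing digest algorithms are processed at all, so its intent should be readable at the check itself. The loop and the body of proc_tree extend outside the hunk.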
@@ -2385,6 +2390,17 @@ proc_tree (CTX c, kbnode_t node)
           if (rc)
             goto detached_hash_err;
 
+          if (multiple_ok)
+            {
+              /* If we have and want to handle multiple signatures we
+               * need to enable all hash algorithms for the context.  */
+              for (n1 = node; (n1 = find_next_kbnode (n1, PKT_SIGNATURE)); )
+                if (!openpgp_md_test_algo (n1->pkt->pkt.signature->digest_algo))
+                  gcry_md_enable (c->mfx.md,
+                                  map_md_openpgp_to_gcry
+                                  (n1->pkt->pkt.signature->digest_algo));
+            }
+
           if (RFC2440 || RFC4880)
             ; /* Strict RFC mode.  */
           else if (sig->digest_algo == DIGEST_ALGO_SHA1
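Review bot: The result of `gcry_md_enable` in the added loop is discarded, whereas the `if (rc) goto detached_hash_err;` just above it and the `gcry_md_open` call in the pgp5 workaround below both treat a failure as fatal. If enabling a digest fails, the context is left without that algorithm and the corresponding signature will presumably fail later with a less specific error; brace the `if` body and write `rc = gcry_md_enable (...); if (rc) goto detached_hash_err;`. Signatures whose algorithm does not pass `openpgp_md_test_algo` are also skipped without any message, so a short comment stating that they are expected to be rejected at verification time would help. The body of proc_tree continues outside the hunk.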
@@ -2392,7 +2408,9 @@ proc_tree (CTX c, kbnode_t node)
                    && sig->sig_class == 0x01)
             {
               /* Enable a workaround for a pgp5 bug when the detached
-               * signature has been created in textmode.  */
+               * signature has been created in textmode.  Note that we
+               * do not implement this for multiple signatures with
+               * different hash algorithms. */
               rc = gcry_md_open (&c->mfx.md2, sig->digest_algo, 0);
               if (rc)
                 goto detached_hash_err;

commit ece9ade4b44fb3d5d120cfd32b23632e5efd2134
Author: Werner Koch <wk at gnupg.org>
Date:   Thu Oct 27 11:45:01 2016 +0200

    common: Add GNUPG_MODULE_NAME_GPGV.
    
    * common/util.h (GNUPG_MODULE_NAME_GPGV): New.
    * common/homedir.c (gnupg_module_name): Implement.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/common/homedir.c b/common/homedir.c
index 574561a..13ed44c 100644
--- a/common/homedir.c
+++ b/common/homedir.c
@@ -953,6 +953,13 @@ gnupg_module_name (int which)
       X(bindir, GPG_NAME);
 #endif
 
+    case GNUPG_MODULE_NAME_GPGV:
+#if USE_GPG2_HACK
+      X(bindir, GPG_NAME "v2");
+#else
+      X(bindir, GPG_NAME "v");
+#endif
+
     case GNUPG_MODULE_NAME_CONNECT_AGENT:
       X(bindir, "gpg-connect-agent");
 
diff --git a/common/util.h b/common/util.h
index f293234..8a6732f 100644
--- a/common/util.h
+++ b/common/util.h
@@ -244,6 +244,7 @@ char *_gnupg_socketdir_internal (int skip_checks, unsigned *r_info);
 #define GNUPG_MODULE_NAME_CONNECT_AGENT 9
 #define GNUPG_MODULE_NAME_GPGCONF       10
 #define GNUPG_MODULE_NAME_DIRMNGR_LDAP  11
+#define GNUPG_MODULE_NAME_GPGV          12
 const char *gnupg_module_name (int which);
 void gnupg_module_name_flush_some (void);
 

-----------------------------------------------------------------------

Summary of changes:
 common/homedir.c |  7 +++++++
 common/util.h    |  1 +
 g10/mainproc.c   | 28 +++++++++++++++++++++++-----
 3 files changed, 31 insertions(+), 5 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org



