[Pkg-gnupg-commit] [gnupg2] 01/05: more upstream fixes (Closes: #854359)
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Apr 26 07:11:12 UTC 2017
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch master
in repository gnupg2.
commit 699fe5945ef2d7c769180f767ab3bc1449231782
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Tue Apr 25 23:26:25 2017 -0400
more upstream fixes (Closes: #854359)
---
...x-aliases-list-key-list-sig-and-check-sig.patch | 66 ++++++
...mon-Make-sure-that-all-fd-given-are-valid.patch | 226 +++++++++++++++++++++
...d-warning-about-implicit-declaration-of-g.patch | 36 ++++
...ory-leak-in-the-error-case-of-signature-c.patch | 51 +++++
...nt-a-warning-if-no-command-has-been-given.patch | 32 +++
...-ENOENT-warning-with-change-options-et-al.patch | 40 ++++
...a-DNS-lookup-even-if-it-is-missing-from-n.patch | 60 ++++++
...e-export-ssh-key-work-for-the-primary-key.patch | 162 +++++++++++++++
...mngr-Avoid-PTR-lookup-for-hosts-in-a-pool.patch | 71 +++++++
debian/patches/series | 9 +
10 files changed, 753 insertions(+)
diff --git a/debian/patches/0031-gpg-Fix-aliases-list-key-list-sig-and-check-sig.patch b/debian/patches/0031-gpg-Fix-aliases-list-key-list-sig-and-check-sig.patch
new file mode 100644
index 0000000..e22f218
--- /dev/null
+++ b/debian/patches/0031-gpg-Fix-aliases-list-key-list-sig-and-check-sig.patch
@@ -0,0 +1,66 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Sat, 4 Feb 2017 01:23:32 -0500
+Subject: gpg: Fix aliases --list-key, --list-sig, and --check-sig.
+
+* g10/gpg.c (opts): Define commands with ARGPARSE_c
+instead of ARGPARSE_s_n.
+
+--
+
+These three entries are commands, but they're being treated as a
+string-based option for some reason. However, if you try to use them
+concurrently with another command like --clearsign, you'll get "gpg:
+conflicting commands".
+
+Furthermore, because they're marked as options, their flags differ
+from the commands that they alias, they cause ambiguity in
+abbreviation (e.g. try "gpg --list-ke") which should have been fixed
+by 7249ab0f95d1f6cb8ee61eefedc79801bb56398f.
+
+Marking them explicitly as commands for argparse should be more
+accurate and should resolve the abbreviation ambiguity issue.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+gpg: fix aliases --list-key, --list-sig, and --check-sig.
+
+* g10/gpg.c: ARGPARSE_OPTS opts[]: define commands with ARGPARSE_c
+instead of ARGPARSE_s_n.
+
+--
+
+These three entries are commands, but they're being treated as a
+string-based option for some reason. However, if you try to use them
+concurrently with another command like --clearsign, you'll get "gpg:
+conflicting commands".
+
+Furthermore, because they're marked as options, their flags differ
+from the commands that they alias, they cause ambiguity in
+abbreviation (e.g. try "gpg --list-ke") which should have been fixed
+by 7249ab0f95d1f6cb8ee61eefedc79801bb56398f.
+
+Marking them explicitly as commands for argparse should be more
+accurate and should resolve the abbreviation ambiguity issue.
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+(cherry picked from commit f31120a5aa40b6e4e89d41d1d5d34e0f7da173b4)
+---
+ g10/gpg.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index f9039ae..e280c22 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -728,9 +728,9 @@ static ARGPARSE_OPTS opts[] = {
+ ARGPARSE_s_n (oWithKeyData,"with-key-data", "@"),
+ ARGPARSE_s_n (oWithSigList,"with-sig-list", "@"),
+ ARGPARSE_s_n (oWithSigCheck,"with-sig-check", "@"),
+- ARGPARSE_s_n (aListKeys, "list-key", "@"), /* alias */
+- ARGPARSE_s_n (aListSigs, "list-sig", "@"), /* alias */
+- ARGPARSE_s_n (aCheckKeys, "check-sig", "@"), /* alias */
++ ARGPARSE_c (aListKeys, "list-key", "@"), /* alias */
++ ARGPARSE_c (aListSigs, "list-sig", "@"), /* alias */
++ ARGPARSE_c (aCheckKeys, "check-sig", "@"), /* alias */
+ ARGPARSE_s_n (oSkipVerify, "skip-verify", "@"),
+ ARGPARSE_s_n (oSkipHiddenRecipients, "skip-hidden-recipients", "@"),
+ ARGPARSE_s_n (oNoSkipHiddenRecipients, "no-skip-hidden-recipients", "@"),
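Review bot: The patch header carries the commit message twice: everything from the second summary line "gpg: fix aliases --list-key, --list-sig, and --check-sig." down to the second Signed-off-by repeats the description above it, and the two copies disagree on the ChangeLog entry ("g10/gpg.c (opts)" versus "g10/gpg.c: ARGPARSE_OPTS opts[]"). Keep one copy so the entry is unambiguous. The code change itself is a consistent three-line swap from ARGPARSE_s_n to ARGPARSE_c, but nothing in the patch exercises the abbreviation case the message cites ("gpg --list-ke") or the "conflicting commands" behaviour; a small regression test for both would keep the aliases from drifting again.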
diff --git a/debian/patches/0032-gpg-common-Make-sure-that-all-fd-given-are-valid.patch b/debian/patches/0032-gpg-common-Make-sure-that-all-fd-given-are-valid.patch
new file mode 100644
index 0000000..400d51b
--- /dev/null
+++ b/debian/patches/0032-gpg-common-Make-sure-that-all-fd-given-are-valid.patch
@@ -0,0 +1,226 @@
+From: Justus Winter <justus at g10code.com>
+Date: Wed, 8 Feb 2017 13:49:41 +0100
+Subject: gpg,common: Make sure that all fd given are valid.
+
+* common/sysutils.c (gnupg_fd_valid): New function.
+* common/sysutils.h (gnupg_fd_valid): New declaration.
+* common/logging.c (log_set_file): Use the new function.
+* g10/cpr.c (set_status_fd): Likewise.
+* g10/gpg.c (main): Likewise.
+* g10/keylist.c (read_sessionkey_from_fd): Likewise.
+* g10/passphrase.c (set_attrib_fd): Likewise.
+* tests/openpgp/Makefile.am (XTESTS): Add the new test.
+* tests/openpgp/issue2941.scm: New file.
+--
+
+Consider a situation where the user passes "--status-fd 3" but file
+descriptor 3 is not open.
+
+During the course of executing the rest of the commands, it's possible
+that gpg itself will open some files, and file descriptor 3 will get
+allocated.
+
+In this situation, the status information will be appended directly to
+whatever file happens to have landed on fd 3 (the trustdb? the
+keyring?).
+
+This is a potential data destruction issue for all writable file
+descriptor options:
+
+ --status-fd
+ --attribute-fd
+ --logger-fd
+
+It's also a potential issue for readable file descriptor options, but
+the risk is merely weird behavior, and not data corruption:
+
+ --override-session-key-fd
+ --passphrase-fd
+ --command-fd
+
+Fixes this by checking whether the fd is valid early on before using
+it.
+
+GnuPG-bug-id: 2941
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit 6823ed46584e753de3aba48a00ab738ab009a860)
+---
+ common/logging.c | 3 +++
+ common/sysutils.c | 11 +++++++++++
+ common/sysutils.h | 1 +
+ g10/cpr.c | 3 +++
+ g10/gpg.c | 5 +++++
+ g10/keylist.c | 3 +++
+ g10/passphrase.c | 3 +++
+ tests/openpgp/Makefile.am | 2 +-
+ tests/openpgp/issue2941.scm | 34 ++++++++++++++++++++++++++++++++++
+ 9 files changed, 64 insertions(+), 1 deletion(-)
+ create mode 100755 tests/openpgp/issue2941.scm
+
+diff --git a/common/logging.c b/common/logging.c
+index 8c70742..ac13053 100644
+--- a/common/logging.c
++++ b/common/logging.c
+@@ -570,6 +570,9 @@ log_set_file (const char *name)
+ void
+ log_set_fd (int fd)
+ {
++ if (! gnupg_fd_valid (fd))
++ log_fatal ("logger-fd is invalid: %s\n", strerror (errno));
++
+ set_file_fd (NULL, fd);
+ }
+
+diff --git a/common/sysutils.c b/common/sysutils.c
+index e67420f..a796677 100644
+--- a/common/sysutils.c
++++ b/common/sysutils.c
+@@ -1281,3 +1281,14 @@ gnupg_get_socket_name (int fd)
+ return name;
+ }
+ #endif /*!HAVE_W32_SYSTEM*/
++
++/* Check whether FD is valid. */
++int
++gnupg_fd_valid (int fd)
++{
++ int d = dup (fd);
++ if (d < 0)
++ return 0;
++ close (d);
++ return 1;
++}
+diff --git a/common/sysutils.h b/common/sysutils.h
+index a9316d7..ecd9f84 100644
+--- a/common/sysutils.h
++++ b/common/sysutils.h
+@@ -72,6 +72,7 @@ int gnupg_setenv (const char *name, const char *value, int overwrite);
+ int gnupg_unsetenv (const char *name);
+ char *gnupg_getcwd (void);
+ char *gnupg_get_socket_name (int fd);
++int gnupg_fd_valid (int fd);
+
+ gpg_error_t gnupg_inotify_watch_socket (int *r_fd, const char *socket_name);
+ int gnupg_inotify_has_name (int fd, const char *name);
+diff --git a/g10/cpr.c b/g10/cpr.c
+index 0133cad..4984e89 100644
+--- a/g10/cpr.c
++++ b/g10/cpr.c
+@@ -107,6 +107,9 @@ set_status_fd (int fd)
+ if (fd == -1)
+ return;
+
++ if (! gnupg_fd_valid (fd))
++ log_fatal ("status-fd is invalid: %s\n", strerror (errno));
++
+ if (fd == 1)
+ statusfp = es_stdout;
+ else if (fd == 2)
+diff --git a/g10/gpg.c b/g10/gpg.c
+index e280c22..66a2055 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -3079,6 +3079,8 @@ main (int argc, char **argv)
+
+ case oCommandFD:
+ opt.command_fd = translate_sys2libc_fd_int (pargs.r.ret_int, 0);
++ if (! gnupg_fd_valid (opt.command_fd))
++ log_fatal ("command-fd is invalid: %s\n", strerror (errno));
+ break;
+ case oCommandFile:
+ opt.command_fd = open_info_file (pargs.r.ret_str, 0, 1);
+@@ -5293,6 +5295,9 @@ read_sessionkey_from_fd (int fd)
+ int i, len;
+ char *line;
+
++ if (! gnupg_fd_valid (fd))
++ log_fatal ("override-session-key-fd is invalid: %s\n", strerror (errno));
++
+ for (line = NULL, i = len = 100; ; i++ )
+ {
+ if (i >= len-1 )
+diff --git a/g10/keylist.c b/g10/keylist.c
+index 4fe1e40..abdcb9f 100644
+--- a/g10/keylist.c
++++ b/g10/keylist.c
+@@ -1900,6 +1900,9 @@ set_attrib_fd (int fd)
+ if (fd == -1)
+ return;
+
++ if (! gnupg_fd_valid (fd))
++ log_fatal ("attribute-fd is invalid: %s\n", strerror (errno));
++
+ #ifdef HAVE_DOSISH_SYSTEM
+ setmode (fd, O_BINARY);
+ #endif
+diff --git a/g10/passphrase.c b/g10/passphrase.c
+index fb4ec4c..37abc0f 100644
+--- a/g10/passphrase.c
++++ b/g10/passphrase.c
+@@ -166,6 +166,9 @@ read_passphrase_from_fd( int fd )
+ int i, len;
+ char *pw;
+
++ if (! gnupg_fd_valid (fd))
++ log_fatal ("passphrase-fd is invalid: %s\n", strerror (errno));
++
+ if ( !opt.batch && opt.pinentry_mode != PINENTRY_MODE_LOOPBACK)
+ { /* Not used but we have to do a dummy read, so that it won't end
+ up at the begin of the message if the quite usual trick to
+diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am
+index 05341fb..d9a2e34 100644
+--- a/tests/openpgp/Makefile.am
++++ b/tests/openpgp/Makefile.am
+@@ -96,11 +96,11 @@ XTESTS = \
+ issue2346.scm \
+ issue2417.scm \
+ issue2419.scm
++ issue2941.scm
+
+ # Fixme: gpgconf.scm does not yet work with make distcheck.
+ # gpgconf.scm
+
+-
+ # XXX: Currently, one cannot override automake's 'check' target. As a
+ # workaround, we avoid defining 'TESTS', thus automake will not emit
+ # the 'check' target. For extra robustness, we merely define a
+diff --git a/tests/openpgp/issue2941.scm b/tests/openpgp/issue2941.scm
+new file mode 100755
+index 0000000..d7220e0
+--- /dev/null
++++ b/tests/openpgp/issue2941.scm
+@@ -0,0 +1,34 @@
++#!/usr/bin/env gpgscm
++
++;; Copyright (C) 2017 g10 Code GmbH
++;;
++;; This file is part of GnuPG.
++;;
++;; GnuPG is free software; you can redistribute it and/or modify
++;; it under the terms of the GNU General Public License as published by
++;; the Free Software Foundation; either version 3 of the License, or
++;; (at your option) any later version.
++;;
++;; GnuPG is distributed in the hope that it will be useful,
++;; but WITHOUT ANY WARRANTY; without even the implied warranty of
++;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++;; GNU General Public License for more details.
++;;
++;; You should have received a copy of the GNU General Public License
++;; along with this program; if not, see <http://www.gnu.org/licenses/>.
++
++(load (with-path "defs.scm"))
++(setup-legacy-environment)
++
++(define (check-failure options)
++ (let ((command `(, at gpg , at options)))
++ (catch '()
++ (call-check command)
++ (error "Expected an error, but got none when executing" command))))
++
++(for-each-p
++ "Checking invocation with invalid file descriptors (issue2941)."
++ (lambda (option)
++ (check-failure `(,(string-append "--" option "=23") --sign gpg.conf)))
++ '("status-fd" "attribute-fd" "logger-fd"
++ "override-session-key-fd" "passphrase-fd" "command-fd"))
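Review bot: In the tests/openpgp/Makefile.am hunk the new entry issue2941.scm is added after issue2419.scm, which still has no trailing backslash, so the new line is not a continuation of XTESTS and the test does not become part of that list. Add the continuation to the preceding line (issue2419.scm \) so the regression test actually runs. The ChangeLog lines in the message also do not match the hunks: read_sessionkey_from_fd is patched in g10/gpg.c rather than g10/keylist.c, set_attrib_fd is in g10/keylist.c rather than g10/passphrase.c, the common/logging.c change lands in log_set_fd rather than log_set_file, and read_passphrase_from_fd in g10/passphrase.c is not listed at all. In gnupg_fd_valid the callers print strerror (errno) after a failed dup, so the one-line comment should say that errno is left set by dup on the failure path. The test hard-codes descriptor 23 as the invalid one, which holds only while the harness never has 23 open; a comment stating that assumption would help.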
diff --git a/debian/patches/0033-common-Avoid-warning-about-implicit-declaration-of-g.patch b/debian/patches/0033-common-Avoid-warning-about-implicit-declaration-of-g.patch
new file mode 100644
index 0000000..52f4d36
--- /dev/null
+++ b/debian/patches/0033-common-Avoid-warning-about-implicit-declaration-of-g.patch
@@ -0,0 +1,36 @@
+From: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+Date: Wed, 8 Feb 2017 12:05:08 -0500
+Subject: common: Avoid warning about implicit declaration of gnupg_fd_valid.
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+* common/logging.c: Add #include "sysutils.h".
+
+--
+
+Without this, we see:
+
+logging.c:573:9: warning: implicit declaration of function \
+ ‘gnupg_fd_valid’ [-Wimplicit-function-declaration]
+ if (! gnupg_fd_valid (fd))
+ ^~~~~~~~~~~~~~
+
+Signed-off-by: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
+(cherry picked from commit 8810314e377a9cb6612150a57cf99260ed0bb9f6)
+---
+ common/logging.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/common/logging.c b/common/logging.c
+index ac13053..670affb 100644
+--- a/common/logging.c
++++ b/common/logging.c
+@@ -61,6 +61,7 @@
+ #include "i18n.h"
+ #include "common-defs.h"
+ #include "logging.h"
++#include "sysutils.h"
+
+ #ifdef HAVE_W32_SYSTEM
+ # define S_IRGRP S_IRUSR
diff --git a/debian/patches/0034-gpg-Fix-memory-leak-in-the-error-case-of-signature-c.patch b/debian/patches/0034-gpg-Fix-memory-leak-in-the-error-case-of-signature-c.patch
new file mode 100644
index 0000000..3665e3b
--- /dev/null
+++ b/debian/patches/0034-gpg-Fix-memory-leak-in-the-error-case-of-signature-c.patch
@@ -0,0 +1,51 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Fri, 10 Feb 2017 17:16:07 +0100
+Subject: gpg: Fix memory leak in the error case of signature creation.
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+* g10/sign.c (write_signature_packets): Free SIG. Also replace
+xcalloc by xtrycalloc.
+--
+
+If do_sign fails SIG was not released. Note that in the good case SIG
+is transferred to PKT and freed by free_packet.
+
+Reported-by: Stephan Müller
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 5996c7bf99f3a681393fd9589276399ebc956cff)
+---
+ g10/sign.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/g10/sign.c b/g10/sign.c
+index acc894c..ff099b3 100644
+--- a/g10/sign.c
++++ b/g10/sign.c
+@@ -686,7 +686,10 @@ write_signature_packets (SK_LIST sk_list, IOBUF out, gcry_md_hd_t hash,
+ pk = sk_rover->pk;
+
+ /* Build the signature packet. */
+- sig = xmalloc_clear (sizeof *sig);
++ sig = xtrycalloc (1, sizeof *sig);
++ if (!sig)
++ return gpg_error_from_syserror ();
++
+ if (duration || opt.sig_policy_url
+ || opt.sig_notations || opt.sig_keyserver_url)
+ sig->version = 4;
+@@ -731,8 +734,12 @@ write_signature_packets (SK_LIST sk_list, IOBUF out, gcry_md_hd_t hash,
+ print_status_sig_created (pk, sig, status_letter);
+ free_packet (&pkt);
+ if (rc)
+- log_error ("build signature packet failed: %s\n", gpg_strerror (rc));
++ log_error ("build signature packet failed: %s\n",
++ gpg_strerror (rc));
+ }
++ else
++ xfree (sig);
++
+ if (rc)
+ return rc;
+ }
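Review bot: In the second g10/sign.c hunk the error path releases SIG with a plain xfree (sig), which frees only the structure itself; the code between the two hunks is not shown, so please confirm that no member of SIG has been allocated by the time do_sign fails, otherwise those allocations still leak. The if that the new else pairs with is also outside the hunk context, which makes the pairing hard to check from the diff alone; a short comment on the else branch ("do_sign failed, SIG was not transferred to PKT") would make the ownership rule from the commit message visible in the code. The message says xcalloc is replaced, but the removed line is xmalloc_clear (sizeof *sig). The log_error line wrap in the same hunk is a formatting-only change and would be cleaner kept out of a leak fix.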
diff --git a/debian/patches/0035-gpg-Print-a-warning-if-no-command-has-been-given.patch b/debian/patches/0035-gpg-Print-a-warning-if-no-command-has-been-given.patch
new file mode 100644
index 0000000..6172346
--- /dev/null
+++ b/debian/patches/0035-gpg-Print-a-warning-if-no-command-has-been-given.patch
@@ -0,0 +1,32 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 13 Feb 2017 13:09:51 +0100
+Subject: gpg: Print a warning if no command has been given.
+
+* g10/gpg.c (main): Print in the default case.
+--
+
+GnuPG-bug-id: 2943
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 810adfd47801fc01e45fb71af9f05c91f7890cdb)
+---
+ g10/gpg.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 66a2055..0c5a167 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -4894,8 +4894,12 @@ main (int argc, char **argv)
+ #endif /*USE_TOFU*/
+ break;
+
+- case aListPackets:
+ default:
++ if (!opt.quiet)
++ log_info (_("WARNING: no command supplied."
++ " Trying to guess what you mean ...\n"));
++ /*FALLTHU*/
++ case aListPackets:
+ if( argc > 1 )
+ wrong_args("[filename]");
+ /* Issue some output for the unix newbie */
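Review bot: The fall-through marker added before case aListPackets is spelled /*FALLTHU*/, which is not one of the spellings that compilers and lint tools recognise for an intentional fall-through; use /*FALLTHRU*/ or /* fall through */ so that fall-through warnings stay quiet for the right reason. Placing default: ahead of a case label is legal but unusual, so the marker is doing real work here. The new warning is suppressed only by opt.quiet; if scripts that pipe data into gpg without a command are expected to keep working unchanged, note in the documentation that they now get an extra log_info line unless they pass the quiet option.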
diff --git a/debian/patches/0036-gpgconf-No-ENOENT-warning-with-change-options-et-al.patch b/debian/patches/0036-gpgconf-No-ENOENT-warning-with-change-options-et-al.patch
new file mode 100644
index 0000000..fa39a09
--- /dev/null
+++ b/debian/patches/0036-gpgconf-No-ENOENT-warning-with-change-options-et-al.patch
@@ -0,0 +1,40 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 13 Feb 2017 19:38:53 +0100
+Subject: gpgconf: No ENOENT warning with --change-options et al.
+
+* tools/gpgconf-comp.c (retrieve_options_from_program): Check ERRNO
+before printing a warning.
+--
+
+It is common that a conf files does not exist - thus we should not
+print a warning.
+
+GnuPG-bug-id: 2944
+
+BTW: The error messages in gpgconf should be reworked to match those
+of the other components.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 30dac0486b6357e84fbe79c612eea940b654e4d1)
+---
+ tools/gpgconf-comp.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
+index 180fd65..a0d9659 100644
+--- a/tools/gpgconf-comp.c
++++ b/tools/gpgconf-comp.c
+@@ -2163,8 +2163,11 @@ retrieve_options_from_program (gc_component_t component, gc_backend_t backend)
+
+ config = es_fopen (config_filename, "r");
+ if (!config)
+- gc_error (0, errno, "warning: can not open config file %s",
+- config_filename);
++ {
++ if (errno != ENOENT)
++ gc_error (0, errno, "warning: can not open config file %s",
++ config_filename);
++ }
+ else
+ {
+ while ((length = es_read_line (config, &line, &line_len, NULL)) > 0)
diff --git a/debian/patches/0037-dirmngr-Do-a-DNS-lookup-even-if-it-is-missing-from-n.patch b/debian/patches/0037-dirmngr-Do-a-DNS-lookup-even-if-it-is-missing-from-n.patch
new file mode 100644
index 0000000..b91abd7
--- /dev/null
+++ b/debian/patches/0037-dirmngr-Do-a-DNS-lookup-even-if-it-is-missing-from-n.patch
@@ -0,0 +1,60 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 13 Feb 2017 20:09:26 +0100
+Subject: dirmngr: Do a DNS lookup even if it is missing from nsswitch.conf.
+
+* dirmngr/dns-stuff.c (libdns_init): Do not print error message for a
+missing nsswitch.conf. Make sure that tehre is a DNS entry.
+--
+
+GnuPG-bug-id: 2948
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit dee026d761ae3d7594c3dbc5b3fa842df53cc189)
+---
+ dirmngr/dns-stuff.c | 27 +++++++++++++++++++++------
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/dirmngr/dns-stuff.c b/dirmngr/dns-stuff.c
+index 52f011a..bc2e071 100644
+--- a/dirmngr/dns-stuff.c
++++ b/dirmngr/dns-stuff.c
+@@ -498,12 +498,10 @@ libdns_init (void)
+ (dns_nssconf_loadpath (ld.resolv_conf, fname));
+ if (err)
+ {
+- log_error ("failed to load '%s': %s\n", fname, gpg_strerror (err));
+- /* not fatal, nsswitch.conf is not used on all systems; assume
+- * classic behavior instead. Our dns library states "bf" which tries
+- * DNS then Files, which is not classic; FreeBSD
+- * /usr/src/lib/libc/net/gethostnamadr.c defines default_src[] which
+- * is Files then DNS, which is. */
++ /* This is not a fatal error: nsswitch.conf is not used on
++ * all systems; assume classic behavior instead. */
++ if (gpg_err_code (err) != GPG_ERR_ENOENT)
++ log_error ("failed to load '%s': %s\n", fname, gpg_strerror (err));
+ if (opt_debug)
+ log_debug ("dns: fallback resolution order, files then DNS\n");
+ ld.resolv_conf->lookup[0] = 'f';
+@@ -511,6 +509,23 @@ libdns_init (void)
+ ld.resolv_conf->lookup[2] = '\0';
+ err = GPG_ERR_NO_ERROR;
+ }
++ else if (!strchr (ld.resolv_conf->lookup, 'b'))
++ {
++ /* No DNS resulution type found in the list. This might be
++ * due to systemd based systems which allow for custom
++ * keywords which are not known to us and thus we do not
++ * know whether DNS is wanted or not. Becuase DNS is
++ * important for our infrastructure, we forcefully append
++ * DNS to the end of the list. */
++ if (strlen (ld.resolv_conf->lookup)+2 < sizeof ld.resolv_conf->lookup)
++ {
++ if (opt_debug)
++ log_debug ("dns: appending DNS to resolution order\n");
++ strcat (ld.resolv_conf->lookup, "b");
++ }
++ else
++ log_error ("failed to append DNS to resolution order\n");
++ }
+
+ #endif /* Unix */
+ }
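Review bot: The new else-if branch in libdns_init appends 'b' to the lookup order whenever nsswitch.conf loaded successfully but lists no DNS source, which means a host whose administrator deliberately left DNS out of the hosts line will now have dirmngr issue DNS queries anyway. The comment admits that intent cannot be determined ("we do not know whether DNS is wanted or not"), so this override should at least be documented for users and logged at more than opt_debug level, or made controllable by an option. The bounds check strlen (ld.resolv_conf->lookup)+2 < sizeof ld.resolv_conf->lookup is safe but one byte stricter than needed for appending a single character plus the terminator; if that is intentional, say so. Typos to fix while here: "tehre" in the ChangeLog line, and "resulution" and "Becuase" in the new comment. The removed comment also explained why the fallback order is files then DNS; the shortened version drops that rationale.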
diff --git a/debian/patches/0038-gpg-Make-export-ssh-key-work-for-the-primary-key.patch b/debian/patches/0038-gpg-Make-export-ssh-key-work-for-the-primary-key.patch
new file mode 100644
index 0000000..9ba738b
--- /dev/null
+++ b/debian/patches/0038-gpg-Make-export-ssh-key-work-for-the-primary-key.patch
@@ -0,0 +1,162 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Tue, 14 Feb 2017 10:55:13 +0100
+Subject: gpg: Make --export-ssh-key work for the primary key.
+
+* g10/export.c (export_ssh_key): Also check the primary key.
+--
+
+If no suitable subkey was found for export, we now check whether the
+primary key is suitable for export and export this one. Without this
+change it was only possible to export the primary key by using the '!'
+suffix in the key specification.
+
+Also added a sample key for testing this.
+
+GnuPG-bug-id: 2957
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit b456e5be91dc064fc9509ea86edab113721ed299)
+---
+ g10/export.c | 42 ++++++++++++++++++++++
+ tests/openpgp/samplekeys/README | 2 ++
+ .../samplekeys/rsa-primary-auth-only.pub.asc | 23 ++++++++++++
+ .../samplekeys/rsa-primary-auth-only.sec.asc | 38 ++++++++++++++++++++
+ 4 files changed, 105 insertions(+)
+ create mode 100644 tests/openpgp/samplekeys/rsa-primary-auth-only.pub.asc
+ create mode 100644 tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc
+
+diff --git a/g10/export.c b/g10/export.c
+index f354ca0..8668126 100644
+--- a/g10/export.c
++++ b/g10/export.c
+@@ -2208,6 +2208,48 @@ export_ssh_key (ctrl_t ctrl, const char *userid)
+ latest_key = node;
+ }
+ }
++
++ /* If no subkey was suitable check the primary key. */
++ if (!latest_key
++ && (node = keyblock) && node->pkt->pkttype == PKT_PUBLIC_KEY)
++ {
++ pk = node->pkt->pkt.public_key;
++ if (DBG_LOOKUP)
++ log_debug ("\tchecking primary key %08lX\n",
++ (ulong) keyid_from_pk (pk, NULL));
++ if (!(pk->pubkey_usage & PUBKEY_USAGE_AUTH))
++ {
++ if (DBG_LOOKUP)
++ log_debug ("\tprimary key not usable for authentication\n");
++ }
++ else if (!pk->flags.valid)
++ {
++ if (DBG_LOOKUP)
++ log_debug ("\tprimary key not valid\n");
++ }
++ else if (pk->flags.revoked)
++ {
++ if (DBG_LOOKUP)
++ log_debug ("\tprimary key has been revoked\n");
++ }
++ else if (pk->has_expired)
++ {
++ if (DBG_LOOKUP)
++ log_debug ("\tprimary key has expired\n");
++ }
++ else if (pk->timestamp > curtime && !opt.ignore_valid_from)
++ {
++ if (DBG_LOOKUP)
++ log_debug ("\tprimary key not yet valid\n");
++ }
++ else
++ {
++ if (DBG_LOOKUP)
++ log_debug ("\tprimary key is fine\n");
++ latest_date = pk->timestamp;
++ latest_key = node;
++ }
++ }
+ }
+
+ if (!latest_key)
+diff --git a/tests/openpgp/samplekeys/README b/tests/openpgp/samplekeys/README
+index 29524d5..6f2399f 100644
+--- a/tests/openpgp/samplekeys/README
++++ b/tests/openpgp/samplekeys/README
+@@ -17,3 +17,5 @@ E657FB607BB4F21C90BB6651BC067AF28BC90111.asc Key with subkeys (no protection)
+ rsa-rsa-sample-1.asc RSA+RSA sample key (no passphrase)
+ ed25519-cv25519-sample-1.asc Ed25519+CV25519 sample key (no passphrase)
+ silent-running.asc Collection of sample secret keys (no passphrases)
++rsa-primary-auth-only.pub.asc rsa2408 primary only, usage: cert,auth
++rsa-primary-auth-only.sec.asc Ditto but the secret keyblock.
+diff --git a/tests/openpgp/samplekeys/rsa-primary-auth-only.pub.asc b/tests/openpgp/samplekeys/rsa-primary-auth-only.pub.asc
+new file mode 100644
+index 0000000..f34999e
+--- /dev/null
++++ b/tests/openpgp/samplekeys/rsa-primary-auth-only.pub.asc
+@@ -0,0 +1,23 @@
++pub rsa2048 2017-02-14 [CA]
++ F74B4029E6906D12EBDA8EE3BD7744900FDABC8D
++ Keygrip = AB1BB1843677AF7CC4D6C14444320C3FF4147E98
++uid [ unknown] ssh://host.example.net
++
++-----BEGIN PGP PUBLIC KEY BLOCK-----
++
++mQENBFiizWgBCACi28riS0AaC7UvXaZfoafEvcXq/MAq6akiowPf3eY4zz5DkBPf
++Ep3kGuDMAFqULvchIt9vpg719Zar/Xldi+UG+/KsDz+TT5k+nP6CwvBHbAXXtISv
++S51TKKnTFpvjcgJc1BMFN0pGf7JnZx1QfRfsZO2BvS4qVzYCWbSS9hlpMq4aIgOc
++ERBMsZYMPnI4ijbXysksecDC91kbJH0q5j8aGir5sDyrDwfVLp0SUAubRFU5gXuZ
++SEv9QmeV7XoXKXzk9KEYy7GUgoAJzabvbF0rVXqd3DE8KFkwK7rKBe8sGC04DWlK
++j/sHJcAfMSqCi/SZyYpO+FSfnB+uJ1BNc05hABEBAAG0FnNzaDovL2hvc3QuZXhh
++bXBsZS5uZXSJAU4EEwEIADgWIQT3S0Ap5pBtEuvajuO9d0SQD9q8jQUCWKLNaAIb
++IQULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRC9d0SQD9q8jZBrB/41MJWUeclV
++tM60+ydPNgUJwyRXpKdLIm/AtM1zOijlFkwsaMmzbFSFJJX98HGASHdU5OpL2Lv3
++1NNDNMbUuFumApVrLzJUBugFRb+8/uY7H3Z0/YKQ9g9OC3z7+uqFFv/+/wA+VdYX
++Zy6uim8E4OlJ41S68fQcMiTxbLTCDkvBbpf505t6JhNqF6JB+SBFQJXvRqjoydXf
++dyoiDz9N1V0ERzmGEiPewvHg2zWcVia07NGhxN3slQ3klOfYJQ8Ye72feNq1zKCy
++AyU3X8fL10XKWooCAU+t4hR5hXYxYTSZse5q0FHZ38Lt9c3ApMSZ2+ueeOtGbsH9
++kV8icGkI6KXp
++=zMXp
++-----END PGP PUBLIC KEY BLOCK-----
+diff --git a/tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc b/tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc
+new file mode 100644
+index 0000000..9d72421
+--- /dev/null
++++ b/tests/openpgp/samplekeys/rsa-primary-auth-only.sec.asc
+@@ -0,0 +1,38 @@
++sec rsa2048 2017-02-14 [CA]
++ F74B4029E6906D12EBDA8EE3BD7744900FDABC8D
++ Keygrip = AB1BB1843677AF7CC4D6C14444320C3FF4147E98
++uid [ unknown] ssh://host.example.net
++
++Passprase: none
++
++-----BEGIN PGP PRIVATE KEY BLOCK-----
++
++lQOYBFiizWgBCACi28riS0AaC7UvXaZfoafEvcXq/MAq6akiowPf3eY4zz5DkBPf
++Ep3kGuDMAFqULvchIt9vpg719Zar/Xldi+UG+/KsDz+TT5k+nP6CwvBHbAXXtISv
++S51TKKnTFpvjcgJc1BMFN0pGf7JnZx1QfRfsZO2BvS4qVzYCWbSS9hlpMq4aIgOc
++ERBMsZYMPnI4ijbXysksecDC91kbJH0q5j8aGir5sDyrDwfVLp0SUAubRFU5gXuZ
++SEv9QmeV7XoXKXzk9KEYy7GUgoAJzabvbF0rVXqd3DE8KFkwK7rKBe8sGC04DWlK
++j/sHJcAfMSqCi/SZyYpO+FSfnB+uJ1BNc05hABEBAAEAB/wN0yan4HIdQ+fU5i2c
++v0uknI9+i9zW8mWUi84Puks0K15CZ1VTLHC8JQ6hgq4twhw3HeS7GkJO3X2K4BuQ
++tggdIv94slqtQKaQ9XbNgYraz/AMXZtIiNy0FdGaGmM6rY+ccwxM9w1BFXn+48v4
++lzCUCq/2wX53wwDSC5dpRPw8km6+uksFh3dfY8kgfpjU/lUCCwQiooYrQhut1EGB
++lDLRHp2ntC1xsnowtdPzluIHFetFSnmn2ehGqXqXtXLAMF0HOirViO5dUVMuj2Pe
++ra3IYVYANYK/7FEsRXHxU6aB/BSnubb5EiqB1Oi1JNyMrvYZnRsoRUaMjVgjA4ne
++RwD5BADBZN2USYGgciDVh7kvTbrtS1igPhoe3xUUQsM0hVIEwBzG4A4pWXznIQyW
++BziVTnRNp953EbHJIYdn7vmJzdiRKI+hOvrF8dfvVsq+fp4pWxrc+zrC6qptpo6H
++IhkHWUpyfIPuTI8d+glIUIuDshwKau0UZ8VDTOYuRYEZX9PrAwQA15RdS3geA1cf
++UK/ZaKs5VnohcLtEE/z3BlvlQaEdHxSQJSLYC4By7zKVOFZlZkHk36IPikwYNTgc
++P57aLe7rwNZqPhADue1ZN6Ypetvrek55lAYL9XoPJ/mWaYz6oDWWW8vHYqEPk8OL
++N8/8a6DhK0iydXi9/ztHQllbOt0EUcsEAJBjX84FgIi3VRotRSEDN/tIhekNo8p6
++Pl8YF4V8A1hCVBEKRIcsPVx603DFiGFRcQQcBbblqVG4fpOYYgiBtEgJksRiMg/o
++kmVkl8BPrIhBGe2ez7byhhFvJDAoOWCdH0MWGaPGUoCGTDvd046GE8B3UWN9TSmo
++qAqfrUG0hQVQLEa0FnNzaDovL2hvc3QuZXhhbXBsZS5uZXSJAU4EEwEIADgWIQT3
++S0Ap5pBtEuvajuO9d0SQD9q8jQUCWKLNaAIbIQULCQgHAgYVCAkKCwIEFgIDAQIe
++AQIXgAAKCRC9d0SQD9q8jZBrB/41MJWUeclVtM60+ydPNgUJwyRXpKdLIm/AtM1z
++OijlFkwsaMmzbFSFJJX98HGASHdU5OpL2Lv31NNDNMbUuFumApVrLzJUBugFRb+8
++/uY7H3Z0/YKQ9g9OC3z7+uqFFv/+/wA+VdYXZy6uim8E4OlJ41S68fQcMiTxbLTC
++DkvBbpf505t6JhNqF6JB+SBFQJXvRqjoydXfdyoiDz9N1V0ERzmGEiPewvHg2zWc
++Via07NGhxN3slQ3klOfYJQ8Ye72feNq1zKCyAyU3X8fL10XKWooCAU+t4hR5hXYx
++YTSZse5q0FHZ38Lt9c3ApMSZ2+ueeOtGbsH9kV8icGkI6KXp
++=3QG9
++-----END PGP PRIVATE KEY BLOCK-----
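Review bot: Nothing in this patch exercises the new primary-key branch of export_ssh_key: the diffstat adds g10/export.c, a README entry and the two sample key files, but no test script that imports rsa-primary-auth-only and runs --export-ssh-key against it. Add one, since the message says the key was added for testing this. The README entry describes the key as "rsa2408" while both key files show rsa2048, and the secret key file header reads "Passprase: none"; fix both spellings. In the new block the DBG_LOOKUP message for the usable case says "primary key is fine" but the rejection reasons are only visible with lookup debugging enabled, so a user whose primary key is rejected still sees just the generic failure that follows if (!latest_key); consider surfacing the reason there.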
diff --git a/debian/patches/0039-dirmngr-Avoid-PTR-lookup-for-hosts-in-a-pool.patch b/debian/patches/0039-dirmngr-Avoid-PTR-lookup-for-hosts-in-a-pool.patch
new file mode 100644
index 0000000..f1e9791
--- /dev/null
+++ b/debian/patches/0039-dirmngr-Avoid-PTR-lookup-for-hosts-in-a-pool.patch
@@ -0,0 +1,71 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Wed, 15 Feb 2017 17:03:57 +0100
+Subject: dirmngr: Avoid PTR lookup for hosts in a pool
+
+* dirmngr/ks-engine-hkp.c (add_host): Don't to a PTR lookup for hosts
+in a pool.
+--
+
+GnuPG-bug-id: 2928
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit da2ba20868093e3054d18adc2b1bc56cb23e4ba7)
+---
+ dirmngr/ks-engine-hkp.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/dirmngr/ks-engine-hkp.c b/dirmngr/ks-engine-hkp.c
+index be8b083..32db4bc 100644
+--- a/dirmngr/ks-engine-hkp.c
++++ b/dirmngr/ks-engine-hkp.c
+@@ -320,10 +320,17 @@ add_host (const char *name, int is_pool,
+
+ idx = find_hostinfo (name);
+
+- if (!is_pool && !is_ip_address (name))
++ if (is_pool)
+ {
+- /* This is a hostname but not a pool. Use the name
+- as given without going through resolve_dns_addr. */
++ /* For a pool immediately convert the address to a string. */
++ tmperr = resolve_dns_addr (ai->addr, ai->addrlen,
++ (DNS_NUMERICHOST | DNS_WITHBRACKET), &tmphost);
++ is_numeric = 1;
++ }
++ else if (!is_ip_address (name))
++ {
++ /* This is a hostname. Use the name as given without going
++ * through resolve_dns_addr. */
+ tmphost = xtrystrdup (name);
+ if (!tmphost)
+ tmperr = gpg_error_from_syserror ();
+@@ -332,6 +339,10 @@ add_host (const char *name, int is_pool,
+ }
+ else
+ {
++ /* Do a PTR lookup on AI. If a name was not found the function
++ * returns the numeric address (with brackets) and we set a flag
++ * so that we know that the conversion to a numerical string has
++ * already be done. */
+ tmperr = resolve_dns_addr (ai->addr, ai->addrlen,
+ DNS_WITHBRACKET, &tmphost);
+ if (tmphost && is_ip_address (tmphost))
+@@ -364,8 +375,7 @@ add_host (const char *name, int is_pool,
+
+ if (tmpidx == -1)
+ {
+- log_error ("map_host for '%s' problem: %s - '%s'"
+- " [ignored]\n",
++ log_error ("map_host for '%s' problem: %s - '%s' [ignored]\n",
+ name, strerror (errno), tmphost);
+ }
+ else /* Set or update the entry. */
+@@ -375,6 +385,9 @@ add_host (const char *name, int is_pool,
+ if (port)
+ hosttable[tmpidx]->port = port;
+
++ /* If TMPHOST is not yet a numerical value do this now.
++ * Note: This is a simple string operations and not a PTR
++ * lookup (due to DNS_NUMERICHOST). */
+ if (!is_numeric)
+ {
+ xfree (tmphost);
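Review bot: In the first dirmngr/ks-engine-hkp.c hunk the new is_pool branch sets is_numeric = 1 unconditionally right after resolve_dns_addr, without looking at tmperr, whereas the PTR branch below sets its flag only after checking tmphost && is_ip_address (tmphost). Set the flag only when the conversion succeeded, or confirm that the code following this hunk checks tmperr before tmphost and is_numeric are used. The added comments are helpful; fix "has already be done" to "has already been done", "a simple string operations" to "a simple string operation", and "Don't to a PTR lookup" in the ChangeLog line. Joining the log_error format string onto one line is a cosmetic change unrelated to the PTR fix and would be better left out of a backported patch.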
diff --git a/debian/patches/series b/debian/patches/series
index afa84e1..6de976c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,12 @@ gpg-agent-idling/0004-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
0028-scd-Backport-two-fixes-from-master.patch
0029-scd-Fix-use-case-of-PC-SC.patch
0030-scd-Fix-factory-reset.patch
+0031-gpg-Fix-aliases-list-key-list-sig-and-check-sig.patch
+0032-gpg-common-Make-sure-that-all-fd-given-are-valid.patch
+0033-common-Avoid-warning-about-implicit-declaration-of-g.patch
+0034-gpg-Fix-memory-leak-in-the-error-case-of-signature-c.patch
+0035-gpg-Print-a-warning-if-no-command-has-been-given.patch
+0036-gpgconf-No-ENOENT-warning-with-change-options-et-al.patch
+0037-dirmngr-Do-a-DNS-lookup-even-if-it-is-missing-from-n.patch
+0038-gpg-Make-export-ssh-key-work-for-the-primary-key.patch
+0039-dirmngr-Avoid-PTR-lookup-for-hosts-in-a-pool.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git