[Pkg-gnupg-commit] [gnupg2] 164/166: import bugfixes and better testing from upstream
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Mar 16 22:33:21 UTC 2017
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch experimental
in repository gnupg2.
commit a2fdecac72847f8cc5e0389b1253105c66f8fee0
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Sun Mar 5 02:18:55 2017 +0100
import bugfixes and better testing from upstream
---
...s-Always-escape-newlines-when-escaping-da.patch | 63 ++++++
...nformation-about-ssh-add-comments-to-test.patch | 66 ++++++
...an-error-when-trying-to-revoke-non-exista.patch | 53 +++++
...ve-error-message-for-the-KEYTOCARD-comman.patch | 126 +++++++++++
...ix-quick-key-generation-with-always-trust.patch | 84 ++++++++
...initialize-the-trust-db-when-generating-k.patch | 52 +++++
...-gpgconf-list-return-the-default-keyserve.patch | 140 +++++++++++++
...19-dirmngr-Rearrange-files-to-fix-de6d831.patch | 233 +++++++++++++++++++++
...Fix-compile-error-with-older-gcc-versions.patch | 39 ++++
...-variables-to-the-import-and-export-filte.patch | 140 +++++++++++++
...sible-segv-when-attribute-packets-are-fil.patch | 58 +++++
.../patches/0023-scd-Fix-scd_kick_the_loop.patch | 193 +++++++++++++++++
.../patches/0024-dirmngr-Fix-commit-de6d8313.patch | 27 +++
debian/patches/series | 13 ++
14 files changed, 1287 insertions(+)
diff --git a/debian/patches/0012-common-tools-Always-escape-newlines-when-escaping-da.patch b/debian/patches/0012-common-tools-Always-escape-newlines-when-escaping-da.patch
new file mode 100644
index 0000000..fb34573
--- /dev/null
+++ b/debian/patches/0012-common-tools-Always-escape-newlines-when-escaping-da.patch
@@ -0,0 +1,63 @@
+From: Justus Winter <justus at g10code.com>
+Date: Wed, 1 Mar 2017 17:47:47 +0100
+Subject: common,tools: Always escape newlines when escaping data.
+
+* common/stringhelp.c (do_percent_escape): Always escape newlines.
+* tools/gpgconf-comp.c (gc_percent_escape): Likewise.
+--
+Newlines always pose a problem for a line-based communication format.
+
+GnuPG-bug-id: 2387
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit e064c75b08a523f738108428fe0c417a46e66238)
+---
+ common/stringhelp.c | 10 +++++++++-
+ tools/gpgconf-comp.c | 7 +++++++
+ 2 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/common/stringhelp.c b/common/stringhelp.c
+index 341dd52..bea1466 100644
+--- a/common/stringhelp.c
++++ b/common/stringhelp.c
+@@ -1052,7 +1052,8 @@ do_percent_escape (const char *str, const char *extra, int die)
+ return NULL;
+
+ for (i=j=0; str[i]; i++)
+- if (str[i] == ':' || str[i] == '%' || (extra && strchr (extra, str[i])))
++ if (str[i] == ':' || str[i] == '%' || str[i] == '\n'
++ || (extra && strchr (extra, str[i])))
+ j++;
+ if (die)
+ ptr = xmalloc (i + 2 * j + 1);
+@@ -1077,6 +1078,13 @@ do_percent_escape (const char *str, const char *extra, int die)
+ ptr[i++] = '2';
+ ptr[i++] = '5';
+ }
++ else if (*str == '\n')
++ {
++ /* The newline is problematic in a line-based format. */
++ ptr[i++] = '%';
++ ptr[i++] = '0';
++ ptr[i++] = 'a';
++ }
+ else if (extra && strchr (extra, *str))
+ {
+ ptr[i++] = '%';
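Review bot: the new `else if (*str == '\n')` branch covers only LF, so a carriage return in the input still passes through unescaped unless the caller lists it in `extra`. If the consumers of this line-based format also treat CR as a line terminator, escape it here as `%0d` and count it in the sizing loop above. The diffstat touches only the two C files, so a unit test that feeds a string with an embedded newline to do_percent_escape would be worth adding.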
+diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
+index d53947e..0c939e5 100644
+--- a/tools/gpgconf-comp.c
++++ b/tools/gpgconf-comp.c
+@@ -1491,6 +1491,13 @@ gc_percent_escape (const char *src)
+ *(dst++) = '2';
+ *(dst++) = 'c';
+ }
++ else if (*src == '\n')
++ {
++ /* The newline is problematic in a line-based format. */
++ *(dst++) = '%';
++ *(dst++) = '0';
++ *(dst++) = 'a';
++ }
+ else
+ *(dst++) = *(src);
+ src++;
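Review bot: the new `'\n'` branch writes three bytes to `dst` for one input byte, and the hunk does not show how the destination buffer of `gc_percent_escape` is sized. Please confirm the allocation reserves three output bytes per input byte, so that an input consisting largely of newlines cannot overrun it. This is the same escape as the one added to do_percent_escape, so a shared helper would keep the two from drifting apart.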
diff --git a/debian/patches/0013-tests-Log-information-about-ssh-add-comments-to-test.patch b/debian/patches/0013-tests-Log-information-about-ssh-add-comments-to-test.patch
new file mode 100644
index 0000000..dbe80b2
--- /dev/null
+++ b/debian/patches/0013-tests-Log-information-about-ssh-add-comments-to-test.patch
@@ -0,0 +1,66 @@
+From: Justus Winter <justus at g10code.com>
+Date: Thu, 2 Mar 2017 10:41:03 +0100
+Subject: tests: Log information about ssh, add comments to test.
+
+* tests/openpgp/ssh-import.scm (ssh-version-string): New variable, and
+log the binary and version used in the test.
+(ssh-supports?): Document how we test what algorithms are supported by
+ssh, and log ssh-keygen's replies.
+--
+We have some trouble with this test on macOS, and adding some more
+information in verbose mode will hopefully make tracking down these
+problems easier in the future.
+
+GnuPG-bug-id: 2980
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit 74cb3b230c1f99afc5fd09bccc24186a63b154b0)
+---
+ tests/openpgp/ssh-import.scm | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/tests/openpgp/ssh-import.scm b/tests/openpgp/ssh-import.scm
+index 7a4364c..d210056 100755
+--- a/tests/openpgp/ssh-import.scm
++++ b/tests/openpgp/ssh-import.scm
+@@ -36,8 +36,13 @@
+ (catch (skip "ssh-keygen not found")
+ (set! ssh-keygen (path-expand "ssh-keygen" path)))
+
++(define ssh-version-string
++ (:stderr (call-with-io `(,ssh "-V") "")))
++
++(log "Using" ssh "version:" ssh-version-string)
++
+ (define ssh-version
+- (let ((tmp (:stderr (call-with-io `(,ssh "-V") "")))
++ (let ((tmp ssh-version-string)
+ (prefix "OpenSSH_"))
+ (unless (string-prefix? tmp prefix)
+ (skip "This doesn't look like OpenSSH:" tmp))
+@@ -45,14 +50,22 @@
+ (+ 3 (string-length prefix))))))
+
+ (define (ssh-supports? algorithm)
++ ;; We exploit ssh-keygen as an oracle to test what algorithms ssh
++ ;; supports.
+ (cond
+ ((equal? algorithm "ed25519")
++ ;; Unfortunately, our oracle does not work for ed25519 because
++ ;; this is a specific curve and not a family, so the key size
++ ;; parameter is ignored.
+ (>= ssh-version 6.5))
+ (else
+- (not (string-contains? (:stderr (call-with-io `(,ssh-keygen
+- -t ,algorithm
+- -b "1009") ""))
+- "unknown key type")))))
++ ;; We call ssh-keygen with the algorithm to test, specify an
++ ;; invalid key size, and observe the error message.
++ (let ((output (:stderr (call-with-io `(,ssh-keygen
++ -t ,algorithm
++ -b "1009") ""))))
++ (log "(ssh-supports?" algorithm "), ssh algorithm oracle replied:" output)
++ (not (string-contains? output "unknown key type"))))))
+
+ (define keys
+ '(("dsa" "9a:e1:f1:5f:46:ea:a5:06:e1:e2:f8:38:8e:06:54:58")
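Review bot: `ssh-supports?` decides on the literal substring "unknown key type" in ssh-keygen's stderr, so any other failure of the call, or different wording in another release, is read as "algorithm supported". The new log line makes that visible, but a positive match on the expected key-size error would be more robust than the absence of one message.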
diff --git a/debian/patches/0014-g10-Signal-an-error-when-trying-to-revoke-non-exista.patch b/debian/patches/0014-g10-Signal-an-error-when-trying-to-revoke-non-exista.patch
new file mode 100644
index 0000000..431bb9b
--- /dev/null
+++ b/debian/patches/0014-g10-Signal-an-error-when-trying-to-revoke-non-exista.patch
@@ -0,0 +1,53 @@
+From: Justus Winter <justus at g10code.com>
+Date: Thu, 2 Mar 2017 11:39:00 +0100
+Subject: g10: Signal an error when trying to revoke non-existant UID.
+
+* g10/keyedit.c (keyedit_quick_revuid): Signal an error when trying to
+revoke non-existant UID.
+* tests/openpgp/quick-key-manipulation.scm: Test that.
+
+GnuPG-bug-id: 2962
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit 62d21a4ab4029b32ea129f1cf3a0e1f22e2fb7b0)
+---
+ g10/keyedit.c | 2 ++
+ tests/openpgp/quick-key-manipulation.scm | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/g10/keyedit.c b/g10/keyedit.c
+index 892da1a..c591600 100644
+--- a/g10/keyedit.c
++++ b/g10/keyedit.c
+@@ -3053,6 +3053,8 @@ keyedit_quick_revuid (ctrl_t ctrl, const char *username, const char *uidtorev)
+ }
+ }
+
++ log_error (_("User ID revocation failed: %s\n"), gpg_strerror (GPG_ERR_NOT_FOUND));
++
+ leave:
+ release_kbnode (keyblock);
+ keydb_release (kdbhd);
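Review bot: the new `log_error` call is fall-through code directly above the `leave:` label, so it runs on every path that does not jump to `leave` first. The hunk does not show the success path, so please confirm that a successful revocation exits with `goto leave` and cannot reach this line. The added line is also longer than 80 columns.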
+diff --git a/tests/openpgp/quick-key-manipulation.scm b/tests/openpgp/quick-key-manipulation.scm
+index 7ede5e9..8ceb035 100755
+--- a/tests/openpgp/quick-key-manipulation.scm
++++ b/tests/openpgp/quick-key-manipulation.scm
+@@ -37,6 +37,7 @@
+
+ (define alpha "Alpha <alpha at invalid.example.net>")
+ (define bravo "Bravo <bravo at invalid.example.net>")
++(define charlie "Charlie <charlie at invalid.example.net>")
+
+ (define (key-data key)
+ (filter (lambda (x) (or (string=? (car x) "pub")
+@@ -79,6 +80,11 @@
+ (info "Checking that we can revoke a user ID...")
+ (call-check `(, at GPG --quick-revoke-uid ,(exact bravo) ,alpha))
+
++(info "Checking that we get an error revoking a non-existant user ID.")
++(catch '()
++ (call-check `(, at GPG --quick-revoke-uid ,(exact bravo) ,charlie))
++ (error "Expected an error, but get none."))
++
+ (assert (= 1 (count-uids-of-secret-key bravo)))
+
+ (info "Checking that we can change the expiration time.")
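Review bot: the `(error "Expected an error, but get none.")` call sits inside the body of `(catch '() ...)`, so if `catch` handles any error raised in its body (as its use with `skip` in ssh-import.scm suggests), the failure signal is swallowed by the same handler and this check can never fail. Record the outcome outside the catch, for example by setting a flag in the handler and asserting on it afterwards. In the two strings, "non-existant" should read "non-existent" and "but get none" should read "but got none".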
diff --git a/debian/patches/0015-agent-Improve-error-message-for-the-KEYTOCARD-comman.patch b/debian/patches/0015-agent-Improve-error-message-for-the-KEYTOCARD-comman.patch
new file mode 100644
index 0000000..ef38730
--- /dev/null
+++ b/debian/patches/0015-agent-Improve-error-message-for-the-KEYTOCARD-comman.patch
@@ -0,0 +1,126 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 2 Mar 2017 12:29:31 +0100
+Subject: agent: Improve error message for the KEYTOCARD command.
+
+* agent/command.c (cmd_keytocard): Always use leave_cmd. Simplify
+timestamp checking and do an early test with an appropriate error
+message.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit d6f0f368763006abf08818bfefcd32ecedb5c20a)
+---
+ agent/command.c | 39 +++++++++++++++++++++++++++------------
+ 1 file changed, 27 insertions(+), 12 deletions(-)
+
+diff --git a/agent/command.c b/agent/command.c
+index ec38649..acc3877 100644
+--- a/agent/command.c
++++ b/agent/command.c
+@@ -2486,7 +2486,7 @@ cmd_keytocard (assuan_context_t ctx, char *line)
+ unsigned char grip[20];
+ gcry_sexp_t s_skey = NULL;
+ unsigned char *keydata;
+- size_t keydatalen, timestamplen;
++ size_t keydatalen;
+ const char *serialno, *timestamp_str, *id;
+ unsigned char *shadow_info = NULL;
+ time_t timestamp;
+@@ -2499,11 +2499,15 @@ cmd_keytocard (assuan_context_t ctx, char *line)
+
+ err = parse_keygrip (ctx, line, grip);
+ if (err)
+- return err;
++ goto leave;
+
+ if (agent_key_available (grip))
+- return gpg_error (GPG_ERR_NO_SECKEY);
++ {
++ err =gpg_error (GPG_ERR_NO_SECKEY);
++ goto leave;
++ }
+
++ /* Fixme: Replace the parsing code by split_fields(). */
+ line += 40;
+ while (*line && (*line == ' ' || *line == '\t'))
+ line++;
+@@ -2511,7 +2515,10 @@ cmd_keytocard (assuan_context_t ctx, char *line)
+ while (*line && (*line != ' ' && *line != '\t'))
+ line++;
+ if (!*line)
+- return gpg_error (GPG_ERR_MISSING_VALUE);
++ {
++ err = gpg_error (GPG_ERR_MISSING_VALUE);
++ goto leave;
++ }
+ *line = '\0';
+ line++;
+ while (*line && (*line == ' ' || *line == '\t'))
+@@ -2520,7 +2527,10 @@ cmd_keytocard (assuan_context_t ctx, char *line)
+ while (*line && (*line != ' ' && *line != '\t'))
+ line++;
+ if (!*line)
+- return gpg_error (GPG_ERR_MISSING_VALUE);
++ {
++ err = gpg_error (GPG_ERR_MISSING_VALUE);
++ goto leave;
++ }
+ *line = '\0';
+ line++;
+ while (*line && (*line == ' ' || *line == '\t'))
+@@ -2530,9 +2540,12 @@ cmd_keytocard (assuan_context_t ctx, char *line)
+ line++;
+ if (*line)
+ *line = '\0';
+- timestamplen = line - timestamp_str;
+- if (timestamplen != 15)
+- return gpg_error (GPG_ERR_INV_VALUE);
++
++ if ((timestamp = isotime2epoch (timestamp_str)) == (time_t)(-1))
++ {
++ err = gpg_error (GPG_ERR_INV_TIME);
++ goto leave;
++ }
+
+ err = agent_key_from_file (ctrl, NULL, ctrl->server_local->keydesc, grip,
+ &shadow_info, CACHE_MODE_IGNORE, NULL,
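Review bot: with the `timestamplen != 15` check removed, rejection of a malformed timestamp rests entirely on `isotime2epoch` returning `(time_t)(-1)`. The hunk does not show that function, so please confirm it rejects strings that are too short, too long, or carry trailing characters, or keep the length check ahead of the conversion.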
+@@ -2540,34 +2553,36 @@ cmd_keytocard (assuan_context_t ctx, char *line)
+ if (err)
+ {
+ xfree (shadow_info);
+- return err;
++ goto leave;
+ }
+ if (shadow_info)
+ {
+ /* Key is on a smartcard already. */
+ xfree (shadow_info);
+ gcry_sexp_release (s_skey);
+- return gpg_error (GPG_ERR_UNUSABLE_SECKEY);
++ err = gpg_error (GPG_ERR_UNUSABLE_SECKEY);
++ goto leave;
+ }
+
+ keydatalen = gcry_sexp_sprint (s_skey, GCRYSEXP_FMT_CANON, NULL, 0);
+ keydata = xtrymalloc_secure (keydatalen + 30);
+ if (keydata == NULL)
+ {
++ err = gpg_error_from_syserror ();
+ gcry_sexp_release (s_skey);
+- return gpg_error_from_syserror ();
++ goto leave;
+ }
+
+ gcry_sexp_sprint (s_skey, GCRYSEXP_FMT_CANON, keydata, keydatalen);
+ gcry_sexp_release (s_skey);
+ keydatalen--; /* Decrement for last '\0'. */
+ /* Add timestamp "created-at" in the private key */
+- timestamp = isotime2epoch (timestamp_str);
+ snprintf (keydata+keydatalen-1, 30, "(10:created-at10:%010lu))", timestamp);
+ keydatalen += 10 + 19 - 1;
+ err = divert_writekey (ctrl, force, serialno, id, keydata, keydatalen);
+ xfree (keydata);
+
++ leave:
+ return leave_cmd (ctx, err);
+ }
+
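Review bot: in the context line `snprintf (keydata+keydatalen-1, 30, "(10:created-at10:%010lu))", timestamp);` the argument is a `time_t` but the conversion is `%lu`. Now that `timestamp` is assigned and validated earlier, cast it to `unsigned long` at the call so the format matches on platforms where the two types differ. The fixed `10:` length prefix and `keydatalen += 10 + 19 - 1` also assume the value always prints as exactly ten digits, which deserves a comment or a range check.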
diff --git a/debian/patches/0016-gpg-Fix-quick-key-generation-with-always-trust.patch b/debian/patches/0016-gpg-Fix-quick-key-generation-with-always-trust.patch
new file mode 100644
index 0000000..e017d1f
--- /dev/null
+++ b/debian/patches/0016-gpg-Fix-quick-key-generation-with-always-trust.patch
@@ -0,0 +1,84 @@
+From: Justus Winter <justus at g10code.com>
+Date: Thu, 2 Mar 2017 14:35:09 +0100
+Subject: gpg: Fix (quick) key generation with --always-trust.
+
+* g10/keygen.c (do_generate_keypair): Only update the ownertrust if we
+do have a trust database.
+* g10/trustdb.c (have_trustdb): New function.
+* g10/trustdb.h (have_trustdb): New prototype.
+* tests/openpgp/quick-key-manipulation.scm: Remove workaround.
+
+GnuPG-bug-id: 2695
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit 4735ab96aa5577d40ba7b3f72d863057198cc6a7)
+---
+ g10/keygen.c | 5 +++--
+ g10/trustdb.c | 10 ++++++++++
+ g10/trustdb.h | 1 +
+ tests/openpgp/quick-key-manipulation.scm | 4 ----
+ 4 files changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/g10/keygen.c b/g10/keygen.c
+index 24cf93c..f044257 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -4791,8 +4791,9 @@ do_generate_keypair (ctrl_t ctrl, struct para_data_s *para,
+ keyid_from_pk (pk, pk->main_keyid);
+ register_trusted_keyid (pk->main_keyid);
+
+- update_ownertrust (pk, ((get_ownertrust (pk) & ~TRUST_MASK)
+- | TRUST_ULTIMATE ));
++ if (have_trustdb ())
++ update_ownertrust (pk, ((get_ownertrust (pk) & ~TRUST_MASK)
++ | TRUST_ULTIMATE ));
+
+ gen_standard_revoke (pk, cache_nonce);
+
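Review bot: when `have_trustdb ()` returns false the `update_ownertrust` call is skipped without any diagnostic, so a key generated under --always-trust is never marked ultimately trusted and the user is not told. Log a warning in an else branch, or make sure the trust database exists before key generation so the guard is unnecessary.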
+diff --git a/g10/trustdb.c b/g10/trustdb.c
+index f4df4c8..7443051 100644
+--- a/g10/trustdb.c
++++ b/g10/trustdb.c
+@@ -511,6 +511,16 @@ init_trustdb (int no_create)
+ }
+
+
++/* Check whether we have a trust database, initializing it if
++ necessary if the trust model is not 'always trust'. Returns true
++ if we do have a usable trust database. */
++int
++have_trustdb (void)
++{
++ return init_trustdb (opt.trust_model == TM_ALWAYS) == 0;
++}
++
++
+ /****************
+ * Recreate the WoT but do not ask for new ownertrusts. Special
+ * feature: In batch mode and without a forced yes, this is only done
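Review bot: `have_trustdb` reads like a pure predicate but calls `init_trustdb`, whose `no_create` argument is 0 whenever the trust model is not TM_ALWAYS, so calling it can create the database. Make the side effect explicit in the comment or the name. The comment's "initializing it if necessary if the trust model is not 'always trust'" would read better as "initializing it if necessary, unless the trust model is 'always trust'".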
+diff --git a/g10/trustdb.h b/g10/trustdb.h
+index 3088063..00be4df 100644
+--- a/g10/trustdb.h
++++ b/g10/trustdb.h
+@@ -128,6 +128,7 @@ int setup_trustdb( int level, const char *dbname );
+ void how_to_fix_the_trustdb (void);
+ const char *trust_model_string (int model);
+ gpg_error_t init_trustdb (int no_create);
++int have_trustdb (void);
+ void tdb_check_trustdb_stale (ctrl_t ctrl);
+ void sync_trustdb( void );
+
+diff --git a/tests/openpgp/quick-key-manipulation.scm b/tests/openpgp/quick-key-manipulation.scm
+index 8ceb035..10f0bfe 100755
+--- a/tests/openpgp/quick-key-manipulation.scm
++++ b/tests/openpgp/quick-key-manipulation.scm
+@@ -21,10 +21,6 @@
+ (load (with-path "time.scm"))
+ (setup-environment)
+
+- ;; XXX because of --always-trust, the trustdb is not created.
+- ;; Therefore, we redefine GPG without --always-trust.
+-(define GPG `(,(tool 'gpg) --no-permission-warning))
+-
+ (define (exact id)
+ (string-append "=" id))
+
diff --git a/debian/patches/0017-gpg-Always-initialize-the-trust-db-when-generating-k.patch b/debian/patches/0017-gpg-Always-initialize-the-trust-db-when-generating-k.patch
new file mode 100644
index 0000000..9352d08
--- /dev/null
+++ b/debian/patches/0017-gpg-Always-initialize-the-trust-db-when-generating-k.patch
@@ -0,0 +1,52 @@
+From: Justus Winter <justus at g10code.com>
+Date: Thu, 2 Mar 2017 16:25:20 +0100
+Subject: gpg: Always initialize the trust db when generating keys.
+
+* g10/gpg.c (main): Always initialize the trust db when generating
+keys.
+* g10/keygen.c (do_generate_keypair): We can now assume that there is
+a trust db.
+--
+It is important to mark keys we create as ultimately trusted.
+
+Fixes-commit: 4735ab96aa5577d40ba7b3f72d863057198cc6a7
+GnuPG-bug-id: 2695
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit 0c4d0620d327e8a2069532a5519afefe867a47d6)
+---
+ g10/gpg.c | 5 +++++
+ g10/keygen.c | 5 ++---
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/g10/gpg.c b/g10/gpg.c
+index 5a880fd..654dcb9 100644
+--- a/g10/gpg.c
++++ b/g10/gpg.c
+@@ -3949,6 +3949,11 @@ main (int argc, char **argv)
+ case aListTrustDB:
+ rc = setup_trustdb (argc? 1:0, trustdb_name);
+ break;
++ case aKeygen:
++ case aFullKeygen:
++ case aQuickKeygen:
++ rc = setup_trustdb (1, trustdb_name);
++ break;
+ default:
+ /* If we are using TM_ALWAYS, we do not need to create the
+ trustdb. */
+diff --git a/g10/keygen.c b/g10/keygen.c
+index f044257..201ebaa 100644
+--- a/g10/keygen.c
++++ b/g10/keygen.c
+@@ -4791,9 +4791,8 @@ do_generate_keypair (ctrl_t ctrl, struct para_data_s *para,
+ keyid_from_pk (pk, pk->main_keyid);
+ register_trusted_keyid (pk->main_keyid);
+
+- if (have_trustdb ())
+- update_ownertrust (pk, ((get_ownertrust (pk) & ~TRUST_MASK)
+- | TRUST_ULTIMATE ));
++ update_ownertrust (pk, ((get_ownertrust (pk) & ~TRUST_MASK)
++ | TRUST_ULTIMATE ));
+
+ gen_standard_revoke (pk, cache_nonce);
+
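Review bot: removing the `if (have_trustdb ())` guard leaves `have_trustdb` without the caller the previous patch added for it, and this patch's diffstat touches only g10/gpg.c and g10/keygen.c, so the function and its prototype stay behind. Drop them here if nothing else uses them. The now unconditional `update_ownertrust` depends on the new `aKeygen`/`aFullKeygen`/`aQuickKeygen` case in gpg.c, and a short comment at the call naming that dependency would help.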
diff --git a/debian/patches/0018-dirmngr-Let-gpgconf-list-return-the-default-keyserve.patch b/debian/patches/0018-dirmngr-Let-gpgconf-list-return-the-default-keyserve.patch
new file mode 100644
index 0000000..5482fa5
--- /dev/null
+++ b/debian/patches/0018-dirmngr-Let-gpgconf-list-return-the-default-keyserve.patch
@@ -0,0 +1,140 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 2 Mar 2017 17:58:00 +0100
+Subject: dirmngr: Let --gpgconf-list return the default keyserver.
+
+* dirmngr/misc.c (get_default_keyserver): New.
+* dirmngr/http.c: Include misc.h
+(http_session_new): Use get_default_keyserver instead of hardwired
+"hkps.pool.sks-keyservers.net".
+* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
+* dirmngr/dirmngr.c (main) <aGPGCongList>: Return default keyserver.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit de6d8313f6df32aaa151bee74e1db269ac1e0fed)
+---
+ dirmngr/dirmngr.c | 8 +++++++-
+ dirmngr/http-ntbtls.c | 6 +++---
+ dirmngr/http.c | 3 ++-
+ dirmngr/misc.c | 23 +++++++++++++++++++++++
+ dirmngr/misc.h | 2 ++
+ 5 files changed, 37 insertions(+), 5 deletions(-)
+
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index 6ab3447..f07b986 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -1447,7 +1447,13 @@ main (int argc, char **argv)
+ es_printf ("ignore-ocsp-servic-url:%lu:\n", flags | GC_OPT_FLAG_NONE);
+
+ es_printf ("use-tor:%lu:\n", flags | GC_OPT_FLAG_NONE);
+- es_printf ("keyserver:%lu:\n", flags | GC_OPT_FLAG_NONE);
++
++ filename_esc = percent_escape (get_default_keyserver (0), NULL);
++ es_printf ("keyserver:%lu:\"%s:\n", flags | GC_OPT_FLAG_DEFAULT,
++ filename_esc);
++ xfree (filename_esc);
++
++
+ es_printf ("nameserver:%lu:\n", flags | GC_OPT_FLAG_NONE);
+ es_printf ("resolver-timeout:%lu:%u\n",
+ flags | GC_OPT_FLAG_DEFAULT, 0);
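Review bot: the escaped keyserver URL is stored in `filename_esc`, a name that no longer describes its content; use a dedicated variable or a neutral name. The format string `"keyserver:%lu:\"%s:\n"` opens a double quote that is never closed, which deserves a one-line comment if it is the intended gpgconf string syntax. The hunk also adds two consecutive blank lines where one is enough.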
+diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
+index 00d6a58..d44b779 100644
+--- a/dirmngr/http-ntbtls.c
++++ b/dirmngr/http-ntbtls.c
+@@ -26,12 +26,12 @@
+ #include "dirmngr.h"
+ #include "certcache.h"
+ #include "validate.h"
++#include "misc.h"
+
+ #ifdef HTTP_USE_NTBTLS
+ # include <ntbtls.h>
+
+
+-
+ /* The callback used to verify the peer's certificate. */
+ gpg_error_t
+ gnupg_http_tls_verify_cb (void *opaque,
+@@ -77,11 +77,11 @@ gnupg_http_tls_verify_cb (void *opaque,
+
+ validate_flags = VALIDATE_FLAG_TLS;
+
+- /* Are we using the standard hkps:// pool use the dedicated
++ /* If we are using the standard hkps:// pool use the dedicated
+ * root certificate. */
+ hostname = ntbtls_get_hostname (tls);
+ if (hostname
+- && !ascii_strcasecmp (hostname, "hkps.pool.sks-keyservers.net"))
++ && !ascii_strcasecmp (hostname, get_default_keyserver (1)))
+ {
+ validate_flags |= VALIDATE_FLAG_TRUST_HKPSPOOL;
+ }
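Review bot: `VALIDATE_FLAG_TRUST_HKPSPOOL` is now granted to whatever host `get_default_keyserver (1)` returns instead of the literal "hkps.pool.sks-keyservers.net", so a build that changes the default keyserver would apply the dedicated pool root certificate to a different host. Keep the pool hostname as its own constant for this trust decision, or document that the default keyserver and the pool CA must always be changed together.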
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index 890f5f6..fc82924 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -100,6 +100,7 @@
+ #include "i18n.h"
+ #include "dns-stuff.h"
+ #include "http.h"
++#include "misc.h"
+
+
+ #ifdef USE_NPTH
+@@ -726,7 +727,7 @@ http_session_new (http_session_t *r_session,
+
+ is_hkps_pool = (intended_hostname
+ && !ascii_strcasecmp (intended_hostname,
+- "hkps.pool.sks-keyservers.net"));
++ get_default_keyserver (1)));
+
+ /* If the user has not specified a CA list, and they are looking
+ * for the hkps pool from sks-keyservers.net, then default to
+diff --git a/dirmngr/misc.c b/dirmngr/misc.c
+index 6d7c963..d2f1c69 100644
+--- a/dirmngr/misc.c
++++ b/dirmngr/misc.c
+@@ -30,6 +30,29 @@
+ #include "util.h"
+ #include "misc.h"
+
++/* Return a static string with the default keyserver. If NAME_ONLY is
++ * given only the name part is returned. */
++const char *
++get_default_keyserver (int name_only)
++{
++ static const char *result;
++
++ if (!name_only)
++ return DIRMNGR_DEFAULT_KEYSERVER;
++
++ if (!result)
++ {
++ /* Strip the scheme from the constant. */
++ result = strstr (DIRMNGR_DEFAULT_KEYSERVER, "://");
++ log_assert (result && strlen (result) > 3);
++ result += 3;
++ /* Assert that there is no port given. */
++ log_assert (strchr (result, ':'));
++ }
++ return result;
++}
++
++
+
+ /* Convert the hex encoded STRING back into binary and store the
+ result into the provided buffer RESULT. The actual size of that
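Review bot: in `get_default_keyserver` the comment says "Assert that there is no port given." but the code is `log_assert (strchr (result, ':'));`, which asserts that a colon is present. For a default of the form scheme://host this fails on the first call with NAME_ONLY set. It should read `log_assert (!strchr (result, ':'));`.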
+diff --git a/dirmngr/misc.h b/dirmngr/misc.h
+index be4049e..f25574f 100644
+--- a/dirmngr/misc.h
++++ b/dirmngr/misc.h
+@@ -21,6 +21,8 @@
+ #ifndef MISC_H
+ #define MISC_H
+
++const char *get_default_keyserver (int name_only);
++
+ /* Convert hex encoded string back to binary. */
+ size_t unhexify (unsigned char *result, const char *string);
+
diff --git a/debian/patches/0019-dirmngr-Rearrange-files-to-fix-de6d831.patch b/debian/patches/0019-dirmngr-Rearrange-files-to-fix-de6d831.patch
new file mode 100644
index 0000000..3167d6b
--- /dev/null
+++ b/debian/patches/0019-dirmngr-Rearrange-files-to-fix-de6d831.patch
@@ -0,0 +1,233 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 2 Mar 2017 18:17:58 +0100
+Subject: dirmngr: Rearrange files to fix de6d831.
+
+* dirmngr/http-common.c: New.
+* dirmngr/http-common.h: New.
+* dirmngr/Makefile.am (dirmngr_SOURCES): Add them.
+(t_http_SOURCES): Add them.
+(t_ldap_parse_uri_SOURCES): Add them.
+* dirmngr/misc.c (get_default_keyserver): Move to ...
+* dirmngr/http-common.c: here.
+* dirmngr/http.c: Include http-common.h instead of misc.h.
+* dirmngr/http-ntbtls.c: Ditto.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 1890896fe698c55d15160a53aa6c5c22dc424031)
+---
+ dirmngr/Makefile.am | 7 +++----
+ dirmngr/dirmngr.c | 1 +
+ dirmngr/http-common.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ dirmngr/http-common.h | 25 +++++++++++++++++++++++++
+ dirmngr/http-ntbtls.c | 2 +-
+ dirmngr/http.c | 2 +-
+ dirmngr/misc.c | 23 -----------------------
+ dirmngr/misc.h | 2 --
+ 8 files changed, 81 insertions(+), 31 deletions(-)
+ create mode 100644 dirmngr/http-common.c
+ create mode 100644 dirmngr/http-common.h
+
+diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
+index 8d22cc4..93880f8 100644
+--- a/dirmngr/Makefile.am
++++ b/dirmngr/Makefile.am
+@@ -61,8 +61,7 @@ dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c \
+ cdb.h cdblib.c misc.c dirmngr-err.h \
+ ocsp.c ocsp.h validate.c validate.h \
+ dns-stuff.c dns-stuff.h \
+- http.c http.h \
+- http-ntbtls.c \
++ http.c http.h http-common.c http-common.h http-ntbtls.c \
+ ks-action.c ks-action.h ks-engine.h \
+ ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c
+
+@@ -141,7 +140,7 @@ endif
+ # http tests
+ # We need to add the KSBA flags in case we are building against GNUTLS.
+ # In that case NTBTLS flags are empty, but we need ksba anyway.
+-t_http_SOURCES = $(t_common_src) t-http.c http.c dns-stuff.c
++t_http_SOURCES = $(t_common_src) t-http.c http.c dns-stuff.c http-common.c
+ t_http_CFLAGS = -DWITHOUT_NPTH=1 $(USE_C99_CFLAGS) \
+ $(LIBGCRYPT_CFLAGS) $(NTBTLS_CFLAGS) $(LIBGNUTLS_CFLAGS) \
+ $(GPG_ERROR_CFLAGS) $(KSBA_CFLAGS)
+@@ -150,7 +149,7 @@ t_http_LDADD = $(t_common_ldadd) \
+
+ t_ldap_parse_uri_SOURCES = \
+ t-ldap-parse-uri.c ldap-parse-uri.c ldap-parse-uri.h \
+- http.c dns-stuff.c \
++ http.c http-common.c dns-stuff.c \
+ $(ldap_url) $(t_common_src)
+ t_ldap_parse_uri_CFLAGS = -DWITHOUT_NPTH=1 $(USE_C99_CFLAGS) \
+ $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS)
+diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
+index f07b986..bab0ac5 100644
+--- a/dirmngr/dirmngr.c
++++ b/dirmngr/dirmngr.c
+@@ -72,6 +72,7 @@
+ #include "../common/init.h"
+ #include "gc-opt-flags.h"
+ #include "dns-stuff.h"
++#include "http-common.h"
+
+ #ifndef ENAMETOOLONG
+ # define ENAMETOOLONG EINVAL
+diff --git a/dirmngr/http-common.c b/dirmngr/http-common.c
+new file mode 100644
+index 0000000..6013669
+--- /dev/null
++++ b/dirmngr/http-common.c
+@@ -0,0 +1,50 @@
++/* http-common.c - Common support for TLS implementations.
++ * Copyright (C) 2017 Werner Koch
++ *
++ * This file is part of GnuPG.
++ *
++ * GnuPG is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuPG is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, see <https://www.gnu.org/licenses/>.
++ */
++
++#include <config.h>
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++
++#include "dirmngr.h"
++#include "http-common.h"
++
++
++/* Return a static string with the default keyserver. If NAME_ONLY is
++ * given only the name part is returned. */
++const char *
++get_default_keyserver (int name_only)
++{
++ static const char *result;
++
++ if (!name_only)
++ return DIRMNGR_DEFAULT_KEYSERVER;
++
++ if (!result)
++ {
++ /* Strip the scheme from the constant. */
++ result = strstr (DIRMNGR_DEFAULT_KEYSERVER, "://");
++ log_assert (result && strlen (result) > 3);
++ result += 3;
++ /* Assert that there is no port given. */
++ log_assert (strchr (result, ':'));
++ }
++ return result;
++}
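Review bot: `get_default_keyserver` is moved into http-common.c verbatim, including `log_assert (strchr (result, ':'));` under the comment "Assert that there is no port given."; since this commit is presented as a fix-up for de6d831, negate the condition here as well. `<stdio.h>` and `<stdlib.h>` are included, but nothing in the file as shown needs them.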
+diff --git a/dirmngr/http-common.h b/dirmngr/http-common.h
+new file mode 100644
+index 0000000..5e6657b
+--- /dev/null
++++ b/dirmngr/http-common.h
+@@ -0,0 +1,25 @@
++/* http-common.h - Defs for common support for TLS implementations.
++ * Copyright (C) 2017 Werner Koch
++ *
++ * This file is part of GnuPG.
++ *
++ * GnuPG is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GnuPG is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, see <https://www.gnu.org/licenses/>.
++ */
++
++#ifndef HTTP_COMMON_H
++#define HTTP_COMMON_H
++
++const char *get_default_keyserver (int name_only);
++
++#endif /* HTTP_COMMON_H */
+diff --git a/dirmngr/http-ntbtls.c b/dirmngr/http-ntbtls.c
+index d44b779..250db55 100644
+--- a/dirmngr/http-ntbtls.c
++++ b/dirmngr/http-ntbtls.c
+@@ -26,7 +26,7 @@
+ #include "dirmngr.h"
+ #include "certcache.h"
+ #include "validate.h"
+-#include "misc.h"
++#include "http-common.h"
+
+ #ifdef HTTP_USE_NTBTLS
+ # include <ntbtls.h>
+diff --git a/dirmngr/http.c b/dirmngr/http.c
+index fc82924..0f11af7 100644
+--- a/dirmngr/http.c
++++ b/dirmngr/http.c
+@@ -100,7 +100,7 @@
+ #include "i18n.h"
+ #include "dns-stuff.h"
+ #include "http.h"
+-#include "misc.h"
++#include "http-common.h"
+
+
+ #ifdef USE_NPTH
+diff --git a/dirmngr/misc.c b/dirmngr/misc.c
+index d2f1c69..6d7c963 100644
+--- a/dirmngr/misc.c
++++ b/dirmngr/misc.c
+@@ -30,29 +30,6 @@
+ #include "util.h"
+ #include "misc.h"
+
+-/* Return a static string with the default keyserver. If NAME_ONLY is
+- * given only the name part is returned. */
+-const char *
+-get_default_keyserver (int name_only)
+-{
+- static const char *result;
+-
+- if (!name_only)
+- return DIRMNGR_DEFAULT_KEYSERVER;
+-
+- if (!result)
+- {
+- /* Strip the scheme from the constant. */
+- result = strstr (DIRMNGR_DEFAULT_KEYSERVER, "://");
+- log_assert (result && strlen (result) > 3);
+- result += 3;
+- /* Assert that there is no port given. */
+- log_assert (strchr (result, ':'));
+- }
+- return result;
+-}
+-
+-
+
+ /* Convert the hex encoded STRING back into binary and store the
+ result into the provided buffer RESULT. The actual size of that
+diff --git a/dirmngr/misc.h b/dirmngr/misc.h
+index f25574f..be4049e 100644
+--- a/dirmngr/misc.h
++++ b/dirmngr/misc.h
+@@ -21,8 +21,6 @@
+ #ifndef MISC_H
+ #define MISC_H
+
+-const char *get_default_keyserver (int name_only);
+-
+ /* Convert hex encoded string back to binary. */
+ size_t unhexify (unsigned char *result, const char *string);
+
diff --git a/debian/patches/0020-tools-Fix-compile-error-with-older-gcc-versions.patch b/debian/patches/0020-tools-Fix-compile-error-with-older-gcc-versions.patch
new file mode 100644
index 0000000..80ccf35
--- /dev/null
+++ b/debian/patches/0020-tools-Fix-compile-error-with-older-gcc-versions.patch
@@ -0,0 +1,39 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Thu, 2 Mar 2017 20:07:12 +0100
+Subject: tools: Fix compile error with older gcc versions.
+
+* tools/mime-parser.h: Include rfc822parse.h.
+(struct rfc822parse_context): Remove duplicate definition.
+--
+
+GnuPG-bug-id: 2851
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit b1f48da02b474e985161aa2778d7b602a13c4292)
+---
+ tools/mime-parser.h | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+diff --git a/tools/mime-parser.h b/tools/mime-parser.h
+index b9bb465..5dc0492 100644
+--- a/tools/mime-parser.h
++++ b/tools/mime-parser.h
+@@ -20,6 +20,8 @@
+ #ifndef GNUPG_MIME_PARSER_H
+ #define GNUPG_MIME_PARSER_H
+
++#include "rfc822parse.h"
++
+ struct mime_parser_context_s;
+ typedef struct mime_parser_context_s *mime_parser_t;
+
+@@ -50,10 +52,6 @@ void mime_parser_set_collect_signature (mime_parser_t ctx,
+ gpg_error_t mime_parser_parse (mime_parser_t ctx, estream_t fp);
+
+
+-/* Duplicated declaration of the RFC822 parser context. */
+-struct rfc822parse_context;
+-typedef struct rfc822parse_context *rfc822parse_t;
+-
+ rfc822parse_t mime_parser_rfc822parser (mime_parser_t ctx);
+
+
diff --git a/debian/patches/0021-gpg-Add-new-variables-to-the-import-and-export-filte.patch b/debian/patches/0021-gpg-Add-new-variables-to-the-import-and-export-filte.patch
new file mode 100644
index 0000000..3babde1
--- /dev/null
+++ b/debian/patches/0021-gpg-Add-new-variables-to-the-import-and-export-filte.patch
@@ -0,0 +1,140 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Fri, 3 Mar 2017 09:22:40 +0100
+Subject: gpg: Add new variables to the import and export filters.
+
+* g10/import.c (impex_filter_getval): Add new variables "expired",
+"revoked", and "disabled".
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 1813f3be23bdab5a42070424c47cb8daa9d9e6b7)
+---
+ doc/gpg.texi | 15 +++++++++++++--
+ g10/export.c | 2 +-
+ g10/import.c | 41 ++++++++++++++++++++++++++++++++++-------
+ 3 files changed, 48 insertions(+), 10 deletions(-)
+
+diff --git a/doc/gpg.texi b/doc/gpg.texi
+index 20a2d12..55482b1 100644
+--- a/doc/gpg.texi
++++ b/doc/gpg.texi
+@@ -2359,14 +2359,25 @@ The available properties are:
+ @item primary
+ Boolean indicating whether the user id is the primary one. (keep-uid)
+
++ @item expired
++ Boolean indicating whether a user id (keep-uid), a key (drop-subkey), or a
++ signature (drop-sig) expired.
++
++ @item revoked
++ Boolean indicating whether a user id (keep-uid) or a key (drop-subkey) has
++ been revoked.
++
++ @item disabled
++ Boolean indicating whether a primary key is disabled. (not used)
++
+ @item secret
+ Boolean indicating whether a key or subkey is a secret one.
+- drop-subkey)
++ (drop-subkey)
+
+ @item sig_created
+ @itemx sig_created_d
+ The first is the timestamp a signature packet was created. The
+- second is the same but given as an ISO string,
++ second is the same but given as an ISO date string,
+ e.g. "2016-08-17". (drop-sig)
+
+ @item sig_algo
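Review bot: The new `@item disabled` entry is annotated "(not used)", which does not tell a reader which filter, if any, may reference it, whereas every other entry names its filter (keep-uid, drop-subkey, drop-sig). The import.c part of this patch does return a value for "disabled" on key packets, so either name the filter where the property is evaluated or say explicitly that it is reserved and currently has no effect in any filter expression.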
+diff --git a/g10/export.c b/g10/export.c
+index 4138261..323bf17 100644
+--- a/g10/export.c
++++ b/g10/export.c
+@@ -1377,7 +1377,7 @@ apply_drop_subkey_filter (kbnode_t keyblock, recsel_expr_t selector)
+ {
+ if (recsel_select (selector, impex_filter_getval, node))
+ {
+- log_debug ("drop-subkey: deleting a key\n");
++ /*log_debug ("drop-subkey: deleting a key\n");*/
+ /* The subkey packet and all following packets up to the
+ * next subkey. */
+ delete_kbnode (node);
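Review bot: In apply_drop_subkey_filter the `log_debug` call is commented out rather than removed, which leaves dead code in the tree. Either delete the line or keep it behind a debug-level check, so that a silent subkey deletion can still be traced when someone needs to audit what a drop-subkey filter removed.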
+diff --git a/g10/import.c b/g10/import.c
+index 45ec07a..9fd16c8 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -1164,7 +1164,7 @@ check_prefs (ctrl_t ctrl, kbnode_t keyblock)
+ }
+
+
+-/* Helper for apply_*_filter in im,port.c and export.c. */
++/* Helper for apply_*_filter in import.c and export.c. */
+ const char *
+ impex_filter_getval (void *cookie, const char *propname)
+ {
+@@ -1175,19 +1175,30 @@ impex_filter_getval (void *cookie, const char *propname)
+
+ if (node->pkt->pkttype == PKT_USER_ID)
+ {
++ PKT_user_id *uid = node->pkt->pkt.user_id;
++
+ if (!strcmp (propname, "uid"))
+- result = node->pkt->pkt.user_id->name;
++ result = uid->name;
+ else if (!strcmp (propname, "mbox"))
+ {
+- if (!node->pkt->pkt.user_id->mbox)
++ if (!uid->mbox)
+ {
+- node->pkt->pkt.user_id->mbox
+- = mailbox_from_userid (node->pkt->pkt.user_id->name);
++ uid->mbox = mailbox_from_userid (uid->name);
+ }
+- result = node->pkt->pkt.user_id->mbox;
++ result = uid->mbox;
+ }
+ else if (!strcmp (propname, "primary"))
+- result = node->pkt->pkt.user_id->is_primary? "1":"0";
++ {
++ result = uid->is_primary? "1":"0";
++ }
++ else if (!strcmp (propname, "expired"))
++ {
++ result = uid->is_expired? "1":"0";
++ }
++ else if (!strcmp (propname, "revoked"))
++ {
++ result = uid->is_revoked? "1":"0";
++ }
+ else
+ result = NULL;
+ }
+@@ -1215,6 +1226,10 @@ impex_filter_getval (void *cookie, const char *propname)
+ snprintf (numbuf, sizeof numbuf, "%d", sig->digest_algo);
+ result = numbuf;
+ }
++ else if (!strcmp (propname, "expired"))
++ {
++ result = sig->flags.expired? "1":"0";
++ }
+ else
+ result = NULL;
+ }
+@@ -1244,6 +1259,18 @@ impex_filter_getval (void *cookie, const char *propname)
+ {
+ result = datestr_from_pk (pk);
+ }
++ else if (!strcmp (propname, "expired"))
++ {
++ result = pk->has_expired? "1":"0";
++ }
++ else if (!strcmp (propname, "revoked"))
++ {
++ result = pk->flags.revoked? "1":"0";
++ }
++ else if (!strcmp (propname, "disabled"))
++ {
++ result = pk_is_disabled (pk)? "1":"0";
++ }
+ else
+ result = NULL;
+ }
diff --git a/debian/patches/0022-gpg-Fix-possible-segv-when-attribute-packets-are-fil.patch b/debian/patches/0022-gpg-Fix-possible-segv-when-attribute-packets-are-fil.patch
new file mode 100644
index 0000000..1fbfd97
--- /dev/null
+++ b/debian/patches/0022-gpg-Fix-possible-segv-when-attribute-packets-are-fil.patch
@@ -0,0 +1,58 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Fri, 3 Mar 2017 09:50:40 +0100
+Subject: gpg: Fix possible segv when attribute packets are filtered.
+
+* g10/import.c (impex_filter_getval): Handle PKT_ATTRIBUTE the same as
+PKT_USER_ID
+(apply_drop_sig_filter): Ditto.
+--
+
+The old code was plainly wrong in that it considered PKT_ATTRIBUTE to
+use a PKT_signature object.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 5f6f3f5cae8a95ed469129f9677782c17951dab3)
+---
+ g10/import.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/g10/import.c b/g10/import.c
+index 9fd16c8..6383d70 100644
+--- a/g10/import.c
++++ b/g10/import.c
+@@ -1173,7 +1173,8 @@ impex_filter_getval (void *cookie, const char *propname)
+ static char numbuf[20];
+ const char *result;
+
+- if (node->pkt->pkttype == PKT_USER_ID)
++ if (node->pkt->pkttype == PKT_USER_ID
++ || node->pkt->pkttype == PKT_ATTRIBUTE)
+ {
+ PKT_user_id *uid = node->pkt->pkt.user_id;
+
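Review bot: Routing PKT_ATTRIBUTE into the PKT_USER_ID branch of impex_filter_getval means the "uid" and "mbox" properties are now evaluated for attribute packets as well, and "mbox" is derived by calling mailbox_from_userid on `uid->name`. A short comment stating what `name` holds for an attribute packet would make clear what a keep-uid expression matches in that case. The commit fixes a crash caused by treating the packet as a PKT_signature, yet it carries no regression test; a test that runs an import filter over a key with an attribute packet would keep this from coming back.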
+@@ -1202,8 +1203,7 @@ impex_filter_getval (void *cookie, const char *propname)
+ else
+ result = NULL;
+ }
+- else if (node->pkt->pkttype == PKT_SIGNATURE
+- || node->pkt->pkttype == PKT_ATTRIBUTE)
++ else if (node->pkt->pkttype == PKT_SIGNATURE)
+ {
+ PKT_signature *sig = node->pkt->pkt.signature;
+
+@@ -1340,12 +1340,12 @@ apply_drop_sig_filter (kbnode_t keyblock, recsel_expr_t selector)
+ if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY
+ || node->pkt->pkttype == PKT_SECRET_SUBKEY)
+ break; /* ready. */
+- if (node->pkt->pkttype == PKT_USER_ID)
++ if (node->pkt->pkttype == PKT_USER_ID
++ || node->pkt->pkttype == PKT_ATTRIBUTE)
+ active = 1;
+ if (!active)
+ continue;
+- if (node->pkt->pkttype != PKT_SIGNATURE
+- && node->pkt->pkttype != PKT_ATTRIBUTE)
++ if (node->pkt->pkttype != PKT_SIGNATURE)
+ continue;
+
+ sig = node->pkt->pkt.signature;
diff --git a/debian/patches/0023-scd-Fix-scd_kick_the_loop.patch b/debian/patches/0023-scd-Fix-scd_kick_the_loop.patch
new file mode 100644
index 0000000..2df4176
--- /dev/null
+++ b/debian/patches/0023-scd-Fix-scd_kick_the_loop.patch
@@ -0,0 +1,193 @@
+From: NIIBE Yutaka <gniibe at fsij.org>
+Date: Fri, 3 Mar 2017 20:30:56 +0900
+Subject: scd: Fix scd_kick_the_loop.
+
+* scd/scdaemon.c (notify_fd): Remove.
+(the_event) [W32]: New.
+(main_thread_pid) [!W32]: New.
+(handle_signal): Handle SIGCONT.
+(scd_kick_the_loop): Use signal on UNIX and event on Windows.
+(handle_connections): Likewise.
+--
+
+Code with CreateEvent is copied from gpg-agent.c.
+Code for signal is copied from dkg's gpg-agent-idling in Debian.
+
+GnuPG-bug-id: 2982
+Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
+(cherry picked from commit f9acc7d18bb90f47dafe7e32ae92f567756d6b12)
+---
+ scd/scdaemon.c | 87 +++++++++++++++++++++++++++++++++++++---------------------
+ 1 file changed, 56 insertions(+), 31 deletions(-)
+
+diff --git a/scd/scdaemon.c b/scd/scdaemon.c
+index f7e9f83..4b63c9b 100644
+--- a/scd/scdaemon.c
++++ b/scd/scdaemon.c
+@@ -224,8 +224,12 @@ static char *redir_socket_name;
+ POSIX systems). */
+ static assuan_sock_nonce_t socket_nonce;
+
+-/* FD to notify update of usb devices. */
+-static int notify_fd;
++#ifdef HAVE_W32_SYSTEM
++static HANDLE the_event;
++#else
++/* PID to notify update of usb devices. */
++static pid_t main_thread_pid;
++#endif
+
+ static char *create_socket_name (char *standard_name);
+ static gnupg_fd_t create_server_socket (const char *name,
+@@ -996,6 +1000,10 @@ handle_signal (int signo)
+ log_info ("SIGUSR2 received - no action defined\n");
+ break;
+
++ case SIGCONT:
++ /* Nothing. */
++ break;
++
+ case SIGTERM:
+ if (!shutdown_pending)
+ log_info ("SIGTERM received - shutting down ...\n");
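Review bot: The new `case SIGCONT:` in handle_signal is documented only as "Nothing.", which hides why the signal is registered at all. Say in the comment that SIGCONT is what scd_kick_the_loop sends to wake the select loop, and that the wakeup itself is the whole effect. Since SIGCONT can also arrive from job control or any other sender, it is worth noting that a spurious wakeup is expected to be harmless.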
+@@ -1185,8 +1193,17 @@ scd_kick_the_loop (void)
+ int ret;
+
+ /* Kick the select loop. */
+- ret = write (notify_fd, "", 1);
+- (void)ret;
++#ifdef HAVE_W32_SYSTEM
++ ret = SetEvent (the_event);
++ if (ret == 0)
++ log_error ("SetEvent for scd_kick_the_loop failed: %s\n",
++ w32_strerror (-1));
++#else
++ ret = kill (main_thread_pid, SIGCONT);
++ if (ret < 0)
++ log_error ("SetEvent for scd_kick_the_loop failed: %s\n",
++ gpg_strerror (gpg_error_from_syserror ()));
++#endif
+ }
+
+ /* Connection handler loop. Wait for connection requests and spawn a
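Review bot: In the non-Windows branch of scd_kick_the_loop the failure of `kill (main_thread_pid, SIGCONT)` is logged as "SetEvent for scd_kick_the_loop failed", a message copied from the Windows branch; it should name kill so that a log reader is not sent looking for an event object on a POSIX system. Also, `main_thread_pid` is assigned from `getpid ()` later in this patch, so it is the process id and the signal is delivered to the process rather than to a particular thread; a name like main_pid, or a comment saying so, would avoid the wrong impression.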
+@@ -1206,18 +1223,12 @@ handle_connections (int listen_fd)
+ struct timespec timeout;
+ struct timespec *t;
+ int saved_errno;
+-#ifndef HAVE_W32_SYSTEM
++#ifdef HAVE_W32_SYSTEM
++ HANDLE events[2];
++ unsigned int events_set;
++#else
+ int signo;
+ #endif
+- int pipe_fd[2];
+-
+- ret = gnupg_create_pipe (pipe_fd);
+- if (ret)
+- {
+- log_error ("pipe creation failed: %s\n", gpg_strerror (ret));
+- return;
+- }
+- notify_fd = pipe_fd[1];
+
+ ret = npth_attr_init(&tattr);
+ if (ret)
+@@ -1228,14 +1239,40 @@ handle_connections (int listen_fd)
+
+ npth_attr_setdetachstate (&tattr, NPTH_CREATE_DETACHED);
+
+-#ifndef HAVE_W32_SYSTEM
++#ifdef HAVE_W32_SYSTEM
++ {
++ HANDLE h, h2;
++ SECURITY_ATTRIBUTES sa = { sizeof (SECURITY_ATTRIBUTES), NULL, TRUE};
++
++ events[0] = the_event = INVALID_HANDLE_VALUE;
++ events[1] = INVALID_HANDLE_VALUE;
++ h = CreateEvent (&sa, TRUE, FALSE, NULL);
++ if (!h)
++ log_error ("can't create scd event: %s\n", w32_strerror (-1) );
++ else if (!DuplicateHandle (GetCurrentProcess(), h,
++ GetCurrentProcess(), &h2,
++ EVENT_MODIFY_STATE|SYNCHRONIZE, TRUE, 0))
++ {
++ log_error ("setting synchronize for scd_kick_the_loop failed: %s\n",
++ w32_strerror (-1) );
++ CloseHandle (h);
++ }
++ else
++ {
++ CloseHandle (h);
++ events[0] = the_event = h2;
++ }
++ }
++#else
+ npth_sigev_init ();
+ npth_sigev_add (SIGHUP);
+ npth_sigev_add (SIGUSR1);
+ npth_sigev_add (SIGUSR2);
+ npth_sigev_add (SIGINT);
++ npth_sigev_add (SIGCONT);
+ npth_sigev_add (SIGTERM);
+ npth_sigev_fini ();
++ main_thread_pid = getpid ();
+ #endif
+
+ FD_ZERO (&fdset);
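Review bot: In the HAVE_W32_SYSTEM block the event is created with `SECURITY_ATTRIBUTES sa = { ..., NULL, TRUE}` and then duplicated with bInheritHandle set to TRUE, so the handle that can wake the main loop is inheritable by any child process started with handle inheritance. If no child needs to signal this event, pass FALSE in both places. Separately, when CreateEvent or DuplicateHandle fails, `the_event` stays INVALID_HANDLE_VALUE and scd_kick_the_loop still calls SetEvent on it unconditionally, which will log an error on every kick; check for the invalid handle there or treat the setup failure as fatal.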
+@@ -1246,10 +1283,6 @@ handle_connections (int listen_fd)
+ nfd = listen_fd;
+ }
+
+- FD_SET (pipe_fd[0], &fdset);
+- if (nfd < pipe_fd[0])
+- nfd = pipe_fd[0];
+-
+ for (;;)
+ {
+ int periodical_check;
+@@ -1264,8 +1297,6 @@ handle_connections (int listen_fd)
+ file descriptors to wait for, so that the select will be
+ used to just wait on a signal or timeout event. */
+ FD_ZERO (&fdset);
+- FD_SET (pipe_fd[0], &fdset);
+- nfd = pipe_fd[0];
+ listen_fd = -1;
+ }
+
+@@ -1291,8 +1322,11 @@ handle_connections (int listen_fd)
+ while (npth_sigev_get_pending(&signo))
+ handle_signal (signo);
+ #else
+- ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, t, NULL, NULL);
++ ret = npth_eselect (nfd+1, &read_fdset, NULL, NULL, t,
++ events, &events_set);
+ saved_errno = errno;
++ if (events_set & 1)
++ continue;
+ #endif
+
+ if (ret == -1 && saved_errno != EINTR)
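Review bot: In the Windows path `events_set & 1` is tested before the `ret == -1` check, and `events_set` is declared earlier in this patch as `unsigned int events_set;` with no initializer. If npth_eselect can return an error without writing to it, this reads an indeterminate value and may `continue` past the error handling below. Initialize `events_set` to 0 before the call, or test it only after `ret` has been checked.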
+@@ -1307,13 +1341,6 @@ handle_connections (int listen_fd)
+ /* Timeout. Will be handled when calculating the next timeout. */
+ continue;
+
+- if (FD_ISSET (pipe_fd[0], &read_fdset))
+- {
+- char buf[256];
+-
+- ret = read (pipe_fd[0], buf, sizeof buf);
+- }
+-
+ if (listen_fd != -1 && FD_ISSET (listen_fd, &read_fdset))
+ {
+ ctrl_t ctrl;
+@@ -1351,8 +1378,6 @@ handle_connections (int listen_fd)
+ }
+ }
+
+- close (pipe_fd[0]);
+- close (pipe_fd[1]);
+ cleanup ();
+ log_info (_("%s %s stopped\n"), strusage(11), strusage(13));
+ npth_attr_destroy (&tattr);
diff --git a/debian/patches/0024-dirmngr-Fix-commit-de6d8313.patch b/debian/patches/0024-dirmngr-Fix-commit-de6d8313.patch
new file mode 100644
index 0000000..ab0daf3
--- /dev/null
+++ b/debian/patches/0024-dirmngr-Fix-commit-de6d8313.patch
@@ -0,0 +1,27 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Fri, 3 Mar 2017 17:17:08 +0100
+Subject: dirmngr: Fix commit de6d8313
+
+* dirmngr/http-common.c (get_default_keyserver): Fix assert.
+--
+
+Fixes-commit: de6d8313f6df32aaa151bee74e1db269ac1e0fed
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit 67c203b6bf8d6dd489ceef3391f609986e7b7a49)
+---
+ dirmngr/http-common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dirmngr/http-common.c b/dirmngr/http-common.c
+index 6013669..3b6cd44 100644
+--- a/dirmngr/http-common.c
++++ b/dirmngr/http-common.c
+@@ -44,7 +44,7 @@ get_default_keyserver (int name_only)
+ log_assert (result && strlen (result) > 3);
+ result += 3;
+ /* Assert that there is no port given. */
+- log_assert (strchr (result, ':'));
++ log_assert (!strchr (result, ':'));
+ }
+ return result;
+ }
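Review bot: The `log_assert (strchr (result, ':'))` being corrected in get_default_keyserver asserted the opposite of its own comment ("Assert that there is no port given"), so the name_only path would abort whenever the default keyserver string had no port. That this reached a commit suggests nothing exercises get_default_keyserver with name_only set; a small test calling it in both modes would catch an inverted assertion like this before release.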
diff --git a/debian/patches/series b/debian/patches/series
index 0ebaa56..651daa5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,16 @@ gpg-agent-idling/0008-agent-Create-framework-of-scheduled-timers.patch
gpg-agent-idling/0009-agent-Allow-threads-to-interrupt-main-select-loop-wi.patch
gpg-agent-idling/0010-agent-Avoid-tight-timer-tick-when-possible.patch
gpg-agent-idling/0011-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
+0012-common-tools-Always-escape-newlines-when-escaping-da.patch
+0013-tests-Log-information-about-ssh-add-comments-to-test.patch
+0014-g10-Signal-an-error-when-trying-to-revoke-non-exista.patch
+0015-agent-Improve-error-message-for-the-KEYTOCARD-comman.patch
+0016-gpg-Fix-quick-key-generation-with-always-trust.patch
+0017-gpg-Always-initialize-the-trust-db-when-generating-k.patch
+0018-dirmngr-Let-gpgconf-list-return-the-default-keyserve.patch
+0019-dirmngr-Rearrange-files-to-fix-de6d831.patch
+0020-tools-Fix-compile-error-with-older-gcc-versions.patch
+0021-gpg-Add-new-variables-to-the-import-and-export-filte.patch
+0022-gpg-Fix-possible-segv-when-attribute-packets-are-fil.patch
+0023-scd-Fix-scd_kick_the_loop.patch
+0024-dirmngr-Fix-commit-de6d8313.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git