[Pkg-gnupg-commit] [gnupg2] 02/06: more patches from upstream
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Tue Mar 21 16:47:05 UTC 2017
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch experimental
in repository gnupg2.
commit a35fa6087766d1fb28aa257785939a3f45e690b3
Author: Daniel Kahn Gillmor <dkg at fifthhorseman.net>
Date: Mon Mar 20 14:05:25 2017 -0400
more patches from upstream
---
.../0064-tests-Add-test-for-issue-2959.patch | 24 ++
debian/patches/0065-gpg-Remove-unused-stuff.patch | 46 +++
...-Add-new-field-no-18-to-the-colon-listing.patch | 355 +++++++++++++++++++++
...-if-we-cannot-create-the-socket-directory.patch | 45 +++
.../0068-tests-Remove-debugging-remnants.patch | 22 ++
debian/patches/series | 5 +
6 files changed, 497 insertions(+)
diff --git a/debian/patches/0064-tests-Add-test-for-issue-2959.patch b/debian/patches/0064-tests-Add-test-for-issue-2959.patch
new file mode 100644
index 0000000..c424580
--- /dev/null
+++ b/debian/patches/0064-tests-Add-test-for-issue-2959.patch
@@ -0,0 +1,24 @@
+From: "Neal H. Walfield" <neal at g10code.com>
+Date: Fri, 17 Mar 2017 19:31:09 +0100
+Subject: tests: Add test for issue 2959.
+
+* tests/openpgp/tofu.scm: Add test for --tofu-default-policy=ask.
+
+Signed-off-by: Neal H. Walfield <neal at g10code.com>
+(cherry picked from commit fb9d68d636490ca88925051f48b08963c324aed1)
+---
+ tests/openpgp/tofu.scm | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/openpgp/tofu.scm b/tests/openpgp/tofu.scm
+index f4eab41..aeeef07 100755
+--- a/tests/openpgp/tofu.scm
++++ b/tests/openpgp/tofu.scm
+@@ -120,6 +120,7 @@
+ (checktrust "1C005AF3" "f" '--tofu-default-policy=good)
+ (checktrust "1C005AF3" "-" '--tofu-default-policy=unknown)
+ (checktrust "1C005AF3" "n" '--tofu-default-policy=bad)
++(checktrust "1C005AF3" "q" '--tofu-default-policy=ask)
+
+ ;; Change the policy to something other than auto and make sure the
+ ;; policy and the trust are correct.
diff --git a/debian/patches/0065-gpg-Remove-unused-stuff.patch b/debian/patches/0065-gpg-Remove-unused-stuff.patch
new file mode 100644
index 0000000..7d02bb7
--- /dev/null
+++ b/debian/patches/0065-gpg-Remove-unused-stuff.patch
@@ -0,0 +1,46 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 20 Mar 2017 08:38:54 +0100
+Subject: gpg: Remove unused stuff.
+
+* g10/OPTIONS: Remove.
+* g10/options.h (struct opt): Remove 'shm_coprocess'.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit e2c63a13e2fa4ce39af8471a34c06d73ff3ee6f6)
+---
+ doc/HACKING | 4 ++--
+ g10/options.h | 1 -
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/doc/HACKING b/doc/HACKING
+index e717479..fc0c3f4 100644
+--- a/doc/HACKING
++++ b/doc/HACKING
+@@ -168,13 +168,13 @@ Note that such a comment will be removed if the git commit option
+ that the freed variable is not anymore used, explicitly set the
+ variable to NULL.
+ - New code shall in general use xtrymalloc or xtrycalloc and check
+- for an error (use gpg_error_from_errno()).
++ for an error (use gpg_error_from_syserror()).
+ - Init function local variables only if needed so that the compiler
+ can do a better job in detecting uninitialized variables which may
+ indicate a problem with the code.
+ - Never init static or file local variables to 0 to make sure they
+ end up in BSS.
+- - But extra parenthesis around terms with binary operators to make
++ - Put extra parenthesis around terms with binary operators to make
+ it clear that the binary operator was indeed intended.
+ - Use --enable-maintainer-mode with configure so that all suitable
+ warnings are enabled.
+diff --git a/g10/options.h b/g10/options.h
+index def6385..c634f0f 100644
+--- a/g10/options.h
++++ b/g10/options.h
+@@ -148,7 +148,6 @@ struct
+ {
+ KF_DEFAULT, KF_NONE, KF_SHORT, KF_LONG, KF_0xSHORT, KF_0xLONG
+ } keyid_format;
+- int shm_coprocess;
+ const char *set_filename;
+ strlist_t comments;
+ int throw_keyids;
diff --git a/debian/patches/0066-gpg-Add-new-field-no-18-to-the-colon-listing.patch b/debian/patches/0066-gpg-Add-new-field-no-18-to-the-colon-listing.patch
new file mode 100644
index 0000000..6fa122e
--- /dev/null
+++ b/debian/patches/0066-gpg-Add-new-field-no-18-to-the-colon-listing.patch
@@ -0,0 +1,355 @@
+From: Werner Koch <wk at gnupg.org>
+Date: Mon, 20 Mar 2017 10:09:40 +0100
+Subject: gpg: Add new field no 18 to the colon listing.
+
+* g10/misc.c (gnupg_pk_is_compliant): New.
+* g10/keylist.c (print_compliance_flags): New.
+(list_keyblock_colon): Call it here.
+* sm/keylist.c (print_compliance_flags): New.
+(list_cert_colon): Call it here.
+--
+
+This patch is to convey information about DE_VS compliant keys to the
+caller. The double digit value is used so that parsers do the right
+thing and don't just look for a single digit.
+
+Signed-off-by: Werner Koch <wk at gnupg.org>
+(cherry picked from commit fe0b37e123ded51cc5f4cb5e3547fdfbce37a43e)
+---
+ doc/DETAILS | 9 ++++++
+ g10/keylist.c | 73 ++++++++++++++++++++++++++++++++++--------------
+ g10/main.h | 3 ++
+ g10/misc.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ sm/keylist.c | 18 ++++++++++--
+ 5 files changed, 168 insertions(+), 25 deletions(-)
+
+diff --git a/doc/DETAILS b/doc/DETAILS
+index 8c11872..cfe70e1 100644
+--- a/doc/DETAILS
++++ b/doc/DETAILS
+@@ -218,6 +218,15 @@ described here.
+ For pub, sub, sec, and ssb records this field is used for the ECC
+ curve name.
+
++*** Field 18 - Compliance flags
++
++ Space separated list of asserted compliance modes for this key.
++
++ Valid values are:
++
++ - 8 :: The key is compliant with RFC4880bis
++ - 23 :: The key is compliant with compliance mode "de-vs".
++
+ ** Special fields
+
+ *** PKD - Public key data
+diff --git a/g10/keylist.c b/g10/keylist.c
+index 32cf1e8..b8f32be 100644
+--- a/g10/keylist.c
++++ b/g10/keylist.c
+@@ -1170,6 +1170,29 @@ print_revokers (estream_t fp, PKT_public_key * pk)
+ }
+
+
++/* Print the compliance flags to field 18. PK is the public key.
++ * KEYLENGTH is the length of the key in bits and CURVENAME is either
++ * NULL or the name of the curve. The latter two args are here
++ * merely because the caller has already computed them. */
++static void
++print_compliance_flags (PKT_public_key *pk,
++ unsigned int keylength, const char *curvename)
++{
++ int any = 0;
++
++ if (pk->version == 5)
++ {
++ es_fputs ("8", es_stdout);
++ any++;
++ }
++ if (gnupg_pk_is_compliant (CO_DE_VS, pk, keylength, curvename))
++ {
++ es_fputs (any? " 23":"23", es_stdout);
++ any++;
++ }
++}
++
++
+ /* List a key in colon mode. If SECRET is true this is a secret key
+ record (i.e. requested via --list-secret-key). If HAS_SECRET a
+ secret key is available even if SECRET is not set. */
+@@ -1191,6 +1214,9 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
+ const char *hexgrip = NULL;
+ char *serialno = NULL;
+ int stubkey;
++ unsigned int keylength;
++ char *curve = NULL;
++ const char *curvename = NULL;
+
+ /* Get the keyid from the keyblock. */
+ node = find_kbnode (keyblock, PKT_PUBLIC_KEY);
+@@ -1239,14 +1265,16 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
+ else
+ ownertrust_print = 0;
+
++ keylength = nbits_from_pk (pk);
++
+ es_fputs (secret? "sec:":"pub:", es_stdout);
+ if (trustletter_print)
+ es_putc (trustletter_print, es_stdout);
+ es_fprintf (es_stdout, ":%u:%d:%08lX%08lX:%s:%s::",
+- nbits_from_pk (pk),
+- pk->pubkey_algo,
+- (ulong) keyid[0], (ulong) keyid[1],
+- colon_datestr_from_pk (pk), colon_strtime (pk->expiredate));
++ keylength,
++ pk->pubkey_algo,
++ (ulong) keyid[0], (ulong) keyid[1],
++ colon_datestr_from_pk (pk), colon_strtime (pk->expiredate));
+
+ if (ownertrust_print)
+ es_putc (ownertrust_print, es_stdout);
+@@ -1272,14 +1300,14 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
+ || pk->pubkey_algo == PUBKEY_ALGO_EDDSA
+ || pk->pubkey_algo == PUBKEY_ALGO_ECDH)
+ {
+- char *curve = openpgp_oid_to_str (pk->pkey[0]);
+- const char *name = openpgp_oid_to_curve (curve, 0);
+- if (!name)
+- name = curve;
+- es_fputs (name, es_stdout);
+- xfree (curve);
++ curve = openpgp_oid_to_str (pk->pkey[0]);
++ curvename = openpgp_oid_to_curve (curve, 0);
++ if (!curvename)
++ curvename = curve;
++ es_fputs (curvename, es_stdout);
+ }
+ es_putc (':', es_stdout); /* End of field 17. */
++ print_compliance_flags (pk, keylength, curvename);
+ es_putc (':', es_stdout); /* End of field 18. */
+ es_putc ('\n', es_stdout);
+
+@@ -1380,13 +1408,13 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
+ if (trustletter)
+ es_fprintf (es_stdout, "%c", trustletter);
+ }
++ keylength = nbits_from_pk (pk2);
+ es_fprintf (es_stdout, ":%u:%d:%08lX%08lX:%s:%s:::::",
+- nbits_from_pk (pk2),
+- pk2->pubkey_algo,
+- (ulong) keyid2[0], (ulong) keyid2[1],
+- colon_datestr_from_pk (pk2), colon_strtime (pk2->expiredate)
+- /* fixme: add LID and ownertrust here */
+- );
++ keylength,
++ pk2->pubkey_algo,
++ (ulong) keyid2[0], (ulong) keyid2[1],
++ colon_datestr_from_pk (pk2),
++ colon_strtime (pk2->expiredate));
+ print_capabilities (pk2, NULL);
+ es_putc (':', es_stdout); /* End of field 13. */
+ es_putc (':', es_stdout); /* End of field 14. */
+@@ -1405,14 +1433,16 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
+ || pk2->pubkey_algo == PUBKEY_ALGO_EDDSA
+ || pk2->pubkey_algo == PUBKEY_ALGO_ECDH)
+ {
+- char *curve = openpgp_oid_to_str (pk2->pkey[0]);
+- const char *name = openpgp_oid_to_curve (curve, 0);
+- if (!name)
+- name = curve;
+- es_fputs (name, es_stdout);
+ xfree (curve);
++ curve = openpgp_oid_to_str (pk2->pkey[0]);
++ curvename = openpgp_oid_to_curve (curve, 0);
++ if (!curvename)
++ curvename = curve;
++ es_fputs (curvename, es_stdout);
+ }
+ es_putc (':', es_stdout); /* End of field 17. */
++ print_compliance_flags (pk2, keylength, curvename);
++ es_putc (':', es_stdout); /* End of field 18. */
+ es_putc ('\n', es_stdout);
+ print_fingerprint (NULL, pk2, 0);
+ if (hexgrip)
+@@ -1540,6 +1570,7 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
+ }
+ }
+
++ xfree (curve);
+ xfree (hexgrip_buffer);
+ xfree (serialno);
+ }
+diff --git a/g10/main.h b/g10/main.h
+index f58f041..c9c3454 100644
+--- a/g10/main.h
++++ b/g10/main.h
+@@ -125,6 +125,9 @@ int openpgp_pk_test_algo2 (pubkey_algo_t algo, unsigned int use);
+ int openpgp_pk_algo_usage ( int algo );
+ const char *openpgp_pk_algo_name (pubkey_algo_t algo);
+
++int gnupg_pk_is_compliant (int compliance, PKT_public_key *pk,
++ unsigned int keylength, const char *curvename);
++
+ enum gcry_md_algos map_md_openpgp_to_gcry (digest_algo_t algo);
+ int openpgp_md_test_algo (digest_algo_t algo);
+ const char *openpgp_md_algo_name (int algo);
+diff --git a/g10/misc.c b/g10/misc.c
+index c69f994..0ecdb04 100644
+--- a/g10/misc.c
++++ b/g10/misc.c
+@@ -640,7 +640,7 @@ openpgp_pk_test_algo2 (pubkey_algo_t algo, unsigned int use)
+ if (!ga)
+ return gpg_error (GPG_ERR_PUBKEY_ALGO);
+
+- /* No check whether Libgcrypt has support for the algorithm. */
++ /* Now check whether Libgcrypt has support for the algorithm. */
+ return gcry_pk_algo_info (ga, GCRYCTL_TEST_ALGO, NULL, &use_buf);
+ }
+
+@@ -704,6 +704,94 @@ openpgp_pk_algo_name (pubkey_algo_t algo)
+ }
+
+
++/* Return true if PK is compliant to the give COMPLIANCE mode. If
++ * KEYLENGTH and CURVENAME are not 0/NULL the are assumed to be the
++ * already computed values from PK. */
++int
++gnupg_pk_is_compliant (int compliance, PKT_public_key *pk,
++ unsigned int keylength, const char *curvename)
++{
++ enum { is_rsa, is_pgp5, is_elg_sign, is_ecc } algotype;
++ int result;
++
++ switch (pk->pubkey_algo)
++ {
++ case PUBKEY_ALGO_RSA:
++ case PUBKEY_ALGO_RSA_E:
++ case PUBKEY_ALGO_RSA_S:
++ algotype = is_rsa;
++ break;
++
++ case PUBKEY_ALGO_ELGAMAL_E:
++ case PUBKEY_ALGO_DSA:
++ algotype = is_pgp5;
++ break;
++
++ case PUBKEY_ALGO_ECDH:
++ case PUBKEY_ALGO_ECDSA:
++ case PUBKEY_ALGO_EDDSA:
++ algotype = is_ecc;
++ break;
++
++ case PUBKEY_ALGO_ELGAMAL:
++ algotype = is_elg_sign;
++ break;
++
++ default: /* Unknown. */
++ return 0;
++ }
++
++ if (compliance == CO_DE_VS)
++ {
++ char *curve = NULL;
++
++ switch (algotype)
++ {
++ case is_pgp5:
++ result = 0;
++ break;
++
++ case is_rsa:
++ if (!keylength)
++ keylength = nbits_from_pk (pk);
++ result = (keylength >= 2048);
++ break;
++
++ case is_ecc:
++ if (!curvename)
++ {
++ curve = openpgp_oid_to_str (pk->pkey[0]);
++ curvename = openpgp_oid_to_curve (curve, 0);
++ if (!curvename)
++ curvename = curve;
++ }
++
++ result = (curvename
++ && pk->pubkey_algo != PUBKEY_ALGO_EDDSA
++ && (!strcmp (curvename, "brainpoolP256r1")
++ || !strcmp (curvename, "brainpoolP384r1")
++ || !strcmp (curvename, "brainpoolP512r1")));
++ break;
++
++ default:
++ result = 0;
++ }
++ xfree (curve);
++ }
++ else if (algotype == is_elg_sign)
++ {
++ /* An Elgamal signing key is only RFC-2440 compliant. */
++ result = (compliance == RFC2440);
++ }
++ else
++ {
++ result = 1; /* Assume compliance. */
++ }
++
++ return result;
++}
++
++
+ /* Explicit mapping of OpenPGP digest algos to Libgcrypt. */
+ /* FIXME: We do not yes use it everywhere. */
+ enum gcry_md_algos
+diff --git a/sm/keylist.c b/sm/keylist.c
+index d27d4f4..1b1a261 100644
+--- a/sm/keylist.c
++++ b/sm/keylist.c
+@@ -346,6 +346,14 @@ email_kludge (const char *name)
+ }
+
+
++/* Print the compliance flags to field 18. ALGO is the gcrypt algo
++ * number. NBITS is the length of the key in bits. */
++static void
++print_compliance_flags (int algo, unsigned int nbits, estream_t fp)
++{
++ if (algo == GCRY_PK_RSA && nbits >= 2048)
++ es_fputs ("23", fp);
++}
+
+
+ /* List one certificate in colon mode */
+@@ -496,6 +504,8 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
+ print_capabilities (cert, fp);
+ /* Field 13, not used: */
+ es_putc (':', fp);
++ /* Field 14, not used: */
++ es_putc (':', fp);
+ if (have_secret || ctrl->with_secret)
+ {
+ char *cardsn;
+@@ -504,18 +514,20 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
+ if (!gpgsm_agent_keyinfo (ctrl, p, &cardsn)
+ && (cardsn || ctrl->with_secret))
+ {
+- /* Field 14, not used: */
+- es_putc (':', fp);
+ /* Field 15: Token serial number or secret key indicator. */
+ if (cardsn)
+ es_fputs (cardsn, fp);
+ else if (ctrl->with_secret)
+ es_putc ('+', fp);
+- es_putc (':', fp);
+ }
+ xfree (cardsn);
+ xfree (p);
+ }
++ es_putc (':', fp); /* End of field 15. */
++ es_putc (':', fp); /* End of field 16. */
++ es_putc (':', fp); /* End of field 17. */
++ print_compliance_flags (algo, nbits, fp);
++ es_putc (':', fp); /* End of field 18. */
+ es_putc ('\n', fp);
+
+ /* FPR record */
diff --git a/debian/patches/0067-tests-Fail-if-we-cannot-create-the-socket-directory.patch b/debian/patches/0067-tests-Fail-if-we-cannot-create-the-socket-directory.patch
new file mode 100644
index 0000000..c7a98b5
--- /dev/null
+++ b/debian/patches/0067-tests-Fail-if-we-cannot-create-the-socket-directory.patch
@@ -0,0 +1,45 @@
+From: Justus Winter <justus at g10code.com>
+Date: Mon, 20 Mar 2017 12:21:43 +0100
+Subject: tests: Fail if we cannot create the socket directory.
+
+* tests/migrations/common.scm (run-test): Turn warning into an error.
+* tests/openpgp/defs.scm (start-agent): Likewise.
+--
+
+We use separate directories to create the sockets in so that the
+absolute path to the every socket fits into sun_path.
+
+Fixes-commit: 7e19786a5ddef637d1d9d21593fecf5a36b6f372
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit d75d20909d9f60d33ffd210def92278c0f383aad)
+---
+ tests/migrations/common.scm | 2 +-
+ tests/openpgp/defs.scm | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/migrations/common.scm b/tests/migrations/common.scm
+index fa8f129..b1c90aa 100644
+--- a/tests/migrations/common.scm
++++ b/tests/migrations/common.scm
+@@ -53,7 +53,7 @@
+ (untar-armored src-tarball)
+ (setenv "GNUPGHOME" (getcwd) #t)
+
+- (catch (log "Warning: Creating socket directory failed:" (car *error*))
++ (catch (fail "Creating socket directory failed (see README):" (car *error*))
+ (call-popen `(,gpgconf --create-socketdir) ""))
+ (test (getcwd))
+ (catch (log "Warning: Removing socket directory failed.")
+diff --git a/tests/openpgp/defs.scm b/tests/openpgp/defs.scm
+index 7c8e10a..64c086d 100644
+--- a/tests/openpgp/defs.scm
++++ b/tests/openpgp/defs.scm
+@@ -446,7 +446,7 @@
+ (atexit (lambda ()
+ (with-home-directory gnupghome
+ (stop-agent)))))
+- (catch (log "Warning: Creating socket directory failed:" (car *error*))
++ (catch (fail "Creating socket directory failed (see README):" (car *error*))
+ (call-popen `(,(tool 'gpgconf) --create-socketdir) ""))
+ (call-check `(,(tool 'gpg-connect-agent) --verbose
+ ,(string-append "--agent-program=" (tool 'gpg-agent)
diff --git a/debian/patches/0068-tests-Remove-debugging-remnants.patch b/debian/patches/0068-tests-Remove-debugging-remnants.patch
new file mode 100644
index 0000000..d60feb9
--- /dev/null
+++ b/debian/patches/0068-tests-Remove-debugging-remnants.patch
@@ -0,0 +1,22 @@
+From: Justus Winter <justus at g10code.com>
+Date: Mon, 20 Mar 2017 10:23:55 +0100
+Subject: tests: Remove debugging remnants.
+
+* tests/gpgme/gpgme-defs.scm (run-python-tests?): Remove 'trace's.
+
+Signed-off-by: Justus Winter <justus at g10code.com>
+(cherry picked from commit ceb4b245752bb1fb43fde7e99f8d904ab8a9b5e2)
+---
+ tests/gpgme/gpgme-defs.scm | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/gpgme/gpgme-defs.scm b/tests/gpgme/gpgme-defs.scm
+index 0583774..486d1a1 100644
+--- a/tests/gpgme/gpgme-defs.scm
++++ b/tests/gpgme/gpgme-defs.scm
+@@ -181,4 +181,4 @@
+ (call-popen `(,python -c "import sys; print('{0}.{1}'.format(sys.version_info[0], sys.version_info[1]))") "")))
+ (build-path (path-join gpgme-builddir "lang" "python"
+ (string-append "python" python-version "-gpg"))))
+- (trace (file-exists? (trace build-path))))))
++ (file-exists? build-path))))
diff --git a/debian/patches/series b/debian/patches/series
index 1a14f5e..da3ee88 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -61,3 +61,8 @@ gpg-agent-idling/0011-agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch
0061-gpgscm-Simplify-hash-tables.patch
0062-dirmngr-Ignore-warning-alerts-in-the-GNUTLS-handshak.patch
0063-gpg-Make-sure-the-conflict-set-includes-the-current-.patch
+0064-tests-Add-test-for-issue-2959.patch
+0065-gpg-Remove-unused-stuff.patch
+0066-gpg-Add-new-field-no-18-to-the-colon-listing.patch
+0067-tests-Fail-if-we-cannot-create-the-socket-directory.patch
+0068-tests-Remove-debugging-remnants.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git
More information about the Pkg-gnupg-commit
mailing list