authorJun Kuriyama <kuriyama@FreeBSD.org>2003-11-28 00:05:27 +0000
committerJun Kuriyama <kuriyama@FreeBSD.org>2003-11-28 00:05:27 +0000
commit660205cc0e3dab7b8c6dee8d7433393584338418 (patch)
treecbe0255df574fa3f543db28e63be88934e4afc8d /security
parenta860f902fba494095629f726d86b423886b69b2b (diff)
*** Security Update (not fix, only workaround) ***
Disable the ability to create signatures using ElGamal sign+encrypt (type 20) keys, and remove the option to create such keys. Reported by: se References: http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020569.html Approved by portmgr (will)
Notes
Notes: svn path=/head/; revision=94812
Diffstat (limited to 'security')
-rw-r--r--security/gnupg/Makefile2
-rw-r--r--security/gnupg/files/patch-getkey.c28
-rw-r--r--security/gnupg/files/patch-keygen.c33
-rw-r--r--security/gnupg1/Makefile2
-rw-r--r--security/gnupg1/files/patch-getkey.c28
-rw-r--r--security/gnupg1/files/patch-keygen.c33
6 files changed, 124 insertions, 2 deletions
diff --git a/security/gnupg/Makefile b/security/gnupg/Makefile
index 0ee11e40e531..81e30c469d4c 100644
--- a/security/gnupg/Makefile
+++ b/security/gnupg/Makefile
@@ -7,7 +7,7 @@
PORTNAME= gnupg
PORTVERSION= 1.2.3
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GNUPG}
MASTER_SITE_SUBDIR= gnupg
diff --git a/security/gnupg/files/patch-getkey.c b/security/gnupg/files/patch-getkey.c
new file mode 100644
index 000000000000..fdbb5ec441aa
--- /dev/null
+++ b/security/gnupg/files/patch-getkey.c
@@ -0,0 +1,28 @@
+--- g10/getkey.c.orig Tue Jul 29 03:34:41 2003
++++ g10/getkey.c Thu Nov 27 18:54:55 2003
+@@ -1655,6 +1655,11 @@
+ if ( x ) /* mask it down to the actual allowed usage */
+ key_usage &= x;
+ }
++
++ /* Type 20 Elgamal keys are not usable. */
++ if(pk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ key_usage=0;
++
+ pk->pubkey_usage = key_usage;
+
+ if ( !key_expire_seen ) {
+@@ -1869,6 +1874,13 @@
+ if ( x ) /* mask it down to the actual allowed usage */
+ key_usage &= x;
+ }
++
++ /* Type 20 Elgamal subkeys or any subkey on a type 20 primary are
++ not usable. */
++ if(mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL
++ || subpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ key_usage=0;
++
+ subpk->pubkey_usage = key_usage;
+
+ p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL);
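Review bot: Zeroing the whole usage mask with `key_usage=0` in both nested hunks disables type 20 keys for every purpose, including encryption, whereas the commit message only says signing is disabled; if that breadth is intended (it matches "not usable" in the added comment), the comment should state it, e.g. `/* Type 20 Elgamal (sign+encrypt) keys are disabled for all uses as a workaround; see the gnupg-devel advisory cited in the port commit. */`. The check is placed after the `key_usage &= x` masking, so that masking work is discarded for these keys; testing the algorithm before the masking block would make the intent clearer, though this is only a style point. Both nested hunks sit inside functions whose start and end lie outside the patch, so whether any earlier path can still set a usage for these keys cannot be confirmed from here. security/gnupg1/files/patch-getkey.c is a byte-identical copy and the same applies there.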
diff --git a/security/gnupg/files/patch-keygen.c b/security/gnupg/files/patch-keygen.c
new file mode 100644
index 000000000000..b4051ed22b02
--- /dev/null
+++ b/security/gnupg/files/patch-keygen.c
@@ -0,0 +1,33 @@
+--- g10/keygen.c.orig Tue Jul 29 03:34:41 2003
++++ g10/keygen.c Thu Nov 27 18:54:55 2003
+@@ -958,8 +958,6 @@
+ tty_printf( _(" (%d) DSA (sign only)\n"), 2 );
+ if( addmode )
+ tty_printf( _(" (%d) ElGamal (encrypt only)\n"), 3 );
+- if (opt.expert)
+- tty_printf( _(" (%d) ElGamal (sign and encrypt)\n"), 4 );
+ tty_printf( _(" (%d) RSA (sign only)\n"), 5 );
+ if (addmode)
+ tty_printf( _(" (%d) RSA (encrypt only)\n"), 6 );
+@@ -989,21 +987,6 @@
+ algo = PUBKEY_ALGO_RSA;
+ *r_usage = PUBKEY_USAGE_SIG;
+ break;
+- }
+- else if( algo == 4 && opt.expert)
+- {
+- tty_printf(_(
+-"The use of this algorithm is only supported by GnuPG. You will not be\n"
+-"able to use this key to communicate with PGP users. This algorithm is also\n"
+-"very slow, and may not be as secure as the other choices.\n"));
+-
+- if( cpr_get_answer_is_yes("keygen.algo.elg_se",
+- _("Create anyway? ")))
+- {
+- algo = PUBKEY_ALGO_ELGAMAL;
+- *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
+- break;
+- }
+ }
+ else if( algo == 3 && addmode ) {
+ algo = PUBKEY_ALGO_ELGAMAL_E;
diff --git a/security/gnupg1/Makefile b/security/gnupg1/Makefile
index 0ee11e40e531..81e30c469d4c 100644
--- a/security/gnupg1/Makefile
+++ b/security/gnupg1/Makefile
@@ -7,7 +7,7 @@
PORTNAME= gnupg
PORTVERSION= 1.2.3
-PORTREVISION= 3
+PORTREVISION= 4
CATEGORIES= security
MASTER_SITES= ${MASTER_SITE_GNUPG}
MASTER_SITE_SUBDIR= gnupg
diff --git a/security/gnupg1/files/patch-getkey.c b/security/gnupg1/files/patch-getkey.c
new file mode 100644
index 000000000000..fdbb5ec441aa
--- /dev/null
+++ b/security/gnupg1/files/patch-getkey.c
@@ -0,0 +1,28 @@
+--- g10/getkey.c.orig Tue Jul 29 03:34:41 2003
++++ g10/getkey.c Thu Nov 27 18:54:55 2003
+@@ -1655,6 +1655,11 @@
+ if ( x ) /* mask it down to the actual allowed usage */
+ key_usage &= x;
+ }
++
++ /* Type 20 Elgamal keys are not usable. */
++ if(pk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ key_usage=0;
++
+ pk->pubkey_usage = key_usage;
+
+ if ( !key_expire_seen ) {
+@@ -1869,6 +1874,13 @@
+ if ( x ) /* mask it down to the actual allowed usage */
+ key_usage &= x;
+ }
++
++ /* Type 20 Elgamal subkeys or any subkey on a type 20 primary are
++ not usable. */
++ if(mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL
++ || subpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ key_usage=0;
++
+ subpk->pubkey_usage = key_usage;
+
+ p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL);
diff --git a/security/gnupg1/files/patch-keygen.c b/security/gnupg1/files/patch-keygen.c
new file mode 100644
index 000000000000..b4051ed22b02
--- /dev/null
+++ b/security/gnupg1/files/patch-keygen.c
@@ -0,0 +1,33 @@
+--- g10/keygen.c.orig Tue Jul 29 03:34:41 2003
++++ g10/keygen.c Thu Nov 27 18:54:55 2003
+@@ -958,8 +958,6 @@
+ tty_printf( _(" (%d) DSA (sign only)\n"), 2 );
+ if( addmode )
+ tty_printf( _(" (%d) ElGamal (encrypt only)\n"), 3 );
+- if (opt.expert)
+- tty_printf( _(" (%d) ElGamal (sign and encrypt)\n"), 4 );
+ tty_printf( _(" (%d) RSA (sign only)\n"), 5 );
+ if (addmode)
+ tty_printf( _(" (%d) RSA (encrypt only)\n"), 6 );
+@@ -989,21 +987,6 @@
+ algo = PUBKEY_ALGO_RSA;
+ *r_usage = PUBKEY_USAGE_SIG;
+ break;
+- }
+- else if( algo == 4 && opt.expert)
+- {
+- tty_printf(_(
+-"The use of this algorithm is only supported by GnuPG. You will not be\n"
+-"able to use this key to communicate with PGP users. This algorithm is also\n"
+-"very slow, and may not be as secure as the other choices.\n"));
+-
+- if( cpr_get_answer_is_yes("keygen.algo.elg_se",
+- _("Create anyway? ")))
+- {
+- algo = PUBKEY_ALGO_ELGAMAL;
+- *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
+- break;
+- }
+ }
+ else if( algo == 3 && addmode ) {
+ algo = PUBKEY_ALGO_ELGAMAL_E;