*** Security Update (not fix, only workaround) ***

Disable the ability to create signatures using the ElGamal sign+encrypt (type 20) keys as well as to remove the option to create such keys. Reported by: se References: http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020569.html Approved by portmgr (will)
svn path=/head/; revision=94812
2025-02-04 11:23:46 +00:00 · 2003-11-28 00:05:27 +00:00 · 2003-11-28 00:05:27 +00:00 · 660205cc0e · 2021-03-31 03:12:20 +00:00
commit 660205cc0e
parent a860f902fb
6 changed files with 124 additions and 2 deletions
--- a/security/gnupg/Makefile
+++ b/security/gnupg/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	gnupg
 PORTVERSION=	1.2.3
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GNUPG}
 MASTER_SITE_SUBDIR=	gnupg
--- a/security/gnupg/files/patch-getkey.c
+++ b/security/gnupg/files/patch-getkey.c
@ -0,0 +1,28 @@
+--- g10/getkey.c.orig	Tue Jul 29 03:34:41 2003
+++ g10/getkey.c	Thu Nov 27 18:54:55 2003
+@@ -1655,6 +1655,11 @@
+         if ( x ) /* mask it down to the actual allowed usage */
+             key_usage &= x; 
+     }
+
+    /* Type 20 Elgamal keys are not usable. */
+    if(pk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
+      key_usage=0;
+
+     pk->pubkey_usage = key_usage;
+ 
+     if ( !key_expire_seen ) {
+@@ -1869,6 +1874,13 @@
+         if ( x ) /* mask it down to the actual allowed usage */
+             key_usage &= x; 
+     }
+
+    /* Type 20 Elgamal subkeys or any subkey on a type 20 primary are
+       not usable. */
+    if(mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL
+       || subpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
+      key_usage=0;
+
+     subpk->pubkey_usage = key_usage;
+     
+     p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL);
--- a/security/gnupg/files/patch-keygen.c
+++ b/security/gnupg/files/patch-keygen.c
@ -0,0 +1,33 @@
+--- g10/keygen.c.orig	Tue Jul 29 03:34:41 2003
+++ g10/keygen.c	Thu Nov 27 18:54:55 2003
+@@ -958,8 +958,6 @@
+     tty_printf(    _("   (%d) DSA (sign only)\n"), 2 );
+     if( addmode )
+ 	tty_printf(    _("   (%d) ElGamal (encrypt only)\n"), 3 );
+-    if (opt.expert)
+-        tty_printf(    _("   (%d) ElGamal (sign and encrypt)\n"), 4 );
+     tty_printf(    _("   (%d) RSA (sign only)\n"), 5 );
+     if (addmode)
+         tty_printf(    _("   (%d) RSA (encrypt only)\n"), 6 );
+@@ -989,21 +987,6 @@
+ 	    algo = PUBKEY_ALGO_RSA;
+             *r_usage = PUBKEY_USAGE_SIG;
+ 	    break;
+-	}
+-	else if( algo == 4 && opt.expert)
+-	  {
+-	    tty_printf(_(
+-"The use of this algorithm is only supported by GnuPG.  You will not be\n"
+-"able to use this key to communicate with PGP users.  This algorithm is also\n"
+-"very slow, and may not be as secure as the other choices.\n"));
+-
+-	    if( cpr_get_answer_is_yes("keygen.algo.elg_se",
+-				      _("Create anyway? ")))
+-	      {
+-		algo = PUBKEY_ALGO_ELGAMAL;
+-		*r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
+-		break;
+-	      }
+ 	}
+ 	else if( algo == 3 && addmode ) {
+ 	    algo = PUBKEY_ALGO_ELGAMAL_E;
--- a/security/gnupg1/Makefile
+++ b/security/gnupg1/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	gnupg
 PORTVERSION=	1.2.3
-PORTREVISION=	3
+PORTREVISION=	4
 CATEGORIES=	security
 MASTER_SITES=	${MASTER_SITE_GNUPG}
 MASTER_SITE_SUBDIR=	gnupg
--- a/security/gnupg1/files/patch-getkey.c
+++ b/security/gnupg1/files/patch-getkey.c
@ -0,0 +1,28 @@
+--- g10/getkey.c.orig	Tue Jul 29 03:34:41 2003
+++ g10/getkey.c	Thu Nov 27 18:54:55 2003
+@@ -1655,6 +1655,11 @@
+         if ( x ) /* mask it down to the actual allowed usage */
+             key_usage &= x; 
+     }
+
+    /* Type 20 Elgamal keys are not usable. */
+    if(pk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
+      key_usage=0;
+
+     pk->pubkey_usage = key_usage;
+ 
+     if ( !key_expire_seen ) {
+@@ -1869,6 +1874,13 @@
+         if ( x ) /* mask it down to the actual allowed usage */
+             key_usage &= x; 
+     }
+
+    /* Type 20 Elgamal subkeys or any subkey on a type 20 primary are
+       not usable. */
+    if(mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL
+       || subpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
+      key_usage=0;
+
+     subpk->pubkey_usage = key_usage;
+     
+     p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL);
--- a/security/gnupg1/files/patch-keygen.c
+++ b/security/gnupg1/files/patch-keygen.c
@ -0,0 +1,33 @@
+--- g10/keygen.c.orig	Tue Jul 29 03:34:41 2003
+++ g10/keygen.c	Thu Nov 27 18:54:55 2003
+@@ -958,8 +958,6 @@
+     tty_printf(    _("   (%d) DSA (sign only)\n"), 2 );
+     if( addmode )
+ 	tty_printf(    _("   (%d) ElGamal (encrypt only)\n"), 3 );
+-    if (opt.expert)
+-        tty_printf(    _("   (%d) ElGamal (sign and encrypt)\n"), 4 );
+     tty_printf(    _("   (%d) RSA (sign only)\n"), 5 );
+     if (addmode)
+         tty_printf(    _("   (%d) RSA (encrypt only)\n"), 6 );
+@@ -989,21 +987,6 @@
+ 	    algo = PUBKEY_ALGO_RSA;
+             *r_usage = PUBKEY_USAGE_SIG;
+ 	    break;
+-	}
+-	else if( algo == 4 && opt.expert)
+-	  {
+-	    tty_printf(_(
+-"The use of this algorithm is only supported by GnuPG.  You will not be\n"
+-"able to use this key to communicate with PGP users.  This algorithm is also\n"
+-"very slow, and may not be as secure as the other choices.\n"));
+-
+-	    if( cpr_get_answer_is_yes("keygen.algo.elg_se",
+-				      _("Create anyway? ")))
+-	      {
+-		algo = PUBKEY_ALGO_ELGAMAL;
+-		*r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
+-		break;
+-	      }
+ 	}
+ 	else if( algo == 3 && addmode ) {
+ 	    algo = PUBKEY_ALGO_ELGAMAL_E;