summaryrefslogtreecommitdiffstats
path: root/security/gnupg/files
diff options
context:
space:
mode:
authorkuriyama <kuriyama@FreeBSD.org>2003-11-28 00:05:27 +0000
committerkuriyama <kuriyama@FreeBSD.org>2003-11-28 00:05:27 +0000
commit787d005a9a7769dd72a9c058163a1d1966caa650 (patch)
tree4e238a81bc0593b345ebb059050ad1c4971dddf1 /security/gnupg/files
parent435067f36b5a7749f62ac7bee3fb3991170f446f (diff)
downloadFreeBSD-ports-787d005a9a7769dd72a9c058163a1d1966caa650.zip
FreeBSD-ports-787d005a9a7769dd72a9c058163a1d1966caa650.tar.gz
*** Security Update (not fix, only workaround) ***
Disable the ability to create signatures using the ElGamal sign+encrypt (type 20) keys as well as to remove the option to create such keys. Reported by: se References: http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020570.html http://lists.gnupg.org/pipermail/gnupg-devel/2003-November/020569.html Approved by portmgr (will)
Diffstat (limited to 'security/gnupg/files')
-rw-r--r--security/gnupg/files/patch-getkey.c28
-rw-r--r--security/gnupg/files/patch-keygen.c33
2 files changed, 61 insertions, 0 deletions
diff --git a/security/gnupg/files/patch-getkey.c b/security/gnupg/files/patch-getkey.c
new file mode 100644
index 0000000..fdbb5ec
--- /dev/null
+++ b/security/gnupg/files/patch-getkey.c
@@ -0,0 +1,28 @@
+--- g10/getkey.c.orig Tue Jul 29 03:34:41 2003
++++ g10/getkey.c Thu Nov 27 18:54:55 2003
+@@ -1655,6 +1655,11 @@
+ if ( x ) /* mask it down to the actual allowed usage */
+ key_usage &= x;
+ }
++
++ /* Type 20 Elgamal keys are not usable. */
++ if(pk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ key_usage=0;
++
+ pk->pubkey_usage = key_usage;
+
+ if ( !key_expire_seen ) {
+@@ -1869,6 +1874,13 @@
+ if ( x ) /* mask it down to the actual allowed usage */
+ key_usage &= x;
+ }
++
++ /* Type 20 Elgamal subkeys or any subkey on a type 20 primary are
++ not usable. */
++ if(mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL
++ || subpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++ key_usage=0;
++
+ subpk->pubkey_usage = key_usage;
+
+ p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL);
diff --git a/security/gnupg/files/patch-keygen.c b/security/gnupg/files/patch-keygen.c
new file mode 100644
index 0000000..b4051ed
--- /dev/null
+++ b/security/gnupg/files/patch-keygen.c
@@ -0,0 +1,33 @@
+--- g10/keygen.c.orig Tue Jul 29 03:34:41 2003
++++ g10/keygen.c Thu Nov 27 18:54:55 2003
+@@ -958,8 +958,6 @@
+ tty_printf( _(" (%d) DSA (sign only)\n"), 2 );
+ if( addmode )
+ tty_printf( _(" (%d) ElGamal (encrypt only)\n"), 3 );
+- if (opt.expert)
+- tty_printf( _(" (%d) ElGamal (sign and encrypt)\n"), 4 );
+ tty_printf( _(" (%d) RSA (sign only)\n"), 5 );
+ if (addmode)
+ tty_printf( _(" (%d) RSA (encrypt only)\n"), 6 );
+@@ -989,21 +987,6 @@
+ algo = PUBKEY_ALGO_RSA;
+ *r_usage = PUBKEY_USAGE_SIG;
+ break;
+- }
+- else if( algo == 4 && opt.expert)
+- {
+- tty_printf(_(
+-"The use of this algorithm is only supported by GnuPG. You will not be\n"
+-"able to use this key to communicate with PGP users. This algorithm is also\n"
+-"very slow, and may not be as secure as the other choices.\n"));
+-
+- if( cpr_get_answer_is_yes("keygen.algo.elg_se",
+- _("Create anyway? ")))
+- {
+- algo = PUBKEY_ALGO_ELGAMAL;
+- *r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
+- break;
+- }
+ }
+ else if( algo == 3 && addmode ) {
+ algo = PUBKEY_ALGO_ELGAMAL_E;
OpenPOWER on IntegriCloud