diff options
author | kuriyama <kuriyama@FreeBSD.org> | 2005-02-12 09:29:35 +0000 |
---|---|---|
committer | kuriyama <kuriyama@FreeBSD.org> | 2005-02-12 09:29:35 +0000 |
commit | 72b8ecb2a099294b74bb595e4d42acd5cfbcb55a (patch) | |
tree | b1caafdc36535cec58fbf76c5b9e88167fcaac22 /security | |
parent | 03765098c54857d1ba235dcd7e4573b9bbdde0b4 (diff) | |
download | FreeBSD-ports-72b8ecb2a099294b74bb595e4d42acd5cfbcb55a.zip FreeBSD-ports-72b8ecb2a099294b74bb595e4d42acd5cfbcb55a.tar.gz |
Add a workaround patch to avoid protocol attack (but will not be
effective in the real world).
References: http://lists.gnupg.org/pipermail/gnupg-announce/2005q1/000190.html (broken mailman archive)
http://www.pgp.com/library/ctocorner/openpgp.html
http://eprint.iacr.org/2005/033
Reported by: dougb
Diffstat (limited to 'security')
-rw-r--r-- | security/gnupg/Makefile | 2 | ||||
-rw-r--r-- | security/gnupg/files/patch-cfb | 48 | ||||
-rw-r--r-- | security/gnupg1/Makefile | 2 | ||||
-rw-r--r-- | security/gnupg1/files/patch-cfb | 48 |
4 files changed, 98 insertions, 2 deletions
diff --git a/security/gnupg/Makefile b/security/gnupg/Makefile index ae90602..1d15b2d 100644 --- a/security/gnupg/Makefile +++ b/security/gnupg/Makefile @@ -7,7 +7,7 @@ PORTNAME= gnupg PORTVERSION= 1.4.0 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_GNUPG} MASTER_SITE_SUBDIR= gnupg diff --git a/security/gnupg/files/patch-cfb b/security/gnupg/files/patch-cfb new file mode 100644 index 0000000..5355e5d --- /dev/null +++ b/security/gnupg/files/patch-cfb @@ -0,0 +1,48 @@ +Index: include/cipher.h +=================================================================== +RCS file: /cvs/gnupg/gnupg/include/cipher.h,v +retrieving revision 1.63 +diff -u -r1.63 cipher.h +--- include/cipher.h 29 Nov 2004 21:14:18 -0000 1.63 ++++ include/cipher.h 8 Feb 2005 04:10:29 -0000 +@@ -75,6 +75,7 @@ + int keylen; + int algo_info_printed; + int use_mdc; ++ int symmetric; + byte key[32]; /* this is the largest used keylen (256 bit) */ + } DEK; + +Index: g10/mainproc.c +=================================================================== +RCS file: /cvs/gnupg/gnupg/g10/mainproc.c,v +retrieving revision 1.161 +diff -u -r1.161 mainproc.c +--- g10/mainproc.c 21 Oct 2004 19:18:47 -0000 1.161 ++++ g10/mainproc.c 8 Feb 2005 04:10:30 -0000 +@@ -330,6 +330,8 @@ + + if(c->dek) + { ++ c->dek->symmetric=1; ++ + /* FIXME: This doesn't work perfectly if a symmetric + key comes before a public key in the message - if + the user doesn't know the passphrase, then there is +Index: g10/encr-data.c +=================================================================== +RCS file: /cvs/gnupg/gnupg/g10/encr-data.c,v +retrieving revision 1.30 +diff -u -r1.30 encr-data.c +--- g10/encr-data.c 8 Oct 2004 21:54:26 -0000 1.30 ++++ g10/encr-data.c 8 Feb 2005 04:10:30 -0000 +@@ -125,7 +125,7 @@ + cipher_sync( dfx.cipher_hd ); + p = temp; + /* log_hexdump( "prefix", temp, nprefix+2 ); */ +- if( p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1] ) { ++ if( dek->symmetric && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) ) { + rc = G10ERR_BAD_KEY; + goto leave; + } + diff --git a/security/gnupg1/Makefile b/security/gnupg1/Makefile index ae90602..1d15b2d 100644 --- a/security/gnupg1/Makefile +++ b/security/gnupg1/Makefile @@ -7,7 +7,7 @@ PORTNAME= gnupg PORTVERSION= 1.4.0 -PORTREVISION?= 0 +PORTREVISION?= 1 CATEGORIES= security MASTER_SITES= ${MASTER_SITE_GNUPG} MASTER_SITE_SUBDIR= gnupg diff --git a/security/gnupg1/files/patch-cfb b/security/gnupg1/files/patch-cfb new file mode 100644 index 0000000..5355e5d --- /dev/null +++ b/security/gnupg1/files/patch-cfb @@ -0,0 +1,48 @@ +Index: include/cipher.h +=================================================================== +RCS file: /cvs/gnupg/gnupg/include/cipher.h,v +retrieving revision 1.63 +diff -u -r1.63 cipher.h +--- include/cipher.h 29 Nov 2004 21:14:18 -0000 1.63 ++++ include/cipher.h 8 Feb 2005 04:10:29 -0000 +@@ -75,6 +75,7 @@ + int keylen; + int algo_info_printed; + int use_mdc; ++ int symmetric; + byte key[32]; /* this is the largest used keylen (256 bit) */ + } DEK; + +Index: g10/mainproc.c +=================================================================== +RCS file: /cvs/gnupg/gnupg/g10/mainproc.c,v +retrieving revision 1.161 +diff -u -r1.161 mainproc.c +--- g10/mainproc.c 21 Oct 2004 19:18:47 -0000 1.161 ++++ g10/mainproc.c 8 Feb 2005 04:10:30 -0000 +@@ -330,6 +330,8 @@ + + if(c->dek) + { ++ c->dek->symmetric=1; ++ + /* FIXME: This doesn't work perfectly if a symmetric + key comes before a public key in the message - if + the user doesn't know the passphrase, then there is +Index: g10/encr-data.c +=================================================================== +RCS file: /cvs/gnupg/gnupg/g10/encr-data.c,v +retrieving revision 1.30 +diff -u -r1.30 encr-data.c +--- g10/encr-data.c 8 Oct 2004 21:54:26 -0000 1.30 ++++ g10/encr-data.c 8 Feb 2005 04:10:30 -0000 +@@ -125,7 +125,7 @@ + cipher_sync( dfx.cipher_hd ); + p = temp; + /* log_hexdump( "prefix", temp, nprefix+2 ); */ +- if( p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1] ) { ++ if( dek->symmetric && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) ) { + rc = G10ERR_BAD_KEY; + goto leave; + } + |