Browse Source

l/scute: Apply upstream TLS1.2 patch

slackware-14.2
Damien Goutte-Gattat 8 years ago
parent
commit
2219d26cf9
  1. 328
      l/scute/scute-1.4.0-tls12.diff
  2. 7
      l/scute/scute.SlackBuild

328
l/scute/scute-1.4.0-tls12.diff

@ -1,38 +1,330 @@
commit de04b59ac8614941ac2e6c1e1d53d77cf7f9c871
Author: Werner Koch <wk@gnupg.org>
Date: Fri Sep 12 15:50:17 2014 +0200
Allow signing with other algorithms than MD5+SHA1
* src/support.h (STR, STR2): NEw.
* src/agent.c (sha1_prefix, sha224_prefix, sha256_prefix)
(sha384_prefix, sha512_prefix): New.
(scute_agent_sign): Increase MAX_DATA_LEN to 64. Determine hash
algorithm by checking the ASN.1 prefixes.
diff --git a/src/agent.c b/src/agent.c
index 9265ca2..b77c879 100644
index 9265ca2..edf8d2d 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -996,8 +996,9 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
@@ -2,7 +2,7 @@
Copyright (C) 2006, 2007, 2008 g10 Code GmbH
This file is part of Scute.
-
+
Scute is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
@@ -65,7 +65,7 @@ static int agent_version_minor;
/* Hack required for Windows. */
-void
+void
gnupg_allow_set_foregound_window (pid_t pid)
{
if (!pid || pid == (pid_t)(-1))
@@ -111,7 +111,7 @@ build_w32_commandline_copy (char *buffer, const char *string)
/* Build a command line for use with W32's CreateProcess. On success
CMDLINE gets the address of a newly allocated string. */
static gpg_error_t
-build_w32_commandline (const char *pgmname, const char * const *argv,
+build_w32_commandline (const char *pgmname, const char * const *argv,
char **cmdline)
{
int i, n;
@@ -139,7 +139,7 @@ build_w32_commandline (const char *pgmname, const char * const *argv,
return gpg_error_from_syserror ();
p = build_w32_commandline_copy (p, pgmname);
- for (i=0; argv[i]; i++)
+ for (i=0; argv[i]; i++)
{
*p++ = ' ';
p = build_w32_commandline_copy (p, argv[i]);
@@ -161,7 +161,7 @@ spawn_process_detached (const char *pgmname, const char *argv[])
{
gpg_error_t err;
SECURITY_ATTRIBUTES sec_attr;
- PROCESS_INFORMATION pi =
+ PROCESS_INFORMATION pi =
{
NULL, /* Returns process handle. */
0, /* Returns primary thread handle. */
@@ -179,11 +179,11 @@ spawn_process_detached (const char *pgmname, const char *argv[])
memset (&sec_attr, 0, sizeof sec_attr );
sec_attr.nLength = sizeof sec_attr;
sec_attr.bInheritHandle = FALSE;
-
+
/* Build the command line. */
err = build_w32_commandline (pgmname, argv, &cmdline);
if (err)
- return err;
+ return err;
/* Start the process. */
memset (&si, 0, sizeof si);
@@ -194,7 +194,7 @@ spawn_process_detached (const char *pgmname, const char *argv[])
cr_flags = (CREATE_DEFAULT_ERROR_MODE
| GetPriorityClass (GetCurrentProcess ())
| CREATE_NEW_PROCESS_GROUP
- | DETACHED_PROCESS);
+ | DETACHED_PROCESS);
DEBUG (DBG_INFO, "CreateProcess(detached), path=`%s' cmdline=`%s'\n",
pgmname, cmdline);
if (!CreateProcess (pgmname, /* Program to start. */
@@ -221,7 +221,7 @@ spawn_process_detached (const char *pgmname, const char *argv[])
" dwProcessID=%d dwThreadId=%d\n", pi.hProcess, pi.hThread,
(int) pi.dwProcessId, (int) pi.dwThreadId);
- CloseHandle (pi.hThread);
+ CloseHandle (pi.hThread);
return 0;
}
@@ -280,8 +280,8 @@ agent_connect (assuan_context_t *ctx_r)
const char *argv[3];
argv[0] = "--daemon";
- argv[1] = "--use-standard-socket";
- argv[2] = NULL;
+ argv[1] = "--use-standard-socket";
+ argv[2] = NULL;
err = spawn_process_detached (agent_program, argv);
if (err)
@@ -306,15 +306,15 @@ agent_connect (assuan_context_t *ctx_r)
pgmname = agent_program;
else
pgmname++;
-
+
argv[0] = pgmname;
argv[1] = "--server";
argv[2] = NULL;
-
+
i=0;
no_close_list[i++] = assuan_fd_from_posix_fd (fileno (stderr));
no_close_list[i] = -1;
-
+
/* Connect to the agent and perform initial handshaking. */
err = assuan_pipe_connect (ctx, agent_program, argv,
no_close_list, NULL, NULL, 0);
@@ -353,7 +353,7 @@ agent_connect (assuan_context_t *ctx_r)
force_pipe_server = 1;
goto restart;
}
-
+
err = assuan_socket_connect (ctx, infostr, pid, 0);
free (infostr);
if (err)
@@ -400,7 +400,7 @@ default_inq_cb (void *opaque, const char *line)
/* Send a simple command to the agent. */
-static gpg_error_t
+static gpg_error_t
agent_simple_cmd (assuan_context_t ctx, const char *fmt, ...)
{
gpg_error_t err;
@@ -421,7 +421,7 @@ agent_simple_cmd (assuan_context_t ctx, const char *fmt, ...)
DEBUG (DBG_CRIT, "gpg-agent command '%s' failed: %s", optstr,
gpg_strerror (err));
free (optstr);
-
+
return err;
}
@@ -432,7 +432,7 @@ read_version_cb (void *opaque, const void *buffer, size_t length)
{
char version[20];
const char *s;
-
+
if (length > sizeof (version) -1)
length = sizeof (version) - 1;
strncpy (version, buffer, length);
@@ -444,7 +444,7 @@ read_version_cb (void *opaque, const void *buffer, size_t length)
return 0;
}
-
+
/* Configure the GPG agent at connection CTX. */
static gpg_error_t
@@ -615,7 +615,7 @@ unescape_status_string (const unsigned char *src)
while (*src)
{
if (*src == '%' && src[1] && src[2])
- {
+ {
src++;
*dst = xtoi_2 (src);
if (*dst == '\0')
@@ -631,7 +631,7 @@ unescape_status_string (const unsigned char *src)
else
*(dst++) = *(src++);
}
- *dst = 0;
+ *dst = 0;
return buffer;
}
@@ -894,7 +894,7 @@ geteventcounter_status_cb (void *opaque, const char *line)
last_count = count;
}
}
-
+
return 0;
}
@@ -989,6 +989,28 @@ pksign_cb (void *opaque, const void *buffer, size_t length)
#define SIG_LEN 128
#define SIG_LEN_2 256
+
+static unsigned char sha1_prefix[15] = /* (1.3.14.3.2.26) */
+ { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03,
+ 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
+static unsigned char sha224_prefix[19] = /* (2.16.840.1.101.3.4.2.4) */
+ { 0x30, 0x2D, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
+ 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04,
+ 0x1C };
+static unsigned char sha256_prefix[19] = /* (2.16.840.1.101.3.4.2.1) */
+ { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
+ 0x00, 0x04, 0x20 };
+static unsigned char sha384_prefix[19] = /* (2.16.840.1.101.3.4.2.2) */
+ { 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
+ 0x00, 0x04, 0x30 };
+static unsigned char sha512_prefix[19] = /* (2.16.840.1.101.3.4.2.3) */
+ { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
+ 0x00, 0x04, 0x40 };
+
+
/* Call the agent to learn about a smartcard. */
gpg_error_t
scute_agent_sign (char *grip, unsigned char *data, int len,
@@ -996,10 +1018,12 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
{
char cmd[150];
gpg_error_t err;
-#define MAX_DATA_LEN 36
+#define MAX_DATA_LEN 51
+#define MAX_DATA_LEN 64 /* For SHA-512 - see below. */
unsigned char pretty_data[2 * MAX_DATA_LEN + 1];
+ char *data_type;
int i;
struct signature sig;
+ const char *algostr;
+ int off;
sig.len = 0;
@@ -1016,6 +1017,13 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
if (len > MAX_DATA_LEN)
return gpg_error (GPG_ERR_INV_ARG);
@@ -1025,11 +1049,38 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
if (err)
return err;
+ if (len == 36) /* TLS <= 1.1, data is a MD5+SHA1 hash */
+ data_type = "tls-md5sha1";
+ else if (len == 35 || len == 51) /* TLS 1.2, data is a DigestInfo object */
+ data_type = "tls-digest";
+ /* Find out the digest algorithm and strip off the prefix. */
+#define X(a,b) \
+ (len == sizeof a ## _prefix + (b) \
+ && !memcmp (data, a ## _prefix, sizeof a ## _prefix)) \
+ { \
+ algostr = STR(a); \
+ off = sizeof a ## _prefix; \
+ len -= sizeof a ## _prefix; \
+ }
+
+ if (len == 36)
+ {
+ algostr = "tls-md5sha1";
+ off = 0;
+ }
+ else if X(sha1, 20)
+ else if X(sha224, 28)
+ else if X(sha256, 32)
+ else if X(sha384, 48)
+ else if X(sha512, 64) /* MAX_DATA_LEN must be at least this. */
+ else
+ return gpg_error (GPG_ERR_INV_ARG);
+ {
+ DEBUG (DBG_INFO, "sign input data format is unknown, size=%d\n", len);
+ return gpg_error (GPG_ERR_DIGEST_ALGO);
+ }
+#undef X
+
if (grip == NULL || sig_result == NULL || *sig_len < SIG_LEN)
return gpg_error (GPG_ERR_INV_ARG);
@@ -1029,7 +1037,7 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
snprintf (&pretty_data[2 * i], 3, "%02X", data[i]);
for (i = 0; i < len; i++)
- snprintf (&pretty_data[2 * i], 3, "%02X", data[i]);
+ snprintf (&pretty_data[2 * i], 3, "%02X", data[off+i]);
pretty_data[2 * len] = '\0';
- snprintf (cmd, sizeof (cmd), "SETHASH --hash=tls-md5sha1 %s", pretty_data);
+ snprintf (cmd, sizeof (cmd), "SETHASH --hash=%s %s", data_type, pretty_data);
+ snprintf (cmd, sizeof (cmd), "SETHASH --hash=%s %s", algostr, pretty_data);
err = assuan_transact (agent_ctx, cmd, NULL, NULL, default_inq_cb,
NULL, NULL, NULL);
if (err)
@@ -1063,8 +1114,8 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
memcpy (sig_result, sig.data + SIG_PREFIX_LEN, SIG_LEN);
*sig_len = SIG_LEN;
}
-
-
+
+
return 0;
}
diff --git a/src/support.h b/src/support.h
index 8f4d538..f6bb80c 100644
--- a/src/support.h
+++ b/src/support.h
@@ -2,7 +2,7 @@
Copyright (C) 2006 g10 Code GmbH
This file is part of Scute.
-
+
Scute is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
@@ -40,6 +40,10 @@
#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1))
#define DIM(x) (sizeof (x) / sizeof (x[0]))
+#ifndef STR
+# define STR(v) #v
+#endif
+#define STR2(v) STR(v)
/* Copy a string into its location, with blank character padding. */
static inline void
@@ -64,7 +68,7 @@ scute_copy_string (char *dest, char *src, int max_len)
#ifndef HAVE_TTYNAME
/* Systems without ttyname (W32) will merely return NULL. */
static inline char *
-ttyname (int fd)
+ttyname (int fd)
{
return NULL;
}
@@ -96,5 +100,5 @@ const char *default_homedir (void);
char *make_filename (const char *first_part, ...);
-
+
#endif /* !SUPPORT_H */

7
l/scute/scute.SlackBuild

@ -33,7 +33,7 @@ WGET=${WGET:-http://git.gnupg.org/cgi-bin/gitweb.cgi?p=scute.git;a=snapshot;h=$C
# Build infos
NAMEPKG=${NAMEPKG:-scute}
BUILD=${BUILD:-3GGD}
BUILD=${BUILD:-4GGD}
ARCH=${ARCH:-$(uname -m | sed 's/^i.86$/i486/;s/^arm.*/arm/')}
JOBS=${JOBS:-1}
EXT=${EXT:-txz}
@ -84,9 +84,8 @@ cd $TMP
echo "Building $ARCHIVE..."
tar xf $CWD/$ARCHIVE
cd $NAME
# Patch adapted from Oliver Winker to support TLS 1.2
# <http://www.gossamer-threads.com/lists/gnupg/users/67663>
# (Work together with the accompanying patch for GnuPG-2.x)
# Patch from upstream (W. Koch) to support TLS 1.2
# <http://lists.gnupg.org/pipermail/gnupg-devel/2014-September/028750.html>
patch -p 1 < $CWD/scute-1.4.0-tls12.diff
./autogen.sh
CFLAGS=$CPUOPT \

Loading…
Cancel
Save