damien
/
slackbuilds
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Browse Source

l/scute: Upgraded to scute-1.5.0ge22c8cf.

slackware-14.2
Damien Goutte-Gattat 6 years ago
parent
a274c1f2ae
commit
66823ecfce
5 changed files with 31 additions and 264 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 124
      l/scute/0001-Allow-signing-with-other-algorithms-than-MD5-SHA1.patch
  2. 126
      l/scute/0002-Remove-extra-nul-byte-in-signature-data.patch
  3. 13
      l/scute/include-sexp-parse.patch
  4. 1
      l/scute/scute-1.4.0.tar.bz2.sha1
  5. 31
      l/scute/scute.SlackBuild

124
l/scute/0001-Allow-signing-with-other-algorithms-than-MD5-SHA1.patch
Unescape View File

@ -1,124 +0,0 @@
From f07f6c2639b0a127475aad7ccbeb40e10dc565e5 Mon Sep 17 00:00:00 2001
From: Damien Goutte-Gattat <dgouttegattat@incenp.org>
Date: Wed, 10 Dec 2014 01:13:23 +0100
Subject: [PATCH 1/2] Allow signing with other algorithms than MD5+SHA1
To: gnupg-devel@gnupg.org
* src/agent.c (scute_agent_sign): Determine the hash algorithm of the
message digest by checking for known ASN.1 prefixes.
* src/support.h (STR): New.
--
This is a streamlined version of a patch proposed by Werner Koch
<http://lists.gnupg.org/pipermail/gnupg-devel/2014-September/028750.html>
without unrelated, cosmetic changes.
---
src/agent.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++---
src/support.h | 3 +++
2 files changed, 57 insertions(+), 3 deletions(-)
diff --git a/src/agent.c b/src/agent.c
index 9265ca2..b1fdbf0 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -989,6 +989,28 @@ pksign_cb (void *opaque, const void *buffer, size_t length)
#define SIG_LEN 128
#define SIG_LEN_2 256
+
+static unsigned char sha1_prefix[15] = /* (1.3.14.3.2.26) */
+ { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03,
+ 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
+static unsigned char sha224_prefix[19] = /* (2.16.840.1.101.3.4.2.4) */
+ { 0x30, 0x2D, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
+ 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04,
+ 0x1C };
+static unsigned char sha256_prefix[19] = /* (2.16.840.1.101.3.4.2.1) */
+ { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
+ 0x00, 0x04, 0x20 };
+static unsigned char sha384_prefix[19] = /* (2.16.840.1.101.3.4.2.2) */
+ { 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
+ 0x00, 0x04, 0x30 };
+static unsigned char sha512_prefix[19] = /* (2.16.840.1.101.3.4.2.3) */
+ { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
+ 0x00, 0x04, 0x40 };
+
+
/* Call the agent to learn about a smartcard. */
gpg_error_t
scute_agent_sign (char *grip, unsigned char *data, int len,
@@ -996,10 +1018,12 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
{
char cmd[150];
gpg_error_t err;
-#define MAX_DATA_LEN 36
+#define MAX_DATA_LEN 64 /* For SHA-512 - see below. */
unsigned char pretty_data[2 * MAX_DATA_LEN + 1];
int i;
struct signature sig;
+ const char *algostr;
+ int off;
sig.len = 0;
@@ -1025,11 +1049,38 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
if (err)
return err;
+ /* Find out the digest algorithm and strip off the prefix. */
+#define X(a,b) \
+ (len == sizeof a ## _prefix + (b) \
+ && !memcmp (data, a ## _prefix, sizeof a ## _prefix)) \
+ { \
+ algostr = STR(a); \
+ off = sizeof a ## _prefix; \
+ len -= sizeof a ## _prefix; \
+ }
+
+ if (len == 36)
+ {
+ algostr = "tls-md5sha1";
+ off = 0;
+ }
+ else if X(sha1, 20)
+ else if X(sha224, 28)
+ else if X(sha256, 32)
+ else if X(sha384, 48)
+ else if X(sha512, 64) /* MAX_DATA_LEN must be at least this. */
+ else
+ {
+ DEBUG (DBG_INFO, "sign input data format is unknown, size=%d\n", len);
+ return gpg_error (GPG_ERR_DIGEST_ALGO);
+ }
+#undef X
+
for (i = 0; i < len; i++)
- snprintf (&pretty_data[2 * i], 3, "%02X", data[i]);
+ snprintf (&pretty_data[2 * i], 3, "%02X", data[off+i]);
pretty_data[2 * len] = '\0';
- snprintf (cmd, sizeof (cmd), "SETHASH --hash=tls-md5sha1 %s", pretty_data);
+ snprintf (cmd, sizeof (cmd), "SETHASH --hash=%s %s", algostr, pretty_data);
err = assuan_transact (agent_ctx, cmd, NULL, NULL, default_inq_cb,
NULL, NULL, NULL);
if (err)
diff --git a/src/support.h b/src/support.h
index 8f4d538..859d1de 100644
--- a/src/support.h
+++ b/src/support.h
@@ -40,6 +40,9 @@
#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1))
#define DIM(x) (sizeof (x) / sizeof (x[0]))
+#ifndef STR
+# define STR(v) #v
+#endif
/* Copy a string into its location, with blank character padding. */
static inline void
--
1.8.4

126
l/scute/0002-Remove-extra-nul-byte-in-signature-data.patch
Unescape View File

@ -1,126 +0,0 @@
From 3e13d5493c74427655a7208a7bc4fcbcabda6774 Mon Sep 17 00:00:00 2001
From: Damien Goutte-Gattat <dgouttegattat@incenp.org>
Date: Wed, 28 Jan 2015 16:03:10 +0100
Subject: [PATCH 2/2] Remove extra nul byte in signature data
To: gnupg-devel@gnupg.org
* src/agent.c (scute_agent_sign): Check for extra nul byte at the
beginning of signature data.
--
GPG Agent 2.1 prepends a nul byte in the signature value if the first
byte has its most significant bit set, to prevent it from being
interpreted as a sign bit (see agent_pksign_do, in GnuPG's
agent/pksign.c).
But Scute expects the signature to be always of a fixed size (128 or
256 bytes), and it will reject a signature containing this extra nul
byte.
This patch makes Scute read the effective size of the signature from
the S-expression, and remove the prepended nul byte if present.
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
---
src/agent.c | 57 ++++++++++++++++++++++++++++++++-------------------------
1 file changed, 32 insertions(+), 25 deletions(-)
diff --git a/src/agent.c b/src/agent.c
index 9265ca2..547c587 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -981,13 +981,12 @@ pksign_cb (void *opaque, const void *buffer, size_t length)
}
-#define SIG_PREFIX "(7:sig-val(3:rsa(1:s128:"
-#define SIG_PREFIX_2 "(7:sig-val(3:rsa(1:s256:"
+#define SIG_PREFIX "(7:sig-val(3:rsa(1:s"
#define SIG_PREFIX_LEN (sizeof (SIG_PREFIX) - 1)
#define SIG_POSTFIX ")))"
#define SIG_POSTFIX_LEN (sizeof (SIG_POSTFIX) - 1)
-#define SIG_LEN 128
-#define SIG_LEN_2 256
+#define SIG_MIN_LEN 128
+#define SIG_MAX_LEN 256
/* Call the agent to learn about a smartcard. */
gpg_error_t
@@ -1009,14 +1008,14 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
if (sig_result == NULL)
{
/* FIXME: We return the largest supported size - is that correct? */
- *sig_len = SIG_LEN_2;
+ *sig_len = SIG_MAX_LEN;
return 0;
}
if (len > MAX_DATA_LEN)
return gpg_error (GPG_ERR_INV_ARG);
- if (grip == NULL || sig_result == NULL || *sig_len < SIG_LEN)
+ if (grip == NULL || sig_result == NULL || *sig_len < SIG_MIN_LEN)
return gpg_error (GPG_ERR_INV_ARG);
snprintf (cmd, sizeof (cmd), "SIGKEY %s", grip);
@@ -1041,30 +1040,38 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
return err;
/* FIXME: we need a real parser to cope with all kind of S-expressions. */
- if (sig.len == SIG_PREFIX_LEN + SIG_LEN_2 + SIG_POSTFIX_LEN)
+ if (!memcmp (sig.data, SIG_PREFIX, SIG_PREFIX_LEN))
{
- if (memcmp (sig.data, SIG_PREFIX_2, SIG_PREFIX_LEN))
- return gpg_error (GPG_ERR_BAD_SIGNATURE);
- if (memcmp (sig.data + sig.len - SIG_POSTFIX_LEN,
- SIG_POSTFIX, SIG_POSTFIX_LEN))
- return gpg_error (GPG_ERR_BAD_SIGNATURE);
- memcpy (sig_result, sig.data + SIG_PREFIX_LEN, SIG_LEN_2);
- *sig_len = SIG_LEN_2;
- }
- else
- {
- if (sig.len != SIG_PREFIX_LEN + SIG_LEN + SIG_POSTFIX_LEN)
+ unsigned char *sig_val;
+ unsigned int sig_val_len;
+
+ sig_val_len = strtol (sig.data + SIG_PREFIX_LEN, (char **)&sig_val, 10);
+
+ if (*(sig_val++) != ':')
return gpg_error (GPG_ERR_BAD_SIGNATURE);
- if (memcmp (sig.data, SIG_PREFIX, SIG_PREFIX_LEN))
+ if (sig.len != sig_val - sig.data + sig_val_len + SIG_POSTFIX_LEN)
return gpg_error (GPG_ERR_BAD_SIGNATURE);
- if (memcmp (sig.data + sig.len - SIG_POSTFIX_LEN,
- SIG_POSTFIX, SIG_POSTFIX_LEN))
+ if (memcmp (sig.data + sig.len - SIG_POSTFIX_LEN, SIG_POSTFIX,
+ SIG_POSTFIX_LEN))
return gpg_error (GPG_ERR_BAD_SIGNATURE);
- memcpy (sig_result, sig.data + SIG_PREFIX_LEN, SIG_LEN);
- *sig_len = SIG_LEN;
+
+ if ( *sig_val == 0 && *(sig_val+1) & 0x80 )
+ {
+ /* Remove the extra nul byte that was added to prevent
+ * the signature from being interpreted as a negative value. */
+ sig_val += 1;
+ sig_val_len -= 1;
+ }
+
+ if ( sig_val_len > *sig_len )
+ return gpg_error (GPG_ERR_TOO_LARGE);
+
+ memcpy (sig_result, sig_val, sig_val_len);
+ *sig_len = sig_val_len;
}
-
-
+ else
+ return gpg_error( GPG_ERR_BAD_SIGNATURE ); /* Unexpected prefix. */
+
return 0;
}
--
1.8.4

13
l/scute/include-sexp-parse.patch
Unescape View File

@ -0,0 +1,13 @@
diff --git a/src/Makefile.am b/src/Makefile.am
index 43fa086..9ceef93 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -58,7 +58,7 @@ sources = cryptoki.h pkcs11.h debug.c debug.h settings.h support.h \
p11-signrecover.c p11-signrecoverinit.c p11-signupdate.c \
p11-unwrapkey.c p11-verify.c p11-verifyfinal.c p11-verifyinit.c \
p11-verifyrecover.c p11-verifyrecoverinit.c p11-verifyupdate.c \
- p11-waitforslotevent.c p11-wrapkey.c
+ p11-waitforslotevent.c p11-wrapkey.c sexp-parse.h
if HAVE_LD_VERSION_SCRIPT

1
l/scute/scute-1.4.0.tar.bz2.sha1
Unescape View File

@ -1 +0,0 @@
e28141d2b03612c09512651795976c58ed3f8035 scute-1.4.0.tar.bz2

31
l/scute/scute.SlackBuild
Unescape View File

@ -1,6 +1,6 @@
#!/bin/bash
# Build script for Slackware
# Copyright (C) 2014 Damien Goutte-Gattat
# Copyright (C) 2014,2015 Damien Goutte-Gattat
#
# Redistribution and use of this script, with or without modifications,
# is permitted provided that the following conditions are met:
@ -26,13 +26,15 @@
# Source package infos
NAMESRC=${NAMESRC:-scute}
VERSION=${VERSION:-1.4.0}
VERSION=${VERSION:-1.5.0}
ARCHIVE=${ARCHIVE:-$NAMESRC-$VERSION.tar.bz2}
WGET=${WGET:-ftp://ftp.gnupg.org/gcrypt/scute/$ARCHIVE}
GITREV=${GITREV:-e22c8cf}
# Build infos
NAMEPKG=${NAMEPKG:-scute}
BUILD=${BUILD:-6GGD}
VERSIONPKG=${VERSIONPKG:-${VERSION}g$GITREV}
BUILD=${BUILD:-1GGD}
ARCH=${ARCH:-$(uname -m | sed 's/^i.86$/i486/;s/^arm.*/arm/')}
JOBS=${JOBS:-1}
EXT=${EXT:-txz}
@ -72,10 +74,17 @@ esac
# Get and verify the source archive
if [ ! -r $ARCHIVE ]; then
wget -c -O $ARCHIVE.part "$WGET"
mv $ARCHIVE.part $ARCHIVE
git clone git://git.gnupg.org/scute.git
cd scute
patch -p 1 < $CWD/include-sexp-parse.patch
./autogen.sh --force
./configure --enable-maintainer-mode
make -j $JOBS
make dist
mv $ARCHIVE ..
cd ..
rm -rf scute
fi
sha1sum -c $ARCHIVE.sha1
NAME=$(tar ft $ARCHIVE | head -n 1 | cut -d / -f 1)
# Compile
@ -83,10 +92,6 @@ cd $TMP
echo "Building $ARCHIVE..."
tar xf $CWD/$ARCHIVE
cd $NAME
# Add support for TLS 1.2 message digest...
patch -p 1 < $CWD/0001-Allow-signing-with-other-algorithms-than-MD5-SHA1.patch
# and GnuPG 2.1.x
patch -p 1 < $CWD/0002-Remove-extra-nul-byte-in-signature-data.patch
CFLAGS=$CPUOPT \
CXXFLAGS=$CPUOPT \
./configure \
@ -102,8 +107,8 @@ rm $PKG/usr/info/dir
find $PKG/usr/info -type f -exec gzip -9 {} \;
# Install the documentation
mkdir -p $PKG/usr/doc/$NAMEPKG-$VERSION
install -m 644 AUTHORS COPYING ChangeLog NEWS README TODO $PKG/usr/doc/$NAMEPKG-$VERSION
mkdir -p $PKG/usr/doc/$NAMEPKG-$VERSIONPKG
install -m 644 AUTHORS COPYING ChangeLog NEWS README TODO $PKG/usr/doc/$NAMEPKG-$VERSIONPKG
# Copy slack-desc file
install -D -m 644 $CWD/slack-desc $PKG/install/slack-desc
@ -113,7 +118,7 @@ cd $PKG
mkdir -p $OUT
PACKAGING="
chown root:root . -R
/sbin/makepkg -l y -c n $OUT/$NAMEPKG-$VERSION-$ARCH-$BUILD.$EXT
/sbin/makepkg -l y -c n $OUT/$NAMEPKG-$VERSIONPKG-$ARCH-$BUILD.$EXT
rm -rf $PKG
rm -rf $TMP/$NAME
"

Write Preview
Loading…
Cancel
Save