Browse Source

l/scute: Upgraded to scute-1.5.0ge22c8cf.

slackware-14.2
Damien Goutte-Gattat 6 years ago
parent
commit
66823ecfce
  1. 124
      l/scute/0001-Allow-signing-with-other-algorithms-than-MD5-SHA1.patch
  2. 126
      l/scute/0002-Remove-extra-nul-byte-in-signature-data.patch
  3. 13
      l/scute/include-sexp-parse.patch
  4. 1
      l/scute/scute-1.4.0.tar.bz2.sha1
  5. 31
      l/scute/scute.SlackBuild

124
l/scute/0001-Allow-signing-with-other-algorithms-than-MD5-SHA1.patch

@ -1,124 +0,0 @@
From f07f6c2639b0a127475aad7ccbeb40e10dc565e5 Mon Sep 17 00:00:00 2001
From: Damien Goutte-Gattat <dgouttegattat@incenp.org>
Date: Wed, 10 Dec 2014 01:13:23 +0100
Subject: [PATCH 1/2] Allow signing with other algorithms than MD5+SHA1
To: gnupg-devel@gnupg.org
* src/agent.c (scute_agent_sign): Determine the hash algorithm of the
message digest by checking for known ASN.1 prefixes.
* src/support.h (STR): New.
--
This is a streamlined version of a patch proposed by Werner Koch
<http://lists.gnupg.org/pipermail/gnupg-devel/2014-September/028750.html>
without unrelated, cosmetic changes.
---
src/agent.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++---
src/support.h | 3 +++
2 files changed, 57 insertions(+), 3 deletions(-)
diff --git a/src/agent.c b/src/agent.c
index 9265ca2..b1fdbf0 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -989,6 +989,28 @@ pksign_cb (void *opaque, const void *buffer, size_t length)
#define SIG_LEN 128
#define SIG_LEN_2 256
+
+static unsigned char sha1_prefix[15] = /* (1.3.14.3.2.26) */
+ { 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e, 0x03,
+ 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14 };
+static unsigned char sha224_prefix[19] = /* (2.16.840.1.101.3.4.2.4) */
+ { 0x30, 0x2D, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
+ 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, 0x05, 0x00, 0x04,
+ 0x1C };
+static unsigned char sha256_prefix[19] = /* (2.16.840.1.101.3.4.2.1) */
+ { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05,
+ 0x00, 0x04, 0x20 };
+static unsigned char sha384_prefix[19] = /* (2.16.840.1.101.3.4.2.2) */
+ { 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, 0x05,
+ 0x00, 0x04, 0x30 };
+static unsigned char sha512_prefix[19] = /* (2.16.840.1.101.3.4.2.3) */
+ { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86,
+ 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05,
+ 0x00, 0x04, 0x40 };
+
+
/* Call the agent to learn about a smartcard. */
gpg_error_t
scute_agent_sign (char *grip, unsigned char *data, int len,
@@ -996,10 +1018,12 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
{
char cmd[150];
gpg_error_t err;
-#define MAX_DATA_LEN 36
+#define MAX_DATA_LEN 64 /* For SHA-512 - see below. */
unsigned char pretty_data[2 * MAX_DATA_LEN + 1];
int i;
struct signature sig;
+ const char *algostr;
+ int off;
sig.len = 0;
@@ -1025,11 +1049,38 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
if (err)
return err;
+ /* Find out the digest algorithm and strip off the prefix. */
+#define X(a,b) \
+ (len == sizeof a ## _prefix + (b) \
+ && !memcmp (data, a ## _prefix, sizeof a ## _prefix)) \
+ { \
+ algostr = STR(a); \
+ off = sizeof a ## _prefix; \
+ len -= sizeof a ## _prefix; \
+ }
+
+ if (len == 36)
+ {
+ algostr = "tls-md5sha1";
+ off = 0;
+ }
+ else if X(sha1, 20)
+ else if X(sha224, 28)
+ else if X(sha256, 32)
+ else if X(sha384, 48)
+ else if X(sha512, 64) /* MAX_DATA_LEN must be at least this. */
+ else
+ {
+ DEBUG (DBG_INFO, "sign input data format is unknown, size=%d\n", len);
+ return gpg_error (GPG_ERR_DIGEST_ALGO);
+ }
+#undef X
+
for (i = 0; i < len; i++)
- snprintf (&pretty_data[2 * i], 3, "%02X", data[i]);
+ snprintf (&pretty_data[2 * i], 3, "%02X", data[off+i]);
pretty_data[2 * len] = '\0';
- snprintf (cmd, sizeof (cmd), "SETHASH --hash=tls-md5sha1 %s", pretty_data);
+ snprintf (cmd, sizeof (cmd), "SETHASH --hash=%s %s", algostr, pretty_data);
err = assuan_transact (agent_ctx, cmd, NULL, NULL, default_inq_cb,
NULL, NULL, NULL);
if (err)
diff --git a/src/support.h b/src/support.h
index 8f4d538..859d1de 100644
--- a/src/support.h
+++ b/src/support.h
@@ -40,6 +40,9 @@
#define xtoi_2(p) ((xtoi_1(p) * 16) + xtoi_1((p)+1))
#define DIM(x) (sizeof (x) / sizeof (x[0]))
+#ifndef STR
+# define STR(v) #v
+#endif
/* Copy a string into its location, with blank character padding. */
static inline void
--
1.8.4

126
l/scute/0002-Remove-extra-nul-byte-in-signature-data.patch

@ -1,126 +0,0 @@
From 3e13d5493c74427655a7208a7bc4fcbcabda6774 Mon Sep 17 00:00:00 2001
From: Damien Goutte-Gattat <dgouttegattat@incenp.org>
Date: Wed, 28 Jan 2015 16:03:10 +0100
Subject: [PATCH 2/2] Remove extra nul byte in signature data
To: gnupg-devel@gnupg.org
* src/agent.c (scute_agent_sign): Check for extra nul byte at the
beginning of signature data.
--
GPG Agent 2.1 prepends a nul byte in the signature value if the first
byte has its most significant bit set, to prevent it from being
interpreted as a sign bit (see agent_pksign_do, in GnuPG's
agent/pksign.c).
But Scute expects the signature to be always of a fixed size (128 or
256 bytes), and it will reject a signature containing this extra nul
byte.
This patch makes Scute read the effective size of the signature from
the S-expression, and remove the prepended nul byte if present.
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
---
src/agent.c | 57 ++++++++++++++++++++++++++++++++-------------------------
1 file changed, 32 insertions(+), 25 deletions(-)
diff --git a/src/agent.c b/src/agent.c
index 9265ca2..547c587 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -981,13 +981,12 @@ pksign_cb (void *opaque, const void *buffer, size_t length)
}
-#define SIG_PREFIX "(7:sig-val(3:rsa(1:s128:"
-#define SIG_PREFIX_2 "(7:sig-val(3:rsa(1:s256:"
+#define SIG_PREFIX "(7:sig-val(3:rsa(1:s"
#define SIG_PREFIX_LEN (sizeof (SIG_PREFIX) - 1)
#define SIG_POSTFIX ")))"
#define SIG_POSTFIX_LEN (sizeof (SIG_POSTFIX) - 1)
-#define SIG_LEN 128
-#define SIG_LEN_2 256
+#define SIG_MIN_LEN 128
+#define SIG_MAX_LEN 256
/* Call the agent to learn about a smartcard. */
gpg_error_t
@@ -1009,14 +1008,14 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
if (sig_result == NULL)
{
/* FIXME: We return the largest supported size - is that correct? */
- *sig_len = SIG_LEN_2;
+ *sig_len = SIG_MAX_LEN;
return 0;
}
if (len > MAX_DATA_LEN)
return gpg_error (GPG_ERR_INV_ARG);
- if (grip == NULL || sig_result == NULL || *sig_len < SIG_LEN)
+ if (grip == NULL || sig_result == NULL || *sig_len < SIG_MIN_LEN)
return gpg_error (GPG_ERR_INV_ARG);
snprintf (cmd, sizeof (cmd), "SIGKEY %s", grip);
@@ -1041,30 +1040,38 @@ scute_agent_sign (char *grip, unsigned char *data, int len,
return err;
/* FIXME: we need a real parser to cope with all kind of S-expressions. */
- if (sig.len == SIG_PREFIX_LEN + SIG_LEN_2 + SIG_POSTFIX_LEN)
+ if (!memcmp (sig.data, SIG_PREFIX, SIG_PREFIX_LEN))
{
- if (memcmp (sig.data, SIG_PREFIX_2, SIG_PREFIX_LEN))
- return gpg_error (GPG_ERR_BAD_SIGNATURE);
- if (memcmp (sig.data + sig.len - SIG_POSTFIX_LEN,
- SIG_POSTFIX, SIG_POSTFIX_LEN))
- return gpg_error (GPG_ERR_BAD_SIGNATURE);
- memcpy (sig_result, sig.data + SIG_PREFIX_LEN, SIG_LEN_2);
- *sig_len = SIG_LEN_2;
- }
- else
- {
- if (sig.len != SIG_PREFIX_LEN + SIG_LEN + SIG_POSTFIX_LEN)
+ unsigned char *sig_val;
+ unsigned int sig_val_len;
+
+ sig_val_len = strtol (sig.data + SIG_PREFIX_LEN, (char **)&sig_val, 10);
+
+ if (*(sig_val++) != ':')
return gpg_error (GPG_ERR_BAD_SIGNATURE);
- if (memcmp (sig.data, SIG_PREFIX, SIG_PREFIX_LEN))
+ if (sig.len != sig_val - sig.data + sig_val_len + SIG_POSTFIX_LEN)
return gpg_error (GPG_ERR_BAD_SIGNATURE);
- if (memcmp (sig.data + sig.len - SIG_POSTFIX_LEN,
- SIG_POSTFIX, SIG_POSTFIX_LEN))
+ if (memcmp (sig.data + sig.len - SIG_POSTFIX_LEN, SIG_POSTFIX,
+ SIG_POSTFIX_LEN))
return gpg_error (GPG_ERR_BAD_SIGNATURE);
- memcpy (sig_result, sig.data + SIG_PREFIX_LEN, SIG_LEN);
- *sig_len = SIG_LEN;
+
+ if ( *sig_val == 0 && *(sig_val+1) & 0x80 )
+ {
+ /* Remove the extra nul byte that was added to prevent
+ * the signature from being interpreted as a negative value. */
+ sig_val += 1;
+ sig_val_len -= 1;
+ }
+
+ if ( sig_val_len > *sig_len )
+ return gpg_error (GPG_ERR_TOO_LARGE);
+
+ memcpy (sig_result, sig_val, sig_val_len);
+ *sig_len = sig_val_len;
}
-
-
+ else
+ return gpg_error( GPG_ERR_BAD_SIGNATURE ); /* Unexpected prefix. */
+
return 0;
}
--
1.8.4

13
l/scute/include-sexp-parse.patch

@ -0,0 +1,13 @@
diff --git a/src/Makefile.am b/src/Makefile.am
index 43fa086..9ceef93 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -58,7 +58,7 @@ sources = cryptoki.h pkcs11.h debug.c debug.h settings.h support.h \
p11-signrecover.c p11-signrecoverinit.c p11-signupdate.c \
p11-unwrapkey.c p11-verify.c p11-verifyfinal.c p11-verifyinit.c \
p11-verifyrecover.c p11-verifyrecoverinit.c p11-verifyupdate.c \
- p11-waitforslotevent.c p11-wrapkey.c
+ p11-waitforslotevent.c p11-wrapkey.c sexp-parse.h
if HAVE_LD_VERSION_SCRIPT

1
l/scute/scute-1.4.0.tar.bz2.sha1

@ -1 +0,0 @@
e28141d2b03612c09512651795976c58ed3f8035 scute-1.4.0.tar.bz2

31
l/scute/scute.SlackBuild

@ -1,6 +1,6 @@
#!/bin/bash
# Build script for Slackware
# Copyright (C) 2014 Damien Goutte-Gattat
# Copyright (C) 2014,2015 Damien Goutte-Gattat
#
# Redistribution and use of this script, with or without modifications,
# is permitted provided that the following conditions are met:
@ -26,13 +26,15 @@
# Source package infos
NAMESRC=${NAMESRC:-scute}
VERSION=${VERSION:-1.4.0}
VERSION=${VERSION:-1.5.0}
ARCHIVE=${ARCHIVE:-$NAMESRC-$VERSION.tar.bz2}
WGET=${WGET:-ftp://ftp.gnupg.org/gcrypt/scute/$ARCHIVE}
GITREV=${GITREV:-e22c8cf}
# Build infos
NAMEPKG=${NAMEPKG:-scute}
BUILD=${BUILD:-6GGD}
VERSIONPKG=${VERSIONPKG:-${VERSION}g$GITREV}
BUILD=${BUILD:-1GGD}
ARCH=${ARCH:-$(uname -m | sed 's/^i.86$/i486/;s/^arm.*/arm/')}
JOBS=${JOBS:-1}
EXT=${EXT:-txz}
@ -72,10 +74,17 @@ esac
# Get and verify the source archive
if [ ! -r $ARCHIVE ]; then
wget -c -O $ARCHIVE.part "$WGET"
mv $ARCHIVE.part $ARCHIVE
git clone git://git.gnupg.org/scute.git
cd scute
patch -p 1 < $CWD/include-sexp-parse.patch
./autogen.sh --force
./configure --enable-maintainer-mode
make -j $JOBS
make dist
mv $ARCHIVE ..
cd ..
rm -rf scute
fi
sha1sum -c $ARCHIVE.sha1
NAME=$(tar ft $ARCHIVE | head -n 1 | cut -d / -f 1)
# Compile
@ -83,10 +92,6 @@ cd $TMP
echo "Building $ARCHIVE..."
tar xf $CWD/$ARCHIVE
cd $NAME
# Add support for TLS 1.2 message digest...
patch -p 1 < $CWD/0001-Allow-signing-with-other-algorithms-than-MD5-SHA1.patch
# and GnuPG 2.1.x
patch -p 1 < $CWD/0002-Remove-extra-nul-byte-in-signature-data.patch
CFLAGS=$CPUOPT \
CXXFLAGS=$CPUOPT \
./configure \
@ -102,8 +107,8 @@ rm $PKG/usr/info/dir
find $PKG/usr/info -type f -exec gzip -9 {} \;
# Install the documentation
mkdir -p $PKG/usr/doc/$NAMEPKG-$VERSION
install -m 644 AUTHORS COPYING ChangeLog NEWS README TODO $PKG/usr/doc/$NAMEPKG-$VERSION
mkdir -p $PKG/usr/doc/$NAMEPKG-$VERSIONPKG
install -m 644 AUTHORS COPYING ChangeLog NEWS README TODO $PKG/usr/doc/$NAMEPKG-$VERSIONPKG
# Copy slack-desc file
install -D -m 644 $CWD/slack-desc $PKG/install/slack-desc
@ -113,7 +118,7 @@ cd $PKG
mkdir -p $OUT
PACKAGING="
chown root:root . -R
/sbin/makepkg -l y -c n $OUT/$NAMEPKG-$VERSION-$ARCH-$BUILD.$EXT
/sbin/makepkg -l y -c n $OUT/$NAMEPKG-$VERSIONPKG-$ARCH-$BUILD.$EXT
rm -rf $PKG
rm -rf $TMP/$NAME
"

Loading…
Cancel
Save