diff --git a/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch b/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch deleted file mode 100644 index 8d4f703a3dd14..0000000000000 --- a/pkgs/tools/security/gnupg/24-allow-import-of-previously-known-keys-even-without-UI.patch +++ /dev/null @@ -1,107 +0,0 @@ -From: Vincent Breitmoser -Date: Thu, 13 Jun 2019 21:27:42 +0200 -Subject: gpg: allow import of previously known keys, even without UIDs - -* g10/import.c (import_one): Accept an incoming OpenPGP certificate that -has no user id, as long as we already have a local variant of the cert -that matches the primary key. - --- - -This fixes two of the three broken tests in import-incomplete.scm. - -GnuPG-Bug-id: 4393 -Signed-off-by: Daniel Kahn Gillmor ---- - g10/import.c | 44 +++++++++++--------------------------------- - 1 file changed, 11 insertions(+), 33 deletions(-) - - -diff --git a/g10/import.c b/g10/import.c -index 9fab46ca6..61896a6bf 100644 ---- a/g10/import.c -+++ b/g10/import.c -@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl, - size_t an; - char pkstrbuf[PUBKEY_STRING_SIZE]; - int merge_keys_done = 0; -- int any_filter = 0; - KEYDB_HANDLE hd = NULL; - - if (r_valid) -@@ -1992,13 +1991,6 @@ import_one_real (ctrl_t ctrl, - } - - -- if (!uidnode) -- { -- if (!silent) -- log_error( _("key %s: no user ID\n"), keystr_from_pk(pk)); -- return 0; -- } -- - if (screener && screener (keyblock, screener_arg)) - { - log_error (_("key %s: %s\n"), keystr_from_pk (pk), -@@ -2078,18 +2070,10 @@ import_one_real (ctrl_t ctrl, - } - } - -- /* Delete invalid parts and bail out if there are no user ids left. */ -- if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs)) -- { -- if (!silent) -- { -- log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk)); -- if (!opt.quiet) -- log_info(_("this may be caused by a missing self-signature\n")); -- } -- stats->no_user_id++; -- return 0; -- } -+ /* Delete invalid parts, and note if we have any valid ones left. -+ * We will later abort import if this key is new but contains -+ * no valid uids. */ -+ delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs); - - /* Get rid of deleted nodes. */ - commit_kbnode (&keyblock); -@@ -2099,24 +2083,11 @@ import_one_real (ctrl_t ctrl, - { - apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid); - commit_kbnode (&keyblock); -- any_filter = 1; - } - if (import_filter.drop_sig) - { - apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig); - commit_kbnode (&keyblock); -- any_filter = 1; -- } -- -- /* If we ran any filter we need to check that at least one user id -- * is left in the keyring. Note that we do not use log_error in -- * this case. */ -- if (any_filter && !any_uid_left (keyblock)) -- { -- if (!opt.quiet ) -- log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk)); -- stats->no_user_id++; -- return 0; - } - - /* The keyblock is valid and ready for real import. */ -@@ -2174,6 +2145,13 @@ import_one_real (ctrl_t ctrl, - err = 0; - stats->skipped_new_keys++; - } -+ else if (err && !any_uid_left (keyblock)) -+ { -+ if (!silent) -+ log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid)); -+ err = 0; -+ stats->no_user_id++; -+ } - else if (err) /* Insert this key. */ - { - /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY. */ diff --git a/pkgs/tools/security/gnupg/24-revert-rfc4880bis-defaults.patch b/pkgs/tools/security/gnupg/24-revert-rfc4880bis-defaults.patch deleted file mode 100644 index 8bc65ede79c06..0000000000000 --- a/pkgs/tools/security/gnupg/24-revert-rfc4880bis-defaults.patch +++ /dev/null @@ -1,200 +0,0 @@ -From 1e4f1550996334d2a631a5d769e937d29ace47bb Mon Sep 17 00:00:00 2001 -From: Jakub Jelen -Date: Thu, 9 Feb 2023 16:38:58 +0100 -Subject: [PATCH gnupg] Revert the introduction of the RFC4880bis draft into - defaults - -This reverts commit 4583f4fe2 (gpg: Merge --rfc4880bis features into ---gnupg, 2022-10-31). ---- - g10/gpg.c | 35 ++++++++++++++++++++++++++++++++--- - g10/keygen.c | 30 ++++++++++++++++++------------ - 2 files changed, 50 insertions(+), 15 deletions(-) - -diff --git a/g10/gpg.c b/g10/gpg.c -index dcab0a11a..796888013 100644 ---- a/g10/gpg.c -+++ b/g10/gpg.c -@@ -247,6 +247,7 @@ enum cmd_and_opt_values - oGnuPG, - oRFC2440, - oRFC4880, -+ oRFC4880bis, - oOpenPGP, - oPGP7, - oPGP8, -@@ -636,6 +637,7 @@ static gpgrt_opt_t opts[] = { - ARGPARSE_s_n (oGnuPG, "no-pgp8", "@"), - ARGPARSE_s_n (oRFC2440, "rfc2440", "@"), - ARGPARSE_s_n (oRFC4880, "rfc4880", "@"), -+ ARGPARSE_s_n (oRFC4880bis, "rfc4880bis", "@"), - ARGPARSE_s_n (oOpenPGP, "openpgp", N_("use strict OpenPGP behavior")), - ARGPARSE_s_n (oPGP7, "pgp6", "@"), - ARGPARSE_s_n (oPGP7, "pgp7", "@"), -@@ -978,7 +980,6 @@ static gpgrt_opt_t opts[] = { - ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"), - ARGPARSE_s_s (oNoop, "aead-algo", "@"), - ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"), -- ARGPARSE_s_n (oNoop, "rfc4880bis", "@"), - ARGPARSE_s_n (oNoop, "override-compliance-check", "@"), - - -@@ -2227,7 +2228,7 @@ static struct gnupg_compliance_option compliance_options[] = - { - { "gnupg", oGnuPG }, - { "openpgp", oOpenPGP }, -- { "rfc4880bis", oGnuPG }, -+ { "rfc4880bis", oRFC4880bis }, - { "rfc4880", oRFC4880 }, - { "rfc2440", oRFC2440 }, - { "pgp6", oPGP7 }, -@@ -2243,8 +2244,28 @@ static struct gnupg_compliance_option compliance_options[] = - static void - set_compliance_option (enum cmd_and_opt_values option) - { -+ opt.flags.rfc4880bis = 0; /* Clear because it is initially set. */ -+ - switch (option) - { -+ case oRFC4880bis: -+ opt.flags.rfc4880bis = 1; -+ opt.compliance = CO_RFC4880; -+ opt.flags.dsa2 = 1; -+ opt.flags.require_cross_cert = 1; -+ opt.rfc2440_text = 0; -+ opt.allow_non_selfsigned_uid = 1; -+ opt.allow_freeform_uid = 1; -+ opt.escape_from = 1; -+ opt.not_dash_escaped = 0; -+ opt.def_cipher_algo = 0; -+ opt.def_digest_algo = 0; -+ opt.cert_digest_algo = 0; -+ opt.compress_algo = -1; -+ opt.s2k_mode = 3; /* iterated+salted */ -+ opt.s2k_digest_algo = DIGEST_ALGO_SHA256; -+ opt.s2k_cipher_algo = CIPHER_ALGO_AES256; -+ break; - case oOpenPGP: - case oRFC4880: - /* This is effectively the same as RFC2440, but with -@@ -2288,6 +2309,7 @@ set_compliance_option (enum cmd_and_opt_values option) - case oPGP8: opt.compliance = CO_PGP8; break; - case oGnuPG: - opt.compliance = CO_GNUPG; -+ opt.flags.rfc4880bis = 1; - break; - - case oDE_VS: -@@ -2491,6 +2513,7 @@ main (int argc, char **argv) - opt.emit_version = 0; - opt.weak_digests = NULL; - opt.compliance = CO_GNUPG; -+ opt.flags.rfc4880bis = 1; - - /* Check special options given on the command line. */ - orig_argc = argc; -@@ -3033,6 +3056,7 @@ main (int argc, char **argv) - case oOpenPGP: - case oRFC2440: - case oRFC4880: -+ case oRFC4880bis: - case oPGP7: - case oPGP8: - case oGnuPG: -@@ -3862,6 +3886,11 @@ main (int argc, char **argv) - if( may_coredump && !opt.quiet ) - log_info(_("WARNING: program may create a core file!\n")); - -+ if (!opt.flags.rfc4880bis) -+ { -+ opt.mimemode = 0; /* This will use text mode instead. */ -+ } -+ - if (eyes_only) { - if (opt.set_filename) - log_info(_("WARNING: %s overrides %s\n"), -@@ -4078,7 +4107,7 @@ main (int argc, char **argv) - /* Check our chosen algorithms against the list of legal - algorithms. */ - -- if(!GNUPG) -+ if(!GNUPG && !opt.flags.rfc4880bis) - { - const char *badalg=NULL; - preftype_t badtype=PREFTYPE_NONE; -diff --git a/g10/keygen.c b/g10/keygen.c -index a2cfe3ccf..2a1dd1f81 100644 ---- a/g10/keygen.c -+++ b/g10/keygen.c -@@ -404,7 +404,7 @@ keygen_set_std_prefs (const char *string,int personal) - strcat(dummy_string,"S7 "); - strcat(dummy_string,"S2 "); /* 3DES */ - -- if (!openpgp_aead_test_algo (AEAD_ALGO_OCB)) -+ if (opt.flags.rfc4880bis && !openpgp_aead_test_algo (AEAD_ALGO_OCB)) - strcat(dummy_string,"A2 "); - - if (personal) -@@ -889,7 +889,7 @@ keygen_upd_std_prefs (PKT_signature *sig, void *opaque) - /* Make sure that the MDC feature flag is set if needed. */ - add_feature_mdc (sig,mdc_available); - add_feature_aead (sig, aead_available); -- add_feature_v5 (sig, 1); -+ add_feature_v5 (sig, opt.flags.rfc4880bis); - add_keyserver_modify (sig,ks_modify); - keygen_add_keyserver_url(sig,NULL); - -@@ -3382,7 +3382,10 @@ parse_key_parameter_part (ctrl_t ctrl, - } - } - else if (!ascii_strcasecmp (s, "v5")) -- keyversion = 5; -+ { -+ if (opt.flags.rfc4880bis) -+ keyversion = 5; -+ } - else if (!ascii_strcasecmp (s, "v4")) - keyversion = 4; - else -@@ -3641,7 +3644,7 @@ parse_key_parameter_part (ctrl_t ctrl, - * ecdsa := Use algorithm ECDSA. - * eddsa := Use algorithm EdDSA. - * ecdh := Use algorithm ECDH. -- * v5 := Create version 5 key -+ * v5 := Create version 5 key (requires option --rfc4880bis) - * - * There are several defaults and fallbacks depending on the - * algorithm. PART can be used to select which part of STRING is -@@ -4513,9 +4516,9 @@ read_parameter_file (ctrl_t ctrl, const char *fname ) - } - } - -- if ((keywords[i].key == pVERSION -- || keywords[i].key == pSUBVERSION)) -- ; /* Ignore version. */ -+ if (!opt.flags.rfc4880bis && (keywords[i].key == pVERSION -+ || keywords[i].key == pSUBVERSION)) -+ ; /* Ignore version unless --rfc4880bis is active. */ - else - { - r = xmalloc_clear( sizeof *r + strlen( value ) ); -@@ -4610,11 +4613,14 @@ quickgen_set_para (struct para_data_s *para, int for_subkey, - para = r; - } - -- r = xmalloc_clear (sizeof *r + 20); -- r->key = for_subkey? pSUBVERSION : pVERSION; -- snprintf (r->u.value, 20, "%d", version); -- r->next = para; -- para = r; -+ if (opt.flags.rfc4880bis) -+ { -+ r = xmalloc_clear (sizeof *r + 20); -+ r->key = for_subkey? pSUBVERSION : pVERSION; -+ snprintf (r->u.value, 20, "%d", version); -+ r->next = para; -+ para = r; -+ } - - if (keytime) - { diff --git a/pkgs/tools/security/gnupg/24.nix b/pkgs/tools/security/gnupg/24.nix index c59b9475ef05c..8c340f3b32062 100644 --- a/pkgs/tools/security/gnupg/24.nix +++ b/pkgs/tools/security/gnupg/24.nix @@ -2,6 +2,7 @@ lib, stdenv, fetchurl, + fetchFromGitLab, buildPackages, pkg-config, texinfo, @@ -68,15 +69,30 @@ stdenv.mkDerivation rec { ] ++ lib.optionals withTpm2Tss [ tpm2-tss ]; - patches = [ - ./fix-libusb-include-path.patch - ./tests-add-test-cases-for-import-without-uid.patch - ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch - ./24-allow-import-of-previously-known-keys-even-without-UI.patch - ./24-revert-rfc4880bis-defaults.patch - # Patch for DoS vuln from https://seclists.org/oss-sec/2022/q3/27 - ./v3-0001-Disallow-compressed-signatures-and-certificates.patch - ]; + freepgPatches = fetchFromGitLab { + domain = "gitlab.com"; + owner = "freepg"; + repo = "gnupg"; + rev = "541772915dc4ec832c37f85bc629a22051f0e8f7"; + hash = "sha256-QOUY6EfJbTTN242BtzLojDgECGjUwbLfPJgzn/mj5L8="; + }; + + patches = + [ + ./fix-libusb-include-path.patch + ./CVE-2022-3219.patch + ] + ++ lib.map (v: "${freepgPatches}/STABLE-BRANCH-2-4-freepg/" + v) [ + "0002-gpg-accept-subkeys-with-a-good-revocation-but-no-sel.patch" + "0003-gpg-allow-import-of-previously-known-keys-even-witho.patch" + "0004-tests-add-test-cases-for-import-without-uid.patch" + "0005-gpg-drop-import-clean-from-default-keyserver-import-.patch" + "0006-Do-not-use-OCB-mode-even-if-AEAD-OCB-key-preference-.patch" + "0007-Revert-the-introduction-of-the-RFC4880bis-draft-into.patch" + "0008-avoid-systemd-deprecation-warning.patch" + "0009-Add-systemd-support-for-keyboxd.patch" + "0010-doc-Remove-profile-and-systemd-example-files.patch" + ]; postPatch = '' diff --git a/pkgs/tools/security/gnupg/v3-0001-Disallow-compressed-signatures-and-certificates.patch b/pkgs/tools/security/gnupg/CVE-2022-3219.patch similarity index 100% rename from pkgs/tools/security/gnupg/v3-0001-Disallow-compressed-signatures-and-certificates.patch rename to pkgs/tools/security/gnupg/CVE-2022-3219.patch