From 381a76d7aff0f6dcad6ff41700d8d1dc3f683f47 Mon Sep 17 00:00:00 2001 From: Kevin Mihelich <kevin@archlinuxarm.org> Date: Tue, 26 Jan 2021 12:20:19 +0000 Subject: [PATCH] core/libgcrypt to 1.9.0-2 --- core/libgcrypt/PKGBUILD | 17 +++- .../libgcrypt-1.9.0-fix-ed25519.patch | 95 +++++++++++++++++++ 2 files changed, 107 insertions(+), 5 deletions(-) create mode 100644 core/libgcrypt/libgcrypt-1.9.0-fix-ed25519.patch diff --git a/core/libgcrypt/PKGBUILD b/core/libgcrypt/PKGBUILD index a518434c8..e58c94744 100644 --- a/core/libgcrypt/PKGBUILD +++ b/core/libgcrypt/PKGBUILD @@ -5,8 +5,8 @@ # - fix screwed up capability detection pkgname=libgcrypt -pkgver=1.8.7 -pkgrel=1 +pkgver=1.9.0 +pkgrel=2 pkgdesc="General purpose cryptographic library based on the code from GnuPG" arch=(x86_64) url="https://www.gnupg.org" @@ -14,13 +14,20 @@ license=('LGPL') depends=('libgpg-error') options=('!emptydirs') # https://www.gnupg.org/download/integrity_check.html -source=(https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2{,.sig}) -sha1sums=('ea79a279b27bf25cb1564f96693128f8fc9f41d6' - 'SKIP') +source=(https://gnupg.org/ftp/gcrypt/${pkgname}/${pkgname}-${pkgver}.tar.bz2{,.sig} + libgcrypt-1.9.0-fix-ed25519.patch) +sha1sums=('459383a8b6200673cfc31f7b265c4961c0850031' + 'SKIP' + '7721be79a4de70be2def86f3e97416c380acd9cb') validpgpkeys=('6DAA6E64A76D2840571B4902528897B826403ADA') # "Werner Koch (dist signing 2020)" prepare() { cd "${pkgname}"-${pkgver} + + # fix gpg-agent crash using Ed25519 keys - FS#69389 + # https://lists.gnupg.org/pipermail/gcrypt-devel/2021-January/005076.html + patch -Np1 -i ../libgcrypt-1.9.0-fix-ed25519.patch + # tests fail due to systemd+libseccomp preventing memory syscalls when building in chroots # t-secmem: line 176: gcry_control (GCRYCTL_INIT_SECMEM, pool_size, 0) failed: General error # FAIL: t-secmem diff --git a/core/libgcrypt/libgcrypt-1.9.0-fix-ed25519.patch b/core/libgcrypt/libgcrypt-1.9.0-fix-ed25519.patch new file mode 100644 index 000000000..13ce088c4 --- /dev/null +++ b/core/libgcrypt/libgcrypt-1.9.0-fix-ed25519.patch @@ -0,0 +1,95 @@ +diff --git a/cipher/ecc-curves.c b/cipher/ecc-curves.c +index 26006d6c..900b668a 100644 +--- a/cipher/ecc-curves.c ++++ b/cipher/ecc-curves.c +@@ -1200,13 +1200,18 @@ mpi_ec_setup_elliptic_curve (mpi_ec_t ec, int flags, + + if ((n+7)/8 != len) + { +- if ((n+7)/8 < len && ec->dialect == ECC_DIALECT_ED25519) ++ if (ec->dialect == ECC_DIALECT_ED25519) + { + /* + * GnuPG (<= 2.2) or OpenPGP implementations with no + * SOS support may remove zeros at the beginning. + * Recover those zeros. + */ ++ /* ++ * Also, GnuPG (<= 2.2) may add additional zero at ++ * the beginning, when private key is moved from ++ * OpenPGP to gpg-agent. Remove such a zero-prefix. ++ */ + const unsigned char *buf; + unsigned char *value; + +@@ -1214,13 +1219,26 @@ mpi_ec_setup_elliptic_curve (mpi_ec_t ec, int flags, + if (!buf) + return GPG_ERR_INV_OBJ; + +- value = xtrycalloc_secure (1, len); ++ value = xtrymalloc_secure (len); + if (!value) + return gpg_err_code_from_syserror (); + +- memset (value, 0, len - (n+7)/8); +- memcpy (value + len - (n+7)/8, buf, (n+7)/8); +- mpi_set_opaque (ec->d, value, len); ++ if ((n+7)/8 < len) ++ /* Recover zeros. */ ++ { ++ memset (value, 0, len - (n+7)/8); ++ memcpy (value + len - (n+7)/8, buf, (n+7)/8); ++ } ++ else if ((n+7)/8 == len + 1) ++ /* Remove a zero. */ ++ memcpy (value, buf+1, len); ++ else ++ { ++ xfree (value); ++ return GPG_ERR_INV_OBJ; ++ } ++ ++ mpi_set_opaque (ec->d, value, len*8); + } + else + { +diff --git a/cipher/ecc.c b/cipher/ecc.c +index b4672d3d..5d8c7607 100644 +--- a/cipher/ecc.c ++++ b/cipher/ecc.c +@@ -688,6 +688,8 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms) + mpi_ec_t ec = NULL; + int flags = 0; + ++ _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_SIGN, 0); ++ + /* + * Extract the key. + */ +@@ -700,7 +702,6 @@ ecc_sign (gcry_sexp_t *r_sig, gcry_sexp_t s_data, gcry_sexp_t keyparms) + goto leave; + } + +- _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_SIGN, 0); + ctx.flags |= flags; + if (ec->model == MPI_EC_EDWARDS && ec->dialect == ECC_DIALECT_SAFECURVE) + ctx.flags |= PUBKEY_FLAG_EDDSA; +@@ -783,6 +784,9 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t s_keyparms) + mpi_ec_t ec = NULL; + int flags = 0; + ++ _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_VERIFY, ++ ecc_get_nbits (s_keyparms)); ++ + /* + * Extract the key. + */ +@@ -804,8 +808,6 @@ ecc_verify (gcry_sexp_t s_sig, gcry_sexp_t s_data, gcry_sexp_t s_keyparms) + goto leave; + } + +- _gcry_pk_util_init_encoding_ctx (&ctx, PUBKEY_OP_VERIFY, +- ecc_get_nbits (s_keyparms)); + ctx.flags |= flags; + if (ec->model == MPI_EC_EDWARDS && ec->dialect == ECC_DIALECT_SAFECURVE) + ctx.flags |= PUBKEY_FLAG_EDDSA;