Benjamin Schieder <blindcoder@scavenger.homeip.net>:

GnuPGs ElGamal Type 20 Keys are comprimisable since version 1.0.2
The attached patch disables ElGamal Type 20 Keys.
See:
http://lists.gnupg.org/pipermail/gnupg-users/2003-November/020772.html
for the message and
http://lists.gnupg.org/pipermail/gnupg-users/2003-November/020771.html
for the patch.


git-svn-id: http://www.rocklinux.org/svn/rock-linux/trunk@1871 c5f82cb5-29bc-0310-9cd0-bff59a50e3bc

Documentation/Developers/CHANGELOG-RENE

@@ -3,6 +3,7 @@
 
  - Juergen Sawinski: fixed priority of nikolaus/gnupod-perlmods
  - Dimitar Zhekov: xfce upgrade 2/2
+ - Benjamin Schieder: disabled ElGamal Keys in GnuPG
 
 *) 2003-11-27 (2.0.0-rc3 - 2.0.0-rc4)
 

package/base/gnupg/disable_elgamal.patch

@@ -0,0 +1,63 @@
+diff -pruN gnupg-1.2.3_orig/g10/getkey.c gnupg-1.2.3/g10/getkey.c
+--- gnupg-1.2.3_orig/g10/getkey.c	2003-11-27 14:27:05.000000000 +0100
++++ gnupg-1.2.3/g10/getkey.c	2003-11-27 14:27:10.000000000 +0100
+@@ -1655,6 +1655,11 @@ merge_selfsigs_main( KBNODE keyblock, in
+         if ( x ) /* mask it down to the actual allowed usage */
+             key_usage &= x; 
+     }
++
++    /* Type 20 Elgamal keys are not usable. */
++    if(pk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++      key_usage=0;
++
+     pk->pubkey_usage = key_usage;
+ 
+     if ( !key_expire_seen ) {
+@@ -1869,6 +1874,13 @@ merge_selfsigs_subkey( KBNODE keyblock, 
+         if ( x ) /* mask it down to the actual allowed usage */
+             key_usage &= x; 
+     }
++
++    /* Type 20 Elgamal subkeys or any subkey on a type 20 primary are
++       not usable. */
++    if(mainpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL
++       || subpk->pubkey_algo==PUBKEY_ALGO_ELGAMAL)
++      key_usage=0;
++
+     subpk->pubkey_usage = key_usage;
+     
+     p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL);
+diff -pruN gnupg-1.2.3_orig/g10/keygen.c gnupg-1.2.3/g10/keygen.c
+--- gnupg-1.2.3_orig/g10/keygen.c	2003-11-27 14:27:05.000000000 +0100
++++ gnupg-1.2.3/g10/keygen.c	2003-11-27 14:27:10.000000000 +0100
+@@ -958,8 +958,6 @@ ask_algo (int addmode, unsigned int *r_u
+     tty_printf(    _("   (%d) DSA (sign only)\n"), 2 );
+     if( addmode )
+ 	tty_printf(    _("   (%d) ElGamal (encrypt only)\n"), 3 );
+-    if (opt.expert)
+-        tty_printf(    _("   (%d) ElGamal (sign and encrypt)\n"), 4 );
+     tty_printf(    _("   (%d) RSA (sign only)\n"), 5 );
+     if (addmode)
+         tty_printf(    _("   (%d) RSA (encrypt only)\n"), 6 );
+@@ -990,21 +988,6 @@ ask_algo (int addmode, unsigned int *r_u
+             *r_usage = PUBKEY_USAGE_SIG;
+ 	    break;
+ 	}
+-	else if( algo == 4 && opt.expert)
+-	  {
+-	    tty_printf(_(
+-"The use of this algorithm is only supported by GnuPG.  You will not be\n"
+-"able to use this key to communicate with PGP users.  This algorithm is also\n"
+-"very slow, and may not be as secure as the other choices.\n"));
+-
+-	    if( cpr_get_answer_is_yes("keygen.algo.elg_se",
+-				      _("Create anyway? ")))
+-	      {
+-		algo = PUBKEY_ALGO_ELGAMAL;
+-		*r_usage = PUBKEY_USAGE_ENC | PUBKEY_USAGE_SIG;
+-		break;
+-	      }
+-	}
+ 	else if( algo == 3 && addmode ) {
+ 	    algo = PUBKEY_ALGO_ELGAMAL_E;
+             *r_usage = PUBKEY_USAGE_ENC;

package/base/gnupg/gnupg.conf

@@ -30,7 +30,14 @@ pm_main() {
 	fi
 }
 
+gnupg_checkpatch() {
+	if [[ ${xsrctar} != *gnupg* ]] ; then
+		unset patchfiles
+	fi
+}
+
 hook_add postmake 5 "pm_main"
+hook_add prepatch 9 "gnupg_checkpatch"
 
 var_append configprefix " " 'CFLAGS="-I$pkg_openldap_prefix/include"'
 var_append configprefix " " 'LDFLAGS="-L$pkg_openldap_prefix/lib"'