Merge pull request #215109 from afh/gnupg-libgcrypt-lts

{ lib, stdenv, fetchpatch, fetchurl, libgpg-error, enableCapabilities ? false, libcap }:

{ lib

, stdenv

, fetchurl

, libgpg-error

, enableCapabilities ? false, libcap

, buildPackages

# for passthru.tests

, gnupg

, libotr

, rsyslog

}:

assert enableCapabilities -> stdenv.isLinux;

stdenv.mkDerivation rec {

  pname = "libgcrypt";

  version = "1.5.6";

  version = "1.8.10";

  src = fetchurl {

    url = "mirror://gnupg/libgcrypt/libgcrypt-${version}.tar.bz2";

    sha256 = "0ydy7bgra5jbq9mxl5x031nif3m6y3balc6ndw2ngj11wnsjc61h";

    sha256 = "sha256-aJaRVQH5UeI9AtywRTRpwswiqk13oAH/c6JkfC0p590=";

  };

  patches = lib.optionals stdenv.isDarwin [

    (fetchpatch {

      name = "fix-x86_64-apple-darwin.patch";

      sha256 = "138sfwl1avpy19320dbd63mskspc1khlc93j1f1zmylxx3w19csi";

      url = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=71939faa7c54e7b4b28d115e748a85f134876a02";

    })

  ];

  outputs = [ "out" "dev" "info" ];

  outputBin = "dev";

  # The CPU Jitter random number generator must not be compiled with

  # optimizations and the optimize -O0 pragma only works for gcc.

  # The build enables -O2 by default for everything else.

  hardeningDisable = lib.optional stdenv.cc.isClang "fortify";

  depsBuildBuild = [ buildPackages.stdenv.cc ];

  buildInputs =

    [ libgpg-error ]

  buildInputs = [ libgpg-error ]

    ++ lib.optional enableCapabilities libcap;

  strictDeps = true;

  configureFlags = [ "--with-libgpg-error-prefix=${libgpg-error.dev}" ]

      ++ lib.optional (stdenv.hostPlatform.isMusl || (stdenv.hostPlatform.isDarwin && stdenv.hostPlatform.isAarch64)) "--disable-asm"; # for darwin see https://dev.gnupg.org/T5157

  # Necessary to generate correct assembly when compiling for aarch32 on

  # aarch64

  configurePlatforms = [ "host" "build" ];

  postConfigure = ''

    sed -i configure \

        -e 's/NOEXECSTACK_FLAGS=$/NOEXECSTACK_FLAGS="-Wa,--noexecstack"/'

  '';

  # Make sure libraries are correct for .pc and .la files

  # Also make sure includes are fixed for callers who don't use libgpgcrypt-config

  postInstall = ''

    sed -i 's,#include <gpg-error.h>,#include "${libgpg-error.dev}/include/gpg-error.h",g' $out/include/gcrypt.h

  postFixup = ''

    sed -i 's,#include <gpg-error.h>,#include "${libgpg-error.dev}/include/gpg-error.h",g' "$dev/include/gcrypt.h"

  '' + lib.optionalString enableCapabilities ''

    sed -i 's,\(-lcap\),-L${libcap.lib}/lib \1,' $out/lib/libgcrypt.la

  '';

  doCheck = true;

  passthru.tests = {

    inherit gnupg libotr rsyslog;

  };

  meta = with lib; {

    homepage = "https://www.gnu.org/software/libgcrypt/";

    description = "General-pupose cryptographic library";

    changelog = "https://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=blob;f=NEWS;hb=refs/tags/${pname}-${version}";

    description = "General-purpose cryptographic library";

    license = licenses.lgpl2Plus;

    platforms = platforms.all;

    knownVulnerabilities = [

      "CVE-2014-3591"

      "CVE-2015-0837"

      "CVE-2015-7511"

      "CVE-2017-0379"

      "CVE-2017-7526"

      "CVE-2017-9526"

      "CVE-2018-0495"

      "CVE-2018-6829"

      "CVE-2018-12437"

      "CVE-2018-12437" # CVE is about LibTomCrypt

    ];

  };

}

From 1c9cc97e9d47d73763810dcb4a36b6cdf31a2254 Mon Sep 17 00:00:00 2001

From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Date: Sun, 30 Jun 2019 11:54:35 -0400

Subject: [PATCH] dirmngr: Only use SKS pool CA for SKS pool

* dirmngr/http.c (http_session_new): when checking whether the

keyserver is the HKPS pool, check specifically against the pool name,

as ./configure might have been used to select a different default

keyserver.  It makes no sense to apply Kristian's certificate

authority to anything other than the literal host

hkps.pool.sks-keyservers.net.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

GnuPG-Bug-Id: 4593

---

 dirmngr/http.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dirmngr/http.c b/dirmngr/http.c

index 384f2569d..8e5d53939 100644

--- a/dirmngr/http.c

+++ b/dirmngr/http.c

@@ -767,7 +767,7 @@ http_session_new (http_session_t *r_session,

     is_hkps_pool = (intended_hostname

                     && !ascii_strcasecmp (intended_hostname,

-                                          get_default_keyserver (1)));

+                                          "hkps.pool.sks-keyservers.net"));

     /* If the user has not specified a CA list, and they are looking

      * for the hkps pool from sks-keyservers.net, then default to

-- 

2.22.0

 g10/import.c | 44 +++++++++++---------------------------------

 1 file changed, 11 insertions(+), 33 deletions(-)

diff --git a/g10/import.c b/g10/import.c

index 5d3162c..f9acf95 100644

index cd3363fc7..8f10771db 100644

--- a/g10/import.c

+++ b/g10/import.c

@@ -1788,7 +1788,6 @@ import_one_real (ctrl_t ctrl,

@@ -1858,7 +1858,6 @@ import_one_real (ctrl_t ctrl,

   size_t an;

   char pkstrbuf[PUBKEY_STRING_SIZE];

   int merge_keys_done = 0;

   KEYDB_HANDLE hd = NULL;

   if (r_valid)

@@ -1825,14 +1824,6 @@ import_one_real (ctrl_t ctrl,

       log_printf ("\n");

@@ -1896,13 +1895,6 @@ import_one_real (ctrl_t ctrl,

     }

-

-  if (!uidnode )

-    {

-      if (!silent)

   if (screener && screener (keyblock, screener_arg))

     {

       log_error (_("key %s: %s\n"), keystr_from_pk (pk),

@@ -1907,18 +1898,10 @@ import_one_real (ctrl_t ctrl,

@@ -1977,18 +1969,10 @@ import_one_real (ctrl_t ctrl,

 	  }

     }

-  /* Delete invalid parts and bail out if there are no user ids left.  */

-  if (!delete_inv_parts (ctrl, keyblock, keyid, options))

-  if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))

-    {

-      if (!silent)

-        {

+  /* Delete invalid parts, and note if we have any valid ones left.

+   * We will later abort import if this key is new but contains

+   * no valid uids.  */

+  delete_inv_parts (ctrl, keyblock, keyid, options);

+  delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);

   /* Get rid of deleted nodes.  */

   commit_kbnode (&keyblock);

@@ -1927,24 +1911,11 @@ import_one_real (ctrl_t ctrl,

@@ -1998,24 +1982,11 @@ import_one_real (ctrl_t ctrl,

     {

       apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);

       commit_kbnode (&keyblock);

     }

   /* The keyblock is valid and ready for real import.  */

@@ -2002,6 +1973,13 @@ import_one_real (ctrl_t ctrl,

@@ -2073,6 +2044,13 @@ import_one_real (ctrl_t ctrl,

       err = 0;

       stats->skipped_new_keys++;

     }

{ lib, stdenv, fetchurl, buildPackages

, pkg-config, texinfo

, gettext, libassuan, libgcrypt, libgpg-error, libiconv, libksba, npth

, adns, bzip2, gnutls, libusb1, openldap, readline, sqlite, zlib

, enableMinimal ? false

, withPcsc ? !enableMinimal, pcsclite

, guiSupport ? stdenv.isDarwin, pinentry

}:

with lib;

let

  pinentryBinaryPath = pinentry.binaryPath or "bin/pinentry";

in

assert guiSupport -> enableMinimal == false;

stdenv.mkDerivation rec {

  pname = "gnupg";

  version = "2.2.41";

  src = fetchurl {

    url = "mirror://gnupg/gnupg/${pname}-${version}.tar.bz2";

    hash = "sha256-E/MpEAel6FRvy3vAxmEM5EqqmzmVBZ1PgUW6Cf1b4+E=";

  };

  depsBuildBuild = [ buildPackages.stdenv.cc ];

  nativeBuildInputs = [ pkg-config texinfo ];

  buildInputs = [

    gettext libassuan libgcrypt libgpg-error libiconv libksba npth

  ] ++ lib.optionals (!enableMinimal) [

    adns bzip2 gnutls libusb1 openldap readline sqlite zlib

  ];

  patches = [

    ./fix-libusb-include-path.patch

    ./tests-add-test-cases-for-import-without-uid.patch

    ./accept-subkeys-with-a-good-revocation-but-no-self-sig.patch

    ./22-allow-import-of-previously-known-keys-even-without-UI.patch

  ];

  postPatch = ''

    sed -i 's,hkps://hkps.pool.sks-keyservers.net,hkps://keys.openpgp.org,g' configure doc/dirmngr.texi doc/gnupg.info-1

    # Fix broken SOURCE_DATE_EPOCH usage - remove on the next upstream update

    sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.am

    sed -i 's/$SOURCE_DATE_EPOCH/''${SOURCE_DATE_EPOCH}/' doc/Makefile.in

    '' + lib.optionalString (stdenv.isLinux && withPcsc) ''

      sed -i 's,"libpcsclite\.so[^"]*","${lib.getLib pcsclite}/lib/libpcsclite.so",g' scd/scdaemon.c

    '';

  configureFlags = [

    "--with-libgpg-error-prefix=${libgpg-error.dev}"

    "--with-libgcrypt-prefix=${libgcrypt.dev}"

    "--with-libassuan-prefix=${libassuan.dev}"

    "--with-ksba-prefix=${libksba.dev}"

    "--with-npth-prefix=${npth}"

  ]

  ++ lib.optional guiSupport "--with-pinentry-pgm=${pinentry}/${pinentryBinaryPath}"

  ++ lib.optional stdenv.isDarwin "--disable-ccid-driver";

  postInstall = if enableMinimal

  then ''

    rm -r $out/{libexec,sbin,share}

    for f in $(find $out/bin -type f -not -name gpg)

    do

      rm $f

    done

  '' else ''

    mkdir -p $out/lib/systemd/user

    for f in doc/examples/systemd-user/*.{service,socket} ; do

      substitute $f $out/lib/systemd/user/$(basename $f) \

        --replace /usr/bin $out/bin

    done

    # add gpg2 symlink to make sure git does not break when signing commits

    ln -s $out/bin/gpg $out/bin/gpg2

    # Make libexec tools available in PATH

    for f in $out/libexec/; do

      if [[ "$(basename $f)" == "gpg-wks-client" ]]; then continue; fi

      ln -s $f $out/bin/$(basename $f)

    done

    ln -s -t $out/bin $out/libexec/*

  '';

  enableParallelBuilding = true;

  passthru.tests.connman = nixosTests.gnupg;

  meta = with lib; {

    homepage = "https://gnupg.org";

    description = "LTS release of the GNU Privacy Guard, a GPL OpenPGP implementation";

    license = licenses.gpl3Plus;

    longDescription = ''

      The GNU Privacy Guard is the GNU project's complete and free

      implementation of the OpenPGP standard as defined by RFC4880.  GnuPG

      "modern" (2.1) is the latest development with a lot of new features.

      GnuPG allows to encrypt and sign your data and communication, features a

      versatile key management system as well as access modules for all kind of

      public key directories.  GnuPG, also known as GPG, is a command line tool

      with features for easy integration with other applications.  A wealth of

      frontend applications and libraries are available.  Version 2 of GnuPG

      also provides support for S/MIME.

    '';

    maintainers = with maintainers; [ fpletz vrthra ];

    platforms = platforms.all;

    mainProgram = "gpg";

  };

}

From: Vincent Breitmoser <look@my.amazin.horse>

Date: Thu, 13 Jun 2019 21:27:42 +0200

Subject: gpg: allow import of previously known keys, even without UIDs

* g10/import.c (import_one): Accept an incoming OpenPGP certificate that

has no user id, as long as we already have a local variant of the cert

that matches the primary key.

--

This fixes two of the three broken tests in import-incomplete.scm.

GnuPG-Bug-id: 4393

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

---

 g10/import.c | 44 +++++++++++---------------------------------

 1 file changed, 11 insertions(+), 33 deletions(-)

diff --git a/g10/import.c b/g10/import.c

index 9fab46ca6..61896a6bf 100644

--- a/g10/import.c

+++ b/g10/import.c

@@ -1954,7 +1954,6 @@ import_one_real (ctrl_t ctrl,

   size_t an;

   char pkstrbuf[PUBKEY_STRING_SIZE];

   int merge_keys_done = 0;

-  int any_filter = 0;

   KEYDB_HANDLE hd = NULL;

   if (r_valid)

@@ -1992,13 +1991,6 @@ import_one_real (ctrl_t ctrl,

     }

-  if (!uidnode)

-    {

-      if (!silent)

-        log_error( _("key %s: no user ID\n"), keystr_from_pk(pk));

-      return 0;

-    }

-

   if (screener && screener (keyblock, screener_arg))

     {

       log_error (_("key %s: %s\n"), keystr_from_pk (pk),

@@ -2078,18 +2070,10 @@ import_one_real (ctrl_t ctrl,

 	  }

     }

-  /* Delete invalid parts and bail out if there are no user ids left.  */

-  if (!delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs))

-    {

-      if (!silent)

-        {

-          log_error ( _("key %s: no valid user IDs\n"), keystr_from_pk(pk));

-          if (!opt.quiet)

-            log_info(_("this may be caused by a missing self-signature\n"));

-        }

-      stats->no_user_id++;

-      return 0;

-    }

+ /* Delete invalid parts, and note if we have any valid ones left.

+  * We will later abort import if this key is new but contains

+  * no valid uids.  */

+  delete_inv_parts (ctrl, keyblock, keyid, options, otherrevsigs);

   /* Get rid of deleted nodes.  */

   commit_kbnode (&keyblock);

@@ -2099,24 +2083,11 @@ import_one_real (ctrl_t ctrl,

     {

       apply_keep_uid_filter (ctrl, keyblock, import_filter.keep_uid);

       commit_kbnode (&keyblock);

-      any_filter = 1;

     }

   if (import_filter.drop_sig)

     {

       apply_drop_sig_filter (ctrl, keyblock, import_filter.drop_sig);

       commit_kbnode (&keyblock);

-      any_filter = 1;

-    }

-

-  /* If we ran any filter we need to check that at least one user id

-   * is left in the keyring.  Note that we do not use log_error in

-   * this case. */

-  if (any_filter && !any_uid_left (keyblock))

-    {

-      if (!opt.quiet )

-        log_info ( _("key %s: no valid user IDs\n"), keystr_from_pk (pk));

-      stats->no_user_id++;

-      return 0;

     }

   /* The keyblock is valid and ready for real import.  */

@@ -2174,6 +2145,13 @@ import_one_real (ctrl_t ctrl,

       err = 0;

       stats->skipped_new_keys++;

     }

+  else if (err && !any_uid_left (keyblock))

+    {

+      if (!silent)

+        log_info( _("key %s: new key but contains no user ID - skipped\n"), keystr(keyid));

+      err = 0;

+      stats->no_user_id++;

+    }

   else if (err)  /* Insert this key. */

     {

       /* Note: ERR can only be NO_PUBKEY or UNUSABLE_PUBKEY.  */