Pullup ticket #5472 - requested by sevan security/libksba: bugfix Revisions pulled up: - security/libksba/Makefile 1.34 - security/libksba/distinfo 1.22 - security/libksba/patches/patch-src_cms.c 1.1 --- Module Name: pkgsrc Committed By: gdt Date: Tue May 30 22:40:17 UTC 2017 Modified Files: pkgsrc/security/libksba: Makefile distinfo Added Files: pkgsrc/security/libksba/patches: patch-src_cms.c Log Message: Add patch to resolve gpgsm S/MIME failures S/MIME messages encrypted with gpgsm are sometimes not decodable by other implementations. Discussion on gnupg-devel indicates that gpg (via libksba) is incorrectly dropping leading zeros from the encrypted session key. This commit adds a patch by Daiki Ueno from the mailinglist that appears to improve interoperability. Upstream has not yet applied it, but also has not said that it is wrong.

(bsiegert)

@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.33 2016/08/22 12:32:11 wiz Exp $
+# $NetBSD: Makefile,v 1.33.6.1 2017/06/13 19:34:53 bsiegert Exp $
 
 DISTNAME=	libksba-1.3.5
+PKGREVISION=	1
 CATEGORIES=	security
 MASTER_SITES=	ftp://ftp.gnupg.org/gcrypt/libksba/
 EXTRACT_SUFX=	.tar.bz2

@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.21 2016/08/22 12:32:11 wiz Exp $
+$NetBSD: distinfo,v 1.21.6.1 2017/06/13 19:34:53 bsiegert Exp $
 
 SHA1 (libksba-1.3.5.tar.bz2) = a98385734a0c3f5b713198e8d6e6e4aeb0b76fde
 RMD160 (libksba-1.3.5.tar.bz2) = ee7c752196ae89ce798007b076e8eb695d6c4ea9
@@ -6,3 +6,4 @@
 Size (libksba-1.3.5.tar.bz2) = 620649 bytes
 SHA1 (patch-aa) = f2e63361afb95d5469153efaecebcb8719938d58
 SHA1 (patch-src_Makefile.in) = 484f6c02bc382b8c5647ce867f30bb2c4073580f
+SHA1 (patch-src_cms.c) = e98ae5b586e99bea440ac5fdad80549a0f8fface

$NetBSD: patch-src_cms.c,v 1.1.2.2 2017/06/13 19:34:53 bsiegert Exp $ Avoid dropping leading zeros in encoded session key. Patch by Daiki Ueno, taken from discussion on gnupg-devel: https://lists.gnupg.org/pipermail/gnupg-devel/2016-February/030825.html (Upstream has been asked to apply this patch, but so far has not.) --- src/cms.c.orig 2013-03-15 19:26:38.000000000 +0000 +++ src/cms.c @@ -87,6 +87,8 @@ static const char oid_signingTime[9] = " static const char oidstr_smimeCapabilities[] = "1.2.840.113549.1.9.15"; +static const char oidstr_rsaEncryption[] = "1.2.840.113549.1.1.1"; + /* Helper for read_and_hash_cont(). */ @@ -1621,7 +1623,7 @@ ksba_cms_set_sig_val (ksba_cms_t cms, in return gpg_error (GPG_ERR_ENOMEM); if (n==3 && s[0] == 'r' && s[1] == 's' && s[2] == 'a') { /* kludge to allow "rsa" to be passed as algorithm name */ - sv->algo = xtrystrdup ("1.2.840.113549.1.1.1"); + sv->algo = xtrystrdup (oidstr_rsaEncryption); if (!sv->algo) { xfree (sv); @@ -1674,9 +1676,10 @@ ksba_cms_set_sig_val (ksba_cms_t cms, in return gpg_error (GPG_ERR_INV_SEXP); } - if (n > 1 && !*s) + if (strcmp (sv->algo, oidstr_rsaEncryption) != 0 && n > 1 && !*s) { /* We might have a leading zero due to the way we encode - MPIs - this zero should not go into the OCTECT STRING. */ + MPIs - this zero should not go into the OCTECT STRING, + unless it is explicitly allowed in the signature scheme. */ s++; n--; } @@ -1798,7 +1801,7 @@ ksba_cms_set_enc_val (ksba_cms_t cms, in xfree (cl->enc_val.algo); if (n==3 && s[0] == 'r' && s[1] == 's' && s[2] == 'a') { /* kludge to allow "rsa" to be passed as algorithm name */ - cl->enc_val.algo = xtrystrdup ("1.2.840.113549.1.1.1"); + cl->enc_val.algo = xtrystrdup (oidstr_rsaEncryption); if (!cl->enc_val.algo) return gpg_error (GPG_ERR_ENOMEM); } @@ -1831,9 +1834,10 @@ ksba_cms_set_enc_val (ksba_cms_t cms, in if (!n || *s != ':') return gpg_error (GPG_ERR_INV_SEXP); s++; - if (n > 1 && !*s) + if (strcmp (cl->enc_val.algo, oidstr_rsaEncryption) != 0 && n > 1 && !*s) { /* We might have a leading zero due to the way we encode - MPIs - this zero should not go into the OCTECT STRING. */ + MPIs - this zero should not go into the OCTECT STRING, + unless it is explicitly allowed in the encryption scheme. */ s++; n--; }