[New] gnupg2


[New] gnupg2

Pierre-Emmanuel André
Hi,

This is a port for gnupg2.
All the tarballs must be untarred in security/.
Libksba and pinentry are necessary dependencies for gnupg2.
The following diff for gnupg1 is needed to permit the installation
of both 1 & 2 at the same time.
It could be fun if someone could test this port with a gnupg smartcard.

Regards,

--
Pierre-Emmanuel André <pea at raveland.org>
GPG key: 0x7AE329DC

Attachments: libksba-1.0.7.tgz (1K), pinentry-0.8.0.tgz (1K), gnupg-2.0.15.tgz (3K), gnupg-1.4.10p0.diff (915 bytes)

Re: [New] gnupg2

Olivier Mehani
On Tue, Jun 01, 2010 at 01:52:40PM +0200, Pierre-Emmanuel André wrote:
> This is a port for gnupg2

It builds and works on 4.7 GENERIC#112 amd64 after manually installing
CURRENT ports for libassuan and libgpg-error.

> The following diff for gnupg1 is needed to permit the installation
> of both 1 & 2 at the same time.

I didn't try this part.

> It could be fun if someone could test this port with a gnupg smartcard.

Hum, I actually have a card reader that I just set up under Linux [0].
My 4.7 is on a remote machine, but I'll try to track down a spare
machine and put a fresh 4.8 on it to try it all.

[0] http://www.narf.ssji.net/~shtrom/wiki/tips/openpgpsmartcard

--
Olivier Mehani <[hidden email]>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655


Re: [New] gnupg2

David Coppa
2010/11/3 Olivier Mehani <[hidden email]>:

> On Tue, Jun 01, 2010 at 01:52:40PM +0200, Pierre-Emmanuel André wrote:
>> This is a port for gnupg2
>
> It builds and works on 4.7 GENERIC#112 amd64 after manually installing
> CURRENT ports for libassuan and libgpg-error.
>
>> The following diff for gnupg1 is needed to permit the installation
>> of both 1 & 2 at the same time.
>
> I didn't try this part.
>
>> It could be fun if someone could test this port with a gnupg smartcard.
>
> Hum, I actually have a card reader that I just set up under Linux [0].
> My 4.7 is on a remote machine, but I'll try to track down a spare
> machine and put a fresh 4.8 on it to try it all.
>
> [0] http://www.narf.ssji.net/~shtrom/wiki/tips/openpgpsmartcard

It doesn't work. At least the OpenPGP SmartCard V2 I have.
This card requires pcsc-lite and ccid. I've ported both and they worked.
My work stopped at trying to make scdaemon work: threading issues made
me give up.

ciao,
david


Re: [New] gnupg2

David Coppa
On Wed, Nov 3, 2010 at 7:31 AM, David Coppa <[hidden email]> wrote:

> It doesn't work. At least the OpenPGP SmartCard V2 I have.
> This card requires pcsc-lite and ccid. I've ported both and they worked.
> My work stopped trying to make scdaemon working: threading issues made
> me give up.

I'm sorry. I was in a hurry to catch the train and wrote a lot of crap ;)

I meant to say that the reader I have, a Gemalto USB Shell Token V2,
only works with pcsc-lite and ccid.
The way gnupg2's scdaemon interfaces with pcsc-lite using the funky
"gnupg-pcsc-wrapper" (scdaemon -> gnupg-pcsc-wrapper -> pcscd -> ccid)
suffers from the usual threading issues on OpenBSD and does not work
at all.

A card reader which is correctly recognized by gnupg internal libusb
support should not have problems (maybe, didn't test it).

ciao,
David


Re: [New] gnupg2

David Coppa
On Wed, Nov 3, 2010 at 9:44 AM, David Coppa <[hidden email]> wrote:

> A card reader which is correctly recognized by gnupg internal libusb
> support should not have problems (maybe, didn't test it).

A reader like this one:

http://shop.kernelconcepts.de/product_info.php?&products_id=64


SCM SCR335 SmartCard reader works OK with GnuPG 2 (was Re: [New] gnupg2)

Olivier Mehani
Ahoy,

On Wed, Nov 03, 2010 at 07:31:38AM +0100, David Coppa wrote:
> >> It could be fun if someone could test this port with a gnupg smartcard.
> > Hum, I actually have a card reader that I just set up under Linux [0].
> > My 4.7 is on a remote machine, but I'll try to track down a spare
> > machine and put a fresh 4.8 on it to try it all.
> It doesn't work. At least the OpenPGP SmartCard V2 I have.
> This card requires pcsc-lite and ccid. I've ported both and they worked.
> My work stopped trying to make scdaemon working: threading issues made
> me give up.

I just found time, over the weekend, to install 4.8 on said spare machine.
My SCM SCR335 USB reader works nicely out of the box with just
gnupg-2-0-15. No need for pcsc-lite nor ccid.

After starting the GPG agent, I could list and use the keys, both for
signing, decryption AND remote SSH login. I jotted down some doc here
[0].

Next step is trying to see how to do system auth as well! (;

[0] https://www.narf.ssji.net/~shtrom/wiki/tips/openpgpsmartcard#doing_the_same_with_openbsd_48

--
Olivier Mehani <[hidden email]>
PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE  F5F9 F012 A6E2 98C6 6655


Re: SCM SCR335 SmartCard reader works OK with GnuPG 2 (was Re: [New] gnupg2)

Pierre-Emmanuel André
On Sun, Nov 07, 2010 at 10:15:54PM +1100, Olivier Mehani wrote:

> Ahoy,
>
> On Wed, Nov 03, 2010 at 07:31:38AM +0100, David Coppa wrote:
> > >> It could be fun if someone could test this port with a gnupg smartcard.
> > > Hum, I actually have a card reader that I just set up under Linux [0].
> > > My 4.7 is on a remote machine, but I'll try to track down a spare
> > > machine and put a fresh 4.8 on it to try it all.
> > It doesn't work. At least the OpenPGP SmartCard V2 I have.
> > This card requires pcsc-lite and ccid. I've ported both and they worked.
> > My work stopped trying to make scdaemon working: threading issues made
> > me give up.
>
> I just found time, over the week end, to install 4.8 on said spare machine.
> My SCM SCR335 USB reader works nicely out of the box with just
> gnupg-2-0-15. No need for pcsc-lite nor ccid.
>
> After starting the GPG agent, I could list and use the keys, both for
> signing, decryption AND remote SSH login. I jotted down some doc here
> [0].
>
> Next step is trying to see how to do system auth as well! (;
>
> [0] https://www.narf.ssji.net/~shtrom/wiki/tips/openpgpsmartcard#doing_the_same_with_openbsd_48

Nice :)
Thanks for your report.

Regards,

--
Pierre-Emmanuel André <pea at raveland.org>
GPG key: 0x7AE329DC


gnupg2 improvements (Was Re: SCM SCR335 SmartCard reader works OK with GnuPG 2)

David Coppa
On Mon, 08 Nov 2010, Pierre-Emmanuel André wrote:

> On Sun, Nov 07, 2010 at 10:15:54PM +1100, Olivier Mehani wrote:
> >
> > I just found time, over the week end, to install 4.8 on said spare machine.
> > My SCM SCR335 USB reader works nicely out of the box with just
> > gnupg-2-0-15. No need for pcsc-lite nor ccid.
> >
> > After starting the GPG agent, I could list and use the keys, both for
> > signing, decryption AND remote SSH login. I jotted down some doc here
> > [0].
> >
> > Next step is trying to see how to do system auth as well! (;
> >
> > [0] https://www.narf.ssji.net/~shtrom/wiki/tips/openpgpsmartcard#doing_the_same_with_openbsd_48
>
> Nice :)
> Thanks for your report.

Wonderful news! This is exactly the same card reader I've ordered to
replace my unusable Gemalto USB Shell Token.

Pierre, what about the following diff?

- Disable the pcscd wrapper because it's utterly broken with our current
  threading implementation

- Backport a patch from upstream that allows using all the available
  hash algorithms with scdaemon

- Fix license marker

- Fix wrong REGRESS_DEPENDS

- Switch to new-style LIB_DEPENDS/WANTLIB

- Adjust spacing

Ok?

Ciao,
David

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/gnupg2/Makefile,v
retrieving revision 1.5
diff -u -p -r1.5 Makefile
--- Makefile 18 Oct 2010 21:41:45 -0000 1.5
+++ Makefile 8 Nov 2010 09:11:53 -0000
@@ -3,6 +3,7 @@
 COMMENT = gnu privacy guard - a free PGP replacement
 
 DISTNAME = gnupg-2.0.16
+REVISION = 0
 CATEGORIES = security
 
 MASTER_SITES = ftp://ftp.gnupg.org/gcrypt/gnupg/ \
@@ -19,41 +20,43 @@ HOMEPAGE = http://www.gnupg.org/
 
 MAINTAINER = Pierre-Emmanuel Andre <[hidden email]>
 
-# GPLv3
+# GPLv3+
 PERMIT_PACKAGE_CDROM = Yes
 PERMIT_PACKAGE_FTP = Yes
-PERMIT_DISTFILES_CDROM= Yes
+PERMIT_DISTFILES_CDROM =Yes
 PERMIT_DISTFILES_FTP = Yes
 
 EXTRACT_SUFX = .tar.bz2
 
 MODULES = devel/gettext
 
-WANTLIB = c crypto z readline ssl termcap gpg-error idn
+WANTLIB += assuan bz2 c crypto curl gcrypt gpg-error
+WANTLIB += idn ksba pth readline ssl termcap usb z
 
 FLAVORS = ldap
 FLAVOR ?=
 USE_GROFF = Yes
 
+LIB_DEPENDS = ::devel/libusb \
+ ::archivers/bzip2 \
+ ::security/libassuan \
+ ::security/libgcrypt \
+ ::security/libksba \
+ ::net/curl \
+ ::devel/pth
+
 .if ${FLAVOR:L:Mldap}
-CONFIGURE_ARGS+= --enable-ldap
-LIB_DEPENDS+= ldap.>=8::databases/openldap
+CONFIGURE_ARGS += --enable-ldap
+WANTLIB += ldap
+LIB_DEPENDS += ::databases/openldap
 .else
-CONFIGURE_ARGS+= --disable-ldap
+CONFIGURE_ARGS += --disable-ldap
 .endif
 
-LIB_DEPENDS = usb::devel/libusb \
- bz2::archivers/bzip2 \
- assuan::security/libassuan \
- gcrypt::security/libgcrypt \
- ksba.::security/libksba \
- curl.>=6::net/curl \
- pth.::devel/pth
-
 RUN_DEPENDS = ::security/pinentry
 
 # gpg-agent must be installed to run the regress tests
-REGRESS_DEPENDS = ${PKGNAME}::${BUILD_PKGPATH}
+REGRESS_DEPENDS = :${PKGNAME}:${BUILD_PKGPATH}
 
 USE_GMAKE = Yes
 
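Review bot: `PERMIT_DISTFILES_CDROM =Yes` puts the space on the wrong side of the `=` while every other assignment in this hunk is written `VAR = value`; since the commit message lists "Adjust spacing", make it `PERMIT_DISTFILES_CDROM = Yes`. Note also that the new-style conversion drops the version constraints the old LIB_DEPENDS carried (`curl.>=6::net/curl`, `ldap.>=8::databases/openldap`) and the replacement `WANTLIB += ... curl` / `WANTLIB += ldap` lines carry none; if those majors are really required, keep them on the WANTLIB entries as `curl.>=6` and `ldap.>=8`.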
Index: patches/patch-g10_call-agent_c
===================================================================
RCS file: patches/patch-g10_call-agent_c
diff -N patches/patch-g10_call-agent_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-g10_call-agent_c 8 Nov 2010 09:11:53 -0000
@@ -0,0 +1,42 @@
+$OpenBSD$
+
+Patch from upstream: allow more hash algorithms when using scdaemon.
+Needed to use SHA2-family of functions with OpenPGPv2 cards, that do
+support them.
+
+--- g10/call-agent.c.orig Wed Feb 17 09:55:45 2010
++++ g10/call-agent.c Wed Nov  3 14:59:39 2010
+@@ -892,6 +892,23 @@ membuf_data_cb (void *opaque, const void *buffer, size
+   return 0;
+ }
+  
++
++static const char *
++hash_algo_option (int algo)
++{
++  switch (algo)
++    {
++    case GCRY_MD_RMD160: return "--hash=rmd160 ";
++    case GCRY_MD_SHA1  : return "--hash=sha1 ";
++    case GCRY_MD_SHA224: return "--hash=sha224 ";
++    case GCRY_MD_SHA256: return "--hash=sha256 ";
++    case GCRY_MD_SHA384: return "--hash=sha384 ";
++    case GCRY_MD_SHA512: return "--hash=sha512 ";
++    case GCRY_MD_MD5   : return "--hash=md5 ";
++    default:             return "";
++    }
++}
++
+ /* Send a sign command to the scdaemon via gpg-agent's pass thru
+    mechanism. */
+ int
+@@ -938,8 +955,7 @@ agent_scd_pksign (const char *serialno, int hashalgo,
+   else
+ #endif
+     snprintf (line, DIM(line)-1, "SCD PKSIGN %s%s",
+-              hashalgo == GCRY_MD_RMD160? "--hash=rmd160 " : "",
+-              serialno);
++              hash_algo_option (hashalgo), serialno);
+   line[DIM(line)-1] = 0;
+   rc = assuan_transact (agent_ctx, line, membuf_data_cb, &data,
+                         default_inq_cb, NULL, NULL, NULL);
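Review bot: the patch header says "Patch from upstream" but names no upstream commit or release, so add that reference; without it nobody can tell when the patch can be dropped on a later gnupg update. Note also that hash_algo_option passes MD5 and SHA-1 through alongside the SHA-2 family, so the digest actually sent in `SCD PKSIGN --hash=...` is whatever the caller's hashalgo is; the SHA-2 benefit described in the header only materialises when the user's digest preferences select it, and it is the card, not gpg, that accepts or rejects the algorithm.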
Index: patches/patch-scd_apdu_c
===================================================================
RCS file: patches/patch-scd_apdu_c
diff -N patches/patch-scd_apdu_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-scd_apdu_c 8 Nov 2010 09:11:53 -0000
@@ -0,0 +1,17 @@
+$OpenBSD$
+
+The pcscd wrapper does not work due to problems with our current
+threading implementation: one has to use a card reader supported
+by GnuPG's internal CCID driver.
+
+--- scd/apdu.c.orig Wed Mar 17 13:11:30 2010
++++ scd/apdu.c Wed Nov  3 11:35:04 2010
+@@ -66,7 +66,7 @@
+ /* Due to conflicting use of threading libraries we usually can't link
+    against libpcsclite.   Instead we use a wrapper program.  */
+ #ifdef USE_GNU_PTH
+-#if !defined(HAVE_W32_SYSTEM) && !defined(__CYGWIN__)
++#if !defined(HAVE_W32_SYSTEM) && !defined(__CYGWIN__) && !defined(__OpenBSD__)
+ #define NEED_PCSC_WRAPPER 1
+ #endif
+ #endif
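Review bot: this hunk only stops NEED_PCSC_WRAPPER from being defined on OpenBSD; as the comment two lines above says, the non-wrapper path links against libpcsclite directly, which is precisely the threading conflict the patch header wants to avoid, so scdaemon will still try the PC/SC backend whenever no CCID reader is found. Disable the PC/SC path explicitly for OpenBSD rather than merely unwrapping it, and say so in the patch header.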
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/gnupg2/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST 8 Jul 2010 16:57:54 -0000 1.1.1.1
+++ pkg/PLIST 8 Nov 2010 09:11:53 -0000
@@ -13,7 +13,7 @@ bin/gpgsm-gencert.sh
 @bin bin/scdaemon
 @bin bin/watchgnupg
 @info info/gnupg.info
-@bin libexec/gnupg-pcsc-wrapper
+@comment libexec/gnupg-pcsc-wrapper
 @bin libexec/gpg-check-pattern
 @bin libexec/gpg-preset-passphrase
 @bin libexec/gpg-protect-tool
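Review bot: switching `@bin libexec/gnupg-pcsc-wrapper` to `@comment` keeps the PLIST consistent with the apdu.c change, but it also implies the wrapper is still built and installed into the fake area only to be left out of the package; consider not building it at all on OpenBSD so the PLIST line can simply go away, or note in the patch header why it is kept.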


Re: gnupg2 improvements

David Coppa
On Mon, 08 Nov 2010, David Coppa wrote:

> Wonderful news! This is exactly the same card reader I've ordered to
> replace my unusable Gemalto USB Shell Token.

My new reader has just arrived yesterday and, most important, it works
like a charm:

$ gpg2 --card-status
gpg: directory `/home/dcoppa/.gnupg' created
gpg: new configuration file `/home/dcoppa/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/dcoppa/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/dcoppa/.gnupg/secring.gpg' created
gpg: keyring `/home/dcoppa/.gnupg/pubring.gpg' created
Application ID ...: D2760001240102000005000007DB0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 000007DB
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

$ gpg2 --card-edit
Application ID ...: D2760001240102000005000007DB0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 000007DB
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> help
quit       quit this menu
admin      show admin commands
help       show this help
list       list all available data
fetch      fetch the key specified in the card URL
passwd     menu to change or unblock the PIN
verify     verify the PIN and list all data
unblock    unblock the PIN using a Reset Code

gpg/card> admin
Admin commands are allowed

gpg/card> help
quit       quit this menu
admin      show admin commands
help       show this help
list       list all available data
name       change card holder's name
url        change URL to retrieve key
fetch      fetch the key specified in the card URL
login      change the login name
lang       change the language preferences
sex        change card holder's sex
cafpr      change a CA fingerprint
forcesig   toggle the signature force PIN flag
generate   generate new keys
passwd     menu to change or unblock the PIN
verify     verify the PIN and list all data
unblock    unblock the PIN using a Reset Code

gpg/card> name
Cardholder's surname: Coppa
Cardholder's given name: David

gpg/card> sex
Sex ((M)ale, (F)emale or space): M

gpg/card> lang
Language preferences: it

gpg/card> login
Login data (account name): dcoppa

gpg/card> list

Application ID ...: D2760001240102000005000007DB0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 000007DB
Name of cardholder: David Coppa
Language prefs ...: it
Sex ..............: male
URL of public key : [not set]
Login data .......: dcoppa
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

gpg/card> quit
$

I'm using the following gpg-agent wrapper:

--- cut here ---

# Copyright (c) 2010 Diego E. Petteno <[hidden email]>
# Available under CC-BY license (Attribution)

# Start gpg-agent (with ssh-agent emulation) unless one is already running
# for this user and has written its environment file.
if ! [ -f "${HOME}/.gpg-agent-info" ] ||
   ! pgrep -u "${USER}" gpg-agent >/dev/null; then
        gpg-agent --daemon --log-file ~/.gnupg/gpg-agent.log --write-env-file --enable-ssh-support
fi

# for ssh-agent forwarding, override gnome-keyring though!
# Remember a forwarded SSH_AUTH_SOCK so sourcing the env file below does
# not clobber it (quoted: an unquoted empty variable makes "[ -n ]" true).
if [ -n "${SSH_AUTH_SOCK}" ] && \
    [ "${SSH_AUTH_SOCK#/tmp/keyring-}" = "${SSH_AUTH_SOCK}" ]; then
    fwd_SSH_AUTH_SOCK=${SSH_AUTH_SOCK}
fi

. "${HOME}/.gpg-agent-info"
export GPG_AGENT_INFO
export SSH_AUTH_SOCK
export SSH_AGENT_PID

# Restore the forwarded agent socket if we saved one above
if [ "${fwd_SSH_AUTH_SOCK}" != "" ]; then
    SSH_AUTH_SOCK=${fwd_SSH_AUTH_SOCK}
    export SSH_AUTH_SOCK
fi

# Tell gpg-agent/pinentry which terminal to prompt on
GPG_TTY=$(tty)
export GPG_TTY

--- cut here ---

Invoked from ~/.profile with:

if [ -f "${HOME}/.gnupg/gpg-agent-wrapper" ]; then
        . "${HOME}/.gnupg/gpg-agent-wrapper"
fi

Having the new toy in my hands has led to a revised patch for
security/gnupg2:

Index: Makefile
===================================================================
RCS file: /cvs/ports/security/gnupg2/Makefile,v
retrieving revision 1.5
diff -u -p -r1.5 Makefile
--- Makefile 18 Oct 2010 21:41:45 -0000 1.5
+++ Makefile 12 Nov 2010 07:38:39 -0000
@@ -3,6 +3,7 @@
 COMMENT = gnu privacy guard - a free PGP replacement
 
 DISTNAME = gnupg-2.0.16
+REVISION = 0
 CATEGORIES = security
 
 MASTER_SITES = ftp://ftp.gnupg.org/gcrypt/gnupg/ \
@@ -19,41 +20,43 @@ HOMEPAGE = http://www.gnupg.org/
 
 MAINTAINER = Pierre-Emmanuel Andre <[hidden email]>
 
-# GPLv3
+# GPLv3+
 PERMIT_PACKAGE_CDROM = Yes
 PERMIT_PACKAGE_FTP = Yes
-PERMIT_DISTFILES_CDROM= Yes
+PERMIT_DISTFILES_CDROM =Yes
 PERMIT_DISTFILES_FTP = Yes
 
 EXTRACT_SUFX = .tar.bz2
 
 MODULES = devel/gettext
 
-WANTLIB = c crypto z readline ssl termcap gpg-error idn
+WANTLIB += assuan bz2 c crypto curl gcrypt gpg-error
+WANTLIB += idn ksba pth readline ssl termcap usb z
 
 FLAVORS = ldap
 FLAVOR ?=
 USE_GROFF = Yes
 
+LIB_DEPENDS = ::devel/libusb \
+ ::archivers/bzip2 \
+ ::security/libassuan \
+ ::security/libgcrypt \
+ ::security/libksba \
+ ::net/curl \
+ ::devel/pth
+
 .if ${FLAVOR:L:Mldap}
-CONFIGURE_ARGS+= --enable-ldap
-LIB_DEPENDS+= ldap.>=8::databases/openldap
+CONFIGURE_ARGS += --enable-ldap
+WANTLIB += ldap
+LIB_DEPENDS += ::databases/openldap
 .else
-CONFIGURE_ARGS+= --disable-ldap
+CONFIGURE_ARGS += --disable-ldap
 .endif
 
-LIB_DEPENDS = usb::devel/libusb \
- bz2::archivers/bzip2 \
- assuan::security/libassuan \
- gcrypt::security/libgcrypt \
- ksba.::security/libksba \
- curl.>=6::net/curl \
- pth.::devel/pth
-
 RUN_DEPENDS = ::security/pinentry
 
 # gpg-agent must be installed to run the regress tests
-REGRESS_DEPENDS = ${PKGNAME}::${BUILD_PKGPATH}
+REGRESS_DEPENDS = :${PKGNAME}:${BUILD_PKGPATH}
 
 USE_GMAKE = Yes
 
Index: patches/patch-g10_call-agent_c
===================================================================
RCS file: patches/patch-g10_call-agent_c
diff -N patches/patch-g10_call-agent_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-g10_call-agent_c 12 Nov 2010 07:38:39 -0000
@@ -0,0 +1,42 @@
+$OpenBSD$
+
+Patch from upstream: allow more hash algorithms when using scdaemon.
+Needed to use SHA2-family of functions with OpenPGPv2 cards, that do
+support them.
+
+--- g10/call-agent.c.orig Wed Feb 17 09:55:45 2010
++++ g10/call-agent.c Wed Nov  3 14:59:39 2010
+@@ -892,6 +892,23 @@ membuf_data_cb (void *opaque, const void *buffer, size
+   return 0;
+ }
+  
++
++static const char *
++hash_algo_option (int algo)
++{
++  switch (algo)
++    {
++    case GCRY_MD_RMD160: return "--hash=rmd160 ";
++    case GCRY_MD_SHA1  : return "--hash=sha1 ";
++    case GCRY_MD_SHA224: return "--hash=sha224 ";
++    case GCRY_MD_SHA256: return "--hash=sha256 ";
++    case GCRY_MD_SHA384: return "--hash=sha384 ";
++    case GCRY_MD_SHA512: return "--hash=sha512 ";
++    case GCRY_MD_MD5   : return "--hash=md5 ";
++    default:             return "";
++    }
++}
++
+ /* Send a sign command to the scdaemon via gpg-agent's pass thru
+    mechanism. */
+ int
+@@ -938,8 +955,7 @@ agent_scd_pksign (const char *serialno, int hashalgo,
+   else
+ #endif
+     snprintf (line, DIM(line)-1, "SCD PKSIGN %s%s",
+-              hashalgo == GCRY_MD_RMD160? "--hash=rmd160 " : "",
+-              serialno);
++              hash_algo_option (hashalgo), serialno);
+   line[DIM(line)-1] = 0;
+   rc = assuan_transact (agent_ctx, line, membuf_data_cb, &data,
+                         default_inq_cb, NULL, NULL, NULL);
Index: patches/patch-scd_apdu_c
===================================================================
RCS file: patches/patch-scd_apdu_c
diff -N patches/patch-scd_apdu_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-scd_apdu_c 12 Nov 2010 07:38:39 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+
+The pcsc backend does not work due to problems with our current
+threading implementation: one has to use a card reader supported
+by GnuPG's internal CCID driver.
+
+--- scd/apdu.c.orig Wed Mar 17 13:11:30 2010
++++ scd/apdu.c Fri Nov 12 08:30:02 2010
+@@ -66,7 +66,8 @@
+ /* Due to conflicting use of threading libraries we usually can't link
+    against libpcsclite.   Instead we use a wrapper program.  */
+ #ifdef USE_GNU_PTH
+-#if !defined(HAVE_W32_SYSTEM) && !defined(__CYGWIN__)
++/* XXX */
++#if !defined(HAVE_W32_SYSTEM) && !defined(__CYGWIN__) && !defined(__OpenBSD__)
+ #define NEED_PCSC_WRAPPER 1
+ #endif
+ #endif
+@@ -2388,6 +2389,10 @@ apdu_open_reader (const char *portstr, int *r_no_servi
+   /* No ctAPI configured, so lets try the PC/SC API */
+   if (!pcsc_api_loaded)
+     {
++      /* XXX */
++#ifdef __OpenBSD__
++      return -1;
++#endif
+ #ifndef NEED_PCSC_WRAPPER
+       void *handle;
+
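Review bot: the two `/* XXX */` markers should carry the actual reason (pcsc-lite conflicts with our current threading implementation, as the patch header says) so a future updater can judge whether they can be dropped. The unconditional `return -1` under `#ifdef __OpenBSD__` is what really disables the PC/SC backend here; it makes the earlier NEED_PCSC_WRAPPER change redundant at run time, so either keep only the early return or add a one-line comment explaining why both are wanted.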
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/gnupg2/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST 8 Jul 2010 16:57:54 -0000 1.1.1.1
+++ pkg/PLIST 12 Nov 2010 07:38:39 -0000
@@ -13,7 +13,7 @@ bin/gpgsm-gencert.sh
 @bin bin/scdaemon
 @bin bin/watchgnupg
 @info info/gnupg.info
-@bin libexec/gnupg-pcsc-wrapper
+@comment libexec/gnupg-pcsc-wrapper
 @bin libexec/gpg-check-pattern
 @bin libexec/gpg-preset-passphrase
 @bin libexec/gpg-protect-tool

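A small check over the `gpg2 --card-status` output quoted above, as an added example that is not part of the thread or of GnuPG: it parses the `Label ...: value` lines and flags card-state issues a practitioner wants to notice before putting a card into use (blocked PINs, no usable Reset Code, signature PIN not forced, empty key slots, sub-2048-bit RSA attributes). The field names and the constructed sample text are taken from the output in the post above.

```python
"""Parse `gpg2 --card-status` output and flag card-state hygiene issues."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the card-status block quoted in the post above, plus
# one of gpg's own log lines, which the parser must skip.
SAMPLE_CARD_STATUS = """\
gpg: keyring `/home/dcoppa/.gnupg/pubring.gpg' created
Application ID ...: D2760001240102000005000007DB0000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 000007DB
Name of cardholder: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
"""

# "Label ....: value": the label is the text before the dot/space padding.
_FIELD_RE = re.compile(r"^(?P<label>[A-Za-z][A-Za-z .]*?)[ .]*:\s?(?P<value>.*)$")


def parse_card_status(text: str) -> Dict[str, str]:
    """Return {label: value} for each field line; gpg: log lines are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("gpg:"):
            continue
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group("label").strip()] = m.group("value").strip()
    return fields


def pin_retry_counters(fields: Dict[str, str]) -> Tuple[int, int, int]:
    """Retry counters in gpg's printed order: user PIN, Reset Code, Admin PIN."""
    parts = fields.get("PIN retry counter", "").split()
    if len(parts) != 3:
        raise ValueError("unexpected PIN retry counter field: %r" % parts)
    user_pin, reset_code, admin_pin = (int(p) for p in parts)
    return user_pin, reset_code, admin_pin


def weak_key_attributes(fields: Dict[str, str]) -> List[str]:
    """Key slots declaring an RSA size below 2048 bits (e.g. '1024R')."""
    sizes = re.findall(r"(\d+)R\b", fields.get("Key attributes", ""))
    return [s + "R" for s in sizes if int(s) < 2048]


def card_warnings(fields: Dict[str, str]) -> List[str]:
    """Card-state findings worth acting on before the card goes into use."""
    warnings: List[str] = []
    user_pin, reset_code, admin_pin = pin_retry_counters(fields)
    if user_pin == 0:
        warnings.append("user PIN is blocked (retry counter 0)")
    if admin_pin == 0:
        warnings.append("Admin PIN is blocked; card can no longer be administered")
    if reset_code == 0:
        warnings.append("no usable Reset Code; a blocked user PIN can only be "
                        "unblocked with the Admin PIN")
    if fields.get("Signature PIN") != "forced":
        warnings.append("signature PIN not forced; one PIN entry allows "
                        "unlimited signatures until the card is reset")
    for slot in ("Signature key", "Encryption key", "Authentication key"):
        if fields.get(slot, "[none]") == "[none]":
            warnings.append(slot + " slot is empty")
    for attr in weak_key_attributes(fields):
        warnings.append("weak key attribute " + attr)
    return warnings


if __name__ == "__main__":
    parsed = parse_card_status(SAMPLE_CARD_STATUS)
    print("card %s (%s v%s)" % (parsed["Serial number"],
                                parsed["Manufacturer"], parsed["Version"]))
    for w in card_warnings(parsed):
        print("WARNING:", w)
```

On the sample card this reports the empty key slots and the zero Reset Code counter; the signature PIN is already forced, so no warning is raised for it.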

Re: gnupg2 improvements

Stuart Henderson
On 2010/11/12 10:54, David Coppa wrote:
>
> Having the new toy in my hands has led to a revised patch for
> security/gnupg2:

here's a diff which applies to -current, basically the same
+ fix a typo in comment.

I've checked the manpages and groff is still needed.

ok with me.


Index: Makefile
===================================================================
RCS file: /cvs/ports/security/gnupg2/Makefile,v
retrieving revision 1.6
diff -u -p -r1.6 Makefile
--- Makefile 11 Nov 2010 18:34:59 -0000 1.6
+++ Makefile 12 Nov 2010 10:14:30 -0000
@@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.6 2010/11/11 18:34:59 espie Exp $
+# $OpenBSD: Makefile,v 1.5 2010/10/18 21:41:45 espie Exp $
 
 COMMENT = gnu privacy guard - a free PGP replacement
 
 DISTNAME = gnupg-2.0.16
+REVISION = 0
 CATEGORIES = security
 
 MASTER_SITES = ftp://ftp.gnupg.org/gcrypt/gnupg/ \
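Review bot: the first hunk replaces the revision 1.6 `$OpenBSD$` keyword line with the 1.5 one, which shows the diff was taken from a checkout whose keyword had not been refreshed; drop that hunk before committing, cvs re-expands the keyword on its own.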
@@ -14,36 +15,26 @@ MASTER_SITES = ftp://ftp.gnupg.org/gcry
  ftp://pgp.iijlab.net/pub/pgp/gnupg/ \
  ftp://ring.aist.go.jp/pub/net/gnupg/gnupg/
 
-
 HOMEPAGE = http://www.gnupg.org/
 
 MAINTAINER = Pierre-Emmanuel Andre <[hidden email]>
 
-# GPLv3
+# GPLv3+
 PERMIT_PACKAGE_CDROM = Yes
 PERMIT_PACKAGE_FTP = Yes
-PERMIT_DISTFILES_CDROM= Yes
+PERMIT_DISTFILES_CDROM =Yes
 PERMIT_DISTFILES_FTP = Yes
 
+WANTLIB += assuan bz2 c crypto curl gcrypt gpg-error
+WANTLIB += idn ksba pth readline ssl termcap usb z
+
 EXTRACT_SUFX = .tar.bz2
 
 MODULES = devel/gettext
 
-WANTLIB = c crypto z readline ssl termcap gpg-error idn
-
 FLAVORS = ldap
 FLAVOR ?=
-USE_GROFF = Yes
 
-.if ${FLAVOR:L:Mldap}
-CONFIGURE_ARGS+= --enable-ldap
-LIB_DEPENDS+= ::databases/openldap
-WANTLIB += ldap.>=8
-.else
-CONFIGURE_ARGS+= --disable-ldap
-.endif
-
-WANTLIB += usb bz2 assuan gcrypt ksba curl.>=6 pth
 LIB_DEPENDS = ::devel/libusb \
  ::archivers/bzip2 \
  ::security/libassuan \
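Review bot: relative to the committed 1.6 shown in the `-` lines (`WANTLIB += ldap.>=8`, `WANTLIB += usb bz2 assuan gcrypt ksba curl.>=6 pth`) this hunk drops the `.>=8` and `.>=6` majors in favour of bare `ldap` and `curl` entries, so it loosens constraints 1.6 already had; keep them unless the versions are known to be unnecessary. The rest of the hunk is reordering (WANTLIB moved above EXTRACT_SUFX, the ldap block moved below LIB_DEPENDS), which makes the functional changes harder to spot; keeping the original layout would shrink the diff to the real fixes.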
@@ -52,19 +43,28 @@ LIB_DEPENDS = ::devel/libusb \
  ::net/curl \
  ::devel/pth
 
+.if ${FLAVOR:L:Mldap}
+CONFIGURE_ARGS += --enable-ldap
+WANTLIB += ldap
+LIB_DEPENDS += ::databases/openldap
+.else
+CONFIGURE_ARGS += --disable-ldap
+.endif
+
 RUN_DEPENDS = ::security/pinentry
 
 # gpg-agent must be installed to run the regress tests
-REGRESS_DEPENDS = ${PKGNAME}::${BUILD_PKGPATH}
+REGRESS_DEPENDS = :${PKGNAME}:${BUILD_PKGPATH}
 
 USE_GMAKE = Yes
+USE_GROFF = Yes
 
 CONFIGURE_STYLE = gnu
 CONFIGURE_ENV = CPPFLAGS="-I${LOCALBASE}/include" \
  LDFLAGS="-L${LOCALBASE}/lib"
 CONFIGURE_ARGS = docdir=${LOCALBASE}/share/doc/gnupg2
 
-# Avoid conflit with gnupg-1.x
+# Avoid conflict with gnupg-1.x
 post-install:
  @mv ${PREFIX}/man/man1/gpg-zip.1 ${PREFIX}/man/man1/gpg2-zip.1
 
Index: patches/patch-g10_call-agent_c
===================================================================
RCS file: patches/patch-g10_call-agent_c
diff -N patches/patch-g10_call-agent_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-g10_call-agent_c 12 Nov 2010 10:14:30 -0000
@@ -0,0 +1,42 @@
+$OpenBSD$
+
+Patch from upstream: allow more hash algorithms when using scdaemon.
+Needed to use SHA2-family of functions with OpenPGPv2 cards, that do
+support them.
+
+--- g10/call-agent.c.orig Wed Feb 17 09:55:45 2010
++++ g10/call-agent.c Wed Nov  3 14:59:39 2010
+@@ -892,6 +892,23 @@ membuf_data_cb (void *opaque, const void *buffer, size
+   return 0;
+ }
+  
++
++static const char *
++hash_algo_option (int algo)
++{
++  switch (algo)
++    {
++    case GCRY_MD_RMD160: return "--hash=rmd160 ";
++    case GCRY_MD_SHA1  : return "--hash=sha1 ";
++    case GCRY_MD_SHA224: return "--hash=sha224 ";
++    case GCRY_MD_SHA256: return "--hash=sha256 ";
++    case GCRY_MD_SHA384: return "--hash=sha384 ";
++    case GCRY_MD_SHA512: return "--hash=sha512 ";
++    case GCRY_MD_MD5   : return "--hash=md5 ";
++    default:             return "";
++    }
++}
++
+ /* Send a sign command to the scdaemon via gpg-agent's pass thru
+    mechanism. */
+ int
+@@ -938,8 +955,7 @@ agent_scd_pksign (const char *serialno, int hashalgo,
+   else
+ #endif
+     snprintf (line, DIM(line)-1, "SCD PKSIGN %s%s",
+-              hashalgo == GCRY_MD_RMD160? "--hash=rmd160 " : "",
+-              serialno);
++              hash_algo_option (hashalgo), serialno);
+   line[DIM(line)-1] = 0;
+   rc = assuan_transact (agent_ctx, line, membuf_data_cb, &data,
+                         default_inq_cb, NULL, NULL, NULL);
Index: patches/patch-scd_apdu_c
===================================================================
RCS file: patches/patch-scd_apdu_c
diff -N patches/patch-scd_apdu_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-scd_apdu_c 12 Nov 2010 10:14:30 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+
+The pcsc backend does not work due to problems with our current
+threading implementation: one has to use a card reader supported
+by GnuPG's internal CCID driver.
+
+--- scd/apdu.c.orig Wed Mar 17 13:11:30 2010
++++ scd/apdu.c Fri Nov 12 08:30:02 2010
+@@ -66,7 +66,8 @@
+ /* Due to conflicting use of threading libraries we usually can't link
+    against libpcsclite.   Instead we use a wrapper program.  */
+ #ifdef USE_GNU_PTH
+-#if !defined(HAVE_W32_SYSTEM) && !defined(__CYGWIN__)
++/* XXX */
++#if !defined(HAVE_W32_SYSTEM) && !defined(__CYGWIN__) && !defined(__OpenBSD__)
+ #define NEED_PCSC_WRAPPER 1
+ #endif
+ #endif
+@@ -2388,6 +2389,10 @@ apdu_open_reader (const char *portstr, int *r_no_servi
+   /* No ctAPI configured, so lets try the PC/SC API */
+   if (!pcsc_api_loaded)
+     {
++      /* XXX */
++#ifdef __OpenBSD__
++      return -1;
++#endif
+ #ifndef NEED_PCSC_WRAPPER
+       void *handle;
+
Index: pkg/PLIST
===================================================================
RCS file: /cvs/ports/security/gnupg2/pkg/PLIST,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 PLIST
--- pkg/PLIST 8 Jul 2010 16:57:54 -0000 1.1.1.1
+++ pkg/PLIST 12 Nov 2010 10:14:30 -0000
@@ -13,7 +13,7 @@ bin/gpgsm-gencert.sh
 @bin bin/scdaemon
 @bin bin/watchgnupg
 @info info/gnupg.info
-@bin libexec/gnupg-pcsc-wrapper
+@comment libexec/gnupg-pcsc-wrapper
 @bin libexec/gpg-check-pattern
 @bin libexec/gpg-preset-passphrase
 @bin libexec/gpg-protect-tool


Re: gnupg2 improvements

David Coppa
On Fri, Nov 12, 2010 at 11:15 AM, Stuart Henderson <[hidden email]> wrote:

> On 2010/11/12 10:54, David Coppa wrote:
>>
>> Having the new toy in my hands has led to a revised patch for
>> security/gnupg2:
>
> here's a diff which applies to -current, basically the same
> + fix a typo in comment.
>
> I've checked the manpages and groff is still needed.
>
> ok with me.

Thanks.
Last word goes to pea@... ;)

ciao,
david


Re: gnupg2 improvements

Pierre-Emmanuel André
On Fri, Nov 12, 2010 at 11:19:13AM +0100, David Coppa wrote:

> On Fri, Nov 12, 2010 at 11:15 AM, Stuart Henderson <[hidden email]> wrote:
> > On 2010/11/12 10:54, David Coppa wrote:
> >>
> >> Having the new toy in my hands has led to a revised patch for
> >> security/gnupg2:
> >
> > here's a diff which applies to -current, basically the same
> > + fix a typo in comment.
> >
> > I've checked the manpages and groff is still needed.
> >
> > ok with me.
>
> Thanks.
> Last word goes to pea@... ;)
>

Ok with me too.
Regards,

--
Pierre-Emmanuel André <pea at raveland.org>
GPG key: 0x7AE329DC