Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package libksba for openSUSE:Factory checked in at 2026-05-12 19:26:22 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/libksba (Old) and /work/SRC/openSUSE:Factory/.libksba.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libksba" Tue May 12 19:26:22 2026 rev:51 rq:1352395 version:1.7.0 Changes: -------- --- /work/SRC/openSUSE:Factory/libksba/libksba.changes 2026-02-27 17:04:33.902831423 +0100 +++ /work/SRC/openSUSE:Factory/.libksba.new.1966/libksba.changes 2026-05-12 19:26:40.211091857 +0200 @@ -1,0 +2,11 @@ +Sun May 10 10:14:18 UTC 2026 - Andreas Stieger <[email protected]> + +- Update to 1.7.0: + * Add support for building AuthEnvelopedData + * New function ksba_cms_add_attribute + * Fix silent truncation of 64 bit length fields + * Fix incorrect overflow guard condition in _ksba_ber_read_tl + * Interface changes relative to the 1 + ksba_cms_add_attribute NEW. + +------------------------------------------------------------------- Old: ---- libksba-1.6.8.tar.bz2 libksba-1.6.8.tar.bz2.sig New: ---- libksba-1.7.0.tar.bz2 libksba-1.7.0.tar.bz2.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libksba.spec ++++++ --- /var/tmp/diff_new_pack.I3qjnE/_old 2026-05-12 19:26:40.899120372 +0200 +++ /var/tmp/diff_new_pack.I3qjnE/_new 2026-05-12 19:26:40.903120538 +0200 @@ -18,7 +18,7 @@ %define soname 8 Name: libksba -Version: 1.6.8 +Version: 1.7.0 Release: 0 Summary: A X.509 Library License: (GPL-2.0-or-later OR LGPL-3.0-or-later) AND GPL-3.0-or-later AND MIT @@ -27,7 +27,7 @@ Source: https://gnupg.org/ftp/gcrypt/libksba/%{name}-%{version}.tar.bz2 Source2: https://gnupg.org/ftp/gcrypt/libksba/%{name}-%{version}.tar.bz2.sig # https://www.gnupg.org/signature_key.html -Source3: https://gnupg.org/signature_key.asc#/%{name}.keyring +Source3: %{name}.keyring Source4: libksba.changes #PATCH-FIX-OPENSUSE Do not pull revision info from GIT when autoconf is run Patch0: libksba-nobetasuffix.patch @@ -35,7 +35,7 @@ BuildRequires: automake BuildRequires: libtool BuildRequires: pkgconfig -BuildRequires: pkgconfig(gpg-error) >= 1.8 +BuildRequires: pkgconfig(gpg-error) >= 1.28 %description KSBA is a library to simplify the task of working with X.509 ++++++ libksba-1.6.8.tar.bz2 -> libksba-1.7.0.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/ChangeLog new/libksba-1.7.0/ChangeLog --- old/libksba-1.6.8/ChangeLog 2026-02-23 14:41:02.000000000 +0100 +++ new/libksba-1.7.0/ChangeLog 2026-05-07 10:05:17.000000000 +0200 @@ -1,3 +1,91 @@ +2026-05-07 Werner Koch <[email protected]> + + Release 1.7.0. + + commit 941eed831904fb7b3a4d7a3ed55a6842cf6db478 + + +2026-05-06 Werner Koch <[email protected]> + + New function ksba_cms_add_attribute. + + commit 4cccd024e015a4a5f001fc40df909bea51c7ded4 + * src/visibility.c (ksba_cms_add_attribute): New. + * src/visibility.h (ksba_cms_add_attribute): New mapping. + * src/libksba.def: Add new function. + * src/libksba.vers: Ditto. + * src/ksba.h.in: Ditto. + * src/asn1-constants.h (TYPE_PRE_SET_OF): New. + * src/asn1-func.c (_ksba_asn_is_primitive): Add TYPE_PRE_SET_OF. + (_ksba_asn_node_dump): Ditto. + * src/cms.h (struct oidparmlist_s): Add fields 'unprotected' and + 'signeridx'. + (struct ksba_cms_s): Add field attribute_list. + * src/cms.c (ksba_cms_release): Free attribute_list. + (ksba_cms_add_smime_capability): Clear new fields. + (ksba_cms_add_attribute): New. + (build_signed_data_attributes): Implement attribute output. + * src/der-encoder.c (_ksba_der_store_set_of): New. + (set_nhdr_and_len): Handle TYPE_PRE_SET_OF. + (copy_nhdr_and_len): Ditto. + (_ksba_der_encode_tree): Encode TYPE_PRE_SET_OF. + + Minor debug output rework. + + commit 1624246505e671ffb2a63979322ffcb53ed0ca2c + * src/der-encoder.c (_ksba_der_encode_tree): Improve debug output. + (_ksba_der_encode_tree): Use gpgrt log fucntions for debug output. + +2026-05-05 Werner Koch <[email protected]> + + Various typo and comment fixes and minor test code output cleanup. + + commit 0ef4070116d65a185d2a3884fb738f529c483132 + * tests/t-common.h (print_sexp): Print space if no delimiter seen. + + Fix other silent truncation of length fields. + + commit 2d120e345537c64ea71ac9c6e796e9ac2e6669b4 + * src/ber-help.h (MAX_CRL_NUMBER_LENGTH): New. + (MAX_NAME_URL_LENGTH): New. + * src/crl.c (ksba_crl_get_auth_key_id): Error out if the length is + larger that a given limit. + (ksba_crl_get_crl_number): Ditto. + (parse_crl_entry): Ditto. + * src/name.c (_ksba_name_new_from_der): Ditto. + * src/ocsp.c (ksba_ocsp_get_responder_id): Ditto. + + Fix incorrect overflow guard condition in _ksba_ber_read_tl. + + commit 55be6f57b6369bf8e77053b9f3ce616ba29f4bb1 + * src/ber-help.c (_ksba_ber_read_tl): Remove useless extra overflow + check. + + Fix silent truncation of 64 bit length fields. + + commit c44cc98460ea42e393214dc6e23ff746196baefd + * src/ber-help.h (MAX_SERIALNO_LENGTH): New. + (MAX_KEYID_DER_LENGTH): New. + (MAX_CERT_EXT_LENGTH): New. + * src/cms.c (ksba_cms_get_issuer_serial): Error out if the s/n exceeds + a limit. + * src/cert.c (ksba_cert_get_serial): Ditto. + (ksba_cert_get_auth_key_id): Ditto. This also fixes a possible + corrupted s-exp due to an int overlow by a long on systems where this + differs. Also check the keyid length. + (get_simple_octet_string_ext): Likewise. + +2026-05-03 Werner Koch <[email protected]> + + Allow building AUTHENVELOPEDDATA. + + commit 8c640493cbcf53bc18e4442af6280e46f009cfee + * src/cms.h (struct ksba_cms_s): Add flag 'auth_mode'. + * src/cms.c (ksba_cms_set_content_type): Set flag. + (ksba_cms_set_message_digest): Extend to be used for setting the + authtag. + (ct_build_enveloped_data): Add new state WAITTAG and write the + authtag. + +2026-04-23 Werner Koch <[email protected]> + + crl: Fix minor memory leak in case of a corrupt DER structure. + + commit c8df64fe11e872c5a147fe0487cef6436b61d5b5 + * src/crl.c (parse_one_extension): Replace a return by a goto to make + sure everything is cleaned up. + 2026-02-23 Werner Koch <[email protected]> Release 1.6.8. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/NEWS new/libksba-1.7.0/NEWS --- old/libksba-1.6.8/NEWS 2026-02-23 14:38:20.000000000 +0100 +++ new/libksba-1.7.0/NEWS 2026-05-07 09:52:59.000000000 +0200 @@ -1,3 +1,22 @@ +Noteworthy changes in version 1.7.0 (2026-05-07) [C23/A15/R0] +------------------------------------------------ + + * Add support for building AuthEnvelopedData. [T3979] + + * New function ksba_cms_add_attribute. [T4537] + + * Fix silent truncation of 64 bit length fields. [T8246] + + * Fix incorrect overflow guard condition in _ksba_ber_read_tl. [T8247] + + * Interface changes relative to the 1.6.0 release: + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ksba_cms_add_attribute NEW. + + + Release-info: https://dev.gnupg.org/T8121 + + Noteworthy changes in version 1.6.8 (2026-02-23) [C22/A14/R8] ------------------------------------------------ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/configure new/libksba-1.7.0/configure --- old/libksba-1.6.8/configure 2026-02-23 14:40:55.000000000 +0100 +++ new/libksba-1.7.0/configure 2026-05-07 10:05:12.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.71 for libksba 1.6.8. +# Generated by GNU Autoconf 2.71 for libksba 1.7.0. # # Report bugs to <https://bugs.gnupg.org>. # @@ -621,8 +621,8 @@ # Identity of this package. PACKAGE_NAME='libksba' PACKAGE_TARNAME='libksba' -PACKAGE_VERSION='1.6.8' -PACKAGE_STRING='libksba 1.6.8' +PACKAGE_VERSION='1.7.0' +PACKAGE_STRING='libksba 1.7.0' PACKAGE_BUGREPORT='https://bugs.gnupg.org' PACKAGE_URL='' @@ -1408,7 +1408,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libksba 1.6.8 to adapt to many kinds of systems. +\`configure' configures libksba 1.7.0 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1479,7 +1479,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libksba 1.6.8:";; + short | recursive ) echo "Configuration of libksba 1.7.0:";; esac cat <<\_ACEOF @@ -1616,7 +1616,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libksba configure 1.6.8 +libksba configure 1.7.0 generated by GNU Autoconf 2.71 Copyright (C) 2021 Free Software Foundation, Inc. @@ -2161,7 +2161,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libksba $as_me 1.6.8, which was +It was created by libksba $as_me 1.7.0, which was generated by GNU Autoconf 2.71. Invocation command line was $ $0$ac_configure_args_raw @@ -2924,15 +2924,15 @@ # (Interfaces added: CURRENT++, AGE++, REVISION=0) # (No interfaces changed: REVISION++) # Please remember to document interface changes in the NEWS file. -LIBKSBA_LT_CURRENT=22 -LIBKSBA_LT_AGE=14 -LIBKSBA_LT_REVISION=8 +LIBKSBA_LT_CURRENT=23 +LIBKSBA_LT_AGE=15 +LIBKSBA_LT_REVISION=0 #------------------- # If the API is changed in an incompatible way: increment the next counter. KSBA_CONFIG_API_VERSION=1 -NEED_GPG_ERROR_VERSION=1.8 +NEED_GPG_ERROR_VERSION=1.28 @@ -3451,7 +3451,7 @@ # Define the identity of the package. PACKAGE='libksba' - VERSION='1.6.8' + VERSION='1.7.0' printf "%s\n" "#define PACKAGE \"$PACKAGE\"" >>confdefs.h @@ -13778,7 +13778,7 @@ -VERSION_NUMBER=0x010608 +VERSION_NUMBER=0x010700 @@ -16548,11 +16548,11 @@ # Generate extended version information for W32. if test "$have_w32_system" = yes; then BUILD_FILEVERSION=`echo "$VERSION" | sed 's/\([0-9.]*\).*/\1./;s/\./,/g'` - BUILD_FILEVERSION="${BUILD_FILEVERSION}14762" + BUILD_FILEVERSION="${BUILD_FILEVERSION}37918" fi -BUILD_REVISION="39aa843" +BUILD_REVISION="941eed8" printf "%s\n" "#define BUILD_REVISION \"$BUILD_REVISION\"" >>confdefs.h @@ -17148,7 +17148,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libksba $as_me 1.6.8, which was +This file was extended by libksba $as_me 1.7.0, which was generated by GNU Autoconf 2.71. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -17216,7 +17216,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config='$ac_cs_config_escaped' ac_cs_version="\\ -libksba config.status 1.6.8 +libksba config.status 1.7.0 configured by $0, generated by GNU Autoconf 2.71, with options \\"\$ac_cs_config\\" @@ -19172,7 +19172,7 @@ echo " Libksba v${VERSION} has been configured as follows: - Revision: 39aa843 (14762) + Revision: 941eed8 (37918) Platform: $host " diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/configure.ac new/libksba-1.7.0/configure.ac --- old/libksba-1.6.8/configure.ac 2026-02-23 14:30:30.000000000 +0100 +++ new/libksba-1.7.0/configure.ac 2026-05-07 09:57:57.000000000 +0200 @@ -29,8 +29,8 @@ # for the LT versions. m4_define([mym4_package],[libksba]) m4_define([mym4_major], [1]) -m4_define([mym4_minor], [6]) -m4_define([mym4_micro], [8]) +m4_define([mym4_minor], [7]) +m4_define([mym4_micro], [0]) # Below is m4 magic to extract and compute the git revision number, # the decimalized short revision number, a beta version string and a @@ -50,15 +50,15 @@ # (Interfaces added: CURRENT++, AGE++, REVISION=0) # (No interfaces changed: REVISION++) # Please remember to document interface changes in the NEWS file. -LIBKSBA_LT_CURRENT=22 -LIBKSBA_LT_AGE=14 -LIBKSBA_LT_REVISION=8 +LIBKSBA_LT_CURRENT=23 +LIBKSBA_LT_AGE=15 +LIBKSBA_LT_REVISION=0 #------------------- # If the API is changed in an incompatible way: increment the next counter. KSBA_CONFIG_API_VERSION=1 -NEED_GPG_ERROR_VERSION=1.8 +NEED_GPG_ERROR_VERSION=1.28 AC_CONFIG_AUX_DIR([build-aux]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/doc/ksba.info new/libksba-1.7.0/doc/ksba.info --- old/libksba-1.6.8/doc/ksba.info 2026-02-23 14:41:02.000000000 +0100 +++ new/libksba-1.7.0/doc/ksba.info 2026-05-05 11:49:23.000000000 +0200 @@ -8,8 +8,8 @@ This file documents the KSBA library to access X.509 and CMS data structures. - This is edition 1.6.8, last updated 22 November 2023, of 'The KSBA -Reference Manual', for Version 1.6.8. + This is edition 1.7.0, last updated 22 November 2023, of 'The KSBA +Reference Manual', for Version 1.7.0. Copyright (C) 2002, 2003, 2004 g10 Code GmbH @@ -25,8 +25,8 @@ Main Menu ********* -This is edition 1.6.8, last updated 22 November 2023, of 'The KSBA -Reference Manual', for Version 1.6.8 of the KSBA library. +This is edition 1.7.0, last updated 22 November 2023, of 'The KSBA +Reference Manual', for Version 1.7.0 of the KSBA library. Copyright (C) 2002, 2003, 2004 g10 Code GmbH diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/doc/stamp-vti new/libksba-1.7.0/doc/stamp-vti --- old/libksba-1.6.8/doc/stamp-vti 2026-02-23 14:41:02.000000000 +0100 +++ new/libksba-1.7.0/doc/stamp-vti 2026-05-07 10:05:17.000000000 +0200 @@ -1,4 +1,4 @@ @set UPDATED 22 November 2023 @set UPDATED-MONTH November 2023 -@set EDITION 1.6.8 -@set VERSION 1.6.8 +@set EDITION 1.7.0 +@set VERSION 1.7.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/doc/version.texi new/libksba-1.7.0/doc/version.texi --- old/libksba-1.6.8/doc/version.texi 2026-02-23 14:41:02.000000000 +0100 +++ new/libksba-1.7.0/doc/version.texi 2026-05-03 17:07:21.000000000 +0200 @@ -1,4 +1,4 @@ @set UPDATED 22 November 2023 @set UPDATED-MONTH November 2023 -@set EDITION 1.6.8 -@set VERSION 1.6.8 +@set EDITION 1.7.0 +@set VERSION 1.7.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/asn1-constants.h new/libksba-1.7.0/src/asn1-constants.h --- old/libksba-1.6.8/src/asn1-constants.h 2020-04-29 15:34:30.000000000 +0200 +++ new/libksba-1.7.0/src/asn1-constants.h 2026-05-06 15:06:38.000000000 +0200 @@ -52,7 +52,8 @@ TYPE_DEFINITIONS, TYPE_CHOICE, TYPE_IMPORTS, - TYPE_PRE_SEQUENCE /* premanufactured Seqences as used by the DER encoder. */ + TYPE_PRE_SEQUENCE, /* premanufactured Sequence as used by the DER encoder. */ + TYPE_PRE_SET_OF /* premanufactured Set_of as used by the DER encoder. */ } node_type_t; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/asn1-func.c new/libksba-1.7.0/src/asn1-func.c --- old/libksba-1.6.8/src/asn1-func.c 2024-02-19 09:11:29.000000000 +0100 +++ new/libksba-1.7.0/src/asn1-func.c 2026-05-06 15:02:00.000000000 +0200 @@ -113,6 +113,7 @@ case TYPE_CHARACTER_STRING: case TYPE_BMP_STRING: case TYPE_PRE_SEQUENCE: + case TYPE_PRE_SET_OF: return 1; default: return 0; @@ -464,6 +465,7 @@ case TYPE_BOOLEAN: typestr = "BOOLEAN"; break; case TYPE_SEQUENCE: typestr = "SEQUENCE"; break; case TYPE_PRE_SEQUENCE: typestr = "PRE_SEQUENCE"; break; + case TYPE_PRE_SET_OF: typestr = "PRE_SET_OF"; break; case TYPE_BIT_STRING: typestr = "BIT_STR"; break; case TYPE_OCTET_STRING: typestr = "OCT_STR"; break; case TYPE_TAG: typestr = "TAG"; break; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/ber-help.c new/libksba-1.7.0/src/ber-help.c --- old/libksba-1.6.8/src/ber-help.c 2022-10-05 14:09:37.000000000 +0200 +++ new/libksba-1.7.0/src/ber-help.c 2026-05-05 11:40:56.000000000 +0200 @@ -182,7 +182,7 @@ ti->length = len; } - if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length) + if ((ti->nhdr + ti->length) < ti->length) { ti->err_string = "header+length would overflow"; return gpg_error (GPG_ERR_EOVERFLOW); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/ber-help.h new/libksba-1.7.0/src/ber-help.h --- old/libksba-1.6.8/src/ber-help.h 2020-04-14 16:22:43.000000000 +0200 +++ new/libksba-1.7.0/src/ber-help.h 2026-05-05 12:10:48.000000000 +0200 @@ -45,6 +45,15 @@ }; +/* Maximum length of certain object to avoid excessive memory + * allocation. Make sure that they are below 2^31. */ +#define MAX_SERIALNO_LENGTH (1 * 1024) +#define MAX_KEYID_DER_LENGTH (4 * 1024) +#define MAX_CERT_EXT_LENGTH (2 * 1024*1024) +#define MAX_CRL_NUMBER_LENGTH (256) +#define MAX_NAME_URL_LENGTH (4 * 1024) + + gpg_error_t _ksba_ber_read_tl (ksba_reader_t reader, struct tag_info *ti); gpg_error_t _ksba_ber_parse_tl (unsigned char const **buffer, size_t *size, struct tag_info *ti); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/cert.c new/libksba-1.7.0/src/cert.c --- old/libksba-1.6.8/src/cert.c 2020-05-13 20:02:37.000000000 +0200 +++ new/libksba-1.7.0/src/cert.c 2026-05-05 11:26:52.000000000 +0200 @@ -518,6 +518,9 @@ return NULL; } + if (n->len > MAX_SERIALNO_LENGTH) + return NULL; + sprintf (numbuf,"(%u:", (unsigned int)n->len); numbuflen = strlen (numbuf); p = xtrymalloc (numbuflen + n->len + 2); @@ -1920,6 +1923,8 @@ if (ti.tag != 2 || !derlen) return gpg_error (GPG_ERR_INV_CERT_OBJ); + if (ti.length > MAX_SERIALNO_LENGTH) + return gpg_error (GPG_ERR_INV_CERT_OBJ); sprintf (numbuf,"(%u:", (unsigned int)ti.length); numbuflen = strlen (numbuf); *r_serial = xtrymalloc (numbuflen + ti.length + 2); @@ -1933,6 +1938,8 @@ build_keyid: if (r_keyid && keyid_der && keyid_derlen) { + if (keyid_derlen > MAX_KEYID_DER_LENGTH) + return gpg_error (GPG_ERR_INV_CERT_OBJ); sprintf (numbuf,"(%u:", (unsigned int)keyid_derlen); numbuflen = strlen (numbuf); *r_keyid = xtrymalloc (numbuflen + keyid_derlen + 2); @@ -2008,6 +2015,8 @@ if (ti.length != derlen) return gpg_error (GPG_ERR_INV_CERT_OBJ); /* Garbage follows. */ + if (ti.length > MAX_CERT_EXT_LENGTH) + return gpg_error (GPG_ERR_INV_CERT_OBJ); sprintf (numbuf,"(%u:", (unsigned int)ti.length); numbuflen = strlen (numbuf); *r_data = xtrymalloc (numbuflen + ti.length + 2); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/cms-parser.c new/libksba-1.7.0/src/cms-parser.c --- old/libksba-1.6.8/src/cms-parser.c 2021-06-02 10:53:33.000000000 +0200 +++ new/libksba-1.7.0/src/cms-parser.c 2026-05-03 15:32:57.000000000 +0200 @@ -1035,7 +1035,7 @@ * function which can be used for all kind of attributes would be * best. */ - /* Read authAttr if availabale. */ + /* Read authAttr if available. */ err = _ksba_ber_read_tl (cms->reader, &ti); if (err) return err; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/cms.c new/libksba-1.7.0/src/cms.c --- old/libksba-1.6.8/src/cms.c 2025-11-28 16:12:30.000000000 +0100 +++ new/libksba-1.7.0/src/cms.c 2026-05-06 17:26:19.000000000 +0200 @@ -637,6 +637,13 @@ xfree (cms->capability_list); cms->capability_list = tmp; } + while (cms->attribute_list) + { + struct oidparmlist_s *tmp = cms->attribute_list->next; + xfree (cms->attribute_list->oid); + xfree (cms->attribute_list); + cms->attribute_list = tmp; + } xfree (cms); } @@ -948,6 +955,8 @@ return gpg_error (GPG_ERR_GENERAL); } + if (n->len > MAX_SERIALNO_LENGTH) + return gpg_error (GPG_ERR_INV_CERT_OBJ); sprintf (numbuf,"(%u:", (unsigned int)n->len); numbuflen = strlen (numbuf); p = xtrymalloc (numbuflen + n->len + 2); @@ -1038,10 +1047,12 @@ } -/* - * Return the extension attribute messageDigest - * or for authenvelopeddata the MAC. - */ +/* In the case of signed data return the extension attribute + * messageDigest. In case of AUTHENVELOPEDDATA return either the MAC + * (with IDX 0) or the attributes (with IDX 1). Note that the parser + * currently returns a not-implemented error when it encounters + * attributes; we firs need to have some solid sample data to + * implement that. */ gpg_error_t ksba_cms_get_message_digest (ksba_cms_t cms, int idx, char **r_digest, size_t *r_digest_len) @@ -1744,6 +1755,7 @@ cms->content.oid = oid; cms->content.ct = content_handlers[i].ct; cms->content.handler = content_handlers[i].build_handler; + cms->auth_mode = (type == KSBA_CT_AUTHENVELOPED_DATA); } else { @@ -1888,6 +1900,8 @@ opl = xtrymalloc (sizeof *opl + derlen - 1); if (!opl) return gpg_error_from_errno (errno); + opl->unprotected = 0; + opl->signeridx = 0; opl->next = NULL; opl->oid = xtrystrdup (oid); if (!opl->oid) @@ -1913,24 +1927,85 @@ return 0; } +/* Add an arbitrary attribute to the message. CMS is the context, OID + * the object identifier of the attribute and (DER,DERLEN) is the + * DER-encoded content which is put into a SET. Thus DER may be a + * straight concatenation of ASN.1 objects w/o the outer container. + * + * The attribute is store stored for the signer with IDX or with an + * IDX of -1 for all signers. The index of a signer is determined by + * the sequence of ksba_cms_add_signer() calls; the first signer has + * the index 0. + * + * If UNPROTECTED is set the attribute will be stored in the unsigned + * section. + * + * No merging of attributes is done, thus the caller should not call it + * twice with the same OID. Note that this function is a generalized + * version of ksba_cms_add_smime_capability. + * + * The function returns 0 on success or an error code. + */ +gpg_error_t +ksba_cms_add_attribute (ksba_cms_t cms, int idx, + const char *oid, int unprotected, + const unsigned char *der, size_t derlen) +{ + gpg_error_t err; + struct oidparmlist_s *opl; + if (!cms || !oid || unprotected < 0 || unprotected > 1 || !der || !derlen) + return gpg_error (GPG_ERR_INV_VALUE); + if (idx < -1) + return gpg_error (GPG_ERR_INV_INDEX); + else if (idx >= 0) + { + struct certlist_s *cl; + int i; -/** - * ksba_cms_set_message_digest: - * @cms: A CMS object - * @idx: The index of the signer - * @digest: a message digest - * @digest_len: the length of the message digest + for (i=0, cl = cms->cert_list; cl; cl = cl->next, i++) + if (i == idx) + break; + if (!cl) + return gpg_error (GPG_ERR_INV_INDEX); + } + + opl = xtrymalloc (sizeof *opl + derlen - 1); + if (!opl) + return gpg_error_from_syserror (); + opl->unprotected = unprotected; + opl->signeridx = idx; + opl->oid = xtrystrdup (oid); + if (!opl->oid) + { + err = gpg_error_from_syserror (); + xfree (opl); + return err; + } + opl->parmlen = derlen; + memcpy (opl->parm, der, derlen); + + opl->next = cms->attribute_list; + cms->attribute_list = opl; + + return 0; +} + + +/* If CMS is used for signed data, this function sets the message + * digest (DIGEST,DIGEST_LEN) into the signedAttributes of the signer + * with the index IDX. That index of the signer is determined by the + * sequence of ksba_cms_add_signer calls; the first signer has the + * index 0. CMS is the usual context. This function is to be used + * when the hash value of the data has been computed and before the + * create function requests the sign operation. * - * Set a message digest into the signedAttributes of the signer with - * the index IDX. The index of a signer is determined by the sequence - * of ksba_cms_add_signer() calls; the first signer has the index 0. - * This function is to be used when the hash value of the data has - * been calculated and before the create function requests the sign - * operation. + * If CMS is used for AUTHENVELOPEDDATA this function sets the + * authentication tag or MAC to (DIGEST,DIGEST_LEN). IDX must be 0 in + * this case. The function is to be used when the build function + * stopped with KSBA_SR_NEED_SIG. * - * Return value: 0 on success or an error code - **/ + * Return value: 0 on success or an error code */ gpg_error_t ksba_cms_set_message_digest (ksba_cms_t cms, int idx, const unsigned char *digest, size_t digest_len) @@ -1939,6 +2014,27 @@ if (!cms || !digest) return gpg_error (GPG_ERR_INV_VALUE); + + /* Special processing for AUTHENVELOPEDDATA to set the MAC/authtag. */ + if (cms->content.ct == KSBA_CT_AUTHENVELOPED_DATA) + { + /* (1024 is just an arbitrary value to catch a faulty caller). */ + if (!digest_len || digest_len > 1024) + return gpg_error (GPG_ERR_INV_VALUE); + if (idx != 0) + return gpg_error (GPG_ERR_INV_INDEX); + + xfree (cms->authdata.mac); + cms->authdata.mac_len = digest_len; + cms->authdata.mac = xtrymalloc (digest_len); + if (!cms->authdata.mac) + return gpg_error_from_syserror (); + memcpy (cms->authdata.mac, digest, digest_len); + + return 0; + } + + /* Standard processing for signed data. */ if (!digest_len || digest_len > DIM(cl->msg_digest)) return gpg_error (GPG_ERR_INV_VALUE); if (idx < 0) @@ -2802,7 +2898,10 @@ for (cap=capabilities; cap; cap = cap->next) { - /* (avoid writing duplicates) */ + /* Note that we do not use the unprotected and signeridx fields + * here. */ + + /* We want to avoid writing duplicates. */ for (cap2=capabilities; cap2 != cap; cap2 = cap2->next) { if (!strcmp (cap->oid, cap2->oid) @@ -2882,13 +2981,13 @@ struct certlist_s *certlist; struct oidlist_s *digestlist; struct signer_info_s *si, **si_tail; + struct oidparmlist_s *opl; AsnNode root = NULL; - struct attrarray_s attrarray[4]; + struct attrarray_s *attrarray = NULL; + unsigned int attrsize; int attridx = 0; int i; - memset (attrarray, 0, sizeof (attrarray)); - /* Write the End tag */ err = _ksba_ber_write_tl (cms->writer, 0, 0, 0, 0); if (err) @@ -2898,6 +2997,25 @@ return gpg_error (GPG_ERR_CONFLICT); /* This list must be empty at this point. */ + /* Allocate four slots for the standard attributes: + * - msg_digest + * - inner_content_type + * - signing time (optional) + * - s/mime capabilities (optional) + */ + attrsize = 4; + /* Add more slots for extra attributes. */ + for (opl = cms->attribute_list; opl; opl = opl->next) + attrsize++; + + attrarray = xtrycalloc (attrsize, sizeof *attrarray); + if (!attrarray) + { + err = gpg_error_from_syserror (); + goto leave; + } + + /* Write optional certificates */ if (cms->cert_info_list) { @@ -2964,7 +3082,7 @@ xfree (attrarray[i].image); } attridx = 0; - memset (attrarray, 0, sizeof (attrarray)); + memset (attrarray, 0, attrsize * sizeof *attrarray); if (!digestlist) { @@ -3124,6 +3242,52 @@ attridx++; } + for (opl = cms->attribute_list; opl; opl = opl->next) + { + if (opl->unprotected) + continue; + if (!(opl->signeridx == -1 || opl->signeridx == signer)) + continue; + attr = _ksba_asn_expand_tree (cms_tree->parse_tree, + "CryptographicMessageSyntax.Attribute"); + if (!attr) + { + err = gpg_error (GPG_ERR_ELEMENT_NOT_FOUND); + goto leave; + } + n = _ksba_asn_find_node (attr, "Attribute.attrType"); + if (!n) + { + err = gpg_error (GPG_ERR_ELEMENT_NOT_FOUND); + goto leave; + } + err = _ksba_der_store_oid (n, opl->oid); + if (err) + goto leave; + n = _ksba_asn_find_node (attr, "Attribute.attrValues"); + if (!n || !n->down) + { + err = gpg_error (GPG_ERR_ELEMENT_NOT_FOUND); + goto leave; + } + n = n->down; + /* gpgrt_log_printhex (opl->parm, opl->parmlen, */ + /* "signer %d, oid=%s der=", signer, opl->oid); */ + err = _ksba_der_store_set_of (n, opl->parm, opl->parmlen); + if (err) + goto leave; + + err = _ksba_der_encode_tree (attr, &image, &imagelen); + if (err) + goto leave; + + assert (attridx < attrsize); + attrarray[attridx].root = attr; + attrarray[attridx].image = image; + attrarray[attridx].imagelen = imagelen; + attridx++; + } + /* Arggh. That silly ASN.1 DER encoding rules: We need to sort the SET values. */ qsort (attrarray, attridx, sizeof (struct attrarray_s), @@ -3148,7 +3312,7 @@ goto leave; } - assert (attridx <= DIM (attrarray)); + assert (attridx <= attrsize); for (i=0; i < attridx; i++) { if (i) @@ -3496,8 +3660,8 @@ state = sDATAREADY; else if (stop_reason == KSBA_SR_NEED_SIG) { - if (!cms->sig_val) - err = gpg_error (GPG_ERR_MISSING_ACTION); /* No ksba_cms_set_sig_val () called */ + if (!cms->sig_val) /* No ksba_cms_set_sig_val () called */ + err = gpg_error (GPG_ERR_MISSING_ACTION); state = sGOTSIG; } else if (stop_reason == KSBA_SR_RUNNING) @@ -3820,12 +3984,15 @@ } + +/* Note that this function also handles authenveloped_data. */ static gpg_error_t ct_build_enveloped_data (ksba_cms_t cms) { enum { sSTART, sINDATA, + sWAITTAG, sREST, sERROR } state = sERROR; @@ -3841,7 +4008,13 @@ else if (stop_reason == KSBA_SR_BEGIN_DATA) state = sINDATA; else if (stop_reason == KSBA_SR_END_DATA) - state = sREST; + state = cms->auth_mode? sWAITTAG : sREST; + else if (stop_reason == KSBA_SR_NEED_SIG) + { + if (!cms->authdata.mac) /* ksba_cms_set_message_digest not called. */ + err = gpg_error (GPG_ERR_MISSING_ACTION); + state = sREST; + } else if (stop_reason == KSBA_SR_RUNNING) err = gpg_error (GPG_ERR_INV_STATE); else if (stop_reason) @@ -3855,12 +4028,26 @@ err = build_enveloped_data_header (cms); else if (state == sINDATA) err = write_encrypted_cont (cms); + else if (state == sWAITTAG) + ; /* Nothing to do here. */ else if (state == sREST) { /* SPHINX does not allow for unprotectedAttributes */ - /* Write 5 end tags */ + /* Write an end tag. */ err = _ksba_ber_write_tl (cms->writer, 0, 0, 0, 0); + + /* In auth_mode write the tag. */ + if (!err && cms->auth_mode) + { + err = _ksba_ber_write_tl (cms->writer, TYPE_OCTET_STRING, + CLASS_UNIVERSAL, 0, cms->authdata.mac_len); + if (!err) + err = ksba_writer_write (cms->writer, + cms->authdata.mac, cms->authdata.mac_len); + } + + /* Write remaining end tags */ if (!err) err = _ksba_ber_write_tl (cms->writer, 0, 0, 0, 0); if (!err) @@ -3883,6 +4070,10 @@ { /* tell the user that we wrote everything */ stop_reason = KSBA_SR_END_DATA; } + else if (state == sWAITTAG) + { + stop_reason = KSBA_SR_NEED_SIG; + } else if (state == sREST) { stop_reason = KSBA_SR_READY; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/cms.h new/libksba-1.7.0/src/cms.h --- old/libksba-1.6.8/src/cms.h 2025-02-13 10:47:01.000000000 +0100 +++ new/libksba-1.7.0/src/cms.h 2026-05-05 14:12:16.000000000 +0200 @@ -69,6 +69,8 @@ /* A structure to store an OID and a parameter. */ struct oidparmlist_s { struct oidparmlist_s *next; + int unprotected; /* Used by ksba_cms_add_attribute. */ + int signeridx; /* Used by ksba_cms_add_attribute. */ char *oid; size_t parmlen; unsigned char parm[1]; @@ -138,6 +140,7 @@ int attr_len; } authdata; + int auth_mode; /* Flag indicating KSBA_CT_AUTHENVELOPED_DATA. */ int cms_version; struct oidlist_s *digest_algos; @@ -156,6 +159,8 @@ struct oidparmlist_s *capability_list; /* A list of S/MIME capabilities. */ + struct oidparmlist_s *attribute_list; /* A list of other attributes. */ + struct signer_info_s *signer_info; struct value_tree_s *recp_info; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/crl.c new/libksba-1.7.0/src/crl.c --- old/libksba-1.6.8/src/crl.c 2024-02-19 09:11:29.000000000 +0100 +++ new/libksba-1.7.0/src/crl.c 2026-05-05 14:12:03.000000000 +0200 @@ -378,6 +378,8 @@ if (ti.tag != 2 || !derlen) return gpg_error (GPG_ERR_INV_CRL_OBJ); + if (ti.length > MAX_SERIALNO_LENGTH) + return gpg_error (GPG_ERR_INV_CERT_OBJ); sprintf (numbuf,"(%u:", (unsigned int)ti.length); numbuflen = strlen (numbuf); *r_serial = xtrymalloc (numbuflen + ti.length + 2); @@ -391,6 +393,8 @@ build_keyid: if (r_keyid && keyid_der && keyid_derlen) { + if (keyid_derlen > MAX_KEYID_DER_LENGTH) + return gpg_error (GPG_ERR_INV_CERT_OBJ); sprintf (numbuf,"(%u:", (unsigned int)keyid_derlen); numbuflen = strlen (numbuf); *r_keyid = xtrymalloc (numbuflen + keyid_derlen + 2); @@ -445,6 +449,8 @@ if (err) return err; + if (ti.length > MAX_CRL_NUMBER_LENGTH) + return gpg_error (GPG_ERR_TOO_LARGE); sprintf (numbuf,"(%u:", (unsigned int)ti.length); numbuflen = strlen (numbuf); *number = xtrymalloc (numbuflen + ti.length + 2); @@ -706,7 +712,7 @@ if (err) goto failure; if (ti.length > derlen) - return gpg_error (GPG_ERR_BAD_BER); + goto bad_ber; if (ti.class == CLASS_UNIVERSAL && ti.tag == TYPE_BOOLEAN && !ti.is_constructed) { @@ -840,8 +846,8 @@ tbs_len -= ti.length; } /* fixme: we should also check the outer data length here and in - the follwing code. It might however be easier to to thsi at - the end of this sequence */ + the follwing code. It might however be easier to to this at + the end of this sequence. */ if (ti.length != 1) return gpg_error (GPG_ERR_UNSUPPORTED_CRL_VERSION); if ( (c=read_byte (crl->reader)) == -1) @@ -920,9 +926,7 @@ } } - - - /* read the thisUpdate time */ + /* Read the thisUpdate time. */ err = _ksba_ber_read_tl (crl->reader, &ti); if (err) return err; @@ -949,7 +953,7 @@ _ksba_asntime_to_iso (tmpbuf+ti.nhdr, ti.length, ti.tag == TYPE_UTC_TIME, crl->this_update); - /* Read the optional nextUpdate time. */ + /* Read the optional nextUpdate time. */ err = _ksba_ber_read_tl (crl->reader, &ti); if (err) return err; @@ -1134,6 +1138,8 @@ return err; HASH (tmpbuf, ti.nhdr+ti.length); + if (ti.length > MAX_SERIALNO_LENGTH) + return gpg_error (GPG_ERR_TOO_LARGE); xfree (crl->item.serial); sprintf (numbuf,"(%u:", (unsigned int)ti.length); numbuflen = strlen (numbuf); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/der-encoder.c new/libksba-1.7.0/src/der-encoder.c --- old/libksba-1.6.8/src/der-encoder.c 2025-02-13 10:47:01.000000000 +0100 +++ new/libksba-1.7.0/src/der-encoder.c 2026-05-06 15:56:00.000000000 +0200 @@ -206,7 +206,7 @@ s = src_root; d = dst_root; - /* note: we use the is_any flags becuase an inserted copy may have + /* Note: we use the is_any flags because an inserted copy may have already changed the any tag to the actual type */ while (s && d && (s->type == d->type || d->flags.is_any)) { @@ -386,6 +386,21 @@ gpg_error_t +_ksba_der_store_set_of (AsnNode node, const unsigned char *buf, size_t len) +{ + if (node->type == TYPE_ANY) + node->type = TYPE_PRE_SET_OF; + + if (node->type == TYPE_SET_OF || node->type == TYPE_PRE_SET_OF) + { + return store_value (node, buf, len); + } + else + return gpg_error (GPG_ERR_INV_VALUE); +} + + +gpg_error_t _ksba_der_store_null (AsnNode node) { if (node->type == TYPE_ANY) @@ -420,6 +435,8 @@ buflen++; else if (node->type < 0x1f || node->type == TYPE_PRE_SEQUENCE) buflen++; + else if(node->type == TYPE_PRE_SET_OF) + ; else { never_reached (); @@ -430,6 +447,8 @@ buflen++; /* end tag */ else if (node->type == TYPE_NULL /*&& !class*/) buflen++; /* NULL tag */ + else if (node->type == TYPE_PRE_SET_OF) + ; else if (!length) buflen++; /* indefinite length */ else if (length < 128) @@ -445,7 +464,7 @@ node->nhdr = buflen; } -/* Like above but put now put it into buffer. return the number of +/* Like above but now put it into buffer. Returns the number of bytes copied. There is no need to do length checking here */ static size_t copy_nhdr_and_len (unsigned char *buffer, AsnNode node) @@ -454,19 +473,24 @@ int tag, class; unsigned long length; + if (node->type == TYPE_PRE_SET_OF) + return node->len; + tag = node->type; class = CLASS_UNIVERSAL; length = node->len; if (tag == TYPE_SET_OF) tag = TYPE_SET; + else if (tag == TYPE_PRE_SET_OF) + tag = TYPE_SET; else if (tag == TYPE_SEQUENCE_OF) tag = TYPE_SEQUENCE; else if (tag == TYPE_PRE_SEQUENCE) tag = TYPE_SEQUENCE; else if (tag == TYPE_TAG) { - class = CLASS_CONTEXT; /* Hmmm: we no way to handle other classes */ + class = CLASS_CONTEXT; /* Hmmm: no way to handle other classes */ tag = node->value.v_ulong; } if (tag < 0x1f) @@ -583,7 +607,7 @@ /* set off to zero, so that it can be dumped */ for (n=root; n ; n = _ksba_asn_walk_tree (root, n)) n->off = 0; - fputs ("DER encoded value Tree:\n", stderr); + fprintf (stderr, "%s: DER encoded value tree:\n", __func__); _ksba_asn_node_dump_all (root, stderr); for (n=root; n ; n = _ksba_asn_walk_tree (root, n)) n->off = -1; @@ -598,22 +622,36 @@ { size_t nbytes; - if (!n->nhdr) + if (n->type == TYPE_PRE_SET_OF) + ; /* Copying buffer verbatim. */ + else if (!n->nhdr) continue; + assert (n->off == -1); assert (len < imagelen); n->off = len; - nbytes = copy_nhdr_and_len (image+len, n); - len += nbytes; - if ( _ksba_asn_is_primitive (n->type) - && n->valuetype == VALTYPE_MEM - && n->value.v_mem.len ) + if (n->type == TYPE_PRE_SET_OF) { + assert (n->valuetype == VALTYPE_MEM); nbytes = n->value.v_mem.len; assert (len + nbytes <= imagelen); memcpy (image+len, n->value.v_mem.buf, nbytes); len += nbytes; } + else + { + nbytes = copy_nhdr_and_len (image+len, n); + len += nbytes; + if ( _ksba_asn_is_primitive (n->type) + && n->valuetype == VALTYPE_MEM + && n->value.v_mem.len ) + { + nbytes = n->value.v_mem.len; + assert (len + nbytes <= imagelen); + memcpy (image+len, n->value.v_mem.buf, nbytes); + len += nbytes; + } + } } assert (len == imagelen); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/der-encoder.h new/libksba-1.7.0/src/der-encoder.h --- old/libksba-1.6.8/src/der-encoder.h 2024-02-19 09:11:29.000000000 +0100 +++ new/libksba-1.7.0/src/der-encoder.h 2026-05-05 14:12:16.000000000 +0200 @@ -63,6 +63,8 @@ const char *buf, size_t len); gpg_error_t _ksba_der_store_sequence (AsnNode node, const unsigned char *buf, size_t len); +gpg_error_t _ksba_der_store_set_of (AsnNode node, + const unsigned char *buf, size_t len); gpg_error_t _ksba_der_store_null (AsnNode node); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/keyinfo.c new/libksba-1.7.0/src/keyinfo.c --- old/libksba-1.6.8/src/keyinfo.c 2024-02-19 09:11:29.000000000 +0100 +++ new/libksba-1.7.0/src/keyinfo.c 2026-05-06 15:35:34.000000000 +0200 @@ -637,7 +637,12 @@ return gpg_error (GPG_ERR_UNEXPECTED_TAG); /* not an OBJECT IDENTIFIER */ TLV_LENGTH(der); - /* der does now point to an oid of length LEN */ + /* DER does now point to an oid of length LEN */ + /* { */ + /* char *p = ksba_oid_to_str (der, len); */ + /* gpgrt_log_debug ("%s: algorithm: %s\n", __func__, p); */ + /* xfree (p); */ + /* } */ *r_pos = der - start; *r_len = len; der += len; @@ -666,6 +671,7 @@ else if (r_parm_pos && r_parm_len && c == 0x04) { /* This is an octet string parameter and we need it. */ + /* gpgrt_log_debug ("%s: parameter: an octet string\n", __func__); */ if (r_parm_type) *r_parm_type = TYPE_OCTET_STRING; TLV_LENGTH(der); @@ -679,6 +685,7 @@ else if (r_parm_pos && r_parm_len && c == 0x06) { /* This is an object identifier. */ + /* gpgrt_log_debug ("%s: parameter: an OID\n", __func__); */ if (r_parm_type) *r_parm_type = TYPE_OBJECT_ID; TLV_LENGTH(der); @@ -692,6 +699,7 @@ else if (r_parm_pos && r_parm_len && c == 0x30) { /* This is a sequence. */ + /* gpgrt_log_debug ("%s: parameter: a sequence\n", __func__); */ if (r_parm_type) *r_parm_type = TYPE_SEQUENCE; TLV_LENGTH(der); @@ -704,7 +712,8 @@ } else { -/* printf ("parameter: with tag %02x - ignored\n", c); */ + /* gpgrt_log_debug ("%s: parameter: with tag %02x - ignored\n", */ + /* __func__, c); */ TLV_LENGTH(der); seqlen -= der - startparm; /* skip the value */ @@ -925,7 +934,8 @@ } c = *der++; derlen--; if (c) - fprintf (stderr, "warning: number of unused bits is not zero\n"); + gpgrt_log_info ("%s: warning: number of unused bits is not zero\n", + __func__); } /* fixme: we should calculate the initial length form the size of the @@ -1631,7 +1641,8 @@ return gpg_error (GPG_ERR_INV_KEYINFO); c = *der++; derlen--; if (c) - fprintf (stderr, "warning: number of unused bits is not zero\n"); + gpgrt_log_debug ("%s: warning: number of unused bits is not zero\n", + __func__); } /* fixme: we should calculate the initial length form the size of the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/ksba.h new/libksba-1.7.0/src/ksba.h --- old/libksba-1.6.8/src/ksba.h 2026-02-23 14:41:00.000000000 +0100 +++ new/libksba-1.7.0/src/ksba.h 2026-05-07 10:05:16.000000000 +0200 @@ -45,11 +45,11 @@ /* The version of this header should match the one of the library. Do * not use this symbol in your application; use assuan_check_version * instead. */ -#define KSBA_VERSION "1.6.8" +#define KSBA_VERSION "1.7.0" /* The version number of this header. It may be used to handle minor * API incompatibilities. */ -#define KSBA_VERSION_NUMBER 0x010608 +#define KSBA_VERSION_NUMBER 0x010700 @@ -387,6 +387,9 @@ gpg_error_t ksba_cms_add_smime_capability (ksba_cms_t cms, const char *oid, const unsigned char *der, size_t derlen); +gpg_error_t ksba_cms_add_attribute (ksba_cms_t cms, int idx, + const char *oid, int unprotected, + const unsigned char *der, size_t derlen); gpg_error_t ksba_cms_set_message_digest (ksba_cms_t cms, int idx, const unsigned char *digest, size_t digest_len); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/ksba.h.in new/libksba-1.7.0/src/ksba.h.in --- old/libksba-1.6.8/src/ksba.h.in 2026-02-23 14:32:46.000000000 +0100 +++ new/libksba-1.7.0/src/ksba.h.in 2026-05-05 14:12:16.000000000 +0200 @@ -387,6 +387,9 @@ gpg_error_t ksba_cms_add_smime_capability (ksba_cms_t cms, const char *oid, const unsigned char *der, size_t derlen); +gpg_error_t ksba_cms_add_attribute (ksba_cms_t cms, int idx, + const char *oid, int unprotected, + const unsigned char *der, size_t derlen); gpg_error_t ksba_cms_set_message_digest (ksba_cms_t cms, int idx, const unsigned char *digest, size_t digest_len); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/libksba.def new/libksba-1.7.0/src/libksba.def --- old/libksba-1.6.8/src/libksba.def 2025-02-13 10:47:01.000000000 +0100 +++ new/libksba-1.7.0/src/libksba.def 2026-05-06 15:43:41.000000000 +0200 @@ -207,3 +207,5 @@ ksba_der_add_tag @161 ksba_der_add_end @162 ksba_der_builder_get @163 + + ksba_cms_add_attribute @164 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/libksba.vers new/libksba-1.7.0/src/libksba.vers --- old/libksba-1.6.8/src/libksba.vers 2025-02-13 10:47:01.000000000 +0100 +++ new/libksba-1.7.0/src/libksba.vers 2026-05-05 14:12:16.000000000 +0200 @@ -74,6 +74,7 @@ ksba_cms_set_message_digest; ksba_cms_set_reader_writer; ksba_cms_set_sig_val; ksba_cms_set_signing_time; ksba_cms_add_smime_capability; + ksba_cms_add_attribute; ksba_crl_get_digest_algo; ksba_crl_get_issuer; ksba_crl_get_item; ksba_crl_get_sig_val; ksba_crl_get_update_times; ksba_crl_new; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/name.c new/libksba-1.7.0/src/name.c --- old/libksba-1.6.8/src/name.c 2016-05-03 18:12:09.000000000 +0200 +++ new/libksba-1.7.0/src/name.c 2026-05-05 12:10:23.000000000 +0200 @@ -192,6 +192,11 @@ name->names[n++] = p; break; case 6: /* URI */ + if (ti.length > MAX_NAME_URL_LENGTH) + { + ksba_name_release (name); + return gpg_error (GPG_ERR_INV_URI); + } sprintf (numbuf, "%u:", (unsigned int)ti.length); p = name->names[n] = xtrymalloc (1+5+strlen (numbuf) + ti.length +1+1); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/ocsp.c new/libksba-1.7.0/src/ocsp.c --- old/libksba-1.6.8/src/ocsp.c 2026-02-18 08:39:26.000000000 +0100 +++ new/libksba-1.7.0/src/ocsp.c 2026-05-05 12:13:50.000000000 +0200 @@ -1623,6 +1623,8 @@ char numbuf[50]; size_t numbuflen; + if (ocsp->responder_id.keyidlen > MAX_KEYID_DER_LENGTH) + return gpg_error (GPG_ERR_TOO_LARGE); sprintf (numbuf,"(%lu:", (unsigned long)ocsp->responder_id.keyidlen); numbuflen = strlen (numbuf); *r_keyid = xtrymalloc (numbuflen + ocsp->responder_id.keyidlen + 2); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/oid.c new/libksba-1.7.0/src/oid.c --- old/libksba-1.6.8/src/oid.c 2024-02-19 09:11:29.000000000 +0100 +++ new/libksba-1.7.0/src/oid.c 2026-05-05 13:55:09.000000000 +0200 @@ -163,19 +163,13 @@ } -/** - * ksba_oid_from_str: - * @string: A string with the OID in dotted decimal form - * @rbuf: Returns the DER encoded OID - * @rlength: and its length +/* Converts an object-identifier given in dotted decimal form in + * STRING to an DER encoding and returns this at the allocated buffer + * RBUF with its length at RLENGTH. RBUF is set to NULL in case an + * error is returned. Scanning stops at the first white space. * - * Convertes the OID given in dotted decimal form to an DER encoding - * and returns it in allocated buffer rbuf and its length in rlength. - * rbuf is set to NULL in case an error is returned. - * Scanning stops at the first white space. - * - * The caller must free the returned buffer using ksba_free() or the - * function he has registered as a replacement. + * The caller must free the returned buffer using ksba_free or the + * function which has been registered as a replacement. * * Return value: 0 on success or an error value **/ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/visibility.c new/libksba-1.7.0/src/visibility.c --- old/libksba-1.6.8/src/visibility.c 2025-02-13 10:47:01.000000000 +0100 +++ new/libksba-1.7.0/src/visibility.c 2026-05-05 14:12:16.000000000 +0200 @@ -502,6 +502,13 @@ return _ksba_cms_add_smime_capability (cms, oid, der, derlen); } +gpg_error_t +ksba_cms_add_attribute (ksba_cms_t cms, int idx, + const char *oid, int unprotected, + const unsigned char *der, size_t derlen) +{ + return _ksba_cms_add_attribute (cms, idx, oid, unprotected, der, derlen); +} gpg_error_t ksba_cms_set_message_digest (ksba_cms_t cms, int idx, diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/src/visibility.h new/libksba-1.7.0/src/visibility.h --- old/libksba-1.6.8/src/visibility.h 2025-02-13 10:47:01.000000000 +0100 +++ new/libksba-1.7.0/src/visibility.h 2026-05-05 14:12:16.000000000 +0200 @@ -118,6 +118,7 @@ #define ksba_cms_set_sig_val _ksba_cms_set_sig_val #define ksba_cms_set_signing_time _ksba_cms_set_signing_time #define ksba_cms_add_smime_capability _ksba_cms_add_smime_capability +#define ksba_cms_add_attribute _ksba_cms_add_attribute #define ksba_crl_get_digest_algo _ksba_crl_get_digest_algo #define ksba_crl_get_issuer _ksba_crl_get_issuer @@ -325,6 +326,7 @@ #undef ksba_cms_set_sig_val #undef ksba_cms_set_signing_time #undef ksba_cms_add_smime_capability +#undef ksba_cms_add_attribute #undef ksba_crl_get_digest_algo #undef ksba_crl_get_issuer @@ -501,6 +503,7 @@ MARK_VISIBLE (ksba_cms_set_sig_val) MARK_VISIBLE (ksba_cms_set_signing_time) MARK_VISIBLE (ksba_cms_add_smime_capability) +MARK_VISIBLE (ksba_cms_add_attribute) MARK_VISIBLE (ksba_crl_get_digest_algo) MARK_VISIBLE (ksba_crl_get_issuer) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/libksba-1.6.8/tests/t-common.h new/libksba-1.7.0/tests/t-common.h --- old/libksba-1.6.8/tests/t-common.h 2025-11-28 16:12:30.000000000 +0100 +++ new/libksba-1.7.0/tests/t-common.h 2026-05-05 13:47:08.000000000 +0200 @@ -95,6 +95,7 @@ print_sexp (ksba_const_sexp_t p) { int level = 0; + int delim_seen = 0; if (!p) fputs ("[none]", stdout); @@ -104,12 +105,14 @@ { if (*p == '(') { + delim_seen = 1; putchar (*p); p++; level++; } else if (*p == ')') { + delim_seen = 1; putchar (*p); p++; if (--level <= 0 ) @@ -140,6 +143,8 @@ || (*s >= '0' && *s <= '9') || *s == '-' || *s == '.')) break; + if (!delim_seen) + putchar (' '); if (n < len) { putchar('#'); @@ -151,7 +156,9 @@ { for (n=0; n < len; n++, p++) putchar (*p); + putchar (' '); } + delim_seen = 0; } } }
