mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
New gpgsm server option no-encrypt-to.
Add caching for symkey encryption. Minor cleanups.
parent
f61e15670a
commit
387a51f951
1
AUTHORS
1
AUTHORS
@ -20,6 +20,7 @@ Per Tunedal <per@clipanish.com> Translations [sv]
|
|||||||
Daniel Nylander <po@danielnylander.se> Translations [sv]
|
Daniel Nylander <po@danielnylander.se> Translations [sv]
|
||||||
|
|
||||||
Daiki Ueno <ueno@unixuser.org> Assigns Past and Future Changes.
|
Daiki Ueno <ueno@unixuser.org> Assigns Past and Future Changes.
|
||||||
|
(changed:passphrase.c and related code)
|
||||||
|
|
||||||
David Shaw <dshaw@jabberwocky.com> Assigns past and future changes.
|
David Shaw <dshaw@jabberwocky.com> Assigns past and future changes.
|
||||||
(all in keyserver/,
|
(all in keyserver/,
|
||||||
|
@ -54,6 +54,11 @@ scd = scd
|
|||||||
else
|
else
|
||||||
scd =
|
scd =
|
||||||
endif
|
endif
|
||||||
|
#if BUILD_G13
|
||||||
|
#g13 = g13
|
||||||
|
#else
|
||||||
|
#g13 =
|
||||||
|
#endif
|
||||||
if BUILD_TOOLS
|
if BUILD_TOOLS
|
||||||
tools = tools
|
tools = tools
|
||||||
else
|
else
|
||||||
@ -72,7 +77,7 @@ tests = tests
|
|||||||
endif
|
endif
|
||||||
|
|
||||||
SUBDIRS = m4 gl include jnlib common ${kbx} \
|
SUBDIRS = m4 gl include jnlib common ${kbx} \
|
||||||
${gpg} ${keyserver} ${sm} ${agent} ${scd} ${tools} po ${doc} ${tests}
|
${gpg} ${keyserver} ${sm} ${agent} ${scd} ${g13} ${tools} po ${doc} ${tests}
|
||||||
|
|
||||||
dist_doc_DATA = README
|
dist_doc_DATA = README
|
||||||
|
|
||||||
|
1
TODO
1
TODO
@ -20,7 +20,6 @@
|
|||||||
** replace leading zero in integer hack by a cleaner solution
|
** replace leading zero in integer hack by a cleaner solution
|
||||||
|
|
||||||
* sm/gpgsm.c
|
* sm/gpgsm.c
|
||||||
** mark all unimplemented commands and options.
|
|
||||||
** Implement --default-key
|
** Implement --default-key
|
||||||
** support the anyPolicy semantic
|
** support the anyPolicy semantic
|
||||||
** Should we prefer nonRepudiation certs over plain signing certs?
|
** Should we prefer nonRepudiation certs over plain signing certs?
|
||||||
|
@ -1453,6 +1453,7 @@ g10/Makefile
|
|||||||
sm/Makefile
|
sm/Makefile
|
||||||
agent/Makefile
|
agent/Makefile
|
||||||
scd/Makefile
|
scd/Makefile
|
||||||
|
g13/Makefile
|
||||||
keyserver/Makefile
|
keyserver/Makefile
|
||||||
keyserver/gpg2keys_mailto
|
keyserver/gpg2keys_mailto
|
||||||
keyserver/gpg2keys_test
|
keyserver/gpg2keys_test
|
||||||
|
@ -1,3 +1,15 @@
|
|||||||
|
2009-05-18 Daiki Ueno <ueno@unixuser.org> (wk)
|
||||||
|
|
||||||
|
* encode.c (encode_simple): Tell passphrase_to_dek to cache
|
||||||
|
the passphrase.
|
||||||
|
(setup_symkey): Ditto.
|
||||||
|
* mainproc.c (proc_symkey_enc): Tell passphrase_to_dek to cache
|
||||||
|
the passphrase.
|
||||||
|
(proc_encrypted): Ditto.
|
||||||
|
* passphrase.c (hash_passphrase): Remove arg CREATE.
|
||||||
|
(passphrase_to_dek): New mode 3 and 4 for caching passphrase for
|
||||||
|
symmetric encryption.
|
||||||
|
|
||||||
2009-05-17 Werner Koch <wk@g10code.com>
|
2009-05-17 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
* keygen.c (ask_algo): Add arg R_SUBKEY_ALGO. Change return value
|
* keygen.c (ask_algo): Add arg R_SUBKEY_ALGO. Change return value
|
||||||
|
@ -216,7 +216,7 @@ encode_simple( const char *filename, int mode, int use_seskey )
|
|||||||
s2k->mode = RFC1991? 0:opt.s2k_mode;
|
s2k->mode = RFC1991? 0:opt.s2k_mode;
|
||||||
s2k->hash_algo=S2K_DIGEST_ALGO;
|
s2k->hash_algo=S2K_DIGEST_ALGO;
|
||||||
cfx.dek = passphrase_to_dek( NULL, 0,
|
cfx.dek = passphrase_to_dek( NULL, 0,
|
||||||
default_cipher_algo(), s2k, 2,
|
default_cipher_algo(), s2k, 4,
|
||||||
NULL, &canceled);
|
NULL, &canceled);
|
||||||
if( !cfx.dek || !cfx.dek->keylen ) {
|
if( !cfx.dek || !cfx.dek->keylen ) {
|
||||||
rc = gpg_error (canceled? GPG_ERR_CANCELED:GPG_ERR_INV_PASSPHRASE);
|
rc = gpg_error (canceled? GPG_ERR_CANCELED:GPG_ERR_INV_PASSPHRASE);
|
||||||
@ -397,7 +397,7 @@ setup_symkey(STRING2KEY **symkey_s2k,DEK **symkey_dek)
|
|||||||
(*symkey_s2k)->hash_algo = S2K_DIGEST_ALGO;
|
(*symkey_s2k)->hash_algo = S2K_DIGEST_ALGO;
|
||||||
|
|
||||||
*symkey_dek=passphrase_to_dek(NULL,0,opt.s2k_cipher_algo,
|
*symkey_dek=passphrase_to_dek(NULL,0,opt.s2k_cipher_algo,
|
||||||
*symkey_s2k,2,NULL, &canceled);
|
*symkey_s2k, 4, NULL, &canceled);
|
||||||
if(!*symkey_dek || !(*symkey_dek)->keylen)
|
if(!*symkey_dek || !(*symkey_dek)->keylen)
|
||||||
{
|
{
|
||||||
xfree(*symkey_dek);
|
xfree(*symkey_dek);
|
||||||
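Review bot: The bare literal `4` passed to passphrase_to_dek in encode_simple, and again in setup_symkey, now means two things at once: create a fresh salt and cache the passphrase under that salt. Nothing at the call site says so. Because this argument decides whether a symmetric passphrase is retained after the operation, I would add a comment at each call, e.g. `/* Mode 4: new key; passphrase is cached with the S2K salt as cache ID. */`. The two mainproc.c calls in proc_symkey_enc and proc_encrypted, which switch from `0` to `3`, would get `/* Mode 3: accept a passphrase cached under the S2K salt. */`. Going by the passphrase.c condition `s2k->mode == 1 || s2k->mode == 3`, the RFC1991 path with `s2k->mode` 0 builds no cache ID, which is also worth a short remark here. Both functions continue outside the hunks shown.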
|
@ -311,7 +311,7 @@ proc_symkey_enc( CTX c, PACKET *pkt )
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
c->dek = passphrase_to_dek (NULL, 0, algo, &enc->s2k, 0,
|
c->dek = passphrase_to_dek (NULL, 0, algo, &enc->s2k, 3,
|
||||||
NULL, NULL);
|
NULL, NULL);
|
||||||
if(c->dek)
|
if(c->dek)
|
||||||
{
|
{
|
||||||
@ -548,7 +548,7 @@ proc_encrypted( CTX c, PACKET *pkt )
|
|||||||
log_info (_("assuming %s encrypted data\n"), "IDEA");
|
log_info (_("assuming %s encrypted data\n"), "IDEA");
|
||||||
}
|
}
|
||||||
|
|
||||||
c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 0, NULL, NULL );
|
c->dek = passphrase_to_dek ( NULL, 0, algo, s2k, 3, NULL, NULL );
|
||||||
if (c->dek)
|
if (c->dek)
|
||||||
c->dek->algo_info_printed = 1;
|
c->dek->algo_info_printed = 1;
|
||||||
}
|
}
|
||||||
|
@ -50,11 +50,10 @@ static char *next_pw = NULL;
|
|||||||
static char *last_pw = NULL;
|
static char *last_pw = NULL;
|
||||||
|
|
||||||
|
|
||||||
/* Hash a passphrase using the supplied s2k. If create is true, create
|
/* Hash a passphrase using the supplied s2k.
|
||||||
a new salt or what else must be filled into the s2k for a new key.
|
Always needs: dek->algo, s2k->mode, s2k->hash_algo. */
|
||||||
always needs: dek->algo, s2k->mode, s2k->hash_algo. */
|
|
||||||
static void
|
static void
|
||||||
hash_passphrase ( DEK *dek, char *pw, STRING2KEY *s2k, int create )
|
hash_passphrase ( DEK *dek, char *pw, STRING2KEY *s2k)
|
||||||
{
|
{
|
||||||
gcry_md_hd_t md;
|
gcry_md_hd_t md;
|
||||||
int pass, i;
|
int pass, i;
|
||||||
@ -82,13 +81,6 @@ hash_passphrase ( DEK *dek, char *pw, STRING2KEY *s2k, int create )
|
|||||||
int len2 = pwlen + 8;
|
int len2 = pwlen + 8;
|
||||||
ulong count = len2;
|
ulong count = len2;
|
||||||
|
|
||||||
if ( create && !pass )
|
|
||||||
{
|
|
||||||
gcry_randomize (s2k->salt, 8, GCRY_STRONG_RANDOM);
|
|
||||||
if ( s2k->mode == 3 )
|
|
||||||
s2k->count = opt.s2k_count;
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( s2k->mode == 3 )
|
if ( s2k->mode == 3 )
|
||||||
{
|
{
|
||||||
count = S2K_DECODE_COUNT(s2k->count);
|
count = S2K_DECODE_COUNT(s2k->count);
|
||||||
@ -441,7 +433,9 @@ passphrase_clear_cache ( u32 *keyid, const char *cacheid, int algo )
|
|||||||
|
|
||||||
MODE 0: Allow cached passphrase
|
MODE 0: Allow cached passphrase
|
||||||
1: Ignore cached passphrase
|
1: Ignore cached passphrase
|
||||||
2: Ditto, but change the text to "repeat entry"
|
2: Ditto, but create a new key
|
||||||
|
3: Allow cached passphrase; use the S2K salt as the cache ID
|
||||||
|
4: Ditto, but create a new key
|
||||||
*/
|
*/
|
||||||
DEK *
|
DEK *
|
||||||
passphrase_to_dek_ext (u32 *keyid, int pubkey_algo,
|
passphrase_to_dek_ext (u32 *keyid, int pubkey_algo,
|
||||||
@ -461,6 +455,7 @@ passphrase_to_dek_ext (u32 *keyid, int pubkey_algo,
|
|||||||
|
|
||||||
if ( !s2k )
|
if ( !s2k )
|
||||||
{
|
{
|
||||||
|
assert (mode != 3 && mode != 4);
|
||||||
/* This is used for the old rfc1991 mode
|
/* This is used for the old rfc1991 mode
|
||||||
* Note: This must match the code in encode.c with opt.rfc1991 set */
|
* Note: This must match the code in encode.c with opt.rfc1991 set */
|
||||||
s2k = &help_s2k;
|
s2k = &help_s2k;
|
||||||
@ -468,6 +463,15 @@ passphrase_to_dek_ext (u32 *keyid, int pubkey_algo,
|
|||||||
s2k->hash_algo = S2K_DIGEST_ALGO;
|
s2k->hash_algo = S2K_DIGEST_ALGO;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Create a new salt or what else to be filled into the s2k for a
|
||||||
|
new key. */
|
||||||
|
if ((mode == 2 || mode == 4) && (s2k->mode == 1 || s2k->mode == 3))
|
||||||
|
{
|
||||||
|
gcry_randomize (s2k->salt, 8, GCRY_STRONG_RANDOM);
|
||||||
|
if ( s2k->mode == 3 )
|
||||||
|
s2k->count = opt.s2k_count;
|
||||||
|
}
|
||||||
|
|
||||||
/* If we do not have a passphrase available in NEXT_PW and status
|
/* If we do not have a passphrase available in NEXT_PW and status
|
||||||
information are request, we print them now. */
|
information are request, we print them now. */
|
||||||
if ( !next_pw && is_status_enabled() )
|
if ( !next_pw && is_status_enabled() )
|
||||||
@ -565,10 +569,21 @@ passphrase_to_dek_ext (u32 *keyid, int pubkey_algo,
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
char *cacheid = NULL;
|
||||||
|
char buf[1+16+1];
|
||||||
|
|
||||||
|
if ((mode == 3 || mode == 4) && (s2k->mode == 1 || s2k->mode == 3))
|
||||||
|
{
|
||||||
|
memset (buf, 0, sizeof buf);
|
||||||
|
*buf = 'S';
|
||||||
|
bin2hex (s2k->salt, 8, buf + 1);
|
||||||
|
cacheid = buf;
|
||||||
|
}
|
||||||
|
|
||||||
/* Divert to the gpg-agent. */
|
/* Divert to the gpg-agent. */
|
||||||
pw = passphrase_get ( keyid, mode == 2, NULL,
|
pw = passphrase_get (keyid, mode == 2, cacheid,
|
||||||
mode == 2? opt.passwd_repeat: 0,
|
(mode == 2 || mode == 4)? opt.passwd_repeat : 0,
|
||||||
tryagain_text, custdesc, custprompt, canceled);
|
tryagain_text, custdesc, custprompt, canceled);
|
||||||
if (*canceled)
|
if (*canceled)
|
||||||
{
|
{
|
||||||
xfree (pw);
|
xfree (pw);
|
||||||
@ -585,10 +600,10 @@ passphrase_to_dek_ext (u32 *keyid, int pubkey_algo,
|
|||||||
get_last_passphrase(). */
|
get_last_passphrase(). */
|
||||||
dek = xmalloc_secure_clear ( sizeof *dek );
|
dek = xmalloc_secure_clear ( sizeof *dek );
|
||||||
dek->algo = cipher_algo;
|
dek->algo = cipher_algo;
|
||||||
if ( !*pw && mode == 2 )
|
if ( !*pw && (mode == 2 || mode == 4))
|
||||||
dek->keylen = 0;
|
dek->keylen = 0;
|
||||||
else
|
else
|
||||||
hash_passphrase( dek, pw, s2k, mode==2 );
|
hash_passphrase (dek, pw, s2k);
|
||||||
xfree(last_pw);
|
xfree(last_pw);
|
||||||
last_pw = pw;
|
last_pw = pw;
|
||||||
return dek;
|
return dek;
|
||||||
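Review bot: The cache ID built in passphrase_to_dek_ext (`'S'` followed by the hex of `s2k->salt`) exists only in the local `buf`, so a caller that later finds the derived key does not decrypt has no handle with which to invalidate that entry. In mode 3 the salt is taken from the packet being processed, so a wrong passphrase stored under that salt would presumably be returned without a prompt every time the same salt is seen. Whether callers clear it some other way is not visible in these hunks. passphrase_clear_cache, whose signature appears in a hunk header of this file, already accepts a `cacheid`, so I would keep the ID reachable for the caller (for instance alongside the returned DEK) so that the decryption-failure path can call it. A smaller documentation point: `char buf[1+16+1]` and the literal `8` in `bin2hex (s2k->salt, 8, buf + 1)` are tied together by hand, and a comment such as `/* 'S' + two hex digits per salt byte + NUL */` would record the sizing. The function begins and ends outside the hunks.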
|
@ -19,6 +19,7 @@ common/miscellaneous.c
|
|||||||
common/asshelp.c
|
common/asshelp.c
|
||||||
common/audit.c
|
common/audit.c
|
||||||
common/helpfile.c
|
common/helpfile.c
|
||||||
|
common/gettime.c
|
||||||
|
|
||||||
g10/armor.c
|
g10/armor.c
|
||||||
g10/build-packet.c
|
g10/build-packet.c
|
||||||
|
@ -1,3 +1,10 @@
|
|||||||
|
2009-05-18 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
|
* server.c (option_handler): New option "no-encrypt-to".
|
||||||
|
(cmd_encrypt): Make use of it.
|
||||||
|
|
||||||
|
* gpgsm.c: Remove not implemented --verify-files.
|
||||||
|
|
||||||
2009-04-02 Werner Koch <wk@g10code.com>
|
2009-04-02 Werner Koch <wk@g10code.com>
|
||||||
|
|
||||||
* keylist.c (list_cert_std): Print card serial number.
|
* keylist.c (list_cert_std): Print card serial number.
|
||||||
|
@ -66,7 +66,6 @@ enum cmd_and_opt_values {
|
|||||||
aDeleteKey,
|
aDeleteKey,
|
||||||
aImport,
|
aImport,
|
||||||
aVerify,
|
aVerify,
|
||||||
aVerifyFiles,
|
|
||||||
aListExternalKeys,
|
aListExternalKeys,
|
||||||
aListChain,
|
aListChain,
|
||||||
aSendKeys,
|
aSendKeys,
|
||||||
@ -191,7 +190,6 @@ static ARGPARSE_OPTS opts[] = {
|
|||||||
ARGPARSE_c (aSym, "symmetric", N_("encryption only with symmetric cipher")),
|
ARGPARSE_c (aSym, "symmetric", N_("encryption only with symmetric cipher")),
|
||||||
ARGPARSE_c (aDecrypt, "decrypt", N_("decrypt data (default)")),
|
ARGPARSE_c (aDecrypt, "decrypt", N_("decrypt data (default)")),
|
||||||
ARGPARSE_c (aVerify, "verify", N_("verify a signature")),
|
ARGPARSE_c (aVerify, "verify", N_("verify a signature")),
|
||||||
ARGPARSE_c (aVerifyFiles, "verify-files", "@"),
|
|
||||||
ARGPARSE_c (aListKeys, "list-keys", N_("list keys")),
|
ARGPARSE_c (aListKeys, "list-keys", N_("list keys")),
|
||||||
ARGPARSE_c (aListExternalKeys, "list-external-keys",
|
ARGPARSE_c (aListExternalKeys, "list-external-keys",
|
||||||
N_("list external keys")),
|
N_("list external keys")),
|
||||||
@ -1711,10 +1709,6 @@ main ( int argc, char **argv)
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case aVerifyFiles:
|
|
||||||
log_error (_("this command has not yet been implemented\n"));
|
|
||||||
break;
|
|
||||||
|
|
||||||
case aDecrypt:
|
case aDecrypt:
|
||||||
{
|
{
|
||||||
FILE *fp = open_fwrite (opt.outfile?opt.outfile:"-");
|
FILE *fp = open_fwrite (opt.outfile?opt.outfile:"-");
|
||||||
|
@ -51,6 +51,7 @@ struct server_local_s {
|
|||||||
certlist_t default_recplist; /* As set by main() - don't release. */
|
certlist_t default_recplist; /* As set by main() - don't release. */
|
||||||
int allow_pinentry_notify; /* Set if pinentry notifications should
|
int allow_pinentry_notify; /* Set if pinentry notifications should
|
||||||
be passed back to the client. */
|
be passed back to the client. */
|
||||||
|
int no_encrypt_to; /* Local version of option. */
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
@ -301,6 +302,10 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
|
|||||||
int i = *value? atoi (value) : 0;
|
int i = *value? atoi (value) : 0;
|
||||||
ctrl->with_ephemeral_keys = i;
|
ctrl->with_ephemeral_keys = i;
|
||||||
}
|
}
|
||||||
|
else if (!strcmp (key, "no-encrypt-to"))
|
||||||
|
{
|
||||||
|
ctrl->server_local->no_encrypt_to = 1;
|
||||||
|
}
|
||||||
else
|
else
|
||||||
return gpg_error (GPG_ERR_UNKNOWN_OPTION);
|
return gpg_error (GPG_ERR_UNKNOWN_OPTION);
|
||||||
|
|
||||||
@ -486,7 +491,7 @@ cmd_encrypt (assuan_context_t ctx, char *line)
|
|||||||
/* Now add all encrypt-to marked recipients from the default
|
/* Now add all encrypt-to marked recipients from the default
|
||||||
list. */
|
list. */
|
||||||
rc = 0;
|
rc = 0;
|
||||||
if (!opt.no_encrypt_to)
|
if (!opt.no_encrypt_to && !ctrl->server_local->no_encrypt_to)
|
||||||
{
|
{
|
||||||
for (cl=ctrl->server_local->default_recplist; !rc && cl; cl = cl->next)
|
for (cl=ctrl->server_local->default_recplist; !rc && cl; cl = cl->next)
|
||||||
if (cl->is_encrypt_to)
|
if (cl->is_encrypt_to)
|
||||||
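Review bot: The new `no-encrypt-to` branch in option_handler ignores `value`, so a client sending `no-encrypt-to=0` still switches the default encrypt-to recipients off. Nothing in these hunks turns the flag back on. The neighbouring option visible in the same hunk parses its value with `*value? atoi (value) : 0`. I would either follow that pattern, e.g. `ctrl->server_local->no_encrypt_to = *value? !!atoi (value) : 1;`, or state the one-way behaviour in a comment such as `/* Any value enables this; it is not reset by a later OPTION. */`. Since the flag removes recipients from the list cmd_encrypt builds, its handling of an unexpected value should be explicit. Both functions extend beyond the hunks shown.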
|