mirror of git://git.gnupg.org/gnupg.git synced 2024-12-21 10:09:57 +01:00

Merge branch 'STABLE-BRANCH-2-4'

--
Resolved conflicts:
	NEWS
	common/exechelp-w32.c
	configure.ac
Werner Koch 2024-03-12 16:00:55 +01:00
commit 4485930f9f
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
103 changed files with 1485 additions and 1135 deletions


@ -1,2 +1,4 @@
# indent: Modernize mem2str.
6a80d6f9206eae2c867c45daa5cd3e7d6c6ad114
# doc: Fix spelling errors found by lintian.
2ed1f68b48db7b5503045386de0500fddf70077e


@ -247,8 +247,8 @@ release:
mkopt=""; \
if [ -n "$$CUSTOM_SWDB" ]; then \
mkopt="CUSTOM_SWB=1"; \
x=$$(grep '^OVERRIDE_TARBALLS=' \
$$HOME/.gnupg-autogen.rc|cut -d= -f2);\
x=$$(grep '^[[:blank:]]*OVERRIDE_TARBALLS[[:blank:]]*=' \
$$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\
if [ -f "$$x/swdb.lst" ]; then \
echo "/* Copying swdb.lst from the overrides directory */"; \
cp "$$x/swdb.lst" . ; \
@ -275,13 +275,15 @@ release:
sign-release:
+(set -e; \
test $$(pwd | sed 's,.*/,,') = dist || cd dist; \
x=$$(grep '^RELEASE_ARCHIVE=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
x=$$(grep '^[[:blank:]]*RELEASE_ARCHIVE[[:blank:]]*=' \
$$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\
if [ -z "$$x" ]; then \
echo "error: RELEASE_ARCHIVE missing in ~/.gnupg-autogen.rc">&2; \
exit 2;\
fi;\
myarchive="$$x/$(RELEASE_ARCHIVE_SUFFIX)";\
x=$$(grep '^RELEASE_SIGNKEY=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\
x=$$(grep '^[[:blank:]]*RELEASE_SIGNKEY[[:blank:]]*=' \
$$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\
if [ -z "$$x" ]; then \
echo "error: RELEASE_SIGNKEY missing in ~/.gnupg-autogen.rc">&2; \
exit 2;\
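Review bot: The new `|cut -d= -f2|xargs` tail on the OVERRIDE_TARBALLS, RELEASE_ARCHIVE and RELEASE_SIGNKEY lookups does more than trim blanks: xargs also removes quote characters and unquoted backslashes, and it joins the values of several matching lines into one space-separated string. For RELEASE_SIGNKEY a duplicated entry in ~/.gnupg-autogen.rc therefore yields two key IDs in `$$x` rather than one well-defined choice; inserting `|tail -n 1` before `cut` would make the selected signing key unambiguous. The same pipeline is added to READ_AUTOGEN_template later in this commit, where it would presumably strip the double quotes shown in the AUTHENTICODE_TOOL example, so the value reaching the remote command may no longer be quoted. The sign-release recipe continues past the lines shown.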

60
NEWS

@ -1,6 +1,51 @@
Noteworthy changes in version 2.5.0 (unreleased)
------------------------------------------------
Changes also found in 2.4.5:
Noteworthy changes in version 2.4.5 (2024-03-07)
------------------------------------------------
* gpg,gpgv: New option --assert-pubkey-algo. [T6946]
* gpg: Emit status lines for errors in the compression layer.
[T6977]
* gpg: Fix invocation with --trusted-keys and --no-options. [T7025]
* gpgsm: Allow for a longer salt in PKCS#12 files. [T6757]
* gpgtar: Make --status-fd=2 work on Windows. [T6961]
* scd: Support for the ACR-122U NFC reader. [rG1682ca9f01]
* scd: Suport D-TRUST ECC cards. [T7000,T7001]
* scd: Allow auto detaching of kernel drivers; can be disabled with
the new compatibility-flag ccid-no-auto-detach. [rGa1ea3b13e0]
* scd: Allow setting a PIN length of 6 also with a reset code for
openpgp cards. [T6843]
* agent: Allow GET_PASSPHRASE in restricted mode. [rGadf4db6e20]
* dirmngr: Trust system's root CAs for checking CRL issuers.
[T6963]
* dirmngr: Fix regression in 2.4.4 in fetching keys via hkps.
[T6997]
* gpg-wks-client: Make option --mirror work properly w/o specifying
domains. [rG37cc255e49]
* g13,gpg-wks-client: Allow command style options as in "g13 mount
foo". [rGa09157ccb2]
* Allow tilde expansion for the foo-program options. [T7017]
* Make the getswdb.sh tool usable outside the GnuPG tree.
Changes also found in 2.4.4:
* gpg: Do not keep an unprotected smartcard backup key on disk. See
@ -178,6 +223,7 @@ Noteworthy changes in version 2.5.0 (unreleased)
Release dates of 2.4 versions
-----------------------------
Version 2.4.5 (2024-03-07) https://dev.gnupg.org/T6960
Version 2.4.4 (2024-01-25) https://dev.gnupg.org/T6578
Version 2.4.3 (2023-07-04) https://dev.gnupg.org/T6509
Version 2.4.2 (2023-05-30) https://dev.gnupg.org/T6506
@ -1392,7 +1438,7 @@ Noteworthy changes in version 2.3.0 (2021-04-07)
Changes also found in 2.2.12:
* tools: New commands --install-key and --remove-key for
gpg-wks-client. This allows to prepare a Web Key Directory on a
gpg-wks-client. This allows one to prepare a Web Key Directory on a
local file system for later upload to a web server.
* gpg: New --list-option "show-only-fpr-mbox". This makes the use
@ -1436,7 +1482,7 @@ Noteworthy changes in version 2.3.0 (2021-04-07)
query.
* gpg: Do not store the TOFU trust model in the trustdb. This
allows to enable or disable a TOFO model without triggering a
allows one to enable or disable a TOFO model without triggering a
trustdb rebuild. [#4134]
* scd: Fix cases of "Bad PIN" after using "forcesig". [#4177]
@ -1855,7 +1901,7 @@ Noteworthy changes in version 2.1.23 (2017-08-09)
to your gpg.conf.
* agent: Option --no-grab is now the default. The new option --grab
allows to revert this.
allows one to revert this.
* gpg: New import option "show-only".
@ -2985,7 +3031,7 @@ Noteworthy changes in version 2.1.0 (2014-11-06)
* gpg: Allow use of Brainpool curves.
* gpg: Accepts a space separated fingerprint as user ID. This
allows to copy and paste the fingerprint from the key listing.
allows one to copy and paste the fingerprint from the key listing.
* gpg: The hash algorithm is now printed for signature records in key
listings.
@ -3765,7 +3811,7 @@ Noteworthy changes in version 1.9.10 (2004-07-22)
* Fixed a serious bug in the checking of trusted root certificates.
* New configure option --enable-agent-pnly allows to build and
* New configure option --enable-agent-only allows one to build and
install just the agent.
* Fixed a problem with the log file handling.
@ -4160,7 +4206,7 @@ Noteworthy changes in version 1.1.92 (2002-09-11)
extension specified with --load-extension are checked, along
with their enclosing directories.
* The configure option --with-static-rnd=auto allows to build gpg
* The configure option --with-static-rnd=auto allows one to build gpg
with all available entropy gathering modules included. At
runtime the best usable one will be selected from the list
linux, egd, unix. This is also the default for systems lacking
@ -4543,7 +4589,7 @@ Noteworthy changes in version 1.0.2 (2000-07-12)
* New command --export-secret-subkeys which outputs the
the _primary_ key with it's secret parts deleted. This is
useful for automated decryption/signature creation as it
allows to keep the real secret primary key offline and
allows one to keep the real secret primary key offline and
thereby protecting the key certificates and allowing to
create revocations for the subkeys. See the FAQ for a
procedure to install such secret keys.


@ -86,8 +86,8 @@ struct
/* Enable pinentry debugging (--debug 1024 should also be used). */
int debug_pinentry;
/* Filename of the program to start as pinentry. */
const char *pinentry_program;
/* Filename of the program to start as pinentry (malloced). */
char *pinentry_program;
/* Filename of the program to handle daemon tasks. */
const char *daemon_program[DAEMON_MAX_TYPE];


@ -1988,9 +1988,6 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
struct pin_entry_info_s *pi2 = NULL;
int is_generated;
if (ctrl->restricted)
return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
opt_data = has_option (line, "--data");
opt_check = has_option (line, "--check");
opt_no_ask = has_option (line, "--no-ask");
@ -2039,7 +2036,9 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
if (!desc)
return set_error (GPG_ERR_ASS_PARAMETER, "no description given");
if (!strcmp (cacheid, "X"))
/* The only limitation in restricted mode is that we don't consider
* the cache. */
if (ctrl->restricted || !strcmp (cacheid, "X"))
cacheid = NULL;
if (!strcmp (errtext, "X"))
errtext = NULL;
@ -2121,7 +2120,7 @@ cmd_get_passphrase (assuan_context_t ctx, char *line)
entry_errtext = NULL;
is_generated = !!(pi->status & PINENTRY_STATUS_PASSWORD_GENERATED);
/* We don't allow an empty passpharse in this mode. */
/* We don't allow an empty passphrase in this mode. */
if (!is_generated
&& check_passphrase_constraints (ctrl, pi->pin,
pi->constraints_flags,
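Review bot: The new comment above `if (ctrl->restricted || !strcmp (cacheid, "X"))` says that skipping the cache is the only limitation in restricted mode, but it does not record why a restricted client may open a pinentry whose description and error text it supplies itself. If that is the intent, I would say so in the comment, for example `/* Restricted clients may request a passphrase but never use the cache; DESC and ERRTEXT are taken from the client as given. */`. It is also worth confirming that nothing between the removed GPG_ERR_FORBIDDEN check and this line already uses cacheid. Most of cmd_get_passphrase lies outside the visible hunks, so that could not be checked here.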


@ -876,6 +876,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
opt.debug = 0;
opt.no_grab = 1;
opt.debug_pinentry = 0;
xfree (opt.pinentry_program);
opt.pinentry_program = NULL;
opt.pinentry_touch_file = NULL;
xfree (opt.pinentry_invisible_char);
@ -936,7 +937,10 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread)
case oNoGrab: opt.no_grab |= 1; break;
case oGrab: opt.no_grab |= 2; break;
case oPinentryProgram: opt.pinentry_program = pargs->r.ret_str; break;
case oPinentryProgram:
xfree (opt.pinentry_program);
opt.pinentry_program = make_filename_try (pargs->r.ret_str, NULL);
break;
case oPinentryTouchFile: opt.pinentry_touch_file = pargs->r.ret_str; break;
case oPinentryInvisibleChar:
xfree (opt.pinentry_invisible_char);
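Review bot: The result of `make_filename_try` in the `oPinentryProgram` case is not checked, so an allocation failure leaves `opt.pinentry_program` NULL, which is the same state as the option never having been given. An explicitly configured pinentry would then presumably be replaced by the default one without any diagnostic. A check right after the assignment, such as `if (!opt.pinentry_program) log_error ("error setting pinentry-program: %s\n", gpg_strerror (gpg_error_from_syserror ()));`, would make that visible. parse_rereadable_options starts and ends outside these hunks.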


@ -28,15 +28,24 @@ cvtver () {
usage()
{
cat <<EOF
Usage: $(basename $0) [OPTIONS]
Usage: $(basename $0) [OPTIONS] [packages]
Get the online version of the GnuPG software version database
and optionally download packages and verify their signatures.
Options:
--info Print only infos about packages
--skip-download Assume download has already been done.
--skip-verify Do not check signatures
--skip-selfcheck Do not check GnuPG version
(default if not used in the GnuPG tree)
--find-sha1sum Print the name of the sha1sum utility
--find-sha256sum Print the name of the sha256sum utility
--help Print this help.
Example:
getswdb.sh gnupg24 gpgme libksba libassuan
EOF
exit $1
}
@ -49,6 +58,9 @@ skip_verify=no
skip_selfcheck=no
find_sha1sum=no
find_sha256sum=no
info_mode=no
packages=
die=no
while test $# -gt 0; do
case "$1" in
# Set up `optarg'.
@ -79,13 +91,20 @@ while test $# -gt 0; do
--find-sha256sum)
find_sha256sum=yes
;;
*)
--info)
info_mode=yes
;;
--*)
usage 1 1>&2
;;
*)
packages="$packages $1"
;;
esac
shift
done
# Mac OSX has only a shasum and not sha1sum
if [ ${find_sha1sum} = yes ]; then
for i in sha1sum shasum ; do
@ -114,16 +133,37 @@ if [ ${find_sha256sum} = yes ]; then
fi
if [ $skip_verify = no ]; then
if [ ! -f "$distsigkey" ]; then
distsigkey="/usr/local/share/gnupg/distsigkey.gpg"
if [ ! -f "$distsigkey" ]; then
distsigkey="/usr/share/gnupg/distsigkey.gpg"
if [ ! -f "$distsigkey" ]; then
echo "no keyring with release keys found!" >&2
exit 1
fi
fi
echo "using release keys from $distsigkey" >&2
skip_selfcheck=yes
fi
fi
# Get GnuPG version from VERSION file. For a GIT checkout this means
# that ./autogen.sh must have been run first. For a regular tarball
# VERSION is always available.
if [ ! -f "$srcdir/../VERSION" ]; then
if [ $skip_selfcheck = no ]; then
if [ ! -f "$srcdir/../VERSION" ]; then
echo "VERSION file missing - run autogen.sh first." >&2
exit 1
fi
version=$(cat "$srcdir/../VERSION")
else
version="0.0.0"
fi
version=$(cat "$srcdir/../VERSION")
version_num=$(echo "$version" | cvtver)
if [ $skip_verify = no ]; then
if ! $GPGV --version >/dev/null 2>/dev/null ; then
echo "command \"gpgv\" is not installed" >&2
@ -164,10 +204,10 @@ else
fi
fi
if [ $skip_verify = no ]; then
if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then
if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst 2>/dev/null; then
echo "list of software versions is not valid!" >&2
exit 1
fi
fi
fi
#
@ -188,3 +228,73 @@ if [ $skip_selfcheck = no ]; then
exit 1
fi
fi
# Download a package and check its signature.
download_pkg () {
local url="$1"
local file="${url##*/}"
if ! $WGET -q -O - "$url" >"${file}.tmp" ; then
echo "download of $file failed." >&2
[ -f "${file}.tmp" ] && rm "${file}.tmp"
return 1
fi
if [ $skip_verify = no ]; then
if ! $WGET -q -O - "${url}.sig" >"${file}.tmpsig" ; then
echo "download of $file.sig failed." >&2
[ -f "${file}.tmpsig" ] && rm "${file}.tmpsig"
return 1
fi
if ! $GPGV -q --keyring "$distsigkey" \
"${file}.tmpsig" "${file}.tmp" 2>/dev/null; then
echo "signature of $file is not valid!" >&2
return 1
fi
mv "${file}.tmpsig" "${file}.sig"
else
[ -f "${file}.sig" ] && rm "${file}.sig"
fi
mv "${file}.tmp" "${file}"
return 0
}
baseurl=$(awk '$1=="gpgorg_base" {print $2; exit 0}' swdb.lst)
for p in $packages; do
pver=$(awk '$1=="'"$p"'_ver" {print $2}' swdb.lst)
if [ -z "$pver" ]; then
echo "package '$p' not found" >&2
die=yes
else
pdir=$(awk '$1=="'"$p"'_dir" {print $2":"$3":"$4}' swdb.lst)
if [ -n "$pdir" ]; then
psuf=$(echo "$pdir" | cut -d: -f3)
pname=$(echo "$pdir" | cut -d: -f2)
pdir=$(echo "$pdir" | cut -d: -f1)
else
psuf=
pdir="$p"
pname="$p"
fi
if [ -z "$psuf" ]; then
psuf=$(awk 'BEGIN {suf="bz2"};
$1=="'"$p"'_sha1_gz" {suf="gz"; exit 0};
$1=="'"$p"'_sha1_xz" {suf"xz"; exit 0};
END {print suf}' swdb.lst)
fi
pfullname="$pname-$pver.tar.$psuf"
if [ $info_mode = yes ]; then
echo "$baseurl/$pdir/$pfullname"
else
echo "downloading $pfullname"
download_pkg "$baseurl/$pdir/$pfullname" || die=yes
fi
fi
done
if [ $die = yes ]; then
echo "errors found!" >&2
exit 1
fi
exit 0
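Review bot: In download_pkg the branch that prints `signature of $file is not valid!` returns without deleting `${file}.tmp` and `${file}.tmpsig`, so a tarball that failed verification stays in the working directory; adding `rm -f "${file}.tmp" "${file}.tmpsig"` before that `return 1` keeps unverified data from being picked up later. In the suffix lookup, `{suf"xz"; exit 0}` is missing the `=` and so never selects xz, leaving the bz2 default; it should read `{suf="xz"; exit 0}`. The package name is also pasted into the awk program text (`$1=="'"$p"'_ver"`); passing it as data with `awk -v p="$p" '$1==p"_ver" {print $2}' swdb.lst` stops a name containing quote characters from changing the program. Finally, the `2>/dev/null` on both gpgv calls discards the reason a signature was rejected, which makes a failed release check hard to diagnose.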


@ -51,10 +51,13 @@
# # This is greped by the Makefile.
# RELEASE_ARCHIVE=foo@somehost:tarball-archive
#
# # The key used to sign the released sources.
# # The key used to sign the GnuPG sources.
# # This is greped by the Makefile.
# RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA
#
# # The key used to sign the VERSION files of some MSI installers.
# VERSION_SIGNKEY=02F38DFF731FF97CB039A1DA549E695E905BA208
#
# # For signing Windows binaries we need to employ a Windows machine.
# # We connect to this machine via ssh and take the connection
# # parameters via .ssh/config. For example a VM could be specified
@ -74,6 +77,9 @@
# # This is greped by the Makefile.
# AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"
#
# # The URL for the timestamping service
# AUTHENTICODE_TSURL=http://rfc3161timestamp.globalsign.com/advanced
#
# # To use osslsigncode the follwing entries are required and
# # an empty string must be given for AUTHENTICODE_SIGNHOST.
# # They are greped by the Makefile.
@ -238,10 +244,11 @@ PATCHELF := $(shell patchelf --version 2>/dev/null >/dev/null || echo "echo plea
# Read signing information from ~/.gnupg-autogen.rc
define READ_AUTOGEN_template
$(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2)
$(1) = $$(shell grep '^[[:blank:]]*$(1)[[:blank:]]*=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs)
endef
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST))
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL))
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TSURL))
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY))
$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS))
$(eval $(call READ_AUTOGEN_template,OSSLSIGNCODE))
@ -1350,7 +1357,7 @@ define AUTHENTICODE_sign
scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\
ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \
/a /n '"g10 Code GmbH"' \
/tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \
/tr '$(AUTHENTICODE_TSURL)' /td sha256 \
/fd sha256 /du https://gnupg.org a.exe ;\
scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\
echo "speedo: signed file is '$(2)'" ;\
@ -1361,13 +1368,13 @@ define AUTHENTICODE_sign
-pkcs11module $(SCUTEMODULE) \
-certs $(AUTHENTICODE_CERTS) \
-h sha256 -n GnuPG -i https://gnupg.org \
-ts http://rfc3161timestamp.globalsign.com/advanced \
-ts $(AUTHENTICODE_TSURL) \
-in $(1) -out $(2).tmp ; mv $(2).tmp $(2) ; \
elif [ -e "$(AUTHENTICODE_KEY)" ]; then \
echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\
osslsigncode sign -certs $(AUTHENTICODE_CERTS) \
-pkcs12 $(AUTHENTICODE_KEY) -askpass \
-ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \
-ts "$(AUTHENTICODE_TSURL)" \
-h sha256 -n GnuPG -i https://gnupg.org \
-in $(1) -out $(2) ;\
else \
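Review bot: AUTHENTICODE_TSURL now comes only from ~/.gnupg-autogen.rc and nothing in the visible lines checks that it is set, whereas the timestamp URL was a literal before. With an empty value the unquoted `-ts $(AUTHENTICODE_TSURL) \` in the pkcs11 branch would make the following `-in` the argument of `-ts`, and the signtool and pkcs12 branches would pass an empty URL. I would quote it as the pkcs12 branch does, `-ts "$(AUTHENTICODE_TSURL)" \`, and fail early on an empty value, for example with `[ -n "$(AUTHENTICODE_TSURL)" ] || { echo "speedo: AUTHENTICODE_TSURL missing in ~/.gnupg-autogen.rc" >&2; exit 2; } ;\`. AUTHENTICODE_sign begins and ends outside the hunks shown.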


@ -61,9 +61,12 @@ and then manually edited:
<Component Id="cmp74961776CCC7B203F500FE261DC12F92" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="FBA2569C-554D-4C06-88FC-0FD6541B5B4B">
<File Id="filB82A767EB9971018C006215A9FDE77EF" KeyPath="yes" Source="$(var.SourceDir)\bin\gpg-connect-agent.exe"/>
</Component>
<Component Id="cmp74961776CCC7B203F500FE261DC12F94" Directory="dirAA72FFDDFA224FB221D53750596B0144" Guid="FBA2569C-554D-4C06-88FC-0FD6541B5B4C">
<Component Id="cmp74961776CCC7B203F500FE261DC12F94" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="FBA2569C-554D-4C06-88FC-0FD6541B5B4C">
<File Id="filB82A767EB9971018C006215A9FDE77F1" KeyPath="yes" Source="$(var.SourceDir)\bin\gpg-card.exe"/>
</Component>
<Component Id="cmp74961776CCC7B203F500FE261DC12F95" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="3134BF55-46AF-4B76-A535-DC1EDDB0DBFD">
<File Id="filB82A767EB9971018C006215A9FDE77F2" KeyPath="yes" Source="$(var.SourceDir)\libexec\keyboxd.exe"/>
</Component>
<Component Id="cmp6C1FB70721B208E33DB24296B93AB93F" Directory="dirAA72FFDDFA224FB221D53750596B0142" Guid="FE29D2AA-3151-4421-B8C0-355F69F267A1">
<File Id="fil563D2C0464DCE7ECADE6E15C0FC65821" KeyPath="yes" Source="$(var.SourceDir)\libexec\gpg-preset-passphrase.exe"/>
</Component>


@ -41,7 +41,7 @@ static int initialized;
static int module;
/* This value is used by DSA and RSA checks in addition to the hard
* coded length checks. It allows to increase the required key length
* coded length checks. It allows one to increase the required key length
* using a confue file. */
static unsigned int min_compliant_rsa_length;


@ -437,6 +437,7 @@ check_syscall_func (void)
}
}
static void
pre_syscall (void)
{
@ -444,6 +445,7 @@ pre_syscall (void)
pre_syscall_func ();
}
static void
post_syscall (void)
{
@ -579,7 +581,7 @@ spawn_detached (const char *pgmname, char *cmdline,
cr_flags, /* Creation flags. */
NULL, /* Environment. */
NULL, /* Use current drive/directory. */
(STARTUPINFOW *)&si, /* Startup information. */
(STARTUPINFOW *)&si, /* Startup information. */
&pi /* Returns process information. */
);
if (!ret)


@ -54,6 +54,7 @@ enum
STATUS_NEED_PASSPHRASE,
STATUS_VALIDSIG,
STATUS_ASSERT_SIGNER,
STATUS_ASSERT_PUBKEY_ALGO,
STATUS_SIG_ID,
STATUS_ENC_TO,
STATUS_NODATA,


@ -31,6 +31,8 @@
#ifndef GNUPG_COMMON_T_SUPPORT_H
#define GNUPG_COMMON_T_SUPPORT_H 1
#ifndef LEAN_T_SUPPORT
#ifdef GCRYPT_VERSION
#error The regression tests should not include with gcrypt.h
#endif
@ -45,11 +47,6 @@
# define getenv(a) (NULL)
#endif
#ifndef DIM
# define DIM(v) (sizeof(v)/sizeof((v)[0]))
# define DIMof(type,member) DIM(((type *)0)->member)
#endif
/* Replacement prototypes. */
void *gcry_xmalloc (size_t n);
@ -65,6 +62,12 @@ void gcry_free (void *a);
#define xstrdup(a) gcry_xstrdup ( (a) )
#define xfree(a) gcry_free ( (a) )
#endif /* LEAN_T_SUPPORT */
#ifndef DIM
# define DIM(v) (sizeof(v)/sizeof((v)[0]))
# define DIMof(type,member) DIM(((type *)0)->member)
#endif
/* Macros to print the result of a test. */
#define pass() do { ; } while(0)


@ -152,7 +152,7 @@ find_tlv_unchecked (const unsigned char *buffer, size_t length,
/* ASN.1 BER parser: Parse BUFFER of length SIZE and return the tag
* and the length part from the TLV triplet. Update BUFFER and SIZE
* on success. Note that this function does not check that the value
* fits into the provided buffer; this allows to work on the TL part
* fits into the provided buffer; this allows one to work on the TL part
* of a TLV. */
gpg_error_t
parse_ber_header (unsigned char const **buffer, size_t *size,


@ -2086,6 +2086,7 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl,
err = validate_cert_chain (ctrl, crlissuer_cert, NULL,
(VALIDATE_FLAG_TRUST_CONFIG
| VALIDATE_FLAG_TRUST_SYSTEM
| VALIDATE_FLAG_CRL
| VALIDATE_FLAG_RECURSIVE),
r_trust_anchor);
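Review bot: The added `VALIDATE_FLAG_TRUST_SYSTEM` widens the trust anchors accepted for the CRL issuer certificate to the system's root CAs, and the call carries no comment saying that this is intended. A short comment above the validate_cert_chain call, such as `/* CRL issuers may also chain to one of the system's root CAs. */`, would keep a later reader from treating the flag as accidental. crl_parse_insert starts and ends outside this hunk.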


@ -107,7 +107,7 @@ static gpgrt_opt_t opts[] = {
" a record oriented format"},
{ oProxy, "proxy", 2,
"|NAME|ignore host part and connect through NAME"},
{ oStartTLS, "starttls", 0, "use STARTLS for the conenction"},
{ oStartTLS, "starttls", 0, "use STARTLS for the connection"},
{ oLdapTLS, "ldaptls", 0, "use a TLS for the connection"},
{ oNtds, "ntds", 0, "authenticate using AD"},
{ oARecOnly, "areconly", 0, "do only an A record lookup"},


@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server)
* NULL, decode the string and use this as input from teh server. On
* success the final output token is stored at PROXY->OUTTOKEN and
* OUTTOKLEN. IF the authentication succeeded OUTTOKLEN is zero. */
#ifdef USE_TLS
static gpg_error_t
proxy_get_token (proxy_info_t proxy, const char *inputstring)
{
@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring)
#endif /*!HAVE_W32_SYSTEM*/
}
#endif /*USE_TLS*/
/* Use the CONNECT method to proxy our TLS stream. */
#ifdef USE_TLS
static gpg_error_t
run_proxy_connect (http_t hd, proxy_info_t proxy,
const char *httphost, const char *server,
@ -2556,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
* RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication
*/
auth_basic = !!proxy->uri->auth;
hd->keep_alive = !auth_basic; /* We may need to send more requests. */
/* For basic authentication we need to send just one request. */
if (auth_basic
@ -2577,16 +2575,15 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
httphost ? httphost : server,
port,
authhdr ? authhdr : "",
auth_basic? "" : "Connection: keep-alive\r\n");
hd->keep_alive? "Connection: keep-alive\r\n" : "");
if (!request)
{
err = gpg_error_from_syserror ();
goto leave;
}
hd->keep_alive = !auth_basic; /* We may need to send more requests. */
if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP))
log_debug_with_string (request, "http.c:proxy:request:");
log_debug_string (request, "http.c:proxy:request:");
if (!hd->fp_write)
{
@ -2610,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
if (err)
goto leave;
{
unsigned long count = 0;
while (es_getc (hd->fp_read) != EOF)
count++;
if (opt_debug)
log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n",
count);
}
/* Reset state. */
es_clearerr (hd->fp_read);
((cookie_t)(hd->read_cookie))->up_to_empty_line = 1;
@ -2730,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
}
leave:
if (hd->keep_alive)
{
es_fclose (hd->fp_write);
hd->fp_write = NULL;
/* The close has released the cookie and thus we better set it
* to NULL. */
hd->write_cookie = NULL;
}
/* Restore flags, destroy stream, reset state. */
hd->flags = saved_flags;
es_fclose (hd->fp_read);
@ -2743,7 +2738,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy,
xfree (tmpstr);
return err;
}
#endif /*USE_TLS*/
/* Make a request string using a standard proxy. On success the
@ -2882,7 +2876,7 @@ send_request (ctrl_t ctrl,
if (proxy && proxy->is_http_proxy)
{
use_http_proxy = 1; /* We want to use a proxy for the conenction. */
use_http_proxy = 1; /* We want to use a proxy for the connection. */
err = connect_server (ctrl,
*proxy->uri->host ? proxy->uri->host : "localhost",
proxy->uri->port ? proxy->uri->port : 80,
@ -2903,7 +2897,6 @@ send_request (ctrl_t ctrl,
goto leave;
}
#if USE_TLS
if (use_http_proxy && hd->uri->use_tls)
{
err = run_proxy_connect (hd, proxy, httphost, server, port);
@ -2915,7 +2908,6 @@ send_request (ctrl_t ctrl,
* clear the flag to indicate this. */
use_http_proxy = 0;
}
#endif /* USE_TLS */
#if HTTP_USE_NTBTLS
err = run_ntbtls_handshake (hd);
@ -4411,7 +4403,7 @@ same_host_p (parsed_uri_t a, parsed_uri_t b)
}
/* Also consider hosts the same if they differ only in a subdomain;
* in both direction. This allows to have redirection between the
* in both direction. This allows one to have redirection between the
* WKD advanced and direct lookup methods. */
for (i=0; i < DIM (subdomains); i++)
{
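Review bot: With the loop that read the rest of the proxy's response removed, nothing in the visible hunks consumes a response body before `up_to_empty_line` is set again under `/* Reset state. */` and the next request goes out on the kept-alive connection. If a proxy answers the first CONNECT with a reply that carries a body and that body is not skipped elsewhere, those bytes would be read as the start of the next response; please confirm this, or add a comment at that block saying where the body is discarded. Separately, `hd->keep_alive` is now set near the top of run_proxy_connect and, in the lines shown, is not restored at `leave:` alongside `hd->flags`, so it appears to stay set for the request that follows the tunnel setup. Most of run_proxy_connect is outside the hunks shown.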


@ -607,7 +607,7 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search,
* including whether to use TLS and the username and password (see
* ldap_parse_uri for a description of the various fields). Be
* default a PGP keyserver is assumed; if GENERIC is true a generic
* ldap conenction is instead established.
* ldap connection is instead established.
*
* Returns: The ldap connection handle in *LDAP_CONNP, R_BASEDN is set
* to the base DN for the PGP key space, several flags will be stored


@ -3325,7 +3325,7 @@ dirmngr_status_help (ctrl_t ctrl, const char *text)
/* Print a help status line using a printf like format. The function
* splits text at LFs. With CTRL beeing NULL, the function behaves
* splits text at LFs. With CTRL being NULL, the function behaves
* like log_info. */
gpg_error_t
dirmngr_status_helpf (ctrl_t ctrl, const char *format, ...)


@ -532,6 +532,12 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
--assert-signer is used. The fingerprint is printed with
uppercase hex digits.
*** ASSERT_PUBKEY_ALGO <fingerprint> <state> <algostr>
This is emitted when option --assert-pubkey-algo is used and the
signing algorithms is accepted according to that list if state is
1 or denied if state is 0. The fingerprint is printed with
uppercase hex digits.
*** SIG_ID <radix64_string> <sig_creation_date> <sig-timestamp>
This is emitted only for signatures of class 0 or 1 which have
been verified okay. The string is a signature id and may be used


@ -172,7 +172,7 @@ socket.
Set compatibility flags to work around certain problems or to emulate
bugs. The @var{flags} are given as a comma separated list of flag
names and are OR-ed together. The special flag "none" clears the list
and allows to start over with an empty list. To get a list of
and allows one to start over with an empty list. To get a list of
available flags the sole word "help" can be used.
@item --faked-system-time @var{epoch}


@ -302,7 +302,7 @@ debugging.
@item --steal-socket
@opindex steal-socket
In @option{--daemon} mode, gpg-agent detects an already running
gpg-agent and does not allow to start a new instance. This option can
gpg-agent and does not allow one to start a new instance. This option can
be used to override this check: the new gpg-agent process will try to
take over the communication sockets from the already running process
and start anyway. This option should in general not be used.
@ -643,7 +643,7 @@ gpg-agent as a replacement for PuTTY's Pageant, the option
In this mode of operation, the agent does not only implement the
gpg-agent protocol, but also the agent protocol used by OpenSSH
(through a separate socket or via Named Pipes) or the protocol used by
PuTTY. Consequently, this allows to use the gpg-agent as a drop-in
PuTTY. Consequently, this allows one to use the gpg-agent as a drop-in
replacement for the ssh-agent.
SSH keys, which are to be used through the agent, need to be added to
@ -693,7 +693,7 @@ The order in which keys are presented to ssh are:
@item Negative Use-for-ssh values
If a key file has the attribute "Use-for-ssh" and its value is
negative, these keys are presented first to ssh. The negative
values are capped at -999 with -999 beeing lower ranked than -1.
values are capped at -999 with -999 being lower ranked than -1.
These values can be used to prefer on-disk keys over keys taken
from active cards.


@ -226,7 +226,7 @@ OpenPGP or X.509 keys.
@item LOGIN [--clear] [< @var{file}]
@opindex login
Set the login data object of OpenPGP cards. If @var{file} is given
the data is is read from that file. This allows to store binary data
the data is is read from that file. This allows one to store binary data
in the login field. The option @option{--clear} deletes the login
data object.


@ -716,7 +716,7 @@ inserted smartcard, the special string ``card'' can be used for
will figure them out and creates an OpenPGP key consisting of the
usual primary key and one subkey. This works only with certain
smartcards. Note that the interactive @option{--full-gen-key} command
allows to do the same but with greater flexibility in the selection of
allows one to do the same but with greater flexibility in the selection of
the smartcard keys.
Note that it is possible to create a primary key and a subkey using
@ -1290,19 +1290,22 @@ are usually found in the option file.
@item --default-key @var{name}
@opindex default-key
Use @var{name} as the default key to sign with. If this option is not
used, the default key is the first key found in the secret keyring.
Note that @option{-u} or @option{--local-user} overrides this option.
This option may be given multiple times. In this case, the last key
for which a secret key is available is used. If there is no secret
key available for any of the specified values, GnuPG will not emit an
error message but continue as if this option wasn't given.
Use @var{name} as the default key to sign with. It is suggested to
use a fingerprint or at least a long keyID for @var{name}. If this
option is not used, the default key is the first key found in the
secret keyring. Note that @option{-u} or @option{--local-user}
overrides this option. This option may be given multiple times. In
this case, the last key for which a secret key is available is used.
If there is no secret key available for any of the specified values,
GnuPG will not emit an error message but continue as if this option
wasn't given.
@item --default-recipient @var{name}
@opindex default-recipient
Use @var{name} as default recipient if option @option{--recipient} is
not used and don't ask if this is a valid one. @var{name} must be
non-empty.
non-empty and it is suggested to use a fingerprint for @var{name}.
@item --default-recipient-self
@opindex default-recipient-self
@ -1773,7 +1776,9 @@ useful if you don't want to keep your secret keys (or one of them)
online but still want to be able to check the validity of a given
recipient's or signator's key. If the given key is not locally
available but an LDAP keyserver is configured the missing key is
imported from that server.
imported from that server. The value "none" is explicitly allowed to
distinguish between the use of any trusted-key option and no use of
this option at all (e.g. due to the @option{--no-options} option).
@item --add-desig-revoker [sensitive:]@var{fingerprint}
@opindex add-desig-revoker
@ -1914,6 +1919,29 @@ is guaranteed to return with an exit code of 0 if and only if a
signature has been encountered, is valid, and the key matches one of
the fingerprints given by this option.
@item --assert-pubkey-algo @var{algolist}
@opindex assert-pubkey-algo
During data signature verification this options checks whether the
used public key algorithm matches the algorithms given by
@var{algolist}. This option can be given multiple times to
concatenate more algorithms to the list; the delimiter of the list are
either commas or spaces.
The algorithm names given in the list may either be verbatim names
like "ed25519" with an optional leading single equal sign, or being
prefixed with ">", ">=", "<=", or "<". That prefix operator is
applied to the number part of the algorithm name; for example 2048 in
"rsa2048" or 384 in "brainpoolP384r1". If the the leading non-digits
in the name matches, the prefix operator is used to compare the number
part, a trailing suffix is ignored in this case. For example an
algorithm list ">rsa3000, >=brainpool384r1, =ed25519" allows RSA
signatures with more that 3000 bits, Brainpool curves 384 and 512,
and the ed25519 algorithm.
With this option gpg (and also gpgv) is guaranteed to return with an
exit code of 0 if and only if all valid signatures on data are made
using a matching algorithm from the given list.
@item --auto-key-locate @var{mechanisms}
@itemx --no-auto-key-locate
@ -1947,20 +1975,20 @@ list. The default is "local,wkd".
@item ntds
Locate the key using the Active Directory (Windows only). This
method also allows to search by fingerprint using the command
method also allows one to search by fingerprint using the command
@option{--locate-external-key}. Note that this mechanism is
actually a shortcut for the mechanism @samp{keyserver} but using
"ldap:///" as the keyserver.
@item keyserver
Locate a key using a keyserver. This method also allows to search
Locate a key using a keyserver. This method also allows one to search
by fingerprint using the command @option{--locate-external-key} if
any of the configured keyservers is an LDAP server.
@item keyserver-URL
In addition, a keyserver URL as used in the @command{dirmngr}
configuration may be used here to query that particular keyserver.
This method also allows to search by fingerprint using the command
This method also allows one to search by fingerprint using the command
@option{--locate-external-key} if the URL specifies an LDAP server.
@item local
@ -2336,19 +2364,21 @@ the key in this file is fully valid.
@opindex encrypt-to
Same as @option{--recipient} but this one is intended for use in the
options file and may be used with your own user-id as an
"encrypt-to-self". These keys are only used when there are other
recipients given either by use of @option{--recipient} or by the asked
user id. No trust checking is performed for these user ids and even
disabled keys can be used.
"encrypt-to-self". It is suggested to use a fingerprint or at least a
long keyID for @var{name}. These keys are only used when there are
other recipients given either by use of @option{--recipient} or by the
asked user id. No trust checking is performed for these user ids and
even disabled keys can be used.
@item --hidden-encrypt-to @var{name}
@opindex hidden-encrypt-to
Same as @option{--hidden-recipient} but this one is intended for use in the
options file and may be used with your own user-id as a hidden
"encrypt-to-self". These keys are only used when there are other
recipients given either by use of @option{--recipient} or by the asked user id.
No trust checking is performed for these user ids and even disabled
keys can be used.
Same as @option{--hidden-recipient} but this one is intended for use
in the options file and may be used with your own user-id as a hidden
"encrypt-to-self". It is suggested to use a fingerprint or at least a
long keyID for @var{name}. These keys are only used when there are
other recipients given either by use of @option{--recipient} or by the
asked user id. No trust checking is performed for these user ids and
even disabled keys can be used.
@item --no-encrypt-to
@opindex no-encrypt-to
@ -2899,24 +2929,6 @@ done with @code{--with-colons}.
@table @gnupgtabopt
@item -t, --textmode
@itemx --no-textmode
@opindex textmode
Treat input files as text and store them in the OpenPGP canonical text
form with standard "CRLF" line endings. This also sets the necessary
flags to inform the recipient that the encrypted or signed data is text
and may need its line endings converted back to whatever the local
system uses. This option is useful when communicating between two
platforms that have different line ending conventions (UNIX-like to Mac,
Mac to Windows, etc). @option{--no-textmode} disables this option, and
is the default.
@item --force-v3-sigs
@itemx --no-force-v3-sigs
@item --force-v4-certs
@itemx --no-force-v4-certs
These options are obsolete and have no effect since GnuPG 2.1.
@item --force-ocb
@itemx --force-aead
@opindex force-ocb
@ -3151,7 +3163,7 @@ Prompt before overwriting any files.
Set compatibility flags to work around problems due to non-compliant
keys or data. The @var{flags} are given as a comma separated
list of flag names and are OR-ed together. The special flag "none"
clears the list and allows to start over with an empty list. To get a
clears the list and allows one to start over with an empty list. To get a
list of available flags the sole word "help" can be used.
@item --debug-level @var{level}
@ -3207,7 +3219,7 @@ and may thus be changed or removed at any time without notice.
@item --debug-allow-large-chunks
@opindex debug-allow-large-chunks
To facilitate software tests and experiments this option allows to
To facilitate software tests and experiments this option allows one to
specify a limit of up to 4 EiB (@code{--chunk-size 62}).
@item --debug-ignore-expiration
@ -3378,9 +3390,23 @@ to display the message. This option overrides @option{--set-filename}.
@itemx --no-use-embedded-filename
@opindex use-embedded-filename
Try to create a file with a name as embedded in the data. This can be
a dangerous option as it enables overwriting files. Defaults to no.
a dangerous option as it enables overwriting files by giving the
sender control on how to store files. Defaults to no.
Note that the option @option{--output} overrides this option.
A better approach than using this option is to decrypt to a temporary
filename and then rename that file to the embedded file name after
checking that the embedded filename is harmless. When using the
@option{--status-fd} option gpg tells the filename as part of the
PLAINTEXT status message. If the filename is important, the use of
@command{gpgtar} is another option because gpgtar will never overwrite
a file but decrypt the files to a new directory.
Note also that unless a modern version 5 signature is used the
embedded filename is not part of the signed data.
@item --cipher-algo @var{name}
@opindex cipher-algo
Use @var{name} as cipher algorithm. Running the program with the
@ -3646,7 +3672,7 @@ not need to be listed explicitly.
@opindex allow-weak-key-signatures
To avoid a minor risk of collision attacks on third-party key
signatures made using SHA-1, those key signatures are considered
invalid. This options allows to override this restriction.
invalid. This options allows one to override this restriction.
@item --override-compliance-check
This was a temporary introduced option and has no more effect.
@ -3891,6 +3917,25 @@ all on Windows.
@table @gnupgtabopt
@item -t, --textmode
@itemx --no-textmode
@opindex textmode
Treat input files as text and store them in the OpenPGP canonical text
form with standard "CRLF" line endings. This also sets the necessary
flags to inform the recipient that the encrypted or signed data is text
and may need its line endings converted back to whatever the local
system uses. This option was useful when communicating between two
platforms with different line ending conventions (UNIX-like to Mac,
Mac to Windows, etc). @option{--no-textmode} disables this option, and
is the default. Note that this is a legacy option which should not
anymore be used by any modern software.
@item --force-v3-sigs
@itemx --no-force-v3-sigs
@item --force-v4-certs
@itemx --no-force-v4-certs
These options are obsolete and have no effect since GnuPG 2.1.
@item --show-photos
@itemx --no-show-photos
@opindex show-photos
@ -4111,7 +4156,7 @@ Operation is further controlled by a few environment variables:
@item GNUPG_EXEC_DEBUG_FLAGS
@efindex GNUPG_EXEC_DEBUG_FLAGS
This variable allows to enable diagnostics for process management.
This variable allows one to enable diagnostics for process management.
A numeric decimal value is expected. Bit 0 enables general
diagnostics, bit 1 enables certain warnings on Windows.


@ -767,7 +767,7 @@ is given as fingerprint or keygrip.
Set compatibility flags to work around problems due to non-compliant
certificates or data. The @var{flags} are given as a comma separated
list of flag names and are OR-ed together. The special flag "none"
clears the list and allows to start over with an empty list. To get a
clears the list and allows one to start over with an empty list. To get a
list of available flags the sole word "help" can be used.
@item --debug-level @var{level}


@ -140,6 +140,10 @@ This option enables a mode in which filenames of the form
@file{-&n}, where n is a non-negative decimal number,
refer to the file descriptor n and not to a file with that name.
@item --assert-pubkey-algo @var{algolist}
@opindex assert-pubkey-algo
This option works in the same way as described for @command{gpg}.
@end table
@mansect return value
@ -198,4 +202,3 @@ the allowed keys, using a legacy format.
@mansect see also
@command{gpg}(1)
@include see-also-note.texi


@ -309,7 +309,7 @@ with lower priority should be used by default.
@item --application-priority @var{namelist}
@opindex application-priority
This option allows to change the order in which applications of a card
This option allows one to change the order in which applications of a card
a tried if no specific application was requested. @var{namelist} is a
space or comma delimited list of application names. Unknown names are
simply skipped. Applications not mentioned in the list are put in the


@ -400,7 +400,7 @@ expected in the current GnuPG home directory. This command is usually
not required because GnuPG is able to detect and remove stale lock
files. Before using the command make sure that the file protected by
the lock file is actually not in use. The lock command may be used to
lock an accidently removed lock file. Note that the commands have no
lock an accidentally removed lock file. Note that the commands have no
effect on Windows because the mere existence of a lock file does not
mean that the lock is active.


@ -136,6 +136,8 @@ The command @option{--print-wkd-url} prints the URLs used to fetch the
key for the given user-ids from WKD. The meanwhile preferred format
with sub-domains is used here.
All commands may also be given without the two leading dashes.
@mansect options
@noindent
@command{gpg-wks-client} understands these options:


@ -183,7 +183,7 @@ gpgv_LDFLAGS =
t_common_ldadd =
module_tests = t-rmd160 t-keydb t-keydb-get-keyblock t-stutter
module_tests = t-rmd160 t-keydb t-keydb-get-keyblock t-stutter t-keyid
t_rmd160_SOURCES = t-rmd160.c rmd160.c
t_rmd160_LDADD = $(t_common_ldadd)
t_keydb_SOURCES = t-keydb.c test-stubs.c $(common_source)
@ -200,6 +200,10 @@ t_stutter_SOURCES = t-stutter.c test-stubs.c \
t_stutter_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) \
$(LIBASSUAN_LIBS) $(NPTH_LIBS) $(GPG_ERROR_LIBS) $(NETLIBS) \
$(LIBICONV) $(t_common_ldadd)
t_keyid_SOURCES = t-keyid.c test-stubs.c $(common_source)
t_keyid_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) \
$(LIBASSUAN_LIBS) $(NPTH_LIBS) $(GPG_ERROR_LIBS) $(NETLIBS) \
$(LIBICONV) $(t_common_ldadd)
$(PROGRAMS): $(needed_libs) ../common/libgpgrl.a


@ -306,7 +306,9 @@ gpg_mpi_write (iobuf_t out, gcry_mpi_t a, unsigned int *r_nwritten)
p = gcry_mpi_get_opaque (a, &nbits);
if (p)
{
/* Strip leading zero bits. */
/* First get nbits back to full bytes. */
nbits = ((nbits + 7) / 8) * 8;
/* Then strip leading zero bits. */
for (; nbits >= 8 && !*p; p++, nbits -= 8)
;
if (nbits >= 8 && !(*p & 0x80))
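Review bot: The new rounding line in gpg_mpi_write says what it does but not why the bit count returned by gcry_mpi_get_opaque can be a non-multiple of 8, nor what keeps the byte-wise loop below in bounds once nbits has been rounded up. A comment such as `/* The opaque length may not be a multiple of 8; round up so the loop sees whole bytes. The buffer holds (nbits+7)/8 bytes. */` would record both, with the buffer-size statement to be confirmed against the libgcrypt contract. The function body continues outside the hunk.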


@ -53,7 +53,11 @@ init_compress( compress_filter_context_t *zfx, bz_stream *bzs )
}
if((rc=BZ2_bzCompressInit(bzs,level,0,0))!=BZ_OK)
log_fatal("bz2lib problem: %d\n",rc);
{
log_error ("bz2lib problem: %d\n",rc);
write_status_error ("bzip2.init", gpg_error (GPG_ERR_INTERNAL));
g10_exit (2);
}
zfx->outbufsize = 8192;
zfx->outbuf = xmalloc( zfx->outbufsize );
@ -80,7 +84,11 @@ do_compress(compress_filter_context_t *zfx, bz_stream *bzs, int flush, IOBUF a)
if( zrc == BZ_STREAM_END && flush == BZ_FINISH )
;
else if( zrc != BZ_RUN_OK && zrc != BZ_FINISH_OK )
log_fatal("bz2lib deflate problem: rc=%d\n", zrc );
{
log_error ("bz2lib deflate problem: rc=%d\n", zrc );
write_status_error ("bzip2.deflate", gpg_error (GPG_ERR_INTERNAL));
g10_exit (2);
}
n = zfx->outbufsize - bzs->avail_out;
if( DBG_FILTER )
@ -91,7 +99,7 @@ do_compress(compress_filter_context_t *zfx, bz_stream *bzs, int flush, IOBUF a)
if( (rc=iobuf_write( a, zfx->outbuf, n )) )
{
log_debug("bzCompress: iobuf_write failed\n");
log_error ("bzCompress: iobuf_write failed\n");
return rc;
}
}
@ -106,7 +114,11 @@ init_uncompress( compress_filter_context_t *zfx, bz_stream *bzs )
int rc;
if((rc=BZ2_bzDecompressInit(bzs,0,opt.bz2_decompress_lowmem))!=BZ_OK)
log_fatal("bz2lib problem: %d\n",rc);
{
log_error ("bz2lib problem: %d\n",rc);
write_status_error ("bzip2.init.un", gpg_error (GPG_ERR_INTERNAL));
g10_exit (2);
}
zfx->inbufsize = 2048;
zfx->inbuf = xmalloc( zfx->inbufsize );
@ -159,7 +171,11 @@ do_uncompress( compress_filter_context_t *zfx, bz_stream *bzs,
if( zrc == BZ_STREAM_END )
rc = -1; /* eof */
else if( zrc != BZ_OK && zrc != BZ_PARAM_ERROR )
log_fatal("bz2lib inflate problem: rc=%d\n", zrc );
{
log_error ("bz2lib inflate problem: rc=%d\n", zrc );
write_status_error ("bzip2.inflate", gpg_error (GPG_ERR_BAD_DATA));
g10_exit (2);
}
else if (zrc == BZ_OK && eofseen
&& !bzs->avail_in && bzs->avail_out > 0)
{
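Review bot: In do_uncompress the new failure branch reports every return other than BZ_OK and BZ_PARAM_ERROR as GPG_ERR_BAD_DATA, so an allocation failure inside the library (BZ_MEM_ERROR) would be presented to status-fd consumers as corrupt input. Distinguishing the two keeps the machine-readable status accurate for callers that decide whether to retry or to reject a message: `write_status_error ("bzip2.inflate", gpg_error (zrc == BZ_MEM_ERROR? GPG_ERR_ENOMEM : GPG_ERR_BAD_DATA));`. The zlib section's do_uncompress has the same shape with Z_MEM_ERROR. The enclosing functions start and end outside the hunks.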


@ -73,10 +73,12 @@ init_compress( compress_filter_context_t *zfx, z_stream *zs )
-13, 8, Z_DEFAULT_STRATEGY)
: deflateInit( zs, level )
) != Z_OK ) {
log_fatal("zlib problem: %s\n", zs->msg? zs->msg :
log_error ("zlib problem: %s\n", zs->msg? zs->msg :
rc == Z_MEM_ERROR ? "out of core" :
rc == Z_VERSION_ERROR ? "invalid lib version" :
"unknown error" );
write_status_error ("zlib.init", gpg_error (GPG_ERR_INTERNAL));
g10_exit (2);
}
zfx->outbufsize = 8192;
@ -104,9 +106,11 @@ do_compress( compress_filter_context_t *zfx, z_stream *zs, int flush, IOBUF a )
;
else if( zrc != Z_OK ) {
if( zs->msg )
log_fatal("zlib deflate problem: %s\n", zs->msg );
log_error ("zlib deflate problem: %s\n", zs->msg );
else
log_fatal("zlib deflate problem: rc=%d\n", zrc );
log_error ("zlib deflate problem: rc=%d\n", zrc );
write_status_error ("zlib.deflate", gpg_error (GPG_ERR_INTERNAL));
g10_exit (2);
}
n = zfx->outbufsize - zs->avail_out;
if( DBG_FILTER )
@ -116,7 +120,7 @@ do_compress( compress_filter_context_t *zfx, z_stream *zs, int flush, IOBUF a )
(unsigned)n, zrc );
if( (rc=iobuf_write( a, zfx->outbuf, n )) ) {
log_debug("deflate: iobuf_write failed\n");
log_error ("deflate: iobuf_write failed\n");
return rc;
}
} while( zs->avail_in || (flush == Z_FINISH && zrc != Z_STREAM_END) );
@ -140,10 +144,12 @@ init_uncompress( compress_filter_context_t *zfx, z_stream *zs )
*/
if( (rc = zfx->algo == 1? inflateInit2( zs, -15)
: inflateInit( zs )) != Z_OK ) {
log_fatal("zlib problem: %s\n", zs->msg? zs->msg :
rc == Z_MEM_ERROR ? "out of core" :
rc == Z_VERSION_ERROR ? "invalid lib version" :
"unknown error" );
log_error ("zlib problem: %s\n", zs->msg? zs->msg :
rc == Z_MEM_ERROR ? "out of core" :
rc == Z_VERSION_ERROR ? "invalid lib version" :
"unknown error" );
write_status_error ("zlib.init.un", gpg_error (GPG_ERR_INTERNAL));
g10_exit (2);
}
zfx->inbufsize = 2048;
@ -198,9 +204,11 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs,
rc = -1; /* eof */
else if( zrc != Z_OK && zrc != Z_BUF_ERROR ) {
if( zs->msg )
log_fatal("zlib inflate problem: %s\n", zs->msg );
log_error ("zlib inflate problem: %s\n", zs->msg );
else
log_fatal("zlib inflate problem: rc=%d\n", zrc );
log_error ("zlib inflate problem: rc=%d\n", zrc );
write_status_error ("zlib.inflate", gpg_error (GPG_ERR_BAD_DATA));
g10_exit (2);
}
} while (zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR
&& !leave);
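Review bot: The iobuf_write failure message in do_compress is now logged at error level but still drops the code held in rc, so the log does not say why the write failed. Assuming rc is a gpg-error value, as its direct return to the caller suggests, `log_error ("deflate: iobuf_write failed: %s\n", gpg_strerror (rc));` would carry it. The bzip2 section's `bzCompress: iobuf_write failed` line has the same gap. do_compress continues outside the hunk.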


@ -129,6 +129,8 @@ parse_export_options(char *str,unsigned int *options,int noisy)
N_("export revocation keys marked as \"sensitive\"")},
{"export-clean",EXPORT_CLEAN,NULL,
N_("remove unusable parts from key during export")},
{"export-realclean",EXPORT_MINIMAL|EXPORT_REALCLEAN|EXPORT_CLEAN,NULL,
NULL},
{"export-minimal",EXPORT_MINIMAL|EXPORT_CLEAN,NULL,
N_("remove as much as possible from key during export")},
@ -166,7 +168,7 @@ parse_export_options(char *str,unsigned int *options,int noisy)
{
*options |= (EXPORT_LOCAL_SIGS | EXPORT_ATTRIBUTES
| EXPORT_SENSITIVE_REVKEYS);
*options &= ~(EXPORT_CLEAN | EXPORT_MINIMAL
*options &= ~(EXPORT_CLEAN | EXPORT_MINIMAL | EXPORT_REALCLEAN
| EXPORT_DANE_FORMAT);
}
@ -643,7 +645,7 @@ canon_pk_algo (enum gcry_pk_algos algo)
}
/* Take an s-expression wit the public and private key and change the
/* Take an s-expression with the public and private key and change the
* parameter array in PK to include the secret parameters. */
static gpg_error_t
secret_key_to_mode1003 (gcry_sexp_t s_key, PKT_public_key *pk)
@ -2366,8 +2368,7 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret,
if ((options & EXPORT_CLEAN))
{
merge_keys_and_selfsig (ctrl, keyblock);
clean_all_uids (ctrl, keyblock, opt.verbose,
(options&EXPORT_MINIMAL), NULL, NULL);
clean_all_uids (ctrl, keyblock, opt.verbose, options, NULL, NULL);
clean_all_subkeys (ctrl, keyblock, opt.verbose,
(options&EXPORT_MINIMAL)? KEY_CLEAN_ALL
/**/ : KEY_CLEAN_AUTHENCR,
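Review bot: The new `export-realclean` entry in parse_export_options has a NULL help string and no comment, so neither the option listing nor the source says how it differs from `export-minimal`, whose flags it includes. A one-line comment above the entry would record the intent, for example `/* Like export-minimal, but meant to also keep exportable signatures made by trusted keys. */`. That wording is inferred from the EXPORT_REALCLEAN handling elsewhere in this commit and should be confirmed.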


@ -1921,7 +1921,7 @@ get_pubkey_byfprint_fast (ctrl_t ctrl, PKT_public_key * pk,
* R_HD may be NULL. If LOCK is set the handle has been opend in
* locked mode and keydb_disable_caching () has been called. On error
* R_KEYBLOCK is set to NULL but R_HD must be released by the caller;
* it may have a value of NULL, though. This allows to do an insert
* it may have a value of NULL, though. This allows one to do an insert
* operation on a locked keydb handle. */
gpg_error_t
get_keyblock_byfprint_fast (ctrl_t ctrl,


@ -451,6 +451,7 @@ enum cmd_and_opt_values
oCompatibilityFlags,
oAddDesigRevoker,
oAssertSigner,
oAssertPubkeyAlgo,
oKbxBufferSize,
oNoop
@ -715,6 +716,7 @@ static gpgrt_opt_t opts[] = {
#endif
ARGPARSE_s_s (oAddDesigRevoker, "add-desig-revoker", "@"),
ARGPARSE_s_s (oAssertSigner, "assert-signer", "@"),
ARGPARSE_s_s (oAssertPubkeyAlgo,"assert-pubkey-algo", "@"),
ARGPARSE_header ("Input", N_("Options controlling the input")),
@ -753,7 +755,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_n (oNoEscapeFrom, "no-escape-from-lines", "@"),
ARGPARSE_s_n (oMimemode, "mimemode", "@"),
ARGPARSE_s_n (oTextmodeShort, NULL, "@"),
ARGPARSE_s_n (oTextmode, "textmode", N_("use canonical text mode")),
ARGPARSE_s_n (oTextmode, "textmode", "@"),
ARGPARSE_s_n (oNoTextmode, "no-textmode", "@"),
ARGPARSE_s_s (oSetFilename, "set-filename", "@"),
ARGPARSE_s_n (oForYourEyesOnly, "for-your-eyes-only", "@"),
@ -1045,9 +1047,12 @@ static struct compatibility_flags_s compatibility_flags [] =
/* Can be set to true to force gpg to return with EXIT_FAILURE. */
int g10_errors_seen = 0;
/* If opt.assert_signer_list is used and this variabale is not true
/* If opt.assert_signer_list is used and this variable is not true
* gpg will be forced to return EXIT_FAILURE. */
int assert_signer_true = 0;
/* If opt.assert_pubkey_algo is used and this variable is not true
* gpg will be forced to return EXIT_FAILURE. */
int assert_pubkey_algo_false = 0;
static int utf8_strings =
@ -3584,9 +3589,18 @@ main (int argc, char **argv)
case oPersonalCompressPreferences:
pers_compress_list=pargs.r.ret_str;
break;
case oAgentProgram: opt.agent_program = pargs.r.ret_str; break;
case oKeyboxdProgram: opt.keyboxd_program = pargs.r.ret_str; break;
case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str; break;
case oAgentProgram:
xfree (opt.agent_program);
opt.agent_program = make_filename (pargs.r.ret_str, NULL);
break;
case oKeyboxdProgram:
xfree (opt.keyboxd_program);
opt.keyboxd_program = make_filename (pargs.r.ret_str, NULL);
break;
case oDirmngrProgram:
xfree (opt.dirmngr_program);
opt.dirmngr_program = make_filename (pargs.r.ret_str, NULL);
break;
case oDisableDirmngr: opt.disable_dirmngr = 1; break;
case oWeakDigest:
additional_weak_digest(pargs.r.ret_str);
@ -3767,6 +3781,18 @@ main (int argc, char **argv)
add_to_strlist (&opt.assert_signer_list, pargs.r.ret_str);
break;
case oAssertPubkeyAlgo:
if (!opt.assert_pubkey_algos)
opt.assert_pubkey_algos = xstrdup (pargs.r.ret_str);
else
{
char *tmp = opt.assert_pubkey_algos;
opt.assert_pubkey_algos = xstrconcat (tmp, ",",
pargs.r.ret_str, NULL);
xfree (tmp);
}
break;
case oKbxBufferSize:
keybox_set_buffersize (pargs.r.ret_ulong, 0);
break;
@ -5471,6 +5497,17 @@ emergency_cleanup (void)
void
g10_exit( int rc )
{
if (rc)
;
else if (log_get_errorcount(0))
rc = 2;
else if (g10_errors_seen)
rc = 1;
else if (opt.assert_signer_list && !assert_signer_true)
rc = 1;
else if (opt.assert_pubkey_algos && assert_pubkey_algo_false)
rc = 1;
/* If we had an error but not printed an error message, do it now.
* Note that write_status_failure will never print a second failure
* status line. */
@ -5495,15 +5532,6 @@ g10_exit( int rc )
gnupg_block_all_signals ();
emergency_cleanup ();
if (rc)
;
else if (log_get_errorcount(0))
rc = 2;
else if (g10_errors_seen)
rc = 1;
else if (opt.assert_signer_list && !assert_signer_true)
rc = 1;
exit (rc);
}
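Review bot: The comment added above `assert_pubkey_algo_false` says gpg fails when the variable is "not true", but the g10_exit hunk sets rc to 1 when `opt.assert_pubkey_algos && assert_pubkey_algo_false` holds, that is, when it is true. The text looks copied from `assert_signer_true`, which has the opposite sense, and it names `opt.assert_pubkey_algo` while the field used is `opt.assert_pubkey_algos`. Suggested wording: `/* If opt.assert_pubkey_algos is used and this variable is true gpg will be forced to return EXIT_FAILURE. */`. The flag decides the exit code that scripts rely on for signature-algorithm policy, so the comment should not invert it.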


@ -68,6 +68,7 @@ enum cmd_and_opt_values {
oWeakDigest,
oEnableSpecialFilenames,
oDebug,
oAssertPubkeyAlgo,
aTest
};
@ -91,6 +92,7 @@ static gpgrt_opt_t opts[] = {
N_("|ALGO|reject signatures made with ALGO")),
ARGPARSE_s_n (oEnableSpecialFilenames, "enable-special-filenames", "@"),
ARGPARSE_s_s (oDebug, "debug", "@"),
ARGPARSE_s_s (oAssertPubkeyAlgo,"assert-pubkey-algo", "@"),
ARGPARSE_end ()
};
@ -119,6 +121,7 @@ static struct debug_flags_s debug_flags [] =
int g10_errors_seen = 0;
int assert_signer_true = 0;
int assert_pubkey_algo_false = 0;
static char *
make_libversion (const char *libname, const char *(*getfnc)(const char*))
@ -251,6 +254,19 @@ main( int argc, char **argv )
case oEnableSpecialFilenames:
enable_special_filenames ();
break;
case oAssertPubkeyAlgo:
if (!opt.assert_pubkey_algos)
opt.assert_pubkey_algos = xstrdup (pargs.r.ret_str);
else
{
char *tmp = opt.assert_pubkey_algos;
opt.assert_pubkey_algos = xstrconcat (tmp, ",",
pargs.r.ret_str, NULL);
xfree (tmp);
}
break;
default : pargs.err = ARGPARSE_PRINT_ERROR; break;
}
}
@ -288,10 +304,18 @@ main( int argc, char **argv )
void
g10_exit( int rc )
g10_exit (int rc)
{
rc = rc? rc : log_get_errorcount(0)? 2 : g10_errors_seen? 1 : 0;
exit(rc );
if (rc)
;
else if (log_get_errorcount(0))
rc = 2;
else if (g10_errors_seen)
rc = 1;
else if (opt.assert_pubkey_algos && assert_pubkey_algo_false)
rc = 1;
exit (rc);
}
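Review bot: The `case oAssertPubkeyAlgo:` body here is a line-for-line copy of the one added to gpg's main, so any later fix to how the list is joined has to be made in two places. A small shared helper taking `&opt.assert_pubkey_algos` and the new string would keep the two option parsers in step. Whether both programs can link a common source file is not visible from these hunks.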


@ -2081,7 +2081,9 @@ import_one_real (ctrl_t ctrl,
{
merge_keys_and_selfsig (ctrl, keyblock);
clean_all_uids (ctrl, keyblock,
opt.verbose, (options&IMPORT_MINIMAL), NULL, NULL);
opt.verbose,
(options&IMPORT_MINIMAL)? EXPORT_MINIMAL : 0,
NULL, NULL);
clean_all_subkeys (ctrl, keyblock, opt.verbose, KEY_CLEAN_NONE,
NULL, NULL);
}
@ -2233,7 +2235,8 @@ import_one_real (ctrl_t ctrl,
if ((options & IMPORT_CLEAN))
{
merge_keys_and_selfsig (ctrl, keyblock);
clean_all_uids (ctrl, keyblock, opt.verbose, (options&IMPORT_MINIMAL),
clean_all_uids (ctrl, keyblock, opt.verbose,
(options&IMPORT_MINIMAL)? EXPORT_MINIMAL : 0,
&n_uids_cleaned,&n_sigs_cleaned);
clean_all_subkeys (ctrl, keyblock, opt.verbose, KEY_CLEAN_NONE,
NULL, NULL);
@ -2331,7 +2334,7 @@ import_one_real (ctrl_t ctrl,
{
merge_keys_and_selfsig (ctrl, keyblock_orig);
clean_all_uids (ctrl, keyblock_orig, opt.verbose,
(options&IMPORT_MINIMAL),
(options&IMPORT_MINIMAL)? EXPORT_MINIMAL : 0,
&n_uids_cleaned,&n_sigs_cleaned);
clean_all_subkeys (ctrl, keyblock_orig, opt.verbose, KEY_CLEAN_NONE,
NULL, NULL);
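Review bot: The three clean_all_uids calls in import_one_real now translate `IMPORT_MINIMAL` into `EXPORT_MINIMAL` inline, which reads oddly in import code and is easy to miss if another call site is added. A comment at the first call, e.g. `/* clean_all_uids takes EXPORT_* flags; map the import flag. */`, or a tiny static helper doing the mapping, would make the contract explicit. import_one_real starts and ends outside these hunks.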


@ -91,6 +91,7 @@ mark_usable_uid_certs (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
continue;
}
node->flag |= 1<<NF_CONSIDER;
}
/* Reset the remaining flags. */
for (; node; node = node->next)
@ -215,9 +216,22 @@ mark_usable_uid_certs (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
}
/* Return true if the signature at NODE has is from a key specified by
* the --trusted-key option and is exportable. */
static int
is_trusted_key_sig (kbnode_t node)
{
if (!node->pkt->pkt.signature->flags.exportable)
return 0;
/* Not yet implemented. */
return 0;
}
/* Note: OPTIONS are from the EXPORT_* set. */
static int
clean_sigs_from_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
int noisy, int self_only)
int noisy, unsigned int options)
{
int deleted = 0;
kbnode_t node;
@ -256,8 +270,15 @@ clean_sigs_from_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
{
int keep;
keep = self_only? (node->pkt->pkt.signature->keyid[0] == keyid[0]
&& node->pkt->pkt.signature->keyid[1] == keyid[1]) : 1;
if ((options & EXPORT_REALCLEAN))
keep = ((node->pkt->pkt.signature->keyid[0] == keyid[0]
&& node->pkt->pkt.signature->keyid[1] == keyid[1])
|| is_trusted_key_sig (node));
else if ((options & EXPORT_MINIMAL))
keep = (node->pkt->pkt.signature->keyid[0] == keyid[0]
&& node->pkt->pkt.signature->keyid[1] == keyid[1]);
else
keep = 1;
/* Keep usable uid sigs ... */
if ((node->flag & (1<<NF_USABLE)) && keep)
@ -364,10 +385,12 @@ clean_uid_from_key (kbnode_t keyblock, kbnode_t uidnode, int noisy)
}
/* Needs to be called after a merge_keys_and_selfsig() */
/* Needs to be called after a merge_keys_and_selfsig().
* Note: OPTIONS are from the EXPORT_* set. */
void
clean_one_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
int noisy, int self_only, int *uids_cleaned, int *sigs_cleaned)
int noisy, unsigned int options,
int *uids_cleaned, int *sigs_cleaned)
{
int dummy = 0;
@ -386,15 +409,15 @@ clean_one_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
*uids_cleaned += clean_uid_from_key (keyblock, uidnode, noisy);
if (!uidnode->pkt->pkt.user_id->flags.compacted)
*sigs_cleaned += clean_sigs_from_uid (ctrl, keyblock, uidnode,
noisy, self_only);
noisy, options);
}
/* NB: This function marks the deleted nodes only and the caller is
* responsible to skip or remove them. Needs to be called after a
* merge_keys_and_selfsig(). */
* merge_keys_and_selfsig. Note: OPTIONS are from the EXPORT_* set. */
void
clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, int self_only,
clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, unsigned int options,
int *uids_cleaned, int *sigs_cleaned)
{
kbnode_t node;
@ -405,7 +428,7 @@ clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, int self_only,
node = node->next)
{
if (node->pkt->pkttype == PKT_USER_ID)
clean_one_uid (ctrl, keyblock, node, noisy, self_only,
clean_one_uid (ctrl, keyblock, node, noisy, options,
uids_cleaned, sigs_cleaned);
}
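Review bot: is_trusted_key_sig always returns 0, so in clean_sigs_from_uid the EXPORT_REALCLEAN branch currently keeps exactly the same signatures as the EXPORT_MINIMAL branch, and the only hint is the `/* Not yet implemented. */` line inside the helper. The header comment should say this, and it also has a wording slip ("has is from"): `/* Return true if the signature at NODE is from a key specified by the --trusted-key option and is exportable. FIXME: Stub, always returns false. */`. The helper dereferences `node->pkt->pkt.signature` without checking the packet type, which relies on callers passing only signature nodes. That guarantee is not visible in the hunk.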


@ -40,9 +40,10 @@ void mark_usable_uid_certs (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
u32 curtime, u32 *next_expire);
void clean_one_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode,
int noisy, int self_only,
int noisy, unsigned int options,
int *uids_cleaned, int *sigs_cleaned);
void clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, int self_only,
void clean_all_uids (ctrl_t ctrl, kbnode_t keyblock,
int noisy, unsigned int options,
int *uids_cleaned,int *sigs_cleaned);
void clean_all_subkeys (ctrl_t ctrl, kbnode_t keyblock,
int noisy, int clean_level,


@ -487,6 +487,7 @@ const char *key_origin_string (int origin);
/*-- keyid.c --*/
int pubkey_letter( int algo );
char *pubkey_string (PKT_public_key *pk, char *buffer, size_t bufsize);
int compare_pubkey_string (const char *astr, const char *bstr);
#define PUBKEY_STRING_SIZE 32
u32 v3_keyid (gcry_mpi_t a, u32 *ki);
void hash_public_key( gcry_md_hd_t md, PKT_public_key *pk );
@ -572,6 +573,7 @@ const char *colon_expirestr_from_sig (PKT_signature *sig);
byte *fingerprint_from_pk( PKT_public_key *pk, byte *buf, size_t *ret_len );
byte *v5_fingerprint_from_pk (PKT_public_key *pk, byte *array, size_t *ret_len);
void fpr20_from_pk (PKT_public_key *pk, byte array[20]);
void fpr20_from_fpr (const byte *fpr, unsigned int fprlen, byte array[20]);
char *hexfingerprint (PKT_public_key *pk, char *buffer, size_t buflen);
char *v5hexfingerprint (PKT_public_key *pk, char *buffer, size_t buflen);
char *format_hexfingerprint (const char *fingerprint,


@ -70,7 +70,7 @@ static int menu_adduid (ctrl_t ctrl, kbnode_t keyblock,
int photo, const char *photo_name, const char *uidstr);
static void menu_deluid (KBNODE pub_keyblock);
static int menu_delsig (ctrl_t ctrl, kbnode_t pub_keyblock);
static int menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only);
static int menu_clean (ctrl_t ctrl, kbnode_t keyblock, unsigned int options);
static void menu_delkey (KBNODE pub_keyblock);
static int menu_addrevoker (ctrl_t ctrl, kbnode_t pub_keyblock, int sensitive);
static int menu_addadsk (ctrl_t ctrl, kbnode_t pub_keyblock,
@ -2258,7 +2258,7 @@ keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr,
break;
case cmdMINIMIZE:
if (menu_clean (ctrl, keyblock, 1))
if (menu_clean (ctrl, keyblock, EXPORT_MINIMAL))
redisplay = modified = 1;
break;
@ -4543,11 +4543,13 @@ menu_delsig (ctrl_t ctrl, kbnode_t pub_keyblock)
}
/* Note: OPTIONS are from the EXPORT_* set. */
static int
menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only)
menu_clean (ctrl_t ctrl, kbnode_t keyblock, unsigned int options)
{
KBNODE uidnode;
int modified = 0, select_all = !count_selected_uids (keyblock);
int modified = 0;
int select_all = !count_selected_uids (keyblock);
for (uidnode = keyblock->next;
uidnode && uidnode->pkt->pkttype != PKT_PUBLIC_SUBKEY;
@ -4561,8 +4563,8 @@ menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only)
uidnode->pkt->pkt.user_id->len,
0);
clean_one_uid (ctrl, keyblock, uidnode, opt.verbose, self_only, &uids,
&sigs);
clean_one_uid (ctrl, keyblock, uidnode, opt.verbose, options,
&uids, &sigs);
if (uids)
{
const char *reason;
@ -4587,7 +4589,7 @@ menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only)
}
else
{
tty_printf (self_only == 1 ?
tty_printf ((options & EXPORT_MINIMAL)?
_("User ID \"%s\": already minimized\n") :
_("User ID \"%s\": already clean\n"), user);
}


@ -145,6 +145,130 @@ pubkey_string (PKT_public_key *pk, char *buffer, size_t bufsize)
}
/* Helper for compare_pubkey_string. This skips leading spaces,
* commas and optional condition operators and returns a pointer to
* the first non-space character or NULL in case of an error. The
* length of a prefix consisting of letters is then returned ar PFXLEN
* and the value of the number (e.g. 384 for "brainpoolP384r1") at
* NUMBER. R_LENGTH receives the entire length of the algorithm name
* which is terminated by a space, nul, or a comma. If R_CONDITION is
* not NULL, 0 is stored for a leading "=", 1 for a ">", 2 for a ">=",
* -1 for a "<", and -2 for a "<=". If R_CONDITION is NULL no
* condition prefix is allowed. */
static const char *
parse_one_algo_string (const char *str, size_t *pfxlen, unsigned int *number,
size_t *r_length, int *r_condition)
{
int condition = 0;
const char *result;
while (spacep (str) || *str ==',')
str++;
if (!r_condition)
;
else if (*str == '>' && str[1] == '=')
condition = 2, str += 2;
else if (*str == '>' )
condition = 1, str += 1;
else if (*str == '<' && str[1] == '=')
condition = -2, str += 2;
else if (*str == '<')
condition = -1, str += 1;
else if (*str == '=') /* Default. */
str += 1;
if (!alphap (str))
return NULL; /* Error. */
*pfxlen = 1;
for (result = str++; alphap (str); str++)
++*pfxlen;
while (*str == '-' || *str == '+')
str++;
*number = atoi (str);
while (*str && !spacep (str) && *str != ',')
str++;
*r_length = str - result;
if (r_condition)
*r_condition = condition;
return result;
}
/* Helper for compare_pubkey_string. If BPARSED is set to 0 on
* return, an error in ASTR or BSTR was found and further checks are
* not possible. */
static int
compare_pubkey_string_part (const char *astr, const char *bstr_arg,
size_t *bparsed)
{
const char *bstr = bstr_arg;
size_t alen, apfxlen, blen, bpfxlen;
unsigned int anumber, bnumber;
int condition;
*bparsed = 0;
astr = parse_one_algo_string (astr, &apfxlen, &anumber, &alen, &condition);
if (!astr)
return 0; /* Invalid algorithm name. */
bstr = parse_one_algo_string (bstr, &bpfxlen, &bnumber, &blen, &condition);
if (!bstr)
return 0; /* Invalid algorithm name. */
*bparsed = blen + (bstr - bstr_arg);
if (apfxlen != bpfxlen || ascii_strncasecmp (astr, bstr, apfxlen))
return 0; /* false. */
switch (condition)
{
case 2: return anumber >= bnumber;
case 1: return anumber > bnumber;
case -1: return anumber < bnumber;
case -2: return anumber <= bnumber;
}
return alen == blen && !ascii_strncasecmp (astr, bstr, alen);
}
/* Check whether ASTR matches the constraints given by BSTR. ASTR may
* be any algo string like "rsa2048", "ed25519" and BSTR may be a
* constraint which is in the simplest case just another algo string.
* BSTR may have more that one string in which case they are comma
* separated and any match will return true. It is possible to prefix
* BSTR with ">", ">=", "<=", or "<". That prefix operator is applied
* to the number part of the algorithm, i.e. the first sequence of
* digits found before end-of-string or a comma. Examples:
*
* | ASTR | BSTR | result |
* |----------+----------------------+--------|
* | rsa2048 | rsa2048 | true |
* | rsa2048 | >=rsa2048 | true |
* | rsa2048 | >rsa2048 | false |
* | ed25519 | >rsa1024 | false |
* | ed25519 | ed25519 | true |
* | nistp384 | >nistp256 | true |
* | nistp521 | >=rsa3072, >nistp384 | true |
*/
int
compare_pubkey_string (const char *astr, const char *bstr)
{
size_t bparsed;
int result;
while (*bstr)
{
result = compare_pubkey_string_part (astr, bstr, &bparsed);
if (result)
return 1;
if (!bparsed)
return 0; /* Syntax error in ASTR or BSTR. */
bstr += bparsed;
}
return 0;
}
/* Hash a public key and allow to specify the to be used format.
* Note that if the v5 format is requested for a v4 key, a 0x04 as
* version is hashed instead of the 0x05. */
@ -239,20 +363,16 @@ do_hash_public_key (gcry_md_hd_t md, PKT_public_key *pk, int use_v5)
if (use_v5)
{
gcry_md_putc ( md, 0x9a ); /* ctb */
gcry_md_putc ( md, n >> 24 ); /* 4 byte length header */
gcry_md_putc ( md, n >> 24 ); /* 4 byte length header (upper bits) */
gcry_md_putc ( md, n >> 16 );
gcry_md_putc ( md, n >> 8 );
gcry_md_putc ( md, n );
/* Note that the next byte may either be 4 or 5. */
gcry_md_putc ( md, pk->version );
}
else
{
gcry_md_putc ( md, 0x99 ); /* ctb */
gcry_md_putc ( md, n >> 8 ); /* 2 byte length header */
gcry_md_putc ( md, n );
gcry_md_putc ( md, pk->version );
}
gcry_md_putc ( md, n >> 8 ); /* lower bits of the length header. */
gcry_md_putc ( md, n );
gcry_md_putc ( md, pk->version );
gcry_md_putc ( md, pk->timestamp >> 24 );
gcry_md_putc ( md, pk->timestamp >> 16 );
gcry_md_putc ( md, pk->timestamp >> 8 );
@ -260,7 +380,7 @@ do_hash_public_key (gcry_md_hd_t md, PKT_public_key *pk, int use_v5)
gcry_md_putc ( md, pk->pubkey_algo );
if (use_v5)
if (use_v5) /* Hash the 32 bit length */
{
n -= 10;
gcry_md_putc ( md, n >> 24 );
@ -935,6 +1055,32 @@ v5_fingerprint_from_pk (PKT_public_key *pk, byte *array, size_t *ret_len)
}
/*
* This is the core of fpr20_from_pk which directly takes a
* fingerprint and its length instead of the public key. See below
* for details.
*/
void
fpr20_from_fpr (const byte *fpr, unsigned int fprlen, byte array[20])
{
if (fprlen >= 32) /* v5 fingerprint (or larger) */
{
memcpy (array + 0, fpr + 20, 4);
memcpy (array + 4, fpr + 24, 4);
memcpy (array + 8, fpr + 28, 4);
memcpy (array + 12, fpr + 0, 4); /* kid[0] */
memcpy (array + 16, fpr + 4, 4); /* kid[1] */
}
else if (fprlen == 20) /* v4 fingerprint */
memcpy (array, fpr, 20);
else /* v3 or too short: fill up with zeroes. */
{
memset (array, 0, 20);
memcpy (array, fpr, fprlen);
}
}
/*
* Get FPR20 for the given PK/SK into ARRAY.
*
@ -951,19 +1097,7 @@ fpr20_from_pk (PKT_public_key *pk, byte array[20])
if (!pk->fprlen)
compute_fingerprint (pk);
if (!array)
array = xmalloc (pk->fprlen);
if (pk->fprlen == 32) /* v5 fingerprint */
{
memcpy (array + 0, pk->fpr + 20, 4);
memcpy (array + 4, pk->fpr + 24, 4);
memcpy (array + 8, pk->fpr + 28, 4);
memcpy (array + 12, pk->fpr + 0, 4); /* kid[0] */
memcpy (array + 16, pk->fpr + 4, 4); /* kid[1] */
}
else /* v4 fingerprint */
memcpy (array, pk->fpr, 20);
fpr20_from_fpr (pk->fpr, pk->fprlen, array);
}


@ -84,6 +84,7 @@ struct weakhash
/*-- gpg.c --*/
extern int g10_errors_seen;
extern int assert_signer_true;
extern int assert_pubkey_algo_false;
#if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 5 )
void g10_exit(int rc) __attribute__ ((__noreturn__));
@ -495,6 +496,7 @@ int verify_files (ctrl_t ctrl, int nfiles, char **files );
int gpg_verify (ctrl_t ctrl, gnupg_fd_t sig_fd, gnupg_fd_t data_fd,
estream_t out_fp);
void check_assert_signer_list (const char *mainpkhex, const char *pkhex);
void check_assert_pubkey_algo (const char *algostr, const char *pkhex);
/*-- decrypt.c --*/
int decrypt_message (ctrl_t ctrl, const char *filename );


@ -898,7 +898,7 @@ proc_encrypted (CTX c, PACKET *pkt)
* encrypted packet. */
literals_seen++;
/* The --require-compliance option allows to simplify decryption in
/* The --require-compliance option allows one to simplify decryption in
* de-vs compliance mode by just looking at the exit status. */
if (opt.flags.require_compliance
&& opt.compliance == CO_DE_VS
@ -1876,6 +1876,8 @@ check_sig_and_print (CTX c, kbnode_t node)
const void *extrahash = NULL;
size_t extrahashlen = 0;
kbnode_t included_keyblock = NULL;
char pkstrbuf[PUBKEY_STRING_SIZE] = { 0 };
if (opt.skip_verify)
{
@ -2409,8 +2411,14 @@ check_sig_and_print (CTX c, kbnode_t node)
show_notation (sig, 0, 2, 0);
}
/* Fill PKSTRBUF with the algostring in case we later need it. */
if (pk)
pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
/* For good signatures print the VALIDSIG status line. */
if (!rc && (is_status_enabled () || opt.assert_signer_list) && pk)
if (!rc && (is_status_enabled ()
|| opt.assert_signer_list
|| opt.assert_pubkey_algos) && pk)
{
char pkhex[MAX_FINGERPRINT_LEN*2+1];
char mainpkhex[MAX_FINGERPRINT_LEN*2+1];
@ -2432,6 +2440,8 @@ check_sig_and_print (CTX c, kbnode_t node)
mainpkhex);
/* Handle the --assert-signer option. */
check_assert_signer_list (mainpkhex, pkhex);
/* Handle the --assert-pubkey-algo option. */
check_assert_pubkey_algo (pkstrbuf, pkhex);
}
/* Print compliance warning for Good signatures. */
@ -2464,13 +2474,6 @@ check_sig_and_print (CTX c, kbnode_t node)
if (opt.verbose)
{
char pkstrbuf[PUBKEY_STRING_SIZE];
if (pk)
pubkey_string (pk, pkstrbuf, sizeof pkstrbuf);
else
*pkstrbuf = 0;
log_info (_("%s signature, digest algorithm %s%s%s\n"),
sig->sig_class==0x00?_("binary"):
sig->sig_class==0x01?_("textmode"):_("unknown"),
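Review bot: The new `check_assert_pubkey_algo (pkstrbuf, pkhex)` call sits inside the `!rc && (...) && pk` branch, so it runs only for good signatures, and `assert_pubkey_algo_false` stays 0 when verification fails or no public key is available. That is safe only if the exit-status logic, which is not visible in this section, still reports the failure from `rc` itself. I would state this at the call, e.g. `/* Only reached for good signatures; a bad signature must be reported via RC, never inferred from assert_pubkey_algo_false being 0. */`. check_sig_and_print starts and ends outside these hunks.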


@ -126,9 +126,9 @@ struct
int marginals_needed;
int completes_needed;
int max_cert_depth;
const char *agent_program;
const char *keyboxd_program;
const char *dirmngr_program;
char *agent_program;
char *keyboxd_program;
char *dirmngr_program;
int disable_dirmngr;
const char *def_new_key_algo;
@ -241,6 +241,10 @@ struct
* modify to be uppercase if they represent a fingerrint */
strlist_t assert_signer_list;
/* A single string with the comma delimited args from
* --assert-pubkey_algo. */
char *assert_pubkey_algos;
struct
{
/* If set, require an 0x19 backsig to be present on signatures
@ -414,12 +418,13 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode;
#define EXPORT_ATTRIBUTES (1<<1)
#define EXPORT_SENSITIVE_REVKEYS (1<<2)
#define EXPORT_RESET_SUBKEY_PASSWD (1<<3)
#define EXPORT_MINIMAL (1<<4)
#define EXPORT_CLEAN (1<<5)
#define EXPORT_MINIMAL (1<<5)
#define EXPORT_CLEAN (1<<6)
#define EXPORT_DANE_FORMAT (1<<7)
#define EXPORT_BACKUP (1<<10)
#define EXPORT_REVOCS (1<<11)
#define EXPORT_MODE1003 (1<<12)
#define EXPORT_REALCLEAN (1<<13)
#define LIST_SHOW_PHOTOS (1<<0)
#define LIST_SHOW_POLICY_URLS (1<<1)
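Review bot: The comment on the new `assert_pubkey_algos` member spells the option `--assert-pubkey_algo`, while the comments elsewhere in this commit use `--assert-pubkey-algo`; the line should read `* --assert-pubkey-algo. */`. The member is a plain `char *`, so the comment could also say who owns and frees the string, which this hunk does not show. Separately, `EXPORT_MINIMAL` and `EXPORT_CLEAN` each appear with two different bit values; assuming the second pair is the new side, it is worth confirming that nothing stores or passes these flags as raw numbers.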


@ -67,12 +67,3 @@ do_test (int argc, char *argv[])
release_kbnode (kb1);
xfree (ctrl);
}
int assert_signer_true = 0;
void
check_assert_signer_list (const char *mainpkhex, const char *pkhex)
{
(void)mainpkhex;
(void)pkhex;
}


@ -105,13 +105,3 @@ do_test (int argc, char *argv[])
keydb_release (hd2);
xfree (ctrl);
}
int assert_signer_true = 0;
void
check_assert_signer_list (const char *mainpkhex, const char *pkhex)
{
(void)mainpkhex;
(void)pkhex;
}

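--- a/g10/t-keyid.c
+++ b/g10/t-keyid.c
@@ -0,0 +1,129 @@
+/* t-keyid.c - Tests for keyid.c.
+* Copyright (C) 2024 g10 Code GmbH
+*
+* This file is part of GnuPG.
+*
+* GnuPG is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 3 of the License, or
+* (at your option) any later version.
+*
+* GnuPG is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, see <https://www.gnu.org/licenses/>.
+* SPDX-License-Identifier: GPL-3.0-or-later
+*/
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#define LEAN_T_SUPPORT 1
+#define PGM "t-keyid"
+#include "gpg.h"
+#include "keydb.h"
+#include "../common/t-support.h"
+static int verbose;
+static void
+test_compare_pubkey_string (void)
+{
+static struct { const char *astr; const char *bstr; int expected; } t[] =
+{
+{ "rsa2048" , "rsa2048" , 1 },
+{ "rsa2048" , ">=rsa2048" , 1 },
+{ "rsa2048" , ">rsa2048" , 0 },
+{ "ed25519" , ">rsa1024" , 0 },
+{ "ed25519" , "ed25519" , 1 },
+{ "ed25519" , ",,,=ed25519" , 1 },
+{ "nistp384" , ">nistp256" , 1 },
+{ "nistp521" , ">=rsa3072, >nistp384", 1 },
+{ " nistp521" , ">=rsa3072, >nistp384 ", 1 },
+{ " nistp521 " , " >=rsa3072, >nistp384 ", 1 },
+{ " =nistp521 " , " >=rsa3072, >nistp384,,", 1 },
+{ "nistp384" , ">nistp384" , 0 },
+{ "nistp384" , ">=nistp384" , 1 },
+{ "brainpoolP384" , ">=brainpoolp256", 1 },
+{ "brainpoolP384" , ">brainpoolp384" , 0 },
+{ "brainpoolP384" , ">=brainpoolp384", 1 },
+{ "brainpoolP256r1", ">brainpoolp256r1", 0 },
+{ "brainpoolP384r1", ">brainpoolp384r1" , 0 },
+{ "brainpoolP384r1", ">=brainpoolp384r1", 1 },
+{ "brainpoolP384r1", ">=brainpoolp384" , 1 },
+{ "", "", 0}
+};
+int idx;
+int result;
+for (idx=0; idx < DIM(t); idx++)
+{
+result = compare_pubkey_string (t[idx].astr, t[idx].bstr);
+if (result != t[idx].expected)
+{
+fail (idx);
+if (verbose)
+log_debug ("\"%s\", \"%s\" want %d got %d\n",
+t[idx].astr, t[idx].bstr, t[idx].expected, result);
+}
+}
+}
+int
+main (int argc, char **argv)
+{
+int last_argc = -1;
+no_exit_on_fail = 1;
+if (argc)
+{ argc--; argv++; }
+while (argc && last_argc != argc )
+{
+last_argc = argc;
+if (!strcmp (*argv, "--"))
+{
+argc--; argv++;
+break;
+}
+else if (!strcmp (*argv, "--help"))
+{
+fputs ("usage: " PGM " [FILE]\n"
+"Options:\n"
+" --verbose Print timings etc.\n"
+" --debug Flyswatter\n"
+, stdout);
+exit (0);
+}
+else if (!strcmp (*argv, "--verbose"))
+{
+verbose++;
+argc--; argv++;
+}
+else if (!strcmp (*argv, "--debug"))
+{
+verbose += 2;
+argc--; argv++;
+}
+else if (!strncmp (*argv, "--", 2))
+{
+fprintf (stderr, PGM ": unknown option '%s'\n", *argv);
+exit (1);
+}
+}
+test_compare_pubkey_string ();
+return !!errcount;
+}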
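Review bot: The table in `test_compare_pubkey_string` covers matching, non-matching and whitespace variants, but apart from the final `{ "", "", 0}` row it has no rows for malformed constraints, which is the input that decides whether --assert-pubkey-algo fails closed. I would add rows with expected result 0 for a bare operator, an unknown algorithm name and a name followed by trailing characters, for example `{ "rsa2048", ">=", 0 },` (a constructed sample; confirm the expected value against parse_one_algo_string, which is not part of this section). The loop also compares the `int idx` with `DIM(t)`; if DIM yields a size_t, an unsigned index would avoid a sign-compare warning.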


@ -611,12 +611,3 @@ do_test (int argc, char *argv[])
xfree (filename);
}
int assert_signer_true = 0;
void
check_assert_signer_list (const char *mainpkhex, const char *pkhex)
{
(void)mainpkhex;
(void)pkhex;
}


@ -190,7 +190,11 @@ import_ownertrust (ctrl_t ctrl, const char *fname )
while (fprlen < MAX_FINGERPRINT_LEN)
fpr[fprlen++] = 0;
rc = tdbio_search_trust_byfpr (ctrl, fpr, &rec);
/* FIXME: The intention is to save the special fpr20 as used
* in the trustdb here. However, the above conversions seems
* not to be aware of this. Or why does it allow up to
* MAX_FINGERPRINT_LEN ? */
rc = tdbio_search_trust_byfpr (ctrl, fpr, 20, &rec);
if( !rc ) { /* found: update */
if (rec.r.trust.ownertrust != otrust)
{
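Review bot: The call now passes a hard-coded `20` although the loop just above pads `fpr` up to `MAX_FINGERPRINT_LEN`, so a longer fingerprint read from the ownertrust file is looked up by its first 20 bytes rather than through the fpr20 mapping that `tdbio_search_trust_byfpr` applies to other lengths. The added FIXME names the doubt but leaves the behaviour in place. One way to settle it is to remember the parsed length before the padding loop and pass that, e.g. `rc = tdbio_search_trust_byfpr (ctrl, fpr, parsed_fprlen, &rec);` where `parsed_fprlen` is a placeholder name. The parsing code of import_ownertrust lies outside this hunk, so the change needs checking against it.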


@ -1864,13 +1864,21 @@ cmp_trec_fpr ( const void *fpr, const TRUSTREC *rec )
* Return: 0 if found, GPG_ERR_NOT_FOUND, or another error code.
*/
gpg_error_t
tdbio_search_trust_byfpr (ctrl_t ctrl, const byte *fingerprint, TRUSTREC *rec)
tdbio_search_trust_byfpr (ctrl_t ctrl, const byte *fpr, unsigned int fprlen,
TRUSTREC *rec)
{
int rc;
byte fingerprint[20];
if (fprlen != 20)
{
fpr20_from_fpr (fpr, fprlen, fingerprint);
fpr = fingerprint;
}
/* Locate the trust record using the hash table */
rc = lookup_hashtable (get_trusthashrec (ctrl), fingerprint, 20,
cmp_trec_fpr, fingerprint, rec );
rc = lookup_hashtable (get_trusthashrec (ctrl), fpr, 20,
cmp_trec_fpr, fpr, rec);
return rc;
}
@ -1887,7 +1895,7 @@ tdbio_search_trust_bypk (ctrl_t ctrl, PKT_public_key *pk, TRUSTREC *rec)
byte fingerprint[20];
fpr20_from_pk (pk, fingerprint);
return tdbio_search_trust_byfpr (ctrl, fingerprint, rec);
return tdbio_search_trust_byfpr (ctrl, fingerprint, 20, rec);
}
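Review bot: `tdbio_search_trust_byfpr` hands any `fprlen` other than 20 to `fpr20_from_fpr` together with the 20-byte local `fingerprint`, and the fallback branch of `fpr20_from_fpr` as added in this commit does `memcpy (array, fpr, fprlen)` for every length that is neither 20 nor at least 32. A length of 21 to 31 would therefore write past the end of `fingerprint`. The callers visible here pass 20, so this is a hardening point rather than a demonstrated fault, but this function is now where lengths are normalised and it should reject the unsupported range before converting, e.g. `if (fprlen > 20 && fprlen < 32) return gpg_error (GPG_ERR_INV_LENGTH);`.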


@ -111,7 +111,8 @@ int tdbio_end_transaction(void);
int tdbio_cancel_transaction(void);
int tdbio_delete_record (ctrl_t ctrl, ulong recnum);
ulong tdbio_new_recnum (ctrl_t ctrl);
gpg_error_t tdbio_search_trust_byfpr (ctrl_t ctrl, const byte *fingerprint,
gpg_error_t tdbio_search_trust_byfpr (ctrl_t ctrl,
const byte *fpr, unsigned int fprlen,
TRUSTREC *rec);
gpg_error_t tdbio_search_trust_bypk (ctrl_t ctrl, PKT_public_key *pk,
TRUSTREC *rec);


@ -43,6 +43,9 @@
#include "call-agent.h"
int g10_errors_seen;
int assert_signer_true = 0;
int assert_pubkey_algo_false = 0;
void
@ -580,3 +583,18 @@ impex_filter_getval (void *cookie, const char *propname)
(void)propname;
return NULL;
}
void
check_assert_signer_list (const char *mainpkhex, const char *pkhex)
{
(void)mainpkhex;
(void)pkhex;
}
void
check_assert_pubkey_algo (const char *algostr, const char *pkhex)
{
(void)algostr;
(void)pkhex;
}


@ -15,6 +15,7 @@
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <https://www.gnu.org/licenses/>.
* SPDX-License-Identifier: GPL-3.0-or-later
*/
#include <config.h>


@ -39,8 +39,52 @@
#include "tofu.h"
#include "key-clean.h"
typedef struct key_item **KeyHashTable; /* see new_key_hash_table() */
/*
* Structure to keep track of keys, this is used as an array where the
* item right after the last one has a keyblock set to NULL. Maybe we
* can drop this thing and replace it by key_item
*/
struct key_array
{
KBNODE keyblock;
};
/* Control information for the trust DB. */
static struct
{
int init;
int level;
char *dbname;
int no_trustdb;
} trustdb_args;
/* Some globals. */
static struct key_item *utk_list; /* all ultimately trusted keys */
/* A list used to temporary store trusted keys and a flag indicated
* whether any --trusted-key option has been seen. */
static struct key_item *trusted_key_list;
static int any_trusted_key_seen;
/* Flag whether a trustdb check is pending. */
static int pending_check_trustdb;
static void write_record (ctrl_t ctrl, TRUSTREC *rec);
static void do_sync(void);
static void do_sync (void);
static int validate_keys (ctrl_t ctrl, int interactive);
/**********************************************
************* some helpers *******************
**********************************************/
@ -54,7 +98,7 @@ keyid_from_fpr20 (ctrl_t ctrl, const byte *fpr, u32 *keyid)
keyid = dummy_keyid;
/* Problem: We do only use fingerprints in the trustdb but
* we need the keyID here to indetify the key; we can only
* we need the keyID here to identify the key; we can only
* use that ugly hack to distinguish between 16 and 20
* bytes fpr - it does not work always so we better change
* the whole validation code to only work with
@ -88,40 +132,6 @@ keyid_from_fpr20 (ctrl_t ctrl, const byte *fpr, u32 *keyid)
return keyid[1];
}
typedef struct key_item **KeyHashTable; /* see new_key_hash_table() */
/*
* Structure to keep track of keys, this is used as an array wherre
* the item right after the last one has a keyblock set to NULL.
* Maybe we can drop this thing and replace it by key_item
*/
struct key_array
{
KBNODE keyblock;
};
/* Control information for the trust DB. */
static struct
{
int init;
int level;
char *dbname;
int no_trustdb;
} trustdb_args;
/* Some globals. */
static struct key_item *user_utk_list; /* temp. used to store --trusted-keys */
static struct key_item *utk_list; /* all ultimately trusted keys */
static int pending_check_trustdb;
static int validate_keys (ctrl_t ctrl, int interactive);
/**********************************************
************* some helpers *******************
**********************************************/
static struct key_item *
new_key_item (void)
@ -245,11 +255,19 @@ tdb_register_trusted_keyid (u32 *keyid)
k = new_key_item ();
k->kid[0] = keyid[0];
k->kid[1] = keyid[1];
k->next = user_utk_list;
user_utk_list = k;
k->next = trusted_key_list;
trusted_key_list = k;
}
/* This is called for the option --trusted-key to register these keys
* for later syncing them into the trustdb. The special value "none"
* may be used to indicate that there is a trusted-key option but no
* key shall be inserted for it. This "none" value is helpful to
* distinguish between changing the gpg.conf from a trusted-key to no
* trusted-key options at all. Simply not specify the option would
* not allow to distinguish this case from the --no-options case as
* used for certain calls of gpg for example by gpg-wks-client. */
void
tdb_register_trusted_key (const char *string)
{
@ -257,6 +275,9 @@ tdb_register_trusted_key (const char *string)
KEYDB_SEARCH_DESC desc;
u32 kid[2];
any_trusted_key_seen = 1;
if (!strcmp (string, "none"))
return;
err = classify_user_id (string, &desc, 1);
if (!err)
{
@ -378,11 +399,12 @@ verify_own_keys (ctrl_t ctrl)
if (!add_utk (kid))
log_info (_("key %s occurs more than once in the trustdb\n"),
keystr(kid));
else if ((rec.r.trust.flags & 1))
else if ((rec.r.trust.flags & 1)
&& any_trusted_key_seen)
{
/* Record marked as inserted via --trusted-key. Is this
* still the case? */
for (k2 = user_utk_list; k2; k2 = k2->next)
for (k2 = trusted_key_list; k2; k2 = k2->next)
if (k2->kid[0] == kid[0] && k2->kid[1] == kid[1])
break;
if (!k2) /* No - clear the flag. */
@ -406,7 +428,7 @@ verify_own_keys (ctrl_t ctrl)
}
/* Put any --trusted-key keys into the trustdb */
for (k = user_utk_list; k; k = k->next)
for (k = trusted_key_list; k; k = k->next)
{
if ( add_utk (k->kid) )
{ /* not yet in trustDB as ultimately trusted */
@ -431,9 +453,9 @@ verify_own_keys (ctrl_t ctrl)
}
}
/* release the helper table table */
release_key_items (user_utk_list);
user_utk_list = NULL;
/* Release the helper table. */
release_key_items (trusted_key_list);
trusted_key_list = NULL;
return;
}
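Review bot: The new `&& any_trusted_key_seen` condition in verify_own_keys means a record flagged as inserted via --trusted-key keeps its ultimate trust whenever no trusted-key option is seen at all, so deleting the last `trusted-key` line from the configuration no longer withdraws that trust unless `trusted-key none` is given. The comment above tdb_register_trusted_key explains the motivation, but the consequence is not stated where the decision is taken. I would add at the condition `/* Without any --trusted-key option the flag is left alone; "trusted-key none" is needed to clear it. */`. The match on "none" uses `strcmp` and is therefore case-sensitive, which the comment could also mention. verify_own_keys is only partly inside these hunks.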


@ -335,7 +335,7 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
assert_signer_true = 1;
write_status_text (STATUS_ASSERT_SIGNER, item->d);
if (!opt.quiet)
log_info ("signer '%s' matched\n", item->d);
log_info ("asserted signer '%s'\n", item->d);
goto leave;
}
}
@ -390,7 +390,7 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
assert_signer_true = 1;
write_status_text (STATUS_ASSERT_SIGNER, p);
if (!opt.quiet)
log_info ("signer '%s' matched '%s', line %d\n",
log_info ("asserted signer '%s' (%s:%d)\n",
p, fname, lnr);
goto leave;
}
@ -407,3 +407,32 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex)
leave:
es_fclose (fp);
}
/* This function shall be called with the signer's public key
* algorithm ALGOSTR iff a signature is fully valid. If the option
* --assert-pubkey-algo is active the functions checks whether the
* signing key's algo is valid according to that list; in this case a
* global flag is set. */
void
check_assert_pubkey_algo (const char *algostr, const char *pkhex)
{
if (!opt.assert_pubkey_algos)
return; /* Nothing to do. */
if (compare_pubkey_string (algostr, opt.assert_pubkey_algos))
{
write_status_strings (STATUS_ASSERT_PUBKEY_ALGO,
pkhex, " 1 ", algostr, NULL);
if (!opt.quiet)
log_info ("asserted signer '%s' with algo %s\n", pkhex, algostr);
}
else
{
if (!opt.quiet)
log_info ("denied signer '%s' with algo %s\n", pkhex, algostr);
assert_pubkey_algo_false = 1;
write_status_strings (STATUS_ASSERT_PUBKEY_ALGO,
pkhex, " 0 ", algostr, NULL);
}
}
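Review bot: The header comment of `check_assert_pubkey_algo` says a global flag is set when the algorithm is valid according to the list, but the code sets `assert_pubkey_algo_false = 1` only in the branch where `compare_pubkey_string` does not match. The flag is never reset in this function, so one non-matching signer among several valid signatures leaves it set; that fail-closed behaviour deserves to be stated. Suggested wording for the end of the comment: `if the algorithm does not satisfy that list, the global flag assert_pubkey_algo_false is set and stays set`.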


@ -455,6 +455,9 @@ main (int argc, char **argv)
pargs.argv = &argv;
pargs.flags |= (ARGPARSE_FLAG_RESET
| ARGPARSE_FLAG_KEEP
#if GPGRT_VERSION_NUMBER >= 0x013000 /* >= 1.48 */
| ARGPARSE_FLAG_COMMAND
#endif
| ARGPARSE_FLAG_SYS
| ARGPARSE_FLAG_USER);


@ -2303,9 +2303,6 @@ msgstr "crea eixida amb armadura ascii"
msgid "|FILE|write output to FILE"
msgstr "|FITXER|carrega el mòdul d'extensió especificat"
msgid "use canonical text mode"
msgstr "usa el mode de text canònic"
#, fuzzy
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|nivell de compressió N (0 no comprimeix)"
@ -7132,7 +7129,7 @@ msgid "||Please enter the PIN"
msgstr "canvia la contrasenya"
#, fuzzy
msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "Seleccioneu la raó de la revocació:\n"
#, c-format
@ -9505,6 +9502,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "usa el mode de text canònic"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2132,9 +2132,6 @@ msgstr "vytvořit výstup zapsaný v ASCII"
msgid "|FILE|write output to FILE"
msgstr "|SOUBOR|zapsat výstup do SOUBORU"
msgid "use canonical text mode"
msgstr "použít kanonický textový režim"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|nastavit úroveň komprese na N (0  žádná)"
@ -6707,7 +6704,9 @@ msgstr "přístup k příkazům správce není nakonfigurován\n"
msgid "||Please enter the PIN"
msgstr "||Prosím, zadejte PIN"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Prosím, zadejte resetační kód karty"
#, c-format
@ -8983,6 +8982,9 @@ msgstr "Příkazy pro správu Yubikey"
msgid "manage the command history"
msgstr "spravuje historii příkazů"
#~ msgid "use canonical text mode"
#~ msgstr "použít kanonický textový režim"
#~ msgid "selected AEAD algorithm is invalid\n"
#~ msgstr "vybraný algoritmus AEAD je neplatný\n"


@ -2334,9 +2334,6 @@ msgstr "opret ascii-pansrede uddata"
msgid "|FILE|write output to FILE"
msgstr "|FILE|skriv resultat til FIL"
msgid "use canonical text mode"
msgstr "brug kanonisk teksttilstand"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|sæt komprimeringsniveauet til N (0 deaktiverer)"
@ -7175,7 +7172,9 @@ msgstr "adgang til administratorkommandoer er ikke konfigureret\n"
msgid "||Please enter the PIN"
msgstr "||Indtast venligst PIN'en"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Indtast venligst nulstillingskoden for kortet"
#, c-format
@ -9720,6 +9719,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "brug kanonisk teksttilstand"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -9,7 +9,7 @@ msgid ""
msgstr ""
"Project-Id-Version: gnupg-2.4.1\n"
"Report-Msgid-Bugs-To: translations@gnupg.org\n"
"PO-Revision-Date: 2024-01-24 14:05+0100\n"
"PO-Revision-Date: 2024-03-07 13:56+0100\n"
"Last-Translator: Werner Koch <wk@gnupg.org>\n"
"Language-Team: German\n"
"Language: de\n"
@ -2142,9 +2142,6 @@ msgstr "Ausgabe mit ASCII-Hülle versehen"
msgid "|FILE|write output to FILE"
msgstr "|DATEI|Ausgabe auf DATEI schreiben"
msgid "use canonical text mode"
msgstr "Textmodus benutzen"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|Kompressionsstufe auf N setzen (0=keine)"
@ -6801,8 +6798,8 @@ msgstr "Zugriff auf Admin-Befehle ist nicht eingerichtet\n"
msgid "||Please enter the PIN"
msgstr "||Bitte die PIN eingeben"
msgid "||Please enter the Reset Code for the card"
msgstr "Bitte geben Sie den Rückstellcode für diese Karte ein"
msgid "|R|Please enter the Reset Code for the card"
msgstr "|R|Bitte geben Sie den Rückstellcode für diese Karte ein"
#, c-format
msgid "Reset Code is too short; minimum length is %d\n"
@ -9116,6 +9113,9 @@ msgstr "Verwaltungskommandos für Yubikeys"
msgid "manage the command history"
msgstr "Verwaltung der Kommandohistorie"
#~ msgid "use canonical text mode"
#~ msgstr "Textmodus benutzen"
#~ msgid "continuing verification anyway due to option %s\n"
#~ msgstr "Die Prüfung wird aufgrund der Option %s weiter durchgeführt\n"
@ -9298,7 +9298,6 @@ msgstr "Verwaltung der Kommandohistorie"
#~ msgid "ldapserver missing"
#~ msgstr "LDAP Server fehlt"
#, fuzzy
#~ msgid "Suggest a random passphrase."
#~ msgstr "Ein zufälliges Passwort vorschlagen"


@ -2232,9 +2232,6 @@ msgstr "δημιουργία ascii θωρακισμένης εξόδου"
msgid "|FILE|write output to FILE"
msgstr "|ΑΡΧΕΙΟ|φόρτωμα του αρθρώματος επέκτασης ΑΡΧΕΙΟ"
msgid "use canonical text mode"
msgstr "χρήση κανονικής κατάστασης κειμένου"
#, fuzzy
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|καθορισμός επιπέδου συμπίεσης N (0 απενεργοποιεί)"
@ -6997,7 +6994,7 @@ msgid "||Please enter the PIN"
msgstr "αλλαγή της φράσης κλειδί"
#, fuzzy
msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "Παρακαλώ επιλέξτε την αιτία για την ανάκληση:\n"
#, c-format
@ -9329,6 +9326,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "χρήση κανονικής κατάστασης κειμένου"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2215,9 +2215,6 @@ msgstr "krei eligon en askia kiraso"
msgid "|FILE|write output to FILE"
msgstr "|DOSIERO|legi aldonan bibliotekon DOSIERO"
msgid "use canonical text mode"
msgstr "uzi tekstan reĝimon"
#, fuzzy
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|difini densig-nivelon N (0=nenia)"
@ -6906,7 +6903,7 @@ msgid "||Please enter the PIN"
msgstr "ŝanĝi la pasfrazon"
#, fuzzy
msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "Kialo por revoko: "
#, c-format
@ -9240,6 +9237,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "uzi tekstan reĝimon"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2201,9 +2201,6 @@ msgstr "crea una salida ascii con armadura"
msgid "|FILE|write output to FILE"
msgstr "|FILE|volcar salida en FICHERO"
msgid "use canonical text mode"
msgstr "usa modo de texto canónico"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|nivel de compresión N (0 desactiva)"
@ -6848,7 +6845,9 @@ msgstr "el acceso a órdenes de administrador no está configurado\n"
msgid "||Please enter the PIN"
msgstr "||Por favor introduzca PIN"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Por favor introduzca Código de Reinicio de la tarjeta"
#, c-format
@ -9166,6 +9165,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "usa modo de texto canónico"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2223,9 +2223,6 @@ msgstr "loo ascii pakendis väljund"
msgid "|FILE|write output to FILE"
msgstr "|FAIL|lae laiendusmoodul FAIL"
msgid "use canonical text mode"
msgstr "kasuta kanoonilist tekstimoodi"
#, fuzzy
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|määra pakkimise tase N (0 blokeerib)"
@ -6917,7 +6914,7 @@ msgid "||Please enter the PIN"
msgstr "muuda parooli"
#, fuzzy
msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "Palun valige tühistamise põhjus:\n"
#, c-format
@ -9244,6 +9241,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "kasuta kanoonilist tekstimoodi"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2240,9 +2240,6 @@ msgstr "tuota ascii-koodattu tuloste"
msgid "|FILE|write output to FILE"
msgstr "|TIEDOSTO|lataa laajennusmoduuli TIEDOSTO"
msgid "use canonical text mode"
msgstr "käytä tekstimuotoa"
#, fuzzy
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|aseta pakkausaste N (0 poistaa käytöstä)"
@ -6980,7 +6977,7 @@ msgid "||Please enter the PIN"
msgstr "muuta salasanaa"
#, fuzzy
msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "Valitse mitätöinnin syy:\n"
#, c-format
@ -9312,6 +9309,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "käytä tekstimuotoa"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2260,9 +2260,6 @@ msgstr "créer une sortie ASCII avec armure"
msgid "|FILE|write output to FILE"
msgstr "|FICHIER|écrire la sortie dans le FICHIER"
msgid "use canonical text mode"
msgstr "utiliser le mode texte canonique"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|niveau de compression N (0 désactive)"
@ -7116,7 +7113,9 @@ msgstr "l'accès aux commandes d'administration n'est pas configuré\n"
msgid "||Please enter the PIN"
msgstr "||Veuillez entrer le code personnel"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Veuillez entrer le code de réinitialisation pour la carte"
#, c-format
@ -9523,6 +9522,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "utiliser le mode texte canonique"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2231,9 +2231,6 @@ msgstr "crear saída con armadura en ascii"
msgid "|FILE|write output to FILE"
msgstr "|FICHEIRO|carga-lo módulo de extensión FICHEIRO"
msgid "use canonical text mode"
msgstr "usar modo de texto canónico"
#, fuzzy
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|axusta-lo nivel de compresión a N (0 desactiva)"
@ -6981,7 +6978,7 @@ msgid "||Please enter the PIN"
msgstr "cambia-lo contrasinal"
#, fuzzy
msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "Por favor, escolla o motivo da revocación:\n"
#, c-format
@ -9324,6 +9321,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "usar modo de texto canónico"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2223,9 +2223,6 @@ msgstr "ascii páncélozott kimenet létrehozása"
msgid "|FILE|write output to FILE"
msgstr "|fájl|bővítő modul betöltése"
msgid "use canonical text mode"
msgstr "kanonikus szöveges mód használata"
#, fuzzy
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|tömörítési szint beállítása N-re (0: tiltás)"
@ -6943,7 +6940,7 @@ msgid "||Please enter the PIN"
msgstr "jelszóváltoztatás"
#, fuzzy
msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "Kérem, válassza ki a visszavonás okát:\n"
#, c-format
@ -9271,6 +9268,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "kanonikus szöveges mód használata"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2227,9 +2227,6 @@ msgstr "ciptakan output ascii"
msgid "|FILE|write output to FILE"
msgstr "|FILE|muat modul ekstensi FILE"
msgid "use canonical text mode"
msgstr "gunakan mode teks kanonikal"
#, fuzzy
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|set tingkat kompresi N (0 tidak ada)"
@ -6942,7 +6939,7 @@ msgid "||Please enter the PIN"
msgstr "ubah passphrase"
#, fuzzy
msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "Silakan pilih alasan untuk pembatalan:\n"
#, c-format
@ -9270,6 +9267,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "gunakan mode teks kanonikal"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2135,9 +2135,6 @@ msgstr "crea un output ascii con armatura"
msgid "|FILE|write output to FILE"
msgstr "|FILE|scrittura dell'output in FILE"
msgid "use canonical text mode"
msgstr "usa il modo testo canonico"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|Impostare il livello di compressione su N (0 disabilita)"
@ -6762,7 +6759,9 @@ msgstr "l'accesso ai comandi di amministrazione non è configurato\n"
msgid "||Please enter the PIN"
msgstr "||Inserisci il PIN"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Inserisci il Codice reset per la carta"
#, c-format
@ -9078,6 +9077,9 @@ msgstr "Comandi di gestione Yubikey"
msgid "manage the command history"
msgstr "gestire la cronologia dei comandi"
#~ msgid "use canonical text mode"
#~ msgstr "usa il modo testo canonico"
#~ msgid "selected AEAD algorithm is invalid\n"
#~ msgstr "l'algoritmo AEAD selezionato non è valido\n"


@ -11,7 +11,7 @@ msgid ""
msgstr ""
"Project-Id-Version: gnupg 2.4.3\n"
"Report-Msgid-Bugs-To: translations@gnupg.org\n"
"PO-Revision-Date: 2024-01-25 09:06+0900\n"
"PO-Revision-Date: 2024-03-07 13:59+0100\n"
"Last-Translator: NIIBE Yutaka <gniibe@fsij.org>\n"
"Language-Team: none\n"
"Language: ja\n"
@ -2086,9 +2086,6 @@ msgstr "ASCII形式の外装を作成"
msgid "|FILE|write output to FILE"
msgstr "|FILE|出力をFILEに書き出す"
msgid "use canonical text mode"
msgstr "正準テキスト・モードを使用"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|圧縮レベルをNに設定 (0は非圧縮)"
@ -6484,8 +6481,8 @@ msgstr "管理コマンドへのアクセスが設定されていません\n"
msgid "||Please enter the PIN"
msgstr "||PINを入力してください"
msgid "||Please enter the Reset Code for the card"
msgstr "||カードのリセット・コードを入力してください"
msgid "|R|Please enter the Reset Code for the card"
msgstr "|R|カードのリセット・コードを入力してください"
#, c-format
msgid "Reset Code is too short; minimum length is %d\n"
@ -8738,6 +8735,9 @@ msgstr "Yubikey管理コマンド"
msgid "manage the command history"
msgstr "コマンド履歴を管理する"
#~ msgid "use canonical text mode"
#~ msgstr "正準テキスト・モードを使用"
#~ msgid "continuing verification anyway due to option %s\n"
#~ msgstr "オプション %sのため、検証を続けます\n"


@ -2171,9 +2171,6 @@ msgstr "lag ASCII-beskyttet utdata"
msgid "|FILE|write output to FILE"
msgstr "|FILE|skriv utdata til valgt FIL"
msgid "use canonical text mode"
msgstr "bruk kanonisk tekstmodus"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|endre komprimeringsnivå til N (0 for å slå av)"
@ -6770,7 +6767,9 @@ msgstr "tilgang til admin-kommandoer er ikke konfigurert\n"
msgid "||Please enter the PIN"
msgstr "||Skriv inn PIN-kode"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Skriv inn tilbakestillingskode for kortet"
#, c-format
@ -9055,6 +9054,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "bruk kanonisk tekstmodus"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"

651
po/pl.po

@ -2,13 +2,13 @@
# Copyright (C) 1998, 1999, 2000, 2001, 2002,
# 2007 Free Software Foundation, Inc.
# Janusz A. Urbanowicz <alex@bofh.net.pl>, 1999, 2000, 2001, 2002, 2003-2004
# Jakub Bogusz <qboosh@pld-linux.org>, 2003-2023.
# Jakub Bogusz <qboosh@pld-linux.org>, 2003-2024.
#
msgid ""
msgstr ""
"Project-Id-Version: gnupg-2.4.3\n"
"Project-Id-Version: gnupg-2.4.4\n"
"Report-Msgid-Bugs-To: translations@gnupg.org\n"
"PO-Revision-Date: 2023-10-20 21:29+0200\n"
"PO-Revision-Date: 2024-03-07 14:00+0100\n"
"Last-Translator: Jakub Bogusz <qboosh@pld-linux.org>\n"
"Language-Team: Polish <translation-team-pl@lists.sourceforge.net>\n"
"Language: pl\n"
@ -923,43 +923,35 @@ msgstr "OSTRZEŻENIE: „%s%s” jest przestarzałą opcją - nie ma efektu\n"
msgid "unknown debug flag '%s' ignored\n"
msgstr "nieznana flaga diagnostyczna „%s” zignorowana\n"
#, fuzzy, c-format
#| msgid "waiting for the %s to come up ... (%ds)\n"
#, c-format
msgid "waiting for the dirmngr to come up ... (%ds)\n"
msgstr "oczekiwanie na uruchomienie procesu %s... (%ds)\n"
msgstr "oczekiwanie na uruchomienie procesu dirmngr... (%ds)\n"
#, fuzzy, c-format
#| msgid "waiting for the %s to come up ... (%ds)\n"
#, c-format
msgid "waiting for the keyboxd to come up ... (%ds)\n"
msgstr "oczekiwanie na uruchomienie procesu %s... (%ds)\n"
msgstr "oczekiwanie na uruchomienie procesu keyboxd... (%ds)\n"
#, fuzzy, c-format
#| msgid "waiting for the %s to come up ... (%ds)\n"
#, c-format
msgid "waiting for the agent to come up ... (%ds)\n"
msgstr "oczekiwanie na uruchomienie procesu %s... (%ds)\n"
msgstr "oczekiwanie na uruchomienie procesu agenta... (%ds)\n"
#, fuzzy, c-format
#| msgid "connection to %s established\n"
#, c-format
msgid "connection to the dirmngr established\n"
msgstr "ustanowiono połączenie z procesem %s\n"
msgstr "ustanowiono połączenie z procesem dirmngr\n"
#, fuzzy, c-format
#| msgid "connection to %s established\n"
#, c-format
msgid "connection to the keyboxd established\n"
msgstr "ustanowiono połączenie z procesem %s\n"
msgstr "ustanowiono połączenie z procesem keyboxd\n"
#, fuzzy, c-format
#| msgid "connection to %s established\n"
#, c-format
msgid "connection to the agent established\n"
msgstr "ustanowiono połączenie z procesem %s\n"
msgstr "ustanowiono połączenie z procesem agenta\n"
#, fuzzy, c-format
#| msgid "no running Dirmngr - starting '%s'\n"
#, c-format
msgid "no running %s - starting '%s'\n"
msgstr "Dirmngr nie działa - uruchamianie „%s”\n"
msgstr "brak działającego %s - uruchamianie „%s”\n"
#, fuzzy, c-format
#| msgid "connection to agent is in restricted mode\n"
#, c-format
msgid "connection to the agent is in restricted mode\n"
msgstr "połączenie z agentem jest w trybie ograniczonym\n"
@ -1332,10 +1324,11 @@ msgstr "problem z agentem: %s\n"
msgid "no dirmngr running in this session\n"
msgstr "brak działającego dirmngr w tej sesji\n"
#, fuzzy, c-format
#| msgid "keyserver option \"%s\" may not be used in %s mode\n"
#, c-format
msgid "keyserver option \"honor-keyserver-url\" may not be used in Tor mode\n"
msgstr "opcja serwera kluczy „%s” nie może być używana w trybie %s\n"
msgstr ""
"opcja serwera kluczy „honor-keyserver-url” nie może być używana w trybie "
"Tor\n"
msgid "WKD uses a cached result"
msgstr "WKD używa zapamiętanego wyniku"
@ -1402,7 +1395,7 @@ msgstr "wymuszono"
#, c-format
msgid "Please try command \"%s\" if the listing does not look correct\n"
msgstr "Proszę spróbować polecenia ,,%s'', jeśli lista nie wygląda poprawnie\n"
msgstr "Proszę spróbować polecenia „%s”, jeśli lista nie wygląda poprawnie\n"
msgid "Error: Only plain ASCII is currently allowed.\n"
msgstr "Błąd: aktualnie dopuszczalne jest tylko czyste ASCII.\n"
@ -1768,14 +1761,13 @@ msgstr ""
"OSTRZEŻENIE: wymuszone użycie szyfru %s (%d) kłóci się z ustawieniami "
"adresata\n"
#, fuzzy, c-format
#| msgid "cipher algorithm '%s' may not be used in %s mode\n"
#, c-format
msgid "cipher algorithm '%s' may not be used for encryption\n"
msgstr "szyfr „%s” nie może być używany w trybie %s\n"
msgstr "algorytm szyfru „%s” nie może być używany do szyfrowania\n"
#, c-format
msgid "(use option \"%s\" to override)\n"
msgstr ""
msgstr "(opcją „%s” można to obejść)\n"
#, c-format
msgid "cipher algorithm '%s' may not be used in %s mode\n"
@ -1821,17 +1813,15 @@ msgstr ""
"OSTRZEŻENIE: wymuszone użycie kompresji %s (%d) kłóci się z ustawieniami "
"adresata\n"
#, fuzzy, c-format
#| msgid "%s/%s encrypted for: \"%s\"\n"
#, c-format
msgid "%s/%s.%s encrypted for: \"%s\"\n"
msgstr "%s/%s zaszyfrowany dla: „%s”\n"
msgstr "%s/%s.%s zaszyfrowany dla: „%s”\n"
#, c-format
msgid "option '%s' may not be used in %s mode\n"
msgstr "opcja „%s” nie może być używana w trybie %s\n"
#, fuzzy, c-format
#| msgid "%s encrypted data\n"
#, c-format
msgid "%s encrypted data\n"
msgstr "dane zaszyfrowano za pomocą %s\n"
@ -2101,9 +2091,6 @@ msgstr "opakowanie ASCII pliku wynikowego"
msgid "|FILE|write output to FILE"
msgstr "|PLIK|zapis wyjścia do PLIKU"
msgid "use canonical text mode"
msgstr "kanoniczny format tekstowy"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|ustawienie poziomu kompresji N (0 - bez)"
@ -2798,12 +2785,11 @@ msgstr ""
#, c-format
msgid " \"%s\": preference for cipher algorithm %s\n"
msgstr " „%s”: preferowany szyfr %s\n"
msgstr " „%s”: preferowany algorytm szyfru %s\n"
#, fuzzy, c-format
#| msgid " \"%s\": preference for cipher algorithm %s\n"
#, c-format
msgid " \"%s\": preference for AEAD algorithm %s\n"
msgstr " „%s”: preferowany szyfr %s\n"
msgstr " „%s”: preferowany algorytm AEAD %s\n"
#, c-format
msgid " \"%s\": preference for digest algorithm %s\n"
@ -3905,7 +3891,7 @@ msgstr "Czy podano odcisk podklucza?\n"
#, c-format
msgid "key \"%s\" is already on this keyblock\n"
msgstr "klucz ,,%s'' jest już w tym bloku kluczy\n"
msgstr "klucz „%s” jest już w tym bloku kluczy\n"
msgid ""
"Are you sure you want to change the expiration time for multiple subkeys? (y/"
@ -4154,77 +4140,64 @@ msgstr " (%c) Przełączenie możliwości uwierzytelniania\n"
msgid " (%c) Finished\n"
msgstr " (%c) Zakończenie\n"
#, fuzzy, c-format
#| msgid " (%d) RSA and RSA (default)\n"
#, c-format
msgid " (%d) RSA and RSA%s\n"
msgstr " (%d) RSA i RSA (domyślne)\n"
msgstr " (%d) RSA i RSA%s\n"
#, fuzzy, c-format
#| msgid " (%d) DSA and Elgamal\n"
#, c-format
msgid " (%d) DSA and Elgamal%s\n"
msgstr " (%d) DSA i Elgamala\n"
msgstr " (%d) DSA i Elgamala%s\n"
#, fuzzy, c-format
#| msgid " (%d) DSA (sign only)\n"
#, c-format
msgid " (%d) DSA (sign only)%s\n"
msgstr " (%d) DSA (tylko do podpisywania)\n"
msgstr " (%d) DSA (tylko do podpisywania)%s\n"
#, fuzzy, c-format
#| msgid " (%d) RSA (sign only)\n"
#, c-format
msgid " (%d) RSA (sign only)%s\n"
msgstr " (%d) RSA (tylko do podpisywania)\n"
msgstr " (%d) RSA (tylko do podpisywania)%s\n"
#, fuzzy, c-format
#| msgid " (%d) Elgamal (encrypt only)\n"
#, c-format
msgid " (%d) Elgamal (encrypt only)%s\n"
msgstr " (%d) Elgamala (tylko do szyfrowania)\n"
msgstr " (%d) Elgamala (tylko do szyfrowania)%s\n"
#, fuzzy, c-format
#| msgid " (%d) RSA (encrypt only)\n"
#, c-format
msgid " (%d) RSA (encrypt only)%s\n"
msgstr " (%d) RSA (tylko do szyfrowania)\n"
msgstr " (%d) RSA (tylko do szyfrowania)%s\n"
#, fuzzy, c-format
#| msgid " (%d) DSA (set your own capabilities)\n"
#, c-format
msgid " (%d) DSA (set your own capabilities)%s\n"
msgstr " (%d) DSA (możliwości do ustawienia)\n"
msgstr " (%d) DSA (możliwości do ustawienia)%s\n"
#, fuzzy, c-format
#| msgid " (%d) RSA (set your own capabilities)\n"
#, c-format
msgid " (%d) RSA (set your own capabilities)%s\n"
msgstr " (%d) RSA (możliwości do ustawienia)\n"
msgstr " (%d) RSA (możliwości do ustawienia)%s\n"
#, fuzzy, c-format
#| msgid " (%d) sign, encrypt\n"
#, c-format
msgid " (%d) ECC (sign and encrypt)%s\n"
msgstr " (%d) podpisywanie, szyfrowanie\n"
msgstr " (%d) ECC (podpisywanie i szyfrowanie)%s\n"
msgid " *default*"
msgstr ""
msgstr " *domyślne*"
#, c-format
msgid " (%d) ECC (sign only)\n"
msgstr " (%d) ECC (tylko do podpisywania)\n"
#, fuzzy, c-format
#| msgid " (%d) ECC (set your own capabilities)\n"
#, c-format
msgid " (%d) ECC (set your own capabilities)%s\n"
msgstr " (%d) ECC (możliwości do ustawienia)\n"
msgstr " (%d) ECC (możliwości do ustawienia)%s\n"
#, fuzzy, c-format
#| msgid " (%d) ECC (encrypt only)\n"
#, c-format
msgid " (%d) ECC (encrypt only)%s\n"
msgstr " (%d) ECC (tylko do szyfrowania)\n"
msgstr " (%d) ECC (tylko do szyfrowania)%s\n"
#, fuzzy, c-format
#| msgid " (%d) Existing key\n"
#, c-format
msgid " (%d) Existing key%s\n"
msgstr " (%d) Istniejący klucz\n"
msgstr " (%d) Istniejący klucz%s\n"
#, fuzzy, c-format
#| msgid " (%d) Existing key from card\n"
#, c-format
msgid " (%d) Existing key from card%s\n"
msgstr " (%d) Istniejący klucz z karty\n"
msgstr " (%d) Istniejący klucz z karty%s\n"
msgid "Enter the keygrip: "
msgstr "Uchwyt klucza: "
@ -5336,25 +5309,22 @@ msgstr ""
"OSTRZEŻENIE: ten klucz mógł zostać unieważniony\n"
" (brak klucza unieważniającego aby to sprawdzić)\n"
#, fuzzy, c-format
#| msgid "user ID: \"%s\"\n"
#, c-format
msgid "checking User ID \"%s\"\n"
msgstr "identyfikator użytkownika: „%s”\n"
msgstr "sprawdzanie identyfikatora użytkownika: „%s”\n"
#, fuzzy, c-format
#| msgid "option '%s' given, but option '%s' not given\n"
#, c-format
msgid "option %s given but issuer \"%s\" does not match\n"
msgstr "podano opcję „%s”, ale nie podano opcji „%s”\n"
msgstr "podano opcję %s, ale wystawca „%s” nie pasuje\n"
#, fuzzy, c-format
#| msgid "key %s: doesn't match our copy\n"
#, c-format
msgid "issuer \"%s\" does not match any User ID\n"
msgstr "klucz %s: nie zgadza się z lokalną kopią\n"
msgstr "klucz „%s” nie pasuje do żadnego identyfikatora użytkownika\n"
#, fuzzy, c-format
#| msgid "option '%s' given, but option '%s' not given\n"
#, c-format
msgid "option %s given but no matching User ID found\n"
msgstr "podano opcję „%s”, ale nie podano opcji „%s”\n"
msgstr ""
"podano opcję %s, ale nie znaleziono pasującego identyfikatora użytkownika\n"
#, c-format
msgid "WARNING: This key has been revoked by its designated revoker!\n"
@ -6524,15 +6494,14 @@ msgstr "linia wejścia %u zbyt długa lub brak znaku LF\n"
msgid "can't open fd %d: %s\n"
msgstr "nie można otworzyć fd %d: %s\n"
#, fuzzy, c-format
#| msgid "WARNING: message was not integrity protected\n"
#, c-format
msgid "WARNING: encrypting without integrity protection is dangerous\n"
msgstr "OSTRZEŻENIE: wiadomość nie była zabezpieczona przed manipulacją\n"
msgstr ""
"OSTRZEŻENIE: szyfrowanie bez ochrony przed manipulacją jest niebezpieczne\n"
#, fuzzy, c-format
#| msgid "ambiguous option '%s'\n"
#, c-format
msgid "Hint: Do not use option %s\n"
msgstr "niejednoznaczna opcja „%s”\n"
msgstr "Podpowiedź: nie używać opcji %s\n"
msgid "set debugging flags"
msgstr "ustawienie flag diagnostycznych"
@ -6774,8 +6743,8 @@ msgstr "dostęp do poleceń administratora nie został skonfigurowany\n"
msgid "||Please enter the PIN"
msgstr "||Proszę wpisać PIN"
msgid "||Please enter the Reset Code for the card"
msgstr "||Proszę wprowadzić kod resetujący dla karty"
msgid "|R|Please enter the Reset Code for the card"
msgstr "|R|Proszę wprowadzić kod resetujący dla karty"
#, c-format
msgid "Reset Code is too short; minimum length is %d\n"
@ -8553,7 +8522,7 @@ msgstr "%s:%u: podano hasło bez użytkownika\n"
#, c-format
msgid "%s:%u: ignoring unknown flag '%s'\n"
msgstr "%s:%u: zignorowano nieznaną flagę ,,%s''\n"
msgstr "%s:%u: zignorowano nieznaną flagę „%s”\n"
#, c-format
msgid "%s:%u: skipping this line\n"
@ -8986,489 +8955,69 @@ msgstr ""
"Składnia: gpg-check-pattern [opcje] plik-wzorców\n"
"Sprawdzanie hasła ze standardowego wejścia względem pliku wzorców\n"
#, fuzzy, c-format
#| msgid "Note: keys are already stored on the card!\n"
#, c-format
msgid "Note: key %s is already stored on the card!\n"
msgstr "Uwaga: klucze są już zapisane na karcie!\n"
msgstr "Uwaga: klucz %s jest już zapisany na karcie!\n"
#, fuzzy, c-format
#| msgid "Note: keys are already stored on the card!\n"
#, c-format
msgid "Note: Keys are already stored on the card!\n"
msgstr "Uwaga: klucze są już zapisane na karcie!\n"
#, fuzzy, c-format
#| msgid "Replace existing keys? (y/N) "
#, c-format
msgid "Replace existing key %s ? (y/N) "
msgstr "Zastąpić istniejące klucze? (t/N) "
msgstr "Zastąpić istniejące klucz %s? (t/N) "
#, fuzzy, c-format
#| msgid "OpenPGP card no. %s detected\n"
#, c-format
msgid "%s card no. %s detected\n"
msgstr "Wykryto kartę OpenPGP nr %s\n"
msgstr "Wykryto kartę %s nr %s\n"
#, c-format
msgid "User Interaction Flag is set to \"%s\" - can't change\n"
msgstr ""
"Flaga interakcji użytkownika (UIF) jest ustawiona na „%s” - nie można "
"zmienić\n"
#, c-format
msgid ""
"Warning: Setting the User Interaction Flag to \"%s\"\n"
" can only be reverted using a factory reset!\n"
msgstr ""
"Uwaga: ustawienie flagi interakcji użytkownika (UIF) na „%s”\n"
" może być odwrócone tylko przez reset do ustawień fabrycznych!\n"
#, c-format
msgid "Please use \"uif --yes %d %s\"\n"
msgstr ""
msgstr "Proszę użyć „uif --yes %d %s”\n"
#, fuzzy
#| msgid "add a certificate to the cache"
msgid "authenticate to the card"
msgstr "dodanie certyfikatu do pamięci podręcznej"
msgstr "uwierzytelnienie względem karty"
msgid "send a reset to the card daemon"
msgstr ""
msgstr "wysłanie resetu do demona kart"
msgid "setup KDF for PIN authentication"
msgstr "ustawienie KDF do uwierzytelniania PIN-em"
msgid "change a private data object"
msgstr ""
msgstr "zmiana obiektu danych prywatnych"
#, fuzzy
#| msgid "add a certificate to the cache"
msgid "read a certificate from a data object"
msgstr "dodanie certyfikatu do pamięci podręcznej"
msgstr "odczyt certyfikatu z obiektu danych"
#, fuzzy
#| msgid "add a certificate to the cache"
msgid "store a certificate to a data object"
msgstr "dodanie certyfikatu do pamięci podręcznej"
msgstr "zapis certyfikatu w obiekcie danych"
msgid "store a private key to a data object"
msgstr ""
msgstr "zapis klucza prywatnego w obiekcie danych"
msgid "run various checks on the keys"
msgstr ""
msgstr "wykonanie różnych sprawdzeń kluczy"
msgid "Yubikey management commands"
msgstr ""
msgstr "polecenia zarządzające kluczami Yubikey"
msgid "manage the command history"
msgstr ""
msgstr "zarządzanie historią poleceń"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"
#~ msgstr "wybrany algorytm skrótów wiadomości jest niepoprawny\n"
#, fuzzy
#~| msgid "invalid personal cipher preferences\n"
#~ msgid "invalid personal AEAD preferences\n"
#~ msgstr "niewłaściwe ustawienia szyfrów\n"
#, fuzzy
#~| msgid "cipher algorithm '%s' may not be used in %s mode\n"
#~ msgid "AEAD algorithm '%s' may not be used in %s mode\n"
#~ msgstr "szyfr „%s” nie może być używany w trybie %s\n"
#~ msgid "forcing symmetric cipher %s (%d) violates recipient preferences\n"
#~ msgstr "wymuszone użycie szyfru %s (%d) kłóci się z ustawieniami adresata\n"
#~ msgid "error writing to temporary file: %s\n"
#~ msgstr "błąd zapisu do pliku tymczasowego: %s\n"
#~ msgid "run in supervised mode"
#~ msgstr "uruchomienie w trybie dozorowanym"
#~ msgid "Name may not start with a digit\n"
#~ msgstr "Imię lub nazwisko nie może zaczynać się od cyfry\n"
#~ msgid "Name must be at least 5 characters long\n"
#~ msgstr "Imię i nazwisko muszą mieć co najmniej 5 znaków długości.\n"
#~ msgid "Configuration for Keyservers"
#~ msgstr "Konfiguracja dla serwerów kluczy"
#~ msgid "Configuration of LDAP servers to use"
#~ msgstr "Konfiguracja używanych serwerów LDAP"
#~ msgid "selfsigned certificate has a BAD signature"
#~ msgstr "certyfikat z własnym podpisem ma BŁĘDNY podpis"
#~ msgid "requesting key %s from %s server %s\n"
#~ msgstr "zapytanie o klucz %s z serwera %s %s\n"
#~ msgid "%s:%u: no hostname given\n"
#~ msgstr "%s:%u: nie podano nazwy hosta\n"
#~ msgid "could not parse keyserver\n"
#~ msgstr "niezrozumiały adres serwera kluczy\n"
#~ msgid "return all values in a record oriented format"
#~ msgstr "zwrócenie wszystkich wartości w formacie rekordu"
#~ msgid "|NAME|ignore host part and connect through NAME"
#~ msgstr "|NAZWA|zignorowanie części z hostem i połączenie poprzez NAZWĘ"
#~ msgid "|NAME|connect to host NAME"
#~ msgstr "|NAZWA|połączenie z hostem NAZWA"
#~ msgid "|N|connect to port N"
#~ msgstr "|N|połączenie z portem N"
#~ msgid "|NAME|use user NAME for authentication"
#~ msgstr "|NAZWA|użycie NAZWY użytkownika do uwierzytelnienia"
#~ msgid "|PASS|use password PASS for authentication"
#~ msgstr "|HASŁO|użycie HASŁA do uwierzytelnienia"
#~ msgid "take password from $DIRMNGR_LDAP_PASS"
#~ msgstr "pobranie hasła z $DIRMNGR_LDAP_PASS"
#~ msgid "|STRING|query DN STRING"
#~ msgstr "|ŁAŃCUCH|ŁAŃCUCH zapytania DN"
#~ msgid "|STRING|use STRING as filter expression"
#~ msgstr "|ŁAŃCUCH|użycie ŁAŃCUCHA jako wyrażenia filtra"
#~ msgid "|STRING|return the attribute STRING"
#~ msgstr "|ŁAŃCUCH|zwrócenie atrybutu ŁAŃCUCH"
#~ msgid "Usage: dirmngr_ldap [options] [URL] (-h for help)\n"
#~ msgstr "Składnia: dirmngr_ldap [opcje] [URL] (-h wyświetla pomoc)\n"
#~ msgid ""
#~ "Syntax: dirmngr_ldap [options] [URL]\n"
#~ "Internal LDAP helper for Dirmngr\n"
#~ "Interface and options may change without notice\n"
#~ msgstr ""
#~ "Składnia: dirmngr_ldap [opcje] [URL]\n"
#~ "Wewnętrzny program pomocniczy LDAP dla Dirmngr\n"
#~ "Interfejs i opcje mogą się zmienić bez uprzedzenia\n"
#~ msgid "invalid port number %d\n"
#~ msgstr "błędny numer portu %d\n"
#~ msgid "scanning result for attribute '%s'\n"
#~ msgstr "przeszukiwanie wyniku pod kątem atrybutu „%s”\n"
#~ msgid "error writing to stdout: %s\n"
#~ msgstr "błąd zapisu na standardowe wyjście: %s\n"
#~ msgid " available attribute '%s'\n"
#~ msgstr " dostępny atrybut „%s”\n"
#~ msgid "attribute '%s' not found\n"
#~ msgstr "nie znaleziono atrybutu „%s”\n"
#~ msgid "found attribute '%s'\n"
#~ msgstr "znaleziono atrybut „%s”\n"
#~ msgid "processing url '%s'\n"
#~ msgstr "przetwarzanie URL-a „%s”\n"
#~ msgid " user '%s'\n"
#~ msgstr " użytkownik „%s”\n"
#~ msgid " pass '%s'\n"
#~ msgstr " hasło „%s”\n"
#~ msgid " host '%s'\n"
#~ msgstr " host „%s”\n"
#~ msgid " port %d\n"
#~ msgstr " port %d\n"
#~ msgid " DN '%s'\n"
#~ msgstr " DN „%s”\n"
#~ msgid " filter '%s'\n"
#~ msgstr " filtr „%s”\n"
#~ msgid " attr '%s'\n"
#~ msgstr " atrybut „%s”\n"
#~ msgid "no host name in '%s'\n"
#~ msgstr "brak nazwy hosta w „%s”\n"
#~ msgid "no attribute given for query '%s'\n"
#~ msgstr "nie podano atrybutu dla zapytania „%s”\n"
#~ msgid "WARNING: using first attribute only\n"
#~ msgstr "OSTRZEŻENIE: użyto tylko pierwszego atrybutu\n"
#~ msgid "LDAP init to '%s:%d' failed: %s\n"
#~ msgstr "nie udało się zainicjować LDAP na „%s:%d”: %s\n"
#, fuzzy
#~| msgid "LDAP init to '%s:%d' failed: %s\n"
#~ msgid "LDAP init to '%s' failed: %s\n"
#~ msgstr "nie udało się zainicjować LDAP na „%s:%d”: %s\n"
#, fuzzy
#~| msgid "LDAP init to '%s:%d' failed: %s\n"
#~ msgid "LDAP init to '%s' done\n"
#~ msgstr "nie udało się zainicjować LDAP na „%s:%d”: %s\n"
#~ msgid "binding to '%s:%d' failed: %s\n"
#~ msgstr "dowiązanie do „%s:%d” nie powiodło się: %s\n"
#~ msgid "searching '%s' failed: %s\n"
#~ msgstr "szukanie „%s” nie powiodło się: %s\n"
#~ msgid "start_cert_fetch: invalid pattern '%s'\n"
#~ msgstr "start_cert_fetch: błędny wzorzec „%s”\n"
#~ msgid "ldapserver missing"
#~ msgstr "brak pola ldapserver"
#, fuzzy
#~| msgid "change a passphrase"
#~ msgid "Suggest a random passphrase."
#~ msgstr "zmiana hasła"
#~ msgid "detected card with S/N: %s\n"
#~ msgstr "wykryto kartę o numerze seryjnym: %s\n"
#~ msgid "no authentication key for ssh on card: %s\n"
#~ msgstr "nie znaleziono klucza uwierzytelniającego dla ssh na karcie: %s\n"
#~ msgid "Please remove the current card and insert the one with serial number"
#~ msgstr "Proszę wyjąć obecną kartę i włożyć kartę z numerem seryjnym"
#~ msgid "use a log file for the server"
#~ msgstr "użycie pliku loga dla serwera"
#~ msgid "no running gpg-agent - starting '%s'\n"
#~ msgstr "gpg-agent nie działa - uruchamianie „%s”\n"
#~ msgid "argument not expected"
#~ msgstr "nieoczekiwany argument"
#~ msgid "read error"
#~ msgstr "błąd odczytu"
#~ msgid "keyword too long"
#~ msgstr "słowo kluczowe zbyt długie"
#~ msgid "missing argument"
#~ msgstr "brak argumentu"
#~ msgid "invalid argument"
#~ msgstr "niepoprawny argument"
#~ msgid "invalid command"
#~ msgstr "błędne polecenie"
#~ msgid "invalid alias definition"
#~ msgstr "błędna definicja aliasu"
#~ msgid "out of core"
#~ msgstr "brak pamięci"
#, fuzzy
#~| msgid "invalid command"
#~ msgid "invalid meta command"
#~ msgstr "błędne polecenie"
#, fuzzy
#~| msgid "unknown command '%s'\n"
#~ msgid "unknown meta command"
#~ msgstr "nieznane polecenie „%s”\n"
#, fuzzy
#~| msgid "unexpected armor: "
#~ msgid "unexpected meta command"
#~ msgstr "nieoczekiwane opakowanie: "
#~ msgid "invalid option"
#~ msgstr "błędna opcja"
#~ msgid "missing argument for option \"%.50s\"\n"
#~ msgstr "brak argumentu dla opcji „%.50s”\n"
#~ msgid "option \"%.50s\" does not expect an argument\n"
#~ msgstr "opcja „%.50s” nie może mieć argumentów\n"
#~ msgid "invalid command \"%.50s\"\n"
#~ msgstr "błędne polecenie „%.50s”\n"
#~ msgid "option \"%.50s\" is ambiguous\n"
#~ msgstr "opcja „%.50s” jest niejednoznaczna\n"
#~ msgid "command \"%.50s\" is ambiguous\n"
#~ msgstr "polecenie „%.50s” jest niejednoznaczne\n"
#~ msgid "invalid option \"%.50s\"\n"
#~ msgstr "błędna opcja „%.50s”\n"
#~ msgid "Note: no default option file '%s'\n"
#~ msgstr "Uwaga: brak domyślnego pliku opcji „%s”\n"
#~ msgid "option file '%s': %s\n"
#~ msgstr "plik opcji „%s”: %s\n"
#~ msgid "unable to execute program '%s': %s\n"
#~ msgstr "nie można uruchomić programu „%s”: %s\n"
#~ msgid "unable to execute external program\n"
#~ msgstr "nie można uruchomić zewnętrznego programu\n"
#~ msgid "unable to read external program response: %s\n"
#~ msgstr "nie można odczytać odpowiedzi programu zewnętrznego: %s\n"
#~ msgid "validate signatures with PKA data"
#~ msgstr "sprawdzanie podpisów z danymi PKA"
#~ msgid "elevate the trust of signatures with valid PKA data"
#~ msgstr "zwiększenie zaufania podpisów z poprawnymi danymi PKA"
#~ msgid " (%d) ECC and ECC\n"
#~ msgstr " (%d) ECC i ECC\n"
#~ msgid "honor the PKA record set on a key when retrieving keys"
#~ msgstr "honorowanie rekordu PKA ustawionego w kluczu przy pobieraniu kluczy"
#~ msgid "Note: Verified signer's address is '%s'\n"
#~ msgstr "Uwaga: Sprawdzony adres pospisującego to „%s”\n"
#~ msgid "Note: Signer's address '%s' does not match DNS entry\n"
#~ msgstr "Uwaga: Adres podpisującego „%s” nie pasuje do wpisu DNS\n"
#~ msgid "trustlevel adjusted to FULL due to valid PKA info\n"
#~ msgstr ""
#~ "poziom zaufania poprawiony na PEŁNY ze względu na poprawne informacje "
#~ "PKA\n"
#~ msgid "trustlevel adjusted to NEVER due to bad PKA info\n"
#~ msgstr ""
#~ "poziom zaufania poprawiony na ŻADEN ze względu na błędne informacje PKA\n"
#~ msgid "|FILE|write a server mode log to FILE"
#~ msgstr "|PLIK|zapisanie logów trybu serwerowego do PLIKU"
#~ msgid "run without asking a user"
#~ msgstr "działanie bez pytania użytkownika"
#~ msgid "allow PKA lookups (DNS requests)"
#~ msgstr "zezwolenie na wyszukiwania PKA (żądania DNS)"
#~ msgid "Options controlling the format of the output"
#~ msgstr "Opcje sterujące formatem wyjścia"
#~ msgid "Options controlling the use of Tor"
#~ msgstr "Opcje sterujące użyciem Tora"
#~ msgid "LDAP server list"
#~ msgstr "lista serwerów LDAP"
#~ msgid "Note: old default options file '%s' ignored\n"
#~ msgstr "Uwaga: stary domyślny plik opcji „%s” został zignorowany\n"
#~ msgid ""
#~ "@\n"
#~ "Commands:\n"
#~ " "
#~ msgstr ""
#~ "@\n"
#~ "Polecenia:\n"
#~ " "
#~ msgid "decryption modus"
#~ msgstr "tryb rozszyfrowywania"
#~ msgid "encryption modus"
#~ msgstr "tryb szyfrowania"
#~ msgid "tool class (confucius)"
#~ msgstr "klasa narzędzia (confucius)"
#~ msgid "program filename"
#~ msgstr "nazwa programu"
#~ msgid "secret key file (required)"
#~ msgstr "plik klucza tajnego (wymagany)"
#~ msgid "input file name (default stdin)"
#~ msgstr "nazwa pliku wejściowego (domyślnie standardowe wejście)"
#~ msgid "Usage: symcryptrun [options] (-h for help)"
#~ msgstr "Składnia: symcryptrun [opcje] (-h wyświetla pomoc)"
#~ msgid ""
#~ "Syntax: symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE "
#~ "[options...] COMMAND [inputfile]\n"
#~ "Call a simple symmetric encryption tool\n"
#~ msgstr ""
#~ "Składnia: symcryptrun --class KLASA --program PROGRAM --keyfile "
#~ "PLIK_KLUCZA [opcje...] POLECENIE [plik-weściowy]\n"
#~ "Wywołanie prostego narzędzia do szyfrowania symetrycznego\n"
#~ msgid "%s on %s aborted with status %i\n"
#~ msgstr "%s na %s przerwany ze stanem %i\n"
#~ msgid "%s on %s failed with status %i\n"
#~ msgstr "%s na %s nie powiódł się ze stanem %i\n"
#~ msgid "can't create temporary directory '%s': %s\n"
#~ msgstr "nie można utworzyć katalogu tymczasowego „%s”: %s\n"
#~ msgid "could not open %s for writing: %s\n"
#~ msgstr "nie udało się otworzyć %s do zapisu: %s\n"
#~ msgid "error closing %s: %s\n"
#~ msgstr "błąd zamykania %s: %s\n"
#~ msgid "no --program option provided\n"
#~ msgstr "nie podano opcji --program\n"
#~ msgid "only --decrypt and --encrypt are supported\n"
#~ msgstr "obsługiwane są tylko --decrypt i --encrypt\n"
#~ msgid "no --keyfile option provided\n"
#~ msgstr "nie podano opcji --keyfile\n"
#~ msgid "cannot allocate args vector\n"
#~ msgstr "nie można przydzielić wektora args\n"
#~ msgid "could not create pipe: %s\n"
#~ msgstr "nie udało się utworzyć potoku: %s\n"
#~ msgid "could not create pty: %s\n"
#~ msgstr "nie udało się utworzyć pty: %s\n"
#~ msgid "could not fork: %s\n"
#~ msgstr "nie udało się wykonać fork: %s\n"
#~ msgid "execv failed: %s\n"
#~ msgstr "execv nie powiodło się: %s\n"
#~ msgid "select failed: %s\n"
#~ msgstr "select nie powiodło się: %s\n"
#~ msgid "read failed: %s\n"
#~ msgstr "odczyt nie powiódł się: %s\n"
#~ msgid "pty read failed: %s\n"
#~ msgstr "odczyt pty nie powiódł się: %s\n"
#~ msgid "waitpid failed: %s\n"
#~ msgstr "waitpid nie powiodło się: %s\n"
#~ msgid "child aborted with status %i\n"
#~ msgstr "potomek został przerwany ze stanem %i\n"
#~ msgid "cannot allocate infile string: %s\n"
#~ msgstr "nie można przydzielić łańcucha pliku wejściowego: %s\n"
#~ msgid "cannot allocate outfile string: %s\n"
#~ msgstr "nie można przydzielić łańcucha pliku wyjściowego: %s\n"
#~ msgid "either %s or %s must be given\n"
#~ msgstr "musi być podane %s lub %s\n"
#~ msgid "no class provided\n"
#~ msgstr "nie podano klasy\n"
#~ msgid "class %s is not supported\n"
#~ msgstr "klasa %s nie jest obsługiwana\n"
#~ msgid "use canonical text mode"
#~ msgstr "kanoniczny format tekstowy"


@ -2157,9 +2157,6 @@ msgstr "criar saída blindada ASCII"
msgid "|FILE|write output to FILE"
msgstr "|FILE|escrever saída em FILE"
msgid "use canonical text mode"
msgstr "usar modo de texto canónico"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|definir nível de compressão para N (0 desabilita)"
@ -6726,7 +6723,9 @@ msgstr "o acesso aos comandos admin não está configurado\n"
msgid "||Please enter the PIN"
msgstr "||Introduza o PIN"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Introduza o Código de Reset do cartão"
#, c-format
@ -8997,6 +8996,9 @@ msgstr "comandos de gerir uma Yubikey"
msgid "manage the command history"
msgstr "gerir o histórico de comandos"
#~ msgid "use canonical text mode"
#~ msgstr "usar modo de texto canónico"
#, c-format
#~ msgid "waiting for process to terminate failed: ec=%d\n"
#~ msgstr "falha ao esperar que o processo terminasse: ec=%d\n"


@ -2248,9 +2248,6 @@ msgstr "crează ieşire în armură ascii"
msgid "|FILE|write output to FILE"
msgstr "|FIŞIER|încarcă modulul extensie FIŞIER"
msgid "use canonical text mode"
msgstr "foloseşte modul text canonic"
#, fuzzy
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|setează nivel de compresie N (0 deactivează)"
@ -7056,7 +7053,7 @@ msgid "||Please enter the PIN"
msgstr "||Vă rugăm introduceţi PIN%%0A[semnături făcute: %lu]"
#, fuzzy
msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Vă rugăm introduceţi PIN%%0A[semnături făcute: %lu]"
#, fuzzy, c-format
@ -9415,6 +9412,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "foloseşte modul text canonic"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2158,9 +2158,6 @@ msgstr "вывод в текстовом формате"
msgid "|FILE|write output to FILE"
msgstr "|FILE|выводить данные в файл FILE"
msgid "use canonical text mode"
msgstr "использовать канонический текстовый режим"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|установить уровень сжатия N (0 - без сжатия)"
@ -6836,7 +6833,9 @@ msgstr "доступ к командам управления не настро
msgid "||Please enter the PIN"
msgstr "||Введите PIN"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Введите код сброса для карты"
#, c-format
@ -9156,6 +9155,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "использовать канонический текстовый режим"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2231,9 +2231,6 @@ msgstr "vytvor výstup zakódovaný pomocou ASCII"
msgid "|FILE|write output to FILE"
msgstr "|SÚBOR|nahrať rozširujúci modul SÚBOR"
msgid "use canonical text mode"
msgstr "použiť kánonický textový mód"
#, fuzzy
msgid "|N|set compress level to N (0 disables)"
msgstr ""
@ -6969,7 +6966,7 @@ msgid "||Please enter the PIN"
msgstr "zmeniť heslo"
#, fuzzy
msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "Prosím výberte dôvod na revokáciu:\n"
#, c-format
@ -9304,6 +9301,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "použiť kánonický textový mód"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2369,9 +2369,6 @@ msgstr "skapa utdata med ett ascii-skal"
msgid "|FILE|write output to FILE"
msgstr "|FIL|skriv utdata till FIL"
msgid "use canonical text mode"
msgstr "använd \"ursprunglig text\"-läget"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|ställ in komprimeringsnivån till N (0 för att inaktivera)"
@ -7294,7 +7291,9 @@ msgstr "åtkomst till administrationskommandon är inte konfigurerat\n"
msgid "||Please enter the PIN"
msgstr "||Ange PIN-koden"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Ange nollställningskoden för kortet"
#, c-format
@ -9860,6 +9859,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "använd \"ursprunglig text\"-läget"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2101,9 +2101,6 @@ msgstr "ascii zırhlı çıktı oluştur"
msgid "|FILE|write output to FILE"
msgstr "|FILE|çıktıyı FILE'a yaz"
msgid "use canonical text mode"
msgstr "kurallı metin kipini kullan"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|sıkıştırma düzeyini N olarak ayarla (0 devre dışı bırakır)"
@ -6666,7 +6663,9 @@ msgstr "yönetici komutlarına erişim yapılandırılmamış\n"
msgid "||Please enter the PIN"
msgstr "||Lütfen PIN'i giriniz"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Lütfen kart için Sıfırlama Kodunu giriniz"
#, c-format
@ -8918,3 +8917,6 @@ msgstr "Yubikey yönetim konsolu"
msgid "manage the command history"
msgstr "komut geçmişini yönet"
#~ msgid "use canonical text mode"
#~ msgstr "kurallı metin kipini kullan"


@ -2179,9 +2179,6 @@ msgstr "створити дані у форматі ASCII"
msgid "|FILE|write output to FILE"
msgstr "|FILE|записати дані до вказаного файла"
msgid "use canonical text mode"
msgstr "використовувати канонічний текстовий режим"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|встановити рівень стиснення (0 — вимкнути)"
@ -6937,7 +6934,9 @@ msgstr "доступ до адміністративних команд не н
msgid "||Please enter the PIN"
msgstr "||Вкажіть пінкод"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||Вкажіть код скидання коду картки"
#, c-format
@ -9249,6 +9248,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "використовувати канонічний текстовий режим"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -2075,9 +2075,6 @@ msgstr "创建 ASCII 字符封装的输出"
msgid "|FILE|write output to FILE"
msgstr "|FILE|写输出到 FILE"
msgid "use canonical text mode"
msgstr "使用规范的文本模式"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|设置压缩等级为 N 0 为禁用)"
@ -6435,7 +6432,9 @@ msgstr "未配置到管理员命令的访问\n"
msgid "||Please enter the PIN"
msgstr "||请输入 PIN"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||请输入卡片的重置码"
#, c-format
@ -8675,6 +8674,9 @@ msgstr "Yubikey 管理命令"
msgid "manage the command history"
msgstr "管理命令历史记录"
#~ msgid "use canonical text mode"
#~ msgstr "使用规范的文本模式"
#~ msgid "continuing verification anyway due to option %s\n"
#~ msgstr "由于 %s 选项,验证仍在继续中\n"


@ -2189,9 +2189,6 @@ msgstr "建立以 ASCII 封裝過的輸出"
msgid "|FILE|write output to FILE"
msgstr "|檔案|將輸出寫入至指定檔案"
msgid "use canonical text mode"
msgstr "使用標準的文字模式"
msgid "|N|set compress level to N (0 disables)"
msgstr "|N|設定壓縮等級為 N (0 表示不壓縮)"
@ -6778,7 +6775,9 @@ msgstr "管理者指令存取權限尚未組態\n"
msgid "||Please enter the PIN"
msgstr "||請輸入個人識別碼 (PIN)"
msgid "||Please enter the Reset Code for the card"
#, fuzzy
#| msgid "||Please enter the Reset Code for the card"
msgid "|R|Please enter the Reset Code for the card"
msgstr "||請輸入卡片的重設碼"
#, c-format
@ -9057,6 +9056,9 @@ msgstr ""
msgid "manage the command history"
msgstr ""
#~ msgid "use canonical text mode"
#~ msgstr "使用標準的文字模式"
#, fuzzy
#~| msgid "selected digest algorithm is invalid\n"
#~ msgid "selected AEAD algorithm is invalid\n"


@ -1613,7 +1613,7 @@ verify_pin (app_t app, int pwid, const char *desc,
memset (&pininfo, 0, sizeof pininfo);
pininfo.fixedlen = -1;
/* FIXME: TCOS allows to read the min. and max. values - do this. */
/* FIXME: TCOS allows one to read the min. and max. values - do this. */
if (app->appversion == 15)
{
if (app->app_local->active_nks_app == NKS_APP_NKS && pwid == 0x03)


@ -3306,6 +3306,7 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr,
char *pinvalue = NULL;
int reset_mode = !!(flags & APP_CHANGE_FLAG_RESET);
int set_resetcode = 0;
int use_resetcode = 0;
pininfo_t pininfo;
int use_pinpad = 0;
int minlen = 6;
@ -3458,7 +3459,7 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr,
}
rc = pincb (pincb_arg,
_("||Please enter the Reset Code for the card"),
_("|R|Please enter the Reset Code for the card"),
&resetcode);
if (rc)
{
@ -3473,13 +3474,14 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr,
rc = gpg_error (GPG_ERR_BAD_RESET_CODE);
goto leave;
}
use_resetcode = 1;
}
else
{
rc = gpg_error (GPG_ERR_INV_ID);
goto leave;
}
}
} /* End version 2 cards. */
if (chvno == 3)
app->did_chv3 = 0;
@ -3511,6 +3513,17 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr,
goto leave;
}
}
else if (use_resetcode)
{
minlen = 6; /* Reset from the RC value to the PIN value. */
if (strlen (pinvalue) < minlen)
{
log_info (_("PIN for CHV%d is too short;"
" minimum length is %d\n"), 1, minlen);
rc = gpg_error (GPG_ERR_BAD_PIN);
goto leave;
}
}
else
{
if (chvno == 3)
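Review bot: In the new `else if (use_resetcode)` branch of do_change_pin, `strlen (pinvalue) < minlen` compares a size_t with an int, which -Wsign-compare flags; `if (strlen (pinvalue) < (size_t)minlen)` keeps the check explicit. The minimum PIN length is also written as the literal `6` here, repeating the initializer `int minlen = 6;` at the top of the function, and the CHV number in the log call is the literal `1`. A named constant shared by both places would keep the PIN length policy in one spot. do_change_pin begins and ends outside the visible hunks, so where `pinvalue` is filled in cannot be checked from here.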


@ -305,7 +305,7 @@ struct prkdf_object_s
keyaccess_flags_t accessflags;
/* Extended key usage flags. Only used if .valid is set. This
* information is computed from an associated certificate15. */
* information is computed from an associated certificate. */
struct {
unsigned int valid:1;
unsigned int sign:1;
@ -520,6 +520,9 @@ struct app_local_s
/* Information on all useful certificates. */
cdf_object_t useful_certificate_info;
/* Counter to make object ids of certificates unique. */
unsigned int cdf_dup_counter;
/* Information on all public keys. */
prkdf_object_t public_key_info;
@ -2419,6 +2422,22 @@ read_ef_pukdf (app_t app, unsigned short fid, pukdf_object_t *result)
}
/* Return true id CDFLIST has the given object id. */
static int
objid_in_cdflist_p (cdf_object_t cdflist,
const unsigned char *objid, size_t objidlen)
{
cdf_object_t cdf;
if (!objid || !objidlen)
return 0;
for (cdf = cdflist; cdf; cdf = cdf->next)
if (cdf->objidlen == objidlen && !memcmp (cdf->objid, objid, objidlen))
return 1;
return 0;
}
/* Read and parse the Certificate Directory Files identified by FID.
On success a newlist of CDF object gets stored at RESULT and the
caller is then responsible of releasing this list. On error a
@ -2464,6 +2483,7 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result)
unsigned long ul;
const unsigned char *objid;
size_t objidlen;
int objidextralen;
err = parse_ber_header (&p, &n, &class, &tag, &constructed,
&ndef, &objlen, &hdrlen);
@ -2588,8 +2608,19 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result)
label = NULL;
}
cdf->objidlen = objidlen;
cdf->objid = xtrymalloc (objidlen);
/* Card's have been found in the wild which do not have unique
* IDs for their certificate objects. If we detect this we
* append a counter to the ID. */
objidextralen =
(objid_in_cdflist_p (cdflist, objid, objidlen)
|| objid_in_cdflist_p (app->app_local->certificate_info,
objid, objidlen)
|| objid_in_cdflist_p (app->app_local->trusted_certificate_info,
objid, objidlen)
|| objid_in_cdflist_p (app->app_local->useful_certificate_info,
objid, objidlen));
cdf->objidlen = objidlen + objidextralen;
cdf->objid = xtrymalloc (objidlen + objidextralen);
if (!cdf->objid)
{
err = gpg_error_from_syserror ();
@ -2597,6 +2628,16 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result)
goto leave;
}
memcpy (cdf->objid, objid, objidlen);
if (objidextralen)
{
if (app->app_local->cdf_dup_counter == 255)
{
log_error ("p15: too many duplicate certificate ids\n");
err = gpg_error (GPG_ERR_TOO_MANY);
goto parse_error;
}
cdf->objid[objidlen] = ++app->app_local->cdf_dup_counter;
}
cdf->pathlen = objlen/2;
for (i=0; i < cdf->pathlen; i++, pp += 2, nn -= 2)
@ -3664,6 +3705,7 @@ read_p15_info (app_t app)
log_assert (!app->app_local->certificate_info);
log_assert (!app->app_local->trusted_certificate_info);
log_assert (!app->app_local->useful_certificate_info);
app->app_local->cdf_dup_counter = 0;
err = read_ef_cdf (app, app->app_local->odf.certificates, 'c',
&app->app_local->certificate_info);
if (!err || gpg_err_code (err) == GPG_ERR_NO_DATA)
@ -4214,7 +4256,8 @@ set_usage_string (char usage[5], prkdf_object_t prkdf)
&& (!prkdf->extusage.valid || prkdf->extusage.sign))
usage[usagelen++] = 'c';
if ((prkdf->usageflags.decrypt
|| prkdf->usageflags.unwrap)
|| prkdf->usageflags.unwrap
|| prkdf->usageflags.derive)
&& (!prkdf->extusage.valid || prkdf->extusage.encr))
usage[usagelen++] = 'e';
if ((prkdf->usageflags.sign
@ -4661,7 +4704,7 @@ do_getattr (app_t app, ctrl_t ctrl, const char *name)
/* We return the ID of the first private key capable of the
* requested action. If any gpgusage flag has been set for the
* card we consult the gpgusage flags and not the regualr usage
* card we consult the gpgusage flags and not the regular usage
* flags.
*/
/* FIXME: This changed: Note that we do not yet return
@ -4683,7 +4726,8 @@ do_getattr (app_t app, ctrl_t ctrl, const char *name)
if ((name[1] == 'A' && (prkdf->usageflags.sign
|| prkdf->usageflags.sign_recover))
|| (name[1] == 'E' && (prkdf->usageflags.decrypt
|| prkdf->usageflags.unwrap))
|| prkdf->usageflags.unwrap
|| prkdf->usageflags.derive))
|| (name[1] == 'S' && (prkdf->usageflags.sign
|| prkdf->usageflags.sign_recover)))
break;
@ -4892,7 +4936,8 @@ do_getattr (app_t app, ctrl_t ctrl, const char *name)
}
else
{
if (prkdf->usageflags.decrypt || prkdf->usageflags.unwrap)
if (prkdf->usageflags.decrypt || prkdf->usageflags.unwrap
|| prkdf->usageflags.derive)
break;
}
}
@ -5784,9 +5829,8 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo,
{
if (prkdf->is_ecc)
{
/* Not implemented due to lacking test hardware. */
log_info ("Note: ECC is not yet implemented for DTRUST 4 cards\n");
err = gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
err = iso7816_manage_security_env (app_get_slot (app),
0xf3, 0x21, NULL, 0);
}
else
{
@ -5927,7 +5971,8 @@ do_auth (app_t app, ctrl_t ctrl, const char *keyidstr,
err = prkdf_object_from_keyidstr (app, keyidstr, &prkdf);
if (err)
return err;
if (!(prkdf->usageflags.sign || prkdf->gpgusage.auth))
if (!(prkdf->usageflags.sign || prkdf->usageflags.sign_recover
|| prkdf->gpgusage.auth))
{
log_error ("p15: key %s may not be used for authentication\n", keyidstr);
return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
@ -5970,6 +6015,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
return err;
if (!(prkdf->usageflags.decrypt
|| prkdf->usageflags.unwrap
|| prkdf->usageflags.derive
|| prkdf->gpgusage.encr ))
{
log_error ("p15: key %s may not be used for decryption\n", keyidstr);
@ -5979,17 +6025,18 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
/* Find the authentication object to this private key object. */
if (!prkdf->authid)
{
log_error ("p15: no authentication object defined for %s\n", keyidstr);
/* fixme: we might want to go ahead and do without PIN
verification. */
return gpg_error (GPG_ERR_UNSUPPORTED_OPERATION);
log_info ("p15: no authentication object defined for %s\n", keyidstr);
aodf = NULL;
}
else
{
for (aodf = app->app_local->auth_object_info; aodf; aodf = aodf->next)
if (aodf->objidlen == prkdf->authidlen
&& !memcmp (aodf->objid, prkdf->authid, prkdf->authidlen))
break;
if (!aodf)
log_info ("p15: no authentication for %s needed\n", keyidstr);
}
for (aodf = app->app_local->auth_object_info; aodf; aodf = aodf->next)
if (aodf->objidlen == prkdf->authidlen
&& !memcmp (aodf->objid, prkdf->authid, prkdf->authidlen))
break;
if (!aodf)
log_info ("p15: no authentication for %s needed\n", keyidstr);
/* We need some more info about the key - get the keygrip to
* populate these fields. */
@ -6042,9 +6089,8 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr,
{
if (prkdf->is_ecc)
{
/* Not implemented due to lacking test hardware. */
log_info ("Note: ECC is not yet implemented for DTRUST 4 cards\n");
err = gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
err = iso7816_manage_security_env (app_get_slot (app),
0xF3, 0x39, NULL, 0);
}
else
{
@ -6274,7 +6320,8 @@ do_with_keygrip (app_t app, ctrl_t ctrl, int action,
}
else if (capability == GCRY_PK_USAGE_ENCR)
{
if (!(prkdf->usageflags.decrypt || prkdf->usageflags.unwrap))
if (!(prkdf->usageflags.decrypt || prkdf->usageflags.unwrap
|| prkdf->usageflags.derive))
continue;
}
else if (capability == GCRY_PK_USAGE_AUTH)
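Review bot: In read_ef_cdf the ID built by appending the counter byte is stored without being checked again, so it can in principle equal an ID that is already in one of the four lists (a card listing `XX 01` before two objects with ID `XX` would, it appears, end up with two `XX 01` entries). Since the purpose of the change is unique object IDs for card-supplied data, the extended ID should be run through objid_in_cdflist_p again and the counter bumped until it is free; the existing 255 limit still bounds the loop. The comment above objid_in_cdflist_p has a typo, `true id` should read `true if`. read_ef_cdf starts and ends outside the hunks, so the sketch below assumes `cdf` is not yet linked into `cdflist` at this point, and whether `parse_error` releases `cdf->objid` cannot be confirmed from here.

```c
      memcpy (cdf->objid, objid, objidlen);
      if (objidextralen)
        {
          do
            {
              if (app->app_local->cdf_dup_counter == 255)
                {
                  /* ... unchanged: log_error, GPG_ERR_TOO_MANY, goto parse_error ... */
                }
              cdf->objid[objidlen] = ++app->app_local->cdf_dup_counter;
            }
          while (objid_in_cdflist_p (cdflist, cdf->objid, cdf->objidlen)
                 || objid_in_cdflist_p (app->app_local->certificate_info,
                                        cdf->objid, cdf->objidlen)
                 || objid_in_cdflist_p (app->app_local->trusted_certificate_info,
                                        cdf->objid, cdf->objidlen)
                 || objid_in_cdflist_p (app->app_local->useful_certificate_info,
                                        cdf->objid, cdf->objidlen));
        }
```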


@ -298,6 +298,23 @@ static int send_escape_cmd (ccid_driver_t handle, const unsigned char *data,
size_t resultmax, size_t *resultlen);
static void
my_npth_unprotect (void)
{
#ifdef USE_NPTH
npth_unprotect ();
#endif
}
static void
my_npth_protect (void)
{
#ifdef USE_NPTH
npth_protect ();
#endif
}
static int
map_libusb_error (int usberr)
{
@ -984,31 +1001,23 @@ get_escaped_usb_string (libusb_device_handle *idev, int idx,
/* First get the list of supported languages and use the first one.
If we do don't find it we try to use English. Note that this is
all in a 2 bute Unicode encoding using little endian. */
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
rc = libusb_control_transfer (idev, LIBUSB_ENDPOINT_IN,
LIBUSB_REQUEST_GET_DESCRIPTOR,
(LIBUSB_DT_STRING << 8), 0,
buf, sizeof buf, 1000 /* ms timeout */);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
if (rc < 4)
langid = 0x0409; /* English. */
else
langid = (buf[3] << 8) | buf[2];
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
rc = libusb_control_transfer (idev, LIBUSB_ENDPOINT_IN,
LIBUSB_REQUEST_GET_DESCRIPTOR,
(LIBUSB_DT_STRING << 8) + idx, langid,
buf, sizeof buf, 1000 /* ms timeout */);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
if (rc < 2 || buf[1] != LIBUSB_DT_STRING)
return NULL; /* Error or not a string. */
len = buf[0];
@ -1345,13 +1354,9 @@ ccid_vendor_specific_setup (ccid_driver_t handle)
{
if (handle->id_vendor == VENDOR_SCM && handle->id_product == SCM_SPR532)
{
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
libusb_clear_halt (handle->idev, handle->ep_intr);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
}
return 0;
}
@ -1660,13 +1665,9 @@ ccid_usb_thread (void *arg)
while (ccid_usb_thread_is_alive)
{
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
libusb_handle_events_completed (ctx, NULL);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
}
return NULL;
@ -1776,36 +1777,42 @@ ccid_open_usb_reader (const char *spec_reader_name,
goto leave;
}
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
if (!(opt.compat_flags & COMPAT_CCID_NO_AUTO_DETACH))
{
rc = libusb_set_auto_detach_kernel_driver (idev, 1);
if (rc)
{
my_npth_protect ();
DEBUGOUT_1 ("note: set_auto_detach_kernel_driver failed: %d\n", rc);
my_npth_unprotect ();
}
}
rc = libusb_claim_interface (idev, ifc_no);
if (rc)
{
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
DEBUGOUT_1 ("usb_claim_interface failed: %d\n", rc);
rc = map_libusb_error (rc);
goto leave;
}
/* Submit SET_INTERFACE control transfer which can reset the device. */
rc = libusb_set_interface_alt_setting (idev, ifc_no, set_no);
if ((*handle)->id_vendor == VENDOR_ACR && (*handle)->id_product == ACR_122U)
rc = 0; /* Not supported by this reader. */
else
rc = libusb_set_interface_alt_setting (idev, ifc_no, set_no);
if (rc)
{
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
DEBUGOUT_1 ("usb_set_interface_alt_setting failed: %d\n", rc);
rc = map_libusb_error (rc);
goto leave;
}
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
/* Perform any vendor specific intialization. */
rc = ccid_vendor_specific_init (*handle);
leave:
@ -1939,13 +1946,9 @@ do_close_reader (ccid_driver_t handle)
while (!handle->powered_off)
{
DEBUGOUT ("libusb_handle_events_completed\n");
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
libusb_handle_events_completed (NULL, &handle->powered_off);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
}
}
@ -2076,15 +2079,11 @@ bulk_out (ccid_driver_t handle, unsigned char *msg, size_t msglen,
}
}
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_out,
msg, msglen, &transferred,
5000 /* ms timeout */);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
if (rc == 0 && transferred == msglen)
return 0;
@ -2124,14 +2123,10 @@ bulk_in (ccid_driver_t handle, unsigned char *buffer, size_t length,
memset (buffer, 0, length);
retry:
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_in,
buffer, length, &msglen, bwi*timeout);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
if (rc)
{
DEBUGOUT_1 ("usb_bulk_read error: %s\n", libusb_error_name (rc));
@ -2280,9 +2275,7 @@ abort_cmd (ccid_driver_t handle, int seqno, int init)
/* Send the abort command to the control pipe. Note that we don't
need to keep track of sent abort commands because there should
never be another thread using the same slot concurrently. */
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
rc = libusb_control_transfer (handle->idev,
0x21,/* bmRequestType: host-to-device,
class specific, to interface. */
@ -2291,9 +2284,7 @@ abort_cmd (ccid_driver_t handle, int seqno, int init)
handle->ifc_no,
dummybuf, 0,
1000 /* ms timeout */);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
if (rc)
{
DEBUGOUT_1 ("usb_control_msg error: %s\n", libusb_error_name (rc));
@ -2319,15 +2310,11 @@ abort_cmd (ccid_driver_t handle, int seqno, int init)
msglen = 10;
set_msg_len (msg, 0);
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_out,
msg, msglen, &transferred,
init? 100: 5000 /* ms timeout */);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
if (rc == 0 && transferred == msglen)
rc = 0;
else if (rc)
@ -2337,15 +2324,11 @@ abort_cmd (ccid_driver_t handle, int seqno, int init)
if (rc)
return map_libusb_error (rc);
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_in,
msg, sizeof msg, &msglen,
init? 100: 5000 /*ms timeout*/);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
if (rc)
{
DEBUGOUT_1 ("usb_bulk_read error in abort_cmd: %s\n",
@ -2559,14 +2542,10 @@ ccid_slot_status (ccid_driver_t handle, int *statusbits, int on_wire)
if (!retries)
{
DEBUGOUT ("USB: CALLING USB_CLEAR_HALT\n");
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
libusb_clear_halt (handle->idev, handle->ep_bulk_in);
libusb_clear_halt (handle->idev, handle->ep_bulk_out);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
}
else
DEBUGOUT ("USB: RETRYING bulk_in AGAIN\n");
@ -3335,13 +3314,9 @@ ccid_transceive (ccid_driver_t handle,
if (tpdulen < 4)
{
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
libusb_clear_halt (handle->idev, handle->ep_bulk_in);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
return CCID_DRIVER_ERR_ABORTED;
}
@ -3793,13 +3768,9 @@ ccid_transceive_secure (ccid_driver_t handle,
if (tpdulen < 4)
{
#ifdef USE_NPTH
npth_unprotect ();
#endif
my_npth_unprotect ();
libusb_clear_halt (handle->idev, handle->ep_bulk_in);
#ifdef USE_NPTH
npth_protect ();
#endif
my_npth_protect ();
return CCID_DRIVER_ERR_ABORTED;
}
if (debug_level > 1)
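Review bot: In ccid_open_usb_reader the return value of `libusb_set_auto_detach_kernel_driver` is only written to the debug log and then overwritten by `libusb_claim_interface`, which looks like intended best-effort handling but is not stated in the code. On platforms where libusb cannot detach kernel drivers the call returns LIBUSB_ERROR_NOT_SUPPORTED, so the note would be printed on every open there. I would add `/* Best effort: a failure is not fatal; libusb_claim_interface below reports the real error. */` above the call. The new helpers my_npth_unprotect and my_npth_protect also deserve a one-line comment each, saying that they are used in pairs around libusb calls and do nothing when USE_NPTH is not defined.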


@ -70,6 +70,7 @@ enum {
VENDOR_FSIJ = 0x234b,
VENDOR_VASCO = 0x1a44,
VENDOR_NXP = 0x1fc9,
VENDOR_ACR = 0x072f
};
@ -88,6 +89,7 @@ enum {
#define VEGA_ALPHA 0x0008
#define CYBERJACK_GO 0x0504
#define CRYPTOUCAN 0x81e6
#define ACR_122U 0x2200 /* NFC Reader */
#endif /*CCID_DRIVER_INCLUDE_USB_IDS*/


@ -104,6 +104,7 @@ enum cmd_and_opt_values
oDisableApplication,
oApplicationPriority,
oEnablePinpadVarlen,
oCompatibilityFlags,
oListenBacklog
};
@ -172,6 +173,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oDisableApplication, "disable-application", "@"),
ARGPARSE_s_s (oApplicationPriority, "application-priority",
N_("|LIST|change the application priority to LIST")),
ARGPARSE_s_s (oCompatibilityFlags, "compatibility-flags", "@"),
ARGPARSE_s_i (oListenBacklog, "listen-backlog", "@"),
@ -204,6 +206,14 @@ static struct debug_flags_s debug_flags [] =
};
/* The list of compatibility flags. */
static struct compatibility_flags_s compatibility_flags [] =
{
{ COMPAT_CCID_NO_AUTO_DETACH, "ccid-no-auto-detach" },
{ 0, NULL }
};
/* The card driver we use by default for PC/SC. */
#if defined(HAVE_W32_SYSTEM) || defined(__CYGWIN__)
#define DEFAULT_PCSC_DRIVER "winscard.dll"
@ -628,6 +638,15 @@ main (int argc, char **argv )
case oEnablePinpadVarlen: opt.enable_pinpad_varlen = 1; break;
case oCompatibilityFlags:
if (parse_compatibility_flags (pargs.r.ret_str, &opt.compat_flags,
compatibility_flags))
{
pargs.r_opt = ARGPARSE_INVALID_ARG;
pargs.err = ARGPARSE_PRINT_WARNING;
}
break;
case oListenBacklog:
listen_backlog = pargs.r.ret_int;
break;


@ -67,6 +67,9 @@ struct
want to use. */
unsigned long card_timeout; /* Disconnect after N seconds of inactivity. */
int debug_allow_pin_logging; /* Allow PINs in debug output. */
/* Compatibility flags (COMPAT_FLAG_xxxx). */
unsigned int compat_flags;
} opt;
@ -92,6 +95,11 @@ struct
#define DBG_CARD_IO (opt.debug & DBG_CARD_IO_VALUE)
#define DBG_READER (opt.debug & DBG_READER_VALUE)
#define COMPAT_CCID_NO_AUTO_DETACH 1
struct server_local_s;
struct card_ctx_s;
struct app_ctx_s;
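Review bot: The comment on the new `compat_flags` member names the constants `COMPAT_FLAG_xxxx`, but the only flag this section defines is `COMPAT_CCID_NO_AUTO_DETACH`, so a reader searching for that prefix finds nothing. I would write the comment as `/* Compatibility flags (COMPAT_xxxx). */`. The define itself should get a line of explanation, for example `/* Do not ask libusb to auto-detach the kernel driver. */`, since the flag changes how the reader device is claimed.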


@ -1330,8 +1330,19 @@ main ( int argc, char **argv)
case oHomedir: gnupg_set_homedir (pargs.r.ret_str); break;
case oChUid: break; /* Command line only (see above). */
case oAgentProgram: opt.agent_program = pargs.r.ret_str; break;
case oKeyboxdProgram: opt.keyboxd_program = pargs.r.ret_str; break;
case oAgentProgram:
xfree (opt.agent_program);
opt.agent_program = make_filename (pargs.r.ret_str, NULL);
break;
case oKeyboxdProgram:
xfree (opt.keyboxd_program);
opt.keyboxd_program = make_filename (pargs.r.ret_str, NULL);
break;
case oDirmngrProgram:
xfree (opt.dirmngr_program);
opt.dirmngr_program = make_filename (pargs.r.ret_str, NULL);
break;
case oDisplay:
set_opt_session_env ("DISPLAY", pargs.r.ret_str);
@ -1349,7 +1360,6 @@ main ( int argc, char **argv)
case oLCctype: opt.lc_ctype = xstrdup (pargs.r.ret_str); break;
case oLCmessages: opt.lc_messages = xstrdup (pargs.r.ret_str); break;
case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str; break;
case oDisableDirmngr: opt.disable_dirmngr = 1; break;
case oPreferSystemDirmngr: /* Obsolete */; break;
case oProtectToolProgram:


@ -60,16 +60,16 @@ struct
int use_keyboxd; /* Use the external keyboxd as storage backend. */
const char *config_filename; /* Name of the used config file. */
const char *agent_program;
char *agent_program;
const char *keyboxd_program;
char *keyboxd_program;
session_env_t session_env;
char *lc_ctype;
char *lc_messages;
int autostart;
const char *dirmngr_program;
char *dirmngr_program;
int disable_dirmngr; /* Do not do any dirmngr calls. */
const char *protect_tool_program;
char *outfile; /* name of output file */


@ -677,7 +677,7 @@ parse_bag_encrypted_data (struct p12_parse_ctx_s *ctx, tlv_parser_t tlv)
const unsigned char *data;
size_t datalen;
int intval;
char salt[20];
char salt[32];
size_t saltlen;
char iv[16];
unsigned int iter;
@ -1945,43 +1945,46 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw,
}
where = "pfx";
if (tlv_next (tlv))
if ((err = tlv_next (tlv)))
goto bailout;
if (tlv_expect_sequence (tlv))
if ((err = tlv_expect_sequence (tlv)))
goto bailout;
where = "pfxVersion";
if (tlv_next (tlv))
if ((err = tlv_next (tlv)))
goto bailout;
if (tlv_expect_integer (tlv, &intval) || intval != 3)
if ((err = tlv_expect_integer (tlv, &intval)) || intval != 3)
goto bailout;
where = "authSave";
if (tlv_next (tlv))
if ((err = tlv_next (tlv)))
goto bailout;
if (tlv_expect_sequence (tlv))
if ((err = tlv_expect_sequence (tlv)))
goto bailout;
if (tlv_next (tlv))
if ((err = tlv_next (tlv)))
goto bailout;
if (tlv_expect_object_id (tlv, &oid, &oidlen))
if ((err = tlv_expect_object_id (tlv, &oid, &oidlen)))
goto bailout;
if (oidlen != DIM(oid_data) || memcmp (oid, oid_data, DIM(oid_data)))
{
err = gpg_error (GPG_ERR_INV_OBJ);
goto bailout;
}
if ((err = tlv_next (tlv)))
goto bailout;
if ((err = tlv_expect_context_tag (tlv, &intval)) || intval != 0 )
goto bailout;
if (tlv_next (tlv))
if ((err = tlv_next (tlv)))
goto bailout;
if (tlv_expect_context_tag (tlv, &intval) || intval != 0 )
goto bailout;
if (tlv_next (tlv))
goto bailout;
if (tlv_expect_octet_string (tlv, 1, NULL, NULL))
if ((err = tlv_expect_octet_string (tlv, 1, NULL, NULL)))
goto bailout;
if (tlv_peek (tlv, CLASS_UNIVERSAL, TAG_OCTET_STRING))
{
if (tlv_next (tlv))
if ((err = tlv_next (tlv)))
goto bailout;
err = tlv_expect_octet_string (tlv, 1, NULL, NULL);
if (err)
@ -1989,9 +1992,9 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw,
}
where = "bags";
if (tlv_next (tlv))
if ((err = tlv_next (tlv)))
goto bailout;
if (tlv_expect_sequence (tlv))
if ((err = tlv_expect_sequence (tlv)))
goto bailout;
startlevel = tlv_parser_level (tlv);
@ -2000,12 +2003,12 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw,
{
where = "bag-sequence";
tlv_parser_dump_state (where, NULL, tlv);
if (tlv_expect_sequence (tlv))
if ((err = tlv_expect_sequence (tlv)))
goto bailout;
if (tlv_next (tlv))
if ((err = tlv_next (tlv)))
goto bailout;
if (tlv_expect_object_id (tlv, &oid, &oidlen))
if ((err = tlv_expect_object_id (tlv, &oid, &oidlen)))
goto bailout;
if (oidlen == DIM(oid_encryptedData)
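Review bot: In p12_parse the combined tests `(err = tlv_expect_integer (tlv, &intval)) || intval != 3` and `(err = tlv_expect_context_tag (tlv, &intval)) || intval != 0` jump to `bailout` with `err` still 0 when the call succeeds but the value is wrong, unlike the OID mismatch just below, which sets GPG_ERR_INV_OBJ. If `bailout` reports or returns `err` (the label is outside the hunks), a malformed PKCS#12 file is then rejected without an error code. Splitting the test fixes it: `if (!err && intval != 3) err = gpg_error (GPG_ERR_INV_OBJ);` followed by `if (err) goto bailout;`, and the same for the context tag. For the `salt[32]` change in parse_bag_encrypted_data, the length check before the copy into `salt` is not in the hunk; it should be confirmed that it compares against `sizeof salt` and not a literal.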


@ -99,7 +99,7 @@ suite.
This envvar gives the root directory of the build tree. See
tests/gpgconf.ctl.in for the way we tell the GnuPG components this
location. Note that we can't use that envvar directly because this
would allow user scripts and other software to accidently mess up the
would allow user scripts and other software to accidentally mess up the
used components.
**** argv[0]
run-tests.scm depends on being able to re-exec gpgscm. It uses


@ -220,9 +220,15 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts)
}
break;
case oGpgProgram: opt.gpg_program = pargs->r.ret_str; break;
case oGpgsmProgram: opt.gpgsm_program = pargs->r.ret_str; break;
case oAgentProgram: opt.agent_program = pargs->r.ret_str; break;
case oGpgProgram:
opt.gpg_program = make_filename (pargs->r.ret_str, NULL);
break;
case oGpgsmProgram:
opt.gpgsm_program = make_filename (pargs->r.ret_str, NULL);
break;
case oAgentProgram:
opt.agent_program = make_filename (pargs->r.ret_str, NULL);
break;
case oStatusFD:
gnupg_set_status_fd (translate_sys2libc_fd_int (pargs->r.ret_int, 1));
@ -402,7 +408,7 @@ nullnone (const char *s)
* success returns 0 and stores the number of bytes read at R_BUFLEN
* and the address of a newly allocated buffer at R_BUFFER. A
* complementary nul byte is always appended to the data but not
* counted; this allows to pass NULL for R-BUFFER and consider the
* counted; this allows one to pass NULL for R-BUFFER and consider the
* returned data as a string. */
static gpg_error_t
get_data_from_file (const char *fname, char **r_buffer, size_t *r_buflen)
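Review bot: The three `make_filename` assignments in parse_arguments overwrite `opt.gpg_program`, `opt.gpgsm_program` and `opt.agent_program` without releasing an earlier value, so giving an option twice (config file plus command line, for example) leaks the first allocation. An earlier section of this commit makes the same change for oAgentProgram, oKeyboxdProgram and oDirmngrProgram and frees first; the same form here would be `xfree (opt.gpg_program);` before each assignment. The two later sections that switch their program options to `make_filename` have the same gap. parse_arguments begins and ends outside the hunk.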


@ -34,9 +34,9 @@ struct
unsigned int debug;
int quiet;
int with_colons;
const char *gpg_program;
const char *gpgsm_program;
const char *agent_program;
char *gpg_program;
char *gpgsm_program;
char *agent_program;
int autostart;
int no_key_lookup; /* Assume --no-key-lookup for "list". */


@ -126,9 +126,9 @@ struct
int quiet; /* Be extra quiet. */
int autostart; /* Start the server if not running. */
const char *homedir; /* Configuration directory name */
const char *agent_program; /* Value of --agent-program. */
const char *dirmngr_program; /* Value of --dirmngr-program. */
const char *keyboxd_program; /* Value of --keyboxd-program. */
char *agent_program; /* Value of --agent-program. */
char *dirmngr_program; /* Value of --dirmngr-program. */
char *keyboxd_program; /* Value of --keyboxd-program. */
int hex; /* Print data lines in hex format. */
int decode; /* Decode received data lines. */
int use_dirmngr; /* Use the dirmngr and not gpg-agent. */
@ -1269,9 +1269,15 @@ main (int argc, char **argv)
case oVerbose: opt.verbose++; break;
case oNoVerbose: opt.verbose = 0; break;
case oHomedir: gnupg_set_homedir (pargs.r.ret_str); break;
case oAgentProgram: opt.agent_program = pargs.r.ret_str; break;
case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str; break;
case oKeyboxdProgram: opt.keyboxd_program = pargs.r.ret_str; break;
case oAgentProgram:
opt.agent_program = make_filename (pargs.r.ret_str, NULL);
break;
case oDirmngrProgram:
opt.dirmngr_program = make_filename (pargs.r.ret_str, NULL);
break;
case oKeyboxdProgram:
opt.keyboxd_program = make_filename (pargs.r.ret_str, NULL);
break;
case oNoAutostart: opt.autostart = 0; break;
case oNoHistory: opt.no_history = 1; break;
case oHex: opt.hex = 1; break;


@ -78,6 +78,7 @@ enum cmd_and_opt_values
oNoAutostart,
oAddRevocs,
oNoAddRevocs,
oRealClean,
oDummy
};
@ -121,8 +122,9 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_n (oWithColons, "with-colons", "@"),
ARGPARSE_s_s (oBlacklist, "blacklist", "@"),
ARGPARSE_s_s (oDirectory, "directory", "@"),
ARGPARSE_s_n (oAddRevocs, "add-revocs", "add revocation certificates"),
ARGPARSE_s_n (oAddRevocs, "add-revocs", "@"),
ARGPARSE_s_n (oNoAddRevocs, "no-add-revocs", "do not add revocation certificates"),
ARGPARSE_s_n (oRealClean, "realclean", "remove most key signatures"),
ARGPARSE_s_s (oFakeSubmissionAddr, "fake-submission-addr", "@"),
@ -154,7 +156,7 @@ static char **blacklist_array;
static size_t blacklist_array_len;
static void wrong_args (const char *text) GPGRT_ATTR_NORETURN;
static void wrong_args (const char *t1, const char *t2) GPGRT_ATTR_NORETURN;
static void add_blacklist (const char *fname);
static gpg_error_t proc_userid_from_stdin (gpg_error_t (*func)(const char *),
const char *text);
@ -204,10 +206,15 @@ my_strusage( int level )
static void
wrong_args (const char *text)
wrong_args (const char *text, const char *text2)
{
es_fprintf (es_stderr, _("usage: %s [options] %s\n"),
gpgrt_strusage (11), text);
#if GPGRT_VERSION_NUMBER >= 0x013000 /* >= 1.48 */
/* Skip the leading dashes if build with command support. */
if (text[0] == '-' && text[1] == '-' && text[2])
text += 2;
#endif
es_fprintf (es_stderr, _("usage: %s %s [options] %s\n"),
gpgrt_strusage (11), text, text2);
exit (2);
}
@ -235,16 +242,16 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts)
break;
case oGpgProgram:
opt.gpg_program = pargs->r.ret_str;
opt.gpg_program = make_filename (pargs->r.ret_str, NULL);
break;
case oDirectory:
opt.directory = pargs->r.ret_str;
opt.directory = make_filename (pargs->r.ret_str, NULL);
break;
case oSend:
opt.use_sendmail = 1;
break;
case oOutput:
opt.output = pargs->r.ret_str;
opt.output = make_filename (pargs->r.ret_str, NULL);
break;
case oFakeSubmissionAddr:
fake_submission_addr = pargs->r.ret_str;
@ -268,6 +275,10 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts)
opt.add_revocs = 0;
break;
case oRealClean:
opt.realclean = 1;
break;
case aSupported:
case aCreate:
case aReceive:
@ -315,6 +326,9 @@ main (int argc, char **argv)
pargs.argc = &argc;
pargs.argv = &argv;
pargs.flags = ARGPARSE_FLAG_KEEP;
#if GPGRT_VERSION_NUMBER >= 0x013000 /* >= 1.48 */
pargs.flags |= ARGPARSE_FLAG_COMMAND;
#endif
cmd = parse_arguments (&pargs, opts);
gpgrt_argparse (NULL, &pargs, NULL);
@ -350,7 +364,7 @@ main (int argc, char **argv)
/* Set defaults for non given options. */
if (!opt.gpg_program)
opt.gpg_program = gnupg_module_name (GNUPG_MODULE_NAME_GPG);
opt.gpg_program = xstrdup (gnupg_module_name (GNUPG_MODULE_NAME_GPG));
if (!opt.directory)
opt.directory = "openpgpkey";
@ -394,7 +408,7 @@ main (int argc, char **argv)
else
{
if (argc != 1)
wrong_args ("--supported DOMAIN");
wrong_args ("--supported", "DOMAIN");
err = command_supported (argv[0]);
if (err && gpg_err_code (err) != GPG_ERR_FALSE)
log_error ("checking support failed: %s\n", gpg_strerror (err));
@ -403,7 +417,7 @@ main (int argc, char **argv)
case aCreate:
if (argc != 2)
wrong_args ("--create FINGERPRINT USER-ID");
wrong_args ("--create", "FINGERPRINT USER-ID");
err = command_create (argv[0], argv[1]);
if (err)
log_error ("creating request failed: %s\n", gpg_strerror (err));
@ -411,7 +425,7 @@ main (int argc, char **argv)
case aReceive:
if (argc)
wrong_args ("--receive < MIME-DATA");
wrong_args ("--receive", "< MIME-DATA");
err = wks_receive (es_stdin, command_receive_cb, NULL);
if (err)
log_error ("processing mail failed: %s\n", gpg_strerror (err));
@ -419,7 +433,7 @@ main (int argc, char **argv)
case aRead:
if (argc)
wrong_args ("--read < WKS-DATA");
wrong_args ("--read", "< WKS-DATA");
err = read_confirmation_request (es_stdin);
if (err)
log_error ("processing mail failed: %s\n", gpg_strerror (err));
@ -427,7 +441,7 @@ main (int argc, char **argv)
case aCheck:
if (argc != 1)
wrong_args ("--check USER-ID");
wrong_args ("--check", "USER-ID");
err = command_check (argv[0]);
break;
@ -444,12 +458,12 @@ main (int argc, char **argv)
else if (argc == 2)
err = wks_cmd_install_key (*argv, argv[1]);
else
wrong_args ("--install-key [FILE|FINGERPRINT USER-ID]");
wrong_args ("--install-key", "[FILE|FINGERPRINT USER-ID]");
break;
case aRemoveKey:
if (argc != 1)
wrong_args ("--remove-key USER-ID");
wrong_args ("--remove-key", "USER-ID");
err = wks_cmd_remove_key (*argv);
break;
@ -1779,6 +1793,8 @@ process_confirmation_request (estream_t msg, const char *mainfpr)
log_info ("no encryption key found - sending response in the clear\n");
err = send_confirmation_response (sender, address, nonce, 0, NULL);
}
if (!err)
log_info ("response sent to '%s' for '%s'\n", sender, address);
leave:
nvc_release (nvc);
@ -1903,7 +1919,7 @@ domain_matches_mbox (const char *domain, const char *mbox)
* so that for a key with
* uid: Joe Someone <joe@example.org>
* uid: Joe <joe@example.org>
* only the news user id (and thus its self-signature) is used.
* only the newest user id (and thus its self-signature) is used.
* UIDLIST is nodified to set all MBOX fields to NULL for a processed
* user id. FPR is the fingerprint of the key.
*/
@ -2010,7 +2026,7 @@ mirror_one_key (estream_t key)
continue; /* No mail box or already processed. */
if (uid->expired)
continue;
if (!domain_matches_mbox (domain, uid->mbox))
if (*domain && !domain_matches_mbox (domain, uid->mbox))
continue; /* We don't want this one. */
if (is_in_blacklist (uid->mbox))
continue;
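Review bot: In the last hunk of this section (mirror_one_key), the new test `if (*domain && !domain_matches_mbox (domain, uid->mbox))` switches the domain check off entirely when `domain` is an empty string, so every unexpired, non-blacklisted mailbox of the key passes this filter. That widening is not documented where it happens; I would add `/* An empty DOMAIN means no domain restriction. */` above the test. The expression also dereferences `domain` unconditionally, and its assignment is outside the hunk, so please confirm it can never be NULL and that the empty value is reached only when the caller intends to mirror all domains, not after a missing or failed lookup. mirror_one_key's body starts and ends outside the hunk.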


@ -308,7 +308,7 @@ main (int argc, char **argv)
/* Set defaults for non given options. */
if (!opt.gpg_program)
opt.gpg_program = gnupg_module_name (GNUPG_MODULE_NAME_GPG);
opt.gpg_program = xstrdup (gnupg_module_name (GNUPG_MODULE_NAME_GPG));
if (!opt.directory)
opt.directory = "/var/lib/gnupg/wks";
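Review bot: After this change `opt.gpg_program` always holds heap memory, while the default two lines below, `opt.directory = "/var/lib/gnupg/wks";`, is still a string literal. The previous file section has the same pair with `opt.directory = "openpgpkey";`, and there the option parser now stores a `make_filename` result in that field. If these fields are meant to be owned (freed or replaced later), the mixed ownership should be removed with `opt.directory = xstrdup ("/var/lib/gnupg/wks");`; if they are never freed, a short comment on the option struct saying so would be enough. main's body continues outside the hunk.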
