diff --git a/.git-blame-ignore-revs b/.git-blame-ignore-revs index 7182d90d9..ec5aae1c7 100644 --- a/.git-blame-ignore-revs +++ b/.git-blame-ignore-revs @@ -1,2 +1,4 @@ # indent: Modernize mem2str. 6a80d6f9206eae2c867c45daa5cd3e7d6c6ad114 +# doc: Fix spelling errors found by lintian. +2ed1f68b48db7b5503045386de0500fddf70077e diff --git a/Makefile.am b/Makefile.am index 67ee98e20..1b6933484 100644 --- a/Makefile.am +++ b/Makefile.am @@ -247,8 +247,8 @@ release: mkopt=""; \ if [ -n "$$CUSTOM_SWDB" ]; then \ mkopt="CUSTOM_SWB=1"; \ - x=$$(grep '^OVERRIDE_TARBALLS=' \ - $$HOME/.gnupg-autogen.rc|cut -d= -f2);\ + x=$$(grep '^[[:blank:]]*OVERRIDE_TARBALLS[[:blank:]]*=' \ + $$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\ if [ -f "$$x/swdb.lst" ]; then \ echo "/* Copying swdb.lst from the overrides directory */"; \ cp "$$x/swdb.lst" . ; \ @@ -275,13 +275,15 @@ release: sign-release: +(set -e; \ test $$(pwd | sed 's,.*/,,') = dist || cd dist; \ - x=$$(grep '^RELEASE_ARCHIVE=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\ + x=$$(grep '^[[:blank:]]*RELEASE_ARCHIVE[[:blank:]]*=' \ + $$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\ if [ -z "$$x" ]; then \ echo "error: RELEASE_ARCHIVE missing in ~/.gnupg-autogen.rc">&2; \ exit 2;\ fi;\ myarchive="$$x/$(RELEASE_ARCHIVE_SUFFIX)";\ - x=$$(grep '^RELEASE_SIGNKEY=' $$HOME/.gnupg-autogen.rc|cut -d= -f2);\ + x=$$(grep '^[[:blank:]]*RELEASE_SIGNKEY[[:blank:]]*=' \ + $$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs);\ if [ -z "$$x" ]; then \ echo "error: RELEASE_SIGNKEY missing in ~/.gnupg-autogen.rc">&2; \ exit 2;\ diff --git a/NEWS b/NEWS index 4a5fe2f27..062353b66 100644 --- a/NEWS +++ b/NEWS 
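Review bot: The `|xargs` added to the three `~/.gnupg-autogen.rc` lookups in the `release` and `sign-release` recipes does more than trim whitespace. It applies xargs' own quote and backslash processing and folds several matching lines into one space-separated value, so a duplicated or quoted `RELEASE_SIGNKEY` line yields a key id that differs from what the file literally says, and `cut -d= -f2` still drops anything after a second `=`. For a value that selects the release signing key, trimming with sed and taking a single match is more predictable, e.g. `|cut -d= -f2-|sed -e 's/^[[:blank:]]*//' -e 's/[[:blank:]]*$$//'|head -n 1`. The same pipeline is introduced in `READ_AUTOGEN_template` in build-aux/speedo.mk, where the documented `AUTHENTICODE_TOOL` example is a double-quoted Windows path with backslashes, so it is worth checking that the value still reaches the signing host quoted as intended.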
@@ -1,6 +1,51 @@ Noteworthy changes in version 2.5.0 (unreleased) ------------------------------------------------ + Changes also found in 2.4.5: + +Noteworthy changes in version 2.4.5 (2024-03-07) +------------------------------------------------ + + * gpg,gpgv: New option --assert-pubkey-algo. [T6946] + + * gpg: Emit status lines for errors in the compression layer. + [T6977] + + * gpg: Fix invocation with --trusted-keys and --no-options. [T7025] + + * gpgsm: Allow for a longer salt in PKCS#12 files. [T6757] + + * gpgtar: Make --status-fd=2 work on Windows. [T6961] + + * scd: Support for the ACR-122U NFC reader. [rG1682ca9f01] + + * scd: Suport D-TRUST ECC cards. [T7000,T7001] + + * scd: Allow auto detaching of kernel drivers; can be disabled with + the new compatibility-flag ccid-no-auto-detach. [rGa1ea3b13e0] + + * scd: Allow setting a PIN length of 6 also with a reset code for + openpgp cards. [T6843] + + * agent: Allow GET_PASSPHRASE in restricted mode. [rGadf4db6e20] + + * dirmngr: Trust system's root CAs for checking CRL issuers. + [T6963] + + * dirmngr: Fix regression in 2.4.4 in fetching keys via hkps. + [T6997] + + * gpg-wks-client: Make option --mirror work properly w/o specifying + domains. [rG37cc255e49] + + * g13,gpg-wks-client: Allow command style options as in "g13 mount + foo". [rGa09157ccb2] + + * Allow tilde expansion for the foo-program options. [T7017] + + * Make the getswdb.sh tool usable outside the GnuPG tree. + + Changes also found in 2.4.4: * gpg: Do not keep an unprotected smartcard backup key on disk. See @@ -178,6 +223,7 @@ Noteworthy changes in version 2.5.0 (unreleased) Release dates of 2.4 versions ----------------------------- +Version 2.4.5 (2024-03-07) https://dev.gnupg.org/T6960 Version 2.4.4 (2024-01-25) https://dev.gnupg.org/T6578 Version 2.4.3 (2023-07-04) https://dev.gnupg.org/T6509 Version 2.4.2 (2023-05-30) https://dev.gnupg.org/T6506 
@@ -1392,7 +1438,7 @@ Noteworthy changes in version 2.3.0 (2021-04-07) Changes also found in 2.2.12: * tools: New commands --install-key and --remove-key for - gpg-wks-client. This allows to prepare a Web Key Directory on a + gpg-wks-client. This allows one to prepare a Web Key Directory on a local file system for later upload to a web server. * gpg: New --list-option "show-only-fpr-mbox". This makes the use @@ -1436,7 +1482,7 @@ Noteworthy changes in version 2.3.0 (2021-04-07) query. * gpg: Do not store the TOFU trust model in the trustdb. This - allows to enable or disable a TOFO model without triggering a + allows one to enable or disable a TOFO model without triggering a trustdb rebuild. [#4134] * scd: Fix cases of "Bad PIN" after using "forcesig". [#4177] @@ -1855,7 +1901,7 @@ Noteworthy changes in version 2.1.23 (2017-08-09) to your gpg.conf. * agent: Option --no-grab is now the default. The new option --grab - allows to revert this. + allows one to revert this. * gpg: New import option "show-only". @@ -2985,7 +3031,7 @@ Noteworthy changes in version 2.1.0 (2014-11-06) * gpg: Allow use of Brainpool curves. * gpg: Accepts a space separated fingerprint as user ID. This - allows to copy and paste the fingerprint from the key listing. + allows one to copy and paste the fingerprint from the key listing. * gpg: The hash algorithm is now printed for signature records in key listings. @@ -3765,7 +3811,7 @@ Noteworthy changes in version 1.9.10 (2004-07-22) * Fixed a serious bug in the checking of trusted root certificates. - * New configure option --enable-agent-pnly allows to build and + * New configure option --enable-agent-only allows one to build and install just the agent. * Fixed a problem with the log file handling. 
@@ -4160,7 +4206,7 @@ Noteworthy changes in version 1.1.92 (2002-09-11) extension specified with --load-extension are checked, along with their enclosing directories. - * The configure option --with-static-rnd=auto allows to build gpg + * The configure option --with-static-rnd=auto allows one to build gpg with all available entropy gathering modules included. At runtime the best usable one will be selected from the list linux, egd, unix. This is also the default for systems lacking @@ -4543,7 +4589,7 @@ Noteworthy changes in version 1.0.2 (2000-07-12) * New command --export-secret-subkeys which outputs the the _primary_ key with it's secret parts deleted. This is useful for automated decryption/signature creation as it - allows to keep the real secret primary key offline and + allows one to keep the real secret primary key offline and thereby protecting the key certificates and allowing to create revocations for the subkeys. See the FAQ for a procedure to install such secret keys. diff --git a/agent/agent.h b/agent/agent.h index 37582483b..9a7b59db3 100644 --- a/agent/agent.h +++ b/agent/agent.h @@ -86,8 +86,8 @@ struct /* Enable pinentry debugging (--debug 1024 should also be used). */ int debug_pinentry; - /* Filename of the program to start as pinentry. */ - const char *pinentry_program; + /* Filename of the program to start as pinentry (malloced). */ + char *pinentry_program; /* Filename of the program to handle daemon tasks. */ const char *daemon_program[DAEMON_MAX_TYPE]; diff --git a/agent/command.c b/agent/command.c index 20ae08e9f..575456cc5 100644 --- a/agent/command.c +++ b/agent/command.c @@ -1988,9 +1988,6 @@ cmd_get_passphrase (assuan_context_t ctx, char *line) struct pin_entry_info_s *pi2 = NULL; int is_generated; - if (ctrl->restricted) - return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN)); - opt_data = has_option (line, "--data"); opt_check = has_option (line, "--check"); opt_no_ask = has_option (line, "--no-ask"); 
@@ -2039,7 +2036,9 @@ cmd_get_passphrase (assuan_context_t ctx, char *line) if (!desc) return set_error (GPG_ERR_ASS_PARAMETER, "no description given"); - if (!strcmp (cacheid, "X")) + /* The only limitation in restricted mode is that we don't consider + * the cache. */ + if (ctrl->restricted || !strcmp (cacheid, "X")) cacheid = NULL; if (!strcmp (errtext, "X")) errtext = NULL; @@ -2121,7 +2120,7 @@ cmd_get_passphrase (assuan_context_t ctx, char *line) entry_errtext = NULL; is_generated = !!(pi->status & PINENTRY_STATUS_PASSWORD_GENERATED); - /* We don't allow an empty passpharse in this mode. */ + /* We don't allow an empty passphrase in this mode. */ if (!is_generated && check_passphrase_constraints (ctrl, pi->pin, pi->constraints_flags, diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c index e7818697d..3c71ba65d 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -876,6 +876,7 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread) opt.debug = 0; opt.no_grab = 1; opt.debug_pinentry = 0; + xfree (opt.pinentry_program); opt.pinentry_program = NULL; opt.pinentry_touch_file = NULL; xfree (opt.pinentry_invisible_char); @@ -936,7 +937,10 @@ parse_rereadable_options (gpgrt_argparse_t *pargs, int reread) case oNoGrab: opt.no_grab |= 1; break; case oGrab: opt.no_grab |= 2; break; - case oPinentryProgram: opt.pinentry_program = pargs->r.ret_str; break; + case oPinentryProgram: + xfree (opt.pinentry_program); + opt.pinentry_program = make_filename_try (pargs->r.ret_str, NULL); + break; case oPinentryTouchFile: opt.pinentry_touch_file = pargs->r.ret_str; break; case oPinentryInvisibleChar: xfree (opt.pinentry_invisible_char); diff --git a/build-aux/getswdb.sh b/build-aux/getswdb.sh index 7d4b31eef..0b97f0de5 100755 --- a/build-aux/getswdb.sh +++ b/build-aux/getswdb.sh 
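Review bot: With the early `ctrl->restricted` rejection removed, `if (ctrl->restricted || !strcmp (cacheid, "X")) cacheid = NULL;` is the only restricted-mode guard left in cmd_get_passphrase, and it holds only if every later cache read and write in the function is keyed on `cacheid`. The body continues outside these hunks, so that cannot be confirmed from here; the paths taken for `--check` and `--no-ask` deserve a look. A restricted client now also supplies the description and error text shown in the pinentry, so please confirm that the prompt is marked as coming from a restricted connection. The comment could state both facts, for example `/* In restricted mode the cache is neither consulted nor filled; the prompt texts are still supplied by the client. */`.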
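Review bot: The result of `make_filename_try` in the `oPinentryProgram` case is stored without a check, so a NULL return (presumably on allocation failure, as the `_try` suffix suggests) silently clears `opt.pinentry_program`, and the agent would then most likely fall back to a default pinentry. Since this option decides which program collects passphrases, the failure should be reported instead of ignored, e.g. `if (!opt.pinentry_program) log_error ("error setting pinentry program: %s\n", gpg_strerror (gpg_error_from_syserror ()));`. parse_rereadable_options extends beyond both hunks, so any later NULL handling is not visible here.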
@@ -28,15 +28,24 @@ cvtver () { usage() { cat <&2 ;; + *) + packages="$packages $1" + ;; esac shift done + # Mac OSX has only a shasum and not sha1sum if [ ${find_sha1sum} = yes ]; then for i in sha1sum shasum ; do @@ -114,16 +133,37 @@ if [ ${find_sha256sum} = yes ]; then fi +if [ $skip_verify = no ]; then + if [ ! -f "$distsigkey" ]; then + distsigkey="/usr/local/share/gnupg/distsigkey.gpg" + if [ ! -f "$distsigkey" ]; then + distsigkey="/usr/share/gnupg/distsigkey.gpg" + if [ ! -f "$distsigkey" ]; then + echo "no keyring with release keys found!" >&2 + exit 1 + fi + fi + echo "using release keys from $distsigkey" >&2 + skip_selfcheck=yes + fi +fi + + # Get GnuPG version from VERSION file. For a GIT checkout this means # that ./autogen.sh must have been run first. For a regular tarball # VERSION is always available. -if [ ! -f "$srcdir/../VERSION" ]; then +if [ $skip_selfcheck = no ]; then + if [ ! -f "$srcdir/../VERSION" ]; then echo "VERSION file missing - run autogen.sh first." >&2 exit 1 + fi + version=$(cat "$srcdir/../VERSION") +else + version="0.0.0" fi -version=$(cat "$srcdir/../VERSION") version_num=$(echo "$version" | cvtver) + if [ $skip_verify = no ]; then if ! $GPGV --version >/dev/null 2>/dev/null ; then echo "command \"gpgv\" is not installed" >&2 @@ -164,10 +204,10 @@ else fi fi if [ $skip_verify = no ]; then - if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst; then + if ! $GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst 2>/dev/null; then echo "list of software versions is not valid!" >&2 exit 1 - fi + fi fi # 
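Review bot: Redirecting gpgv's stderr to `/dev/null` in the `swdb.lst` check discards the only diagnostics that tell a bad signature apart from a key missing from `$distsigkey`, leaving just "list of software versions is not valid!". Now that the keyring may be a system copy under `/usr/local/share/gnupg` or `/usr/share/gnupg`, that detail is what a user needs to judge the failure. Consider capturing the output and printing it only on failure, e.g. `if ! out=$($GPGV --keyring "$distsigkey" swdb.lst.sig swdb.lst 2>&1); then echo "$out" >&2; ...`. The same redirect is used in `download_pkg` in the last hunk of this file.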
@@ -188,3 +228,73 @@ if [ $skip_selfcheck = no ]; then exit 1 fi fi + + +# Download a package and check its signature. +download_pkg () { + local url="$1" + local file="${url##*/}" + + if ! $WGET -q -O - "$url" >"${file}.tmp" ; then + echo "download of $file failed." >&2 + [ -f "${file}.tmp" ] && rm "${file}.tmp" + return 1 + fi + if [ $skip_verify = no ]; then + if ! $WGET -q -O - "${url}.sig" >"${file}.tmpsig" ; then + echo "download of $file.sig failed." >&2 + [ -f "${file}.tmpsig" ] && rm "${file}.tmpsig" + return 1 + fi + if ! $GPGV -q --keyring "$distsigkey" \ + "${file}.tmpsig" "${file}.tmp" 2>/dev/null; then + echo "signature of $file is not valid!" >&2 + return 1 + fi + mv "${file}.tmpsig" "${file}.sig" + else + [ -f "${file}.sig" ] && rm "${file}.sig" + fi + mv "${file}.tmp" "${file}" + return 0 +} + + + +baseurl=$(awk '$1=="gpgorg_base" {print $2; exit 0}' swdb.lst) +for p in $packages; do + pver=$(awk '$1=="'"$p"'_ver" {print $2}' swdb.lst) + if [ -z "$pver" ]; then + echo "package '$p' not found" >&2 + die=yes + else + pdir=$(awk '$1=="'"$p"'_dir" {print $2":"$3":"$4}' swdb.lst) + if [ -n "$pdir" ]; then + psuf=$(echo "$pdir" | cut -d: -f3) + pname=$(echo "$pdir" | cut -d: -f2) + pdir=$(echo "$pdir" | cut -d: -f1) + else + psuf= + pdir="$p" + pname="$p" + fi + if [ -z "$psuf" ]; then + psuf=$(awk 'BEGIN {suf="bz2"}; + $1=="'"$p"'_sha1_gz" {suf="gz"; exit 0}; + $1=="'"$p"'_sha1_xz" {suf"xz"; exit 0}; + END {print suf}' swdb.lst) + fi + pfullname="$pname-$pver.tar.$psuf" + if [ $info_mode = yes ]; then + echo "$baseurl/$pdir/$pfullname" + else + echo "downloading $pfullname" + download_pkg "$baseurl/$pdir/$pfullname" || die=yes + fi + fi +done +if [ $die = yes ]; then + echo "errors found!" >&2 + exit 1 +fi +exit 0 diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk index 477873f60..8946c764c 100644 --- a/build-aux/speedo.mk +++ b/build-aux/speedo.mk 
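Review bot: In the package loop the awk rule `$1=="'"$p"'_sha1_xz" {suf"xz"; exit 0};` is missing the assignment operator, so `suf"xz"` is a discarded concatenation and such packages keep the default `bz2` suffix and get a wrong URL; it should read `{suf="xz"; exit 0}`. In `download_pkg`, a failed signature check returns with `${file}.tmp` and `${file}.tmpsig` still on disk, which leaves an unverified tarball in the working directory; add `rm -f "${file}.tmp" "${file}.tmpsig"` before that `return 1`. `$p` is also spliced into the awk program text, and passing it as `awk -v p="$p"` would keep a package name from being parsed as awk code. Whether `die` is initialised before `[ $die = yes ]` is not visible in this hunk.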
@@ -51,10 +51,13 @@ # # This is greped by the Makefile. # RELEASE_ARCHIVE=foo@somehost:tarball-archive # -# # The key used to sign the released sources. +# # The key used to sign the GnuPG sources. # # This is greped by the Makefile. # RELEASE_SIGNKEY=6DAA6E64A76D2840571B4902528897B826403ADA # +# # The key used to sign the VERSION files of some MSI installers. +# VERSION_SIGNKEY=02F38DFF731FF97CB039A1DA549E695E905BA208 +# # # For signing Windows binaries we need to employ a Windows machine. # # We connect to this machine via ssh and take the connection # # parameters via .ssh/config. For example a VM could be specified @@ -74,6 +77,9 @@ # # This is greped by the Makefile. # AUTHENTICODE_TOOL="C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" # +# # The URL for the timestamping service +# AUTHENTICODE_TSURL=http://rfc3161timestamp.globalsign.com/advanced +# # # To use osslsigncode the follwing entries are required and # # an empty string must be given for AUTHENTICODE_SIGNHOST. # # They are greped by the Makefile. @@ -238,10 +244,11 @@ PATCHELF := $(shell patchelf --version 2>/dev/null >/dev/null || echo "echo plea # Read signing information from ~/.gnupg-autogen.rc define READ_AUTOGEN_template -$(1) = $$(shell grep '^$(1)=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2) +$(1) = $$(shell grep '^[[:blank:]]*$(1)[[:blank:]]*=' $$$$HOME/.gnupg-autogen.rc|cut -d= -f2|xargs) endef $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_SIGNHOST)) $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TOOL)) +$(eval $(call READ_AUTOGEN_template,AUTHENTICODE_TSURL)) $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_KEY)) $(eval $(call READ_AUTOGEN_template,AUTHENTICODE_CERTS)) $(eval $(call READ_AUTOGEN_template,OSSLSIGNCODE)) 
@@ -1350,7 +1357,7 @@ define AUTHENTICODE_sign scp $(1) "$(AUTHENTICODE_SIGNHOST):a.exe" ;\ ssh "$(AUTHENTICODE_SIGNHOST)" '$(AUTHENTICODE_TOOL)' sign \ /a /n '"g10 Code GmbH"' \ - /tr 'http://rfc3161timestamp.globalsign.com/advanced' /td sha256 \ + /tr '$(AUTHENTICODE_TSURL)' /td sha256 \ /fd sha256 /du https://gnupg.org a.exe ;\ scp "$(AUTHENTICODE_SIGNHOST):a.exe" $(2);\ echo "speedo: signed file is '$(2)'" ;\ @@ -1361,13 +1368,13 @@ define AUTHENTICODE_sign -pkcs11module $(SCUTEMODULE) \ -certs $(AUTHENTICODE_CERTS) \ -h sha256 -n GnuPG -i https://gnupg.org \ - -ts http://rfc3161timestamp.globalsign.com/advanced \ + -ts $(AUTHENTICODE_TSURL) \ -in $(1) -out $(2).tmp ; mv $(2).tmp $(2) ; \ elif [ -e "$(AUTHENTICODE_KEY)" ]; then \ echo "speedo: Signing using key $(AUTHENTICODE_KEY)";\ osslsigncode sign -certs $(AUTHENTICODE_CERTS) \ -pkcs12 $(AUTHENTICODE_KEY) -askpass \ - -ts "http://timestamp.globalsign.com/scripts/timstamp.dll" \ + -ts "$(AUTHENTICODE_TSURL)" \ -h sha256 -n GnuPG -i https://gnupg.org \ -in $(1) -out $(2) ;\ else \ diff --git a/build-aux/speedo/w32/wixlib.wxs b/build-aux/speedo/w32/wixlib.wxs index 02568fe2f..e11455813 100644 --- a/build-aux/speedo/w32/wixlib.wxs +++ b/build-aux/speedo/w32/wixlib.wxs @@ -61,9 +61,12 @@ and then manually edited: - + + + + diff --git a/common/compliance.c b/common/compliance.c index 04978ed1b..84449af25 100644 --- a/common/compliance.c +++ b/common/compliance.c @@ -41,7 +41,7 @@ static int initialized; static int module; /* This value is used by DSA and RSA checks in addition to the hard - * coded length checks. It allows to increase the required key length + * coded length checks. It allows one to increase the required key length * using a confue file. */ static unsigned int min_compliant_rsa_length; diff --git a/common/exechelp-w32.c b/common/exechelp-w32.c index f63341e7c..08290e442 100644 --- a/common/exechelp-w32.c +++ b/common/exechelp-w32.c 
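Review bot: `AUTHENTICODE_TSURL` is now expanded into all three branches of `AUTHENTICODE_sign`, but nothing checks that it was actually set in `~/.gnupg-autogen.rc`, and in the pkcs11 branch it is unquoted (`-ts $(AUTHENTICODE_TSURL)`), so an empty value would let `-ts` take the following `-in` as its argument. A signing run without a valid timestamp URL is easy to miss until the certificate expires. Quote it as in the other branches, `-ts "$(AUTHENTICODE_TSURL)"`, and fail early, e.g. `[ -n "$(AUTHENTICODE_TSURL)" ] || { echo "speedo: AUTHENTICODE_TSURL missing in ~/.gnupg-autogen.rc" >&2; exit 1; }`. The define starts and ends outside these hunks.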
@@ -437,6 +437,7 @@ check_syscall_func (void) } } + static void pre_syscall (void) { @@ -444,6 +445,7 @@ pre_syscall (void) pre_syscall_func (); } + static void post_syscall (void) { @@ -579,7 +581,7 @@ spawn_detached (const char *pgmname, char *cmdline, cr_flags, /* Creation flags. */ NULL, /* Environment. */ NULL, /* Use current drive/directory. */ - (STARTUPINFOW *)&si, /* Startup information. */ + (STARTUPINFOW *)&si, /* Startup information. */ &pi /* Returns process information. */ ); if (!ret) diff --git a/common/status.h b/common/status.h index d249174d1..0a1266d3c 100644 --- a/common/status.h +++ b/common/status.h @@ -54,6 +54,7 @@ enum STATUS_NEED_PASSPHRASE, STATUS_VALIDSIG, STATUS_ASSERT_SIGNER, + STATUS_ASSERT_PUBKEY_ALGO, STATUS_SIG_ID, STATUS_ENC_TO, STATUS_NODATA, diff --git a/common/t-support.h b/common/t-support.h index 7aa46c00c..aa1b560fc 100644 --- a/common/t-support.h +++ b/common/t-support.h @@ -31,6 +31,8 @@ #ifndef GNUPG_COMMON_T_SUPPORT_H #define GNUPG_COMMON_T_SUPPORT_H 1 +#ifndef LEAN_T_SUPPORT + #ifdef GCRYPT_VERSION #error The regression tests should not include with gcrypt.h #endif @@ -45,11 +47,6 @@ # define getenv(a) (NULL) #endif -#ifndef DIM -# define DIM(v) (sizeof(v)/sizeof((v)[0])) -# define DIMof(type,member) DIM(((type *)0)->member) -#endif - /* Replacement prototypes. */ void *gcry_xmalloc (size_t n); @@ -65,6 +62,12 @@ void gcry_free (void *a); #define xstrdup(a) gcry_xstrdup ( (a) ) #define xfree(a) gcry_free ( (a) ) +#endif /* LEAN_T_SUPPORT */ + +#ifndef DIM +# define DIM(v) (sizeof(v)/sizeof((v)[0])) +# define DIMof(type,member) DIM(((type *)0)->member) +#endif /* Macros to print the result of a test. */ #define pass() do { ; } while(0) diff --git a/common/tlv.c b/common/tlv.c index 4ba9ef20d..c77f4cc4f 100644 --- a/common/tlv.c +++ b/common/tlv.c 
@@ -152,7 +152,7 @@ find_tlv_unchecked (const unsigned char *buffer, size_t length, /* ASN.1 BER parser: Parse BUFFER of length SIZE and return the tag * and the length part from the TLV triplet. Update BUFFER and SIZE * on success. Note that this function does not check that the value - * fits into the provided buffer; this allows to work on the TL part + * fits into the provided buffer; this allows one to work on the TL part * of a TLV. */ gpg_error_t parse_ber_header (unsigned char const **buffer, size_t *size, diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c index ac673a8d5..d3fe5c272 100644 --- a/dirmngr/crlcache.c +++ b/dirmngr/crlcache.c @@ -2086,6 +2086,7 @@ crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl, err = validate_cert_chain (ctrl, crlissuer_cert, NULL, (VALIDATE_FLAG_TRUST_CONFIG + | VALIDATE_FLAG_TRUST_SYSTEM | VALIDATE_FLAG_CRL | VALIDATE_FLAG_RECURSIVE), r_trust_anchor); diff --git a/dirmngr/dirmngr_ldap.c b/dirmngr/dirmngr_ldap.c index 412d0ad1f..d999ee87e 100644 --- a/dirmngr/dirmngr_ldap.c +++ b/dirmngr/dirmngr_ldap.c @@ -107,7 +107,7 @@ static gpgrt_opt_t opts[] = { " a record oriented format"}, { oProxy, "proxy", 2, "|NAME|ignore host part and connect through NAME"}, - { oStartTLS, "starttls", 0, "use STARTLS for the conenction"}, + { oStartTLS, "starttls", 0, "use STARTLS for the connection"}, { oLdapTLS, "ldaptls", 0, "use a TLS for the connection"}, { oNtds, "ntds", 0, "authenticate using AD"}, { oARecOnly, "areconly", 0, "do only an A record lookup"}, diff --git a/dirmngr/http.c b/dirmngr/http.c index ea9b0365b..6ae9029be 100644 --- a/dirmngr/http.c +++ b/dirmngr/http.c 
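Review bot: The added `VALIDATE_FLAG_TRUST_SYSTEM` in the `validate_cert_chain` call of crl_parse_insert widens the trust anchors accepted for CRL issuer certificates, and the call site carries no comment saying so. Judging by the flag name and the NEWS entry for T6963, any root in the system store can now anchor a CRL issuer chain, which is a policy decision a later reader should not have to rediscover. Suggest a comment above the call such as `/* CRL issuers may chain to the system's root CAs in addition to the configured ones (T6963). */`. The function body lies outside the hunk.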
@@ -2362,7 +2362,6 @@ run_gnutls_handshake (http_t hd, const char *server) * NULL, decode the string and use this as input from teh server. On * success the final output token is stored at PROXY->OUTTOKEN and * OUTTOKLEN. IF the authentication succeeded OUTTOKLEN is zero. */ -#ifdef USE_TLS static gpg_error_t proxy_get_token (proxy_info_t proxy, const char *inputstring) { @@ -2530,11 +2529,9 @@ proxy_get_token (proxy_info_t proxy, const char *inputstring) #endif /*!HAVE_W32_SYSTEM*/ } -#endif /*USE_TLS*/ /* Use the CONNECT method to proxy our TLS stream. */ -#ifdef USE_TLS static gpg_error_t run_proxy_connect (http_t hd, proxy_info_t proxy, const char *httphost, const char *server, @@ -2556,6 +2553,7 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, * RFC-4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication */ auth_basic = !!proxy->uri->auth; + hd->keep_alive = !auth_basic; /* We may need to send more requests. */ /* For basic authentication we need to send just one request. */ if (auth_basic @@ -2577,16 +2575,15 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, httphost ? httphost : server, port, authhdr ? authhdr : "", - auth_basic? "" : "Connection: keep-alive\r\n"); + hd->keep_alive? "Connection: keep-alive\r\n" : ""); if (!request) { err = gpg_error_from_syserror (); goto leave; } - hd->keep_alive = !auth_basic; /* We may need to send more requests. */ if (opt_debug || (hd->flags & HTTP_FLAG_LOG_RESP)) - log_debug_with_string (request, "http.c:proxy:request:"); + log_debug_string (request, "http.c:proxy:request:"); if (!hd->fp_write) { @@ -2610,16 +2607,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, if (err) goto leave; - { - unsigned long count = 0; - - while (es_getc (hd->fp_read) != EOF) - count++; - if (opt_debug) - log_debug ("http.c:proxy_connect: skipped %lu bytes of response-body\n", - count); - } - /* Reset state. */ es_clearerr (hd->fp_read); ((cookie_t)(hd->read_cookie))->up_to_empty_line = 1; 
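Review bot: `log_debug_string (request, "http.c:proxy:request:")` in run_proxy_connect writes the complete CONNECT request to the log, and that request is formatted with `authhdr`, which in the `auth_basic` case presumably carries the proxy credentials taken from `proxy->uri->auth`. Running with debugging or `HTTP_FLAG_LOG_RESP` would therefore put reusable proxy credentials into log files. Consider logging a copy with the authorization value replaced by a placeholder, or at least documenting it at the call, e.g. `/* Note: REQUEST may include proxy authorization data. */`. The construction of `authhdr` is outside the visible hunks.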
@@ -2730,6 +2717,14 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, } leave: + if (hd->keep_alive) + { + es_fclose (hd->fp_write); + hd->fp_write = NULL; + /* The close has released the cookie and thus we better set it + * to NULL. */ + hd->write_cookie = NULL; + } /* Restore flags, destroy stream, reset state. */ hd->flags = saved_flags; es_fclose (hd->fp_read); @@ -2743,7 +2738,6 @@ run_proxy_connect (http_t hd, proxy_info_t proxy, xfree (tmpstr); return err; } -#endif /*USE_TLS*/ /* Make a request string using a standard proxy. On success the @@ -2882,7 +2876,7 @@ send_request (ctrl_t ctrl, if (proxy && proxy->is_http_proxy) { - use_http_proxy = 1; /* We want to use a proxy for the conenction. */ + use_http_proxy = 1; /* We want to use a proxy for the connection. */ err = connect_server (ctrl, *proxy->uri->host ? proxy->uri->host : "localhost", proxy->uri->port ? proxy->uri->port : 80, @@ -2903,7 +2897,6 @@ send_request (ctrl_t ctrl, goto leave; } -#if USE_TLS if (use_http_proxy && hd->uri->use_tls) { err = run_proxy_connect (hd, proxy, httphost, server, port); @@ -2915,7 +2908,6 @@ send_request (ctrl_t ctrl, * clear the flag to indicate this. */ use_http_proxy = 0; } -#endif /* USE_TLS */ #if HTTP_USE_NTBTLS err = run_ntbtls_handshake (hd); @@ -4411,7 +4403,7 @@ same_host_p (parsed_uri_t a, parsed_uri_t b) } /* Also consider hosts the same if they differ only in a subdomain; - * in both direction. This allows to have redirection between the + * in both direction. This allows one to have redirection between the * WKD advanced and direct lookup methods. */ for (i=0; i < DIM (subdomains); i++) { diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index d404a04ac..688972a89 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c 
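Review bot: At `leave:` in run_proxy_connect the write stream is now closed only when `hd->keep_alive` is set, and the new comment explains the cookie reset but not why the close depends on that flag. Since `keep_alive` was assigned `!auth_basic` earlier in the function, the basic-auth path appears to leave `hd->fp_write` open while the other path closes it, on success as well as on error. A comment stating who owns `hd->fp_write` after return in each case would guard against a later stream leak or double close. The rest of the cleanup code is outside the hunk.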
@@ -607,7 +607,7 @@ interrogate_ldap_dn (LDAP *ldap_conn, const char *basedn_search, * including whether to use TLS and the username and password (see * ldap_parse_uri for a description of the various fields). Be * default a PGP keyserver is assumed; if GENERIC is true a generic - * ldap conenction is instead established. + * ldap connection is instead established. * * Returns: The ldap connection handle in *LDAP_CONNP, R_BASEDN is set * to the base DN for the PGP key space, several flags will be stored diff --git a/dirmngr/server.c b/dirmngr/server.c index 1dbc87878..32c85d07b 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -3325,7 +3325,7 @@ dirmngr_status_help (ctrl_t ctrl, const char *text) /* Print a help status line using a printf like format. The function - * splits text at LFs. With CTRL beeing NULL, the function behaves + * splits text at LFs. With CTRL being NULL, the function behaves * like log_info. */ gpg_error_t dirmngr_status_helpf (ctrl_t ctrl, const char *format, ...) diff --git a/doc/DETAILS b/doc/DETAILS index a04269ede..583022113 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -532,6 +532,12 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB: --assert-signer is used. The fingerprint is printed with uppercase hex digits. +*** ASSERT_PUBKEY_ALGO + This is emitted when option --assert-pubkey-algo is used and the + signing algorithms is accepted according to that list if state is + 1 or denied if state is 0. The fingerprint is printed with + uppercase hex digits. + *** SIG_ID This is emitted only for signatures of class 0 or 1 which have been verified okay. The string is a signature id and may be used diff --git a/doc/dirmngr.texi b/doc/dirmngr.texi index 84f568692..420340ee3 100644 --- a/doc/dirmngr.texi +++ b/doc/dirmngr.texi 
@@ -172,7 +172,7 @@ socket. Set compatibility flags to work around certain problems or to emulate bugs. The @var{flags} are given as a comma separated list of flag names and are OR-ed together. The special flag "none" clears the list -and allows to start over with an empty list. To get a list of +and allows one to start over with an empty list. To get a list of available flags the sole word "help" can be used. @item --faked-system-time @var{epoch} diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index 6e78558aa..1d531fb57 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi @@ -302,7 +302,7 @@ debugging. @item --steal-socket @opindex steal-socket In @option{--daemon} mode, gpg-agent detects an already running -gpg-agent and does not allow to start a new instance. This option can +gpg-agent and does not allow one to start a new instance. This option can be used to override this check: the new gpg-agent process will try to take over the communication sockets from the already running process and start anyway. This option should in general not be used. @@ -643,7 +643,7 @@ gpg-agent as a replacement for PuTTY's Pageant, the option In this mode of operation, the agent does not only implement the gpg-agent protocol, but also the agent protocol used by OpenSSH (through a separate socket or via Named Pipes) or the protocol used by -PuTTY. Consequently, this allows to use the gpg-agent as a drop-in +PuTTY. Consequently, this allows one to use the gpg-agent as a drop-in replacement for the ssh-agent. SSH keys, which are to be used through the agent, need to be added to 
@@ -693,7 +693,7 @@ The order in which keys are presented to ssh are: @item Negative Use-for-ssh values If a key file has the attribute "Use-for-ssh" and its value is negative, these keys are presented first to ssh. The negative - values are capped at -999 with -999 beeing lower ranked than -1. + values are capped at -999 with -999 being lower ranked than -1. These values can be used to prefer on-disk keys over keys taken from active cards. diff --git a/doc/gpg-card.texi b/doc/gpg-card.texi index 8787793f8..3a659e80f 100644 --- a/doc/gpg-card.texi +++ b/doc/gpg-card.texi @@ -226,7 +226,7 @@ OpenPGP or X.509 keys. @item LOGIN [--clear] [< @var{file}] @opindex login Set the login data object of OpenPGP cards. If @var{file} is given -the data is is read from that file. This allows to store binary data +the data is is read from that file. This allows one to store binary data in the login field. The option @option{--clear} deletes the login data object. diff --git a/doc/gpg.texi b/doc/gpg.texi index 7e6420a49..cb4506049 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -716,7 +716,7 @@ inserted smartcard, the special string ``card'' can be used for will figure them out and creates an OpenPGP key consisting of the usual primary key and one subkey. This works only with certain smartcards. Note that the interactive @option{--full-gen-key} command -allows to do the same but with greater flexibility in the selection of +allows one to do the same but with greater flexibility in the selection of the smartcard keys. Note that it is possible to create a primary key and a subkey using 
@@ -1290,19 +1290,22 @@ are usually found in the option file. @item --default-key @var{name} @opindex default-key -Use @var{name} as the default key to sign with. If this option is not -used, the default key is the first key found in the secret keyring. -Note that @option{-u} or @option{--local-user} overrides this option. -This option may be given multiple times. In this case, the last key -for which a secret key is available is used. If there is no secret -key available for any of the specified values, GnuPG will not emit an -error message but continue as if this option wasn't given. +Use @var{name} as the default key to sign with. It is suggested to +use a fingerprint or at least a long keyID for @var{name}. If this +option is not used, the default key is the first key found in the +secret keyring. Note that @option{-u} or @option{--local-user} +overrides this option. This option may be given multiple times. In +this case, the last key for which a secret key is available is used. +If there is no secret key available for any of the specified values, +GnuPG will not emit an error message but continue as if this option +wasn't given. + @item --default-recipient @var{name} @opindex default-recipient Use @var{name} as default recipient if option @option{--recipient} is not used and don't ask if this is a valid one. @var{name} must be -non-empty. +non-empty and it is suggested to use a fingerprint for @var{name}. @item --default-recipient-self @opindex default-recipient-self 
@@ -1773,7 +1776,9 @@ useful if you don't want to keep your secret keys (or one of them) online but still want to be able to check the validity of a given recipient's or signator's key. If the given key is not locally available but an LDAP keyserver is configured the missing key is -imported from that server. +imported from that server. The value "none" is explicitly allowed to +distinguish between the use of any trusted-key option and no use of +this option at all (e.g. due to the @option{--no-options} option). @item --add-desig-revoker [sensitive:]@var{fingerprint} @opindex add-desig-revoker 
@@ -1914,6 +1919,29 @@ is guaranteed to return with an exit code of 0 if and only if a signature has been encountered, is valid, and the key matches one of the fingerprints given by this option. +@item --assert-pubkey-algo @var{algolist} +@opindex assert-pubkey-algo +During data signature verification this options checks whether the +used public key algorithm matches the algorithms given by +@var{algolist}. This option can be given multiple times to +concatenate more algorithms to the list; the delimiter of the list are +either commas or spaces. + +The algorithm names given in the list may either be verbatim names +like "ed25519" with an optional leading single equal sign, or being +prefixed with ">", ">=", "<=", or "<". That prefix operator is +applied to the number part of the algorithm name; for example 2048 in +"rsa2048" or 384 in "brainpoolP384r1". If the the leading non-digits +in the name matches, the prefix operator is used to compare the number +part, a trailing suffix is ignored in this case. For example an +algorithm list ">rsa3000, >=brainpool384r1, =ed25519" allows RSA +signatures with more that 3000 bits, Brainpool curves 384 and 512, +and the ed25519 algorithm. + +With this option gpg (and also gpgv) is guaranteed to return with an +exit code of 0 if and only if all valid signatures on data are made +using a matching algorithm from the given list. + @item --auto-key-locate @var{mechanisms} @itemx --no-auto-key-locate 
@@ -1947,20 +1975,20 @@ list. The default is "local,wkd". @item ntds Locate the key using the Active Directory (Windows only). This - method also allows to search by fingerprint using the command + method also allows one to search by fingerprint using the command @option{--locate-external-key}. Note that this mechanism is actually a shortcut for the mechanism @samp{keyserver} but using "ldap:///" as the keyserver. @item keyserver - Locate a key using a keyserver. This method also allows to search + Locate a key using a keyserver. This method also allows one to search by fingerprint using the command @option{--locate-external-key} if any of the configured keyservers is an LDAP server. @item keyserver-URL In addition, a keyserver URL as used in the @command{dirmngr} configuration may be used here to query that particular keyserver. - This method also allows to search by fingerprint using the command + This method also allows one to search by fingerprint using the command @option{--locate-external-key} if the URL specifies an LDAP server. @item local 
@@ -2336,19 +2364,21 @@ the key in this file is fully valid. @opindex encrypt-to Same as @option{--recipient} but this one is intended for use in the options file and may be used with your own user-id as an -"encrypt-to-self". These keys are only used when there are other -recipients given either by use of @option{--recipient} or by the asked -user id. No trust checking is performed for these user ids and even -disabled keys can be used. +"encrypt-to-self". It is suggested to use a fingerprint or at least a +long keyID for @var{name}. These keys are only used when there are +other recipients given either by use of @option{--recipient} or by the +asked user id. No trust checking is performed for these user ids and +even disabled keys can be used. @item --hidden-encrypt-to @var{name} @opindex hidden-encrypt-to -Same as @option{--hidden-recipient} but this one is intended for use in the -options file and may be used with your own user-id as a hidden -"encrypt-to-self". These keys are only used when there are other -recipients given either by use of @option{--recipient} or by the asked user id. -No trust checking is performed for these user ids and even disabled -keys can be used. +Same as @option{--hidden-recipient} but this one is intended for use +in the options file and may be used with your own user-id as a hidden +"encrypt-to-self". It is suggested to use a fingerprint or at least a +long keyID for @var{name}. These keys are only used when there are +other recipients given either by use of @option{--recipient} or by the +asked user id. No trust checking is performed for these user ids and +even disabled keys can be used. @item --no-encrypt-to @opindex no-encrypt-to 
@@ -2899,24 +2929,6 @@ done with @code{--with-colons}. @table @gnupgtabopt -@item -t, --textmode -@itemx --no-textmode -@opindex textmode -Treat input files as text and store them in the OpenPGP canonical text -form with standard "CRLF" line endings. This also sets the necessary -flags to inform the recipient that the encrypted or signed data is text -and may need its line endings converted back to whatever the local -system uses. This option is useful when communicating between two -platforms that have different line ending conventions (UNIX-like to Mac, -Mac to Windows, etc). @option{--no-textmode} disables this option, and -is the default. - -@item --force-v3-sigs -@itemx --no-force-v3-sigs -@item --force-v4-certs -@itemx --no-force-v4-certs -These options are obsolete and have no effect since GnuPG 2.1. - @item --force-ocb @itemx --force-aead @opindex force-ocb @@ -3151,7 +3163,7 @@ Prompt before overwriting any files. Set compatibility flags to work around problems due to non-compliant keys or data. The @var{flags} are given as a comma separated list of flag names and are OR-ed together. The special flag "none" -clears the list and allows to start over with an empty list. To get a +clears the list and allows one to start over with an empty list. To get a list of available flags the sole word "help" can be used. @item --debug-level @var{level} @@ -3207,7 +3219,7 @@ and may thus be changed or removed at any time without notice. @item --debug-allow-large-chunks @opindex debug-allow-large-chunks -To facilitate software tests and experiments this option allows to +To facilitate software tests and experiments this option allows one to specify a limit of up to 4 EiB (@code{--chunk-size 62}). @item --debug-ignore-expiration 
@@ -3378,9 +3390,23 @@ to display the message. This option overrides @option{--set-filename}. @itemx --no-use-embedded-filename @opindex use-embedded-filename Try to create a file with a name as embedded in the data. This can be -a dangerous option as it enables overwriting files. Defaults to no. +a dangerous option as it enables overwriting files by giving the +sender control on how to store files. Defaults to no. Note that the option @option{--output} overrides this option. +A better approach than using this option is to decrypt to a temporary +filename and then rename that file to the embedded file name after +checking that the embedded filename is harmless. When using the +@option{--status-fd} option gpg tells the filename as part of the +PLAINTEXT status message. If the filename is important, the use of +@command{gpgtar} is another option because gpgtar will never overwrite +a file but decrypt the files to a new directory. + +Note also that unless a modern version 5 signature is used the +embedded filename is not part of the signed data. + + + @item --cipher-algo @var{name} @opindex cipher-algo Use @var{name} as cipher algorithm. Running the program with the @@ -3646,7 +3672,7 @@ not need to be listed explicitly. @opindex allow-weak-key-signatures To avoid a minor risk of collision attacks on third-party key signatures made using SHA-1, those key signatures are considered -invalid. This options allows to override this restriction. +invalid. This options allows one to override this restriction. @item --override-compliance-check This was a temporary introduced option and has no more effect. 
@@ -3891,6 +3917,25 @@ all on Windows. @table @gnupgtabopt +@item -t, --textmode +@itemx --no-textmode +@opindex textmode +Treat input files as text and store them in the OpenPGP canonical text +form with standard "CRLF" line endings. This also sets the necessary +flags to inform the recipient that the encrypted or signed data is text +and may need its line endings converted back to whatever the local +system uses. This option was useful when communicating between two +platforms with different line ending conventions (UNIX-like to Mac, +Mac to Windows, etc). @option{--no-textmode} disables this option, and +is the default. Note that this is a legacy option which should not +anymore be used by any modern software. + +@item --force-v3-sigs +@itemx --no-force-v3-sigs +@item --force-v4-certs +@itemx --no-force-v4-certs +These options are obsolete and have no effect since GnuPG 2.1. + @item --show-photos @itemx --no-show-photos @opindex show-photos @@ -4111,7 +4156,7 @@ Operation is further controlled by a few environment variables: @item GNUPG_EXEC_DEBUG_FLAGS @efindex GNUPG_EXEC_DEBUG_FLAGS - This variable allows to enable diagnostics for process management. + This variable allows one to enable diagnostics for process management. A numeric decimal value is expected. Bit 0 enables general diagnostics, bit 1 enables certain warnings on Windows. diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index 0d4fb2fcc..71cfa1e8a 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -767,7 +767,7 @@ is given as fingerprint or keygrip. Set compatibility flags to work around problems due to non-compliant certificates or data. The @var{flags} are given as a comma separated list of flag names and are OR-ed together. The special flag "none" -clears the list and allows to start over with an empty list. To get a +clears the list and allows one to start over with an empty list. To get a list of available flags the sole word "help" can be used. @item --debug-level @var{level} 
diff --git a/doc/gpgv.texi b/doc/gpgv.texi index 1cf699b70..cbaea40e5 100644 --- a/doc/gpgv.texi +++ b/doc/gpgv.texi @@ -140,6 +140,10 @@ This option enables a mode in which filenames of the form @file{-&n}, where n is a non-negative decimal number, refer to the file descriptor n and not to a file with that name. +@item --assert-pubkey-algo @var{algolist} +@opindex assert-pubkey-algo +This option works in the same way as described for @command{gpg}. + @end table @mansect return value @@ -198,4 +202,3 @@ the allowed keys, using a legacy format. @mansect see also @command{gpg}(1) @include see-also-note.texi - diff --git a/doc/scdaemon.texi b/doc/scdaemon.texi index 264f71301..cbb22225d 100644 --- a/doc/scdaemon.texi +++ b/doc/scdaemon.texi @@ -309,7 +309,7 @@ with lower priority should be used by default. @item --application-priority @var{namelist} @opindex application-priority -This option allows to change the order in which applications of a card +This option allows one to change the order in which applications of a card a tried if no specific application was requested. @var{namelist} is a space or comma delimited list of application names. Unknown names are simply skipped. Applications not mentioned in the list are put in the diff --git a/doc/tools.texi b/doc/tools.texi index 2f60a46dd..26c4c5f3d 100644 --- a/doc/tools.texi +++ b/doc/tools.texi @@ -400,7 +400,7 @@ expected in the current GnuPG home directory. This command is usually not required because GnuPG is able to detect and remove stale lock files. Before using the command make sure that the file protected by the lock file is actually not in use. The lock command may be used to -lock an accidently removed lock file. Note that the commands have no +lock an accidentally removed lock file. Note that the commands have no effect on Windows because the mere existence of a lock file does not mean that the lock is active. diff --git a/doc/wks.texi b/doc/wks.texi index 8c5fc557c..bfdd069f2 100644 --- a/doc/wks.texi 
+++ b/doc/wks.texi @@ -136,6 +136,8 @@ The command @option{--print-wkd-url} prints the URLs used to fetch the key for the given user-ids from WKD. The meanwhile preferred format with sub-domains is used here. +All commands may also be given without the two leading dashes. + @mansect options @noindent @command{gpg-wks-client} understands these options: diff --git a/g10/Makefile.am b/g10/Makefile.am index c5691f551..e8d8e9017 100644 --- a/g10/Makefile.am +++ b/g10/Makefile.am @@ -183,7 +183,7 @@ gpgv_LDFLAGS = t_common_ldadd = -module_tests = t-rmd160 t-keydb t-keydb-get-keyblock t-stutter +module_tests = t-rmd160 t-keydb t-keydb-get-keyblock t-stutter t-keyid t_rmd160_SOURCES = t-rmd160.c rmd160.c t_rmd160_LDADD = $(t_common_ldadd) t_keydb_SOURCES = t-keydb.c test-stubs.c $(common_source) @@ -200,6 +200,10 @@ t_stutter_SOURCES = t-stutter.c test-stubs.c \ t_stutter_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) \ $(LIBASSUAN_LIBS) $(NPTH_LIBS) $(GPG_ERROR_LIBS) $(NETLIBS) \ $(LIBICONV) $(t_common_ldadd) +t_keyid_SOURCES = t-keyid.c test-stubs.c $(common_source) +t_keyid_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) \ + $(LIBASSUAN_LIBS) $(NPTH_LIBS) $(GPG_ERROR_LIBS) $(NETLIBS) \ + $(LIBICONV) $(t_common_ldadd) $(PROGRAMS): $(needed_libs) ../common/libgpgrl.a diff --git a/g10/build-packet.c b/g10/build-packet.c index 67d4a6eef..19a13760a 100644 --- a/g10/build-packet.c +++ b/g10/build-packet.c @@ -306,7 +306,9 @@ gpg_mpi_write (iobuf_t out, gcry_mpi_t a, unsigned int *r_nwritten) p = gcry_mpi_get_opaque (a, &nbits); if (p) { - /* Strip leading zero bits. */ + /* First get nbits back to full bytes. */ + nbits = ((nbits + 7) / 8) * 8; + /* Then strip leading zero bits. */ for (; nbits >= 8 && !*p; p++, nbits -= 8) ; if (nbits >= 8 && !(*p & 0x80)) diff --git a/g10/compress-bz2.c b/g10/compress-bz2.c index 2c3b86f8f..162dee96e 100644 --- a/g10/compress-bz2.c +++ b/g10/compress-bz2.c 
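Review bot: The added comment in gpg_mpi_write (g10/build-packet.c) says that nbits is rounded up but not why, and the reason is what a later reader needs. The loop below advances p one byte at a time and subtracts 8 from nbits, so the two stay in step only when nbits is a whole number of bytes. I would spell that out, e.g. `/* An opaque MPI may report a bit count that is not a multiple of 8; round up so that NBITS matches the whole bytes at P before stripping. */`. The expression `nbits + 7` is unsigned arithmetic and wraps for a count within 7 of UINT_MAX; that looks unreachable for real packets, but it is worth confirming that callers bound the length. gpg_mpi_write continues outside the hunk.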
@@ -53,7 +53,11 @@ init_compress( compress_filter_context_t *zfx, bz_stream *bzs ) } if((rc=BZ2_bzCompressInit(bzs,level,0,0))!=BZ_OK) - log_fatal("bz2lib problem: %d\n",rc); + { + log_error ("bz2lib problem: %d\n",rc); + write_status_error ("bzip2.init", gpg_error (GPG_ERR_INTERNAL)); + g10_exit (2); + } zfx->outbufsize = 8192; zfx->outbuf = xmalloc( zfx->outbufsize ); @@ -80,7 +84,11 @@ do_compress(compress_filter_context_t *zfx, bz_stream *bzs, int flush, IOBUF a) if( zrc == BZ_STREAM_END && flush == BZ_FINISH ) ; else if( zrc != BZ_RUN_OK && zrc != BZ_FINISH_OK ) - log_fatal("bz2lib deflate problem: rc=%d\n", zrc ); + { + log_error ("bz2lib deflate problem: rc=%d\n", zrc ); + write_status_error ("bzip2.deflate", gpg_error (GPG_ERR_INTERNAL)); + g10_exit (2); + } n = zfx->outbufsize - bzs->avail_out; if( DBG_FILTER ) @@ -91,7 +99,7 @@ do_compress(compress_filter_context_t *zfx, bz_stream *bzs, int flush, IOBUF a) if( (rc=iobuf_write( a, zfx->outbuf, n )) ) { - log_debug("bzCompress: iobuf_write failed\n"); + log_error ("bzCompress: iobuf_write failed\n"); return rc; } } @@ -106,7 +114,11 @@ init_uncompress( compress_filter_context_t *zfx, bz_stream *bzs ) int rc; if((rc=BZ2_bzDecompressInit(bzs,0,opt.bz2_decompress_lowmem))!=BZ_OK) - log_fatal("bz2lib problem: %d\n",rc); + { + log_error ("bz2lib problem: %d\n",rc); + write_status_error ("bzip2.init.un", gpg_error (GPG_ERR_INTERNAL)); + g10_exit (2); + } zfx->inbufsize = 2048; zfx->inbuf = xmalloc( zfx->inbufsize ); @@ -159,7 +171,11 @@ do_uncompress( compress_filter_context_t *zfx, bz_stream *bzs, if( zrc == BZ_STREAM_END ) rc = -1; /* eof */ else if( zrc != BZ_OK && zrc != BZ_PARAM_ERROR ) - log_fatal("bz2lib inflate problem: rc=%d\n", zrc ); + { + log_error ("bz2lib inflate problem: rc=%d\n", zrc ); + write_status_error ("bzip2.inflate", gpg_error (GPG_ERR_BAD_DATA)); + g10_exit (2); + } else if (zrc == BZ_OK && eofseen && !bzs->avail_in && bzs->avail_out > 0) { 
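Review bot: In the do_uncompress hunk every bzlib failure other than BZ_PARAM_ERROR is reported on the status interface as GPG_ERR_BAD_DATA, so an out-of-memory return from the library is presented to status-fd consumers as corrupt input; the numeric zrc reaches only the log. Mapping the one distinguishable case keeps the status line truthful: `write_status_error ("bzip2.inflate", gpg_error (zrc == BZ_MEM_ERROR? GPG_ERR_ENOMEM : GPG_ERR_BAD_DATA));`. The zlib do_uncompress hunk in g10/compress.c uses the same fixed code and could treat Z_MEM_ERROR the same way. The compress-side and init hunks report a fixed GPG_ERR_INTERNAL, which has the same effect when the library ran out of memory. All of these functions continue outside their hunks.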
diff --git a/g10/compress.c b/g10/compress.c index 9e094460f..e787b2918 100644 --- a/g10/compress.c +++ b/g10/compress.c @@ -73,10 +73,12 @@ init_compress( compress_filter_context_t *zfx, z_stream *zs ) -13, 8, Z_DEFAULT_STRATEGY) : deflateInit( zs, level ) ) != Z_OK ) { - log_fatal("zlib problem: %s\n", zs->msg? zs->msg : + log_error ("zlib problem: %s\n", zs->msg? zs->msg : rc == Z_MEM_ERROR ? "out of core" : rc == Z_VERSION_ERROR ? "invalid lib version" : "unknown error" ); + write_status_error ("zlib.init", gpg_error (GPG_ERR_INTERNAL)); + g10_exit (2); } zfx->outbufsize = 8192; @@ -104,9 +106,11 @@ do_compress( compress_filter_context_t *zfx, z_stream *zs, int flush, IOBUF a ) ; else if( zrc != Z_OK ) { if( zs->msg ) - log_fatal("zlib deflate problem: %s\n", zs->msg ); + log_error ("zlib deflate problem: %s\n", zs->msg ); else - log_fatal("zlib deflate problem: rc=%d\n", zrc ); + log_error ("zlib deflate problem: rc=%d\n", zrc ); + write_status_error ("zlib.deflate", gpg_error (GPG_ERR_INTERNAL)); + g10_exit (2); } n = zfx->outbufsize - zs->avail_out; if( DBG_FILTER ) @@ -116,7 +120,7 @@ do_compress( compress_filter_context_t *zfx, z_stream *zs, int flush, IOBUF a ) (unsigned)n, zrc ); if( (rc=iobuf_write( a, zfx->outbuf, n )) ) { - log_debug("deflate: iobuf_write failed\n"); + log_error ("deflate: iobuf_write failed\n"); return rc; } } while( zs->avail_in || (flush == Z_FINISH && zrc != Z_STREAM_END) ); 
@@ -140,10 +144,12 @@ init_uncompress( compress_filter_context_t *zfx, z_stream *zs ) */ if( (rc = zfx->algo == 1? inflateInit2( zs, -15) : inflateInit( zs )) != Z_OK ) { - log_fatal("zlib problem: %s\n", zs->msg? zs->msg : - rc == Z_MEM_ERROR ? "out of core" : - rc == Z_VERSION_ERROR ? "invalid lib version" : - "unknown error" ); + log_error ("zlib problem: %s\n", zs->msg? zs->msg : + rc == Z_MEM_ERROR ? "out of core" : + rc == Z_VERSION_ERROR ? "invalid lib version" : + "unknown error" ); + write_status_error ("zlib.init.un", gpg_error (GPG_ERR_INTERNAL)); + g10_exit (2); } zfx->inbufsize = 2048; @@ -198,9 +204,11 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs, rc = -1; /* eof */ else if( zrc != Z_OK && zrc != Z_BUF_ERROR ) { if( zs->msg ) - log_fatal("zlib inflate problem: %s\n", zs->msg ); + log_error ("zlib inflate problem: %s\n", zs->msg ); else - log_fatal("zlib inflate problem: rc=%d\n", zrc ); + log_error ("zlib inflate problem: rc=%d\n", zrc ); + write_status_error ("zlib.inflate", gpg_error (GPG_ERR_BAD_DATA)); + g10_exit (2); } } while (zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR && !leave); diff --git a/g10/export.c b/g10/export.c index 2c6eb7bff..74cb03764 100644 --- a/g10/export.c +++ b/g10/export.c @@ -129,6 +129,8 @@ parse_export_options(char *str,unsigned int *options,int noisy) N_("export revocation keys marked as \"sensitive\"")}, {"export-clean",EXPORT_CLEAN,NULL, N_("remove unusable parts from key during export")}, + {"export-realclean",EXPORT_MINIMAL|EXPORT_REALCLEAN|EXPORT_CLEAN,NULL, + NULL}, {"export-minimal",EXPORT_MINIMAL|EXPORT_CLEAN,NULL, N_("remove as much as possible from key during export")}, @@ -166,7 +168,7 @@ parse_export_options(char *str,unsigned int *options,int noisy) { *options |= (EXPORT_LOCAL_SIGS | EXPORT_ATTRIBUTES | EXPORT_SENSITIVE_REVKEYS); - *options &= ~(EXPORT_CLEAN | EXPORT_MINIMAL + *options &= ~(EXPORT_CLEAN | EXPORT_MINIMAL | EXPORT_REALCLEAN | EXPORT_DANE_FORMAT); } 
@@ -643,7 +645,7 @@ canon_pk_algo (enum gcry_pk_algos algo) } -/* Take an s-expression wit the public and private key and change the +/* Take an s-expression with the public and private key and change the * parameter array in PK to include the secret parameters. */ static gpg_error_t secret_key_to_mode1003 (gcry_sexp_t s_key, PKT_public_key *pk) @@ -2366,8 +2368,7 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret, if ((options & EXPORT_CLEAN)) { merge_keys_and_selfsig (ctrl, keyblock); - clean_all_uids (ctrl, keyblock, opt.verbose, - (options&EXPORT_MINIMAL), NULL, NULL); + clean_all_uids (ctrl, keyblock, opt.verbose, options, NULL, NULL); clean_all_subkeys (ctrl, keyblock, opt.verbose, (options&EXPORT_MINIMAL)? KEY_CLEAN_ALL /**/ : KEY_CLEAN_AUTHENCR, diff --git a/g10/getkey.c b/g10/getkey.c index b959d77c7..ce59628a0 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -1921,7 +1921,7 @@ get_pubkey_byfprint_fast (ctrl_t ctrl, PKT_public_key * pk, * R_HD may be NULL. If LOCK is set the handle has been opend in * locked mode and keydb_disable_caching () has been called. On error * R_KEYBLOCK is set to NULL but R_HD must be released by the caller; - * it may have a value of NULL, though. This allows to do an insert + * it may have a value of NULL, though. This allows one to do an insert * operation on a locked keydb handle. */ gpg_error_t get_keyblock_byfprint_fast (ctrl_t ctrl, diff --git a/g10/gpg.c b/g10/gpg.c index 96a0c345c..bef3b6fbd 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -451,6 +451,7 @@ enum cmd_and_opt_values oCompatibilityFlags, oAddDesigRevoker, oAssertSigner, + oAssertPubkeyAlgo, oKbxBufferSize, oNoop @@ -715,6 +716,7 @@ static gpgrt_opt_t opts[] = { #endif ARGPARSE_s_s (oAddDesigRevoker, "add-desig-revoker", "@"), ARGPARSE_s_s (oAssertSigner, "assert-signer", "@"), + ARGPARSE_s_s (oAssertPubkeyAlgo,"assert-pubkey-algo", "@"), ARGPARSE_header ("Input", N_("Options controlling the input")), 
@@ -753,7 +755,7 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_n (oNoEscapeFrom, "no-escape-from-lines", "@"), ARGPARSE_s_n (oMimemode, "mimemode", "@"), ARGPARSE_s_n (oTextmodeShort, NULL, "@"), - ARGPARSE_s_n (oTextmode, "textmode", N_("use canonical text mode")), + ARGPARSE_s_n (oTextmode, "textmode", "@"), ARGPARSE_s_n (oNoTextmode, "no-textmode", "@"), ARGPARSE_s_s (oSetFilename, "set-filename", "@"), ARGPARSE_s_n (oForYourEyesOnly, "for-your-eyes-only", "@"), @@ -1045,9 +1047,12 @@ static struct compatibility_flags_s compatibility_flags [] = /* Can be set to true to force gpg to return with EXIT_FAILURE. */ int g10_errors_seen = 0; -/* If opt.assert_signer_list is used and this variabale is not true +/* If opt.assert_signer_list is used and this variable is not true * gpg will be forced to return EXIT_FAILURE. */ int assert_signer_true = 0; +/* If opt.assert_pubkey_algo is used and this variable is not true + * gpg will be forced to return EXIT_FAILURE. */ +int assert_pubkey_algo_false = 0; static int utf8_strings = @@ -3584,9 +3589,18 @@ main (int argc, char **argv) case oPersonalCompressPreferences: pers_compress_list=pargs.r.ret_str; break; - case oAgentProgram: opt.agent_program = pargs.r.ret_str; break; - case oKeyboxdProgram: opt.keyboxd_program = pargs.r.ret_str; break; - case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str; break; + case oAgentProgram: + xfree (opt.agent_program); + opt.agent_program = make_filename (pargs.r.ret_str, NULL); + break; + case oKeyboxdProgram: + xfree (opt.keyboxd_program); + opt.keyboxd_program = make_filename (pargs.r.ret_str, NULL); + break; + case oDirmngrProgram: + xfree (opt.dirmngr_program); + opt.dirmngr_program = make_filename (pargs.r.ret_str, NULL); + break; case oDisableDirmngr: opt.disable_dirmngr = 1; break; case oWeakDigest: additional_weak_digest(pargs.r.ret_str); 
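Review bot: The comment added above `int assert_pubkey_algo_false` has the condition inverted, apparently copied from the assert_signer_true comment. The g10_exit hunk later in this file forces rc to 1 when `opt.assert_pubkey_algos && assert_pubkey_algo_false` holds, that is, when the variable is true. The comment also names `opt.assert_pubkey_algo`, while the field used by the code is `opt.assert_pubkey_algos`. Since this flag decides the exit code that scripts rely on for --assert-pubkey-algo, I would correct it to `/* If opt.assert_pubkey_algos is used and this variable is true gpg will be forced to return EXIT_FAILURE. */`.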
@@ -3767,6 +3781,18 @@ main (int argc, char **argv) add_to_strlist (&opt.assert_signer_list, pargs.r.ret_str); break; + case oAssertPubkeyAlgo: + if (!opt.assert_pubkey_algos) + opt.assert_pubkey_algos = xstrdup (pargs.r.ret_str); + else + { + char *tmp = opt.assert_pubkey_algos; + opt.assert_pubkey_algos = xstrconcat (tmp, ",", + pargs.r.ret_str, NULL); + xfree (tmp); + } + break; + case oKbxBufferSize: keybox_set_buffersize (pargs.r.ret_ulong, 0); break; @@ -5471,6 +5497,17 @@ emergency_cleanup (void) void g10_exit( int rc ) { + if (rc) + ; + else if (log_get_errorcount(0)) + rc = 2; + else if (g10_errors_seen) + rc = 1; + else if (opt.assert_signer_list && !assert_signer_true) + rc = 1; + else if (opt.assert_pubkey_algos && assert_pubkey_algo_false) + rc = 1; + /* If we had an error but not printed an error message, do it now. * Note that write_status_failure will never print a second failure * status line. */ @@ -5495,15 +5532,6 @@ g10_exit( int rc ) gnupg_block_all_signals (); emergency_cleanup (); - if (rc) - ; - else if (log_get_errorcount(0)) - rc = 2; - else if (g10_errors_seen) - rc = 1; - else if (opt.assert_signer_list && !assert_signer_true) - rc = 1; - exit (rc); } diff --git a/g10/gpgv.c b/g10/gpgv.c index f2895563e..c3b09f752 100644 --- a/g10/gpgv.c +++ b/g10/gpgv.c @@ -68,6 +68,7 @@ enum cmd_and_opt_values { oWeakDigest, oEnableSpecialFilenames, oDebug, + oAssertPubkeyAlgo, aTest }; @@ -91,6 +92,7 @@ static gpgrt_opt_t opts[] = { N_("|ALGO|reject signatures made with ALGO")), ARGPARSE_s_n (oEnableSpecialFilenames, "enable-special-filenames", "@"), ARGPARSE_s_s (oDebug, "debug", "@"), + ARGPARSE_s_s (oAssertPubkeyAlgo,"assert-pubkey-algo", "@"), ARGPARSE_end () }; @@ -119,6 +121,7 @@ static struct debug_flags_s debug_flags [] = int g10_errors_seen = 0; int assert_signer_true = 0; +int assert_pubkey_algo_false = 0; static char * make_libversion (const char *libname, const char *(*getfnc)(const char*)) 
@@ -251,6 +254,19 @@ main( int argc, char **argv ) case oEnableSpecialFilenames: enable_special_filenames (); break; + + case oAssertPubkeyAlgo: + if (!opt.assert_pubkey_algos) + opt.assert_pubkey_algos = xstrdup (pargs.r.ret_str); + else + { + char *tmp = opt.assert_pubkey_algos; + opt.assert_pubkey_algos = xstrconcat (tmp, ",", + pargs.r.ret_str, NULL); + xfree (tmp); + } + break; + default : pargs.err = ARGPARSE_PRINT_ERROR; break; } } @@ -288,10 +304,18 @@ main( int argc, char **argv ) void -g10_exit( int rc ) +g10_exit (int rc) { - rc = rc? rc : log_get_errorcount(0)? 2 : g10_errors_seen? 1 : 0; - exit(rc ); + if (rc) + ; + else if (log_get_errorcount(0)) + rc = 2; + else if (g10_errors_seen) + rc = 1; + else if (opt.assert_pubkey_algos && assert_pubkey_algo_false) + rc = 1; + + exit (rc); } diff --git a/g10/import.c b/g10/import.c index 8f874a7d1..ff8847cb6 100644 --- a/g10/import.c +++ b/g10/import.c @@ -2081,7 +2081,9 @@ import_one_real (ctrl_t ctrl, { merge_keys_and_selfsig (ctrl, keyblock); clean_all_uids (ctrl, keyblock, - opt.verbose, (options&IMPORT_MINIMAL), NULL, NULL); + opt.verbose, + (options&IMPORT_MINIMAL)? EXPORT_MINIMAL : 0, + NULL, NULL); clean_all_subkeys (ctrl, keyblock, opt.verbose, KEY_CLEAN_NONE, NULL, NULL); } @@ -2233,7 +2235,8 @@ import_one_real (ctrl_t ctrl, if ((options & IMPORT_CLEAN)) { merge_keys_and_selfsig (ctrl, keyblock); - clean_all_uids (ctrl, keyblock, opt.verbose, (options&IMPORT_MINIMAL), + clean_all_uids (ctrl, keyblock, opt.verbose, + (options&IMPORT_MINIMAL)? EXPORT_MINIMAL : 0, &n_uids_cleaned,&n_sigs_cleaned); clean_all_subkeys (ctrl, keyblock, opt.verbose, KEY_CLEAN_NONE, NULL, NULL); 
@@ -2331,7 +2334,7 @@ import_one_real (ctrl_t ctrl, { merge_keys_and_selfsig (ctrl, keyblock_orig); clean_all_uids (ctrl, keyblock_orig, opt.verbose, - (options&IMPORT_MINIMAL), + (options&IMPORT_MINIMAL)? EXPORT_MINIMAL : 0, &n_uids_cleaned,&n_sigs_cleaned); clean_all_subkeys (ctrl, keyblock_orig, opt.verbose, KEY_CLEAN_NONE, NULL, NULL); diff --git a/g10/key-clean.c b/g10/key-clean.c index c8a6efe50..ca8ca40d9 100644 --- a/g10/key-clean.c +++ b/g10/key-clean.c @@ -91,6 +91,7 @@ mark_usable_uid_certs (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode, continue; } node->flag |= 1<next) @@ -215,9 +216,22 @@ mark_usable_uid_certs (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode, } +/* Return true if the signature at NODE has is from a key specified by + * the --trusted-key option and is exportable. */ +static int +is_trusted_key_sig (kbnode_t node) +{ + if (!node->pkt->pkt.signature->flags.exportable) + return 0; + /* Not yet implemented. */ + return 0; +} + + +/* Note: OPTIONS are from the EXPORT_* set. */ static int clean_sigs_from_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode, - int noisy, int self_only) + int noisy, unsigned int options) { int deleted = 0; kbnode_t node; 
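Review bot: is_trusted_key_sig in g10/key-clean.c is a stub that returns 0 on every path. The EXPORT_REALCLEAN branch in the following clean_sigs_from_uid hunk therefore selects exactly the self-signatures that EXPORT_MINIMAL selects, and the new export-realclean option in g10/export.c has no behaviour of its own yet. The header comment describes the intended result rather than the current one; I would say so there, e.g. `/* FIXME: The --trusted-key lookup is not yet implemented; this always returns false, so export-realclean currently keeps only self-signatures. */`. The helper also reads `node->pkt->pkt.signature` without checking the packet type, which presumably relies on the caller passing only signature nodes; a short remark on that precondition would help. clean_sigs_from_uid continues outside the hunk.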
@@ -256,8 +270,15 @@ clean_sigs_from_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode, { int keep; - keep = self_only? (node->pkt->pkt.signature->keyid[0] == keyid[0] - && node->pkt->pkt.signature->keyid[1] == keyid[1]) : 1; + if ((options & EXPORT_REALCLEAN)) + keep = ((node->pkt->pkt.signature->keyid[0] == keyid[0] + && node->pkt->pkt.signature->keyid[1] == keyid[1]) + || is_trusted_key_sig (node)); + else if ((options & EXPORT_MINIMAL)) + keep = (node->pkt->pkt.signature->keyid[0] == keyid[0] + && node->pkt->pkt.signature->keyid[1] == keyid[1]); + else + keep = 1; /* Keep usable uid sigs ... */ if ((node->flag & (1<pkt->pkt.user_id->flags.compacted) *sigs_cleaned += clean_sigs_from_uid (ctrl, keyblock, uidnode, - noisy, self_only); + noisy, options); } /* NB: This function marks the deleted nodes only and the caller is * responsible to skip or remove them. Needs to be called after a - * merge_keys_and_selfsig(). */ + * merge_keys_and_selfsig. Note: OPTIONS are from the EXPORT_* set. */ void -clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, int self_only, +clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, unsigned int options, int *uids_cleaned, int *sigs_cleaned) { kbnode_t node; @@ -405,7 +428,7 @@ clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, int self_only, node = node->next) { if (node->pkt->pkttype == PKT_USER_ID) - clean_one_uid (ctrl, keyblock, node, noisy, self_only, + clean_one_uid (ctrl, keyblock, node, noisy, options, uids_cleaned, sigs_cleaned); } diff --git a/g10/key-clean.h b/g10/key-clean.h index c4f164928..b2825b0c5 100644 --- a/g10/key-clean.h +++ b/g10/key-clean.h 
@@ -40,9 +40,10 @@ void mark_usable_uid_certs (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode, u32 curtime, u32 *next_expire); void clean_one_uid (ctrl_t ctrl, kbnode_t keyblock, kbnode_t uidnode, - int noisy, int self_only, + int noisy, unsigned int options, int *uids_cleaned, int *sigs_cleaned); -void clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, int noisy, int self_only, +void clean_all_uids (ctrl_t ctrl, kbnode_t keyblock, + int noisy, unsigned int options, int *uids_cleaned,int *sigs_cleaned); void clean_all_subkeys (ctrl_t ctrl, kbnode_t keyblock, int noisy, int clean_level, diff --git a/g10/keydb.h b/g10/keydb.h index b18f6e93a..62a99295d 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -487,6 +487,7 @@ const char *key_origin_string (int origin); /*-- keyid.c --*/ int pubkey_letter( int algo ); char *pubkey_string (PKT_public_key *pk, char *buffer, size_t bufsize); +int compare_pubkey_string (const char *astr, const char *bstr); #define PUBKEY_STRING_SIZE 32 u32 v3_keyid (gcry_mpi_t a, u32 *ki); void hash_public_key( gcry_md_hd_t md, PKT_public_key *pk ); @@ -572,6 +573,7 @@ const char *colon_expirestr_from_sig (PKT_signature *sig); byte *fingerprint_from_pk( PKT_public_key *pk, byte *buf, size_t *ret_len ); byte *v5_fingerprint_from_pk (PKT_public_key *pk, byte *array, size_t *ret_len); void fpr20_from_pk (PKT_public_key *pk, byte array[20]); +void fpr20_from_fpr (const byte *fpr, unsigned int fprlen, byte array[20]); char *hexfingerprint (PKT_public_key *pk, char *buffer, size_t buflen); char *v5hexfingerprint (PKT_public_key *pk, char *buffer, size_t buflen); char *format_hexfingerprint (const char *fingerprint, diff --git a/g10/keyedit.c b/g10/keyedit.c index e56e6d10b..7523a1a62 100644 --- a/g10/keyedit.c +++ b/g10/keyedit.c 
@@ -70,7 +70,7 @@ static int menu_adduid (ctrl_t ctrl, kbnode_t keyblock, int photo, const char *photo_name, const char *uidstr); static void menu_deluid (KBNODE pub_keyblock); static int menu_delsig (ctrl_t ctrl, kbnode_t pub_keyblock); -static int menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only); +static int menu_clean (ctrl_t ctrl, kbnode_t keyblock, unsigned int options); static void menu_delkey (KBNODE pub_keyblock); static int menu_addrevoker (ctrl_t ctrl, kbnode_t pub_keyblock, int sensitive); static int menu_addadsk (ctrl_t ctrl, kbnode_t pub_keyblock, @@ -2258,7 +2258,7 @@ keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr, break; case cmdMINIMIZE: - if (menu_clean (ctrl, keyblock, 1)) + if (menu_clean (ctrl, keyblock, EXPORT_MINIMAL)) redisplay = modified = 1; break; @@ -4543,11 +4543,13 @@ menu_delsig (ctrl_t ctrl, kbnode_t pub_keyblock) } +/* Note: OPTIONS are from the EXPORT_* set. */ static int -menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only) +menu_clean (ctrl_t ctrl, kbnode_t keyblock, unsigned int options) { KBNODE uidnode; - int modified = 0, select_all = !count_selected_uids (keyblock); + int modified = 0; + int select_all = !count_selected_uids (keyblock); for (uidnode = keyblock->next; uidnode && uidnode->pkt->pkttype != PKT_PUBLIC_SUBKEY; @@ -4561,8 +4563,8 @@ menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only) uidnode->pkt->pkt.user_id->len, 0); - clean_one_uid (ctrl, keyblock, uidnode, opt.verbose, self_only, &uids, - &sigs); + clean_one_uid (ctrl, keyblock, uidnode, opt.verbose, options, + &uids, &sigs); if (uids) { const char *reason; @@ -4587,7 +4589,7 @@ menu_clean (ctrl_t ctrl, kbnode_t keyblock, int self_only) } else { - tty_printf (self_only == 1 ? + tty_printf ((options & EXPORT_MINIMAL)? _("User ID \"%s\": already minimized\n") : _("User ID \"%s\": already clean\n"), user); } diff --git a/g10/keyid.c b/g10/keyid.c index ed76818a2..7e4c50b59 100644 --- a/g10/keyid.c +++ b/g10/keyid.c 
@@ -145,6 +145,130 @@ pubkey_string (PKT_public_key *pk, char *buffer, size_t bufsize) } +/* Helper for compare_pubkey_string. This skips leading spaces, + * commas and optional condition operators and returns a pointer to + * the first non-space character or NULL in case of an error. The + * length of a prefix consisting of letters is then returned ar PFXLEN + * and the value of the number (e.g. 384 for "brainpoolP384r1") at + * NUMBER. R_LENGTH receives the entire length of the algorithm name + * which is terminated by a space, nul, or a comma. If R_CONDITION is + * not NULL, 0 is stored for a leading "=", 1 for a ">", 2 for a ">=", + * -1 for a "<", and -2 for a "<=". If R_CONDITION is NULL no + * condition prefix is allowed. */ +static const char * +parse_one_algo_string (const char *str, size_t *pfxlen, unsigned int *number, + size_t *r_length, int *r_condition) +{ + int condition = 0; + const char *result; + + while (spacep (str) || *str ==',') + str++; + if (!r_condition) + ; + else if (*str == '>' && str[1] == '=') + condition = 2, str += 2; + else if (*str == '>' ) + condition = 1, str += 1; + else if (*str == '<' && str[1] == '=') + condition = -2, str += 2; + else if (*str == '<') + condition = -1, str += 1; + else if (*str == '=') /* Default. */ + str += 1; + + if (!alphap (str)) + return NULL; /* Error. */ + + *pfxlen = 1; + for (result = str++; alphap (str); str++) + ++*pfxlen; + while (*str == '-' || *str == '+') + str++; + *number = atoi (str); + while (*str && !spacep (str) && *str != ',') + str++; + + *r_length = str - result; + if (r_condition) + *r_condition = condition; + return result; +} + +/* Helper for compare_pubkey_string. If BPARSED is set to 0 on + * return, an error in ASTR or BSTR was found and further checks are + * not possible. 
*/ +static int +compare_pubkey_string_part (const char *astr, const char *bstr_arg, + size_t *bparsed) +{ + const char *bstr = bstr_arg; + size_t alen, apfxlen, blen, bpfxlen; + unsigned int anumber, bnumber; + int condition; + + *bparsed = 0; + astr = parse_one_algo_string (astr, &apfxlen, &anumber, &alen, &condition); + if (!astr) + return 0; /* Invalid algorithm name. */ + bstr = parse_one_algo_string (bstr, &bpfxlen, &bnumber, &blen, &condition); + if (!bstr) + return 0; /* Invalid algorithm name. */ + *bparsed = blen + (bstr - bstr_arg); + if (apfxlen != bpfxlen || ascii_strncasecmp (astr, bstr, apfxlen)) + return 0; /* false. */ + switch (condition) + { + case 2: return anumber >= bnumber; + case 1: return anumber > bnumber; + case -1: return anumber < bnumber; + case -2: return anumber <= bnumber; + } + + return alen == blen && !ascii_strncasecmp (astr, bstr, alen); +} + + +/* Check whether ASTR matches the constraints given by BSTR. ASTR may + * be any algo string like "rsa2048", "ed25519" and BSTR may be a + * constraint which is in the simplest case just another algo string. + * BSTR may have more that one string in which case they are comma + * separated and any match will return true. It is possible to prefix + * BSTR with ">", ">=", "<=", or "<". That prefix operator is applied + * to the number part of the algorithm, i.e. the first sequence of + * digits found before end-of-string or a comma. 
Examples: + * + * | ASTR | BSTR | result | + * |----------+----------------------+--------| + * | rsa2048 | rsa2048 | true | + * | rsa2048 | >=rsa2048 | true | + * | rsa2048 | >rsa2048 | false | + * | ed25519 | >rsa1024 | false | + * | ed25519 | ed25519 | true | + * | nistp384 | >nistp256 | true | + * | nistp521 | >=rsa3072, >nistp384 | true | + */ +int +compare_pubkey_string (const char *astr, const char *bstr) +{ + size_t bparsed; + int result; + + while (*bstr) + { + result = compare_pubkey_string_part (astr, bstr, &bparsed); + if (result) + return 1; + if (!bparsed) + return 0; /* Syntax error in ASTR or BSTR. */ + bstr += bparsed; + } + + return 0; +} + + + /* Hash a public key and allow to specify the to be used format. * Note that if the v5 format is requested for a v4 key, a 0x04 as * version is hashed instead of the 0x05. */ @@ -239,20 +363,16 @@ do_hash_public_key (gcry_md_hd_t md, PKT_public_key *pk, int use_v5) if (use_v5) { gcry_md_putc ( md, 0x9a ); /* ctb */ - gcry_md_putc ( md, n >> 24 ); /* 4 byte length header */ + gcry_md_putc ( md, n >> 24 ); /* 4 byte length header (upper bits) */ gcry_md_putc ( md, n >> 16 ); - gcry_md_putc ( md, n >> 8 ); - gcry_md_putc ( md, n ); - /* Note that the next byte may either be 4 or 5. */ - gcry_md_putc ( md, pk->version ); } else { gcry_md_putc ( md, 0x99 ); /* ctb */ - gcry_md_putc ( md, n >> 8 ); /* 2 byte length header */ - gcry_md_putc ( md, n ); - gcry_md_putc ( md, pk->version ); } + gcry_md_putc ( md, n >> 8 ); /* lower bits of the length header. */ + gcry_md_putc ( md, n ); + gcry_md_putc ( md, pk->version ); gcry_md_putc ( md, pk->timestamp >> 24 ); gcry_md_putc ( md, pk->timestamp >> 16 ); gcry_md_putc ( md, pk->timestamp >> 8 ); @@ -260,7 +380,7 @@ do_hash_public_key (gcry_md_hd_t md, PKT_public_key *pk, int use_v5) gcry_md_putc ( md, pk->pubkey_algo ); - if (use_v5) + if (use_v5) /* Hash the 32 bit length */ { n -= 10; gcry_md_putc ( md, n >> 24 ); 
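Review bot: compare_pubkey_string_part applies the `>`, `>=`, `<` and `<=` operators to the bare digit run once the letter prefixes match, so the number is not a strength measure across curves that share a prefix: a constraint `>=ed448` is satisfied by `ed25519` because 25519 >= 448, assuming the 448-bit curves are rendered as `ed448` and `cv448`. Since this result decides the --assert-pubkey-algo check, the header comment of compare_pubkey_string should say so, for example `* Note: only the digits are compared; ">=ed448" also matches "ed25519", so list such algorithms explicitly.` parse_one_algo_string also reads the number with `atoi`, which has no defined result for an out-of-range digit string in BSTR; `strtoul` with an ERANGE check that returns NULL would keep a malformed constraint on the path where compare_pubkey_string returns 0.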
@@ -935,6 +1055,32 @@ v5_fingerprint_from_pk (PKT_public_key *pk, byte *array, size_t *ret_len) } +/* + * This is the core of fpr20_from_pk which directly takes a + * fingerprint and its length instead of the public key. See below + * for details. + */ +void +fpr20_from_fpr (const byte *fpr, unsigned int fprlen, byte array[20]) +{ + if (fprlen >= 32) /* v5 fingerprint (or larger) */ + { + memcpy (array + 0, fpr + 20, 4); + memcpy (array + 4, fpr + 24, 4); + memcpy (array + 8, fpr + 28, 4); + memcpy (array + 12, fpr + 0, 4); /* kid[0] */ + memcpy (array + 16, fpr + 4, 4); /* kid[1] */ + } + else if (fprlen == 20) /* v4 fingerprint */ + memcpy (array, fpr, 20); + else /* v3 or too short: fill up with zeroes. */ + { + memset (array, 0, 20); + memcpy (array, fpr, fprlen); + } +} + + /* * Get FPR20 for the given PK/SK into ARRAY. * @@ -951,19 +1097,7 @@ fpr20_from_pk (PKT_public_key *pk, byte array[20]) if (!pk->fprlen) compute_fingerprint (pk); - if (!array) - array = xmalloc (pk->fprlen); - - if (pk->fprlen == 32) /* v5 fingerprint */ - { - memcpy (array + 0, pk->fpr + 20, 4); - memcpy (array + 4, pk->fpr + 24, 4); - memcpy (array + 8, pk->fpr + 28, 4); - memcpy (array + 12, pk->fpr + 0, 4); /* kid[0] */ - memcpy (array + 16, pk->fpr + 4, 4); /* kid[1] */ - } - else /* v4 fingerprint */ - memcpy (array, pk->fpr, 20); + fpr20_from_fpr (pk->fpr, pk->fprlen, array); } diff --git a/g10/main.h b/g10/main.h index c202dacb8..5123dd03b 100644 --- a/g10/main.h +++ b/g10/main.h @@ -84,6 +84,7 @@ struct weakhash /*-- gpg.c --*/ extern int g10_errors_seen; extern int assert_signer_true; +extern int assert_pubkey_algo_false; #if __GNUC__ > 2 || (__GNUC__ == 2 && __GNUC_MINOR__ >= 5 ) void g10_exit(int rc) __attribute__ ((__noreturn__)); 
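Review bot: The final `else` in fpr20_from_fpr is reached for every length below 32 other than 20, so a length of 21 to 31 makes `memcpy (array, fpr, fprlen)` write past the 20-byte ARRAY, although the comment describes the branch as "v3 or too short". The callers visible in this diff pass pk->fprlen or a constant 20, so this looks latent rather than reachable today, but tdbio_search_trust_byfpr now forwards a caller-supplied length into a 20-byte stack buffer through this function. Bounding the copy closes it: `memcpy (array, fpr, fprlen < 20? fprlen : 20);`.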
@@ -495,6 +496,7 @@ int verify_files (ctrl_t ctrl, int nfiles, char **files ); int gpg_verify (ctrl_t ctrl, gnupg_fd_t sig_fd, gnupg_fd_t data_fd, estream_t out_fp); void check_assert_signer_list (const char *mainpkhex, const char *pkhex); +void check_assert_pubkey_algo (const char *algostr, const char *pkhex); /*-- decrypt.c --*/ int decrypt_message (ctrl_t ctrl, const char *filename ); diff --git a/g10/mainproc.c b/g10/mainproc.c index 74c7430ec..043b34f62 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -898,7 +898,7 @@ proc_encrypted (CTX c, PACKET *pkt) * encrypted packet. */ literals_seen++; - /* The --require-compliance option allows to simplify decryption in + /* The --require-compliance option allows one to simplify decryption in * de-vs compliance mode by just looking at the exit status. */ if (opt.flags.require_compliance && opt.compliance == CO_DE_VS @@ -1876,6 +1876,8 @@ check_sig_and_print (CTX c, kbnode_t node) const void *extrahash = NULL; size_t extrahashlen = 0; kbnode_t included_keyblock = NULL; + char pkstrbuf[PUBKEY_STRING_SIZE] = { 0 }; + if (opt.skip_verify) { @@ -2409,8 +2411,14 @@ check_sig_and_print (CTX c, kbnode_t node) show_notation (sig, 0, 2, 0); } + /* Fill PKSTRBUF with the algostring in case we later need it. */ + if (pk) + pubkey_string (pk, pkstrbuf, sizeof pkstrbuf); + /* For good signatures print the VALIDSIG status line. */ - if (!rc && (is_status_enabled () || opt.assert_signer_list) && pk) + if (!rc && (is_status_enabled () + || opt.assert_signer_list + || opt.assert_pubkey_algos) && pk) { char pkhex[MAX_FINGERPRINT_LEN*2+1]; char mainpkhex[MAX_FINGERPRINT_LEN*2+1]; @@ -2432,6 +2440,8 @@ check_sig_and_print (CTX c, kbnode_t node) mainpkhex); /* Handle the --assert-signer option. */ check_assert_signer_list (mainpkhex, pkhex); + /* Handle the --assert-pubkey-algo option. */ + check_assert_pubkey_algo (pkstrbuf, pkhex); } /* Print compliance warning for Good signatures. */ 
@@ -2464,13 +2474,6 @@ check_sig_and_print (CTX c, kbnode_t node) if (opt.verbose) { - char pkstrbuf[PUBKEY_STRING_SIZE]; - - if (pk) - pubkey_string (pk, pkstrbuf, sizeof pkstrbuf); - else - *pkstrbuf = 0; - log_info (_("%s signature, digest algorithm %s%s%s\n"), sig->sig_class==0x00?_("binary"): sig->sig_class==0x01?_("textmode"):_("unknown"), diff --git a/g10/options.h b/g10/options.h index 571399967..476c30ad5 100644 --- a/g10/options.h +++ b/g10/options.h @@ -126,9 +126,9 @@ struct int marginals_needed; int completes_needed; int max_cert_depth; - const char *agent_program; - const char *keyboxd_program; - const char *dirmngr_program; + char *agent_program; + char *keyboxd_program; + char *dirmngr_program; int disable_dirmngr; const char *def_new_key_algo; @@ -241,6 +241,10 @@ struct * modify to be uppercase if they represent a fingerrint */ strlist_t assert_signer_list; + /* A single string with the comma delimited args from + * --assert-pubkey_algo. */ + char *assert_pubkey_algos; + struct { /* If set, require an 0x19 backsig to be present on signatures @@ -414,12 +418,13 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define EXPORT_ATTRIBUTES (1<<1) #define EXPORT_SENSITIVE_REVKEYS (1<<2) #define EXPORT_RESET_SUBKEY_PASSWD (1<<3) -#define EXPORT_MINIMAL (1<<4) -#define EXPORT_CLEAN (1<<5) +#define EXPORT_MINIMAL (1<<5) +#define EXPORT_CLEAN (1<<6) #define EXPORT_DANE_FORMAT (1<<7) #define EXPORT_BACKUP (1<<10) #define EXPORT_REVOCS (1<<11) #define EXPORT_MODE1003 (1<<12) +#define EXPORT_REALCLEAN (1<<13) #define LIST_SHOW_PHOTOS (1<<0) #define LIST_SHOW_POLICY_URLS (1<<1) diff --git a/g10/t-keydb-get-keyblock.c b/g10/t-keydb-get-keyblock.c index e40be9cc1..90ce6e9a6 100644 --- a/g10/t-keydb-get-keyblock.c +++ b/g10/t-keydb-get-keyblock.c 
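Review bot: The comment added for `assert_pubkey_algos` in options.h names the option `--assert-pubkey_algo`, with an underscore, while the rest of this change spells it `--assert-pubkey-algo`. The comment could also say what the string holds, for example `/* Comma delimited constraints from --assert-pubkey-algo, in the syntax accepted by compare_pubkey_string. */`.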
@@ -67,12 +67,3 @@ do_test (int argc, char *argv[]) release_kbnode (kb1); xfree (ctrl); } - -int assert_signer_true = 0; - -void -check_assert_signer_list (const char *mainpkhex, const char *pkhex) -{ - (void)mainpkhex; - (void)pkhex; -} diff --git a/g10/t-keydb.c b/g10/t-keydb.c index 9055d5b94..4c78dac48 100644 --- a/g10/t-keydb.c +++ b/g10/t-keydb.c @@ -105,13 +105,3 @@ do_test (int argc, char *argv[]) keydb_release (hd2); xfree (ctrl); } - - -int assert_signer_true = 0; - -void -check_assert_signer_list (const char *mainpkhex, const char *pkhex) -{ - (void)mainpkhex; - (void)pkhex; -} diff --git a/g10/t-keyid.c b/g10/t-keyid.c new file mode 100644 index 000000000..d42399027 --- /dev/null +++ b/g10/t-keyid.c 
@@ -0,0 +1,129 @@
+/* t-keyid.c - Tests for keyid.c.
+ * Copyright (C) 2024 g10 Code GmbH
+ *
+ * This file is part of GnuPG.
+ *
+ * GnuPG is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuPG is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see .
+ * SPDX-License-Identifier: GPL-3.0-or-later
+ */
+
+#include
+#include
+#include
+#include
+#define LEAN_T_SUPPORT 1
+
+#define PGM "t-keyid"
+
+#include "gpg.h"
+#include "keydb.h"
+#include "../common/t-support.h"
+
+
+
+static int verbose;
+
+
+static void
+test_compare_pubkey_string (void)
+{
+ static struct { const char *astr; const char *bstr; int expected; } t[] =
+ {
+ { "rsa2048" , "rsa2048" , 1 },
+ { "rsa2048" , ">=rsa2048" , 1 },
+ { "rsa2048" , ">rsa2048" , 0 },
+ { "ed25519" , ">rsa1024" , 0 },
+ { "ed25519" , "ed25519" , 1 },
+ { "ed25519" , ",,,=ed25519" , 1 },
+ { "nistp384" , ">nistp256" , 1 },
+ { "nistp521" , ">=rsa3072, >nistp384", 1 },
+ { " nistp521" , ">=rsa3072, >nistp384 ", 1 },
+ { " nistp521 " , " >=rsa3072, >nistp384 ", 1 },
+ { " =nistp521 " , " >=rsa3072, >nistp384,,", 1 },
+ { "nistp384" , ">nistp384" , 0 },
+ { "nistp384" , ">=nistp384" , 1 },
+ { "brainpoolP384" , ">=brainpoolp256", 1 },
+ { "brainpoolP384" , ">brainpoolp384" , 0 },
+ { "brainpoolP384" , ">=brainpoolp384", 1 },
+ { "brainpoolP256r1", ">brainpoolp256r1", 0 },
+ { "brainpoolP384r1", ">brainpoolp384r1" , 0 },
+ { "brainpoolP384r1", ">=brainpoolp384r1", 1 },
+ { "brainpoolP384r1", ">=brainpoolp384" , 1 },
+ { "", "", 0}
+ };
+ int idx;
+
int result; + + for (idx=0; idx < DIM(t); idx++) + { + result = compare_pubkey_string (t[idx].astr, t[idx].bstr); + if (result != t[idx].expected) + { + fail (idx); + if (verbose) + log_debug ("\"%s\", \"%s\" want %d got %d\n", + t[idx].astr, t[idx].bstr, t[idx].expected, result); + } + } + +} + + +int +main (int argc, char **argv) +{ + int last_argc = -1; + + no_exit_on_fail = 1; + + if (argc) + { argc--; argv++; } + while (argc && last_argc != argc ) + { + last_argc = argc; + if (!strcmp (*argv, "--")) + { + argc--; argv++; + break; + } + else if (!strcmp (*argv, "--help")) + { + fputs ("usage: " PGM " [FILE]\n" + "Options:\n" + " --verbose Print timings etc.\n" + " --debug Flyswatter\n" + , stdout); + exit (0); + } + else if (!strcmp (*argv, "--verbose")) + { + verbose++; + argc--; argv++; + } + else if (!strcmp (*argv, "--debug")) + { + verbose += 2; + argc--; argv++; + } + else if (!strncmp (*argv, "--", 2)) + { + fprintf (stderr, PGM ": unknown option '%s'\n", *argv); + exit (1); + } + } + + test_compare_pubkey_string (); + + return !!errcount; +} diff --git a/g10/t-stutter.c b/g10/t-stutter.c index 7b2ea4b37..503a92004 100644 --- a/g10/t-stutter.c +++ b/g10/t-stutter.c @@ -611,12 +611,3 @@ do_test (int argc, char *argv[]) xfree (filename); } - -int assert_signer_true = 0; - -void -check_assert_signer_list (const char *mainpkhex, const char *pkhex) -{ - (void)mainpkhex; - (void)pkhex; -} diff --git a/g10/tdbdump.c b/g10/tdbdump.c index 9ff3f81a3..99f135678 100644 --- a/g10/tdbdump.c +++ b/g10/tdbdump.c 
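Review bot: The table in test_compare_pubkey_string has only the empty pair as a syntax-error row and no row for a malformed constraint, although compare_pubkey_string backs a verification assertion and its error return is what keeps a bad constraint from matching. I would pin that path with rows such as `{ "rsa2048", ">=", 0 },` and `{ "rsa2048", "2048", 0 },`, both of which the parser as written rejects. One further row should record the intended result for same-prefix curves of different size, for example `ed25519` against `>=ed448`.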
@@ -190,7 +190,11 @@ import_ownertrust (ctrl_t ctrl, const char *fname ) while (fprlen < MAX_FINGERPRINT_LEN) fpr[fprlen++] = 0; - rc = tdbio_search_trust_byfpr (ctrl, fpr, &rec); + /* FIXME: The intention is to save the special fpr20 as used + * in the trustdb here. However, the above conversions seems + * not to be aware of this. Or why does it allow up to + * MAX_FINGERPRINT_LEN ? */ + rc = tdbio_search_trust_byfpr (ctrl, fpr, 20, &rec); if( !rc ) { /* found: update */ if (rec.r.trust.ownertrust != otrust) { diff --git a/g10/tdbio.c b/g10/tdbio.c index 1b68f772f..7ee62fca0 100644 --- a/g10/tdbio.c +++ b/g10/tdbio.c @@ -1864,13 +1864,21 @@ cmp_trec_fpr ( const void *fpr, const TRUSTREC *rec ) * Return: 0 if found, GPG_ERR_NOT_FOUND, or another error code. */ gpg_error_t -tdbio_search_trust_byfpr (ctrl_t ctrl, const byte *fingerprint, TRUSTREC *rec) +tdbio_search_trust_byfpr (ctrl_t ctrl, const byte *fpr, unsigned int fprlen, + TRUSTREC *rec) { int rc; + byte fingerprint[20]; + + if (fprlen != 20) + { + fpr20_from_fpr (fpr, fprlen, fingerprint); + fpr = fingerprint; + } /* Locate the trust record using the hash table */ - rc = lookup_hashtable (get_trusthashrec (ctrl), fingerprint, 20, - cmp_trec_fpr, fingerprint, rec ); + rc = lookup_hashtable (get_trusthashrec (ctrl), fpr, 20, + cmp_trec_fpr, fpr, rec); return rc; } @@ -1887,7 +1895,7 @@ tdbio_search_trust_bypk (ctrl_t ctrl, PKT_public_key *pk, TRUSTREC *rec) byte fingerprint[20]; fpr20_from_pk (pk, fingerprint); - return tdbio_search_trust_byfpr (ctrl, fingerprint, rec); + return tdbio_search_trust_byfpr (ctrl, fingerprint, 20, rec); } diff --git a/g10/tdbio.h b/g10/tdbio.h index 9452d76c9..7cf630121 100644 --- a/g10/tdbio.h +++ b/g10/tdbio.h 
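Review bot: import_ownertrust passes a constant `20` to tdbio_search_trust_byfpr right after FPR was zero-padded up to MAX_FINGERPRINT_LEN, so an input fingerprint longer than 20 bytes would be looked up by its leading 20 bytes rather than by the rearranged form that fpr20_from_fpr produces for 32-byte fingerprints. Whether such input can occur depends on the parsing above the hunk, which is not visible here, and the added FIXME leaves the question open. Keeping the parsed length in its own variable before the padding loop and passing that instead of `20` would let the new length-aware lookup do the conversion.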
@@ -111,7 +111,8 @@ int tdbio_end_transaction(void); int tdbio_cancel_transaction(void); int tdbio_delete_record (ctrl_t ctrl, ulong recnum); ulong tdbio_new_recnum (ctrl_t ctrl); -gpg_error_t tdbio_search_trust_byfpr (ctrl_t ctrl, const byte *fingerprint, +gpg_error_t tdbio_search_trust_byfpr (ctrl_t ctrl, + const byte *fpr, unsigned int fprlen, TRUSTREC *rec); gpg_error_t tdbio_search_trust_bypk (ctrl_t ctrl, PKT_public_key *pk, TRUSTREC *rec); diff --git a/g10/test-stubs.c b/g10/test-stubs.c index 6ae0f4eb7..d9bead754 100644 --- a/g10/test-stubs.c +++ b/g10/test-stubs.c @@ -43,6 +43,9 @@ #include "call-agent.h" int g10_errors_seen; +int assert_signer_true = 0; +int assert_pubkey_algo_false = 0; + void @@ -580,3 +583,18 @@ impex_filter_getval (void *cookie, const char *propname) (void)propname; return NULL; } + + +void +check_assert_signer_list (const char *mainpkhex, const char *pkhex) +{ + (void)mainpkhex; + (void)pkhex; +} + +void +check_assert_pubkey_algo (const char *algostr, const char *pkhex) +{ + (void)algostr; + (void)pkhex; +} diff --git a/g10/test.c b/g10/test.c index 648148a10..f6c697a35 100644 --- a/g10/test.c +++ b/g10/test.c @@ -15,6 +15,7 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, see . + * SPDX-License-Identifier: GPL-3.0-or-later */ #include diff --git a/g10/trustdb.c b/g10/trustdb.c index e846abe82..6de9f6b66 100644 --- a/g10/trustdb.c +++ b/g10/trustdb.c 
@@ -39,8 +39,52 @@ #include "tofu.h" #include "key-clean.h" + + +typedef struct key_item **KeyHashTable; /* see new_key_hash_table() */ + +/* + * Structure to keep track of keys, this is used as an array where the + * item right after the last one has a keyblock set to NULL. Maybe we + * can drop this thing and replace it by key_item + */ +struct key_array +{ + KBNODE keyblock; +}; + + +/* Control information for the trust DB. */ +static struct +{ + int init; + int level; + char *dbname; + int no_trustdb; +} trustdb_args; + + +/* Some globals. */ +static struct key_item *utk_list; /* all ultimately trusted keys */ + +/* A list used to temporary store trusted keys and a flag indicated + * whether any --trusted-key option has been seen. */ +static struct key_item *trusted_key_list; +static int any_trusted_key_seen; + +/* Flag whether a trustdb check is pending. */ +static int pending_check_trustdb; + + + static void write_record (ctrl_t ctrl, TRUSTREC *rec); -static void do_sync(void); +static void do_sync (void); +static int validate_keys (ctrl_t ctrl, int interactive); + + +/********************************************** + ************* some helpers ******************* + **********************************************/ @@ -54,7 +98,7 @@ keyid_from_fpr20 (ctrl_t ctrl, const byte *fpr, u32 *keyid) keyid = dummy_keyid; /* Problem: We do only use fingerprints in the trustdb but - * we need the keyID here to indetify the key; we can only + * we need the keyID here to identify the key; we can only * use that ugly hack to distinguish between 16 and 20 * bytes fpr - it does not work always so we better change * the whole validation code to only work with 
@@ -88,40 +132,6 @@ keyid_from_fpr20 (ctrl_t ctrl, const byte *fpr, u32 *keyid) return keyid[1]; } -typedef struct key_item **KeyHashTable; /* see new_key_hash_table() */ - -/* - * Structure to keep track of keys, this is used as an array wherre - * the item right after the last one has a keyblock set to NULL. - * Maybe we can drop this thing and replace it by key_item - */ -struct key_array -{ - KBNODE keyblock; -}; - - -/* Control information for the trust DB. */ -static struct -{ - int init; - int level; - char *dbname; - int no_trustdb; -} trustdb_args; - -/* Some globals. */ -static struct key_item *user_utk_list; /* temp. used to store --trusted-keys */ -static struct key_item *utk_list; /* all ultimately trusted keys */ - -static int pending_check_trustdb; - -static int validate_keys (ctrl_t ctrl, int interactive); - - -/********************************************** - ************* some helpers ******************* - **********************************************/ static struct key_item * new_key_item (void) @@ -245,11 +255,19 @@ tdb_register_trusted_keyid (u32 *keyid) k = new_key_item (); k->kid[0] = keyid[0]; k->kid[1] = keyid[1]; - k->next = user_utk_list; - user_utk_list = k; + k->next = trusted_key_list; + trusted_key_list = k; } +/* This is called for the option --trusted-key to register these keys + * for later syncing them into the trustdb. The special value "none" + * may be used to indicate that there is a trusted-key option but no + * key shall be inserted for it. This "none" value is helpful to + * distinguish between changing the gpg.conf from a trusted-key to no + * trusted-key options at all. Simply not specify the option would + * not allow to distinguish this case from the --no-options case as + * used for certain calls of gpg for example by gpg-wks-client. */ void tdb_register_trusted_key (const char *string) { 
@@ -257,6 +275,9 @@ tdb_register_trusted_key (const char *string) KEYDB_SEARCH_DESC desc; u32 kid[2]; + any_trusted_key_seen = 1; + if (!strcmp (string, "none")) + return; err = classify_user_id (string, &desc, 1); if (!err) { @@ -378,11 +399,12 @@ verify_own_keys (ctrl_t ctrl) if (!add_utk (kid)) log_info (_("key %s occurs more than once in the trustdb\n"), keystr(kid)); - else if ((rec.r.trust.flags & 1)) + else if ((rec.r.trust.flags & 1) + && any_trusted_key_seen) { /* Record marked as inserted via --trusted-key. Is this * still the case? */ - for (k2 = user_utk_list; k2; k2 = k2->next) + for (k2 = trusted_key_list; k2; k2 = k2->next) if (k2->kid[0] == kid[0] && k2->kid[1] == kid[1]) break; if (!k2) /* No - clear the flag. */ @@ -406,7 +428,7 @@ verify_own_keys (ctrl_t ctrl) } /* Put any --trusted-key keys into the trustdb */ - for (k = user_utk_list; k; k = k->next) + for (k = trusted_key_list; k; k = k->next) { if ( add_utk (k->kid) ) { /* not yet in trustDB as ultimately trusted */ @@ -431,9 +453,9 @@ verify_own_keys (ctrl_t ctrl) } } - /* release the helper table table */ - release_key_items (user_utk_list); - user_utk_list = NULL; + /* Release the helper table. */ + release_key_items (trusted_key_list); + trusted_key_list = NULL; return; } diff --git a/g10/verify.c b/g10/verify.c index f8abadd45..c2c63255c 100644 --- a/g10/verify.c +++ b/g10/verify.c @@ -335,7 +335,7 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex) assert_signer_true = 1; write_status_text (STATUS_ASSERT_SIGNER, item->d); if (!opt.quiet) - log_info ("signer '%s' matched\n", item->d); + log_info ("asserted signer '%s'\n", item->d); goto leave; } } @@ -390,7 +390,7 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex) assert_signer_true = 1; write_status_text (STATUS_ASSERT_SIGNER, p); if (!opt.quiet) - log_info ("signer '%s' matched '%s', line %d\n", + log_info ("asserted signer '%s' (%s:%d)\n", p, fname, lnr); goto leave; } 
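Review bot: In verify_own_keys the added `&& any_trusted_key_seen` means the flag on records inserted via --trusted-key is no longer cleared on a run that has no --trusted-key option, so deleting the last trusted-key line from the configuration leaves the record as it is until `trusted-key none` is given. The long comment on tdb_register_trusted_key explains the motive, but nothing at the condition itself says that skipping the clean-up is deliberate. I would add there `/* Only resync if a --trusted-key option (or "none") was seen; otherwise keep the record as is. */` and have the user documentation of the option carry the same caveat. verify_own_keys starts and ends outside the hunk.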
@@ -407,3 +407,32 @@ check_assert_signer_list (const char *mainpkhex, const char *pkhex) leave: es_fclose (fp); } + + +/* This function shall be called with the signer's public key + * algorithm ALGOSTR iff a signature is fully valid. If the option + * --assert-pubkey-algo is active the functions checks whether the + * signing key's algo is valid according to that list; in this case a + * global flag is set. */ +void +check_assert_pubkey_algo (const char *algostr, const char *pkhex) +{ + if (!opt.assert_pubkey_algos) + return; /* Nothing to do. */ + + if (compare_pubkey_string (algostr, opt.assert_pubkey_algos)) + { + write_status_strings (STATUS_ASSERT_PUBKEY_ALGO, + pkhex, " 1 ", algostr, NULL); + if (!opt.quiet) + log_info ("asserted signer '%s' with algo %s\n", pkhex, algostr); + } + else + { + if (!opt.quiet) + log_info ("denied signer '%s' with algo %s\n", pkhex, algostr); + assert_pubkey_algo_false = 1; + write_status_strings (STATUS_ASSERT_PUBKEY_ALGO, + pkhex, " 0 ", algostr, NULL); + } +} diff --git a/g13/g13.c b/g13/g13.c index 9662dd028..dc2dca109 100644 --- a/g13/g13.c +++ b/g13/g13.c @@ -455,6 +455,9 @@ main (int argc, char **argv) pargs.argv = &argv; pargs.flags |= (ARGPARSE_FLAG_RESET | ARGPARSE_FLAG_KEEP +#if GPGRT_VERSION_NUMBER >= 0x013000 /* >= 1.48 */ + | ARGPARSE_FLAG_COMMAND +#endif | ARGPARSE_FLAG_SYS | ARGPARSE_FLAG_USER); diff --git a/po/ca.po b/po/ca.po index b2c28e72f..b4f5b1424 100644 --- a/po/ca.po +++ b/po/ca.po @@ -2303,9 +2303,6 @@ msgstr "crea eixida amb armadura ascii" msgid "|FILE|write output to FILE" msgstr "|FITXER|carrega el mòdul d'extensió especificat" -msgid "use canonical text mode" -msgstr "usa el mode de text canònic" - #, fuzzy msgid "|N|set compress level to N (0 disables)" msgstr "|N|nivell de compressió N (0 no comprimeix)" 
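Review bot: The comment above check_assert_pubkey_algo ends with "in this case a global flag is set" without saying which case, while the code sets `assert_pubkey_algo_false` only when the algorithm does not satisfy the list. I would reword that sentence to `* If --assert-pubkey-algo is active, the signing key's algo is checked against that list and the global flag assert_pubkey_algo_false is set on a mismatch.` It is also worth stating there that an empty ALGOSTR counts as a mismatch, which is what compare_pubkey_string returns for it.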
@@ -7132,7 +7129,7 @@ msgid "||Please enter the PIN" msgstr "canvia la contrasenya" #, fuzzy -msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "Seleccioneu la raó de la revocació:\n" #, c-format @@ -9505,6 +9502,9 @@ msgstr "" msgid "manage the command history" msgstr "" +#~ msgid "use canonical text mode" +#~ msgstr "usa el mode de text canònic" + #, fuzzy #~| msgid "selected digest algorithm is invalid\n" #~ msgid "selected AEAD algorithm is invalid\n" diff --git a/po/cs.po b/po/cs.po index 8b6287734..91abc050a 100644 --- a/po/cs.po +++ b/po/cs.po @@ -2132,9 +2132,6 @@ msgstr "vytvořit výstup zapsaný v ASCII" msgid "|FILE|write output to FILE" msgstr "|SOUBOR|zapsat výstup do SOUBORU" -msgid "use canonical text mode" -msgstr "použít kanonický textový režim" - msgid "|N|set compress level to N (0 disables)" msgstr "|N|nastavit úroveň komprese na N (0 – žádná)" @@ -6707,7 +6704,9 @@ msgstr "přístup k příkazům správce není nakonfigurován\n" msgid "||Please enter the PIN" msgstr "||Prosím, zadejte PIN" -msgid "||Please enter the Reset Code for the card" +#, fuzzy +#| msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "||Prosím, zadejte resetační kód karty" #, c-format @@ -8983,6 +8982,9 @@ msgstr "Příkazy pro správu Yubikey" msgid "manage the command history" msgstr "spravuje historii příkazů" +#~ msgid "use canonical text mode" +#~ msgstr "použít kanonický textový režim" + #~ msgid "selected AEAD algorithm is invalid\n" #~ msgstr "vybraný algoritmus AEAD je neplatný\n" diff --git a/po/da.po b/po/da.po index 602b28d75..9029f37ec 100644 --- a/po/da.po +++ b/po/da.po 
@@ -2334,9 +2334,6 @@ msgstr "opret ascii-pansrede uddata" msgid "|FILE|write output to FILE" msgstr "|FILE|skriv resultat til FIL" -msgid "use canonical text mode" -msgstr "brug kanonisk teksttilstand" - msgid "|N|set compress level to N (0 disables)" msgstr "|N|sæt komprimeringsniveauet til N (0 deaktiverer)" @@ -7175,7 +7172,9 @@ msgstr "adgang til administratorkommandoer er ikke konfigureret\n" msgid "||Please enter the PIN" msgstr "||Indtast venligst PIN'en" -msgid "||Please enter the Reset Code for the card" +#, fuzzy +#| msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "||Indtast venligst nulstillingskoden for kortet" #, c-format @@ -9720,6 +9719,9 @@ msgstr "" msgid "manage the command history" msgstr "" +#~ msgid "use canonical text mode" +#~ msgstr "brug kanonisk teksttilstand" + #, fuzzy #~| msgid "selected digest algorithm is invalid\n" #~ msgid "selected AEAD algorithm is invalid\n" diff --git a/po/de.po b/po/de.po index d4bf929ee..22ac2fcc0 100644 --- a/po/de.po +++ b/po/de.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-2.4.1\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"PO-Revision-Date: 2024-01-24 14:05+0100\n" +"PO-Revision-Date: 2024-03-07 13:56+0100\n" "Last-Translator: Werner Koch \n" "Language-Team: German\n" "Language: de\n" @@ -2142,9 +2142,6 @@ msgstr "Ausgabe mit ASCII-Hülle versehen" msgid "|FILE|write output to FILE" msgstr "|DATEI|Ausgabe auf DATEI schreiben" -msgid "use canonical text mode" -msgstr "Textmodus benutzen" - msgid "|N|set compress level to N (0 disables)" msgstr "|N|Kompressionsstufe auf N setzen (0=keine)" 
@@ -6801,8 +6798,8 @@ msgstr "Zugriff auf Admin-Befehle ist nicht eingerichtet\n" msgid "||Please enter the PIN" msgstr "||Bitte die PIN eingeben" -msgid "||Please enter the Reset Code for the card" -msgstr "Bitte geben Sie den Rückstellcode für diese Karte ein" +msgid "|R|Please enter the Reset Code for the card" +msgstr "|R|Bitte geben Sie den Rückstellcode für diese Karte ein" #, c-format msgid "Reset Code is too short; minimum length is %d\n" @@ -9116,6 +9113,9 @@ msgstr "Verwaltungskommandos für Yubikeys" msgid "manage the command history" msgstr "Verwaltung der Kommandohistorie" +#~ msgid "use canonical text mode" +#~ msgstr "Textmodus benutzen" + #~ msgid "continuing verification anyway due to option %s\n" #~ msgstr "Die Prüfung wird aufgrund der Option %s weiter durchgeführt\n" @@ -9298,7 +9298,6 @@ msgstr "Verwaltung der Kommandohistorie" #~ msgid "ldapserver missing" #~ msgstr "LDAP Server fehlt" -#, fuzzy #~ msgid "Suggest a random passphrase." #~ msgstr "Ein zufälliges Passwort vorschlagen" diff --git a/po/el.po b/po/el.po index 9417187b7..c2d740743 100644 --- a/po/el.po +++ b/po/el.po @@ -2232,9 +2232,6 @@ msgstr "δημιουργία ascii θωρακισμένης εξόδου" msgid "|FILE|write output to FILE" msgstr "|ΑΡΧΕΙΟ|φόρτωμα του αρθρώματος επέκτασης ΑΡΧΕΙΟ" -msgid "use canonical text mode" -msgstr "χρήση κανονικής κατάστασης κειμένου" - #, fuzzy msgid "|N|set compress level to N (0 disables)" msgstr "|N|καθορισμός επιπέδου συμπίεσης N (0 απενεργοποιεί)" @@ -6997,7 +6994,7 @@ msgid "||Please enter the PIN" msgstr "αλλαγή της φράσης κλειδί" #, fuzzy -msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "Παρακαλώ επιλέξτε την αιτία για την ανάκληση:\n" #, c-format 
@@ -9329,6 +9326,9 @@ msgstr "" msgid "manage the command history" msgstr "" +#~ msgid "use canonical text mode" +#~ msgstr "χρήση κανονικής κατάστασης κειμένου" + #, fuzzy #~| msgid "selected digest algorithm is invalid\n" #~ msgid "selected AEAD algorithm is invalid\n" diff --git a/po/eo.po b/po/eo.po index 3a9a4d130..16def7e84 100644 --- a/po/eo.po +++ b/po/eo.po @@ -2215,9 +2215,6 @@ msgstr "krei eligon en askia kiraso" msgid "|FILE|write output to FILE" msgstr "|DOSIERO|legi aldonan bibliotekon DOSIERO" -msgid "use canonical text mode" -msgstr "uzi tekstan reĝimon" - #, fuzzy msgid "|N|set compress level to N (0 disables)" msgstr "|N|difini densig-nivelon N (0=nenia)" @@ -6906,7 +6903,7 @@ msgid "||Please enter the PIN" msgstr "ŝanĝi la pasfrazon" #, fuzzy -msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "Kialo por revoko: " #, c-format @@ -9240,6 +9237,9 @@ msgstr "" msgid "manage the command history" msgstr "" +#~ msgid "use canonical text mode" +#~ msgstr "uzi tekstan reĝimon" + #, fuzzy #~| msgid "selected digest algorithm is invalid\n" #~ msgid "selected AEAD algorithm is invalid\n" diff --git a/po/es.po b/po/es.po index 7edbe88d7..16b13a7ff 100644 --- a/po/es.po +++ b/po/es.po @@ -2201,9 +2201,6 @@ msgstr "crea una salida ascii con armadura" msgid "|FILE|write output to FILE" msgstr "|FILE|volcar salida en FICHERO" -msgid "use canonical text mode" -msgstr "usa modo de texto canónico" - msgid "|N|set compress level to N (0 disables)" msgstr "|N|nivel de compresión N (0 desactiva)" @@ -6848,7 +6845,9 @@ msgstr "el acceso a órdenes de administrador no está configurado\n" msgid "||Please enter the PIN" msgstr "||Por favor introduzca PIN" -msgid "||Please enter the Reset Code for the card" +#, fuzzy +#| msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "||Por favor introduzca Código de Reinicio de la tarjeta" #, c-format 
@@ -9166,6 +9165,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
+#~ msgid "use canonical text mode"
+#~ msgstr "usa modo de texto canónico"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"
diff --git a/po/et.po b/po/et.po
index 139ed412c..65019a83f 100644
--- a/po/et.po
+++ b/po/et.po
@@ -2223,9 +2223,6 @@ msgstr "loo ascii pakendis väljund"
 msgid "|FILE|write output to FILE"
 msgstr "|FAIL|lae laiendusmoodul FAIL"
-msgid "use canonical text mode"
-msgstr "kasuta kanoonilist tekstimoodi"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|määra pakkimise tase N (0 blokeerib)"
@@ -6917,7 +6914,7 @@ msgid "||Please enter the PIN"
 msgstr "muuda parooli"
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Palun valige tühistamise põhjus:\n"
 #, c-format
@@ -9244,6 +9241,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
+#~ msgid "use canonical text mode"
+#~ msgstr "kasuta kanoonilist tekstimoodi"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"
diff --git a/po/fi.po b/po/fi.po
index 505f5c237..47388b28d 100644
--- a/po/fi.po
+++ b/po/fi.po
@@ -2240,9 +2240,6 @@ msgstr "tuota ascii-koodattu tuloste"
 msgid "|FILE|write output to FILE"
 msgstr "|TIEDOSTO|lataa laajennusmoduuli TIEDOSTO"
-msgid "use canonical text mode"
-msgstr "käytä tekstimuotoa"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|aseta pakkausaste N (0 poistaa käytöstä)"
@@ -6980,7 +6977,7 @@ msgid "||Please enter the PIN"
 msgstr "muuta salasanaa"
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Valitse mitätöinnin syy:\n"
 #, c-format
@@ -9312,6 +9309,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
+#~ msgid "use canonical text mode"
+#~ msgstr "käytä tekstimuotoa"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"
diff --git a/po/fr.po b/po/fr.po
index 7baf95d2c..23f74aada 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -2260,9 +2260,6 @@ msgstr "créer une sortie ASCII avec armure"
 msgid "|FILE|write output to FILE"
 msgstr "|FICHIER|écrire la sortie dans le FICHIER"
-msgid "use canonical text mode"
-msgstr "utiliser le mode texte canonique"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|niveau de compression N (0 désactive)"
@@ -7116,7 +7113,9 @@ msgstr "l'accès aux commandes d'administration n'est pas configuré\n"
 msgid "||Please enter the PIN"
 msgstr "||Veuillez entrer le code personnel"
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Veuillez entrer le code de réinitialisation pour la carte"
 #, c-format
@@ -9523,6 +9522,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
+#~ msgid "use canonical text mode"
+#~ msgstr "utiliser le mode texte canonique"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"
diff --git a/po/gl.po b/po/gl.po
index 5f408eabd..70cacffb3 100644
--- a/po/gl.po
+++ b/po/gl.po
@@ -2231,9 +2231,6 @@ msgstr "crear saída con armadura en ascii"
 msgid "|FILE|write output to FILE"
 msgstr "|FICHEIRO|carga-lo módulo de extensión FICHEIRO"
-msgid "use canonical text mode"
-msgstr "usar modo de texto canónico"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|axusta-lo nivel de compresión a N (0 desactiva)"
@@ -6981,7 +6978,7 @@ msgid "||Please enter the PIN"
 msgstr "cambia-lo contrasinal"
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Por favor, escolla o motivo da revocación:\n"
 #, c-format
@@ -9324,6 +9321,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
+#~ msgid "use canonical text mode"
+#~ msgstr "usar modo de texto canónico"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"
diff --git a/po/hu.po b/po/hu.po
index 0955d468a..697b141cf 100644
--- a/po/hu.po
+++ b/po/hu.po
@@ -2223,9 +2223,6 @@ msgstr "ascii páncélozott kimenet létrehozása"
 msgid "|FILE|write output to FILE"
 msgstr "|fájl|bővítő modul betöltése"
-msgid "use canonical text mode"
-msgstr "kanonikus szöveges mód használata"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|tömörítési szint beállítása N-re (0: tiltás)"
@@ -6943,7 +6940,7 @@ msgid "||Please enter the PIN"
 msgstr "jelszóváltoztatás"
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Kérem, válassza ki a visszavonás okát:\n"
 #, c-format
@@ -9271,6 +9268,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
+#~ msgid "use canonical text mode"
+#~ msgstr "kanonikus szöveges mód használata"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"
diff --git a/po/id.po b/po/id.po
index 5a22bb96d..b192b70d9 100644
--- a/po/id.po
+++ b/po/id.po
@@ -2227,9 +2227,6 @@ msgstr "ciptakan output ascii"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|muat modul ekstensi FILE"
-msgid "use canonical text mode"
-msgstr "gunakan mode teks kanonikal"
-
 #, fuzzy
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|set tingkat kompresi N (0 tidak ada)"
@@ -6942,7 +6939,7 @@ msgid "||Please enter the PIN"
 msgstr "ubah passphrase"
 #, fuzzy
-msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "Silakan pilih alasan untuk pembatalan:\n"
 #, c-format
@@ -9270,6 +9267,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
+#~ msgid "use canonical text mode"
+#~ msgstr "gunakan mode teks kanonikal"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"
diff --git a/po/it.po b/po/it.po
index f3bcde883..39faf5469 100644
--- a/po/it.po
+++ b/po/it.po
@@ -2135,9 +2135,6 @@ msgstr "crea un output ascii con armatura"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|scrittura dell'output in FILE"
-msgid "use canonical text mode"
-msgstr "usa il modo testo canonico"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|Impostare il livello di compressione su N (0 disabilita)"
@@ -6762,7 +6759,9 @@ msgstr "l'accesso ai comandi di amministrazione non è configurato\n"
 msgid "||Please enter the PIN"
 msgstr "||Inserisci il PIN"
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Inserisci il Codice reset per la carta"
 #, c-format
@@ -9078,6 +9077,9 @@ msgstr "Comandi di gestione Yubikey"
 msgid "manage the command history"
 msgstr "gestire la cronologia dei comandi"
+#~ msgid "use canonical text mode"
+#~ msgstr "usa il modo testo canonico"
+
 #~ msgid "selected AEAD algorithm is invalid\n"
 #~ msgstr "l'algoritmo AEAD selezionato non è valido\n"
diff --git a/po/ja.po b/po/ja.po
index ab6a8dda4..cc14e47bb 100644
--- a/po/ja.po
+++ b/po/ja.po
@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: gnupg 2.4.3\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2024-01-25 09:06+0900\n"
+"PO-Revision-Date: 2024-03-07 13:59+0100\n"
 "Last-Translator: NIIBE Yutaka \n"
 "Language-Team: none\n"
 "Language: ja\n"
@@ -2086,9 +2086,6 @@ msgstr "ASCII形式の外装を作成"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|出力をFILEに書き出す"
-msgid "use canonical text mode"
-msgstr "正準テキスト・モードを使用"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|圧縮レベルをNに設定 (0は非圧縮)"
@@ -6484,8 +6481,8 @@ msgstr "管理コマンドへのアクセスが設定されていません\n"
 msgid "||Please enter the PIN"
 msgstr "||PINを入力してください"
-msgid "||Please enter the Reset Code for the card"
-msgstr "||カードのリセット・コードを入力してください"
+msgid "|R|Please enter the Reset Code for the card"
+msgstr "|R|カードのリセット・コードを入力してください"
 #, c-format
 msgid "Reset Code is too short; minimum length is %d\n"
@@ -8738,6 +8735,9 @@ msgstr "Yubikey管理コマンド"
 msgid "manage the command history"
 msgstr "コマンド履歴を管理する"
+#~ msgid "use canonical text mode"
+#~ msgstr "正準テキスト・モードを使用"
+
 #~ msgid "continuing verification anyway due to option %s\n"
 #~ msgstr "オプション %sのため、検証を続けます\n"
diff --git a/po/nb.po b/po/nb.po
index e79896ccb..98a6882a7 100644
--- a/po/nb.po
+++ b/po/nb.po
@@ -2171,9 +2171,6 @@ msgstr "lag ASCII-beskyttet utdata"
 msgid "|FILE|write output to FILE"
 msgstr "|FILE|skriv utdata til valgt FIL"
-msgid "use canonical text mode"
-msgstr "bruk kanonisk tekstmodus"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|endre komprimeringsnivå til N (0 for å slå av)"
@@ -6770,7 +6767,9 @@ msgstr "tilgang til admin-kommandoer er ikke konfigurert\n"
 msgid "||Please enter the PIN"
 msgstr "||Skriv inn PIN-kode"
-msgid "||Please enter the Reset Code for the card"
+#, fuzzy
+#| msgid "||Please enter the Reset Code for the card"
+msgid "|R|Please enter the Reset Code for the card"
 msgstr "||Skriv inn tilbakestillingskode for kortet"
 #, c-format
@@ -9055,6 +9054,9 @@ msgstr ""
 msgid "manage the command history"
 msgstr ""
+#~ msgid "use canonical text mode"
+#~ msgstr "bruk kanonisk tekstmodus"
+
 #, fuzzy
 #~| msgid "selected digest algorithm is invalid\n"
 #~ msgid "selected AEAD algorithm is invalid\n"
diff --git a/po/pl.po b/po/pl.po
index 1248d87c6..a423f520c 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -2,13 +2,13 @@
 # Copyright (C) 1998, 1999, 2000, 2001, 2002,
 # 2007 Free Software Foundation, Inc.
 # Janusz A. Urbanowicz , 1999, 2000, 2001, 2002, 2003-2004
-# Jakub Bogusz , 2003-2023.
+# Jakub Bogusz , 2003-2024.
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: gnupg-2.4.3\n"
+"Project-Id-Version: gnupg-2.4.4\n"
 "Report-Msgid-Bugs-To: translations@gnupg.org\n"
-"PO-Revision-Date: 2023-10-20 21:29+0200\n"
+"PO-Revision-Date: 2024-03-07 14:00+0100\n"
 "Last-Translator: Jakub Bogusz \n"
 "Language-Team: Polish \n"
 "Language: pl\n"
@@ -923,43 +923,35 @@ msgstr "OSTRZEŻENIE: „%s%s” jest przestarzałą opcją - nie ma efektu\n" msgid "unknown debug flag '%s' ignored\n" msgstr "nieznana flaga diagnostyczna „%s” zignorowana\n" -#, fuzzy, c-format -#| msgid "waiting for the %s to come up ... (%ds)\n" +#, c-format msgid "waiting for the dirmngr to come up ... (%ds)\n" -msgstr "oczekiwanie na uruchomienie procesu %s... (%ds)\n" +msgstr "oczekiwanie na uruchomienie procesu dirmngr... (%ds)\n" -#, fuzzy, c-format -#| msgid "waiting for the %s to come up ... (%ds)\n" +#, c-format msgid "waiting for the keyboxd to come up ... (%ds)\n" -msgstr "oczekiwanie na uruchomienie procesu %s... (%ds)\n" +msgstr "oczekiwanie na uruchomienie procesu keyboxd... (%ds)\n" -#, fuzzy, c-format -#| msgid "waiting for the %s to come up ... (%ds)\n" +#, c-format msgid "waiting for the agent to come up ... (%ds)\n" -msgstr "oczekiwanie na uruchomienie procesu %s... (%ds)\n" +msgstr "oczekiwanie na uruchomienie procesu agenta... (%ds)\n" -#, fuzzy, c-format -#| msgid "connection to %s established\n" +#, c-format msgid "connection to the dirmngr established\n" -msgstr "ustanowiono połączenie z procesem %s\n" +msgstr "ustanowiono połączenie z procesem dirmngr\n" -#, fuzzy, c-format -#| msgid "connection to %s established\n" +#, c-format msgid "connection to the keyboxd established\n" -msgstr "ustanowiono połączenie z procesem %s\n" +msgstr "ustanowiono połączenie z procesem keyboxd\n" -#, fuzzy, c-format -#| msgid "connection to %s established\n" +#, c-format msgid "connection to the agent established\n" -msgstr "ustanowiono połączenie z procesem %s\n" +msgstr "ustanowiono połączenie z procesem agenta\n" -#, fuzzy, c-format -#| msgid "no running Dirmngr - starting '%s'\n" +#, c-format msgid "no running %s - starting '%s'\n" -msgstr "Dirmngr nie działa - uruchamianie „%s”\n" +msgstr "brak działającego %s - uruchamianie „%s”\n" -#, fuzzy, c-format -#| msgid "connection to agent is in restricted mode\n" +#, c-format msgid 
"connection to the agent is in restricted mode\n" msgstr "połączenie z agentem jest w trybie ograniczonym\n" @@ -1332,10 +1324,11 @@ msgstr "problem z agentem: %s\n" msgid "no dirmngr running in this session\n" msgstr "brak działającego dirmngr w tej sesji\n" -#, fuzzy, c-format -#| msgid "keyserver option \"%s\" may not be used in %s mode\n" +#, c-format msgid "keyserver option \"honor-keyserver-url\" may not be used in Tor mode\n" -msgstr "opcja serwera kluczy „%s” nie może być używana w trybie %s\n" +msgstr "" +"opcja serwera kluczy „honor-keyserver-url” nie może być używana w trybie " +"Tor\n" msgid "WKD uses a cached result" msgstr "WKD używa zapamiętanego wyniku" @@ -1402,7 +1395,7 @@ msgstr "wymuszono" #, c-format msgid "Please try command \"%s\" if the listing does not look correct\n" -msgstr "Proszę spróbować polecenia ,,%s'', jeśli lista nie wygląda poprawnie\n" +msgstr "Proszę spróbować polecenia „%s”, jeśli lista nie wygląda poprawnie\n" msgid "Error: Only plain ASCII is currently allowed.\n" msgstr "Błąd: aktualnie dopuszczalne jest tylko czyste ASCII.\n" @@ -1768,14 +1761,13 @@ msgstr "" "OSTRZEŻENIE: wymuszone użycie szyfru %s (%d) kłóci się z ustawieniami " "adresata\n" -#, fuzzy, c-format -#| msgid "cipher algorithm '%s' may not be used in %s mode\n" +#, c-format msgid "cipher algorithm '%s' may not be used for encryption\n" -msgstr "szyfr „%s” nie może być używany w trybie %s\n" +msgstr "algorytm szyfru „%s” nie może być używany do szyfrowania\n" #, c-format msgid "(use option \"%s\" to override)\n" -msgstr "" +msgstr "(opcją „%s” można to obejść)\n" #, c-format msgid "cipher algorithm '%s' may not be used in %s mode\n" 
@@ -1821,17 +1813,15 @@ msgstr ""
 "OSTRZEŻENIE: wymuszone użycie kompresji %s (%d) kłóci się z ustawieniami "
 "adresata\n"
-#, fuzzy, c-format
-#| msgid "%s/%s encrypted for: \"%s\"\n"
+#, c-format
 msgid "%s/%s.%s encrypted for: \"%s\"\n"
-msgstr "%s/%s zaszyfrowany dla: „%s”\n"
+msgstr "%s/%s.%s zaszyfrowany dla: „%s”\n"
 #, c-format
 msgid "option '%s' may not be used in %s mode\n"
 msgstr "opcja „%s” nie może być używana w trybie %s\n"
-#, fuzzy, c-format
-#| msgid "%s encrypted data\n"
+#, c-format
 msgid "%s encrypted data\n"
 msgstr "dane zaszyfrowano za pomocą %s\n"
@@ -2101,9 +2091,6 @@ msgstr "opakowanie ASCII pliku wynikowego"
 msgid "|FILE|write output to FILE"
 msgstr "|PLIK|zapis wyjścia do PLIKU"
-msgid "use canonical text mode"
-msgstr "kanoniczny format tekstowy"
-
 msgid "|N|set compress level to N (0 disables)"
 msgstr "|N|ustawienie poziomu kompresji N (0 - bez)"
@@ -2798,12 +2785,11 @@ msgstr ""
 #, c-format
 msgid " \"%s\": preference for cipher algorithm %s\n"
-msgstr " „%s”: preferowany szyfr %s\n"
+msgstr " „%s”: preferowany algorytm szyfru %s\n"
-#, fuzzy, c-format
-#| msgid " \"%s\": preference for cipher algorithm %s\n"
+#, c-format
 msgid " \"%s\": preference for AEAD algorithm %s\n"
-msgstr " „%s”: preferowany szyfr %s\n"
+msgstr " „%s”: preferowany algorytm AEAD %s\n"
 #, c-format
 msgid " \"%s\": preference for digest algorithm %s\n"
@@ -3905,7 +3891,7 @@ msgstr "Czy podano odcisk podklucza?\n"
 #, c-format
 msgid "key \"%s\" is already on this keyblock\n"
-msgstr "klucz ,,%s'' jest już w tym bloku kluczy\n"
+msgstr "klucz „%s” jest już w tym bloku kluczy\n"
 msgid ""
 "Are you sure you want to change the expiration time for multiple subkeys? (y/"
@@ -4154,77 +4140,64 @@ msgstr " (%c) Przełączenie możliwości uwierzytelniania\n"
 msgid " (%c) Finished\n"
 msgstr " (%c) Zakończenie\n"
-#, fuzzy, c-format
-#| msgid " (%d) RSA and RSA (default)\n"
+#, c-format
 msgid " (%d) RSA and RSA%s\n"
-msgstr " (%d) RSA i RSA (domyślne)\n"
+msgstr " (%d) RSA i RSA%s\n"
-#, fuzzy, c-format
-#| msgid " (%d) DSA and Elgamal\n"
+#, c-format
 msgid " (%d) DSA and Elgamal%s\n"
-msgstr " (%d) DSA i Elgamala\n"
+msgstr " (%d) DSA i Elgamala%s\n"
-#, fuzzy, c-format
-#| msgid " (%d) DSA (sign only)\n"
+#, c-format
 msgid " (%d) DSA (sign only)%s\n"
-msgstr " (%d) DSA (tylko do podpisywania)\n"
+msgstr " (%d) DSA (tylko do podpisywania)%s\n"
-#, fuzzy, c-format
-#| msgid " (%d) RSA (sign only)\n"
+#, c-format
 msgid " (%d) RSA (sign only)%s\n"
-msgstr " (%d) RSA (tylko do podpisywania)\n"
+msgstr " (%d) RSA (tylko do podpisywania)%s\n"
-#, fuzzy, c-format
-#| msgid " (%d) Elgamal (encrypt only)\n"
+#, c-format
 msgid " (%d) Elgamal (encrypt only)%s\n"
-msgstr " (%d) Elgamala (tylko do szyfrowania)\n"
+msgstr " (%d) Elgamala (tylko do szyfrowania)%s\n"
-#, fuzzy, c-format
-#| msgid " (%d) RSA (encrypt only)\n"
+#, c-format
 msgid " (%d) RSA (encrypt only)%s\n"
-msgstr " (%d) RSA (tylko do szyfrowania)\n"
+msgstr " (%d) RSA (tylko do szyfrowania)%s\n"
-#, fuzzy, c-format
-#| msgid " (%d) DSA (set your own capabilities)\n"
+#, c-format
 msgid " (%d) DSA (set your own capabilities)%s\n"
-msgstr " (%d) DSA (możliwości do ustawienia)\n"
+msgstr " (%d) DSA (możliwości do ustawienia)%s\n"
-#, fuzzy, c-format
-#| msgid " (%d) RSA (set your own capabilities)\n"
+#, c-format
 msgid " (%d) RSA (set your own capabilities)%s\n"
-msgstr " (%d) RSA (możliwości do ustawienia)\n"
+msgstr " (%d) RSA (możliwości do ustawienia)%s\n"
-#, fuzzy, c-format
-#| msgid " (%d) sign, encrypt\n"
+#, c-format
 msgid " (%d) ECC (sign and encrypt)%s\n"
-msgstr " (%d) podpisywanie, szyfrowanie\n"
+msgstr " (%d) ECC (podpisywanie i szyfrowanie)%s\n"
 msgid " *default*"
-msgstr ""
+msgstr " *domyślne*"
 #, c-format
 msgid " (%d) ECC (sign only)\n"
 msgstr " (%d) ECC (tylko do podpisywania)\n"
-#, fuzzy, c-format
-#| msgid " (%d) ECC (set your own capabilities)\n"
+#, c-format
 msgid " (%d) ECC (set your own capabilities)%s\n"
-msgstr " (%d) ECC (możliwości do ustawienia)\n"
+msgstr " (%d) ECC (możliwości do ustawienia)%s\n"
-#, fuzzy, c-format
-#| msgid " (%d) ECC (encrypt only)\n"
+#, c-format
 msgid " (%d) ECC (encrypt only)%s\n"
-msgstr " (%d) ECC (tylko do szyfrowania)\n"
+msgstr " (%d) ECC (tylko do szyfrowania)%s\n"
-#, fuzzy, c-format
-#| msgid " (%d) Existing key\n"
+#, c-format
 msgid " (%d) Existing key%s\n"
-msgstr " (%d) Istniejący klucz\n"
+msgstr " (%d) Istniejący klucz%s\n"
-#, fuzzy, c-format
-#| msgid " (%d) Existing key from card\n"
+#, c-format
 msgid " (%d) Existing key from card%s\n"
-msgstr " (%d) Istniejący klucz z karty\n"
+msgstr " (%d) Istniejący klucz z karty%s\n"
 msgid "Enter the keygrip: "
 msgstr "Uchwyt klucza: "
@@ -5336,25 +5309,22 @@ msgstr ""
 "OSTRZEŻENIE: ten klucz mógł zostać unieważniony\n"
 " (brak klucza unieważniającego aby to sprawdzić)\n"
-#, fuzzy, c-format
-#| msgid "user ID: \"%s\"\n"
+#, c-format
 msgid "checking User ID \"%s\"\n"
-msgstr "identyfikator użytkownika: „%s”\n"
+msgstr "sprawdzanie identyfikatora użytkownika: „%s”\n"
-#, fuzzy, c-format
-#| msgid "option '%s' given, but option '%s' not given\n"
+#, c-format
 msgid "option %s given but issuer \"%s\" does not match\n"
-msgstr "podano opcję „%s”, ale nie podano opcji „%s”\n"
+msgstr "podano opcję %s, ale wystawca „%s” nie pasuje\n"
-#, fuzzy, c-format
-#| msgid "key %s: doesn't match our copy\n"
+#, c-format
 msgid "issuer \"%s\" does not match any User ID\n"
-msgstr "klucz %s: nie zgadza się z lokalną kopią\n"
+msgstr "klucz „%s” nie pasuje do żadnego identyfikatora użytkownika\n"
-#, fuzzy, c-format
-#| msgid "option '%s' given, but option '%s' not given\n"
+#, c-format
 msgid "option %s given but no matching User ID found\n"
-msgstr "podano opcję „%s”, ale nie podano opcji „%s”\n"
+msgstr ""
+"podano opcję %s, ale nie znaleziono pasującego identyfikatora użytkownika\n"
 #, c-format
 msgid "WARNING: This key has been revoked by its designated revoker!\n"
@@ -6524,15 +6494,14 @@ msgstr "linia wejścia %u zbyt długa lub brak znaku LF\n"
 msgid "can't open fd %d: %s\n"
 msgstr "nie można otworzyć fd %d: %s\n"
-#, fuzzy, c-format
-#| msgid "WARNING: message was not integrity protected\n"
+#, c-format
 msgid "WARNING: encrypting without integrity protection is dangerous\n"
-msgstr "OSTRZEŻENIE: wiadomość nie była zabezpieczona przed manipulacją\n"
+msgstr ""
+"OSTRZEŻENIE: szyfrowanie bez ochrony przed manipulacją jest niebezpieczne\n"
-#, fuzzy, c-format
-#| msgid "ambiguous option '%s'\n"
+#, c-format
 msgid "Hint: Do not use option %s\n"
-msgstr "niejednoznaczna opcja „%s”\n"
+msgstr "Podpowiedź: nie używać opcji %s\n"
 msgid "set debugging flags"
 msgstr "ustawienie flag diagnostycznych"
@@ -6774,8 +6743,8 @@ msgstr "dostęp do poleceń administratora nie został skonfigurowany\n"
 msgid "||Please enter the PIN"
 msgstr "||Proszę wpisać PIN"
-msgid "||Please enter the Reset Code for the card"
-msgstr "||Proszę wprowadzić kod resetujący dla karty"
+msgid "|R|Please enter the Reset Code for the card"
+msgstr "|R|Proszę wprowadzić kod resetujący dla karty"
 #, c-format
 msgid "Reset Code is too short; minimum length is %d\n"
@@ -8553,7 +8522,7 @@ msgstr "%s:%u: podano hasło bez użytkownika\n"
 #, c-format
 msgid "%s:%u: ignoring unknown flag '%s'\n"
-msgstr "%s:%u: zignorowano nieznaną flagę ,,%s''\n"
+msgstr "%s:%u: zignorowano nieznaną flagę „%s”\n"
 #, c-format
 msgid "%s:%u: skipping this line\n"
@@ -8986,489 +8955,69 @@ msgstr "" "Składnia: gpg-check-pattern [opcje] plik-wzorców\n" "Sprawdzanie hasła ze standardowego wejścia względem pliku wzorców\n" -#, fuzzy, c-format -#| msgid "Note: keys are already stored on the card!\n" +#, c-format msgid "Note: key %s is already stored on the card!\n" -msgstr "Uwaga: klucze są już zapisane na karcie!\n" +msgstr "Uwaga: klucz %s jest już zapisany na karcie!\n" -#, fuzzy, c-format -#| msgid "Note: keys are already stored on the card!\n" +#, c-format msgid "Note: Keys are already stored on the card!\n" msgstr "Uwaga: klucze są już zapisane na karcie!\n" -#, fuzzy, c-format -#| msgid "Replace existing keys? (y/N) " +#, c-format msgid "Replace existing key %s ? (y/N) " -msgstr "Zastąpić istniejące klucze? (t/N) " +msgstr "Zastąpić istniejące klucz %s? (t/N) " -#, fuzzy, c-format -#| msgid "OpenPGP card no. %s detected\n" +#, c-format msgid "%s card no. %s detected\n" -msgstr "Wykryto kartę OpenPGP nr %s\n" +msgstr "Wykryto kartę %s nr %s\n" #, c-format msgid "User Interaction Flag is set to \"%s\" - can't change\n" msgstr "" +"Flaga interakcji użytkownika (UIF) jest ustawiona na „%s” - nie można " +"zmienić\n" #, c-format msgid "" "Warning: Setting the User Interaction Flag to \"%s\"\n" " can only be reverted using a factory reset!\n" msgstr "" +"Uwaga: ustawienie flagi interakcji użytkownika (UIF) na „%s”\n" +" może być odwrócone tylko przez reset do ustawień fabrycznych!\n" #, c-format msgid "Please use \"uif --yes %d %s\"\n" -msgstr "" +msgstr "Proszę użyć „uif --yes %d %s”\n" -#, fuzzy -#| msgid "add a certificate to the cache" msgid "authenticate to the card" -msgstr "dodanie certyfikatu do pamięci podręcznej" +msgstr "uwierzytelnienie względem karty" msgid "send a reset to the card daemon" -msgstr "" +msgstr "wysłanie resetu do demona kart" msgid "setup KDF for PIN authentication" msgstr "ustawienie KDF do uwierzytelniania PIN-em" msgid "change a private data object" -msgstr "" +msgstr "zmiana obiektu danych 
prywatnych" -#, fuzzy -#| msgid "add a certificate to the cache" msgid "read a certificate from a data object" -msgstr "dodanie certyfikatu do pamięci podręcznej" +msgstr "odczyt certyfikatu z obiektu danych" -#, fuzzy -#| msgid "add a certificate to the cache" msgid "store a certificate to a data object" -msgstr "dodanie certyfikatu do pamięci podręcznej" +msgstr "zapis certyfikatu w obiekcie danych" msgid "store a private key to a data object" -msgstr "" +msgstr "zapis klucza prywatnego w obiekcie danych" msgid "run various checks on the keys" -msgstr "" +msgstr "wykonanie różnych sprawdzeń kluczy" msgid "Yubikey management commands" -msgstr "" +msgstr "polecenia zarządzające kluczami Yubikey" msgid "manage the command history" -msgstr "" +msgstr "zarządzanie historią poleceń" -#, fuzzy -#~| msgid "selected digest algorithm is invalid\n" -#~ msgid "selected AEAD algorithm is invalid\n" -#~ msgstr "wybrany algorytm skrótów wiadomości jest niepoprawny\n" - -#, fuzzy -#~| msgid "invalid personal cipher preferences\n" -#~ msgid "invalid personal AEAD preferences\n" -#~ msgstr "niewłaściwe ustawienia szyfrów\n" - -#, fuzzy -#~| msgid "cipher algorithm '%s' may not be used in %s mode\n" -#~ msgid "AEAD algorithm '%s' may not be used in %s mode\n" -#~ msgstr "szyfr „%s” nie może być używany w trybie %s\n" - -#~ msgid "forcing symmetric cipher %s (%d) violates recipient preferences\n" -#~ msgstr "wymuszone użycie szyfru %s (%d) kłóci się z ustawieniami adresata\n" - -#~ msgid "error writing to temporary file: %s\n" -#~ msgstr "błąd zapisu do pliku tymczasowego: %s\n" - -#~ msgid "run in supervised mode" -#~ msgstr "uruchomienie w trybie dozorowanym" - -#~ msgid "Name may not start with a digit\n" -#~ msgstr "Imię lub nazwisko nie może zaczynać się od cyfry\n" - -#~ msgid "Name must be at least 5 characters long\n" -#~ msgstr "Imię i nazwisko muszą mieć co najmniej 5 znaków długości.\n" - -#~ msgid "Configuration for Keyservers" -#~ msgstr "Konfiguracja dla serwerów 
kluczy" - -#~ msgid "Configuration of LDAP servers to use" -#~ msgstr "Konfiguracja używanych serwerów LDAP" - -#~ msgid "selfsigned certificate has a BAD signature" -#~ msgstr "certyfikat z własnym podpisem ma BŁĘDNY podpis" - -#~ msgid "requesting key %s from %s server %s\n" -#~ msgstr "zapytanie o klucz %s z serwera %s %s\n" - -#~ msgid "%s:%u: no hostname given\n" -#~ msgstr "%s:%u: nie podano nazwy hosta\n" - -#~ msgid "could not parse keyserver\n" -#~ msgstr "niezrozumiały adres serwera kluczy\n" - -#~ msgid "return all values in a record oriented format" -#~ msgstr "zwrócenie wszystkich wartości w formacie rekordu" - -#~ msgid "|NAME|ignore host part and connect through NAME" -#~ msgstr "|NAZWA|zignorowanie części z hostem i połączenie poprzez NAZWĘ" - -#~ msgid "|NAME|connect to host NAME" -#~ msgstr "|NAZWA|połączenie z hostem NAZWA" - -#~ msgid "|N|connect to port N" -#~ msgstr "|N|połączenie z portem N" - -#~ msgid "|NAME|use user NAME for authentication" -#~ msgstr "|NAZWA|użycie NAZWY użytkownika do uwierzytelnienia" - -#~ msgid "|PASS|use password PASS for authentication" -#~ msgstr "|HASŁO|użycie HASŁA do uwierzytelnienia" - -#~ msgid "take password from $DIRMNGR_LDAP_PASS" -#~ msgstr "pobranie hasła z $DIRMNGR_LDAP_PASS" - -#~ msgid "|STRING|query DN STRING" -#~ msgstr "|ŁAŃCUCH|ŁAŃCUCH zapytania DN" - -#~ msgid "|STRING|use STRING as filter expression" -#~ msgstr "|ŁAŃCUCH|użycie ŁAŃCUCHA jako wyrażenia filtra" - -#~ msgid "|STRING|return the attribute STRING" -#~ msgstr "|ŁAŃCUCH|zwrócenie atrybutu ŁAŃCUCH" - -#~ msgid "Usage: dirmngr_ldap [options] [URL] (-h for help)\n" -#~ msgstr "Składnia: dirmngr_ldap [opcje] [URL] (-h wyświetla pomoc)\n" - -#~ msgid "" -#~ "Syntax: dirmngr_ldap [options] [URL]\n" -#~ "Internal LDAP helper for Dirmngr\n" -#~ "Interface and options may change without notice\n" -#~ msgstr "" -#~ "Składnia: dirmngr_ldap [opcje] [URL]\n" -#~ "Wewnętrzny program pomocniczy LDAP dla Dirmngr\n" -#~ "Interfejs i opcje mogą się 
zmienić bez uprzedzenia\n" - -#~ msgid "invalid port number %d\n" -#~ msgstr "błędny numer portu %d\n" - -#~ msgid "scanning result for attribute '%s'\n" -#~ msgstr "przeszukiwanie wyniku pod kątem atrybutu „%s”\n" - -#~ msgid "error writing to stdout: %s\n" -#~ msgstr "błąd zapisu na standardowe wyjście: %s\n" - -#~ msgid " available attribute '%s'\n" -#~ msgstr " dostępny atrybut „%s”\n" - -#~ msgid "attribute '%s' not found\n" -#~ msgstr "nie znaleziono atrybutu „%s”\n" - -#~ msgid "found attribute '%s'\n" -#~ msgstr "znaleziono atrybut „%s”\n" - -#~ msgid "processing url '%s'\n" -#~ msgstr "przetwarzanie URL-a „%s”\n" - -#~ msgid " user '%s'\n" -#~ msgstr " użytkownik „%s”\n" - -#~ msgid " pass '%s'\n" -#~ msgstr " hasło „%s”\n" - -#~ msgid " host '%s'\n" -#~ msgstr " host „%s”\n" - -#~ msgid " port %d\n" -#~ msgstr " port %d\n" - -#~ msgid " DN '%s'\n" -#~ msgstr " DN „%s”\n" - -#~ msgid " filter '%s'\n" -#~ msgstr " filtr „%s”\n" - -#~ msgid " attr '%s'\n" -#~ msgstr " atrybut „%s”\n" - -#~ msgid "no host name in '%s'\n" -#~ msgstr "brak nazwy hosta w „%s”\n" - -#~ msgid "no attribute given for query '%s'\n" -#~ msgstr "nie podano atrybutu dla zapytania „%s”\n" - -#~ msgid "WARNING: using first attribute only\n" -#~ msgstr "OSTRZEŻENIE: użyto tylko pierwszego atrybutu\n" - -#~ msgid "LDAP init to '%s:%d' failed: %s\n" -#~ msgstr "nie udało się zainicjować LDAP na „%s:%d”: %s\n" - -#, fuzzy -#~| msgid "LDAP init to '%s:%d' failed: %s\n" -#~ msgid "LDAP init to '%s' failed: %s\n" -#~ msgstr "nie udało się zainicjować LDAP na „%s:%d”: %s\n" - -#, fuzzy -#~| msgid "LDAP init to '%s:%d' failed: %s\n" -#~ msgid "LDAP init to '%s' done\n" -#~ msgstr "nie udało się zainicjować LDAP na „%s:%d”: %s\n" - -#~ msgid "binding to '%s:%d' failed: %s\n" -#~ msgstr "dowiązanie do „%s:%d” nie powiodło się: %s\n" - -#~ msgid "searching '%s' failed: %s\n" -#~ msgstr "szukanie „%s” nie powiodło się: %s\n" - -#~ msgid "start_cert_fetch: invalid pattern '%s'\n" -#~ msgstr 
"start_cert_fetch: błędny wzorzec „%s”\n" - -#~ msgid "ldapserver missing" -#~ msgstr "brak pola ldapserver" - -#, fuzzy -#~| msgid "change a passphrase" -#~ msgid "Suggest a random passphrase." -#~ msgstr "zmiana hasła" - -#~ msgid "detected card with S/N: %s\n" -#~ msgstr "wykryto kartę o numerze seryjnym: %s\n" - -#~ msgid "no authentication key for ssh on card: %s\n" -#~ msgstr "nie znaleziono klucza uwierzytelniającego dla ssh na karcie: %s\n" - -#~ msgid "Please remove the current card and insert the one with serial number" -#~ msgstr "Proszę wyjąć obecną kartę i włożyć kartę z numerem seryjnym" - -#~ msgid "use a log file for the server" -#~ msgstr "użycie pliku loga dla serwera" - -#~ msgid "no running gpg-agent - starting '%s'\n" -#~ msgstr "gpg-agent nie działa - uruchamianie „%s”\n" - -#~ msgid "argument not expected" -#~ msgstr "nieoczekiwany argument" - -#~ msgid "read error" -#~ msgstr "błąd odczytu" - -#~ msgid "keyword too long" -#~ msgstr "słowo kluczowe zbyt długie" - -#~ msgid "missing argument" -#~ msgstr "brak argumentu" - -#~ msgid "invalid argument" -#~ msgstr "niepoprawny argument" - -#~ msgid "invalid command" -#~ msgstr "błędne polecenie" - -#~ msgid "invalid alias definition" -#~ msgstr "błędna definicja aliasu" - -#~ msgid "out of core" -#~ msgstr "brak pamięci" - -#, fuzzy -#~| msgid "invalid command" -#~ msgid "invalid meta command" -#~ msgstr "błędne polecenie" - -#, fuzzy -#~| msgid "unknown command '%s'\n" -#~ msgid "unknown meta command" -#~ msgstr "nieznane polecenie „%s”\n" - -#, fuzzy -#~| msgid "unexpected armor: " -#~ msgid "unexpected meta command" -#~ msgstr "nieoczekiwane opakowanie: " - -#~ msgid "invalid option" -#~ msgstr "błędna opcja" - -#~ msgid "missing argument for option \"%.50s\"\n" -#~ msgstr "brak argumentu dla opcji „%.50s”\n" - -#~ msgid "option \"%.50s\" does not expect an argument\n" -#~ msgstr "opcja „%.50s” nie może mieć argumentów\n" - -#~ msgid "invalid command \"%.50s\"\n" -#~ msgstr "błędne polecenie 
„%.50s”\n" - -#~ msgid "option \"%.50s\" is ambiguous\n" -#~ msgstr "opcja „%.50s” jest niejednoznaczna\n" - -#~ msgid "command \"%.50s\" is ambiguous\n" -#~ msgstr "polecenie „%.50s” jest niejednoznaczne\n" - -#~ msgid "invalid option \"%.50s\"\n" -#~ msgstr "błędna opcja „%.50s”\n" - -#~ msgid "Note: no default option file '%s'\n" -#~ msgstr "Uwaga: brak domyślnego pliku opcji „%s”\n" - -#~ msgid "option file '%s': %s\n" -#~ msgstr "plik opcji „%s”: %s\n" - -#~ msgid "unable to execute program '%s': %s\n" -#~ msgstr "nie można uruchomić programu „%s”: %s\n" - -#~ msgid "unable to execute external program\n" -#~ msgstr "nie można uruchomić zewnętrznego programu\n" - -#~ msgid "unable to read external program response: %s\n" -#~ msgstr "nie można odczytać odpowiedzi programu zewnętrznego: %s\n" - -#~ msgid "validate signatures with PKA data" -#~ msgstr "sprawdzanie podpisów z danymi PKA" - -#~ msgid "elevate the trust of signatures with valid PKA data" -#~ msgstr "zwiększenie zaufania podpisów z poprawnymi danymi PKA" - -#~ msgid " (%d) ECC and ECC\n" -#~ msgstr " (%d) ECC i ECC\n" - -#~ msgid "honor the PKA record set on a key when retrieving keys" -#~ msgstr "honorowanie rekordu PKA ustawionego w kluczu przy pobieraniu kluczy" - -#~ msgid "Note: Verified signer's address is '%s'\n" -#~ msgstr "Uwaga: Sprawdzony adres pospisującego to „%s”\n" - -#~ msgid "Note: Signer's address '%s' does not match DNS entry\n" -#~ msgstr "Uwaga: Adres podpisującego „%s” nie pasuje do wpisu DNS\n" - -#~ msgid "trustlevel adjusted to FULL due to valid PKA info\n" -#~ msgstr "" -#~ "poziom zaufania poprawiony na PEŁNY ze względu na poprawne informacje " -#~ "PKA\n" - -#~ msgid "trustlevel adjusted to NEVER due to bad PKA info\n" -#~ msgstr "" -#~ "poziom zaufania poprawiony na ŻADEN ze względu na błędne informacje PKA\n" - -#~ msgid "|FILE|write a server mode log to FILE" -#~ msgstr "|PLIK|zapisanie logów trybu serwerowego do PLIKU" - -#~ msgid "run without asking a user" -#~ msgstr 
"działanie bez pytania użytkownika" - -#~ msgid "allow PKA lookups (DNS requests)" -#~ msgstr "zezwolenie na wyszukiwania PKA (żądania DNS)" - -#~ msgid "Options controlling the format of the output" -#~ msgstr "Opcje sterujące formatem wyjścia" - -#~ msgid "Options controlling the use of Tor" -#~ msgstr "Opcje sterujące użyciem Tora" - -#~ msgid "LDAP server list" -#~ msgstr "lista serwerów LDAP" - -#~ msgid "Note: old default options file '%s' ignored\n" -#~ msgstr "Uwaga: stary domyślny plik opcji „%s” został zignorowany\n" - -#~ msgid "" -#~ "@\n" -#~ "Commands:\n" -#~ " " -#~ msgstr "" -#~ "@\n" -#~ "Polecenia:\n" -#~ " " - -#~ msgid "decryption modus" -#~ msgstr "tryb rozszyfrowywania" - -#~ msgid "encryption modus" -#~ msgstr "tryb szyfrowania" - -#~ msgid "tool class (confucius)" -#~ msgstr "klasa narzędzia (confucius)" - -#~ msgid "program filename" -#~ msgstr "nazwa programu" - -#~ msgid "secret key file (required)" -#~ msgstr "plik klucza tajnego (wymagany)" - -#~ msgid "input file name (default stdin)" -#~ msgstr "nazwa pliku wejściowego (domyślnie standardowe wejście)" - -#~ msgid "Usage: symcryptrun [options] (-h for help)" -#~ msgstr "Składnia: symcryptrun [opcje] (-h wyświetla pomoc)" - -#~ msgid "" -#~ "Syntax: symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE " -#~ "[options...] COMMAND [inputfile]\n" -#~ "Call a simple symmetric encryption tool\n" -#~ msgstr "" -#~ "Składnia: symcryptrun --class KLASA --program PROGRAM --keyfile " -#~ "PLIK_KLUCZA [opcje...] 
POLECENIE [plik-weściowy]\n" -#~ "Wywołanie prostego narzędzia do szyfrowania symetrycznego\n" - -#~ msgid "%s on %s aborted with status %i\n" -#~ msgstr "%s na %s przerwany ze stanem %i\n" - -#~ msgid "%s on %s failed with status %i\n" -#~ msgstr "%s na %s nie powiódł się ze stanem %i\n" - -#~ msgid "can't create temporary directory '%s': %s\n" -#~ msgstr "nie można utworzyć katalogu tymczasowego „%s”: %s\n" - -#~ msgid "could not open %s for writing: %s\n" -#~ msgstr "nie udało się otworzyć %s do zapisu: %s\n" - -#~ msgid "error closing %s: %s\n" -#~ msgstr "błąd zamykania %s: %s\n" - -#~ msgid "no --program option provided\n" -#~ msgstr "nie podano opcji --program\n" - -#~ msgid "only --decrypt and --encrypt are supported\n" -#~ msgstr "obsługiwane są tylko --decrypt i --encrypt\n" - -#~ msgid "no --keyfile option provided\n" -#~ msgstr "nie podano opcji --keyfile\n" - -#~ msgid "cannot allocate args vector\n" -#~ msgstr "nie można przydzielić wektora args\n" - -#~ msgid "could not create pipe: %s\n" -#~ msgstr "nie udało się utworzyć potoku: %s\n" - -#~ msgid "could not create pty: %s\n" -#~ msgstr "nie udało się utworzyć pty: %s\n" - -#~ msgid "could not fork: %s\n" -#~ msgstr "nie udało się wykonać fork: %s\n" - -#~ msgid "execv failed: %s\n" -#~ msgstr "execv nie powiodło się: %s\n" - -#~ msgid "select failed: %s\n" -#~ msgstr "select nie powiodło się: %s\n" - -#~ msgid "read failed: %s\n" -#~ msgstr "odczyt nie powiódł się: %s\n" - -#~ msgid "pty read failed: %s\n" -#~ msgstr "odczyt pty nie powiódł się: %s\n" - -#~ msgid "waitpid failed: %s\n" -#~ msgstr "waitpid nie powiodło się: %s\n" - -#~ msgid "child aborted with status %i\n" -#~ msgstr "potomek został przerwany ze stanem %i\n" - -#~ msgid "cannot allocate infile string: %s\n" -#~ msgstr "nie można przydzielić łańcucha pliku wejściowego: %s\n" - -#~ msgid "cannot allocate outfile string: %s\n" -#~ msgstr "nie można przydzielić łańcucha pliku wyjściowego: %s\n" - -#~ msgid "either %s or %s must be 
given\n" -#~ msgstr "musi być podane %s lub %s\n" - -#~ msgid "no class provided\n" -#~ msgstr "nie podano klasy\n" - -#~ msgid "class %s is not supported\n" -#~ msgstr "klasa %s nie jest obsługiwana\n" +#~ msgid "use canonical text mode" +#~ msgstr "kanoniczny format tekstowy" diff --git a/po/pt.po b/po/pt.po index c0b052b2e..31f3fbec8 100644 --- a/po/pt.po +++ b/po/pt.po @@ -2157,9 +2157,6 @@ msgstr "criar saída blindada ASCII" msgid "|FILE|write output to FILE" msgstr "|FILE|escrever saída em FILE" -msgid "use canonical text mode" -msgstr "usar modo de texto canónico" - msgid "|N|set compress level to N (0 disables)" msgstr "|N|definir nível de compressão para N (0 desabilita)" @@ -6726,7 +6723,9 @@ msgstr "o acesso aos comandos admin não está configurado\n" msgid "||Please enter the PIN" msgstr "||Introduza o PIN" -msgid "||Please enter the Reset Code for the card" +#, fuzzy +#| msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "||Introduza o Código de Reset do cartão" #, c-format @@ -8997,6 +8996,9 @@ msgstr "comandos de gerir uma Yubikey" msgid "manage the command history" msgstr "gerir o histórico de comandos" +#~ msgid "use canonical text mode" +#~ msgstr "usar modo de texto canónico" + #, c-format #~ msgid "waiting for process to terminate failed: ec=%d\n" #~ msgstr "falha ao esperar que o processo terminasse: ec=%d\n" diff --git a/po/ro.po b/po/ro.po index c7b55e2f1..39b43f663 100644 --- a/po/ro.po +++ b/po/ro.po @@ -2248,9 +2248,6 @@ msgstr "crează ieşire în armură ascii" msgid "|FILE|write output to FILE" msgstr "|FIŞIER|încarcă modulul extensie FIŞIER" -msgid "use canonical text mode" -msgstr "foloseşte modul text canonic" - #, fuzzy msgid "|N|set compress level to N (0 disables)" msgstr "|N|setează nivel de compresie N (0 deactivează)" 
@@ -7056,7 +7053,7 @@ msgid "||Please enter the PIN" msgstr "||Vă rugăm introduceţi PIN%%0A[semnături făcute: %lu]" #, fuzzy -msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "||Vă rugăm introduceţi PIN%%0A[semnături făcute: %lu]" #, fuzzy, c-format @@ -9415,6 +9412,9 @@ msgstr "" msgid "manage the command history" msgstr "" +#~ msgid "use canonical text mode" +#~ msgstr "foloseşte modul text canonic" + #, fuzzy #~| msgid "selected digest algorithm is invalid\n" #~ msgid "selected AEAD algorithm is invalid\n" diff --git a/po/ru.po b/po/ru.po index 47b9e3b56..b12d936b1 100644 --- a/po/ru.po +++ b/po/ru.po @@ -2158,9 +2158,6 @@ msgstr "вывод в текстовом формате" msgid "|FILE|write output to FILE" msgstr "|FILE|выводить данные в файл FILE" -msgid "use canonical text mode" -msgstr "использовать канонический текстовый режим" - msgid "|N|set compress level to N (0 disables)" msgstr "|N|установить уровень сжатия N (0 - без сжатия)" @@ -6836,7 +6833,9 @@ msgstr "доступ к командам управления не настро msgid "||Please enter the PIN" msgstr "||Введите PIN" -msgid "||Please enter the Reset Code for the card" +#, fuzzy +#| msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "||Введите код сброса для карты" #, c-format @@ -9156,6 +9155,9 @@ msgstr "" msgid "manage the command history" msgstr "" +#~ msgid "use canonical text mode" +#~ msgstr "использовать канонический текстовый режим" + #, fuzzy #~| msgid "selected digest algorithm is invalid\n" #~ msgid "selected AEAD algorithm is invalid\n" diff --git a/po/sk.po b/po/sk.po index 638bc8955..6f31a693d 100644 --- a/po/sk.po +++ b/po/sk.po 
@@ -2231,9 +2231,6 @@ msgstr "vytvor výstup zakódovaný pomocou ASCII" msgid "|FILE|write output to FILE" msgstr "|SÚBOR|nahrať rozširujúci modul SÚBOR" -msgid "use canonical text mode" -msgstr "použiť kánonický textový mód" - #, fuzzy msgid "|N|set compress level to N (0 disables)" msgstr "" @@ -6969,7 +6966,7 @@ msgid "||Please enter the PIN" msgstr "zmeniť heslo" #, fuzzy -msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "Prosím výberte dôvod na revokáciu:\n" #, c-format @@ -9304,6 +9301,9 @@ msgstr "" msgid "manage the command history" msgstr "" +#~ msgid "use canonical text mode" +#~ msgstr "použiť kánonický textový mód" + #, fuzzy #~| msgid "selected digest algorithm is invalid\n" #~ msgid "selected AEAD algorithm is invalid\n" diff --git a/po/sv.po b/po/sv.po index 0e6951f81..b0e86cd32 100644 --- a/po/sv.po +++ b/po/sv.po @@ -2369,9 +2369,6 @@ msgstr "skapa utdata med ett ascii-skal" msgid "|FILE|write output to FILE" msgstr "|FIL|skriv utdata till FIL" -msgid "use canonical text mode" -msgstr "använd \"ursprunglig text\"-läget" - msgid "|N|set compress level to N (0 disables)" msgstr "|N|ställ in komprimeringsnivån till N (0 för att inaktivera)" @@ -7294,7 +7291,9 @@ msgstr "åtkomst till administrationskommandon är inte konfigurerat\n" msgid "||Please enter the PIN" msgstr "||Ange PIN-koden" -msgid "||Please enter the Reset Code for the card" +#, fuzzy +#| msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "||Ange nollställningskoden för kortet" #, c-format @@ -9860,6 +9859,9 @@ msgstr "" msgid "manage the command history" msgstr "" +#~ msgid "use canonical text mode" +#~ msgstr "använd \"ursprunglig text\"-läget" + #, fuzzy #~| msgid "selected digest algorithm is invalid\n" #~ msgid "selected AEAD algorithm is invalid\n" diff --git a/po/tr.po b/po/tr.po index 95aa0aef5..f8a21ea2f 100644 --- a/po/tr.po +++ b/po/tr.po 
@@ -2101,9 +2101,6 @@ msgstr "ascii zırhlı çıktı oluştur" msgid "|FILE|write output to FILE" msgstr "|FILE|çıktıyı FILE'a yaz" -msgid "use canonical text mode" -msgstr "kurallı metin kipini kullan" - msgid "|N|set compress level to N (0 disables)" msgstr "|N|sıkıştırma düzeyini N olarak ayarla (0 devre dışı bırakır)" @@ -6666,7 +6663,9 @@ msgstr "yönetici komutlarına erişim yapılandırılmamış\n" msgid "||Please enter the PIN" msgstr "||Lütfen PIN'i giriniz" -msgid "||Please enter the Reset Code for the card" +#, fuzzy +#| msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "||Lütfen kart için Sıfırlama Kodunu giriniz" #, c-format @@ -8918,3 +8917,6 @@ msgstr "Yubikey yönetim konsolu" msgid "manage the command history" msgstr "komut geçmişini yönet" + +#~ msgid "use canonical text mode" +#~ msgstr "kurallı metin kipini kullan" diff --git a/po/uk.po b/po/uk.po index 3f5bfedba..56c1939f5 100644 --- a/po/uk.po +++ b/po/uk.po @@ -2179,9 +2179,6 @@ msgstr "створити дані у форматі ASCII" msgid "|FILE|write output to FILE" msgstr "|FILE|записати дані до вказаного файла" -msgid "use canonical text mode" -msgstr "використовувати канонічний текстовий режим" - msgid "|N|set compress level to N (0 disables)" msgstr "|N|встановити рівень стиснення (0 — вимкнути)" @@ -6937,7 +6934,9 @@ msgstr "доступ до адміністративних команд не н msgid "||Please enter the PIN" msgstr "||Вкажіть пінкод" -msgid "||Please enter the Reset Code for the card" +#, fuzzy +#| msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "||Вкажіть код скидання коду картки" #, c-format @@ -9249,6 +9248,9 @@ msgstr "" msgid "manage the command history" msgstr "" +#~ msgid "use canonical text mode" +#~ msgstr "використовувати канонічний текстовий режим" + #, fuzzy #~| msgid "selected digest algorithm is invalid\n" #~ msgid "selected AEAD algorithm is invalid\n" 
diff --git a/po/zh_CN.po b/po/zh_CN.po index f48fdec84..a02d48f00 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -2075,9 +2075,6 @@ msgstr "创建 ASCII 字符封装的输出" msgid "|FILE|write output to FILE" msgstr "|FILE|写输出到 FILE" -msgid "use canonical text mode" -msgstr "使用规范的文本模式" - msgid "|N|set compress level to N (0 disables)" msgstr "|N|设置压缩等级为 N (0 为禁用)" @@ -6435,7 +6432,9 @@ msgstr "未配置到管理员命令的访问\n" msgid "||Please enter the PIN" msgstr "||请输入 PIN" -msgid "||Please enter the Reset Code for the card" +#, fuzzy +#| msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "||请输入卡片的重置码" #, c-format @@ -8675,6 +8674,9 @@ msgstr "Yubikey 管理命令" msgid "manage the command history" msgstr "管理命令历史记录" +#~ msgid "use canonical text mode" +#~ msgstr "使用规范的文本模式" + #~ msgid "continuing verification anyway due to option %s\n" #~ msgstr "由于 %s 选项,验证仍在继续中\n" diff --git a/po/zh_TW.po b/po/zh_TW.po index aa5a1125e..8110f3d11 100644 --- a/po/zh_TW.po +++ b/po/zh_TW.po @@ -2189,9 +2189,6 @@ msgstr "建立以 ASCII 封裝過的輸出" msgid "|FILE|write output to FILE" msgstr "|檔案|將輸出寫入至指定檔案" -msgid "use canonical text mode" -msgstr "使用標準的文字模式" - msgid "|N|set compress level to N (0 disables)" msgstr "|N|設定壓縮等級為 N (0 表示不壓縮)" @@ -6778,7 +6775,9 @@ msgstr "管理者指令存取權限尚未組態\n" msgid "||Please enter the PIN" msgstr "||請輸入個人識別碼 (PIN)" -msgid "||Please enter the Reset Code for the card" +#, fuzzy +#| msgid "||Please enter the Reset Code for the card" +msgid "|R|Please enter the Reset Code for the card" msgstr "||請輸入卡片的重設碼" #, c-format @@ -9057,6 +9056,9 @@ msgstr "" msgid "manage the command history" msgstr "" +#~ msgid "use canonical text mode" +#~ msgstr "使用標準的文字模式" + #, fuzzy #~| msgid "selected digest algorithm is invalid\n" #~ msgid "selected AEAD algorithm is invalid\n" diff --git a/scd/app-nks.c b/scd/app-nks.c index cdbdde8fb..c207fd500 100644 --- a/scd/app-nks.c +++ b/scd/app-nks.c 
@@ -1613,7 +1613,7 @@ verify_pin (app_t app, int pwid, const char *desc, memset (&pininfo, 0, sizeof pininfo); pininfo.fixedlen = -1; - /* FIXME: TCOS allows to read the min. and max. values - do this. */ + /* FIXME: TCOS allows one to read the min. and max. values - do this. */ if (app->appversion == 15) { if (app->app_local->active_nks_app == NKS_APP_NKS && pwid == 0x03) diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c index 3bc709602..1f5d64e6a 100644 --- a/scd/app-openpgp.c +++ b/scd/app-openpgp.c @@ -3306,6 +3306,7 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr, char *pinvalue = NULL; int reset_mode = !!(flags & APP_CHANGE_FLAG_RESET); int set_resetcode = 0; + int use_resetcode = 0; pininfo_t pininfo; int use_pinpad = 0; int minlen = 6; @@ -3458,7 +3459,7 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr, } rc = pincb (pincb_arg, - _("||Please enter the Reset Code for the card"), + _("|R|Please enter the Reset Code for the card"), &resetcode); if (rc) { @@ -3473,13 +3474,14 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr, rc = gpg_error (GPG_ERR_BAD_RESET_CODE); goto leave; } + use_resetcode = 1; } else { rc = gpg_error (GPG_ERR_INV_ID); goto leave; } - } + } /* End version 2 cards. */ if (chvno == 3) app->did_chv3 = 0; @@ -3511,6 +3513,17 @@ do_change_pin (app_t app, ctrl_t ctrl, const char *chvnostr, goto leave; } } + else if (use_resetcode) + { + minlen = 6; /* Reset from the RC value to the PIN value. */ + if (strlen (pinvalue) < minlen) + { + log_info (_("PIN for CHV%d is too short;" + " minimum length is %d\n"), 1, minlen); + rc = gpg_error (GPG_ERR_BAD_PIN); + goto leave; + } + } else { if (chvno == 3) diff --git a/scd/app-p15.c b/scd/app-p15.c index 2bb90beaa..6af10b46b 100644 --- a/scd/app-p15.c +++ b/scd/app-p15.c 
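Review bot: In the new `else if (use_resetcode)` branch of do_change_pin (hunk at -3511) the minimum length and the CHV number are both bare literals (`minlen = 6;` and `1` passed for `%d`), and the only rationale is a short trailing comment. Presumably `minlen` was raised for the Reset Code earlier in the function, outside this hunk; if so, the comment should say that, e.g. `/* MINLEN was raised for the Reset Code above; the new PIN only needs the regular minimum of 6. */`. The comparison `strlen (pinvalue) < minlen` mixes size_t with int, which is harmless here only because `minlen` is a positive constant. do_change_pin starts and ends outside the hunk.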
@@ -305,7 +305,7 @@ struct prkdf_object_s keyaccess_flags_t accessflags; /* Extended key usage flags. Only used if .valid is set. This - * information is computed from an associated certificate15. */ + * information is computed from an associated certificate. */ struct { unsigned int valid:1; unsigned int sign:1; @@ -520,6 +520,9 @@ struct app_local_s /* Information on all useful certificates. */ cdf_object_t useful_certificate_info; + /* Counter to make object ids of certificates unique. */ + unsigned int cdf_dup_counter; + /* Information on all public keys. */ prkdf_object_t public_key_info; @@ -2419,6 +2422,22 @@ read_ef_pukdf (app_t app, unsigned short fid, pukdf_object_t *result) } +/* Return true id CDFLIST has the given object id. */ +static int +objid_in_cdflist_p (cdf_object_t cdflist, + const unsigned char *objid, size_t objidlen) +{ + cdf_object_t cdf; + + if (!objid || !objidlen) + return 0; + for (cdf = cdflist; cdf; cdf = cdf->next) + if (cdf->objidlen == objidlen && !memcmp (cdf->objid, objid, objidlen)) + return 1; + return 0; +} + + /* Read and parse the Certificate Directory Files identified by FID. On success a newlist of CDF object gets stored at RESULT and the caller is then responsible of releasing this list. On error a @@ -2464,6 +2483,7 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result) unsigned long ul; const unsigned char *objid; size_t objidlen; + int objidextralen; err = parse_ber_header (&p, &n, &class, &tag, &constructed, &ndef, &objlen, &hdrlen); 
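Review bot: The header comment of objid_in_cdflist_p (hunk at -2419) has a typo ("true id") and does not state what happens for an empty id. Suggest `/* Return true if CDFLIST contains an object with the id (OBJID,OBJIDLEN); a NULL or zero-length id never matches. */`. The function is complete within the hunk.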
@@ -2588,8 +2608,19 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result) label = NULL; } - cdf->objidlen = objidlen; - cdf->objid = xtrymalloc (objidlen); + /* Card's have been found in the wild which do not have unique + * IDs for their certificate objects. If we detect this we + * append a counter to the ID. */ + objidextralen = + (objid_in_cdflist_p (cdflist, objid, objidlen) + || objid_in_cdflist_p (app->app_local->certificate_info, + objid, objidlen) + || objid_in_cdflist_p (app->app_local->trusted_certificate_info, + objid, objidlen) + || objid_in_cdflist_p (app->app_local->useful_certificate_info, + objid, objidlen)); + cdf->objidlen = objidlen + objidextralen; + cdf->objid = xtrymalloc (objidlen + objidextralen); if (!cdf->objid) { err = gpg_error_from_syserror (); @@ -2597,6 +2628,16 @@ read_ef_cdf (app_t app, unsigned short fid, int cdftype, cdf_object_t *result) goto leave; } memcpy (cdf->objid, objid, objidlen); + if (objidextralen) + { + if (app->app_local->cdf_dup_counter == 255) + { + log_error ("p15: too many duplicate certificate ids\n"); + err = gpg_error (GPG_ERR_TOO_MANY); + goto parse_error; + } + cdf->objid[objidlen] = ++app->app_local->cdf_dup_counter; + } cdf->pathlen = objlen/2; for (i=0; i < cdf->pathlen; i++, pp += 2, nn -= 2) @@ -3664,6 +3705,7 @@ read_p15_info (app_t app) log_assert (!app->app_local->certificate_info); log_assert (!app->app_local->trusted_certificate_info); log_assert (!app->app_local->useful_certificate_info); + app->app_local->cdf_dup_counter = 0; err = read_ef_cdf (app, app->app_local->odf.certificates, 'c', &app->app_local->certificate_info); if (!err || gpg_err_code (err) == GPG_ERR_NO_DATA) 
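Review bot: The ID synthesized in read_ef_cdf is not itself checked for uniqueness: `objid_in_cdflist_p` is called with the card's original `objid`, and the counter byte is appended afterwards (next hunk), so if an already listed certificate's real ID happens to equal the duplicated ID plus that byte, two entries still share one ID. The IDs are read from the card, so either repeat the lookup on the extended ID or document that only exact duplicates are handled. `objidextralen` stores the 0/1 result of a boolean expression; a comment such as `/* 1 if the id is a duplicate and gets a counter byte appended, else 0 */` would make `objidlen + objidextralen` easier to follow. read_ef_cdf starts and ends outside the hunk.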
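Review bot: The `cdf_dup_counter == 255` branch (hunk at -2597) jumps to `parse_error` after `cdf->objid` has already been allocated. The label is outside the hunk, so this needs confirming: if `parse_error` releases only `cdf`, the new buffer leaks, and if it clears `err` in order to skip the record, the `GPG_ERR_TOO_MANY` set here never reaches the caller. A short comment at the branch stating which of the two outcomes is intended (skip this certificate or abort reading the CDF) would settle it for the next reader.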
@@ -4214,7 +4256,8 @@ set_usage_string (char usage[5], prkdf_object_t prkdf) && (!prkdf->extusage.valid || prkdf->extusage.sign)) usage[usagelen++] = 'c'; if ((prkdf->usageflags.decrypt - || prkdf->usageflags.unwrap) + || prkdf->usageflags.unwrap + || prkdf->usageflags.derive) && (!prkdf->extusage.valid || prkdf->extusage.encr)) usage[usagelen++] = 'e'; if ((prkdf->usageflags.sign @@ -4661,7 +4704,7 @@ do_getattr (app_t app, ctrl_t ctrl, const char *name) /* We return the ID of the first private key capable of the * requested action. If any gpgusage flag has been set for the - * card we consult the gpgusage flags and not the regualr usage + * card we consult the gpgusage flags and not the regular usage * flags. */ /* FIXME: This changed: Note that we do not yet return @@ -4683,7 +4726,8 @@ do_getattr (app_t app, ctrl_t ctrl, const char *name) if ((name[1] == 'A' && (prkdf->usageflags.sign || prkdf->usageflags.sign_recover)) || (name[1] == 'E' && (prkdf->usageflags.decrypt - || prkdf->usageflags.unwrap)) + || prkdf->usageflags.unwrap + || prkdf->usageflags.derive)) || (name[1] == 'S' && (prkdf->usageflags.sign || prkdf->usageflags.sign_recover))) break; @@ -4892,7 +4936,8 @@ do_getattr (app_t app, ctrl_t ctrl, const char *name) } else { - if (prkdf->usageflags.decrypt || prkdf->usageflags.unwrap) + if (prkdf->usageflags.decrypt || prkdf->usageflags.unwrap + || prkdf->usageflags.derive) break; } } @@ -5784,9 +5829,8 @@ do_sign (app_t app, ctrl_t ctrl, const char *keyidstr, int hashalgo, { if (prkdf->is_ecc) { - /* Not implemented due to lacking test hardware. */ - log_info ("Note: ECC is not yet implemented for DTRUST 4 cards\n"); - err = gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM); + err = iso7816_manage_security_env (app_get_slot (app), + 0xf3, 0x21, NULL, 0); } else { 
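Review bot: The predicate `decrypt || unwrap || derive` is now spelled out by hand in set_usage_string (hunk at -4214), twice in do_getattr (-4683, -4892), in do_decipher (-5970) and in do_with_keygrip (-6274). These five copies decide whether a key may be used for decryption, so one that is missed in a later change gives inconsistent answers between listing a key and using it. A small static helper, sketched below with an illustrative name, would keep them in step; do_decipher would add its `gpgusage.encr` term to it. All of the enclosing functions start and end outside their hunks.
```c
/* Return true if the PKCS#15 usage flags of PRKDF allow the key to be
 * used for decryption (decrypt, unwrap or derive).  */
static int
prkdf_usage_encr_p (prkdf_object_t prkdf)
{
  return (prkdf->usageflags.decrypt
          || prkdf->usageflags.unwrap
          || prkdf->usageflags.derive);
}
```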
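Review bot: The new ECC branch in do_sign (hunk at -5784) passes bare constants, `iso7816_manage_security_env (app_get_slot (app), 0xf3, 0x21, NULL, 0)`, and the matching branch in do_decipher (hunk at -6042) uses `0xF3, 0x39` with a different hex case. The removed lines at least explained why ECC was rejected; the replacement says nothing about what the two bytes select or which card specification they are taken from. A one-line comment at each call naming the two parameters and their source, plus a consistent hex case, would make these calls reviewable. The enclosing card-type conditions start outside the hunks.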
@@ -5927,7 +5971,8 @@ do_auth (app_t app, ctrl_t ctrl, const char *keyidstr, err = prkdf_object_from_keyidstr (app, keyidstr, &prkdf); if (err) return err; - if (!(prkdf->usageflags.sign || prkdf->gpgusage.auth)) + if (!(prkdf->usageflags.sign || prkdf->usageflags.sign_recover + || prkdf->gpgusage.auth)) { log_error ("p15: key %s may not be used for authentication\n", keyidstr); return gpg_error (GPG_ERR_WRONG_KEY_USAGE); @@ -5970,6 +6015,7 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr, return err; if (!(prkdf->usageflags.decrypt || prkdf->usageflags.unwrap + || prkdf->usageflags.derive || prkdf->gpgusage.encr )) { log_error ("p15: key %s may not be used for decryption\n", keyidstr); @@ -5979,17 +6025,18 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr, /* Find the authentication object to this private key object. */ if (!prkdf->authid) { - log_error ("p15: no authentication object defined for %s\n", keyidstr); - /* fixme: we might want to go ahead and do without PIN - verification. */ - return gpg_error (GPG_ERR_UNSUPPORTED_OPERATION); + log_info ("p15: no authentication object defined for %s\n", keyidstr); + aodf = NULL; + } + else + { + for (aodf = app->app_local->auth_object_info; aodf; aodf = aodf->next) + if (aodf->objidlen == prkdf->authidlen + && !memcmp (aodf->objid, prkdf->authid, prkdf->authidlen)) + break; + if (!aodf) + log_info ("p15: no authentication for %s needed\n", keyidstr); } - for (aodf = app->app_local->auth_object_info; aodf; aodf = aodf->next) - if (aodf->objidlen == prkdf->authidlen - && !memcmp (aodf->objid, prkdf->authid, prkdf->authidlen)) - break; - if (!aodf) - log_info ("p15: no authentication for %s needed\n", keyidstr); /* We need some more info about the key - get the keygrip to * populate these fields. */ 
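Review bot: In do_decipher (hunk at -5979) a key object without an `authid` used to fail with GPG_ERR_UNSUPPORTED_OPERATION and now continues with `aodf = NULL`, so all code after this hunk has to treat a NULL `aodf` as "no PIN verification by us". The existing "no authentication for %s needed" case suggests that is already handled, but the verification code is outside the hunk, so confirm that nothing dereferences `aodf` unconditionally. The security assumption deserves a comment, for example `/* No PIN is verified here; the card's own access conditions decide whether the operation is permitted. */`. Whether do_sign and do_auth are meant to behave the same way is not visible in this diff.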
@@ -6042,9 +6089,8 @@ do_decipher (app_t app, ctrl_t ctrl, const char *keyidstr, { if (prkdf->is_ecc) { - /* Not implemented due to lacking test hardware. */ - log_info ("Note: ECC is not yet implemented for DTRUST 4 cards\n"); - err = gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM); + err = iso7816_manage_security_env (app_get_slot (app), + 0xF3, 0x39, NULL, 0); } else { @@ -6274,7 +6320,8 @@ do_with_keygrip (app_t app, ctrl_t ctrl, int action, } else if (capability == GCRY_PK_USAGE_ENCR) { - if (!(prkdf->usageflags.decrypt || prkdf->usageflags.unwrap)) + if (!(prkdf->usageflags.decrypt || prkdf->usageflags.unwrap + || prkdf->usageflags.derive)) continue; } else if (capability == GCRY_PK_USAGE_AUTH) diff --git a/scd/ccid-driver.c b/scd/ccid-driver.c index ad1e16a12..0fcd5a3d8 100644 --- a/scd/ccid-driver.c +++ b/scd/ccid-driver.c @@ -298,6 +298,23 @@ static int send_escape_cmd (ccid_driver_t handle, const unsigned char *data, size_t resultmax, size_t *resultlen); +static void +my_npth_unprotect (void) +{ +#ifdef USE_NPTH + npth_unprotect (); +#endif +} + +static void +my_npth_protect (void) +{ +#ifdef USE_NPTH + npth_protect (); +#endif +} + + static int map_libusb_error (int usberr) { 
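Review bot: my_npth_unprotect and my_npth_protect (hunk at -298 in scd/ccid-driver.c) are added without a comment, although every libusb call changed in the later hunks depends on them being paired correctly. Suggest a comment above the pair along the lines of `/* Wrappers for npth_unprotect/npth_protect; no-ops when built without nPth. Every my_npth_unprotect must be matched by exactly one my_npth_protect on all paths, including error exits. */`. Both functions are complete within the hunk.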
@@ -984,31 +1001,23 @@ get_escaped_usb_string (libusb_device_handle *idev, int idx, /* First get the list of supported languages and use the first one. If we do don't find it we try to use English. Note that this is all in a 2 bute Unicode encoding using little endian. */ -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); rc = libusb_control_transfer (idev, LIBUSB_ENDPOINT_IN, LIBUSB_REQUEST_GET_DESCRIPTOR, (LIBUSB_DT_STRING << 8), 0, buf, sizeof buf, 1000 /* ms timeout */); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); if (rc < 4) langid = 0x0409; /* English. */ else langid = (buf[3] << 8) | buf[2]; -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); rc = libusb_control_transfer (idev, LIBUSB_ENDPOINT_IN, LIBUSB_REQUEST_GET_DESCRIPTOR, (LIBUSB_DT_STRING << 8) + idx, langid, buf, sizeof buf, 1000 /* ms timeout */); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); if (rc < 2 || buf[1] != LIBUSB_DT_STRING) return NULL; /* Error or not a string. */ len = buf[0]; @@ -1345,13 +1354,9 @@ ccid_vendor_specific_setup (ccid_driver_t handle) { if (handle->id_vendor == VENDOR_SCM && handle->id_product == SCM_SPR532) { -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); libusb_clear_halt (handle->idev, handle->ep_intr); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); } return 0; } @@ -1660,13 +1665,9 @@ ccid_usb_thread (void *arg) while (ccid_usb_thread_is_alive) { -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); libusb_handle_events_completed (ctx, NULL); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); } return NULL; 
@@ -1776,36 +1777,42 @@ ccid_open_usb_reader (const char *spec_reader_name, goto leave; } -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); + if (!(opt.compat_flags & COMPAT_CCID_NO_AUTO_DETACH)) + { + rc = libusb_set_auto_detach_kernel_driver (idev, 1); + if (rc) + { + my_npth_protect (); + DEBUGOUT_1 ("note: set_auto_detach_kernel_driver failed: %d\n", rc); + my_npth_unprotect (); + } + } rc = libusb_claim_interface (idev, ifc_no); if (rc) { -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); DEBUGOUT_1 ("usb_claim_interface failed: %d\n", rc); rc = map_libusb_error (rc); goto leave; } /* Submit SET_INTERFACE control transfer which can reset the device. */ - rc = libusb_set_interface_alt_setting (idev, ifc_no, set_no); + if ((*handle)->id_vendor == VENDOR_ACR && (*handle)->id_product == ACR_122U) + rc = 0; /* Not supported by this reader. */ + else + rc = libusb_set_interface_alt_setting (idev, ifc_no, set_no); if (rc) { -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); DEBUGOUT_1 ("usb_set_interface_alt_setting failed: %d\n", rc); rc = map_libusb_error (rc); goto leave; } -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); + /* Perform any vendor specific intialization. */ rc = ccid_vendor_specific_init (*handle); leave: @@ -1939,13 +1946,9 @@ do_close_reader (ccid_driver_t handle) while (!handle->powered_off) { DEBUGOUT ("libusb_handle_events_completed\n"); -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); libusb_handle_events_completed (NULL, &handle->powered_off); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); } } 
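Review bot: In ccid_open_usb_reader (hunk at -1776) a failing `libusb_set_auto_detach_kernel_driver` is reported only as a raw number, while the transfer paths in this file print `libusb_error_name (rc)`; `DEBUGOUT_1 ("note: set_auto_detach_kernel_driver failed: %s\n", libusb_error_name (rc));` would be consistent and readable. The protect/debug/unprotect sequence around that message is balanced, but a short comment that the lock is re-taken only for logging would help, since each later error exit relies on being in the unprotected state. The added comment `/* Perform any vendor specific intialization. */` has a typo ("initialization"). The function starts and ends outside the hunk.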
@@ -2076,15 +2079,11 @@ bulk_out (ccid_driver_t handle, unsigned char *msg, size_t msglen, } } -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_out, msg, msglen, &transferred, 5000 /* ms timeout */); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); if (rc == 0 && transferred == msglen) return 0; @@ -2124,14 +2123,10 @@ bulk_in (ccid_driver_t handle, unsigned char *buffer, size_t length, memset (buffer, 0, length); retry: -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_in, buffer, length, &msglen, bwi*timeout); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); if (rc) { DEBUGOUT_1 ("usb_bulk_read error: %s\n", libusb_error_name (rc)); @@ -2280,9 +2275,7 @@ abort_cmd (ccid_driver_t handle, int seqno, int init) /* Send the abort command to the control pipe. Note that we don't need to keep track of sent abort commands because there should never be another thread using the same slot concurrently. */ -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); rc = libusb_control_transfer (handle->idev, 0x21,/* bmRequestType: host-to-device, class specific, to interface. */ @@ -2291,9 +2284,7 @@ abort_cmd (ccid_driver_t handle, int seqno, int init) handle->ifc_no, dummybuf, 0, 1000 /* ms timeout */); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); if (rc) { DEBUGOUT_1 ("usb_control_msg error: %s\n", libusb_error_name (rc)); @@ -2319,15 +2310,11 @@ abort_cmd (ccid_driver_t handle, int seqno, int init) msglen = 10; set_msg_len (msg, 0); -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_out, msg, msglen, &transferred, init? 100: 5000 /* ms timeout */); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); if (rc == 0 && transferred == msglen) rc = 0; else if (rc) 
@@ -2337,15 +2324,11 @@ abort_cmd (ccid_driver_t handle, int seqno, int init) if (rc) return map_libusb_error (rc); -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); rc = libusb_bulk_transfer (handle->idev, handle->ep_bulk_in, msg, sizeof msg, &msglen, init? 100: 5000 /*ms timeout*/); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); if (rc) { DEBUGOUT_1 ("usb_bulk_read error in abort_cmd: %s\n", @@ -2559,14 +2542,10 @@ ccid_slot_status (ccid_driver_t handle, int *statusbits, int on_wire) if (!retries) { DEBUGOUT ("USB: CALLING USB_CLEAR_HALT\n"); -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); libusb_clear_halt (handle->idev, handle->ep_bulk_in); libusb_clear_halt (handle->idev, handle->ep_bulk_out); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); } else DEBUGOUT ("USB: RETRYING bulk_in AGAIN\n"); @@ -3335,13 +3314,9 @@ ccid_transceive (ccid_driver_t handle, if (tpdulen < 4) { -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); libusb_clear_halt (handle->idev, handle->ep_bulk_in); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); return CCID_DRIVER_ERR_ABORTED; } @@ -3793,13 +3768,9 @@ ccid_transceive_secure (ccid_driver_t handle, if (tpdulen < 4) { -#ifdef USE_NPTH - npth_unprotect (); -#endif + my_npth_unprotect (); libusb_clear_halt (handle->idev, handle->ep_bulk_in); -#ifdef USE_NPTH - npth_protect (); -#endif + my_npth_protect (); return CCID_DRIVER_ERR_ABORTED; } if (debug_level > 1) diff --git a/scd/ccid-driver.h b/scd/ccid-driver.h index 18cbc87f0..bac5fac07 100644 --- a/scd/ccid-driver.h +++ b/scd/ccid-driver.h @@ -70,6 +70,7 @@ enum { VENDOR_FSIJ = 0x234b, VENDOR_VASCO = 0x1a44, VENDOR_NXP = 0x1fc9, + VENDOR_ACR = 0x072f }; @@ -88,6 +89,7 @@ enum { #define VEGA_ALPHA 0x0008 #define CYBERJACK_GO 0x0504 #define CRYPTOUCAN 0x81e6 +#define ACR_122U 0x2200 /* NFC Reader */ #endif /*CCID_DRIVER_INCLUDE_USB_IDS*/ 
diff --git a/scd/scdaemon.c b/scd/scdaemon.c index e49b2ce42..2a9b0923c 100644 --- a/scd/scdaemon.c +++ b/scd/scdaemon.c @@ -104,6 +104,7 @@ enum cmd_and_opt_values oDisableApplication, oApplicationPriority, oEnablePinpadVarlen, + oCompatibilityFlags, oListenBacklog }; @@ -172,6 +173,7 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_s (oDisableApplication, "disable-application", "@"), ARGPARSE_s_s (oApplicationPriority, "application-priority", N_("|LIST|change the application priority to LIST")), + ARGPARSE_s_s (oCompatibilityFlags, "compatibility-flags", "@"), ARGPARSE_s_i (oListenBacklog, "listen-backlog", "@"), @@ -204,6 +206,14 @@ static struct debug_flags_s debug_flags [] = }; +/* The list of compatibility flags. */ +static struct compatibility_flags_s compatibility_flags [] = + { + { COMPAT_CCID_NO_AUTO_DETACH, "ccid-no-auto-detach" }, + { 0, NULL } + }; + + /* The card driver we use by default for PC/SC. */ #if defined(HAVE_W32_SYSTEM) || defined(__CYGWIN__) #define DEFAULT_PCSC_DRIVER "winscard.dll" @@ -628,6 +638,15 @@ main (int argc, char **argv ) case oEnablePinpadVarlen: opt.enable_pinpad_varlen = 1; break; + case oCompatibilityFlags: + if (parse_compatibility_flags (pargs.r.ret_str, &opt.compat_flags, + compatibility_flags)) + { + pargs.r_opt = ARGPARSE_INVALID_ARG; + pargs.err = ARGPARSE_PRINT_WARNING; + } + break; + case oListenBacklog: listen_backlog = pargs.r.ret_int; break; diff --git a/scd/scdaemon.h b/scd/scdaemon.h index 7b82d1b21..16873c54b 100644 --- a/scd/scdaemon.h +++ b/scd/scdaemon.h @@ -67,6 +67,9 @@ struct want to use. */ unsigned long card_timeout; /* Disconnect after N seconds of inactivity. */ int debug_allow_pin_logging; /* Allow PINs in debug output. */ + + /* Compatibility flags (COMPAT_FLAG_xxxx). */ + unsigned int compat_flags; } opt; 
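Review bot: The comment on the new `compat_flags` field in scd/scdaemon.h (hunk at -67) refers to `COMPAT_FLAG_xxxx`, but the only flag this commit defines is named `COMPAT_CCID_NO_AUTO_DETACH` (following hunk). Suggest `/* Compatibility flags (COMPAT_xxxx). */` so that searching for the documented prefix actually finds the definitions. The struct starts outside the hunk.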
@@ -92,6 +95,11 @@ struct #define DBG_CARD_IO (opt.debug & DBG_CARD_IO_VALUE) #define DBG_READER (opt.debug & DBG_READER_VALUE) + +#define COMPAT_CCID_NO_AUTO_DETACH 1 + + + struct server_local_s; struct card_ctx_s; struct app_ctx_s; diff --git a/sm/gpgsm.c b/sm/gpgsm.c index 4b6c353a0..7c866d0b8 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -1330,8 +1330,19 @@ main ( int argc, char **argv) case oHomedir: gnupg_set_homedir (pargs.r.ret_str); break; case oChUid: break; /* Command line only (see above). */ - case oAgentProgram: opt.agent_program = pargs.r.ret_str; break; - case oKeyboxdProgram: opt.keyboxd_program = pargs.r.ret_str; break; + + case oAgentProgram: + xfree (opt.agent_program); + opt.agent_program = make_filename (pargs.r.ret_str, NULL); + break; + case oKeyboxdProgram: + xfree (opt.keyboxd_program); + opt.keyboxd_program = make_filename (pargs.r.ret_str, NULL); + break; + case oDirmngrProgram: + xfree (opt.dirmngr_program); + opt.dirmngr_program = make_filename (pargs.r.ret_str, NULL); + break; case oDisplay: set_opt_session_env ("DISPLAY", pargs.r.ret_str); @@ -1349,7 +1360,6 @@ main ( int argc, char **argv) case oLCctype: opt.lc_ctype = xstrdup (pargs.r.ret_str); break; case oLCmessages: opt.lc_messages = xstrdup (pargs.r.ret_str); break; - case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str; break; case oDisableDirmngr: opt.disable_dirmngr = 1; break; case oPreferSystemDirmngr: /* Obsolete */; break; case oProtectToolProgram: diff --git a/sm/gpgsm.h b/sm/gpgsm.h index eb9ba9f17..673ea1687 100644 --- a/sm/gpgsm.h +++ b/sm/gpgsm.h 
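Review bot: The three handlers in sm/gpgsm.c (hunk at -1330) now call `xfree` on the previous value before storing the `make_filename` result, which is only valid if every other assignment to `opt.agent_program`, `opt.keyboxd_program` and `opt.dirmngr_program` stores heap memory or NULL. Those assignments are outside this hunk; the switch to `char *` in sm/gpgsm.h does not by itself make the compiler reject a string constant there, so a search of the tree is worthwhile. `protect_tool_program` stays `const char *` in gpgsm.h, and whether it should get the same expansion is not visible here. main() starts and ends outside the hunk.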
@@ -60,16 +60,16 @@ struct int use_keyboxd; /* Use the external keyboxd as storage backend. */ const char *config_filename; /* Name of the used config file. */ - const char *agent_program; + char *agent_program; - const char *keyboxd_program; + char *keyboxd_program; session_env_t session_env; char *lc_ctype; char *lc_messages; int autostart; - const char *dirmngr_program; + char *dirmngr_program; int disable_dirmngr; /* Do not do any dirmngr calls. */ const char *protect_tool_program; char *outfile; /* name of output file */ diff --git a/sm/minip12.c b/sm/minip12.c index 2e7b50e1c..4a1fab050 100644 --- a/sm/minip12.c +++ b/sm/minip12.c @@ -677,7 +677,7 @@ parse_bag_encrypted_data (struct p12_parse_ctx_s *ctx, tlv_parser_t tlv) const unsigned char *data; size_t datalen; int intval; - char salt[20]; + char salt[32]; size_t saltlen; char iv[16]; unsigned int iter; 
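Review bot: In `parse_bag_encrypted_data` (sm/minip12.c) the salt buffer grows from 20 to 32 bytes, but the length check that guards the copy into `salt` lies outside this hunk, so it cannot be confirmed here that the bound moved with the buffer. That check should be written against `sizeof salt` rather than a literal, so that the array size and the salt length accepted from the PKCS#12 file cannot drift apart. If other parsers in this file keep their own salt array, they presumably need the same size. The function body continues outside the hunk.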
@@ -1945,43 +1945,46 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw, } where = "pfx"; - if (tlv_next (tlv)) + if ((err = tlv_next (tlv))) goto bailout; - if (tlv_expect_sequence (tlv)) + if ((err = tlv_expect_sequence (tlv))) goto bailout; where = "pfxVersion"; - if (tlv_next (tlv)) + if ((err = tlv_next (tlv))) goto bailout; - if (tlv_expect_integer (tlv, &intval) || intval != 3) + if ((err = tlv_expect_integer (tlv, &intval)) || intval != 3) goto bailout; where = "authSave"; - if (tlv_next (tlv)) + if ((err = tlv_next (tlv))) goto bailout; - if (tlv_expect_sequence (tlv)) + if ((err = tlv_expect_sequence (tlv))) goto bailout; - if (tlv_next (tlv)) + if ((err = tlv_next (tlv))) goto bailout; - if (tlv_expect_object_id (tlv, &oid, &oidlen)) + if ((err = tlv_expect_object_id (tlv, &oid, &oidlen))) goto bailout; if (oidlen != DIM(oid_data) || memcmp (oid, oid_data, DIM(oid_data))) + { + err = gpg_error (GPG_ERR_INV_OBJ); + goto bailout; + } + + if ((err = tlv_next (tlv))) + goto bailout; + if ((err = tlv_expect_context_tag (tlv, &intval)) || intval != 0 ) goto bailout; - if (tlv_next (tlv)) + if ((err = tlv_next (tlv))) goto bailout; - if (tlv_expect_context_tag (tlv, &intval) || intval != 0 ) - goto bailout; - - if (tlv_next (tlv)) - goto bailout; - if (tlv_expect_octet_string (tlv, 1, NULL, NULL)) + if ((err = tlv_expect_octet_string (tlv, 1, NULL, NULL))) goto bailout; if (tlv_peek (tlv, CLASS_UNIVERSAL, TAG_OCTET_STRING)) { - if (tlv_next (tlv)) + if ((err = tlv_next (tlv))) goto bailout; err = tlv_expect_octet_string (tlv, 1, NULL, NULL); if (err) @@ -1989,9 +1992,9 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw, } where = "bags"; - if (tlv_next (tlv)) + if ((err = tlv_next (tlv))) goto bailout; - if (tlv_expect_sequence (tlv)) + if ((err = tlv_expect_sequence (tlv))) goto bailout; startlevel = tlv_parser_level (tlv); 
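Review bot: Two of the converted checks in `p12_parse` can still reach `bailout` with `err` equal to 0. In `(err = tlv_expect_integer (tlv, &intval)) || intval != 3` and `(err = tlv_expect_context_tag (tlv, &intval)) || intval != 0`, a successful parse with an unexpected value leaves `err` cleared. The OID mismatch a few lines further down was given an explicit `err = gpg_error (GPG_ERR_INV_OBJ);`, and these two cases want the same, e.g. `if (!err && intval != 3) err = gpg_error (GPG_ERR_INV_OBJ);` followed by `if (err) goto bailout;`. What `bailout` does with a zero `err` is outside the hunk, so the effect on the caller is not visible here.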
@@ -2000,12 +2003,12 @@ p12_parse (const unsigned char *buffer, size_t length, const char *pw, { where = "bag-sequence"; tlv_parser_dump_state (where, NULL, tlv); - if (tlv_expect_sequence (tlv)) + if ((err = tlv_expect_sequence (tlv))) goto bailout; - if (tlv_next (tlv)) + if ((err = tlv_next (tlv))) goto bailout; - if (tlv_expect_object_id (tlv, &oid, &oidlen)) + if ((err = tlv_expect_object_id (tlv, &oid, &oidlen))) goto bailout; if (oidlen == DIM(oid_encryptedData) diff --git a/tests/openpgp/README b/tests/openpgp/README index 1225d4aad..86ff4624c 100644 --- a/tests/openpgp/README +++ b/tests/openpgp/README @@ -99,7 +99,7 @@ suite. This envvar gives the root directory of the build tree. See tests/gpgconf.ctl.in for the way we tell the GnuPG components this location. Note that we can't use that envvar directly because this -would allow user scripts and other software to accidently mess up the +would allow user scripts and other software to accidentally mess up the used components. **** argv[0] run-tests.scm depends on being able to re-exec gpgscm. It uses diff --git a/tools/gpg-card.c b/tools/gpg-card.c index 056cdca66..8c9a26090 100644 --- a/tools/gpg-card.c +++ b/tools/gpg-card.c @@ -220,9 +220,15 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts) } break; - case oGpgProgram: opt.gpg_program = pargs->r.ret_str; break; - case oGpgsmProgram: opt.gpgsm_program = pargs->r.ret_str; break; - case oAgentProgram: opt.agent_program = pargs->r.ret_str; break; + case oGpgProgram: + opt.gpg_program = make_filename (pargs->r.ret_str, NULL); + break; + case oGpgsmProgram: + opt.gpgsm_program = make_filename (pargs->r.ret_str, NULL); + break; + case oAgentProgram: + opt.agent_program = make_filename (pargs->r.ret_str, NULL); + break; case oStatusFD: gnupg_set_status_fd (translate_sys2libc_fd_int (pargs->r.ret_int, 1)); 
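Review bot: The `oGpgProgram`, `oGpgsmProgram` and `oAgentProgram` cases in tools/gpg-card.c overwrite the field with a fresh `make_filename` result without releasing the previous one, whereas the sm/gpgsm.c hunk of this commit calls `xfree` first. An option given twice leaks the earlier string. The same pattern is in the tools/gpg-connect-agent.c hunk and in the `oGpgProgram`, `oDirectory` and `oOutput` cases of tools/gpg-wks-client.c. For consistency each case could begin with `xfree (opt.gpg_program);` (likewise for the other fields), provided these fields are never set to non-heap strings before option parsing. `parse_arguments` starts and ends outside the hunk.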
@@ -402,7 +408,7 @@ nullnone (const char *s) * success returns 0 and stores the number of bytes read at R_BUFLEN * and the address of a newly allocated buffer at R_BUFFER. A * complementary nul byte is always appended to the data but not - * counted; this allows to pass NULL for R-BUFFER and consider the + * counted; this allows one to pass NULL for R-BUFFER and consider the * returned data as a string. */ static gpg_error_t get_data_from_file (const char *fname, char **r_buffer, size_t *r_buflen) diff --git a/tools/gpg-card.h b/tools/gpg-card.h index 5b49ef31e..8d7975ba9 100644 --- a/tools/gpg-card.h +++ b/tools/gpg-card.h @@ -34,9 +34,9 @@ struct unsigned int debug; int quiet; int with_colons; - const char *gpg_program; - const char *gpgsm_program; - const char *agent_program; + char *gpg_program; + char *gpgsm_program; + char *agent_program; int autostart; int no_key_lookup; /* Assume --no-key-lookup for "list". */ diff --git a/tools/gpg-connect-agent.c b/tools/gpg-connect-agent.c index 5323313e2..577b12575 100644 --- a/tools/gpg-connect-agent.c +++ b/tools/gpg-connect-agent.c @@ -126,9 +126,9 @@ struct int quiet; /* Be extra quiet. */ int autostart; /* Start the server if not running. */ const char *homedir; /* Configuration directory name */ - const char *agent_program; /* Value of --agent-program. */ - const char *dirmngr_program; /* Value of --dirmngr-program. */ - const char *keyboxd_program; /* Value of --keyboxd-program. */ + char *agent_program; /* Value of --agent-program. */ + char *dirmngr_program; /* Value of --dirmngr-program. */ + char *keyboxd_program; /* Value of --keyboxd-program. */ int hex; /* Print data lines in hex format. */ int decode; /* Decode received data lines. */ int use_dirmngr; /* Use the dirmngr and not gpg-agent. */ 
@@ -1269,9 +1269,15 @@ main (int argc, char **argv) case oVerbose: opt.verbose++; break; case oNoVerbose: opt.verbose = 0; break; case oHomedir: gnupg_set_homedir (pargs.r.ret_str); break; - case oAgentProgram: opt.agent_program = pargs.r.ret_str; break; - case oDirmngrProgram: opt.dirmngr_program = pargs.r.ret_str; break; - case oKeyboxdProgram: opt.keyboxd_program = pargs.r.ret_str; break; + case oAgentProgram: + opt.agent_program = make_filename (pargs.r.ret_str, NULL); + break; + case oDirmngrProgram: + opt.dirmngr_program = make_filename (pargs.r.ret_str, NULL); + break; + case oKeyboxdProgram: + opt.keyboxd_program = make_filename (pargs.r.ret_str, NULL); + break; case oNoAutostart: opt.autostart = 0; break; case oNoHistory: opt.no_history = 1; break; case oHex: opt.hex = 1; break; diff --git a/tools/gpg-wks-client.c b/tools/gpg-wks-client.c index fa0278ae0..ef11a4e3e 100644 --- a/tools/gpg-wks-client.c +++ b/tools/gpg-wks-client.c @@ -78,6 +78,7 @@ enum cmd_and_opt_values oNoAutostart, oAddRevocs, oNoAddRevocs, + oRealClean, oDummy }; @@ -121,8 +122,9 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_n (oWithColons, "with-colons", "@"), ARGPARSE_s_s (oBlacklist, "blacklist", "@"), ARGPARSE_s_s (oDirectory, "directory", "@"), - ARGPARSE_s_n (oAddRevocs, "add-revocs", "add revocation certificates"), + ARGPARSE_s_n (oAddRevocs, "add-revocs", "@"), ARGPARSE_s_n (oNoAddRevocs, "no-add-revocs", "do not add revocation certificates"), + ARGPARSE_s_n (oRealClean, "realclean", "remove most key signatures"), ARGPARSE_s_s (oFakeSubmissionAddr, "fake-submission-addr", "@"), @@ -154,7 +156,7 @@ static char **blacklist_array; static size_t blacklist_array_len; -static void wrong_args (const char *text) GPGRT_ATTR_NORETURN; +static void wrong_args (const char *t1, const char *t2) GPGRT_ATTR_NORETURN; static void add_blacklist (const char *fname); static gpg_error_t proc_userid_from_stdin (gpg_error_t (*func)(const char *), const char *text); 
@@ -204,10 +206,15 @@ my_strusage( int level ) static void -wrong_args (const char *text) +wrong_args (const char *text, const char *text2) { - es_fprintf (es_stderr, _("usage: %s [options] %s\n"), - gpgrt_strusage (11), text); +#if GPGRT_VERSION_NUMBER >= 0x013000 /* >= 1.48 */ + /* Skip the leading dashes if build with command support. */ + if (text[0] == '-' && text[1] == '-' && text[2]) + text += 2; +#endif + es_fprintf (es_stderr, _("usage: %s %s [options] %s\n"), + gpgrt_strusage (11), text, text2); exit (2); } @@ -235,16 +242,16 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts) break; case oGpgProgram: - opt.gpg_program = pargs->r.ret_str; + opt.gpg_program = make_filename (pargs->r.ret_str, NULL); break; case oDirectory: - opt.directory = pargs->r.ret_str; + opt.directory = make_filename (pargs->r.ret_str, NULL); break; case oSend: opt.use_sendmail = 1; break; case oOutput: - opt.output = pargs->r.ret_str; + opt.output = make_filename (pargs->r.ret_str, NULL); break; case oFakeSubmissionAddr: fake_submission_addr = pargs->r.ret_str; @@ -268,6 +275,10 @@ parse_arguments (gpgrt_argparse_t *pargs, gpgrt_opt_t *popts) opt.add_revocs = 0; break; + case oRealClean: + opt.realclean = 1; + break; + case aSupported: case aCreate: case aReceive: @@ -315,6 +326,9 @@ main (int argc, char **argv) pargs.argc = &argc; pargs.argv = &argv; pargs.flags = ARGPARSE_FLAG_KEEP; +#if GPGRT_VERSION_NUMBER >= 0x013000 /* >= 1.48 */ + pargs.flags |= ARGPARSE_FLAG_COMMAND; +#endif cmd = parse_arguments (&pargs, opts); gpgrt_argparse (NULL, &pargs, NULL); @@ -350,7 +364,7 @@ main (int argc, char **argv) /* Set defaults for non given options. */ if (!opt.gpg_program) - opt.gpg_program = gnupg_module_name (GNUPG_MODULE_NAME_GPG); + opt.gpg_program = xstrdup (gnupg_module_name (GNUPG_MODULE_NAME_GPG)); if (!opt.directory) opt.directory = "openpgpkey"; 
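Review bot: In the defaults block of `main` (tools/gpg-wks-client.c), `opt.gpg_program` now receives an `xstrdup` copy, but the next statement still stores the literal `"openpgpkey"` in `opt.directory`, which this commit turns into a plain `char *` that `parse_arguments` fills from `make_filename`. The field then holds either heap memory or a string literal depending on the command line, so a later `xfree` or in-place edit of it would be undefined behaviour. `opt.directory = xstrdup ("openpgpkey");` keeps the ownership uniform. The tools/gpg-wks-server.c hunk stores a literal in the same now non-const field with `opt.directory = "/var/lib/gnupg/wks";`.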
@@ -394,7 +408,7 @@ main (int argc, char **argv) else { if (argc != 1) - wrong_args ("--supported DOMAIN"); + wrong_args ("--supported", "DOMAIN"); err = command_supported (argv[0]); if (err && gpg_err_code (err) != GPG_ERR_FALSE) log_error ("checking support failed: %s\n", gpg_strerror (err)); @@ -403,7 +417,7 @@ main (int argc, char **argv) case aCreate: if (argc != 2) - wrong_args ("--create FINGERPRINT USER-ID"); + wrong_args ("--create", "FINGERPRINT USER-ID"); err = command_create (argv[0], argv[1]); if (err) log_error ("creating request failed: %s\n", gpg_strerror (err)); @@ -411,7 +425,7 @@ main (int argc, char **argv) case aReceive: if (argc) - wrong_args ("--receive < MIME-DATA"); + wrong_args ("--receive", "< MIME-DATA"); err = wks_receive (es_stdin, command_receive_cb, NULL); if (err) log_error ("processing mail failed: %s\n", gpg_strerror (err)); @@ -419,7 +433,7 @@ main (int argc, char **argv) case aRead: if (argc) - wrong_args ("--read < WKS-DATA"); + wrong_args ("--read", "< WKS-DATA"); err = read_confirmation_request (es_stdin); if (err) log_error ("processing mail failed: %s\n", gpg_strerror (err)); @@ -427,7 +441,7 @@ main (int argc, char **argv) case aCheck: if (argc != 1) - wrong_args ("--check USER-ID"); + wrong_args ("--check", "USER-ID"); err = command_check (argv[0]); break; @@ -444,12 +458,12 @@ main (int argc, char **argv) else if (argc == 2) err = wks_cmd_install_key (*argv, argv[1]); else - wrong_args ("--install-key [FILE|FINGERPRINT USER-ID]"); + wrong_args ("--install-key", "[FILE|FINGERPRINT USER-ID]"); break; case aRemoveKey: if (argc != 1) - wrong_args ("--remove-key USER-ID"); + wrong_args ("--remove-key", "USER-ID"); err = wks_cmd_remove_key (*argv); break; 
@@ -1779,6 +1793,8 @@ process_confirmation_request (estream_t msg, const char *mainfpr) log_info ("no encryption key found - sending response in the clear\n"); err = send_confirmation_response (sender, address, nonce, 0, NULL); } + if (!err) + log_info ("response sent to '%s' for '%s'\n", sender, address); leave: nvc_release (nvc); @@ -1903,7 +1919,7 @@ domain_matches_mbox (const char *domain, const char *mbox) * so that for a key with * uid: Joe Someone * uid: Joe - * only the news user id (and thus its self-signature) is used. + * only the newest user id (and thus its self-signature) is used. * UIDLIST is nodified to set all MBOX fields to NULL for a processed * user id. FPR is the fingerprint of the key. */ @@ -2010,7 +2026,7 @@ mirror_one_key (estream_t key) continue; /* No mail box or already processed. */ if (uid->expired) continue; - if (!domain_matches_mbox (domain, uid->mbox)) + if (*domain && !domain_matches_mbox (domain, uid->mbox)) continue; /* We don't want this one. */ if (is_in_blacklist (uid->mbox)) continue; diff --git a/tools/gpg-wks-server.c b/tools/gpg-wks-server.c index d3406bd79..31de67618 100644 --- a/tools/gpg-wks-server.c +++ b/tools/gpg-wks-server.c @@ -308,7 +308,7 @@ main (int argc, char **argv) /* Set defaults for non given options. */ if (!opt.gpg_program) - opt.gpg_program = gnupg_module_name (GNUPG_MODULE_NAME_GPG); + opt.gpg_program = xstrdup (gnupg_module_name (GNUPG_MODULE_NAME_GPG)); if (!opt.directory) opt.directory = "/var/lib/gnupg/wks"; diff --git a/tools/gpg-wks.h b/tools/gpg-wks.h index 93039c1e8..0601d48fe 100644 --- a/tools/gpg-wks.h +++ b/tools/gpg-wks.h @@ -40,9 +40,10 @@ struct int with_colons; int no_autostart; int add_revocs; - const char *output; - const char *gpg_program; - const char *directory; + int realclean; + char *output; + char *gpg_program; + char *directory; const char *default_from; strlist_t extra_headers; } opt; diff --git a/tools/watchgnupg.c b/tools/watchgnupg.c index 7a7544bb5..39746d489 100644 
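Review bot: The new `*domain &&` test in `mirror_one_key` gives the empty string a meaning that nothing in the hunk states: with an empty domain the filter is skipped and every non-expired, non-blacklisted mailbox of the key is taken. A comment on the condition, e.g. `/* An empty DOMAIN disables the domain filter. */`, would document this. The test also assumes `domain` is never NULL. Where `domain` comes from is outside the hunk, so that should be checked against the code that supplies it.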
--- a/tools/watchgnupg.c +++ b/tools/watchgnupg.c @@ -461,7 +461,7 @@ main (int argc, char **argv) if (!tcp && argc == 1) ; else if (tcp && (argc == 1 || argc == 2)) - ; /* Option --tcp optionally allows to also read from a socket. */ + ; /* Option --tcp optionally allows one to also read from a socket. */ else if (!tcp && !argc) { /* No args given - figure out the socket using gpgconf. We also diff --git a/tools/wks-util.c b/tools/wks-util.c index 49dbb6f8a..4a15d672a 100644 --- a/tools/wks-util.c +++ b/tools/wks-util.c @@ -246,7 +246,8 @@ wks_get_key (estream_t *r_key, const char *fingerprint, const char *addrspec, ccparray_put (&ccp, "--always-trust"); if (!binary) ccparray_put (&ccp, "--armor"); - ccparray_put (&ccp, "--export-options=export-clean"); + ccparray_put (&ccp, opt.realclean? "--export-options=export-realclean" + /* */ : "--export-options=export-clean"); ccparray_put (&ccp, "--export-filter"); ccparray_put (&ccp, filterexp); ccparray_put (&ccp, "--export");