.

ChangeLog

@@ -1,3 +1,7 @@
+2006-10-20  Werner Koch  <wk@g10code.com>
+
+	* Makefile.am (stowinstall): Add convenience target.
+
 2006-10-18  Werner Koch  <wk@g10code.com>
 
 	* configure.ac: svn revison magic fixes for old bashs.  Suggested

Makefile.am

@@ -79,5 +79,7 @@ SUBDIRS = m4 intl gl include jnlib common ${kbx} \
 dist-hook:
 	echo "$(VERSION)" > $(distdir)/VERSION
 
+stowinstall: 
+	$(MAKE) $(AM_MAKEFLAGS) install prefix=/usr/local/stow/gnupg
 
 

NEWS

@@ -4,6 +4,11 @@ Noteworthy changes in version 1.9.94
  * Keys for gpgsm may now be specified using a keygrip.  A keygrip is
    indicated by a prefixing it with an ampersand.
 
+ * gpgconf now supports switching the CMS cipher algo (e.g. to AES).
+
+ * New command --gpgconf-test for all major tools. This may be used to
+   check whether the configuration file is sane.
+
 
 Noteworthy changes in version 1.9.93 (2006-10-18)
 -------------------------------------------------

agent/ChangeLog

@@ -1,5 +1,7 @@
 2006-10-23  Werner Koch  <wk@g10code.com>
 
+	* gpg-agent.c (main): New command --gpgconf-test.
+
 	* minip12.c (parse_bag_encrypted_data, parse_bag_data): Allow for
 	a salt of 20 bytes.
 

agent/gpg-agent.c

@@ -61,6 +61,7 @@ enum cmd_and_opt_values
 
   oNoVerbose = 500,
   aGPGConfList,
+  aGPGConfTest,
   oOptions,
   oDebug,
   oDebugAll,
@@ -105,6 +106,7 @@ enum cmd_and_opt_values
 static ARGPARSE_OPTS opts[] = {
 
   { aGPGConfList, "gpgconf-list", 256, "@" },
+  { aGPGConfTest, "gpgconf-test", 256, "@" },
   
   { 301, NULL, 0, N_("@Options:\n ") },
 
@@ -620,6 +622,7 @@ main (int argc, char **argv )
       switch (pargs.r_opt)
         {
         case aGPGConfList: gpgconf_list = 1; break;
+        case aGPGConfTest: gpgconf_list = 2; break;
         case oBatch: opt.batch=1; break;
 
         case oDebugWait: debug_wait = pargs.r.ret_int; break;
@@ -719,6 +722,8 @@ main (int argc, char **argv )
       log_debug ("... okay\n");
     }
   
+  if (gpgconf_list == 2)
+    agent_exit (0);
   if (gpgconf_list)
     {
       char *filename;

doc/gpg.texi

@@ -365,12 +365,13 @@ those of the given name. The new keyring is written to stdout or to the
 file given with option @option{--output}. Use together with
 @option{--armor} to mail those keys.
 
-@item --send-keys
+@item --send-keys @code{key IDs}
 @opindex send-keys
-Same as @option{--export} but sends the keys to a keyserver.  Option
-@option{--keyserver} must be used to give the name of this
-keyserver. Don't send your complete keyring to a keyserver --- select
-only those keys which are new or changed by you.
+Similar to @option{--export} but sends the keys to a keyserver.
+Fingerprints may be used instead of key IDs. Option @option{--keyserver}
+must be used to give the name of this keyserver. Don't send your
+complete keyring to a keyserver --- select only those keys which are new
+or changed by you.
 
 @item --export-secret-keys
 @itemx --export-secret-subkeys

doc/gpgsm.texi

@@ -490,10 +490,19 @@ certificate.
 
 @table @gnupgtabopt
 @item --include-certs @var{n}
+@opindex include-certs
 Using @var{n} of -2 includes all certificate except for the root cert,
 -1 includes all certs, 0 does not include any certs, 1 includes only
 the signers cert (this is the default) and all other positive
 values include up to @var{n} certificates starting with the signer cert.
+
+
+@item --cipher-algo @var{oid}
+@opindex cipher-algo
+Use the cipher algorithm with the ASN.1 object identifier @var{oid} for
+encryption.  For convenience the strings @code{3DES}, @code{AES} and
+@code{AES256} may be used instead of their OIDs.  The default is
+@code{3DES} (1.2.840.113549.3.7).
   
 @end table
 

g10/ChangeLog

@@ -1,3 +1,9 @@
+2006-10-23  Werner Koch  <wk@g10code.com>
+
+	* gpg.c (main): New command --gpgconf-test.
+
+	* Makefile.am (bzip2_source): New.
+
 2006-10-20  Werner Koch  <wk@g10code.com>
 
 	* getkey.c (classify_user_id): Reserve '&' for search by keygrip.

g10/Makefile.am

@@ -33,11 +33,18 @@ needed_libs = ../gl/libgnu.a ../common/libcommon.a ../jnlib/libjnlib.a
 
 bin_PROGRAMS = gpg2 gpgv2
 
+if ENABLE_BZIP2_SUPPORT
+bzip2_source = compress-bz2.c
+else
+bzip2_source =
+endif
+
+
 common_source =  \
 	      gpg.h             \
 	      build-packet.c	\
 	      compress.c	\
-	      compress-bz2.c	\
+	      $(bzip2_source)	\
 	      filter.h		\
 	      free-packet.c	\
 	      getkey.c		\

g10/gpg.c

@@ -110,6 +110,7 @@ enum cmd_and_opt_values
     aLSignKey,
     aListConfig,
     aGPGConfList,
+    aGPGConfTest,
     aListPackets,
     aEditKey,
     aDeleteKeys,
@@ -408,6 +409,7 @@ static ARGPARSE_OPTS opts[] = {
 #endif
     { aListConfig, "list-config", 256, "@"},
     { aGPGConfList, "gpgconf-list", 256, "@" },
+    { aGPGConfTest, "gpgconf-test", 256, "@" },
     { aListPackets, "list-packets",256, "@"},
     { aExportOwnerTrust, "export-ownertrust", 256, "@"},
     { aImportOwnerTrust, "import-ownertrust", 256, "@"},
@@ -2026,6 +2028,7 @@ main (int argc, char **argv )
 	  case aCheckKeys: 
 	  case aListConfig:
           case aGPGConfList:
+          case aGPGConfTest:
 	  case aListPackets:
 	  case aImport: 
 	  case aFastImport: 
@@ -3183,7 +3186,7 @@ main (int argc, char **argv )
        SELinux, this is so that the rings are added to the list of
        secured files. */
     if( ALWAYS_ADD_KEYRINGS 
-        || (cmd != aDeArmor && cmd != aEnArmor) ) 
+        || (cmd != aDeArmor && cmd != aEnArmor && cmd != aGPGConfTest) ) 
       {
         if (ALWAYS_ADD_KEYRINGS
             || (cmd != aCheckKeys && cmd != aListSigs && cmd != aListKeys
@@ -3202,6 +3205,9 @@ main (int argc, char **argv )
     FREE_STRLIST(nrings);
     FREE_STRLIST(sec_nrings);
 
+    if (cmd == aGPGConfTest)
+      g10_exit(0);
+
 
     if( pwfd != -1 )  /* Read the passphrase now. */
 	read_passphrase_from_fd( pwfd );

keyserver/ChangeLog

@@ -1,3 +1,8 @@
+2006-10-20  Werner Koch  <wk@g10code.com>
+
+	* Makefile.am: Reporder macros for better readability.
+	(gpg2keys_finger_LDADD): Add GPG_ERROR_LIBS.
+
 2006-10-19  David Shaw  <dshaw@jabberwocky.com>
 
 	* gpgkeys_hkp.c (curl_mrindex_writer): Print a warning if we see

keyserver/Makefile.am

@@ -40,18 +40,17 @@ common_libs = ../gl/libgnu.a  ../common/libcommon.a ../jnlib/libjnlib.a
 other_libs = $(LIBICONV) $(LIBINTL) $(CAPLIBS)
 
 gpg2keys_ldap_SOURCES = gpgkeys_ldap.c ksutil.c ksutil.h no-libgcrypt.c
-gpg2keys_hkp_SOURCES = gpgkeys_hkp.c ksutil.c ksutil.h no-libgcrypt.c
-gpg2keys_finger_SOURCES = gpgkeys_finger.c ksutil.c ksutil.h no-libgcrypt.c
-gpg2keys_curl_SOURCES = gpgkeys_curl.c ksutil.c ksutil.h no-libgcrypt.c
-
-
 gpg2keys_ldap_CPPFLAGS = $(LDAP_CPPFLAGS) $(AM_CPPFLAGS)
-gpg2keys_ldap_LDADD = $(LDAPLIBS) $(NETLIBS) \
-                      $(other_libs)
+gpg2keys_ldap_LDADD = $(LDAPLIBS) $(NETLIBS) $(other_libs)
 
-gpg2keys_finger_LDADD = $(common_libs) $(LIBGCRYPT_LIBS) \
+gpg2keys_finger_SOURCES = gpgkeys_finger.c ksutil.c ksutil.h no-libgcrypt.c
+gpg2keys_ldap_CPPFLAGS = $(AM_CPPFLAGS)
+gpg2keys_finger_LDADD = $(common_libs) $(GPG_ERROR_LIBS) \
                         $(NETLIBS) $(other_libs)
 
+
+gpg2keys_curl_SOURCES = gpgkeys_curl.c ksutil.c ksutil.h no-libgcrypt.c
+gpg2keys_hkp_SOURCES  = gpgkeys_hkp.c ksutil.c ksutil.h no-libgcrypt.c
 if FAKE_CURL
 gpg2keys_curl_SOURCES += curl-shim.c curl-shim.h
 gpg2keys_curl_CPPFLAGS = $(AM_CPPFLAGS)

scd/ChangeLog

@@ -1,3 +1,7 @@
+2006-10-23  Werner Koch  <wk@g10code.com>
+
+	* scdaemon.c (main): New command --gpgconf-test.
+
 2006-10-17  Werner Koch  <wk@g10code.com>
 
 	* Makefile.am (scdaemon_LDADD): Link against libcommonpth.

scd/app-p15.c

@@ -2712,7 +2712,7 @@ do_getattr (app_t app, ctrl_t ctrl, const char *name)
          general rule for it so we need to decide case by case. */
       if (app->app_local->card_type == CARD_TYPE_BELPIC)
         {
-          /* The eID card has a card number printed on the fron matter
+          /* The eID card has a card number printed on the front matter
              which seems to be a good indication. */
           unsigned char *buffer;
           const unsigned char *p;
@@ -2938,7 +2938,7 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
 
 
   /* Due to the fact that the non-repudiation signature on a BELPIC
-     card requires a ver verify immediately before the DSO we set the
+     card requires a verify immediately before the DSO we set the
      MSE before we do the verification.  Other cards might allow to do
      this also but I don't want to break anything, thus we do it only
      for the BELPIC card here. */

scd/scdaemon.c

@@ -63,6 +63,7 @@ enum cmd_and_opt_values
   
   oNoVerbose = 500,
   aGPGConfList,
+  aGPGConfTest,
   oOptions,
   oDebug,
   oDebugAll,
@@ -97,6 +98,7 @@ enum cmd_and_opt_values
 static ARGPARSE_OPTS opts[] = {
 
   { aGPGConfList, "gpgconf-list", 256, "@" },
+  { aGPGConfTest, "gpgconf-test", 256, "@" },
   
   { 301, NULL, 0, N_("@Options:\n ") },
 
@@ -450,6 +452,7 @@ main (int argc, char **argv )
       switch (pargs.r_opt)
         {
         case aGPGConfList: gpgconf_list = 1; break;
+        case aGPGConfTest: gpgconf_list = 2; break;
         case oQuiet: opt.quiet = 1; break;
         case oVerbose: opt.verbose++; break;
         case oBatch: opt.batch=1; break;
@@ -552,6 +555,8 @@ main (int argc, char **argv )
       log_debug ("... okay\n");
     }
   
+  if (gpgconf_list == 2)
+    scd_exit (0);
   if (gpgconf_list)
     {
       /* List options and default values in the GPG Conf format.  */

sm/ChangeLog

@@ -1,3 +1,8 @@
+2006-10-23  Werner Koch  <wk@g10code.com>
+
+	* gpgsm.c (main): Remap common cipher algo names to their OIDs.
+	(main): New command --gpgconf-test.
+
 2006-10-20  Werner Koch  <wk@g10code.com>
 
 	* keydb.c (classify_user_id): Parse keygrip for the '&' identifier.

sm/gpgsm.c

@@ -90,6 +90,7 @@ enum cmd_and_opt_values {
   aCallProtectTool,
   aPasswd,
   aGPGConfList,
+  aGPGConfTest,
   aDumpKeys,
   aDumpChain,
   aDumpSecretKeys,
@@ -265,6 +266,7 @@ static ARGPARSE_OPTS opts[] = {
                                    N_("invoke gpg-protect-tool")},
     { aPasswd, "passwd",      256, N_("change a passphrase")},
     { aGPGConfList, "gpgconf-list", 256, "@" },
+    { aGPGConfTest, "gpgconf-test", 256, "@" },
 
     { aDumpKeys, "dump-cert", 256, "@"},
     { aDumpKeys, "dump-keys", 256, "@"},
@@ -781,7 +783,7 @@ main ( int argc, char **argv)
   create_dotlock (NULL); /* register locking cleanup */
   i18n_init();
 
-  opt.def_cipher_algoid = "1.2.840.113549.3.7";  /*des-EDE3-CBC*/
+  opt.def_cipher_algoid = "3DES";  /*des-EDE3-CBC*/
 
   opt.homedir = default_homedir ();
 #ifdef HAVE_W32_SYSTEM
@@ -880,6 +882,7 @@ main ( int argc, char **argv)
       switch (pargs.r_opt)
         {
 	case aGPGConfList: 
+	case aGPGConfTest: 
           set_cmd (&cmd, pargs.r_opt);
           do_not_setup_keys = 1;
           nogreeting = 1;
@@ -1265,18 +1268,32 @@ main ( int argc, char **argv)
     }
 
   /* Must do this after dropping setuid, because the mapping functions
-     may try to load an module and we may have disabled an algorithm. */
-  if ( !gcry_cipher_map_name (opt.def_cipher_algoid)
-       || !gcry_cipher_mode_from_oid (opt.def_cipher_algoid))
-    log_error (_("selected cipher algorithm is invalid\n"));
+     may try to load an module and we may have disabled an algorithm.
+     We remap the commonly used algorithms to the OIDs for
+     convenience.  We need to work with the OIDs because they are used
+     to check whether the encryption mode is actually available. */
+  if (!strcmp (opt.def_cipher_algoid, "3DES") )
+    opt.def_cipher_algoid = "1.2.840.113549.3.7";
+  else if (!strcmp (opt.def_cipher_algoid, "AES")
+           || !strcmp (opt.def_cipher_algoid, "AES128"))
+    opt.def_cipher_algoid = "2.16.840.1.101.3.4.1.2";
+  else if (!strcmp (opt.def_cipher_algoid, "AES256") )
+    opt.def_cipher_algoid = "2.16.840.1.101.3.4.1.42";
 
-  if (def_digest_string)
+  if (cmd != aGPGConfList)
     {
-      opt.def_digest_algo = gcry_md_map_name (def_digest_string);
-      xfree (def_digest_string);
-      def_digest_string = NULL;
-      if (our_md_test_algo(opt.def_digest_algo) )
-        log_error (_("selected digest algorithm is invalid\n"));
+      if ( !gcry_cipher_map_name (opt.def_cipher_algoid)
+           || !gcry_cipher_mode_from_oid (opt.def_cipher_algoid))
+        log_error (_("selected cipher algorithm is invalid\n"));
+
+      if (def_digest_string)
+        {
+          opt.def_digest_algo = gcry_md_map_name (def_digest_string);
+          xfree (def_digest_string);
+          def_digest_string = NULL;
+          if (our_md_test_algo(opt.def_digest_algo) )
+            log_error (_("selected digest algorithm is invalid\n"));
+        }
     }
 
   if (log_get_errorcount(0))
@@ -1411,9 +1428,15 @@ main ( int argc, char **argv)
                 GC_OPT_FLAG_NONE );
         printf ("prefer-system-dirmngr:%lu:\n",
                 GC_OPT_FLAG_NONE );
+        printf ("cipher-algo:%lu:\"3DES:\n",
+                GC_OPT_FLAG_DEFAULT );
 
       }
       break;
+    case aGPGConfTest:
+      /* This is merely a dummy command to test whether the
+         configuration file is valid.  */
+      break;
 
     case aServer:
       if (debug_wait)

tools/ChangeLog

@@ -1,3 +1,11 @@
+2006-10-23  Werner Koch  <wk@g10code.com>
+
+	* gpgconf-comp.c <gpgsm>: Add --cipher-algo.
+
+2006-10-20  Werner Koch  <wk@g10code.com>
+
+	* gpgsm-gencert.sh: Enhanced the main menu. 
+
 2006-10-12  Werner Koch  <wk@g10code.com>
 
 	* Makefile.am (gpg-zip, gpgsplit): Do not install due to a

tools/gpgconf-comp.c

@@ -676,6 +676,9 @@ static gc_option_t gc_options_gpgsm[] =
    { "auto-issuer-key-retrieve", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC,
      "gnupg", "fetch missing issuer certificates",
      GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
+   { "cipher-algo", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
+     "gnupg", "|NAME|use cipher algorithm NAME",
+     GC_ARG_TYPE_STRING, GC_BACKEND_GPGSM },
 
    GC_OPTION_NULL
  };

tools/gpgsm-gencert.sh

@@ -84,29 +84,53 @@ query_user_menu()
     echo "You selected: $ANSWER" >&2
 }
 
-query_user_menu "Key type" "RSA" "existing key" "OPENPGP.1" "OPENPGP.3"
-case "$ANSWER" in
-  RSA)
-    KEY_TYPE=$ANSWER
-    query_user_menu "Key length" "1024" "2048"
-    KEY_LENGTH=$ANSWER
-    KEY_GRIP=
-    ;;
-  existing*)
-    # User requested to use an existing key; need to set some dummy defaults
-    KEY_TYPE=RSA 
-    KEY_LENGTH=1024
-    query_user "Keygrip "
-    KEY_GRIP=$ANSWER
-    ;;
-  *) 
-    KEY_TYPE="card:$ANSWER"
-    KEY_LENGTH=
-    KEY_GRIP=
-    ;;
-esac
 
 
+KEY_TYPE=""
+while [ -z "$KEY_TYPE" ]; do
+  query_user_menu "Key type" "RSA" "Existing key" "Direct from card"
+  case "$ANSWER" in
+    RSA)
+      KEY_TYPE=$ANSWER
+      query_user_menu "Key length" "1024" "2048"
+      KEY_LENGTH=$ANSWER
+      KEY_GRIP=
+      ;;
+    Existing*)
+      # User requested to use an existing key; need to set some dummy defaults
+      query_user "Keygrip "
+      if [ -n "$ANSWER" ]; then
+        KEY_TYPE=RSA 
+        KEY_LENGTH=1024
+        KEY_GRIP=$ANSWER
+      fi
+      ;;
+    Direct*)
+      tmp=$(echo 'SCD SERIALNO' | gpg-connect-agent | \
+            awk '$2 == "SERIALNO" {print $3}') 
+      if [ -z "$tmp" ]; then
+          echo "No card found" >&2
+      else
+        echo "Card with S/N $tmp found" >&2
+        tmp=$(echo 'SCD LEARN --force' | gpg-connect-agent | \
+              awk '$2 == "KEYPAIRINFO" {printf " %s", $4}')
+        sshid=$(echo 'SCD GETATTR $AUTHKEYID' | gpg-connect-agent | \
+                awk '$2 == "$AUTHKEYID" {print $3}') 
+        [ -n "$sshid" ] && echo "gpg-agent uses $sshid as ssh key" >&2
+        query_user_menu "Select key " $tmp "back"
+        if [ "$ANSWER" != "back" ]; then
+          KEY_TYPE="card:$ANSWER"
+          KEY_LENGTH=
+          KEY_GRIP=
+        fi
+      fi
+      ;;
+    *)
+      exit 1
+      ;;   
+  esac
+done
+
 query_user_menu "Key usage" "sign, encrypt" "sign" "encrypt"
 KEY_USAGE=$ANSWER