Merge branch 'STABLE-BRANCH-2-2.40' into STABLE-BRANCH-2-2

--

g10/card-util.c

@@ -801,7 +801,6 @@ change_name (void)
     {
       tty_printf (_("Error: Combined name too long "
                     "(limit is %d characters).\n"), 39);
-      xfree (isoname);
       rc = gpg_error (GPG_ERR_TOO_LARGE);
       goto leave;
     }

g10/export.c

@@ -62,15 +62,17 @@ struct export_stats_s
 };
 
 
-/* A global variable to store the selector created from
+/* Global variables to store the selectors created from
  * --export-filter keep-uid=EXPR.
  * --export-filter drop-subkey=EXPR.
+ * --export-filter select=EXPR.
  *
  * FIXME: We should put this into the CTRL object but that requires a
  * lot more changes right now.
  */
 static recsel_expr_t export_keep_uid;
 static recsel_expr_t export_drop_subkey;
+static recsel_expr_t export_select_filter;
 
 
 /* An object used for a linked list to implement the
@@ -80,6 +82,7 @@ struct export_filter_attic_s
   struct export_filter_attic_s *next;
   recsel_expr_t export_keep_uid;
   recsel_expr_t export_drop_subkey;
+  recsel_expr_t export_select_filter;
 };
 static struct export_filter_attic_s *export_filter_attic;
 
@@ -105,6 +108,8 @@ cleanup_export_globals (void)
   export_keep_uid = NULL;
   recsel_release (export_drop_subkey);
   export_drop_subkey = NULL;
+  recsel_release (export_select_filter);
+  export_select_filter = NULL;
 }
 
 
@@ -129,6 +134,9 @@ parse_export_options(char *str,unsigned int *options,int noisy)
       {"export-pka", EXPORT_PKA_FORMAT, NULL, NULL },
       {"export-dane", EXPORT_DANE_FORMAT, NULL, NULL },
 
+      {"export-revocs", EXPORT_REVOCS, NULL,
+       N_("export only revocation certificates") },
+
       {"backup", EXPORT_BACKUP, NULL,
        N_("use the GnuPG key backup format")},
       {"export-backup", EXPORT_BACKUP, NULL, NULL },
@@ -181,6 +189,8 @@ parse_export_options(char *str,unsigned int *options,int noisy)
  *
  *                - secret   :: 1 for a secret subkey, else 0.
  *                - key_algo :: Public key algorithm id
+ *
+ *  - select :: The key is only exported if the filter returns true.
  */
 gpg_error_t
 parse_and_set_export_filter (const char *string)
@@ -194,6 +204,8 @@ parse_and_set_export_filter (const char *string)
     err = recsel_parse_expr (&export_keep_uid, string+9);
   else if (!strncmp (string, "drop-subkey=", 12))
     err = recsel_parse_expr (&export_drop_subkey, string+12);
+  else if (!strncmp (string, "select=", 7))
+    err = recsel_parse_expr (&export_select_filter, string+7);
   else
     err = gpg_error (GPG_ERR_INV_NAME);
 
@@ -214,6 +226,8 @@ push_export_filters (void)
   export_keep_uid = NULL;
   item->export_drop_subkey = export_drop_subkey;
   export_drop_subkey = NULL;
+  item->export_select_filter = export_select_filter;
+  export_select_filter = NULL;
   item->next = export_filter_attic;
   export_filter_attic = item;
 }
@@ -232,6 +246,7 @@ pop_export_filters (void)
   cleanup_export_globals ();
   export_keep_uid = item->export_keep_uid;
   export_drop_subkey = item->export_drop_subkey;
+  export_select_filter = item->export_select_filter;
 }
 
 
@@ -1885,6 +1900,78 @@ do_export_one_keyblock (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid,
 }
 
 
+/* Helper for do_export_stream which writes the own revocations
+ * certificates (if any) from KEYBLOCK to OUT. */
+static gpg_error_t
+do_export_revocs (ctrl_t ctrl, kbnode_t keyblock, u32 *keyid,
+                  iobuf_t out, unsigned int options, int *any)
+{
+  gpg_error_t err = 0;
+  kbnode_t kbctx, node;
+  PKT_signature *sig;
+
+  (void)ctrl;
+
+  /* NB: walk_kbnode skips packets marked as deleted.  */
+  for (kbctx=NULL; (node = walk_kbnode (keyblock, &kbctx, 0)); )
+    {
+      if (node->pkt->pkttype != PKT_SIGNATURE)
+        continue;
+      sig = node->pkt->pkt.signature;
+
+      /* We are only interested in revocation certifcates.  */
+      if (!(IS_KEY_REV (sig) || IS_UID_REV (sig) || IS_SUBKEY_REV (sig)))
+        continue;
+
+      if (!(sig->keyid[0] == keyid[0] && sig->keyid[1] == keyid[1]))
+        continue;  /* Not a self-signature.  */
+
+      /* Do not export signature packets which are marked as not
+       * exportable.  */
+      if (!(options & EXPORT_LOCAL_SIGS)
+          && !sig->flags.exportable)
+        continue; /* not exportable */
+
+      /* Do not export packets with a "sensitive" revocation key
+       * unless the user wants us to.  */
+      if (!(options & EXPORT_SENSITIVE_REVKEYS)
+          && sig->revkey)
+        {
+          int i;
+
+          for (i = 0; i < sig->numrevkeys; i++)
+            if ((sig->revkey[i].class & 0x40))
+              break;
+          if (i < sig->numrevkeys)
+            continue;
+        }
+
+      if (!sig->flags.checked)
+        {
+          log_info ("signature not marked as checked - ignored\n");
+          continue;
+        }
+      if (!sig->flags.valid)
+        {
+          log_info ("signature not not valid - ignored\n");
+          continue;
+        }
+
+      err = build_packet (out, node->pkt);
+      if (err)
+        {
+          log_error ("build_packet(%d) failed: %s\n",
+                     node->pkt->pkttype, gpg_strerror (err));
+          goto leave;
+        }
+      *any = 1;
+    }
+
+ leave:
+  return err;
+}
+
+
 /* Export the keys identified by the list of strings in USERS to the
    stream OUT.  If SECRET is false public keys will be exported.  With
    secret true secret keys will be exported; in this case 1 means the
@@ -2070,6 +2157,32 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret,
                              NULL, NULL);
           commit_kbnode (&keyblock);
         }
+      else if (export_keep_uid || export_drop_subkey || export_select_filter)
+        {
+          /* Need to merge so that for example the "usage" property
+           * has been setup.  */
+          merge_keys_and_selfsig (ctrl, keyblock);
+        }
+
+
+      if (export_select_filter)
+        {
+          int selected = 0;
+          struct impex_filter_parm_s parm;
+          parm.ctrl = ctrl;
+
+          for (parm.node = keyblock; parm.node; parm.node = parm.node->next)
+            {
+              if (recsel_select (export_select_filter,
+                                 impex_filter_getval, &parm))
+                {
+                  selected = 1;
+                  break;
+                }
+            }
+          if (!selected)
+            continue;  /* Skip this keyblock.  */
+        }
 
       if (export_keep_uid)
         {
@@ -2086,10 +2199,15 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret,
         }
 
       /* And write it. */
-      err = do_export_one_keyblock (ctrl, keyblock, keyid,
-                                    out_help? out_help : out,
-                                    secret, options, stats, any,
-                                    desc, ndesc, descindex, cipherhd);
+      if ((options & EXPORT_REVOCS))
+        err = do_export_revocs (ctrl, keyblock, keyid,
+                                out_help? out_help : out,
+                                options, any);
+      else
+        err = do_export_one_keyblock (ctrl, keyblock, keyid,
+                                      out_help? out_help : out,
+                                      secret, options, stats, any,
+                                      desc, ndesc, descindex, cipherhd);
       if (err)
         break;
 
@@ -2132,8 +2250,8 @@ do_export_stream (ctrl_t ctrl, iobuf_t out, strlist_t users, int secret,
   keydb_release (kdbhd);
   if (err || !keyblock_out)
     release_kbnode( keyblock );
-  if( !*any )
-    log_info(_("WARNING: nothing exported\n"));
+  if( !*any && !opt.quiet)
+    log_info (_("WARNING: nothing exported\n"));
   return err;
 }
 

g10/gpg.c

@@ -3804,9 +3804,11 @@ main (int argc, char **argv)
     set_debug (debug_level);
     if (opt.verbose) /* Print the compatibility flags.  */
       parse_compatibility_flags (NULL, &opt.compat_flags, compatibility_flags);
+
     gnupg_set_compliance_extra_info (CO_EXTRA_INFO_MIN_RSA, opt.min_rsa_length);
     if ((opt.compat_flags & COMPAT_VSD_ALLOW_OCB))
       gnupg_set_compliance_extra_info (CO_EXTRA_INFO_VSD_ALLOW_OCB, 1);
+
     if (DBG_CLOCK)
       log_clock ("start");
 

g10/mainproc.c

@@ -765,7 +765,7 @@ proc_encrypted (CTX c, PACKET *pkt)
     result = GPG_ERR_NO_SECKEY;
 
   /* Compute compliance with CO_DE_VS.  */
-  if (!result && is_status_enabled ()
+  if (!result && (is_status_enabled () || opt.flags.require_compliance)
       /* Overriding session key voids compliance.  */
       && !opt.override_session_key
       /* Check symmetric cipher.  */

g10/options.h

@@ -391,6 +391,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode;
 #define EXPORT_PKA_FORMAT                (1<<6)
 #define EXPORT_DANE_FORMAT               (1<<7)
 #define EXPORT_BACKUP                    (1<<10)
+#define EXPORT_REVOCS                    (1<<11)
 
 #define LIST_SHOW_PHOTOS                 (1<<0)
 #define LIST_SHOW_POLICY_URLS            (1<<1)

g10/plaintext.c

@@ -584,11 +584,16 @@ do_hash (gcry_md_hd_t md, gcry_md_hd_t md2, IOBUF fp, int textmode)
     }
   else
     {
-      while ((c = iobuf_get (fp)) != -1)
+      byte *buffer = xmalloc (32768);
+      int ret;
+
+      while ((ret = iobuf_read (fp, buffer, 32768)) != -1)
 	{
 	  if (md)
-	    gcry_md_putc (md, c);
+	    gcry_md_write (md, buffer, ret);
 	}
+
+      xfree (buffer);
     }
 }
 

g10/sign.c

@@ -1211,8 +1211,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
 		    iobuf_push_filter( inp, text_filter, &tfx );
 		  }
 		iobuf_push_filter( inp, md_filter, &mfx );
-		while( iobuf_get(inp) != -1 )
-		    ;
+		while (iobuf_read (inp, NULL, 1<<30) != -1 )
+                  ;
 		iobuf_close(inp); inp = NULL;
 	    }
 	    if( opt.verbose )
@@ -1220,8 +1220,8 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr,
 	}
 	else {
 	    /* read, so that the filter can calculate the digest */
-	    while( iobuf_get(inp) != -1 )
-		;
+            while (iobuf_read (inp, NULL, 1<<30) != -1 )
+              ;
 	}
     }
     else {