From a2786169f2e17f67595c96f383e780b9548a6b6c Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 24 Oct 2006 14:45:34 +0000
Subject: [PATCH] Preparing another release

---
 ChangeLog      |  4 ++++
 NEWS           |  2 +-
 TODO           | 20 ++++++++------------
 configure.ac   |  2 +-
 doc/gpg.texi   | 12 ++++++++++++
 scd/ChangeLog  |  8 ++++++++
 scd/app-p15.c  | 30 +++++++++++++++++++++++-------
 scd/scdaemon.h | 12 +++++++++++-
 8 files changed, 68 insertions(+), 22 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 427ee3355..aadf85268 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2006-10-24  Werner Koch  <wk@g10code.com>
+
+	Released 1.9.94.
+
 2006-10-20  Werner Koch  <wk@g10code.com>
 
 	* Makefile.am (stowinstall): Add convenience target.
diff --git a/NEWS b/NEWS
index 6f6a05beb..f84539137 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-Noteworthy changes in version 1.9.94
+Noteworthy changes in version 1.9.94 (2006-10-24)
 -------------------------------------------------
 
  * Keys for gpgsm may now be specified using a keygrip.  A keygrip is
diff --git a/TODO b/TODO
index f68cb82ea..d5506531b 100644
--- a/TODO
+++ b/TODO
@@ -2,14 +2,14 @@
 
 * src/base64
 ** Make parsing more robust
-Currently we don't cope with overlong lines in the best way.
+   Currently we don't cope with overlong lines in the best way.
 ** Check that we really release the ksba reader/writer objects.
 
 * sm/call-agent.c
 ** Some code should go into import.c
 ** When we allow concurrent service request in gpgsm, we
-might want to have an agent context for each service request
-(i.e. Assuan context).
+   might want to have an agent context for each service request
+   (i.e. Assuan context).
 
 * sm/certchain.c
 ** When a certificate chain was sucessfully verified, make ephemeral certs used  in this chain permanent.
@@ -53,7 +53,7 @@ might want to have an agent context for each service request
 ** Return an error code or a status info per user ID.
 
 * scd/tlv.c
-  The parse_sexp fucntion should not go into this file.  Check whether
+  The parse_sexp function should not go into this file.  Check whether
   we can change all S-expression handling code to make use of this
   function.
 
@@ -64,14 +64,10 @@ might want to have an agent context for each service request
   would be better to do this just at one place. First we need to see
   how we can support cards with multiple applications.
 ** Detecting a removed card works only after the ticker detected it.
- We should check the card status in open-card to make this smoother.
- Needs to be integrated with the status file update, though.  It is
- not a real problem because application will get a card removed status
- and should the send a reset to try solving the problem.
-** app-p15.c:do_auth
-  We assume SHA1 here.  However we should also allow for TLS-MD5SHA1.
-  To properly inplement this we need to extend the inetrnal API.  A
-  simple workaround by looking at the digest size if possible.
+  We should check the card status in open-card to make this smoother.
+  Needs to be integrated with the status file update, though.  It is
+  not a real problem because application will get a card removed
+  status and should the send a reset to try solving the problem.
 
 ** Add a test to check the extkeyusage.
 
diff --git a/configure.ac b/configure.ac
index f90c86ee7..a9715ea36 100644
--- a/configure.ac
+++ b/configure.ac
@@ -27,7 +27,7 @@ min_automake_version="1.9.3"
 # Set my_issvn to "yes" for non-released code.  Remember to run an
 # "svn up" and "autogen.sh" right before creating a distribution.
 m4_define([my_version], [1.9.94])
-m4_define([my_issvn], [yes])
+m4_define([my_issvn], [no])
 
 
 m4_define([svn_revision], m4_esyscmd([echo -n $( (svn info 2>/dev/null \
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 6849b19ae..cc5b070f3 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -2394,6 +2394,18 @@ source distribution for the details of which configuration items may be
 listed. @option{--list-config} is only usable with
 @option{--with-colons} set.
 
+@item --gpgconf-list
+@opindex gpgconf-list
+This command is simliar to @option{--list-config} but in general only
+internally used by the @command{gpgconf} tool.
+
+@item --gpgconf-test
+@opindex gpgconf-test
+This is more or less dummy action.  However it parses the configuration
+file and returns with failure if the configuraion file would prevent
+@command{gpg} from startup.  Thus it may be used to run a syntax check
+on the configuration file.
+
 @end table
 
 @c *******************************
diff --git a/scd/ChangeLog b/scd/ChangeLog
index df9e75a4f..f637e5ad8 100644
--- a/scd/ChangeLog
+++ b/scd/ChangeLog
@@ -1,3 +1,11 @@
+2006-10-24  Werner Koch  <wk@g10code.com>
+
+	* scdaemon.h (GCRY_MD_USER_TLS_MD5SHA1): New.
+	(MAX_DIGEST_LEN): Increased to 36.
+	* app-p15.c (do_sign): Support for TLS_MD5SHA1.
+	(do_auth): Detect TLS_MD5SHA1.
+	(do_sign): Tweaks for that digest.
+
 2006-10-23  Werner Koch  <wk@g10code.com>
 
 	* scdaemon.c (main): New command --gpgconf-test.
diff --git a/scd/app-p15.c b/scd/app-p15.c
index f6b3eff4d..f11de5902 100644
--- a/scd/app-p15.c
+++ b/scd/app-p15.c
@@ -2868,8 +2868,9 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
 
   gpg_error_t err;
   int i;
-  unsigned char data[35];   /* Must be large enough for a SHA-1 digest
-                               + the largest OID prefix above. */
+  unsigned char data[36];   /* Must be large enough for a SHA-1 digest
+                               + the largest OID prefix above and also
+                               fit the 36 bytes of md5sha1.  */
   prkdf_object_t prkdf;    /* The private key object. */
   aodf_object_t aodf;      /* The associated authentication object. */
   int no_data_padding = 0; /* True if the card want the data without padding.*/
@@ -2877,7 +2878,7 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
 
   if (!keyidstr || !*keyidstr)
     return gpg_error (GPG_ERR_INV_VALUE);
-  if (indatalen != 20 && indatalen != 16 && indatalen != 35)
+  if (indatalen != 20 && indatalen != 16 && indatalen != 35 && indatalen != 36)
     return gpg_error (GPG_ERR_INV_VALUE);
 
   err = prkdf_object_from_keyidstr (app, keyidstr, &prkdf);
@@ -2948,7 +2949,10 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
       
       mse[0] = 4;    /* Length of the template. */
       mse[1] = 0x80; /* Algorithm reference tag. */
-      mse[2] = 0x02; /* Algorithm: RSASSA-PKCS1-v1.5 using SHA1. */
+      if (hashalgo == GCRY_MD_USER_TLS_MD5SHA1)
+        mse[2] = 0x01; /* Let card do pkcs#1 0xFF padding. */
+      else
+        mse[2] = 0x02; /* RSASSA-PKCS1-v1.5 using SHA1. */
       mse[3] = 0x84; /* Private key reference tag. */
       mse[4] = prkdf->key_reference_valid? prkdf->key_reference : 0x82;
 
@@ -3118,7 +3122,14 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
     }
 
   /* Prepare the DER object from INDATA. */
-  if (indatalen == 35)
+  if (indatalen == 36)
+    {
+      /* No ASN.1 container used. */
+      if (hashalgo != GCRY_MD_USER_TLS_MD5SHA1)
+        return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
+      memcpy (data, indata, indatalen);
+    }
+  else if (indatalen == 35)
     {
       /* Alright, the caller was so kind to send us an already
          prepared DER object.  Check that it is what we want and that
@@ -3177,7 +3188,9 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
       return err;
     }
 
-  if (no_data_padding)
+  if (hashalgo == GCRY_MD_USER_TLS_MD5SHA1)
+    err = iso7816_compute_ds (app->slot, data, 36, outdata, outdatalen);
+  else if (no_data_padding)
     err = iso7816_compute_ds (app->slot, data+15, 20, outdata, outdatalen);
   else
     err = iso7816_compute_ds (app->slot, data, 35, outdata, outdatalen);
@@ -3200,6 +3213,7 @@ do_auth (app_t app, const char *keyidstr,
 {
   gpg_error_t err;
   prkdf_object_t prkdf;
+  int algo;
 
   if (!keyidstr || !*keyidstr)
     return gpg_error (GPG_ERR_INV_VALUE);
@@ -3212,7 +3226,9 @@ do_auth (app_t app, const char *keyidstr,
       log_error ("key %s may not be used for authentication\n", keyidstr);
       return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
     }
-  return do_sign (app, keyidstr, GCRY_MD_SHA1, pincb, pincb_arg, 
+
+  algo = indatalen == 36? GCRY_MD_USER_TLS_MD5SHA1 : GCRY_MD_SHA1;
+  return do_sign (app, keyidstr, algo, pincb, pincb_arg, 
                   indata, indatalen, outdata, outdatalen);
 }
 
diff --git a/scd/scdaemon.h b/scd/scdaemon.h
index 40a398856..2d20b0231 100644
--- a/scd/scdaemon.h
+++ b/scd/scdaemon.h
@@ -34,7 +34,17 @@
 #include "../common/errors.h"
 
 
-#define MAX_DIGEST_LEN 24 
+/* To convey some special hash algorithms we use algorithm numbers
+   reserved for application use. */
+#ifndef GCRY_MD_USER
+#define GCRY_MD_USER 1024
+#endif
+#define GCRY_MD_USER_TLS_MD5SHA1 (GCRY_MD_USER+1)
+
+/* Maximum length of a digest.  */
+#define MAX_DIGEST_LEN 36
+
+
 
 /* A large struct name "opt" to keep global flags. */
 struct