Preparing another release

ChangeLog

@@ -1,3 +1,7 @@
+2006-10-24  Werner Koch  <wk@g10code.com>
+
+	Released 1.9.94.
+
 2006-10-20  Werner Koch  <wk@g10code.com>
 
 	* Makefile.am (stowinstall): Add convenience target.

NEWS

@@ -1,4 +1,4 @@
-Noteworthy changes in version 1.9.94
+Noteworthy changes in version 1.9.94 (2006-10-24)
 -------------------------------------------------
 
  * Keys for gpgsm may now be specified using a keygrip.  A keygrip is

TODO

@@ -2,14 +2,14 @@
 
 * src/base64
 ** Make parsing more robust
-Currently we don't cope with overlong lines in the best way.
+   Currently we don't cope with overlong lines in the best way.
 ** Check that we really release the ksba reader/writer objects.
 
 * sm/call-agent.c
 ** Some code should go into import.c
 ** When we allow concurrent service request in gpgsm, we
-might want to have an agent context for each service request
+   might want to have an agent context for each service request
-(i.e. Assuan context).
+   (i.e. Assuan context).
 
 * sm/certchain.c
 ** When a certificate chain was sucessfully verified, make ephemeral certs used  in this chain permanent.
@@ -53,7 +53,7 @@ might want to have an agent context for each service request
 ** Return an error code or a status info per user ID.
 
 * scd/tlv.c
-  The parse_sexp fucntion should not go into this file.  Check whether
+  The parse_sexp function should not go into this file.  Check whether
   we can change all S-expression handling code to make use of this
   function.
 
@@ -64,14 +64,10 @@ might want to have an agent context for each service request
   would be better to do this just at one place. First we need to see
   how we can support cards with multiple applications.
 ** Detecting a removed card works only after the ticker detected it.
- We should check the card status in open-card to make this smoother.
+  We should check the card status in open-card to make this smoother.
- Needs to be integrated with the status file update, though.  It is
+  Needs to be integrated with the status file update, though.  It is
- not a real problem because application will get a card removed status
+  not a real problem because application will get a card removed
- and should the send a reset to try solving the problem.
+  status and should the send a reset to try solving the problem.
-** app-p15.c:do_auth
-  We assume SHA1 here.  However we should also allow for TLS-MD5SHA1.
-  To properly inplement this we need to extend the inetrnal API.  A
-  simple workaround by looking at the digest size if possible.
 
 ** Add a test to check the extkeyusage.
 

configure.ac

@@ -27,7 +27,7 @@ min_automake_version="1.9.3"
 # Set my_issvn to "yes" for non-released code.  Remember to run an
 # "svn up" and "autogen.sh" right before creating a distribution.
 m4_define([my_version], [1.9.94])
-m4_define([my_issvn], [yes])
+m4_define([my_issvn], [no])
 
 
 m4_define([svn_revision], m4_esyscmd([echo -n $( (svn info 2>/dev/null \

doc/gpg.texi

@@ -2394,6 +2394,18 @@ source distribution for the details of which configuration items may be
 listed. @option{--list-config} is only usable with
 @option{--with-colons} set.
 
+@item --gpgconf-list
+@opindex gpgconf-list
+This command is simliar to @option{--list-config} but in general only
+internally used by the @command{gpgconf} tool.
+
+@item --gpgconf-test
+@opindex gpgconf-test
+This is more or less dummy action.  However it parses the configuration
+file and returns with failure if the configuraion file would prevent
+@command{gpg} from startup.  Thus it may be used to run a syntax check
+on the configuration file.
+
 @end table
 
 @c *******************************

scd/ChangeLog

@@ -1,3 +1,11 @@
+2006-10-24  Werner Koch  <wk@g10code.com>
+
+	* scdaemon.h (GCRY_MD_USER_TLS_MD5SHA1): New.
+	(MAX_DIGEST_LEN): Increased to 36.
+	* app-p15.c (do_sign): Support for TLS_MD5SHA1.
+	(do_auth): Detect TLS_MD5SHA1.
+	(do_sign): Tweaks for that digest.
+
 2006-10-23  Werner Koch  <wk@g10code.com>
 
 	* scdaemon.c (main): New command --gpgconf-test.

scd/app-p15.c

@@ -2868,8 +2868,9 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
 
   gpg_error_t err;
   int i;
-  unsigned char data[35];   /* Must be large enough for a SHA-1 digest
+  unsigned char data[36];   /* Must be large enough for a SHA-1 digest
-                               + the largest OID prefix above. */
+                               + the largest OID prefix above and also
+                               fit the 36 bytes of md5sha1.  */
   prkdf_object_t prkdf;    /* The private key object. */
   aodf_object_t aodf;      /* The associated authentication object. */
   int no_data_padding = 0; /* True if the card want the data without padding.*/
@@ -2877,7 +2878,7 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
 
   if (!keyidstr || !*keyidstr)
     return gpg_error (GPG_ERR_INV_VALUE);
-  if (indatalen != 20 && indatalen != 16 && indatalen != 35)
+  if (indatalen != 20 && indatalen != 16 && indatalen != 35 && indatalen != 36)
     return gpg_error (GPG_ERR_INV_VALUE);
 
   err = prkdf_object_from_keyidstr (app, keyidstr, &prkdf);
@@ -2948,7 +2949,10 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
       
       mse[0] = 4;    /* Length of the template. */
       mse[1] = 0x80; /* Algorithm reference tag. */
-      mse[2] = 0x02; /* Algorithm: RSASSA-PKCS1-v1.5 using SHA1. */
+      if (hashalgo == GCRY_MD_USER_TLS_MD5SHA1)
+        mse[2] = 0x01; /* Let card do pkcs#1 0xFF padding. */
+      else
+        mse[2] = 0x02; /* RSASSA-PKCS1-v1.5 using SHA1. */
       mse[3] = 0x84; /* Private key reference tag. */
       mse[4] = prkdf->key_reference_valid? prkdf->key_reference : 0x82;
 
@@ -3118,7 +3122,14 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
     }
 
   /* Prepare the DER object from INDATA. */
-  if (indatalen == 35)
+  if (indatalen == 36)
+    {
+      /* No ASN.1 container used. */
+      if (hashalgo != GCRY_MD_USER_TLS_MD5SHA1)
+        return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
+      memcpy (data, indata, indatalen);
+    }
+  else if (indatalen == 35)
     {
       /* Alright, the caller was so kind to send us an already
          prepared DER object.  Check that it is what we want and that
@@ -3177,7 +3188,9 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
       return err;
     }
 
-  if (no_data_padding)
+  if (hashalgo == GCRY_MD_USER_TLS_MD5SHA1)
+    err = iso7816_compute_ds (app->slot, data, 36, outdata, outdatalen);
+  else if (no_data_padding)
     err = iso7816_compute_ds (app->slot, data+15, 20, outdata, outdatalen);
   else
     err = iso7816_compute_ds (app->slot, data, 35, outdata, outdatalen);
@@ -3200,6 +3213,7 @@ do_auth (app_t app, const char *keyidstr,
 {
   gpg_error_t err;
   prkdf_object_t prkdf;
+  int algo;
 
   if (!keyidstr || !*keyidstr)
     return gpg_error (GPG_ERR_INV_VALUE);
@@ -3212,7 +3226,9 @@ do_auth (app_t app, const char *keyidstr,
       log_error ("key %s may not be used for authentication\n", keyidstr);
       return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
     }
-  return do_sign (app, keyidstr, GCRY_MD_SHA1, pincb, pincb_arg, 
+
+  algo = indatalen == 36? GCRY_MD_USER_TLS_MD5SHA1 : GCRY_MD_SHA1;
+  return do_sign (app, keyidstr, algo, pincb, pincb_arg, 
                   indata, indatalen, outdata, outdatalen);
 }
 

scd/scdaemon.h

@@ -34,7 +34,17 @@
 #include "../common/errors.h"
 
 
-#define MAX_DIGEST_LEN 24 
+/* To convey some special hash algorithms we use algorithm numbers
+   reserved for application use. */
+#ifndef GCRY_MD_USER
+#define GCRY_MD_USER 1024
+#endif
+#define GCRY_MD_USER_TLS_MD5SHA1 (GCRY_MD_USER+1)
+
+/* Maximum length of a digest.  */
+#define MAX_DIGEST_LEN 36
+
+
 
 /* A large struct name "opt" to keep global flags. */
 struct