Preparing another release

2006-10-24 14:45:34 +00:00 · 2006-10-24 14:45:34 +00:00 · a2786169f2
parent 86852e7eed
commit a2786169f2
8 changed files with 68 additions and 22 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+2006-10-24  Werner Koch  <wk@g10code.com>
+
+	Released 1.9.94.
+
 2006-10-20  Werner Koch  <wk@g10code.com>

 	* Makefile.am (stowinstall): Add convenience target.
--- a/2
+++ b/2
@ -1,4 +1,4 @@
-Noteworthy changes in version 1.9.94
+Noteworthy changes in version 1.9.94 (2006-10-24)
 -------------------------------------------------

 * Keys for gpgsm may now be specified using a keygrip.  A keygrip is
--- a/10
+++ b/10
@ -53,7 +53,7 @@ might want to have an agent context for each service request
 ** Return an error code or a status info per user ID.

 * scd/tlv.c
-  The parse_sexp fucntion should not go into this file.  Check whether
+  The parse_sexp function should not go into this file.  Check whether
  we can change all S-expression handling code to make use of this
  function.

@ -66,12 +66,8 @@ might want to have an agent context for each service request
 ** Detecting a removed card works only after the ticker detected it.
  We should check the card status in open-card to make this smoother.
  Needs to be integrated with the status file update, though.  It is
- not a real problem because application will get a card removed status
- and should the send a reset to try solving the problem.
-** app-p15.c:do_auth
-  We assume SHA1 here.  However we should also allow for TLS-MD5SHA1.
-  To properly inplement this we need to extend the inetrnal API.  A
-  simple workaround by looking at the digest size if possible.
+  not a real problem because application will get a card removed
+  status and should the send a reset to try solving the problem.

 ** Add a test to check the extkeyusage.

--- a/configure.ac
+++ b/configure.ac
@ -27,7 +27,7 @@ min_automake_version="1.9.3"
 # Set my_issvn to "yes" for non-released code.  Remember to run an
 # "svn up" and "autogen.sh" right before creating a distribution.
 m4_define([my_version], [1.9.94])
-m4_define([my_issvn], [yes])
+m4_define([my_issvn], [no])


 m4_define([svn_revision], m4_esyscmd([echo -n $( (svn info 2>/dev/null \
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@ -2394,6 +2394,18 @@ source distribution for the details of which configuration items may be
 listed. @option{--list-config} is only usable with
@option{--with-colons} set.

+@item --gpgconf-list
+@opindex gpgconf-list
+This command is simliar to @option{--list-config} but in general only
+internally used by the @command{gpgconf} tool.
+
+@item --gpgconf-test
+@opindex gpgconf-test
+This is more or less dummy action.  However it parses the configuration
+file and returns with failure if the configuraion file would prevent
+@command{gpg} from startup.  Thus it may be used to run a syntax check
+on the configuration file.
+
@end table

@c *******************************
--- a/scd/ChangeLog
+++ b/scd/ChangeLog
@ -1,3 +1,11 @@
+2006-10-24  Werner Koch  <wk@g10code.com>
+
+	* scdaemon.h (GCRY_MD_USER_TLS_MD5SHA1): New.
+	(MAX_DIGEST_LEN): Increased to 36.
+	* app-p15.c (do_sign): Support for TLS_MD5SHA1.
+	(do_auth): Detect TLS_MD5SHA1.
+	(do_sign): Tweaks for that digest.
+
 2006-10-23  Werner Koch  <wk@g10code.com>

 	* scdaemon.c (main): New command --gpgconf-test.
--- a/scd/app-p15.c
+++ b/scd/app-p15.c
@ -2868,8 +2868,9 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,

  gpg_error_t err;
  int i;
-  unsigned char data[35];   /* Must be large enough for a SHA-1 digest
-                               + the largest OID prefix above. */
+  unsigned char data[36];   /* Must be large enough for a SHA-1 digest
+                               + the largest OID prefix above and also
+                               fit the 36 bytes of md5sha1.  */
  prkdf_object_t prkdf;    /* The private key object. */
  aodf_object_t aodf;      /* The associated authentication object. */
  int no_data_padding = 0; /* True if the card want the data without padding.*/
@ -2877,7 +2878,7 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,

  if (!keyidstr || !*keyidstr)
    return gpg_error (GPG_ERR_INV_VALUE);
-  if (indatalen != 20 && indatalen != 16 && indatalen != 35)
+  if (indatalen != 20 && indatalen != 16 && indatalen != 35 && indatalen != 36)
    return gpg_error (GPG_ERR_INV_VALUE);

  err = prkdf_object_from_keyidstr (app, keyidstr, &prkdf);
@ -2948,7 +2949,10 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
      
      mse[0] = 4;    /* Length of the template. */
      mse[1] = 0x80; /* Algorithm reference tag. */
-      mse[2] = 0x02; /* Algorithm: RSASSA-PKCS1-v1.5 using SHA1. */
+      if (hashalgo == GCRY_MD_USER_TLS_MD5SHA1)
+        mse[2] = 0x01; /* Let card do pkcs#1 0xFF padding. */
+      else
+        mse[2] = 0x02; /* RSASSA-PKCS1-v1.5 using SHA1. */
      mse[3] = 0x84; /* Private key reference tag. */
      mse[4] = prkdf->key_reference_valid? prkdf->key_reference : 0x82;

@ -3118,7 +3122,14 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
    }

  /* Prepare the DER object from INDATA. */
-  if (indatalen == 35)
+  if (indatalen == 36)
+    {
+      /* No ASN.1 container used. */
+      if (hashalgo != GCRY_MD_USER_TLS_MD5SHA1)
+        return gpg_error (GPG_ERR_UNSUPPORTED_ALGORITHM);
+      memcpy (data, indata, indatalen);
+    }
+  else if (indatalen == 35)
    {
      /* Alright, the caller was so kind to send us an already
         prepared DER object.  Check that it is what we want and that
@ -3177,7 +3188,9 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
      return err;
    }

-  if (no_data_padding)
+  if (hashalgo == GCRY_MD_USER_TLS_MD5SHA1)
+    err = iso7816_compute_ds (app->slot, data, 36, outdata, outdatalen);
+  else if (no_data_padding)
    err = iso7816_compute_ds (app->slot, data+15, 20, outdata, outdatalen);
  else
    err = iso7816_compute_ds (app->slot, data, 35, outdata, outdatalen);
@ -3200,6 +3213,7 @@ do_auth (app_t app, const char *keyidstr,
 {
  gpg_error_t err;
  prkdf_object_t prkdf;
+  int algo;

  if (!keyidstr || !*keyidstr)
    return gpg_error (GPG_ERR_INV_VALUE);
@ -3212,7 +3226,9 @@ do_auth (app_t app, const char *keyidstr,
      log_error ("key %s may not be used for authentication\n", keyidstr);
      return gpg_error (GPG_ERR_WRONG_KEY_USAGE);
    }
-  return do_sign (app, keyidstr, GCRY_MD_SHA1, pincb, pincb_arg, 
+
+  algo = indatalen == 36? GCRY_MD_USER_TLS_MD5SHA1 : GCRY_MD_SHA1;
+  return do_sign (app, keyidstr, algo, pincb, pincb_arg, 
                  indata, indatalen, outdata, outdatalen);
 }

--- a/scd/scdaemon.h
+++ b/scd/scdaemon.h
@ -34,7 +34,17 @@
 #include "../common/errors.h"


-#define MAX_DIGEST_LEN 24 
+/* To convey some special hash algorithms we use algorithm numbers
+   reserved for application use. */
+#ifndef GCRY_MD_USER
+#define GCRY_MD_USER 1024
+#endif
+#define GCRY_MD_USER_TLS_MD5SHA1 (GCRY_MD_USER+1)
+
+/* Maximum length of a digest.  */
+#define MAX_DIGEST_LEN 36
+
+

 /* A large struct name "opt" to keep global flags. */
 struct