security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-02-01 16:33:02 +01:00
Code Activity

Browse Source
This commit is contained in:
Werner Koch 2009-08-03 17:47:18 +00:00
parent 3f95e31e5d
commit b8805ca724
8 changed files with 142 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
NEWS
View File

@ -1,6 +1,13 @@
Noteworthy changes in version 1.4.10 (unreleased) Noteworthy changes in version 1.4.10 (unreleased)
------------------------------------------------- -------------------------------------------------
* 2048 bit RSA keys are now generated by default. The default
hash algorithm preferences has changed to prefer SHA-256 over
SHA-1. 2048 bit DSA keys are now generated to use a 256 bit
hash algorithm
* Support v2 OpenPGP cards.
* The algorithm to compute the SIG_ID status has been changed to * The algorithm to compute the SIG_ID status has been changed to
match the one from 2.0.10. match the one from 2.0.10.
@ -8,9 +15,7 @@ Noteworthy changes in version 1.4.10 (unreleased)
* Fixed a memory leak which made imports of many keys very slow. * Fixed a memory leak which made imports of many keys very slow.
* Support v2 OpenPGP cards. * Many smaller bug fixes.
* FIXME: Anything else?
Noteworthy changes in version 1.4.9 (2008-03-26) Noteworthy changes in version 1.4.9 (2008-03-26)

16
g10/ChangeLog
View File

@ -1,3 +1,19 @@
2009-08-03 Werner Koch <wk@g10code.com>
* card-util.c (generate_card_keys): Ask for off-card keys only if
the card supports it.
(get_info_for_key_operation): Read EXTCAP.
(card_store_subkey): Check for non matching sizes.
* cardglue.c (agent_scd_writecert, agent_scd_readcert): New stubs.
* misc.c (not_in_gpg1_notice): New.
2009-07-30 Werner Koch <wk@g10code.com>
* misc.c (md5_digest_warn): New.
(print_digest_algo_note): Divert to new function.
* sig-check.c (do_check): Print MD5 warning.
2009-07-31 David Shaw <dshaw@jabberwocky.com> 2009-07-31 David Shaw <dshaw@jabberwocky.com>
* gpg.c (main): --pgp6 includes --disable-mdc. * gpg.c (main): --pgp6 includes --disable-mdc.

59
g10/card-util.c
View File

@ -952,8 +952,7 @@ change_cert (const char *args)
return -1; return -1;
} }
#warning need to implement this fucntion rc = agent_scd_writecert ("OPENPGP.3", data, n);
rc = -1; /*agent_scd_writecert ("OPENPGP.3", data, n);*/
if (rc) if (rc)
log_error ("error writing certificate to card: %s\n", gpg_strerror (rc)); log_error ("error writing certificate to card: %s\n", gpg_strerror (rc));
xfree (data); xfree (data);
@ -982,8 +981,7 @@ read_cert (const char *args)
return -1; return -1;
} }
#warning need to implement this fucntion rc = agent_scd_readcert ("OPENPGP.3", &buffer, &length);
rc = -1; /*agent_scd_readcert ("OPENPGP.3", &buffer, &length);*/
if (rc) if (rc)
log_error ("error reading certificate from card: %s\n", gpg_strerror (rc)); log_error ("error reading certificate from card: %s\n", gpg_strerror (rc));
else else
@ -1158,6 +1156,8 @@ get_info_for_key_operation (struct agent_card_info_s *info)
rc = agent_scd_getattr ("CHV-STATUS", info); rc = agent_scd_getattr ("CHV-STATUS", info);
if (!rc) if (!rc)
rc = agent_scd_getattr ("DISP-NAME", info); rc = agent_scd_getattr ("DISP-NAME", info);
if (!rc)
rc = agent_scd_getattr ("EXTCAP", info);
if (rc) if (rc)
log_error (_("error getting current key info: %s\n"), gpg_strerror (rc)); log_error (_("error getting current key info: %s\n"), gpg_strerror (rc));
return rc; return rc;
@ -1263,21 +1263,27 @@ generate_card_keys (void)
if (get_info_for_key_operation (&info)) if (get_info_for_key_operation (&info))
return; return;
if (info.extcap.ki)
{
#if GNUPG_MAJOR_VERSION == 1 #if GNUPG_MAJOR_VERSION == 1
{ char *answer;
char *answer=cpr_get("cardedit.genkeys.backup_enc",
_("Make off-card backup of encryption key? (Y/n) "));
want_backup=answer_is_yes_no_default(answer,1);
cpr_kill_prompt(); answer = cpr_get ("cardedit.genkeys.backup_enc",
xfree(answer); _("Make off-card backup of encryption key? (Y/n) "));
}
want_backup=answer_is_yes_no_default(answer,1);
cpr_kill_prompt();
xfree(answer);
#else #else
want_backup = cpr_get_answer_is_yes want_backup = cpr_get_answer_is_yes
( "cardedit.genkeys.backup_enc", ( "cardedit.genkeys.backup_enc",
_("Make off-card backup of encryption key? (Y/n) ")); _("Make off-card backup of encryption key? (Y/n) "));
/*FIXME: we need answer_is_yes_no_default()*/ /*FIXME: we need answer_is_yes_no_default()*/
#endif #endif
}
else
want_backup = 0;
if ( (info.fpr1valid && !fpr_is_zero (info.fpr1)) if ( (info.fpr1valid && !fpr_is_zero (info.fpr1))
|| (info.fpr2valid && !fpr_is_zero (info.fpr2)) || (info.fpr2valid && !fpr_is_zero (info.fpr2))
@ -1385,6 +1391,8 @@ card_store_subkey (KBNODE node, int use)
size_t n; size_t n;
const char *s; const char *s;
int allow_keyno[3]; int allow_keyno[3];
unsigned int nbits;
assert (node->pkt->pkttype == PKT_SECRET_KEY assert (node->pkt->pkttype == PKT_SECRET_KEY
|| node->pkt->pkttype == PKT_SECRET_SUBKEY); || node->pkt->pkttype == PKT_SECRET_SUBKEY);
@ -1393,10 +1401,18 @@ card_store_subkey (KBNODE node, int use)
if (get_info_for_key_operation (&info)) if (get_info_for_key_operation (&info))
return 0; return 0;
if (!info.extcap.ki)
{
tty_printf ("The card does not support the import of keys\n");
tty_printf ("\n");
goto leave;
}
show_card_key_info (&info); show_card_key_info (&info);
if (!is_RSA (sk->pubkey_algo) nbits = nbits_from_sk (sk);
|| (!info.is_v2 && nbits_from_sk (sk) != 1024) )
if (!is_RSA (sk->pubkey_algo) || (!info.is_v2 && nbits != 1024) )
{ {
tty_printf ("You may only store a 1024 bit RSA key on the card\n"); tty_printf ("You may only store a 1024 bit RSA key on the card\n");
tty_printf ("\n"); tty_printf ("\n");
@ -1429,8 +1445,17 @@ card_store_subkey (KBNODE node, int use)
keyno = *answer? atoi(answer): 0; keyno = *answer? atoi(answer): 0;
xfree(answer); xfree(answer);
if (keyno >= 1 && keyno <= 3 && allow_keyno[keyno-1]) if (keyno >= 1 && keyno <= 3 && allow_keyno[keyno-1])
break; /* Okay. */ {
tty_printf(_("Invalid selection.\n")); if (info.is_v2 && !info.extcap.aac
&& info.key_attr[keyno-1].nbits != nbits)
{
tty_printf ("Key does not match the card's capability.\n");
}
else
break; /* Okay. */
}
else
tty_printf(_("Invalid selection.\n"));
} }
if (replace_existing_key_p (&info, keyno)) if (replace_existing_key_p (&info, keyno))

23
g10/cardglue.c
View File

@ -1527,3 +1527,26 @@ agent_clear_pin_cache (const char *sn)
xfree (cacheid); xfree (cacheid);
} }
} }
int
agent_scd_writecert (const char *certidstr,
const unsigned char *certdata, size_t certdatalen)
{
/* It does not make sense to implement this rarely used and mainly
interactive command in GPG-1. GPG-2 is better suited for this. */
not_in_gpg1_notice ();
return gpg_error (GPG_ERR_NOT_SUPPORTED);
}
int
agent_scd_readcert (const char *certidstr,
void **r_buf, size_t *r_buflen)
{
/* It does not make sense to implement this rarely used and mainly
interactive command in GPG-1. GPG-2 is better suited for this. */
*r_buf = NULL;
not_in_gpg1_notice ();
return gpg_error (GPG_ERR_NOT_SUPPORTED);
}

7
g10/cardglue.h
View File

@ -230,6 +230,13 @@ int agent_scd_checkpin (const char *serialnobuf);
void agent_clear_pin_cache (const char *sn); void agent_clear_pin_cache (const char *sn);
/* Dummy functions. */
int agent_scd_writecert (const char *certidstr,
const unsigned char *certdata, size_t certdatalen);
int agent_scd_readcert (const char *certidstr,
void **r_buf, size_t *r_buflen);
#endif /*ENABLE_CARD_SUPPORT*/ #endif /*ENABLE_CARD_SUPPORT*/
#endif /*GNUPG_G10_CARDGLUE_H*/ #endif /*GNUPG_G10_CARDGLUE_H*/

4
g10/main.h
View File

@ -91,6 +91,10 @@ void idea_cipher_warn( int show );
#define idea_cipher_warn(a) #define idea_cipher_warn(a)
#endif #endif
void md5_digest_warn (int show);
void not_in_gpg1_notice (void);
struct expando_args struct expando_args
{ {
PKT_public_key *pk; PKT_public_key *pk;

39
g10/misc.c
View File

@ -350,8 +350,7 @@ print_digest_algo_note( int algo )
} }
} }
else if(algo==DIGEST_ALGO_MD5) else if(algo==DIGEST_ALGO_MD5)
log_info(_("WARNING: digest algorithm %s is deprecated\n"), md5_digest_warn (1);
digest_algo_to_string(algo));
} }
/* Return a string which is used as a kind of process ID */ /* Return a string which is used as a kind of process ID */
@ -464,7 +463,41 @@ idea_cipher_warn(int show)
} }
#endif #endif
static unsigned long get_signature_count(PKT_secret_key *sk) /* Print a warning if the md5 digest algorithm has been used. This
warning is printed only once unless SHOW is used. */
void
md5_digest_warn (int show)
{
static int warned = 0;
if (!warned || show)
{
log_info (_("WARNING: digest algorithm %s is deprecated\n"),
digest_algo_to_string (DIGEST_ALGO_MD5));
log_info (_("please see %s for more information\n"),
"http://www.gnupg.org/faq/weak-digest-algos.html");
warned = 1;
}
}
void
not_in_gpg1_notice (void)
{
static int warned = 0;
if (!warned)
{
log_info (_("NOTE: This feature is not available in %s\n"), "GnuPG 1.x");
log_info (_("please see %s for more information\n"),
"http://www.gnupg.org/faq/features-not-in-gnupg-1.html");
warned = 1;
}
}
static unsigned long
get_signature_count(PKT_secret_key *sk)
{ {
#ifdef ENABLE_CARD_SUPPORT #ifdef ENABLE_CARD_SUPPORT
if(sk && sk->is_protected && sk->protect.s2k.mode==1002) if(sk && sk->is_protected && sk->protect.s2k.mode==1002)

6
g10/sig-check.c
View File

@ -318,6 +318,12 @@ do_check( PKT_public_key *pk, PKT_signature *sig, MD_HANDLE digest,
mpi_free(result); mpi_free(result);
} }
/* Print the MD5 warning if not yet done. Thus at most we get one
warning during signature checking. Note that while validating
a key we might have already checked MD5 key signatures. */
if (sig->digest_algo == DIGEST_ALGO_MD5)
md5_digest_warn (0);
if( !rc && sig->flags.unknown_critical ) if( !rc && sig->flags.unknown_critical )
{ {
log_info(_("assuming bad signature from key %s" log_info(_("assuming bad signature from key %s"