1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

9207 Commits

Author SHA1 Message Date
Werner Koch
e208ccc66c
gpg: Rename recently added import option no-seckeys to only-pubkeys.
* g10/import.c (parse_import_options): Rename option.
* g10/options.h (IMPORT_NO_SECKEY): Rename to IMPORT_ONLY_PUBKEYS.
Change all users.
--

GnuPG-bug-id: 7146
2024-06-24 11:51:54 +02:00
Werner Koch
7788aba7d8
gpg: Add --import-option "no-seckeys".
* g10/import.c (parse_import_options): Add "no-seckeys".
--

GnuPG-bug-id: 7146
2024-06-11 15:57:01 +02:00
Werner Koch
c489bf7e7e
gpg: Do not bail out on secret keys with an unknown algo
* g10/getkey.c (lookup): Skip keys with unknown algos.
--

If the local store has private keys with an algorithm not supported by
thi version of gpg, gpg used to bail out.  Thus decryption of proper
messages was not possible.  This fix skips such secret keys.
2024-06-11 12:44:25 +02:00
Werner Koch
1d91252205
gpg: Do not show RENC if no key capabilities are found for a key.
* g10/packet.h (PUBKEY_USAGE_BASIC_MASK): New.
* g10/getkey.c (merge_selfsigs_subkey): Mask the default.
(merge_selfsigs_main): Ditto.
--
2024-06-05 11:20:14 +02:00
Jakub Jelen
bc43812358
gpgsm: Avoid double free when checking rsaPSS signatures.
* sm/certcheck.c (gpgsm_check_cms_signature): Do not free s_sig on
error. Its owned and freed by the caller.

--
This is part of
GnuPG-bug-id: 7129
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Fixes-commit: 969abcf40cdfc65f3ee859c5e62889e1a8ccde91
(cherry picked from commit dcb0b6fd4822107d68bcb046d4d0650d02c82522)
2024-05-29 11:58:27 +02:00
Jakub Jelen
a1f85fdc40
agent: Avoid uninitialized access in GENKEY command on parameter error.
* agent/command.c (cmd_genkey): Moved init_membuf to the top.
--

Signed-off-by: Jakub Jelen <jjelen@redhat.com>

This is part of
GnuPG-bug-id: 7129

(cherry picked from commit 379fc5569d604c4a7b5f12b2bbfc4106893c2a9e)
2024-05-29 11:57:30 +02:00
Werner Koch
ebf9e3b824
wks: Make sure that ERR is always initialized.
* tools/wks-util.c (install_key_from_spec_file): Initialize ERR in case
the loop is never run.
--

This is part of
GnuPG-bug-id: 7129
Co-authored-by: Jakub Jelen <jjelen@redhat.com>

(cherry picked from commit 021c27510b52f86a95ae70b5f4ed5d2c3886c3e8)
2024-05-29 11:55:56 +02:00
NIIBE Yutaka
bb57c808b2
scd:openpgp: Fix PIN pin2hash_if_kdf.
* scd/app-openpgp.c (pin2hash_if_kdf): DEK had been changed to pointer
to allocated memory, so, we need to use DEKLEN for the length.

--

GnuPG-bug-id: 7121
Fixes-commit: 20e85585ed20af67ce68e637ea5c3637615ba2e9
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-05-16 10:28:38 +09:00
Werner Koch
97b37db144
gpg,gpgsm: Remove compatibility_flags allow-ecc-encr and vsd-allow-encr.
* g10/options.h (COMPAT_VSD_ALLOW_OCB): Remove.
* g10/gpg.c (compatibility_flags): Remove "vsd-allow_ocb".
(main): Alwas set CO_EXTRA_INFO_VSD_ALLOW_OCB.
* g10/keygen.c (keygen_set_std_prefs): Always set OCB feature flag.
* g10/encrypt.c (use_aead): Always OCB also in de-vs mode.
* sm/gpgsm.h (COMPAT_ALLOW_ECC_ENCR): Remove.
* sm/gpgsm.c (compatibility_flags): Remove "allow-ecc-encr".
* sm/encrypt.c (encrypt_dek): Always allow ecc encryption.
* sm/certreqgen.c (proc_parameters): Likewise.
--

Both feature are meanwhile approved in de-vs mode thus there is no
more need for the flags.
2024-05-06 14:34:48 +02:00
Werner Koch
6228bb0012
tests: Avoid new C23 keyword true.
* tests/asschk.c (eval_boolean): s/true/tru/
--

GnuPG-bug-is: 7093
2024-04-22 08:05:45 +02:00
Werner Koch
7ed15f7548
Post release updates
--
2024-04-16 11:45:35 +02:00
Werner Koch
398cbbbf8d
Release 2.2.43 gnupg-2.2.43 2024-04-16 09:50:46 +02:00
Werner Koch
15564fa3f6
po: Update some translations for the |R| prompt flag.
--
2024-04-09 13:37:22 +02:00
Werner Koch
1f31dc6200
gpg: Do not allow to accidently set the RENC usage.
* g10/keygen.c (print_key_flags): Print "RENC" if set.
(ask_key_flags_with_mask): Remove RENC from the possible set of
usages.  Add a direct way to set it iff the key is encryption capable.
--

This could be done by using "set your own capabilities" for an RSA
key.  In fact it was always set in this case.

GnuPG-bug-id: 7072
2024-04-04 16:49:50 +02:00
Werner Koch
72c5c70871
gpgconf: Change layout of the gpgconf -X output.
* tools/gpgconf.c (list_dirs): Change the config mode output.
(my_copy_file): Adjust output for org-mode style.
(show_configs_one_file): Ditto.
(show_other_registry_entries): Ditto.
(show_registry_entries_from_file): Ditto.
(show_configs): Ditto.
2024-04-04 15:54:32 +02:00
Werner Koch
8a4069527a
build: Update nPth configure macros.
* m4/npth.m4: Update.
2024-03-18 14:55:46 +01:00
Werner Koch
ce1e671cdc
Update NEWS
--
2024-03-18 14:02:53 +01:00
Werner Koch
5ccfc2101a
gpgconf: Check readability of some files with -X
* tools/gpgconf.c (list_dirs): Rename arg from special to
show_config_mode. Add "S.Uiserver" test and test existsing files for
readability.
2024-03-18 11:15:08 +01:00
Werner Koch
82b39fe254
gpg: Make sure a DECRYPTION_OKAY is never issued for a bad OCB tag.
* g10/mainproc.c (proc_encrypted): Force a decryption failure if any
error has been seen.
* g10/decrypt-data.c (aead_checktag): Issue an ERROR line.
--

GnuPG-bug-id: 7042

Note that gpg in any case returns a failure exit code but due to
double forking GPGME would not see it.
2024-03-14 21:53:19 +01:00
Werner Koch
509d0f76ce
gpg-check-pattern: Consider an empty pattern file as valid
* tools/gpg-check-pattern.c (read_file): Check length before calling
fread.
--

The problem with an empty file is that es_fread is called to read one
element of length zero which seems to be undefined behaviour and
results in ENOENT on my test box.
2024-03-13 15:32:10 +01:00
Werner Koch
5999d95e04
wks: Make gpg-wks-client --mirror work w/o args.
* tools/gpg-wks-client.c (mirror_one_key): Test for no domain
specified.
--

The code did not really work if no domain was given.  It worked but
filtered out all keys so that no key was actually exported.
2024-03-06 11:44:19 +01:00
Werner Koch
8cd920f6aa
gpg: Fix mixed invocation with --trusted-keys and --no-options.
* g10/trustdb.c: Move some definitions around.
(user_utk_list): Rename to trusted_key_list.  Change all users.
(any_trusted_key_seen): New.
(tdb_register_trusted_key): Set it here.  Handle the new value "none".
(verify_own_keys): Do not delete a trusted key from the trustdb if a
trusted-key option was not used.
--

GnuPG-bug-id: 7025
2024-03-04 15:24:40 +01:00
NIIBE Yutaka
f50c543326
agent: Allow simple KEYINFO command when restricted.
* agent/command.c (cmd_keyinfo): Only forbid list command.

--

GnuPG-bug-id: 7003
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-03-01 13:59:43 +09:00
NIIBE Yutaka
41c0220725
dirmngr: Fix keep-alive flag handling.
* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic
Authentication.  Fix resource leak of FP_WRITE.

--

GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-02-21 15:12:16 +01:00
NIIBE Yutaka
c33c4fdf10
dirmngr: Fix the regression of use of proxy for TLS connection.
* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it
causes resource leak of FP_WRITE.
Don't try to read response body to fix the hang.

--

GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-02-21 15:11:31 +01:00
NIIBE Yutaka
d6c428699d
dirmngr: Fix proxy with TLS.
* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always
available regardless of USE_TLS.
(send_request): Remove USE_TLS.

--

Since quite some time building w/o TLS won't work.

GnuPG-bug-id: 6997
2024-02-21 15:09:07 +01:00
Werner Koch
23d9093d9b
More NEWS.
--
2024-02-05 13:03:16 +01:00
Ángel González
3d46eb6cf7
common: Update requisites
* configure.ac: Require libgpg-error 1.38 and libksba 1.4.0
* common/util.h: Remove error number substitutes.
--

These versions were already needed for a successful compilation,
but it was not reflected by configure.

GnuPG-bug-id: 6974
Signed-off-by: Ángel González <angel@pgp.16bits.net>

util.h patch by wk.
2024-02-05 08:24:09 +01:00
Werner Koch
cbe0956df0
gpgsm: Increase salt size in pkcs#12 parser.
* sm/minip12.c (parse_bag_encrypted_data): Need 32 bytes.
--

GnuPG-bug-id: 6757
2024-02-05 07:59:02 +01:00
Werner Koch
ce69c103f4
scd:openpgp: Allow PIN length of 6 also with a reset code.
* scd/app-openpgp.c (do_change_pin): Fix PIN length check.  Add "R"
flag to the reset code prompt.
--

When using the reset code it was not possible to set a PIN of length
6.  The "R" flags fixes a funny prompt.

Fixes-commit: efe325ffdf21205b90f888c8f0248bbd4f61404b
2024-01-30 15:50:09 +01:00
Werner Koch
573098a2f2
Prepare NEWS for 2.2.43
--
2024-01-29 10:48:49 +01:00
NIIBE Yutaka
efe325ffdf
scd:openpgp: Add the length check for new PIN.
* scd/app-openpgp.c (do_change_pin): Make sure new PIN length
is longer than MINLEN.

--

GnuPG-bug-id: 6843
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 2376cdff1318688d94c95fd01adc4b2139c4a8c7)
2024-01-26 15:14:02 +01:00
Werner Koch
20e85585ed
scd:openpgp: Restructure the pin2hash_id_kdf function.
* scd/app-openpgp.c (wipe_and_free_string, wipe_and_free): Enable
functions.
(pin2hash_if_kdf): Change interface.  The input PIN is not anymore
changed.  Further there are no more assumptions about the length of
the provided buffer.
(verify_a_chv): Adjust for changed pin2hash_if_kdf.
(verify_chv2): Ditto
(verify_chv3): Ditto.
(do_change_pin): Ditto.
(do_sign): Ditto.
--

Note that this a part of the patch
63bda3aad8ec4163b0241f64e8b587d665d650c3 which we used in 2.4 to
implement a PIN cache.  For easier backporting we need to add this
here.
2024-01-26 15:11:54 +01:00
NIIBE Yutaka
97b01ad3f8
tools: Fix argparse table of gpgconf.
* tools/gpgconf.c (opts): Use ARGPARSE macros.

--

GnuPG-bug-id: 6902
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 2be53b214d1c9205f5326ca663115200609d8df4)
2024-01-26 13:47:22 +01:00
Werner Koch
935b5a49b4
dirmngr: For CRL issuer verification trust the system's root CA.
* dirmngr/crlcache.c (crl_parse_insert): Add
VALIDATE_FLAG_TRUST_SYSTEM.
--

GnuPG-bug-id: 6963
2024-01-26 13:14:14 +01:00
Werner Koch
535c5cf769
common,w32: Fix use of GNUPG_SPAWN_KEEP_STDERR.
* common/exechelp-w32.c (gnupg_spawn_process): Fix macro.
--

Fixes-commit: 7ba44d15ca2f800c402a56eb71bb524f91ea2ffa
GnuPG-bug-id: 6961
2024-01-26 10:27:40 +01:00
Werner Koch
ccd201d7db
doc: Minor typo fix.
--

Was already fixed in 2.4. A 2.2 user reported this to g10 Code.
2024-01-24 15:09:59 +01:00
Werner Koch
3b69d8bf71
gpg: Fix leftover unprotected card backup key.
* agent/command.c (cmd_learn): Add option --reallyforce.
* agent/findkey.c (agent_write_private_key): Implement reallyforce.
Also add arg reallyforce and pass it along the call chain.

* g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a
special force value.
* g10/keygen.c (card_store_key_with_backup): Use that force value.
--

This was a regression in 2.2.42.  We took the easy path to fix it by
getting the behaviour back to what we did prior to 2.2.42.  With GnuPG
2.4.4 we use an entire different and safer approach by introducing an
ephemeral private key store.

GnuPG-bug-id: 6944
2024-01-24 11:45:31 +01:00
Werner Koch
9938e8d3f4
common: Fix unused variable warning on Unix.
--
2024-01-10 17:21:32 +01:00
Werner Koch
89c7eccba5
gpg: Allow to create revocations even with non-compliant algos.
* g10/sign.c (do_sign): Skip compliance check for revocation certs.
--

It just does not make sense to inhibit the creation of revocations
depending on the compliance mode.  We do this only for key revocation
but not for another kind of revocation because the rationale for uid
or subkey revocation is more complicated to explain.
2024-01-10 17:18:58 +01:00
Werner Koch
6400672904
gpgconf: Adjust -X command for the new VERSION file format
* tools/gpgconf.c (show_version_gnupg): Read and parse the entire
VERSION file.
--

GnuPG-bug-id: 6918
2024-01-09 12:52:11 +01:00
Werner Koch
cc9568cd59
common,w32: Remove duplicated backslashes when setting the homedir.
* common/homedir.c (copy_dir_with_fixup) [W32]: Fold double
backslashes.
--

This is in general no problem but when we hash or compare the directory
to test whether tit is the standard home directory, we may use a
different socket file and thus a second instance of a daemon.

GnuPG-bug-id: 6833
2024-01-09 10:09:45 +01:00
Builder account for the GnuPG engine
5ce7f8189e Post release updates 2023-11-28 16:08:42 +01:00
Werner Koch
6f5c72a2b5
Release 2.2.42 gnupg-2.2.42 2023-11-28 15:27:41 +01:00
Werner Koch
e020b59ff6
po: Update po files
* g10/keyserver.c (keyserver_refresh): Use ngettext to avoid msgmerge
warnings.
2023-11-28 15:26:37 +01:00
Werner Koch
a6eefa9996
gpgsm: Set validity flag in keylisting to n for untrusted root cert.
* sm/keylist.c (list_cert_colon): Map not_trusted to 'n' for non-root
certs like we do for root certs.
--

GnuPG-bug-id: 6841
2023-11-27 12:34:38 +01:00
Werner Koch
1d472e4934
scd:openpgp: Print a diagnostic for the use of default ECDH params.
* scd/app-openpgp.c (ecc_writekey): Remove the useless check and print
a diagnostic if the default params are used.
--

Note that here in 2.2 we use different default ECDH parameters than in
2.4 (AES192 instead of AES256 for 384 bit curves).

GnuPG-bug-id: 6378
2023-11-23 16:06:15 +01:00
Werner Koch
4c700e3afe
Update NEWS
--
2023-11-21 12:37:35 +01:00
Werner Koch
a91f268d6c
agent: Update the key file only if changed (slight return).
* agent/findkey.c (read_key_file): Add optional arg r_orig_key_value
to return the old Key value.  Change all callers.
(agent_write_private_key): Detect whether the Key entry was really
changed.
--

GnuPG-bug-id: 6829
2023-11-21 12:13:50 +01:00
Werner Koch
5bab257d3a
agent: Update the key file only if not changed.
* common/name-value.c (struct name_value_container): Add flag
"modified".
(nvc_modified): New.
(nvc_new): Set flag.
(_nvc_add): Set flag.
(nvc_delete): Set flag.
(nve_set): Add arg PK.  Change the caller.  Check whether to change at
all.
* agent/findkey.c (agent_write_private_key): Update only if modified.
--

This helps software which uses a file system watcher to track changes
to private keys.  In particular smartcard triggered changes are a
problem for such software because this may at worst trigger another
smartcard read.

GnuPG-bug-id: 6829
2023-11-21 09:06:00 +01:00