Commit Graph

10387 Commits

Author SHA1 Message Date
Werner Koch 50e81ad38d
gpg: Make sure a DECRYPTION_OKAY is never issued for a bad OCB tag.
* g10/mainproc.c (proc_encrypted): Force a decryption failure if any
error has been seen.
* g10/decrypt-data.c (aead_checktag): Issue an ERROR line.
--

GnuPG-bug-id: 7042

Note that gpg in any case returns a failure exit code but due to
double forking GPGME would not see it.
2024-03-14 21:41:48 +01:00
Werner Koch f78501c545
gpg: new list-option store-x509-notations.
* g10/options.h (LIST_STORE_X509_NOTATIONS): New.
* g10/gpg.c (parse_list_options): Add "store-x509-notations".
* g10/keylist.c (print_x509_notations): Add arg PK and code to write a
file.
(list_signature_print): Add arg lastpk and handle new option.
(list_keyblock_print): Track last key or subkey and pass to
list_signature_print.
2024-03-14 20:58:01 +01:00
Werner Koch 14c1b73093
gpg: new list-option show-x509-notations
* g10/gpg.c (parse_list_options): Add new option.
* g10/options.h (LIST_SHOW_X509_NOTATIONS): New.
* g10/build-packet.c (search_sig_notations): New.
* g10/keylist.c (print_x509_notations): New.
(list_signature_print): Use macros for the sig classes.  Call
print_x509_notations.
(list_keyblock_print): Call list_signature_print if x509 notation
printing is enabled.
2024-03-12 18:01:24 +01:00
Werner Koch 81536535f8
card: Use xstrdup for module names.
--
2024-03-12 16:04:19 +01:00
Werner Koch 4485930f9f
Merge branch 'STABLE-BRANCH-2-4'
--
Resolved conflicts:
	NEWS
	common/exechelp-w32.c
	configure.ac
2024-03-12 16:00:55 +01:00
Werner Koch 609b1ec0c6
Post release updates
--
2024-03-07 15:10:47 +01:00
Werner Koch cbff323b3b
Release 2.4.5 2024-03-07 14:03:25 +01:00
Werner Koch 348de4a829
po: msgmerge
--
2024-03-07 14:01:59 +01:00
Werner Koch 3ffcd533d4
po: Fix a fuzzy in the German, Polish and Japanese translation
--
2024-03-07 14:01:22 +01:00
Werner Koch 09431d1762
scd: Improve code reability of ccid-driver.c
* scd/ccid-driver.c (my_npth_unprotect, my_npth_protect): New.
Replace all direct uses by these wrappers.
2024-03-07 13:44:30 +01:00
Werner Koch 1682ca9f01
scd: Add support for ACR-122U
* scd/ccid-driver.h (VENDOR_ACR, ACR_122U): New.
* scd/ccid-driver.c (ccid_open_usb_reader): Do not call
libsub_set_interface_alt_setting for this reader.
--

Co-authored-by: markus.montkowski@gnupg.com
2024-03-07 13:44:00 +01:00
Werner Koch a1ea3b13e0
scd: Let the CCID module auto detach the kernel driver.
* scd/ccid-driver.c (ccid_open_usb_reader): Call
libusb_set_auto_detach_kernel_driver.

* scd/scdaemon.c (oCompatibilityFlags): New.
(opts): Add option "compatibility-flags".
(compatibility_flags): New.
(main): Parse flags.
* scd/scdaemon.h (opt): Add field compat_flags.
(COMPAT_CCID_NO_AUTO_DETACH): New.
2024-03-07 13:21:43 +01:00
Werner Koch 79d0e52b2d
gpg: Fix a possible segv due to an uninitialized gcrypt context.
* g10/sign.c (sign_symencrypt_file): Initialize MD for the error case.
--

Reported-by: Falko Strenzke
Fixes-commit: 1ddd69935d
in the not yet released master branch.
2024-03-06 15:49:51 +01:00
Werner Koch 00b877ecda
doc: Typo fix in comment
--
2024-03-06 11:54:33 +01:00
Werner Koch 37cc255e49
wks: Make gpg-wks-client --mirror work w/o args.
* tools/gpg-wks-client.c (mirror_one_key): Test for no domain
specified.
--

The code did not really work if no domain was given.  It worked but
filtered out all keys so that no key was actually exported.
2024-03-06 10:00:37 +01:00
Werner Koch 345794cfe6
gpg: Fix mixed invocation with --trusted-keys and --no-options.
* g10/trustdb.c: Move a function and some definitions around.
(user_utk_list): Rename to trusted_key_list.  Change all users.
(any_trusted_key_seen): New.
(tdb_register_trusted_key): Set it here.  Handle the new value "none".
(verify_own_keys): Do not delete a trusted key from the trustdb if a
trusted-key option was not used.
--

GnuPG-bug-id: 7025
2024-03-04 14:58:45 +01:00
Werner Koch 36a3550bff
wks: Add option --realclean to gpg-wks-client.
* tools/gpg-wks-client.c (oRealClean): New.
(opts): Add "realclean".
(parse_arguments): Implement.
(main): Take a copy of the module name to fix bad assignment from a
former patch.
* tools/gpg-wks-server.c (main): Ditto.
* tools/gpg-wks.h (opt): Add field realclean.
* tools/wks-util.c (wks_get_key): Call gpg with export-realclean
depending on the new option.
--

The default for gpg-wks-client is to install keys with all valid key
signatures.  The new option will eventually allow to install the keys
only with key signatures done by trusted-keys.  Also the export-option
is in gpg, it requires one more gpg patch to make it actually work.
2024-03-04 14:28:48 +01:00
Werner Koch 74e4dd3668
gpg: Prepare for a new export option export-realclean.
* g10/options.h (EXPORT_REALCLEAN): New.  Also re-assign other values
to keep them more in sync with the corresponding import values.
* g10/export.c (parse_export_options): Add "export-realclean".
(do_export_stream): Call clean_all_uids directly with the options
arg.
* g10/import.c (import_one_real): Change for direct use of options in
clean_all_uids.
* g10/key-clean.c (is_trusted_key_sig): New.  Stub for now.
(clean_sigs_from_uid): Re-purpose self_only to a general options arg.
Implement EXPORT_REALCLEAN code path.
(clean_one_uid): Re-purpose self_only to a general options arg.
(clean_all_uids): Ditto.
* g10/keyedit.c (keyedit_menu): Use EXPORT_MINIMAL instead of a simple
flag.
(menu_clean): Re-purpose self_only to a general options arg.

* g10/keyid.c (fpr20_from_pk): Factor code out to ....
(fpr20_from_fpr): new.  Remove useless case for ARRAY being NULL.
* g10/tdbio.c (tdbio_search_trust_byfpr): Add arg fprlen and use
fpr20_from_fpr if needed.
(tdbio_search_trust_bypk): Pass 20 for the fingerprint length.
--

Note that this code has no function yet.  Another patch will follow to
extract the trusted-keys flag from the trustdb.
2024-03-04 14:22:42 +01:00
Werner Koch 233bf39323
build: Extend getswdb.sh to allow a verified download
--
2024-02-29 15:35:27 +01:00
Werner Koch c27e5be50b
build: Make getswdb.sh usable outside the GniPG tree.
--
2024-02-29 10:21:33 +01:00
Werner Koch dcab895e4c
gpg: Emit status lines for errors in the compression layer.
* g10/compress-bz2.c: Replace all log_fatal by log_error,
write_status_error, and g10_exit.
(do_uncompress): Ditto.
--

This gives gpgme a better way to detect corrupted data in the
compression layer.
GnuPG-bug-id: 6977
2024-02-27 11:33:21 +01:00
Werner Koch 962058f704
Allow tilde expansion for the foo-program options.
* agent/gpg-agent.c (parse_rereadable_options): Use make_filename_try
for opt.pinentry_program.  Change definition accordingly.
* g10/gpg.c (main): Use make_filename for agent_program,
dirmngr_program, and keyboxd_program. Change definition accordingly.
* sm/gpgsm.c (main): Ditto.
* tools/gpg-card.c (parse_arguments): Ditto.
* tools/gpg-connect-agent.c (main): Ditto.
* tools/gpg-wks-client.c (parse_arguments): Likewise.  Do it also for
option --output.
(process_confirmation_request): Print a note for a successful sent.
--

GnuPG-bug-id: 7017
2024-02-27 10:36:22 +01:00
Werner Koch adf4db6e20
agent: Allow GET_PASSPHRASE in restricted mode.
* agent/command.c (cmd_get_passphrase): Allow use in restricted mode
but ignore the cacheid.
--

The use case is symmetric encryption via the extra-socket.  To avoid
that the gpg running on the server has access to the cache we set the
cache id to NULL so that the cache is not used at all.
2024-02-25 16:03:54 +01:00
Werner Koch 40227e42ea
doc: Document the "grp" record in colon listings.
--
2024-02-22 17:05:04 +01:00
Werner Koch 2372f6a403
gpg: Fix gpg_mpi_write for the unused opaque case.
* g10/build-packet.c (gpg_mpi_write): Take care of the fact that
get_opaque already returns a bit-exact value.
--

Fixes-commit: ab17f7b6c3
Reported-by: Falko Strenzke <falko.strenzke@mtg.de>
2024-02-21 15:55:14 +01:00
Werner Koch a09157ccb2
wks: Allow command style args for gpg-wks-client.
* tools/gpg-wks-client.c (wrong_args): Take two args.  Change all
callers.
(main): Pass ARGPARSE_FLAG_COMMAND for recent gpgrt version.
--

This requires gpgrt 1.48.  Of course "gpg-wks-client --create ..."
continues to work.
2024-02-21 14:07:06 +01:00
Werner Koch 95bc592ab5
g13: Allow command line style "g13 mount foo".
* g13/g13.c (main): Set flag ARGPARSE_FLAG_COMMAND.
--

This requires gpgrt 1.48.  Of course "g13 --mount foo" continues to
work.
2024-02-20 11:40:49 +01:00
Mario Haustein 3aa02027cd
scd:p15: Fix typo in a comment 2024-02-20 10:34:39 +01:00
Mario Haustein 557f29d2c1
scd:p15: Add ECC support for D-Trust Card 4.1/4.4
* scd/app-p15.c (do_sign): Add MSE RESTORE parameters for D-Trust ECC
cards.
(do_decipher): Ditto.
2024-02-20 10:32:08 +01:00
Werner Koch 1e496cf2e5
scd:p15: Take derive usage into account for decryption (2).
* scd/app-p15.c (do_getattr): Yet another palce to fix.
--
GnuPG-bug-id: 7000
Co-authored-by: Mario Haustein <mario.haustein@hrz.tu-chemnitz.de>
2024-02-20 10:29:25 +01:00
Werner Koch 3341017ff1
scd:p15: Handle duplicate certificate ids.
* scd/app-p15.c (struct app_local_s): Add field cdf_dup_counter.
(objid_in_cdflist_p): New.
(read_p15_info): Clear the counter.
(read_ef_cdf): Detect and fix duplicate IDs.
--

GnuPG-bug-id: 7001
Reported-by: Mario Haustein <mario.haustein@hrz.tu-chemnitz.de>
2024-02-20 09:17:38 +01:00
Werner Koch ad4bc3e04d
scd:p15: Take derive usage into account for decryption.
* scd/app-p15.c (set_usage_string): Map usageflags.derive also to 'e'.
(do_auth): Allow usageflags.sign_recover.
(do_decipher): Allow usageflags.derive.
(do_with_keygrip): Take usageflags.derive into account.
(do_gettatr): Ditto.
(do_decipher): Take a missing AODF for authentication not needed.
--

This is required for D-Trust ECC cards.

The AODF thing is unrelated but seems to be a good idea.

GnuPG-bug-id: 7000
2024-02-20 09:17:38 +01:00
NIIBE Yutaka 2810b93464
dirmngr: Fix keep-alive flag handling.
* dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic
Authentication.  Fix resource leak of FP_WRITE.

--

GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-02-16 16:24:26 +09:00
NIIBE Yutaka 848546b05a
dirmngr: Fix the regression of use of proxy for TLS connection.
* dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it
causes resource leak of FP_WRITE.
Don't try to read response body to fix the hang.

--

GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-02-16 11:38:57 +09:00
Werner Koch 0370678536
speedo: Add config variable for the timestamp service.
--
2024-02-15 14:53:28 +01:00
NIIBE Yutaka 04cbc3074a
dirmngr: Fix proxy with TLS.
* dirmngr/http.c (proxy_get_token, run_proxy_connect): Always
available regardless of USE_TLS.
(run_proxy_connect): Use log_debug_string.
(send_request): Remove USE_TLS.

--

Since the commit of

	1009e4e5f7

Building with TLS library is mandatory.

GnuPG-bug-id: 6997
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-02-15 15:38:34 +09:00
NIIBE Yutaka 874918ab91
common,dirmngr:w32: Add include files.
* common/dynload.h: Include windows.h.  Don't define RTLD_LAZY, if
already defined.
* common/init.c: Include wctype.h.
* dirmngr/certcache.c: Include wincrypt.h.
* dirmngr/dns-stuff.c: Include ws2tcpip.h.

--

GnuPG-bug-id: 5894
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-02-15 14:40:33 +09:00
NIIBE Yutaka 27f66148f7
dirmngr:w32: Add include files.
* dirmngr/ks-engine-ldap.c: Include winldap.h and winber.h.

--

Definition of ber_free is in winber.h.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-02-15 14:38:10 +09:00
Werner Koch 302afcb6f6
gpg: Add option --assert-pubkey_algo.
* g10/keyid.c (parse_one_algo_string): New.
(compare_pubkey_string_part): New.
(compare_pubkey_string): New.
* g10/verify.c (check_assert_signer_list): New.
* g10/mainproc.c (check_sig_and_print): Call check_assert_pubkey_algo.
* g10/options.h (opt): Add field assert_pubkey_algos.
* g10/gpg.c (oAssertPubkeyAlgo): New.
(opts): Add "--assert-pubkey_algo".
(assert_pubkey_algo_false): New.
(main): Parse option.
(g10_exit): Reorder RC modifications.  Check assert_pubkey_algo_false.
* common/status.h (ASSERT_PUBKEY_ALGOS): new.
* common/t-support.h (LEAN_T_SUPPORT): Use a simplified version if
this macro is set.

* g10/gpgv.c (oAssertPubkeyAlgo): New.
(opts): Add "--assert-pubkey_algo".
(assert_pubkey_algo_false): New.
(main): Parse option.
(g10_exit): Check assert_pubkey_algo_false.

* g10/t-keyid.c: New.
* g10/Makefile.am: Add t-keyid.
* g10/test-stubs.c: Add assert_pubkey_algos and assert_signer_list and
remove from other tests.
(check_assert_signer_list): Ditto.
(check_assert_pubkey_algo): Ditto.
--

GnuPG-bug-id: 6946
2024-02-10 14:26:55 +01:00
Werner Koch 5842eee805
doc: Suggest the use of a fingerprint for --default-key.
--

GnuPG-bug-id: 6975
2024-02-05 08:53:06 +01:00
Werner Koch e5f24218fc
doc: Improve warning for --use-embedded-filename.
--

GnuPG-bug-id: 6972
2024-02-05 08:42:56 +01:00
Werner Koch 214d3ffe0f
gpgsm: Increase salt size in pkcs#12 parser.
* sm/minip12.c (parse_bag_encrypted_data): Need 32 bytes.
--

GnuPG-bug-id: 6757
2024-02-05 08:00:20 +01:00
Ángel González 375c3a238a
gpgsm: cleanup on error paths
* sm/minip12.c (p12_parse): set err on the different error paths

--

GnuPG-bug-id: 6973
Fixes-commit: 101433dfb4
Signed-off-by: Ángel González <angel@pgp.16bits.net>
2024-02-05 07:54:14 +01:00
Werner Koch 40b85d8e8c
scd:openpgp: Allow PIN length of 6 also with a reset code.
* scd/app-openpgp.c (do_change_pin): Fix PIN length check.  Add "R"
flag to the reset code prompt.
--

When using the reset code it was not possible to set a PIN of length
6.  The "R" flags fixes a funny prompt.

Fixes-commit: efe325ffdf
scd:openpgp: Allow PIN length of 6 also with a reset code.

* scd/app-openpgp.c (do_change_pin): Fix PIN length check.  Add "R"
flag to the reset code prompt.
--

When using the reset code it was not possible to set a PIN of length
6.  The "R" flags fixes a funny prompt.

Fixes-commit: 2376cdff13
2024-01-30 15:58:14 +01:00
Andre Heinecke d6dedda3f2
w32, msi: Fix directory of gpg-card, add keyboxd
* build-aux/speedo/w32/wixlib.wxs: Fix gpg-card directory id.
Add keyboxd.
2024-01-30 10:20:43 +01:00
Jakub Bogusz 300c9eeace
po: update Polish translation 2024-01-29 10:59:13 +01:00
Werner Koch 03207f62e8
gpg: Minor code cleanup for fingerprint computation.
* g10/keyid.c (do_hash_public_key): Simplify code for clarity.
2024-01-29 10:30:51 +01:00
Werner Koch ae0a755e0d
gpg: Hide --textmode from the help output.
--
2024-01-29 09:26:26 +01:00
Werner Koch 78eae9ffe8
doc: Mark --textmode as legacy option.
--
2024-01-29 09:24:19 +01:00
Werner Koch 2ed1f68b48
doc: Fix spelling errors found by lintian.
--

Reported-by: Andreas Metzler <ametzler@debian.org>
2024-01-29 09:16:21 +01:00