* sm/gpgsm.h (struct server_control_s): Add fields cached_kh and
cached_kh_for_set_cert_flags.
* sm/certchain.c (do_validate_chain): Cache the keydb handle.
* sm/keydb.c (keydb_set_cert_flags): Ditto
(keydb_release): Invalidate the caches.
--
In particular under Windows opening a file may be a expensive
operation if malware^Dantivirus software gets in the way.
Due to changed locking behaviour this patch has a regression risk.
* kbx/keybox-search.c (open_file): Use sysopen and sequential.
* kbx/keybox-update.c (create_tmp_file): Ditto.
(blob_filecopy): Ditto.
(keybox_set_flags): Ditto.
(keybox_delete): Ditto.
(keybox_compress): Ditto.
--
Under Windows "sysopen" requests that direct API calls (CreateFile et
al.) are used instead of the libc wrappers. This may or may not
improve the performance.
Using "sequential" is a hint to Windows to assume that a file is in
general access in a sequential manner. This will have an affect only
with a future libgpg-error.
* kbx/keybox-defs.h (struct keybox_handle): Add update_mode flag.
* kbx/keybox-init.c (_keybox_close_file): Clear update_mode flag.
* kbx/keybox-update.c (keybox_set_flags): Avoid a second file handle
but make use of the update mode.
--
This is mostly useful for gpgsm because it updates some flags in the
keyring quite often. Avoiding extra CreateFile calls may help to
speed up things in case malware^Dantivirus software is slowing down a
Windows system.
The locking pattern also change, thus there is some regression risk
due to this patch.
* sm/certchain.c (check_cert_policy): Add simple static cache.
--
It is quite common that a policy file does not exist. Thus we can
avoid the overhead of trying to open it over and over again just to
assert that it does not exists.
* g10/import.c (do_transfer): Force the overridden key import
even when smartcard is available.
--
Fixes-commit: 2c1297055041b4657ea1a927acac978c2b09a483
GnuPG-bug-id: 3456
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent/command.c (cmd_keytocard): Add new arg for ECDH params.
* scd/app-openpgp.c (ecc_writekey): Use provided ECDH params to
compute the fingerprint.
* g10/call-agent.c (agent_keytocard): Add arg ecdh_param_str.
* g10/keyid.c (ecdh_param_str_from_pk): New.
* g10/card-util.c (card_store_subkey): Pass ECDH params to writekey.
* g10/keygen.c (card_store_key_with_backup): Ditto.
* scd/app-openpgp.c (store_fpr): Add arg update.
(rsa_read_pubkey, ecc_read_pubkey): Add arg meta_update and avoid
writing the fingerprint back to the card if not set.
(read_public_key): Also add arg meta_update.
(get_public_key): Do not pass it as true here...
(do_genkey): ... but here.
(rsa_write_key, ecc_writekey): Force string the fingerprint.
--
The problem showed up because in 2.4 we changed the standard ECDH
parameter some years ago. Now when trying to write an ECDH key
created by 2.2 with 2.4 to an openpgp card, scdaemon computes a wrong
fingerprint and thus gpg was not able to find the key again by
fingerprint.
The patch also avoids updating the stored fingerprint in certain
situations.
This fix is somewhat related to
GnuPG-bug-id: 6378
* regexp/jimregexp.c (regatom): Raise REG_ERR_UNMATCHED_BRACKET when
no matching end bracket.
(regmatch): Fix the end of word check.
--
Original changes:
Signed-off-by: Steve Bennett <steveb@workware.net.au>
GnuPG-bug-id: 6455
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* regexp/jimregexp.c (regatom): Make error checking for stray
backslash at end of the string work. Check that the pattern class is
closed by a bracket.
--
GnuPG-bug-id: 6455
Co-authored-by: Guldrelokk
* g10/card-util.c (current_card_status): Print a hint for fishy
outputs.
(enum cmdids): Add cmdOPENPGP.
(cmds): Add "openpgp".
(card_edit): Implement that command.
--
If a Yubikey has been used in PIV mode the initial listing does not
look correct. Although we explicitly switch to the OpenPGP app when
needed, we don't want to do this in listing mode. Instead we offer a
new command "openpgp" to force the openpgp mode. The ultimate goal
will be to enhance the gpg-card tool to completely take over the
--card-edit features. But we are not yet there.
GnuPG-bug-id: 6462
* common/homedir.c (gnupg_maybe_make_homedir): Factor some code out to
...
(create_common_conf): new.
(standard_homedir): Call it also from here.
--
Fixes-commit: d9e7488b17fdc617eec735e2c0485b69285ba511
* g10/call-agent.c (agent_scd_switchapp): New.
* g10/card-util.c (get_info_for_key_operation): Call it.
--
It may happen that the active card was last used for PIV and in that
case certain commands will fail because they assume the OpenPGP app.
Fortunately we have a pretty central place to assure that the right
app has been selected.
The bug can be easily noticed on Windows.
GnuPG-bug-id: 6378
* scd/app-common.h (struct card_ctx_s): Add maybe_check_aid flag.
* scd/command.c (cmd_apdu): Set it.
* scd/app.c (check_external_interference): Consult this flag.
(maybe_switch_app): Do a re-select if this flag is set.
--
After the gpg-card tool has issued a Yubikey specific command the
current application is not anymore correctly selected. This then
results in all kind of errors. We detect this now and try to
re-select the last app.
* common/util.h (GNUPG_MODULE_NAME_GPGTAR): New.
* common/homedir.c (gnupg_module_name): Add it.
* tools/gpgtar.c: Include comopt.h.
(enum cmd_and_opt_values): Add oDebug.
(opts): Add --debug.
(any_debug): New.
(main): Parse common.conf.
--
Having a way to see the output of gpgtar is often useful for
debugging. The only effect of the debug option is to show whether
common.conf was read.
* common/openpgp-oid.c (openpgp_curve_to_oid): Repalce strmcp by
ascii_strcasecmp.
(openpgp_oid_or_name_to_curve): Ditto.
(openpgp_is_curve_supported): Ditto.
(get_keyalgo_string): Ditto.
--
It was just to hard to remember the correct capitalization of
names like brainpoolP512r1.
* g10/import.c (transfer_secret_keys): Only emit a warning when secret
key is not encrypted.
--
Fixing-commit: dbfb7f809b89cfe05bdacafdb91a2d485b9fe2e0
GnuPG-bug-id: 6322
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* common/homedir.c (gnupg_maybe_make_homedir): Also create a
common.conf.
* g10/keydb.c: Include comopt.h.
(maybe_create_keyring_or_box): Detect the creation of a common.conf.
* g10/gpg.c (main): Avoid adding more resources in this case.
* sm/keydb.c: Include comopt.h.
(maybe_create_keybox): Detect the creation of a common.conf.
* common/comopt.h (comopt): Remove the conditional "extern".
* dirmngr/server.c (cmd_ks_get): Add option --newer.
(cmd_ad_query): Ditto.
* dirmngr/ldap-misc.c (isotime2rfc4517): New.
(rfc4517toisotime): New.
* dirmngr/ks-action.c (ks_action_get): Add arg newer and pass on.
(ks_action_query): Ditto.
* dirmngr/ks-engine-ldap.c (extract_keys): Print new "chg" record.
(ks_ldap_get): Add arg newer. Modify filter with newer arg.
(ks_ldap_search): Print the modifyTimestamp.
(ks_ldap_query): Add arg newer. Modify filter with newer arg.
--
Note that the modifyTimestamp is also available on Windows, where its
value is more commonly known as whenChanged. Both are constructed
attributes.
Note that the --newer option is a bit of a misnomer because LDAP has
only a greater-or-equal and no greater-than operator.
* agent/trustlist.c (struct trustitem_s): Add field de_vs.
(read_one_trustfile): Parse it.
(istrusted_internal): Emit TRUSTLISTFLAG status line.
* sm/gpgsm.h (struct rootca_flags_s): Add field de_vs.
* sm/call-agent.c (istrusted_status_cb): Detect the flags.
* sm/sign.c (write_detached_signature): Remove unused vars.
--
Right now this flag has no effect; we first need to specify the exact
behaviour.
GnuPG-bug-id: 5079
* sm/sign.c: Include tlv.h.
(write_detached_signature): New,
(gpgsm_sign): Fixup binary detached signatures.
--
This helps some other software to verify detached signatures.
* agent/command.c (cmd_preset_passphrase): Add option.
* agent/preset-passphrase.c (oRestricted): New.
(opts): Add option --restricted.
(main): Set option.
(preset_passphrase): Use option.
--
We use a different cache for connections from the extra-socket.
However, with gpg-preset-passphrase is only able to preset a
passphrase into the regular cache. Further, a restricted connection
may not use PRESET_PASSPHRASE. To solve this we add an new option to
preset the passphrase into the "restricted" cache. For the
gpg-preset-passphrase tool we also add the option --restricted.
Note that this does not yet work with gpg-preset-passphrase --forget.
* dirmngr/dirmngr.h: Include name-value.h
(struct server_control_s): Add rootdse and rootdse_tried.
* dirmngr/dirmngr.c (dirmngr_deinit_default_ctrl): Release them.
* dirmngr/ks-engine.h (KS_GET_FLAG_ROOTDSE): Add two new flags.
* dirmngr/ks-engine-ldap.c: Include ks-action.h
(SERVERINFO_GENERIC): New.
(struct ks_engine_ldap_local_s): Add scope.
(ks_ldap_new_state): Set a default scope.
(ks_ldap_clear_state): Ditto.
(my_ldap_connect): Add flag generic.
(return_all_attributes): New.
(fetch_rootdse): New.
(basedn_from_rootdse): New.
(ks_ldap_get): Move some code out to ...
(ks_ldap_prepare_my_state): New.
(ks_ldap_query): New.
* dirmngr/ks-action.c (ks_action_parse_uri): Factored out from server.c
(ks_action_query): New.
* dirmngr/server.c (make_keyserver_item): Factored most code out to
ks_action_parse_uri.
(cmd_ad_query): New.
--
This command allows to query the Windows Active directory.
* tools/gpgtar.c (main): Don't allow logging via the Registry. Forbid
using stdout for status-fd in crypt mode.
--
Without that check a status output would be mixed up with the input to
the internal call of gpg.
Using the Registry key to enable logging is very annoying.
* g10/card-util.c (card_store_subkey): Add arg processed_keys.
* g10/keyedit.c (keyedit_menu): Delete secret key.
--
This used to work using the gpg-agent: learn we called at "save" time.
However, the recent change inhibited the creation of a shadow key by
learn if a regular key still exists. Now we do an explicit delete key
at save time. This syncs the behaviour with the description of the
man page.
GnuPG-bug-id: 6378