No functional changes, just fixing minor spelling issues.
---
Most of these were identified from the command line by running:
codespell \
--ignore-words-list fpr,stati,keyserver,keyservers,asign,cas,iff,ifset \
--skip '*.po,ChangeLog*,help.*.txt,*.jpg,*.eps,*.pdf,*.png,*.gpg,*.asc' \
doc g13 g10 kbx agent artwork scd tests tools am common dirmngr sm \
NEWS README README.maint TODO
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* scd/app.c (send_serialno_and_app_status): Add fallback.
--
The app list was only printed for apps which support the with_keygrip
function. That is not the case for the netkey and otehr cards. The
new fallback prints the actual app name.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (send_keypair_info): Reaturn the key creation time
as part of a KEYPAIRINFO.
(do_readkey): Do not return the KEY-TIME anymore.
--
Sending the KEY_TIME status as part of a READKEY command was only
recently added. It is better to merge that into the KEYPAIRINFO line.
Another patch with chnage this for the consumers of that info.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (retrieve_fprtime_from_card): New.
(do_readkey): Send a KEY_TIME status.
--
It might be easier to fold this into KEYPAIRINFO but for backward
compatibility using a separate status line is safer.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (do_readkey): Use case insensitive match of the
keyref.
(do_writekey, do_sign, do_auth, do_decipher): Ditto.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (struct app_local_s): Add field keyalgo.
(parse_algorithm_attribute): Store the new keyalgo field.
(change_keyattr): Change info message.
(change_keyattr_from_string): Rewrite to also accept a keyref and a
keyalgo string.
(do_genkey): Change the keyattr if a keyalgo string is given.
--
Having this feature makes it easier to use OpenPGP cards in a similar
way to other cards. Note that the explicit changing via SETATTR is
still supported.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/openpgp-oid.c (openpgp_curve_to_oid): Add optional arg R_NBITS.
Change all callers.
--
In particular for ed25519 and cv25519 it is quite useful to have an
ability to get the required algorithm.
* common/util.h (EXTERN_UNLESS_MAIN_MODULE): Add the definion only
here but now without the Norcroft-C. Change all other places where it
gets defined.
* common/iobuf.h (iobuf_debug_mode): Declare unconditionally as
extern.
* common/iobuf.c (iobuf_debug_mode): Define it here.
* agent/gpg-agent.c (INCLUDED_BY_MAIN_MODULE): Define here and also in
all main modules of all other programs.
* g10/main.h: Put util.h before the local header files.
--
This change is required for use with gcc/ld's LTO feature which does
not allow common blocks. Further gcc 10 will make -fno-common the
default and thus this chnage is always needed. What a pitty.
Co-authored-by: Tomáš Mráz
GnuPG-bug-id: 4831
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 21d9bd8b87)
- Applied respective chnages also to gpg-card and keyboxd.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (send_key_attr): Use log_assert.
(do_genkey): Allow prefix.
--
It is more uniform to always use full keyref (e.g. "OPENPGP.1")
instead of just the key number.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app.c: Include membuf.h.
(app_switch_current_card): New.
(send_card_and_app_list): Factor code out to ...
(send_serialno_and_app_status): new.
(app_send_card_list): New.
(app_send_active_apps): New.
(app_switch_active_app): New.
* scd/command.c (cmd_switchcard): New.
(cmd_switchapp): New.
(register_commands): Register new commands.
(cmd_getinfo): New sub-commands "active_apps" and "all_active_apps".
--
These new commands allow to switch between known cards and are in
particular useful for the gpg-card tool.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-piv.c (ask_and_prepare_chv): here.
--
The test code from the last PIV change was accidently kept enabled.
Fixes-commit: 2dd6b4b998
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (struct app_local_s): New field pincache.
(cache_pin): Set it.
(pin_from_cache): Consult it.
* scd/app-piv.c (struct app_local_s): New field pincache.
(cache_pin): Set it.
(pin_from_cache): Consult it.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/command.c (pincache_put): Add arg pinlen and change all callers
to provide it.
* scd/app-piv.c (cache_pin): New.
(pin_from_cache): New.
(ask_and_prepare_chv): Add args no_cache and r_unpaddedpinlen. Take
PIN from the cache. Return the unpadded length.
(verify_chv): Add arg ctrl. Cache the PIN.
(do_change_chv): Clear PIN cache.
--
The PIV pins are padded but we want to store the unpadded PIN. Thus
the changes to the function.
Code has has been tested by commenting the no_cache parameter because
we the current test certificate was created for PIV.9C which requires
a verification for each use. More testing is required.
GnuPG-bug-id: 4791
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app.c (maybe_switch_app): Factor reselect code out to ...
(run_reselect): new.
(app_write_learn_status): Tweak diagnostics.
(app_do_with_keygrip): Run reselect if a card has more than one
switchable application.
* agent/call-scd.c (agent_card_serialno): Ditto.
* tools/card-call-scd.c (start_agent): Use option --all with SERIALNO.
(scd_serialno): Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (wipe_and_free, wipe_and_free_string): Use them
everywere where we do a wipememory followed by a free.
(pin2hash_if_kdf): Change interface. The input PIN is not anymore
changed. Further there are no more assumptions about the length of
the provided buffer.
(cache_pin): Restructure.
(chvno_to_keyref): New.
(pin_from_cache): New.
(verify_a_chv): Add arg CTRL. Adjust for changed pin2hash_if_kdf.
Chache and retrieve the PIN here.
(verify_chv2): Do not cache the PIN here.
(build_enter_admin_pin_prompt): Add arg 'r_remaining'.
(verify_chv3): Adjust for changed pin2hash_if_kdf. Implement the PIN
cache.
(do_change_pin): Clear the PIN cache. Do not change the PIN here.
Lots of adjustments to cope with the chnaged pin2hash_if_kdf.
(do_sign): Do not cache the PIN here.
--
Note that some of the changes are required because we can't rely that
the PIN is always cached in secure memory. Thus it is better to do an
explicit wipe.
Testing the PIN cache can currently only be done my modifying the
code to do a verification for each operation. Only some basic testing
has been done. Clearing the PIN cache is also not fully
implemented. With the forthcoming changes to app-piv we should be
enter able to test the PIN cache.
Missing stuff:
- The agent should be able to selectively clear the cache on a per
slot base.
- We should replace AESWRAP by OCB.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/call-scd.c (handle_pincache_put): Do not decrypt.
(handle_pincache_get): New.
(inq_needpin): Call it.
* scd/command.c (set_key_for_pincache): New.
(pincache_put): Restructure and set key.
(pincache_get): Ditto.
--
This change does away with encrypting and decrypting the cached PIN in
the agent. There is no need for this we can simply cache the
cryptogram and let scdaemon decrypt after retrieving it from the
agent. This way we do not need to share a key between gpg-agent and
scdaemon and further the cached content is invalid after the scdaemon
process has been replaced.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/command.c (pincache_put): New. Uses a dummy key for now.
(pincache_get): New.
* scd/app.c (select_application): Flush the PIN cache.
(scd_update_reader_status_file): Ditto.
(maybe_switch_app): Call the new prep_reselect function.
(app_write_learn_status): Ditto.
* scd/app-openpgp.c (cache_pin): New helper to cache a PIN.
(verify_chv2): Call it.
(verify_chv3): Call it.
(clear_chv_status): Call it.
(do_change_pin): Call it.
* scd/app-common.h (struct app_ctx_s): Add function 'prep_select'.
* scd/app-openpgp.c (do_prep_reselect): New stub function.
(app_select_openpgp): Set new stub function.
* scd/app-piv.c (do_prep_reselect): New stub function.
(app_select_piv): Set new stub function.
* scd/app-common.h (struct app_ctx_s): Add parameter ctrl to setattr,
sign, auth, decipher, and check_pin. Change all implementations and
callers to pass such a parameter.
--
This is work in progress.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/command.c (open_card_with_request): Use NULL instead of
APPTYPE_NULL.
--
Using the enum is wrong because a string is expected. However it did
harm anything because the value of the enum is 0 and thus equivalent
to NULL.
Signed-off-by: Werner Koch <wk@gnupg.org>
* kbx/keybox.h: Fix naming of arguments.
* scd/ccid-driver.c (print_error) [TEST]: Add missing break. Note
that this is anyway an impossible case.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/apdu.c (apdu_open_reader): Skip use of a reader if it's not the
one specified when it is specified.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app.c (apptype_from_keyref): New.
(maybe_switch_app): Add arg 'keyref' and use this also for switching.
Change all callers to pass a keyref if needed.
--
A drawback of this auto-switching is that the PIN cache of the cards
are cleared. That could be mitigated by having our own cache but we
always tried to avoid that.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-openpgp.c (do_reselect): Clear PIN cache flags.
--
It seems that the verification status of the OpenPGP app on a Yubikey
is reset on a select. We need to reflect this in our cache to avoid a
"Bad PIN" error on computing a signature.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/command.c (cmd_serialno): Add option --all.
(open_card_with_request): Implement that option.
* scd/app.c (select_all_additional_applications_internal): New.
(select_additional_application): Add mode to call new function.
--
This option is currently only useful for Yubikeys and basically
ignored with other cards. Its use is
SERIALNO --all
LEARN --force --multi
which will then print keypairinfo and other stuff for the OpenPGP and
PIV application of a Yubikey. Scute is going to use this to allow
using certificates from OpenPGP and PIV at the same time.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app.c (select_additional_application): Return error for unknown
NAME.
--
ERR was only set but not used.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-common.h (APP_LEARN_FLAG_MULTI): New.
* scd/command.c (cmd_learn): Add option --multi.
* scd/app.c (app_write_learn_status): Factor some code out to ...
(write_learn_status_core): new.
(app_write_learn_status): Implement flag --multi.
--
This new option is intended to return information about all active
applications of the current card. Thus if a "SERIALNO openpgp" and a
"SERIALNO piv" has been done in a session the command "LEARN --force
--multi" returns information about both applications.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-common.h (APP_LEARN_FLAG_KEYPAIRINFO): New flag macro..
* scd/command.c (cmd_learn): Pass that flag instead of a plain number.
* scd/app-nks.c (do_learn_status_core): Use new flag.
* scd/app-p15.c (do_learn_status): Ditto.
* scd/app-piv.c (do_learn_status): Ditto.
* scd/app-sc-hsm.c (do_learn_status): Ditto.
* scd/app.c (app_write_learn_status): Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-nks.c (do_getattr): Add new attributes.
--
Note that these were already added to 2.2 as part of
commit 23784f8bf0
Signed-off-by: Werner Koch <wk@gnupg.org>
Daniel Kahn Gillmor