* sm/gpgsm.c (opts): Add option --ldapserver and make --keyserver an
alias.
--
We should use "keyserver" for OpenPGP and thus it is better to allow
for "ldapserver" here - it is the same convention as now used in
dirmngr.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d6df1bf849)
* dirmngr/dirmngr_ldap.c (main): Handle no args case.
--
This is required for example for CRLs. The old code did not require
this because the hos was taken from the URL given has arg.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f6e45671aa)
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Remove the
password_param thing because we set the password directly without an
intermediate var.
--
Reported-by: Ingo Kloecker
(cherry picked from commit 8bd5172539)
* dirmngr/server.c (make_keyserver_item): Fix default port for ldaps.
Move a tmpstr out of the blocks.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Improve diagnostics.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 8de9d54ac8)
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Use LDAP_OPT_TIMEOUT.
* dirmngr/dirmngr.c (main): Move --ldaptimeout setting to ...
(parse_rereadable_options): here.
--
Note that this has not yet been tested. In fact a test with OpenLDAP
using a modified route got stuck in the connection attempt. Maybe it
works on Windows - will be tested later.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 317d5947b8)
* dirmngr/dirmngr.c (opts): Add option --ldapserver.
(ldapserver_list_needs_reset): New var.
(parse_rereadable_options): Implement option.
(main): Ignore dirmngr_ldapservers.conf if no --ldapserver is used.
* dirmngr/server.c (cmd_ldapserver): Add option --clear and list
configured servers if none are given.
--
This option allows to specify LDAP keyserver in dirmngr instead of
using gpgsm.conf.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit ff17aee5d1)
* dirmngr/server.c (cmd_ldapserver): Strip an optional prefix.
(make_keyserver_item): Handle non-URL ldap specs.
* dirmngr/dirmngr.h (struct ldap_server_s): Add fields starttls,
ldap_over_tls, and ntds.
* dirmngr/ldapserver.c (ldapserver_parse_one): Add for an empty host
string. Improve error messages for the non-file case. Support flags.
* dirmngr/ks-action.c (ks_action_help): Handle non-URL ldap specs.
(ks_action_search, ks_action_get, ks_action_put): Ditto.
* dirmngr/ks-engine-ldap.c: Include ldapserver.h.
(ks_ldap_help): Handle non-URL ldap specs.
(my_ldap_connect): Add args r_host and r_use_tls. Rewrite to support
URLs and non-URL specified keyservers.
(ks_ldap_get): Adjust for changes in my_ldap_connect.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto.
--
The idea here is to unify our use of URLS or colon delimited ldap
keyserver specification. The requirement for percent escaping, for
example the bindname in an URLs, is cumbersome and prone to errors.
This we allow our classic colon delimited format as an alternative.
That format makes it also easy to specify flags to tell dirmngr
whether to use starttls or ldap-over-tls. The code is nearly 100%
compatible to existing specification. There is one ambiguity if the
hostname for CRL/X509 searches is just "ldap"; this can be solved by
prefixing it with "ldap:" (already implemented in gpgsm).
GnuPG-bug-id: 5405, 5452
Ported-from: 2b4cddf908
* common/keyserver.h: Remove.
* sm/gpgsm.h (struct keyserver_spec): Remove.
(opt): Change keyserver to a strlist_t.
* sm/gpgsm.c (keyserver_list_free): Remove.
(parse_keyserver_line): Remove.
(main): Store keyserver in an strlist.
* sm/call-dirmngr.c (prepare_dirmngr): Adjust for the strlist. Avoid
an ambiguity in dirmngr by adding a prefix if needed.
* g10/options.h (struct keyserver_spec): Move definition from
keyserver.h to here. Remove most fields.
* g10/keyserver.c (free_keyserver_spec): Adjust.
(cmp_keyserver_spec): Adjust.
(parse_keyserver_uri): Simplify.
(keyidlist): Remove fakev3 arg which does not make any sense because
we don't even support v3 keys.
--
We now rely on the dirmngr to parse the keyserver specs. Thus a bad
specification will not be caught immediately. However, even before
that dirmngr had stricter tests.
Signed-off-by: Werner Koch <wk@gnupg.org>
Ported-from: 9f586700ec
* dirmngr/http.h (HTTP_PARSE_NO_SCHEME_CHECK): New.
* dirmngr/http.c (http_parse_uri): Use this flag. Change all callers
to use the new macro for better readability.
(do_parse_uri): Add pseudo scheme "opaque".
(uri_query_value): New.
--
This scheme can be used to convey arbitrary strings in a parsed_uri_t
object.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 72124fadaf)
* sm/keydb.c (struct keydb_local_s): Add field saved_search_result.
(keydb_push_found_state): Implement for keyboxd.
(keydb_pop_found_state): Ditto.
(keydb_get_cert): Do not release the cert so that the function can be
used again to get the same cert. This is the same behaviour as in
pubring.kbx mode.
* sm/certchain.c, sm/import.c: Improve some error messages.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpgtar-create.c (fillup_entry_w32): Move parentheses.
--
Fixes-commit: 8b8925a2bd
The bug is so obvious that I wonder why it was not reported more often
on Windows. (Adding 1 to MAXDWORD (0xfffffff) always gives 0 for the
product).
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/cvt-openpgp.c (do_unprotect): Only modify SKEY when it is
correctly decrypted.
--
GnuPG-bug-id: 5122
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* common/compliance.c (gnupg_cipher_is_allowed): Allow GCM for gpgsm
in decrypt mode.
* tests/cms/samplemsgs/pwri-sample.gcm.p7m: Remove duplicated authtag
--
We allow GCM in de-vs mode for decryption although this has not been
evaluation. It is decryption and thus no serious harm may happen.
* tests/cms/samplemsgs/: Add sample messages.
* sm/gpgsm.c (main): Use gpgrt_fcancel on decryption error.
* sm/decrypt.c (decrypt_gcm_filter): New.
(gpgsm_decrypt): Use this filter if requested. Check authtag.
--
Note that the sample message pwri-sample.gcm.p7m is broken: The
authtag is duplicated to the authEncryptedContentInfo. I used a
temporary code during testing hack to that test message out.
* g10/openfile.c (overwrite_filep): Use gnupg_access.
--
As said, this is just an obvious but partial fix. We need to review
things for the output module.
Signed-off-by: Werner Koch <wk@gnupg.org>
* sm/keylist.c (list_cert_raw): Print the OpenPGP fpr.
--
This is useful for debugging for example if an OpenPGP key is used to
create an X.509 cert.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/command.c (cmd_genkey): Use goto instead of return.
* agent/cvt-openpgp.c (convert_from_openpgp_main): Ditto.
* agent/genkey.c (agent_ask_new_passphrase): Fix typo to free correct
pointer
(agent_genkey): Release memory
* agent/gpg-agent.c (check_own_socket): Free sockname
* agent/protect-tool.c (read_key): Free buf.
(agent_askpin): Free passphrase
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Changed original patch to not add a free before a GPG_ERR_BUG.
Signed-off-by: Werner Koch <wk@gnupg.org>
GnuPG-bug-id: 5393
* dirmngr/ks-engine-ldap.c (extract_keys): Return the fingerprint if
available.
(ks_ldap_search): Ditto.
(extract_keys): Make sure to free the ldap values also in corner
cases.
(my_ldap_value_free): New.
(ks_ldap_get): Ditto.
(ks_ldap_search): Ditto.
(my_ldap_connect): Ditto.
--
For background see these comments from gpgme:
/* The output for external keylistings in GnuPG is different from all
the other key listings. We catch this here with a special
preprocessor that reformats the colon handler lines. */
/* The format is:
pub:<keyid>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags>
as defined in 5.2. Machine Readable Indexes of the OpenPGP
HTTP Keyserver Protocol (draft). Modern versions of the SKS
keyserver return the fingerprint instead of the keyid. We
detect this here and use the v4 fingerprint format to convert
it to a key id.
We want:
pub:o<flags>:<keylen>:<algo>:<keyid>:<creatdate>:<expdate>::::::::
*/
Regarding the freeing of values: I was not able to find a
specification stating it is okay to pass NULL to ldap_value_free, thus
the new wrapper. Also add robustness measures in case ldap_get_value
returns an empty array.
GnuPG-bug-id: 5441
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/command.c (cmd_keyinfo): Factor some code out to ...
(get_keyinfo_on_cards): ... new.
(cmd_havekey): Add --list mode.
* g10/gpg.h (struct server_control_s): Add new caching vars.
* g10/gpg.c (gpg_deinit_default_ctrl): Release cache.
* g10/call-agent.c (agent_probe_any_secret_key): Init and try to use
the keygrip cache.
(agent_genkey): Clear the cache.
(agent_import_key): Ditto.
* g10/keylist.c (list_all, list_one): Pass ctrl to
agent_probe_any_secret_key.
* g10/getkey.c (lookup): Ditto.
--
With this change we first ask the agent for a list of all secret
keygrips and use that list instead of asking the agent for each public
key. Speeds up my "gpg -K" with a lot of secret and public keys by
more than 25%.
Signed-off-by: Werner Koch <wk@gnupg.org>
