* g10/gpg.c (oRequestOrigin): New const.
(opts): New option --request-origin.
(main): Parse that option.
* g10/options.h (struct opt): Add field request_origin.
* g10/call-agent.c (start_agent): Send option to the agent.
* sm/gpgsm.c (oRequestOrigin): New const.
(opts): New option --request-origin.
(main): Parse that option.
* sm/gpgsm.h (struct opt): Add field request_origin.
* sm/call-agent.c (start_agent): Send option to the agent.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/parse-packet.c (enum_sig_subpkt): Check buflen before reading
the type octet. Print diagnostic.
--
If the final subpacket has only a length header evaluating to zero and
missing the type octet, a read could happen right behind the buffer.
Valgrind detected this. Fix is obvious. Note that the further
parsing of the subpacket is still okay because it always checks the
length. Note further that --list-packets uses a different code path
and already reported an error.
Reported-by: Philippe Antoine
He provided a test file copied below. Running "gpg -v --verify" on it
triggered the bug.
-----BEGIN PGP ARMORED FILE-----
Comment: Use "gpg --dearmor" for unpacking
kA0DAAoBov87N383R0QBrQJhYgZsb2wucHlaqTVWYnl0ZXMgPSBbMHg1LCAweDY0
LCAweDRjLCAweGM0LCAweDMsIDB4MCwgMHg0LCAweDAsIDB4YWMsIDB4YSwgMHhj
MSwgMHhjMSwgMHgyLCAweDEsIDB4MiwgMHg3LCAweDQwLCAweDIsIDB4MiwgMHgy
LCAweDIsIDB4MiwgMHgyLCAweDIsIDB4MiwgMHgyLCAweDJkLCAweGRkLCAweDIs
IDB4MiwgMHgyLCAweDIsIDB4MiwgMHgyLCAweDIsIDB4MiwgMHgyLCAweDIsIDB4
MiwgMHgyLCAweDIsIDB4MiwgMHgyLCAweDIsIDB4NzcsIDB4ODcsIDB4MiwgMHgy
LCAweDIsIDB4MiwgMHgyLCAweDIsIDB4MiwgMHgyLCAweDIsIDB4MiwgMHgyLCAw
eDIsIDB4MiwgMHgyLCAweDIsIDB4MiwgMHg3NywgMHg4NywgMHgyLCAweDIsIDB4
MiwgMHgyLCAweDIsIDB4MiwgMHgyLCAweDIsIDB4MiwgMHgyLCAweDIsIDB4Miwg
MHgyLCAweDIsIDB4MiwgMHgyLCAweDc3LCAweDg3LCAweDIsIDB4MiwgMHgyLCAw
eDIsIDB4MiwgMHgyLCAweDIsIDB4MCwgMHhhZF0KCmZvciBpIGluIHJhbmdlKGxl
bihieXRlcykpOgogICAgaWYgaSUxNiA9PSAwOgogICAgICAgIHByaW50CiAgICAg
ICAgcHJpbnQgIiUwNngiICUgaSwKICAgIHByaW50ICIlMDJ4ICIgJSBieXRlc1tp
XSwKiQJNBAABCgAeFiEEU+Y3aLjDLA3x+9Epov87N383R0QFAlqpNVYAAAoJEKL/
Ozd/N0dElccP/jBAcFHyeMl7kop71Q7/5NPu3DNULmdUzOZPle8PVjNURT4PSELF
qpJ8bd9PAsO4ZkUGwssY4Kfb1iG5cR/a8ADknNd0Cj9/QA2KMVNmgYtReuttAjvn
hQRm2VY0tvDCVAPI/z8OnV/NpOcbk8kSwE+shLsP7EwqL5MJNMXKqzm1uRxGNYxr
8TNuECo3DO64O2NZLkMDXqq6lg+lSxvDtXKxzKXgVC+GMtOE56lDwxWLqr39f9Ae
Pn0q2fVBKhJfpUODeEbYSYUp2hhmMUIJL/ths9MvyRZ9Z/bHCseFPT58Pgx6g+MP
q+iHnVZEIVb38XG+rTYW9hvctkRZP/azhpa7eO8JAZuFNeBGr4IGapwzFPvQSF4B
wBXBu0+PPrV9VJVe98P4nw2xcuJmkn6mgZhRVYSqDIhY64bSTgQxb/pdtGwrTjtL
WoUKVI+joLRPnDmwexH9+QJCB+uA6RsN/LqsQfDseyr40Z6dHJRqWGgP3ll6iZgw
WF768uiIDJD8d4fegVnkpcH98Hm0I/dKsMR1MGV/sBxYC8mAOcOWwSPNGDqPlwwR
eWPdr1O6CoYEWwiZMicSe0b5TsjB5nkAWMy7c9RyhtMJzCQ/hFpycpj0A0Zs+OGa
eJQMZZV0s8AQZ04JzoX0zRpe0RcTyJn3Tr6QGbVi9tr+QdKHFuDMUqoX
=qYZP
-----END PGP ARMORED FILE-----
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/card-util.c (factory_reset): Dummy PIN size is now 32-byte.
Connect the card again at the last step.
--
Before the change, a user has to quit the session to continue. Now,
it is possible to type RET in the session and see if it's really done.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--
WIN32_LEAN_AND_MEAN is required to avoid definitions of grp1, grp2,
and grp3 in dlgs.h, which is included by windows.h.
Fixes-commit: fd595c9d3642dba437fbe0f6e25d7aaaae095f94
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--
Sorry, I accidentally pushed the last commit without having amended it
with this fix.
Fixes-commit: fd595c9d3642dba437fbe0f6e25d7aaaae095f94
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/call-agent.h (agent_card_info_s): Add fields grp1, grp2 and
grp3.
* g10/call-agent.c (unhexify_fpr): Allow for space as delimiter.
(learn_status_cb): Parse KEYPARIINFO int the grpX fields.
* g10/card-util.c (print_keygrip): New.
(current_card_status): Print "grp:" records or with --with-keygrip a
human readable keygrip.
--
Suggested-by: Peter Lebbing <peter@digitalbrains.com>
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keydb.c (parse_keyblock_image): Use log_info instead of
log_error for skipped packets.
* g10/keyring.c (keyring_get_keyblock): Ditto.
--
log_info should be sufficient and makes this more robust. Some
tools (e.g. Enigmail) are too picky on return codes from gpg.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keygen.c (parse_key_parameter_part): Add arg clear_cert.
(parse_key_parameter_string): Add arg suggested_use and implement
fallback. Change callers to pass 0 for new arg.
(parse_algo_usage_expire): Pass the parsed USAGESTR to
parse_key_parameter_string so that it can use it in case a subkey is
to be created.
--
The problem here was that future-default gives the primary and subkey
algorithm. However, when using future-default for adding a key, the
second part was always used which is for encryption. If the caller
now wanted to create a signing subkey using the future-default
parameters this did not worked.
gpg --batch --passphrase "" --quick-add-key FPR future-default encr
aready worked as did
gpg --batch --passphrase "" --quick-add-key FPR ed25519 sign
but
gpg --batch --passphrase "" --quick-add-key FPR future-default sign
does only work with this fix.
GnuPG-bug-id: 3747
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/mainproc.c (proc_pubkey_enc): Use dedicated error code for
list-only and put the key into PKENC_LIST.
(print_pkenc_list): Take care of the new error code.
--
If the secret keys exist in --list-only mode it was not printed in
--list-only mode.
GnuPG-bug-id: 3718
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keygen.c (parse_key_parameter_string): Allow "futuredefault" and
use case-insensitive matching
(quick_generate_keypair): Ditto.
(parse_algo_usage_expire): Ditto.
--
The man page is sometimes rendered in a way that the hyphen may be
not be considered as part of the string. And while at it we also
allow case-insensitivity.
GnuPG-bug-id: 3655
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/filter.h (cipher_filter_context_t): Remove unused filed
'create_mdc'. Turn field 'header' into a bit field. Add new fields
'short_blklen_warn' and 'short_blklen_count'.
* g10/cipher.c (write_header): Print a warning if MDC is not used.
(cipher_filter): Print a warning for long messages encrypted with a
short block length algorithm.
--
Note that to test this warning in a reliable way compression needs to
be disabled.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/pkclist.c (default_recipient): Use hexfingerprint.
--
Note that on malloc failure this function now returns NULL instead of
terminating the process. However, under memory pressure any function
called latter will very likely fail as well.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/getkey.c (get_pubkeys): Do not use xmalloc.
--
We eventually need to get rid of all xmallocs so that gpg won't fail
easily when we make more use of the s server mode.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keygen.c (keygen_set_std_prefs): when producing default internal
personal-digest-preferences, keep the same order. When publishing
external preferences, state preference for SHA512 first.
--
SHA-512 has a wider security margin than SHA-256. It is also slightly
faster on most of the architectures on which GnuPG runs today. New
keys should publish defaults that indicate we prefer the stronger,
more performant digest.
Specifically, this changes --default-preference-list from:
SHA256 SHA384 SHA512 SHA224
to:
SHA512 SHA384 SHA256 SHA224
This patch deliberately avoids touching --personal-digest-preferences
(which itself would affect the default of --digest-algo and
--cert-digest-algo), so that public-facing cleartext signatures and
identity certifications will continue to be made with SHA256 by
default.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* g10/trustdb.c (sanitize_regexp): Only escape operators.
--
Backport from master commit:
ccf3ba92087e79abdeaa0208795829b431c6f201
To sanitize a regular expression, quoting by backslash should be only
done for defined characters. POSIX defines 12 characters including
dot and backslash.
Quoting other characters is wrong, in two ways; It may build an
operator like: \b, \s, \w when using GNU library. Case ignored match
doesn't work, because quoting lower letter means literally and no
much to upper letter.
GnuPG-bug-id: 2923
Co-authored-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/parse-packet.c (parse_plaintext): Fill up the allocated NAME.
--
This actually does not harm because we merely display a buffer
allocated by ourselves. However, we better tell Valgrind about it so
that we don't need to track this thing down ever again.
Test using a corrupted literal data packet:
echo cb 0a 75 ff 59 ae 90 d5 74 65 73 74 | \
undump |\
valgrind gpg --list-packets >/dev/null
Reported-by: Sebastian Schinzel
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/cpr.c (do_get_from_fd): Free the old buffer.
--
If the received input is longer than 200 characters we used to leak
the previous allocated buffer.
GnuPG-bug-id: 3528
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/card-util.c (factory_reset): Simplify.
--
In this summer, I got report about old code before this change didn't
work with newer Yubikey. I got another report test version of OpenPGP
card V3.3 implementation didn't work, either. Then, I confirmed that
according to the OpenPGP card specification, the procedure of old code
is not expected by its author.
This change simplify "factory-reset" as simple.
Only versions of Gnuk 1.2.2, 1.2.3, 1.2.4, won't work with this
change. That's because the factory-reset feature of Gnuk was
introduced by reading the implementation of GnuPG, instead of reading
the specification. Gnuk 1.2.5 and later works well. All OpenPGPcard
implementations I have work well (2.0, 2.1, 2.2, test version of 3).
GnuPG-bug-id: 3286
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit d63b7966cdd72548c60466c620de5cd6104a779e)
* g10/card-util.c (ask_card_keyattr): Handle special value 25519.
(do_change_keyattr): Allow changing to cv25519/ed25519.
(generate_card_keys): Ditto.
(card_generate_subkey): Ditto.
--
This is kludge to make it easier for gnuk to be switched into ECC
mode. This is basically the same change as
commit ea09b6cded9d31a8ebd91878553c3eaa2b76e817
but without the string change in show_keysize_warning.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/card-util.c (ask_card_rsa_keysize): Rename to ask_card_keyattr.
(do_change_rsa_keysize): Rename to do_change_keyattr.
--
We want to support other algos than RSA and thus we need a better name
for the functions.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f795f4529d8ab5a05db1cc1960abd34390bfae1b)
* g10/key-check.c (print_info): New.
(key_check_all_keysigs): Print sig checking results only in debug
mode. Prettify the stats info and suppress them in quiet mode.
--
This also makes usable stats by prefixing them with the key and the
program name.
GnuPG-bug-id: 3397
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keyedit.c (KEYEDIT_NEED_SUBSK): New.
(cmds): Add this flag to keytocard, bkuptocard, expire, and passwd.
(keyedit_menu): Check whether only subkeys are available and take care
of that in the command check and in the HELP listing. Also print a
different notice if only subkeys are available.
--
Print "Secret key is available" and the bailing out in all commands
which require the _primary_ secret key was surprising. Now we print
another notice and adjust the checks.
GnuPG-bug-id: 3463
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keyedit.c (KEYEDIT_NOT_SK, KEYEDIT_ONLY_SK): Remove.
(cmds): Remove them.
--
These flags were cruft from the time we had to switch between secret
and public key view.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keygen.c (generate_subkeypair): Ignore error code issued for
trying to verify a card based key.
--
We try to verify the primary key and thus seed the passphrase cache
before generating the subkey. However, the verification does not yet
work for on-card keys and thus the PASSWD --verify send to the agent
returns an error. This patch detects this error and continues without
a seeded passphrase cache. After all that pre-seeding is just a
convenience.
GnuPG-bug-id: 3280
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/import.c (import_one): Pass FROM_SK to list_keyblock_direct.
--
Note that this will likely add the suffix '#' top "sec" because the
secret key has not yet (or will not be) imported. If the secret key
already exists locally another suffix might be printed. The upshot is
that the suffix has no usefulness.
GnuPG-bug-id: 3431
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/import.c (import_secret_one): Check for dry-run before
transferring keys.
--
The use of --dry-run or --import-option show-only had no effect when
importing a secret key and the public key already existed. If the
public key did not exist an error message inhibited the import of the
secret key.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/pkclist.c (find_and_check_key): Call get_validity on a specific
keyblock.
--
When we have multiple keyrings, get_validity after
get_best_pubkey_byname should access same keyring. Or else, the
situation of an expired key in keyring A but valid key in keyring B
causes SEGV.
Thanks to Guido Günther for the use case and the log.
Debian-bug-id: 878812
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/keydb.c (keydb_handle): New field 'keep_lock'.
(keydb_release): Clear that flag.
(keydb_lock): New function.
(unlock_all): Skip if KEEP_LOCK is set.
* g10/getkey.c (get_keyblock_byfprint_fast): Call keep_lock if
requested.
--
That change is straightforward. It helps to avoid the race condition
that another gpg process inserts a key while the first process is
between the search and the insert.
A similar change is due for gpgsm.
Note that the key edit operations may still suffer from a race.
GnuPG-bug-id: 3446
* g10/getkey.c (get_pubkey_byfprint_fast): Factor most code out to ...
(get_keyblock_byfprint_fast): .. new function.
* g10/import.c (revocation_present): s/int rc/gpg_error_t err/.
(import_one): Use get_keyblock_byfprint_fast to get the keyblock and a
handle. Remove the now surplus keyblock fetch in the merge branch.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/import.c (import_keys_internal): Return gpg_error_t instead of
int. Change var names.
(import_keys_es_stream): Ditto.
(import_one): Ditto. Use a single keydb_new and simplify the use of
of keydb_release.
--
Note that this opens a keydb handle before we call
get_pubkey_byfprint_fast which internally uses another key db handle.
A further patch will cleanup this double use. Note that we also
disable the keydb caching for the insert case.
The s/int/gpg_error_t/ has been done while checking the call chains of
the import functions and making sure that gpg_err_code is always used.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/trust.c (register_trusted_key): Cut off everthing starting as a
hash sign.
--
This problem is fallout from
commit f99830b72812395da5451152bdd2f2d90a7cb7fb
which fixes
GnuPG-bug-id: 1206
The same could happen with other options taking keyids but we won't
change that because a trailing '#' does not indicate a comment. So
this is really only a workaround and eventually we will
deprecate --trusted-key anyway or require a fingerprint as a value.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpgv.c (main): Call gnupg_initialize_compliance.
--
The compliance checker needs to be initialize so that it won't let
spit out a "not suitable" message. We use the module name of gpg.
Because there is no option to change the compliance mode in gpgv we
will always be in the default (CO_GNUPG) mode. It also does not make
much sense to have it here because gpgv expects a "curated" keyring.
GnuPG-bug-id: 3404
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keygen.c (proc_parameter_file): Don't check the result of
stpcpy.
--
Fixes-commit: 7089dcc54099a4909ce7d386c07ab87e1398e2eb
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keygen.c (proc_parameter_file): Special case the email only
case.
--
Using a parameter file like
%ask-passphrase
key-type: RSA
key-length: 2048
key-usage: sign
subkey-type: RSA
subkey-length: 2048
subkey-usage: encrypt
name-email: foo@example.org
with "gpg --gen-key --patch" the result was this key
pub rsa2048 2017-09-11 [SC]
63A8C1BA12CC289A0E8072C971C7F8D4A18CE0BE
uid [ultimate] <foo@example.org>
sub rsa2048 2017-09-11 [E]
At least the the extra leading space the left angle bracket is wrong.
Further some mail providers reject keys which consist of more than
just a plain mail address. Using just a mail address is anyway the
new new suggested content for a user id. With this patch the key
will be
pub rsa2048 2017-09-11 [SC]
B302343C20EA6DECDB6A155135352F2520397080
uid [ultimate] foo@example.org
sub rsa2048 2017-09-11 [E]
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/sig-check.c (check_signature_over_key_or_uid): Remove useless
condition. Actually free when SIGNER was allocated by us.
--
SIGNER_ALLOCATED never received a value of -1 but that was tested.
IF SIGNER_ALLOCATED was 2 the memory was never freed:
if (signer_allocated == 1)
if (signer_allocated == 2)
free()
Fixes-commit: 44cdb9d73f1a0b7d2c8483a119b9c4d6caabc1ec
This function needs to be audited more thoroughly.
Signed-off-by: Werner Koch <wk@gnupg.org>