* g10/plaintext.c (handle_plaintext): Disable estream buffering in
binary modes.
--
Since in binary mode, large buffers are passed from source iobuf to
target estream, extra buffering in estream only causes extra memory
copying and overhead.
GnuPG-bug-id: T5828
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* common/iobuf.c (iobuf_copy): Use iobuf buffer size for temporary
buffers.
* g10/plaintext.c (handle_plaintext, do_hash): Likewise.
* g10/sign.c (sign_file): Likewise.
--
As iobuf will have zerocopy operation for read/write, it is better to
use same size buffers as iobuf for temporary copy buffers.
GnuPG-bug-id: T5828
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* tools/gpgtar.c: Replace assert by log_assert.
* tools/gpgtar-extract.c: Ditto.
(extract_regular): Create files with sysopen flag.
* tools/gpgtar-create.c (scan_directory): Use gpgrt_fname_to_wchar.
--
Note that for this change libgpg-error 1.45 is required for Windows.
* scd/app.c (app_auth): It's only APPTYPE_OPENPGP which supports
the challenge response interaction.
* scd/command.c (cmd_pkauth): It only wants if it works or not.
--
GnuPG-bug-id: 5862
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/sign.c (sign_file): Use iobuf_read instead of iobuf_get for
reading data from detached file.
--
This patch reduces iobuf_read per byte processing overhead and speeds
up detached signing.
Detached signing speed on AMD Ryzen 5800X (4.3GiB file, SHA256):
gpg process
user time
before: 3.951s
after: 1.898s (2.0x faster)
GnuPG-bug-id: T5826
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* g10/plaintext.c (do_hash): Use iobuf_read instead of iobuf_get for
reading data; Use gcry_md_write instead of gcry_md_putc for hash data.
--
This patch reduces iobuf_read per byte processing overhead and speeds
up detached signature verifying.
Detached verifying speed on AMD Ryzen 5800X (4.3GiB file, SHA256):
gpg process
user time
before: 9.410s
after: 1.913s (4.9x faster)
GnuPG-bug-id: T5826
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* agent/call-daemon.c (wait_child_thread): Print the correct name.
--
This makes sure that the log print the actual used name if for example
--pinentry-program was used.
* agent/trustlist.c (struct trustitem_s): Add flag "qual".
(read_one_trustfile): Rename arg "allow_include" to "systrust" and
change callers. Parse new flag "qual".
(istrusted_internal): Print all flags.
* sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag.
* sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified".
* sm/certchain.c (do_validate_chain): Take care of the qualified flag.
* dirmngr/validate.c (pk_algo_from_sexp): Make public. Support ECC.
* dirmngr/ocsp.c (check_signature): Remove hash preparation out to ...
(check_signature_core): here. This changes the arg s_hash to md.
Support ECDSA.
--
The test was done with my qualified signature certificate from the
Telesec and their responder http://tqrca1.ocsp.telesec.de/ocspr .
See also libksba commit rK24992a4a7a61d93759e1dbd104b845903d4589bf
* g10/mainproc.c (proc_tree): Call ask_for_detached_datafile
with MD2=NULL.
--
Here, c->mfx.md2 is always NULL, in fact. But, text-wise
(when searching the use of "mfx.md2"), before the change, it used
mfx.md2, which is irrelevant in the handling of PKT_ONEPASS_SIG.
Note that: One-Pass Signature is not available in PGP2.
This fix removes (text-wise) unmatch of the calls of functions
hash_datafile_by_fd hash_datafiles, and ask_for_detached_datafile.
Fixes-commit: 88a916cdd40e43312ffcde6bb1c157fe1c122f74
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/mainproc.c (mainproc_context): New member
'seen_pkt_encrypted_mdc'.
(release_list): Clear 'seen_pkt_encrypted_mdc'.
(proc_encrypted): Set 'seen_pkt_encrypted_mdc'.
(have_seen_pkt_encrypted_aead): Rename to...
(have_seen_pkt_encrypted_aead_or_mdc): ...this and add check for
'seen_pkt_encrypted_mdc'.
(proc_plaintext): Do not enable extra hash contexts when decrypting
MDC input.
--
Avoiding extra hash contexts speeds up CFB/MDC decryption quite
a lot. For example, decrypting symmetric-key AES-256 encrypted
4 GiB file from RAM to /dev/null sees ~3.4x speed increase on
AMD Ryzen 5800X:
AES256.CFB encryption: 783 MB/s
AES256.CFB decryption: 386 MB/s (before)
AES256.CFB encryption: 1.3 GB/s (after patch)
Note, AEAD is still significantly faster:
AES256.OCB encryption: 2.2 GB/s
AES256.OCB decryption: 3.0 GB/s
GnuPG-bug-id: T5820
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
* g10/cipher-aead.c (do_flush): Use PRIu64.
* g10/decrypt-data.c (aead_underflow): Likewise.
--
Even among LP64 data model machines, uint64_t type may differ;
unsigned long or unsigned long long.
Only portable way is use of PRIu64.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/dirmngr.c (dirmngr_never_use_tor_p): New.
* dirmngr/server.c (ensure_keyserver): Don't even test for the Tor
proxy in never-use-tor Mode.
* tools/gpgtar-create.c: Include unistd.h to avoid a warning on
Windows.
--
This delay of 2 or 3 seconds is in particular annoying on Windows.
This is now suppressed, as it should be, if --no-use-tor is used.
The second patch is unrelated
* agent/command-ssh.c (sexp_key_construct): Do not put an empty string
into an S-expression.
(stream_read_string): Do not not try to a read a zero length block.
--
Actually we could handles this different by not putting a comment tag
into the s-expression, however this requires more code and at other
places we already return "(none)" instead of an empty comment.
The second fix is more or less a cosmetic thing to get better error
messages in case the underlying read system call returns an error.
GnuPG-bug-id: 5794
* g10/filter.h (armor_filter_context_t): New fields dearmor_mode and
dearmor_state.
* g10/dearmor.c (dearmor_file): Set dearmor_mode.
* g10/armor.c (is_armor_header): Magic to switch to generic dearmor
mode.
(parse_header_line): Treat non OpenPGP armor in a special way.
(check_input): Ditto.
(radix64_read): Detect non OpenPGP armor END lines.
* sm/gpgsm.c (oKeyServer_deprecated): New.
(opts): Assign "ldapserver" to the new option and mark it as obsolete.
--
We want to use "ldapserver" in dirmngr but need to keep using
"keyserver" in gpgsm for existant versions of Kleopatra etc.
GnuPG-bug-id: 5801
* tools/gpgconf-comp.c (retrieve_options_from_program): Ignore to to
ignored options. Add failsafe code to avoid calling percent_escape
with NULL.
--
Remember: When using ARGPARSE_FLAG_WITHATTR the ARGPARSE_OPT_IGNORE
flags in the returned type needs to be considered.
GnuPG-bug-id: 5800
* dirmngr/dirmngr.c: Reorder two option groups.
* tools/gpgconf-comp.c (known_options_gpgsm): Rename "keyserver" to
"ldapserver" and set level to invisible.
(known_options_dirmngr): Add "ldapserver" at the basic level.
* sm/gpgsm.c (opts): No more help text for "ldapserver".
--
GnuPG-bug-id: 5800
--
The current code uses the binary ctrl->keygrip, but all the passphrase
storage engines expect this to be a string, so convert the binary
keygrip to a hex one before passing it in as the keyid. This fixes a
crash seen in some libsecret implementations where a non-ascii keyid
isn't well handled.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
* g10/call-agent.c (learn_status_cb): Parse APPVERSION.
* g10/call-agent.h (struct agent_card_info_s): Add field appversion.
* g10/card-util.c (print_a_version): New.
(current_card_status): Print version from appversion.
--
This is a regression due to the PIV support. Note that the newer
gpg-card worked correctly.
GnuPG-bug-id: 5787
* g10/keygen.c (generate_subkeypair): On error, write error and
"key not created" message to status interface.
--
This change allows users of the status/command interface to detect
errors when adding a subkey to a key. Similar status messages are
output by do_generate_keypair.
GnuPG-bug-id: 5771
* g10/keygen.c (ask_algo): Request keygrip via cpr_get.
* doc/help.txt (gpg.keygen.keygrip): New help text.
--
This change makes it possible to add an existing (sub)key to
another key via the status/command interface.
GnuPG-bug-id: 5771
* dirmngr/server.c (make_keyserver_item): Change mapping.
--
It turned out that having the old surfnet keyserver for unencrypted
connections is problematic because that server does not sync with the
Ubuntu server.
GnuPG-bug-id: 5751
* tools/gpgtar.h (TF_EXTHDR, TF_GEXTHDR): New.
* tools/gpgtar-list.c (parse_header): Set the new type flags.
(parse_extended_header): New.
(read_header): Add arg r_extheader and parse extended header.
(print_header): Consult the extended header.
(gpgtar_list): Pass an extended header object.
(gpgtar_read_header): Ditto.
(gpgtar_print_header): Ditto.
* tools/gpgtar-extract.c (extract): New arg exthdr and factor name
checking out to ...
(check_suspicious_name): new.
(extract_regular): Add arg exthdr and consult it.
(extract_directory): Likewise.
(gpgtar_extract): Provide extheader object.
--
GnuPG-bug-id: 5754
* tools/gpgtar-create.c (global_header_count): new.
(myreadlink): New.
(build_header): New arg r_exthdr. Detect and store long file and link
names. Factor checkum computation out to ...
(compute_checksum): new.
(add_extended_header_record): New.
(write_extended_header): New.
(write_file): Write extended header.
--
GnuPG-bug-id: 5754