1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

9280 Commits

Author SHA1 Message Date
Damien Goutte-Gattat via Gnupg-devel
86f446fd44
gpg: Fix showpref to list AEAD feature.
* g10/keyedit.c (show_prefs): Show 'AEAD' if flags.aead is set.
--

The terse 'pref' command in the key editor correctly shows '[aead]'
if the uid->flags.aead is set, but the more verbose 'showpref'
command does not, due to an inverted condition check.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2021-04-19 13:18:38 +02:00
Werner Koch
8576c34750
doc: Fix an example in README.ldap
--
2021-04-19 13:01:37 +02:00
Werner Koch
d13c5bc244
gpg,gpgsm: Move use-keyboxd to the new conf file common.conf
* common/comopt.c, common/comopt.h: New.
* common/Makefile.am: Add them.
* g10/gpg.c: Include comopt.h.
(main): Also parse common.conf.
* sm/gpgsm.c: Include comopt.h.
(main): Set a flag for the --no-logfile option.  Parse common.conf.

* tools/gpgconf-comp.c (known_options_gpg): Remove "use-keyboxd", add
pseudo option "use_keyboxd".
(known_pseudo_options_gpg): Add pseudo option "use_keyboxd".
(known_options_gpgsm): Remove "use-keyboxd".

* tests/openpgp/defs.scm (create-gpghome): Create common.conf.

* doc/examples/common.conf: New.
--

Note that --use-keybox still works but prints a warning.  We will
eventually remove this option becuase it was marked as an experimental
feature anyway.

It would be too confusing if gpg and gpgsm use different key storages.
Further, other components (e.g. dirmngr or gpg-wks-client) which call
gpg or gpgsm need to be aware that the keyboxd is used and pass that
option on the command line.  Now that common.conf is always read (even
if --no-options is used) those tools will work instantly.
2021-04-19 11:33:19 +02:00
Werner Koch
d7e707170f
gpg: Lookup a missing public key of the current card via LDAP.
* g10/getkey.c (get_seckey_default_or_card): Lookup a missing public
key from the current card via LDAP.
* g10/call-dirmngr.c: Include keyserver-intetnal.h.
(gpg_dirmngr_ks_get): Rename arg quick into flags.  Take care of the
new LDAP flag.
* g10/keyserver-internal.h (KEYSERVER_IMPORT_FLAG_QUICK): New.
Replace the use of the value 1 for the former quick arg.
(KEYSERVER_IMPORT_FLAG_LDAP): New.
* g10/keyserver.c (keyserver_get_chunk): Increase the reserved line
length.
* dirmngr/ks-action.c (ks_action_get): Add arg ldap_only.
* dirmngr/server.c (cmd_ks_get): Add option --ldap.
--

This change makes it easy to start working with gnupg: Just insert the
smartcard or token provided to you and the first time you sign a
message the public key associated with the current card will be
imported and everything is set without any configuration.

This works only with an LDAP directory because it can be expected that
the public key has been put into the LDAP during card personalization.
Of course an LDAP server needs to be configured; in a Windows AD
domain this can be a mere "keyserver ldap:///" in dirmngr.conf.  Other
configured keyservers are ignored.

Requirements for the card driver: The $SIGNKEYID attribute must exists
and a query for the KEY-FPR attribute needs to return the OpenPGP
fingerprint for that key.  This is currently supported for OpenPGP
cards and certain PKCS#15 cards.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-16 20:21:23 +02:00
Werner Koch
30f90fc857
scd:p15: Support attribute KEY-FPR.
* scd/app-p15.c: Include openpgpdefs.h.
(struct prkdf_object_s): Add fields have_keytime and ecdh_kdf.
(read_p15_info): Set ecdh_kdf.
(keygrip_from_prkdf): Flag that we have the keytime.
(send_keypairinfo): Send the key time only if valid.
(send_key_fpr_line): New.
(send_key_fpr): New.
(do_getattr): Add KEY-FPR.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-16 12:49:37 +02:00
Werner Koch
2f2bdd9c08
common: New module to compute openpgp fingerprints
* common/openpgp-fpr.c: New.
* common/Makefile.am (common_sources): Add it.
--

This function is targeted to handle keys on smartcards.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-16 12:49:37 +02:00
Denis
283ccbc824 po: Update Italian Translation.
--

GnuPG-bug-id: 5390
2021-04-15 10:12:00 +09:00
Werner Koch
6c26e593df
gpg: Do not use self-sigs-only for LDAP keyserver imports.
* dirmngr/ks-engine-ldap.c (ks_ldap_get): Print a SOURCE status.
* g10/options.h (opts): New field expl_import_self_sigs_only.
* g10/import.c (parse_import_options): Set it.
* g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP.
--

I can be assumed that configured LDAP servers are somehow curated and
not affected by rogue key signatures as the HKP servers are.  Thus we
can allow the import of key signature from LDAP keyservers by default.

GnuPG-bug-id: 5387
2021-04-13 14:33:50 +02:00
Jakub Jelen
a16f726f94 common: Fix memory leaks.
* common/name-value.c (do_nvc_parse): Free NAME.
* common/recsel.c (recsel_parse_expr): Release SE_HEAD and EXPR_BUFFER.

--

GnuPG-bug-id: 5393
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-04-13 14:57:51 +09:00
Jakub Jelen
51bbd99a3c kbx: Fix memory leak.
* kbx/keybox-update.c (blob_filecopy): Goto leave instead of return.

--

GnuPG-bug-id: 5393
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-04-13 14:35:04 +09:00
Jakub Jelen
4c8be54cc4 tools: Fix memory leaks.
* tools/gpgsplit.c (write_part): Free BLOB on error.

--

GnuPG-bug-id: 5393
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-04-13 14:26:15 +09:00
Jakub Jelen
7cbe29c4fb scd: Fix memory leaks.
* scd/apdu.c (apdu_dev_list_start): Free DL.
* scd/app-nks.c (pubkey_from_pk_file): Fix typo in condition.

--

GnuPG-bug-id: 5393
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-04-13 14:21:29 +09:00
Jakub Jelen
cd66b2eb0d agent,kbx: Add LIBASSUAN_CLFAGS.
* agent/Makefile.am (gpg_preset_passphrase_CFLAGS, t_protect_CFLAGS):
Add LIBASSUAN_CFLAGS.
* kbx/Makefile.am (libkeybox_a_CFLAGS, libkeybox509_a_CFLAGS):
Likewise.

--

GnuPG-bug-id: 5389
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2021-04-13 13:54:14 +09:00
Werner Koch
d984de172c
gpg: Minor restructuring of a function.
--

This is for easier reading and future changing.
2021-04-12 17:50:17 +02:00
Werner Koch
ecb9265b8d
scd:p15: Match private keys with certificates also by labels.
* scd/app-p15.c (cdf_object_from_label): New.
(cdf_object_from_certid): Fallback to label matching.
(read_p15_info): Ditto.
(keygrip_from_prkdf): Ditto.  Replace duplicated code by a call to
cdf_object_from_objid.
--

In case there is no certificate for a private key we now also try to
find a certificate using a matching label.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-12 11:41:00 +02:00
NIIBE Yutaka
304c2e0202 doc: Register DCO for Jakub Jelen.
--
2021-04-12 12:54:45 +09:00
Werner Koch
51395dbebd
build: Change version tag also in getswdb.sh
--
2021-04-09 18:51:43 +02:00
Werner Koch
63320ba2f8
scd:nks: Handle APP_READKEY_FLAG_INFO.
* scd/app-nks.c (keygripstr_from_pk_file): Fix ignored error.
(get_nks_tag): New.
(do_learn_status_core): Use it.  Make sure not to mange the
KEYPAIRINFO line if no usage is known.
(do_readkey): Output the KEYPAIRINFO for the keygrip case.
--

Note that this only handles the most common case of providing a
keygrip.  $AUTHKEYID and ODLM are not yet supported.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-08 19:30:51 +02:00
Werner Koch
22fd48e48d
scd: Fix duplicate output of KEYPAIRINFO by readkey command.
* scd/app-help.c (app_help_get_keygrip_string_pk): Make HEXKEYGRIP
parm optional.
* scd/command.c (do_readkey): Remove duplicate output of keypairinfo
lines.
--

Note that this change needs a fix in app-p15 which does not yet handle
the APP_READKEY_FLAG_INFO.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-08 19:27:25 +02:00
NIIBE Yutaka
36355394d8 gpg: Ed448 and X448 are only for v5.
* g10/keygen.c (parse_key_parameter_part): Generate with version 5
packet, when it's Ed448 or X448.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-04-08 16:49:20 +09:00
NIIBE Yutaka
ab66c43575 scd: Fix CCID driver for SCM SPR332/SPR532.
* scd/ccid-driver.c (ccid_vendor_specific_pinpad_setup): New.
(ccid_vendor_specific_setup): Only send CLEAR_HALT.
(ccid_transceive_secure): Each time, use send_escape_cmd.

--

GnuPG-bug-id: 5297
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-04-08 13:41:28 +09:00
NIIBE Yutaka
d82dae5d22 common: Fix gnupg_wait_processes, by skipping invalid PID.
* common/exechelp-posix.c (gnupg_wait_processes): Skip invalid PID.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-04-08 11:26:58 +09:00
NIIBE Yutaka
ac1e159397 po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-04-08 10:23:47 +09:00
Werner Koch
f88d6a5279
Post release updates
--
2021-04-07 20:46:21 +02:00
Werner Koch
c922a798a3
Release GnuPG 2.3.0 gnupg-2.3.0 2021-04-07 19:04:46 +02:00
Werner Koch
e0eefba56c
doc: Add some error locations to DETAILS.
--

This should actually be enhanced to describe all error locations as
known by GPGME.
2021-04-06 09:54:52 +02:00
Werner Koch
a78475fbb7
gpgconf: Return a new pseudo option compliance_de_vs.
* tools/gpgconf-comp.c (known_pseudo_options_gpg): Add
"compliance_de_vs".
* g10/gpg.c (gpgconf_list): Returh that pseudo option.
--

Of course this will always return false for this version of gnupg.
But as soon as this version has been approved we have everything ready
for a runtime check.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 13:11:16 +02:00
Werner Koch
1d1ec1146c
common: Make the compliance check more robust.
* common/compliance.c (get_compliance_cache): New.
(gnupg_rng_is_compliant): Use per mode cache.
(gnupg_gcrypt_is_compliant): Ditto.
--

This addresses the problem tha the check might be called with
different compliance values and thus it should return the
corresponding cached result.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 13:08:15 +02:00
Werner Koch
c727951a24
card: New flag --reread for LIST.
* tools/gpg-card.c (cmd_list): Add flag --reread.
* tools/card-call-scd.c (scd_learn): New arg reread.

* tools/card-call-scd.c (release_card_info): Fix releasing of the new
label var.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 10:34:06 +02:00
Werner Koch
ff87f4e578
scd: New flag --reread for LEARN
* scd/command.c (cmd_learn): Add flag --reread.
* scd/app-common.h (struct app_ctx_s): New field need_reset.
* scd/app.c (write_learn_status_core): Set need_reset if we notice an
error after returning from a reread.  Change all callers of card
functions to return GPG_ERR_CARD_RESET so that that app is not anymore
used.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 10:31:52 +02:00
Werner Koch
e17d3f8660
scd:p15: New flag APP_LEARN_FLAG_REREAD.
* scd/app-p15.c (do_deinit): Factor code out to ...
(release_lists, release_tokeninfo): new.
(read_ef_tokeninfo): Reset all data before reading.
(read_p15_info): Ditto.
(do_learn_status): Implement reread flag.
--

Objects of a card may be protected by a PIN and thus only readble
after a verify command.  This new flag makes it possible to gather the
entire PKCS#15 card info again without a need for a reset (and thus
loss of the verify status).

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 10:28:07 +02:00
Werner Koch
1c16878efd
scd: Replace all assert macros by the log_assert macro.
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-31 19:16:05 +02:00
Werner Koch
6ca5407151
build: Require automake 1.16.3
* configure.ac (min_automake_version): Bump to 1.16.3
--

This version has the now needed support for

 - new variable AM_DISTCHECK_DVI_TARGET, to allow overriding the
   "make dvi" that is done as part of distcheck.
2021-03-31 09:18:12 +02:00
NIIBE Yutaka
8d6152a4cf build: Update gpg-error.m4.
* m4/gpg-error.m4: Update from libgpg-error.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-31 10:37:06 +09:00
Werner Koch
0d6f276f61
card: Print the key's label if available.
* tools/gpg-card.h (struct key_info_s): Add field 'label'.
* tools/card-call-scd.c (learn_status_cb): Parse KEY-LABEL.
(scd_learn): Always request KEY-LABEL.
* tools/gpg-card.c (nullnone): New.
(list_one_kinfo, list_card): Use it.  Print the label.
--

PKCS#15 defines label which help to understand for what a key is
intended.  Print them.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 17:28:45 +02:00
Werner Koch
7f91263632
scd:p15: Return labels for keys and certificates.
* scd/app-p15.c (send_certinfo): Extend certinfo.
(do_getattr): Support KEY-LABEL.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 17:25:24 +02:00
Werner Koch
651c07a730
scd:p15: For CardOS make use of ISO7816_VERIFY_NOT_NEEDED.
* scd/app-p15.c (verify_pin): Take care of verify status.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 11:43:45 +02:00
Werner Koch
de4d3c99aa
scd:p15: Return the creation time of the keys.
* scd/app-p15.c (struct prkdf_object_s): Add keytime and keyalgostr.
(keygrip_from_prkdf): Set them.
(send_keypairinfo): Extend KEYPAIRINFO.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-30 10:27:20 +02:00
NIIBE Yutaka
d1bac0a3be build: Fix for make distcheck, no EPS support.
* Makefile.am (AM_DISTCHECK_DVI_TARGET): Specify 'pdf'.
* doc/Makefile.am (EXTRA_DIST, BUILT_SOURCES): Remove EPS files.
(gnupg.dvi): Remove.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-03-30 12:38:50 +09:00
Werner Koch
592f480117
scd:p15: Make RSA with SHA512 work with CardOS.
* scd/app-p15.c (do_sign): Rewrite.
--

This basically works now but for my test card I need to pass
--cert-digest-algo-512 manually.  Need to check this again and
automate it.  It will also be useful to take the NotBefore timestamp
from the dummy X.509 certificate and use that for the PGP key creation
time.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 20:36:01 +02:00
Werner Koch
2d2391dfc2
agent: Skip unknown unknown ssh curves seen on cards.
* agent/command-ssh.c (ssh_handler_request_identities): Skip unknown
curves.
--

For example when using my standard ed25519 token and testing cards
with only Brainpool support, the ssh-agent failed due to the unknown
curves seen on the card.  This patches fixes this by ignoring keys
with unknown curves.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 15:39:32 +02:00
Werner Koch
a494b29af9
scd:p15: Support ECDSA and ECDH for CardOS.
* scd/iso7816.c (iso7816_pso_csv): New.
* scd/app-help.c (app_help_pubkey_from_cert): Uncompress a point if
needed.

* scd/app-p15.c (CARD_PRODUCT_RSCS): New.
(struct prkdf_object_s): Add fields is_ecc, token_label, and
tokenflags.
(do_deinit): Free new fields.
(cardproduct2str): New.
(read_ef_prkdf): Set new is_ecc flag.
(read_ef_tokeninfo): Store some data and move Tokeninfo diags to ...
(read_p15_info): here.  set the product info here after all data has
been gathered.
(send_keypairinfo): Chnage the way the gpgusage flags are used.
(make_pin_prompt): If the token has a label and the current cert has
no CN, show the label as holder info.
(do_sign): Support ECDSA.  Take care of the gpgusage flags.
(do_decipher): Support ECDH.  Take care of the gpgusage flags.
--

This has been tested with Trusted Object Manager generated cards by
Rohde & Schwarz Cybersecurity.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-29 14:49:08 +02:00
Werner Koch
f129b0e977
gpg: Allow ECDH with a smartcard returning just the x-ccordinate.
* g10/ecdh.c (extract_secret_x): Add extra safety check. Allow for
x-only coordinate.
2021-03-29 14:36:52 +02:00
Werner Koch
18d884f841
gpgconf: Do not i18n an empty string to the PO files meta data.
* tools/gpgconf-comp.c (my_dgettext): Ignore empty strings.
--

GnuPG-bug-id: 5363
2021-03-28 10:38:42 +02:00
Werner Koch
a5e72b663b
tests: Make sure the built keyboxd is used by the tests.
* tests/openpgp/defs.scm (tool): Add keyboxd.
* tests/openpgp/setup.scm: Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 17:06:44 +01:00
Werner Koch
057131159b
gpgconf: Fix another argv overflow if --homedir is used.
* tools/gpgconf-comp.c (gc_component_check_options): Increase array.
--

I missed to fix that one with the last patch.

Note that there was no problem in 2.2 at thismlocation - probably
because it had been manually backported once.

GnuPG-bug-id: 5366
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 16:51:35 +01:00
Werner Koch
d3d57a1bc8
gpgconf: Fix argv overflow if --homedir is used.
* tools/gpgconf-comp.c (gc_component_launch): Fix crasg due to too
small array.
(gpg_agent_runtime_change): Fix error message.
(scdaemon_runtime_change): Ditto.
(tpm2daemon_runtime_change): Ditto.
(dirmngr_runtime_change): Ditto.
(keyboxd_runtime_change): Ditto.
--

GnuPG-bug-id: 5366
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 14:44:17 +01:00
Werner Koch
6de1ec3ba5
agent: Add debug output for failed RSA signature verification
* agent/pksign.c (agent_pksign_do): Support ECC and DSA verification
and print some debug info in the error case.
--

Note that the addition of do_encode_dsa has no immediate effect
because we use the code only for RSA.  However, for debugging it can
be useful to change the code to check also other created signatures.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 14:30:58 +01:00
Werner Koch
935765b451
common: New function to uncompress an ECC public key.
* common/sexputil.c (ec2os): New.
(uncompress_ecc_q_in_canon_sexp): New.

* common/t-sexputil.c (fail2): new.
(test_ecc_uncompress): New.
(main): Run new test.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 14:30:58 +01:00
Werner Koch
6a80d6f920
indent: Modernize mem2str.
--
2021-03-26 14:30:58 +01:00