* sm/decrypt.c (pwri_parse_pbkdf2): New.
(pwri_decrypt): New.
(prepare_decryption): Support pwri.
(gpgsm_decrypt): Test for PWRI. Move IS_DE_VS flag to DFPARM.
--
Note that this is not finished because we need to implement a password
callback. For now "abc" is used as passwort.
Latest libksba is also required to return the required info.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/command-ssh.c (ssh_handler_request_identities): Remove double
check of ERR.
* g10/getkey.c (get_pubkey_byname): Remove double use of break.
* g10/pkglue.c (pk_encrypt): Handle possible NULL-ptr access due to
failed malloc.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/apdu.c (open_pcsc_reader): PCSC.COUNT should
be incremented before possible call of close_pcsc_reader.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/apdu.c (pcsc_cancel): New.
(pcsc_init): Load new function.
(connect_pcsc_card): Use it after a removed card error.
--
Well, that was easier than I expected yesterday.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/apdu.c (close_pcsc_reader): Do not decrement refcount if already
zero. Always release context if or becomes zero.
(apdu_dev_list_start): Unlock prior to close_pcsc_reader. For PC/SC
increment the count. Always release the lock.
(apdu_dev_list_finish): No more unlocking. Use close_pcsc_reader
instead of code duplication.
* scd/apdu.c (pcsc_error_string): Add an error code.
* scd/scdaemon.c (scd_kick_the_loop): Fix a diagnostic.
--
There was an obvious bug in that the pcsc.count could go below zero
and thus there was no chance to get the context release. Releasing
and recreating the context is at least under Windows important to get
rit of the PCSC_E_SERVICE_STOPPED.
Also removes a potential problem in holding the reader_table_lock
between calls to apdu_dev_list_start apdu_dev_list_finish. There is
no need for this. Instead we bump the pcsc.count.
The reader_table_lock strategy should be reviewed; we may be able to
remove it.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keyserver.c (keyserver_import_name): Rename to ...
(keyserver_import_mbox): this. And use mail search mode.
* g10/getkey.c (get_pubkey_byname): Change the two callers.
--
In contrast to a search via keyserver_import_ntds the older
keyserver_import_name used a full match of the provided name despite
that it is only called with an addr-spec (mbox). Due to the mode the
pattern send to dirmngr was prefixed with a '=' and thus dirmngr used
an exact search;. This did only work for provided user ids like
"foo@example.org" but not for "<foo@example.org>" or
"Foo <foo@xample.org>". The old code dates back to 2010.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/options.h (opts): New field expl_import_only.
* g10/import.c (parse_import_options): Set it.
* g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP.
--
I can be assumed that configured LDAP servers are somehow curated and
not affected by rogue key signatures as the HKP servers are. Thus we
don't clean the key anymore so that key certifications are kept even
if the public key has not yet been imported.
See-commit: 6c26e593df
GnuPG-bug-id: 5387
* scd/app-p15.c (read_p15_info): Improve D-TRUST card detection.
(do_getattr): Fix faulty code for the last commit. Append the product
name to MANUFACTURER.
Signed-off-by: Werner Koch <wk@gnupg.org>
* scd/app-p15.c (get_dispserialno): Add dedicated handling for RSCS.
--
In fact we fix the display of the s/n because the s/n was taken from a
certificate.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/command.c (cmd_readkey): Add option --no-data and special
handling for $SIGNKEYID and $AUTHKEYID.
* g10/call-agent.c (agent_scd_getattr): Create shadow keys for KEY-FPR
output.
* g10/skclist.c (enum_secret_keys): Automagically get a missing public
key for the current card.
Signed-off-by: Werner Koch <wk@gnupg.org>
--
This is required because GlobalSign re-issued the certificate (which
actually required to install InternetExploder in addition to Edge) and
now we have two certs to select from. The /a option seems to use the
latest generated certificate.
* tools/card-call-scd.c (scd_readkey): Add arg create_shadow.
* tools/gpg-card.c (list_one_kinfo): Add arg create_shadow and pass it
down to scd-readkey. Change all callers to convey this arg.
(cmd_list): Add option --shadow.
* g10/keyserver.c (keyserver_import_fprint_ntds): New.
* g10/getkey.c (get_pubkey_byname): Detect an attempt to search by
fingerprint in no_local mode.
--
See the man page. For testing use
gpg --auto-key-locate local,wkd,keyserver --locate-external-key \
FINGERPRINT
with at least one LDAP keyserver given in dirmngr.conf. On Windows
"ntds" may be used instead or in addtion to "keyserver".
Signed-off-by: Werner Koch <wk@gnupg.org>
* kbx/kbxserver.c (cmd_search): Use the openpgp hack for calling
classify_user_id.
* kbx/backend-sqlite.c (run_select_statement): Remove angle brackets
in exact addrspec mode.
* g10/call-keyboxd.c (keydb_search): Do not duplicate the left angle
bracket.
* sm/keydb.c (keydb_search): Ditto.
--
Note that the openpgp hack flag of classify_user_id is actually a
misnomer because we actually hack a round a problem in gpgsm. And it
is only over there that we don't set it there. In keyboxd the flag
should be set. And we need to remove the angle brackets of course
because that is how we create the addrspec column values.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (main): Don't use the default log file from common.conf.
* sm/gpgsm.c (main): Ditto.
--
That was acutally not intended and contradicts the description in
doc/example/common.conf.
Signed-off-by: Werner Koch <wk@gnupg.org>
* sm/keylist.c (do_show_certs): New.
(gpgsm_show_certs): New.
* sm/gpgsm.c (aShowCerts): New.
(opts): Add --show-certs.
(main): Call gpgsm_show_certs.
--
I have been using libksba test programs for countless times to look at
certificates and I always wanted to add such a feature to gpgsm. This
is simply much more convenient.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac: New option --with-tss to force the use of a
specific TSS library.
--
While most systems will probably have only one of the two TPM
libraries that we support (the IBM TSS or the Intel TSS), it
would still be helpful to allow which one to use in the event
that both are detected, instead of always using the IBM one.
This patch does that by adding a --with-tss=TSS configure-time
option, where TSS can be "ibm", "intel", or "autodetect". The
default value is "autodetect", which triggers the original
behavior (i.e. try to detect both libraries, and prefer the IBM
one if both are found).
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
* g10/keyedit.c (show_prefs): Show 'AEAD' if flags.aead is set.
--
The terse 'pref' command in the key editor correctly shows '[aead]'
if the uid->flags.aead is set, but the more verbose 'showpref'
command does not, due to an inverted condition check.
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>