* common/dns-cert.c (get_dns_cert): Make r_key optional.
* common/pka.c: Rewrite for the new hash based lookup.
* common/t-pka.c: New.
* configure.ac: Remove option --disable-dns-pka.
(USE_DNS_PKA): Remove ac_define.
* g10/getkey.c (parse_auto_key_locate): Always include PKA.
--
Note that although PKA is now always build, it will only work if
support for looking up via DNS has not been disabled.
The new PKA only works with the IPGP DNS certtype and shall be used
only to retrieve the fingerprint and optional the key for the first
time. Due to the security problems with DNSSEC the former assumption
to validate the key using DNSSEC is not anymore justified. Instead an
additional layer (e.g. Trust-On-First-Use) needs to be implemented to
track change to the key. Having a solid way of getting a key matching
a mail address is however a must have.
More work needs to go into a redefinition of the --verify-options
pka-lookups and pka-trust-increase. The auto-key-locate mechanism
should also be able to continue key fetching with another methods once
the fingerprint has been retrieved with PKA.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.w32-manifest.in: New.
* g10/gpg-w32info.rc: Add manifest.
* g10/Makefile.am (EXTRA_DIST): Add manifest.
(gpg-w32info.o): Depend on manifest.
* configure.ac (BUILD_VERSION): New.
(AC_CONFIG_FILES): Add manifest.
--
There are no dependencies yet defined - we need to do this for the
libs first.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac (AC_CHECK_HEADERS): Check for sys.select.h
* tools/watchgnupg.c: Include it.
--
It seems http://www.musl-libc.org/ is quite limited and requires
the use sys/select.h instead of unistd.h et al.
* gl/: Remove entire tree.
* configure.ac: Remove gnulib tests and the gl/ Makefile.
(setenv): Add to AC_CHECK_FUNCS.
* autogen.rc (extra_aclocal_flags): Set to empty.
* Makefile.am (ACLOCAL_AMFLAGS): Remove -I gl/m4
(SUBDIRS): Remove gl/.
* agent/Makefile.am (common_libs): Remove ../gl/gnulib.a
* common/Makefile.am (t_common_ldadd): Ditto.
* dirmngr/Makefile.am (dirmngr_LDADD): Ditto.
(dirmngr_ldap_LDADD, dirmngr_client_LDADD): Ditto.
* g10/Makefile.am (needed_libs): Ditto.
* g13/Makefile.am (g13_LDADD): Ditto.
* kbx/Makefile.am (kbxutil_LDADD): Ditto.
($(PROGRAMS)): Ditto.
* scd/Makefile.am (scdaemon_LDADD): Ditto.
* sm/Makefile.am (common_libs): Ditto.
* tools/Makefile.am (common_libs, commonpth_libs): Ditto.
* agent/gpg-agent.c: Remove "mkdtemp.h"
* g10/exec.c: Ditto.
* scd/scdaemon.c: Ditto.
* tools/symcryptrun.c: Ditto.
* common/sysutils.c: Remove "setenv.h"
* common/t-timestuff.c: Use putenv if setenv is not available.
--
gnulib has always been a cause of trouble in GnuPG because we used
only a very few functions and the complex include machinery of gnulib
is quite complex and the cause for many build problems for example on
OS X. This is not gnulib's fault but due to our limited use of gnulib
and that we only rarely update the gnulib code to avoid regressions.
In part two we will address the functions
mkdtemp
setenv
unsetenv
strpbrk
which may bot be implemented on all platforms. They are not required
on a libc based system.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac <adns>: Use adns_free as probe function for libadns.
(HAVE_ADNS_FREE): Remove bogus tests to set this and remove the macro.
(ADNSLIBS): Do not ac_subst - it is only used within configure.
--
adns_free is required on Windows anyway (for robustness reasons) and
it has been around for so long now that we do not need a separate
test. An upstream adns 1.5 has meanwhile been release but I doubt that
this has the required Windows code - and it is not libtool based
anyway.
--
Also fixed some of my own copyright notices due to the termination of
my assignment. The one displayed by --version is kept at FSF because
we had contributors in 2014 with FSF assignments and it gives the FSF
some visibility.
* configure.ac: Add option --disable-ldap.
(USE_LDAP): New ac_define and am_conditional.
* dirmngr/Makefile.am: Take care of USE_LDAP.
* dirmngr/dirmngr.c (!USE_LDAP): Make all ldap options dummy options
and do not call any ldap function.
* dirmngr/server.c (!USE_LDAP): Do not call any ldap function.
* dirmngr/crlfetch.c (!USE_LDAP): Ditto.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac: Added --enable-large-secmem option.
* g10/options.h: Add opt.flags.large_rsa.
* g10/gpg.c: Contingent on configure option: adjust secmem size,
add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
* g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
* doc/gpg.texi: Document --enable-large-rsa.
--
This is a cherry-pick of 534e2876ac from
STABLE-BRANCH-1-4 against master
Some older implementations built and used RSA keys up to 16Kib, but
the larger secret keys now fail when used by more recent GnuPG, due to
secure memory limitations.
Building with ./configure --enable-large-secmem will make gpg
capable of working with those secret keys, as well as permitting the
use of a new gpg option --enable-large-rsa, which let gpg generate RSA
keys up to 8Kib when used with --batch --gen-key.
Debian-bug-id: 739424
Minor edits by wk.
GnuPG-bug-id: 1732
* agent/agent.h (opt): Remove field use_standard_socket.
* agent/command.c (cmd_killagent): Always allow killing.
* agent/gpg-agent.c (main): Turn --{no,}use-standard-socket and
--write-env-file into dummy options. Always return true for
--use-standard-socket-p. Do not print the GPG_AGENT_INFO envvar
setting or set that envvar.
(create_socket_name): Simplify by removing non standard socket
support.
(check_for_running_agent): Ditto.
* common/asshelp.c (start_new_gpg_agent): Remove GPG_AGENT_INFO use.
* common/simple-pwquery.c (agent_open): Ditto.
* configure.ac (GPG_AGENT_INFO_NAME): Remove.
* g10/server.c (gpg_server): Do not print the AgentInfo comment.
* g13/server.c (g13_server): Ditto.
* sm/server.c (gpgsm_server): Ditto.
* tools/gpgconf.c (main): Simplify by removing non standard socket
support.
--
The indented fix to allow using a different socket than the one in the
gnupg home directory is to change Libassuan to check whether the
socket files exists as a regualr file with a special keyword to
redirect to another socket file name.
* configure.ac (NEED_NTBTLS_ABI, NEED_NTBTLS_VERSION): New.
(HTTP_USE_NTBTLS): New. Prefer over GNUTLS.
* m4/ntbtls.m4: New.
* m4/Makefile.am (EXTRA_DIST): Add new file.
* common/http.c: Add conditionals to eventually use NTBTLS.
--
This is only the configure stuff. If you have NTBTLS installed GNUTLS
will not be used but there won't be any https support either :-(.
This patch is used to have a real world test bench for the forthcoming
library.
* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA256 in --gnupg and SHA1 in
strict RFC or PGP modes.
* g10/sign.c (make_keysig_packet): Use DEFAULT_DIGEST_ALGO also for
RSA key signatures.
* configure.ac: Do not allow to disable sha256.
* configure.ac: Remove option --build-agent-only.
(FAKE_CURL, GPGKEYS_CURL): Remove check for cURL
(GPGKEYS_MAILTO): Remove ac_subst but keep the currently unused
SENDMAIL check.
(GPGKEYS_KDNS): Remove ac_subst.
* autogen.rc (final_info): Remove suggestion to use the removed option
--enable-mailto.
* autogen.sh: Add option --find-version
* configure.ac: Rework the setting of the mym4_ variables.
--
The old system was not too well defined if no release for a series has
yet been done. We now introduce a "PACKAGE-N.M-base" tag to solve
this problem. To keep the M4 code readable the GIT parsing has been
moved to ./autogen.sh.
* configure.ac: Remove keyserver helper related stuff.
* Makefile.am (SUBDIRS): Remove keyserver.
* keyserver/Makefile.am: Remove.
--
The dirmngr is used instead of the keyserver helpers. Thus there is
more need to distribute the old code. We keep it in the repo for
references, though.
* configure.ac (HAVE_NPTH): New ac_define.
* common/estream.c: Use USE_NPTH instead of HAVE_NPTH.
* common/http.c: Ditto. Replace remaining calls to pth by npth calls.
(connect_server): Remove useless _().
* common/exechelp-posix.c, common/exechelp-w32.c
* common/exechelp-w32ce.c: Use HAVE_PTH to include npth.h.
* common/init.c (_init_common_subsystems): Remove call to pth_init.
* common/sysutils.c (gnupg_sleep): Use npth_sleep.
* scd/ccid-driver.c (my_sleep): Ditto.
--
USE_NPTH is used in case were we may build with and without nPth. The
missing definition HAVE_NPTH didn't allowed us to build outher sources
with nPTh support.
* m4/readline.m4: Set gnupg_cv_have_readline.
* configure.ac: Add readline support to summary output.
--
Readline is an optional feature which is build if the readline
development files are available on the build systems. Too often they
are missing on a (new) build machine which at least makes debugging
inconvenient.
Backport useful code from fixes for bug 1447.
* configure.ac: Cehck for inet_ntop.
* m4/libcurl.m4: Provide a #define for the version of the curl
library.
--
We do not have keyserver helpers anymore but this fixes may come handy
eventually.
* configure.ac: Cehck for inet_ntop.
* m4/libcurl.m4: Provide a #define for the version of the curl
library.
--
We do not have keyserver helpers anymore but this fixes may come handy
eventually.
* common/utf8conv.c: Remove dynload.h.
(load_libiconv): Remove. Remove all calls to it.
--
The iconv functions are standard feature on most systems and in any
case libiconv can be used to provide the functions. The old code used
to dlopen iconv.dll on Windows. This goes back to GnuPG-1 which was
designed as a one-binary program without any hard dependencies.
GnuPG2 however demands a lot of libraries anyway and thus there is no
more need for the fragile code to load a possible wrong version of
iconv.dll at runtime.
* configure.ac: Add option --disable-trust-models
(NO_TRUST_MODELS): New ac_define and am_conditional.
* g10/Makefile.am (trust_source): New.
(gpg2_SOURCES): Factor some files out to above. Add trust.c.
* g10/gpg.c [NO_TRUST_MODELS]: Disable options --export-ownertrust,
--import-ownertrust, --update-trustdb, --check-trustdb, --fix-trustdb,
--list-trustdb, --trustdb-name, --auto-check-trustdb,
--no-auto-check-trustdb, and --force-ownertrust.
(parse_trust_model) [NO_TRUST_MODELS]: Do not build.
(main) [NO_TRUST_MODELS]: Set trust_model to always and exclude all
trustdb related option code.
* g10/keyedit.c (cmds) [NO_TRUST_MODELS]: Remove menu items "trust",
"enable", and "disable".
* g10/keylist.c (public_key_list) [NO_TRUST_MODELS]: Do not print
"tru" record.
* g10/trust.c: New.
* g10/trustdb.c (struct key_item): Move to trustdb.h.
(register_trusted_keyid): Rename to tdb_register_trusted_keyid.
(register_trusted_key): Rename to tdb_register_trusted_key.
(trust_letter, uid_trust_string_fixed, trust_value_to_string)
(string_to_trust_value, get_ownertrust_with_min, get_ownertrust_info)
(get_ownertrust_string, get_validity_info, get_validity_string)
(clean_sigs_from_uid, clean_uid_from_key, clean_key): Move to trust.c.
(mark_usable_uid_certs): Move to trust.c and make global.
(is_in_klist): Move as inline to trustdb.h.
(trustdb_check_or_update): Rename to tdb_check_or_update
(revalidation_mark): Rename to tdb_revalidation_mark.
(get_ownertrust): Rename to tdb_get_ownertrust.
(get_min_ownertrust): Rename to tdb_get_min_ownertrust.
(update_ownertrust): Rename to tdb_update_ownertrust.
(clear_ownertrusts): Rename to tdb_clear_ownertrusts.
(cache_disabled_value): Rename to tdb_cache_disabled_value.
(check_trustdb_stale): Rename to tdb_check_trustdb_stale.
(get_validity): Rename to tdb_get_validity_core, add arg MAIN_PK and
factor some code out to ...
* trust.c (get_validity): ...new.
(check_or_update_trustdb): New wrapper.
(revalidation_mark): New wrapper.
(get_ownertrust): New wrapper.
(get_ownertrust_with_min): New wrapper.
(update_ownertrust): New wrapper.
(clear_ownertrusts): New wrapper.
(cache_disabled_value): New wrapper.
(check_trustdb_stale): New wrapper.
* tests/openpgp/defs.inc (opt_always): New. Use in all tests instead
of --always-trust.
* acinclude.m4 (GNUPG_GPG_DISABLE_ALGO): New.
* configure.ac: Add --enable-gpg-* options to disable non MUS
algorithms.
* g10/misc.c (map_cipher_openpgp_to_gcry): Implement these options.
(openpgp_pk_test_algo2): Ditto.
(map_md_openpgp_to_gcry): Ditto.
(openpgp_cipher_test_algo, openpgp_md_test_algo): Simplify.
--
We have a similar feature in GnuPG-1. Although we don't shrink the
size of the gpg binary by disabling algorithms (they are implemented
in Libgcrypt), this feature may still be useful for inerop testing.
* configure.ac: Remove check for uint64 and UINT64_C.
* include/types.h: Remove u64 stuff.
* common/types.h: Ditto.
--
There have been relicts from GnuPG-1.
Signed-off-by: Werner Koch <wk@gnupg.org>
