1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

10212 Commits

Author SHA1 Message Date
Werner Koch
845d5e61d8
dirmngr: Cleanup the http module.
* configure.ac (NEED_NTBTLS_VERSION): Require at least 0.2.0 so that
we can remove a conditional compilation.

* dirmngr/http.c (struct proxy_info_s): New.
(release_proxy_info): New to keep proxy information in one object.
(send_request): Factor some code out to ...
(get_proxy_for_url): this,
(send_request_basic_checks): this,
(send_request_set_sni): this,
(run_ntbtls_handshake): this,
(run_gnutls_handshake): and this.
--

Note that this also removes some never used code.  For example the
NTBTLS handshake has code taken from GNUTLS which was never used due
to the different ways on how the certificates are checked.

The proxy code has been factored out to make to prepare further
authentication methods.  The proxy_info_t was introduced for the same
reason.

Tested against gnutls and ntbtls builds.  No proxy tests yet done,
because we need more sophisticated tests anyway.

GnuPG-bug-id: 5768
2023-09-26 13:58:31 +02:00
Werner Koch
2a2846959f
gpg: Fix --no-utf8-strings.
* g10/gpg.c (main): Ignore --no-utf8-strings only on Windows.
--

Fixes-commit: 8c41b8aac3efb78178fe1eaf52d8d1bbc44941a8
Reported-by: Ingo Klöcker
2023-09-18 11:26:56 +02:00
Robin H. Johnson via Gnupg-devel
bf662d0f93
gpg: Add --list-filter properties sig_expires/sig_expires_d
Modelled after key_expires/key_expires_d.

This should be useful to detect upcoming certification expiry, so the
certifications can be renewed in advance of the expiry.

Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
2023-09-15 10:37:47 +02:00
Werner Koch
4fc745bc43
dirmngr: Relax the detection of the "none" keyserver.
* dirmngr/server.c (cmd_keyserver): Ignore also hkps://none.
(ensure_keyserver): Better ignore also "none" with a hkp or hpks
scheme.
--

GnuPG-bug-id: 6708
2023-09-11 11:24:00 +02:00
Werner Koch
7f9e05d73f
common: Never remove /dev/null.
* common/sysutils.c (gnupg_remove): Detect /dev/null.
--

GnuPG-bug-id: 6556
2023-09-07 17:21:05 +02:00
Werner Koch
a02f3cc4e8
gpg: Fix validity of re-imported keys.
* g10/trustdb.c (tdb_clear_ownertrusts): Detect stale validity
records.
--

GnuPG-bug-id: 6399

This problem was introduced by an actually very useful patch

  2002-12-13  David Shaw  <dshaw@jabberwocky.com>
  [...]
  * import.c (import_keys_internal): Used here so we don't rebuild
  the trustdb if it is still clean.
  (import_one, chk_self_sigs): Only mark trustdb dirty if the key
  that is being imported has any sigs other than self-sigs.
  Suggested by Adrian von Bidder.

[the last part]

The bug exhibited itself only after signing a key, deleting that key
and then re-importing the original non-signed key.
2023-09-06 12:12:47 +02:00
Werner Koch
0aa32e2429
dirmngr: Allow conf files to disable default keyservers.
* dirmngr/server.c (ensure_keyserver): Detect special value "none"
(cmd_keyserver): Ignore "none" and "hkp://none".
--

GnuPG-bug-id: 6708
2023-09-06 09:50:28 +02:00
Werner Koch
362a6dfb0a
gpg: Fix last commit.
* g10/keyid.c (hash_public_key): Do not pass the version.
--

Fixes-commit: 1f76cbca35133969ccccfa324d633556e19a386c
2023-09-05 08:08:54 +02:00
Werner Koch
1f76cbca35
gpg: Add option --with-v5-fingerprint
* g10/gpg.c (oWithV5Fingerprint): New.
(opts): Add new option.
(main): Set option.
* g10/options.h (opt): Add with_v5_fingerprint.
* g10/keyid.c (hash_public_key): Factor out to ...
(do_hash_public_key): this.  Add new arg to foce v5 style hashing.
(v5_fingerprint_from_pk): New.
(v5hexfingerprint): New.
* g10/keylist.c (print_fingerprint): Print v5 fingerprint for v4 keys
if the option is set.
--

GnuPG-bug-id: 6705
2023-09-04 16:36:51 +02:00
Werner Koch
776876ce1c
gpgsm: Add --always-trust feature.
* sm/gpgsm.h (opt): Re-purpose unused flag always_trust.
(struct server_control_s): Add "always_trust".
(VALIDATE_FLAG_BYPASS): New.
* sm/gpgsm.c (oAlwaysTrust): New.
(opts): Add "--always-trust"
(main): Set option.
* sm/server.c (option_handler): Add option "always-trust".
(reset_notify): Clear that option.
(cmd_encrypt): Ditto.
(cmd_getinfo): Add sub-command always-trust.
* sm/certchain.c (gpgsm_validate_chain): Handle VALIDATE_FLAG_BYPASS.
* sm/certlist.c (gpgsm_add_to_certlist): Set that flag for recipients
in always-trust mode.
--

GnuPG-bug-id: 6559
2023-08-31 12:30:26 +02:00
Werner Koch
ee27ac18ea
doc: Add some hints for AD queries.
--

This is repo only.
2023-08-24 11:28:12 +02:00
Werner Koch
32c55603df
dirmngr: Fix LDAP time parser.
* dirmngr/ldap-misc.c (rfc4517toisotime): Correct index.
--

Obviously the parser assumes the standard ISO format with the 'T'
before the hour.  That is not correct here.  We need this parser for
the modifyTimestamp thingy.
2023-08-24 11:25:30 +02:00
NIIBE Yutaka
fa29c86582
build: Update libassuan.m4 to allow build with libassuan 3.
* m4/libassuan.m4: Update from libassuan master.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-08-02 11:39:40 +09:00
NIIBE Yutaka
96b69c1866
gpg: Add support for Subkey-Expire-Date.
* g10/keygen.c (enum para_name): Add pSUBKEYEXPIREDATE.
(proc_parameter_file): Add support for pSUBKEYEXPIREDATE.
(read_parameter_file): Add "Subkey-Expire-Date".

--

Cherry-pick from master commit of:
	23bcb78d279ebc81ec9340356401d19cf89985f1

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-25 11:15:22 +09:00
NIIBE Yutaka
2258bcded6
gpg: Fix expiration time when Creation-Date is specified.
* g10/keygen.c (parse_expire_string_with_ct): New function, optionally
supply the creation time.
(parse_expire_string): Use parse_expire_string_with_ct with no
creation time.
(proc_parameter_file): Use parse_expire_string_with_ct possibly with
the creation time.

--

Cherry-pick from master commit of:
	b07b5144ff6a9208ea27fe1e1518270bd22b382c

GnuPG-bug-id: 5252
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-25 11:14:43 +09:00
Andre Heinecke
c68b70ce9d
w32: Add keyboxd.exe to signed files
* build-aux/speedo.mk (AUTHENTICODE_FILES): Add keyboxd.exe

--
This should prevent that keyboxd.exe is blocked on systems that
only allow signed executables.
2023-07-21 10:29:22 +02:00
Andre Heinecke
083a16ae08
dirmngr: Add doc for faked-system-time
* dirmngr/dirmngr.c (gpgrt_opt_t): Use string for oFakedSystemTime.
(oFakedSystemTime): Use similar conversion as gpgsm has.
* dirmngr/dirmngr.texi (faked-system-time): Document it.

--
For testing X509 certificates this is usually required and
then confusing that the example from the gpgsm man page
does not work for dirmngr.
2023-07-21 10:26:44 +02:00
NIIBE Yutaka
a3be97df4d
common:w32: Fix gnupg_w32_set_errno.
* common/sysutils.c (gnupg_w32_set_errno): Return EC.

--

Cherry-pick master commit of:
	4c6b759368bcf19a13df07c5c6080765ecac28ca

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-10 11:21:16 +09:00
NIIBE Yutaka
9ae3cfcabe
dirmngr: Enable the call of ks_ldap_help_variables when USE_LDAP.
* dirmngr/server.c [USE_LDAP] (cmd_ad_query): Conditionalize.

--

Cherry-pick master commit of:
	dc13361524c1477b2106c7385f2059f9ea111b84

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-07-05 10:46:45 +09:00
Werner Koch
2378ccf97c
Post release updates
--
2023-07-04 16:44:01 +02:00
Werner Koch
d073f26d81
Release 2.4.3 gnupg-2.4.3 2023-07-04 16:06:59 +02:00
Werner Koch
7c04a6a284
po: msgmerge
--
2023-07-04 16:06:57 +02:00
Emir SARI
7f8ea1c9be
po: Update Turkish translation
--
2023-07-04 15:52:05 +02:00
Werner Koch
b83d86b988
scd:p15: Make signing work for Nexus cards.
* scd/app-p15.c (CARD_PRODUCT_NEXUS): New.
(read_p15_info): Detect Nexus cards.
(get_dispserialno): Use product_id instead of comparing the
manufacturer_id.
(do_sign): Handle Nexus like BELPIC.
2023-07-04 14:32:08 +02:00
Werner Koch
7a2831bc0e
gpgsm: Init a diagnostic var.
* sm/minip12.c (p12_parse): Init where.
--
2023-07-04 09:26:55 +02:00
Werner Koch
5e94470d05
common,w32: Add missing GetLastError->errno mapping.
* common/iobuf.c (file_filter, sock_filter): Add missing mapping.
--

GnuPG-bug-id: 6528
2023-07-04 09:19:05 +02:00
Werner Koch
5377226ec0
Prepare NEWS for the next release
--
2023-06-30 10:59:06 +02:00
Werner Koch
5f694dc0be
sm: Adding missing stuff to the PKCS#12 parser rewrite.
* sm/minip12.c (struct bufferlist_s): New.
(struct tlv_ctx_s): Add bufferlist.
(tlv_register_buffer): New.
(tlv_release): Release bufferlist.
(tlv_expect_object): Handle octet string cramming.
(tlv_expect_octet_string): Ditto.
(cram_octet_string): Changed interface.  We don't need the
input_consumed value anymore.

* sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set.

* sm/t-minip12.c (main): Add option --no-extra.
(cert_collect_cb, run_tests_from_file): Fix memory leak

* tests/cms/samplekeys/t5793-openssl.pfx: New from T5793.
* tests/cms/samplekeys/t5793-test.pfx: Ditto.
* tests/cms/samplekeys/Description-p12: Add them.
* tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys.
--

This should finish the rewrite of the pkcsc#12 parser for now.  More
fun is likely to come.

GnuPG-bug-id: 6536, 5793
2023-06-29 17:49:10 +02:00
Werner Koch
101433dfb4
sm: Major rewrite of the PKCS#12 parser
* sm/minip12.c: Reworked most of the parser.
(p12_set_verbosity): Add arg debug and change all callers.

* sm/t-minip12.c: Major rewrite to run regression tests unattended.
* sm/Makefile.am (module_maint_tests): Move t-Minit to ...
(module_tests): here.
* tests/cms/samplekeys/Description-p12: New.
--

Note that cram_octet_string stuff has not yet been reworked.  I need
to locate the sample files first.

GnuPG-bug-id: 6536
2023-06-28 17:34:19 +02:00
Werner Koch
c926967d85
sm: Remove duplicated code.
* sm/minip12.c (struct tag_info): Change type of length and nhdr.
(dump_tag_info): Adjust.
(parse_tag): Re-implement using the parse_ber_header.
2023-06-28 17:34:19 +02:00
NIIBE Yutaka
25b59cf6ce
scd:piv: Fix authentication with Administration Key.
* scd/app-piv.c (auth_adm_key): Fix the value of the Response Tag.
(do_setattr): Fix the comment.

--

Cherry-pick master commit of:
	7cfbf0dd72d8d5c14fbf19c13722d153bd1cbd70

Reported-by: Heiko Schäfer <heiko@schaefer.name>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-06-28 14:03:45 +09:00
Werner Koch
10c937ee68
wks: Make --add-revocs the default.
* tools/gpg-wks-client.c (opt): New option --no-add-revocs.
(main): Make --add-revocs the default.

(command_send): Rename to ...
(command_create): to match the command name.
2023-06-21 11:48:02 +02:00
Werner Koch
2c7f7a5a27
wks: Use export-clean for --mirror and --create.
* tools/wks-util.c (wks_get_key): Change from export-minimal to
export-clean
--

To properly work with tusted introducers et al. it is important to also
upload valid key signatures to the Web Key Directory.
2023-06-21 11:48:02 +02:00
zhangguangzhi
06aeb2b45c
kbx: Close file handle when return.
* kbx/keybox-dump.c (_keybox_dump_find_dups): Close FP on the error
paths.

--

GnuPG-bug-id: 6495
Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
2023-06-20 09:20:49 +09:00
zhangguangzhi
40090dbbf9
delete redundant characters
--

GnuPG-bug-id: 6482
Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
2023-06-20 09:08:14 +09:00
Werner Koch
b1ecc8353a
dirmngr: New option --ignore-crl-extensions.
* dirmngr/dirmngr.c (oIgnoreCRLExtension): New.
(opts): Add --ignore-crl-extension.
(parse_rereadable_options): Add to list/
* dirmngr/dirmngr.h (opt): Add ignored_crl_extensions.
* dirmngr/crlcache.c (crl_cache_insert): Implement option.
--

This option is is useful for debugging problems with new CRL
extensions.  It is similar to --ignore-cert-extension.

GnuPG-bug-id: 6545
2023-06-19 14:25:47 +02:00
Werner Koch
701a8b30f0
gpgsm: Support SENDCERT_SKI for --call-dirmngr
* sm/call-dirmngr.c (run_command_inq_cb): Support SENDCERT_SKI.

* dirmngr/crlcache.c (crl_cache_insert): Print the CRL name along with
the unknown OID nortice.
2023-06-19 14:05:22 +02:00
Werner Koch
0a63afc79a
dirmngr: Disable the HTTP redirect rewriting.
* dirmngr/http.h (struct http_redir_info_s): Add restrict_redir.
* dirmngr/ks-engine-hkp.c (send_request): Set it depending on flags.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http-basic.c (test_http_prepare_redirect): Always set it.
* dirmngr/http.c (http_prepare_redirect): Remove location rewriting
unless the flag is set.
--

GnuPG-bug-id: 6477
2023-06-15 15:06:21 +02:00
Werner Koch
bf04b07327
dirmngr: New option --compatibility-flags.
* dirmngr/dirmngr.c (oCompatibilityFlags): NEw.
(opts): Add option --compatibility-flags.
(compatibility_flags): New.
(parse_rereadable_options): Parse them.
2023-06-15 15:00:28 +02:00
Werner Koch
3bab25d7d5
gpgtar: New option --no-compress.
* tools/gpgtar.c: Add option --no-compress.
* tools/gpgtar.h (opt): Add field no_compress.
* tools/gpgtar-create.c (gpgtar_create): Pass -z0 to gpg.
--

This option is probably easier to remember than --gpg-args '-z0'.
2023-06-15 13:59:22 +02:00
Werner Koch
2178f35dff
gpg: New option --no-compress as alias for -z0. 2023-06-15 13:59:16 +02:00
Werner Koch
e9c337c0b9
gpgsm: New option --input-size-hint.
* sm/gpgsm.c (oInputSizeHint): New.
(opts): Add "--input-size-hint".
(main): Set option.
* sm/server.c (option_handler): Add option "input-size-hint".
* sm/gpgsm.h (struct server_control_s): Add field input_size_hint.
* sm/encrypt.c (gpgsm_encrypt): Set the toatl file size.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
* sm/sign.c (gpgsm_sign): Ditto.
* sm/verify.c (gpgsm_verify): Ditto.
--

This option allows to set a value for the progress output line.  Note
that as of now there is no other way to set the file size.

GnuPG-bug-id: 6534
2023-06-15 12:28:55 +02:00
Werner Koch
a88aeee129
gpgsm: Fix last commit
--

There was some test code left over and a check reversed.
2023-06-15 12:20:11 +02:00
Werner Koch
c58067415f
gpgsm: Print PROGRESS status lines.
* common/ksba-io-support.c (struct writer_cb_parm_s): Add field
progress.
(struct gnupg_ksba_io_s): Add field is_writer.
(update_write_progress): New.
(base64_writer_cb, plain_writer_cb): Call update_write_progress.
(base64_finish_write): Ditto.
(gnupg_ksba_create_writer): Set is_writer.
(gnupg_ksba_set_progress_cb): New.
(gnupg_ksba_set_total): New.
* common/ksba-io-support.h (gnupg_ksba_progress_cb_t): New type.
* sm/server.c (gpgsm_status2): Return error from statusfp writes.
(gpgsm_progress_cb): New.
* sm/decrypt.c (gpgsm_decrypt): Set progress handler.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* sm/sign.c (gpgsm_sign): Ditto.
* sm/verify.c (gpgsm_verify): Ditto.
--

GnuPG-bug-id: 6534
2023-06-15 10:37:07 +02:00
Werner Koch
808494b485
gpg: Make progress work for large files on Windows.
* common/iobuf.c (iobuf_get_filelength): Change return type to
uint64_t and remove the overflow args.  For Windows always use
GetFileSizeEx which is available since the long EOL-ed Windows XP.

* g10/sign.c (write_plaintext_packet): Adjust for changed
iobuf_get_filelength.
* g10/encrypt.c (encrypt_simple, encrypt_crypt): Ditto.
* g10/photoid.c (generate_photo_id): Ditto.  Also add an upper limit.

* g10/filter.h (progress_filter_context_t): Change amount values to
use uint64_t.
* g10/progress.c (write_status_progress): Change accordingly.

--
GnuPG-bug-id: 6534
2023-06-13 10:07:07 +02:00
Werner Koch
695cb04af5
gpg: Print status line and proper diagnostics for write errors.
* common/iobuf.c (file_filter): Improve diagnostics.
* g10/build-packet.c (do_plaintext): Make sure to cache all error
cases.
--

GnuPG-bug-id: 6528
2023-06-09 17:40:53 +02:00
Andre Heinecke
64509134d4
speedo,w32: Call gpgconf --kill all
* build-aux/speedo/w32/inst.nsi: Use kill all instead of
explicitly killing processes.
2023-06-09 16:29:11 +02:00
Werner Koch
ca3f0e66bc
w32: Map ERROR_FILE_INVALID to EIO.
* common/sysutils.c (map_w32_to_errno): Add mapping.
--

We see this error sometimes when writing to an USB connected disk.
2023-06-09 16:29:04 +02:00
Werner Koch
c68dd22872
gpg: Add --list-filter properties key_expires and key_expires_d.
* g10/import.c (impex_filter_getval): Support new filter properties.
--

Here is how to list all subkeys expiring in the year 2061:

 gpg --list-keys --list-filter
      'select= sub/key_expires_d -gt 2061-01-01 \
               && sub/key_expires_d -lt 2061-12-31'

To list all primary key expirations, use the "pub/" prefix and to list
all expiration dates use no prefix.

GnuPG-bug-id: 6509
2023-06-09 16:16:56 +02:00
Werner Koch
207c99567c
dirmngr: Extend the AD_QUERY command.
* dirmngr/server.c (cmd_ad_query): Add options --help and --subst.
(cmd_getinfo): Add sub-command "sid".
* dirmngr/ks-engine.h (KS_GET_FLAG_SUBST): New.
* dirmngr/ks-engine-ldap.c (ks_ldap_help_variables): New.
(getval_for_filter): New.
(map_rid_to_dn): New.
(ks_ldap_query): Support variables.
--

The new variables features makes it easier to write AD queries without
requiring domain specific expressions.
2023-06-07 10:03:48 +02:00