* agent/command-ssh.c (card_key_available): Replace blanks.
--
For managing the authorized_key file of ssh it is convenient if the
comment does not have any spaces. Thus we now return
cardno:FFFE_50FF3D01
instead of
cardno:FFFE 50FF3D01
Note that gpg --export-ssh-key uses the keyid as comment because it
does not known the S/N of the card. Gpg-agent however does not know
about OpenPGP and uses the s/n.
* g10/gpg.c (oRFC4880bis): Remove.
(opts): Make --rfc4880bis a Noop.
(compliance_options): Make rfc4880bis to gnupg.
(set_compliance_option): Remove rfc4880bis stuff.
(main): Ditto. Note that this now activates the --mimemode option.
* g10/keygen.c (keygen_set_std_prefs): Remove rfc4880bis protection.
(keygen_upd_std_prefs): Always announce support for v5 keys.
(read_parameter_file): Activate the v4 and v5 keywords.
--
* g10/gpg.c (opts): New option--force-ocb as alias for force-aead.
Turn --aead-algo and --personal-aead-preferences into dummy options.
(build_list_md_test_algo, build_list_aead_algo_name): Remove.
(my_strusage): Remove output of AEAD algos.
(main): Remove code from the --aead options.
* g10/encrypt.c (encrypt_seskey): Make file local.
(use_aead): Remove requirement for rfc4880bis. Always return
AEAD_ALGO_OCB.
* g10/main.h (DEFAULT_AEAD_ALGO): Removed unused macro.
* g10/misc.c (default_aead_algo): Remove.
* g10/pkclist.c (select_aead_from_pklist): Return AEAD_ALGO_OCB or 0.
(select_algo_from_prefs): Remove personal AEAD algo setting.
* g10/keygen.c (keygen_set_std_prefs): Remove AEAD preference option
parsing.
* g10/options.h (opt): Remove def_aead_algo and personal_aead_prefs.
--
Due to the meanwhile expired patent on OCB there is no more reason for
using EAX. Thus we forcefully use OCB if the AEAD feature flag is set
on a key.
* g10/gpg.c (oCompatibilityFlags): New.
(opts): Add option.
(compatibility_flags): New list.
(main): Set flags and print help.
* g10/options.h (opt): Add field compatibility_flags.
--
No flags are yet defined but it is good to have the framework.
* g10/kbnode.c (new_kbnode2): New.
* g10/import.c (delete_inv_parts): New arg r_otherrevsigs to store
misplaced revocations.
(import_revoke_cert): Allow to pass an entire list.
(import_one): Import revocations found by delete_inv_parts.
--
It might be useful to distribute revocations of old keys along with
new keys. This is in particicualrr useful for WKD stored keys. This
patch allows to put unrelated standalone revocations into a key. For
example they can simply appended to a keyblock. Right now it is a bit
inaesthetic to see diagnostics about misplaced or bad revocation
signatures.
* agent/command.c (cmd_keyattr): Reject when disabled extended key
format. Handle the case when key is in non-extended format.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/gpg-card.c: Include exechelp.h
(cmd_gpg): New.
(enum cmdids): Add cmdGPG and cmdGPGSM.
(cmds): Add commands "gpg" and "gpgsm"
(dispatch_command, interactive_loop): Call them.
--
It is too cumbersome to leave the gpg-card shell just for running a
quick gpg or gpgsm command. Thus we add these new commands.
Take care: As of now we don't have proper shell-quoting rules
implemented. This will eventually be done.
* sm/certlist.c (cert_usage_p): Allow keyAgreement for ECC.
* sm/fingerprint.c (gpgsm_is_ecc_key): New.
--
For ECC encryption keys keyAgreement is the keyUsage we want.
* g10/ecdh.c (derive_kek): Use GCRY_KDF_ONESTEP_KDF.
--
This change is not yet enabled. We will be able to use the code when
we update NEED_LIBGCRYPT_VERSION to 1.11.0. Before the update, gpg
compiled with libgcrypt 1.11.0 can't work with older libgcrypt
runtime.
GnuPG-bug-id: 5964
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/gpg-wks-client.c (domain_matches_mbox): New.
(mirror_one_key): Skip non-matching domains.
(command_mirror): Change args to allow for several domains.
--
Although dirmngr returns only the keys matching a certain domain,
those keys still may have user ids from other domains. Now we publish
only the user-ids as specified on the command line.
GnuPG-bug-id: T6224
* common/tlv.c (parse_ber_header): Protect agains integer overflow.
--
Although there is no concrete case where we use the (nhdr + length),
it is better to protect against this already here.
* g10/decrypt.c (decrypt_message_fd): Use INPUT_FD directly.
* g10/encrypt.c (encrypt_crypt): Use FILEFD directly.
--
Before 8402815d, original code was with iobuf_open_fd_or_name, which
used gnupg_fd_t for the file descriptor (FD2INT was relevant at that
time). After the change, because it's not gnupg_fd_t but int, use of
FD2INT is irrelevant.
Fixes-commit: 8402815d8e
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/gpg-wks-client.c (aMirror,oBlacklist,oNoAutostart): New.
(opts): Add ----mirror, --no-autostart, and --blacklist.
(parse_arguments): Parse new options.
(main): Parse common.conf. Implement aMirror.
(mirror_one_key_parm): New.
(mirror_one_keys_userid, mirror_one_key): New.
(command_mirror): New.
* tools/gpg-wks.h (struct uidinfo_list_s): Add fields flags.
* tools/wks-util.c (wks_cmd_install_key): Factor some code out to ...
(wks_install_key_core): new.
* tools/call-dirmngr.c (wkd_dirmngr_ks_get): New.
--
This implements the basic LDAP to WKD mirroring. The blacklist
option and domain restrictions are not yet fully implemented.
Take care: In OpenLDAP you may need to increase the paged result limit
by using a configuration like:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcLimits
olcLimits: dn.subtree="dc=example,dc=org" size.prtotal=unlimited
GnuPG-bug-id: 6224
* dirmngr/ks-engine-ldap.c (PAGE_SIZE): New.
(struct ks_engine_ldap_local_s): Add several new fields.
(ks_ldap_clear_state): Release them.
(search_and_parse): Factored out from ks_ldap_get and extended to
support the paged mode.
(ks_ldap_get): Implement the pages mode for --first and --next.
* dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first
mode.
* dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS.
--
The paged mode allows to retrieve more items than the servers usually
limit (e.g. 1000 for an LDS). This patch also allows to use --first
without a patter to retrieve all keyblocks (except for disabled and
revoked keys).
GnuPG-bug-id: 6224
* dirmngr/server.c (cmd_ks_get): Add option --first and --next.
(start_command_handler): Free that new ldap state.
* dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New.
(ks_ldap_new_state, ks_ldap_clear_state): New.
(ks_ldap_free_state): New.
(return_one_keyblock): New. Mostly factored out from ....
(ks_ldap_get): here. Implement --first/--next feature.
* dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to
ks_get_flags.
* dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New.
(KS_GET_FLAG_FIRST): New.
(KS_GET_FLAG_NEXT): New.
* dirmngr/dirmngr.h (struct server_control_s): Add member
ks_get_state.
(struct ks_engine_ldap_local_s): New forward reference.
--
This feature allows to fetch keyblock by keyblock from an LDAP server.
This way tools can process and maybe filter each keyblock in a more
flexible way. Here is an example where two keyblocks for one mail
address are returned:
$ gpg-connect-agent --dirmngr
> ks_get --ldap --first <foo@example.org>
[... First keyblock is returned ]
OK
> ks_get --next
[ ... Next keyblock is returned ]
OK
> ks_get --next
ERR 167772218 No data <Dirmngr>
GnuPG_bug_id: 6224
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data
behind the EOS.
(interrogate_ldap_dn): Stylistic change.
--
This also updates the my_ldap_connect description.
GnuPG-bug-id: 6047
* g10/encrypt.c (encrypt_crypt, encrypt_filter): Factor common code
out to ...
(create_dek_with_warnings): new
(check_encryption_compliance): and new.
* g10/encrypt.c (encrypt_filter): Add the compliance check.
--
GnuPG-bug-id: 6174
Ported-from: f88cb12f8e