1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-24 10:39:57 +01:00

8823 Commits

Author SHA1 Message Date
Werner Koch
7397872445
gpgconf: Support reading global options (part 1).
* tools/gpgconf.c (main): Set the config directories.
* tools/gpgconf-comp.c (gc_backend): Change the name of the config
files.
(struct gc_option): Add new field 'attr'.
(retrieve_options_from_program): Rewrite to use gpgrt_argparser.
--

We need to do larger changes to gpgconf so that it is possible to get
also global config options and their attributes.  The old code worked
along its own list of option and used a generic option file parser.
This has no support for global config files.  We now use
gnupgt_argparser so that we to do exactly the same as the component
does and thus delivers the actual option values as seen by the
component.

This is just a first step and we need to change more things.

Signed-off-by: Werner Koch <wk@gnupg.org>

This is a backport from master (2.3).
2021-12-29 09:21:55 +01:00
Werner Koch
f0d034ebf4
common: New function xreallocarray
* common/miscellaneous.c (gnupg_reallocarray): New.
(xreallocarray): New.
--

Taken from libgpg-error so that we can build with older versions of
libgpg-error.
2021-12-29 09:21:00 +01:00
Werner Koch
449b331952
build: Add .git-blame-ignore-revs
--
2021-12-13 19:29:08 +01:00
Werner Koch
1af559a9a2
common,w32: Sync read_w32_registry_string with the gpgrt version
* common/w32-reg.c (get_root_key): Add short version of the root
classes.
--

The code here is only used by gpgconf's new --show-configs command.
Usually on Windows the code from gpgrt is used for reading the
registry.  This one here is an exception and when backporting it I
missed to add the HKCU etc al string.

Fixes-commit: 6c6c404883e52545ed38293384c95fdacb7227c4
GnuPG-bug-id: 5724
2021-12-13 19:25:48 +01:00
NIIBE Yutaka
14de7b1e59 gpg: Accept Ed25519 private key in SOS which reserves leading zeros.
* g10/parse-packet.c (sos_read): Backport from 2.3.
(parse_key): Use sos_read for Ed25519 private key.

--

Note that we keep the code of sos_read as same as 2.3.  Even it is
set, the GCRYMPI_FLAG_USER2 flag is not used.

GnuPG-bug-id: 5120
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-12-07 15:37:55 +09:00
NIIBE Yutaka
4cf8bdb048 po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-12-07 14:28:45 +09:00
Werner Koch
65c80d6b0f
Post release updates
--
2021-11-23 11:48:27 +01:00
Werner Koch
457f6ac1ef
Release 2.2.33 gnupg-2.2.33 2021-11-23 10:52:07 +01:00
Werner Koch
9adee2dd33
po: Auto update
--
2021-11-23 10:51:31 +01:00
Ineiev
007fea8ce9
po: Update Russian translation. 2021-11-23 10:04:03 +01:00
Werner Koch
985fb25c46
gpg: New option --forbid-gen-key.
* g10/gpg.c (oForbidGenKey, opts): New option.
(mopt): New local struct
(gen_key_forbidden): New.
(main): Set and handle the option.
--

In large system installation it is sometimes useful to make it a bit
harder for users to generate their own keys.  An example is a policy
to not use on-disk keys.
2021-11-22 21:05:16 +01:00
Werner Koch
40d2c93165
gpgconf: Include output of --list-dirs in --show-configs.
* tools/gpgconf.c (list_dirs): Add arg special.
(show_other_registry_entries): Print the Homedir.
(show_configs): List directories.
2021-11-19 09:34:53 +01:00
Werner Koch
7f31891ab1
gpgconf: --show-configs now prints a bunch of Registry entries.
* tools/gpgconf.c (show_other_registry_entries): New.
(show_configs): Call it.  Minor reformatting.
--
2021-11-18 21:46:41 +01:00
Werner Koch
58652f4c0b
gpgconf: Extend --show-config to show envvars.
* tools/gpgconf.c (my_copy_file): Add arg LISTP and record certain
things.
(show_configs_one_file): New arg LISTP to be passed thru.
(show_configs): Show envars and regisiry values.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-11-18 21:46:06 +01:00
Werner Koch
6c6c404883
common,w32: New function read_w32_reg_string.
* common/w32-reg.c (read_w32_reg_string): New.

* common/t-w32-reg.c (test_read_registry): Add another test.
2021-11-18 21:45:02 +01:00
Werner Koch
6ee01c1d26
gpg,gpgsm: Add option --min-rsa-length.
* common/compliance.c (min_compliant_rsa_length): New.
(gnupg_pk_is_compliant): Take in account.
(gnupg_pk_is_allowed): Ditto.
(gnupg_set_compliance_extra_info): New.
* g10/gpg.c (oMinRSALength): New.
(opts): Add --min-rsa-length.
(main): Set value.
* g10/options.h (opt): Add field min_rsa_length.
* sm/gpgsm.c (oMinRSALength): New.
(opts): Add --min-rsa-length.
(main): Set value.
* sm/gpgsm.h (opt): Add field min_rsa_length.
2021-11-18 21:11:10 +01:00
Werner Koch
f453d52e53
po: Replace "PIN-Cache" by "Passwort Cache" in German.
--

For whatever reason (maybe because it is shorter) we used the term
"PIN" instead of "Passphrase" or "Passwort".  That is confusing
because there is no cache for smartcard PINs.
2021-11-18 16:53:23 +01:00
Werner Koch
c9343bec83
sm: Detect circular chains in --list-chain.
* sm/keylist.c (list_cert_chain): Break loop for a too long chain.
--

This avoids endless loops in case of circular chain definitions.  We
use such a limit at other palces as well.  Example for such a chain is

# ------------------------ >8 ------------------------
           ID: 0xBE231B05
          S/N: 51260A931CE27F9CC3A55F79E072AE82
        (dec): 107864989418777835411218143713715990146
       Issuer: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
      Subject: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
     sha2_fpr: 92:5E:4B:37:2B:A3:2E:5E:87:30:22:84:B2:D7:C9:DF:BF:82:00:FF:CB:A0:D1:66:03:A1:A0:6F:F7:6C:D3:53
     sha1_fpr: 31:93:78:6A:48:BD:F2:D4:D2:0B:8F:C6:50:1F:4D:E8:BE:23:1B:05
      md5_fpr: AC:F3:10:0D:1A:96:A9:2E:B8:8B:9B:F8:7E:09:FA:E6
      pgp_fpr: E8D2CA1449A80D784FB1532C06B1611DB06A1678
       certid: 610C27E9D37835A8962EA5B8368D3FBED1A8A15D.51260A931CE27F9CC3A55F79E072AE82
      keygrip: CFCA58448222ECAAF77EEF8CC45F0D6DB4E412C9
    notBefore: 2005-06-07 08:09:10
     notAfter: 2019-06-24 19:06:30
     hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
      keyType: rsa2048
    subjKeyId: ADBD987A34B426F7FAC42654EF03BDE024CB541A
    authKeyId: [none]
 authKeyId.ki: 5332D1B3CF7FFAE0F1A05D854E92D29E451DB44F
[...]

Certified by
           ID: 0xCE2E4C63
          S/N: 46EAF096054CC5E3FA65EA6E9F42C664
        (dec): 94265836834010752231943569188608722532
       Issuer: CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
      Subject: CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
     sha2_fpr: 21:3F:AD:03:B1:C5:23:47:E9:A8:0F:29:9A:F0:89:9B:CA:FF:3F:62:B3:4E:B0:60:66:F4:D7:EE:A5:EE:1A:73
     sha1_fpr: 9E:99:81:7D:12:28:0C:96:77:67:44:30:49:2E:DA:1D:CE:2E:4C:63
      md5_fpr: 55:07:0F:1F:9A:E5:EA:21:61:F3:72:2B:8B:41:7F:27
      pgp_fpr: 922A6D0A1C0027E75038F8A1503DA72CF2C53840
       certid: 14673DA5792E145E9FA1425F9EF3BFC1C4B4957C.46EAF096054CC5E3FA65EA6E9F42C664
      keygrip: 10678FB5A458D99B7692851E49849F507688B847
    notBefore: 2005-06-07 08:09:10
     notAfter: 2020-05-30 10:48:38
     hashAlgo: 1.2.840.113549.1.1.5 (sha1WithRSAEncryption)
      keyType: rsa2048
    subjKeyId: 5332D1B3CF7FFAE0F1A05D854E92D29E451DB44F
    authKeyId: [none]
 authKeyId.ki: ADBD987A34B426F7FAC42654EF03BDE024CB541A
     keyUsage: certSign crlSign
[...]

Which has a circular dependency on subKeyId/authkeyId.ki.
2021-11-15 17:54:08 +01:00
NIIBE Yutaka
b6b735edab
scd:openpgp: Support longer data for INTERNAL_AUTHENTICATE.
* scd/app-openpgp.c (do_auth): Use extended Lc, when supported.

--

GnuPG-bug-id: 5682
Co-authored-by: Klas Lindfors
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-11-15 17:54:04 +01:00
Ingo Klöcker
027e34235b
build: Fix several "include file not found" problems
* dirmngr/Makefile.am (t_ldap_parse_uri_CFLAGS): Add KSBA_CFLAGS.
* kbx/Makefile.am (libkeybox_a_CFLAGS, libkeybox509_a_CFLAGS): Add
NPTH_CFLAGS.
* tools/Makefile.am (gpgtar_CFLAGS, gpg_wks_server_CFLAGS,
gpg_wks_client_CFLAGS, gpg_pair_tool_CFLAGS): Add LIBGCRYPT_CFLAGS.
--

The tools include gcrypt.h via common/util.h.

GnuPG-bug-id: 5592
2021-11-14 18:18:41 +01:00
Werner Koch
a43efc9294
agent: Print the non-option warning earlier.
* agent/gpg-agent.c (main): Move detection up.
--

The problem is that PARGS is re-used and when detecting a possible
incorrect use, the flag that "--" has already been seen has gone.
2021-11-14 18:09:22 +01:00
Werner Koch
d2b2dc4549
Update release signing keys
--

The last key is new.  As usual the key is on a dedicated card with the
Admin PIN accessible to a few core hackers.

# ------------------------ >8 ------------------------

pub   rsa3072 2017-03-17 [SC] [expires: 2027-03-15]
      5B80C5754298F0CB55D8ED6ABCEF7E294B092E28
sig    R     BCEF7E294B092E28 2017-03-17  Andre Heinecke (Release Signing Key)
uid                      Andre Heinecke (Release Signing Key)
sig 3        BCEF7E294B092E28 2017-03-17  Andre Heinecke (Release Signing Key)
sig          1FDF723CF462B6B1 2017-03-17  Andre Heinecke <aheinecke@intevation.de>

pub   ed25519 2020-08-24 [SC] [expires: 2030-06-30]
      6DAA6E64A76D2840571B4902528897B826403ADA
uid                      Werner Koch (dist signing 2020)
sig 3        528897B826403ADA 2020-08-24  Werner Koch (dist signing 2020)
sig          249B39D24F25E3B6 2020-08-24  Werner Koch (dist sig)
sig          63113AE866587D0A 2020-08-24  wk@gnupg.org
sig          E3FDFF218E45B72B 2020-08-24  Werner Koch (wheatstone commit signing)
sig          F2AD85AC1E42B367 2020-08-24  Werner Koch <wk@gnupg.org>

pub   ed25519 2021-05-19 [SC] [expires: 2027-04-04]
      AC8E115BF73E2D8D47FA9908E98E9B2D19C6C8BD
uid                      Niibe Yutaka (GnuPG Release Key)
sig 3        E98E9B2D19C6C8BD 2021-05-19  Niibe Yutaka (GnuPG Release Key)
sig          00B45EBD4CA7BABE 2021-09-14  NIIBE Yutaka <gniibe@fsij.org>
sig          E267B052364F028D 2021-09-14  NIIBE Yutaka <gniibe@fsij.org>

pub   brainpoolP256r1 2021-10-15 [SC] [expires: 2029-12-31]
      02F38DFF731FF97CB039A1DA549E695E905BA208
uid                      GnuPG.com (Release Signing Key 2021)
sig 3        549E695E905BA208 2021-10-15  GnuPG.com (Release Signing Key 2021)
sig          528897B826403ADA 2021-10-15  Werner Koch (dist signing 2020)
sig          E3FDFF218E45B72B 2021-10-15  Werner Koch (wheatstone commit signing)
2021-11-13 21:02:22 +01:00
Werner Koch
bc6d56282e
gpg: Remove stale ultimately trusted keys from the trustdb.
* g10/tdbdump.c (export_ownertrust): Skip records marked with the
option --trusted-key.
(import_ownertrust): Clear the trusted-key flag.
* g10/tdbio.h (struct trust_record): Add field flags.
* g10/tdbio.c (tdbio_dump_record): Improve output.
(tdbio_read_record, tdbio_write_record): Handle flags.
* g10/trustdb.c (verify_own_keys): Clear stale trusted-keys and set
the flag for new --trusted-keys.
(tdb_update_ownertrust): Add arg as_trusted_key.  Update callers.
--

GnuPG-bug-id: 5685
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-11-13 20:59:17 +01:00
Werner Koch
8fe3f57643
gpgconf: New command --show-configs.
* tools/gpgconf.c (aShowConfigs): New.
(opts): Add --show-configs.
(CUTLINE_FMT): New.
(show_version_gnupg): Add arg "prefix" and adjust caller.
(my_copy_file): New.
(show_configs_one_file): New.New.
(show_configs): New.
(main): Call show_configs.
--

The ability to have a consolidated list of all config files is very
useful for support cases.  This is in particular important due to the
global config files and their conditional constructs.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-11-13 20:58:57 +01:00
Werner Koch
6507c6ab10
agent,dirmngr: New option --steal-socket
* agent/gpg-agent.c (oStealSocket): New.
(opts): Add option.
(steal_socket): New file global var.
(main): Set option.
(create_server_socket): Implement option.

* dirmngr/dirmngr.c (oStealSocket): New.
(opts): Add option.
(steal_socket): New file global var.
(main): Set option.  Add comment to eventually implement it.
--

Note that --steal-socket has currently no effect on dirmngr because
dirmngr does this anway.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-11-13 15:07:35 +01:00
Werner Koch
751b978ee1
doc: Clarify the "ntds" AKL mechanism.
--
2021-11-12 16:15:17 +01:00
NIIBE Yutaka
0982c6cb19 scd: More conservative selection of a card reader.
* scd/apdu.c (select_a_reader): Only SPRx32 is in the white list.

--

GnuPG-bug-id: 5644
Fixes-commit: 752422a792cecf459b37f517d634bcf272292b14
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-11-10 11:58:16 +09:00
Bernhard M. Wiedemann
46ada6a9bd
wks: Do not mark key files as executable 2021-11-09 08:47:40 +01:00
Bernhard M. Wiedemann
f54feb4470
wks: Allow access to newly created dirs 2021-11-09 08:47:40 +01:00
Werner Koch
8d6968c52c
doc: Minor fix for --http-proxy.
--
2021-11-05 09:00:19 +01:00
Werner Koch
6c5765907a
build: Let the release target also sign the wixlib.
--
2021-11-02 21:11:08 +01:00
Werner Koch
006131f628
common: Support MYPROC_SELF_EXE for Solaris
* common/homedir.c (MYPROC_SELF_EXE): Add case for SunOS.
--

GnuPG-bug-id: 5671
2021-11-02 20:57:10 +01:00
Werner Koch
bcd8f0239d
common: Silence warning from unix_rootdir on systems w/o /proc
* common/homedir.c (unix_rootdir): Silence diagnostic in the common
case.
(MYPROC_SELF_EXE): Support NetBSD.
--

GnuPG-bug-id: 5656
2021-11-02 20:57:03 +01:00
Ingo Klöcker
947fedf0e7
common: Respect gpgconf.ctl when looking up translations
* common/i18n.c (i18n_init): Use gnupg_localedir() instead of LOCALEDIR.
(i18n_localegettext): Ditto.
* tools/gpgconf-comp.c (my_dgettext): Ditto.
--

On Unix, gnupg_localedir() returns the locale directory relative to
the root directory of the gnupg installation if specified in the
gpgconf.ctl. Otherwise, it returns the built-in LOCALEDIR.

GnuPG-bug-id: 5999
2021-11-02 20:56:25 +01:00
Werner Koch
49d589c409
common: Support gpgconf.ctl also for BSDs.
* common/homedir.c (MYPROC_SELF_EXE): New.
(unix_rootdir): Use it here.  Also support GNUPG_BUILD_ROOT as
fallback.
--

In addition this adds a fallback method for AIX etc which do not have
an easy way to get the info.
2021-11-02 20:55:24 +01:00
Werner Koch
3828dd7a40
common: Add keyword sysconfdir to the optional gpgconf.ctl file.
* common/homedir.c (unix_rootdir): Add arg want_sysconfdir.
(gnupg_sysconfdir): Return it.
--

Our regression test suite has the problem that we can't disable the
use of the global config files or test them using the regualr
binaries.  This new keyword will allow us to overcome the problem.
2021-11-02 20:55:20 +01:00
Werner Koch
82328165cf
common: Support a gpgconf.ctl file under Unix.
* common/homedir.c (unix_rootdir): New.
(gnupg_bindir): Use it.
(gnupg_libexecdir): Use it.
(gnupg_libdir): Use it.
(gnupg_datadir): Use it.
(gnupg_localedir): Use it.
--

This feature is useful for building and using an AppImage version of
gnupg and probably also for some other use cases.

GnuPG-bug-id: 5999

Here is a sample gpgconf.ctl file
--8<---------------cut here---------------start------------->8---
# gpgconf.ctl
#
# This file is used to change the directories where the gpg components
# are installed.  It does not change the configuration directories.
# The file is expected in the same directory as gpgconf.  The physical
# installation directories are evaluated and no symlinks.  Blank lines
# and lines starting with pound signed are ignored.  No errors are
# printed for unknown keywords or commands.  The only defined key for
# now is "rootdir" which must be followed by one optional space, an
# equal sign, and the value for the root directory.  Environment
# variables are substituted in standard shell manner, the final value
# must start with a slash, trailing slashed are stripped.

rootdir = $APPDIR/gnupg
--8<---------------cut here---------------end--------------->8---
2021-11-02 20:55:04 +01:00
Werner Koch
f0162afb6b
common: New function substitute_envvars.
* common/stringhelp.c (substitute_envvars): New.  Based on code in
gpg-connect-agent.
* common/t-stringhelp.c: Include sysutils.h.
(test_substitute_envvars): New.
--

GnuPG-bug-id: 5599
2021-11-02 20:54:03 +01:00
Werner Koch
a756a61f19
common,w32: Do not always print "Garbled console data" warning.
* common/init.c (_init_common_subsystems): Silence message.
--
2021-11-02 20:50:34 +01:00
NIIBE Yutaka
152f028155
dns: Make reading resolv.conf more robust.
* dirmngr/dns.c (dns_resconf_loadfile): Skip "search" which
begins with '.'.

--

GnuPG-bug-id: 5657
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-11-02 20:49:51 +01:00
Werner Koch
918e921800
gpg: Fix printing of binary notations.
* g10/keylist.c (show_notation): Print binary notation from BDAT.
--

GnuPG-bug-id: 5667
2021-10-22 16:33:40 +02:00
Werner Koch
5e3eea4b73
gpgconf: create local option file even if a global file exists.
* tools/gpgconf-comp.c (munge_config_filename): New.
(change_options_program): Call it.
--

In case a system-wide config exists but no local file, the component
returns the name of the system-wide config file and gpgconf tried to
update this file.  This fixes this by detecting the presense of a
system-wide config file.

This applies only to 2.2; the configuration system in 2.3 has been
heavily changed to better handle system-wide configuration files.

GnuPG-bug-id: 5650
2021-10-22 12:10:47 +02:00
NIIBE Yutaka
752422a792 scd: Select a reader for PC/SC.
* scd/apdu.c (select_a_reader): New.
(open_pcsc_reader): Use select_a_reader.

--

GnuPG-bug-id: 5644
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-10-22 13:49:07 +09:00
Werner Koch
773b8fbbe9
gpg: New option --override-compliance-check
* g10/gpg.c (oOverrideComplianceCheck): New.
(opts): Add new option.
(main): Set option and add check for batch mode.
* g10/options.h (opt): Add flags.override_compliance_check.

* g10/sig-check.c (check_signature2): Factor complaince checking out
to ...
(check_key_verify_compliance): new.  Turn error into a warning in
override mode.
--

There is one important use case for this: For systems configured
globally to use de-vs mode, Ed25519 and other key types are not
allowed because they are not listred in the BSI algorithm catalog.
Now, our release signing keys happen to be Ed25519 and thus we need to
offer a way for users to check new versions even if the system is in
de-vs mode.  This does on purpose not work in --batch mode so that
scripted solutions won't accidently pass a signature check.

GnuPG-bug-id: 5655
Backported-from-master: fb26e144adfd93051501d58f5d0d4f8826ddf436
2021-10-13 17:34:12 +02:00
Werner Koch
bb750cf4ba
Post release updates
--
2021-10-06 21:15:11 +02:00
Werner Koch
476096099d
Release 2.2.32 gnupg-2.2.32 2021-10-06 20:23:37 +02:00
NIIBE Yutaka
a17f1b6074
gpg: Skip the packet when not used for AEAD.
* g10/free-packet.c (free_packet): Add the case for case
PKT_ENCRYPTED_AEAD.
--

GnuPG-bug-id: 5584
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(bug id fixed in this backport)
2021-10-06 20:03:34 +02:00
Werner Koch
323a20399d
dirmngr: New option --ignore-cert
* dirmngr/dirmngr.h (struct fingerprint_list_s): Add field binlen.
(opt): Add field ignored_certs.
* dirmngr/dirmngr.c: Add option --ignore-cert
(parse_rereadable_options): Handle that option.
(parse_ocsp_signer): Rename to ...
(parse_fingerprint_item): this and add two args.
* dirmngr/certcache.c (put_cert): Ignore all to be igored certs.
Change callers to handle the new error return.
--

This option is useful as a workaround in case we ill run into other
chain validation errors like what we fixed in
GnuPG-bug-id: 5639
Backported-from-master: 4b3e9a44b58e74b3eb4a59f88ee017fe7483a17d
2021-10-06 11:06:01 +02:00
Werner Koch
341ab0123a
dirmngr: Fix Let's Encrypt certificate chain validation.
* dirmngr/certcache.c (find_cert_bysubject): Return the first trusted
certififcate if any.
--

This is basically the same as using OpenSSL with ist
X509_V_FLAG_TRUSTED_FIRST flag. See
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

GnuPG-bug-id: 5639
2021-10-06 10:56:43 +02:00
Werner Koch
48dc463ada
Post release updates
--
2021-09-16 11:54:18 +02:00