1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

10226 Commits

Author SHA1 Message Date
Werner Koch
fd6c38605a
speedo: Add a hint to run ldconfig
--
2024-01-23 14:19:40 +01:00
Werner Koch
34d19d448d
tests: Add two more sample p12 files
--
GnuPG-bug-id: 6940
2024-01-23 13:55:43 +01:00
Werner Koch
b7c1594861
speedo: Minor fix to the install target
--
2024-01-23 09:04:10 +01:00
NIIBE Yutaka
9408c6bf51
sm: Fix ECDH encryption with dhSinglePass-stdDH-sha384kdf-scheme.
* sm/encrypt.c (ecdh_encrypt): Cipher is AES192 for id-aes192-wrap.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-01-23 15:36:26 +09:00
Werner Koch
ead2982286
gpg: Use ephemeral mode for generating card keys.
* g10/call-agent.c (agent_set_ephemeral_mode): New.
* g10/keyedit.c (keyedit_menu) <bkuptocard>: Switch to ephemeral mode.
* g10/keygen.c (do_generate_keypair): Switch to ephemeral mode for
card keys with backup.
--

GnuPG-bug-id: 6944
2024-01-22 16:52:22 +01:00
Werner Koch
434a641d40
agent: Add "ephemeral" Assuan option.
* agent/agent.h (struct ephemeral_private_key_s): New.
(struct server_control_s): Add ephemeral_mode and ephemeral_keys.
(GENKEY_FLAG_NO_PROTECTION, GENKEY_FLAG_PRESET): New.
* agent/genkey.c (clear_ephemeral_keys): New.
(store_key): Add arg ctrl and implement ephemeral_mode.  Change all
callers.
(agent_genkey): Replace args no_protection and preset by a generic new
flags arg.
* agent/findkey.c (wipe_and_fclose): New.
(agent_write_private_key): Add arg ctrl and implement ephemeral_mode.
Change all callers.
(agent_update_private_key): Ditto
(read_key_file): Ditto.
(agent_key_available): Ditto.
* agent/command-ssh.c (card_key_available): Do not update display s/n
in ephemeral mode.  This is however enver triggred.
* agent/gpg-agent.c (agent_deinit_default_ctrl): Cleanup ephemeral
keys.
* agent/command.c (cmd_genkey): Use the new flags instead of separate
vars.
(cmd_readkey): Create a shadow key only in non-ephemeral_mode.
(cmd_getinfo): Add sub-command "ephemeral".
(option_handler): Add option "ephemeral".
--

The idea here that a session can be switched in an ephemeral mode
which does not store or read keys from disk but keeps them local to
the session.

GnuPG-bug-id: 6944
2024-01-22 16:49:54 +01:00
Werner Koch
18320d692c
doc: Fix description of gpg --unwrap
--
2024-01-22 10:16:03 +01:00
Werner Koch
ee56f71c8a
gpg: Add a communication object to the key generation code.
* g10/keygen.c (struct common_gen_cb_parm_s): New.
(common_gen): Add args common_gen_cb and common_gen_cb_parm.  Adjust
all callers.
(do_generate_keypair): Clarify the code by using a better var name.
--

We may eventually also replace the long arg list with that object.
The immediate reason for this change is the followup commit.
2024-01-22 10:16:03 +01:00
Werner Koch
adeb17e375
card: New subcommand "checkkeys".
* agent/command.c (cmd_havekey): Add new option --info.
* tools/card-call-scd.c (scd_readkey): Allow using without result arg.
(struct havekey_status_parm_s): New.
(havekey_status_cb): New.
(scd_havekey_info): New.
(scd_delete_key): New.
* tools/gpg-card.c (print_keygrip): Add arg with_lf.
(cmd_checkkeys): New.
(cmdCHECKKEYS): New.
(cmds): Add command "checkkeys".
(dispatch_command, interactive_loop): Call cmd_checkkeys.
--

GnuPG-bug-id: 6943
2024-01-22 10:16:03 +01:00
Werner Koch
c8060a8f23
doc: Document Backup-info in keyformat.txt
--

This name is used by Kleopatra for quite some time now but was missing
a specification.
2024-01-22 10:16:03 +01:00
Tobias Fella
cb8eb366cb
Pass PINENTRY_GEOM_HINT environment variable to pinentry
* common/session-env.c: Add PINENTRY_GEOM_HINT to variables.

--

GnuPG-Bug-ID: 6930
2024-01-22 09:07:36 +01:00
Werner Koch
5402e6fb93
gpg: For v5 key generation for X448 also in parm file mode.
* g10/keygen.c (curve_is_448): New.
(do_create_from_keygrip): Pass arg keygen_flags byref so that it can
be updated.  Set v5 flag for X448.
(gen_ecc): Ditto.
(do_create): Change keygen_flags as above.  For robustness change
checking for Ed448.
(do_generate_keypair): Change keygen_flags as above
(generate_subkeypair): Ditto.
(gen_card_key): Ditto. Support v5 keys.
--

GnuPG-bug-id: 6942
2024-01-16 14:32:04 +01:00
Werner Koch
1a2c8267f5
gpg: When using a parm file w/o usage don't set the RENC usage.
* g10/keygen.c (proc_parameter_file): Don't include RENC in the
default usage.
--

Testplan:

  $ gpg --gen-key --batch <<EOF
  Key-Type: EDDSA
  Key-Curve: ed448
  Key-Usage: cert
  Name-Real: Meh Muh
  Name-Email: test-3@example.org
  Expire-Date: 2025-01-01
  Passphrase: abc
  subkey-type: ecdh
  Subkey-curve: cv448
  EOF

and check that the R flag does not show up in the usage.
2024-01-16 14:02:42 +01:00
Werner Koch
daedb3c965
doc: Describe the ssh-agent protocol options for Windows.
--

Also fix a typo in a macro.
2024-01-15 17:21:24 +01:00
Jakub Bogusz
4cdfc1d0d9
po: Update parts of the Polish translation
--

Jakub provided the translation in October but at this time it did
cleanly apply anymore due to string changes.  Thus only parts of his
changes are here.  -wk
2024-01-15 11:28:00 +01:00
Werner Koch
0cb622d632
gpgsm: Allow parsing of PKCS#12 files with two private keys.
* sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2.
(parse_shrouded_key_bag): Handle a second private key.
(p12_parse_free_kparms): New.

* sm/import.c (parse_p12): Factor some code out to ...
(p12_to_skey): this.
(parse_p12): Use p12_parse_free_kparms.
--

Take care: We allow parsing of a second private key but we are not yet
able to import the second private key.

The whole things is required to at least import the certificates of
current pkcs#12 files as created by the German Elster tax system.  No
test data, sorry.
2024-01-15 09:56:07 +01:00
Werner Koch
092154e17e
gpgsm: Improve the status line for --verify errors.
* sm/verify.c (gpgsm_verify): Improve verify.leave status line.
--

Suggested-by: Jakob Bohm
2024-01-15 09:13:46 +01:00
Mario Haustein
3d60ad5c8c
po: Fix indentation for key generation options
--
2024-01-15 09:02:03 +01:00
Werner Koch
b97a36f52d
Prepare the NEWS
--
2024-01-12 16:53:53 +01:00
Werner Koch
3f12e3dacb
speedo: Add install target for Unix.
* build-aux/speedo.mk: Default to SELFCHECK=0.
(install, install-speedo): New targets.
--

GnuPG-bug-id: 6710
2024-01-12 13:50:50 +01:00
Werner Koch
5a6df94a9a
speedo: Patch ELF binaries to use built libraries
* build-aux/speedo.mk: Remove GUI stuff.  Add patchelf feature.
* Makefile.am (speedo): New target.
--

GnuPG-bug-id: 6710
2024-01-12 10:52:00 +01:00
Werner Koch
bbad0a2644
gpg: Improve error message for expired default keys.
* g10/getkey.c (parse_def_secret_key): Track reason for skipping keys.
--

GnuPG-bug-id: 4704
2024-01-11 15:54:27 +01:00
Werner Koch
e65720f286
doc: Document the gpgconf --unlock command.
* tools/gpgconf.c (main): Fix usage message.
--

GnuPG-bug-id: 6838
2024-01-11 15:30:12 +01:00
Werner Koch
8dfbad0c41
gpg: Fix regression in the Revoker keyword of the parmeter file.
* g10/keygen.c (parse_revocation_key): Actually allow for v4
fingerprints.
--

Note that the use of the parameter file is deprecated.

GnuPG-bug-id: 6923
2024-01-11 09:08:54 +01:00
Werner Koch
b7f45ee6ad
gpg: Allow to create revocations even with non-compliant algos.
* g10/sign.c (do_sign): Skip compliance check for revocation certs.
--

It just does not make sense to inhibit the creation of revocations
depending on the compliance mode.  We do this only for key revocation
but not for another kind of revocation because the rationale for uid
or subkey revocation is more complicated to explain.
2024-01-10 17:18:34 +01:00
Werner Koch
275ced5067
scd:p15: Allow signing for CVISION cards
* scd/app-p15.c (do_sign): Add code for Starcos 3.2 and the CVISION
product.
--

The code for the Starcos cards has been implemented according to the
3.52 manual However, this does not work with my test cards.  Protocol
analysis shows that decryption can be used for the cryptovision
product.  Thus we do it the same for now.
2024-01-10 14:35:26 +01:00
Werner Koch
6233a17ac9
g13: New option --no-mount.
* g13/g13.c (oNoMount): New.
(opts): Add --no-mount.
(main): Implement this.
* g13/g13-common.h (opt): Add field no_mount.
* common/status.h (STATUS_PLAINDEV): New.
* g13/sh-cmd.c (has_option): Uncomment.
(cmd_mount): Add option --no-mount and pass down.
* g13/sh-dmcrypt.c (sh_dmcrypt_mount_container): Add arg nomount and
emit PLAINDEV status line.
(sh_dmcrypt_umount_container): Rund findmnt before umount.
--

This option can be used to decrypt a device but not to mount it.  For
example to run fsck first.  A command or option to run fsck before a
mount will eventually be added.

The use of findmnt is needed so that we can easily remove a device
which has not been mounted.
2024-01-09 19:52:04 +01:00
Werner Koch
4ca017e43b
gpg: Print a useful error id SKI algo 253 is found.
* g10/parse-packet.c (parse_key): Detect the SKI algo 253.
--

As long as we have not yet implemented this we should at least be
able to detect this case.
2024-01-09 17:25:48 +01:00
Werner Koch
880dde8e5b
scd:p15: Allow PIN verification and decryption for CVISION cards.
* scd/app-p15.c (CARD_PRODUCT_CVISION): New.
(IS_STARCOS_3): New.
(read_p15_info): Detect this product.
(prepare_verify_pin): Add special handling for this product.
(do_decipher): Use dedicated MSE for Starcos 3 cards.
--

To check the verification run

  gpg-card verify User_PIN

For our test cards the "Benutzer-PIN" must be given.  For decryption
tests gpgsm can be used; --always-trust helps to avoid chain issues.
2024-01-09 17:12:20 +01:00
Werner Koch
35fd89b168
gpgconf: Adjust -X command for the new VERSION file format
* tools/gpgconf.c (show_version_gnupg): Read and parse the entire
VERSION file.
--

GnuPG-bug-id: 6918
2024-01-09 12:52:57 +01:00
Werner Koch
45f6357881
common,w32: Remove duplicated backslashes when setting the homedir.
* common/homedir.c (copy_dir_with_fixup) [W32]: Fold double
backslashes.
--

This is in general no problem but when we hash or compare the directory
to test whether tit is the standard home directory, we may use a
different socket file and thus a second instance of a daemon.

GnuPG-bug-id: 6833
2024-01-09 10:13:54 +01:00
Werner Koch
2cb97713e9
gpg: Improve error return for --quick-add-subkey and -add-adsk.
* g10/keyedit.c (keyedit_quick_addkey): Emit a ERROR status line.
(keyedit_quick_addadsk): Ditto.
--

GnuPG-bug-id: 6880
2024-01-05 11:33:51 +01:00
Werner Koch
3f8cb9b339
scd: Add support for SCE 7.0
* scd/app-common.h (CARDTYPE_SCE7): New.
* scd/app.c (strcardtype): Support it.
(atr_to_cardtype): New.
(app_new_register): Try to get the cardtype from atr_to_cardtype.
* scd/app-piv.c (app_select_piv): Tweak for SCE7.  Add general method
to construct a S/N from the Card UUID.
--

The test cards I have are rsa2048 with X.509 certificates.  I don't
have the entire chain but loading the certificates work.  For testing
I created an OpenPGP key from the keys and tested signing and
decryption.

GnuPG-bug-id: 6919
2024-01-04 16:29:33 +01:00
Werner Koch
4c04143d81
gpg: Choose key from inserted card over a non-inserted card
* g10/call-agent.c (agent_probe_secret_key): Do not return an error
but 0.
* g10/getkey.c (finish_lookup): Improve the selection of secret keys.
--

GnuPG-bug-id: 6831
2024-01-02 10:19:57 +01:00
NIIBE Yutaka
591a53d716
gpg: Don't call keybox_compress when KEYDB_RESOURCE_FLAG_READONLY.
* g10/keydb.c (keydb_add_resource): Check the FLAGS to call
keybox_compress.

--

GnuPG-bug-id: 6811
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-29 10:57:26 +09:00
NIIBE Yutaka
2be53b214d
tools: Fix argparse table of gpgconf.
* tools/gpgconf.c (opts): Use ARGPARSE macros.

--

GnuPG-bug-id: 6902
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-25 10:09:41 +09:00
Werner Koch
431239b83d
doc: Explain why socket activation is a problem
--
2023-12-22 13:19:40 +01:00
Werner Koch
239c1fdc28
common: Add keyword socketdir to gpgconf.ctl
* common/homedir.c (enum wantdir_values): New enums.
(unix_rootdir): Change arg to use the enums.  Adjust all callers.  Add
support for the socketdir keyword.
(_gnupg_socketdir_internal): Take care of the socketdir keyword in
gpgconf.ctl.

* doc/tools.texi (Files used by gpgconf): Briefly explain the
gpgconf.ctl syntax.
2023-12-22 12:47:39 +01:00
NIIBE Yutaka
2376cdff13
scd:openpgp: Add the length check for new PIN.
* scd/app-openpgp.c (do_change_pin): Make sure new PIN length
is longer than MINLEN.

--

GnuPG-bug-id: 6843
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-22 13:32:40 +09:00
NIIBE Yutaka
91255c3afd
tools: Remove the dotlock tool.
* tools/Makefile.am (libexec_PROGRAMS): Remove dotlock.
* tools/dotlock.c: Remove.

--

It's integrated into gpgconf (--lock/--unlock).

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-21 12:35:55 +09:00
Werner Koch
f2904737e5
scd:p15: Add a diagnostic for unsupported DTRUST4 features.
* scd/app-p15.c (do_sign): Add a diagnostic.
2023-12-20 16:52:47 +01:00
Mario Haustein via Gnupg-devel
0b85a9ac09
scd:p15: Add support for D-Trust Card 4.1/4.4
* scd/app-p15.c (CARD_PRODUCT_DTRUST4) New.
(app_select_p15): This cards uses a different AID for PKCS#15
application
(do_sign): The card doesn't support MSE SET, but requires MSE RESTORE to
a predefined template.
(do_decipher): Ditto.
2023-12-20 16:47:25 +01:00
Mario Haustein via Gnupg-devel
812f988059
scd:p15: Add support for CardOS 5.4
* scd/app-p15.c (CARD_TYPE_CARDOS_54): New.
2023-12-20 16:42:00 +01:00
Werner Koch
5d651fc8fd
doc: Explain what to put into mailcap for gpg-wks-client.
--
2023-12-20 15:30:37 +01:00
NIIBE Yutaka
93b5ba38dc
tools: Integrate the dotlock tool into gpgconf.
* tools/gpgconf.c (dotlock_tool): New.
(main): Add --lock and --unlock commands.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:06:03 +09:00
NIIBE Yutaka
1f04993cd0
common: Add dotlock util under libexec.
* tools/Makefile.am (libexec_PROGRAMS): Add dotlock.
* tools/dotlock.c: Finish the first implementation.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:50 +09:00
NIIBE Yutaka
b298322d36
common: Clean up the temporary file at dotlock_destroy.
* common/dotlock.c (dotlock_destroy): Clean up the temporary file
created when it fails.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:36 +09:00
NIIBE Yutaka
2f6fec3f48
common: Support not-removing the lockfile by dotlock_destroy.
* common/dotlock.c (dotlock_destroy): Keep the lock
when DOTLOCK_LOCK_BY_PARENT.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:22 +09:00
NIIBE Yutaka
5488ad0517
common: Fix a possible resource leak for dotlock.
* common/dotlock.c (dotlock_destroy_unix): Don't release ->TNAME here.
(dotlock_destroy): Release the memory unconditionally.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:12 +09:00
Werner Koch
8eff1d4c51
common: Improve the parsing of gpgconf.ctl variables.
* common/homedir.c (unix_rootdir): Simplify.
--

This also relaxes the syntax in that the equal sign may now be
surrounded by any number of spaces.
2023-12-19 10:04:49 +01:00