1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-24 10:39:57 +01:00

8861 Commits

Author SHA1 Message Date
NIIBE Yutaka
0ca84cbdf0 build: Fix removal of AC_TYPE_SIGNAL.
* configure.ac: AC_TYPE_SIGNAL is still needed.

--

Fixes-commit: d5f9481186eaf2ff28d7ab04fd36f0bbd1c9714d
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 09:58:47 +09:00
NIIBE Yutaka
a8ffc52cec po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 08:57:19 +09:00
NIIBE Yutaka
d5f9481186 common: Fix get_signal_name for GNU/Linux.
* common/signal.c (get_signal_name): Use sigdescr_np if available.
* configure.ac: Check the function.

--

Backport master commit of:
	c4ba712736ddeda66055567874d573e79d22666b

GnuPG-bug-id: 5568
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 08:50:12 +09:00
Werner Koch
f64e0f63d6
Post release updates
--
2021-08-26 21:13:30 +02:00
Werner Koch
d583e750a6
Release 2.2.30 gnupg-2.2.30 2021-08-26 18:18:36 +02:00
Werner Koch
f151587d85
po: Auto update
--
2021-08-26 18:11:48 +02:00
Werner Koch
712930f8dd
po: Update German translation
--
2021-08-26 18:10:14 +02:00
Werner Koch
2b65f4e953
wkd: Properly unescape the user-id from a key listing.
* tools/wks-util.c (append_to_uidinfo_list): Unescape UID.
2021-08-20 16:24:14 +02:00
Werner Koch
17e2ec488f
common: New function decode_c_string.
* common/miscellaneous.c (decode_c_string): New.
--

This is basically a copy from the code we use in gpgme and gpa.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 6ecedd0b25b6b1a33be63b99f2a8256370000521)
2021-08-20 16:24:13 +02:00
Werner Koch
5ed8e598fa
agent: Use the sysconfdir for a pattern file.
* agent/genkey.c (do_check_passphrase_pattern): Use make_filename.
2021-08-20 16:22:44 +02:00
Werner Koch
db5dc7a91a
agent: Ignore passphrase constraints for a generated passphrase.
* agent/agent.h (PINENTRY_STATUS_PASSWORD_GENERATED): New.
(MAX_GENPIN_TRIES): Remove.
* agent/call-pinentry.c (struct entry_parm_s):
(struct inq_cb_parm_s): Add genpinhash and genpinhas_valid.
(is_generated_pin): New.
(inq_cb): Suppress constraints checking for a generated passphrase.
No more need for several tries to generate the passphrase.
(do_getpin): Store a generated passphrase/pin in the status field.
(agent_askpin): Suppress constraints checking for a generated
passphrase.
(agent_get_passphrase): Ditto.
* agent/command.c (cmd_get_passphrase): Ditto.
--

A generated passphrase has enough entropy so that all kind of extra
checks would only reduce the actual available entropy.  We thus detect
if a passphrase has been generated (and not changed) and skip all
passphrase constraints checking.
2021-08-20 10:18:11 +02:00
Werner Koch
576e429d41
wkd: Fix client issue with leading or trailing spaces in user-ids.
* common/recsel.c (recsel_parse_expr): Add flag -t.
* common/stringhelp.c (strtokenize): Factor code out to
do_strtokenize.
(strtokenize_nt): New.
(do_strtokenize): Add arg trim to support the strtokenize_nt.
* common/t-stringhelp.c (test_strtokenize_nt): New test cases.

* tools/wks-util.c (wks_list_key): Use strtokenize_nt and the recsel
flag -t.
--

This fixes a bug with user ids with leading spaces because:

wks-client lists all mail addresses from the key and matches them to the
requested mail address.

If there are several user-ids all with the same mail address
wks-client picks one of them and then extracts exactly that user id.
However, here it does not match by the mail address but by the full
user-id so that we can be sure that there will be only one user-id in
the final key.

The filter built expression unfortunately strips leading blanks but
requires a verbatim match.  Thus it won't find the user id again and
errors out.

The new -t flag and a non-trimming strtokenize solves the problem.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-08-20 09:58:35 +02:00
Werner Koch
6685696ada
gpg: Return SUCCESS/FAILURE status also for --card-edit/name.
* g10/card-util.c (change_name): Call write_sc_op_status.
--

Reported-by: Joey Berkovitz
2021-08-20 09:54:00 +02:00
Werner Koch
2e69ce878f
agent: Improve the GENPIN callback.
* agent/call-pinentry.c (DEFAULT_GENPIN_BYTES): Replace by  ...
(DEFAULT_GENPIN_BITS): this and increase to 150.
(generate_pin): Make sure that we use at least 128 bits.
2021-08-18 11:34:10 +02:00
Werner Koch
4855888c0a
agent: Fix for zero length help string in pinentry hints.
* agent/call-pinentry.c: Remove unused assert.h.
(inq_cb): Fix use use of assuan_end_confidential in case of nested
use.
(do_getpin): Ditto.
(setup_formatted_passphrase): Escape the help string.
(setup_enforced_constraints): Ignore empty help strings.
2021-08-18 10:20:22 +02:00
Werner Koch
ec2f1b3898
common,w32: Replace log_debug by log_info for InProcessJobs
* common/exechelp-w32.c (gnupg_spawn_process_detached): Use log_info.
2021-08-18 09:41:17 +02:00
Werner Koch
4dfa951a0a
w32: Move socketdir to LOCAL_APPDATA
* common/homedir.c (is_gnupg_default_homedir): Use standard_homedir
instead of the constant which makes a difference on Windows.
(_gnupg_socketdir_internal) [W32]: Move the directory to LOCAL_APPDATA.
(gnupg_cachedir): Remove unsued function.

* common/sysutils.c (gnupg_rmdir): New.
* tools/gpgconf.c (main): s/rmdir/gnupg_rmdir/.
--

That is actually a more correct directory than APPDATA.  This fixes
a problem with installations where the APPDATA is non a network drive
and the resulting socket filename is truncated in our socket helper
function (because we use sockaddr also for our local socket
emulation on Windows).

LOCAL_APPDATA is expected to be on the local box and thus in the
majority of cases the resulting socket file name will be short enough.

GnuPG-bug-id: 5537
Signed-off-by: Werner Koch <wk@gnupg.org>
Backport-from-master: 0802cbb59b21e06e16b4fd8596934c5565e7f659
2021-08-17 10:53:26 +02:00
Werner Koch
013f2e4672
gpgconf,w32: Print more registry diagnostics with --list-dirs.
* tools/gpgconf.c (list_dirs): Figure out classes with the key.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-08-17 10:42:38 +02:00
Werner Koch
455ba49071
agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pient
* agent/call-pinentry.c (atfork_core): Pass DISPLAY.
2021-08-17 10:42:18 +02:00
Werner Koch
c6a4a660fd
agent: New option --check-sym-passphrase-pattern.
* agent/gpg-agent.c (oCheckSymPassphrasePattern): New.
(opts): Add --check-sym-passphrase-pattern.
(parse_rereadable_options): Set option.
(main): Return option info.
* tools/gpgconf-comp.c: Add new option.
* agent/agent.h (opt): Add var check_sym_passphrase_pattern.
(struct pin_entry_info_s): Add var constraints_flags.
(CHECK_CONSTRAINTS_NOT_EMPTY): New to replace a hardwired 1.
(CHECK_CONSTRAINTS_NEW_SYMKEY): New.
* agent/genkey.c (check_passphrase_pattern): Rename to ...
(do_check_passphrase_pattern): this to make code reading
easier. Handle the --check-sym-passphrase-pattern option.
(check_passphrase_constraints): Replace arg no_empty by a generic
flags arg.  Also handle --check-sym-passphrase-pattern here.
* agent/command.c (cmd_get_passphrase): In --newsymkey mode pass
CHECK_CONSTRAINTS_NEW_SYMKEY flag.
* agent/call-pinentry.c (struct entry_parm_s): Add constraints_flags.
(struct inq_cb_parm_s): New.
(inq_cb): Use new struct for parameter passing.  Pass flags to teh
constraints checking.
(do_getpin): Pass constraints flag down.
(agent_askpin): Take constraints flag from the supplied pinentry
struct.
--

Requirements for a passphrase to protect a private key and for a
passphrase used for symmetric encryption are different.  Thus a
the use of a different pattern file will be useful.  Note that a
pattern file can be used to replace the other passphrase constraints
options and thus we don't need to duplicate them for symmetric
encryption.

GnuPG-bug-id: 5517
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 7c45a69eb988e9c0329d75900af0c5b1e47291b7
agent: New option --check-sym-passphrase-pattern.
2021-08-17 10:40:23 +02:00
Ingo Klöcker
9832566e45
agent: Add checkpin inquiry for pinentry
* agent/call-pinentry.c: Include zb32.
(MAX_GENPIN_TRIES): New.
(DEFAULT_GENPIN_BYTES): New.
(generate_pin): New.
(setup_genpin): New.
(inq_quality): Rename to ...
(inq_cb): this.  Handle checkpin inquiry.
(setup_enforced_constraints): New.
(agent_get_passphrase): Call sertup_genpin.  Call
setup_enforced_constraints if new passphrase is requested.
--

This implements the gpg-agent side for checking whether a new passphrase
entered by the user in pinentry satisfies the passphrase constraints.
Performing a checkpin inquiry is only allowed if the passphrase
constraints are enforced. setup_enforced_constraints sends necessary
options and translated strings to pinentry.

The patch also merges 557ddbde32585c534626b57a595a2ccf28fd585e et
al. from master to add the genpin inquiry machinery.

The suggested passphrase has the required entropy of 128 bits.

GnuPG-bug-id: 5517, 5532
2021-08-17 10:11:24 +02:00
Ingo Klöcker
32fbdddf8b
agent: New option --pinentry-formatted-passphrase
* agent/agent.h (opt): Add field pinentry_formatted_passphrase.
* agent/call-pinentry.c (setup_formatted_passphrase): New.
(agent_get_passphrase): Pass option to pinentry.
* agent/gpg-agent.c (oPinentryFormattedPassphrase): New.
(opts): Add option.
(parse_rereadable_options): Set option.
--

GnuPG-bug-id: 5553, 5517

This is a squashed backport of two commits from master.
Backport-from-master: bf20a80f68449cc83b67c53ba9a0a84c45827ac4
Backport-from-master: 99601778f4a9dc1c9fee792361c959f5e0732cfd

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-08-16 12:45:37 +02:00
Ingo Klöcker
8fff61de94
common: Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to pinentry
* common/session-env.c (stdenvnames): Add XDG_SESSION_TYPE and
QT_QPA_PLATFORM.
--

On Unix systems (except Darwin), Qt uses those two environment
variables additionally to DISPLAY and WAYLAND_DISPLAY to figure out
whether to use X11 or Wayland. For example, QT_QPA_PLATFORM needs
to be set to "wayland" to make Qt use Wayland on Gnome.

GnuPG-bug-id: 3659
2021-08-16 12:01:00 +02:00
Werner Koch
5ca15e58b2
tools: Extend gpg-check-pattern.
* tools/gpg-check-pattern.c: Major rewrite.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 73c03e02322880c740310207dd2151cfd843792e

Here is a simple pattern file:

====================
# Pattern to reject passwords which do not comply to
#   - at least 1 uppercase letter
#   - at least 1 lowercase letter
#   - at least one number
#   - at least one special character
# and a few extra things to show the reject mode

# Reject is the default mode, ignore case is the default
#[reject]
#[icase]

# If the password starts with "foo" (case insensitive) it is rejected.
/foo.*/

[case]

# If the password starts with "bar" (case sensitive) it is rejected.
/bar.*/

# Switch to accept mode: Only if all patterns up to the next "accept"
# or "reject" tag or EOF match, the password is accepted.  Otherwise
# the password is rejected.

[accept]

/[A-Z]+/
/[a-z]+/
/[0-9]+/
/[^A-Za-z0-9]+/
=================
2021-08-16 11:59:29 +02:00
Werner Koch
4952ed9584
Post release updates
--
2021-07-04 17:23:56 +02:00
Werner Koch
695a879af8
Release 2.2.29 gnupg-2.2.29 2021-07-04 16:15:29 +02:00
Werner Koch
3283cf3a7a
Update OpenPGP card vendor list.
--
2021-07-04 15:49:50 +02:00
Werner Koch
51310497ef
po: Remove removed files.
--
2021-07-02 14:43:34 +02:00
Werner Koch
47c4e3e00a
dirmngr: Change the default keyserver.
* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to
keyserver.ubuntu.com.

* dirmngr/certcache.c (cert_cache_init): Disable default pool cert.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/http.c (http_session_new): Ditto.

* dirmngr/server.c (make_keyserver_item): Use a different mapping for
the gnupg.net names.
--

Due to the unfortunate shutdown of the keyserver pool, the long term
defaults won't work anymore.  Thus it is better to change them.

For https access keyserver.ubuntu.com is now used because it can be
expected that this server can stand the load from newer gnupg LTS
versions.

For http based access the Dutch Surfnet keyserver is used.  However
due to a non-standard TLS certificate this server can not easily be
made the default for https.

Note: that the default server will be changed again as soon as a new
connected keyserver infrastructure has been established.
2021-06-25 19:15:24 +02:00
Werner Koch
5fe4b97887
gpg: Let --fetch-key return an exit code on failure.
* g10/keyserver.c (keyserver_fetch): Return an error code.
* g10/gpg.c (main) <aFetchKeys>: Return 1 in case of no data.
--

GnuPG-bug-id: 5376
2021-06-25 10:35:24 +02:00
NIIBE Yutaka
b90c55fa66 scd:ccid: Handle LIBUSB_TRANSFER_OVERFLOW interrupt transfer.
* scd/ccid-driver.c (intr_cb): Ignore LIBUSB_TRANSFER_OVERFLOW.

--

Backport-master-commit: 25ae80b8eb6e9011049d76440ad7d250c1d02f7c
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-23 12:10:01 +09:00
NIIBE Yutaka
8e941e19b0 scd:ccid:spr532: Extend abort_cmd for initialization time.
* scd/ccid-driver.c (abort_cmd): Add INIT argument to support
synchronize until success, even ignoring timeout.
(bulk_in): Normal use case of abort_cmd.
(ccid_vendor_specific_init): Initial use case of abort_cmd.

--

Another backport to stabilize SCM SPR332/SPR532 card reader.

GnuPG-bug-id: 5297
Backport-master-commit: a9aa30ed2c2c399c2baa6a5aa2624d8fdee6286f
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-23 11:19:46 +09:00
Werner Koch
af2fd9f0af
tests: Cope with broken Libgcrypt versions
* common/t-sexputil.c (test_ecc_uncompress): Ignore unknwon curve
errors.
--

For unknown reasons some versions of Fedora or RHEL provide a patched
version of Libgcrypt with Brainpool support removed.  We better ignore
this error because it is a regression in 2.2.28 although that older
versions could not used Brainpool keys.

GnuPG-bug-id: 5502
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-22 12:29:59 +02:00
Werner Koch
e94dfa21d2
w32: Add fallback in case the Windows console can't cope with Unicode.
* common/ttyio.c (w32_write_console): Fallback to WriteConsoleA on
error.
--

To test this switch the Windows Console to "legacy mode"

  set LANG=de
  gpg --card-edit

and enter an invalid command.  The response contains an Umlaut and old
Windows versions (and the legacy console) don't have a proper font
installed for this.  Without this patch this runs into a log_fatal
error.

The mitigation we implement is to fallback to WriteConsoleA, that is
accepting wrong encoding and to print a note about the problem.

GnuPG-bug-id: 5491
2021-06-22 11:08:05 +02:00
Werner Koch
adf7bfba5d
dirmngr: Fix regression in KS_GET for mail address pattern.
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Munge mail address pattern.
(ks_hkp_get): Allow for mail addresses.
-

Before the keyserver changes in 2.2.28 gpg passed dirmngr a pail
address as an exact pattern (e.g. "=foo@example.org").  Since 2.2.28
the mail address is detected gpg gpg and we see for example
"<foo@example.org>".  This patch fixes this to turn a mail address
into an exact match again.

GnuPG-bug-id: 5497
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-21 09:22:17 +02:00
NIIBE Yutaka
8b6591c4c5 po: Update Simplified Chinese Translation.
--

Backport-master-commit: 448ccd7f1da0324bd2d8dea1bc018895b165cfba
GnuPG-bug-id: 5477
Reported-by: Zhongren Gu
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-17 11:52:49 +09:00
NIIBE Yutaka
01a413d523 scd: Error code map fix for older Yubikey.
* scd/iso7816.c (map_sw): Recognize 6A86.

--

Yubikey NEO does not support the YK4_GET_CAPA command (001D000000),
and it will be screwed up with the command.

GnuPG-bug-id: 5487
Back-port-master-commit: 13bc0431ff1ce51246694208df611cc4561fb4b3
Fixes-commit: ec56996029d95d4bd26e1badfe207232270c6247
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-14 10:24:39 +09:00
NIIBE Yutaka
c8b2162c0e dirmngir: Fix build with --disable-ldap.
* dirmngr/dirmngr.c (parse_rereadable_options) [USE_LDAP]:
Conditionalize.

--

Reported-by: Phil Pennock
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-11 10:30:02 +09:00
NIIBE Yutaka
8ee4c8d1e0 dirmngr: Remove use of USE_LDAPWRAPPER.
* configure.ac (USE_LDAPWRAPPER): Remove.
* dirmngr/Makefile.am: Use USE_LDAP instead of USE_LDAPWRAPPER.
* dirmngr/ldap-wrapper-ce.c: Remove.
* dirmngr/ldap-wrapper.h, dirmngr/ldap-wrapper.c: Remove
USE_LDAPWRAPPER things.

--

Backported-from-master: 4c295646ba0e175743e6be13457308c1e6d21dd3
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-11 10:06:24 +09:00
Werner Koch
fd2571e8fa
Post release updates
--
2021-06-10 19:44:16 +02:00
Werner Koch
9f6076868e
Release 2.2.28 gnupg-2.2.28 2021-06-10 17:45:10 +02:00
Werner Koch
67b039eae9
po: Auto updates
--
2021-06-10 17:44:49 +02:00
NIIBE Yutaka
3896e7e625 po: Fix typo in Simplified Chinese Translation.
--

GnuPG-bug-id: 5477
Reported-by: Zhongren Gu
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-10 20:11:04 +09:00
Werner Koch
845711d142
gpg: Partial fix for Unicode problem in output files.
* g10/openfile.c (overwrite_filep): Use gnupg_access.
--

As said, this is just an obvious but partial fix.  We need to review
things for the output module.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-10 12:44:30 +02:00
Werner Koch
c2f02797cd
scd: Fix serial number detection for Yubikey 5.
* scd/app.c (app_new_register): Handle serial number correctly.

--

GnuPG-bug-id: 5442
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: c3a9ee0b658887ca9baa4514187b17857fdf6586
2021-06-10 12:44:23 +02:00
Werner Koch
c5d1e8fb5f
speedo,w32: Remove a leftover directory during uninstall
--
2021-06-10 12:29:59 +02:00
Werner Koch
198b240b19
gpgtar,w32: Fix file size computation
* tools/gpgtar-create.c (fillup_entry_w32): Move parentheses.
--

Fixes-commit: 8b8925a2bdbb12dd537dde20a27cdb1416c2f1ae

The bug is so obvious that I wonder why it was not reported more often
on Windows. (Adding 1 to MAXDWORD (0xfffffff) always gives 0 for the
product).

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-09 17:47:45 +02:00
Werner Koch
d6df1bf849
sm: New option --ldapserver as an alias for --keyserver.
* sm/gpgsm.c (opts): Add option --ldapserver and make --keyserver an
alias.
--

We should use "keyserver" for OpenPGP and thus it is better to allow
for "ldapserver" here - it is the same convention as now used in
dirmngr.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-09 10:34:14 +02:00
Werner Koch
f6e45671aa
dirmngr: Allow to pass no filter args to dirmngr_ldap.
* dirmngr/dirmngr_ldap.c (main): Handle no args case.
--

This is required for example for CRLs.  The old code did not require
this because the hos was taken from the URL given has arg.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-09 10:23:55 +02:00
NIIBE Yutaka
26d783c899 po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-09 09:29:04 +09:00