1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-10-30 19:58:44 +01:00
Commit Graph

9137 Commits

Author SHA1 Message Date
Werner Koch
d528de9c6e
sm: Minor robustness fix for a regression test.
* sm/t-minip12.c (run_one_test): Don't hash if we have no parameters
at all.
--

This fix handles the case that an empty result array is returned by
minip12.c
2023-10-17 16:42:33 +02:00
Werner Koch
2e7a08a829
sm: Support import of PKCS#12 encoded ECC private keys.
* sm/import.c (parse_p12): Support ECC import.
--

Although I extended the parser and its test the actual import
missed the required code.

GnuPG-bug-id: 6253
Backported-from-master: 8dfef5197a
2023-10-17 16:40:49 +02:00
Werner Koch
2e99d27bd2
build: Extend autobuild diagnostics by the username
* m4/autobuild.m4 (AB_INIT): Add username.
--

The old autobuild diagnostics show up in build logs.  What they are
missing is an information on the user who triggered a build.  EMAIL is
a common thing to denote the actual user using a service account.
2023-10-16 16:39:16 +02:00
Werner Koch
5eaf2e9266
gpg: Allow to specify seconds since Epoch beyond 2038.
* g10/keygen.c (parse_expire_string_with_ct): Use new function
scan_secondsstr.
(parse_creation_string): Ditto.
--

Noet that we cap the seconds at the year 2106.

GnuPG-bug-id: 6736
2023-10-14 17:27:38 +02:00
Werner Koch
f5947f7494
common: New function scan_secondsstr.
* common/gettime.c (scan_secondsstr): New.

* common/t-gettime.c (test_scan_secondsstr):
(main): Call it.
2023-10-14 17:27:20 +02:00
Werner Koch
c45a8b034c
scd:openpgp: Use a special compare for the serialno.
* scd/app-openpgp.c (check_keyidstr): Ignore the card version and also
compare case insensitive.
(do_learn_status): Add mssing error handling.
--

This is required because we changed what we emit as serialno of
OpenPGP cards but existing keys still use the old form of the serial
number (i.e. with a firmware version).  This is so that existing stub
keys of gpg-agent will continue to work.

GnuPG-bug-id: 5100
2023-10-11 10:18:59 +02:00
Werner Koch
4e47639af0
scd:openpgp: Allow the reading the key by keygrip.
* scd/app-openpgp.c (do_readkey): Allow the keygrip for the keyid.
Use case insensitive match forthe keyid.
(do_readcert): Allow the keygrip for the keyid.
--

This patch is only to sync ths up with master.
2023-10-11 10:04:52 +02:00
Werner Koch
9252847646
scd:openpgp: Extend KEYPAIRINFO with an algorithm string.
* scd/app-openpgp.c (retrieve_fprtime_from_card): New.
(send_keypair_info): Add more to KEYPAIRINFO.
--

This is mainly needed to sync this version with master.
2023-10-11 09:51:13 +02:00
Werner Koch
10f8bb1671
scd:openpgp: Use shared fucntion for the dispserialno.
* scd/app-openpgp.c (wipe_and_free): New.
(wipe_and_free_string): New.
(get_disp_serialno): Remove.  Replace callers by function
app_get_dispserialno.
(get_usage_string): New.
(send_keypair_info): Use new function.
--

The new function has the same behaviour.  The wipe functions are
not yet used.
2023-10-11 09:38:45 +02:00
Werner Koch
fe683a1d7c
scd:openpgp: Some comment updates
--
2023-10-10 16:51:29 +02:00
NIIBE Yutaka
acda0a3f33
scd: Add handling of "Algorithm Information" DO.
* cd/app-openpgp.c (data_objects): Add 0x00FA.
(do_getattr): Add KEY-ATTR-INFO.

--

See the section 4.4.3.11 Algorithm Information in the OpenPGP card
functional specification version 3.4.1.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 90d0072165)
Some parts where already here.
2023-10-10 16:37:03 +02:00
Werner Koch
d4208704a7
scd:openpgp: New KEY-STATUS attribute.
* scd/app-openpgp.c (do_getattr): Return KEY-STATUS
--

(cherry picked from commit 2149676122)
Some things from the original commit where already here.
2023-10-10 16:33:34 +02:00
Werner Koch
216f3fc96a
scd:openpgp: Add attribute "UIF" for convenience.
* scd/app-openpgp.c (do_getattr): New attrubute "UIF".
(do_learn_status): Use that.
--

Actually this is not just convenience but will make it easier to add
new keys to an openpgp card - we will need to change this only at one
place.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 11f0700282)
2023-10-10 16:25:31 +02:00
NIIBE Yutaka
52abdac2d4
scd: Add handling of Ed448 key.
* scd/app-openpgp.c (struct app_local_s): Add ecc.algo field.
(send_key_attr): Use ecc.algo field.
(ecc_read_pubkey): Use ecc.algo field.
(ecc_writekey): Ed448 means EdDSA.
(parse_algorithm_attribute): Set ecc.algo field from card.
Add checking for Ed25519 for ECC_FLAG_DJB_TWEAK flag.

--

There used to be a possible support of Ed25519 with ECDSA, (instead of
EdDSA).  To distinguish key for Ed25519 for EdDSA, we use the
flag: (flags eddsa).  Ed448 has no support for ECDSA and defaults to
EdDSA even if no such flag.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit b743942a97)
2023-10-10 16:17:04 +02:00
Werner Koch
b262a21c61
scd:openpgp: Support the ecdh-params arg for writing keys.
* scd/app-openpgp.c (ecc_writekey): Use provided ECDH params to
compute the fingerprint.  Add a default for use by gnupg 2.2.
(store_fpr): Add arg update.
(rsa_read_pubkey, ecc_read_pubkey): Add arg meta_update and avoid
writing the fingerprint back to the card if not set.
(read_public_key): Also add arg meta_update.
(get_public_key): Do not pass it as true here...
(do_genkey): ... but here.
--

This is based on commit c03ba92576 and
done here to ease backporting.  There is no functional change.

GnuPG-bug-id: 6378
2023-10-10 16:10:21 +02:00
Werner Koch
d25e960652
scd:openpgp: Handle wrong error return code of Yubikey.
* scd/app-openpgp.c (get_public_key): Handle wrong error code by
Yubikeys.
--

This has been taken from commits
  0db9c83555
  946555ea3c
2023-10-10 16:10:02 +02:00
NIIBE Yutaka
d938abcc5e
scd: Fix description string.
* scd/app-openpgp.c (data_objects): Capitalize the word for usage.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit e6b7e0ff99)
2023-10-10 15:17:29 +02:00
NIIBE Yutaka
7666a45830
scd:openpgp: Support UIF changing command.
* g10/card-util.c (uif, cmdUIF): New.
(card_edit): Add call to uif by cmdUIF.
* scd/app-openpgp.c (do_getattr): Support UIF-1, UIF-2, and UIF-3.
(do_setattr): Likewise.
(do_learn_status): Learn UIF-1, UIF-2, and UIF-3.

--

GnuPG-bug-id: 4158
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 0cb65564e0)
Also included the relevant part from
commit 0240345728

Note that this patch is mainly to simplifying backporting and not to
support the UIF.
2023-10-10 15:16:22 +02:00
Werner Koch
9e3b7e26a9
scd:openpgp: Small speedup reading card properties.
* scd/app-openpgp.c (struct app_local_s): Add new flag.
(get_cached_data): Force chace use if flag is set.
(app_select_openpgp): Avoid reading DO 6E multiple times.
--

The do not cache property of 6E was introduced so that we can change
for example key attributes without getting into with the cache.
However, for initial reading the cache makes a lot of sense and thus we
now use this hack to only temporary cache.  A better strategy would be
to clear the cache when we change card data but that is more error
prone.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d5fb598323)
2023-10-10 13:59:51 +02:00
Werner Koch
57bfad2c39
scd:openpgp: Allow reading and writing user certs for keys 1 and 2
* scd/iso7816.c (CMD_SELECT_DATA): New.
(iso7816_select_data): New.
* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
(do_writecert): Ditto.
(do_setattr): Add CERT-1 and CERT-2.
--

This has been tested with a Zeitcontrol 3.4 card.  A test with a
Yubikey 5 (firmware 5.2.6) claiming to support 3.4 failed.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 37b1c5c200)
2023-10-10 13:54:26 +02:00
Werner Koch
b2363c1dd9
scd: Allow standard keyref scheme for app-openpgp.
* scd/app-openpgp.c (do_change_pin): Allow prefixing the CHVNO with
"OPENPGP."
--

The generic keyref allows for better error detection in case a keyref
is send to a wrong card.  This has been taken from master commit
3231ecdafd which has additional changed
for gpg-card-tool, which is only available there.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 6651a0640d)
2023-10-10 13:43:38 +02:00
NIIBE Yutaka
3d368c1a7d
scd:openpgp: Support GET DATA response with no header for DO 0x00FA.
* scd/app-openpgp.c (do_getattr): Support Gnuk, as well.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 43bbc25b0f)
2023-10-10 13:29:49 +02:00
Werner Koch
c4eada0787
scd:openpgp: Pass arg ctrl to more functions.
* scd/app-openpgp.c (verify_a_chv): Add currently unused arg ctrl.
Adjust callers.
(verify_chv3): Ditto.
(verify_chv2): Add arg ctrl.  Adjust callers.
(change_keyattr): Ditto.
(change_rsa_keyattr): Ditto.
(change_keyattr_from_string): Ditto.
(rsa_writekey): Ditto.
(ecc_writekey): Ditto.
--

This helps in backporting from master.
2023-10-10 13:25:23 +02:00
Werner Koch
03aa4e6651
scd:openpgp: Replace assert by log_assert.
* scd/app-openpgp.c: Remope assert.h. Replace all assert by
log_assert.
2023-10-10 12:11:50 +02:00
NIIBE Yutaka
a942986f17
scd:openpgp: Fix computing fingerprint for ECC with SOS.
* scd/app-openpgp.c (count_sos_bits): New.  Count as sos_write does.
(store_fpr): For ECC, use count_sos_bits.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 95156ef9bf)
and
(cherry picked from commit f482e4bd12)
2023-10-10 12:06:22 +02:00
Werner Koch
24033dc8ae
scd:openpgp: Very minor refactoring
* scd/app-openpgp.c (app_select_openpgp): Move AID definition to ...
(openpgp_aid): new.
2023-10-10 11:55:25 +02:00
Werner Koch
7f8cac5cec
scd:openpgp: Rename an internal variable.
* scd/app-openpgp.c (struct app_local_s): s/extcap_v3/is_v3/.
s/max_certlen_3/max_certlen.  Change users.
--

The extcap_v3 flag is set if the version is 3 or later and as such
does not only declare that the v3 extcap layout is used.  Make this
clear by renaming.

Likewise for max_certlen_3.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit bbdb48ec0d)
2023-10-10 11:46:14 +02:00
Werner Koch
9976285ff0
sm: Support more HMAC algos in the pkcs#12 parser.
* sm/minip12.c (oid_hmacWithSHA1): New.  Also for the SHA-2 algos.
(digest_algo_from_oid): New.
(set_key_iv_pbes2): Add arg digest_algo.
(crypt_block): Ditto.
(decrypt_block): Ditto.
(parse_bag_encrypted_data): Parse the optional prf part and get the
hmac algorithm.
(parse_shrouded_key_bag): Ditto.
(p12_build): Pass SHA1 for digest_algo.

* sm/t-minip12.c (run_one_test): Print failed values in verbose mode.

* tests/samplekeys/nistp256-openssl-self-signed.p12: New.
* tests/samplekeys/Description-p12: Add this one.
* tests/Makefile.am (EXTRA_DIST): Ditto.
--

This supports the modern algorithms, i.e. using SHA256 for the KDF
which is the default in openssl unless the -legacy option is used.

GnuPG-bug-id: 6536
2023-10-06 11:22:59 +02:00
Werner Koch
1e9ac18f88
common,w32: Add missing GetLastError->errno mapping.
* common/iobuf.c (file_filter, sock_filter): Add missing mapping.
--

GnuPG-bug-id: 6528
(cherry picked from commit 5e94470d05)

Also includes commit a3be97df4d
2023-10-05 15:30:42 +02:00
Werner Koch
bb157044a0
sm: Improve the octet string cramming for pkcs#12
* sm/minip12.c (need_octet_string_cramming): New.
(tlv_expect_object, tlv_expect_octet_string): Run the test before
cramming.

* sm/minip12.c (ENABLE_DER_STRUCT_DUMPING): New but undefined macro
for debug purposes.
(bag_decrypted_data_p, bag_data_p): Use macro to allow dumping.
--

This bug was exhibited by importing a gpgsm exported EC certificate.

We use an extra test instead of retrying to allow retruning an error
from malloc failure.  And well, for easier reading of the code.

GnuPG-bug-id: 6536
(cherry picked from commit c1f78634ec)
2023-10-05 10:32:57 +02:00
Werner Koch
a0ac529d08
Update NEWS
--
2023-10-02 16:38:16 +02:00
Werner Koch
45a1ab5017
common: Improve lock strategy for dotlock.
* common/dotlock.c (next_wait_interval): New.
(dotlock_take_unix): Use new function.
(dotlock_take_w32): Ditto.
--

In particular when using a dotlock file for protecting the spawning
and several processes try to spawn the agent or another component, we
often run into long delays.  The solution is to is to exponential
backoff and also to reduce the initial delay from 50ms to 4ms.  We
further limit the maximum wait period to about 2 seconds and then
repeat at intervals of 512, 1024 and 2048ms.  In the wait-forever case
we add a small random value to have different intervals per process.

GnuPG-bug-id: 3380

For testing this code snippet in the spawning function might be
useful:

          const char *s;
          if ((s=getenv("hold_gpg_file")))
            while (!gnupg_access (s, F_OK))
              gnupg_sleep (1);
2023-10-02 14:40:08 +02:00
Werner Koch
d546fdd531
dirmngr: Add code to support the negotiation auth method.
* dirmngr/http.c (enum auth_negotiate_states): New.
(struct proxy_info_s): Add new fields.
(release_proxy_info): Free Windows stuff.
(proxy_get_token): New. Implemented only for Windows for now.
(run_proxy_connect): Add support for auth method Negotiation.
(store_header): Keep some header lines separate.
--

The code does something but I have not yet been able to test it due
to problems setting up Squid with AD authentication.  As of now it
will respond with a failure but that should not be worse than not to
implement Negotiation.

Supporting Negotiation using GSS for Unix should eventually also be
done.

GnuPG-bug-id: 6719
2023-10-02 13:01:08 +02:00
Werner Koch
7f2f970540
dirmngr: Extended the http_get_header function.
* dirmngr/http.c (send_request): Add arg 'skip'.  Adjust all callers.
--

GnuPG-bug-id: 6719
2023-10-02 13:01:01 +02:00
Werner Koch
c1cd185385
common: Add new function b64decode.
* common/b64dec.c (b64decode): New.
* common/t-b64.c: Change license to LGPL.
(oops): New macro.
(hex2buffer): New.
(test_b64decode): New.
(main): Default to run the new test.
* common/Makefile.am (module_maint_tests): Move t-b64 to ...
(module_tests): here.
--

Sometimes we have a short base64 encoded string we need todecode.
This function makes it simpler.

License change of the test module justified because I am the single
author of the code.
2023-09-29 11:34:06 +02:00
Werner Koch
9f1c11cd3f
dirmngr: Fix handling of the HTTP Content-Length
* dirmngr/http.c (cookie_s): Add fields pending, up_to_empty_line,
last_was_lf, and last_was_lfcr.
(http_context_s): Add field keep-alive.
(http_wait_response): Set up_to_empty_line.  Take care of keep_alive
flag.
(coookie_read): Implement detection of empty lines.
(cookie_write): Free the pending buffer.
--

The problem we fix here is that we already buffered stuff beyond the
empty line which marks the start of the content-length counting.  Thus
we tried to wait for more bytes despite that everything had already
been read.  This bug might have showed up more often in the real world
since the we changed the BUFSIZ on Windows from 512 byte to 8k.  It
also depends on the length of the headers and whether the server
closed the connection so that we ignored the Content-Length.

The bug was introduced earlier than 2010 and could have the effect
that a connection got stuck until the network layer timed out.

Note that the keep-alive parts of the patch are not yet used.
2023-09-26 12:37:45 +02:00
Werner Koch
50da09fb62
common: Add gnupg_memstr to repalce static versions.
* common/stringhelp.c (gnupg_memstr): New.
* common/mbox-util.c (my_memstr): Remove.
(is_valid_mailbox_mem): Use gnupg_memstr.
* common/recsel.c (my_memstr): Remove.
(recsel_select): Use gnupg_memstr.
2023-09-26 12:37:45 +02:00
Werner Koch
5fd5e7433d
dirmngr: Require gnutls 3.2
* dirmngr/http.c: Remove gnutls version specific code.
(send_request): Factor some code out to ...
(run_proxy_connect): new.
(mk_proxy_request): new.
(mk_std_request): new.
* configure.ac (NEED_GNUTLS_VERSION): Require 3.2.
--

This patch is to factor out some code and also to remove support for
legacy gnutls versions.  Note that gnutls 3.2 was released 10 years
ago.
2023-09-26 12:37:45 +02:00
NIIBE Yutaka
8e3d4f5b63
gpg: Keep the integrity of the code for KEYINFO command.
* g10/call-agent.c (struct keyinfo_data_parm_s): Remove CARD_AVAILABLE
field.
(keyinfo_status_cb): Don't touch CARD_AVAILABLE field.
(agent_probe_secret_key); Don't check CARD_AVAILABLE field.
* g10/import.c (do_transfer): Check if it's card key or not.

--

In 2.2 branch, gpg-agent doesn't have a capability to report if card
is available or not by KEYINFO command.  Thus, this clean up.

GnuPG-bug-id: 3456
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-09-26 10:05:05 +09:00
NIIBE Yutaka
ff42ed0d69
gpg: Enhance agent_probe_secret_key to return bigger value.
* g10/call-agent.c (keyinfo_status_cb): Parse more fields.
(agent_probe_secret_key): Use KEYINFO and returns bigger value
representing the preference.

--

Backport the commit of:
	8748c50bfa

GnuPG-bug-id: 3456
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-09-25 13:24:35 +09:00
Werner Koch
9fe73df21a
dirmngr: Improve error codes returned from http fetching.
* dirmngr/ks-engine-http.c (ks_http_fetch): Return better error codes.
* dirmngr/ks-engine-hkp.c (send_request): Ditto.
* dirmngr/t-http.c (main): New option --try-proxy.
2023-09-19 16:14:01 +02:00
Werner Koch
63acf06efb
dirmngr: Implement automatic proxy detection on Windows.
* dirmngr/http.c [W32]: Include winhttp.h
(w32_get_internet_session): New.
(w32_get_proxy): New.
(get_proxy_for_url): Implement automatic proxy detection and fix error
in last patch.
(http_reinitialize): New.
* dirmngr/dirmngr.c (dirmngr_sighup_action): Call reinitialize.
* dirmngr/Makefile.am (NETLIBS) [W32]: Link with winhttp.
--

GnuPG-bug-id: 5768
2023-09-19 15:04:49 +02:00
Werner Koch
7659c0a2b0
dirmngr: Further simplify the http code and improve a message.
* dirmngr/http.c (make_fp_write, make_fp_read): New.
(http_raw_connect): Use new functions.
(http_wait_response): Ditto.
(send_request): Ditto.  Change proxy error diagnostic.
(connect_server): Improve error message for host not found.
--

GnuPG-bug-id: 5768
2023-09-19 12:50:20 +02:00
Werner Koch
f4b72c4eb7
dirmngr: Cleanup the http module.
* configure.ac (NEED_NTBTLS_VERSION): Require at least 0.2.0 so that
we can remove a conditional compilation.

* dirmngr/http.c (struct proxy_info_s): New.
(release_proxy_info): New to keep proxy information in one object.
(send_request): Factor some code out to ...
(get_proxy_for_url): this,
(send_request_basic_checks): this,
(send_request_set_sni): this,
(run_ntbtls_handshake): this,
(run_gnutls_handshake): and this.
--

Note that this also removes some never used code.  For example the
NTBTLS handshake has code taken from GNUTLS which was never used due
to the different ways on how the certificates are checked.

The proxy code has been factored out to make to prepare further
authentication methods.  The proxy_info_t was introduced for the same
reason.

Tested against gnutls and ntbtls builds.  No proxy tests yet done,
because we need more sophisticated tests anyway.

GnuPG-bug-id: 5768
2023-09-18 17:37:47 +02:00
Werner Koch
de84c58d90
gpg: Fix --no-utf8-strings.
* g10/gpg.c (main): Ignore --no-utf8-strings only on Windows.
--

Fixes-commit: b912f07cdf
Reported-by: Ingo Klöcker
2023-09-18 11:29:21 +02:00
Werner Koch
936954a18a
dirmngr: Relax the detection of the "none" keyserver.
* dirmngr/server.c (cmd_keyserver): Ignore also hkps://none.
(ensure_keyserver): Better ignore also "none" with a hkp or hpks
scheme.
--

GnuPG-bug-id: 6708
2023-09-11 11:31:32 +02:00
Werner Koch
1964a2a4ae
speedo,w32: Adjustments for the new Unicode NSIS plugins.
* build-aux/speedo/w32/inst.nsi: Convert to UTF-8.  Add Unicode
statement.
* build-aux/speedo.mk (installer): Remove -INPUTCHARSET.
--

GnuPG-bug-id: 6448
(cherry picked from commit 7e1f36b242)
2023-09-08 15:33:04 +02:00
Werner Koch
e2b549f1c7
speedo: Update NSIS helper DLL from Gpg4win
* build-aux/speedo/w32/inst.nsi: Re-enable run-once check.
* build-aux/speedo/w32/exdll.c: New.
* build-aux/speedo.mk (g4wihelp.dll): Change build commands.
--

GnuPG-bug-id: 6448
(cherry picked from commit 7359665add)
2023-09-08 15:30:24 +02:00
Werner Koch
6c9db01101
gpg: New option --add-desig-revoker
* g10/gpg.c (oAddDesigRevoker): New.
(opts): Add new option.
* g10/options.h (opt): Add field desig_revokers.
* g10/keygen.c (get_parameter_idx): New.
(get_parameter): Make use of get_parameter_idx.
(prepare_desig_revoker): New.
(get_parameter_revkey): Add arg idx.
(proc_parameter_file): Add designated revokers.
(do_generate_keypair): Write all designated revokers.
--

(cherry picked from commit 3d094e2bcf)

Support for v5 desig revokers has been removed.  However, we should
check whether we can add a longer v4 desig revoker fingerprint in
addition to the regular v4 desig revoker.
2023-09-07 19:05:39 +02:00
Werner Koch
8c8608425a
Prepare NEWS for a snapshot release
--
2023-09-07 17:35:01 +02:00