* tools/gpgconf-comp.c: Remove all regular option descriptions. They
are now read in from the component. Also remove a few meanwhile
obsolete options.
* agent/gpg-agent.c: Add option description which were only set in
gpgconf-comp.c.
* dirmngr/dirmngr.c: Ditto.
* scd/scdaemon.c: Ditto.
* sm/gpgsm.c: Ditto.
* g10/gpg.c: Ditto.
--
This second part removes all regular option descriptions because they
can be read from the components. A few were missing in the components
and thus moved to there.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (main): Re-add permission checking of the user config
file. Re-add code to check against the SE-Linux secured file list.
(get_default_configname): Remove unused func.
* configure.ac (SAFE_VERSION, SAFE_VERSION_DOT)
(SAFE_VERSION_DASH): Remove.
--
Die to the switch to the new option parser, the permissions were not
anymore checked. This patch fixes this. Note that there there is no
checking for the global config file because that file is not expected
to be user modifiable.
This patch also adds checking against the list of SE-linux secured
files. However, like in the old code the checking does not work in
practise because the to be checked files are added to the the list
only after option parsing. Tested using temporary debug code.
The SAFE_VERSION macros were used for RISC OS, which is not anymore
supported, and only in the now removed get_default_configname. There
purpose was that a RISC OS could use a modified config.h here.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/util.h: Remove argparse.h.
* common/argparse.c: Undef GPGRT_ENABLE_ARGPARSE_MACROS.
* configure.ac (GPGRT_ENABLE_ARGPARSE_MACROS): Define.
* agent/gpg-agent.c: Undef GPGRT_ENABLE_ARGPARSE_MACROS and include
argparse.h. Do this also for all main modules which use our option
parser except for gpg. Replace calls to strusage by calls to
gpgrt_strusage everywhere.
* g10/gpg.c (opts): Change type to gpgrt_opt_t. Flag oOptions and
oNoOptions with ARGPARSE_conffile and ARGPARSE_no_conffile.
(main): Change type of pargs to gpgrt_argparse_t. Rework the option
parser to make use of the new gpgrt_argparser.
--
This is not yet finished but a make check works. gpg has the most
complex and oldest option handling and thus this is the first
migration target. SE-Linux checks and version-ed config files are
missing and will be added later.
GnuPG-bug-id: 4788
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/openpgp-oid.c (openpgp_curve_to_oid): Add optional arg R_NBITS.
Change all callers.
--
In particular for ed25519 and cv25519 it is quite useful to have an
ability to get the required algorithm.
* scd/app-openpgp.c (send_key_attr): Use log_assert.
(do_genkey): Allow prefix.
--
It is more uniform to always use full keyref (e.g. "OPENPGP.1")
instead of just the key number.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/sysutils.c (inhibit_set_foregound_window): New var.
(gnupg_inhibit_set_foregound_window): New func.
(gnupg_allow_set_foregound_window): Use var.
* g10/gpg.c (main): Inhibit in loopback mode.
* sm/gpgsm.c (main): Ditto.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
--
Resolved Conflicts:
* common/asshelp.c: Keep the new code in master for spawing under
Windows.
* g10/Makefile.am: Keep all new file.
* g10/photoid.c: Pass CTRL to pct_expando.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/Makefile.am: Add nPth flags.
* g10/gpg.c: Include npth.h.
(gpg_deinit_default_ctrl): Deinit call-keyboxd local data.
(main): Init nPth.
* g10/keydb-private.h (struct keydb_handle_s): Add field 'kbl' and
remove the search result and the assuan context.
* g10/call-keyboxd.c (struct keyboxd_local_s): Add more fields.
(lock_datastream, unlock_datastream): New.
(gpg_keyboxd_deinit_session_data): Adjust for changed data structures.
(prepare_data_pipe): New.
(open_context): Return kbl instead of an Assuan context. Init mutexes
etc.
(close_context): Merge into ...
(keydb_release): here. Adjust for changed data structures.
(datastream_thread): New.
(keydb_get_keyblock): Implement datastream stuff.
(keydb_search): Ditto.
* common/asshelp.c (wait_for_sock): Add arg connect_flags.
(start_new_service): Set FDPASSING flag for the keyboxd.
--
This code as a lot of rough edges, in particular it relies on a well
behaving keyboxd. We need to add code to shutdown the datastream
reader thread in case of errors and to properly get it up again. We
also need to make really sure that both threads run in lockstep so
that the datastream thread is only active while we are sending a
command to the keyboxd.
We should also see whether we can depend nPth initialization on the
--use-keyboxd option to avoid any problems with nPth.
And we need to test on Windows.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (oUseKeyboxd,oKeyboxdProgram): New consts.
(opts): New options --use-keyboxd and --keyboxd-program.
(main): Implement them.
* g10/keydb.c: Move some defs out to ...
* g10/keydb-private.h: new file.
* g10/keydb.c: prefix function names with "internal" and move original
functions to ...
* g10/call-keyboxd.c: new file. Divert to the internal fucntion if
--use-keyboxd is used. Add a CTRL arg to most fucntions and change
all callers.
* g10/Makefile.am (common_source): Add new files.
(noinst_PROGRAMS): Do bot build gpgcompose.
--
Note that this is just the framework with only a basic implementation
of searching via keyboxd.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/getkey.c (akl_empty_or_only_local): New.
* g10/gpg.c (DEFAULT_AKL_LIST): New.
(main): Use it here.
(main) <aLocateExtKeys>: Set default AKL if none is set.
--
This better matches the expectations of the user. The used list in
this case is the default list ("local,wkd") with local ignored by the
command anyway.
GnuPG-bug-id: 4662
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/trustdb.c (verify_own_keys): Silence informational diagnostic.
--
This silences these notes with --quiet
gpg: Note: RFC4880bis features are enabled.
gpg: key EE65E8C75D41FD1D marked as ultimately trusted
GnuPG-bug-id: 4634
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (opts): Add option.
(main): Set flag.
* g10/options.h: Add flags.use_only_openpgp_card.
* g10/call-agent.c (start_agent): Implement option.
--
With the previous patch we switch to autoselect an application
instead of requesting an openpgp card. This option allows to revert
this in case of use use cases which expected the former behaviour.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c185f6dfbd)
This was first added to the 2.2 branch.
* g10/gpg.c (main): Change default.
--
Due to the DoS attack on the keyeservers we do not anymore default to
import key signatures. That makes the keyserver unsuable for getting
keys for the WoT but it still allows to retriev keys - even if that
takes long to download the large keyblocks.
To revert to the old behavior add
keyserver-optiions no-self-sigs-only,no-import-clean
to gpg.conf.
GnuPG-bug-id: 4607
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (aLocateExtKeys): New.
(opts): Add --locate-external-keys.
(main): Implement that.
* g10/getkey.c (get_pubkey_byname): Implement GET_PUBKEY_NO_LOCAL.
(get_best_pubkey_byname): Add arg 'mode' and pass on to
get_pubkey_byname. Change callers.
* g10/keylist.c (public_key_list): Add arg 'no_local'.
(locate_one): Ditto. Pass on to get_best_pubkey_byname.
--
This new command is a shortcut for
--auto-key-locate nodefault,clear,wkd,... --locate-key
and uses the default or configured AKL list but does so without local.
See also
GnuPG-bug-id: 4599
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (g10_exit): Block all signals before calling
emergency_cleanup.
--
There is a race condition here which results crash of the process.
When a signal is delivered in emergency_cleanup, it is called again.
This change fixes the problem.
GnuPG-bug-id: 2747
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* g10/objcache.c: New.
* g10/objcache.h: New.
* g10/Makefile.am (common_source): Add them.
* g10/gpg.c: Include objcache.h.
(g10_exit): Call objcache_dump_stats.
* g10/getkey.c: Include objcache.h.
(get_primary_uid, release_keyid_list): Remove.
(cache_user_id): Remove.
(finish_lookup): Call the new cache_put_keyblock instead of
cache_user_id.
(get_user_id_string): Remove code for mode 2.
(get_user_id): Implement using cache_get_uid_bykid.
--
This generic caching module is better than the ad-hoc code we used in
getkey.c. More cleanup in getkey is still required but it is a
start. There is also a small performance increase with the new cache:
With a large keyring and --list-sigs I get these numbers:
| | before | after |
|------+------------+------------|
| real | 14m1.028s | 12m16.186s |
| user | 2m18.484s | 1m36.040s |
| sys | 11m42.420s | 10m40.044s |
Note the speedup in the user time which is due to the improved cache
algorithm. This is obvious, because the old cache was just a long
linked list; the new cache are two hash tables.
Signed-off-by: Werner Koch <wk@gnupg.org>
* kbx/keybox-search-desc.h (KEYDB_SEARCH_MODE_FPR16)
(KEYDB_SEARCH_MODE_FPR20, KEYDB_SEARCH_MODE_FPR32): Remove. Switch
all users to KEYDB_SEARCH_MODE_FPR along with the fprlen value.
--
These search modes were added over time and there has until recently
be no incentive to remove the cruft. With the change for v5 keys I
finally went over all places and allowed the generic fingerprint mode
along with a given length of the fingerprint at all places.
Consequently the other modes can now be removed.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (set_compliance_option, main): Change CO_GNUPG to include
rfc4880bis features.
(main): Change rfc4880bis warning to a note.
--
Note that the default is CO_GNUPG and not CO_OPENPGP. CO_OPENPGP does
not include rfc4880bis yet and has a couple of things we don't like,
like --allow-non-selfsigned-uids.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/userids.c (classify_user_id): Support 32 byte fingerprints.
* kbx/keybox-search-desc.h (KEYDB_SEARCH_MODE_FPR32): New.
(struct keydb_search_desc): Add field fprlen.
* kbx/keybox-defs.h (struct _keybox_openpgp_key_info): Add field
version and increase size of fpr to 32.
* kbx/keybox-blob.c: Define new version 2 for PGP and X509 blobs.
(struct keyboxblob_key): Add field fprlen and increase size of fpr.
(pgp_create_key_part_single): Allow larger fingerprints.
(create_blob_header): Implement blob version 2 and add arg want_fpr32.
(_keybox_create_openpgp_blob): Detect the need for blob version 2.
* kbx/keybox-search.c (blob_get_first_keyid): Support 32 byte
fingerprints.
(blob_cmp_fpr): Ditto.
(blob_cmp_fpr_part): Ditto.
(has_fingerprint): Add arg fprlen and pass on.
(keybox_search): Support KEYDB_SEARCH_MODE_FPR32 and adjust for
changed has_fingerprint.
* kbx/keybox-openpgp.c (parse_key): Support version 5 keys.
* kbx/keybox-dump.c (_keybox_dump_blob): Support blob version 2.
* g10/delkey.c (do_delete_key): Support KEYDB_SEARCH_MODE_FPR32.
* g10/export.c (exact_subkey_match_p): Ditto.
* g10/gpg.c (main): Ditto.
* g10/getkey.c (get_pubkey_byfprint): Adjust for changed
KEYDB_SEARCH_MODE_FPR.
* g10/keydb.c (keydb_search_desc_dump): Support
KEYDB_SEARCH_MODE_FPR32 and adjust for changed KEYDB_SEARCH_MODE_FPR.
(keydb_search): Add new arg fprlen and change all callers.
* g10/keyedit.c (find_by_primary_fpr): Ditto.
* g10/keyid.c (keystr_from_desc): Ditto.
* g10/keyring.c (keyring_search): Ditto.
* g10/keyserver.c (print_keyrec): Ditto.
(parse_keyrec): Ditto.
(keyserver_export): Ditto.
(keyserver_retrieval_screener): Ditto.
(keyserver_import): Ditto.
(keyserver_import_fprint): Ditto.
(keyidlist): Ditto.
(keyserver_get_chunk): Ditto.
* g10/keydb.c (keydb_search): Add new arg fprlen and change all
callers.
* sm/keydb.c (keydb_search_fpr): Adjust for changed
KEYDB_SEARCH_MODE_FPR.
--
This prepares the support for OpenPGP v5 keys. The new version 2 blob
format is needed for the longer fingerprints and we also use this
opportunity to prepare for storing the keygrip in the blob for faster
lookup by keygrip. Right now this is not yet functional.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (parse_list_options): Add option "show-only-fpr-mbox".
* g10/options.h (LIST_SHOW_ONLY_FPR_MBOX): New.
* g10/keylist.c (list_keyblock_simple): New.
(list_keyblock): Call it.
(list_all): Do not print the keyring name in LIST_SHOW_ONLY_FPR_MBOX
mode.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/mbox-util.c (mailbox_from_userid): Add arg subaddress and
implement. Change all callers to pass false for it.
* common/t-mbox-util.c (run_mbox_no_sub_test): New.
(run_filter): Add arg no_sub.
(main): Call new test and add option --no-sub.
--
Some stats: In the about 5300000 keys on the SKS servers we found 3055
unique mailboxes with a '+' in it. After removing leading and
trailing '+' as well as multiple '+' (e.g. "c++" or "foo+bar+baz")
2697 were left which seem to be valid sub-addresses.
To filter mailboxes out from a line delimited list with
user-ids (e.g. an SQL output), the command
t-mbox-util --verbose --filter
can be used; to output w/o sub-addresses add --no-sub.
GnuPG-bug-id: 4200
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (oKnownNotation): New const.
(opts): Add option --known-notation.
(main): Set option.
* g10/parse-packet.c (known_notations_list): New local var.
(register_known_notation): New.
(can_handle_critical_notation): Rewrite to handle the new feature.
Also print the name of unknown notations in verbose mode.
--
GnuPG-bug-id: 4060
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (main): Set some list options.
--
The new command --show-keys is commonly used to check the content of a
file with keys. In this case it can be expected that all included
subkeys and uids are of interested, even when they are already expired
or have been revoked.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (aShowKeys): New const.
(opts): New command --show-keys.
(main): Implement command.
* g10/import.c (import_keys_internal): Don't print stats in show-only
mode.
(import_one): Be silent in show-only mode.
--
Using
--import --import-options show-only
to look at a key is too cumbersome. Provide this shortcut and also
remove some diagnostic cruft in this case.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (oAllowMultisigVerification)
(oAllowMultipleMessages, oNoAllowMultipleMessages): Remove.
(opts): Turn --allow-multisig-verification, --allow-multiple-messages
and --no-allow-multiple-messages into NOPs
* g10/options.h (struct opt): Remove flags.allow_multiple_messages.
* g10/mainproc.c (proc_plaintext): Assume allow_multiple_messages is
false.
--
These options are very old compatibility hacks and should not be used
anymore. We keep them as dummy options in case someone has them in
the conf file.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c: Make --pgp6 an alias for --pgp7.
* common/compliance.h (gnupg_compliance_mode): Remove CO_PGP6.
* g10/options.h (PGP6): Remove. Adjust all users.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c: Tuen options --force-mdc, --no-force-mdc, --disable-mdc
and --no-disable-mdc into NOPs.
* g10/encrypt.c (use_mdc): Simplify. MDC is now almost always used.
(use_aead): Ignore MDC options. Print warning for missing MDC feature
flags.
* g10/pkclist.c (warn_missing_mdc_from_pklist): Rename to ...
(warn_missing_aead_from_pklist): this and adjust.
--
The MDC is now always used except with --rfc2440 which will lead to a
a big fat warning.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (oNoMDCWarn): Remove.
(opts): Make --no-mdc-warn a NOP.
(main): Don't set var.
* g10/options.h (struct opt): Remove 'no_mdc_var'.
* g10/cipher-cfb.c (write_header): Assume opt.no_mdc_warn is false.
* g10/mainproc.c (proc_encrypted): Ditto.
--
Users should not be allowed to suppress the warning that they are
shooting into their foot.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (g10_exit): Print STATUS_FAILURE only based on passed
return code and not on the presence of any call to log_error.
--
This fixes an actual regression in GPGME where FAILURE is considered
for example by a signature verify operation. The operation will simply
fail and not just record that that a signature could not be verified.
In particular for files with more than one signature a log_error if
often called to show that a pubkey is missing for one of the
signatures. Using that log_error is correct in that case.
Fixes-commit: 0336e5d1a7
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (oNoSymkeyCache): New.
(opts): Add that option.
(main): Set var.
* g10/options.h (struct opt): New field no_symkey_cache.
* g10/passphrase.c (passphrase_to_dek): Implement that feature.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/cpr.c (write_status_failure): Make it print only once.
* g10/gpg.c (wrong_args): Bump error counter.
(g10_exit): Print a FAILURE status if we ever did a log_error etc.
(main): Use log_error instead of log_fatal at one place. Print a
FAILURE status for a bad option. Ditto for certain exit points so
that we can see different error locations.
--
This makes it easier to detect errors by tools which have no way to
get the exit code (e.g. due to double forking).
GnuPG-bug-id: 3872
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (oRequestOrigin): New const.
(opts): New option --request-origin.
(main): Parse that option.
* g10/options.h (struct opt): Add field request_origin.
* g10/call-agent.c (start_agent): Send option to the agent.
* sm/gpgsm.c (oRequestOrigin): New const.
(opts): New option --request-origin.
(main): Parse that option.
* sm/gpgsm.h (struct opt): Add field request_origin.
* sm/call-agent.c (start_agent): Send option to the agent.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (opts): Add new option.
(opt_set_iobuf_size): New var.
(set_debug): Set the option.
* tests/openpgp/armor.scm: Use this option to revert the buffer size
to the one which used to exhibit the tested bugs.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/openpgpdefs.h (PKT_ENCRYPTED_AEAD): New const.
* g10/dek.h (DEK): Increase size of use_aead to 4 bits.
* g10/filter.h (cipher_filter_context_t): Add new fields for AEAD.
* g10/packet.h (PKT_encrypted): Add fields aead_algo, cipher_algo, and
chunkbyte.
* g10/build-packet.c (do_encrypted_aead): New.
(build_packet): Call it.
* g10/parse-packet.c (dump_sig_subpkt): Handle SIGSUBPKT_PREF_AEAD.
(parse_one_sig_subpkt, can_handle_critical): Ditto.
(parse_encrypted): Clear new PKT_ENCRYPTED fields.
(parse_encrypted_aead): New.
(parse): Call it.
* g10/gpg.c (main): Take care of --rfc4880bis option when checking
compliance.
* g10/cipher-aead.c: Replace the stub by real code.
* g10/decrypt-data.c (decode_filter_ctx_t): Add fields for use with
AEAD.
(aead_set_nonce): New.
(aead_set_ad): New.
(decrypt_data): Support AEAD.
(aead_underflow): New.
(aead_decode_filter): New.
* g10/encrypt.c (use_aead): Make that new fucntion work.
(encrypt_simple): Use default_aead_algo() instead of EAX.
* g10/mainproc.c (proc_encrypted): Support AEAD.
(do_proc_packets): Support PKT_ENCRYPTED_AEAD.
--
This code has seen only a very few manual tests. Encrypting always
uses a 64k chunks and decryption has not been tested with larger
chunks. Those small chunks make debugging much faster.
Tests can be done using:
gpg --rfc4880bis --pinentry-mode=loopback --passphrase abc \
--force-aead --aead-algo ocb --s2k-mode 0 --cipher AES \
-v -z 0 --status-fd 2 -c <INFILE >OUTFILE
and
gpg --rfc4880bis --pinentry-mode=loopback --passphrase=abc \
--status-fd 2 -v -d <INFILE >OUTFILE
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/dek.h (DEK): Turn fields use_mdc, algo_printed and symmetric
into single bit vars. Make sure they are always set to 1 or 0.
(DEK): New field use_aead.
* g10/options.h (struct opt): New field force_aead.
* g10/pkclist.c (select_aead_from_pklist): New.
* g10/gpg.c (oForceAEAD): New const.
(opts): New options "--force-aead".
(main): Set new option.
* g10/encrypt.c (use_aead): New.
(encrypt_simple): Implement new flags DEK.use_aead.
(encrypt_crypt): Ditto.
(encrypt_filter): Ditto.
* g10/sign.c (sign_symencrypt_file): Ditto.
--
This patch should be enough to detect whether AEAD can be used.
Not tested.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/pkscreening.c: New.
* common/pkscreening.h: New.
* common/Makefile.am (common_sources): Add them.
* g10/gpg.c (opts): New option --with-key-screening.
* g10/options.h (struct opt): New field with_key_screening.
* g10/keylist.c: Include pkscreening.h.
(print_pk_screening): New.
(list_keyblock_print): Call it.
(print_compliance_flags): Call it.
* sm/gpgsm.c (opts): New option --with-key-screening.
* sm/gpgsm.h (scruct opt): New field with_key_screening.
* sm/keylist.c: Include pkscreening.h.
(print_pk_screening): New.
(print_compliance_flags): Call it. Add new arg cert.
(list_cert_colon): Pass arg cert
(list_cert_std): Call print_pk_screening.
* sm/fingerprint.c (gpgsm_get_rsa_modulus): New.
--
This new option can be used to detect ROCA affected keys. To scan an
entire keyring and print the affected fingerprints use this:
gpg -k --with-key-screening --with-colons | gawk -F: \
'$1~/pub|sub|sec|ssb|crt/ && $18~/\<6001\>/ {found=1;next};
$1=="fpr" && found {print $10}; {found=0}'
The same works for gpgsm. Note that we need gawk due to the "\<" in
the r.e.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (gpgconf_list): Announce "auto-key-retrieve".
(main): Simplify setting of KEYSERVER_AUTO_KEY_RETRIEVE.
* tools/gpgconf-comp.c: Make "no-auto-key-retrieve" invisible. Make
"auto-key-retrieve" an expert option.
--
This basically reverts 9bb13a0e81
because --no-auto-key-retrieve is again the default. Note that we
allow both options for the sake of profiles.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpgconf-comp.c (gc_options_gpg): Add max-cert-depth,
completes-needed, and marginals-needed options.
* g10/gpg.c (gpgconf_list): Likewise.
--
Some tests to come for the PGP trust model will need to manipulate
these parameters.
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
* g10/gpg.c (main): remove KEYSERVER_AUTO_KEY_RETRIEVE from the
default keyserver options.
* doc/gpg.texi: document this change.
--
This is a partial reversion of
7e1fe791d1. Werner and i discussed it
earlier today, and came to the conclusion that:
* the risk of metadata leakage represented by a default
--auto-key-retrieve, both in e-mail (as a "web bug") and in other
contexts where GnuPG is used to verified signatures, is quite high.
* the advantages of --auto-key-retrieve (in terms of signature
verification) can sometimes be achieved in other ways, such as when
a signed message includes a copy of its own key.
* when those other ways are not useful, a graphical, user-facing
application can still offer the user the opportunity to choose to
fetch the key; or it can apply its own policy about when to set
--auto-key-retrieve, without needing to affect the defaults.
Note that --auto-key-retrieve is specifically about signature
verification. Decisions about how and whether to look up a key during
message encryption are governed by --auto-key-locate. This change
does not touch the --auto-key-locate default of "local,wkd". The user
deliberately asking gpg to encrypt to an e-mail address is a different
scenario than having an incoming e-mail trigger a potentially unique
network request.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* doc/gpg.texi: Document new option.
* g10/call-dirmngr.c (create_context): Fail if option is given.
* g10/gpg.c (cmd_and_opt_values): New value.
(opts): New option.
(gpgconf_list): Add new option.
(main): Handle new option.
* g10/options.h (struct opt): New field 'disable_dirmngr'.
* tools/gpgconf-comp.c (gc_options_gpg): New option.
GnuPG-bug-id: 3334
Signed-off-by: Justus Winter <justus@g10code.com>
* g10/gpg.c (gpgconf_list): Print no-auto-key-retrieve instead of
auto-key-retrieve.
* tools/gpgconf-comp.c (gc_options_gpg): Replace auto-key-retrieve by
no-auto-key-retrieve and chnage level from invisible to advanced.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (main): Add KEYSERVER_AUTO_KEY_RETRIEVE to the default
keyserver options. Set the default for --auto-key-locate to
"local,wkd". Reset that default iff --auto-key-locate has been given
in the option file or in the commandline.
* g10/getkey.c (parse_auto_key_locate): Work on a copy of the arg.
--
GnuPG-bug-id: 3324
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/import.c (apply_meta_data): Remove arg 'merge'. Add arg 'url'.
Implement WKD and DANE key origin.
(import_keys_internal): Add arg 'url' and change all callers.
(import_keys_es_stream): Ditto.
(import): Ditto.
(import_one): Ditto.
* g10/keylist.c (list_keyblock_print): Fix update URL printing.
* g10/call-dirmngr.c (gpg_dirmngr_wkd_get): Add arg 'r_url' to return
the SOURCE. Pass ks_status_cb to assuan_transact.
* g10/keyserver.c (keyserver_import_wkd): Get that URL and pass it to
the import function.
--
Note that this only for new keys. Merging this info will be added
soon.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/import.c (import_keys_stream): Remove this unused function.
(import_keys_internal): Add arg origin.
(import_keys): Ditto.
(import_keys_es_stream): Ditto.
(import): Ditto.
(import_one): Ditto.
(apply_meta_data): New stub.
(import_secret_one): Pass 0 for ORIGIN.
* g10/keyserver.c (keyserver_get_chunk): For now pass 0 for ORIGIN.
(keyserver_fetch): Add arg origin.
(keyserver_import_cert): Pass KEYORG_DANE for ORIGIN.
(keyserver_import_wkd): Pass KEYORG_WKD for ORIGIN.
* g10/gpg.c (main): Pass OPT.KEY_ORIGIN to import_keys and
keyserver_fetch.
* g10/card-util.c (fetch_url): Pass KEYORG_URL for ORIGIN.
--
This is just the framework; applying the meta data will be done in
another commit.
GnuPG-bug-id: 3252
Signed-off-by: Werner Koch <wk@gnupg.org>
* doc/gpg.texi: Document the new import option.
* g10/gpg.c (main): Make the new option default to yes.
* g10/import.c (parse_import_options): Parse the new option.
(import_one): Act on the new option.
* g10/options.h (IMPORT_REPAIR_KEYS): New macro.
GnuPG-bug-id: 2236
Signed-off-by: Justus Winter <justus@g10code.com>
* common/compliance.c (gnupg_parse_compliance_option): New function.
* common/compliance.h (struct gnupg_compliance_option): New type.
(gnupg_parse_compliance_option): New prototype.
* g10/gpg.c (parse_compliance_option): Remove function.
(compliance_options): New variable.
(main): Adapt callsite.
* sm/gpgsm.c (main): Use the new common function.
* sm/gpgsm.h (opt): New field 'compliance'.
GnuPG-bug-id: 3191
Signed-off-by: Justus Winter <justus@g10code.com>
* g10/gpg.c (set_compliance_option): The specification, section 4.1.1,
forbids the use of encryption without integrity protection.
GnuPG-bug-id: 3191
Signed-off-by: Justus Winter <justus@g10code.com>
* g10/gpg.c: Define _dowildcard = -1;
--
If this value is defined wildcard support in the c runtime
is enabled again. This fixes a regression caused by switching to
mingw 3.0
Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
* g10/keydb.h (KEYDB_HANDLE): Move typedef to ...
* g10/gpg.h: here.
(struct server_control_s): Add field 'cached_getkey_kdb'.
* g10/gpg.c (gpg_deinit_default_ctrl): Release that keydb handle.
* g10/getkey.c (getkey_end): Cache keydb handle.
(get_pubkey): Use cached keydb handle.
* kbx/keybox-search.c (keybox_search_reset): Use lseek instead of
closing the file.
--
Before this patch a "gpg --check-sigs" opened and closed the keybox
file for almost every signature check. By caching the keydb handle
and using lseek(2) this can be limited to just 2 times. This might
speed up things on Windows.
Signed-off-by: Werner Koch <wk@gnupg.org>
--
For proper operations as a server we need to avoid global variables.
Thus we need to pass the session state CTRL to most functions. Quite
a lot of changes but fortunately straightforward to do.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (aQuickSetPrimaryUid): New const.
(opts): New command --quick-set-primary-uid.
(main): Implement it.
* g10/keyedit.c (keyedit_quick_adduid): Factor some code out to ...
(quick_find_keyblock): new func.
(keyedit_quick_revuid): Use quick_find_keyblock.
(keyedit_quick_set_primary): New.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/gpg.c (main): Always initialize the trust db when generating
keys.
* g10/keygen.c (do_generate_keypair): We can now assume that there is
a trust db.
--
It is important to mark keys we create as ultimately trusted.
Fixes-commit: 4735ab96aa
GnuPG-bug-id: 2695
Signed-off-by: Justus Winter <justus@g10code.com>
* g10/export.c (export_seckeys): Add arg OPTIONS and pass it to
do_export.
(export_secsubkeys): Ditto.
* g10/gpg.c (main): Pass opt.export_options to export_seckeys and
export_secsubkeys
--
Back in the old days we did not used the export options for secret
keys export because of a lot of duplicated code and that the old
secring.gpg was anyway smaller that the pubring.gpg. With 2.1 it was
pretty easy to enable it.
Reported-by: Peter Lebbing
GnuPG-bug-id: 2973
* common/sysutils.c (gnupg_fd_valid): New function.
* common/sysutils.h (gnupg_fd_valid): New declaration.
* common/logging.c (log_set_file): Use the new function.
* g10/cpr.c (set_status_fd): Likewise.
* g10/gpg.c (main): Likewise.
* g10/keylist.c (read_sessionkey_from_fd): Likewise.
* g10/passphrase.c (set_attrib_fd): Likewise.
* tests/openpgp/Makefile.am (XTESTS): Add the new test.
* tests/openpgp/issue2941.scm: New file.
--
Consider a situation where the user passes "--status-fd 3" but file
descriptor 3 is not open.
During the course of executing the rest of the commands, it's possible
that gpg itself will open some files, and file descriptor 3 will get
allocated.
In this situation, the status information will be appended directly to
whatever file happens to have landed on fd 3 (the trustdb? the
keyring?).
This is a potential data destruction issue for all writable file
descriptor options:
--status-fd
--attribute-fd
--logger-fd
It's also a potential issue for readable file descriptor options, but
the risk is merely weird behavior, and not data corruption:
--override-session-key-fd
--passphrase-fd
--command-fd
Fixes this by checking whether the fd is valid early on before using
it.
GnuPG-bug-id: 2941
Signed-off-by: Justus Winter <justus@g10code.com>
* g10/gpg.c (opts): Define commands with ARGPARSE_c
instead of ARGPARSE_s_n.
--
These three entries are commands, but they're being treated as a
string-based option for some reason. However, if you try to use them
concurrently with another command like --clearsign, you'll get "gpg:
conflicting commands".
Furthermore, because they're marked as options, their flags differ
from the commands that they alias, they cause ambiguity in
abbreviation (e.g. try "gpg --list-ke") which should have been fixed
by 7249ab0f95.
Marking them explicitly as commands for argparse should be more
accurate and should resolve the abbreviation ambiguity issue.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
gpg: fix aliases --list-key, --list-sig, and --check-sig.
* g10/gpg.c: ARGPARSE_OPTS opts[]: define commands with ARGPARSE_c
instead of ARGPARSE_s_n.
--
These three entries are commands, but they're being treated as a
string-based option for some reason. However, if you try to use them
concurrently with another command like --clearsign, you'll get "gpg:
conflicting commands".
Furthermore, because they're marked as options, their flags differ
from the commands that they alias, they cause ambiguity in
abbreviation (e.g. try "gpg --list-ke") which should have been fixed
by 7249ab0f95.
Marking them explicitly as commands for argparse should be more
accurate and should resolve the abbreviation ambiguity issue.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* g10/gpg.c (main): If the parameter for --faked-system-time
ends with a '!', freeze time at the specified point.
* common/gettime.c (gnupg_set_time): Allow to freeze the time
at an arbitrary time instead of only the current time.
* doc/gpg.texi: Update documentation for --faked-system-time.
--
This patch allows the user to modify the behavior of the
--faked-system-time option: by appending a '!' to the parameter,
time in GnuPG will be frozen at the specified time, instead of
advancing normally from that time onward.
Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
* g10/gpg.c (main): Avoid translating arguments to 'wrong_args'.
--
Translating these messages is a burden for translators, and we only
have translations for very few of them as it is.
If we want to localize these messages, I'd suggest to translate the
placeholders (e.g. 'filename').
Signed-off-by: Justus Winter <justus@g10code.com>
* g10/gpg.c (opts): Rename options.
(main): Update errors.
* doc/gpg.texi: Update accordingly.
--
I decided not to keep the old versions as aliases in the documentation
because the interface is a fairly recent addition.
GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
* g10/gpg.c (opts): Rename option.
* g10/call-agent.c (agent_scd_learn): Update comment.
* doc/gpg.texi: Update accordingly.
--
This change has a surprising side effect. Previously, --edit was an
alias for --edit-key, because the argument parser actually accepts
unique prefixes of all options. With this change, however, --edit is
ambiguous.
GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
* g10/gpg.c (opts): Rename option.
* doc/gpg.texi: Update accordingly.
--
This is a rather long name, but I believe that this command is rarely
used, and in places where it is used frequently, the process is likely
automated.
GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
