1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-09 21:28:51 +01:00
Commit Graph

10526 Commits

Author SHA1 Message Date
Werner Koch
b331ae1c3f
Release 2.4.1 2023-04-28 11:16:29 +02:00
Werner Koch
51975712e9
po: msgmerge done
--
2023-04-28 10:50:50 +02:00
Werner Koch
2b8109d102
po: Update German translation
--
2023-04-28 10:44:41 +02:00
NIIBE Yutaka
23c5634485
regexp: Update UnicodeData for Unicode 15.0.0.
* regexp/UnicodeData.txt: Update from upstream.

--

https://www.unicode.org/Public/15.0.0/ucd/UnicodeData.txt

See: https://www.unicode.org/versions/Unicode15.0.0/
     https://www.unicode.org/reports/tr44/

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-04-27 09:10:39 +09:00
Werner Koch
7e1f36b242
speedo,w32: Adjustments for the new Unicode NSIS plugins.
* build-aux/speedo/w32/inst.nsi: Convert to UTF-8.  Add Unicode
statement.
* build-aux/speedo.mk (installer): Remove -INPUTCHARSET.
--

GnuPG-bug-id: 6448
2023-04-26 09:10:39 +02:00
Werner Koch
7359665add
speedo: Update NSIS helper DLL from Gpg4win
* build-aux/speedo/w32/inst.nsi: Re-enable run-once check.
* build-aux/speedo/w32/exdll.c: New.
* build-aux/speedo.mk (g4wihelp.dll): Change build commands.
--

GnuPG-bug-id: 6448
2023-04-26 09:10:39 +02:00
NIIBE Yutaka
c4a456e5ff
po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-04-26 13:37:39 +09:00
NIIBE Yutaka
0ec10fbd0d
gpg: Fix for overridden key import.
* g10/import.c (do_transfer): Force the overridden key import
even when smartcard is available.

--

Fixes-commit: 2c12970550
GnuPG-bug-id: 3456
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-04-25 13:47:49 +09:00
Werner Koch
c03ba92576
gpg: Fix writing ECDH keys to OpenPGP smartcards.
* agent/command.c (cmd_keytocard): Add new arg for ECDH params.
* scd/app-openpgp.c (ecc_writekey): Use provided ECDH params to
compute the fingerprint.
* g10/call-agent.c (agent_keytocard): Add arg ecdh_param_str.
* g10/keyid.c (ecdh_param_str_from_pk): New.
* g10/card-util.c (card_store_subkey): Pass ECDH params to writekey.
* g10/keygen.c (card_store_key_with_backup): Ditto.

* scd/app-openpgp.c (store_fpr): Add arg update.
(rsa_read_pubkey, ecc_read_pubkey): Add arg meta_update and avoid
writing the fingerprint back to the card if not set.
(read_public_key): Also add arg meta_update.
(get_public_key): Do not pass it as true here...
(do_genkey): ... but here.
(rsa_write_key, ecc_writekey): Force string the fingerprint.
--

The problem showed up because in 2.4 we changed the standard ECDH
parameter some years ago.  Now when trying to write an ECDH key
created by 2.2 with 2.4 to an openpgp card, scdaemon computes a wrong
fingerprint and thus gpg was not able to find the key again by
fingerprint.

The patch also avoids updating the stored fingerprint in certain
situations.

This fix is somewhat related to
GnuPG-bug-id: 6378
2023-04-21 15:23:29 +02:00
NIIBE Yutaka
762b7d07ea
common: Incorporate upstream changes of regexp.
* regexp/jimregexp.c (regatom): Raise REG_ERR_UNMATCHED_BRACKET when
no matching end bracket.
(regmatch): Fix the end of word check.

--

Original changes:
	Signed-off-by: Steve Bennett <steveb@workware.net.au>

GnuPG-bug-id: 6455
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-04-21 11:51:47 +09:00
Werner Koch
af3724d383
scd,p15: Enforce a min. PIN length for certain cards.
* scd/app-p15.c (verify_pin): Enforce 6 for RSCS cards.
2023-04-20 12:41:08 +02:00
Werner Koch
a82e6f310a
common: Fix minor bug in the jimregexp code.
* regexp/jimregexp.c (regatom): Make error checking for stray
backslash at end of the string work.  Check that the pattern class is
closed by a bracket.
--

GnuPG-bug-id: 6455
Co-authored-by: Guldrelokk
2023-04-20 12:26:40 +02:00
Werner Koch
e1663c0450
gpg: New command "openpgp" for --card-edit.
* g10/card-util.c (current_card_status): Print a hint for fishy
outputs.
(enum cmdids): Add cmdOPENPGP.
(cmds): Add "openpgp".
(card_edit): Implement that command.
--

If a Yubikey has been used in PIV mode the initial listing does not
look correct.  Although we explicitly switch to the OpenPGP app when
needed, we don't want to do this in listing mode.  Instead we offer a
new command "openpgp" to force the openpgp mode.  The ultimate goal
will be to enhance the gpg-card tool to completely take over the
--card-edit features.  But we are not yet there.

GnuPG-bug-id: 6462
2023-04-20 12:10:54 +02:00
Werner Koch
80d4ae1215
Use keyboxd on a fresh install also on Windows.
* common/homedir.c (gnupg_maybe_make_homedir): Factor some code out to
...
(create_common_conf): new.
(standard_homedir): Call it also from here.
--

Fixes-commit: d9e7488b17
2023-04-19 11:05:42 +02:00
Werner Koch
fa4f716917
gpg: Make sure that we are not accidently working with the PIV app.
* g10/call-agent.c (agent_scd_switchapp): New.
* g10/card-util.c (get_info_for_key_operation): Call it.
--

It may happen that the active card was last used for PIV and in that
case certain commands will fail because they assume the OpenPGP app.
Fortunately we have a pretty central place to assure that the right
app has been selected.

The bug can be easily noticed on Windows.

GnuPG-bug-id: 6378
2023-04-18 17:07:04 +02:00
Werner Koch
f7e00dc73d
scd: On a Yubikey re-select the last app after the use of APDU.
* scd/app-common.h (struct card_ctx_s): Add maybe_check_aid flag.
* scd/command.c (cmd_apdu): Set it.
* scd/app.c (check_external_interference): Consult this flag.
(maybe_switch_app): Do a re-select if this flag is set.
--

After the gpg-card tool has issued a Yubikey specific command the
current application is not anymore correctly selected.  This then
results in all kind of errors.  We detect this now and try to
re-select the last app.
2023-04-18 12:04:15 +02:00
Werner Koch
98b8c518fa
ssh: Allow to prefer on-disk keys over active card keys.
* agent/command-ssh.c (ssh_send_available_keys): Redefine the order of
keys.
--

GnuPG-bug-id: 6212
2023-04-18 09:04:27 +02:00
Werner Koch
ba67fea5b9
gpgtar: Read common.conf for the log-file option.
* common/util.h (GNUPG_MODULE_NAME_GPGTAR): New.
* common/homedir.c (gnupg_module_name): Add it.
* tools/gpgtar.c: Include comopt.h.
(enum cmd_and_opt_values): Add oDebug.
(opts): Add --debug.
(any_debug): New.
(main): Parse common.conf.
--

Having a way to see the output of gpgtar is often useful for
debugging.  The only effect of the debug option is to show whether
common.conf was read.
2023-04-18 08:04:48 +02:00
NIIBE Yutaka
2c12970550
gpg: Allow overridden key import when stub exists.
* g10/import.c (do_transfer): Force importing when it's card
reference.

--

GnuPG-bug-id: 3456
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-04-18 09:53:24 +09:00
Werner Koch
d965ee8d65
gpg: Curvenames may now compared case insensitive.
* common/openpgp-oid.c (openpgp_curve_to_oid): Repalce strmcp by
ascii_strcasecmp.
(openpgp_oid_or_name_to_curve): Ditto.
(openpgp_is_curve_supported): Ditto.
(get_keyalgo_string): Ditto.
--

It was just to hard to remember the correct capitalization of
names like brainpoolP512r1.
2023-04-12 17:10:08 +02:00
Eva Bolten
3013137f74
po: Fix in German translation
--
2023-04-06 10:30:56 +02:00
NIIBE Yutaka
cb055ecb91
gpg: Fix handling of importing cv25519 secret key.
* g10/import.c (transfer_secret_keys): Only emit a warning when secret
key is not encrypted.

--

Fixing-commit: dbfb7f809b
GnuPG-bug-id: 6322
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-04-06 11:32:52 +09:00
Werner Koch
c9e95b8dee
gpg: New option --assert-signer.
* g10/gpg.c (enum cmd_and_opt_values): Add oAssertSigner.
(opts): Add "assert-signer".
(main): Set option.
(assert_signer_true): New var.
(g10_exit): Evaluate new var.
* g10/main.h (assert_signer_true): Declare new var.
* common/status.h (STATUS_ASSERT_SIGNER): New.
* g10/options.h (opt): Add field assert_signer_list.
* g10/verify.c (is_fingerprint): New.
(check_assert_signer_list): New.
* g10/mainproc.c (check_sig_and_print): Call that function.  Clear
assert_signer_true on a warning.

* g10/gpgv.c: Add dummy function and vars.
* g10/t-keydb-get-keyblock.c: Ditto.
* g10/t-keydb.c: Ditto.
* g10/t-stutter.c: Ditto.
--
2023-04-05 21:32:23 +02:00
Werner Koch
42ccbd6c78
speedo,w32: Remove removed profiles and temporary disable runonce.
--
2023-04-05 15:01:18 +02:00
NIIBE Yutaka
946a851d17
build: Update gpg-error.m4.
* m4/gpg-error.m4: Update from libgpg-error master.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-04-05 15:56:05 +09:00
Werner Koch
d261f5e5d0
common: Change allocation of the comopt symbol.
* common/comopt.h (struct gnupg_comopt_s): New.
* common/comopt.c (struct gnupg_comopt_s): Define here in the data
segment.
2023-04-04 16:51:58 +02:00
Werner Koch
d9e7488b17
Use the keyboxd for a fresh install
* common/homedir.c (gnupg_maybe_make_homedir): Also create a
common.conf.
* g10/keydb.c: Include comopt.h.
(maybe_create_keyring_or_box): Detect the creation of a common.conf.
* g10/gpg.c (main): Avoid adding more resources in this case.
* sm/keydb.c:  Include comopt.h.
(maybe_create_keybox): Detect the creation of a common.conf.

* common/comopt.h (comopt): Remove the conditional "extern".
2023-04-04 16:39:59 +02:00
Werner Koch
db6ae6f6f8
speedo: Remove deleted prf files from the Windows installer
--
2023-04-04 13:10:48 +02:00
Werner Koch
fcbb849c26
speedo: Fix regression due to switching from gcc 8.3 to 10.2
* build-aux/speedo.mk (speedo_pkg_zlib_make_args): Use -static-libgcc.

(cherry picked from commit 04f1d9649c)
2023-04-04 10:20:17 +02:00
Werner Koch
7bf57a794b
gpg: Set the default digest algo for S2K to SHA256.
* g10/main.h (DEFAULT_S2K_DIGEST_ALGO): Alias to DEFAULT_DIGEST_ALGO.
--

GnuPG-bug-id: 6367
2023-04-04 09:20:26 +02:00
Werner Koch
56d309133f
dirmngr: Return modifyTimestamp and add server option --newer.
* dirmngr/server.c (cmd_ks_get): Add option --newer.
(cmd_ad_query): Ditto.
* dirmngr/ldap-misc.c (isotime2rfc4517): New.
(rfc4517toisotime): New.
* dirmngr/ks-action.c (ks_action_get): Add arg newer and pass on.
(ks_action_query): Ditto.
* dirmngr/ks-engine-ldap.c (extract_keys): Print new "chg" record.
(ks_ldap_get): Add arg newer.  Modify filter with newer arg.
(ks_ldap_search): Print the modifyTimestamp.
(ks_ldap_query): Add arg newer.  Modify filter with newer arg.
--

Note that the modifyTimestamp is also available on Windows, where its
value is more commonly known as whenChanged.  Both are constructed
attributes.

Note that the --newer option is a bit of a misnomer because LDAP has
only a greater-or-equal and no greater-than operator.
2023-04-04 08:49:55 +02:00
Werner Koch
a5360ae4c7
agent: Add trustlist flag "de-vs".
* agent/trustlist.c (struct trustitem_s): Add field de_vs.
(read_one_trustfile): Parse it.
(istrusted_internal): Emit TRUSTLISTFLAG status line.
* sm/gpgsm.h (struct rootca_flags_s): Add field de_vs.
* sm/call-agent.c (istrusted_status_cb): Detect the flags.

* sm/sign.c (write_detached_signature): Remove unused vars.
--

Right now this flag has no effect; we first need to specify the exact
behaviour.

GnuPG-bug-id: 5079
2023-04-03 14:10:33 +02:00
Werner Koch
8996b0b655
gpgsm: Create binary detached sigs with definite form length octets.
* sm/sign.c: Include tlv.h.
(write_detached_signature): New,
(gpgsm_sign): Fixup binary detached signatures.
--

This helps some other software to verify detached signatures.
2023-04-03 12:01:37 +02:00
Werner Koch
4b9346492e
gpgsm: Remove conditional compilation for older libksba versions.
* sm/sign.c (add_signed_attribute): Return an error because the option
--attribute is not yet working.

--

We require libskba 1.6 anyway.
2023-03-31 09:35:07 +02:00
Werner Koch
ab35d756d8
agent: New option --restricted for PRESET_PASSPHRASE.
* agent/command.c (cmd_preset_passphrase): Add option.

* agent/preset-passphrase.c (oRestricted): New.
(opts): Add option --restricted.
(main): Set option.
(preset_passphrase): Use option.
--

We use a different cache for connections from the extra-socket.
However, with gpg-preset-passphrase is only able to preset a
passphrase into the regular cache.  Further, a restricted connection
may not use PRESET_PASSPHRASE.  To solve this we add an new option to
preset the passphrase into the "restricted" cache.  For the
gpg-preset-passphrase tool we also add the option --restricted.

Note that this does not yet work with gpg-preset-passphrase --forget.
2023-03-27 11:47:28 +02:00
Werner Koch
9f27e448bf
gpg: New command --quick-add-adsk
* g10/gpg.c (enum cmd_and_opt_values): Add aQuickAddADSK.
(opts): Add --quick-add-adsk.
(main): Call the actual function.
* g10/keyedit.c (keyedit_quick_addadsk): New.
(menu_addadsk): Add arg adskfpr and change caller.
--

GnuPG-bug-id: 6395
2023-03-21 16:30:18 +01:00
Werner Koch
d09301a9e1
po: Fix German translation regarding the caching of PINs.
--

We do not actually cache PINs (but the card does this). Thus we now
use a more clear message.
2023-03-21 09:33:16 +01:00
Werner Koch
658daae34a
doc: Suggest the use of out-of-source builds.
--

GnuPG-bug-id:  6313
2023-03-21 09:15:20 +01:00
Werner Koch
625aeb65b0
dirmngr: New command AD_QUERY.
* dirmngr/dirmngr.h: Include name-value.h
(struct server_control_s): Add rootdse and rootdse_tried.
* dirmngr/dirmngr.c (dirmngr_deinit_default_ctrl): Release them.
* dirmngr/ks-engine.h (KS_GET_FLAG_ROOTDSE): Add two new flags.
* dirmngr/ks-engine-ldap.c: Include ks-action.h
(SERVERINFO_GENERIC): New.
(struct ks_engine_ldap_local_s): Add scope.
(ks_ldap_new_state): Set a default scope.
(ks_ldap_clear_state): Ditto.
(my_ldap_connect): Add flag generic.
(return_all_attributes): New.
(fetch_rootdse): New.
(basedn_from_rootdse): New.
(ks_ldap_get): Move some code out to ...
(ks_ldap_prepare_my_state): New.
(ks_ldap_query): New.
* dirmngr/ks-action.c (ks_action_parse_uri): Factored out from server.c
(ks_action_query): New.
* dirmngr/server.c (make_keyserver_item): Factored most code out to
ks_action_parse_uri.
(cmd_ad_query): New.
--

This command allows to query the Windows Active directory.
2023-03-20 19:24:49 +01:00
Werner Koch
f5347fbc25
dirmngr: Add framework to implement a fake CRL feature.
* dirmngr/fakecrl.c: New.
* dirmngr/dirmngr.h (opt): Add fake_crl.
* dirmngr/dirmngr.c (enum cmd_and_opt_values): Add oFakeCRL.
(opts): Add "fake-crl"
(parse_rereadable_options): Set opt.fake_crl.
* dirmngr/server.c (cmd_isvalid): Take care of fakce CRLs.
2023-03-16 14:52:28 +01:00
Werner Koch
e4ac3e7dec
gpgsm: New option --no-pretty-dn
* sm/gpgsm.c (oNoPrettyDN): New.
(opts): Add --no-pretty-dn.
(main): Implement.
* sm/gpgsm.h (opt): Add no_pretty_dn.
* sm/certdump.c (gpgsm_es_print_name): Act upon.
2023-03-16 09:46:05 +01:00
Werner Koch
e5066f2d1c
gpgtar: Do not allow the use of stdout for --status-fd
* tools/gpgtar.c (main): Don't allow logging via the Registry.  Forbid
using stdout for status-fd in crypt mode.
--

Without that check a status output would be mixed up with the input to
the internal call of gpg.

Using the Registry key to enable logging is very annoying.
2023-03-15 12:07:42 +01:00
Werner Koch
56b65f33d2
gpgtar: Print a result status with skiupped files.
* tools/gpgtar.h (struct tarinfo_s): Add new fields.
* tools/gpgtar-extract.c (check_suspicious_name): Add arg info.
(extract_regular): Count files.
(gpgtar_extract): Print stats.
2023-03-15 11:24:04 +01:00
Werner Koch
5118beeec1
gpg: Delete secret key after "keytocard".
* g10/card-util.c (card_store_subkey): Add arg processed_keys.
* g10/keyedit.c (keyedit_menu): Delete secret key.
--

This used to work using the gpg-agent: learn we called at "save" time.
However, the recent change inhibited the creation of a shadow key by
learn if a regular key still exists.  Now we do an explicit delete key
at save time.  This syncs the behaviour with the description of the
man page.

GnuPG-bug-id: 6378
2023-03-15 09:42:12 +01:00
Werner Koch
2e065b4bd2
scd,openpgp: Switch key attributes between RSA and ECC in writekey.
* common/sexputil.c (get_rsa_pk_from_canon_sexp): Also allow private
keys.
(pubkey_algo_string): Ditto.
* scd/app-openpgp.c (do_writekey): Switch key attributes
--

The scd WRITEKEY command for OpenPGP cards missed proper support to
aautomagically switch key attributes based on the new key.  We had
this only in GENKEY.

GnuPG-bug-id: 6378
2023-03-15 09:42:02 +01:00
Werner Koch
6d792ae2eb
agent: Make --disable-extended-key-format a dummy option.
* agent/agent.h (opt): Remove enable_extended_key_format.
* agent/gpg-agent.c (enum cmd_and_opt_values): Turn
oDisableExtendedKeyFormat and oEnableExtendedKeyFormat into dummy
options.

* agent/protect.c (do_encryption): Remove arg use_ocb and
corresponding code.
(agent_protect): Ditto.  Change all callers.

* agent/findkey.c (agent_write_private_key): Simplify due to the
removal of disable-extended-key-format.
(write_extended_private_key): Fold into agent_write_private_key.
--

This change is related to
GnuPG-bug-id: 6386
but should have no visible effect except for the removal of
option --disable-extended-key-format.
2023-03-13 08:53:50 +01:00
Werner Koch
56ca164684
dirmngr: Add command "GETINFO stats".
* dirmngr/server.c (cmd_getinfo): New sub-command "stats".
(dirmngr_status_helpf): Allow for a CTRL of NULL.
* dirmngr/certcache.c (cert_cache_print_stats): Add arg ctrl and use
dirmngr_status_helpf.  Adjust all callers.
* dirmngr/domaininfo.c (domaininfo_print_stats): Ditto.

* sm/certchain.c (ask_marktrusted): Flush stdout before printing the
fingerprint.
2023-03-10 11:24:48 +01:00
Ben Kibbey
be77a7ab8a agent: Try to SETREPEATOK if the pinentry supports it.
* agent/call-pinentry.c (agent_get_passphrase): Do SETREPEATOK.
(agent_askpin): Ditto.

Signed-off-by: Ben Kibbey <bjk@luxsci.net>
2023-03-09 20:12:07 -08:00
Werner Koch
b52a0e244a
dirmngr: Distinguish between "no crl" and "crl not trusted".
* dirmngr/crlcache.h (CRL_CACHE_NOTTRUSTED): New.
* dirmngr/crlcache.c (cache_isvalid): Set this status.
(crl_cache_cert_isvalid): Map it to GPG_ERR_NOT_TRUSTED.
(crl_cache_reload_crl): Move diagnostic to ...
* dirmngr/crlfetch.c (crl_fetch): here.
* dirmngr/server.c (cmd_isvalid): Map it to GPG_ERR_NOT_TRUSTED.
* dirmngr/validate.c (check_revocations): Handle new status.  Improve
diagnostics.
* common/status.c (get_inv_recpsgnr_code): Map INV_CRL_OBJ.
* common/audit.c (proc_type_verify): Ditto.
--

This avoids repeated loading of CRLs in case of untrusted root
certificates.
2023-03-09 18:28:39 +01:00
Werner Koch
65288fc52f
keyboxd: Allow import of v0 certificates.
* kbx/backend-support.c (be_is_x509_blob): Loose detection.
--

Here is a sample v0 cert:

-----BEGIN CERTIFICATE-----
MIIDAzCCAmwCEQC5L2DMiJ+hekYJuFtwbIqvMA0GCSqGSIb3DQEBBQUAMIHBMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xPDA6BgNVBAsTM0Ns
YXNzIDIgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBH
MjE6MDgGA1UECxMxKGMpIDE5OTggVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9y
aXplZCB1c2Ugb25seTEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazAe
Fw05ODA1MTgwMDAwMDBaFw0yODA4MDEyMzU5NTlaMIHBMQswCQYDVQQGEwJVUzEX
MBUGA1UEChMOVmVyaVNpZ24sIEluYy4xPDA6BgNVBAsTM0NsYXNzIDIgUHVibGlj
IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgLSBHMjE6MDgGA1UECxMx
KGMpIDE5OTggVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s
eTEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAp4gBIXQs5xoD8JjhlzwPIQjxnNuX6Zr8wgQGE75fUsjM
HiwSViy4AWkszJkfrbCWrnkE8hM5wXuYuggs6MKEEyyqaekJ9MepAqRCwiNPStjw
DqL7MWzJ5m+ZJwf15vRMeJ5t60aG+rmGyVTyssSv1EYcWskVMP8NbPUtDm3Of3cC
AwEAATANBgkqhkiG9w0BAQUFAAOBgQByLvl/0fFx+8Se9sVeUYpAmLho+Jscg9ji
nb3/7aHmZuovCfTK1+qlK5X2JGCGTUQug6XELaDTrnhpb3LabK4I8GOSN+a7xDAX
rXfMSTWqz9iP0b63GJZHc2pUIjRkLbYWm1lbtFFZOrMLFPQS32eg9K0yZF6xRnIn
jBJ7xUS0rg==
-----END CERTIFICATE-----
2023-03-08 16:09:56 +01:00