1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

9347 Commits

Author SHA1 Message Date
Werner Koch
5f78ae696c
artwork: Explain the license for the logo 2021-06-29 18:42:51 +02:00
Werner Koch
a6efde307f
agent: Fix regression in agent_get_shadow_info_type.
* agent/protect.c (agent_get_shadow_info_type): Return the correct
value.
--

Fixes-commit: 33a2362e566c0e0d7011abf2e5fa5704d7cb4206
GnuPG-bug-id: 5393
2021-06-25 20:23:01 +02:00
Werner Koch
9579c77862
gpg: Let --fetch-key return an exit code on failure.
* g10/keyserver.c (keyserver_fetch): Return an error code.
* g10/gpg.c (main) <aFetchKeys>: Return 1 in case of no data.
--

GnuPG-bug-id: 5376
2021-06-25 09:55:52 +02:00
Werner Koch
95d707e093
tools: Tweak ccidmon output.
--
2021-06-25 09:55:52 +02:00
NIIBE Yutaka
25ae80b8eb scd:ccid: Handle LIBUSB_TRANSFER_OVERFLOW interrupt transfer.
* scd/ccid-driver.c (intr_cb): Ignore LIBUSB_TRANSFER_OVERFLOW.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-23 12:08:20 +09:00
Werner Koch
2c6b62b357
tools: Extend ccidmon to print T=1 APDUs
* tools/ccidmon.c (print_as_ascii): New.
(print_t1_block): New.
(print_p2r_xfrblock): Print APDUs
(print_r2p_datablock): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-22 20:41:47 +02:00
Werner Koch
5df658233a
tests: Cope with broken Libgcrypt versions
* common/t-sexputil.c (test_ecc_uncompress): Ignore unknwon curve
errors.
--

For unknown reasons some versions of Fedora or RHEL provide a patched
version of Libgcrypt with Brainpool support removed.  We better ignore
this error because it is a regression in 2.2.28 although that older
versions could not used Brainpool keys.

GnuPG-bug-id: 5502
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-22 12:30:46 +02:00
Werner Koch
edfe9453be
w32: Add fallback in case the Windows console can't cope with Unicode.
* common/ttyio.c (w32_write_console): Fallback to WriteConsoleA on
error.
--

To test this switch the Windows Console to "legacy mode"

  set LANG=de
  gpg --card-edit

and enter an invalid command.  The response contains an Umlaut and old
Windows versions (and the legacy console) don't have a proper font
installed for this.  Without this patch this runs into a log_fatal
error.

The mitigation we implement is to fallback to WriteConsoleA, that is
accepting wrong encoding and to print a note about the problem.

GnuPG-bug-id: 5491
2021-06-22 11:12:28 +02:00
Werner Koch
e387cc97c8
scd:p15: Prepare AODF parsing for other authentication types.
* scd/app-p15.c (auth_type_t): New.
(struct aodf_object_s): Add field auth_type.
(read_ef_aodf): Distinguish between pin and authkey types.  Include
the authtype in the verbose mode diags.
--

Note that the bulk of chnages are just indentation chnages.  There
should be no functional change.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-22 11:11:46 +02:00
Werner Koch
d5126efd89
dirmngr: Fix regression in KS_GET for mail address pattern.
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Munge mail address pattern.
(ks_hkp_get): Allow for mail addresses.
-

Before the keyserver changes in 2.2.28 gpg passed dirmngr a pail
address as an exact pattern (e.g. "=foo@example.org").  Since 2.2.28
the mail address is detected gpg gpg and we see for example
"<foo@example.org>".  This patch fixes this to turn a mail address
into an exact match again.

GnuPG-bug-id: 5497
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-21 09:32:16 +02:00
Werner Koch
029924a46e
scd:p15: Add pre-check for ascii-numeric PINs.
* scd/app-p15.c (verify_pin): acii-numerix is different than BCD.
2021-06-18 18:02:08 +02:00
Werner Koch
544ec7872a
scd:p15: Add basic support for AET JCOP cards.
* scd/app-p15.c (CARD_TYPE_AET): New.
(cardtype2str): Add string.
(card_atr_list): Add corresponding ATR.
(app_local_s): New flag no_extended_mode.  Turn two other flags into
bit flags.
(select_ef_by_path): Hack to handle the 3FFF thing.
(readcert_by_cdf): Do not use etxended mode for AET.
(app_select_p15): Set no_extended_mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-18 17:42:38 +02:00
Werner Koch
7a8545c91b
scd:p15: Handle cards with bad encoded path objects.
* scd/app-p15.c (read_ef_prkdf, read_ef_pukdf)
(read_ef_cdf, read_ef_aodf): Allow for a zero length path and
correctly skip unsupported auth types.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-18 17:42:38 +02:00
Werner Koch
44f977d0e3
scd: Improve reading of binary records.
* scd/iso7816.c (iso7816_read_binary_ext): Handle the 0x6a86 SW the
same as 6b00.
* scd/apdu.c (apdu_get_atr): Modify debug messages.
* scd/app-p15.c (app_select_p15): Print FCI on error.
(read_p15_info): Clean up diag in presence of debug options.
--

Some cards return 6a86 instead of 6b00.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-18 17:42:38 +02:00
NIIBE Yutaka
7718244168 scd: Fix RESET handling.
* scd/app.c (scd_update_reader_status_file): Clear ->reset_requested.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-17 16:07:09 +09:00
NIIBE Yutaka
09c62e263b po: Fix Simplified Chinese Translation.
--

GnuPG-bug-id: 5477
Reported-by: Zhongren Gu
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-17 11:36:07 +09:00
NIIBE Yutaka
c6900f5723
dirmngr: Fix build with --disable-ldap.
* dirmngr/dirmngr.c (parse_rereadable_options) [USE_LDAP]:
Conditionalize.

--

Reported-by: Phil Pennock
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit c8b2162c0e7eb42b74811b7ed225fa0f56be4083)
2021-06-16 13:06:40 +02:00
Werner Koch
89df86157e
sm: New option --ldapserver as an alias for --keyserver.
* sm/gpgsm.c (opts): Add option --ldapserver and make --keyserver an
alias.
--

We should use "keyserver" for OpenPGP and thus it is better to allow
for "ldapserver" here - it is the same convention as now used in
dirmngr.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d6df1bf84969bf5f5781e33bc1c2f6cb2aee0093)
2021-06-16 13:04:34 +02:00
Werner Koch
14528ec66b
dirmngr: Allow to pass no filter args to dirmngr_ldap.
* dirmngr/dirmngr_ldap.c (main): Handle no args case.
--

This is required for example for CRLs.  The old code did not require
this because the hos was taken from the URL given has arg.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f6e45671aa26f3e7abb968a876de7bbdb4fca3f1)
2021-06-16 12:59:49 +02:00
Werner Koch
864ea25198
dirmngr: Rewrite the LDAP wrapper tool
* dirmngr/ldap-misc.c: New.
* dirmngr/ldap-misc.h: New.
* dirmngr/ks-engine-ldap.c: Include ldap-misc.h.
(ldap_err_to_gpg_err, ldap_to_gpg_err): Move to ldap-misc.c.
* dirmngr/ldap-wrapper.c (ldap_wrapper): Print list of args in debug
mode.
* dirmngr/server.c (lookup_cert_by_pattern): Handle GPG_ERR_NOT_FOUND
the saqme as GPG_ERR_NO_DATA.
* dirmngr/ldap.c (run_ldap_wrapper): Add args tls_mode and ntds.
Remove arg url.  Adjust for changes in dirmngr_ldap.
(url_fetch_ldap): Remove args host and port.  Parse the URL and use
these values to call run_ldap_wrapper.
(attr_fetch_ldap): Pass tls flags to run_ldap_wrapper.
(rfc2254_need_escape, rfc2254_escape): New.
(extfilt_need_escape, extfilt_escape): New.
(parse_one_pattern): Rename to ...
(make_one_filter): this.  Change for new dirmngr_ldap calling
convention.  Make issuer DN searching partly work.
(escape4url, make_url): Remove.
(start_cert_fetch_ldap): Change for new dirmngr_ldap calling
convention.
* dirmngr/dirmngr_ldap.c: Major rewrite.

* dirmngr/t-ldap-misc.c: New.
* dirmngr/t-support.h (DIM, DIMof): New.
* dirmngr/Makefile.am (dirmngr_ldap_SOURCES): Add ldap-misc.c
(module_tests) [USE_LDAP]: Add t-ldap-misc.
(t_ldap_parse_uri_SOURCES): Ditto.
(t_ldap_misc_SOURCES): New.
--

This rewrite allows to properly handle TLS and avoids some code
duplication.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 39815c023f0371dea01f7c51469b19c06ad18718)
2021-06-16 12:58:32 +02:00
Werner Koch
bcb9931562
dirmngr: Remove useless code.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Remove the
password_param thing because we set the password directly without an
intermediate var.
--

Reported-by: Ingo Kloecker
(cherry picked from commit 8bd5172539e1399b407aa2a9d56fa51b8e040ae3)
2021-06-16 12:47:04 +02:00
Werner Koch
0426e6e869
doc: Update description of LDAP keyservers
--

(cherry picked from commit 7c4b0eda7462cecf230aba8472d264593257dd0d)
2021-06-16 12:46:21 +02:00
Werner Koch
58e4c82512
dirmngr: Fix default port for our redefinition of ldaps.
* dirmngr/server.c (make_keyserver_item): Fix default port for ldaps.
Move a tmpstr out of the blocks.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Improve diagnostics.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 8de9d54ac83fa20cb52b847b643311841be4d6dc)
2021-06-16 12:45:20 +02:00
Werner Koch
3e05f99e8d
dirmngr: Use --ldaptimeout for OpenPGP LDAP keyservers.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Use LDAP_OPT_TIMEOUT.

* dirmngr/dirmngr.c (main): Move --ldaptimeout setting to ...
(parse_rereadable_options): here.
--

Note that this has not yet been tested.  In fact a test with OpenLDAP
using a modified route got stuck in the connection attempt.  Maybe it
works on Windows - will be tested later.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 317d5947b84ae2707e46b89fb0d8318c07174e13)
2021-06-16 12:43:11 +02:00
Werner Koch
52cf32ce2f
dirmngr: New option --ldapserver
* dirmngr/dirmngr.c (opts): Add option --ldapserver.
(ldapserver_list_needs_reset): New var.
(parse_rereadable_options): Implement option.
(main): Ignore dirmngr_ldapservers.conf if no --ldapserver is used.

* dirmngr/server.c (cmd_ldapserver): Add option --clear and list
configured servers if none are given.
--

This option allows to specify LDAP keyserver in dirmngr instead of
using gpgsm.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit ff17aee5d10c8c5ab902253fb4332001c3fc3701)
2021-06-16 12:42:02 +02:00
Werner Koch
eb3a629154
dirmngr: Allow for non-URL specified ldap keyservers.
* dirmngr/server.c (cmd_ldapserver): Strip an optional prefix.
(make_keyserver_item): Handle non-URL ldap specs.
* dirmngr/dirmngr.h (struct ldap_server_s): Add fields starttls,
ldap_over_tls, and ntds.

* dirmngr/ldapserver.c (ldapserver_parse_one): Add for an empty host
string.  Improve error messages for the non-file case.  Support flags.
* dirmngr/ks-action.c (ks_action_help): Handle non-URL ldap specs.
(ks_action_search, ks_action_get, ks_action_put): Ditto.
* dirmngr/ks-engine-ldap.c: Include ldapserver.h.
(ks_ldap_help): Handle non-URL ldap specs.
(my_ldap_connect): Add args r_host and r_use_tls.  Rewrite to support
URLs and non-URL specified keyservers.
(ks_ldap_get): Adjust for changes in my_ldap_connect.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto.
--

The idea here is to unify our use of URLS or colon delimited ldap
keyserver specification.  The requirement for percent escaping, for
example the bindname in an URLs, is cumbersome and prone to errors.
This we allow our classic colon delimited format as an alternative.
That format makes it also easy to specify flags to tell dirmngr
whether to use starttls or ldap-over-tls.  The code is nearly 100%
compatible to existing specification.  There is one ambiguity if the
hostname for CRL/X509 searches is just "ldap"; this can be solved by
prefixing it with "ldap:" (already implemented in gpgsm).

GnuPG-bug-id: 5405, 5452
Ported-from: 2b4cddf9086faaf5b35f64a7db97a5ce8804c05b
2021-06-16 12:25:13 +02:00
Werner Koch
bebc71d229
gpg,sm: Simplify keyserver spec parsing.
* common/keyserver.h: Remove.
* sm/gpgsm.h (struct keyserver_spec): Remove.
(opt): Change keyserver to a strlist_t.
* sm/gpgsm.c (keyserver_list_free): Remove.
(parse_keyserver_line): Remove.
(main): Store keyserver in an strlist.
* sm/call-dirmngr.c (prepare_dirmngr): Adjust for the strlist.  Avoid
an ambiguity in dirmngr by adding a prefix if needed.

* g10/options.h (struct keyserver_spec): Move definition from
keyserver.h to here.  Remove most fields.
* g10/keyserver.c (free_keyserver_spec): Adjust.
(cmp_keyserver_spec): Adjust.
(parse_keyserver_uri): Simplify.
(keyidlist): Remove fakev3 arg which does not make any sense because
we don't even support v3 keys.
--

We now rely on the dirmngr to parse the keyserver specs.  Thus a bad
specification will not be caught immediately.  However, even before
that dirmngr had stricter tests.

Signed-off-by: Werner Koch <wk@gnupg.org>
Ported-from: 9f586700ec4ceac97fd47cd799878a8847342ffa
2021-06-16 12:03:13 +02:00
Werner Koch
1c96f4d663
dirmngr: Support pseudo URI scheme "opaque".
* dirmngr/http.h (HTTP_PARSE_NO_SCHEME_CHECK): New.
* dirmngr/http.c (http_parse_uri): Use this flag.  Change all callers
to use the new macro for better readability.
(do_parse_uri): Add pseudo scheme "opaque".
(uri_query_value): New.
--

This scheme can be used to convey arbitrary strings in a parsed_uri_t
object.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 72124fadafde153f8ac89a70202006d831829d06)
2021-06-16 11:54:47 +02:00
Jiri Kerestes
755a5f1a0e
card: Fix typo in help message
--
Signed-off-by: Jiri Kerestes <jiri.kerestes@trustica.cz>
2021-06-12 18:33:32 +02:00
Werner Koch
6b76693ff5
sm: Fix finding of issuer in use-keyboxd mode.
* sm/keydb.c (struct keydb_local_s): Add field saved_search_result.
(keydb_push_found_state): Implement for keyboxd.
(keydb_pop_found_state): Ditto.
(keydb_get_cert): Do not release the cert so that the function can be
used again to get the same cert.  This is the same behaviour as in
pubring.kbx mode.

* sm/certchain.c, sm/import.c: Improve some error messages.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-11 20:15:32 +02:00
NIIBE Yutaka
4e02db75e3 scd: Support clearing of Reset Code by ''.
* scd/app-openpgp.c (do_change_pin): Allow null-string.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-11 13:42:01 +09:00
NIIBE Yutaka
63427a0e4e po: Fix typo in Simplified Chinese Translation.
--

Forward port 2.2 commit of:
	3896e7e625dc9cc8d04dcd6cae9f0c22bfe5b404

GnuPG-bug-id: 5477
Reported-by: Zhongren Gu
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-11 13:30:32 +09:00
Werner Koch
cd53c6d0f3
scd: Add new card vendor.
--
2021-06-10 21:55:36 +02:00
Werner Koch
14e36bdbe1
gpgtar,w32: Fix file size computation
* tools/gpgtar-create.c (fillup_entry_w32): Move parentheses.
--

Fixes-commit: 8b8925a2bdbb12dd537dde20a27cdb1416c2f1ae

The bug is so obvious that I wonder why it was not reported more often
on Windows. (Adding 1 to MAXDWORD (0xfffffff) always gives 0 for the
product).

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-09 20:03:20 +02:00
NIIBE Yutaka
7a80004d54 agent: Fix importing protected secret key.
* agent/cvt-openpgp.c (do_unprotect): Only modify SKEY when it is
correctly decrypted.

--

GnuPG-bug-id: 5122
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-09 10:57:52 +09:00
NIIBE Yutaka
c3a9ee0b65 scd: Fix serial number detection for Yubikey 5.
* scd/app.c (app_new_register): Handle serial number correctly.

--

GnuPG-bug-id: 5442
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-08 10:37:48 +09:00
NIIBE Yutaka
ee5b6af370 scd: Fix READER-PORT option handling for PC/SC.
* scd/apdu.c (apdu_open_reader): READERNO should be -1 when
READER-PORT is specified for PC/SC.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-07 11:38:25 +09:00
NIIBE Yutaka
21ef425e22 agent: Appropriate error code for importing key with no passwd.
* agent/cvt-openpgp.c (convert_from_openpgp_main): Return
GPG_ERR_BAD_SECKEY.

--

When non-protected case, error at gcry_pk_testkey results
GPG_ERR_BAD_PASSPHRASE.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-04 13:44:05 +09:00
NIIBE Yutaka
9668ee097a gpg: Support KEYGRIP search with traditional keyring.
* g10/keyring.c (keyring_search): Handle KEYDB_SEARCH_MODE_KEYGRIP.

--

GnuPG-bug-id: 5469
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-03 13:32:25 +09:00
Werner Koch
c17dac5ac3
common: Allow for GCM decryption in de-vs mode.
* common/compliance.c (gnupg_cipher_is_allowed): Allow GCM for gpgsm
in decrypt mode.

* tests/cms/samplemsgs/pwri-sample.gcm.p7m: Remove duplicated authtag
--

We allow GCM in de-vs mode for decryption although this has not been
evaluation.  It is decryption and thus no serious harm may happen.
2021-06-02 19:14:37 +02:00
Werner Koch
4980fb3c6d
sm: Support AES-GCM decryption.
* tests/cms/samplemsgs/: Add sample messages.
* sm/gpgsm.c (main): Use gpgrt_fcancel on decryption error.
* sm/decrypt.c (decrypt_gcm_filter): New.
(gpgsm_decrypt): Use this filter if requested.  Check authtag.
--

Note that the sample message pwri-sample.gcm.p7m is broken: The
authtag is duplicated to the authEncryptedContentInfo.  I used a
temporary code during testing hack to that test message out.
2021-06-02 11:03:55 +02:00
Werner Koch
a8209b001c
tests: Rename subdir gpgsm to cms and move sample dirs.
--

It does not make sense to have the cms stuff at the top level but the
openpgp at a dedicated directory.  This patch fixes that.
2021-05-31 21:51:45 +02:00
Werner Koch
31c0aa2ff3
gpgconf: Make runtime changes with different homedir work.
* tools/gpgconf-comp.c (dirmngr_runtime_change): Pass --homedir first.
2021-05-28 19:48:16 +02:00
Werner Koch
1ca4df446f
doc: Add notes on how to enable TLS in openldap.
--
2021-05-28 17:48:14 +02:00
NIIBE Yutaka
36f50b259c agent: Fix calling handle_pincache_put.
* agent/call-scd.c (padding_info_cb): Fix the argument.

--

GnuPG-bug-id: 5436
Reported-by: Bogdan Luca
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-28 13:43:59 +09:00
NIIBE Yutaka
5b1806454c scd: Fix zero-byte handling in ECC.
* scd/app-openpgp.c (ecc_writekey): Don't remove zero-byte.

--

Fixes-commit: a25c99b156ca9acaa7712e9c09a6df0a7a23c833
GnuPG-bug-id: 5163
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-28 11:34:56 +09:00
NIIBE Yutaka
2b50f94267 gpg: Ed448 and X448 are only for v5 for --full-gen-key.
* g10/keygen.c (generate_keypair): Set pVERSION = 5, pSUBVERSION = 5,
when it's Ed448 or X448.

--

Fixes-commit: 36355394d865f5760075e62267d70f7a7d5dd671
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-27 17:03:49 +09:00
NIIBE Yutaka
be81941e1a build: _DARWIN_C_SOURCE should be 1.
* configure.ac (*-apple-darwin*): Set _DARWIN_C_SOURCE 1.

--

GnuPG-bug-id: 5440
Reported-by: Jay Freeman
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-27 13:32:08 +09:00
Werner Koch
30563ea297
gpg: Partial fix for Unicode problem in output files.
* g10/openfile.c (overwrite_filep): Use gnupg_access.
--

As said, this is just an obvious but partial fix.  We need to review
things for the output module.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-25 13:39:59 +02:00
Werner Koch
260bbb4ab2
common: Annotate leaked memory in homedir.c
* g10/trustdb.c (how_to_fix_the_trustdb): Use gnupg_homedir.
* common/homedir.c (standard_homedir): Annotate leaked memory.
(gnupg_daemon_rootdir): Ditto.
(gnupg_socketdir): Ditto.
(gnupg_sysconfdir): Ditto.
(gnupg_bindir): Ditto.
(gnupg_libdir): Ditto.
(gnupg_datadir): Ditto.
(gnupg_localedir): Ditto.
(gnupg_cachedir): Ditto.
(gpg_agent_socket_name): Ditto.
(dirmngr_socket_name): Ditto.
(keyboxd_socket_name): Ditto.
(get_default_pinentry_name): Ditto.
(gnupg_module_name): Ditto.
(default_homedir): Ditto.  Make static.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-21 09:23:04 +02:00