1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-24 10:39:57 +01:00

9756 Commits

Author SHA1 Message Date
Werner Koch
d38f877bd8
doc: Minor doc updates and a typo fix.
--
2019-09-25 16:21:30 +02:00
NIIBE Yutaka
bb5ed9fe1a build: Build gpg-pair-tool only when there is newer libgcrypt.
* configure.ac (HAVE_NEWER_LIBGCRYPT): New.
* tools/Makefile.am: Conditionalize build of gpg-pair-tool.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-20 14:19:18 +09:00
NIIBE Yutaka
7c81e5cb97 tools: Fix gpg-pair-tool to follow new API.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-19 18:36:11 +09:00
NIIBE Yutaka
b928de70e0 tools: Don't prepare G in gpg-pair-tool.
* tools/gpg-pair-tool.c (create_dh_keypair): Use NULL for G.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-19 18:36:11 +09:00
NIIBE Yutaka
f22a004161 tools: Use new API of libgcrypt for gpg-pair-tool.
* tools/gpg-pair-tool.c (create_dh_keypair): Just use
gcry_random_bytes for secret.  Call gcry_ecc_mul_point
with G to get the public key.
(compute_master_secret): Use gcry_ecc_mul_point.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-19 18:36:11 +09:00
Werner Koch
1f987516f6
tests: Add two user-id parsing test cases.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-17 16:19:28 +02:00
NIIBE Yutaka
49671b76ea scd,pcsc: Use HANDLE for context and card.
* scd/apdu.c (HANDLE): New.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-17 19:54:52 +09:00
NIIBE Yutaka
980d0234d3 scd: Remove old fallback logic from CCID to PC/SC.
* scd/apdu.c (apdu_dev_list_start): Return an error on failure.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-12 09:34:34 +09:00
NIIBE Yutaka
6d750fe7fc scd,pcsc: Support "reader-port" option for PC/SC reader.
* scd/apdu.c (apdu_open_reader): Skip use of a reader if it's not the
one specified when it is specified.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-12 09:30:37 +09:00
NIIBE Yutaka
c569e49d17 scd,pcsc: Remove the restriction of no-scanning in PC/SC.
* scd/apdu.h (app_open_reader): Remove the last argument.
* scd/apdu.c (app_open_reader): Ditto.
* scd/app.c (select_application): Don't supply APP_EMPTY.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-12 08:48:48 +09:00
NIIBE Yutaka
92be4e87ee scd,pcsc: Fix examining the list of readers.
* scd/apdu.c (apdu_dev_list_start): Traverse the string+NUL carefully.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-11 11:05:03 +09:00
NIIBE Yutaka
441106cdf0 scd,pcsc: Fix for initializing PC/SC.
* scd/apdu.c (pcsc_init): Load it at first.
(apdu_open_reader): Check for the CCID internal driver.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-11 10:36:29 +09:00
NIIBE Yutaka
e8534f8999 scd,pcsc: Support multiple card readers.
* scd/apdu.c (close_pcsc_reader, apdu_init): Clear pcsc.rdrname.
(pcsc_init): Load of PC/SC module moved from ...
(open_pcsc_reader): ... here.
(apdu_dev_list_start): Add support for PC/SC.
(apdu_dev_list_finish): Likewise.
(apdu_open_reader): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-11 10:11:33 +09:00
NIIBE Yutaka
1080e91efd scd,pcsc: Use a single context.
* scd/apdu.c (pcsc): New variable.
(struct reader_table_s): Remove pcsc.context from member.
(pcsc_get_status, connect_pcsc_card): Use pcsc.context.
(close_pcsc_reader): Release pcsc.context here with reference count.
(pcsc_init): New.
(open_pcsc_reader): Don't call pcsc_establish_context here.  Call
close_pcsc_reader instead of pcsc_release_context.
(apdu_open_reader): Call pcsc_init if needed.
(apdu_init): Initialize pcsc.count and pcsc.context.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-11 10:11:25 +09:00
NIIBE Yutaka
f44aa290c1 scd: Clean up the structure for future fix of PC/SC.
* scd/apdu.c (struct dev_list): Rename from ccid_table, with void*.
(open_ccid_reader): Follow the change.
(apdu_dev_list_start, apdu_dev_list_finish): Likewise.
(apdu_open_reader): Likewise.
* scd/ccid-driver.c (ccid_dev_scan): Use void *.
(ccid_dev_scan_finish, ccid_get_BAI, ccid_open_usb_reader): Likewise.
* scd/ccid-driver.h: Change the APIs.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-11 10:11:18 +09:00
Werner Koch
ce9906b008
gpg: First rough implementation of keyboxd access for key lookup.
* g10/Makefile.am: Add nPth flags.
* g10/gpg.c: Include npth.h.
(gpg_deinit_default_ctrl): Deinit call-keyboxd local data.
(main): Init nPth.
* g10/keydb-private.h (struct keydb_handle_s): Add field 'kbl' and
remove the search result and the assuan context.
* g10/call-keyboxd.c (struct keyboxd_local_s): Add more fields.
(lock_datastream, unlock_datastream): New.
(gpg_keyboxd_deinit_session_data): Adjust for changed data structures.
(prepare_data_pipe): New.
(open_context): Return kbl instead of an Assuan context.  Init mutexes
etc.
(close_context): Merge into ...
(keydb_release): here.  Adjust for changed data structures.
(datastream_thread): New.
(keydb_get_keyblock): Implement datastream stuff.
(keydb_search): Ditto.

* common/asshelp.c (wait_for_sock): Add arg connect_flags.
(start_new_service): Set FDPASSING flag for the keyboxd.
--

This code as a lot of rough edges, in particular it relies on a well
behaving keyboxd.  We need to add code to shutdown the datastream
reader thread in case of errors and to properly get it up again.  We
also need to make really sure that both threads run in lockstep so
that the datastream thread is only active while we are sending a
command to the keyboxd.

We should also see whether we can depend nPth initialization on the
--use-keyboxd option to avoid any problems with nPth.

And we need to test on Windows.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-10 16:05:54 +02:00
Werner Koch
6c327b4dd6
kbx: Allow fd-passing for the keyboxd.
* kbx/kbxserver.c: Include host2net.h
(struct server_local_s): Add field outstream.
(prepare_outstream): New.
(kbxd_writen): New.
(kbxd_write_data_line): Write to file descrptor.  Disable the slow
human reader friendly data line formatting.
(cmd_search, cmd_next): Disable data logging.
(kbxd_start_command_handler): Add OUTPUT command.
* kbx/keyboxd.c (main): Enable log monitor.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-10 15:52:12 +02:00
Werner Koch
2f0fdab8aa
common: Allow a readlimit for iobuf_esopen.
* common/iobuf.c (file_es_filter_ctx_t): Add fields use_readlimit and
readlimit.
(file_es_filter): Implement them.
(iobuf_esopen): Add new arg readlimit.
* g10/decrypt-data.c (decrypt_data): Adjust for change.
* g10/import.c (import_keys_es_stream): Ditto.
--

This comes handy for (length,datablob) style streams.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-10 15:45:58 +02:00
Andre Heinecke
c69a37dcbd
doc: Fix distchek for generated eps file
* doc/Makefile.am (EXTRA_DIST, BUILT_SOURCES): Add
gnupg-module-overview.eps, gnupg-card-architecture.eps
(DISTCLEANFILES): Remove them.

--
The files needs to be added so that it is properly
included in the dist tarball. As the rule
for it was moved into maintainer mode by 58bab1a.
2019-09-10 10:07:19 +02:00
Werner Koch
aba82684fe
gpg: New option --use-keyboxd.
* g10/gpg.c (oUseKeyboxd,oKeyboxdProgram): New consts.
(opts): New options --use-keyboxd and --keyboxd-program.
(main): Implement them.
* g10/keydb.c: Move some defs out to ...
* g10/keydb-private.h: new file.
* g10/keydb.c: prefix function names with "internal" and move original
functions to ...
* g10/call-keyboxd.c: new file.  Divert to the internal fucntion if
--use-keyboxd is used.  Add a CTRL arg to most fucntions and change
all callers.
* g10/Makefile.am (common_source): Add new files.
(noinst_PROGRAMS): Do bot build gpgcompose.
--

Note that this is just the framework with only a basic implementation
of searching via keyboxd.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-09 15:01:47 +02:00
Werner Koch
5e00c1773d
kbx: Fix keyboxd search first.
* kbx/kbxserver.c (cmd_next): Switch to mode next if needed.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-09 14:25:02 +02:00
Werner Koch
1545b948e1
kbx: Allow searching from start.
* kbx/kbxserver.c (cmd_search): Detect empty pattern.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-09 09:01:28 +02:00
Stephan Mueller
e825aea2ba
gpg: expand GPG groups when resolving a key
* g10/expand-group.c: New
* g10/pkclist.c: Extract expand_group and expand_id into expand-group.c.
* g10/keydb.h: Add prototypes of expand_id and expand_group.
* g10/getkey.c: Use expand_group before resolving key references.
* g10/Makefile.am: Compile expand-group.c.
--

When searching a key by its name, try to expand the provided name in
case it is a GPG group reference. This GPG group resolution is performed
before the individual keys are verified.

This allows key listing using a GPG group reference. In particular, this
modification fixes the encryption to group support in KDE's Kmail which
is broken since version 18.04.

Signed-off-by: Stephan Mueller <stephan.mueller@atsec.com>

- Changed new filename to use a dash instead of an underscore.
- Indendation changes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-06 17:12:38 +02:00
Werner Koch
d9c4c3776b
gpg: Make --quiet work on --send-keys.
* g10/keyserver.c (keyserver_put): Act upon --quiet.
--

Suggested-by: Robin H. Johnson <robbat2@gentoo.org>
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-06 16:48:53 +02:00
Werner Koch
209caaff66
gpg: Prepare parser for the new attestation certificates.
* common/openpgpdefs.h (SIGSUBPKT_ATTST_SIGS): New.
* g10/keydb.h (IS_ATTST_SIGS): New.
(IS_CERT): Include the new one.
* g10/sign.c (mk_notation_policy_etc): Do not put notations into
attestation key signatures.
* g10/parse-packet.c (dump_sig_subpkt): Add new arg digest_algo.
Print the attestation sigs.
(parse_one_sig_subpkt): Support SIGSUBPKT_ATTST_SIGS.
(can_handle_critical): Ditto.
(enum_sig_subpkt): Pass digest algo to dump_sig_subpkt.
--

This change allows to list the new subpacket with --list-packets.
Example output:

  :signature packet: algo 22, keyid C694723A1370EAB1
          version 4, created 1567097576, md5len 0, sigclass 0x16
          digest algo 8, begin of digest ff 0c
          hashed subpkt 2 len 4 (sig created 2019-08-29)
          hashed subpkt 37 len 32 (attst-sigs: 1
                                   A794C6E9CCFE2F34C67E07[...])
          hashed subpkt 33 len 21 (issuer fpr v4 156A3872[...])
          subpkt 16 len 8 (issuer key ID C694723A1370EAB1)
          data: [256 bits]
          data: [256 bits]

GnuPG-bug-id: 4694
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-05 21:27:13 +02:00
Werner Koch
e1d9be730c
gpg: Rework the signature subpacket iteration function.
* g10/parse-packet.c (enum_sig_subpkt): Replace first arg by two args
so that the entire signature packet is available.  Change all callers.
(parse_sig_subpkt): Ditto.
--

This patch is a prerequisite to support the new attestation key
signatures.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-05 20:38:23 +02:00
Werner Koch
7febb4f247
scd: Implement auto-switching between Yubikey apps.
* scd/app.c (apptype_from_keyref): New.
(maybe_switch_app): Add arg 'keyref' and use this also for switching.
Change all callers to pass a keyref if needed.
--

A drawback of this auto-switching is that the PIN cache of the cards
are cleared.  That could be mitigated by having our own cache but we
always tried to avoid that.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-05 14:07:27 +02:00
Werner Koch
5d9eb060b7
scd:openpgp: Avoid PIN caching issues after re-select.
* scd/app-openpgp.c (do_reselect): Clear PIN cache flags.
--

It seems that the verification status of the OpenPGP app on a Yubikey
is reset on a select.  We need to reflect this in our cache to avoid a
"Bad PIN" error on computing a signature.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-05 13:53:58 +02:00
Werner Koch
61ed02211a
doc: Update description of --debug
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-05 13:12:14 +02:00
Werner Koch
947b44e835
scd:piv: Allow the keygrip as alternative to a keyref.
* scd/app-piv.c (find_dobj_by_keyref): Allow the keygrip as input.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-05 13:03:00 +02:00
Werner Koch
c8d739a356
scd: Improve locking of app_do_with_keygrip.
* scd/app.c (app_do_with_keygrip): Lock once per card.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-05 13:02:59 +02:00
Werner Koch
4e701953fe
scd: New debug flag "app".
* scd/scdaemon.h (DBG_APP_VALUE, DBG_APP): New.
* scd/scdaemon.c (debug_flags): Add "app".
* scd/app.c (xstrapptype): New.
(app_readcert, app_readkey, app_getattr): Add debug output.
(app_setattr, app_sign, app_auth): Ditto.
(app_writecert, app_writekey, app_change_pin): Ditto.
(app_check_pin): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-05 13:02:59 +02:00
NIIBE Yutaka
9f39e0167d agent: Fix ask_for_card to allow a key on multiple cards.
* agent/divert-scd.c (ask_for_card): Don't use SERIALNO to select
card, but use KEYGRIP.

GnuPG-bug-id: 4695
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-09-05 17:18:39 +09:00
Werner Koch
fed9c93e05
scd: New sub-command cmd_has_option for GETINFO.
* scd/command.c (cmd_getinfo): Add cmd_has_option sub-command.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-04 13:50:12 +02:00
Werner Koch
9a0d8f2d89
scd: Add option --all to the SERIALNO command.
* scd/command.c (cmd_serialno): Add option --all.
(open_card_with_request): Implement that option.
* scd/app.c (select_all_additional_applications_internal): New.
(select_additional_application): Add mode to call new function.
--

This option is currently only useful for Yubikeys and basically
ignored with other cards.  Its use is

  SERIALNO --all
  LEARN --force --multi

which will then print keypairinfo and other stuff for the OpenPGP and
PIV application of a Yubikey.  Scute is going to use this to allow
using certificates from OpenPGP and PIV at the same time.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-04 13:38:58 +02:00
Werner Koch
fa25837942
scd: Fix Error checking in additioal app selection.
* scd/app.c (select_additional_application): Return error for unknown
NAME.
--

ERR was only set but not used.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-04 12:27:54 +02:00
Werner Koch
5cf5a04bae
scd: Add option --multi to the LEARN command.
* scd/app-common.h (APP_LEARN_FLAG_MULTI): New.
* scd/command.c (cmd_learn): Add option --multi.
* scd/app.c (app_write_learn_status): Factor some code out to ...
(write_learn_status_core): new.
(app_write_learn_status): Implement flag --multi.
--

This new option is intended to return information about all active
applications of the current card.  Thus if a "SERIALNO openpgp" and a
"SERIALNO piv" has been done in a session the command "LEARN --force
--multi" returns information about both applications.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-04 12:08:07 +02:00
Werner Koch
2cdea776cd
scd: Use a macro for the flag parameter of learn_status.
* scd/app-common.h (APP_LEARN_FLAG_KEYPAIRINFO): New flag macro..
* scd/command.c (cmd_learn): Pass that flag instead of a plain number.
* scd/app-nks.c (do_learn_status_core): Use new flag.
* scd/app-p15.c (do_learn_status): Ditto.
* scd/app-piv.c (do_learn_status): Ditto.
* scd/app-sc-hsm.c (do_learn_status): Ditto.
* scd/app.c (app_write_learn_status): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-09-04 10:45:29 +02:00
Werner Koch
1d277c9670
doc: Fix grammar error.
--
GnuPG-bug-id: 4691
2019-08-30 08:32:22 +02:00
Werner Koch
e64f0dfd72
gpg,sm: Implement keybox compression run and release lock in gpgsm
* g10/keydb.c (keydb_add_resource): Call keybox_compress.
* sm/keydb.c (keydb_add_resource): Release the lock after a compress.
--

Note that in gpgsm we already did the compress run but we didn't
released the lock on the file.  This might have been a reason for some
strange hangs.

GnuPG-bug-id: 4644
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-08-23 15:51:43 +02:00
Werner Koch
5ef0d7a795
kbx: Include deleted records into the --stats output.
* kbx/keybox-dump.c (_keybox_dump_file): Take deleted records in
account.
--

This also changes the numbering of the records to reflect the real
record number.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-08-23 15:44:05 +02:00
Werner Koch
30aaa4ba00
kbx: Fix regression in compression trigger from July 18
* kbx/keybox-update.c (keybox_compress): Change condition back.
Also use make_timestamp for CUT_TIME.
--

Fixes-commit: 824ca6f042dc69edaf67bf9d4e875be75babab00
Note that the original change was not backported to 2.2.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-08-23 15:42:15 +02:00
Werner Koch
d058d80ed0
gpg: Allow --locate-external-key even with --no-auto-key-locate.
* g10/getkey.c (akl_empty_or_only_local): New.
* g10/gpg.c (DEFAULT_AKL_LIST): New.
(main): Use it here.
(main) <aLocateExtKeys>: Set default AKL if none is set.
--

This better matches the expectations of the user.  The used list in
this case is the default list ("local,wkd") with local ignored by the
command anyway.

GnuPG-bug-id: 4662
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-08-23 13:22:15 +02:00
Werner Koch
d7aca1bef6
gpg: Silence some warning messages during -Kv.
* g10/options.h (glo_ctrl): Add flag silence_parse_warnings.
* g10/keylist.c (list_all): Set that during secret key listsings.
* g10/parse-packet.c (unknown_pubkey_warning): If new flag is set do
 not print info message normally emitted inh verbose mode.
(can_handle_critical_notation, enum_sig_subpkt): Ditto.
(parse_signature, parse_key, parse_attribute_subpkts): Ditto.
--

Those messages are annoying because they might be emitted due to
parsing public keys which are latter not shows because the secret part
is missing.  No functional regressions are expected because --verbose
should not change anything.

Note that this suppression is only done if no arguments are given to
the command; that is if a listing of the entire keyring is requested.
Thus to see the earnings anyway, a listing of a single or group of
keys can be requested.

GnuPG-bug-id: 4627
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-08-23 12:50:41 +02:00
Werner Koch
f14ddeb89c
gpg: Do not show two informational diagnostics with quiet.
* g10/trustdb.c (verify_own_keys): Silence informational diagnostic.
--

This silences these notes with --quiet
  gpg: Note: RFC4880bis features are enabled.
  gpg: key EE65E8C75D41FD1D marked as ultimately trusted

GnuPG-bug-id: 4634
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-08-23 11:45:49 +02:00
Werner Koch
2a45800b2f
gpgconf: Suggest the use of --gpgconf-test on --launch problems.
* tools/gpgconf-comp.c (gc_component_launch): Change suggestion.
--

GnuPG-bug-id: 4668
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-08-23 10:43:53 +02:00
Werner Koch
d3f5d8544f
gpg: Extend --quick-gen-key for creating keys from a card.
* g10/keygen.c (parse_key_parameter_part): Add arg R_KEYGRIP and
support the special algo "card".
(parse_key_parameter_string): Add args R_KEYGRIP and R_SUBKEYGRIP.
Handle the "card" algo.  Adjust callers.
(parse_algo_usage_expire): Add arg R_KEYGRIP.
(quickgen_set_para): Add arg KEYGRIP and put it into the parameter
list.
(quick_generate_keypair): Handle algo "card".
(generate_keypair): Also handle the keygrips as returned by
parse_key_parameter_string.
(ask_algo): Support ed25519 from a card.
--

Note that this allows to create a new OpenPGP key from an initialized
OpenPGP card or from any other supported cards.  It has been tested
with the TCOS Netkey card.  Right now a stub file for the cards might
be needed; this can be achieved by running "gpgsm --learn" with the
card plugged in.

Example:

  gpg --quick-gen-key foo@example.org card

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-08-22 16:38:27 +02:00
Werner Koch
b3226d91d0
gpg: Use modern spelling for the female salutation.
--
GnuPG-bug-id: 4682

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-08-22 10:24:16 +02:00
NIIBE Yutaka
6f760e6eb0 gpg: Factor export_ssh_key.
* g10/export.c (export_one_ssh_key): Factor out.
(export_ssh_key): Use export_one_ssh_key.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-08-22 14:18:05 +09:00
NIIBE Yutaka
e00e68135c dns: Fix irrelevant use of tmpfile.
* dirmngr/dns.c (dns_trace_open): Don't use tmpfile.

GnuPG-bug-id: 4228
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-08-22 12:51:17 +09:00