1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-10-30 19:58:44 +01:00
Commit Graph

9117 Commits

Author SHA1 Message Date
Werner Koch
f32994b0bf
scd: Support PC/SC for "getinfo reader_list".
* scd/apdu.c: Include membuf.h.
(pcsc): Add reader_list field.
(open_pcsc_reader): Fill that field.
(apdu_get_reader_list): New.
* scd/command.c: Remove header ccid-driver.h.
(pretty_assuan_send_data): New.
(cmd_getinfo): Print all reader names.
--

Note that depending on the card backend (ccid or PC/SC) it might be
necessary to first send a reset followed by SERIALNO to get an updated
list of reader.  Or well send KILLSCD.

The pretty printing of Assuan data lines does only work if you connect
direct to scdaemon because the wrapper in gpg-agent does not know
about this and combines the Assuan lines again.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-09-08 15:50:28 +02:00
Werner Koch
192113552f
scd: Fix possible assertion in close_pcsc_reader.
* scd/apdu.c (close_pcsc_reader): Don't ref-count if the context is
invalid.
(open_pcsc_reader): Compare the context against -1 which is our
indicator for an invalid context.
--

I got a crash report for Windows:

  DBG: chan_0x000000a4 <- RESTART
  DBG: chan_0x000000a4 -> OK
  DBG: chan_0x000000a4 <- SERIALNO
  DBG: open_pcsc_reader(portstr=(null))
  reader slot 0: not connected
  DBG: open_pcsc_reader => slot=0
  DBG: enter: apdu_connect: slot=0
  pcsc_connect failed: invalid PC/SC error code (0x6)
  reader slot 0: not connected
  DBG: leave: apdu_connect => sw=0x1000b
  DBG: enter: apdu_close_reader: slot=0
  DBG: enter: apdu_disconnect: slot=0
  DBG: leave: apdu_disconnect => sw=0x0
  Ohhhh jeeee: Assertion "pcsc.count > 0" in
    close_pcsc_reader failed (...2.2.28/scd/apdu.c:817)

no smartcard reader was connected but the box might sport a virtual
reader.  This patch should make it more robust.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-09-07 16:40:09 +02:00
Werner Koch
4b2cfec2dc
agent: Fix segv in GET_PASSPHRASE (regression)
* agent/command.c (cmd_get_passphrase): Do not deref PI.  PI is always
NULL.
--

Fixes-commit: db5dc7a91a
GnuPG-bug-id: 5577
2021-09-07 09:03:44 +02:00
Werner Koch
1f726b4123
gpg: Print a note about the obsolete option --secret-keyring.
--

GnuPG-bug-id: 2749
2021-08-28 18:37:41 +02:00
Werner Koch
b03a38355d
Fix announcement mail URL
--
2021-08-27 15:25:02 +02:00
NIIBE Yutaka
7e431e009e common: Fix put_membuf.
* common/membuf.c (put_membuf): Allow NULL for the second arg.

--

Cherry-picked from master commit of:
	f271c69164

There has been such a use case in keybox-blob.c.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 17:22:25 +09:00
NIIBE Yutaka
0ca84cbdf0 build: Fix removal of AC_TYPE_SIGNAL.
* configure.ac: AC_TYPE_SIGNAL is still needed.

--

Fixes-commit: d5f9481186
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 09:58:47 +09:00
NIIBE Yutaka
a8ffc52cec po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 08:57:19 +09:00
NIIBE Yutaka
d5f9481186 common: Fix get_signal_name for GNU/Linux.
* common/signal.c (get_signal_name): Use sigdescr_np if available.
* configure.ac: Check the function.

--

Backport master commit of:
	c4ba712736

GnuPG-bug-id: 5568
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 08:50:12 +09:00
Werner Koch
f64e0f63d6
Post release updates
--
2021-08-26 21:13:30 +02:00
Werner Koch
d583e750a6
Release 2.2.30 2021-08-26 18:18:36 +02:00
Werner Koch
f151587d85
po: Auto update
--
2021-08-26 18:11:48 +02:00
Werner Koch
712930f8dd
po: Update German translation
--
2021-08-26 18:10:14 +02:00
Werner Koch
2b65f4e953
wkd: Properly unescape the user-id from a key listing.
* tools/wks-util.c (append_to_uidinfo_list): Unescape UID.
2021-08-20 16:24:14 +02:00
Werner Koch
17e2ec488f
common: New function decode_c_string.
* common/miscellaneous.c (decode_c_string): New.
--

This is basically a copy from the code we use in gpgme and gpa.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 6ecedd0b25)
2021-08-20 16:24:13 +02:00
Werner Koch
5ed8e598fa
agent: Use the sysconfdir for a pattern file.
* agent/genkey.c (do_check_passphrase_pattern): Use make_filename.
2021-08-20 16:22:44 +02:00
Werner Koch
db5dc7a91a
agent: Ignore passphrase constraints for a generated passphrase.
* agent/agent.h (PINENTRY_STATUS_PASSWORD_GENERATED): New.
(MAX_GENPIN_TRIES): Remove.
* agent/call-pinentry.c (struct entry_parm_s):
(struct inq_cb_parm_s): Add genpinhash and genpinhas_valid.
(is_generated_pin): New.
(inq_cb): Suppress constraints checking for a generated passphrase.
No more need for several tries to generate the passphrase.
(do_getpin): Store a generated passphrase/pin in the status field.
(agent_askpin): Suppress constraints checking for a generated
passphrase.
(agent_get_passphrase): Ditto.
* agent/command.c (cmd_get_passphrase): Ditto.
--

A generated passphrase has enough entropy so that all kind of extra
checks would only reduce the actual available entropy.  We thus detect
if a passphrase has been generated (and not changed) and skip all
passphrase constraints checking.
2021-08-20 10:18:11 +02:00
Werner Koch
576e429d41
wkd: Fix client issue with leading or trailing spaces in user-ids.
* common/recsel.c (recsel_parse_expr): Add flag -t.
* common/stringhelp.c (strtokenize): Factor code out to
do_strtokenize.
(strtokenize_nt): New.
(do_strtokenize): Add arg trim to support the strtokenize_nt.
* common/t-stringhelp.c (test_strtokenize_nt): New test cases.

* tools/wks-util.c (wks_list_key): Use strtokenize_nt and the recsel
flag -t.
--

This fixes a bug with user ids with leading spaces because:

wks-client lists all mail addresses from the key and matches them to the
requested mail address.

If there are several user-ids all with the same mail address
wks-client picks one of them and then extracts exactly that user id.
However, here it does not match by the mail address but by the full
user-id so that we can be sure that there will be only one user-id in
the final key.

The filter built expression unfortunately strips leading blanks but
requires a verbatim match.  Thus it won't find the user id again and
errors out.

The new -t flag and a non-trimming strtokenize solves the problem.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-08-20 09:58:35 +02:00
Werner Koch
6685696ada
gpg: Return SUCCESS/FAILURE status also for --card-edit/name.
* g10/card-util.c (change_name): Call write_sc_op_status.
--

Reported-by: Joey Berkovitz
2021-08-20 09:54:00 +02:00
Werner Koch
2e69ce878f
agent: Improve the GENPIN callback.
* agent/call-pinentry.c (DEFAULT_GENPIN_BYTES): Replace by  ...
(DEFAULT_GENPIN_BITS): this and increase to 150.
(generate_pin): Make sure that we use at least 128 bits.
2021-08-18 11:34:10 +02:00
Werner Koch
4855888c0a
agent: Fix for zero length help string in pinentry hints.
* agent/call-pinentry.c: Remove unused assert.h.
(inq_cb): Fix use use of assuan_end_confidential in case of nested
use.
(do_getpin): Ditto.
(setup_formatted_passphrase): Escape the help string.
(setup_enforced_constraints): Ignore empty help strings.
2021-08-18 10:20:22 +02:00
Werner Koch
ec2f1b3898
common,w32: Replace log_debug by log_info for InProcessJobs
* common/exechelp-w32.c (gnupg_spawn_process_detached): Use log_info.
2021-08-18 09:41:17 +02:00
Werner Koch
4dfa951a0a
w32: Move socketdir to LOCAL_APPDATA
* common/homedir.c (is_gnupg_default_homedir): Use standard_homedir
instead of the constant which makes a difference on Windows.
(_gnupg_socketdir_internal) [W32]: Move the directory to LOCAL_APPDATA.
(gnupg_cachedir): Remove unsued function.

* common/sysutils.c (gnupg_rmdir): New.
* tools/gpgconf.c (main): s/rmdir/gnupg_rmdir/.
--

That is actually a more correct directory than APPDATA.  This fixes
a problem with installations where the APPDATA is non a network drive
and the resulting socket filename is truncated in our socket helper
function (because we use sockaddr also for our local socket
emulation on Windows).

LOCAL_APPDATA is expected to be on the local box and thus in the
majority of cases the resulting socket file name will be short enough.

GnuPG-bug-id: 5537
Signed-off-by: Werner Koch <wk@gnupg.org>
Backport-from-master: 0802cbb59b
2021-08-17 10:53:26 +02:00
Werner Koch
013f2e4672
gpgconf,w32: Print more registry diagnostics with --list-dirs.
* tools/gpgconf.c (list_dirs): Figure out classes with the key.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-08-17 10:42:38 +02:00
Werner Koch
455ba49071
agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pient
* agent/call-pinentry.c (atfork_core): Pass DISPLAY.
2021-08-17 10:42:18 +02:00
Werner Koch
c6a4a660fd
agent: New option --check-sym-passphrase-pattern.
* agent/gpg-agent.c (oCheckSymPassphrasePattern): New.
(opts): Add --check-sym-passphrase-pattern.
(parse_rereadable_options): Set option.
(main): Return option info.
* tools/gpgconf-comp.c: Add new option.
* agent/agent.h (opt): Add var check_sym_passphrase_pattern.
(struct pin_entry_info_s): Add var constraints_flags.
(CHECK_CONSTRAINTS_NOT_EMPTY): New to replace a hardwired 1.
(CHECK_CONSTRAINTS_NEW_SYMKEY): New.
* agent/genkey.c (check_passphrase_pattern): Rename to ...
(do_check_passphrase_pattern): this to make code reading
easier. Handle the --check-sym-passphrase-pattern option.
(check_passphrase_constraints): Replace arg no_empty by a generic
flags arg.  Also handle --check-sym-passphrase-pattern here.
* agent/command.c (cmd_get_passphrase): In --newsymkey mode pass
CHECK_CONSTRAINTS_NEW_SYMKEY flag.
* agent/call-pinentry.c (struct entry_parm_s): Add constraints_flags.
(struct inq_cb_parm_s): New.
(inq_cb): Use new struct for parameter passing.  Pass flags to teh
constraints checking.
(do_getpin): Pass constraints flag down.
(agent_askpin): Take constraints flag from the supplied pinentry
struct.
--

Requirements for a passphrase to protect a private key and for a
passphrase used for symmetric encryption are different.  Thus a
the use of a different pattern file will be useful.  Note that a
pattern file can be used to replace the other passphrase constraints
options and thus we don't need to duplicate them for symmetric
encryption.

GnuPG-bug-id: 5517
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 7c45a69eb9
agent: New option --check-sym-passphrase-pattern.
2021-08-17 10:40:23 +02:00
Ingo Klöcker
9832566e45
agent: Add checkpin inquiry for pinentry
* agent/call-pinentry.c: Include zb32.
(MAX_GENPIN_TRIES): New.
(DEFAULT_GENPIN_BYTES): New.
(generate_pin): New.
(setup_genpin): New.
(inq_quality): Rename to ...
(inq_cb): this.  Handle checkpin inquiry.
(setup_enforced_constraints): New.
(agent_get_passphrase): Call sertup_genpin.  Call
setup_enforced_constraints if new passphrase is requested.
--

This implements the gpg-agent side for checking whether a new passphrase
entered by the user in pinentry satisfies the passphrase constraints.
Performing a checkpin inquiry is only allowed if the passphrase
constraints are enforced. setup_enforced_constraints sends necessary
options and translated strings to pinentry.

The patch also merges 557ddbde32 et
al. from master to add the genpin inquiry machinery.

The suggested passphrase has the required entropy of 128 bits.

GnuPG-bug-id: 5517, 5532
2021-08-17 10:11:24 +02:00
Ingo Klöcker
32fbdddf8b
agent: New option --pinentry-formatted-passphrase
* agent/agent.h (opt): Add field pinentry_formatted_passphrase.
* agent/call-pinentry.c (setup_formatted_passphrase): New.
(agent_get_passphrase): Pass option to pinentry.
* agent/gpg-agent.c (oPinentryFormattedPassphrase): New.
(opts): Add option.
(parse_rereadable_options): Set option.
--

GnuPG-bug-id: 5553, 5517

This is a squashed backport of two commits from master.
Backport-from-master: bf20a80f68
Backport-from-master: 99601778f4

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-08-16 12:45:37 +02:00
Ingo Klöcker
8fff61de94
common: Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to pinentry
* common/session-env.c (stdenvnames): Add XDG_SESSION_TYPE and
QT_QPA_PLATFORM.
--

On Unix systems (except Darwin), Qt uses those two environment
variables additionally to DISPLAY and WAYLAND_DISPLAY to figure out
whether to use X11 or Wayland. For example, QT_QPA_PLATFORM needs
to be set to "wayland" to make Qt use Wayland on Gnome.

GnuPG-bug-id: 3659
2021-08-16 12:01:00 +02:00
Werner Koch
5ca15e58b2
tools: Extend gpg-check-pattern.
* tools/gpg-check-pattern.c: Major rewrite.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 73c03e0232

Here is a simple pattern file:

====================
# Pattern to reject passwords which do not comply to
#   - at least 1 uppercase letter
#   - at least 1 lowercase letter
#   - at least one number
#   - at least one special character
# and a few extra things to show the reject mode

# Reject is the default mode, ignore case is the default
#[reject]
#[icase]

# If the password starts with "foo" (case insensitive) it is rejected.
/foo.*/

[case]

# If the password starts with "bar" (case sensitive) it is rejected.
/bar.*/

# Switch to accept mode: Only if all patterns up to the next "accept"
# or "reject" tag or EOF match, the password is accepted.  Otherwise
# the password is rejected.

[accept]

/[A-Z]+/
/[a-z]+/
/[0-9]+/
/[^A-Za-z0-9]+/
=================
2021-08-16 11:59:29 +02:00
Werner Koch
4952ed9584
Post release updates
--
2021-07-04 17:23:56 +02:00
Werner Koch
695a879af8
Release 2.2.29 2021-07-04 16:15:29 +02:00
Werner Koch
3283cf3a7a
Update OpenPGP card vendor list.
--
2021-07-04 15:49:50 +02:00
Werner Koch
51310497ef
po: Remove removed files.
--
2021-07-02 14:43:34 +02:00
Werner Koch
47c4e3e00a
dirmngr: Change the default keyserver.
* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to
keyserver.ubuntu.com.

* dirmngr/certcache.c (cert_cache_init): Disable default pool cert.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/http.c (http_session_new): Ditto.

* dirmngr/server.c (make_keyserver_item): Use a different mapping for
the gnupg.net names.
--

Due to the unfortunate shutdown of the keyserver pool, the long term
defaults won't work anymore.  Thus it is better to change them.

For https access keyserver.ubuntu.com is now used because it can be
expected that this server can stand the load from newer gnupg LTS
versions.

For http based access the Dutch Surfnet keyserver is used.  However
due to a non-standard TLS certificate this server can not easily be
made the default for https.

Note: that the default server will be changed again as soon as a new
connected keyserver infrastructure has been established.
2021-06-25 19:15:24 +02:00
Werner Koch
5fe4b97887
gpg: Let --fetch-key return an exit code on failure.
* g10/keyserver.c (keyserver_fetch): Return an error code.
* g10/gpg.c (main) <aFetchKeys>: Return 1 in case of no data.
--

GnuPG-bug-id: 5376
2021-06-25 10:35:24 +02:00
NIIBE Yutaka
b90c55fa66 scd:ccid: Handle LIBUSB_TRANSFER_OVERFLOW interrupt transfer.
* scd/ccid-driver.c (intr_cb): Ignore LIBUSB_TRANSFER_OVERFLOW.

--

Backport-master-commit: 25ae80b8eb
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-23 12:10:01 +09:00
NIIBE Yutaka
8e941e19b0 scd:ccid:spr532: Extend abort_cmd for initialization time.
* scd/ccid-driver.c (abort_cmd): Add INIT argument to support
synchronize until success, even ignoring timeout.
(bulk_in): Normal use case of abort_cmd.
(ccid_vendor_specific_init): Initial use case of abort_cmd.

--

Another backport to stabilize SCM SPR332/SPR532 card reader.

GnuPG-bug-id: 5297
Backport-master-commit: a9aa30ed2c
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-23 11:19:46 +09:00
Werner Koch
af2fd9f0af
tests: Cope with broken Libgcrypt versions
* common/t-sexputil.c (test_ecc_uncompress): Ignore unknwon curve
errors.
--

For unknown reasons some versions of Fedora or RHEL provide a patched
version of Libgcrypt with Brainpool support removed.  We better ignore
this error because it is a regression in 2.2.28 although that older
versions could not used Brainpool keys.

GnuPG-bug-id: 5502
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-22 12:29:59 +02:00
Werner Koch
e94dfa21d2
w32: Add fallback in case the Windows console can't cope with Unicode.
* common/ttyio.c (w32_write_console): Fallback to WriteConsoleA on
error.
--

To test this switch the Windows Console to "legacy mode"

  set LANG=de
  gpg --card-edit

and enter an invalid command.  The response contains an Umlaut and old
Windows versions (and the legacy console) don't have a proper font
installed for this.  Without this patch this runs into a log_fatal
error.

The mitigation we implement is to fallback to WriteConsoleA, that is
accepting wrong encoding and to print a note about the problem.

GnuPG-bug-id: 5491
2021-06-22 11:08:05 +02:00
Werner Koch
adf7bfba5d
dirmngr: Fix regression in KS_GET for mail address pattern.
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Munge mail address pattern.
(ks_hkp_get): Allow for mail addresses.
-

Before the keyserver changes in 2.2.28 gpg passed dirmngr a pail
address as an exact pattern (e.g. "=foo@example.org").  Since 2.2.28
the mail address is detected gpg gpg and we see for example
"<foo@example.org>".  This patch fixes this to turn a mail address
into an exact match again.

GnuPG-bug-id: 5497
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-21 09:22:17 +02:00
NIIBE Yutaka
8b6591c4c5 po: Update Simplified Chinese Translation.
--

Backport-master-commit: 448ccd7f1da0324bd2d8dea1bc018895b165cfba
GnuPG-bug-id: 5477
Reported-by: Zhongren Gu
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-17 11:52:49 +09:00
NIIBE Yutaka
01a413d523 scd: Error code map fix for older Yubikey.
* scd/iso7816.c (map_sw): Recognize 6A86.

--

Yubikey NEO does not support the YK4_GET_CAPA command (001D000000),
and it will be screwed up with the command.

GnuPG-bug-id: 5487
Back-port-master-commit: 13bc0431ff
Fixes-commit: ec56996029
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-14 10:24:39 +09:00
NIIBE Yutaka
c8b2162c0e dirmngir: Fix build with --disable-ldap.
* dirmngr/dirmngr.c (parse_rereadable_options) [USE_LDAP]:
Conditionalize.

--

Reported-by: Phil Pennock
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-11 10:30:02 +09:00
NIIBE Yutaka
8ee4c8d1e0 dirmngr: Remove use of USE_LDAPWRAPPER.
* configure.ac (USE_LDAPWRAPPER): Remove.
* dirmngr/Makefile.am: Use USE_LDAP instead of USE_LDAPWRAPPER.
* dirmngr/ldap-wrapper-ce.c: Remove.
* dirmngr/ldap-wrapper.h, dirmngr/ldap-wrapper.c: Remove
USE_LDAPWRAPPER things.

--

Backported-from-master: 4c295646ba
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-11 10:06:24 +09:00
Werner Koch
fd2571e8fa
Post release updates
--
2021-06-10 19:44:16 +02:00
Werner Koch
9f6076868e
Release 2.2.28 2021-06-10 17:45:10 +02:00
Werner Koch
67b039eae9
po: Auto updates
--
2021-06-10 17:44:49 +02:00
NIIBE Yutaka
3896e7e625 po: Fix typo in Simplified Chinese Translation.
--

GnuPG-bug-id: 5477
Reported-by: Zhongren Gu
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-06-10 20:11:04 +09:00
Werner Koch
845711d142
gpg: Partial fix for Unicode problem in output files.
* g10/openfile.c (overwrite_filep): Use gnupg_access.
--

As said, this is just an obvious but partial fix.  We need to review
things for the output module.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-06-10 12:44:30 +02:00