1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-10-30 19:58:44 +01:00
Commit Graph

9117 Commits

Author SHA1 Message Date
NIIBE Yutaka
f1bd7369a7
scd,nks: Fix caching keygrip.
* scd/app-nks.c (keygripstr_from_pk_file): Identify by cfid if
available.
--

GnuPG-bug-id: 5150, 6252
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 9201543708:
2022-10-20 12:22:08 +02:00
Werner Koch
c1c3331cf9
scd:nks: Emit the algo string with KEYPAIRINFO
* scd/app-nks.c (do_learn_status_core): Emit the algo string as part
of a KEYPAIRINFO.
(struct fid_cache_s): Add field algostr.
(flush_fid_cache): Release it.
(keygripstr_from_pk_file): Fill it and add it to the cache.  Use a
single exit label.  Set algostr.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 26da47ae53
Backported-from-master: 006944b856
GnuPG-bug-id: 6252, 5144

This has been backported to keep this, and only this, module in sync
with master. All other changes from the original patch have been
stripped.
2022-10-20 12:22:08 +02:00
Werner Koch
fe698586b5
scd:nks: Implement writecert for the Signature card v2.
* scd/iso7816.c (CMD_UPDATE_BINARY): New.
(iso7816_update_binary): New.
* scd/app-nks.c (do_deinit): Factor some code out to...
(flush_fid_cache): new.
(do_writecert): New.
(app_select_nks): Register new handler.
--

This has been backported only to make the following backpoorts easier.
The code is only used in 2.3; for details see the original commit
message.

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: c1663c690b
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
c99870f790
scd:nks: Fix certificate read problem with TCOS signature card v2.
* scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN.
(do_readcert): Test for the app_id.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 07aef873eb
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
a974d8aefa
scd:nks: Fix remaining tries warning in --reset mode.
* scd/app-nks.c (do_change_pin): Change computation of 'remaining'.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 2429e85598
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
60ba61e78e
scd:nks: Add framework to support IDKey cards.
* scd/app-nks.c (NKS_APP_IDLM): New.
(struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
(do_learn_status): Always send CHV-STATUS.
(find_fid_by_keyref): Basic support for IDLM only use.
(do_learn_status_core): Ditto.
(do_readcert): Ditto.
(verify_pin): Ditto.
(parse_pwidstr): Ditto.
(do_with_keygrip): Ditto.
(switch_application): Ditto.
(app_select_nks): Fallback to IDLM.
--

Backported-from-master: 1f6a39092f
GnuPG-bug-id: 6252

Also not directly required for the Signature Card 2.0, it is easier to
port this patch as well.
2022-10-20 12:22:07 +02:00
Werner Koch
a83281176c
scd:nks: Get the PIN prompts right for the Signature Card
* scd/app-nks.c (get_dispserialno): Move more to the top.
(do_getattr): Add $DISPSERIALNO and SERIALNO.  Make CHV-STATUS work
with NKS15.
(verify_pin): Use dedicated min. PIN lengths.
(parse_pwidstr): Support NKS15
--

GnuPG-bug-id: 4938
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit aecc008acb)
2022-10-20 12:22:07 +02:00
Werner Koch
bbef2d1790
scd:nks: Support decryption using ECDH.
* scd/app-nks.c (struct fid_cache_s): Add field 'algo'.
(keygripstr_from_pk_file): Add arg 'r_algo' to return the algo.
(find_fid_by_keyref): Ditto.
(get_dispserialno): New.
(make_prompt): New.
(verify_pin): Provide better prompts.
(do_decipher): Support ECDH.
(parse_pwidstr): Add hack tospecify any pwid..
(do_change_pin): Support Signature Card V2.0 (NKS15) style NullPIN.
Provide a better prompt.
--

GnuPG-bug-id: 4938, 6252
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: af45d884aa
2022-10-20 12:22:07 +02:00
Werner Koch
f5e0469d6e
scd:nks: Add do_with_keygrip and implement a cache.
* scd/app-nks.c (struct fid_cache_s): New.
(struct app_local_s): Add field 'fid_cache'.
(do_deinit): Release the cache.
(keygripstr_from_pk_file): Implement the cache.
(find_fid_by_keyref): New
(do_sign, do_decipher): Use new function.
(do_with_keygrip): New.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 1e72a1a218
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
471e610fcd
scd:nks: Allow retrieving certificates from a Signature Card v.20
* scd/app-nks.c: Major rework to support non-RSA cards.
--

This is a fist step so support this ECC card.  The code has been
reworked while taking care that old cards should keep on working.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported-from-master: f05a32e5c9
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
NIIBE Yutaka
256b3c0578
gpg: Move NETLIBS after GPG_ERROR_LIBS (another).
* g10/Makefile.am (t_keydb_LDADD): Add NETLIBS after GPG_ERROR_LIBS.

--

Fixes-commit: b26bb03ed9
GnuPG-bug-id: 6244
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-18 10:24:54 +09:00
NIIBE Yutaka
a5c3821664
dirmngr: Fix build with no LDAP support.
* dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize.

--

Cherry-pick master commit of:
	7011286ce6

GnuPG-bug-id: 6239
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-18 10:16:11 +09:00
NIIBE Yutaka
b26bb03ed9
gpg: Move NETLIBS after GPG_ERROR_LIBS.
* g10/Makefile.am (LDADD): Remove NETLIBS.
(gpg_LDADD, gpgv_LDADD): Add NETLIBS after GPG_ERROR_LIBS.
(gpgcompose_LDADD, t_keydb_get_keyblock_LDADD): Likewise.
(t_stutter_LDADD): Likewise.

--

GnuPG-bug-id: 6244
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-18 10:08:20 +09:00
NIIBE Yutaka
6f0066db2c
gpg: Report an error for receiving key from agent.
* g10/export.c (do_export_one_keyblock): Report an error.

--

GnuPG-bug-id: 5151
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-13 18:35:34 +02:00
Werner Koch
70ec346fb4
Post release updates
--

Also switch speedo to use https instead of ftp for download.
2022-10-13 17:02:47 +02:00
Werner Koch
2e9f8a511d
Release 2.2.40 2022-10-10 12:32:35 +02:00
Werner Koch
21db05100d
po: Auto update
--
2022-10-10 11:53:14 +02:00
Werner Koch
5df1c247be
gpg: For de-vs use AES-128 instead of 3DES as implicit preference.
* g10/pkclist.c (select_algo_from_prefs): Change implicit cipher
algorithm.
--

Although 3DES is still a compliant algorithm, some other software does
not consider it has compliant but also does not set preference
accordingly.  Thus it is better to switch the implicit cipher algorithm
similar to what we already did with SHA-1.

Note that in GnuPG 2.3 3DES is already not anymore used here.

GnuPG-bug-id: 6063
2022-10-10 11:22:57 +02:00
Ingo Klöcker
94092793f6
sm: Fix reporting of bad passphrase error
* sm/minip12.c (p12_parse): Set badpass flag to result in ctx.
--

Fixes-commit: 4c14bbf56f
GnuPG-bug-id: 5713, 6037
(cherry picked from commit a47b3a4087)
2022-10-10 09:17:10 +02:00
Werner Koch
cd020284c9
wkd: Implement --blacklist option for gpg-wks-client
* tools/gpg-wks-client.c (blacklist_array, blacklist_array_len): New.
(parse_arguments): Install blacklist.
(read_file): New.
(cmp_blacklist, add_blacklist, is_in_blacklist): New.
(mirror_one_key): Check list.
* tools/gpg-wks.h (opt): Remove field blacklist.
--

GnuPG-bug-id: 6224
(cherry picked from commit b0b4e24c4f)
2022-10-07 17:44:44 +02:00
Werner Koch
88042821d8
wkd: Restrict gpg-wks-client --mirror to the given domains.
* tools/gpg-wks-client.c (domain_matches_mbox): New.
(mirror_one_key): Skip non-matching domains.
(command_mirror): Change args to allow for several domains.
--

Although dirmngr returns only the keys matching a certain domain,
those keys still may have user ids from other domains.  Now we publish
only the user-ids as specified on the command line.

GnuPG-bug-id: T6224
(cherry picked from commit 0a151548b6)
2022-10-07 17:44:16 +02:00
Werner Koch
b18b9b972e
wkd: Silence gpg-wks-client diagnostics from gpg.
* tools/gpg-wks-client.c (add_user_id): PAss --quiet to gpg unless we
are running in double verbose mode.
(decrypt_stream): Ditto
(encrypt_response): Ditto.
(mirror_one_keys_userid): Ditto.
* tools/wks-util.c (wks_get_key): Ditto.
(wks_list_key): Ditto.
(wks_filter_uid): Ditto.

(cherry picked from commit 4364283f75)
2022-10-07 17:43:58 +02:00
Werner Koch
a946343f14
wkd: New command --mirror for gpg-wks-client.
* tools/gpg-wks-client.c (aMirror,oBlacklist,oNoAutostart): New.
(opts): Add --mirror, --no-autostart, and --blacklist.
(parse_arguments): Parse new options.
(main): Implement aMirror.
(mirror_one_key_parm): New.
(mirror_one_keys_userid, mirror_one_key): New.
(command_mirror): New.

* tools/gpg-wks.h (struct uidinfo_list_s): Add fields flags.
* tools/wks-util.c (wks_cmd_install_key): Factor some code out to ...
(wks_install_key_core): new.

* tools/call-dirmngr.c (wkd_dirmngr_ks_get): New.
--

This implements the basic LDAP to WKD mirroring.  The blacklist
option and domain restrictions are not yet fully implemented.

Take care: In OpenLDAP you may need to increase the paged result limit
by using a configuration like:

  dn: olcDatabase={1}mdb,cn=config
  changetype: modify
  replace: olcLimits
  olcLimits: dn.subtree="dc=example,dc=org" size.prtotal=unlimited

GnuPG-bug-id: 6224
Backported-from-master: 7ccd489aa2
2022-10-07 17:42:25 +02:00
Werner Koch
c300253181
common: Protect against a theoretical integer overflow in tlv.c
* common/tlv.c (parse_ber_header): Protect agains integer overflow.
--

Although there is no concrete case where we use the (nhdr + length),
it is better to protect against this already here.
2022-10-07 14:21:20 +02:00
Werner Koch
a70a3204c2
dirmngr: Support paged LDAP mode for KS_GET
* dirmngr/ks-engine-ldap.c (PAGE_SIZE): New.
(struct ks_engine_ldap_local_s): Add several new fields.
(ks_ldap_clear_state): Release them.
(search_and_parse): Factored out from ks_ldap_get and extended to
support the paged mode.
(ks_ldap_get):  Implement the pages mode for --first and --next.
* dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first
mode.
* dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS.
--

The paged mode allows to retrieve more items than the servers usually
limit (e.g. 1000 for an LDS).  This patch also allows to use --first
without a patter to retrieve all keyblocks (except for disabled and
revoked keys).

GnuPG-bug-id: 6224
Backported-from-master: 7a01e806ea
2022-10-07 13:54:34 +02:00
Werner Koch
20cb9319d9
dirmngr: New options --first and --next for KS_GET.
* dirmngr/server.c (cmd_ks_get): Add option --first and --next.
(start_command_handler): Free that new ldap state.
* dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New.
(ks_ldap_new_state, ks_ldap_clear_state): New.
(ks_ldap_free_state): New.
(return_one_keyblock): New.  Mostly factored out from ....
(ks_ldap_get): here.  Implement --first/--next feature.

* dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to
ks_get_flags.
* dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New.
(KS_GET_FLAG_FIRST): New.
(KS_GET_FLAG_NEXT): New.

* dirmngr/dirmngr.h (struct server_control_s): Add member
ks_get_state.
(struct ks_engine_ldap_local_s): New forward reference.
--

This feature allows to fetch keyblock by keyblock from an LDAP server.
This way tools can process and maybe filter each keyblock in a more
flexible way.  Here is an example where two keyblocks for one mail
address are returned:

  $ gpg-connect-agent --dirmngr
  > ks_get --ldap --first  <foo@example.org>
  [... First keyblock is returned ]
  OK
  > ks_get --next
  [ ... Next keyblock is returned ]
  OK
  > ks_get --next
  ERR 167772218 No data <Dirmngr>

GnuPG_bug_id: 6224
Backported-from-master: 4de98d4468
2022-10-07 13:49:55 +02:00
Werner Koch
2b2f8a1a0c
gpg: Show just keyserver and port with --send-keys.
* g10/call-dirmngr.c (ks_status_cb): Mangle the keyserver url
2022-10-07 13:37:09 +02:00
Werner Koch
4cf8dc2d96
dirmngr: Minor fix for baseDN fallback.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data
behind the EOS.
(interrogate_ldap_dn): Stylistic change.
--

This also updates the my_ldap_connect description.

GnuPG-bug-id: 6047
(cherry picked from commit 11aa5a93a7)
2022-10-07 13:35:21 +02:00
NIIBE Yutaka
73cc5e073c
dirnmgr: Fix the function prototype.
* dirmngr/ldap-wrapper.c (ldap_wrapper_wait_connections): It's with
no arguments.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 530d709607)
2022-10-07 13:22:03 +02:00
NIIBE Yutaka
98fbac6141
dirmngr: Change interrogate_ldap_dn for better memory semantics.
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): Return BASEDN found,
memory allocated.
(my_ldap_connect): Follow the change, removing needless allocation.

--

GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 4b2066afb4)
2022-10-07 13:21:37 +02:00
Joey Berkovitz
5516f92224
dirmngr: Interrogate LDAP server when base DN specified.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): interrogate LDAP
server when basedn specified.

--

GnuPG-bug-id: 6047
Signed-off-by: Joey Berkovitz <joeyberkovitz@gmail.com>
(cherry picked from commit 3257385378)
2022-10-07 13:21:20 +02:00
Werner Koch
615c9717c1
dirmngr: Support gpgMailbox for mode MAILSUB and MAILEND.
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Use gpgMailbox if
server supports this.
2022-10-07 13:19:10 +02:00
Werner Koch
44960e702e
dirmngr: Factor out interrogate_ldap_dn function.
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New.
--

GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 993820c315
2022-10-07 13:16:57 +02:00
Werner Koch
fe7114ebf3
po: Fix wrong LF in the German translation
--

Reported-by: mario.haustein@hrz.tu-chemnitz.de

Also fix one typo
2022-10-07 11:53:42 +02:00
Werner Koch
07c6743148
gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant.
* g10/encrypt.c (check_encryption_compliance): Check gcrypt compliance
before emitting an ENCRYPTION_COMPLIANCE_MODE status.
--

GnuPG-bug-id: 6221
2022-09-29 14:15:47 +02:00
Werner Koch
d7a0df4478
doc: Typo fix in a comment.
--
2022-09-28 15:41:16 +02:00
Werner Koch
32ce7ac0c6
dirmngr: Fix lost flags during LDAP upload
* dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const.
Use strtokenize instead of strtok style parsing.
--

This fixes a problem with resulted in a General Error for the second
key to be uploaded in the same session.  But only if the colon format
to specify a keyserver with flags was used.
2022-09-28 15:40:22 +02:00
Werner Koch
6300035ba1
dirmngr: New server flag "areconly" (A-record-only)
* dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly"
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
* dirmngr/dirmngr_ldap.c: Add option --areconly
(connect_ldap): Implement option.
* dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.
--

This flag is used to pass the Windows specific option
LDAP_OPT_AREC_EXCLUSIVE.  It is ignored on other systems.

Signed-off-by: Werner Koch <wk@gnupg.org>
2022-09-28 09:43:25 +02:00
Werner Koch
05b7e4a405
gpg: Don't consider unknown keys as non-compliant while decrypting.
* g10/mainproc.c (proc_encrypted):  Change compliance logic.
--

For the description of the proplem see
  https://dev.gnupg.org/T6205#163306

GnuPG-bug-id: 6205
2022-09-22 10:25:36 +02:00
Werner Koch
289fbc550d
dirmngr: Fix CRL DP error fallback to other schemes.
* dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
Remove the unused issuername_uri stuff.
--

It is quite common that LDAP servers are blocked and thuis the HTTP
access point should be used instead.  This worked well for
certificates where the DP are given in this form:

        crlDP: ldap://x500.bund.de/[...]
               http://x500.bund.de/[...]
               issuer: none

but it failed for this form

        crlDP: ldap://x500.bund.de/[...]
               issuer: none
        crlDP: http://x500.bund.de/[...]
               issuer: none

because the LAST_ERR thing terminated the outer loop.  This pacth
fixes this and also cleans up the code to be more robust.

Note that the common workaround of using --ignore-ldap-dp will now
only be needed if the firewall uses packet dropping instead of proper
ICMP rejects.
2022-09-16 16:54:39 +02:00
NIIBE Yutaka
ed1264e74b
build: Update gpg-error.m4.
* m4/gpg-error.m4: Update from libgpg-error.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-15 11:57:33 +09:00
Werner Koch
268e876ee2
Post release updates
--
2022-09-02 15:40:09 +02:00
Werner Koch
7c2078a680
Release 2.2.39 2022-09-02 14:48:56 +02:00
Werner Koch
fc99ff8aff
speedo: Authenticode sign two more tools.
--
2022-09-02 12:05:26 +02:00
Werner Koch
8c22b00268
common: Make nvc_lookup more robust.
* common/name-value.c (nvc_first): Allow for NULL arg.
(nvc_lookup): Allow for PK being NULL.
--

GnuPG-bug-id: 6176
2022-09-01 17:35:41 +02:00
Werner Koch
9eb03b722c
Post release updates
--
2022-09-01 13:35:39 +02:00
Werner Koch
0b786fde77
Release 2.2.38 2022-09-01 12:05:21 +02:00
NIIBE Yutaka
d1490c6df9 po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-01 14:53:44 +09:00
Werner Koch
ea34325c54
dirmngr: New option --debug-cache-expired-certs.
* dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs:
* dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
(opts): Add option.
(parse_rereadable_options): Set option.
* dirmngr/certcache.c (put_cert): Handle the option.
2022-08-31 18:13:25 +02:00
Werner Koch
a95a31cd2f
gpg: Add descriptions for --auto-key-import and --include-key-import
--

Actually we once had them but they got lost at some point.  The German
translation is also up-to-date now.
2022-08-31 18:06:16 +02:00