1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-04 20:38:50 +01:00
Commit Graph

4917 Commits

Author SHA1 Message Date
Werner Koch
2d68dc437e gpg: Minor change for better readability.
* g10/build-packet.c (write_version): Remove.
(do_pubkey_enc, do_onepass_sig): Write version directly.

Signed-off-by: Werner Koch <wk@gnupg.org>
2014-10-12 19:16:13 +02:00
Werner Koch
54ffe2045a Use a unique capitalization for "Note:".
--
2014-10-10 15:29:42 +02:00
Werner Koch
36679f33aa po: Fix some grammar buglets in the German translation.
--

Reported-by: Thomas Gries

  1)
  "GnuPG erstellt eine User-ID,[Komma fehlt] um Ihren Schlüssel …"
  2)
  "Die Karte wird nun konfiguriert,[<<< Komma fehlt] um einen  …"
  in gpg-agent
  3)
  "verbite" → "verbiete"
  4)
  in gpg-agent --help

  ich fände eine einheitliche Groß- bzw. Kleinschreibung der Befehle
  besser, derzeit gibt es einen Mix aus Groß- und Kleinschreibung
  "Benutze... ", "benutze..." usw:

Item 3 was already fixed.  Also fixed some capitalization
inconsistencies.

Signed-off-by: Werner Koch <wk@gnupg.org>
2014-10-10 15:02:02 +02:00
Werner Koch
5b5e5a6027 doc: Fix a man page rendering problem.
* doc/gpg-agent.texi (Agent Configuration): Fix rendering of the
sshcontrol example.
2014-10-10 13:51:19 +02:00
Daniel Kahn Gillmor
6cabb7a2a1 gpg: Add build and runtime support for larger RSA keys
* configure.ac: Added --enable-large-secmem option.
* g10/options.h: Add opt.flags.large_rsa.
* g10/gpg.c: Contingent on configure option: adjust secmem size,
add gpg --enable-large-rsa, bound to opt.flags.large_rsa.
* g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa
* doc/gpg.texi: Document --enable-large-rsa.

--

This is a cherry-pick of 534e2876ac from
STABLE-BRANCH-1-4 against master

Some older implementations built and used RSA keys up to 16Kib, but
the larger secret keys now fail when used by more recent GnuPG, due to
secure memory limitations.

Building with ./configure --enable-large-secmem will make gpg
capable of working with those secret keys, as well as permitting the
use of a new gpg option --enable-large-rsa, which let gpg generate RSA
keys up to 8Kib when used with --batch --gen-key.

Debian-bug-id: 739424

Minor edits by wk.

GnuPG-bug-id: 1732
2014-10-10 13:40:38 +02:00
Werner Koch
2ca90f78ce gpg: Skip overlong keys and a print a warning.
* kbx/keybox-search.c (keybox_search): Add arg r_skipped and skip too
long blobs.
* sm/keydb.c (keydb_search): Call keybox_search with a dummy param.
* g10/keydb.c (struct keydb_handle): Add field skipped_long_blobs.
(keydb_search_reset): Reset that field.
(keydb_search): Update that field.
(keydb_get_skipped_counter): New.
* g10/keylist.c (list_all): Print count of skipped keys.

Signed-off-by: Werner Koch <wk@gnupg.org>
2014-10-09 21:01:49 +02:00
Werner Koch
60e21d8b85 gpg: Sync keylist output and warning messages.
* g10/keylist.c (list_all): Flush stdout before logging.
* g10/misc.c (print_pubkey_algo_note): Ditto.
(print_cipher_algo_note): Ditto.
(print_digest_algo_note): Ditto.
(print_md5_rejected_note): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2014-10-09 20:57:02 +02:00
Werner Koch
b6507bb80e kbx: Fix handling of overlong keys.
* kbx/keybox-file.c (IMAGELEN_LIMIT): Change limit from 10^6 to 2MiB.
(_keybox_read_blob2): Skip too long record records.
(_keybox_write_blob): Do not accept too long record.
* kbx/keybox-dump.c (file_stats_s): Add field skipped_long_blobs.
(_keybox_dump_file): Print new counter.
(_keybox_dump_file): Skip too long records.
----

To test this feature you may set the limit back to 1MiB and use key
F7F0E70F307D56ED which is in my local copy close to 2MiB.  Without
this patch it was possible to import the key but access to that key
and all keys stored after it was not possible.

Signed-off-by: Werner Koch <wk@gnupg.org>
2014-10-09 20:19:05 +02:00
Werner Koch
ec332d58ef gpg: Take care to use pubring.kbx if it has ever been used.
* kbx/keybox-defs.h (struct keybox_handle): Add field for_openpgp.
* kbx/keybox-file.c (_keybox_write_header_blob): Set openpgp header
flag.
* kbx/keybox-blob.c (_keybox_update_header_blob): Add arg for_openpgp
and set header flag.
* kbx/keybox-init.c (keybox_new): Rename to do_keybox_new, make static
and add arg for_openpgp.
(keybox_new_openpgp, keybox_new_x509): New.  Use them instead of the
former keybox_new.
* kbx/keybox-update.c (blob_filecopy): Add arg for_openpgp and set the
openpgp header flags.

* g10/keydb.c (rt_from_file): New.  Factored out and extended from
keydb_add_resource.
(keydb_add_resource): Switch to the kbx file if it has the openpgp
flag set.

* kbx/keybox-dump.c (dump_header_blob): Print header flags.
--

The problem was reported by dkg on gnupg-devel (2014-10-07):

  I just discovered a new problem, though, which will affect people on
  systems that have gpg and gpg2 coinstalled:

   0) create a new keyring with gpg2, and use it exclusively with gpg2
  for a while.
   1) somehow (accidentally?) use gpg (1.4.x) again -- this creates
  ~/.gnupg/pubring.gpg
   2) future runs of gpg2 now only look at pubring.gpg and ignore
  pubring.kbx -- the keys you had accumulated in the keybox are no
  longer listed in the output of gpg2 --list-keys

Note that gpgsm has always used pubring.kbx and thus this file might
already be there but without gpg ever inserted a key.  The new flag in
the KBX header gives us an indication whether a KBX file has ever been
written by gpg >= 2.1.  If that is the case we will use it instead of
the default pubring.gpg.

Signed-off-by: Werner Koch <wk@gnupg.org>
2014-10-09 19:10:32 +02:00
Werner Koch
d8c01d826f gpg: Change wording of a migration error message.
--
2014-10-09 10:56:25 +02:00
Kristian Fiskerstrand
6be5c4febc doc: Add missing entry for allow-preset-passphase
--
2014-10-09 08:25:09 +02:00
Daniel Kahn Gillmor
27fe067efe Avoid unnecessary library linkage
* dirmngr/Makefile.am: Avoid $(DNSLIBS) for dirmngr_ldap
* g10/Makefile.am: $(LIBREADLINE) is only for gpg2; gpgv2 does not
need $(LIBASSUAN_LIBS)
* sm/Makefile.am: gpgsm does not need $(ZLIBS)
* tools/Makefile.am: gpgconf does not need $(NPTH_LIBS)

--

In the course of building GnuPG 2.1.0 beta864 on debian, i found that
several of the installed executables were linked to libraries that
they did not need to be linked to, which would cause unnecessary
package dependencies at runtime.

The changeset here removes these unnecessary libraries from linking.

Something similar could possibly also be done by passing --as-needed
to the linker, but trimming the depenencies seems more parsimonious.
2014-10-09 08:17:32 +02:00
Werner Koch
3ae6afc133 gpg: Avoid error exit if keygrip computations fails in a key listing.
* g10/keyid.c (keygrip_from_pk): Use log_info and clear array on error.
--

This may happen due to algorithms or curves not supported by
Libgcrypt.  We should only print a warning and not have gpg return
with failure for a secret key listing.

Signed-off-by: Werner Koch <wk@gnupg.org>
2014-10-08 21:43:28 +02:00
Werner Koch
0c52bfa395 doc: Minor fix.
--

Due to todays reminder:

  On Tue 2014-04-22 18:46:15 -0400, Daniel Kahn Gillmor wrote:
  > With --trust-model=always, all keys and user IDs are considered
  > automatically valid; they are not automatically trusted (setting
  > universal ownertrust to anything other than "ultimate" would be
  > insufficient to acheive the effect of --trust-model=always, due to
  > --max-cert-depth and certificate path reachability).
  >
  > Thanks to Nicolai Josuttis for pointing out this documentation
  error.
2014-10-03 20:19:08 +02:00
Werner Koch
0943c7cc23 Release 2.1.0-beta864. 2014-10-03 15:45:32 +02:00
Werner Koch
841a797f6d speedo: Add INSTALL_PREFIX feature.
--

With this it is now possible build and install gnupg 2.1 properly
below /usr/local:

  make -f TOPSRC/build-aux/speed.ml native INSTALL_PREFIX=/usr/local

Of course you need installation priviliges for the /usr/local tree.
2014-10-03 15:30:38 +02:00
Werner Koch
bc8583f247 gpg: Allow creating a cert-only primary key.
* g10/keygen.c (ask_key_flags): Allow a 'c' in direct entry.
--

GnuPG-bug-id: 1726
2014-10-03 15:05:47 +02:00
Werner Koch
ade531acac Some doc fixes and a fix for "make distcheck".
--
2014-10-03 13:02:23 +02:00
Werner Koch
6522a68d8d build: Add configure options --disable-{ntb,gnu}tls.
* configure.ac: Add --disable-ntbtls and --disable-gnutls.
2014-10-03 12:35:22 +02:00
Andre Heinecke
a6fcdbc9e0 gpg: Check gpg-agent version before 2.1 migration.
* g10/call-agent.c, g10/call-agent.h (agent_get_version): New.
* g10/migrate.c (migrate_secring): Abort migration if
agent_get_version returns not at least 2.1.0

--
GnuPG-bug-id: 1718

On the first installation of GnuPG 2.1 it is likely that an
old gpg-agent is still running in the environment. In that
case the migration would fail.

Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
2014-10-03 12:19:07 +02:00
Werner Koch
09a8f75f30 po: Auto update translations.
--
2014-10-03 12:13:25 +02:00
Werner Koch
b15d5d42ad po: Update German translation. 2014-10-03 12:13:05 +02:00
Werner Koch
9c380384da Remove support for the GPG_AGENT_INFO envvar.
* agent/agent.h (opt): Remove field use_standard_socket.
* agent/command.c (cmd_killagent): Always allow killing.
* agent/gpg-agent.c (main): Turn --{no,}use-standard-socket and
--write-env-file into dummy options.  Always return true for
--use-standard-socket-p. Do not print the GPG_AGENT_INFO envvar
setting or set that envvar.
(create_socket_name): Simplify by removing non standard socket
support.
(check_for_running_agent): Ditto.
* common/asshelp.c (start_new_gpg_agent): Remove GPG_AGENT_INFO use.
* common/simple-pwquery.c (agent_open): Ditto.
* configure.ac (GPG_AGENT_INFO_NAME): Remove.
* g10/server.c (gpg_server): Do not print the AgentInfo comment.
* g13/server.c (g13_server): Ditto.
* sm/server.c (gpgsm_server): Ditto.
* tools/gpgconf.c (main): Simplify by removing non standard socket
support.
--

The indented fix to allow using a different socket than the one in the
gnupg home directory is to change Libassuan to check whether the
socket files exists as a regualr file with a special keyword to
redirect to another socket file name.
2014-10-03 11:58:58 +02:00
Werner Koch
688a903b4b gpg: Fix regression removing SHA256.
* g10/misc.c (map_md_openpgp_to_gcry): Always use SHA256.
--

Regression due to commit d332467005

GnuPG-bug-id: 1733.
2014-10-02 19:17:34 +02:00
Werner Koch
f2361e6d58 First changes for future use of NTBTLS.
* configure.ac (NEED_NTBTLS_ABI, NEED_NTBTLS_VERSION): New.
(HTTP_USE_NTBTLS): New.  Prefer over GNUTLS.
* m4/ntbtls.m4: New.
* m4/Makefile.am (EXTRA_DIST): Add new file.
* common/http.c: Add conditionals to eventually use NTBTLS.
--

This is only the configure stuff.  If you have NTBTLS installed GNUTLS
will not be used but there won't be any https support either :-(.
This patch is used to have a real world test bench for the forthcoming
library.
2014-10-02 17:33:57 +02:00
Werner Koch
6bc0cd6202 build: Update m4 scripts
* m4/gpg-error.m4: Update from Libgpg-error git master.
* m4/libgcrypt.m4: Update from Libgcrypt git master.
* configure.ac: Declare SYSROOT a precious variable.  Add extra error
message for library configuration mismatches.
2014-10-02 16:25:27 +02:00
Werner Koch
edd191e5b0 doc: Remove GnuPG-1 related parts from gpg.texi.
* doc/Makefile.am (YAT2M_OPTIONS): Add 2.1 to the source info.
* doc/gpg.texi: Remove gpg1 related texts.
2014-09-29 11:49:50 +02:00
Werner Koch
d332467005 gpg: Default to SHA-256 for all signature types on RSA keys.
* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA256 in --gnupg and SHA1 in
strict RFC or PGP modes.
* g10/sign.c (make_keysig_packet): Use DEFAULT_DIGEST_ALGO also for
RSA key signatures.
* configure.ac: Do not allow to disable sha256.
2014-09-27 15:28:17 +02:00
Werner Koch
f3625bb018 gpg: Simplify command --gen-key and add --full-gen-key.
* g10/gpg.c (aFullKeygen): New.
(opts): Add command --full-key-gen.
(main): Implement it.
* g10/keygen.c (DEFAULT_STD_ALGO): Replace wrong GCRY_PK_RSA although
the value is identical.
(DEFAULT_STD_CURVE): New.
(DEFAULT_STD_SUBALGO): New.
(DEFAULT_STD_SUBKEYSIZE): New.
(DEFAULT_STD_SUBCURVE): New.
(quick_generate_keypair): Use new macros here.
(generate_keypair): Add arg "full" and fix call callers. Do not ask
for keysize in non-full node.
(ask_user_id): Add arg "full" and simplify for non-full mode.
2014-09-27 15:14:13 +02:00
Werner Koch
f16e76cfb8 doc: Update the file OpenPGP
--

It should actually be completey reworked but for now I added just a
few notes.
2014-09-27 11:17:07 +02:00
Werner Koch
7ff4ea2160 gpg: Add shortcut for setting key capabilities.
* g10/keygen.c (ask_key_flags): Add shortcut '='.
* doc/help.txt (gpg.keygen.flags): New.
2014-09-26 14:43:48 +02:00
Werner Koch
20c6da50d4 gpg: Do not always print dashes in obsolete_option.
* g10/gpg.c (main): Pass option names to obsolete_option without
double dash.
* g10/misc.c (obsolete_option, obsolete_scdaemon_option): Print double
dash only for command line options.
2014-09-25 22:14:30 +02:00
Daniel Kahn Gillmor
371c2b14b0 gpg: Warn about (but don't fail) on scdaemon options in gpg.conf.
* g10/gpg.c: Add config options that should belong in scdaemon.conf
* g10/main.h, g10/misc.c (obsolete_scdaemon_option): New.

--

In gpg2, the following options are only relevant for scdaemon:

 reader-port
 ctapi-driver
 pcsc-driver
 disable-ccid

but in gpg1, they are options for gpg itself.

Some users of gpg1 might have these options in their
~/.gnupg/gpg.conf, which causes gpg2 to fail hard if it reads that
config file.

gpg2 should not fail hard, though giving a warning (and suggesting a
move to scdaemon.conf) seems OK.

This patch does *not* reintroduce any documentation for these options
in gpg.texi, even to indicate that they are "dummy" options, since
scdaemon.texi contains the appropriate documentation.

Debian-bug-id: 762844

- Program names factored out from obsolete_scdaemon_option to make
  reuse without new translations easier. -wk
2014-09-25 22:05:29 +02:00
Werner Koch
26592fbef3 build: Change urlbase of getswdb.sh.
--
2014-09-25 08:44:57 +02:00
Werner Koch
64c15a7e11 Reformat README and minor gpg.texi improvement.
--

The second thing is to explain the file names below under
~/.gnupg/openpgp-revocs.d/.
2014-09-24 14:40:11 +02:00
Werner Koch
fb223be97b Register DCO for Daniel Kahn Gillmor.
--
2014-09-24 14:37:48 +02:00
Werner Koch
59b6f6f16e speedo: Check that wget and gpgv are installed.
* build-aux/getswdb.sh: Check for required tools.
2014-09-22 14:38:55 +02:00
Werner Koch
2427bc5bc7 speedo: Autodetect sha1sum tools.
* build-aux/getswdb.sh: Add option --find-sha1sum.
* build-aux/speedo.mk (check-tools): New phony target.  Not yet used.
(SHA1SUM): New var.  Use it instead of sha1sum.
2014-09-22 13:51:35 +02:00
Werner Koch
bc2f5c1d1a gpg: Create default keyring with .kbx suffix.
* g10/keydb.c (maybe_create_keyring_or_box): Rename arg for clarity.
(keydb_add_resource): Fix order of args to maybe_create_keyring_or_box
and check and create .kbx.
2014-09-22 08:36:24 +02:00
Werner Koch
a4205d5ed0 doc: Fix --secret-keyring option for 2.1
--
2014-09-22 08:33:54 +02:00
Werner Koch
1d33d03f0b gpg: --delete-secret-key - check that a secret key exists.
* g10/delkey.c (do_delete_key): Check availibility of a secret key.
--

Actually we check that at least one secret subkey exists.
2014-09-20 16:27:16 +02:00
Werner Koch
cf648fc5c8 gpg: Make algorithm selection prompt for ECC more clear.
* g10/keygen.c (ask_algo): Change 9 to "ECC and ECC".
2014-09-20 15:17:11 +02:00
Werner Koch
72137a4522 Register DCO for Andre Heinecke.
--
2014-09-20 11:59:25 +02:00
Werner Koch
34a3e458d0 Post beta release update.
--
2014-09-18 18:28:40 +02:00
Werner Koch
93f158df38 Release 2.1.0-beta834. 2014-09-18 17:57:09 +02:00
Werner Koch
72a16d80d4 speedo: Distribute needed files.
* Makefile.am (EXTRA_DIST): Add speedo stuff.
2014-09-18 17:55:40 +02:00
Werner Koch
345a8374f3 build: Enable gpgtar by default. 2014-09-18 17:32:36 +02:00
Werner Koch
927db789c1 common: Do not build maintainer modules in non-maintainer mode.
* common/Makefile.am (module_maint_tests): Use only in maintainer
mode.
(t_common_cflags): New.
2014-09-18 17:03:06 +02:00
Werner Koch
cad181b5ec common: Remove superfluous statements.
* common/exechelp-posix.c: Remove weak pragmas.
* common/sexputil.c (make_canon_sexp_from_rsa_pk): Remove double
const.
--

We do not use Pth anymore and thus there is no more need for the weak
pragmas.
2014-09-18 16:01:11 +02:00
Werner Koch
6e7bcabd78 g13: Avoid segv after pipe creation failure.
* g13/call-gpg.c (gpg_encrypt_blob): Init some vars in case of an
early error.
(gpg_decrypt_blob): Ditto.
2014-09-18 16:01:05 +02:00