1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-11 21:48:50 +01:00
Commit Graph

8106 Commits

Author SHA1 Message Date
Werner Koch
6530aff692
Post release updates.
--
2017-11-07 11:04:44 +01:00
Werner Koch
5bd5150050
Release 2.2.2
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-07 10:23:07 +01:00
Werner Koch
30f21f8b0f
dirmngr: Reduce default LDAP timeout to 15 seconds.
* dirmngr/dirmngr.c (DEFAULT_LDAP_TIMEOUT): Change to 15.
* dirmngr/dirmngr_ldap.c (DEFAULT_LDAP_TIMEOUT): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit ab7ac82704)
GnuPG-bug-id: 3487
2017-11-07 10:05:18 +01:00
Werner Koch
ab7ac82704
dirmngr: Reduce default LDAP timeout to 15 seconds.
* dirmngr/dirmngr.c (DEFAULT_LDAP_TIMEOUT): Change to 15.
* dirmngr/dirmngr_ldap.c (DEFAULT_LDAP_TIMEOUT): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-07 10:02:53 +01:00
Werner Koch
23bfac6d1a
speedo: Include software versions in the W32 README
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f9f72ffbfa)
2017-11-07 09:29:04 +01:00
Ineiev
1941287c9d
po: Update Russian translation 2017-11-07 09:28:10 +01:00
Werner Koch
f9f72ffbfa
speedo: Include software versions in the W32 README
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-07 09:25:28 +01:00
NIIBE Yutaka
96d441b315 po: Update Japanese translation 2017-11-07 11:16:02 +09:00
NIIBE Yutaka
380bce13d9 agent: Use clock or clock_gettime for calibration.
* agent/protect.c (calibrate_get_time): Use clock or clock_gettime.

--

For calibration, clock(3) is better than times(3) among UNIXen.
Tested on NetBSD 7.1 and FreeBSD 11.1, using QEMU.

Thanks to Damien Goutte-Gattat for the information of use of
CLOCKS_PER_SEC;  The old code with times(3) is not 100% correct,
in terms of POSIX.  It should have used sysconf (_SC_CLK_TCK) instead
of CLOCKS_PER_SEC.  CLOCKS_PER_SEC is specifically for clock(3).

GnuPG-bug-id: 3056, 3276, 3472
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-11-07 10:49:36 +09:00
Werner Koch
42308224d1
tests: Minor imporvement in agent invocation
* tests/openpgp/defs.scm (create-gpghome): Add s2k-count.
--

My tests show only 2.5% improvement, but as we have that option now
let's use it.

real    9m12.604s
user    2m20.720s
sys     0m11.452s

real    8m3.815s
user    2m16.700s
sys     0m11.544s

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-06 16:49:07 +01:00
Werner Koch
3607ab2cf3
agent: New GETINFO sub-commands "s2k_count_cal" and "s2k_time".
* agent/command.c (cmd_getinfo): New sub-commands.
* agent/protect.c (get_standard_s2k_count): Factor some code out to ...
(get_calibrated_s2k_count): new.
(get_standard_s2k_time): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 52d41c8b0f)
2017-11-06 15:11:24 +01:00
Werner Koch
78a6d0ce88
agent: New option --s2k-count.
* agent/agent.h (opt): New field 's2k_count'.
* agent/gpg-agent.c (oS2KCount): New enum value.
(opts): New option --s2k-count.
(parse_rereadable_options): Set opt.s2k_count.
--

This option is useful to speed up the starting of gpg-agent and in
cases where the auto-calibration runs into problems due to a broken
time measurement facility.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f7212f1d11)
2017-11-06 15:11:13 +01:00
Werner Koch
52d41c8b0f
agent: New GETINFO sub-commands "s2k_count_cal" and "s2k_time".
* agent/command.c (cmd_getinfo): New sub-commands.
* agent/protect.c (get_standard_s2k_count): Factor some code out to ...
(get_calibrated_s2k_count): new.
(get_standard_s2k_time): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-06 15:03:06 +01:00
Werner Koch
f7212f1d11
agent: New option --s2k-count.
* agent/agent.h (opt): New field 's2k_count'.
* agent/gpg-agent.c (oS2KCount): New enum value.
(opts): New option --s2k-count.
(parse_rereadable_options): Set opt.s2k_count.
--

This option is useful to speed up the starting of gpg-agent and in
cases where the auto-calibration runs into problems due to a broken
time measurement facility.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-06 13:57:30 +01:00
NIIBE Yutaka
680161647a
g10: Unattended key generation "Key-Grip" and "Subkey-Grip".
* g10/keygen.c (pSUBKEYGRIP): New.
(read_parameter_file): Add "Key-Grip" and "Subkey-Grip".
(do_generate_keypair): Support pSUBKEYGRIP.

--

In the manual, it says "Key-Grip".  gpgsm also supports "Key-Grip".
Adding "Subkey-Grip" now, adding "Key-Grip" makes sense.

GnuPG-bug-id: 3478
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 6c63a04569)
2017-11-06 12:10:09 +01:00
NIIBE Yutaka
f183b9768b
g10: Simplify "factory-reset" procedure.
* g10/card-util.c (factory_reset): Simplify.

--

In this summer, I got report about old code before this change didn't
work with newer Yubikey.  I got another report test version of OpenPGP
card V3.3 implementation didn't work, either.  Then, I confirmed that
according to the OpenPGP card specification, the procedure of old code
is not expected by its author.

This change simplify "factory-reset" as simple.

Only versions of Gnuk 1.2.2, 1.2.3, 1.2.4, won't work with this
change.  That's because the factory-reset feature of Gnuk was
introduced by reading the implementation of GnuPG, instead of reading
the specification.  Gnuk 1.2.5 and later works well.  All OpenPGPcard
implementations I have work well (2.0, 2.1, 2.2, test version of 3).

GnuPG-bug-id: 3286
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit d63b7966cd)
2017-11-06 12:09:37 +01:00
Ineiev
6070f5a61d
po: Update Russian translation 2017-11-02 21:30:57 +01:00
Werner Koch
296783a318
po: Fixed one string wrongly marked as fuzzy.
--

These seems to a a small gettext bug which claimed that
 "NOTE: There is no guarantee that the card supports[...]"
was changed.  Also committed changes due to msgmerge.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-02 17:45:15 +01:00
Werner Koch
a124907742
po: Update German translation
--
2017-11-02 17:38:02 +01:00
Werner Koch
acb3005434
gpg: Introduce magic value 25519 to switch a card to ECC.
* g10/card-util.c (ask_card_keyattr): Handle special value 25519.
(do_change_keyattr): Allow changing to cv25519/ed25519.
(generate_card_keys): Ditto.
(card_generate_subkey): Ditto.
--

This is kludge to make it easier for gnuk to be switched into ECC
mode.  This is basically the same change as
commit ea09b6cded
but without the string change in show_keysize_warning.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-02 17:31:57 +01:00
Werner Koch
de3a740c2e
gpg: Rename two card related functions in card-util.
* g10/card-util.c (ask_card_rsa_keysize): Rename to ask_card_keyattr.
(do_change_rsa_keysize): Rename to do_change_keyattr.
--

We want to support other algos than RSA and thus we need a better name
for the functions.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f795f4529d)
2017-11-02 17:22:59 +01:00
Werner Koch
922bae8082
gpg: Unifiy the message for re-configuring cards.
* g10/card-util.c (ask_card_keyattr): Print "rsaNNNN".
--

This is a separate patch from the previous to avoid string changes
when backporting the other patch to 2.2.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-02 17:20:13 +01:00
Werner Koch
ea09b6cded
gpg: Introduce magic value 25519 to switch a card to ECC.
* g10/card-util.c (show_keysize_warning): Slightly change the text.
(ask_card_keyattr): Handle special value 25519.
(do_change_keyattr): Allow changing to cv25519/ed25519.
(generate_card_keys): Ditto.
(card_generate_subkey): Ditto.
--

This is kludge to make it easier for gnuk to be switched into ECC
mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-02 17:16:14 +01:00
NIIBE Yutaka
3da47d19df
agent: Fix returning GPG_ERR_NOT_FOUND wrongly.
* agent/learncard.c (agent_handle_learn): Find SERIALNO.

--

Bug is: "gpg-connect-agent learn /bye" just fails wrongly.

Fixes-commit: 8c8ce8711d
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 5e96fe72e4)
2017-11-02 17:04:03 +01:00
Werner Koch
1651310203
build: Remove configure options --disable-gpg
--

gpg is used by several other components as well as from the test
suite.  We need it.

GnuPG-bug-id: 3479
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-02 16:55:17 +01:00
NIIBE Yutaka
5e96fe72e4 agent: Fix returning GPG_ERR_NOT_FOUND wrongly.
* agent/learncard.c (agent_handle_learn): Find SERIALNO.

--

Bug is: "gpg-connect-agent learn /bye" just fails wrongly.

Fixes-commit: 8c8ce8711d
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-11-02 16:23:10 +09:00
NIIBE Yutaka
0e5bd473a0
common: Accept the Z-suffix for yymmddThhmmssZ format.
* common/gettime.c (isotime_p): Accept the Z suffix.

--

The intention is use for human interface.

GnuPG-bug-id: 3278
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit ba8afc4966)
2017-11-01 18:35:29 +01:00
Werner Koch
fd3f5ca151
Register another OpenPGP card vendor.
--
2017-11-01 18:17:44 +01:00
Werner Koch
87b94e08d7
gpg: Remove trailing comma in an enum.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-01 18:14:26 +01:00
Werner Koch
f795f4529d
gpg: Rename two card related functions in card-util.
* g10/card-util.c (ask_card_rsa_keysize): Rename to ask_card_keyattr.
(do_change_rsa_keysize): Rename to do_change_keyattr.
--

We want to support other algos than RSA and thus we need a better name
for the functions.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-01 18:13:25 +01:00
NIIBE Yutaka
6c63a04569 g10: Unattended key generation "Key-Grip" and "Subkey-Grip".
* g10/keygen.c (pSUBKEYGRIP): New.
(read_parameter_file): Add "Key-Grip" and "Subkey-Grip".
(do_generate_keypair): Support pSUBKEYGRIP.

--

In the manual, it says "Key-Grip".  gpgsm also supports "Key-Grip".
Adding "Subkey-Grip" now, adding "Key-Grip" makes sense.

GnuPG-bug-id: 3478
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-11-01 10:19:35 +09:00
NIIBE Yutaka
d63b7966cd g10: Simplify "factory-reset" procedure.
* g10/card-util.c (factory_reset): Simplify.

--

In this summer, I got report about old code before this change didn't
work with newer Yubikey.  I got another report test version of OpenPGP
card V3.3 implementation didn't work, either.  Then, I confirmed that
according to the OpenPGP card specification, the procedure of old code
is not expected by its author.

This change simplify "factory-reset" as simple.

Only versions of Gnuk 1.2.2, 1.2.3, 1.2.4, won't work with this
change.  That's because the factory-reset feature of Gnuk was
introduced by reading the implementation of GnuPG, instead of reading
the specification.  Gnuk 1.2.5 and later works well.  All OpenPGPcard
implementations I have work well (2.0, 2.1, 2.2, test version of 3).

GnuPG-bug-id: 3286
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-10-30 11:59:11 +09:00
NIIBE Yutaka
3924e1442c
agent: Clean up pinentry access locking.
* agent/agent.h (struct server_control_s): Rename PINENTRY_ACTIVE.
* agent/call-pinentry.c (entry_owner): Remove.
(agent_reset_query): Use thread private object of PINENTRY_ACTIVE.
(unlock_pinentry): Add CTRL to arguments to access thread private.
Check and decrement PINENTRY_ACTIVE for recursive use.
(start_pinentry): Check and increment PINENTRY_ACTIVE for recursion.
(agent_askpin): Follow the change of unlock_pinentry API.
(agent_get_passphrase, agent_get_confirmation): Likewise.
(agent_show_message, agent_popup_message_start): Likewise.
(agent_popup_message_stop, agent_clear_passphrase): Likewise.

--

We use the member PINENTRY_ACTIVE as a thread private object.
It's only valid for a single thread at a time.

It would be possible to have a thread shared object of
PINENTRY_ACTIVE, keeping ENTRY_OWNER for distinguishing its
owner (which is also a thread shared object).  But, in this case,
access to ENTRY_OWNER is tricky (only comparison to accessing thread
would be OK with no lock), or we need to introduce another lock for
accessing ENTRY_OWNER, which complicates the code too much.

So, simply have a thread private object for recursive pinentry access.

GnuPG-bug-id: 3190
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit fb7828676c)
2017-10-27 14:15:58 +02:00
NIIBE Yutaka
4738256f2e
agent: Allow recursive use of pinentry.
* agent/agent.h (struct server_control_s): Add pinentry_level.
* agent/call-pinentry.c (agent_popup_message_stop): Not clear
ENTRY_CTX here.
(unlock_pinentry): Handle recursion.  Clear ENTRY_CTX here.
(start_pinentry): Allow recursive use.

--

GnuPG-bug-id: 3190
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 3b66a256e3)
2017-10-27 14:15:50 +02:00
Werner Koch
f6ab97fd96
Merge branch 'STABLE-BRANCH-2-2' into master
--
Resolved Conflicts:
	configure.ac - Adjust due to new log_clock otions
2017-10-27 13:56:15 +02:00
NIIBE Yutaka
fb7828676c agent: Clean up pinentry access locking.
* agent/agent.h (struct server_control_s): Rename PINENTRY_ACTIVE.
* agent/call-pinentry.c (entry_owner): Remove.
(agent_reset_query): Use thread private object of PINENTRY_ACTIVE.
(unlock_pinentry): Add CTRL to arguments to access thread private.
Check and decrement PINENTRY_ACTIVE for recursive use.
(start_pinentry): Check and increment PINENTRY_ACTIVE for recursion.
(agent_askpin): Follow the change of unlock_pinentry API.
(agent_get_passphrase, agent_get_confirmation): Likewise.
(agent_show_message, agent_popup_message_start): Likewise.
(agent_popup_message_stop, agent_clear_passphrase): Likewise.

--

We use the member PINENTRY_ACTIVE as a thread private object.
It's only valid for a single thread at a time.

It would be possible to have a thread shared object of
PINENTRY_ACTIVE, keeping ENTRY_OWNER for distinguishing its
owner (which is also a thread shared object).  But, in this case,
access to ENTRY_OWNER is tricky (only comparison to accessing thread
would be OK with no lock), or we need to introduce another lock for
accessing ENTRY_OWNER, which complicates the code too much.

So, simply have a thread private object for recursive pinentry access.

GnuPG-bug-id: 3190
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-10-27 09:54:48 +09:00
NIIBE Yutaka
3b66a256e3 agent: Allow recursive use of pinentry.
* agent/agent.h (struct server_control_s): Add pinentry_level.
* agent/call-pinentry.c (agent_popup_message_stop): Not clear
ENTRY_CTX here.
(unlock_pinentry): Handle recursion.  Clear ENTRY_CTX here.
(start_pinentry): Allow recursive use.

--

GnuPG-bug-id: 3190
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-10-26 14:40:38 +09:00
NIIBE Yutaka
05cb87276c agent, tests: Support --disable-scdaemon build case.
* agent/command.c (cmd_scd): Support !BUILD_WITH_SCDAEMON.
* tests/openpgp/defs.scm (create-gpghome): Likewise.
* tests/gpgsm/gpgsm-defs.scm (create-gpgsmhome): Likewise.

--

We could modify gpg-agent to remove all support of scdaemon, with no
inclusion of call-scd.c, divert-scd.c, and learncard.c, but it would
not be worth to do that.

GnuPG-bug-id: 3316
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-10-26 11:39:49 +09:00
NIIBE Yutaka
b13972dfbf Fix comment of configure.
* configure.ac (BUILD_WITH_DIRMNGR): Comment fix.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-10-26 11:38:50 +09:00
NIIBE Yutaka
bf26c08b95 agent, tests: Support --disable-scdaemon build case.
* agent/command.c (cmd_scd): Support !BUILD_WITH_SCDAEMON.
* tests/openpgp/defs.scm (create-gpghome): Likewise.
* tests/gpgsm/gpgsm-defs.scm (create-gpgsmhome): Likewise.

--

We could modify gpg-agent to remove all support of scdaemon, with no
inclusion of call-scd.c, divert-scd.c, and learncard.c, but it would
not be worth to do that.

GnuPG-bug-id: 3316
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-10-26 11:24:39 +09:00
NIIBE Yutaka
3549dce4f5 Fix comment of configure.
* configure.ac (BUILD_WITH_DIRMNGR): Comment fix.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-10-26 11:19:45 +09:00
Werner Koch
84af859e39
gpg: Avoid superfluous sig check info during import.
* g10/key-check.c (print_info): New.
(key_check_all_keysigs): Print sig checking results only in debug
mode.  Prettify the stats info and suppress them in quiet mode.

--

This also makes usable stats by prefixing them with the key and the
program name.

GnuPG-bug-id: 3397
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-24 21:11:38 +02:00
Werner Koch
812fe29bff
build: New configure option --enable-werror
* configure.ac: Implement that option.
--

This can be used as a workaround in case of bogus autoconf tests.

GnuPG-bug-id: 2423
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-24 18:44:49 +02:00
Werner Koch
e417aaf698
build: Do not mess with CFLAGS in configure.
* configure.ac: Do not mess with the user provided CFLAGS.
--

A problem was claimed with some configure tests if the user provided
CFLAGS=-Werror.  The commit introducing this

Fixes-commit: 02eb9fc9d5

does not mention a concrete case.  Anyway, messing with CFLAGS is a
bad idea because configure tests will then test something different
than what is used later (cf. autoconf manual).  Tests which depend on
the whether -Werror is used needsto be fixed.

Note that in certain cases we modify CFLAGS.  This is only done for
some configure options or if the platform requires the use of special
compiler flags (e.g. on HP/UX).

GnuPG-bug-id: 2423
2017-10-24 18:34:28 +02:00
Rainer Perske
1067403c8a
sm: Do not expect X.509 keyids to be unique
* sm/certlist.c (gpgsm_find_cert): Add arg allow_ambiguous and use it.
* sm/call-dirmngr.c (inq_certificate): Pass true to ALLOW_AMBIGUOUS
(run_command_inq_cb): Ditto.
* sm/gpgsm.c (main): Pass false.
* sm/server.c (cmd_passwd): Pass false.

--

As described in my report T1644, it is possible that multiple
certificates exist with the same Distinguished Name and the same key.
In this case, verifying S/MIME signatures and other actions fail with
"certificate not found: Ambiguous name". For details see the bug
report.

To circumvent the problem, I am patching GnuPG since 2014 so that in
this case the newest of the ambiguous certificates is used.

This is not an ultimate solution of the problem: You should try every
certificate with the same DN until verification succeeds or until all
certificates fail, and if multiple certificates of a chain are
ambiguous you even have to check every combination. You may even
consider checking the keyUsage attributes of the ambiguous certificates
to reduce the number of combinations.

But in the existing case of the certificates in the German Research
Network (DFN) PKI where the newest one is the valid one and all
ambiguous certificates have the same keyUsage attributes, this patch
has proven to be sufficient over the last three years.

With every GnuPG update, I have adapted the patch, luckily I never
needed to change anything except line numbers.

GnuPG-bug-id: 1644

ChangeLog log written by wk, comment taken from mail.  Signed-off line
was missing in the plain diff.  However the mail with the patch and
the DCO posted as reply to that mail were both signed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-24 17:29:04 +02:00
Werner Koch
f8e2d87532
Register DCO for Rainer Perske
--
2017-10-24 17:16:27 +02:00
Werner Koch
6e808ae470
gpgconf: Ignore non-installed components with --apply-profile.
* tools/gpgconf-comp.c (retrieve_options_from_program): Add arg
only_installed.
(gc_component_retrieve_options): Use this if we want to process all
components.
--

Note that this also also ignores them in --with-defaults.  This is
useful for systems which come without scdaemon.

GnuPG-bug-id: 3313
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-24 12:01:35 +02:00
Werner Koch
560d85ecff
gpg: Improve the "secret key available" notice in keyedit.c
* g10/keyedit.c (KEYEDIT_NEED_SUBSK): New.
(cmds): Add this flag to keytocard, bkuptocard, expire, and passwd.
(keyedit_menu): Check whether only subkeys are available and take care
of that in the command check and in the HELP listing.  Also print a
different notice if only subkeys are available.
--

Print "Secret key is available" and the bailing out in all commands
which require the _primary_ secret key was surprising.  Now we print
another notice and adjust the checks.

GnuPG-bug-id: 3463
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-24 10:56:13 +02:00
Werner Koch
016538d828
gpg: Remove unused flags from keyedit.c.
* g10/keyedit.c (KEYEDIT_NOT_SK, KEYEDIT_ONLY_SK): Remove.
(cmds): Remove them.
--

These flags were cruft from the time we had to switch between secret
and public key view.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-24 09:35:25 +02:00
Werner Koch
9e3f2a7e0b
doc: Fix "SEE ALSO" section of gpgv.
--
2017-10-20 08:56:39 +02:00