1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

4627 Commits

Author SHA1 Message Date
Werner Koch
715285bcbc gpgsm: Handle re-issued CA certificates in a better way.
* sm/certchain.c (find_up_search_by_keyid): Consider all matching
certificates.
(find_up): Add some debug messages.
--

The DFN-Verein recently re-issued its CA certificates without
generating new keys.  Thus looking up the chain using the authority
keyids works but may use still existing old certificates.  This may
break the CRL lookup in the Dirmngr.  The hack to fix this is by using
the latest issued certificate with the same subject key identifier.

As usual Peter Gutman's X.509 style guide has some comments on that
re-issuing.

GnuPG-bug-id: 1644
2014-06-02 16:02:30 +02:00
Werner Koch
42c043a8ad gpgsm: Add a way to save a found state.
* kbx/keybox-defs.h (keybox_found_s): New.
(keybox_handle): Factor FOUND out to above.  Add saved_found.
* kbx/keybox-init.c (keybox_release): Release saved_found.
(keybox_push_found_state, keybox_pop_found_state): New.

* sm/keydb.c (keydb_handle): Add field saved_found.
(keydb_new): Init it.
(keydb_push_found_state, keydb_pop_found_state): New.
2014-06-02 15:55:00 +02:00
Werner Koch
99972bd6e9 gpg: Fix bug parsing a zero length user id.
* g10/getkey.c (get_user_id): Do not call xmalloc with 0.

* common/xmalloc.c (xmalloc, xcalloc): Take extra precaution not to
pass 0 to the arguments.
--

The problem did not occur in 1.x because over there the xmalloc makes
sure to allocate at least one byte.  With 2.x for most calls the
xmalloc of Libgcrypt is used and Libgcrypt returns an error insteead
of silent allocating a byte.  Thus gpg 2.x bailed out with an
"Fatal: out of core while allocating 0 bytes".

The extra code in xmalloc.c is for more robustness for the other
xmalloc calls.
2014-06-02 11:47:25 +02:00
Werner Koch
9e1c99f800 dirmngr: Print certificates on failed TLS verification.
* dirmngr/ks-engine-hkp.c (cert_log_cb): New.
(send_request): Set callback.
--

We use the KSBA functions here because we have them anyway in Dirmngr.
2014-05-19 09:48:42 +02:00
Werner Koch
45f15b2d76 http: Add callback to help logging of server certificates.
* common/http.c (http_session_s): Add field cert_log_cb.
(http_session_set_log_cb): New.
(http_verify_server_credentials): Call callback.
2014-05-19 09:47:18 +02:00
Werner Koch
d2d9d4fb60 keyserver: Improve support for hkps pools.
* dirmngr/ks-engine-hkp.c (hostinfo_s): Add fields cname, v4addr, and
v6addr.
(create_new_hostinfo): Clear them.
(my_getnameinfo): Add args numeric and r_isnumeric.
(is_ip_address): New.
(map_host): Add arg r_host.  Rewrite the code to handle pools in a
special way.
(ks_hkp_print_hosttable): Change format of help info output.
(make_host_part): Add arg optional r_httphost.
(send_request): Add arg httphost.
(ks_hkp_search, ks_hkp_get, ks_hkp_put): Get httphost and pass it to
send_request.
--

This changes quite some things on how the hostinfo is maintained.
However, it might be better to rework the data structures and have one
entry per IP address instead of this clumsy patch.
2014-05-16 21:15:40 +02:00
Werner Koch
8b90d79818 http: Allow overriding of the Host header.
* common/http.c (http_open): Add arg httphost.
(http_open_document): Pass NULL for httphost.
(send_request): Add arg httphost.  If given, use HTTPHOST instead of
SERVER.  Use https with a proxy if requested.
(http_verify_server_credentials): Do not stop at the first error
message.
* dirmngr/ocsp.c (do_ocsp_request): Adjust call to http_open.
* keyserver/curl-shim.c (curl_easy_perform): Ditto.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ks-engine-hkp.c (ks_hkp_help): Ditto.
2014-05-16 21:01:08 +02:00
Werner Koch
25036ec6ab gpg: Fix uninitialized access to search descindex with gpg keyboxes.
* kbx/keybox-search.c (keybox_search): Add arg  R_DESCINDEX.  Chnage
both callers.
* g10/keydb.c (keydb_search): Always set DESCINDEX.
--

This only affects the new keybox for OpenPGP keys in 2.1.  The bug
exhibited itself by running GPA's backup command on Windows.
2014-05-14 18:13:11 +02:00
Werner Koch
71fa6a3510 w32: Make make_absfilename work with drive letters.
* common/stringhelp.c (do_make_filename) [HAVE_DRIVE_LETTERS]: Fix.
2014-05-14 18:13:07 +02:00
Werner Koch
455a4a2212 gpg: Remove useless diagnostic in MDC verification.
* g10/decrypt-data.c (decrypt_data): Do not distinguish between a bad
MDC packer header and a bad MDC.
--

The separate diagnostic was introduced for debugging a problems.  For
explaining an MDC error a single error message is easier to
understand.
2014-05-14 08:56:39 +02:00
Werner Koch
b2945c451d gpg: Fix glitch entering a full expiration time.
* g10/keygen.c (ask_expire_interval): Get the current time after the
prompt.
--

This almost avoid that an entered full ISO timestamp is not used as
given but off by the time the user required to enter the timestamp.

GnuPG-bug-id: 1639
2014-05-14 08:56:36 +02:00
Werner Koch
4aeb02562c agent: Fix import of non-protected gpg keys.
* agent/cvt-openpgp.c (do_unprotect): Return an s-exp also for
non-protected keys.
(convert_from_openpgp_main): Do not call agent_askpin for a
non-protected key.
2014-05-08 10:28:24 +02:00
Werner Koch
cb2aeb4e11 Make more use of *_NAME macros.
* configure.ac (GPG_DISP_NAME, GPGSM_DISP_NAME): New.
(GPG_AGENT_DISP_NAME, SCDAEMON_DISP_NAME): New.
(DIRMNGR_DISP_NAME, G13_DISP_NAME): New.
(GPGCONF_DISP_NAME): New.
(SCDAEMON_SOCK_NAME): New.
* common/argparse.c (show_help): Map description string.
2014-05-08 10:28:23 +02:00
NIIBE Yutaka
fb24808db9 agent: Fix auth key comment handling.
* agent/command-ssh.c (ssh_send_key_public): Handle the case with no
comment.
2014-05-08 11:46:38 +09:00
Werner Koch
57011da53e Make -jN work again.
* common/Makefile.am ($(PROGRAMS)): New rule
(t_http_LDADD): Use libcommontls.a without directory prefix.
* dirmngr/Makefile.am ($(PROGRAMS)): New rule.
2014-05-07 16:37:15 +02:00
Werner Koch
359c643d74 gpg: Print the key algorithm/curve with signature info.
* g10/mainproc.c (check_sig_and_print): Print the name and curve.
2014-05-07 15:05:34 +02:00
Werner Koch
e73edfb175 gpg: Fix memleak in signature verification of bogus keys.
* g10/mainproc.c (check_sig_and_print): Factor common code out to ...
(print_good_bad_signature): here.
--

P was not released if the key had no user id.
2014-05-07 14:36:34 +02:00
Werner Koch
e5279c85a0 gpg: Fix indendation of check_sig_and_print.
--
2014-05-07 14:08:42 +02:00
Werner Koch
09055aa0f7 gpg: Mark experimental algorithms in the key listing.
* g10/keylist.c (list_keyblock_print): Remove duplicate curve name.
Print a note for experimental algorithms.
* g10/misc.c (print_pubkey_algo_note): Fix warning message.
2014-05-07 13:50:00 +02:00
Werner Koch
8fee6c1ce6 gpg: Finish experimental support for Ed25519.
* agent/cvt-openpgp.c (try_do_unprotect_arg_s): Add field "curve".
(get_keygrip): Add and use arg CURVE.
(convert_secret_key): Ditto.
(convert_transfer_key): Ditto.
(get_npkey_nskey): New.
(prepare_unprotect): Replace gcrypt functions by
get_npkey_nskey.  Allow opaque MPIs.
(do_unprotect): Use CURVE instead of parameters.
(convert_from_openpgp_main): Ditto.
(convert_to_openpgp):  Simplify.
* g10/import.c (one_mpi_from_pkey): Remove.
(transfer_secret_keys): Rewrite to use the curve instead of the
parameters.
* g10/parse-packet.c (parse_key): Mark protected MPIs with USER1 flag.

* common/openpgp-oid.c (openpgp_curve_to_oid): Allow the use of
 "NIST P-256" et al.
* g10/keygen.c (ask_curve): Add arg ALGO.
(generate_keypair): Rewrite the ECC key logic.

* tests/openpgp/ecc.test: Provide the "ecc" passphrase.
2014-05-07 13:27:43 +02:00
Werner Koch
bdb9c2b314 kbx: Add experimental support for EDDSA.
* kbx/keybox-openpgp.c (parse_key): Use algo constants and add
experimental support for EdDSA.
2014-05-07 12:39:43 +02:00
Werner Koch
a63ed98758 agent: Remove greeting message.
* agent/gpg-agent.c (main): Remove greeting.  Make --no-greeting a
dummy.
2014-05-07 08:51:11 +02:00
Werner Koch
6477e51919 Use "samethread" mode keyword for some es_fopenmem.
* dirmngr/ks-engine-hkp.c (armor_data): Add mode keyword.
* g10/call-dirmngr.c (ks_put_inq_cb): Ditto.
* scd/atr.c (atr_dump): Ditto.
2014-05-06 09:49:26 +02:00
Werner Koch
60e2fc7d38 dirmngr: Add support for hkps keyservers.
* dirmngr/dirmngr.c: Include gnutls.h.
(opts): Add --gnutls-debug and --hkp-cacert.
(opt_gnutls_debug, my_gnutls_log): New.
(set_debug): Set gnutls log level.
(parse_rereadable_options): Register a CA file.
(main): Init GNUTLS.
* dirmngr/ks-engine-hkp.c (ks_hkp_help): Support hkps.
(send_request): Ditto.
2014-05-05 16:23:37 +02:00
Werner Koch
ea0f5481f0 http: Add reference counting to the session object.
* common/http.c (http_session_t): Add field "refcount".
(_my_socket_new, _my_socket_ref, _my_socket_unref): Add debug code.
(send_request, my_npth_read, my_npth_write): Use SOCK object for the
transport ptr.
(http_session_release): Factor all code out to ...
(session_unref): here.  Deref SOCK.
(http_session_new): Init refcount and transport ptr.
(http_session_ref): New.  Ref and unref all assignments.
--

Having the reference counted session objects makes it easier for the
application to pass around only an estream.  Without that the
application would need to implement an es_onclose machinery for the
session object.
2014-05-05 16:06:42 +02:00
Werner Koch
0e59195642 http: Add HTTP_FLAG_FORCE_TLS and http_get_tls_info.
* common/http.c (http_parse_uri): Factor code out to ...
(parse_uri): here.  Add arg FORCE_TLS.
(do_parse_uri): Ditto.  Implement flag.
(http_get_tls_info): New.
(http_register_tls_ca): Allow clearing of the list.
(send_request): Use a default verification function.
* common/http.h (HTTP_FLAG_FORCE_TLS): New.
* common/t-http.c (main): Add several command line options.
2014-05-02 17:28:02 +02:00
Werner Koch
2def230231 common: Fix test for openpgp_oid_is_ed25519.
* common/t-openpgp-oid.c (test_openpgp_oid_is_ed25519): Add correct
value.
2014-05-02 14:07:03 +02:00
Werner Koch
8412a5825c http: Revamp TLS API.
* configure.ac (NEED_GNUTLS_VERSION): New.
(HTTP_USE_GNUTLS, LIBGNUTLS_CFLAGS, LIBGNUTLS_LIBS): New ac_subst.

* common/http.h (http_session_t): New.
* common/http.c: Remove compatibility for gnutls < 3.0.
(http_session_s): New.
(cookie_s): Replace gnutls_session_t by http_session_t.
(tls_callback, tls_ca_certlist): New variables.
(my_socket_unref): Add preclose args.
(my_npth_read, my_npth_write): New.
(make_header_line): Fix bug using int* instead of char*.
(http_register_tls_callback): New.
(http_register_tls_ca): New.
(http_session_new): New.
(http_session_release): New.
(http_get_header_names): New.
(escape_data): Add hack to escape in forms mode.
(send_request) [HTTP_USE_GNUTLS]: Support SNI.
(send_request) [HTTP_USE_GNUTLS]: Fix use of make_header_line.
(send_gnutls_bye): New.
(cookie_close): Make use of preclose feature.
(http_verify_server_credentials): New.
(main) [TEST]: Remove test code.
* common/t-http.c: New.
* common/tls-ca.pem: New.
* common/Makefile.am (tls_sources): New. Move http code to here.
(libcommontls_a_SOURCES): New.
(libcommontlsnpth_a_SOURCES): New.
(EXTRA_DIST): Add tls-ca.pem
(module_maint_tests): Add t-http.
(t_http_SOURCES, t_http_CFLAGS, t_http_LDADD): New.

* dirmngr/Makefile.am (dirmngr_LDADD): Add libcommontlsnpth.
--

This new TLS API for http.c is much more flexible than the crude old
hack.
2014-05-02 11:19:25 +02:00
Werner Koch
84289e85c7 common: Cleanup the use of USE_NPTH and HAVE_NPTH macros.
* configure.ac (HAVE_NPTH): New ac_define.
* common/estream.c: Use USE_NPTH instead of HAVE_NPTH.
* common/http.c: Ditto.  Replace remaining calls to pth by npth calls.
(connect_server): Remove useless _().
* common/exechelp-posix.c, common/exechelp-w32.c
* common/exechelp-w32ce.c: Use HAVE_PTH to include npth.h.
* common/init.c (_init_common_subsystems): Remove call to pth_init.
* common/sysutils.c (gnupg_sleep): Use npth_sleep.
* scd/ccid-driver.c (my_sleep): Ditto.
--

USE_NPTH is used in case were we may build with and without nPth.  The
missing definition HAVE_NPTH didn't allowed us to build outher sources
with nPTh support.
2014-05-02 08:22:38 +02:00
Werner Koch
8416c875a7 estream: Implement "samethread" mode keyword.
* src/estream.c (estream_internal): Add field SAMETHREAD.
(init_stream_lock, lock_stream, trylock_stream, unlock_stream): Use it.
(parse_mode): Add arg SAMETHREAD and parse that keyword.
(es_initialize): Rename to ...
(init_stream_obj): this.  Add arg SAMETHREAD.
(es_create): Add arg SAMETHREAD.  Call init_stream_lock after
init_stream_obj.
(doreadline): Call es_create with samethread flag.
(es_fopen, es_mopen, es_fopenmem, es_fopencookie, do_fdopen)
(do_fpopen, do_w32open): Implement "samethread" keyword.
(es_freopen): Take samthread flag from old stream.
(es_tmpfile): Call es)_create w/o samethread.
--

Note: Unfortunately es_tmpfile has no mode arg so that we can't use
samethread.
2014-04-30 21:14:28 +02:00
Werner Koch
ecea94461e estream: Fix deadlock in es_fileno.
* src/estream.c (es_fileno_unlocked): Call the unlocked functions.
2014-04-30 21:14:28 +02:00
Werner Koch
aeb81727c7 estream: Add debug code to the lock functions.
* common/estream.c (dbg_lock_0, dbg_lock_1, dbg_lock_1): New.
2014-04-30 21:14:28 +02:00
Werner Koch
39e91a5f0a estream: Replace locking macros by functions.
* common/estream.c: Replace most macros.
--

The macros were too hard to read and actually blew up the source.
2014-04-30 21:14:28 +02:00
Werner Koch
7296ccf3d5 estream: Migrate from Pth to nPth.
--

Actually the mutex stuff was never used since we switched to nPth.
2014-04-30 21:14:28 +02:00
Werner Koch
7adeae3ba3 gpg: Minor doc enhancement
--
2014-04-30 21:14:28 +02:00
NIIBE Yutaka
21dab64030 ECC Fixes.
* agent/cvt-openpgp.c (get_keygrip, convert_secret_key)
(convert_transfer_key): Follow newer (>= 1.6) libgcrypt API, which
does not distinguish the detail.
(do_unprotect, convert_from_openpgp_main): Don't call
map_pk_openpgp_to_gcry, as it's the value of libgcrypt API already and
not the value defined by OpenPGP.
(convert_to_openpgp): It's "ecc".
* agent/gpg-agent.c (map_pk_openpgp_to_gcry): Remove.
* g10/call-agent.c (agent_pkdecrypt): Fix off-by-one error.
* g10/pubkey-enc.c (get_it): Fix swapping the fields error.
2014-04-28 10:36:16 +09:00
Werner Koch
fdd938a5bb gpg: Pass --homedir to gpg-agent.
* agent/gpg-agent.c (main): Make sure homedir is absolute.
* common/asshelp.c (lock_spawning): Create lock file with an absolute
name.
(start_new_gpg_agent): Use an absolute name for the socket and pass
option --homedir to the agent.
(start_new_dirmngr): Use an absolute name for the --homedir.
--

This patch makes gpg's --homedir option behave again like in older
versions.  This is done by starting a new agent for each different
home directory.  Note that this assumes --use-standard-socket is used
which is the default for 2.1.
2014-04-22 16:59:06 +02:00
Werner Koch
71a54313ad common: Add functions make_absfilename and make_absfilename_try.
* common/stringhelp.c (do_make_filename): Add modes 2 and 3.
(make_absfilename): New.
(make_absfilename_try): New.
2014-04-22 15:58:33 +02:00
Werner Koch
1a87edab66 common: Add function gnupg_getcwd.
* tools/gpg-connect-agent.c (gnu_getcwd): Move to ...
* common/sysutils.c (gnupg_getcwd): .. here.
* tools/gpg-connect-agent.c (get_var_ext): Use gnupg_getcwd.
2014-04-22 15:02:05 +02:00
Werner Koch
ffa39be5eb gpg: Print a warning if GKR has hijacked gpg-agent.
* g10/call-agent.c (check_hijacking): New.
(start_agent): Call it.
(membuf_data_cb, default_inq_cb): Move more to the top.
--

Note that GUIs may use the gpg status line

[GNUPG:] ERROR check_hijacking 33554509

to detect this and print an appropriate warning.
2014-04-22 12:50:15 +02:00
Werner Koch
e184a11f94 gpg: New %U expando for the photo viewer.
* g10/photoid.c (show_photos): Set namehash.
* g10/misc.c (pct_expando): Add "%U" expando.
--

This makes is possible to extract all photos ids from a key to
different files.
2014-04-17 21:44:09 +02:00
Werner Koch
b8a91ebf46 common: Add z-base-32 encoder.
* common/zb32.c: New.
* common/t-zb32.c: New.
* common/Makefile.am (common_sources): Add zb82.c
(module_tests): Add t-zb32.
2014-04-17 21:09:10 +02:00
Werner Koch
a34afa8f20 Two minor code cleanups and one NULL deref on error fix.
* common/estream.c (es_freopen): Remove useless check for STREAM.
* kbx/keybox-blob.c (_keybox_create_x509_blob): Remove useless check
for BLOB.
* tools/sockprox.c (run_proxy): Do not fclose(NULL).
--

Found by Hans-Christoph Steiner with cppcheck.
2014-04-16 10:18:17 +02:00
Werner Koch
db3b528239 gpg: Re-enable secret key deletion.
* g10/call-agent.c (agent_delete_key): New.
* g10/keydb.h (FORMAT_KEYDESC_DELKEY): New.
* g10/passphrase.c (gpg_format_keydesc): Support new format.
* g10/delkey.c (do_delete_key): Add secret key deletion.
2014-04-15 19:44:50 +02:00
Werner Koch
d25d00b89e gpg: Re-indent a file.
* g10/delkey.c: Re-indent.
(do_delete_key, delete_keys): Change return type top gpg_error_t.
2014-04-15 19:44:48 +02:00
Werner Koch
c4d983239a gpg: Fix regression in secret key export.
* agent/cvt-openpgp.c (convert_to_openpgp): Fix use
gcry_sexp_extract_param.
* g10/export.c (do_export_stream): Provide a proper prompt to the
agent.
--

NB: The export needs more work, in particular the ECC algorithms.
2014-04-15 19:44:42 +02:00
Werner Koch
e549799db6 gpg: Change pinentry prompt to talk about "secret key".
* g10/passphrase.c (gpg_format_keydesc): Add mode 2.  Change strings.
* g10/keydb.h (FORMAT_KEYDESC_NORMAL, FORMAT_KEYDESC_IMPORT)
(FORMAT_KEYDESC_EXPORT): New.  Use them for clarity.
--

The use of the term "certificate" was more confusing than helpful.
2014-04-15 19:29:57 +02:00
Werner Koch
e3a4ff89a0 agent: Add command DELETE_KEY.
* agent/command.c (cmd_delete_key): New.
* agent/findkey.c (modify_description): Add '%C' feature.
(remove_key_file): New.
(agent_delete_key): New.
* agent/command-ssh.c (search_control_file): Make arg R_DISABLE
optional.

* configure.ac: Require libgpg-error 1.13.
2014-04-15 17:03:54 +02:00
NIIBE Yutaka
3132bd90dc scd: EdDSA support.
* scd/app-openpgp.c (KEY_TYPE_EDDSA, CURVE_ED25519): New.
(struct app_local_s): Add eddsa.
(get_algo_byte, store_fpr): Support KEY_TYPE_EDDSA.
(get_ecc_key_parameters, get_curve_name): Support CURVE_ED25519.
(send_key_attr, get_public_key): Support KEY_TYPE_EDDSA.
(build_ecc_privkey_template): Rename as it supports both of
ECDSA and EdDSA.
(ecc_writekey): Rename.  Support CURVE_ED25519, too.
(do_writekey): Follow the change of ecc_writekey.
(do_auth): Support KEY_TYPE_EDDSA.
(parse_ecc_curve): Support CURVE_ED25519.  Bug fix for other curves.
(parse_algorithm_attribute): Bug fix for ECDH.  Support EdDSA.
2014-04-09 09:30:19 +09:00
Werner Koch
db85feceaf dirmngr: Fix compiler warning.
* common/mischelp.h (JNLIB_GCC_HAVE_PUSH_PRAGMA): New.
* dirmngr/dirmngr.c (handle_tick): Factor time check out to ...
(time_for_housekeeping_p): new.
--

I am not sure whether that y2038 hack is really useful but it might
make me smile in my retirement.
2014-04-08 17:06:17 +02:00