* g10/misc.c (print_md5_rejected_note): Rename to ..
(print_digest_rejected_note): this. Parameterize function to take an
enum gcry_md_algos.
* g10/sig-check.c: Use print_digest_rejected_note() when rejecting
signatures.
--
76afaed65e3b0ddfa4923cb577ada43217dd4b18 allowed extra --weak-digests,
but removed the one call to print_md5_rejected_note(). This replaces
and generalizes that warning.
Signed-Off-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* g10/options.h: Add additional_weak_digests linked list to opts.
* g10/main.h: Declare weakhash linked list struct and
additional_weak_digest() function to insert newly-declared weak
digests into opts.
* g10/misc.c: (additional_weak_digest): New function.
(print_digest_algo_note): Check for deprecated digests; use proper
gcry_md_algos type.
* g10/sig-check.c: (do_check): Reject weak digests in addition to MD5.
* g10/gpg.c: Add --weak-digest option to gpg.
* doc/gpg.texi: Document gpg --weak-digest option.
* g10/gpgv.c: Add --weak-digest option to gpgv.
* doc/gpgv.texi: Document gpgv --weak-digest option.
--
gpg and gpgv treat signatures made over MD5 as unreliable, unless the
user supplies --allow-weak-digests to gpg. Signatures over any other
digest are considered acceptable.
Despite SHA-1 being a mandatory-to-implement digest algorithm in RFC
4880, the collision-resistance of SHA-1 is weaker than anyone would
like it to be.
Some operators of high-value targets that depend on OpenPGP signatures
may wish to require their signers to use a stronger digest algorithm
than SHA1, even if the OpenPGP ecosystem at large cannot deprecate
SHA1 entirely today.
This changeset adds a new "--weak-digest DIGEST" option for both gpg
and gpgv, which makes it straightforward for anyone to treat any
signature or certification made over the specified digest as
unreliable.
This option can be supplied multiple times if the operator wishes to
deprecate multiple digest algorithms, and will be ignored completely
if the operator supplies --allow-weak-digests (as before).
MD5 is still always considered weak, regardless of any further
--weak-digest options supplied.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Capitialized some comments, shorted a line in do_check, and changed
subject to name the option. -wk
* dirmngr/dirmngr.c (set_tor_mode): New.
(main, reread_configuration): Call it.
* dirmngr/http.c (http_raw_connect, send_request): Check whether TOR
mode is enabled if the FORCE_TOR flag is given.
--
The patch for http.c is a sanity check because tor mode is anyway
global as long as the Assuan socket wrappers are used.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/http.c: Include assuan.h. Changed all code taking a socket
descriptor from int to assuan_fd_t.
(my_unprotect, my_protect): New.
(my_connect): Remove.
(_my_socket_new, _my_socket_unref): use assuan_sock_close.
(connect_server): Use assuan_sock_connect, assuan_sock_new, and
assuan_sock_close.
* dirmngr/Makefile.am (t_common_ldadd): Add LIBASSUAN_LIBS.
--
This change prepares for the use of SOCKS5 with http.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/tofu.c (get_trust): If a conflict occurs when MAY_ASK is false,
set conflict to the key. When prompting the user, don't show the
conflicting key if the conflicting key is the current key.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/trustdb.c (tdb_get_validity_core): Silence a warning.
* g10/tofu.c (tofu_register): Move SIG_DIGEST computation to the top
so that it is not uninitialized in case of an early error.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/mkdir_p.c (gnupg_amkdir_p): Also strdup first item. Return
an error on malloc failure.
(gnupg_mkdir_p): Fix type of dirs and tmp_dirs.
--
The code was correct but it inhibits type checking. Instead of
casting it seems easier to simply allocate also the the first item in
DIRS.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/http.c: Move to ../dirmngr/.
* common/http.h: Move to ../dirmngr/.
* common/t-http.c: Move to ../dirmngr/.
* common/tls-ca.pem: Move to ../dirmngr/.
* common/Makefile.am: Do not build libcommontls.a libcommontlsnpth.a.
Remove http.c related stuff.
* po/POTFILES.in: Move http.c to dirmngr/.
* dirmngr/Makefile.am (EXTRA_DIST): Add tls-ca.pem.
(module_maint_tests): New.
(noinst_PROGRAMS): Add module_maint_tests.
(dirmngr_SOURCES): Add http.c and http.h.
(dirmngr_LDADD): Remove libcommontlsnpth.
(t_common_ldadd): Ditto.
(t_http_SOURCES, t_http_CFLAGS, t_http_LDADD): New.
(t_ldap_parse_uri_SOURCES): Add http.c.
(t_ldap_parse_uri_CFLAGS): Build without npth.
($(PROGRAMS)): Do not require libcommontls.a libcommontlsnpth.a.
* dirmngr/dirmngr.h, dirmngr/ks-engine.h: Fix include of http.h.
--
All network access is done via dirmngr and thus http.c should be
there.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac: Check for sqlite3.
(SQLITE3_CFLAGS): AC_SUBST it.
(SQLITE3_LIBS): Likewise.
* g10/Makefile.am (AM_CFLAGS): Add $(SQLITE3_CFLAGS).
(gpg2_SOURCES): Add tofu.h and tofu.c.
(gpg2_LDADD): Add $(SQLITE3_LIBS).
* g10/tofu.c: New file.
* g10/tofu.h: New file.
* g10/options.h (trust_model): Define TM_TOFU and TM_TOFU_PGP.
(tofu_db_format): Define.
* g10/packet.h (PKT_signature): Add fields digest and digest_len.
* g10/gpg.c: Include "tofu.h".
(cmd_and_opt_values): Declare aTOFUPolicy, oTOFUDefaultPolicy,
oTOFUDBFormat.
(opts): Add them.
(parse_trust_model): Recognize the tofu and tofu+pgp trust models.
(parse_tofu_policy): New function.
(parse_tofu_db_format): New function.
(main): Initialize opt.tofu_default_policy and opt.tofu_db_format.
Handle aTOFUPolicy, oTOFUDefaultPolicy and oTOFUDBFormat.
* g10/mainproc.c (do_check_sig): If the signature is good, copy the
hash to SIG->DIGEST and set SIG->DIGEST_LEN appropriately.
* g10/trustdb.h (get_validity): Add arguments sig and may_ask. Update
callers.
(tdb_get_validity_core): Add arguments sig and may_ask. Update
callers.
* g10/trust.c (get_validity) Add arguments sig and may_ask. Pass them
to tdb_get_validity_core.
* g10/trustdb.c: Include "tofu.h".
(trust_model_string): Handle TM_TOFU and TM_TOFU_PGP.
(tdb_get_validity_core): Add arguments sig and may_ask. If
OPT.TRUST_MODEL is TM_TOFU or TM_TOFU_PGP, compute the TOFU trust
level. Combine it with the computed PGP trust level, if appropriate.
* g10/keyedit.c: Include "tofu.h".
(show_key_with_all_names_colon): If the trust mode is tofu or
tofu+pgp, then show the trust policy.
* g10/keylist.c: Include "tofu.h".
(public_key_list): Also show the PGP stats if the trust model is
TM_TOFU_PGP.
(list_keyblock_colon): If the trust mode is tofu or
tofu+pgp, then show the trust policy.
* g10/pkclist.c: Include "tofu.h".
* g10/gpgv.c (get_validity): Add arguments sig and may_ask.
(enum tofu_policy): Define.
(tofu_get_policy): New stub.
(tofu_policy_str): Likewise.
* g10/test-stubs.c (get_validity): Add arguments sig and may_ask.
(enum tofu_policy): Define.
(tofu_get_policy): New stub.
(tofu_policy_str): Likewise.
* doc/DETAILS: Describe the TOFU Policy field.
* doc/gpg.texi: Document --tofu-set-policy, --trust-model=tofu,
--trust-model=tofu+pgp, --tofu-default-policy and --tofu-db-format.
* tests/openpgp/Makefile.am (TESTS): Add tofu.test.
(TEST_FILES): Add tofu-keys.asc, tofu-keys-secret.asc,
tofu-2183839A-1.txt, tofu-BC15C85A-1.txt and tofu-EE37CF96-1.txt.
(CLEANFILES): Add tofu.db.
(clean-local): Add tofu.d.
* tests/openpgp/tofu.test: New file.
* tests/openpgp/tofu-2183839A-1.txt: New file.
* tests/openpgp/tofu-BC15C85A-1.txt: New file.
* tests/openpgp/tofu-EE37CF96-1.txt: New file.
* tests/openpgp/tofu-keys.asc: New file.
* tests/openpgp/tofu-keys-secret.asc: New file.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* common/mkdir_p.h (mkdir_p): Rename from this...
(gnupg_mkdir_p): ... to this. Change directory_component's type from
char * to const char *.
(amkdir_p): Rename from this...
(gnupg_amkdir_p): ... to this. Change directory_component's type from
char * to const char *.
* common/mkdir_p.c (mkdir_p): Rename from this...
(gnupg_mkdir_p): ... to this. Change directory_component's type from
char * to const char *.
(amkdir_p): Rename from this...
(gnupg_amkdir_p): ... to this. Change directory_component's type from
char * to const char *.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/encrypt.c (use_mdc): Make it a global func.
* g10/sign.c (sign_symencrypt_file): Use that function to decide
whether to use an MDC.
* tests/openpgp/conventional-mdc.test: Add a simple test case.
--
We used --force-mdc in sign+symenc mode (-cs) only with --force-mdc.
That broke our assumption from commit 625e292 (GnuPG 2.1.9) that all
uses of modern ciphers are using MDC.
Reported-by: Ben Kibbey <bjk@luxsci.net>
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/http.c (send_request): Fix handling for hostname:port string.
--
The first pass to parse_uri should already do a scheme check so
that a hostname:port string is detected as invlaid and the retry
code actually takes effect and adds a http://
GnuPG-bug-id: 2109
* common/mkdir_p.c: Change license and comment debug statements.
(amkdir_p, mkdir_p): Fail on malloc error and use default_errsource to
build an error code. Change return value to gpg_error_t.
(amkdir_p): Use gnupg_mkdir.
* common/membuf.c: Include util.h first to avoid redefined macro
warnings.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/options.h (opt): Add field "print_dane_records".
* g10/gpg.c (oPrintDANERecords): new.
(opts): Add --print-dane-records.
(main): Set that option.
* g10/export.c (do_export): Remove EXPORT_DANE_FORMAT handling.
(do_export_stream): Add EXPORT_DANE_FORMAT handling.
* g10/keylist.c (list_keyblock_pka): Implement DANE record printing.
* g10/gpgv.c (export_pubkey_buffer): New stub.
* g10/test-stubs.c (export_pubkey_buffer): New stub.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/server.c (cmd_dns_cert): Add option --dane.
--
This implements draft-ietf-dane-openpgpkey-05.txt
To test this use
$ gpg-connect-agent --dirmngr
> /hex
> dns_cert --dane wk@gnupg.org
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dns-cert.c (get_dns_cert): Add hack to retrieve arbitrary
resource records.
* dirmngr/dns-cert.h (DNS_CERTTYPE_RRBASE): New.
(DNS_CERTTYPE_RR61): New.
--
This has been tested with ADNS on Unix and with the standard
resolver. Because ADNS works it should also work on Windows.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/server.c (cmd_killdirmngr): Set assuan close flag.
(cmd_reloaddirmngr): Use check_owner_permission.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr.c (parse_rereadable_options): Do tilde expansion and
check for cert file existance in option --hkp-cacert.
--
GnuPG-bug-id: 2120
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/mainproc.c (proc_encrypted): Fail for modern messages w/o MDC.
--
This change turns the missing MDC warning into an error if the message
has been encrypted using a cipher with a non-64 bit block length cipher
and it is not Twofish.
We can assume that such messages are created by code which should have
been able to create MDC packets. AES was introduced with 1.0.3 on
2000-09-18 shortly after MDC (1.0.2 on 2000-07-12). We need to
exclude Twofish because that might have been used before MDC.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/pksign.c (agent_pksign_do): Use public key smartcard.
--
Since gcry_pk_verify can't handle shadowed private key, public
key SEXP should be prepared for smartcard.
* g10/dirmngr-conf.skel: New.
* g10/Makefile.am (EXTRA_DIST): Add file.
(install-data-local, uninstall-local): Install that file.
* g10/openfile.c (copy_options_file): Add arg "name", return a value,
simplify with xstrconcat, and factor warning message out to:
(try_make_homedir): here. Also install dirmngr.conf.
* g10/options.skel: Remove --keyserver entry.
--
The option --keyserver in gpg has been deprecated in favor of
--keyserver in dirmngr.conf. Thus we need to install a skeleton file
for dirmngr to set a default keyserver.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keyserver.c (keyserver_refresh): Change return type to
gpg_error_t. Use gpg_dirmngr_ks_list to print the name of the
keyserver to use.
(keyserver_search): Do not print the "no keyserver" error
message. The same error is anyway returned from dirmngr.
* g10/call-dirmngr.c (ks_status_parm_s): Add field "keyword".
(ks_status_cb): Handle other status keywords.
(gpg_dirmngr_ks_list): New.
* tools/gpgconf-comp.c (gc_options_gpg): Deprecate "keyserver".
(gc_options_dirmngr): Add "Keyserver" group and "keyserver".
--
Along with the corresponding dirmngr change this option allows to
configure the keyserver only in dirmngr.conf. Existing
configurations will continue to work. However, GUIs using gpgconf
now the keyserver option under the dirmngr (aka Key Acquirer) tab
unless they are in export mode in which the keyserver option is also
show for gpg.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr.c (oKeyServer): New.
(opts): Add "keyserver".
(parse_rereadable_options): Parse that options
(main): Add option to the gpgconf list.
* dirmngr/dirmngr.h (opt): Add field "keyserver".
* dirmngr/server.c (ensure_keyserver): New.
(make_keyserver_item): New. Factored out from
(cmd_keyserver): here. Call ensure_keyserver.
(cmd_ks_search): Call ensure_keyserver.
(cmd_ks_get): Ditto.
(cmd_ks_fetch): Ditto.
(cmd_ks_put): Ditto.
--
This option specifies the keyserver to be used if the client does not
set another keyserver. We want to fade out the use of --keyserver in
gpg.conf in favor of specifying it here.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpgconf-comp.c (gc_component): Change printed name.
--
All network access is handled by Dirmngr so at least in the GUI option
dialog we should acknowledge that by changing the name to an issuer to
understand term. This is an update of
819bba75aaed11ecef2e274add173718358212b9 suggested by Neal Walfield.
The former term "Network Manager" conflicts with the well known GNOME
network manager tool.
* dirmngr/ks-engine-hkp.c (map_host): Do not use original pointer
after realloc.
--
vex01 reported and debugged the problem.
GnuPG-bug-id: 2107
Signed-off-by: Werner Koch <wk@gnupg.org>