* agent/gpg-agent.c (oNoUserTrustlist,oSysTrustlistName): New.
(opts): Add new option names.
(parse_rereadable_options): Parse options.
(finalize_rereadable_options): Reset allow-mark-trusted for the new
option.
* agent/agent.h (opt): Add fields no_user_trustlist and
sys_trustlist_name.
* agent/trustlist.c (make_sys_trustlist_name): New.
(read_one_trustfile): Use here.
(read_trustfiles): Use here. Implement --no-user-trustlist.
--
With the global options we can now avoid that a user changes the
Root-CA trust by editing the trustlist.txt. However, to implement
this we need a new option so that we don't need to rely on some magic
like --no-allow-mark-trusted has been put into a force section.
The second option makes system administration easier as it allows to
keep the trustlist in a non-distributed file.
GnuPG-bug-id: 5990
* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--
Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong. Fixed by always using a break to
terminate the escape detection loop. Might have happened for all
status lines which may wrap.
GnuPG-bug-id: T6027
* g10/keygen.c (keygen_set_std_prefs): Use the right variable when
reading AEAD preference string
--
GnuPG-bug-id: 6019
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
* sm/gpgsm.c (oCompatibilityFlags): New option.
(compatibility_flags): new.
(main): Parse and print them in verbose mode.
* sm/gpgsm.h (opt): Add field compat_glags.:
(COMPAT_ALLOW_KA_TO_ENCR): New.
* sm/keylist.c (print_capabilities): Take care of the new flag.
* sm/certlist.c (cert_usage_p): Ditto.
* common/miscellaneous.c (parse_compatibility_flags): New.
* common/util.h (struct compatibility_flags_s): New.
--
This is similar to parse_debug_flags but does not support specifying a
value. This way we can more easily change the internal values or
re-use them for other purposes.
* common/dynload.h (dlopen): Use LoadLibraryEx and remove Windows CE
support.
--
Mingw's libloadapi.h has no prototype for LoadLibrary. Thus we use
LoadLibraryEx which is available Since Windows XP.
* common/iobuf.c (iobuf_cancel): Use gnupg_remove
* common/mischelp.c (same_file_p): Allow for Unicode names.
--
Note that the second patch is used to handle Unicode filenames which
are symbolic links.
* tools/gpg-connect-agent.c (handle_inquire): When the helper program
exit status is not 0, it means cancellation, now.
--
GnuPG-bug-id: 6010
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-nks.c (filelist): Tweak 0x4531.
--
Actually the certificate has no encryption usage but we should also
tell that via KEYINFO so that this key is never tried to create an
encryption certificate.
* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
(parse_keyref): new.
(do_readcert): Use new function instead of partly duplicated code.
Make detection of keygrip more robust.
(do_readkey): Make detection of keygrip more robust.
(do_with_keygrip): Use get_nks_tag.
--
Also added a couple of comments.
* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
(readcert_from_ef): Considere an all zero certificate as not found.
(do_sign): Support ECC and the ESIGN application.
--
This allows me to create qualified signatures using my Telesec card.
There is of course more work to do but this is the first step.
Note: The design of the FID cache needs to be reconsidered. Until
that the lookup here has been disabled. The do_sign code should be
revamped to be similar to what we do in app-p15.
GnuPG-bug-id: 5219, 4938
* g10/export.c (do_export_stream): Merge the key to get the properties
ready.
--
This makes
gpg --export --export-filter 'drop-subkey=usage=~a'
(Export all subkeys but those with the auth usage)
work without using the workaound of adding
--export-options export-clean
* agent/command.c (get_keyinfo_on_cards): Make it static. Don't
return bogus value on error. Return NULL when scdaemon is disabled.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent/findkey.c (agent_key_from_file): Change the semantics of
GRIP. Now, it's NULL for use by PKDECRYPT and PKSIGN/PKAUTH.
* agent/pkdecrypt.c (agent_pkdecrypt): Set GRIP=NULL.
* agent/pksign.c (agent_pksign_do): Likewise.
--
GnuPG-bug-id: 5099
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
(change_keyattr): Follow the change.
(app_select_openpgp): Handle the error of parse_algorithm_attribute.
--
This change allows following invocation of app_select_openpgp, which
may work well (if the problem is device side for initial connection).
GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--
BTW, we should add a function to read out the entire table so that you
can ask scdaemon for that list. iirc, Kleopatra still uses a copy of
the table.
* dirmngr/http.c (EHOSTUNREACH, EAFNOSUPPORT): Define when not
available.
[HTTP_USE_GNUTLS] (my_gnutls_read): Use recv for Windows.
[HTTP_USE_GNUTLS] (my_gnutls_write): Use send for Windows.
--
Reported-by: Eli Zaretskii
GnuPG-bug-id: 5899
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* scd/app-p15.c (any_control_or_space_mem): New.
(get_dispserialno): Add new code.
--
This works with my test cards and now reflects what's printed on the
front matter of the card.
* scd/app-p15.c (readcert_by_cdf): Do not use extended mode if the CDF
object has no length info. Add debug output when reading a cert.
(read_p15_info): No more need to disable extended mode for GeNUA cards.
* scd/scdaemon.c (debug_flags): Add "card".
* scd/scdaemon.h (DBG_CARD_VALUE, DBG_CARD): New.
--
Some information from parsing the card are often very helpful.
However, the card_io triggered APDU dumps are in most cases too heavy.
Thus this new debug flag.
* kbx/keyboxd.h (kbxd_status_printf): New.
* kbx/backend-support.c (be_return_pubkey): Use kbxd_status_printf.
* kbx/kbxserver.c (kbxd_status_printf): New.
* kbxd_start_command_handler (kbxd_start_command_handler): Don't
use set_assuan_context_func, because the function pointer is
shared by multiple threads.
--
GnuPG-bug-id: 5948
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>