1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

10537 Commits

Author SHA1 Message Date
Werner Koch
97b2837653
speedo: Improve parsing of the ~./.gnupg-autogen.rc
--

We now allow spaces around the variable name and the value.
2024-01-26 16:01:06 +01:00
Werner Koch
4dc09bc5e7
dirmngr: For CRL issuer verification trust the system's root CA.
* dirmngr/crlcache.c (crl_parse_insert): Add
VALIDATE_FLAG_TRUST_SYSTEM.
--

GnuPG-bug-id: 6963
2024-01-26 13:14:35 +01:00
Werner Koch
eaf6a7ab87
common,w32: Fix use of GNUPG_SPAWN_KEEP_STDERR.
* common/exechelp-w32.c (gnupg_spawn_process): Fix macro.
--

Fixes-commit: 6d6438a361d25f3b269f702e017f5e39fd1f5c38
GnuPG-bug-id: 6961
2024-01-26 10:29:08 +01:00
Werner Koch
dfa60c09f5
Merge branch 'STABLE-BRANCH-2-4'
--
Fixed conflicts:
	NEWS
	configure.ac
	doc/gpg.texi
2024-01-26 09:41:00 +01:00
NIIBE Yutaka
af6ac2ac02
gpg: Clean up pk_ecdh_decrypt function.
* g10/ecdh.c (pk_ecdh_decrypt): Allocate just the right size of memory
for the session key, simplifying the decrypt process.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-01-26 14:13:01 +09:00
Werner Koch
367ae86019
Post release updates
--
2024-01-25 11:30:37 +01:00
Werner Koch
a43271cc08
Release 2.4.4 gnupg-2.4.4 2024-01-25 11:06:01 +01:00
Werner Koch
c5429644e9
po: msgmerge
--
2024-01-25 11:05:58 +01:00
Werner Koch
2a4180812a
card: Tweak the checkcmds sub-command.
* tools/gpg-card.c (cmd_checkkeys): Skip not found keys.
2024-01-25 10:35:34 +01:00
NIIBE Yutaka
6481d410ec
po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-01-25 09:07:11 +09:00
Werner Koch
d4976e35d2
gpg: Add sub-option ignore-attributes to --import-options.
* g10/options.h (IMPORT_IGNORE_ATTRIBUTES): New.
* g10/import.c (parse_import_options): Add new sub-option.
(read_block): Implement sub-option.
--

Suggested-by: Robin H. Johnson

Tested using the import-export feature:

  gpg --export KEY_WITH_PICTURE \
   | gpg --import --import-options import-export,ignore-attributes \
   | gpg --show-key
2024-01-24 18:26:01 +01:00
Werner Koch
a227a0d54d
po: Update German translation.
--

Just the new string for gpg-card's checkkeys.
2024-01-24 14:06:32 +01:00
Werner Koch
154ecf17bd
speedo: Build zlib, bzip2 and sqlite also on Unix.
--

This avoids extra build dependencies.  Note that bzip2 is not
necessary statically linked but an existing bzip2 SO might be used.
We would need to fix the bzip2 SO building and also provide a gnupg
configure option to build statically against bzip2.
2024-01-24 13:41:04 +01:00
Werner Koch
bea31c845a
card: flush stdout to get checkcmd's info messages in order.
* tools/gpg-card.c (cmd_checkkeys): Insert an fflush.
2024-01-24 10:40:03 +01:00
NIIBE Yutaka
ccfbb9ebdf
kbx: Have threads monitoring socket takeover and homedir if no inotify.
* kbx/keyboxd.c (CHECK_PROBLEMS_INTERVAL): New.
(have_homedir_inotify): Remove the global.
[HAVE_W32_SYSTEM] (create_an_event): New.
(handle_tick): Remove.
(handle_signal): Add handling SIGCONT.
(keyboxd_kick_the_loop): New.
(handle_connections): Spawn check_own_socket_thread and
check_others_thread if no inotify.
(check_own_socket_thread, check_others_thread): New.

--

This change follows the change of gpg-agent.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-01-24 13:45:49 +09:00
Werner Koch
fd6c38605a
speedo: Add a hint to run ldconfig
--
2024-01-23 14:19:40 +01:00
Werner Koch
34d19d448d
tests: Add two more sample p12 files
--
GnuPG-bug-id: 6940
2024-01-23 13:55:43 +01:00
Werner Koch
b7c1594861
speedo: Minor fix to the install target
--
2024-01-23 09:04:10 +01:00
NIIBE Yutaka
9408c6bf51
sm: Fix ECDH encryption with dhSinglePass-stdDH-sha384kdf-scheme.
* sm/encrypt.c (ecdh_encrypt): Cipher is AES192 for id-aes192-wrap.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-01-23 15:36:26 +09:00
Werner Koch
ead2982286
gpg: Use ephemeral mode for generating card keys.
* g10/call-agent.c (agent_set_ephemeral_mode): New.
* g10/keyedit.c (keyedit_menu) <bkuptocard>: Switch to ephemeral mode.
* g10/keygen.c (do_generate_keypair): Switch to ephemeral mode for
card keys with backup.
--

GnuPG-bug-id: 6944
2024-01-22 16:52:22 +01:00
Werner Koch
434a641d40
agent: Add "ephemeral" Assuan option.
* agent/agent.h (struct ephemeral_private_key_s): New.
(struct server_control_s): Add ephemeral_mode and ephemeral_keys.
(GENKEY_FLAG_NO_PROTECTION, GENKEY_FLAG_PRESET): New.
* agent/genkey.c (clear_ephemeral_keys): New.
(store_key): Add arg ctrl and implement ephemeral_mode.  Change all
callers.
(agent_genkey): Replace args no_protection and preset by a generic new
flags arg.
* agent/findkey.c (wipe_and_fclose): New.
(agent_write_private_key): Add arg ctrl and implement ephemeral_mode.
Change all callers.
(agent_update_private_key): Ditto
(read_key_file): Ditto.
(agent_key_available): Ditto.
* agent/command-ssh.c (card_key_available): Do not update display s/n
in ephemeral mode.  This is however enver triggred.
* agent/gpg-agent.c (agent_deinit_default_ctrl): Cleanup ephemeral
keys.
* agent/command.c (cmd_genkey): Use the new flags instead of separate
vars.
(cmd_readkey): Create a shadow key only in non-ephemeral_mode.
(cmd_getinfo): Add sub-command "ephemeral".
(option_handler): Add option "ephemeral".
--

The idea here that a session can be switched in an ephemeral mode
which does not store or read keys from disk but keeps them local to
the session.

GnuPG-bug-id: 6944
2024-01-22 16:49:54 +01:00
Werner Koch
18320d692c
doc: Fix description of gpg --unwrap
--
2024-01-22 10:16:03 +01:00
Werner Koch
ee56f71c8a
gpg: Add a communication object to the key generation code.
* g10/keygen.c (struct common_gen_cb_parm_s): New.
(common_gen): Add args common_gen_cb and common_gen_cb_parm.  Adjust
all callers.
(do_generate_keypair): Clarify the code by using a better var name.
--

We may eventually also replace the long arg list with that object.
The immediate reason for this change is the followup commit.
2024-01-22 10:16:03 +01:00
Werner Koch
adeb17e375
card: New subcommand "checkkeys".
* agent/command.c (cmd_havekey): Add new option --info.
* tools/card-call-scd.c (scd_readkey): Allow using without result arg.
(struct havekey_status_parm_s): New.
(havekey_status_cb): New.
(scd_havekey_info): New.
(scd_delete_key): New.
* tools/gpg-card.c (print_keygrip): Add arg with_lf.
(cmd_checkkeys): New.
(cmdCHECKKEYS): New.
(cmds): Add command "checkkeys".
(dispatch_command, interactive_loop): Call cmd_checkkeys.
--

GnuPG-bug-id: 6943
2024-01-22 10:16:03 +01:00
Werner Koch
c8060a8f23
doc: Document Backup-info in keyformat.txt
--

This name is used by Kleopatra for quite some time now but was missing
a specification.
2024-01-22 10:16:03 +01:00
Tobias Fella
cb8eb366cb
Pass PINENTRY_GEOM_HINT environment variable to pinentry
* common/session-env.c: Add PINENTRY_GEOM_HINT to variables.

--

GnuPG-Bug-ID: 6930
2024-01-22 09:07:36 +01:00
Werner Koch
5402e6fb93
gpg: For v5 key generation for X448 also in parm file mode.
* g10/keygen.c (curve_is_448): New.
(do_create_from_keygrip): Pass arg keygen_flags byref so that it can
be updated.  Set v5 flag for X448.
(gen_ecc): Ditto.
(do_create): Change keygen_flags as above.  For robustness change
checking for Ed448.
(do_generate_keypair): Change keygen_flags as above
(generate_subkeypair): Ditto.
(gen_card_key): Ditto. Support v5 keys.
--

GnuPG-bug-id: 6942
2024-01-16 14:32:04 +01:00
Werner Koch
1a2c8267f5
gpg: When using a parm file w/o usage don't set the RENC usage.
* g10/keygen.c (proc_parameter_file): Don't include RENC in the
default usage.
--

Testplan:

  $ gpg --gen-key --batch <<EOF
  Key-Type: EDDSA
  Key-Curve: ed448
  Key-Usage: cert
  Name-Real: Meh Muh
  Name-Email: test-3@example.org
  Expire-Date: 2025-01-01
  Passphrase: abc
  subkey-type: ecdh
  Subkey-curve: cv448
  EOF

and check that the R flag does not show up in the usage.
2024-01-16 14:02:42 +01:00
Werner Koch
daedb3c965
doc: Describe the ssh-agent protocol options for Windows.
--

Also fix a typo in a macro.
2024-01-15 17:21:24 +01:00
Jakub Bogusz
4cdfc1d0d9
po: Update parts of the Polish translation
--

Jakub provided the translation in October but at this time it did
cleanly apply anymore due to string changes.  Thus only parts of his
changes are here.  -wk
2024-01-15 11:28:00 +01:00
Werner Koch
0cb622d632
gpgsm: Allow parsing of PKCS#12 files with two private keys.
* sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2.
(parse_shrouded_key_bag): Handle a second private key.
(p12_parse_free_kparms): New.

* sm/import.c (parse_p12): Factor some code out to ...
(p12_to_skey): this.
(parse_p12): Use p12_parse_free_kparms.
--

Take care: We allow parsing of a second private key but we are not yet
able to import the second private key.

The whole things is required to at least import the certificates of
current pkcs#12 files as created by the German Elster tax system.  No
test data, sorry.
2024-01-15 09:56:07 +01:00
Werner Koch
092154e17e
gpgsm: Improve the status line for --verify errors.
* sm/verify.c (gpgsm_verify): Improve verify.leave status line.
--

Suggested-by: Jakob Bohm
2024-01-15 09:13:46 +01:00
Mario Haustein
3d60ad5c8c
po: Fix indentation for key generation options
--
2024-01-15 09:02:03 +01:00
Werner Koch
b97a36f52d
Prepare the NEWS
--
2024-01-12 16:53:53 +01:00
Werner Koch
3f12e3dacb
speedo: Add install target for Unix.
* build-aux/speedo.mk: Default to SELFCHECK=0.
(install, install-speedo): New targets.
--

GnuPG-bug-id: 6710
2024-01-12 13:50:50 +01:00
Werner Koch
5a6df94a9a
speedo: Patch ELF binaries to use built libraries
* build-aux/speedo.mk: Remove GUI stuff.  Add patchelf feature.
* Makefile.am (speedo): New target.
--

GnuPG-bug-id: 6710
2024-01-12 10:52:00 +01:00
Werner Koch
bbad0a2644
gpg: Improve error message for expired default keys.
* g10/getkey.c (parse_def_secret_key): Track reason for skipping keys.
--

GnuPG-bug-id: 4704
2024-01-11 15:54:27 +01:00
Werner Koch
e65720f286
doc: Document the gpgconf --unlock command.
* tools/gpgconf.c (main): Fix usage message.
--

GnuPG-bug-id: 6838
2024-01-11 15:30:12 +01:00
Werner Koch
8dfbad0c41
gpg: Fix regression in the Revoker keyword of the parmeter file.
* g10/keygen.c (parse_revocation_key): Actually allow for v4
fingerprints.
--

Note that the use of the parameter file is deprecated.

GnuPG-bug-id: 6923
2024-01-11 09:08:54 +01:00
Werner Koch
b7f45ee6ad
gpg: Allow to create revocations even with non-compliant algos.
* g10/sign.c (do_sign): Skip compliance check for revocation certs.
--

It just does not make sense to inhibit the creation of revocations
depending on the compliance mode.  We do this only for key revocation
but not for another kind of revocation because the rationale for uid
or subkey revocation is more complicated to explain.
2024-01-10 17:18:34 +01:00
Werner Koch
275ced5067
scd:p15: Allow signing for CVISION cards
* scd/app-p15.c (do_sign): Add code for Starcos 3.2 and the CVISION
product.
--

The code for the Starcos cards has been implemented according to the
3.52 manual However, this does not work with my test cards.  Protocol
analysis shows that decryption can be used for the cryptovision
product.  Thus we do it the same for now.
2024-01-10 14:35:26 +01:00
Werner Koch
6233a17ac9
g13: New option --no-mount.
* g13/g13.c (oNoMount): New.
(opts): Add --no-mount.
(main): Implement this.
* g13/g13-common.h (opt): Add field no_mount.
* common/status.h (STATUS_PLAINDEV): New.
* g13/sh-cmd.c (has_option): Uncomment.
(cmd_mount): Add option --no-mount and pass down.
* g13/sh-dmcrypt.c (sh_dmcrypt_mount_container): Add arg nomount and
emit PLAINDEV status line.
(sh_dmcrypt_umount_container): Rund findmnt before umount.
--

This option can be used to decrypt a device but not to mount it.  For
example to run fsck first.  A command or option to run fsck before a
mount will eventually be added.

The use of findmnt is needed so that we can easily remove a device
which has not been mounted.
2024-01-09 19:52:04 +01:00
Werner Koch
4ca017e43b
gpg: Print a useful error id SKI algo 253 is found.
* g10/parse-packet.c (parse_key): Detect the SKI algo 253.
--

As long as we have not yet implemented this we should at least be
able to detect this case.
2024-01-09 17:25:48 +01:00
Werner Koch
880dde8e5b
scd:p15: Allow PIN verification and decryption for CVISION cards.
* scd/app-p15.c (CARD_PRODUCT_CVISION): New.
(IS_STARCOS_3): New.
(read_p15_info): Detect this product.
(prepare_verify_pin): Add special handling for this product.
(do_decipher): Use dedicated MSE for Starcos 3 cards.
--

To check the verification run

  gpg-card verify User_PIN

For our test cards the "Benutzer-PIN" must be given.  For decryption
tests gpgsm can be used; --always-trust helps to avoid chain issues.
2024-01-09 17:12:20 +01:00
Werner Koch
35fd89b168
gpgconf: Adjust -X command for the new VERSION file format
* tools/gpgconf.c (show_version_gnupg): Read and parse the entire
VERSION file.
--

GnuPG-bug-id: 6918
2024-01-09 12:52:57 +01:00
Werner Koch
45f6357881
common,w32: Remove duplicated backslashes when setting the homedir.
* common/homedir.c (copy_dir_with_fixup) [W32]: Fold double
backslashes.
--

This is in general no problem but when we hash or compare the directory
to test whether tit is the standard home directory, we may use a
different socket file and thus a second instance of a daemon.

GnuPG-bug-id: 6833
2024-01-09 10:13:54 +01:00
Werner Koch
2cb97713e9
gpg: Improve error return for --quick-add-subkey and -add-adsk.
* g10/keyedit.c (keyedit_quick_addkey): Emit a ERROR status line.
(keyedit_quick_addadsk): Ditto.
--

GnuPG-bug-id: 6880
2024-01-05 11:33:51 +01:00
Werner Koch
3f8cb9b339
scd: Add support for SCE 7.0
* scd/app-common.h (CARDTYPE_SCE7): New.
* scd/app.c (strcardtype): Support it.
(atr_to_cardtype): New.
(app_new_register): Try to get the cardtype from atr_to_cardtype.
* scd/app-piv.c (app_select_piv): Tweak for SCE7.  Add general method
to construct a S/N from the Card UUID.
--

The test cards I have are rsa2048 with X.509 certificates.  I don't
have the entire chain but loading the certificates work.  For testing
I created an OpenPGP key from the keys and tested signing and
decryption.

GnuPG-bug-id: 6919
2024-01-04 16:29:33 +01:00
Werner Koch
4c04143d81
gpg: Choose key from inserted card over a non-inserted card
* g10/call-agent.c (agent_probe_secret_key): Do not return an error
but 0.
* g10/getkey.c (finish_lookup): Improve the selection of secret keys.
--

GnuPG-bug-id: 6831
2024-01-02 10:19:57 +01:00
NIIBE Yutaka
591a53d716
gpg: Don't call keybox_compress when KEYDB_RESOURCE_FLAG_READONLY.
* g10/keydb.c (keydb_add_resource): Check the FLAGS to call
keybox_compress.

--

GnuPG-bug-id: 6811
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-29 10:57:26 +09:00