1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-09 21:28:51 +01:00
Commit Graph

10243 Commits

Author SHA1 Message Date
NIIBE Yutaka
0b64c27446 kbx: Fix checksum computation for no UBID entry on disk.
* kbx/keybox-blob.c (create_blob_header): Fix the flag to match no
UBID entry,
(create_blob_finish): Fix the length of data to be hashed.

--

GnuPG-bug-id: 5573
Fixes-commit: 915297705a
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 17:04:53 +09:00
NIIBE Yutaka
f271c69164 common: Fix put_membuf.
* common/membuf.c (put_membuf): Allow NULL for the second arg.

--

There has been such a use case in keybox-blob.c.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-27 16:55:25 +09:00
NIIBE Yutaka
c4ba712736 common: Fix get_signal_name for GNU/Linux.
* common/signal.c (get_signal_name): Use sigdescr_np if available.
* configure.ac: Check the function.

--

GnuPG-bug-id: 5568
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-26 14:22:19 +09:00
Werner Koch
5f045c24ff
Post release updates
--
2021-08-24 19:30:52 +02:00
Werner Koch
3bf8d7e1b7
Release 2.3.2 2021-08-24 18:31:38 +02:00
Werner Koch
55b5928099
dirmngr: Change the default keyserver.
* configure.ac (DIRMNGR_DEFAULT_KEYSERVER): Change to
keyserver.ubuntu.com.

* dirmngr/certcache.c (cert_cache_init): Disable default pool cert.
* dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
* dirmngr/http.c (http_session_new): Ditto.

* dirmngr/server.c (make_keyserver_item): Use a different mapping for
the gnupg.net names.
--

Due to the unfortunate shutdown of the keyserver pool, the long term
defaults won't work anymore.  Thus it is better to change them.

For https access keyserver.ubuntu.com is now used because it can be
expected that this server can stand the load from newer gnupg LTS
versions.

For http based access the Dutch Surfnet keyserver is used.  However
due to a non-standard TLS certificate this server can not easily be
made the default for https.

Note: that the default server will be changed again as soon as a new
connected keyserver infrastructure has been established.

(cherry picked from commit 47c4e3e00a)
2021-08-24 18:09:56 +02:00
Werner Koch
8b1fb97861
po: In German always use "Passwort" instead of "Passphrase".
--

This is a several decade old debate how to name this.  Meanwhile in
Germany it seems to be more clean to use the term "Passwort" instead
of "Passphrase" (or that "Mantra" thing).  It is easier to explain to
users that a password may include spaces etc than to to explain the
difference between passphrase and password.

So let's keep the things in the code as is but change the
translations.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c9859967c0)
and adjusted for 2.3.
2021-08-24 15:14:45 +02:00
Werner Koch
79e252714f
po: Auto update translations
--
2021-08-24 14:07:32 +02:00
Werner Koch
3b1f4e8a3d
po: Update German translation
--
2021-08-24 14:07:03 +02:00
NIIBE Yutaka
3ed5f566fc gpg: Report the status of NO_SECKEY for decryption.
* g10/mainproc.c (proc_encrypted): Fix the condition to report
NO_SECKEY even when the key was not considered by get_session_key.

--

GnuPG-bug-id: 5562
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-24 10:39:59 +09:00
Werner Koch
87d238de3d
wkd: Properly unescape the user-id from a key listing.
* tools/wks-util.c (append_to_uidinfo_list): Unescape UID.
2021-08-20 16:15:49 +02:00
Werner Koch
b4345f7521
wkd: Fix client issue with leading or trailing spaces in user-ids.
* common/recsel.c (recsel_parse_expr): Add flag -t.
* common/stringhelp.c: Remove assert.h.
(strtokenize): Factor code out to do_strtokenize.
(strtokenize_nt): New.
(do_strtokenize): Add arg trim to support the strtokenize_nt.
* common/t-stringhelp.c (test_strtokenize_nt): New test cases.

* tools/wks-util.c (wks_list_key): Use strtokenize_nt and the recsel
flag -t.
--

This fixes a bug with user ids with leading spaces because:

wks-client lists all mail addresses from the key and matches them to the
requested mail address.

If there are several user-ids all with the same mail address
wks-client picks one of them and then extracts exactly that user id.
However, here it does not match by the mail address but by the full
user-id so that we can be sure that there will be only one user-id in
the final key.

The filter built expression unfortunately strips leading blanks but
requires a verbatim match.  Thus it won't find the user id again and
errors out.

The new -t flag and a non-trimming strtokenize solves the problem.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-08-20 09:18:22 +02:00
NIIBE Yutaka
1565baa93a scd: Don't release the context until list_finish for PC/SC.
* scd/apdu.c (apdu_dev_list_start): Increment PCSC.COUNT here.
(apdu_dev_list_finish): Decrement PCSC.COUNT.

--

GnuPG-bug-id: 5416
Fixes-commit: 32baa9acfb
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-20 15:22:28 +09:00
Werner Koch
c1a23c3664
gpg: Return SUCCESS/FAILURE status also for --card-edit/name.
* g10/card-util.c (change_name): Call write_sc_op_status.
--

Reported-by: Joey Berkovitz
2021-08-19 14:09:27 +02:00
Werner Koch
661c2ae966
agent: Use the sysconfdir for a pattern file.
* agent/genkey.c (do_check_passphrase_pattern): Use make_filename.
2021-08-18 19:21:22 +02:00
Werner Koch
b89b1f35c2
agent: Ignore passphrase constraints for a generated passphrase.
* agent/agent.h (PINENTRY_STATUS_PASSWORD_GENERATED): New.
(MAX_GENPIN_TRIES): Remove.
* agent/call-pinentry.c (struct entry_parm_s):
(struct inq_cb_parm_s): Add genpinhash and genpinhas_valid.
(is_generated_pin): New.
(inq_cb): Suppress constraints checking for a generated passphrase.
No more need for several tries to generate the passphrase.
(do_getpin): Store a generated passphrase/pin in the status field.
(agent_askpin): Suppress constraints checking for a generated
passphrase.
(agent_get_passphrase): Ditto.
* agent/command.c (cmd_get_passphrase): Ditto.
--

A generated passphrase has enough entropy so that all kind of extra
checks would only reduce the actual available entropy.  We thus detect
if a passphrase has been generated (and not changed) and skip all
passphrase constraints checking.
2021-08-18 18:46:39 +02:00
Werner Koch
8ed7910347
agent: Improve the GENPIN callback.
* agent/call-pinentry.c (DEFAULT_GENPIN_BYTES): Replace by  ...
(DEFAULT_GENPIN_BITS): this and increase to 150.
(generate_pin): Make sure that we use at least 128 bits.
2021-08-18 11:24:53 +02:00
Werner Koch
9fb6466602
agent: Fix for zero length help string in pinentry hints.
* agent/call-pinentry.c: Remove unused assert.h.
(inq_cb): Fix use use of assuan_end_confidential in case of nested
use.
(do_getpin): Ditto.
(setup_formatted_passphrase): Escape the help string.
(setup_enforced_constraints): Ignore empty help strings.
--

(Ported from 2.2)
2021-08-18 10:36:42 +02:00
Werner Koch
629f4a5cff
common,w32: Replace log_debug by log_info for InProcessJobs
* common/exechelp-w32.c (gnupg_spawn_process_detached): Use log_info.
2021-08-18 10:34:05 +02:00
Werner Koch
c622cf59fd
doc: Add sample texts for Pinentry hints
--
2021-08-18 10:33:31 +02:00
Werner Koch
1305baf099
agent: Make QT_QPA_PLATFORMTHEME=qt5ct work for the pient
* agent/call-pinentry.c (atfork_core): Pass DISPLAY.
2021-08-13 14:08:53 +02:00
Werner Koch
7c45a69eb9
agent: New option --check-sym-passphrase-pattern.
* agent/gpg-agent.c (oCheckSymPassphrasePattern): New.
(opts): Add --check-sym-passphrase-pattern.
(parse_rereadable_options): Set option.
(main): Return option info.
* tools/gpgconf-comp.c: Add new option.
* agent/agent.h (opt): Add var check_sym_passphrase_pattern.
(struct pin_entry_info_s): Add var constraints_flags.
(CHECK_CONSTRAINTS_NOT_EMPTY): New to replace a hardwired 1.
(CHECK_CONSTRAINTS_NEW_SYMKEY): New.
* agent/genkey.c (check_passphrase_pattern): Rename to ...
(do_check_passphrase_pattern): this to make code reading
easier. Handle the --check-sym-passphrase-pattern option.
(check_passphrase_constraints): Replace arg no_empty by a generic
flags arg.  Also handle --check-sym-passphrase-pattern here.
* agent/command.c (cmd_get_passphrase): In --newsymkey mode pass
CHECK_CONSTRAINTS_NEW_SYMKEY flag.
* agent/call-pinentry.c (struct entry_parm_s): Add constraints_flags.
(struct inq_cb_parm_s): New.
(inq_cb): Use new struct for parameter passing.  Pass flags to teh
constraints checking.
(do_getpin): Pass constraints flag down.
(agent_askpin): Take constrainst flag from the supplied pinentry
struct.
--

Requirements for a passphrase to protect a private key and for a
passphrase used for symmetric encryption are different.  Thus a
the use of a different pattern file will be useful.  Note that a
pattern file can be used to replace the other passphrase constraints
options and thus we don't need to duplicate them for symmetric
encryption.

GnuPG-bug-id: 5517
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-08-13 13:42:31 +02:00
Werner Koch
22c5461b4a
indent: Add a git blame ignore file
--
2021-08-13 13:28:44 +02:00
Ingo Klöcker
99601778f4 agent: Make --pinentry-formatted-passphrase a simple flag
* agent/agent.h (opt): Change type of pinentry_formatted_passphrase
to int (as for other flags).
* agent/call-pinentry.c (setup_formatted_passphrase): Remove no longer
needed translated strings. Write option without value to Assuan
connection.
* agent/gpg-agent.c (opts): Use ARGPARSE_s_n for
oPinentryFormattedPassphrase.
(parse_rereadable_options): Set option to 1.
--

GnuPG-bug-id: 5553, 5517
2021-08-12 10:50:33 +02:00
Werner Koch
0802cbb59b
w32: Move socketdir to LCOAL_APPDATA
* common/homedir.c (is_gnupg_default_homedir): Use standard_homedir
instead of the constant which makes a difference on Windows.
(_gnupg_socketdir_internal) [W32]: Move the directory to LOCAL_APPDATA.
(gnupg_cachedir): Remove unsued function.

* common/sysutils.c (gnupg_rmdir): New.
* tools/gpgconf.c (main): s/rmdir/gnupg_rmdir/.
--

That is actually a more correct directory than APPDATA.  This fixes
a problem with installations where the APPDATA is non a network drive
and the resulting socket filename is truncated in our socket helper
function (because we use sockaddr also for our local socket
emulation on Windows).

LOCAL_APPDATA is expected to be on the local box and thus in the
majority of cases the resulting socket file name will be short enough.

GnuPG-bug-id: 5537
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-08-11 11:50:41 +02:00
Werner Koch
4cc5340206
gpgconf,w32: Print more registry diagnostics with --list-dirs.
* tools/gpgconf.c (list_dirs): Figure out classes with the key.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-08-11 11:38:37 +02:00
Ingo Klöcker
5976d293ef
agent: Add checkpin inquiry for pinentry
* agent/call-pinentry.c (inq_cb): Handle checkpin inquiry.
(setup_enforced_constraints): New.
(agent_get_passphrase): Call setup_enforced_constraints if new
passphrase is requested.
--

This implements the gpg-agent side for checking whether a new passphrase
entered by the user in pinentry satisfies the passphrase constraints.
Performing a checkpin inquiry is only allowed if the passphrase
constraints are enforced. setup_enforced_constraints sends necessary
options and translated strings to pinentry.

GnuPG-bug-id: 5517, 5532
2021-08-10 12:05:57 +02:00
Ingo Klöcker
bf20a80f68
agent: New option --pinentry-formatted-passphrase
* agent/agent.h (opt): Add field pinentry_formatted_passphrase.
* agent/call-pinentry.c (setup_formatted_passphrase): New.
(agent_get_passphrase): Pass option to pinentry.
* agent/gpg-agent.c (oPinentryFormattedPassphrase): New.
(opts): Add option.
(parse_rereadable_options): Set option.
--

GnuPG-bug-id: 5517
2021-08-10 12:05:53 +02:00
NIIBE Yutaka
29d58e9de7 build: Simplify for string.h and getopt.h.
* configure.ac (AC_CHECK_HEADERS): Remove string.h and getopt.h.
* dirmngr/ks-engine-ldap.c: Remove including getopt.h.
* tools/make-dns-cert.c: Likewise.

--

Checking string.h is supported by AC_HEADER_STDC.  Use of getopt.h
is only needed for getopt_long of GNU extention.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-05 14:01:14 +09:00
NIIBE Yutaka
100c954ab0 sm: Fix pwri.
* sm/decrypt.c (pwri_parse_pbkdf2): Use int for digest algo.
(pwri_decrypt): Use int for cipher algo and digest algo.

--

Fixes-commit: 02029f9eab
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-05 11:16:56 +09:00
NIIBE Yutaka
3f33c7ffcc build: Remove duplication of AC_HEADER_TIME.
* configure.ac: Have a single AC_HEADER_TIME.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-05 10:36:33 +09:00
NIIBE Yutaka
a89f13726d build: Update checking headers.
* configure.ac (AC_CHECK_HEADERS): Remove pty.h utmp.h, util.h,
and libutil.h.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-08-05 10:18:04 +09:00
Ingo Klöcker
94d18320b2 common: Pass XDG_SESSION_TYPE and QT_QPA_PLATFORM envvars to pinentry
* common/session-env.c (stdenvnames): Add XDG_SESSION_TYPE and
QT_QPA_PLATFORM.
--

On Unix systems (except Darwin), Qt uses those two environment
variables additionally to DISPLAY and WAYLAND_DISPLAY to figure out
whether to use X11 or Wayland. For example, QT_QPA_PLATFORM needs
to be set to "wayland" to make Qt use Wayland on Gnome.

GnuPG-bug-id: 3659
2021-08-02 17:19:45 +02:00
Werner Koch
7cdd06af47
sm,w32: Fix Unicode problem on key box creation.
* sm/keydb.c (maybe_create_keybox): Replace access by gnupg_access
2021-07-29 11:51:25 +02:00
Werner Koch
73c03e0232
tools: Extend gpg-check-pattern.
* tools/gpg-check-pattern.c: Major rewrite.
--
Signed-off-by: Werner Koch <wk@gnupg.org>

Here is a simple pattern file:

====================
# Pattern to reject passwords which do not comply to
#   - at least 1 uppercase letter
#   - at least 1 lowercase letter
#   - at least one number
#   - at least one special character
# and a few extra things to show the reject mode

# Reject is the default mode, ignore case is the default
#[reject]
#[icase]

# If the password starts with "foo" (case insensitive) it is rejected.
/foo.*/

[case]

# If the password starts with "bar" (case sensitive) it is rejected.
/bar.*/

# Switch to accept mode: Only if all patterns up to the next "accept"
# or "reject" tag or EOF match, the password is accepted.  Otherwise
# the password is rejected.

[accept]

/[A-Z]+/
/[a-z]+/
/[0-9]+/
/[^A-Za-z0-9]+/
=================

Someone™ please write regression tests.
2021-07-29 11:33:24 +02:00
NIIBE Yutaka
5c8124b8b9 scd: Small clean up for card access.
* scd/app.c (app_get_challenge): Remove the check to ref_count.
* scd/command.c (send_client_notifications): Update comments.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-22 11:22:47 +09:00
NIIBE Yutaka
50ad29f9a7 scd: Fix direct use of card with no ctrl->card_ctx.
* scd/app.c (maybe_switch_app): Remove check of ref_count.

--

Fixes-commit: 0d6b4210cf
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-22 09:43:30 +09:00
Ingo Klöcker
b2a6e5b516 agent: Add translatable text for Caps Lock hint
* agent/call-pinentry.c (start_pinentry): Add new default text.
--

GnuPG-bug-id: 4950
2021-07-21 12:57:44 +02:00
NIIBE Yutaka
0d6b4210cf scd: Fix access to list of cards (3/3).
* scd/app-common.h (card_reset): Simplify more.
(select_additional_application): Supply CARD.
(card_ref, card_unref): Remove.
(card_get, card_put): New.
* scd/app.c (card_reset): No locking/unlocking inside.
(app_switch_current_card): Fix comment.
(select_additional_application): No locking/unlocking inside.
(do_with_keygrip): New, unlocked version.
(card_get): New, with support of KEYGRIP.
(card_unref): Remove.
(card_put): New.
(app_write_learn_status, app_readcert: No locking/unlocking inside.
(app_readkey, app_getattr, app_setattr, app_sign, app_auth): Likewise.
(app_decipher, app_writecert, app_writekey): Likewise.
(app_genkey, app_get_challenge, app_change_pin): Likewise.
(app_check_pin, app_switch_active_app): Likewise.
* scd/command.c (do_reset): Use card_get/card_put.
(open_card_with_request): Use card_get/card_put, return CARD locked.
(cmd_serialno): Follow the change of open_card_with_request.
(cmd_switchapp): Use card_get/card_put.
(cmd_learn, cmd_readcert, cmd_readkey, cmd_pksign): Likewise.
(cmd_pkauth, cmd_pkdecrypt, cmd_getattr): Likewise.
(cmd_setattr, cmd_writecert, cmd_writekey): Likewise.
(cmd_genkey, cmd_random, cmd_passwd): Likewise.
(cmd_checkpin, cmd_getinfo, cmd_restart): Likewise.
(cmd_disconnect, cmd_apdu, cmd_devinfo): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-21 17:22:26 +09:00
NIIBE Yutaka
b436fb6766 scd: Fix access to list of cards (2/3).
* scd/app-common.h (card_reset, select_application): Simplify.
* scd/app.c (card_reset, select_application): Simplify.
* scd/command.c (do_reset): Follow the change.
(open_card, open_card_with_request): Follow the change.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-21 15:59:03 +09:00
NIIBE Yutaka
216945a80e scd: Fix access to list of cards (1/3).
* scd/app.c (card_list_lock): Use MRSW lock.
(lock_r_card_list, unlock_r_card_list): New.
(lock_w_card_list, unlock_w_card_list): New.
(app_dump_state, app_send_devinfo): Use the MRSW lock.
(select_application, app_switch_current_card): Likewise.
(scd_update_reader_status_file): Likewise.
(initialize_module_command, send_card_and_app_list): Likewise.
(app_do_with_keygrip, app_wait): Likewise.

--

GnuPG-bug-id: 5524
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-21 15:34:16 +09:00
Ingo Klöcker
5a93acbc7a po: Fix typo in German translation.
--
2021-07-12 09:44:09 +02:00
Werner Koch
924c8221fb
scd: Silence compiler waring about unused args.
--
2021-07-08 14:11:10 +02:00
Werner Koch
b871824fef
kbx: Improve debugging of the search descriptions in keyboxd.
* kbx/frontend.c (dump_search_desc): New.
(kbxd_search): Actually log the search descriptions.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-07-08 13:57:13 +02:00
Werner Koch
101ba4f18a
kbx: Fix keyboxd searching with multiple patterns.
* kbx/keybox-search-desc.h (struct keydb_search_desc): New flag
name_used.
* common/userids.c (classify_user_id): Set flag.
* kbx/kbxserver.c (struct search_backing_store_s): New.
(cmd_search): use a backing store for the const pointers.
(kbxd_start_command_handler): Release the backing store.
--

Well, the search object partly uses buffers but also const
pointers (for strings and the serial number).  This when assigning
such objects to an another one we should really take a deep copy and
not just copy the pointer.  The more clean solution would have been to
provide a storage option the search object but that needs checking the
code at too many places so that I decided to use a separate backing
store array here.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-07-08 13:57:13 +02:00
NIIBE Yutaka
044e5a3c38 scd: Detect external interference when PCSC_SHARED.
* scd/app-common.h (check_aid): New method.
* scd/app-openpgp.c (do_check_aid): New.
* scd/app-piv.c (do_check_aid): New.
* scd/app.c (check_external_interference): New.
(maybe_switch_app): Check interference to determine switching is
needed.

--

GnuPG-bug-id: 5484
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-07-06 14:52:29 +09:00
Werner Koch
5f78ae696c
artwork: Explain the license for the logo 2021-06-29 18:42:51 +02:00
Werner Koch
a6efde307f
agent: Fix regression in agent_get_shadow_info_type.
* agent/protect.c (agent_get_shadow_info_type): Return the correct
value.
--

Fixes-commit: 33a2362e56
GnuPG-bug-id: 5393
2021-06-25 20:23:01 +02:00
Werner Koch
9579c77862
gpg: Let --fetch-key return an exit code on failure.
* g10/keyserver.c (keyserver_fetch): Return an error code.
* g10/gpg.c (main) <aFetchKeys>: Return 1 in case of no data.
--

GnuPG-bug-id: 5376
2021-06-25 09:55:52 +02:00
Werner Koch
95d707e093
tools: Tweak ccidmon output.
--
2021-06-25 09:55:52 +02:00