importing at -r time. The URL in the PKA record may point to a key put in
by an attacker. Fix is to use the fingerprint from the PKA record as the
recipient. This ensures that the PKA record is followed.
* keyserver-internal.h, keyserver.c (keyserver_import_pka): Return the
fingerprint we requested.
passphrase as if it was used (move from next_pw to last_pw).
* pubkey-enc.c (get_session_key): Use it here to handle the case where a
passphrase happens to be correct for a secret key, but yet that key isn't
the anonymous recipient (i.e. the secret key could be decrypted, but not
the session key). This also handles the case where a secret key is
located on a card and a secret key with no passphrase. Note this does not
fix bug 594 (anonymous recipients on smartcard do not work) - it just
prevents the anonymous search from stopping when the card is encountered.
(keyserver_import_pka), card-util.c (fetch_url): Always require a
scheme:// for keyserver URLs except when used as part of the
--keyserver command for backwards compatibility.
card. If it does, only allow 160-bit hashes, a la DSA. This involves
passing the *sk in, so change all callers. This is correct for today,
given the current 160-bit q in DSA, and the current SHA-1/RIPEMD160
support in the openpgp card. It will almost certainly need changing
down the road.
* app-openpgp.c (do_sign): Give user error if hash algorithm is not
supported by the card.
getkey.c:get_pubkey_byname which was getting crowded.
* keyserver.c (keyserver_import_cert): Import a key found in DNS via CERT
records. Can handle both the PGP (actual key) and IPGP (URL) CERT types.
* getkey.c (get_pubkey_byname): Call them both here.
* options.h, keyserver.c (parse_keyserver_options): Add
"auto-cert-retrieve" option with optional max size argument.
* keyserver-internal.h, keyserver.c (keyserver_spawn, keyserver_work,
keygerver_getname): New keyserver_getname function to fetch keys by name.
* getkey.c (get_pubkey_byname): Call it here to enable locating keys by
full mailbox from a keyserver a la PKA. Try PKA first, though, as it is
likely to be faster.
keyserver_fetch): Set a flag to indicate that we're doing a direct URI
fetch so we can differentiate between a keyserver operation and a URI
fetch for protocols like LDAP that can do either.
when fetching a URI.
* keyserver-internal.h, keyserver.c (keyserver_fetch): New. Fetch an
arbitrary URI using the keyserver helpers.
* gpg.c (main): Call it from here for --fetch-keys.
revoker record. Moved from keyedit.c:show_key_with_all_names_colon.
* keylist.c (list_keyblock_colon): Use it here ...
* keyedit.c (show_key_with_all_names_colon): ... and here.
since we may unprotect it.
* main.h, g10.c (main), revoke.c (gen_desig_revoke): Add local user
support so users can use -u with --desig-revoke. This bypasses the
interactive walk over the revocation keys.
"clean", and add "minimize".
* import.c (parse_import_options): Make help text match the export
versions of the options.
* options.h, export.c (parse_export_options, do_export_stream): Reduce
clean options to two: clean and minimize.
* trustdb.h, trustdb.c (clean_one_uid): New function that joins uid
and sig cleaning into one for a simple API outside trustdb.
cleaning from one convenient place.
* options.h, import.c (parse_import_options, clean_sigs_from_all_uids,
import_one): Reduce clean options to two: clean and minimize.
* parse-packet.c (setup_user_id): Remove. (parse_user_id,
parse_attribute): Just use xmalloc_clear instead.
non-selfsigs from key during cleaning. Change all callers.
* export.c (do_export_stream): Use it here so we don't need additional
minimize code in the export path.
speaking this should be only in gpg_CPPFLAGS, but then we have to
compile everything twice for gpg and gpgv.
* apdu.c (open_pcsc_reader): Fix double free.
* gpg.c (main) [__APPLE__]: Default the PCSC driver to the OS X
location. Suggested by Patty A. Hardy.
so keyserver mangled keys with doubled user IDs can be properly
cleaned - possibly sigs on the different user IDs cancel each other
out.
* import.c (parse_import_options), export.c (parse_export_options):
List "xxx-clean" before the longer options so we don't end up with a
partial match on the longer options.
* trustdb.c (clean_uids_from_key): Return proper number of cleaned
user IDs. Don't count user IDs as cleaned unless we actually delete
something.
keygen.c (make_backsig): Did some backsig interop testing with the PGP
folks. All is well, so I'm turning generation of backsigs on for new
keys. Checking for backsigs on verification is still off.
parse_attribute_subpkts): Make a number of warnings verbose items.
These fire on many slightly mangled keys in the field, so the
warning is becoming burdensome.
algorithms.
* keyedit.c (sign_uids): Don't request a signing key to make a
certification.
* keygen.c (do_add_key_flags): Force the certify flag on for all
primary keys, as the spec requires primary keys must be able to
certify (if nothing else, which key is going to issue the user ID
signature?) (print_key_flags): Show certify flag. (ask_key_flags,
ask_algo): Don't allow setting the C flag for subkeys.
* keyid.c (usagestr_from_pk), getkey.c (parse_key_usage): Distinguish
between a sign/certify key and a certify-only key.
* main.h, misc.c (path_access): New. Same as access() but does a PATH
search like execlp.
* keyserver.c (curl_can_handle): Removed. Replaced by...
(curl_cant_handle): We are now relying on curl as the handler of last
resort. This is necessary because PGP LDAP and curl LDAP are apples
and oranges. (keyserver_typemap): Only test for ldap and ldaps.
(keyserver_spawn): If a given handler is unusable (as determined by
path_access()) then try gpgkeys_curl.
to enable the uid walking when signing a key with no uids specified to
sign.
* keylist.c (list_keyblock_print): Fix silly typo. Noted by Greg
Sabino Mullane.
* export.c (parse_export_options): New option
export-reset-subkey-passwd.
(do_export_stream): Implement it.
* misc.c (get_libexecdir): New.
* keyserver.c (keyserver_spawn): Use it
when compacting a uid. There is no reason to make an attacker's job
easier - this way they only have a revocation which is useless in
bringing the uid back.
* keydb.h, kbnode.c (undelete_kbnode): Removed. No longer needed.
* import.c (chk_self_sigs): Allow a uid revocation to be enough to
allow importing a particular uid (no self sig needed). This allows
importing compacted uids.
* options.h, import.c (parse_import_options, import_one): Add
import-clean-uids option to automatically compact unusable uids when
importing. Like import-clean-sigs, this may nodify the local keyring.
* trustdb.c (clean_uids_from_key): Only allow selfsigs to be a
candidate for re-inclusion.
import_one): Add import-clean-sigs option to automatically clean a key
when importing. Note that when importing a key that is already on the
local keyring, the clean applies to the merged key - i.e. existing
superceded or invalid signatures are removed.
menu_clean_subkeys_from_key), trustdb.h, trustdb.c
(clean_subkeys_from_key): Remove subkey cleaning function. It is of
very limited usefulness since it cannot be used on any subkey that can
sign, and can only affect multiple selfsigs on encryption-only
subkeys.
