1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-10-30 19:58:44 +01:00
Commit Graph

9156 Commits

Author SHA1 Message Date
Werner Koch
aa612d752e
agent: Silence error messages for READKEY --card
* agent/command.c (cmd_readkey): Test for shadow key before creating
it.

(cherry picked from commit 8f2c9cb735)
2021-05-04 08:42:51 +02:00
Werner Koch
2af217ecd7
gpg: Allow fingerprint based lookup with --locate-external-key.
* g10/keyserver.c (keyserver_import_fprint_ntds): New.
* g10/getkey.c (get_pubkey_byname): Detect an attempt to search by
fingerprint in no_local mode.
--

See the man page.  For testing use

  gpg --auto-key-locate local,wkd,keyserver --locate-external-key  \
    FINGERPRINT

with at least one LDAP keyserver given in dirmngr.conf.  On Windows
"ntds" may be used instead or in addtion to "keyserver".

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit ec36eca08c)
2021-05-03 20:53:15 +02:00
Werner Koch
b59af0e2a0
gpg: Lookup a missing public key of the current card via LDAP.
* g10/getkey.c (get_seckey_default_or_card): Lookup a missing public
key from the current card via LDAP.
* g10/call-dirmngr.c: Include keyserver-intetnal.h.
(gpg_dirmngr_ks_get): Rename arg quick into flags.  Take care of the
new LDAP flag.
* g10/keyserver-internal.h (KEYSERVER_IMPORT_FLAG_QUICK): New.
Replace the use of the value 1 for the former quick arg.
(KEYSERVER_IMPORT_FLAG_LDAP): New.
* g10/keyserver.c (keyserver_get_chunk): Increase the reserved line
length.
* dirmngr/ks-action.c (ks_action_get): Add arg ldap_only.
* dirmngr/server.c (cmd_ks_get): Add option --ldap.
--

This change makes it easy to start working with gnupg: Just insert the
smartcard or token provided to you and the first time you sign a
message the public key associated with the current card will be
imported and everything is set without any configuration.

This works only with an LDAP directory because it can be expected that
the public key has been put into the LDAP during card personalization.
Of course an LDAP server needs to be configured; in a Windows AD
domain this can be a mere "keyserver ldap:///" in dirmngr.conf.  Other
configured keyservers are ignored.

Requirements for the card driver: The $SIGNKEYID attribute must exists
and a query for the KEY-FPR attribute needs to return the OpenPGP
fingerprint for that key.  This is currently supported for OpenPGP
cards and certain PKCS#15 cards.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d7e707170f)
2021-05-03 20:28:33 +02:00
Werner Koch
79f5ffb1ad
gpg: Minor restructuring of a function.
--

This is for easier reading and future changing.

(cherry picked from commit d984de172c)
2021-05-03 20:22:47 +02:00
Werner Koch
b8df8321e1
scd: Add option --info to emit KEYPAIRINFO by readkey command.
* scd/command.c (do_readkey): Implement this.
* scd/app-help.c (app_help_get_keygrip_string_pk): Make HEXKEYGRIP
parm optional.  Add arg R_ALGOSTR.
--

This patch basically mimics what we do in 2.3.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-03 20:15:03 +02:00
NIIBE Yutaka
c2ba6bea4c
common: Fix gnupg_wait_processes, by skipping invalid PID.
* common/exechelp-posix.c (gnupg_wait_processes): Skip invalid PID.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit d82dae5d22)
2021-05-03 19:05:14 +02:00
Werner Koch
bbf4bd3bfc
agent: Skip unknown unknown ssh curves seen on cards.
* agent/command-ssh.c (ssh_handler_request_identities): Skip unknown
curves.
--

For example when using my standard ed25519 token and testing cards
with only Brainpool support, the ssh-agent failed due to the unknown
curves seen on the card.  This patches fixes this by ignoring keys
with unknown curves.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 2d2391dfc2)
2021-05-03 18:59:07 +02:00
Werner Koch
a456303ae3
gpgconf: Do not i18n an empty string to the PO files meta data.
* tools/gpgconf-comp.c (my_dgettext): Ignore empty strings.
--

GnuPG-bug-id: 5363
(cherry picked from commit 18d884f841)
2021-04-29 19:56:42 +02:00
Werner Koch
26a024057d
gpg: No warning in quiet mode for S2K mode 0.
--
2021-04-29 19:51:39 +02:00
Werner Koch
f9198189e3
doc: Fix option name.
--
2021-04-29 19:50:58 +02:00
Werner Koch
8bc808a98f
w32: Silence a compiler warning in dirmngr.c
--

(cherry picked from commit 683ff00bb1)
2021-04-29 19:45:00 +02:00
Werner Koch
5eec40f3d8
scd: New option --pcsc-shared.
* scd/scdaemon.h (opt): Add field opcsc_shared.
* scd/scdaemon.c (opcscShared): New.
(opts): Add "--pcsc-shared".
(main): Set flag.
* scd/apdu.c (connect_pcsc_card): Use it.
(pcsc_get_status): Take flag in account.
* scd/app-openpgp.c (verify_chv2): Do not auto verify chv1 in shared
mode.
--

This option should in general not be used.  The patch tries to limit
bad effects but using shared mode is somewhat dangerous depending on
the other PC/SC users.

(cherry picked from commit 5732e7a8e9)
2021-04-29 19:43:23 +02:00
Werner Koch
96577e2e46
scd: Rewrite READKEY to allow for compressed points.
* scd/app-help.c (app_help_pubkey_from_cert): New.  Taken from 2.3.
* scd/command.c (cmd_readkey): Rewrite using new helper.
--

Actually the readkey functions needs to return the uncompressed points
but if there is no readkey function, like in app-p15.c, readcert is
used and here we need to extract and the key and uncompress the point.

Noet that the --advanced flag did not and still does not work if the
key is fetched via readcert.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 16:07:14 +02:00
Werner Koch
7637d39fe2
scd:p15: Update from current GnuPG 2.3
--

This reflects the state of
commit 1f846823b3
featuring these commits:

1f846823b scd:p15: Fix the name of a card.
cc5aa68b6 scd:p15: Fix last commit and improve D-TRUST detection.
21e3f750b scd:p15: Shorten the displayed s/n of RSCS cards
30f90fc85 scd:p15: Support attribute KEY-FPR.
ecb9265b8 scd:p15: Match private keys with certificates also by ...
e17d3f866 scd:p15: New flag APP_LEARN_FLAG_REREAD.
1c16878ef scd: Replace all assert macros by the log_assert macro.
7f9126363 scd:p15: Return labels for keys and certificates.
651c07a73 scd:p15: For CardOS make use of ISO7816_VERIFY_NOT_NEEDED.
de4d3c99a scd:p15: Return the creation time of the keys.
592f48011 scd:p15: Make RSA with SHA512 work with CardOS.
a494b29af scd:p15: Support ECDSA and ECDH for CardOS.
964363e78 scd:p15: Make $SIGNKEY et al determination more fault ...
85082a83c scd:p15: Allow to use an auth object label with cmd CHECKPIN.
ef29a960b scd:p15: New attribute CHV-LABEL.
bf1d7bc36 scd:p15: Implement CHV-STATUS attribute
0f191a070 scd:p15: Fix faulty removal of a test code change.
08b5ac492 scd:p15: Support special extended usage flags for OpenPGP ...
d51a5ca10 scd:p15: Read out the access flags.
cfdaf2bcc scd:p15: Get the label value of all objects for better diag...
33aaa37e5 scd:p15: Make it code work again for D-Trust cards.
488eaedc9 scd:p15: Extract extended usage flagsand act upon them.
0c080ed57 scd:p15: Read PuKDF and minor refactoring.
1e197c29e scd:p15: Make file selection more robust.
5bcbc8cee scd:p15: Factor the commonKeyAttributes parser out.
fb84674d6 scd:p15: Factor the commonObjectAttributes parser out.
fc287c055 scd:p15: First step towards real CardOS 5 support.
60499d989 scd:p15: Show the ATR as part of the TokenInfo diagnostics.
00037f499 scd:p15: Print the internal card type.
c7b9a4ee4 scd:p15: Improve support for some CardOS based cards.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 15:26:36 +02:00
Werner Koch
5b8593135f
common: Extend the openpgp_curve_to_oid function.
* common/openpgp-oid.c (openpgp_curve_to_oid): Add optional arg R_NBITS.
Change all callers.
--

In particular for ed25519 and cv25519 it is quite useful to have an
ability to get the required algorithm.

(cherry picked from commit 24095101a5)
2021-04-29 12:57:00 +02:00
Werner Koch
f3c98b8cb5
common: New module to compute openpgp fingerprints
* common/openpgp-fpr.c: New.
* common/Makefile.am (common_sources): Add it.
--

This function is targeted to handle keys on smartcards.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 2f2bdd9c08)
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 12:37:04 +02:00
Werner Koch
c825117c5f
common: New function to uncompress an ECC public key.
* common/sexputil.c (ec2os): New.
(uncompress_ecc_q_in_canon_sexp): New.

* common/t-sexputil.c (fail2): new.
(test_ecc_uncompress): New.
(main): Run new test.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 935765b451)
2021-04-29 12:31:14 +02:00
Werner Koch
473e649ea1
common: New function cmp_canon_sexp.
* common/sexputil.c (cmp_canon_sexp): New.
(cmp_canon_sexp_def_tcmp): New.
* common/t-sexputil.c (test_cmp_canon_sexp): Add a simple test.
--

To be used to fix
GnuPG-bug-id: 5061

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit b6ba6a79ce)
2021-04-29 12:25:46 +02:00
Werner Koch
0eed0ced9b
scd: New function send_keyinfo to assist in backporting.
* scd/command.c (send_keyinfo): New.
2021-04-29 12:18:48 +02:00
Werner Koch
3db99b8861
scd: Minor changes to assist in backporting from 2.3
* scd/command.c (send_status_direct): Return an error code.
* scd/app-common.h (APP_LEARN_FLAG_REREAD): New.
2021-04-29 11:43:46 +02:00
Werner Koch
72a7d45a23
scd: Extend an internal function to also return the algo.
* scd/app-help.c (app_help_get_keygrip_string_pk): Add optional arg
r_algo.  Change all callers.
(app_help_get_keygrip_string): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 10:52:43 +02:00
Werner Koch
91dd74f3d7
scd: New function for iso7816 PSO_CSV.
* scd/iso7816.c (iso7816_pso_csv): New.
2021-04-29 10:44:12 +02:00
Werner Koch
855d14d390
scd: Extend iso7816_select_path
* scd/iso7816.c (iso7816_select_path): Add arg top_fd.
* scd/app-nks.c (do_readkey): Adjust for this change
(select_ef_by_path: Ditto.

* common/tlv.h: Include membuf.h.
--

Including membuf.h is just for easier backporting.  In 2.3 it is
actually required in tlv.h but in 2.2 we right now only use it
indirect.
2021-04-29 10:38:29 +02:00
Werner Koch
3ce69d8387
scd: Add new status codes.
* scd/apdu.h (SW_SM_NOT_SUP, SW_CC_NOT_SUP, SW_FILE_STRUCT)
(SW_NO_CURRENT_EF): New.
* scd/apdu.c (apdu_strerror): Map them to strings.
* scd/iso7816.c (map_sw): ... and to gpg-error.
2021-04-29 10:14:53 +02:00
Werner Koch
ec9e8e0d6a
scd: Extend ISO binary and record reading functions.
* scd/iso7816.c (iso7816_read_binary_ext): Add optional arg r_sw and
change callers.
(iso7816_read_record): Factor all code out to ...
(iso7816_read_record_ext): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 10:03:12 +02:00
Werner Koch
1303b0ed84
gpg: Do not use self-sigs-only for LDAP keyserver imports.
* dirmngr/ks-engine-ldap.c (ks_ldap_get): Print a SOURCE status.
* g10/options.h (opts): New field expl_import_self_sigs_only.
* g10/import.c (parse_import_options): Set it.
* g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP.
--

I can be assumed that configured LDAP servers are somehow curated and
not affected by rogue key signatures as the HKP servers are.  Thus we
can allow the import of key signature from LDAP keyservers by default.

GnuPG-bug-id: 5387
2021-04-13 14:50:05 +02:00
bobwxc
b0a7132856 po: Update Simplified Chinese Translation.
--

Signed-off-by: bobwxc <bobwxc@yeah.net>
2021-04-08 13:58:07 +09:00
NIIBE Yutaka
f8ae51977c scd: Fix CCID driver for SCM SPR332/SPR532.
* scd/ccid-driver.c (ccid_vendor_specific_pinpad_setup): New.
(ccid_vendor_specific_setup): Only send CLEAR_HALT.
(ccid_transceive_secure): Each time, use send_escape_cmd.

--

Cherry-pick master commit of:
	ab66c43575

GnuPG-bug-id: 5297
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-04-08 13:45:38 +09:00
Werner Koch
18551c6dc2
gpg: Fix new pseudo option compliance_de_vs
* g10/gpg.c (gpgconf_list): Take opt.compliance also in account.
--

This makes it a one-stop check.
2021-04-06 09:30:24 +02:00
Werner Koch
8ef0f53cb0
common: Make the compliance check more robust.
* common/compliance.c (get_compliance_cache): New.
(gnupg_rng_is_compliant): Use per mode cache.
(gnupg_gcrypt_is_compliant): Ditto.
--

This addresses the problem tha the check might be called with
different compliance values and thus it should return the
corresponding cached result.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from 2.3.  Added PGP6 support which was removed from 2.3.
2021-04-01 13:21:33 +02:00
Werner Koch
9feffc03f3
gpgconf: Return a new pseudo option compliance_de_vs.
* tools/gpgconf-comp.c (gc_options_gpg): Add "compliance_de_vs".
* g10/gpg.c (gpgconf_list): Return that pseudo option.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 13:19:10 +02:00
Werner Koch
a50093893c
gpgconf: Fix argv overflow if --homedir is used.
* tools/gpgconf-comp.c (gc_component_launch): Fix crash due to too
small array.
--

GnuPG-bug-id: 5366

Depending on the stack layout this could have led to zeroing out the
PID variable if --homedir was used and thus under Windows to a leaked
handle.  However, gpgconf is a short running process and thus no
really harm.

Co-authored-by: cbiedl@gnupg.com
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 14:53:39 +01:00
Werner Koch
87d7b7e075
gpg: New option --force-sign-key
* g10/gpg.c (oForceSignKey,opts): New option "--force-sign-key".
(main): Set it.
* g10/options.h (opt): New flag flags.force_sign_key.
* g10/keyedit.c (sign_uids): Use new flag.
--

GnuPG-bug-id: 4584
2021-03-11 11:32:00 +01:00
Werner Koch
f3e68e39da
sm: Do away with the locked flag in keydb.c
* sm/keydb.c (struct keydb_handle): Remove field locked.
(keydb_lock): Remove use of locked flag.
(lock_all): Ditto.
(unlock_all): Ditto.
(keydb_set_flags): Use dotlock_is_locked instead of the locked flag.
(keydb_insert_cert): Ditto.
(keydb_delete): Ditto.
(keydb_search): s/keydb_lock/lock_all/.
(keydb_set_cert_flags): Ditto.
(keydb_clear_some_cert_flags): Ditto.

* sm/keydb.c (maybe_create_keybox): s/access/gnupg_access/.
--

We already keep the lock state in the dotlock module so it does not
make sense to add and sync another one here.  Instead we use a new
dotlock function to test whether we are locked.
2021-03-02 19:16:28 +01:00
Werner Koch
67b82a9c60
common: New function dotlock_is_locked.
* common/dotlock.c (dotlock_is_locked): New.
(dotlock_take): Set locked flag also in disabled mode.  No more
warning if the lock has already been taken.
(dotlock_release): Clear locked flag also in disabled mode.  No more
warning if the lock has not been taken.
--

This allow to use dotlock_take and dotlock_release even if they have
already been called.  Before this changes this worked too but a
diagnostic was printed.
2021-03-02 19:11:53 +01:00
Werner Koch
677245ba0e
sm: Lock kbx files also before a search.
* sm/keydb.c (keydb_search): Lock files.
--

This is required for Windows to avoid update locks.  We use it also on
Unix so that the locking behaviour is more or less indentical.

GnuPG-bug-id: 4505
2021-03-02 19:03:00 +01:00
Werner Koch
2b9ae79ad8
sm: On Windows close the kbx files at several places.
* kbx/keybox-search.c (keybox_search_reset) [W32]: Always close.

* kbx/keybox-init.c (keybox_close_all_files): New.
* sm/keydb.c (keydb_close_all_files): New.
* sm/call-dirmngr.c (gpgsm_dirmngr_isvalid): Call new function.
(gpgsm_dirmngr_lookup): Ditto.
(gpgsm_dirmngr_run_command): Ditto.
--

We need to make sure that there are no open files on Windows.  Thus we
close them at several strategic locations.

GnuPG-bug-id: 4505
2021-03-02 19:01:07 +01:00
Werner Koch
c99f3599d8
sm: Remove unused function.
* sm/keydb.c (keydb_insert_cert): Remove.
* kbx/keybox-update.c (keybox_update_cert): Remove stub.
2021-03-02 13:49:55 +01:00
Nicolas Fella via Gnupg-devel
0441ed6e1c
gpg: Keep temp files when opening images via xdg-open
* g10/photoid.c (get_default_photo_command): Change parameter for
xdg-open.
--

xdg-open spawns the user's preferred image viewer and then exits.
Therefore we must not remove the temp file when it exits,
otherwise by the time the actual image viewer is started the file
doesn't exist any more.

Signed-off-by: Nicolas Fella <nicolas.fella@gmx.de>
2021-03-01 09:47:21 +01:00
Werner Koch
e5af401fc4
sm: Silence some other pkcs#12 import prattle
* sm/minip12.c (parse_bag_data): Print a regular log_info only in
verbose mode.
--
2021-03-01 09:46:59 +01:00
Werner Koch
b8998e5ee0
doc: Explain how Tor is detected.
--
2021-02-24 11:09:37 +01:00
Werner Koch
bcdbf0fcf3
sm: Silence some output on --quiet
* sm/encrypt.c (gpgsm_encrypt): Take care of --quiet.
* sm/gpgsm.c: Include minip12.h.
(set_debug): Call p12_set_verbosity.
* sm/import.c (parse_p12): Dump keygrip only in debug mode.
* sm/minip12.c (opt_verbose, p12_set_verbosity): New.
(parse_bag_encrypted_data): Print info messages only in verbose mode.
--

GnuPG-bug-id: 4757
2021-02-24 08:38:13 +01:00
Werner Koch
41979ed730
scd: Change parameters of readkey fucntion pointer.
* scd/app-common.h (APP_READKEY_FLAG_ADVANCED): New.
(struct app_ctx_s): Replace param advanced by flags in readkey.
Change all users.
2021-02-19 10:10:28 +01:00
Werner Koch
669786cf64
scd: Pass ctrl parameter to more app functions.
* scd/app-common.h (struct app_ctx_s): Add parameter ctrl to function
pointers for readkey, setattr, sign, auth, decipher, and check_pin.
--

This is a yet another patch to allow for easier backporting.
2021-02-19 09:56:44 +01:00
Werner Koch
f8588369bc
scd: Detect Yubikey and provide nicer display-s/n.
* scd/app-common.h (struct app_ctx_s): Rename unused field
card_version to cardversion.
* scd/app.c (app_new_register): Add code rom 2.3 to detect the Yubikey
and set cardversion.
(app_get_dispserialno): New.
* scd/app-openpgp.c (do_getattr): Use app_get_dispserialno.
2021-02-19 09:20:29 +01:00
Werner Koch
43b3ec5aee
scd: Change the apptype from a string to an enum.
* scd/app-common.h (cardtype_t): New.
(apptype_t): New.
(struct app_ctx_s): Change type of field apptype.  Add fields
appversion and cardtype.  Adjust all app-*.c for the new type.
* scd/app.c (supported_app_list): New.
(strapptype): New.
(apptype_from_name): New.
(app_dump_state): Use strapptype.
(app_write_learn_status): Ditto.
(app_getattr): Ditto.
(check_conflict): Use apptype_from_name and integer comparison.
* scd/app-openpgp.c: Replace app->card_version by app->appversion.
--

This is another patch to make backporting from 2.3 easier.
2021-02-19 09:17:06 +01:00
Werner Koch
6380126b31
scd: Add some compatibility code for easier backporting.
* scd/app-common.h (APP_WRITEKEY_FLAG_FORCE): New.
(APP_READKEY_FLAG_INFO): New.
(APP_LEARN_FLAG_KEYPAIRINFO): New.
(APP_LEARN_FLAG_MULTI): New.
(struct app_ctx_s): New forward declaration.
(struct app_ctx_s): Add members prep_reselect, reselect, and
with_keygrip.
(KEYGRIP_ACTION_SEND_DATA): New.
(KEYGRIP_ACTION_WRITE_STATUS): New.
(KEYGRIP_ACTION_LOOKUP): New.
(APP_CARD): New macro.
* scd/scdaemon.h: Include app-common.h and remove from all other
files.
(app_t): Move typedef to ...
* scd/app-common.h: here.
--

These changes will make it easier to backport changes from 2.3 to 2.2.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-02-19 08:30:36 +01:00
Werner Koch
55f46b33df
dirmngr: Support new gpgNtds parameter in LDAP keyserver URLs.
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Support a new gpgNtds
extension.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Do ldap_init always with
hostname - which is NULL and thus the same if not given.  Fix minor
error in error code handling.
--

Note that "gpgNtds" is per RFC-4512 case insensitive and has not yet
been officially regisetered.  Thus for correctness the OID can be
used:

  1.3.6.1.4.1.11591.2.5          LDAP URL extensions
  1.3.6.1.4.1.11591.2.5.1          gpgNtds=1 (auth. with current user)

Note that the value must be 1; all other values won't enable AD
authentication and are resevered for future use.
2021-02-17 17:31:36 +01:00
Werner Koch
cdc828f690
dirmngr: Rewrite a weird function by straighter code.
* dirmngr/ldap-parse-uri.c (ldap_uri_p): Use ascii-memcasecmp.
--

Note that the first test on ldaps or ldaps in the original code did
not worked at all so that the Mixed Case part took over there.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-02-17 16:15:59 +01:00
Werner Koch
3c7b1f3f5f
common: Fix compiler warning
--
2021-02-17 15:28:05 +01:00