* agent/gpg-agent.c (create_private_keys_directory): Set permissions.
* common/sysutils.c (modestr_to_mode): New function.
(gnupg_mkdir): Use new function.
(gnupg_chmod): New function.
* common/sysutils.h (gnupg_chmod): New prototype.
* tests/migrations/from-classic.test: Test migration with existing
directory.
GnuPG-bug-id: 2312
Signed-off-by: Justus Winter <justus@g10code.com>
* build-aux/speedo.mk: Change sqlite to use our mirror and the
swdb.lst file.
* build-aux/speedo/w32/inst.nsi: gpg is now build and installed as
gpg.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-http.c (ks_hkp_help): Only print https if tls
is supported.
--
Wrong reporting was pointed out by K_F. Check is the same as
in ks-engine-hkp.c
--
With commit b3378b3a56fc90ba8ae38e6298b23a378305af32 from July 2014 we
use strconcat instead of sprintf for the string and thus we need to
remove one level of percent escaping.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/protect.c (do_encryption): Fix CBC hashing.
--
The buggy code included an extra closing parenthesis before
the (protected-at) term in the CBC hashing. We now do it by
explicitly hashing the protected stuff and append the rest of the
expression instead of a fixed closing parenthesis. Note that the OCB
hashing only differs that it does no include the protected part.
Fixes-commit: 4159567f7ed7a1139fdc3a6c92988e1648ad84ab
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/protect-tool.c (read_and_unprotect): Add arg ctrl and pass to
agent_unprotect.
(main): Allocate a simple CTRL object and pass it to
read_and_unprotect.
(convert_from_openpgp_native): Remove stub.
(agent_key_available, agent_get_cache): New stubs.
(agent_askpin): New emulation for the one in call-pinentry.c.
(agent_write_private_key): New to dump key.
* agent/Makefile.am (gpg_protect_tool_SOURCES): Add cvt-openpgp.c
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/protect.c (agent_protect): Add arg use_ocb. Change all caller
to pass -1 for default.
* agent/protect-tool.c: New option --debug-use-ocb.
(oDebugUseOCB): New.
(opt_debug_use_ocb): New.
(main): Set option.
(read_and_protect): Implement option.
* agent/protect.c (OCB_MODE_SUPPORTED): New macro.
(PROT_DEFAULT_TO_OCB): New macro.
(do_encryption): Add args use_ocb, hashbegin, hashlen, timestamp_exp,
and timestamp_exp_len. Implement OCB.
(agent_protect): Change to support OCB.
(do_decryption): Add new args is_ocb, aadhole_begin, and aadhole_len.
Implement OCB.
(merge_lists): Allow NULL for sha1hash.
(agent_unprotect): Change to support OCB.
(agent_private_key_type): Remove debug output.
--
Instead of using the old OpenPGP way of appending a hash of the
plaintext and encrypt that along with the plaintext, the new scheme
uses a proper authenticated encryption mode. See keyformat.txt for a
description. Libgcrypt 1.7 is required.
This mode is not yet enabled because there would be no way to return
to an older GnuPG version. To test the new scheme use
gpg-protect-tool:
./gpg-protect-tool -av -P abc -p --debug-use-ocb <plain.key >prot.key
./gpg-protect-tool -av -P abc -u <prot.key
Any key from the private key storage should work.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/build-packet.c (do_key): Do not use the header length specified
by the public key packet from the keyring, but let 'write_header2'
compute the required length.
--
Specifically exporting RSA keys of length 1024 failed, as the encoded
public key packet requires 141 bytes a length that fits into one byte,
but the secret key is significantly larger, making the export fail.
GnuPG-bug-id: 2307
Signed-off-by: Justus Winter <justus@g10code.com>
* dirmngr/dirmngr-client.c (init_asctobin): New function.
(main): Move the initialization code to the new function.
(read_pem_certificate): Initialize base64 table.
(read_certificate): Try to decode certificates given in files as PEM
first.
GnuPG-bug-id: 1844
Signed-off-by: Justus Winter <justus@g10code.com>
* doc/mkdefsinc.c (main): Add double include guard. Set variable
gpgtwohack. Define macros gpgname and gpgvname.
* doc/gpg.texi: Remove macro definition for gpgname. Use Texinfo var
gpgtwohack to prepare the man pages. Use @gpgname everywhere.
* doc/gpgv.texi: Likewise.
* doc/Makefile.am (myman_pages): Remove gpg2.1 and gpgv2.1 but add
them depending on USE_GPG2_HACK.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac (USE_GPG2_HACK): New ac_define am_conditional.
* common/homedir.c (gnupg_module_name): Replace use of macro
NAME_OF_INSTALLED_GPG.
* g10/keygen.c (generate_keypair): Ditto.
* g10/Makefile.am (bin_PROGRAMS): Remove.
(noinst_PROGRAMS): Add gpg or gpg2 and gpgv or gpg2.
(gpg2_hack_list): New.
(use_gpg2_hack): New.
(gpg2_SOURCES): Rename to gpg_SOURCES.
(gpgv2_SOURCES): Rename to gpgv_SOURCES.
(gpg2_LDADD): Rename to gpg_LDADD.
(gpgv2_LDADD): Rename to gpgv_LDADD.
(gpg2_LDFLAGS): Rename to gpg_LDFLAGS.
(gpgv2_LDFLAGS): Rename to gpgv2_LDFLAGS.
(install-exec-hook): Remove WinCE specific rules and add new rules.
(uninstall-local): Uninstall gpg/gpg2 and gpgv/gpgv2.
* tests/openpgp/Makefile.am (required_pgms): s/gpg2/gpg/.
* tests/openpgp/defs.inc: Ditto.
* tests/openpgp/gpgtar.test: Ditto.
* tests/openpgp/mkdemodirs: Ditto.
* tests/openpgp/signdemokey: Ditto.
* Makefile.am (DISTCHECK_CONFIGURE_FLAGS): Remove obsolete
--enable-mailto, add --enable-gpg2-is-gpg.
--
Although we need to duplicate some automake generated code this method
allows to easily switch the name of the installed target using the
configure option "--enable-gpg2-is-gpg".
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/tofu.c (opendb): Guard call to timeout function.
--
GnuPG-bug-id: 2294
Fix not tested but is pretty obvious.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keygen.c (ask_key_flags): Improve message.
--
Because the curve is only selected after the capabilities are queried
we do not know whether ECDSA or EdDSA will eventually be used. When
printing the possible capabilities we now use print "ECDSA/EdDSA" for
the algorithm.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keygen.c (MY_USE_ECDSADH): New macro local to ask_curve.
(ask_curve): Use a fixed table of curve names and reserve a slot for
Curve448. Simplify CurveNNNN/EdNNNN switching.
(ask_curve): Remove the Curve25519 is non-standard prompt.
--
Given that ECC generation is only available in export mode and that
gpg will in any case support our current ed2559/cv25519 definition the
extra prompt does not make anymore sense.
Signed-off-by: Werner Koch <wk@gnupg.org>
* sm/keydb.c (maybe_create_keybox): Create the header blob.
--
This is required so that g10/keydb.c can properly detect that a keybox
file is actually there. Just writing a 0 zero length keybox file is
not sufficient because a file with that name may also be an old-style
OpenPGP keyring.
GnuPG-bug-id: 2275
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/Makefile.am (EXTRA_DIST): Add t-stutter-data.asc.
(module_tests): Add t-stutter.
(t_stutter_SOURCES): New variable.
(t_stutter_LDADD): New variable.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
Add a test to check that the Mister and Zuccerato attack described in
"An Attack on CFB Mode Encryption As Used by OpenPGP" works.
* doc/gpgsm.texi: Document '--pinentry-mode' and '--passphrase-fd'.
* sm/Makefile.am (gpgsm_SOURCES): Add new files
* sm/call-agent.c (struct default_inq_parm_s): New definition.
(start_agent): Pass in the pinentry mode.
(default_inq_cb): Handle 'PASSPHRASE' and 'NEW_PASSPHRASE' inquiries.
Adapt all call sites to the new callback cookie.
* sm/gpgsm.c (cmd_and_opt_values): Add new values.
(opts): Add new options.
(main): Handle new options.
* sm/gpgsm.h (struct opt): Add field 'pinentry_mode'.
* sm/passphrase.c: New file.
* sm/passphrase.h: Likewise.
GnuPG-bug-id: 1970
Signed-off-by: Justus Winter <justus@g10code.com>
* doc/gpgsm.texi: Drop description.
* sm/gpgsm.c (cmd_and_opt_values): Drop enum value.
(opts): Drop argument.
(main): Drop argument handling.
* sm/gpgsm.h (struct opt): Drop field 'fixed_passphrase'.
Signed-off-by: Justus Winter <justus@g10code.com>
* configure.ac: Print an error message and die if the internal ccid
driver is requested but no suitable libusb is found.
Signed-off-by: Justus Winter <justus@g10code.com>