1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-09 21:28:51 +01:00
Commit Graph

2536 Commits

Author SHA1 Message Date
Werner Koch
da3015e3c0
gpg: Unify AEAD parameter retrieval.
* g10/pkclist.c (select_aead_from_pklist): Return the AEAD_algo.
* g10/encrypt.c (use_aead): Return the AEAD algo.
(encrypt_simple): Adjust for this change.
(encrypt_crypt): Ditto.
(encrypt_filter): Ditto.
* g10/sign.c (sign_symencrypt_file): Ditto.

* g10/misc.c (MY_GCRY_CIPHER_MODE_EAX): New.
(openpgp_aead_algo_info): New.
* g10/cipher-aead.c (MY_GCRY_CIPHER_MODE_EAX): Remove.
(write_header): Use new fucntion.
* g10/decrypt-data.c (MY_GCRY_CIPHER_MODE_EAX): Remove.
(decrypt_data): Use new function.  Also allow for chunkbytes other
than 10.
--

Note that other chunk bytes than 10 and in particular 0 (64 byte
chunks) have not yet been tested.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-01-22 16:50:21 +01:00
Werner Koch
0131d4369a
gpg: Refactor function encrypt_seskey.
* g10/encrypt.c (encrypt_seskey): Allocate the buffer for the
encrypted key and returns that buffer and its length.
(encrypt_simple): Adjust for above change.
(write_symkey_enc): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-01-22 15:50:24 +01:00
Werner Koch
7356d6ec50
gpg: Support EAX if for latest Libgcrypt.
* g10/cipher-aead.c (MY_GCRY_CIPHER_MODE_EAX): New.
(write_header): Use it.
* g10/decrypt-data.c (MY_GCRY_CIPHER_MODE_EAX): New.
(decrypt_data): Use it.
* g10/misc.c (openpgp_aead_test_algo): Allow EAX.
--

This allows the use of EAX when the latest Libgcrypt master is used.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-01-21 17:00:27 +01:00
Werner Koch
3f4ca85cb0
gpg: First take on PKT_ENCRYPTED_AEAD.
* common/openpgpdefs.h (PKT_ENCRYPTED_AEAD): New const.
* g10/dek.h (DEK): Increase size of use_aead to 4 bits.
* g10/filter.h (cipher_filter_context_t):  Add new fields for AEAD.
* g10/packet.h (PKT_encrypted): Add fields aead_algo, cipher_algo, and
chunkbyte.
* g10/build-packet.c (do_encrypted_aead): New.
(build_packet): Call it.
* g10/parse-packet.c (dump_sig_subpkt): Handle SIGSUBPKT_PREF_AEAD.
(parse_one_sig_subpkt, can_handle_critical): Ditto.
(parse_encrypted): Clear new PKT_ENCRYPTED fields.
(parse_encrypted_aead): New.
(parse): Call it.
* g10/gpg.c (main): Take care of --rfc4880bis option when checking
compliance.
* g10/cipher-aead.c: Replace the stub by real code.
* g10/decrypt-data.c (decode_filter_ctx_t): Add fields for use with
AEAD.
(aead_set_nonce): New.
(aead_set_ad): New.
(decrypt_data): Support AEAD.
(aead_underflow): New.
(aead_decode_filter): New.
* g10/encrypt.c (use_aead): Make that new fucntion work.
(encrypt_simple): Use default_aead_algo() instead of EAX.
* g10/mainproc.c (proc_encrypted): Support AEAD.
(do_proc_packets): Support PKT_ENCRYPTED_AEAD.
--

This code has seen only a very few manual tests.  Encrypting always
uses a 64k chunks and decryption has not been tested with larger
chunks.  Those small chunks make debugging much faster.

Tests can be done using:

  gpg --rfc4880bis --pinentry-mode=loopback --passphrase abc \
      --force-aead --aead-algo ocb --s2k-mode 0 --cipher AES \
      -v -z 0 --status-fd 2 -c <INFILE >OUTFILE

and

  gpg --rfc4880bis --pinentry-mode=loopback --passphrase=abc \
      --status-fd 2 -v -d <INFILE >OUTFILE

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-01-21 16:30:53 +01:00
Werner Koch
e1e35db510
gpg: Fix the use of future-default with --quick-add-key.
* g10/keygen.c (parse_key_parameter_part): Add arg clear_cert.
(parse_key_parameter_string): Add arg suggested_use and implement
fallback.  Change callers to pass 0 for new arg.
(parse_algo_usage_expire): Pass the parsed USAGESTR to
parse_key_parameter_string so that it can use it in case a subkey is
to be created.
--

The problem here was that future-default gives the primary and subkey
algorithm.  However, when using future-default for adding a key, the
second part was always used which is for encryption.  If the caller
now wanted to create a signing subkey using the future-default
parameters this did not worked.

  gpg --batch --passphrase "" --quick-add-key FPR future-default encr

aready worked as did

  gpg --batch --passphrase "" --quick-add-key FPR ed25519 sign

but

  gpg --batch --passphrase "" --quick-add-key FPR future-default sign

does only work with this fix.

GnuPG-bug-id: 3747
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-01-18 13:39:19 +01:00
Werner Koch
81d71818d0
gpg: Add stub function for encrypting AEAD.
* g10/cipher.c (cipher_filter): Rename to cipher_filter_cfb.
* g10/cipher-aead.c: New.  Right now only with a stub function.
* g10/Makefile.am (gpg_sources): Add file.
* g10/encrypt.c (encrypt_simple): Push either cipher_filter_cfb or
cipher_filter_aead.
(encrypt_crypt): Ditto.
(encrypt_filter): Ditto.
* g10/sign.c (sign_symencrypt_file): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-01-10 17:33:50 +01:00
Werner Koch
4e2ba546cd
gpg: New option --force-aead
* g10/dek.h (DEK): Turn fields use_mdc, algo_printed and symmetric
into single bit vars.  Make sure they are always set to 1 or 0.
(DEK): New field use_aead.
* g10/options.h (struct opt): New field force_aead.
* g10/pkclist.c (select_aead_from_pklist): New.
* g10/gpg.c (oForceAEAD): New const.
(opts): New options "--force-aead".
(main): Set new option.
* g10/encrypt.c (use_aead): New.
(encrypt_simple): Implement new flags DEK.use_aead.
(encrypt_crypt): Ditto.
(encrypt_filter): Ditto.
* g10/sign.c (sign_symencrypt_file): Ditto.
--

This patch should be enough to detect whether AEAD can be used.
Not tested.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-01-10 17:07:11 +01:00
Werner Koch
8217cd4936
gpg: Add option and preference framework for AEAD.
* common/openpgpdefs.h (aead_algo_t): New.
(SIGSUBPKT_PREF_AEAD): New.
* g10/gpg.c (oAEADAlgo, oPersonalAEADPreferences): New.
(opts): New options --aead-algo and --personal-aead-preferences.
(set_compliance_option): Clar aead algo.
(main): Parse and check the new options
* g10/options.h (struct opt): Add fields def_aead_algo and
personal_aead_prefs.
* g10/packet.h (PREFTYPE_AEAD): New enum value.
(PKT_user_id): Add field flags.aead.
(PKT_public_key): Add field flags.aead.
* g10/pkclist.c (select_algo_from_prefs): Support PREFTYPE_AEAD.
* g10/getkey.c (fixup_uidnode): Set AEAD flag.
(merge_selfsigs): Ditto.
* g10/kbnode.c (dump_kbnode): Show aead flag.
* g10/keyedit.c (show_prefs): Ditto.
(show_key_with_all_names_colon): Ditto.
* g10/keygen.c (aead_presf, n_aead_prefs): New vars.
(set_one_pref): Suppport PREFTYPE_AEAD.
(keygen_set_std_prefs): Parse AEAD preferences.
(keygen_get_std_prefs): Ditto.
(add_feature_aead): New.
(keygen_upd_std_prefs): Call that and build AEAD pref  packet.
* g10/main.h (DEFAULT_AEAD_ALGO): New const.
* g10/misc.c (openpgp_aead_test_algo): New.
(openpgp_aead_algo_name): New.
(string_to_aead_algo): New.
(default_aead_algo): New.
--

This is only used in --rfc4880bis mode and not really tested.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-01-10 11:51:03 +01:00
Werner Koch
339b3301ee
gpg: Print all keys with --decrypt --list-only.
* g10/mainproc.c (proc_pubkey_enc): Use dedicated error code for
list-only and put the key into PKENC_LIST.
(print_pkenc_list): Take care of the new error code.
--

If the secret keys exist in --list-only mode it was not printed in
--list-only mode.

GnuPG-bug-id: 3718
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-01-08 09:30:31 +01:00
Werner Koch
4d3c500f47
gpg: Allow "futuredefault" as alias for "future-default".
* g10/keygen.c (parse_key_parameter_string): Allow "futuredefault" and
use case-insensitive matching
(quick_generate_keypair): Ditto.
(parse_algo_usage_expire): Ditto.
--

The man page is sometimes rendered in a way that the hyphen may be
not be considered as part of the string.  And while at it we also
allow case-insensitivity.

GnuPG-bug-id: 3655
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-01-01 14:59:30 +01:00
Werner Koch
412bb7a801
gpg: Allow the use of "cv25519" and "ed25519" in the keygen parms.
* g10/keygen.c (gen_ecc): Map curve names.
--

See
https://lists.gnupg.org/pipermail/gnupg-users/2017-December/059619.html

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-29 20:18:20 +01:00
Werner Koch
c817e75028
Merge branch 'STABLE-BRANCH-2-2' into master
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-18 16:42:59 +01:00
Werner Koch
416cf9e9be
gpg: Print a warning for too much data encrypted with 3DES et al.
* g10/filter.h (cipher_filter_context_t): Remove unused filed
'create_mdc'.  Turn field 'header' into a bit field.  Add new fields
'short_blklen_warn' and 'short_blklen_count'.
* g10/cipher.c (write_header): Print a warning if MDC is not used.
(cipher_filter): Print a warning for long messages encrypted with a
short block length algorithm.
--

Note that to test this warning in a reliable way compression needs to
be disabled.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-13 13:02:34 +01:00
Werner Koch
b5333e13cb
gpg: Simplify cipher:write_header.
* g10/cipher.c (write_header): Use write_status_printf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-13 12:15:40 +01:00
Werner Koch
067e62fe55
indent: Re-indent g10/cipher.c
--
2017-12-13 12:14:52 +01:00
Werner Koch
9f641430dc
gpg: Simplify default_recipient().
* g10/pkclist.c (default_recipient): Use hexfingerprint.
--

Note that on malloc failure this function now returns NULL instead of
terminating the process.  However, under memory pressure any function
called latter will very likely fail as well.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-13 11:03:06 +01:00
Werner Koch
cd26c5482b
gpg: Return an error from hexfingerprint on malloc error.
* g10/keyid.c (hexfingerprint): Return NULL on malloc failure.  Chnage
all callers.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-13 10:52:34 +01:00
Werner Koch
29119a6492
gpg: Remove some xmallocs.
* g10/getkey.c (get_pubkeys): Do not use xmalloc.
--

We eventually need to get rid of all xmallocs so that gpg won't fail
easily when we make more use of the s server mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-13 10:07:30 +01:00
Werner Koch
8602b980df
indent: Re-indent get_pubkeys.
--
2017-12-13 10:07:28 +01:00
Daniel Kahn Gillmor
8ede3ae29a
gpg: default-preference-list: prefer SHA512.
* g10/keygen.c (keygen_set_std_prefs): when producing default internal
personal-digest-preferences, keep the same order.  When publishing
external preferences, state preference for SHA512 first.

--

SHA-512 has a wider security margin than SHA-256.  It is also slightly
faster on most of the architectures on which GnuPG runs today.  New
keys should publish defaults that indicate we prefer the stronger,
more performant digest.

Specifically, this changes --default-preference-list from:

   SHA256 SHA384 SHA512 SHA224

to:

   SHA512 SHA384 SHA256 SHA224

This patch deliberately avoids touching --personal-digest-preferences
(which itself would affect the default of --digest-algo and
--cert-digest-algo), so that public-facing cleartext signatures and
identity certifications will continue to be made with SHA256 by
default.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-12-12 15:07:43 +01:00
Werner Koch
b38ca59bdb
Merge branch 'STABLE-BRANCH-2-2' into master 2017-12-11 10:42:38 +01:00
Werner Koch
34defc9bce
Adjust for changed macro names in libgpg-error master.
* common/logging.h (GPGRT_LOGLVL_): New replacement macros for older
libgpg-error versions.

--

Updates-commit: b56dfdfc18
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-12-11 10:42:23 +01:00
NIIBE Yutaka
0d0b9eb0d4 g10: Fix regexp sanitization.
* g10/trustdb.c (sanitize_regexp): Only escape operators.

--

Backport from master commit:
	ccf3ba9208

To sanitize a regular expression, quoting by backslash should be only
done for defined characters.  POSIX defines 12 characters including
dot and backslash.

Quoting other characters is wrong, in two ways; It may build an
operator like: \b, \s, \w when using GNU library.  Case ignored match
doesn't work, because quoting lower letter means literally and no
much to upper letter.

GnuPG-bug-id: 2923
Co-authored-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-12-04 19:26:49 +09:00
Werner Koch
b56dfdfc18
Use the gpgrt log functions if possible.
* common/logging.c: Do not build any code if we can use the gpgrt_log
functions.
(log_logv_with_prefix): Rename to log_logv_prefix and change order of
args so that this function matches its printf like counterpart
gpgrt_logv_prefix.  Change all callers.
(log_debug_with_string): Rename to log_debug_string. Change all
callers.
(log_printhex): Move first arg to end so that this function matches
its printf like counterpart gpgrt_log_printhex.  Change all callers.
* common/logging.h: Divert to gpgrt/libgpg-error if we can use the
gpgrt_log functions.
(bug_at): Add inline versions if we can use the gpgrt_log functions.
* configure.ac (GPGRT_ENABLE_LOG_MACROS): Add to AH_BOTTOM.
(mycflags): Add -Wno-format-zero-length.
--

This patch enables the use of the log function from libgpgrt (aka
libgpg-error).  Instead of checking a version number, we enable them
depending on macros set by recent gpg-error versions.  Eventually the
whole divert stuff can be removed.

The -Wno-format-zero-length is required because log_printhex can be
called with an empty format string.  Note that this is fully specified
standard C behaviour.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-27 15:00:25 +01:00
Werner Koch
4cf3cc6e3d
gpg: Do not read from uninitialized memory with --list-packets.
* g10/parse-packet.c (parse_plaintext): Fill up the allocated NAME.
--

This actually does not harm because we merely display a buffer
allocated by ourselves.  However, we better tell Valgrind about it so
that we don't need to track this thing down ever again.

Test using a corrupted literal data packet:

  echo cb 0a 75 ff 59 ae 90 d5  74 65 73 74 | \
    undump |\
    valgrind gpg --list-packets >/dev/null

Reported-by: Sebastian Schinzel
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-26 18:33:49 +01:00
Werner Koch
fe96ca8d86
Merge branch 'STABLE-BRANCH-2-2'
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-23 15:12:45 +01:00
Werner Koch
531182b7f8
build: Update distsigkey.gpg
--
2017-11-22 20:54:47 +01:00
Werner Koch
ea28ea18f3
gpg: Fix memory leaking for long inputs via --command-fd.
* g10/cpr.c (do_get_from_fd): Free the old buffer.
--

If the received input is longer than 200 characters we used to leak
the previous allocated buffer.

GnuPG-bug-id: 3528
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-22 20:54:47 +01:00
Werner Koch
166f3f9ec4
gpg: Repurpose the ISO defined DO "sex" to "salutation".
* g10/card-util.c (current_card_status): String changes.
(change_sex): Description change.
(cmds): Add "salutation"; keep "sex" as an alias.
--

Note that we can't change the used values or tags but at least the UI
should show reflect the real purpose of the field.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-15 11:34:30 +01:00
Werner Koch
091c4af645
Merge branch 'STABLE-BRANCH-2-2'
--
Kept our AUTHORS and README
2017-11-15 11:01:10 +01:00
Werner Koch
b062ea5bc2
gpg: Print AKL info only in verbose mode.
* g10/getkey.c (get_pubkey_byname): Print info only in verbose mode.
--

GnuPG-bug-id: 3504
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-15 08:47:41 +01:00
NIIBE Yutaka
ccf3ba9208 g10: Fix regexp sanitization.
* g10/trustdb.c (sanitize_regexp): Only escape operators.

--

To sanitize a regular expression, quoting by backslash should be only
done for defined characters.  POSIX defines 12 characters including
dot and backslash.

Quoting other characters is wrong, in two ways; It may build an
operator like: \b, \s, \w when using GNU library.  Case ignored match
doesn't work, because quoting lower letter means literally and no
much to upper letter.

GnuPG-bug-id: 2923
Co-authored-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-11-09 14:03:22 +09:00
NIIBE Yutaka
680161647a
g10: Unattended key generation "Key-Grip" and "Subkey-Grip".
* g10/keygen.c (pSUBKEYGRIP): New.
(read_parameter_file): Add "Key-Grip" and "Subkey-Grip".
(do_generate_keypair): Support pSUBKEYGRIP.

--

In the manual, it says "Key-Grip".  gpgsm also supports "Key-Grip".
Adding "Subkey-Grip" now, adding "Key-Grip" makes sense.

GnuPG-bug-id: 3478
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 6c63a04569)
2017-11-06 12:10:09 +01:00
NIIBE Yutaka
f183b9768b
g10: Simplify "factory-reset" procedure.
* g10/card-util.c (factory_reset): Simplify.

--

In this summer, I got report about old code before this change didn't
work with newer Yubikey.  I got another report test version of OpenPGP
card V3.3 implementation didn't work, either.  Then, I confirmed that
according to the OpenPGP card specification, the procedure of old code
is not expected by its author.

This change simplify "factory-reset" as simple.

Only versions of Gnuk 1.2.2, 1.2.3, 1.2.4, won't work with this
change.  That's because the factory-reset feature of Gnuk was
introduced by reading the implementation of GnuPG, instead of reading
the specification.  Gnuk 1.2.5 and later works well.  All OpenPGPcard
implementations I have work well (2.0, 2.1, 2.2, test version of 3).

GnuPG-bug-id: 3286
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit d63b7966cd)
2017-11-06 12:09:37 +01:00
Werner Koch
acb3005434
gpg: Introduce magic value 25519 to switch a card to ECC.
* g10/card-util.c (ask_card_keyattr): Handle special value 25519.
(do_change_keyattr): Allow changing to cv25519/ed25519.
(generate_card_keys): Ditto.
(card_generate_subkey): Ditto.
--

This is kludge to make it easier for gnuk to be switched into ECC
mode.  This is basically the same change as
commit ea09b6cded
but without the string change in show_keysize_warning.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-02 17:31:57 +01:00
Werner Koch
de3a740c2e
gpg: Rename two card related functions in card-util.
* g10/card-util.c (ask_card_rsa_keysize): Rename to ask_card_keyattr.
(do_change_rsa_keysize): Rename to do_change_keyattr.
--

We want to support other algos than RSA and thus we need a better name
for the functions.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f795f4529d)
2017-11-02 17:22:59 +01:00
Werner Koch
922bae8082
gpg: Unifiy the message for re-configuring cards.
* g10/card-util.c (ask_card_keyattr): Print "rsaNNNN".
--

This is a separate patch from the previous to avoid string changes
when backporting the other patch to 2.2.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-02 17:20:13 +01:00
Werner Koch
ea09b6cded
gpg: Introduce magic value 25519 to switch a card to ECC.
* g10/card-util.c (show_keysize_warning): Slightly change the text.
(ask_card_keyattr): Handle special value 25519.
(do_change_keyattr): Allow changing to cv25519/ed25519.
(generate_card_keys): Ditto.
(card_generate_subkey): Ditto.
--

This is kludge to make it easier for gnuk to be switched into ECC
mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-02 17:16:14 +01:00
Werner Koch
fd3f5ca151
Register another OpenPGP card vendor.
--
2017-11-01 18:17:44 +01:00
Werner Koch
87b94e08d7
gpg: Remove trailing comma in an enum.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-01 18:14:26 +01:00
Werner Koch
f795f4529d
gpg: Rename two card related functions in card-util.
* g10/card-util.c (ask_card_rsa_keysize): Rename to ask_card_keyattr.
(do_change_rsa_keysize): Rename to do_change_keyattr.
--

We want to support other algos than RSA and thus we need a better name
for the functions.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-11-01 18:13:25 +01:00
NIIBE Yutaka
6c63a04569 g10: Unattended key generation "Key-Grip" and "Subkey-Grip".
* g10/keygen.c (pSUBKEYGRIP): New.
(read_parameter_file): Add "Key-Grip" and "Subkey-Grip".
(do_generate_keypair): Support pSUBKEYGRIP.

--

In the manual, it says "Key-Grip".  gpgsm also supports "Key-Grip".
Adding "Subkey-Grip" now, adding "Key-Grip" makes sense.

GnuPG-bug-id: 3478
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-11-01 10:19:35 +09:00
NIIBE Yutaka
d63b7966cd g10: Simplify "factory-reset" procedure.
* g10/card-util.c (factory_reset): Simplify.

--

In this summer, I got report about old code before this change didn't
work with newer Yubikey.  I got another report test version of OpenPGP
card V3.3 implementation didn't work, either.  Then, I confirmed that
according to the OpenPGP card specification, the procedure of old code
is not expected by its author.

This change simplify "factory-reset" as simple.

Only versions of Gnuk 1.2.2, 1.2.3, 1.2.4, won't work with this
change.  That's because the factory-reset feature of Gnuk was
introduced by reading the implementation of GnuPG, instead of reading
the specification.  Gnuk 1.2.5 and later works well.  All OpenPGPcard
implementations I have work well (2.0, 2.1, 2.2, test version of 3).

GnuPG-bug-id: 3286
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-10-30 11:59:11 +09:00
Werner Koch
f6ab97fd96
Merge branch 'STABLE-BRANCH-2-2' into master
--
Resolved Conflicts:
	configure.ac - Adjust due to new log_clock otions
2017-10-27 13:56:15 +02:00
Werner Koch
84af859e39
gpg: Avoid superfluous sig check info during import.
* g10/key-check.c (print_info): New.
(key_check_all_keysigs): Print sig checking results only in debug
mode.  Prettify the stats info and suppress them in quiet mode.

--

This also makes usable stats by prefixing them with the key and the
program name.

GnuPG-bug-id: 3397
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-24 21:11:38 +02:00
Werner Koch
560d85ecff
gpg: Improve the "secret key available" notice in keyedit.c
* g10/keyedit.c (KEYEDIT_NEED_SUBSK): New.
(cmds): Add this flag to keytocard, bkuptocard, expire, and passwd.
(keyedit_menu): Check whether only subkeys are available and take care
of that in the command check and in the HELP listing.  Also print a
different notice if only subkeys are available.
--

Print "Secret key is available" and the bailing out in all commands
which require the _primary_ secret key was surprising.  Now we print
another notice and adjust the checks.

GnuPG-bug-id: 3463
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-24 10:56:13 +02:00
Werner Koch
016538d828
gpg: Remove unused flags from keyedit.c.
* g10/keyedit.c (KEYEDIT_NOT_SK, KEYEDIT_ONLY_SK): Remove.
(cmds): Remove them.
--

These flags were cruft from the time we had to switch between secret
and public key view.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-24 09:35:25 +02:00
Werner Koch
44fb3fbc85
gpg: Fix creating on-disk subkey with on-card primary key.
* g10/keygen.c (generate_subkeypair): Ignore error code issued for
trying to verify a card based key.
--

We try to verify the primary key and thus seed the passphrase cache
before generating the subkey.  However, the verification does not yet
work for on-card keys and thus the PASSWD --verify send to the agent
returns an error.  This patch detects this error and continues without
a seeded passphrase cache.  After all that pre-seeding is just a
convenience.

GnuPG-bug-id: 3280
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-19 18:10:37 +02:00
Werner Koch
2c7dccca9b
gpg: Print sec/sbb with --import-option import-show or show-only.
* g10/import.c (import_one): Pass FROM_SK to list_keyblock_direct.
--

Note that this will likely add the suffix '#' top "sec" because the
secret key has not yet (or will not be) imported.  If the secret key
already exists locally another suffix might be printed.  The upshot is
that the suffix has no usefulness.

GnuPG-bug-id: 3431
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-19 17:12:36 +02:00
Werner Koch
68c8619114
gpg: Make --dry-run and show-only work for secret keys.
* g10/import.c (import_secret_one): Check for dry-run before
transferring keys.
--

The use of --dry-run or --import-option show-only had no effect when
importing a secret key and the public key already existed.  If the
public key did not exist an error message inhibited the import of the
secret key.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-19 17:05:39 +02:00
NIIBE Yutaka
d07de38627
g10: Fix find_and_check_key for multiple keyrings.
* g10/pkclist.c (find_and_check_key): Call get_validity on a specific
keyblock.

--

When we have multiple keyrings, get_validity after
get_best_pubkey_byname should access same keyring.  Or else, the
situation of an expired key in keyring A but valid key in keyring B
causes SEGV.

Thanks to Guido Günther for the use case and the log.

Debian-bug-id: 878812
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-10-19 15:03:19 +02:00
Werner Koch
7c73db3d31
gpg: Keep a lock during the read-update/insert cycle in import.
* g10/keydb.c (keydb_handle): New field 'keep_lock'.
(keydb_release): Clear that flag.
(keydb_lock): New function.
(unlock_all): Skip if KEEP_LOCK is set.
* g10/getkey.c (get_keyblock_byfprint_fast): Call keep_lock if
requested.
--

That change is straightforward.  It helps to avoid the race condition
that another gpg process inserts a key while the first process is
between the search and the insert.

A similar change is due for gpgsm.

Note that the key edit operations may still suffer from a race.

GnuPG-bug-id: 3446
2017-10-19 15:02:28 +02:00
Werner Koch
8448347b5b
gpg: Improve keydb handling in the main import function.
* g10/getkey.c (get_pubkey_byfprint_fast): Factor most code out to ...
(get_keyblock_byfprint_fast): .. new function.
* g10/import.c (revocation_present): s/int rc/gpg_error_t err/.
(import_one): Use get_keyblock_byfprint_fast to get the keyblock and a
handle.  Remove the now surplus keyblock fetch in the merge branch.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-19 15:01:38 +02:00
Werner Koch
752cae6dd2
gpg: Simplify keydb handling of the main import function.
* g10/import.c (import_keys_internal): Return gpg_error_t instead of
int.  Change var names.
(import_keys_es_stream): Ditto.
(import_one): Ditto.  Use a single keydb_new and simplify the use of
of keydb_release.
--

Note that this opens a keydb handle before we call
get_pubkey_byfprint_fast which internally uses another key db handle.
A further patch will cleanup this double use.  Note that we also
disable the keydb caching for the insert case.

The s/int/gpg_error_t/ has been done while checking the call chains of
the import functions and making sure that gpg_err_code is always used.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-19 15:00:05 +02:00
NIIBE Yutaka
995c46ea77 g10: Fix find_and_check_key for multiple keyrings.
* g10/pkclist.c (find_and_check_key): Call get_validity on a specific
keyblock.

--

When we have multiple keyrings, get_validity after
get_best_pubkey_byname should access same keyring.  Or else, the
situation of an expired key in keyring A but valid key in keyring B
causes SEGV.

Thanks to Guido Günther for the use case and the log.

Debian-bug-id: 878812
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-10-19 11:08:24 +09:00
Werner Koch
645f30ad31
gpg: Keep a lock during the read-update/insert cycle in import.
* g10/keydb.c (keydb_handle): New field 'keep_lock'.
(keydb_release): Clear that flag.
(keydb_lock): New function.
(unlock_all): Skip if KEEP_LOCK is set.
* g10/getkey.c (get_keyblock_byfprint_fast): Call keep_lock if
requested.
--

That change is straightforward.  It helps to avoid the race condition
that another gpg process inserts a key while the first process is
between the search and the insert.

A similar change is due for gpgsm.

Note that the key edit operations may still suffer from a race.

GnuPG-bug-id: 3446
2017-10-18 18:28:52 +02:00
Werner Koch
3bb06531d3
gpg: Improve keydb handling in the main import function.
* g10/getkey.c (get_pubkey_byfprint_fast): Factor most code out to ...
(get_keyblock_byfprint_fast): .. new function.
* g10/import.c (revocation_present): s/int rc/gpg_error_t err/.
(import_one): Use get_keyblock_byfprint_fast to get the keyblock and a
handle.  Remove the now surplus keyblock fetch in the merge branch.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-18 17:52:41 +02:00
Werner Koch
d353287f72
gpg: Simplify keydb handling of the main import function.
* g10/import.c (import_keys_internal): Return gpg_error_t instead of
int.  Change var names.
(import_keys_es_stream): Ditto.
(import_one): Ditto.  Use a single keydb_new and simplify the use of
of keydb_release.
--

Note that this opens a keydb handle before we call
get_pubkey_byfprint_fast which internally uses another key db handle.
A further patch will cleanup this double use.  Note that we also
disable the keydb caching for the insert case.

The s/int/gpg_error_t/ has been done while checking the call chains of
the import functions and making sure that gpg_err_code is always used.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-18 13:56:14 +02:00
Werner Koch
18e5946aef
gpg: Fix wrong Tofu DB consistency check.
* g10/tofu.c (build_conflict_set): Do not assume MAX_FINGERPRINT_LEN
is the size of the fingerprint.
--

This problem was exhibited by
commit ecbbafb88d.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-18 13:56:12 +02:00
Werner Koch
825abec0e7
gpg,sm: New option --with-key-screening.
* common/pkscreening.c: New.
* common/pkscreening.h: New.
* common/Makefile.am (common_sources): Add them.
* g10/gpg.c (opts): New option --with-key-screening.
* g10/options.h (struct opt): New field with_key_screening.
* g10/keylist.c: Include pkscreening.h.
(print_pk_screening): New.
(list_keyblock_print): Call it.
(print_compliance_flags): Call it.
* sm/gpgsm.c (opts): New option --with-key-screening.
* sm/gpgsm.h (scruct opt): New field with_key_screening.
* sm/keylist.c:  Include pkscreening.h.
(print_pk_screening): New.
(print_compliance_flags): Call it.  Add new arg cert.
(list_cert_colon): Pass arg cert
(list_cert_std): Call print_pk_screening.
* sm/fingerprint.c (gpgsm_get_rsa_modulus): New.
--

This new option can be used to detect ROCA affected keys.  To scan an
entire keyring and print the affected fingerprints use this:

  gpg -k --with-key-screening --with-colons | gawk -F: \
       '$1~/pub|sub|sec|ssb|crt/ && $18~/\<6001\>/ {found=1;next};
        $1=="fpr" && found {print $10}; {found=0}'

The same works for gpgsm.  Note that we need gawk due to the "\<" in
the r.e.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-10-17 21:10:19 +02:00
Neal H. Walfield
1ed21eee79 gpg: Fix comparison.
* g10/gpgcompose.c (literal_name): Complain if passed zero arguments,
not one or fewer.

Signed-off-by: Neal H. Walfield <neal@walfield.org>
2017-10-06 11:53:51 +02:00
Werner Koch
b509d81cab
gpg: Workaround for junk after --trusted-key.
* g10/trust.c (register_trusted_key): Cut off everthing starting as a
hash sign.
--

This problem is fallout from
commit f99830b728
which fixes
GnuPG-bug-id: 1206

The same could happen with other options taking keyids but we won't
change that because a trailing '#' does not indicate a comment.  So
this is really only a workaround and eventually we will
deprecate --trusted-key anyway or require a fingerprint as a value.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-09-28 14:10:12 +02:00
Werner Koch
ecbbafb88d
gpg: Prepare for a longer fingerprint
* g10/card-util.c (change_cafpr): Use MAX_FINGERPRINT_LEN.
* g10/cipher.c (write_header): Use snprintf.
* g10/gpg.h (MAX_FINGERPRINT_LEN): Change to 32.
(MAX_FORMATTED_FINGERPRINT_LEN): Change to 59
* g10/keyid.c (format_hexfingerprint): Add v5 fingerprint format.
* g10/tofu.c (get_policy): Use MAX_FINGERPRINT_LEN for the buffer but
keep the raw length for now.
--

Note that this patch only increases the size of the buffer and adds a
new formatting for v5 fingerprints.  Moe work is required to fix
internal data structures like those in trustdb.gpg and the tofu
tables.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-09-27 09:42:13 +02:00
Werner Koch
76c80021d4
common: Add constant KEYGRIP_LEN.
* common/util.h (KEYGRIP_LEN): New.
* g10/call-agent.c (agent_probe_any_secret_key): Use that constant.
* g10/keyid.c (keygrip_from_pk): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-09-27 09:33:14 +02:00
Werner Koch
6aa4478c78
gpg: Let --debug clock time sign and verify.
* configure.ac (ENABLE_LOG_CLOCK): New ac_define and option.
* common/logging.c (log_clock): Use ENABLE_LOG_CLOCK to enable
timestamp printing.
* g10/call-agent.c (agent_pksign): Time signing.
* g10/sig-check.c (check_signature_end_simple): Time verification.
--

Timing for verification is limited to data signatures because this is
the most common thing to evaluate.  We should consider to change
log_clock to printf style so that we could print the signature class
and other info.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-09-27 07:59:07 +02:00
Werner Koch
cd2d758f3f
Merge branch 'STABLE-BRANCH-2-2' into master
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Conflicts:
	NEWS - include release info from 2.2.1
	configure.ac - keep master.
2017-09-26 12:00:03 +02:00
NIIBE Yutaka
0a76611294 g10: Select a secret key by checking availability under gpg-agent.
* g10/getkey.c (finish_lookup): Add WANT_SECRET argument to confirm
by agent_probe_secret_key.
(get_pubkey_fromfile, lookup): Supply WANT_SECRET argument.

--

GnuPG-bug-id: 1967
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-09-26 11:02:05 +09:00
Werner Koch
006ca124ed
gpgv: Initialize compliance checker.
* g10/gpgv.c (main): Call gnupg_initialize_compliance.
--

The compliance checker needs to be initialize so that it won't let
spit out a "not suitable" message.  We use the module name of gpg.
Because there is no option to change the compliance mode in gpgv we
will always be in the default (CO_GNUPG) mode.  It also does not make
much sense to have it here because gpgv expects a "curated" keyring.

GnuPG-bug-id: 3404
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-09-13 09:18:15 +02:00
Werner Koch
8b5a2474f2
gpg: Fix "Fix key generation with only an email part".
* g10/keygen.c (proc_parameter_file): Don't check the result of
stpcpy.
--

Fixes-commit: 7089dcc540
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-09-12 14:38:44 +02:00
Werner Koch
7089dcc540
gpg: Fix key generation with only an email part.
* g10/keygen.c (proc_parameter_file): Special case the email only
case.
--

Using a parameter file like

  %ask-passphrase
  key-type:      RSA
  key-length:    2048
  key-usage:     sign
  subkey-type:   RSA
  subkey-length: 2048
  subkey-usage:  encrypt
  name-email:    foo@example.org

with "gpg --gen-key --patch" the result was this key

  pub   rsa2048 2017-09-11 [SC]
        63A8C1BA12CC289A0E8072C971C7F8D4A18CE0BE
  uid           [ultimate]  <foo@example.org>
  sub   rsa2048 2017-09-11 [E]

At least the the extra leading space the left angle bracket is wrong.
Further some mail providers reject keys which consist of more than
just a plain mail address.  Using just a mail address is anyway the
new new suggested content for a user id.  With this patch the key
will be

  pub   rsa2048 2017-09-11 [SC]
        B302343C20EA6DECDB6A155135352F2520397080
  uid           [ultimate] foo@example.org
  sub   rsa2048 2017-09-11 [E]

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-09-11 11:29:13 +02:00
Daniel Kahn Gillmor
73ff075204 gpg: default to AES-256.
* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default.

--

It's 2017, and pretty much everyone has AES-256 available.  Symmetric
crypto is also rarely the bottleneck (asymmetric crypto is much more
expensive).  AES-256 provides some level of protection against
large-scale decryption efforts, and longer key lengths provide a hedge
against unforseen cryptanalysis.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-09-08 14:32:49 -04:00
Daniel Kahn Gillmor
909fbca196 gpg: default to 3072-bit RSA keys.
* agent/command.c (hlp_genkey): update help text to suggest the use of
3072 bits.
* doc/wks.texi: Make example match default generation.
* g10/keygen.c (DEFAULT_STD_KEY_PARAM): update to
rsa3072/cert,sign+rsa3072/encr, and fix neighboring comment,
(gen_rsa, get_keysize_range): update default from 2048 to 3072).
* g10/keyid.c (pubkey_string): update comment so that first example
is the default 3072-bit RSA.

--

3072-bit RSA is widely considered to be 128-bit-equivalent security.
This is a sensible default in 2017.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Gbp-Pq: Topic update-defaults
Gbp-Pq: Name 0015-gpg-default-to-3072-bit-RSA-keys.patch
2017-09-08 11:37:42 -04:00
Werner Koch
13821e15fb
gpg: Fix memory leak while running --check-trustdb.
* g10/trustdb.c (update_min_ownertrust): Free PK.
--

This bug was revealed by the new trust-pgp-2.scm test.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-24 22:10:44 +02:00
Werner Koch
b065a69634
gpg: Fix memory leak in sig-check.
* g10/sig-check.c (check_signature_over_key_or_uid): Remove useless
condition.  Actually free when SIGNER was allocated by us.
--

SIGNER_ALLOCATED never received a value of -1 but that was tested.

IF SIGNER_ALLOCATED was 2 the memory was never freed:

  if (signer_allocated == 1)
    if (signer_allocated == 2)
      free()

Fixes-commit: 44cdb9d73f

This function needs to be audited more thoroughly.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-24 20:26:19 +02:00
Werner Koch
757302cc7a
indent: Change comment style on two functions
--

This is to make those function better readable.

  if (foo)
     /* Comment */
     {

     }

is bad style because it requires extra time to notice the begin of the
block and vice versa when noticing the block it is not clear whether
this is an conditioned or unconditioned block.

Having asterisks on the left is better for view impaired people and
for b/w printouts.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-24 19:19:23 +02:00
Werner Koch
565e486b80
gpgconf: Swap "auto-key-retrieve" and "no-auto-key-retrieve".
* g10/gpg.c (gpgconf_list): Announce "auto-key-retrieve".
(main): Simplify setting of KEYSERVER_AUTO_KEY_RETRIEVE.
* tools/gpgconf-comp.c: Make "no-auto-key-retrieve" invisible.  Make
"auto-key-retrieve" an expert option.
--

This basically reverts 9bb13a0e81
because --no-auto-key-retrieve is again the default.  Note that we
allow both options for the sake of profiles.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-23 16:45:20 +02:00
Damien Goutte-Gattat
0161225457
gpgconf: Make WoT settings configurable by gpgconf.
* tools/gpgconf-comp.c (gc_options_gpg): Add max-cert-depth,
completes-needed, and marginals-needed options.
* g10/gpg.c (gpgconf_list): Likewise.
--

Some tests to come for the PGP trust model will need to manipulate
these parameters.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2017-08-21 16:50:01 +02:00
Daniel Kahn Gillmor
e6f84116ab gpg: default to --no-auto-key-retrieve.
* g10/gpg.c (main): remove KEYSERVER_AUTO_KEY_RETRIEVE from the
default keyserver options.
* doc/gpg.texi: document this change.
--

This is a partial reversion of
7e1fe791d1.  Werner and i discussed it
earlier today, and came to the conclusion that:

 * the risk of metadata leakage represented by a default
   --auto-key-retrieve, both in e-mail (as a "web bug") and in other
   contexts where GnuPG is used to verified signatures, is quite high.

 * the advantages of --auto-key-retrieve (in terms of signature
   verification) can sometimes be achieved in other ways, such as when
   a signed message includes a copy of its own key.

 * when those other ways are not useful, a graphical, user-facing
   application can still offer the user the opportunity to choose to
   fetch the key; or it can apply its own policy about when to set
   --auto-key-retrieve, without needing to affect the defaults.

Note that --auto-key-retrieve is specifically about signature
verification.  Decisions about how and whether to look up a key during
message encryption are governed by --auto-key-locate.  This change
does not touch the --auto-key-locate default of "local,wkd".  The user
deliberately asking gpg to encrypt to an e-mail address is a different
scenario than having an incoming e-mail trigger a potentially unique
network request.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-08-11 02:26:52 -04:00
Marcus Brinkmann
977fc5f0eb g10: Write status error on error of --quick-revoke-uid.
* g10/keyedit.c (keyedit_quick_revuid): Write status error on error.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 2963
2017-08-09 18:37:20 +02:00
Justus Winter
c4506f624e
gpg: Add option '--disable-dirmngr'.
* doc/gpg.texi: Document new option.
* g10/call-dirmngr.c (create_context): Fail if option is given.
* g10/gpg.c (cmd_and_opt_values): New value.
(opts): New option.
(gpgconf_list): Add new option.
(main): Handle new option.
* g10/options.h (struct opt): New field 'disable_dirmngr'.
* tools/gpgconf-comp.c (gc_options_gpg): New option.

GnuPG-bug-id: 3334
Signed-off-by: Justus Winter <justus@g10code.com>
2017-08-08 11:43:22 +02:00
Werner Koch
b70e86fd10
gpg: Fix memory leak in parse_auto_key_locate.
* g10/getkey.c (parse_auto_key_locate): Fix freeing of OPTIONS.
--

It was probably too late for me to hack.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-04 22:46:40 +02:00
Werner Koch
9bb13a0e81
gpg: Make --no-auto-key-retrieve gpgconf-igurable.
* g10/gpg.c (gpgconf_list): Print no-auto-key-retrieve instead of
auto-key-retrieve.
* tools/gpgconf-comp.c (gc_options_gpg): Replace auto-key-retrieve by
no-auto-key-retrieve and chnage level from invisible to advanced.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-04 22:19:37 +02:00
Werner Koch
7e1fe791d1
gpg: Default to --auto-key-locate "local,wkd" and --auto-key-retrieve.
* g10/gpg.c (main): Add KEYSERVER_AUTO_KEY_RETRIEVE to the default
keyserver options.  Set the default for --auto-key-locate to
"local,wkd".  Reset that default iff --auto-key-locate has been given
in the option file or in the commandline.
* g10/getkey.c (parse_auto_key_locate): Work on a copy of the arg.
--

GnuPG-bug-id: 3324
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-04 22:06:18 +02:00
Werner Koch
b54d75fb1d
gpg: Avoid double fingerprint printing with import-show.
* g10/import.c (import_one) <IMPORT_SHOW>: Take care of fingerprint
options.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-04 17:09:17 +02:00
Werner Koch
d9fabcc198
gpg: New import option show-only.
* g10/options.h (IMPORT_DRY_RUN): New.
* g10/import.c (parse_import_options): Add "show-only".
(import_one): use that as alternative to opt.dry_run.
--

This is just a convenience thing for

  --import-options import-show --dry-run

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-04 17:03:03 +02:00
Marcus Brinkmann
dcfb019598 g10: Always save standard revocation certificate in file.
* g10/revoke.c (gen_standard_revocation): Set opt.outfile to NULL
temporarily to create certificate in right place.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 3015
2017-08-02 16:14:48 +02:00
Marcus Brinkmann
624cd2d0bf Revert "g10: Always save standard revocation certificate in file."
This reverts commit ebc65ff459.
2017-08-01 19:08:16 +02:00
Marcus Brinkmann
ebc65ff459 g10: Always save standard revocation certificate in file.
* g10/main.h (open_outfile): New parameter NO_OUTFILE.
* g10/openfile.c (open_outfile): New parameter NO_OUTFILE.  If given,
never use opt.outfile.
* g10/revoke.c (create_revocation): If FILENAME is true, also set
NO_OUTFILE to true (for standard revocation certificates).
* g10/dearmor.c, g10/encrypt.c, g10/export.c, g10/revoke.c,
g10/sign.c: Adjust all other callers.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 3015
2017-08-01 17:41:03 +02:00
Werner Koch
4e117f206b
gpg,sm: Error out on compliance mismatch while decrypting.
* g10/pubkey-enc.c (get_session_key): Bail out if the algo is not
allowed in the current compliance mode.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
--

The idea here is that the owner of the key created a non-compliant key
and later receives a mail encrypted to that key.  The sender should
have checked this key too but we can't guarantee that.  By hard
failing here the owner of the key will notice that he had created a
non-compliant key and thus has a chance to generate a new compliant
key.  In case the compliant criteria changes and the owner wants to
decrypt an old message he can still switch gpg to another compliant
mode.

Fixes-commit: a0d0cbee76
GnuPG-bug-id: 3308
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-08-01 08:41:47 +02:00
Werner Koch
4ad5bc1b6d
Explain the "server is older than xxx warning".
* g10/call-agent.c (warn_version_mismatch): Print a note on how to
restart the servers.
* g10/call-dirmngr.c (warn_version_mismatch): Ditto.
* sm/call-agent.c (warn_version_mismatch): Ditto.
* sm/call-dirmngr.c (warn_version_mismatch): Ditto.
--

We should move this fucntion to common.  However, the status output
functions are different and would need to be streamlined too.

GnuPG-bug-id: 3117
Debian-bug-id: 860745
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-31 11:20:47 +02:00
Werner Koch
efe187e8a2
gpg,sm: String changes for compliance diagnostics.
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-28 17:46:43 +02:00
Werner Koch
1c35e29af9
gpg: Minor rework for better readibility of get_best_pubkey_byname.
* g10/getkey.c (get_best_pubkey_byname): Change return type to
gpg_error_t.  Use var name err instead of rc.  Move a
gpg_error_from_syserror closer to the call.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-28 11:08:32 +02:00
Werner Koch
6496dc1f9d
gpg: Fix segv in get_best_pubkey_byname.
* g10/getkey.c (get_best_pubkey_byname): Init NEW.
--

We call free_user_id on NEW.uid and thus it needs to be initialized.

This fixes the ref-count or invisible segv bug from
GnuPG-bug-id: 3266

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-28 10:58:59 +02:00
Werner Koch
6502bb0d2a
gpg: Tweak compliance checking for verification
* common/compliance.c (gnupg_pk_is_allowed): Rework to always allow
verification.
* g10/mainproc.c (check_sig_and_print): Print a con-compliant warning.
* g10/sig-check.c (check_signature2): Use log_error instead of
log_info.
--

We should be able to verify all signatures.  So we only print a
warning.  That is the same beheavour as for untrusted keys etc.

GnuPG-bug-id: 3311
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-27 16:22:36 +02:00
Werner Koch
1bd22a85b4
gpg,sm: Allow encryption (with warning) to any key in de-vs mode.
* g10/encrypt.c (encrypt_crypt): Do not abort for a non-compliant key.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
--

GnuPG-bug-id: 3306
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-27 14:57:32 +02:00
Werner Koch
a0d0cbee76
gpg,sm: Fix compliance checking for decryption.
* common/compliance.c (gnupg_pk_is_compliant): Remove the Elgamal
signing check.  We don't support Elgamal signing at all.
(gnupg_pk_is_allowed) <de-vs>: Revert encryption/decryption for RSA.
Check the curvenames for ECDH.
* g10/pubkey-enc.c (get_session_key): Print only a warning if the key
is not compliant.
* sm/decrypt.c (gpgsm_decrypt): Ditto.  Use the same string as in gpg
so that we have only one translation.
--

We always allow decryption and print only a note if the key was not
complaint at the encryption site.

GnuPG-bug-id: 3308
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-27 13:56:38 +02:00
Werner Koch
6d95611d01
indent: Wrap an overlong line.
--

Folks, please set your editors to 80 columns to notice such flaws.
2017-07-27 11:41:40 +02:00
Werner Koch
fcb62fe20f
gpg: Avoid output to the tty during import.
* g10/key-check.c (key_check_all_keysigs): Add arg mode and change all
output calls to use it.
* g10/keyedit.c (keyedit_print_one_sig): Add arg fp and chnage all
output calls to use it.
(keyedit_menu): Adjust for changes.
* g10/gpgcompose.c (keyedit_print_one_sig): Add dummy arg fp.
* g10/import.c (import_one): Call key_check_all_keysigs with output to
the log stream.
--

Fixes-commit: 404fa8211b
GnuPG-bug-id: 3288
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-27 11:38:57 +02:00
Marcus Brinkmann
94eea0ed2c g10: Make sure exactly one fingerprint is output with --quick-gen-key.
* g10/keygen.c (do_generate_keypair): Only set fpr in
list_keyblock_direct invocation if neither --fingerprint nor
--with-fingerprints are given.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 2741
2017-07-26 18:10:21 +02:00
Werner Koch
166d0d7a24
gpg: Update key origin info during import merge.
* g10/import.c (update_key_origin): New.
(merge_blocks): Add arg curtime.
(import_one): Pass curtime to merge_blocks.  Call update_key_origin.
--

We probably need to refine the rules on how this is done.  But it is a
start.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-25 11:23:08 +02:00
Werner Koch
84c993d932
gpg: Store key origin for new userids during import merge.
* g10/import.c (apply_meta_data): Rename to ...
(insert_key_origin): this.  Factor code out to ...
(insert_key_origin_pk, insert_key_origin_uid): new funcs.
(import_one): Move insert_key_origin behind clean_key.
(merge_blocks): Add args options, origin, and url.
(append_uid): Rename to ...
(append_new_uid): this.  Add args options, curtime, origin, and url.
Call insert_key_origin_uid for new UIDs.
--

This is a straightforward change to handle new user ids.

How to test:

With an empty keyring run

  gpg --with-key-origin --locate-key \
      --auto-key-locate clear,nodefault,wkd  wk@gnupg.org

and then append a new keyid using

  gpg --with-key-origin --locate-key \
      --auto-key-locate clear,nodefault,wkd  wk@g10code.com

Works with my current key 80615870F5BAD690333686D0F2AD85AC1E42B367.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-25 10:34:50 +02:00
Werner Koch
87b5421ca8
gpg: Extend --key-origin to take an optional URL arg.
* g10/getkey.c (parse_key_origin): Parse appended URL.
* g10/options.h (struct opt): Add field 'key_origin_url'.
* g10/gpg.c (main) <aImport>: Pass that option to import_keys.
* g10/import.c (apply_meta_data): Extend for file and url.
* g10/keyserver.c (keyserver_fetch): Pass the url to
import_keys_es_stream.
--

Example:

  gpg --key-origin url,myscheme://bla --import FILE

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-24 21:10:58 +02:00
Werner Koch
2ca0381d07
gpg: Store key origin info for new keys from a keyserver
* g10/keyserver.c (keyserver_get_chunk): Use KEYORG_KS if request was
done by fingerprint.
* g10/import.c (apply_meta_data): Implement that.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-24 20:47:41 +02:00
Werner Koch
e7068bf92e
gpg: Store key origin info for new DANE and WKD retrieved keys.
* g10/import.c (apply_meta_data): Remove arg 'merge'.  Add arg 'url'.
Implement WKD and DANE key origin.
(import_keys_internal): Add arg 'url' and change all callers.
(import_keys_es_stream): Ditto.
(import): Ditto.
(import_one): Ditto.
* g10/keylist.c (list_keyblock_print): Fix update URL printing.
* g10/call-dirmngr.c (gpg_dirmngr_wkd_get): Add arg 'r_url' to return
the SOURCE.  Pass ks_status_cb to assuan_transact.
* g10/keyserver.c (keyserver_import_wkd): Get that URL and pass it to
the import function.
--

Note that this only for new keys.  Merging this info will be added
soon.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-24 20:09:52 +02:00
Werner Koch
f6f0dd4d5e
gpg: Filter keys received via DANE
* g10/keyserver.c (keyserver_import_cert): Use an import filter in
DANE mode.
--

We only want to see the user ids requested via DANE and not any
additional ids.  This filter enables this in the same way we do this
in WKD.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-24 20:09:52 +02:00
Marcus Brinkmann
872137b592 g10: Make sure to emit NEED_PASSPHRASE on --import of secret key.
* call-agent.h (agent_import_key): Add keyid parameters.
* call-agent.c (agent_import_key): Set keyid parameters.
* import.c (transfer_secret_keys): Pass keyid parameters.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 2667
2017-07-24 17:18:42 +02:00
Marcus Brinkmann
d8e46f1069 g10: Make sure to emit NEED_PASSPHRASE on --export-secret-key.
* call-agent.h (agent_export_key): Add keyid parameters.
* call-agent.c (agent_export_key): Set keyid parameters.
* export.c (receive_seckey_from_agent): Pass keyid parameters.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 2667
2017-07-24 16:03:25 +02:00
Marcus Brinkmann
e4c720fa3b g10: Avoid caching passphrase for failed symmetric encryption.
* g10/mainproc.c (proc_encrypted): If error code is GPG_ERR_CIPHER_ALGO,
assume the symmetric passphrase was wrong and invalidate the cache.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 2270
2017-07-21 20:03:59 +02:00
Werner Koch
b55b72bb81
gpg: Extend --quick-set-expire to allow subkey expiration setting.
* g10/keyedit.c (keyedit_quick_set_expire): Add new arg subkeyfprs.
(menu_expire): Rename arg force_mainkey to unattended and allow
unattended changing of subkey expiration.
* g10/gpg.c (main): Extend --quick-set-expire.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-21 18:15:01 +02:00
Werner Koch
e888f7af65
gpg: Fix possible double free of the card serialno.
* g10/free-packet.c (copy_public_key): Copy fields serialno and
updateurl.
--

The PK->serialno is used to get the version of the card to decide
whether it does support other algorithms than SHA-1.  This value is
cached but no deep copy was done when calling copy_public_key.

Bug detected by importing some public keys and then importing a secret
key which led to a double free.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-21 17:49:10 +02:00
Werner Koch
5818ff0ae3
gpg: Use macros to check the signature class.
* g10/import.c: Use the extistin macros for better readability.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-21 17:49:08 +02:00
Marcus Brinkmann
609bbdf361 g10: Clean keyblock on initial commit.
* g10/import.c (import_one): If option import-clean is set,
also clean on initial import, not only for merge.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 2401
2017-07-21 16:04:17 +02:00
NIIBE Yutaka
a76b6cf970 g10: Don't limit at the frontend side for card capability.
* g10/card-util.c (MAX_GET_DATA_FROM_FILE): New.
(get_data_from_file): Use MAX_GET_DATA_FROM_FILE.
(change_url, change_login, change_private_do): Don't limit.

--

V3.3 card support longer data for URL, Login and Private DOs.
It's scdaemon which knows that.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-07-21 11:22:38 +09:00
Werner Koch
a5dcc01a73
indent: Improve readability of some comments in getkey.c
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-20 18:35:46 +02:00
Werner Koch
165cdd8121
gpg: New option --with-key-origin.
* g10/getkey.c (parse_key_origin): Factor list out as ...
(key_origin_list): new struct.
(key_origin_string): New.
* g10/gpg.c (oWithKeyOrigin): New const.
(opts): New option --with-key-origin.
(main): Implement option.
* g10/options.h (struct opt): New flag with_key_origin.
* g10/keylist.c (list_keyblock_print): Print key origin info.
(list_keyblock_colon): Ditto.
2017-07-20 18:13:40 +02:00
Werner Koch
33ecb541fc
doc: Comment fixes and one trailing comma fix.
--
2017-07-20 18:13:40 +02:00
Werner Koch
3ee314dde1
gpg: Make function mk_datestr public.
* g10/keydb.h (MK_DATESTR_SIZE): New.
* g10/keyid.c (mk_datestr): Make public.  Add arg bufsize and use
snprintf.  Change arg atime to u32.
(datestr_from_pk): Simplify.
(datestr_from_sig): Ditto.
(expirestr_from_pk): Ditto.
(expirestr_from_sig): Ditto.
(revokestr_from_pk): Ditto.
--

Note that this also reduces the size of the static buffers from 16 to
11 which is sufficient for the string.  In the past we added the 5
extra bytes to cope for bugs in gmtime which is now handles by
snprintf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-20 18:13:40 +02:00
Marcus Brinkmann
9998b162b4 g10: Return proper error when gpg-agent fails to start during probe.
* g10/getkey.c (lookup): Return immediately on any other error than
GPG_ERR_NO_SECKEY from agent_probe_any_secret_key.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 2204
2017-07-20 17:47:04 +02:00
Werner Koch
2e54594574
gpg: Avoid asking by fpr and then by keyid during auto-key-retrieve.
* g10/mainproc.c (check_sig_and_print): Track key server request via
fingerprint.
--

New signatures carry the fingerprint and thus --auto-key-retrieve tries
to lookup the key by fingerprint.  If that failed it used to also ask
the same thing by KEYID - but the keyid is part of the fingerprint and
thus it will either get no response or the wrong key back.  We can
easily avoid this.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-19 13:09:13 +02:00
Werner Koch
a149afe338
gpg,sm: Check compliance of the RNG.
* common/compliance.c (gnupg_rng_is_compliant): New.
* g10/call-agent.c (start_agent) [W32]: Check rng compliance.
* sm/call-agent.c (start_agent) [W32]: Ditto.
* g10/encrypt.c (encrypt_simple, encrypt_crypt): Check that the RNG is
compliant.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* g10/sign.c (do_sign): Ditto.
* sm/sign.c (gpgsm_sign): Ditto.
--

Under Windows we need to check that the Jitter RNG is active in de-vs
mode.  Under Linux this is not necessary because /dev/random can be
scrutinized and is believed to provide enough entropy.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-17 15:53:16 +02:00
Justus Winter
956da89193
gpg: Fix importing keys.
* g10/import.c (import_one): Fix error handling.

Fixes-commit: 330212efb9
Signed-off-by: Justus Winter <justus@g10code.com>
2017-07-14 11:17:49 +02:00
Werner Koch
330212efb9
gpg: Pass key origin values to import functions.
* g10/import.c (import_keys_stream): Remove this unused function.
(import_keys_internal): Add arg origin.
(import_keys): Ditto.
(import_keys_es_stream): Ditto.
(import): Ditto.
(import_one): Ditto.
(apply_meta_data): New stub.
(import_secret_one): Pass 0 for ORIGIN.
* g10/keyserver.c (keyserver_get_chunk): For now pass 0 for ORIGIN.
(keyserver_fetch): Add arg origin.
(keyserver_import_cert): Pass KEYORG_DANE for ORIGIN.
(keyserver_import_wkd): Pass KEYORG_WKD for ORIGIN.
* g10/gpg.c (main): Pass OPT.KEY_ORIGIN to import_keys and
keyserver_fetch.
* g10/card-util.c (fetch_url): Pass KEYORG_URL for ORIGIN.
--

This is just the framework; applying the meta data will be done in
another commit.

GnuPG-bug-id: 3252
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-13 18:29:01 +02:00
Werner Koch
fa1155e89e
gpg: New option --key-origin.
* g10/keydb.h (KEYORG_): Rename to KEYORG_.
* g10/packet.h (PKT_user_id): Rename field keysrc to keyorg.  Adjust
users.
(PKT_public_key): Ditto.
(PKT_ring_trust): Ditto.
* g10/options.h (struct opt): Add field key_origin.
* g10/getkey.c (parse_key_origin): New.
* g10/gpg.c (oKeyOrigin): New.
(opts): Add "keys-origin".
(main): Set option.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-07-13 18:29:01 +02:00
Marcus Brinkmann
d245949766 tofu: Compare squares instead of square roots.
* g10/Makefile.am (tofu_source) [USE_TOFU]: Remove sqrtu32.h and
sqrtu32.c.
* g10/sqrtu32.h, g10/sqrtu32.c: Removed files.
* g10/tofu.c: Compare squares instead of square roots.
--
The original code is a factor 11.5 slower than using libm's sqrt(),
which in turn is a factor 3.5 slower than using one multiplication
on the other side of the comparison.  Also, it's much simpler now.

Signed-off-by: Marcus Brinkmann <mb@g10code.com>
2017-07-10 18:09:42 +02:00
Werner Koch
f31dc2540a
gpg,gpgsm: Emit status code ENCRYPTION_COMPLIANCE_MODE.
* common/status.h (STATUS_ENCRYPTION_COMPLIANCE_MODE): New.
* g10/encrypt.c (encrypt_crypt): Emit new status code.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
--

This status code allows to report whether an encryption operation was
compliant to de-vs.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-06-23 12:01:20 +02:00
Werner Koch
e0877a98a0
indent,i18n: Make some new strings translatable. Wrap too long lines.
--
2017-06-23 12:01:20 +02:00
Justus Winter
a68a98233a
gpg: Close cached keydb handle in gpgv.
* g10/gpgv.c (main): Close cached handle.

Fixes-commit: 5556eca5ac
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-21 15:51:10 +02:00
Justus Winter
890a3a70f2
gpg: Fix printing keyserver URLs and notation data.
* g10/keylist.c (show_keyserver_url): Print to 'fp', not to 'stdout'.
(show_notation): Likewise.
--

Fixes the fact that if mode == -1, all text except for the labels is
written to the tty, but the label is written to stdout, which is
buffered.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-21 15:06:04 +02:00
Justus Winter
badc1cdae5
gpg: Fix error handling.
* g10/keygen.c (generate_subkeypair): Handle errors from pinentry.
--

Previously, when generating a subkey, gpg would ask for the passphrase
of the primary key.  If that dialog is canceled, gpg would ask a
second time for a passphrase to protect the new subkey.

Fix this by handling the error.

GnuPG-bug-id: 3212
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-20 10:46:52 +02:00
Werner Koch
3621dbe525
gpg,gpgsm: Fix compliance check for DSA and avoid an assert.
* common/compliance.c (gnupg_pk_is_compliant): Swap P and Q for DSA
check.  Explicitly check for allowed ECC algos.
(gnupg_pk_is_allowed): Swap P and Q for DSA check.
* g10/mainproc.c (proc_encrypted): Simplify SYMKEYS check.  Replace
assert by debug message.

--

Note that in mainproc.c SYMKEYS is unsigned and thus a greater than 0
condition is surprising because it leads to the assumption SYMKEYS
could be negative.  Better use a boolean test.

The assert could have lead to a regression for no good reason.  Not
being compliant is better than breaking existing users.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-06-19 19:57:11 +02:00
Werner Koch
6cc4702767
indent: Always use "_(" and not "_ (" to mark translatable strings.
--

This makes greping much easier and we have done that since ever.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-06-19 19:57:11 +02:00
Justus Winter
9b12b45aa5
gpg: Check and fix keys on import.
* doc/gpg.texi: Document the new import option.
* g10/gpg.c (main): Make the new option default to yes.
* g10/import.c (parse_import_options): Parse the new option.
(import_one): Act on the new option.
* g10/options.h (IMPORT_REPAIR_KEYS): New macro.

GnuPG-bug-id: 2236
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-14 09:36:28 +02:00
Justus Winter
404fa8211b
gpg: Refactor key checking and fixing.
* g10/Makefile.am (gpg_sources): Add new files.
* g10/gpgcompose.c (keyedit_print_one_sig): New stub.
* g10/keyedit.c (sig_comparison): Move to new module.
(check_all_keysigs): Likewise.
(fix_keyblock): Adapt callsite.
(keyedit_menu): Likewise.
* g10/key-check.c: New file.
* g10/key-check.h: Likewise.

GnuPG-bug-id: 2236
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-14 09:35:47 +02:00
Justus Winter
8095d16b3e
gpg: Refactor keyedit module.
* g10/Makefile.am (gpg_SOURCES): Add new file.
* g10/keyedit.c (NODFLG_*): Move flags to the new header file.
(print_one_sig): Export symbol and rename accordingly.
(print_and_check_one_sig): Adapt accordingly.
(check_all_keysigs): Likewise.
* g10/keyedit.h: New file.
* g10/main.h: Drop declarations, include new header.

GnuPG-bug-id: 2236
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-13 15:36:47 +02:00
Werner Koch
e80925171d
gpg: Disable keydb handle caching only for W32
* g10/getkey.c (getkey_end) [!W32]: Re-enable caching.
--

This change limits of the effects of commit
d3d640b9cc to W32 system.

GnuPG-bug-id: 3097
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-06-13 09:05:40 +02:00
Werner Koch
a36c48a780
po: Make a string translatable.
--
2017-06-13 09:02:12 +02:00
Neal H. Walfield
7aeac20f12 gpg: Send gpgcompose --help output to stdout, not stderr.
* g10/gpgcompose.c (show_help): Send gpgcompose --help output to
stdout, not stderr.

Reported-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-06-11 14:10:46 +02:00
Neal H. Walfield
cb0484e076 gpg: Improve some output of gpgcompose. 2017-06-11 14:07:02 +02:00
Neal H. Walfield
4ddf4e114c gpg: Support 'gpgcompose --encrypted-pop --help'
* g10/gpgcompose.c (encrypted_pop_options): New variable.
(encrypted_pop): Support the --help option.

Reported-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-06-11 14:06:44 +02:00
Neal H. Walfield
8a90668656 gpg: Remove dead code.
* g10/gpgcompose.c (filter_pop): F->PKTTYPE will never be
PKT_ENCRYPTED_MDC.
(encrypted_pop): Likewise and there is no option --encrypted-mdc-pop.
2017-06-11 13:59:31 +02:00
Justus Winter
a64a55e104
common,gpg,sm: Restrict the use of algorithms according to CO_DE_VS.
* common/compliance.c (gnupg_pk_is_allowed): New function.
(gnupg_cipher_is_allowed): Likewise.
(gnupg_digest_is_allowed): Likewise.
* common/compliance.h (enum pk_use_case): New definition.
(gnupg_pk_is_allowed): New prototype.
(gnupg_cipher_is_allowed): Likewise.
(gnupg_digest_is_allowed): Likewise.
* g10/decrypt-data.c (decrypt_data): Restrict use of algorithms using
the new predicates.
* g10/encrypt.c (encrypt_crypt): Likewise.
* g10/gpg.c (main): Likewise.
* g10/pubkey-enc.c (get_session_key): Likewise.
* g10/sig-check.c (check_signature2): Likewise.
* g10/sign.c (do_sign): Likewise.
* sm/decrypt.c (gpgsm_decrypt): Likewise.
* sm/encrypt.c (gpgsm_encrypt): Likewise.
* sm/gpgsm.c (main): Likewise.
* sm/sign.c (gpgsm_sign): Likewise.
* sm/verify.c (gpgsm_verify): Likewise.
--

With this change, policies can effectively restrict what algorithms
are used for different purposes.  The algorithm policy for CO_DE_VS is
implemented.

GnuPG-bug-id: 3191
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-08 14:22:54 +02:00
Justus Winter
b03fab09e1
gpg: Fix computation of compliance with CO_DE_VS.
* g10/mainproc.c (proc_encrypted): Symmetric encryption is also in
compliance with CO_DE_VS.

GnuPG-bug-id: 3059
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-08 13:57:53 +02:00
Werner Koch
17e5afd80f
gpg: Avoid failure exit when scdaemon is disabled but not needed.
* g10/call-agent.c (warn_version_mismatch): Use log_info if error is
"not supported".
--

This fix may make the fix for
GnuPG-bug-id: 3192
even more robust.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-06-08 09:37:36 +02:00
Justus Winter
e051e39615
common: Add cipher mode to compliance predicate.
* common/compliance.c (gnupg_cipher_is_compliant): Add mode parameter.
* common/compliance.h (gnupg_cipher_is_compliant): Likewise.
* g10/mainproc.c (proc_encrypted): Adapt callsite.
* sm/decrypt.c (gpgsm_decrypt): Likewise.

GnuPG-bug-id: 3059
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-07 16:54:44 +02:00
Justus Winter
21fc2508c9
common,gpg,sm: Initialize compliance module.
* common/compliance.c (gnupg_initialize_compliance): New function.
* common/compliance.h (gnupg_initialize_compliance): New prototype.
* g10/gpg.c (main): Use the new function.
* sm/gpgsm.c (main): Likewise.

GnuPG-bug-id: 3191
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-07 16:54:42 +02:00
Justus Winter
f440cf73ea
common,gpg: Move the compliance option printer.
* common/compliance.c (gnupg_compliance_option_string): New function.
* common/compliance.h (gnupg_compliance_option_string): New prototype.
* g10/encrypt.c (write_pubkey_enc_from_list): Update callsite.
* g10/gpg.c (main): Likewise.
* g10/keyedit.c (keyedit_menu): Likewise.
* g10/pkclist.c (build_pk_list): Likewise.
* g10/main.h (compliance_option_string): Remove prototype.
* g10/misc.c (compliance_option_string): Remove function.

GnuPG-bug-id: 3191
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-07 16:53:32 +02:00
Justus Winter
842d233d40
common,gpg,sm: Move the compliance option parser.
* common/compliance.c (gnupg_parse_compliance_option): New function.
* common/compliance.h (struct gnupg_compliance_option): New type.
(gnupg_parse_compliance_option): New prototype.
* g10/gpg.c (parse_compliance_option): Remove function.
(compliance_options): New variable.
(main): Adapt callsite.
* sm/gpgsm.c (main): Use the new common function.
* sm/gpgsm.h (opt): New field 'compliance'.

GnuPG-bug-id: 3191
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-07 16:53:31 +02:00
Justus Winter
027ce4ba37
gpg: Improve compliance with CO_DE_VS.
* g10/gpg.c (set_compliance_option): The specification, section 4.1.1,
forbids the use of encryption without integrity protection.

GnuPG-bug-id: 3191
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-07 16:53:29 +02:00
Justus Winter
216f0804c1
common,g10: Fix typos.
--
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-06 16:08:45 +02:00
Justus Winter
be8ca88526
gpg: Report compliance with CO_DE_VS.
* common/compliance.c (gnupg_pk_is_compliant): Add DSA with certain
parameters.
(gnupg_cipher_is_compliant): New function.
(gnupg_digest_is_compliant): Likewise.
* common/compliance.h (gnupg_cipher_is_compliant): New prototype.
(gnupg_digest_is_compliant): Likewise.
* common/status.h (STATUS_DECRYPTION_COMPLIANCE_MODE): New status.
(STATUS_VERIFICATION_COMPLIANCE_MODE): Likewise.
* doc/DETAILS: Document the new status lines.
* g10/mainproc.c (proc_encrypted): Compute compliance with CO_DE_VS
and report that using the new status line.
(check_sig_and_print): Likewise.
* sm/decrypt.c (gpgsm_decrypt): Likewise.
* sm/verify.c (gpgsm_verify): Likewise.
--

When decrypting data and verifying signatures, report whether the
operations are in compliance with the criteria for data classified as
VS-NfD.  This information will be picked up by the frontend and
presented to the user.

GnuPG-bug-id: 3059
Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-01 13:16:18 +02:00
Justus Winter
8a012280e0
gpg,common: Move the compliance framework.
* common/Makefile.am (common_sources): Add new files.
* common/compliance.c: New file.  Move 'gnupg_pk_is_compliant' here,
and tweak it to not rely on types private to gpg.
* common/compliance.h: New file.  Move the compliance enum here.
* g10/keylist.c (print_compliance_flags): Adapt callsite.
* g10/main.h (gnupg_pk_is_compliant): Remove prototype.
* g10/misc.c (gnupg_pk_is_compliant): Remove function.
* g10/options.h (opt): Use the new compliance enum.
* sm/keylist.c (print_compliance_flags): Use the common functions.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-06-01 12:09:43 +02:00
Justus Winter
02af509dfc
gpg: Fix compliance computation.
* g10/misc.c (gnupg_pk_is_compliant): Compare against CO_RFC2440, not
RFC2440 which is actually a predicate.

Fixes-commit: fe0b37e123
Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-31 17:38:21 +02:00
Justus Winter
663e5ed073
gpg: Fix typos.
--
Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-30 14:30:43 +02:00
Andre Heinecke
d3d640b9cc
gpg: Disable keydb handle caching
* g10/getkey.c (getkey_end): Disable caching of the open keydb
handle.

--
This created a big regression for Windows because the keyring
is only released after the global ctrl is released. So if an operation
does a getkey and then tries to modify the keyring it will fail on
Windows with a sharing violation. We need to modify all
keyring write operations to also take the ctrl and close the
cached_getkey_kdb handle to make writing work. See:
https://dev.gnupg.org/T3097

GnuPG-Bug-Id: T3097

Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
2017-05-30 10:22:35 +02:00
NIIBE Yutaka
fbb2259d22 g10: Fix default-key selection for signing, possibly by card.
* g10/call-agent.c (warn_version_mismatch): Revert.
(start_agent): Suppress version mismatch if relevant.
* g10/getkey.c (get_seckey_default_or_card): New.
* g10/skclist.c (build_sk_list): Use get_seckey_default_or_card.

--

The change of 97a2394, which prefers available card than default key
specified is too strong.

Fixes-commit: 97a2394eca
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-05-22 09:27:36 +09:00
NIIBE Yutaka
ae95a7f533 g10: Fix gpgcompose.c.
* g10/gpgcompose.c (show_help): Check return value.

--

Fixes-commit: 00b7767bc6
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-05-17 10:14:43 +09:00
NIIBE Yutaka
a8dd96826f g10: Suppress error for card availability check.
* g10/call-agent.c (start_agent): Add semantics for card; Suppress
error for card check.
(warn_version_mismatch): Ignore an error for scdaemon.
(agent_scd_serialno): Call start_agent with
FLAG_FOR_CARD_SUPPRESS_ERRORS.

--

GnuPG-bug-id: 3165
Fixes-commit: 97a2394eca
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-05-17 09:46:06 +09:00
Werner Koch
2d381b0f0b
gpg: Do not mark ", " translatable.
* g10/tofu.c (ask_about_binding): Remove useless translation markers.
--

Translation and in particular punctuation marks can only be translated
with context.  Thus making a sole comma translatable is useless.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-05-15 15:56:46 +02:00
Werner Koch
00b7767bc6
common: Let format_text return an error.
* common/stringhelp.c (format_text): Return NULL on error.
* common/t-stringhelp.c (test_format_text): Adjust for change.
* g10/gpgcompose.c (show_help): Abort on out of core.
* g10/tofu.c (ask_about_binding): Abort on format_text error.
(show_statistics): Ditto.
(show_warning): Ditto.
--

For better re-usability function in common/ shot  better not use
xmalloc functions.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-05-15 09:58:27 +02:00
Justus Winter
f4365790da
tests: Make it possible to run all tests using our infrastructure.
* Makefile.am (TESTS_ENVIRONMENT): New variable.
(check-all): New phony target to run all tests.
* tests/gpgme/gpgme-defs.scm (have-gpgme?): New function that tests
whether the GPGME test suite is available instead of exiting the
process.
* tests/gpgscm/init.scm (export): New macro.
* tests/gpgscm/tests.scm (run-tests): New function.
(load-tests): Likewise.
* tests/gpgme/run-tests.scm: Simplify and move the parsing of the list
of tests to 'all-tests.scm'.
* tests/gpgsm/run-tests.scm: Likewise.
* tests/migrations/run-tests.scm: Likewise.
* tests/openpgp/run-tests.scm: Likewise.
* tests/gpgme/Makefile.am: To select the tests to run, use the
variable 'TESTS'.  This harmonizes the interface with the automake
test suite.
* tests/gpgsm/Makefile.am: Likewise.
* tests/migrations/Makefile.am: Likewise.
* tests/openpgp/Makefile.am: Likewise.
* tests/openpgp/README: Likewise.
* agent/all-tests.scm: New file.
* common/all-tests.scm: Likewise.
* g10/all-tests.scm: Likewise.
* g13/all-tests.scm: Likewise.
* tests/gpgme/all-tests.scm: Likewise.
* tests/gpgsm/all-tests.scm: Likewise.
* tests/migrations/all-tests.scm: Likewise.
* tests/openpgp/all-tests.scm: Likewise.
* tests/run-tests.scm: Likewise.
--

This change allows us to run all tests in parallel and write one XML
report capturing the results of every test.  It also lays the
foundation to parametrize test suites.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-11 18:12:37 +02:00
NIIBE Yutaka
0ce94a9698 g10, sm, dirmngr, common: Add comment for fall through.
* common/b64dec.c (b64dec_proc): Comment to clarify.
* dirmngr/cdblib.c (cdb_make_put): Use same pattern to clarify.
* dirmngr/dirmngr-client.c (read_pem_certificate): Likewise.
* dirmngr/ks-engine-hkp.c (ks_hkp_get): Likewise.
* g10/armor.c (unarmor_pump): Likewise.
* g10/gpg.c (main): Likewise.
* g10/import.c (read_block): Likewise.
* g10/keygen.c (make_backsig): Likewise.
* g10/pkclist.c (check_signatures_trust):  Likewise.
* sm/gpgsm.c (main): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-05-10 11:13:12 +09:00
NIIBE Yutaka
98b759119c g10: Stop compiler warning for t-stutter.
* g10/t-stutter.c (do_test): Refer current_test_group_failed.

--

Since this test does not follow the framework of TEST/TEST_P/ABORT,
the variable is not used.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-05-10 11:13:03 +09:00
Justus Winter
22739433e9
gpg: Properly account for ring trust packets.
* g10/keyring.c (keyring_get_keyblock): Use the parser's packet count
instead of counting ourself.
* g10/packet.h (struct parse_packet_ctx_s): New field
'n_parsed_packets'.
(init_parse_packet): Initialize new field.
* g10/parse-packet.c (parse): Count packets.
--

The 'keyring' keystore depends on the number of packets for delete and
update operations.  With the rework of the ring trust packets, the
trust packets were no longer properly accounted for leading to keyring
corruptions.

The 'keybox' store was not affected.

GnuPG-bug-id: 3123
GnuPG-bug-id: 3135
GnuPG-bug-id: 3144
Fixes-commit: a8895c99a7
Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-08 14:33:11 +02:00
Justus Winter
692208fd6c
gpg: Fix typo.
--
Signed-off-by: Justus Winter <justus@g10code.com>
2017-05-08 14:33:09 +02:00
Daniel Kahn Gillmor
201f868030 g10: Remove skeleton options files.
* build-aux/speed/w32/inst.nsi: stop installing skeleton files.
* doc/gpg.texi: stop documenting skeleton files.
* g10/Makefile.am: stop installing skeleton files.
* g10/openfile.c (copy_options_file): Remove.
(try_make_homedir): do not call copy_options_file.

--

The defaults for gpg and dirmngr are good.  Both programs should work
fine for the simple case without any config file.  The skeleton config
files were being copied at first use (when the defaults are fine).
But when the user needs to fiddle with them (after they've become
sophisticated users), they're likely out of date because gpg has been
upgraded since then.  So they're used for documentation, but they're
stale documentation, which is probably worse than a clean empty file.

GnuPG-bug-id: 3086
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-05-02 18:55:32 +09:00
NIIBE Yutaka
5c8fe54809 Spelling fixes in docs and comments.
--

In addition, fix trailing spaces in tests/inittests.

GnuPG-bug-id: 3121
Reported-by: ka7 (klemens)
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-28 10:06:33 +09:00
NIIBE Yutaka
97a2394eca g10: For signing, prefer available card key when no -u option.
* g10/skclist.c (build_sk_list): Ask gpg-agent if card is available.
Then, use the card key if any.

--

GnuPG-bug-id: 1983
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-27 10:33:58 +09:00
NIIBE Yutaka
2262a80c5f g10: Minor clean up.
* g10/main.h (complete_sig): Remove declaration.
* g10/sign.c (complete_sig): Make it static.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-26 11:39:28 +09:00
NIIBE Yutaka
116cfd6077 g10: invalidate the fd cache for keyring.
* g10/keyring.c (keyring_search_reset): Don't keep the FD cache.

--

GnuPG-bug-id: 3096
Fixes-commit: 5556eca5ac
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-25 07:48:51 +09:00
Andre Heinecke
2e71bf30f0
w32: Enable wildcard expansion with mingw-w64
* g10/gpg.c: Define _dowildcard = -1;

--
If this value is defined wildcard support in the c runtime
is enabled again. This fixes a regression caused by switching to
mingw 3.0

Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
2017-04-24 18:10:04 +02:00
Justus Winter
ed4d23d75e
tests: Locate resources and scripts relative to top source dir.
--

Locate every resource and every script used in the tests using a path
relative to the top of the source tree.

This is a purely mechanical change, mostly done using regular
expressions, with a few manual fixups here and there.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-04-24 14:14:05 +02:00
NIIBE Yutaka
256e861bce g10: Fix parse_ring_trust.
* g10/parse-packet.c (parse_ring_trust): Fix condition.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-17 09:33:19 +09:00
NIIBE Yutaka
0dec0cc281 g10: Minor fixes.
* g10/export.c (cleartext_secret_key_to_openpgp): No initialization.
(do_export_one_keyblock): Initialize with GPG_ERR_NOT_FOUND.
* g10/getkey.c (get_best_pubkey_byname): Add non-null check.
* g10/tofu.c (tofu_set_policy): ERR initialize to 0.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-17 09:15:13 +09:00
NIIBE Yutaka
af5f8ecf51 g10: Fix import/export filter property match.
* g10/import.c (impex_filter_getval): Fix to "else if".

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-17 09:08:31 +09:00
NIIBE Yutaka
74258278ef common, g10: Fix enumeration types.
* common/openpgpdefs.h (CIPHER_ALGO_PRIVATE10, PUBKEY_ALGO_PRIVATE10)
(DIGEST_ALGO_PRIVATE10, COMPRESS_ALGO_PRIVATE10): New.
* g10/misc.c (map_pk_gcry_to_openpgp): Add type conversion.
(map_cipher_openpgp_to_gcry, openpgp_cipher_algo_name)
(openpgp_pk_test_algo2, map_md_openpgp_to_gcry)
(pubkey_get_npkey): Add default handling.

--

Compilers may emit code assuming the maximum value of enum type.
According to OpenPGP specification, there are cases for private uses.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-13 12:54:52 +09:00
NIIBE Yutaka
7b4edf14bb common: Simplify format_text.
* common/stringhelp.c (format_text): Don't allow IN_PLACE formatting.
* common/stringhelp.h: Change the API with no IN_PLACE.
* common/t-stringhelp.c (test_format_text): Follow the change.
* g10/gpgcompose.c (show_help): Likewise.
* g10/tofu.c (format_conflict_msg_part1, ask_about_binding)
(show_statistics, show_warning): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-12 14:47:30 +09:00
NIIBE Yutaka
0521882958 g10: Minor clean up for export.c.
* g10/export.c (export_ssh_key): Check IDENTIFIER for error.
Release base64 thing on error of get_membuf.

--

Compiler (older) may misunderstand the variable IDENTIFIER is not
initialized, while good one can do better analysys on the value for
ERR (and thus, IDENTIFIER).

On the error of get_membuf, still, b64enc_finish should be called,
even if it lost the ERR value.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-12 08:47:23 +09:00
NIIBE Yutaka
03d77b60be g10,tools: Fix bzlib.h include order.
* g10/compress-bz2.c: Include bzlib.h after gcrypt.h.
* tools/gpgsplit.c: Likewise.

--

bzlib.h may include windows.h on Windows.  It is better
after gcrypt.h which may include winsock2.h.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-11 13:52:19 +09:00
NIIBE Yutaka
f079822b2c g10: Minor clean up for TOFU.
* g10/tofu.c (ask_about_binding): Fix for qualifier.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-04-11 12:51:47 +09:00
Werner Koch
547bc01d57
gpg: Fix printing of offline taken subkey.
* g10/keylist.c (list_keyblock_print): Set SECRET to 2 and not 0x32.
--

Reported-by: Danielle McLean <dani@00dani.me>
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-04-07 10:13:09 +02:00
Werner Koch
3f6d949011
gpg: Handle critical marked 'Reason for Revocation'.
* g10/parse-packet.c (can_handle_critical): Add
SIGSUBPKT_REVOC_REASON.
--

Some software seems to mark that subpacket as criticial.  Although gpg
has no special treatment for a revocation reasons (except for
--list-packets) we can accept a criticial marked anyway.  There are no
mandatary rules specified on how to handle a revocation reason.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-04-03 08:51:52 +02:00
Werner Koch
5556eca5ac
gpg: Avoid multiple open calls to the keybox file.
* g10/keydb.h (KEYDB_HANDLE): Move typedef to ...
* g10/gpg.h: here.
(struct server_control_s): Add field 'cached_getkey_kdb'.
* g10/gpg.c (gpg_deinit_default_ctrl): Release that keydb handle.
* g10/getkey.c (getkey_end): Cache keydb handle.
(get_pubkey): Use cached keydb handle.
* kbx/keybox-search.c (keybox_search_reset): Use lseek instead of
closing the file.
--

Before this patch a "gpg --check-sigs" opened and closed the keybox
file for almost every signature check.  By caching the keydb handle
and using lseek(2) this can be limited to just 2 times.  This might
speed up things on Windows.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-31 21:27:16 +02:00
Werner Koch
aca5f494a8
gpg: Pass CTRL also to getkey_end.
* g10/getkey.c (getkey_end): Add arg CTRL.  Change all callers.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-31 20:35:28 +02:00
Werner Koch
3a10de3bfd
gpg: Print more stats for the keydb and the signature cache.
* g10/sig-check.c (sig_check_dump_stats): New.
(cache_stats): New struct.
(check_key_signature2): Update stats.
* g10/gpg.c (g10_exit): Call new function.
* g10/keydb.c (kid_not_found_cache_count): Replace by ...
(kid_not_found_stats): ... new struct.  Change users.
(keydb_stats): New struct.  Update the counters.
(keydb_dump_stats): Print all stats.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-31 20:08:23 +02:00
Werner Koch
52ba5e67ca
gpg: Assert that an opaque parameter is really what we expect.
* g10/gpg.h (SERVER_CONTROL_MAGIC): New const.
(server_control_s): Add field 'magic'.
* g10/gpg.c (gpg_init_default_ctrl): Init MAGIC.
* g10/import.c (impex_filter_getval): Assert MAGIC.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-31 20:07:33 +02:00
Werner Koch
8f2671d2cc
gpg: Pass CTRL to many more functions.
--

For proper operations as a server we need to avoid global variables.
Thus we need to pass the session state CTRL to most functions.  Quite
a lot of changes but fortunately straightforward to do.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-31 20:07:20 +02:00
Justus Winter
5e89144cbc
gpg: Consistent use of preprocessor conditionals.
* g10/parse-packet.c: Use '#if' instead of '#ifdef' when checking
DEBUG_PARSE_PACKET.  This fixes the build with '#define
DEBUG_PARSE_PACKET 0'.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-03-30 16:13:45 +02:00
Werner Koch
a6142dbdbc
gpg: Remove the use of the signature information from a KBX.
* g10/keydb.c (keyblock_cache): Remove field SIGSTATUS.
(keyblock_cache_clear): Adjust for that removal.
(parse_keyblock_image): Remove arg SIGSTATUS.  Remove the signature
cache setting; this is now done in the parser.
(keydb_get_keyblock): Do not set SIGSTATUS.
(build_keyblock_image): Remove arg SIGSTATUS and simplify.  Change
caller.
* kbx/keybox-blob.c: Explain that the signature information is not
anymore used.
(_keybox_create_openpgp_blob): Remove arg SIGSTATUS and change
callers.
* kbx/keybox-search.c (keybox_get_keyblock): Remove arg R_SIGSTATUS
and change callers.
* kbx/keybox-update.c (keybox_insert_keyblock): Likewise.
--

This thing was too complicated and has been replaced by the new ring
trust packet code.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-30 16:01:55 +02:00
Werner Koch
7bf24e8146
gpg: Fix actual leak and possible leaks in the packet parser.
* g10/packet.h (struct parse_packet_ctx_s): Change LAST_PKT deom a
pointer to its struct.
(init_parse_packet): Adjust for LAST_PKT not being a pointer.
* g10/parse-packet.c (parse): Ditto. Free the last packet before
storing a new one in case of a deep link.
(parse_ring_trust): Adjust for LAST_PKT not being a pointer.
* g10/free-packet.c (free_packet): Ditto.
* g10/t-keydb-get-keyblock.c (do_test): Release keyblock.
--

Fixes-commit: afa8680908
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-30 16:01:52 +02:00
Werner Koch
64665404e4
gpg: Fix export porting of zero length user ID packets.
* g10/build-packet.c (do_user_id): Avoid indeterminate length header.
--

We are able to import such user ids but when exporting them the
exported data could not be imported again because the parser bails out
on invalid keyrings.  This is now fixed and should be backported.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-30 10:35:20 +02:00
Werner Koch
a8895c99a7
gpg: Revamp reading and writing of ring trust packets.
* g10/parse-packet.c (parse_trust): Rename to ...
(parse_ring_trust): this.  Change args and implement new ring trust
packet format.
(parse): Add special ring trust packet handling.
* g10/packet.h (PKT_user_id): New fields KEYUPDATE, UPDATEURL, and
KEYSRC.
(PKT_public_key): Ditto.
(RING_TRUST_SIG, RING_TRUST_KEY, RING_TRUST_UID): New consts.
(PKT_ring_trust): New.
(struct packet_struct): Remove member RING_TRUST.
(strcu parse_packet_ctx_s): Add field SKIP_META.
(init_parse_packet): Init SKIPT_META.
* g10/free-packet.c (release_public_key_parts): Free UDPATEURL.
(free_user_id): Ditto.
* g10/mainproc.c (list_node): Remove printing of non-documented "rtv"
lines.
* g10/build-packet.c (build_packet_and_meta): New.
(do_ring_trust): New.
* g10/export.c (write_keyblock_to_output): Use build_packet_and_meta
in backup mode.
(do_export_one_keyblock): Ditto.
* g10/import.c (read_block): Add arg WITH_META.  Skip ring trust
packets if that ism not set.
(import): Call read_block WITH_META in restore mode.
* g10/keydb.h (KEYSRC_UNKNOWN, KEYSRC_FILE, KEYSRC_KS, KEYSRC_PREF_KS)
(KEYSRC_WKD, KEYSRC_WKD_SD, KEYSRC_DANE): New constants.  They are not
yet used, though.
* g10/keydb.c (parse_keyblock_image): Allow ring trust packets.
(build_keyblock_image): Ditto.  Use build_packet_and_meta.
* g10/keyring.c (keyring_get_keyblock): Remove specila treatment of
ring trust packets.
(write_keyblock): Use build_packet_and_meta.  Remove special treatment
of ring trust packets and initialization of the signature caches.
--

This patch introduced the framework to store meta data for keys and
user ids in the keyrings/keyboxes.  Ring trust packets are
implementation defined and have always been used in gpg to cache the
signature verification status.

Ring trust packets are only exported with the export option "backup"
and only imported with the import option "restore".

The new code uses a cleaner way to handle the ring trust packets: When
the parser reads a ring trust packet and the previously read packet
matches the type of that ring trust packet, the information is stored
in that previously read packet (signature, user id, or primary key)
and the next packet is read immediately.  Thus only the parser sees
the ring trust packets.  Ring trust packets are written by using the
new function build_packet_and_meta instead of build_packet.  That
function writes a ring trust packet when the needed information is
available.

As a side-effect of this patch the signature status cache works again
and "gpg --check-sigs" is thus much faster.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-30 09:07:02 +02:00
Werner Koch
afa8680908
gpg: Extend free_packet to handle a packet parser context.
* g10/packet.h (struct parse_packet_ctx_s): Add fields LAST_PKT and
FREE_LAST_PKT.
(init_parse_packet): Clear them.
(deinit_parse_packet): New macro.  Change all users if
init_parse_packet to also call this macro.
* g10/free-packet.c (free_packet): Add arg PARSECTX and handle shallow
packet copies in the context.  Change all callers.
* g10/parse-packet.c (parse): Store certain packets in the parse
context.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-29 12:08:31 +02:00
Werner Koch
ba57f8302a
indent: Re-indent function free-packet.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-29 11:28:30 +02:00
Werner Koch
0526c99164
gpg: Change parse_packet to take a context.
* g10/packet.h (struct parse_packet_ctx_s): New.
(parse_packet_ctx_t): New type.
(init_parse_packet): New macro.
* g10/parse-packet.c (parse_packet, dbg_parse_packet): Change to take
a parse context.  Change all callers to provide a context instead of
directly supplying the input stream.
(search_packet, dbg_search_packet): Ditto.
(copy_all_packets, dbg_copy_all_packets): Init an use a parse context.
(copy_some_packets, dbg_copy_some_packets): Ditto.
(skip_some_packets, dbg_skip_some_packets): Ditto.
--

We will need this change to handle ring packets inside the parser.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-29 10:06:29 +02:00
Werner Koch
f5b565a5b8
gpg: Export ring trust packets in backup mode.
* g10/export.c (write_keyblock_to_output): Export ring trust packets.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-29 10:06:29 +02:00
Werner Koch
5b3523d3e0
indent: Re-indent parts of build-packet.c
--
2017-03-29 10:06:29 +02:00
Werner Koch
4af389c972
gpg: Prepare for listing last_update and key origin data.
* g10/keylist.c (list_keyblock_colon): Add empty fields 19 and 20.

--

We add them now to early catch error in parsers which arbitrary limit
the number of fields in --with-colon listings.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-28 12:32:05 +02:00
Justus Winter
6d3edfd972
g10: Fix memory leak.
* g10/decrypt-data.c (decrypt_data): Free 'filename'.

Signed-off-by: Justus Winter <justus@g10code.com>
2017-03-28 12:11:02 +02:00
NIIBE Yutaka
c1e6302b34 g10: Support specifying SERIALNO for --card-status.
* g10/gpg.c (main): Allow an argument for --card-status.
* g10/card-util.c (current_card_status): Rename from card_status.
(card_status): New, which supports multiple cards.
(get_one_name): Use current_card_status.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-03-27 14:02:01 +09:00
Werner Koch
74c1f30ad6
gpg: New command --quick-set-primary-uid.
* g10/gpg.c (aQuickSetPrimaryUid): New const.
(opts): New command --quick-set-primary-uid.
(main): Implement it.
* g10/keyedit.c (keyedit_quick_adduid): Factor some code out to ...
(quick_find_keyblock): new func.
(keyedit_quick_revuid): Use quick_find_keyblock.
(keyedit_quick_set_primary): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-21 15:09:30 +01:00
Werner Koch
fe0b37e123
gpg: Add new field no 18 to the colon listing.
* g10/misc.c (gnupg_pk_is_compliant): New.
* g10/keylist.c (print_compliance_flags): New.
(list_keyblock_colon): Call it here.
* sm/keylist.c (print_compliance_flags): New.
(list_cert_colon): Call it here.
--

This patch is to convey information about DE_VS compliant keys to the
caller.  The double digit value is used so that parsers do the right
thing and don't just look for a single digit.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-20 10:09:40 +01:00
Werner Koch
e2c63a13e2
gpg: Remove unused stuff.
* g10/OPTIONS: Remove.
* g10/options.h (struct opt): Remove 'shm_coprocess'.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-20 08:40:21 +01:00
Neal H. Walfield
b1106b4d64 gpg: Make sure the conflict set includes the current key.
* g10/tofu.c (get_trust): Sanity check CONFLICT_SET after calling
get_policy.  If POLICY is 'auto' and the default policy is 'ask', make
sure CONFLICT_SET includes the current key.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
GnuPG-bug-id: 2959
Debian-bug-id: 854829

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2017-03-17 14:35:00 +01:00
NIIBE Yutaka
8c8ce8711d agent,g10: Remove redundant SERIALNO request.
* agent/learncard.c (agent_handle_learn): Don't call
agent_card_serialno.  Get the serialno in status response.
* g10/call-agent.c (agent_scd_learn): Don't request "SCD SERIALNO".
(agent_scd_serialno): New.
(card_cardlist_cb, agent_scd_cardlist): New.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-03-16 14:32:51 +09:00
NIIBE Yutaka
61785b679c g10: Fix check of serialno.
* g10/card-util.c (card_status): Fix.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-03-15 16:50:48 +09:00
NIIBE Yutaka
ed3248219e g10: Remove unused function.
* g10/call-agent.c (select_openpgp): Remove.

--

By this change, the function get_serialno_cb will be also unused.  But
please don't remove the function, because it will be soon used.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-03-15 16:48:01 +09:00
Werner Koch
9a77b3b6e4
gpg: Flush stdout before printing stats with --check-sigs.
* g10/keylist.c (print_signature_stats): Flush stdout.
(list_keyblock_colon): Use es_flush instead of fflush.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-13 17:43:07 +01:00
Justus Winter
2649fdfff5
g10: Move more flags into the flag bitfield.
* g10/packet.h (PKT_user_id): Move 'is_primary', 'is_revoked', and
'is_expired' into the flags bitfield, and drop the prefix.
* g10/call-dirmngr.c: Adapt accordingly.
* g10/export.c: Likewise.
* g10/getkey.c: Likewise.
* g10/import.c: Likewise.
* g10/kbnode.c: Likewise.
* g10/keyedit.c: Likewise.
* g10/keylist.c: Likewise.
* g10/keyserver.c: Likewise.
* g10/mainproc.c: Likewise.
* g10/pkclist.c: Likewise.
* g10/pubkey-enc.c: Likewise.
* g10/tofu.c: Likewise.
* g10/trust.c: Likewise.
* g10/trustdb.c: Likewise.
--

This patch has been created by applying the following semantic patch:

    @@
    expression E;
    @@
    -E->is_expired
    +E->flags.expired

    @@
    expression E;
    @@
    -E->is_primary
    +E->flags.primary

    @@
    expression E;
    @@
    -E->is_revoked
    +E->flags.revoked

Signed-off-by: Justus Winter <justus@g10code.com>
2017-03-08 13:31:10 +01:00
Werner Koch
8f02864223
dirmngr: Do not put a keyserver into a new dirmngr.conf
* g10/dirmngr-conf.skel: Do not define keyservers.
--
2017-03-08 11:35:53 +01:00
Justus Winter
591b6a9d87
gpg: Do not allow the user to revoke the last valid UID.
* g10/keyedit.c (keyedit_quick_revuid): Merge self signatures, then
make sure that we do not revoke the last valid UID.
(menu_revuid): Make sure that we do not revoke the last valid UID.
* tests/openpgp/quick-key-manipulation.scm: Demonstrate that
'--quick-revoke-uid' can not be used to revoke the last valid UID.

GnuPG-bug-id: 2960
Signed-off-by: Justus Winter <justus@g10code.com>
2017-03-07 13:46:20 +01:00
NIIBE Yutaka
d6c7bf1f8a More change for common.
* g10, scd, test, tools: Follow the change of removal of -Icommon.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-03-07 20:32:09 +09:00
NIIBE Yutaka
70aca95d68 Remove -I option to common.
* dirmngr/Makefile.am (AM_CPPFLAGS): Remove -I$(top_srcdir)/common.
* g10/Makefile.am (AM_CPPFLAGS): Ditto.
* g13/Makefile.am (AM_CPPFLAGS): Ditto.
* kbx/Makefile.am (AM_CPPFLAGS): Ditto.
* scd/Makefile.am (AM_CPPFLAGS): Ditto.
* sm/Makefile.am (AM_CPPFLAGS): Ditto.
* tools/Makefile.am (AM_CPPFLAGS): Ditto.
* Throughout: Follow the change.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-03-07 20:25:54 +09:00
Werner Koch
4a130bbc2c
gpg: Fix attempt to double free an UID structure.
* g10/getkey.c (get_best_pubkey_byname): Set released .UID to NULL.
--

Phil Pennock reported an assertion failure when doing

  % gpg --auto-key-locate dane --locate-keys someone
  gpg: Ohhhh jeeee: Assertion "uid->ref > 0" in \
         free_user_id failed (free-packet.c:310)

on his keyring.  This patch is not tested but a good guess.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-06 07:57:08 +01:00
Werner Koch
5f6f3f5cae
gpg: Fix possible segv when attribute packets are filtered.
* g10/import.c (impex_filter_getval): Handle PKT_ATTRIBUTE the same as
PKT_USER_ID
(apply_drop_sig_filter): Ditto.
--

The old code was plainly wrong in that it considered PKT_ATTRIBUTE to
use a PKT_signature object.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-03 09:50:40 +01:00
Werner Koch
1813f3be23
gpg: Add new variables to the import and export filters.
* g10/import.c (impex_filter_getval): Add new variables "expired",
"revoked", and "disabled".

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-03 09:22:40 +01:00
Justus Winter
0c4d0620d3
gpg: Always initialize the trust db when generating keys.
* g10/gpg.c (main): Always initialize the trust db when generating
keys.
* g10/keygen.c (do_generate_keypair): We can now assume that there is
a trust db.
--
It is important to mark keys we create as ultimately trusted.

Fixes-commit: 4735ab96aa
GnuPG-bug-id: 2695
Signed-off-by: Justus Winter <justus@g10code.com>
2017-03-02 16:25:20 +01:00
Justus Winter
4735ab96aa
gpg: Fix (quick) key generation with --always-trust.
* g10/keygen.c (do_generate_keypair): Only update the ownertrust if we
do have a trust database.
* g10/trustdb.c (have_trustdb): New function.
* g10/trustdb.h (have_trustdb): New prototype.
* tests/openpgp/quick-key-manipulation.scm: Remove workaround.

GnuPG-bug-id: 2695
Signed-off-by: Justus Winter <justus@g10code.com>
2017-03-02 14:50:23 +01:00
Justus Winter
62d21a4ab4
g10: Signal an error when trying to revoke non-existant UID.
* g10/keyedit.c (keyedit_quick_revuid): Signal an error when trying to
revoke non-existant UID.
* tests/openpgp/quick-key-manipulation.scm: Test that.

GnuPG-bug-id: 2962
Signed-off-by: Justus Winter <justus@g10code.com>
2017-03-02 11:39:00 +01:00
Werner Koch
891ab23411
gpg: Make --export-options work with --export-secret-keys.
* g10/export.c (export_seckeys): Add arg OPTIONS and pass it to
do_export.
(export_secsubkeys): Ditto.
* g10/gpg.c (main): Pass opt.export_options to export_seckeys and
export_secsubkeys
--

Back in the old days we did not used the export options for secret
keys export because of a lot of duplicated code and that the old
secring.gpg was anyway smaller that the pubring.gpg.  With 2.1 it was
pretty easy to enable it.

Reported-by: Peter Lebbing
GnuPG-bug-id: 2973
2017-03-01 14:41:47 +01:00
Werner Koch
2bbdeb8ee8
gpg: Allow creating keys using an existing ECC key.
* common/sexputil.c (get_pk_algo_from_canon_sexp): Remove arg R_ALGO.
Change to return the algo id.  Reimplement using get_pk_algo_from_key.
* g10/keygen.c (check_keygrip): Adjust for change.
* sm/certreqgen-ui.c (check_keygrip): Ditto.
--

GnuPG-bug-id: 2976
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-03-01 13:36:01 +01:00
Werner Koch
e182542e90
gpg: Do not require a trustdb for decryption.
* g10/trustdb.c (init_trustdb): Add and implement arg NO_CREATE.
Change to return an error code.  Change all callers to to pass False
for NO_CREATE.
(tdb_get_ownertrust): New arg NO_CREATE.  Call init_trustdb to test
for a non-existing trustdb.  Change all callers to to pass False for
NO_CREATE.
(tdb_get_min_ownertrust): Ditto.
* g10/trust.c (get_ownertrust_with_min): Add arg NO_CREATE.  Call
init_trustdb for a quick check.
(get_ownertrust_info): Add arg NO_CREATE.
(get_ownertrust_string): Ditto.
* g10/gpgv.c (get_ownertrust_info): Adjust stub.
* g10/test-stubs.c (get_ownertrust_info): Ditto.
* g10/mainproc.c (list_node): Call get_ownertrust_info with NO_CREATE
set.
* g10/pubkey-enc.c (get_it): Ditto.
--

Fixes-commit: effa80e0b5

For details see mails on Feb 27 and 28 by dkg, gniibe, and Justus to
gnupg-devel 'test failure on git master with
decrypt-session-key.scm (and: continuous integration?)'

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-28 20:30:48 +01:00
Justus Winter
d379a0174c
gpg,tools: Make auto-key-retrieve configurable via gpgconf.
* g10/gpg.c (gpgconf_list): Add 'auto-key-retrieve'.
* tools/gpgconf-comp.c (gc_options_gpg): Likewise.

GnuPG-bug-id: 2381
Signed-off-by: Justus Winter <justus@g10code.com>
2017-02-28 14:59:11 +01:00
Justus Winter
ebeccd73eb
gpg,tools: Make trust-model configurable via gpgconf.
* g10/gpg.c (gpgconf_list): Add 'trust-model'.
* tools/gpgconf-comp.c (gc_options_gpg): Likewise.

GnuPG-bug-id: 2381
Signed-off-by: Justus Winter <justus@g10code.com>
2017-02-28 13:15:42 +01:00
Werner Koch
8a67dc4c43
gpgv,w32: Fix --status-fd.
* g10/gpgv.c (main): Use translate_sys2libc_fd_int for --status-fd.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-28 09:39:10 +01:00
Daniel Kahn Gillmor
ddf01a67d6 trustdb: Respect --quiet during --import-ownertrust.
* g10/tdbdump.c (import_ownertrust): If opt.quiet is set, do not send
log_info messages.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-25 22:46:54 -08:00
Manish Goregaokar
64ec21bebd g10: fix typo
I already have copyright assignment with the FSF for GDB. I don't
think I'll need to do the DCO thing.

Signed-off-by: Manish Goregaokar <manish@mozilla.com>
2017-02-25 22:46:32 -08:00
Werner Koch
7af5d61c6e
gpgv: New options --log-file and --debug
* g10/gpgv.c (oLoggerFile, oDebug): New consts.
(opts): Add options --log-file and --debug.
(main): Implement options.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-24 13:23:16 +01:00
Werner Koch
effa80e0b5
gpg: Emit new status DECRYPTION_KEY
* common/status.h (STATUS_DECRYPTION_KEY): New.
* g10/pubkey-enc.c (get_it): Emit that status.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-23 19:59:21 +01:00
Daniel Kahn Gillmor
ccb420380b Fix spelling.
--

Clean up several other misspellings noticed while reviewing Yuri's
de-duplication patch.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-21 13:11:46 -05:00
Yuri Chornoivan
24cf0606b4 Clean up word replication.
--

This fixes extra word repetitions (like "the the" or "is is") in the
code and docs.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-21 13:11:46 -05:00
NIIBE Yutaka
3fc69224b7 g10: Support primary key generation by keygrip.
* g10/keygen.c (para_name): Add pKEYGRIP.
(generate_keypair): Use pKEYGRIP for key generation.
(do_generate_keypair): Call do_create_from_keygrip with pKEYGRIP.

--

https://lists.gnupg.org/pipermail/gnupg-devel/2017-February/032591.html

Reported-by: Alon Bar-Lev <alon.barlev@gmail.com>
Suggested-by: Peter Lebbing <peter@digitalbrains.com>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2017-02-21 08:27:23 +09:00
Werner Koch
b456e5be91
gpg: Make --export-ssh-key work for the primary key.
* g10/export.c (export_ssh_key): Also check the primary key.
--

If no suitable subkey was found for export, we now check whether the
primary key is suitable for export and export this one.  Without this
change it was only possible to export the primary key by using the '!'
suffix in the key specification.

Also added a sample key for testing this.

GnuPG-bug-id: 2957
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-14 10:55:13 +01:00
Werner Koch
810adfd478
gpg: Print a warning if no command has been given.
* g10/gpg.c (main): Print in the default case.
--

GnuPG-bug-id: 2943
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-13 20:13:05 +01:00
Werner Koch
5996c7bf99
gpg: Fix memory leak in the error case of signature creation.
* g10/sign.c (write_signature_packets): Free SIG.  Also replace
xcalloc by xtrycalloc.
--

If do_sign fails SIG was not released.  Note that in the good case SIG
is transferred to PKT and freed by free_packet.

Reported-by: Stephan Müller
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-10 17:58:26 +01:00
Justus Winter
6823ed4658
gpg,common: Make sure that all fd given are valid.
* common/sysutils.c (gnupg_fd_valid): New function.
* common/sysutils.h (gnupg_fd_valid): New declaration.
* common/logging.c (log_set_file): Use the new function.
* g10/cpr.c (set_status_fd): Likewise.
* g10/gpg.c (main): Likewise.
* g10/keylist.c (read_sessionkey_from_fd): Likewise.
* g10/passphrase.c (set_attrib_fd): Likewise.
* tests/openpgp/Makefile.am (XTESTS): Add the new test.
* tests/openpgp/issue2941.scm: New file.
--

Consider a situation where the user passes "--status-fd 3" but file
descriptor 3 is not open.

During the course of executing the rest of the commands, it's possible
that gpg itself will open some files, and file descriptor 3 will get
allocated.

In this situation, the status information will be appended directly to
whatever file happens to have landed on fd 3 (the trustdb? the
keyring?).

This is a potential data destruction issue for all writable file
descriptor options:

   --status-fd
   --attribute-fd
   --logger-fd

It's also a potential issue for readable file descriptor options, but
the risk is merely weird behavior, and not data corruption:

   --override-session-key-fd
   --passphrase-fd
   --command-fd

Fixes this by checking whether the fd is valid early on before using
it.

GnuPG-bug-id: 2941
Signed-off-by: Justus Winter <justus@g10code.com>
2017-02-08 14:28:49 +01:00
Daniel Kahn Gillmor
f31120a5aa
gpg: Fix aliases --list-key, --list-sig, and --check-sig.
* g10/gpg.c (opts): Define commands with ARGPARSE_c
instead of ARGPARSE_s_n.

--

These three entries are commands, but they're being treated as a
string-based option for some reason.  However, if you try to use them
concurrently with another command like --clearsign, you'll get "gpg:
conflicting commands".

Furthermore, because they're marked as options, their flags differ
from the commands that they alias, they cause ambiguity in
abbreviation (e.g. try "gpg --list-ke") which should have been fixed
by 7249ab0f95.

Marking them explicitly as commands for argparse should be more
accurate and should resolve the abbreviation ambiguity issue.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
gpg: fix aliases --list-key, --list-sig, and --check-sig.

* g10/gpg.c: ARGPARSE_OPTS opts[]: define commands with ARGPARSE_c
instead of ARGPARSE_s_n.

--

These three entries are commands, but they're being treated as a
string-based option for some reason.  However, if you try to use them
concurrently with another command like --clearsign, you'll get "gpg:
conflicting commands".

Furthermore, because they're marked as options, their flags differ
from the commands that they alias, they cause ambiguity in
abbreviation (e.g. try "gpg --list-ke") which should have been fixed
by 7249ab0f95.

Marking them explicitly as commands for argparse should be more
accurate and should resolve the abbreviation ambiguity issue.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-05 18:05:17 +01:00
Werner Koch
7052a0d77c
gpg: More diagnostics for a launched pinentry.
* agent/call-pinentry.c (start_pinentry): Call getinfo/ttyinfo.
* g10/server.c (gpg_proxy_pinentry_notify): Simplify the output so
that we do not change the code when adding new fields to
PINENTRY_LAUNCHED.
--

This patch changes the --verbose output of gpg to show
for example

  gpg: pinentry launched (5228 gtk2 1.0.1-beta10 \
  /dev/pts/4 xterm localhost:10.0)

the used tty, its type, and the value of DISPLAY in addiion to the
pid, flavor, and version.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-02-03 12:05:16 +01:00
Neal H. Walfield
407f5f9bae gpg: Don't assume that strtoul interprets "" as 0.
* g10/tofu.c (show_statistics): If there are not records, return 0
instead of NULL.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
GnuPG-bug-id: 2853

According to SUSv3:

  If the subject sequence is empty or does not have the expected form,
  no conversion is performed
  ...
  If no conversion could be performed, 0 is returned and errno may be
  set to [EINVAL].

  http://pubs.opengroup.org/onlinepubs/007908799/xsh/strtol.html

It appears that MacOS X sets errno to EINVAL, but glibc doesn't.
Hence, we map NULL to 0 explicitly.
2017-02-02 15:48:45 +01:00
Neal H. Walfield
769272ba87 gpg: Ensure TOFU bindings associated with UTKs are registered as usual
* g10/tofu.c (get_trust): Call get_policy before short-circuiting the
policy lookup for ultimately trusted keys to make sure the binding is
added to the bindings table, if necessary.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
GnuPG-bug-id: 2929
2017-02-02 14:24:38 +01:00
Neal H. Walfield
a08c781739 gpg: If there is a TOFU conflict, elide the too few message warning.
* g10/tofu.c (tofu_get_validity): If there was a conflict, don't also
print out a warning about too few messages.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2017-02-02 13:26:42 +01:00
Neal H. Walfield
027b81b35f gpg: Only print out TOFU statistics for conflicts in interactive mode
* g10/tofu.c (get_trust): Add arguments POLICYP and CONFLICT_SETP.  If
they are not NULL, return the policy and conflict set (if there is
one), respectively.  Update callers.  If MAY_ASK is FALSE, don't print
out the statistics.
(tofu_register_encryption): If there is a conflict and we haven't yet
printed the statistics about the conflicting bindings, do so now.
(tofu_get_validity): Likewise.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
GnuPG-bug-id: 2914
2017-02-02 13:26:42 +01:00
Neal H. Walfield
74268180e5 gpg: Add newline to output.
* g10/tofu.c (ask_about_binding): Add newline to output.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2017-02-02 13:26:41 +01:00
Neal H. Walfield
6f9d8a956b gpg: Remove period at end of warning.
* g10/tofu.c (tofu_register_encryption): Remove period at end of
warning.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2017-02-02 13:26:41 +01:00
Justus Winter
3f4f20ee6e gpg: Fix searching for mail addresses in keyrings.
* g10/keyring.c (compare_name): Fix KEYDB_SEARCH_MODE_MAIL* searches
in keyrings when the UID is a plain addr-spec.
--
Previously, 'gpg --list-key "<foo@example.org>"' failed if 1/ the
keyring format is used and 2/ the key's UID is a plain addr-spec
(cf. RFC2822 section 4.3), e.g. 'foo@example.org'.

GnuPG-bug-id: 2930
Signed-off-by: Justus Winter <justus@g10code.com>
2017-01-25 16:58:46 +01:00
Werner Koch
770b75a746
gpg: Print a warning on Tor problems.
* dirmngr/ks-engine-hkp.c (tor_not_running_p): New.
(map_host): Call that to print a warning.
(handle_send_request_error): Ditto and avoid marking the host dead.
Also print a tor_config_problem warning.  Add arg CTRL; adjust callers
to pass that new arg.
* g10/call-dirmngr.c (ks_status_cb): Detect and print the new
warnings.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-24 20:52:24 +01:00
Werner Koch
707c47f559
Update copyright notices for 2017.
--

Also some http:// -> https:// fixes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-23 19:16:55 +01:00
Damien Goutte-Gattat
a85731ada2
gpg: Fix misleading log message when checking regexp.
* src/trustdb.c (check_regexp): Correctly print whether the
regexp matched or not.
--

This patch fixes the log message displayed when gpg attempts to
match the regexp associated with a trust signature with an user ID.
The current message interprets the 'ret' variable backwards, and
displays 'YES' when the regexp actually fails to match.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2017-01-23 10:48:06 +01:00
Werner Koch
953d4ec6af
gpg: New export and import options "backup" and "restore".
* g10/export.c (parse_export_options): Add "backup" and its alias
"export-backup".
(do_export_one_keyblock): Export ring trust packets in backup mode.
* g10/import.c (parse_import_options): Add "restore" and its alias
"import-restore".
(read_block): Import ring trust packets.
--

These options are intended to, well, backup and restore keys between
GnuPG implementations.  These options may eventually be enhanced to
backup and restore all public key related information.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-23 10:13:26 +01:00
Damien Goutte-Gattat
3daeef702b gpg: Allow to freeze faked system time.
* g10/gpg.c (main): If the parameter for --faked-system-time
ends with a '!', freeze time at the specified point.
* common/gettime.c (gnupg_set_time): Allow to freeze the time
at an arbitrary time instead of only the current time.
* doc/gpg.texi: Update documentation for --faked-system-time.
--

This patch allows the user to modify the behavior of the
--faked-system-time option: by appending a '!' to the parameter,
time in GnuPG will be frozen at the specified time, instead of
advancing normally from that time onward.

Signed-off-by: Damien Goutte-Gattat <dgouttegattat@incenp.org>
2017-01-19 10:39:06 +01:00
Werner Koch
701f54eccf
gpg: Remove unused definitions.
* g10/keydb.h (rt_UNKNOWN, rt_RING): Remove constants.
(keyblock_pos_struct, KBPOS): Remove struct and type.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-18 10:07:53 +01:00
Werner Koch
356323768a
gpg: Clean bogus subkey binding when cleaning a key.
* g10/trust.c (clean_key): Also clean bogus subkey bindings.
--

GnuPG-bug-id: 2922
Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-17 10:26:34 +01:00
Werner Koch
766c25018b
gpg: Sync print of additional sig data in --edit-key.
* g10/keylist.c (show_policy_url): Implement MODE -1.
(show_keyserver_url): Ditto.
(show_notation): Ditto.
* g10/keyedit.c (print_one_sig): Print policy URL, keyserver URL and
notation data to the tty.
--

With this change the listing of signatures in the key edit menu does
now include policy URLs et al in order and not possible after leaving
the menu (it used to go to stdout and not the tty).

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-17 10:23:52 +01:00
Werner Koch
adbfbf608e
gpg: Prepare some key cleaning function for use with secret key packets.
* g10/trust.c (mark_usable_uid_certs): Allow use of secret key packets.
(clean_sigs_from_uid): Ditto.
(clean_uid_from_key): Ditto.
(clean_one_uid): Ditto.
(clean_key): Ditto.
--

Since 2.1 secret keys and public keys use identical data structure and
thus we should not restrict those key cleaning functions to work only
with public key packets.  This change has no immediate effect but may
come handy in the future.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-17 09:14:44 +01:00
Werner Koch
c99a09f111
gpg: Rename a var to avoid a shadowing warning.
* g10/keygen.c (keygen_set_std_prefs): Rename variable.
--

I consider it better not to use the name of a commonly used function.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-12 10:40:43 +01:00
Daniel Kahn Gillmor
38671cfe5a g10: avoid warning when --disable-tofu
If configured with --disable-tofu, we see compiler warnings about an
unused variable.  This should remove those warnings.
2017-01-04 13:18:04 -05:00
Werner Koch
6b84ecbf31
Replace use of variable-length-arrays.
* common/t-iobuf.c (main): Replace variable-length-array.
* g10/gpgcompose.c (mksubpkt_callback): Ditto.
(encrypted): Ditto.
* g10/t-stutter.c (log_hexdump): Ditto.
(oracle_test): Ditto.
* g10/tofu.c (get_policy): Ditto.  Use "%zu" for size_t.
* scd/app-openpgp.c (ecc_writekey): Replace variable-length-array.
Check for zero length OID_LEN.

Signed-off-by: Werner Koch <wk@gnupg.org>
2017-01-02 13:29:18 +01:00
Werner Koch
b8b0d2f4c1
build: Update distributed signature key.
--

This update is required because gniibe prolonged his key.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-20 10:22:05 +01:00
Werner Koch
10dae15186
typo: Fix a string in do_we_trust_pre.
--
2016-12-19 16:39:26 +01:00
Werner Koch
e384405b6e
Remove unused debug flags and add "dns" and "network".
* g10/options.h (DBG_CARD_IO_VALUE, DBG_CARD_IO): Remove.
* g10/gpg.c (debug_flags): Remove "cardio".
* agent/agent.h (DBG_COMMAND_VALUE, DBG_COMMAND): Remove.
* agent/gpg-agent.c (debug_flags): Remove "command".
* scd/scdaemon.h (DBG_COMMAND_VALUE, DBG_COMMAND): Remove.
* scd/scdaemon.c (debug_flags): Remove "command".
* dirmngr/dirmngr.h (DBG_DNS_VALUE, DBG_DNS): New.
(DBG_NETWORK_VALUE, DNG_NETWORK): New.
* dirmngr/dirmngr.c (debug_flags): Add "dns" and "network".
--

Note that "dns" and "network" are not yet used but will soon be added
to dirmngr.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-19 09:41:15 +01:00
Werner Koch
48671f295f
gpg,sm: A few more option for --gpgconf-list.
* g10/gpg.c (gpgconf_list): Add --compliance and
--default-new-key-algo.
(parse_compliance_option):
* sm/gpgsm.c (main) <gpgconf-list>: Add --enable-crl-checks.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-16 16:05:02 +01:00
Neal H. Walfield
4a2c210b75 g10: Use total days, not total messages to compute TOFU validity
* g10/tofu.c (write_stats_status): Use the number of days with
signatures / encryptions to compute the validity, not the total number
of signatures / encryptions.
(BASIC_TRUST_THRESHOLD): Adjust given the new semantics.
(FULL_TRUST_THRESHOLD): Likewise.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-12-16 14:51:15 +01:00
Neal H. Walfield
94f6b9010d g10: Extend TOFU_STATS to emit <sign-days> and <encyrption-days>
* doc/DETAILS: Add SIGN-DAYS and ENCRYPT-DAYS to the TOFU_STATS status
line.
* g10/tofu.c (write_stats_status): Take additional parameters
signature_days and encryption_days.  Update callers.  Include them in
the tfs record and TOFU status lines.
(show_statistics): Compute the number of days on which we saw a
message signed by FINGERPRINT, and the number of days on which we
encrypted a message to it.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-12-16 14:32:39 +01:00
Neal H. Walfield
fea9da4a8a g10: On a TOFU conflict, write the conflicting keys to the status fd
* g10/tofu.c (ask_about_binding): Emit all of the conflicting keys and
their statistics on the status fd.
(get_trust): Likewise, if we don't call ask_about_binding.
(show_statistics): Have the caller pass the policy as returned by
get_policy.  Add argument only_status_fd and don't emit any output on
stdout if it is set.  Update callers.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-12-16 11:11:17 +01:00
Neal H. Walfield
6caa2d0ba2 g10: Add missing space.
* g10/tofu.c (tofu_register_encryption): Add missing space.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-12-16 11:11:16 +01:00
Justus Winter
6b16b02109 g10: Avoid translating simple error messages.
* g10/gpg.c (main): Avoid translating arguments to 'wrong_args'.
--
Translating these messages is a burden for translators, and we only
have translations for very few of them as it is.

If we want to localize these messages, I'd suggest to translate the
placeholders (e.g. 'filename').

Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-15 16:14:23 +01:00
Justus Winter
41ad04d403 g10: Rework the --quick-* interface.
* g10/gpg.c (opts): Rename options.
(main): Update errors.
* doc/gpg.texi: Update accordingly.
--
I decided not to keep the old versions as aliases in the documentation
because the interface is a fairly recent addition.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-15 15:32:51 +01:00
Justus Winter
6e4396723e g10: Rename 'card-edit' to 'edit-card'.
* g10/gpg.c (opts): Rename option.
* g10/call-agent.c (agent_scd_learn): Update comment.
* doc/gpg.texi: Update accordingly.
--
This change has a surprising side effect.  Previously, --edit was an
alias for --edit-key, because the argument parser actually accepts
unique prefixes of all options.  With this change, however, --edit is
ambiguous.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-15 14:50:10 +01:00
Justus Winter
3c691097ca g10: Spell out --desig-revoke.
* g10/gpg.c (opts): Rename option.
* doc/gpg.texi: Update accordingly.
--
This is a rather long name, but I believe that this command is rarely
used, and in places where it is used frequently, the process is likely
automated.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-15 13:59:48 +01:00
Justus Winter
c252627c6f g10: Shorten unreasonably long option.
* g10/gpg.c (opts): Rename 'generate-revocation-certificate' to
'generate-revocation'.
* doc/gpg.texi: Update accordingly.
* po: Update translations.

GnuPG-bug-id: 2700
Fixes-commit: ec1bd3ae68
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-15 13:01:03 +01:00
Justus Winter
c1c35fb887 g10,sm: Spell out --passwd.
* g10/gpg.c (opts): Spell out option.
* sm/gpgsm.c (opts): Likewise.
* doc/gpg.texi: Update accordingly.
* doc/gpgsm.texi: Likewise.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:49:47 +01:00
Justus Winter
ec1bd3ae68 g10: Spell out --gen-revoke.
* g10/gpg.c (opts): Spell out option.
* doc/gpg.texi: Update accordingly.
* po: Update translations.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:43:22 +01:00
Justus Winter
09163a6390 g10: Spell out --full-gen-key.
* g10/gpg.c (opts): Spell out option.
(main): Likewise.
* g10/keygen.c (generate_keypair): Likewise.
* doc/gpg.texi: Update accordingly.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:55 +01:00
Justus Winter
892c827e72 g10,sm: Spell out --gen-key.
* g10/gpg.c (opts): Spell out option.
* sm/gpgsm.c (opts): Likewise.
* doc/gpg.texi: Update accordingly.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:55 +01:00
Justus Winter
9147737f1c g10,sm: Spell out --check-sigs.
* g10/gpg.c (opts): Spell out option.
* sm/gpgsm.c (opts): Likewise.
* doc/gpg.texi: Update accordingly.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:55 +01:00
Justus Winter
a6d6e4afe4 g10,sm: Spell out --list-sigs.
* g10/gpg.c (opts): Spell out option.
* sm/gpgsm.c (opts): Likewise.
* doc/gpg.texi: Update accordingly.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:54 +01:00
Justus Winter
04754ce3a7 g10: Hyphenate --clearsign.
* g10/gpg.c (opts): Hyphenate option.
* doc/gpg.texi: Update accordingly.
* po: Update translations.
* tests/openpgp: Update tests.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:54 +01:00
Justus Winter
ca59815234 g10: Spell out --recv-keys.
* g10/gpg.c (opts): Spell out option.
* doc/gpg.texi: Update accordingly.

GnuPG-bug-id: 2700
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 17:30:54 +01:00
Justus Winter
dd3dde07a9 g10: Create expiring keys in quick key generation mode.
* doc/gpg.texi: Document that fact.
* g10/keygen.c (quick_generate_keypair): Use a default value.
* tests/openpgp/quick-key-manipulation.scm: Test that fact.

GnuPG-bug-id: 2701
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-13 16:35:08 +01:00
Werner Koch
98433c7043
gpg: Fix memory leak in ecc key generation.
* g10/keygen.c (ecckey_from_sexp): Release curve.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-12 14:02:14 +01:00
Werner Koch
f1304ee9b2
gpg: Do not use a fixed string for --gpgconf-list:default_pubkey_algo.
* g10/keygen.c (get_default_pubkey_algo): New.
(parse_key_parameter_string): Use it.
* g10/gpg.c (gpgconf_list): Take value from new function.
--

Note that consumers of that gpgconf-list value may need to be adjusted
to that new value.  It should anyway only be used to display the
default algorithm.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-12 10:50:42 +01:00
Werner Koch
522e6f798d
gpg: Fix algo string parsing of --quick-addkey.
* g10/keygen.c (parse_key_parameter_string): Fix handling of PART==1.
(parse_key_parameter_part): Use default key size if only "rsa", "dsa",
or "elg" is given.
--

The first change is the actual fix.  The second change avoids the
error "Invalid Curve" when only "rsa" instead of RSA2048 is given.

Fixes-commit: ce29272e24
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-12 10:13:06 +01:00
Justus Winter
d568a15616 g10: Create keys that expire in simple key generation mode.
* g10/keygen.c (default_expiration_interval): New variable.
(generate_keypair): Use the new default.
--
Cursory discussion on gnupg-devel@ suggested two years as a good
default expiration interval.

GnuPG-bug-id: 2701
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-09 14:38:31 +01:00
Justus Winter
c8100fc0fa g10: List compression algorithms using human-readable names.
* g10/gpg.c (list_config): List all enabled compression algorithms
under the key 'compressname'.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-09 13:13:45 +01:00
Justus Winter
3de9bad359 g10: Fix memory leak.
* g10/sign.c (do_sign): Release old signature data.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-09 13:13:45 +01:00
Werner Koch
cb4c7abb77
Fix 2 compiler warnings.
* dirmngr/loadswdb.c: Set ERR on malloc failure.
* g10/passphrase.c (passphrase_to_dek): Initialize all fields of
HELP_S2K.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-08 19:02:56 +01:00
Werner Koch
a75790b740
gpg: Fix the fix out-of-bounds access.
* g10/tofu.c (build_conflict_set): Revert to int* and fix calloc.
--

The original code used an int array and thus better keep that and do
not limit it to 128 entries.

Fixes-commit: c3008bffac
Fixes-commit: 3b5b94ceab
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-08 17:03:26 +01:00
Justus Winter
3b5b94ceab g10: Fix out-of-bounds access.
* g10/tofu.c (build_conflict_set): Use 'char'.

Fixes-commit: c3008bffac
Signed-off-by: Justus Winter <justus@g10code.com>
2016-12-08 14:19:09 +01:00
Werner Koch
c3008bffac
gpg: Fix portability problem.
* g10/tofu.c (build_conflict_set): Replace variable dynamic array.
--

Note that clang complained that CONFLICT_SET_COUNT could be negative.
Thus I added an assert.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-08 13:08:02 +01:00
Neal H. Walfield
6102099985 g10: Avoid a memory leak.
* g10/gpg.c (main): Free KB when we're done with it.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-12-06 12:16:59 +01:00
Neal H. Walfield
bd9ebe1404 g10: Remove dead code.
* g10/tofu.c (tofu_set_policy_by_keyid): Remove function.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-12-06 12:16:56 +01:00
Werner Koch
41b3d0975d
gpg: New option --quick-set-expire.
* g10/gpg.c (aQuickSetExpire): New.
(opts): New option --quick-set-expire.
(main): Implement option.
* g10/keyedit.c (menu_expire): Add args FORCE_MAINKEY and
NEWEXPIRATION.  Change semantics of the return value.  Change caller.
(keyedit_quick_set_expire): New.
--

This patch partly solves
GnuPG-bug-id: 2701
2016-12-05 11:00:11 +01:00
Werner Koch
ef10c348bf
gpg: Fix error code arg in ERRSIG status line.
* g10/mainproc.c (check_sig_and_print): Use gpg_err_code to return an
error code in ERRSIG.
--

Debian-bug-id: 846834
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-03 21:36:14 +01:00
Werner Koch
ce29272e24
gpg: New option --default-new-key-algo.
* common/openpgp-oid.c (openpgp_is_curve_supported): Add optional arg
R_ALGO and change all callers.
* common/util.h (GPG_ERR_UNKNOWN_FLAG): New error code.
* g10/options.h (struct opt): Add field DEF_NEW_KEY_ALGO.
* g10/gpg.c (oDefaultNewKeyAlgo): New enum.
(opts): New option "--default-new-key-algo".
(main): Set the option.
* g10/keygen.c: Remove DEFAULT_STD_ FUTURE_STD_ constants and replace
them by ...
(DEFAULT_STD_KEY_PARAM, FUTURE_STD_KEY_PARAM): new string constants.
(get_keysize_range): Remove arg R_DEF and return that value instead.
Change all callers.
(gen_rsa): Use get_keysize_range instead of the removed
DEFAULT_STD_KEYSIZE.
(parse_key_parameter_part): New function.
(parse_key_parameter_string): New function.
(quick_generate_keypair): Refactor using parse_key_parameter_string.
(generate_keypair): Ditto.
(parse_algo_usage_expire): Ditto.
--

This new option is intended to be used in the forthcoming
--set-profile command of gpgconf.  It allows to provide a gpg
configuration with custom defaults for a new key using the simple
commands which use the default algorithm set.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-02 19:47:40 +01:00
Neal H. Walfield
cd532bb7b8 g10: Improve debugging output.
* g10/tofu.c (string_to_long): Improve debugging output.
(string_to_ulong): Likewise.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-12-02 11:07:04 +01:00
Neal H. Walfield
bd1a1d8582 g10: In the TOFU module, make strings easier to translate.
* g10/tofu.c: Remove dead code.
(time_ago_str): Simplify implementation since we only want the most
significant unit.
(format_conflict_msg_part1): Use ngettext.
(ask_about_binding): Likewise and only emit full sentences.
(show_statistics): Likewise.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-12-01 22:12:56 +01:00
Werner Koch
86efc3ee53
gpg: Let only Dirmngr decide whether CERT is supported.
* g10/getkey.c (parse_auto_key_locate): Do not build parts depending
on USE_DNS_CERT.
--

This also removes USE_DNS_SRV from commented code.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-12-01 16:40:32 +01:00
Werner Koch
a5910e00ac
gpg: Make --decrypt with output '-&nnnn' work.
* g10/plaintext.c (get_output_file): Check and open special filename
before falling back to stdout.
--

GnuPG-bug-id: 2677
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-29 16:54:36 +01:00
Werner Koch
60b4982836
gpg,sm: Merge the two versions of check_special_filename.
* sm/gpgsm.c (check_special_filename): Move to ..
* common/sysutils.c (check_special_filename): here.  Add arg
NOTRANSLATE.
(allow_special_filenames): New local var.
(enable_special_filenames): New public functions.
* sm/gpgsm.c (allow_special_filenames): Remove var.
(main): Call enable_special_filenames instead of setting the var.
(open_read, open_es_fread, open_es_fwrite): Call
check_special_filename with 0 for NOTRANSLATE.
* common/iobuf.c (special_names_enabled): Remove var.
(iobuf_enable_special_filenames): Remove func.
(check_special_filename): Remove func.
(iobuf_is_pipe_filename): Call new version of the function with
NOTRANSLATE set.
(do_open): Ditto.
* g10/gpg.c (main): Call enable_special_filenames instead of
iobuf_enable_special_filenames.
* g10/gpgv.c (main): Ditto.
--

Note that we keep the iobuf.c:translate_file_handle because it is a
bit different (for whatever reasons) than the translate function from
sysutils.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-29 16:54:36 +01:00
Justus Winter
52385a2ba1 g10: Fix memory leak.
* g10/decrypt.c (decrypt_messages): Properly decrease the reference
count of the armor filters after pushing them.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-29 16:48:35 +01:00
Neal H. Walfield
522f74f7e3 Improve some comments. 2016-11-29 14:56:00 +01:00
Neal H. Walfield
2f27cb12e3 g10: Extend TOFU_STATS to always show the validity
* doc/DETAILS (TOFU_STATS): Rename the VALIDITY field to SUMMARY.  Add
a new field called VALIDITY.
* g10/tofu.c (write_stats_status): Update output accordingly.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>

Change TOFU_STATS as discussed offline with Werner, Justus and Andre.
2016-11-29 14:55:59 +01:00
Justus Winter
4db9a42564 g10: Fix iteration over getkey results.
* g10/getkey.c (getkey_next): Only ask 'lookup' for the exact match if
our caller requested the key.  Fixes a crash in 'lookup'.

GnuPG-bug-id: 2848
Fixes-commit: 1d03cc77e1
Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-28 13:48:19 +01:00
Neal H. Walfield
03a65a5323 g10: Avoid gratuitously loading a keyblock when it is already available
* g10/trust.c (get_validity): Add new, optional parameter KB.  Only
load the keyblock if KB is NULL.  Update callers.
(get_validity): Likewise.
* g10/trustdb.c (tdb_get_validity_core): Likewise.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
GnuPG-bug-id: 2812
2016-11-23 12:29:22 +01:00
Neal H. Walfield
bfeafe2d3f g10: Use es_fopen instead of open.
* g10/tofu.c: Don't include <utime.h>, <fcntl.h> or <unistd.h>.
(busy_handler): Replace use of open with es_fopen.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>

Thanks for Werner for pointing this out: es_fopen is more portable
than open.
2016-11-22 17:12:38 +01:00
Neal H. Walfield
44c17bcb00 g10: If the set of UTKs changes, invalidate any changed policies.
* g10/trustdb.c (tdb_utks): New function.
* g10/tofu.c (check_utks): New function.
(initdb): Call it.
* tests/openpgp/tofu.scm: Modify test to check the effective policy of
keys whose effective policy changes when we change the set of UTKs.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>

If the set of ultimately trusted keys changes, then it is possible
that a binding's effective policy changes.  To deal with this, we
detect when the set of ultimately trusted keys changes and invalidate
all cached policies.
2016-11-22 15:24:05 +01:00
Justus Winter
6ce14a805f g10: Fix memory leak.
* g10/tofu.c (tofu_notice_key_changed): Remove spurious duplicate call
to 'hexfingerprint'.

Fixes-commit: 037f9de092
Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-22 12:09:47 +01:00
Neal H. Walfield
037f9de092 g10: Cache the effective policy. Recompute it when required.
* g10/tofu.c (initdb): Add column effective_policy to the bindings
table.
(record_binding): New parameters effective_policy and set_conflict.
Save the effective policy.  If SET_CONFLICT is set, then set conflict
according to CONFLICT.  Otherwise, preserve the current value of
conflict.  Update callers.
(get_trust): Don't compute the effective policy here...
(get_policy): ... do it here, if it was not cached.  Take new
parameters, PK, the public key, and NOW, the time that the operation
started.  Update callers.
(show_statistics): New parameter PK.  Pass it to get_policy.  Update
callers.
(tofu_notice_key_changed): New function.
* g10/gpgv.c (tofu_notice_key_changed): New stub.
* g10/import.c (import_revoke_cert): Take additional argument CTRL.
Pass it to keydb_update_keyblock.
* g10/keydb.c (keydb_update_keyblock): Take additional argument CTRL.
Update callers.
[USE_TOFU]: Call tofu_notice_key_changed.
* g10/test-stubs.c (tofu_notice_key_changed): New stub.
* tests/openpgp/tofu.scm: Assume that manually setting a binding's
policy to auto does not cause the tofu engine to forget about any
conflict.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>

We now store the computed policy in the tofu DB (in the
effective_policy column of the bindings table) to avoid computing it
every time, which is expensive.  Further, policy is never overridden
in case of a conflict.  Instead, we detect a conflict if CONFLICT is
not empty.

This change is backwards compatible to existing DBs.  The only minor
incompatibility is that unresolved conflicts won't be automatically
resolved in case we import a direct signature, or cross signatures.
2016-11-21 22:47:30 +01:00
Neal H. Walfield
182efc5b5d g10: Correctly parameterize ngettext.
* g10/tofu.c (ask_about_binding): Correctly parameterize ngettext.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-11-21 21:22:02 +01:00
Neal H. Walfield
7142b293c8 g10: Don't use the same variable for multiple SQL compiled statements
* g10/tofu.c (struct tofu_dbs_s): Remove unused field
record_binding_update2.  Replace register_insert with
register_signature and register_encryption.
(tofu_register_signature): Don't use dbs->s.register_insert, but
dbs->s.register_signature.
(tofu_register_encryption): Don't use dbs->s.register_insert, but
dbs->s.register_encryption.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-11-21 21:13:15 +01:00
Neal H. Walfield
91a0483c5d g10: Add a convenience function for checking if a key is a primary key
* g10/keydb.h (pk_is_primary): New function.
* g10/tofu.c (get_trust): Use it.
(tofu_register_signature): Likewise.
(tofu_register_encryption): Likewise.
(tofu_set_policy): Likewise.
(tofu_get_policy): Likewise.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-11-21 16:39:53 +01:00
NIIBE Yutaka
1c0b140ccc g10: Fix flags to open for lock of ToFU.
* g10/tofu.c (busy_handler): Fix the flags and utime is not needed.

--

The argument flags must include one of O_RDONLY, O_WRONLY, or O_RDWR.
Adding O_TRUNC, the file is updated.  So, utime is not needed.

Fixes-commit: b2e1b17efa
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-11-18 20:32:22 +09:00
NIIBE Yutaka
b2e1b17efa g10: Fix creating a lock for ToFU.
* g10/tofu.c (busy_handler): Add third argument which is mandatory for
O_CREATE flag.

--

Reported-by: Kristian Fiskerstrand
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-11-18 09:32:34 +09:00
Werner Koch
5210ff70bc
doc: Typo fixes.
--

Reported-by: Nathan Musoke <nathan.musoke@gmail.com>
2016-11-17 15:29:35 +01:00
Werner Koch
c4506a3f15
common: Rename keybox_file_rename to gnupg_rename_file.
* kbx/keybox-util.c (keybox_file_rename): Rename to ...
* common/sysutils.c (gnupg_rename_file): this.  Change all callers.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-16 17:43:59 +01:00
Werner Koch
43bfaf2c54
gpg: New option --override-session-key-fd.
* g10/gpg.c (oOverrideSessionKeyFD): New.
(opts): Add option --override-session-key-fd.
(main): Handle that option.
(read_sessionkey_from_fd): New.
--

The override-session-key feature was designed to mitigate the effect
of the British RIP act by allowing to keep the private key private and
hand out only a session key.  For that use case the leaking of the
session key would not be a problem.  However there are other use
cases, for example fast re-decryption after an initial decryption,
which would benefit from concealing the session key from other users.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-16 09:03:03 +01:00
Werner Koch
500e594c2d
gpgv: New option --enable-special-filenames.
* g10/gpgv.c (oEnableSpecialFilenames): New.
(opts): Add option --enable-special-filenames.
(main): Implement that option.
--

This is the same option we have in gpg.  It allows to use commands
like

 gpgv --enable-special-filenames -- '-&3' - <msg 3<msg.sig

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 20:11:59 +01:00
Werner Koch
b47603a0ac
gpg: Add new compliance mode "de-vs".
* g10/options.h (CO_DE_VS): New.
(GNUPG): Also allow CO_DE_VS.
* g10/gpg.c (oDE_VS): New.
(parse_compliance_option): Add "de-vs".
(set_compliance_option): Set "de-vs".
* g10/misc.c (compliance_option_string): Return a description string.
(compliance_failure): Ditto.
* g10/keygen.c (ask_algo): Take care of CO_DE_VS.
(get_keysize_range): Ditto.
(ask_curve): Add new field to CURVES and trun flags into bit flags.
Allow only Brainpool curves in CO_DE_VS mode.
--

As of now this compliance mode only restricts the set of algorithms
and curves which can be created.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 17:50:03 +01:00
Werner Koch
4bd12b571e
doc: Add comment to make clear that KBNODE is deprecated.
--

kbnode_t has replaced KBNODE for new code years ago, but that should
be documented.  No bulk changes please to keep git blame easy to read.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 16:29:08 +01:00
Werner Koch
8ea3b4c410
gpg: Use usual free semantics for packet structure free functions.
* g10/free-packet.c (free_attributes): Turn function into a nop for a
NULL arg.
(free_user_id): Ditto.
(free_compressed): Ditto.
(free_encrypted): Ditto.
(free_plaintext): Ditto.
(release_public_key_parts): Avoid extra check for NULL.
* g10/getkey.c (get_best_pubkey_byname): Ditto.
--

This change avoid surprises because it is common that function named
like free and taking a pointer also have similar semantics.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 16:24:09 +01:00
Justus Winter
12834e84ac g10: Optimize key iteration.
* g10/getkey.c (get_best_pubkey_byname): Use the node returned by
'getkey_next' instead of doing another lookup.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-15 15:38:09 +01:00
Justus Winter
d20107f6da g10: Fix memory leak.
* g10/getkey.c (finish_lookup): Clarify that we do not return a
reference.
(lookup): Clarify the relation between RET_KEYBLOCK and RET_FOUND_KEY.
Check arguments.  Actually release the node if it is not returned.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-15 15:38:09 +01:00
Justus Winter
1d03cc77e1 g10: Fix iteration over getkey results.
* g10/getkey.c (getkey_next): Fix invocation of 'lookup'.  If we want
to use RET_FOUND_KEY, RET_KEYBLOCK must be valid.

Fixes-commit: 8ea72a776a
Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-15 15:38:09 +01:00
Justus Winter
bd60742925 g10: Fix use-after-free.
* g10/getkey.c (pubkey_cmp): Make a copy of the user id.
(get_best_pubkey_byname): Free the user ids.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-15 15:38:09 +01:00
NIIBE Yutaka
1f7639ebbe g10: Fix memory leak.
* g10/keyedit.c (menu_adduid): Don't copy 'sig'.

--

Fixes-commit: 809d67e740
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-11-15 21:10:51 +09:00
Werner Koch
f86b1a15ad
gpg: New option --compliance.
* g10/gpg.c (oCompliance): New.
(opts): Add "--compliance".
(parse_tofu_policy): Use a generic description string for "help".
(parse_compliance_option): New.
(main): Add option oCompliance.  Factor out code for compliance
setting to ...
(set_compliance_option): new.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 13:06:49 +01:00
Justus Winter
809d67e740 g10: Fix memory leak.
* g10/keyedit.c (menu_adduid): Deallocate 'sig'.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-15 11:46:40 +01:00
Justus Winter
2cd281c4de g10: Fix memory leak.
* g10/mainproc.c (check_sig_and_print): Free 'pk'.

Fixes-commit: 37e3c89725
Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-14 17:33:18 +01:00
Werner Koch
5d13581f47
gpg,sm: Add STATUS_ERROR keydb_search and keydb_add-resource.
* g10/keydb.c (keydb_add_resource): Make ANY_REGISTERED
file-global.  Write a STATUS_ERROR.
(maybe_create_keyring_or_box): Check for non-accessible but existant
file.
(keydb_search): Write a STATUS_ERROR if no keyring has been registered
but continue to return NOT_FOUND.
* sm/keydb.c (keydb_add_resource): Rename ANY_PUBLIC to ANY_REGISTERED
and make file-global.  Write a STATUS_ERROR.
(keydb_search): Write a STATUS_ERROR if no keyring has been registered
but continue to return NOT_FOUND.  Also add new arg CTRL and change
all callers to pass it down.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-10 17:07:28 +01:00
Werner Koch
088d955bd8
gpg: Improve error message for --quick-gen-key.
* g10/keygen.c (parse_algo_usage_expire): Use a different error
message for an unknown algorithm name.
--

GnuPG-bug-id: 2832
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-10 12:18:33 +01:00
Justus Winter
5840353d8b g10: Fix crash.
* g10/getkey.c (get_best_pubkey_byname): If 'get_pubkey_byname' does
not return a getkey context, then it can return at most one key,
therefore there is nothing to rank.  Also, always initialize '*retctx'
to be on the safe side.

GnuPG-bug-id: 2828
Fixes: ab89164be0
Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-07 12:57:30 +01:00
Werner Koch
4d7dc432b5
Change all http://www.gnu.org in license notices to https://
--
2016-11-05 12:02:19 +01:00
Werner Koch
2312a7f836
indent: Move comments inside the block.
--

This fixes a few

  if (foo)
    /* A comment
       with several
       lines.  */
    {
    }

Which has the problem that the block is visually not related to the
"if" and might thus falsely be considered a standalone block.

Also adds a asterisk on the left side of longer comments.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-04 14:52:08 +01:00
Werner Koch
c1ea0b577a
agent: Extend the PINENTRY_LAUNCHED inquiry and status.
* agent/call-pinentry.c (start_pinentry): Get flavor and version and
pass it to agent_inq_pinentry_launched.
* agent/command.c (agent_inq_pinentry_launched): Add arg EXTRA.
* g10/server.c (gpg_proxy_pinentry_notify): Print a new diagnostic.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-03 20:10:38 +01:00
Justus Winter
ab89164be0 g10: Improve and unify key selection for -r and --locate-keys.
* g10/getkey.c (struct pubkey_cmp_cookie): New type.
(key_is_ok, uid_is_ok, subkey_is_ok): New functions.
(pubkey_cmp): Likewise.
(get_best_pubkey_byname): Likewise.
* g10/keydb.h (get_best_pubkey_byname): New prototype.
* g10/keylist.c (locate_one): Use the new function.
* g10/pkclist.c (find_and_check_key): Likewise.
* tests/openpgp/Makefile.am (XTESTS): Add new test.
(TEST_FILES): Add new files.
* tests/openpgp/key-selection.scm: New file.
* tests/openpgp/key-selection/0.asc: Likewise.
* tests/openpgp/key-selection/1.asc: Likewise.
* tests/openpgp/key-selection/2.asc: Likewise.
* tests/openpgp/key-selection/3.asc: Likewise.
* tests/openpgp/key-selection/4.asc: Likewise.
--

When a name resembling a mail address is given to either --locate-keys
or --recipient, rank the search results and use only the most relevant
key.

This also lets us query which key will be used for encryption using
--locate-keys.  However, note that --locate-keys may also return keys
incapable of encryption, though it will prefer keys that have an
encryption subkey.

GnuPG-bug-id: 2359
Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-03 15:04:18 +01:00
Werner Koch
488b183811
common: Improve compare_string_versions.
* common/stringhelp.c: Include limits.h.
(compare_version_strings): Change semantics to behave like strcmp.
Include the patch lebel in the comparison.  Allow checking a single
version string.
* common/t-stringhelp.c (test_compare_version_strings): Adjust test
vectors and a few new vectors.
* g10/call-agent.c (warn_version_mismatch): Adjust to new sematics.
* g10/call-dirmngr.c (warn_version_mismatch): Ditto.
* sm/call-agent.c (warn_version_mismatch): Ditto.
* sm/call-dirmngr.c (warn_version_mismatch): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-02 17:58:11 +01:00
Daniel Kahn Gillmor
68b59bbc42 Spelling: correct spelling of "passphrase".
There were several different variant spellings of "passphrase".  This
should fix them all for all English text.

I did notice that po/it.po contains multiple instances of
"passhprase", which also looks suspect to me, but i do not know
Italian, so i did not try to correct it.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-11-02 12:53:58 +01:00
Justus Winter
5d4f1408d0 g10,w32: Fix build on Windows.
* g10/tofu.c (begin_transaction): Use the new 'gnupg_usleep'.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-02 12:45:18 +01:00
Neal H. Walfield
7a634e48b1 g10: Avoid gratuitious SQLite aborts and starving writers.
* g10/tofu.c: Include <time.h>, <utime.h>, <fcntl.h> and <unistd.h>.
(tofu_dbs_s): Add fields want_lock_file and want_lock_file_ctime.
(begin_transaction): Only yield if DBS->WANT_LOCK_FILE_CTIME has
changed since we took the lock.  Don't use gpgrt_yield to yield, but
sleep for 100ms.  After taking the batch lock, update
DBS->WANT_LOCK_FILE_CTIME.  Also take the batch lock the first time we
take the real lock.  When taking the real lock, use immediate not
deferred mode to avoid gratuitious aborts.
(end_transaction): When dropping the outermost real lock, drop the
batch lock.
(busy_handler): New function.
(opendbs): Set the busy handler to it when opening the DB.  Initialize
CTRL->TOFU.DBS->WANT_LOCK_FILE.
(tofu_closedbs): Free DBS->WANT_LOCK_FILE.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>

By default, SQLite defers transactions until they are actually needed.
A consequence of this is that if we have two readers and both decide
to do a write, then one has to abort.  To avoid this problem, we can
make the outermost transaction an immediate transaction.  This has the
disadvantage that we only allow a single reader at a time, but at
least we don't have gratuitous aborts anymore.

A second problem is that SQLite apparently doesn't actually create a
queue of waiters.  The result is that doing a sched_yield between
dropping and retaking the batch transaction is not enough to allow the
other process to make progress.  Instead, we need to wait a
while (emperically: 100ms seems reasonable).  To avoid waiting when
there is no contention, we use a new file's timestamp to signal that
there is a waiter.
2016-10-30 19:10:42 -07:00
Neal H. Walfield
eec365a02b g10: Avoid reading in keys when possible.
* g10/tofu.c (build_conflict_set): If CONFLICT_SET contains a single
element, don't bother to check for cross sigs.  Add parameter PK.
Update callers.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-10-30 11:03:51 -07:00
Neal H. Walfield
614ca00676 g10: Fix bit setting.
* g10/tofu.c (build_conflict_set): Fix bit setting.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
Fixes-commit: 1f1f56e606
2016-10-30 10:55:58 -07:00
Werner Koch
b6f08dbb0b
gpg: Enable the Issuer Fingerprint from rfc4880bis
* g10/build-packet.c (build_sig_subpkt_from_sig): Always write the new
Issuer Fingerprint sub-packet.
* g10/mainproc.c (check_sig_and_print): Always consider that
sub-packet.
--

The specs for this sub-packet have been pushed to the OpenPGP WG's
repo today.

See-also: https://mailarchive.ietf.org/arch/msg/\
	openpgp/GvPo2eSL9GW9WcGhOocY7KBa9FY

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-10-28 21:01:51 +02:00
Werner Koch
8fced66be3
gpg: Verify multiple detached signatures with different hash algos.
* g10/mainproc.c (proc_tree): Loose check.  Enable all algos.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-10-27 19:56:42 +02:00
Justus Winter
8ea72a776a g10: Fix iteration over getkey results.
* g10/getkey.c (getkey_next): Return the public key in PK even if
RET_KEYBLOCK is NULL.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-10-27 15:31:30 +02:00
Justus Winter
445f0c13d7 Fix typos.
--
Signed-off-by: Justus Winter <justus@g10code.com>
2016-10-27 14:59:56 +02:00
Justus Winter
66a0091d74 g10: Assert preconditions.
* g10/getkey.c (get_pubkey_byname): Assert preconditions.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-10-27 14:43:29 +02:00
Werner Koch
a15ed5a1fd
gpg: Convey --quick option to dirmngr for --auto-key-retrieve.
* g10/call-dirmngr.c (gpg_dirmngr_ks_get): Add arg 'quick'.
(gpg_dirmngr_wkd_get): Ditto.
* g10/keyserver.c (keyserver_get): Add arg 'quick'.
(keyserver_get_chunk): Add arg 'quick'.
(keyserver_import_fprint): Ditto.  Change callers to pass 0 for it.
(keyserver_import_keyid): Ditto.
(keyserver_import_wkd): Ditto.
* g10/mainproc.c (check_sig_and_print): Call the 3 fucntions with
QUICK set.
--

Note that this option has not yet been implemented by dirmngr.
Dirmngr will simply ignore it for now.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-10-27 09:06:10 +02:00
NIIBE Yutaka
ca0ee4e381 g10: Fix ECDH, clarifying the format.
* g10/ecdh.c (pk_ecdh_encrypt_with_shared_point): Returns error when
it's short.  Clarify the format.  Handle other prefixes correctly.

--
With the scdaemon's change, there is no case NBYTES < SECRET_X_SIZE.
This fixes the break of ECDH with X25519.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-10-27 13:04:45 +09:00
Arnaud Fontaine
b648f28f9f g10: ECDH shared point format.
* g10/ecdh.c (pk_ecdh_encrypt_with_shared_point): Improve handling of
ECDH shared point format.

--
This handles the case where the result comes from scdaemon.

Signed-off-by: Arnaud Fontaine <arnaud.fontaine at ssi.gouv.fr>
2016-10-27 12:16:30 +09:00
Werner Koch
9d6146d6f9
gpg: Replace two sprintf calls.
* g10/keygen.c (print_status_key_created): Use snprintf for now.
(ask_expire_interval): Replace xmalloc and sprintf by xasprintf.
--

Future updates: Replace code like

   r = xcalloc (1, sizeof *r + 20 );
   r->key = pKEYLENGTH;
   sprintf( r->u.value, "%u", info.key_attr[0].nbits);

by something like

   r = new_r_with_value ("%u", info.key_attr[0].nbits);
   r->key = pKEYLENGTH;

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-10-24 13:12:05 +02:00
NIIBE Yutaka
b1828c17fc scd: Use canonical curve name of libgcrypt.
* scd/app-openpgp.c (send_key_attr): Use curve instead of OID.
(ecdh_params): New.
(ecc_read_pubkey): Use ecdh_params.  Use curve name.
(ecc_writekey): Likewise.
(ecc_curve): Rename from ecc_oid.
(parse_algorithm_attribute): Use ecc_curve.
* g10/call-agent.c (learn_status_cb): Use openpgp_is_curve_supported to
intern the curve name string.
* g10/card-util.c (card_status): Conver curve name to alias for print.
--
Now, sdcaemon answer for KEY-ATTR is in the canonical curve name
instead of the alias.  Since it is used of key generation for
card encryption key with backup, it should be canonical name.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-10-24 11:22:44 +09:00
NIIBE Yutaka
acef095164 g10: Fix card keygen for decryption.
* g10/keygen.c (do_generate_keypair): Fix arguments.

--

Reported-by: Grumpy
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-10-24 07:52:40 +09:00
NIIBE Yutaka
987bbb2276 g10: More card key generation change.
* g10/keygen.c (gen_card_key): Add back ALGO as the second argument.
Don't get ALGO by KEY-ATTR by this function.  It's caller to provide
ALGO.  Don't do that by both of caller and callee.
(generate_keypair): Only put paramerters needed.  Use parameters
for ALGO to call gen_card_key.
(generate_card_subkeypair): Get ALGO and call gen_card_key with it.

--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-10-22 08:45:35 +09:00
Andre Heinecke
f7e50634be g10: Write first keybox record in binary mode
* g10/keydb.c (maybe_create_keyring_or_box): Open in binary mode.

--
This fixes keybox corruption on windows.

Signed-off-by: Andre Heinecke <aheinecke@intevation.de>
2016-10-21 15:02:19 +02:00
NIIBE Yutaka
d2653b1a6d g10,scd: Fix ECC keygen.
* g10/keygen.c (generate_keypair): For card key generation, fill
parameters by KEY-ATTR.

* scd/app-openpgp.c (ecc_read_pubkey): OID should be freed at last,
after its reference by OIDBUF is finished.
(ecc_writekey): Likewise.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-10-21 21:37:04 +09:00
NIIBE Yutaka
dafce6f698 g10: Don't ask keysize for for non-RSA card.
* g10/card-util.c (card_status): Bug fix for keyno.
(ask_card_rsa_keysize, do_change_rsa_keysize): Rename.
(generate_card_keys): Only ask keysize when RSA.
(card_generate_subkey): Likewise.

--

Co-authored-by: Arnaud Fontaine <arnaud.fontaine@ssi.gouv.fr>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-10-21 14:15:05 +09:00
NIIBE Yutaka
161cb22f13 g10: Support ECC for gen_card_key.
* g10/keygen.c (gen_card_key): Remove the first argument of ALGO.
(do_generate_keypair, generate_card_subkeypair): Follow the change.

--
ALGO is determined by the key attribute of the card.

Co-authored-by: Arnaud Fontaine <arnaud.fontaine@ssi.gouv.fr>
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-10-21 13:59:09 +09:00
NIIBE Yutaka
6e85ac77af Fix use cases of snprintf.
* agent/call-pinentry.c, agent/call-scd.c, agent/command.c,
build-aux/speedo/w32/g4wihelp.c, common/get-passphrase.c,
dirmngr/dirmngr.c, g10/call-agent.c, g10/cpr.c, g10/keygen.c,
g10/openfile.c, g10/passphrase.c, scd/app-openpgp.c, scd/scdaemon.c,
sm/call-agent.c, sm/call-dirmngr.c, sm/certreqgen.c: Fix assuming C99.

--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-10-21 12:04:46 +09:00
NIIBE Yutaka
9a34e2142b agent, g10: Fix keygen.
* agent/command.c (cmd_readkey): Get length after card_readkey.
* g10/keygen.c (gen_card_key): Fix off-by-one error.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-10-20 20:01:46 +09:00
NIIBE Yutaka
980c037bed g10: smartcard keygen change.
* g10/call-agent.c (scd_genkey_cb_append_savedbytes): Remove.
(scd_genkey_cb): Only handle KEY-CREATED-AT and PROGRESS.
(agent_scd_genkey): Remove INFO argument.  CREATETIME is now in/out
argument.
(agent_readkey): Use READKEY --card instead of SCD READKEY.
* g10/keygen.c (gen_card_key): Use READKEY --card command of the agent
to retrieve public key information from card and let the agent make
a file for private key with shadow info.
--

This change removes gpg's KEY-DATA handling for SCD GENKEY.  Information
with KEY-DATA is simply not used.  Instead, it is read by READKEY --card
command of gpg-agent.  This can consolidate public key handling in a
single method by READKEY.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-10-20 13:30:47 +09:00
Neal H. Walfield
95d0f3e5ee g10: Be more careful when checking if a binding is signed by a UTK.
* g10/tofu.c (signed_by_utk): When checking if a key is signed by an
ultimately trusted key, only consider the signatures on the specified
user id.
* tests/openpgp/tofu.scm: Add test for the above.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-10-13 21:14:55 +02:00
Neal H. Walfield
4c0389f8eb g10: Be more careful when checking cross signatures.
* g10/tofu.c (cross_sigs): When checking cross signatures, only
consider the signatures on the specified user id.
* tests/openpgp/tofu.scm: Add test for the above.
* tests/openpgp/tofu/cross-sigs/
  1938C3A0E4674B6C217AC0B987DB2814EC38277E-1.gpg:
  New file.
* tests/openpgp/tofu/cross-sigs/
  1938C3A0E4674B6C217AC0B987DB2814EC38277E-1.txt: New file.
* tests/openpgp/tofu/cross-sigs/
  1938C3A0E4674B6C217AC0B987DB2814EC38277E-2.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
  1938C3A0E4674B6C217AC0B987DB2814EC38277E-2.txt: New file.
* tests/openpgp/tofu/cross-sigs/
  1938C3A0E4674B6C217AC0B987DB2814EC38277E-3.txt: New file.
* tests/openpgp/tofu/cross-sigs/
  1938C3A0E4674B6C217AC0B987DB2814EC38277E-secret.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
  DC463A16E42F03240D76E8BA8B48C6BD871C2247-1.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
  DC463A16E42F03240D76E8BA8B48C6BD871C2247-1.txt: New file.
* tests/openpgp/tofu/cross-sigs/
  DC463A16E42F03240D76E8BA8B48C6BD871C2247-2.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
  DC463A16E42F03240D76E8BA8B48C6BD871C2247-2.txt: New file.
* tests/openpgp/tofu/cross-sigs/
  DC463A16E42F03240D76E8BA8B48C6BD871C2247-3.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
  DC463A16E42F03240D76E8BA8B48C6BD871C2247-3.txt: New file.
* tests/openpgp/tofu/cross-sigs/
  DC463A16E42F03240D76E8BA8B48C6BD871C2247-4.gpg: New file.
* tests/openpgp/tofu/cross-sigs/
  DC463A16E42F03240D76E8BA8B48C6BD871C2247-secret.gpg: New file.
* tests/openpgp/tofu/cross-sigs/README: New file.

--
Signed-off-by: Neal H. Walfield
2016-10-13 12:44:59 +02:00
Neal H. Walfield
e09166c772 g10: Still check if the key is an UTK or cross signed in batch mode.
* g10/tofu.c (get_trust): If POLICY is ask, but we can't ask, don't
bail immediately.  Instead, check if the key in question is an
ultimately trusted key or cross signed.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-10-13 12:40:03 +02:00
Neal H. Walfield
5bf92e51df g10: If an sqlite operation fails, map the error code to GPG_ERR_GENERAL
* g10/tofu.c (get_policy): If an sqlite operation fails, map the error
  code to GPG_ERR_GENERAL.
(ask_about_binding): Likewise.
(build_conflict_set): Likewise.
(get_trust): Likewise.
(show_statistics): Likewise.
(tofu_register_signature): Likewise.
(tofu_register_encryption): Likewise.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-10-13 12:32:03 +02:00
Neal H. Walfield
3ad17e72fa g10: When changing a TOFU binding's policy, update the conflict info
* g10/tofu.c (record_binding): Take an additional argument, CONFLICT.
Set the binding's conflict accordingly.  Update callers.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-10-12 21:42:10 +02:00
Neal H. Walfield
ca84f65c7c g10: Make a singular string singular.
* g10/tofu.c (ask_about_binding): Make the singular string singular.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-10-12 21:40:03 +02:00
Neal H. Walfield
6fdf37f083 g10: Correctly determine whether a binding has a conflict.
* g10/tofu.c (build_conflict_set): A binding has a conflict is
conflict is *not* NULL, not if it is NULL.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-10-12 21:39:12 +02:00
Neal H. Walfield
78eda335fd g10: Fix a column's type in TOFU DB.
* g10/tofu.c (initdb): Change policy from a boolean to an integer.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
Reported-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Note: sqlite ignores type information so this change has no real
impact.
2016-10-12 21:37:34 +02:00
Werner Koch
1a24c67e20
Revert "g10: Fix singular term."
--

This reverts commit b0d2526bc4.

The number of format elements may not change in ngettext.  The entire
construct is anyway wrong because ngettext is passed a different value
than what is used in the printf.

We need to rework the use of most strings in tofu.c.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-10-07 08:06:13 +02:00
Werner Koch
5d43d28aa3
gpg: Put extra parens around bit tests.
* g10/options.h (DBG_MPI): New.
* g10/gpg.c (set_debug): Use macro or extra parens for binary operator.
* g10/parse-packet.c (set_packet_list_mode): Use dbg macro.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-10-07 07:54:38 +02:00
Justus Winter
b0d2526bc4 g10: Fix singular term.
* g10/tofu.c (ask_about_binding): Fix singular message.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-10-06 14:33:20 +02:00
Justus Winter
73000d1ce0 g10: Use appropriate variant of 'abs'.
* g10/tofu.c (ask_about_binding): Use 'labs' instead of 'abs'.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-10-06 14:32:10 +02:00
Justus Winter
6b626824c8 g10: Fix testing for debug flag.
* g10/parse-packet.c (set_packet_list_mode): Fix testing for debug
flag.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-10-06 14:17:55 +02:00
Werner Koch
a43739a245
agent: Remove the warning for the GKR hijacking.
* g10/call-agent.c (check_hijacking): Remove.
(start_agent): Remove call.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-30 19:38:03 +02:00
Werner Koch
cbf2ac6669
gpg: Improve WKD by importing only the requested UID.
* g10/keyserver.c: Include mbox-util.h.
(keyserver_import_wkd): Do not use the global import options but
employ an import filter.
--

We also make sure that an mbox has been passed to keyserver_import_wkd
so it may also be called with a complete user id (which is currently
not the case).

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-28 15:35:31 +02:00
Werner Koch
80393661bd
gpg: Reject import if an import filter removed all user ids.
* g10/import.c (any_uid_left): New.
(import_one): Check that a UID is left.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-28 15:32:04 +02:00
Werner Koch
c9237bf2ba
gpg: Make import filter data object more flexible.
* g10/main.h (import_filter_t): New.
* g10/import.c (struct import_filter_s): Declare struct.
(import_keep_uid, import_drop_sig): Replace by ...
(import_filter): new.  Adjust all users.
(cleanup_import_globals): Move code to ...
(release_import_filter): new.
(save_and_clear_import_filter): New.
(restore_import_filter): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-28 13:47:34 +02:00
Werner Koch
829949f382
gpg: Make sure that internal key import is done with a binary stream.
* g10/import.c (import_keys_internal): Open stream in binary mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-28 13:36:28 +02:00
NIIBE Yutaka
4e4843e735 agent, sm: Set CTX after start_agent.
* g10/call-agent.c (agent_keytocard): Assign parm.ctx after start_agent.
* sm/call-agent.c (gpgsm_agent_pksign, gpgsm_scd_pksign)
(gpgsm_agent_readkey, gpgsm_agent_scd_serialno)
(gpgsm_agent_scd_keypairinfo, gpgsm_agent_marktrusted)
(gpgsm_agent_passwd, gpgsm_agent_get_confirmation)
(gpgsm_agent_ask_passphrase, gpgsm_agent_keywrap_key)
(gpgsm_agent_export_key): Likewise.

--

Reported-by: Rainer Perske
GnuPG-bug-id: 2699
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-09-27 14:45:21 +09:00
Neal H. Walfield
df5353b95e g10: When adding a user id, make sure the keyblock has been prepared.
* g10/keyedit.c (keyedit_quick_adduid): Call merge_keys_and_selfsig on
KEYBLOCK before adding the user id.
* tests/openpgp/quick-key-manipulation.scm: Make sure that the key
capabilities don't change when adding a user id.
(key-data): New function.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
GnuPG-bug-id: 2697
2016-09-22 21:32:31 +02:00
Werner Koch
998643666c
gpg: Fix regression in fingerprint printing.
* g10/keylist.c (list_keyblock_print): Do not depend calling
print_fingerprint on opt.keyid_format.
--

Regression-due-to: d757009a24
Debian-bug-id: 838153
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-19 17:48:04 +02:00
Justus Winter
086d219d96 g10: Fix memory leak.
* g10/tofu.c (build_conflict_set): Free 'kb_all'.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-09-19 12:32:50 +02:00
Werner Koch
18bbefa27f
gpg: Avoid malloc failure due to no key signatures
* g10/keyedit.c (check_all_keysigs): Check early for no key
signatures.  Use xtrycalloc.
--

GnuPG-bug-id: 2690
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-19 08:27:56 +02:00
Daniel Kahn Gillmor
0d67241e31 Fix more spelling
* NEWS, acinclude.m4, agent/command-ssh.c, agent/command.c,
  agent/gpg-agent.c, agent/keyformat.txt, agent/protect-tool.c,
  common/asshelp.c, common/b64enc.c, common/recsel.c, doc/DETAILS,
  doc/HACKING, doc/Notes, doc/TRANSLATE, doc/dirmngr.texi,
  doc/faq.org, doc/gpg-agent.texi, doc/gpg.texi, doc/gpgsm.texi,
  doc/instguide.texi, g10/armor.c, g10/gpg.c, g10/keyedit.c,
  g10/mainproc.c, g10/pkclist.c, g10/tofu.c, g13/sh-cmd.c,
  g13/sh-dmcrypt.c, kbx/keybox-init.c, m4/pkg.m4, sm/call-dirmngr.c,
  sm/gpgsm.c, tests/Makefile.am, tests/gpgscm/Manual.txt,
  tests/gpgscm/scheme.c, tests/openpgp/gpgv-forged-keyring.scm,
  tests/openpgp/multisig.test, tests/openpgp/verify.scm,
  tests/pkits/README, tools/applygnupgdefaults,
  tools/gpg-connect-agent.c, tools/mime-maker.c, tools/mime-parser.c:
  minor spelling cleanup.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-09-17 16:00:37 +09:00
Neal H. Walfield
6e930f0e40 g10: On failure, propagate the return code.
* g10/tofu.c (tofu_register_encryption): If get_trust fails, set RC.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-16 15:35:21 +02:00
Neal H. Walfield
3825847300 g10: Improve some comments and a string.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-16 15:35:20 +02:00
Neal H. Walfield
221b0bd0e5 g10: Don't ignore failure. On failure, rollback.
* g10/tofu.c (tofu_set_policy): If record_binding fails, fail.  If the
function fails, rollback the transaction.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-16 15:35:20 +02:00
Neal H. Walfield
c2e563421e g10: Load the key block if the supplied user id list is NULL.
* g10/tofu.c (tofu_register_encryption): Load the key block if
USER_ID_LIST is NULL.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-16 15:35:19 +02:00
Neal H. Walfield
af196342bf g10: Use the accessor functions for accessing and comparing key ids
* g10/tofu.c (get_trust): Use the pk_main_keyid accessor function.
(tofu_register_signature): Likewise.
(tofu_register_encryption): Likewise.
(tofu_set_policy): Likewise and also use pk_keyid and keyid_cmp.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-16 15:35:18 +02:00
Justus Winter
c0e620cee8 g10: Add missing header.
* g10/trustdb.c: Include 'mbox-util.h'.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-09-15 14:46:06 +02:00
Neal H. Walfield
3f7f744731 g10: Only consider bindings matching the signer's user id.
* g10/trustdb.c (tdb_get_validity_core): If the signer's user id
subpacket is present, only consider matching user ids.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-15 12:21:35 +02:00
Neal H. Walfield
dcc6466305 g10: Don't include the signature when printing a binding's validity.
* g10/mainproc.c (check_sig_and_print): When printing information
about a binding don't include the current signature.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-15 12:21:34 +02:00
Neal H. Walfield
9799b5d18f g10: Fix whitespace.
* g10/tofu.c (show_statistics): Fix whitespace.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-14 15:22:11 +02:00
Neal H. Walfield
05b2b13efd g10: Correctly compute the euclidean distance.
* g10/tofu.c (write_stats_status): Correctly compute the euclidean
distance.
(show_statistics): Likewise.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-14 15:22:10 +02:00
Neal H. Walfield
ca91caabb5 g10: Change the default TOFU policy for UTKs to good.
* g10/tofu.c (get_trust): Change the default TOFU policy for UTKs to
good.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-14 15:22:09 +02:00
Neal H. Walfield
9d62b79e62 g10: Add missing static qualifier.
* g10/tofu.c (cross_sigs): Add missing static qualifier.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-14 15:22:09 +02:00
Neal H. Walfield
8df8aa13c7 g10: Default to the "good" TOFU policy for keys signed by a UTK.
* g10/tofu.c (signed_by_utk): New function.
(get_trust): If a key is signed by an ultimately trusted key, then
set any bindings to good.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-14 15:22:08 +02:00
Werner Koch
f4e11f2e9e
gpg: Emit a new error status line in --quick-adduid.
* g10/keyedit.c (menu_adduid): Emit an ERROR status for an existsing
user id.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-14 10:59:18 +02:00
Werner Koch
0fd332bc1f
gpg: Allow use of "default" algo for--quick-addkey.
* g10/keygen.c (quick_generate_keypair): Write a status error.
(parse_algo_usage_expire): Set a default curve.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-14 09:46:10 +02:00
Werner Koch
30a011cfd6
gpg: Improve usability of --quick-gen-key.
* g10/keygen.c (FUTURE_STD_): New constants.
(parse_expire_string): Handle special keywords.
(parse_algo_usage_expire): Allow "future-default".  Simplify call to
parse_expire_string.
(quick_generate_keypair): Always allow an expiration date.  Replace
former "test-default" by "future-default".
--

Using an expiration date is pretty common, thus we now allow the
creation of a standard key with expiration date.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-13 11:30:54 +02:00
Werner Koch
31fc420727
gpg: Avoid mixing up status and colon line output.
* g10/keylist.c (list_keyblock_colon): Avoid calling functions which
trigger a status line output before having printed a LF.
--

Status lines like KEY_CONSIDERED and KEYEPXIRED were messing up the
colons output, like here:

  pub:[GNUPG:] KEY_CONSIDERED 94A5C9A03C2FE5CA3B095D8E1FDF723CF46[...]

Reported-by: Andreas Stieger <astieger@suse.com>
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-12 17:45:01 +02:00
Ben Kibbey
937ec53eff Fix symbol conflict.
* g10/gpgcompose.c: Rename struct siginfo to signinfo.
--

Fixes android-ndk and OpenIndiana (Solaris) builds.

Signed-off-by: Ben Kibbey <bjk@luxsci.net>
2016-09-10 13:42:09 -04:00
Daniel Kahn Gillmor
d757009a24
gpg: print fingerprint regardless of keyid-format
* g10/keylist.c (print_fingerprint): use compact format independent of
  keyid-format; (print_key_line): always print the fingerprint

--

The choice of fingerprint display should be independent of the
keyid-format.

Currently, the representation of the fingerprint changes depending on
whether the user has specified --keyid-format to anything besides
"none".  (this is common, for example, if someone happens to have
"keyid-format long" in their gpg.conf for interoperability with older
versions of gpg)

With this changeset, keyid-format governs only the format of the
displayed keyID, while the fingerprint display is governed only by the
fingerprint options:

 [default]::
    compact fpr of pubkey only
 --with-fingerprint::
    human-readable form of fpr of pubkey only
 --with-fingerprint --with-fingerprint::
    human-readable form of pubkey and subkey
 --with-subkey-fingerprint:
    compact fpr for pubkey and subkeys

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-09-09 08:17:49 +02:00
Werner Koch
30a9f53a0f
gpg: Remove option --yes from gpgv
* g10/gpgv.c (opts): Remove --yes.
(main): Always set opt.ANSWER_YES.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-08 14:34:13 +02:00
Werner Koch
a8363b7d0b
gpg: Add options --output and --yes to gpgv.
* g10/gpgv.c (oOutput, oAnswerYes): New.
(opts): Add --output and --yes.
(main): Implement options.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-08 10:50:51 +02:00
Werner Koch
bbe940c095
gpg: Make --output work with --verify.
* g10/mainproc.c (proc_plaintext): Handle opt.output.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-08 00:45:45 +02:00
Neal H. Walfield
bde29a46ce g10: Use the time a signature was seen, not the embedded time, for stats
* g10/tofu.c (ask_about_binding): Use the time that a signature was
seen, not allegedly generated, when generating statistics.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-07 11:17:47 +02:00
Neal H. Walfield
ee06b3f788 g10: Check for a new binding a bit later.
* g10/tofu.c (build_conflict_set): Check for the current key after
looking for conflicts and removing any '!'.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
Fixes-commit: 1f1f56e6
2016-09-07 10:53:28 +02:00
Neal H. Walfield
7b3e8572e3 g10: Change TOFU code to respect --faked-system-time.
* g10/tofu.c (record_binding): New parameter now.  Update callers.
Don't use SQLite's strftime('%s','now') to get the current time, use
NOW.
(ask_about_binding): Likewise.
(get_trust): New parameter now.  Update callers.
(show_statistics): Likewise.
(tofu_register_signature): Don't use SQLite's strftime('%s','now') to
get the current time, use gnupg_get_time().
(tofu_register_encryption): Likewise.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-07 10:28:39 +02:00
Neal H. Walfield
56c18408d4 g10: Use the correct conversion function.
* g10/tofu.c (show_statistics): Use string_to_ulong, not
string_to_long.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
Fixes-commit: 875ac921
2016-09-07 10:06:58 +02:00
Neal H. Walfield
1f90d3c71e g10: Add missing sqrtu32.h and sqrtu32.c.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
Fixes-commit: 875ac92.
2016-09-07 08:55:17 +02:00
Werner Koch
97a67d42dc
gpg: Fix format string issues in tofu.
* g10/tofu.c (write_stats_status): Use ulong for MESSSAGES.  Fix
format strings.  Simplify by using the new write_status_printf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-07 08:41:48 +02:00
Werner Koch
c894fa8d37
g10: Temporary hack to repalce missing sqrtu32.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-07 08:40:18 +02:00
Neal H. Walfield
13ddc17ddb g10: Make sure some functions are passed a primary key.
* g10/tofu.c (get_trust): Make sure the caller provides a primary key.
(tofu_register_signature): Likewise.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-06 22:40:59 +02:00
Neal H. Walfield
ee19eacd1d g10: Tweak TOFU's verbosity.
* g10/tofu.c (time_ago_str): Only show the most significant unit.
* g10/tofu.c (show_statistics): Tweak the output.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-06 22:40:01 +02:00
Neal H. Walfield
67cef405cb g10: Only show the TOFU warning once per key.
* g10/tofu.c (show_statistics): Return whether to call show_warning.
Move the warning from here...
(show_warning): ... to this new function.
(tofu_get_validity): If show_statistics returns a non-zero value, call
show_warning.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-06 22:10:57 +02:00
Neal H. Walfield
875ac9216f g10: Record and show statistics for encrypted messages when using TOFU
* g10/tofu.c: Include "sqrtu32.h".
(struct tofu_dbs_s.s): Rename get_trust_gather_other_keys to
get_trust_gather_signature_stats.  Add new field
get_trust_gather_encryption_stats.
(initdb): Create the encryptions table.
(ask_about_binding): Show the encryption statistics too.
(tofu_register): Rename from this...
(tofu_register_signature): ... to this and update callers.
(tofu_register_encryption): New function.
(write_stats_status): Add parameters encryption_count,
encryption_first_done and encryption_most_recent.  Update callers.
Compute the trust using the euclidean distance of the signature and
signature count.  Compare with twice the threshold.  Include
encryption count information in the TFS and TOFU_STATS lines.
(show_statistics): Also get information about the encrypted messages.
* g10/trustdb.c (tdb_get_validity_core): Use it.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-06 21:37:48 +02:00
Neal H. Walfield
a9e6db6c7e g10: Simplify the binding statistics shown for a TOFU conflict.
* g10/tofu.c (ask_about_binding): Simplify binding statistics.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-06 21:37:47 +02:00
Neal H. Walfield
9082bde01c g10: Don't add user attributes to the TOFU DB.
* g10/trustdb.c (tdb_get_validity_core): Skip user attributes.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-05 16:48:51 +02:00
Neal H. Walfield
1f1f56e606 g10: Refactor cross sig check code.
* g10/tofu.c (BINDING_NEW): New enum value.
(BINDING_CONFLICT): Likewise.
(BINDING_EXPIRED): Likewise.
(BINDING_REVOKED): Likewise.
(ask_about_binding): Move cross sig check from here...
(get_trust): ... and the conflict set building from here...
(build_conflict_set): ... to this new function.
(format_conflict_msg_part1): Replace parameter conflict with
conflict_set.  Drop parameter fingerprint.  Update callers.
(ask_about_binding): Drop unused parameter conflict and redundant
parameter bindings_with_this_email_count.  Rename parameter
bindings_with_this_email to conflict_set.  Update callers.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-05 15:14:27 +02:00
Werner Koch
0ac671f8a2
common: Add an assuan logging monitor.
* common/asshelp.c (my_log_monitor): New var.
(my_libassuan_log_handler): Run that monitor.
(setup_libassuan_logging): Add arg to set a log monitor and change all
callers.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-05 11:58:48 +02:00
Werner Koch
0a4a03e531
gpg: New export filter drop-subkey.
* g10/import.c (impex_filter_getval): Add properties for key packets.
* g10/export.c (export_drop_subkey): New var.
(cleanup_export_globals): Release that var.
(parse_and_set_export_filter): Add filter "drop-subkey".
(apply_drop_subkey_filter): New.
(do_export_stream): Run that filter.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-05 09:52:04 +02:00
Werner Koch
c8e0d37f41
gpg: Use a common filter_getval for import and export.
* g10/import.c (filter_getval): Rename to ...
(impex_filter_getval): this.  Make global.
(apply_keep_uid_filter, apply_drop_sig_filter): Adjust.
* g10/export.c (filter_getval): Remove.
(apply_drop_sig_filter): Use impex_filter_getval.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-05 09:52:04 +02:00
Neal H. Walfield
85fad6c34c g10: End transaction earlier.
* g10/tofu.c (ask_about_binding): End the transaction earlier.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-01 23:32:00 +02:00
Neal H. Walfield
b410a3cb76 g10: Don't consider cross-signed keys to be in conflict.
* g10/tofu.c (cross_sigs): New function.
(ask_about_binding): If apparently conflicting keys are cross signed,
then don't mark them as conflicting.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>

If two keys are cross signed, then the same person (probably)
controlled them both.  In this case, don't raise a TOFU conflict.
This usually occurs when someone transitions to a new key.  When that
person rotates to a third key, she will typically only cross sign it
with the second key.  As such, we check this transitively to avoid
declaring a conflict between the 1st and 3rd key.
2016-09-01 23:32:00 +02:00
Werner Koch
38d369de13
gpg: Avoid homedir creation by --list-config
* g10/gpg.c (main): Do not register a key for the list config
commands.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-01 19:22:48 +02:00
Werner Koch
fde9fa81d3
gpg: Simplify code to print VALIDSIG.
* g10/mainproc.c (check_sig_and_print): Use hexfingerprint and
write_status_printf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-01 16:39:41 +02:00
Werner Koch
6bdadae005
gpg: Add new function write_status_printf.
* g10/cpr.c (write_status_printf): New.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-01 16:39:41 +02:00
Werner Koch
37e3c89725
gpg: Fix printing of pubkey algo in --verbose signature verify.
* g10/sig-check.c (check_signature2): Replace arg PK by R_PK and
change the semantics.  Also clear the other R_ args on function entry,
use gpg_error() and change retturn type to gpg_error_t.
* g10/mainproc.c (do_check_sig): Add arg R_PK.
(list_node): Pass NULL for new arg.
(check_sig_and_print): Rework to make use of the returned PK.
--

The output

gpg: textmode signature, digest algorithm SHA256, key algorithm rsa2048

showed the pubkey algo of the primary key which was surprising.
Changed to print the algo of the subkey used for verification.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-01 16:39:41 +02:00
Neal H. Walfield
44690befad g10: Fix typo.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-01 14:31:55 +02:00
Neal H. Walfield
3d44e5e8a8 g10: When asking about a TOFU binding conflict, default to unknown.
* g10/tofu.c (ask_about_binding): Default to unknown.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-01 14:31:31 +02:00
Neal H. Walfield
f2e5cb6ffb g10: Add support for TRUST_NEVER.
* g10/pkclist.c (do_we_trust): Handle TRUST_NEVER, which can be
returned by the TOFU trust model.
(do_we_trust_pre): Print a different message if TRUSTLEVEL is
TRUST_NEVER.
(check_signatures_trust): Improve comment.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-01 13:29:56 +02:00
Neal H. Walfield
0cb0ea1633 g10: Improve text.
* g10/tofu.c (show_statistics): Improve the text (key and user id, not
just key).

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-01 13:17:54 +02:00
Neal H. Walfield
00c2850393 g10: Remove unused parameter.
* g10/tofu.c (show_statistics): Remove unused parameter sig_exclude.
Update callers.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-01 13:17:06 +02:00
Werner Koch
3e67b50490
gpg: Copy the correct digest for use by TOFU.
* g10/mainproc.c (do_check_sig): Use the current digest algo.
--

Note that the digest context may have several algos enabled, which is
is case if keys with different hash preferences signed the data.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-09-01 12:52:21 +02:00
Neal H. Walfield
4cbd2a690c g10: Be careful to not be in a transaction during long operations
* g10/tofu.c (begin_transaction): New parameter only_batch.  If set,
only start a batch transaction if there is none and one has been
requested.  Update callers.
(tofu_suspend_batch_transaction): New function.
(tofu_resume_batch_transaction): Likewise.
(ask_about_binding): Take a ctrl_t, not a tofu_dbs_t.  Update
callers.  Gather statistics within a transaction.  Suspend any batch
transaction when getting user input.
(get_trust): Take a ctrl_t, not a tofu_dbs_t.  Update callers.
Enclose in a transaction.
(tofu_get_validity): Use a batch transaction, not a normal
transaction.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-09-01 12:43:34 +02:00
Neal H. Walfield
edfb6934ca g10: On a TOFU conflict, show whether the uids are expired or revoked
* g10/tofu.c (struct signature_stats): Add fields is_expired and
is_revoked.
(signature_stats_prepend): Clear *stats when allocating it.
(ask_about_binding): Also show whether the user ids are expired or
revoked.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-31 17:52:50 +02:00
Neal H. Walfield
28c235ae75 g10: Always trust ultimately trusted keys.
* g10/tofu.c (get_trust): Always return TRUST_ULTIMATE for ultimately
trusted keys.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-31 13:53:36 +02:00
Neal H. Walfield
5b48960a8a g10: Fix error detection.
* g10/tofu.c: first_seen == 0 is not an error.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>

Fixes-commit: 0f1f02ac
Regression-due-to: 45bb9a2a
2016-08-31 12:11:58 +02:00
Neal H. Walfield
e4d5e3cb0d g10: Update a key's TOFU policy in a transaction.
* g10/tofu.c (tofu_set_policy): Do the update in a transaction.
* g10/gpg.c (main): Do a TOFU policy update in a batch transaction.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-31 11:47:50 +02:00
Neal H. Walfield
247eef005c g10: Fix the show old policy functionality when changing a TOFU policy.
* g10/tofu.c (record_binding): Fix the show old policy functionality.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-31 11:39:35 +02:00
Neal H. Walfield
70df5a8fd7 g10: Drop unused argument.
* g10/tofu.c (begin_transaction): Remove unused option only_batch.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-31 10:58:18 +02:00
Neal H. Walfield
268f6b7a34 gpg: Move state local to tofu.c to a private structure.
* g10/gpg.h (struct server_control_s.tofu): Move fields in_transaction
and batch_update_started from here...
* g10/tofu.c (struct tofu_dbs_s): ... to here.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-31 10:47:05 +02:00
Neal H. Walfield
b8184d2d74 gpg: Avoid name spaces clash with future sqlite versions (2).
* g10/gpgsql.h (gpgsql_arg_type): Rename SQLITE_ARG_END to
GPGSQL_ARG_END, SQLITE_ARG_INT to GPGSQL_ARG_INT, SQLITE_ARG_LONG_LONG
to GPGSQL_ARG_LONG_LONG, SQLITE_ARG_STRING to GPGSQL_ARG_STRING, and
SQLITE_ARG_BLOB to GPGSQL_ARG_BLOB.

--
This commit completes the work started in b1ba460.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-31 10:14:19 +02:00
Werner Koch
76304a971f
gpg: Fix regression in gpgv's printing of the keyid.
* g10/keyid.c (keystr): Take care of KF_NONE != KF_DEFAULT.
--

Debian-bug-id: 836144
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-31 08:48:28 +02:00
Neal H. Walfield
371ae66e9d g10: Improve TOFU batch update code.
* g10/gpg.h (tofu): Rename field batch_update_ref to
batch_updated_wanted.
* g10/tofu.c (struct tofu_dbs_s): Rename field batch_update to
in_batch_transaction.
(begin_transaction): Only end an extant batch transaction if we are
not in a normal transaction.  When ending a batch transaction, really
end it.  Update ctrl->tofu.batch_update_started when starting a batch
transaction.
(end_transaction): Only release a batch transaction if ONLY_BATCH is
true.  When releasing a batch transaction, assert that there is no
open normal transaction.  Only allow DBS to be NULL if ONLY_BATCH is
true.
(tofu_begin_batch_update): Don't update
ctrl->tofu.batch_update_started.
(opendbs): Call end_transaction unconditionally.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-30 16:06:40 +02:00
Neal H. Walfield
3beeaa70bd g10: Improve TOFU debugging output and some comments.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-30 16:06:39 +02:00
Neal H. Walfield
d0451440c0 g10: If a key has no valid user ids, change TOFU to return TRUST_NEVER.
* g10/tofu.c (tofu_get_validity): If a key has no valid (non-expired)
user ids, change TOFU to return TRUST_NEVER.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-30 16:06:38 +02:00
Neal H. Walfield
6052c14709 g10: Change tofu_register & tofu_get_validity to process multiple uids.
* g10/tofu.c (tofu_register): Take a list of user ids, not a single
user id.  Only register the bindings, don't compute the trust.  Thus,
change return type to an int and remove the may_ask parameter.  Update
callers.
(tofu_get_validity): Take a list of user ids, not a single user id.
Update callers.  Observe signatures made by expired user ids, but
don't include them in the trust calculation.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-30 16:06:37 +02:00
Neal H. Walfield
33e97813d7 g10: Support nested transactions on the TOFU DB.
* g10/gpg.h (struct server_control_s): New field in_transaction.
* g10/tofu.c (struct tofu_dbs_s): Remove fields savepoint_inner and
savepoint_inner_commit.
(begin_transaction): Increment CTRL->TOFU.IN_TRANSACTION.  Name the
savepoint according to the nesting level.
(end_transaction): Name the savepoint according to the nesting level.
Decrement CTRL->TOFU.IN_TRANSACTION.
(rollback_transaction): Likewise.  Only ever rollback a non-batch
transaction.
(opendbs): Assert that there are no outstanding transactions.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-30 15:54:41 +02:00
Neal H. Walfield
4c2abb221b g10: Print the info text in more situations.
* g10/tofu.c (ask_about_binding): Print the info text when the policy
is ask and there are multiple bindings with the email address.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-30 15:54:40 +02:00
Neal H. Walfield
0858f141a8 g10: Print the formatted text.
* g10/tofu.c (ask_about_binding): Print the formatted text, not the
unformatted text.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-30 15:54:39 +02:00
Neal H. Walfield
8dda861ad8 g10: When showing a user id's trust, pass the current signature.
* g10/mainproc.c (check_sig_and_print): Consistently pass SIG to
get_validity.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-08-30 15:54:38 +02:00
Werner Koch
bdbd03608b
gpg: Make decryption of -R work w/o --try-secret-key or --default-key.
* g10/getkey.c (enum_secret_keys): At state 3 enumerate the keys in all
cases not just when --try-all-secrets is used.
--

Regression-due-to: 82b90eee10
Reported-by: Carola Grunwald
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-29 07:56:03 +02:00
Werner Koch
0a5a854510
gpg: Fix false negatives in Ed25519 signature verification.
* g10/pkglue.c (pk_verify): Fix Ed25519 signatrue values.
* tests/openpgp/verify.scm (msg_ed25519_rshort): New
(msg_ed25519_sshort): New.
("Checking that a valid Ed25519 signature is verified as such"): New.
--

About one out of 256 signature won't verify due to stripped zero
bytes.  See the source comment for details.

Reported-by: Andre Heinecke
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-25 16:18:00 +02:00
Werner Koch
74a082bc10
common: Rename an odd named function.
* common/openpgp-oid.c (oid_crv25519): Rename to oid_cv25519.
(openpgp_oid_is_crv25519): Rename to openpgp_oid_is_cv25519.  Change
callers.

--

We use "cv25519" everywhere else and thus the test function should not
have a surprising name.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-25 15:16:32 +02:00
Werner Koch
19d12be3ce
gpg: New option --with-tofu-info.
* g10/gpg.c (oWithTofuInfo): New.
(opts): Add --with-tofu-info.
(main): Set opt.with_tofu_info.
* g10/options.h (struct opt): Add field WITH_TOFU_INFO.
* g10/tofu.c (show_statistics): Add optional arg OUTFP and enter
special mode if not NULL.  Change all callers.
(tofu_write_tfs_record): New.
* g10/keylist.c (list_keyblock_colon): Do not print the tofu policy as
part of the "uid" record.  Print a new "tfs" record if the new option
is set.
* tests/openpgp/tofu.scm (getpolicy): Change from UID to TFS record.
--

A separate option is required to avoid slowing down key listings.
Foer example the current code takes for a keylisting in tofu+pgp mode
17 seconds while it takes more than 5 minutes if the option is used.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-25 09:37:56 +02:00
Werner Koch
0f1f02acc1
gpg: Change TOFU_STATS to return timestamps.
* g10/tofu.c (write_stats_status): Add arg FP to print a colon
formated line.  Adjust for changed TOFU_STATS interface.
(show_statistics): Let the query return timestamps and use
gnupg_get-time to compute the "time ago" values.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-24 19:56:14 +02:00
Werner Koch
1b55e86442
gpg: Add import filter "drop-sig".
* g10/import.c (import_drop_sig): New variable.
(cleanup_import_globals): Release that.
(parse_and_set_import_filter): Add filter "drop-sig".
(filter_getval): Implement properties for drop-sig.
(apply_drop_sig_filter): New.
(import_one): Apply that filter.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-18 16:15:49 +02:00
Werner Koch
de6e3217cd
gpg: New option --sender
* g10/options.h (struct opt): Add field 'sender_list'.
* g10/gpg.c: Include mbox-util.h.
(oSender): New.
(opts): Add option "--sender".
(main): Parse option.
--

This option will eventually be used for more advanced purposes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-18 10:08:34 +02:00
Daniel Kahn Gillmor
61c2a1fa6d
Call log_set_prefix() with human-readable labels.
* agent/preset-passphrase.c, agent/protect-tool.c, dirmngr/dirmngr.c
* dirmngr/t-http.c, g10/gpg.c, g10/gpgv.c, g13/g13-syshelp.c
* g13/g13.c, kbx/kbxutil.c, scd/scdaemon.c, sm/gpgsm.c
* tests/gpgscm/main.c, tools/gpg-check-pattern.c
* tools/gpg-connect-agent.c, tools/gpgconf.c, tools/gpgtar.c
* tools/symcryptrun.c: Invoke log_set_prefix() with
human-readable labels.

--

Some invocations of log_set_prefix() were done with raw numeric values
instead of values that humans can understand.  Use symbolic
representations instead of numeric for better readability.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-08-12 12:16:19 +02:00
Werner Koch
70b5d7c43a
gpg: New option --input-size-hint.
* g10/options.h: Include stdint.h.
(struct opt): Add field 'input_size_hint'.
* g10/gpg.c (oInputSizeHint): New.
(opts): Add --input-size-hint.
(main): Set opt.input_size_hint.
* g10/progress.c (write_status_progress): Use the hint.
--

This is a prerequisite to fix
GnuPG-bug-id: 2368

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-11 21:32:55 +02:00
Werner Koch
ed5c1b0b8a
gpg: Print the signer's UID during verification.
* g10/parse-packet.c (parse_signature): Sanitize the value stored in
SIGNERS_UID.
* g10/mainproc.c (issuer_fpr_string): New.
(check_sig_and_print): Print the signers' UID.  Print the issuer
fingerprint in --rfc4880bis mode.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-10 19:53:53 +02:00
Werner Koch
5b59999ce0
gpg: Remove tofu database format "split".
* g10/options.h (struct opt): Remove field tofu_db_format.
* g10/gpg.h (server_control_s): Add fields tofu.batch_update_ref and
tofu.batch_update_started.
* g10/gpg.c (parse_tofu_db_format): Remove.
(main): Make option --tofu-db-format obsolete.
* g10/tofu.c: Major rework.  Remove the pretty complicated and slower
split format and with that all the caching.  Use the dbs struct
directly.  Move global vars for batch update into CTRL.  Change
calling conventions of some function to take CTRL or DBS pointers
instead of  the former low-level database pointer.
--

The split database format might have been nice for use with Unison but
it bypasses the concept of a relational database by doing parts of
this itself and also risking deadlocks.  Working with the Tofu
database for debugging or experiments is also not possible with parts
of the database logic implemented in gpg.

The Tofu support is quite new and we can assume that it is not in real
use now.  Thus we better remove that now so that we do not need to
maintain it for all future.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-10 16:55:04 +02:00
Justus Winter
a27410a251 g10: Fix opening of trust database.
* g10/tdbio.c (tdbio_set_dbname): This function explicitly checks for
the file size, but handled the case of a zero-sized file incorrectly
by returning success.  Fix this by initializing the database in that
case.
* tests/openpgp/Makefile.am (XTESTS): Add new test.
* tests/openpgp/issue2417.scm: New file.

GnuPG-bug-id: 2417
Signed-off-by: Justus Winter <justus@g10code.com>
2016-08-10 16:50:29 +02:00
Werner Koch
16feb1e0ea
gpg: Extend the PROGRESS line to give the used unit.
* g10/progress.c (write_status_progress): Print the units parameter.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-09 16:28:39 +02:00
Ben Kibbey
49829c29e5 Cleanup initialization of libgcrypt.
* common/init.c (init_common_subsystems): Initialize libgcrypt.
* dirmngr/Makefile.am (dirmngr_ldap): Link with libgcrypt.

--
Most other modules already call gcry_check_version() after
init_common_subsystems() so may as well move initialization of libgcrypt
to here. Also fixes a warning in the system log from gpgconf --homedir.

Signed-off-by: Ben Kibbey <bjk@luxsci.net>
2016-08-09 10:47:46 +02:00
Werner Koch
491d6fdabb
gpg: Cleanup of dek_to_passphrase function (part 2).
* g10/passphrase.c (passphrase_get): Remove arg KEYID.  Change arg
MODE to NOCACHE.
(passphrase_to_dek): Remove args KEYID and PUBKEY_ALGO.  Split arg
MODE into CREATE and NOCACHE.  Change all callers and adjust stubs.
(passphrase_clear_cache): Remove args KEYID and ALGO.  They are not
used.  Change caller.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-08 20:32:08 +02:00
Werner Koch
5b614973fe
gpg: Cleanup of dek_to_passphrase function (part 1).
* g10/passphrase.c (passphrase_to_dek_ext): Remove args CUSTDESC and
CUSTPROMPT.  Merge into the passphrase_to_dek wrapper.
(passphrase_get): Remove args CUSTOM_DESCRIPTION and CUSTOM_PROMPT.
--

The function is nowadays only used for symmetric encryption.  Thus we
do not need all the former advanced stuff.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-08 18:47:27 +02:00
Daniel Kahn Gillmor
c9387e41db
gpg: Avoid publishing the GnuPG version by default
* g10/gpg.c (main): initialize opt.emit_version to 0
* doc/gpg.texi: document different default for --emit-version

--

The version of GnuPG in use is not particularly helpful.  It is not
cryptographically verifiable, and it doesn't distinguish between
significant version differences like 2.0.x and 2.1.x.

Additionally, it leaks metadata that can be used to distinguish users
from one another, and can potentially be used to target specific
attacks if there are known behaviors that differ between major
versions.

It's probably better to take the more parsimonious approach to
metadata production by default.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-08-05 12:23:04 +02:00
Werner Koch
c8cc804f56
gpg: Make sure that keygrips are printed for each subkey.
* g10/keylist.c (list_keyblock_colon): Print an emprty grip in case of
an error.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-04 15:34:14 +02:00
Werner Koch
54a1ed20e2
gpg: Always print the fingerprint in colons mode.
* g10/keylist.c (list_keyblock_colon): Remove arg FPR.  Always print
fingerprint records.  For secret keys always print keygrip records.
--

The fingerprint should always be used thus we should always print it.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-04 15:01:52 +02:00
NIIBE Yutaka
6f284e6ed6 g10: Fix checking key for signature validation.
* g10/sig-check.c (check_signature2): Not only subkey, but also primary
key should have flags.valid=1.

--

The tweak of gpgv in e32c575e0f only makes
sense with this change.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-08-04 16:21:39 +09:00
Daniel Kahn Gillmor
dc107b7850 More cleanup of "allow to".
* README, agent/command.c, agent/keyformat.txt, common/i18n.c,
  common/iobuf.c, common/keyserver.h, dirmngr/cdblib.c,
  dirmngr/ldap-wrapper.c, doc/DETAILS, doc/TRANSLATE,
  doc/announce-2.1.txt, doc/gpg.texi, doc/gpgsm.texi,
  doc/scdaemon.texi, doc/tools.texi, doc/whats-new-in-2.1.txt,
  g10/export.c, g10/getkey.c, g10/import.c, g10/keyedit.c, m4/ksba.m4,
  m4/libgcrypt.m4, m4/ntbtls.m4, po/ca.po, po/cs.po, po/da.po,
  po/de.po, po/el.po, po/eo.po, po/es.po, po/et.po, po/fi.po,
  po/fr.po, po/gl.po, po/hu.po, po/id.po, po/it.po, po/ja.po,
  po/nb.po, po/pl.po, po/pt.po, po/ro.po, po/ru.po, po/sk.po,
  po/sv.po, po/tr.po, po/uk.po, po/zh_CN.po, po/zh_TW.po,
  scd/app-p15.c, scd/ccid-driver.c, scd/command.c, sm/gpgsm.c,
  sm/sign.c, tools/gpgconf-comp.c, tools/gpgtar.h: replace "Allow to"
  with clearer text.

In standard English, the normal construction is "${XXX} allows ${YYY}
to" -- that is, the subject (${XXX}) of the sentence is allowing the
object (${YYY}) to do something.  When the object is missing, the
phrasing sounds awkward, even if the object is implied by context.
There's almost always a better construction that isn't as awkward.

These changes should make the language a bit clearer.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-08-03 16:55:33 +02:00
Daniel Kahn Gillmor
cd45cf782b Fix spelling and grammar.
* agent/learncard.c: s/coccured/occurred/
* doc/dirmngr.texi: s/ommitted/omitted/, s/orginally/originally/,
  s/reponses/responses/i
* doc/gpg-agent.texi, doc/dirmngr.texi, doc/gpg.texi: Fix "allows
  to" to more conventional english usage.
* doc/tools.texi, g10/gpgcommpose.c, tests/openpgp/armor.scm,
  tests/openpgp/armor.test: s/occured/occurred/
* tools/gpgsplit.c: s/calcualting/calculating/
* sm/server.c: s/formated/formatted/

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-08-03 16:54:01 +02:00
Werner Koch
48a2c93a18
gpg,gpgsm: Block signals during keyring/keybox update.
* kbx/keybox-util.c (keybox_file_rename): Add arg BLOCK_SIGNALS.
* kbx/keybox-update.c (rename_tmp_file): Block all signals when doing
a double rename.
* g10/keyring.c (rename_tmp_file): Block all signals during the double
rename.
--

This might fix
Debian-bug-id: 831510

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-08-03 15:31:27 +02:00
Justus Winter
4ba11251af g10: Fix key import statistics.
'transfer_secret_keys' collects statistics on a subkey-basis, while
the other code does not.  This leads to inflated numbers when
importing secret keys.  E.g. 'count' is incremented by the main
parsing loop in 'import', and again in 'transfer_secret_keys', leading
to a total of 3 if one key with two secret subkeys is imported.

* g10/import.c (import_secret_one): Adjust to the fact that
'transfer_secret_keys' collects subkey statistics.
* tests/openpgp/Makefile.am (TESTS): Add new test.
* tests/openpgp/issue2346.scm: New file.
* tests/openpgp/samplekeys/issue2346.gpg: Likewise.

GnuPG-bug-id: 2346
Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-25 12:50:35 +02:00
Justus Winter
d9839c9d30 g10: Properly ignore legacy keys in the keyring cache.
* g10/keyring.c (keyring_rebuild_cache): Properly ignore legacy keys
in the keyring cache.
* tests/migrations/Makefile.am (TESTS): Add new test.
* tests/migrations/common.scm (GPG-no-batch): New variable.
(run-test): New function.
* tests/migrations/issue2276.scm: New file.
* tests/migrations/issue2276.tar.asc: Likewise.

GnuPG-bug-id: 2276
Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-22 14:17:24 +02:00
Justus Winter
45bb9a2a46 g10: Fix error handling.
* g10/tofu.c (show_statistics): Fix error handling, 0 is a valid
duration.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-21 18:22:18 +02:00
Justus Winter
8a6f8e1e39 g10: Drop superfluous begin transaction.
* g10/tofu.c (record_binding): We only need a transaction for the
split format.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-21 18:07:22 +02:00
Justus Winter
1af2fd44f0 g10: Fix crash.
* g10/tofu.c (tofu_closedbs): Fix freeing database handles up to the
cache limit.  Previously, this would crash if db_cache_count == count.

Reported-by: Ben Kibbey <bjk@luxsci.net>
Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-21 11:49:33 +02:00
Justus Winter
d21efa3988 g10: Fix building without trust models.
* g10/pkclist.c (write_trust_status): Fall back to the previous
behavior.

Fixes-commit: ae188932
Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-15 12:35:08 +02:00
Werner Koch
1e9bc66a9a
gpg: Remove options --print-dane-records and --print-pka-records.
* g10/gpg.c (main): Remove options but print a dedicated warning.
* g10/options.h (struct opt): Remove fields 'print_dane_records' and
'print_pka_records'.
* g10/keylist.c (list_keyblock): Do not call list_keyblock_pka.
(list_keyblock_pka): Remove.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-14 15:19:36 +02:00
Werner Koch
3b8ed7650d
gpg: Fix regression due to the new --mimemode options.
* g10/gpg.c (opts): Re-add oTextmodeShort.
--

Regression-due-to: e148c3caa9
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-13 18:29:40 +02:00
Daiki Ueno
82b90eee10
gpg: Make --try-all-secrets work for hidden recipients
* g10/getkey.c (enum_secret_keys): Really enumerate all secret
keys if --try-all-secrets is specified.
--

GnuPG-bug-id: 1985
Signed-off-by: Daiki Ueno <ueno@gnu.org>

- Add new arg CTRL to getkey_byname call.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-13 18:15:52 +02:00
Werner Koch
7b96a8d736
gpg: Do not print a the short keyid if the high word is zero.
* g10/keyid.c (format_keyid): Always returh long keyid ifor KF_LONG.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-13 17:19:56 +02:00
Werner Koch
e148c3caa9
gpg: New option --mimemode.
* g10/gpg.c (oMimemode): New.
(opts): Add --mimemode.
(main): Use --mimemode only in rfc4880bis compliance mode.
* g10/options.h (struct opt): Add field "mimemode".
* g10/build-packet.c (do_plaintext): Allow for mode 'm'.
* g10/encrypt.c (encrypt_simple, encrypt_crypt): Use 'm' if requested.
* g10/plaintext.c (handle_plaintext): Handle 'm' mode.
* g10/sign.c (write_plaintext_packet): Handle 'm' mode.
(sign_file, sign_symencrypt_file): Use 'm' if requested.
--

Thsi patch prepares for a proposed change in RFC4880bis to support a
MIME flag.  A literal data packet with the mime flag set is handled
like a 't' or 'u' but CR are not removed.  The PLAINTEXT status line
will also indicate a MIME content.

If --mimemode is used without --rfc4880bis 't' will be used.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-13 13:31:12 +02:00
Werner Koch
9b075575cd
gpg: Extend import-option import-export to print PKA or DANE.
* g10/export.c (do_export_stream): Move PKA and DANE printing helper
code to ...
(print_pka_or_dane_records): this fucntion.
(write_keyblock_to_output): Add arg OPTIOSN and call
print_pka_or_dane_records if requested.
--

It is now possible to print a DANE record given a a file with a key
without importing the key first:

  gpg --export-options export-dane \
      --import-options import-export \
      --import-filter keep-uid='mbox =~ alpha' \
      --import FILE_WITH_KEY

Using the filter we only print a user id with the substring "alpha" in
the addr-spec.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-12 15:13:34 +02:00
Werner Koch
0f5b105d96
gpg: Move a function from import.c to export.c.
* g10/import.c (write_keyblock_to_output): Move to ...
* g10/export.c (write_keyblock_to_output): here.  Add arg WITH_ARMOR.
Also make sure never to export ring trust packets.
2016-07-12 15:13:34 +02:00
NIIBE Yutaka
e32c575e0f gpgv: Tweak default options for extra security.
* g10/gpgv.c (main): Set opt.no_sig _cache, so that it doesn't depend on
cached status.  Similarly, set opt.flags.require_cross_cert for backsig
validation for subkey signature.

--

It is common that an organization distributes binary keyrings with
signature cache (Tag 12, Trust Packet) and people use gpgv to validate
signature with such keyrings.  In such a use case, it is possible that
the key validation itself is skipped.

For the purpose of gpgv validation of signatures, we should not depend
on signature cache in keyrings (if any), but we should validate the key
by its self signature for primary key, and back signature for subkey.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-07-09 10:20:02 +09:00
Werner Koch
cbe467e794
gpg: Add export options "export-pka" and "export-dane".
* g10/options.h (EXPORT_PKA_FORMAT): New.
* g10/keylist.c (list_keyblock_pka): Do not use DANE flag.
* g10/export.c: Include zb32.h.
(parse_export_options): Add options "export-pka" and "export-dane".
(do_export): Do not armor if either of these option is set.
(print_pka_or_dane_records): New.
(do_export_stream): Implement new options.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-07 17:35:20 +02:00
Werner Koch
b05878f32a
gpg: Split a too large export function.
* g10/export.c (do_export_stream): Factor some code out to ...
(do_export_one_keyblock): new.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-07 17:35:20 +02:00
Werner Koch
a479804c86
gpg: New options --recipient-file and --hidden-recipient-file.
* g10/gpg.c (oRecipientFile, oHiddenRecipientFile): New.
(opts): Add options --recipient-file and --hidden-recipient-file.
(main): Implement them.  Also remove duplicate code from similar
options.
* g10/keydb.h (PK_LIST_FROM_FILE): New.
(PK_LIST_SHIFT): Bump up.
* g10/pkclist.c (expand_group): Take care of PK_LIST_FROM_FILE.
(find_and_check_key): Add and implement arg FROM_FILE.
(build_pk_list): Pass new value for new arg.
* g10/getkey.c (get_pubkey_fromfile): New.
* g10/gpgv.c (read_key_from_file): New stub.
* g10/test-stubs.c (read_key_from_file): New stub.
* g10/server.c (cmd_recipient): Add flag --file.
* g10/import.c (read_key_from_file): New.

* tests/openpgp/defs.scm (key-file1): New.
(key-file2): New.
* tests/openpgp/setup.scm: Add their private keys and import the
key-file1.
* tests/openpgp/encrypt.scm: Add new test.

--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-06 15:35:19 +02:00
Werner Koch
073be51a86
gpg: New option --no-keyring.
* g10/gpg.c (oNoKeyring): New.
(opts): Add "--no-keyring".
(main): Do not register any keyring if the option is used.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-06 15:33:53 +02:00
Werner Koch
fdfde91595
gpg: Document use of node flags in import.c and remove unused args.
* g10/import.c (NODE_GOOD_SELFSIG): New.  Use instead of 1.
(NODE_BAD_SELFSIG): New.  Use instead of 2.
(NODE_DELETION_MARK): New.  Use instead of 4.
(NODE_FLAG_A): New.  Use to mark new nodes in merge_blocks.
(chk_self_sigs): Remove unused args FNAME and PK.
(import_one): Adjust call.  Simplify error return because
chk_self_sigs does not return an error code.
(append_uid, append_key, merge_sigs, merge_keysigs): Remove unsued
args FNAME and KEYID.
(merge_blocks, import_one, import_secret_one)
(import_revoke_cert): Remove unused arg FNAME.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-06 11:29:19 +02:00
Werner Koch
7e0c48eb6f
gpg: Get rid of an unused arg in a function in getkey.c.
* g10/getkey.c (pk_from_block): Remove unused arg CTX.  Change all
callers.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-06 08:55:34 +02:00
Werner Koch
9385dfeb9d
gpg: Change calling convention for a function in getkey.c
* g10/getkey.c (merge_selfsigs): Remove arg CTX.  Add args REQ_USAGE
and WANT_EXACT.
(finish_lookup): Adjust caller.  Set LOOKUP_NOT_SELECTED here...
(lookup): and not here.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-06 08:55:30 +02:00
Werner Koch
5d1a9c4dc8
gpg: Fix possible out-of-bounds read in is_armored.
* g10/armor.c (check_input): Call is_armored only if LEN >= 2.
(unarmor_pump): Use a 2 byte buffer for is_armored.
--

Fixes-commit: 605276ef8c
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-05 18:49:06 +02:00
Justus Winter
a6b87981f7 g10: Fix out-of-bounds read.
* g10/armor.c (use_armor_filter): We need two bytes for 'is_armored'.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-05 12:38:15 +02:00
Werner Koch
9177a89773
gpg: Avoid spurious failures on keyblocks with no or only deleted nodes.
* g10/import.c (write_keyblock_to_output): Clear ERR on success.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-03 11:56:10 +02:00
Werner Koch
7bfc86c938
gpg: New option --export-filter
* g10/gpg.c (oExportFilter): New.
(opts): Add --export-filter.
(main): Handle option.
* g10/export.c: Include recsel.h, init.h, and mbox-util.h.
(export_keep_uid): New global var.
(cleanup_export_globals): New.
(parse_and_set_export_filter): New.
(filter_getval): New.
(apply_keep_uid_filter): New.
(do_export_stream): Apply filter if set.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-01 16:50:12 +02:00
Werner Koch
5137bf73cc
gpg: New option --import-filter
* g10/gpg.c (oImportFilter): New.
(opts): Add --import-filter.
(main): Handle option.
* g10/import.c: Include recsel.h, init.h, and mbox-util.h.
(import_keep_uid): New global var.
(cleanup_import_globals): New.
(parse_and_set_import_filter): New.
(filter_getval): New.
(apply_keep_uid_filter): New.
(import_one): Apply filter if set.
--

Funny new option.  It can for example be used to export a key with
only one user id:

  gpg --no-options --import --import-options import-export \
      --import-filter keep-uid='mbox=wk@gnupg.org'         \
     < full-key.pub > key-with-one-uid.pub

More features will eventually be added.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-01 16:28:29 +02:00
Werner Koch
f015552374
gpg: Allow to cache the mbox in a user id struct.
* g10/packet.h (PKT_user_id): Add field 'mbox'.
* g10/free-packet.c (free_user_id): Free that.
--

This will be required by the coming import filter.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-01 16:27:43 +02:00
Werner Koch
d8bce478be
gpg: Make sure a user ID packet has always a terminating Nul in memory.
* g10/keygen.c (write_uid): Avoid overflow.
--

Also the actual length if the user ID is given by LEN, using NAME
diretcly is often more convenient.
2016-07-01 16:27:43 +02:00
Justus Winter
78aeb236fe g10: Fix memory leak.
* g10/keyserver.c (parse_keyserver_uri): Free URI.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-01 14:16:18 +02:00
Justus Winter
c454922ffa g10: Fix memory leak.
* g10/import.c (transfer_secret_keys): Release curve from the previous
iteration.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-01 13:43:01 +02:00
Justus Winter
ff77b92aae g10: Fix build with disabled kbnode cache.
* g10/kbnode.c (release_unused_nodes): Fix build with disabled kbnode
cache.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-01 12:50:29 +02:00
Justus Winter
44d4c69572 g10: Fix memory leak.
* g10/trustdb.c (tdb_get_validity_core): Fix kbnode leak.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-01 12:48:57 +02:00
Justus Winter
5fafd18d47 g10: Fix memory leak.
* g10/keygen.c (keygen_set_std_prefs): Fix memory leak.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-01 11:41:20 +02:00
Justus Winter
6bfbc368f9 Fix trivial memory leaks in tests.
* dirmngr/t-ldap-parse-uri.c (check_ldap_escape_filter): Free result.
* g10/t-stutter.c (main): Free file name.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-07-01 09:47:48 +02:00
Justus Winter
401db0eebb g10: Fix memory leak.
* g10/export.c (do_export_stream): Free secret parameters.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-06-30 18:50:16 +02:00
Justus Winter
eb4cdbefb0 g10: Fix memory leak.
* g10/keygen.c (read_parameter_file): Free 'line'.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-06-30 18:50:16 +02:00
Justus Winter
1de362af90 g10: Fix memory leak.
* g10/sign.c (mk_notation_policy_etc): Free 'mbox'.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-06-30 18:50:16 +02:00
Justus Winter
6b9a89e4c7 common: Fix memory leak.
* g10/textfilter.c (copy_clearsig_text): Free buffer.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-06-30 18:50:16 +02:00
Justus Winter
29beea6462 g10: Fix keybox-related memory leaks.
* g10/keydb.c (keydb_release): Clear keyblock cache.
(keydb_get_keyblock): Revert previous change.
* kbx/keybox-blob.c (create_blob_finish): Free previous buffer, free
fixups after applying them.
(_keybox_release_blob): Free buffer.  Currently, the buffer has been
extracted before the keybox is released, but this is the right thing
to do here.

Fixes-commit: c57501cc
Signed-off-by: Justus Winter <justus@g10code.com>
2016-06-30 18:50:16 +02:00
Justus Winter
5869f518cb g10: Fix memory leak.
* g10/compress.c (release_context): Free buffers.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-06-30 18:50:16 +02:00
Justus Winter
84f262102b g10: Fix memory leak.
* g10/sign.c (write_plaintext_packet): Free packet.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-06-30 18:50:16 +02:00
Justus Winter
abae8a9dc8 g10: Fix memory leak.
* g10/mainproc.c (release_list): Do not exit early if list is NULL,
there are other resources that must be released.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-06-30 15:31:37 +02:00
Justus Winter
dbcb342eaf w32: Fix build.
* g10/keyedit.c (keyedit_quick_revuid): Fix call to
'check_trustdb_stale'.

Fixes-commit: 55d112ee
Signed-off-by: Justus Winter <justus@g10code.com>
2016-06-30 15:28:42 +02:00
Daniel Kahn Gillmor
55d112eeb0
g10: Implement gpg --quick-revuid
* g10/revoke.c (get_default_uid_revocation_reason): New.
* g10/keyedit.c (menu_revuid): Break out creation of uid revocation
into new function core_revuid.
* g10/keyedit.c (keyedit_quick_revuid): New. Selects key and
uid, invokes core_revuid.
* g10/gpg.c (main): Handle --quick-revuid argument.
* doc/gpg.texi: Document --quick-revuid.

--

This functionality is a counterpart to --quick-adduid, and will be
useful for projects that depend programmatically on gpg to revoke user
IDs (one such example is "monkeysphere-host revoke-servicename").

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

- Minor re-indentation work.
- Changed a "0 == memcmp" to "!memcmp"
- Removed tests/openpgp/quick-key-manipulation.test from the
  Makefile.  This test needs to be converted to gpgscm.
- Removed example from whats-new-in-2.1.txt because that is generated.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-30 11:45:13 +02:00
Justus Winter
c57501cc5f g10: Fix memory leaks.
* g10/keydb.c (keydb_get_keyblock): Free 'sigstatus' and 'iobuf'.
* g10/t-keydb-get-keyblock.c: Fix trivial memory leaks.
* g10/t-keydb.c: Likewise.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-06-28 18:21:50 +02:00
Werner Koch
20ca075d96
gpg: Add hack to --quick-gen-key to create Curve25519 keys.
* g10/keygen.c (quick_generate_keypair): Add special algo string
"test-default".
--

Well, this is a hack to quickly create keys with the algorithms we
will eventually use as defaults.  Usage:

  gpg -v --quick-gen-key --passphrase '' --batch USERID test-default

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-28 15:53:59 +02:00
NIIBE Yutaka
52f65281f9 g10: Fix --list-packets.
* g10/gpg.c (main): Call set_packet_list_mode after assignment of
opt.list_packets.
* g10/mainproc.c (do_proc_packets): Don't stop processing with
--list-packets as the comment says.
* g10/options.h (list_packets): Fix the comment.
* g10/parse-packet.c: Fix the condition for opt.list_packets.

--

Debian-bug-id: 828109
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-06-28 15:56:48 +09:00
Werner Koch
7bca3be65e
gpg: New import option "import-export".
* g10/import.c (parse_import_options): Add option "import-export".
(write_keyblock_to_output): New.
(import_one): Implement option.
--

We are now in the import export business.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-24 13:11:37 +02:00
Werner Koch
1e5959ec05
gpg: New import option "import-show".
* g10/options.h (IMPORT_SHOW): New.
* g10/import.c (parse_import_options): Add "import-show".
(import_one): Implement that.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-23 20:01:15 +02:00
Werner Koch
09c6f71351
gpg: Do not print the validity after key generation.
* g10/keylist.c (struct keylist_context): Add field NO_VALIDITY.
(list_keyblock_print): Take care of it.
(list_keyblock_direct): Add arg NO_VALIDITY.
* g10/keygen.c (do_generate_keypair): Merge keyblock and print w/o
validity.
--

It will always be ultimate and by not printing it we avoid a lot of
garbage output due to the trustdb re-calculation.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-23 20:01:15 +02:00
NIIBE Yutaka
6f5ff1cfe4 g10: Fix regression of card-edit/fetch.
* g10/card-util.c (fetch_url): Call keyserver_fetch instead of
keyserver_import_fprint.

--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-06-23 12:12:43 +09:00
Werner Koch
955baf0436
gpg: Add experimental support for an issuer fpr.
* common/openpgpdefs.h (SIGSUBPKT_ISSUER_FPR): New.
* g10/build-packet.c (build_sig_subpkt_from_sig): Add arg PKSK and
insert the issuer fpr if needed.
* g10/sign.c (write_signature_packets): Pass signing key.
(make_keysig_packet): Ditto.
(update_keysig_packet): Ditto.
* g10/parse-packet.c (dump_sig_subpkt): Print issuer fpr.
(parse_one_sig_subpkt): Detect issuer fpr.
(can_handle_critical): Add issuer fpr.
* g10/mainproc.c (check_sig_and_print): Try to get key via fingerprint.
* g10/gpgv.c (keyserver_import_fprint): New stub.
* g10/test-stubs.c (keyserver_import_fprint): New stub.
--

This support is enabled with the --rfc4880bis option and intended to
test to recently proposed issuer fpr.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-20 23:59:18 +02:00
Werner Koch
ee2d9061d7
gpg: New option --rfc4880bis.
* g10/options.h (struct opt): Add field flags.rfc4880bis.
* g10/gpg.c (oRFC4880bis): new.
(opts): add --rfc4880bis.
(main): Implement that and print a warning.
--

This is option enables experimental features which may be dropped or
changed with the next release.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-20 23:59:18 +02:00
Niibe Yutaka
35a3ce2acf g10: Fix another race condition for trustdb access.
* g10/tdbio.c (create_version_record): Call create_hashtable to always
make hashtable, together with the version record.
(get_trusthashrec): Remove call to create_hashtable.

--

GnuPG-bug-id: 1675
Thanks to Scott Moser for a reproducible script and patience.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-06-15 08:49:50 +09:00
Werner Koch
b56aebe766
gpg: Print the subkey's curve and not the primary key curve.
* g10/keylist.c (list_keyblock_colon): Use PK2 for the subkey's curve.
--

Reported-by: mantorix at vollbio punkt de
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-14 23:15:32 +02:00
Werner Koch
f980cd2e0e
gpg: Avoid endless loop in a tofu error case.
* g10/tofu.c (get_trust): Do not jump to out.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-14 12:04:01 +02:00
Werner Koch
1affdf1efc
gpg: Split tofu's get_trust function into several smaller ones.
* g10/tofu.c (get_trust): Factor code out to ...
(format_conflict_msg_part1): new and to ...
(ask_about_binding): new.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-14 12:02:22 +02:00
Werner Koch
5ddccf4fc6
doc: Consistently use 'keyserver'.
--
GnuPG-bug-id: 2383

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-14 09:06:44 +02:00
Werner Koch
9e126af215
gpg: Un-deprecate option --auto-key-retrieve.
* g10/gpg.c (main): Remove deprecation warning.
--

Most options for the keyserver have been moved to dirmngr and thus it
does not make sense to favor "--keyserver-options auto-key-retrieve"
over the direct options --auto-key-retrieve and --no-auto-key-retrieve.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-13 11:32:38 +02:00
Werner Koch
61e7fd68c0
gpg: New option --disable-signer-uid, create Signer's UID sub-packet.
* g10/gpg.c (oDisableSignerUID): New.
(opts): New option '--disable-signer-uid'.
(main): Set option.
* g10/options.h (opt): Add field flags.disable_signer_uid.
* g10/sign.c: Include mbox-util.h.
(mk_notation_policy_etc): Embed the signer's uid.
* g10/mainproc.c (check_sig_and_print): Do not use WKD for auto key
retrieval if --disable-signer-uid is used.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-13 11:24:09 +02:00
Werner Koch
08c82b1b55
gpg: Try Signer's User ID sub-packet with --auto-key-retrieve.
* g10/packet.h (PKT_signature): Add field 'signers_uid'.
* g10/parse-packet.c (parse_signature): Set this field.
* g10/free-packet.c (free_seckey_enc): Free field.
(copy_signature): Copy field.
* g10/mainproc.c (akl_has_wkd_method): New.
(check_sig_and_print): Extend NEWSIG status.  If WKD is enabled try to
locate a missing key via the signature's Signer's User ID sub-packet.
Do this right before trying a keyserver lookup.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-13 10:40:34 +02:00
Werner Koch
18b03e756b
gpg,indent: Re-indent and chnage var names in sign.c
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-13 09:37:53 +02:00
Werner Koch
334e993a71
gpg: Remove C-99ism, re-indent, and simplify one function.
* g10/call-agent.c (struct keyinfo_data): Rename to
keyinfo_data_parm_s.
(agent_get_keyinfo): Replace C-99 style init.
(keyinfo_status_cb): Use new fucntion split_fields.
* g10/export.c (match_curve_skey_pk): Add missings returns error
cases.
(cleartext_secret_key_to_openpgp): Better clear PK->PKEY first.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-11 20:42:28 +02:00
Daniel Kahn Gillmor
c41c46fa84
g10: Export cleartext keys as cleartext
* g10/export.c (do_export_stream): If a key is stored by the agent in
cleartext, then try to export it as cleartext.
* tests/openpgp/export.test: For secret keys that are stored in
cleartext, test should try to export without pinentry interaction.
--

This restores the behavior of GnuPG 2.0 and 1.4 when exporting
passphraseless secret keys, and fixes the test suite accordingly.

GnuPG-bug-id: 2070, 2324
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-06-11 11:18:58 +02:00
Daniel Kahn Gillmor
a3cb72af79
g10: Allow receiving cleartext secret keys from agent
* g10/export.c (match_curve_skey_pk): New function, testing whether an
OpenPGP public key and an S-expression use the same curve.
* g10/export.c (cleartext_secret_key_to_openpgp): New function,
filling in the secret key parameters of a PKT_public_key object from
a corresponding cleartext S-expression.
* g10/export.c, g10/main.h (receive_seckey_from_agent): Add cleartext
parameter, enabling retrieval of the secret key, unlocked.
* g10/export.c (do_export_stream): Send cleartext as 0, keeping current
behavior.
* g10/keygen.c (card_store_key_with_backup): Use cleartext=0 to ensure
that smartcard backups are all passphrase-locked.
--

This sets up internal functionality to be capable of exporting
cleartext secret keys, but does not change any existing behavior.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-06-11 11:16:19 +02:00
Daniel Kahn Gillmor
7de7432076
g10: Add openpgp_protected flag to agent secret key export functions
* g10/call-agent.c, g10/call-agent.h (agent_export_key): Add
openpgp_protected flag.
* g10/export.c (receive_seckey_from_agent): Request openpgp_protected
secret keys from agent.
* agent/command.c (hlp_export_key): EXPORT_KEY help text: add a
brief description of the effect of --openpgp.
--

The --openpgp flag for gpg-agent's EXPORT_KEY actually forces
encryption in a certain (RFC 4880-compatible format).  This changeset
exposes that functionality in internal functions, and clarifies
functionality in the agent's help text.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-06-11 11:14:00 +02:00
Daniel Kahn Gillmor
00f30cc01c
g10: report whether key in agent is passphrase-protected or not
* g10/call-agent.c, g10/call-agent.h (agent_get_keyinfo): add
  r_cleartext parameter to report whether a key is stored without
  passphrase protection.
* g10/gpgv.c, g10/test-stubs.c: augment dummy agent_get_keyinfo to
  match new API.
* g10/export.c, g10/keyedit.c, g10/keygen.c, g10/keylist.c,
  g10/sign.c: pass NULL to agent_get_keyinfo since we do not yet
  need to know whether agent is passphrase-protected.

--

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-06-11 11:09:09 +02:00
Werner Koch
6790115fd9
w32: Fix recent build regression.
* common/homedir.c (_gnupg_socketdir_internal) [W32]: Add definition
for NAME.
* g10/gpg.c (main) [W32]:  Fix use og gnupg_homedir.

* agent/gpg-agent.c (remove_socket): Remove unused var P.
* scd/scdaemon.c (cleanup): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-08 15:14:06 +02:00
Werner Koch
fb88f37c40
common: Remove homedir arg from start_new_{dirmngr,gpg_agent}.
* common/asshelp.c (start_new_gpg_agent): Remove arg 'homedir' in
favor of gnupg_homedir ().  Change all callers.
(start_new_dirmngr): Ditto.
* common/get-passphrase.c (gnupg_prepare_get_passphrase): Remove arg
'homedir'.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-07 13:09:00 +02:00
Werner Koch
22a7ef01aa
Replace use of opt.homedir by accessor functions.
* common/homedir.c (the_gnupg_homedir): New var.
(gnupg_set_homedir): New.
(gnupg_homedir): New.
* g10/options.h (struct opt): Remove 'homedir' and replace all users
by the new accessor functions.
* g13/g13-common.h (struct opt): Ditto.
* scd/scdaemon.h (struct opt): Ditto.
* sm/gpgsm.h (struct opt): Ditto.
* dirmngr/dirmngr.h (struct opt): Ditto.
* agent/preset-passphrase.c (opt_homedir): Ditto.
* agent/protect-tool.c (opt_homedir): Ditto.
--

This will make detection of a non-default homedir easier.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-07 10:59:46 +02:00
NIIBE Yutaka
abeeb84a94 gpg: Fix command line parsing of --quick-addkey and --quick-gen-key.
* g10/gpg.c (main): Compose a block by curly braces.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-06-07 14:16:32 +09:00
Werner Koch
7257ea2d45
gpg: Use --keyid-format=none by default.
* g10/gpg.c (main): Init keyid_format to KF_NONE.
* g10/keyid.c (format_keyid): Ditto.
(keystrlen): Ditto.
--

GnuPG-bug-id: 2379
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-06 17:03:47 +02:00
Werner Koch
1d1cb86694
gpg: Add option --with-subkey-fingerprint.
* g10/gpg.c (oWithSubkeyFingerprint): New.
(opts): Add --with-subkey-fingerprint[s].
(main): Set that option.
* g10/options.h (struct opt): Add 'with_subkey_fingerprint'.
* g10/keylist.c (list_keyblock_print): Print subkey fingerprint.
(print_fingerprint): Tweak printing to use compact format if
desirable.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-06 16:56:18 +02:00
Werner Koch
b047388d57
gpg: Implement --keyid-format=none.
* g10/gpg.c (main): Add option "none" to --keyid-format.
* g10/options.h (KF_NONE): New.
* g10/keyid.c (format_keyid): Implement that.
(keystr): Use format "long" is KF_NONE is in use.
(keystr_with_sub): Ditto.
* g10/keylist.c (list_keyblock_print): Adjust indentaion for KF_NONE.
Factor some code out to ...
(print_key_line): new.
(print_fingerprint): Add mode 20.
* g10/mainproc.c (list_node): Use print_key_line.  Replace MAINKEY by
flags.primary in the PK.  Fix putting a " revoked..." string into the
colons format.
* g10/pkclist.c (do_edit_ownertrust): Use print_key_line.  This
slightly changes the putput format.
* g10/revoke.c (gen_standard_revoke): Use print_key_line.  This may
also put "expires: " into the output.
--

Due to user experience problems with the keyid and we better allow to
show the fingerprint instead.  Note that we do not support v3 keys
anymore and thus there is no technical need for a user to know the
keyid.

GnuPG-bug-id: 2379
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-06-06 16:03:22 +02:00
Werner Koch
e792eb1bb4
indent: Wrap strings in debug messages.
--
2016-06-06 12:24:53 +02:00