* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
(change_keyattr): Follow the change.
(app_select_openpgp): Handle the error of parse_algorithm_attribute.
--
Backport master commit of:
53eddf9b9ea01210f71b851b5cb92a5f1cdb6f7d
This change allows following invocation of app_select_openpgp, which
may work well (if the problem is device side for initial connection).
GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/gpgconf.c: Assign short options -X and -V
(show_version_gnupg): Print the vsd version if available.
--
These changes are helpful for phone support.
* sm/minip12.c: Update from master.
* sm/import.c (parse_p12): Pass NULL for curve.
--
Over the last years we had a couple of changes not backported to 2.2.
However, to support DFN p12 files and probably other p12 files we need
to update the minip12.c module. Instead of picking commits we take
the module verbatim, which is relatively easy because it was
originally designed to be a standalone module.
Summary of commits taken from master:
sm: Improve pkcs#12 debug output.
sm: Rework the PKCS#12 parser to support DFN issued keys.
sm: Fix parsing encrypted data.
sm: Do not print certain issuer not found diags in quiet mode.
sm: Silence some output on --quiet
sm: Replace all assert calls by log_assert.
doc: Typo fixes in code comments
sm: Add support to export ECC private keys.
Detailed log messages for those commits:
commit 52f9e13c0cb3b42c469e2d00352ab36948ca1e55
sm: Improve pkcs#12 debug output.
* sm/minip12.c (parse_shrouded_key_bag): Fix offset diagnostic.
(parse_cert_bag): Ditto.
(parse_bag_data): Remove debug output. Pass startoffset.
Fix offset diagnostic.
commit a4e04375e84ecb7ea0d02e153cb27988fca4c2d0
sm: Rework the PKCS#12 parser to support DFN issued keys.
* sm/minip12.c (struct p12_parse_ctx_s): New. Use this instead of
passing several parameters to most functions.
(parse_pag_data): Factor things out to ...
parse_shrouded_key_bag): new.
(parse_cert_bag): New.
(parse_bag_data): New.
(p12_parse): Setup the parse context.
To support newer pkcs#12 files like those issued by the DFN we
need to support another ordering of data elements. This rework
reflects the P12 data structure a bit better than our old ad-hoc
hacks. Tests could only be done with the certificate parts and
not the encrypted private keys.
GnuPG-bug-id: 6037
commit 6c50834c0905b55ee2da18728194dd4c93c377bf
sm: Fix parsing encrypted data.
* sm/minip12.c (cram_octet_string): Finish when N==0.
(parse_bag_encrypted_data): Support constructed data with multiple
octet strings.
GnuPG-bug-id: 5793
commit a170f0e73f38e474b6d4463433fe344eca865fa5
sm: Do not print certain issuer not found diags in quiet mode.
* sm/certchain.c (find_up_dirmngr): Print one diagnostic only in
verbose mode. Do not print issuer not found diags in quiet mode.
* sm/minip12.c (parse_bag_data): Add missing verbose condition.
GnuPG-bug-id: 4757
commit 615d2e4fb15859320ea0ebec1bb457c692c57f0a
sm: Silence some output on --quiet
* sm/encrypt.c (gpgsm_encrypt): Take care of --quiet.
* sm/gpgsm.c: Include minip12.h.
(set_debug): Call p12_set_verbosity.
* sm/import.c (parse_p12): Dump keygrip only in debug mode.
* sm/minip12.c (opt_verbose, p12_set_verbosity): New.
(parse_bag_encrypted_data): Print info messages only in verbose
mode.
GnuPG-bug-id: 4757
commit 9ee975d588ee99550917e3d459dd6f79057f5c30
gpgsm: Replace all assert calls by log_assert.
commit 9bc9d0818b0e636a9dbc0dd24edf53eae95dd8e7
doc: Typo fixes in code comments
commit 5da6925a334c68d736804d8f19a684a678409d99
sm: Add support to export ECC private keys.
* sm/minip12.c [TEST]: Remove test code. Include util.h, tlv.h. and
openpgpdefs.h. Remove the class and tag constants and replace
them by those from tlv.h.
(builder_add_oid, builder_add_mpi): New.
(build_key_sequence): Rename to ...
(build_rsa_key_sequence): this.
(build_ecc_key_sequence): New.
(p12_build): Call RSA or ECC builder.
(p12_raw_build): Ditto.
* sm/export.c (gpgsm_p12_export): Use correct armor header for ECC.
(sexp_to_kparms): Support ECC.
GnuPG-bug-id: 4921
* common/tlv-builder.c: New.
* common/tlv.c: Remove stuff only used by GnuPG 1.
(put_tlv_to_membuf, get_tlv_length): Move to ...
* common/tlv-builder.c: here.
* common/tlv.h (tlv_builder_t): New.
--
Such code should actually go into libksba and we will eventually do
that. However, for now it is easier to keep it here.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 5ea878274ef51c819368f021c69c518b9aef6f82)
- Add coverity meta comment from
commit a95ddffdcd58383cce93677be5e7e11c5c229a98
* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--
Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong. Fixed by always using a break to
terminate the escape detection loop. Might have happened for all
status lines which may wrap.
GnuPG-bug-id: T6027
* common/iobuf.c (iobuf_cancel): Use gnupg_remove
* common/mischelp.c (same_file_p): Allow for Unicode names.
--
Note that the second patch is used to handle Unicode filenames which
are symbolic links.
* scd/apdu.c (all_zero_p): New.
(send_le): Use it.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 9b6f574928546e6905a92c3e74d72478f1585c66)
* scd/app-p15.c (any_control_or_space_mem): New.
(get_dispserialno): Add new code.
--
This works with my test cards and now reflects what's printed on the
front matter of the card.
* scd/app-p15.c (readcert_by_cdf): Do not use extended mode if the CDF
object has no length info. Add debug output when reading a cert.
(read_p15_info): No more need to disable extended mode for GeNUA cards.
* scd/scdaemon.c (debug_flags): Add "card".
* scd/scdaemon.h (DBG_CARD_VALUE, DBG_CARD): New.
--
Some information from parsing the card are often very helpful.
However, the card_io triggered APDU dumps are in most cases too heavy.
Thus this new debug flag.
* g10/parse-packet.c (mpi_read_detect_0_removal): New.
(parse_key): Use mpi_read_detect_0_removal for PUBKEY_ALGO_EDDSA
to tweak the checksum.
--
GnuPG-bug-id: 5120
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--
This also includes a speedo update for the Scute based authenticode
thing which has been manually added to speedo.mk at the end of the
release process of 2.2.35.
* g10/mainproc.c (proc_symkey_enc): Issue new error code.
(proc_encrypted): Ditto.
--
This allows GPGME to return a better error message than "bad session
key" to the user. Technically we could get run into these errors also
in other cases but this more unlikley. For the command line use we
don't do anything to not change the expected output of the command
line interface.
GnuPG-bug-id: 5943
* g10/gpg.c (main): Set LOG_NO_REGISTRY.
* sm/gpgsm.c (main): Ditto.
* tools/gpg-connect-agent.c (main): Ditto.
* tools/gpgconf.c (main): Ditto.
(show_other_registry_entries): Print "DefaultLogFile".
--
The intention of this mostly forgotten registry entry was to allow for
easy debugging of the tools. However, with the global config
files (and in 2.3 with common.conf) things are anyway better. We
disable the use for the commonly used tools so that it does not look
like calling gpg on the command line seems to block with no output if
the log server (e.g. tcp://1.2.3.4:11111) is not reachable.
* scd/ccid-driver.c (ccid_dev_scan): Use loop var and not the count.
--
Due to an assignment out of bounds this might lead to a crash if there
are more than 15 readers. In any case it fixes a memory leak.
Kudos to the friendly auditor who found that bug.
Fixes-commit: 8a41e73c31adb86d4a7dca4da695e5ad1347811f
* scd/app-p15.c (CARD_PRODUCT_GENUA): New.
(cardproduct2str): Add it.
(read_p15_info): Detect and set GENUA
(make_pin_prompt): Take holder string from the AODF.
* scd/app-p15.c (auth_type_t): New.
(struct aodf_object_s): Add field auth_type.
(read_ef_aodf): Distinguish between pin and authkey types. Include
the authtype in the verbose mode diags.
--
Note that the bulk of changes are just indentation changes. There
should be no functional change.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e387cc97c82313457e4f79729a137e5871891bc1)
* scd/app-p15.c (CARD_TYPE_AET): New.
(cardtype2str): Add string.
(card_atr_list): Add corresponding ATR.
(app_local_s): New flag no_extended_mode. Turn two other flags into
bit flags.
(select_ef_by_path): Hack to handle the 3FFF thing.
(readcert_by_cdf): Do not use extended mode for AET.
(app_select_p15): Set no_extended_mode.
---
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 544ec7872aed24c296ea34fac777eca287f7bb47)
* common/dotlock.c (read_lockfile): Return FD in R_FD.
(dotlock_take_unix): Fix a race condition by new read_lockfile and
checking with fstat. Describe one race condition in comment.
(dotlock_release_unix): Follow the change of read_lockfile.
--
GnuPG-bug-id: 5884
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/gpgtar.c: New option --with-log.
* tools/gpgtar.h (opt): Add field with_log.
* tools/gpgtar-extract.c (gpgtar_extract): Move directory string
building up. Add option --log-file if needed.
* tools/gpgtar-create.c (gpgtar_create): Make tmpbuf static becuase it
is used outside of its scope.
* tools/gpgtar-list.c (gpgtar_list): Ditto.
* dirmngr/server.c (proc_wkd_get): Take care of DNS server failures
--
Unfortunately there are resolver setups which don't handle SRV records
but return a server error. We let a not found error pass, because
that merely means the domain does not exists.
GnuPG-bug-id: 4729
* tools/gpgtar.h (opt): Add new flags.
* tools/gpgtar.c: new options --batch, --yes, --no, --status-fd, and
--require-compliance.
(main): Init signals.
* tools/gpgtar-create.c: Add new header files.
(gpgtar_create): Rework to use a pipe for encryption and signing.
* tools/gpgtar-list.c: Add new header files.
(gpgtar_list): Rework to use a pipe for decryption.
* tools/gpgtar-extract.c: Add new header files.
(gpgtar_extract): Rework to use a pipe for decryption.
--
Fixes-commit: 40dbee86f3043aff8a8c2055521e270318e33068
* g10/misc.c (openpgp_cipher_algo_mode_name): New.
* g10/decrypt-data.c (decrypt_data): Use function here.
--
With out this change we would see
gpg: cipher algorithm 'AES256' may not be used in
--compliance=de-vs mode
This is confusing because AES256 is compliant. Now we see
gpg: cipher algorithm 'AES256.OCB' may not be used in
--compliance=de-vs mode
which gives a hint on the problem.
* common/mapstrings.c (struct intmapping_s): New.
(map_static_strings): New.
* common/stringhelp.c (do_strconcat): Rename to ...
(vstrconcat): this and make global.
* common/t-mapstrings.c (test_map_static_strings): New test.