1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-10-30 19:58:44 +01:00
Commit Graph

9124 Commits

Author SHA1 Message Date
Werner Koch
fc99ff8aff
speedo: Authenticode sign two more tools.
--
2022-09-02 12:05:26 +02:00
Werner Koch
8c22b00268
common: Make nvc_lookup more robust.
* common/name-value.c (nvc_first): Allow for NULL arg.
(nvc_lookup): Allow for PK being NULL.
--

GnuPG-bug-id: 6176
2022-09-01 17:35:41 +02:00
Werner Koch
9eb03b722c
Post release updates
--
2022-09-01 13:35:39 +02:00
Werner Koch
0b786fde77
Release 2.2.38 2022-09-01 12:05:21 +02:00
NIIBE Yutaka
d1490c6df9 po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-01 14:53:44 +09:00
Werner Koch
ea34325c54
dirmngr: New option --debug-cache-expired-certs.
* dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs:
* dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
(opts): Add option.
(parse_rereadable_options): Set option.
* dirmngr/certcache.c (put_cert): Handle the option.
2022-08-31 18:13:25 +02:00
Werner Koch
a95a31cd2f
gpg: Add descriptions for --auto-key-import and --include-key-import
--

Actually we once had them but they got lost at some point.  The German
translation is also up-to-date now.
2022-08-31 18:06:16 +02:00
Werner Koch
0b91fa0f13
common,w32: Fix an encoding problem of the printed timezone.
* common/gettime.c (w32_strftime) [W32]: New function.
(strftime) [W32]: New refinition macro.
--

GnuPG-bug-id: 5073
2022-08-31 17:32:45 +02:00
Werner Koch
e05fb5ca37
gpg: Emit STATUS_FAILURE for --require-compliance errors
* g10/misc.c (compliance_failure): Do not fallback to CO_GNUPG.  Print
compliance failure error and status for CO_DE_VS.
* g10/mainproc.c (proc_encrypted): Call compliance_failure in the
require-compliance error case.
* g10/encrypt.c (check_encryption_compliance): Ditto.
2022-08-31 15:34:17 +02:00
NIIBE Yutaka
e1169e8f8a
scd: Add npth_unprotect/npth_protect for blocking operations.
* scd/ccid-driver.c (ccid_open_usb_reader): Name the thread.
(ccid_vendor_specific_setup, ccid_open_usb_reader): Wrap
blocking operations by npth_unprotect/npth_protect.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-08-31 13:50:07 +02:00
NIIBE Yutaka
14ccabe7f8
dirmngr: Reject certificate which is not valid into cache.
* dirmngr/certcache.c (put_cert): When PERMANENT, reject the
certificate which is obviously invalid.

--

With this change, invalid certificates from system won't be registered
into cache.  Then, an intermediate certificate which is issued by an
entity certified by such an invalid certificate will be also rejected
with GPG_ERR_INV_CERT_OBJ.  With less invalid certificates in cache,
it helps the validate_cert_chain function work better.

GnuPG-bug-id: 6142
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-08-31 13:47:51 +02:00
Werner Koch
aa0c942521
gpg: Fix assertion failure due to errors in encrypt_filter.
* common/iobuf.c (iobuf_copy): Use log_assert.  Explicitly cast error
return value.
* g10/build-packet.c (do_plaintext): Check for iobuf_copy error.

* g10/encrypt.c (encrypt_filter): Immediately set header_okay.
--

Fixes-commit: 8066f8a347
which caused the assertion failure on error.

The second fix avoids repeated error message about non-compliant keys.

GnuPG-bug-id: 6174
2022-08-31 13:35:41 +02:00
Werner Koch
f88cb12f8e
gpg: Make --require-compliance work for -se
* g10/encrypt.c (encrypt_crypt, encrypt_filter): Factor common code
out to ...
(create_dek_with_warnings): new
(check_encryption_compliance): and new.

* g10/encrypt.c (encrypt_filter): Add the compliance check.
--

GnuPG-bug-id: 6174
2022-08-30 18:55:24 +02:00
Werner Koch
15cf36f6a8
gpg: Rename a function.
* g10/cipher.c (cipher_filter): Rename to cipher_file_cfb.
2022-08-29 13:13:45 +02:00
Werner Koch
5b24c41ba7
gpg: Very minor cleanup in decrypt_data.
* g10/decrypt-data.c (decrypt_data): Show also the aead algo with
--show-session-key.  Remove meanwhile superfluous NULL-ptr test.
2022-08-29 13:07:43 +02:00
Jussi Kivilinna
e92812a475
g10/decrypt-data: disable output estream buffering to reduce overhead
* g10/decrypt-data.c (decrypt_data): Disable estream buffering for
output file.
--

Here estream is filled with iobuf_copy which already uses large buffers
so additional buffering in estream was just adding memory copy overhead.

GnuPG-bug-id: T5828
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2022-08-29 12:12:31 +02:00
Werner Koch
afa64aceab
Post release updates
--
2022-08-24 17:16:22 +02:00
Werner Koch
8e60f88571
Release 2.2.37 2022-08-24 15:20:29 +02:00
Werner Koch
77b6896f7a
gpgsm: New option --compatibility-flags.
* sm/gpgsm.c (oCompatibilityFlags): New option.
(compatibility_flags): new.
(main): Parse and print them in verbose mode.
* sm/gpgsm.h (opt): Add field compat_glags.:
(COMPAT_ALLOW_KA_TO_ENCR): New.
* sm/keylist.c (print_capabilities): Take care of the new flag.
* sm/certlist.c (cert_usage_p): Ditto.

* common/miscellaneous.c (parse_compatibility_flags): New.
* common/util.h (struct compatibility_flags_s): New.
--

Backported-from-master: f0b373cec9
Backported-from-master: ce63eaa4f8
2022-08-19 10:49:20 +02:00
Werner Koch
b356eddf3d
gpgconf: Make --auto-key-import and --include-key-block visible again.
* tools/gpgconf-comp.c: Add options.
--

Fixes-commit: 7a3a1ef370
GnuPG-bug-id: 6138
2022-08-17 17:01:44 +02:00
Werner Koch
3591112fdb
agent: Fix bug introduced earlier today.
* agent/findkey.c (agent_write_private_key): Fix condition.
--

Fixes-commit: 755920d433
2022-08-16 16:41:23 +02:00
Werner Koch
891b941bbf
doc: Prepare NEWS
--
2022-08-16 14:44:21 +02:00
Werner Koch
914ee72475
gpg: Fix "generate" command in --card-edit.
* g10/card-util.c (get_info_for_key_operation): Get the APPTYPE before
testing for it.

* g10/card-util.c (current_card_status): Always try to update the
shadow keys.
* g10/call-agent.c (agent_scd_getattr): Handle $AUTHKEYID.
--

The first part fixed a regression introduced today.
GnuPG-bug-id: 5100

The second part is usually not required because our ssh-agent code
anyway looks for the OpenPGP.3 key.  However, this helps to put the
Display S/N into the shadow key so that we get a better prompt to
insert the card.
2022-08-16 14:07:38 +02:00
Werner Koch
2d23a72690
gpg: Update shadow-keys with --card-status also for non-openpgp cards.
* agent/command.c (cmd_readkey): Also allow for $AUTHKEYID in card
mode.
* g10/call-agent.c (agent_update_shadow_keys): new.
* g10/card-util.c (current_card_status): Call it.
2022-08-16 13:02:25 +02:00
Werner Koch
755920d433
agent: Let READKEY update the display-s/n of the Token entry.
* agent/findkey.c (agent_write_private_key): Factor file name
generation out to ...
(fname_from_keygrip): new.
(write_extended_private_key): Add and implement new arg MAYBE_UPDATE.
(agent_write_shadow_key): Ditto.

* agent/command.c (cmd_readkey): Update the shadow-key in card mode.
--

GnuPG-bug-id 6135
2022-08-16 12:02:51 +02:00
Werner Koch
8e393e2592
gpg: Fix --card-status to handle lowercase APPTYPEs
* g10/card-util.c (current_card_status): Use ascii_strcasecmp.
2022-08-16 11:21:39 +02:00
NIIBE Yutaka
27ae89db6e
gpg: Fix detecting OpenPGP card by serialno.
* g10/card-util.c (get_info_for_key_operation): Use ->apptype to
determine card's APP.
(current_card_status): Even if its SERIALNO is not like OpenPGP card,
it's OpenPGP card when app says so.
--

GnuPG-bug-id: 5100
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 157f1de64e
2022-08-16 10:56:46 +02:00
Werner Koch
12ad952978
common: In private key mode write "Key:" always last in name-value.
* common/name-value.c (nvc_write): Take care of Key. Factor some code
out to ...
(write_one_entry): new.
--

The key item is in general not manual editable thus we put it at the
end of a file.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c9fa28bfad)
2022-08-16 10:02:59 +02:00
Werner Koch
dc9b242628
agent: Create and use Token entries to track the display s/n.
* agent/divert-scd.c (linefeed_to_percent0A): New.
(ask_for_card): Add arg grip.  Read Token and Label items and use
them.
(divert_pksign, divert_pkdecrypt): Pass down grip.
* agent/findkey.c (write_extended_private_key): Add args serialno,
keyref, and dispserialno.  Writen Token item.
(agent_write_private_key): Add args serialno, keyref, and
dispserialno.
(read_key_file): Add arg r_keymeta.
(agent_keymeta_from_file): New.
(agent_write_shadow_key): Remove leading spaces from serialno and keyid.
* agent/protect-tool.c (agent_write_private_key): Ditto.
* agent/learncard.c (agent_handle_learn): Get DISPSERIALNO and pass to
agent_write_shadow_key.
* agent/command-ssh.c (card_key_available): Ditto.
--

GnuPG-bug-id: 6135

This patch backports some changes from master but also adds the
Display-S/N tracking.
2022-08-15 12:49:56 +02:00
Werner Koch
706adf6691
common: New function nve_set.
* common/name-value.c (nve_set): New.
(nvc_set): Use nve_set.
(nvc_delete_named): New.
(nvc_get_string): New.
(nvc_get_boolean): New.
--

This function is required to allow updating a specific line.  The
other new functions are backported from master
2022-08-15 12:14:44 +02:00
Werner Koch
f2a81e3745
gpg: Fix wrong error message for keytocard.
* g10/call-agent.c (agent_keytocard): Emit SC_OP_FAILURE.
--

GnuPG-bug-id: 6122
2022-08-04 12:44:19 +02:00
Werner Koch
6583abedf3
common: Silence warnings from AllowSetForegroundWindow.
* common/sysutils.c (gnupg_allow_set_foregound_window): Print warning
only with debug flag set.
2022-08-03 11:12:16 +02:00
Werner Koch
94908857e1
dirmngr: Fix failed malloc error message.
* dirmngr/ocsp.c (check_signature): Fix error printing of xtrymalloc.
2022-08-03 11:12:13 +02:00
Werner Koch
ebb736b2c3
gpgconf: Add config file for Windows Registry dumps.
* tools/gpgconf.c (show_registry_entries_from_file): New.
(show_configs): Call it.
* doc/examples/gpgconf.rnames: New.
* doc/Makefile.am (examples): Add it.
2022-08-03 09:26:44 +02:00
Werner Koch
e8011a7cec
gpg: Make symmetric + pubkey encryption de-vs compliant.
* g10/mainproc.c (proc_encrypted): Make symmetric + pubkey encryption
de-vs compliant.

* g10/mainproc.c (struct symlist_item): New.
(struct mainproc_context): Add field symenc_list.
(release_list): Free that list.
(proc_symkey_enc): Record infos from symmetric session packet.
(proc_encrypted): Check symkey packet algos
--

The original check was too strong because it is in fact compliant to
encrypt with a symmetric key and and public key.  Thus decryption
should issue a compliance status.

In addition we now check that the cipher algorithms used to
symmetrically encrypt the session key are all compliant.  This is
similar to our check for all public key encrypted session key packets.

GnuPG-bug-id: 6119
Fixes-commit: b03fab09e1
2022-08-02 18:36:56 +02:00
Werner Koch
6bc9592318
gpgconf: Improve registry dumping.
* common/w32-reg.c (read_w32_registry_string): Map REG_DWORD to a
string.
(read_w32_reg_string): Add arg r_hklm_fallback and change all callers.
(show_configs): Indicate whether the HKLM fallback was used.
* tools/gpgconf.c (show_other_registry_entries): Fix the Outlook Addin
Registry key.  Indicate whether the HKLM fallback was used.
2022-08-02 12:25:23 +02:00
Werner Koch
890e616593
gpg: For de-vs use SHA-256 instead of SHA-1 as implicit preference.
* g10/pkclist.c (select_algo_from_prefs): Change implicit hash
algorithm.
--

GnuPG-bug-id: 6043
2022-07-28 10:39:45 +02:00
Werner Koch
d0bd91ba73
agent: New option --no-user-trustlist and --sys-trustlist-name.
* agent/gpg-agent.c (oNoUserTrustlist,oSysTrustlistName): New.
(opts): Add new option names.
(parse_rereadable_options): Parse options.
(finalize_rereadable_options): Reset allow-mark-trusted for the new
option.
* agent/agent.h (opt): Add fields no_user_trustlist and
sys_trustlist_name.
* agent/trustlist.c (make_sys_trustlist_name): New.
(read_one_trustfile): Use here.
(read_trustfiles): Use here.  Implement --no-user-trustlist.  Also
repalce "allow_include" by "systrust" and adjust callers.
--

With the global options we can now avoid that a user changes the
Root-CA trust by editing the trustlist.txt.  However, to implement
this we need a new option so that we don't need to rely on some magic
like --no-allow-mark-trusted has been put into a force section.

The second option makes system administration easier as it allows to
keep the trustlist in a non-distributed file.

GnuPG-bug-id: 5990
Backported-from-master: 1530d04725
2022-07-27 17:02:29 +02:00
Ingo Klöcker
abe69b2094
gpg: Look up user ID to revoke by UID hash
* g10/keyedit.c (find_userid_by_namehash, find_userid): New.
(keyedit_quick_revuid): Use find_userid() instead of iterating over the
nodes of the keyblock.
* tests/openpgp/quick-key-manipulation.scm: Add test for revoking a
user ID specified by its hash.
--

This makes it possible to specify the user ID to revoke as UID hash when
calling --quick-revoke-uid.

GnuPG-bug-id: 5936
(cherry picked from commit 35b1755070)
2022-07-27 16:35:59 +02:00
Werner Koch
73a98c1396
wkd: Bind the address to the nonce.
* tools/gpg-wks-server.c (make_pending_fname): New.
(store_key_as_pending, check_and_publish): Use here.
(process_new_key): Pass addrspec to store_key_as_pending.
(expire_one_domain): Expire also the new files.
--

Along with the pass traversal bug this enhancement was
Suggested-by: Philipp Breuch <pbreuch@mail.upb.de>
GnuPG-bug-id: 6098
2022-07-27 11:44:44 +02:00
Ingo Klöcker
22e8dc7927
dirmngr: Ask keyservers to provide the key fingerprints
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Add "fingerprint=on" to
request URL.
--

Some keyservers, e.g. keyserver.ubuntu.com (Hockeypuck), do not
provide the key fingerprints by default. Therefore, we ask for the
fingerprints explicitly.

GnuPG-bug-id: 5741
(cherry picked from commit c7fa4c7f8b)
2022-07-26 09:46:15 +02:00
Ingo Klöcker
ee8f1c10a7
gpg: Request keygrip of key to add via command interface
* g10/keygen.c (ask_algo): Request keygrip via cpr_get.
* doc/help.txt (gpg.keygen.keygrip): New help text.
--

This change makes it possible to add an existing (sub)key to
another key via the status/command interface.

GnuPG-bug-id: 5771
(cherry picked from commit 19b1a28621)
2022-07-25 15:17:42 +02:00
Werner Koch
c1489ca0e1
wkd: Fix path traversal attack on gpg-wks-server.
* tools/gpg-wks-server.c (check_and_publish): Check for invalid
characters in sender controlled data.
* tools/wks-util.c (wks_fname_from_userid): Ditto.
(wks_compute_hu_fname): Ditto.
(ensure_policy_file): Ditto.
2022-07-25 14:50:15 +02:00
NIIBE Yutaka
8c9f879d4a scd:openpgp: Fix workaround for Yubikey heuristics.
* scd/app-openpgp.c (parse_algorithm_attribute): Handle the case
of firmware 5.4, too.

--

Cherry-picked master commit of:
	f34b9147eb

GnuPG-bug-id: 6070
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-07-13 10:53:56 +09:00
NIIBE Yutaka
225c66f13b scd: Fail when no good algorithm attribute.
* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
(change_keyattr): Follow the change.
(app_select_openpgp): Handle the error of parse_algorithm_attribute.

--

Backport master commit of:
	53eddf9b9e

This change allows following invocation of app_select_openpgp, which
may work well (if the problem is device side for initial connection).

GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-07-13 09:47:32 +09:00
NIIBE Yutaka
07e43eda8d scd: Don't inhibit SSH authentication for larger data if it can.
* scd/app-openpgp.c (do_auth): Use command chaining if available.

--

Cherry-picked from master branch of:
	e8fb8e2b3e

GnuPG-bug-id: 5935
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-07-12 16:11:08 +09:00
Werner Koch
3777bc6528
Post release updates
--
2022-07-06 20:17:29 +02:00
Werner Koch
491645b50e
Release 2.3.36 2022-07-06 19:29:56 +02:00
Werner Koch
f357a5f239
gpgconf: New short options -V and -X
* tools/gpgconf.c: Assign short options -X and -V
(show_version_gnupg): Print the vsd version if available.
--

These changes are helpful for phone support.
2022-06-29 13:17:35 +02:00
NIIBE Yutaka
9e2307ddf0 agent: Flush before calling ftruncate.
* agent/findkey.c (write_extended_private_key): Make sure
it is flushed out.

--

Cherry-picked from master commit of:
	99d2931887

GnuPG-bug-id: 6035
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-06-24 08:41:10 +09:00