* g10/getkey.c (getkey_ctx_s): Add field "extra_list".
(get_pubkey_byname): Store strings in the context.
(getkey_end): Free EXTRA_LIST.
--
This fixes a use-after-free bug. It showed up with:
gpg --auto-key-locate local --locate-key wk@gnupg.org
The key was shown but also all other following keys in the keyring.
Bisecting showed d47e84946ee010917cfc3501062721b74afbb771 as culprit
but the actual cause was a part of:
Regression-due-to: b06f96ba4f57f55194efcd37a0e3a2aa5450b974
Signed-off-by: Werner Koch <wk@gnupg.org>
g10/keyring.c (keyring_search): Only mark the cache as completely
filled if we start the scan from the beginning of the keyring.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
Reported-by: NIIBE Yutaka <gniibe@fsij.org>
A new feature (e8c53fc) turned up a bug whereby checking if a search
term matches multiple keys in the keyring causes the cache to be
inconsistent.
When we look for a key on the keyring, we iterate over each of the
keyblocks starting with the keyblock following the last result. For
each keyblock, we iterate over the public key and any subkeys. As we
iterate over each key, we first insert it into the cache and then
check if the key matches. If so, we are done.
In pseudo code:
for (i = last_result + 1; i < num_records; i ++)
keyblock = get_keyblock (i)
for (j = 1; j < len(keyblock); j ++)
key = keyblock[j]
update_cache (key)
if (compare (key, search_terms))
return ok
cache_filled = true
return ENOFOUND
When we look for the next match, we start with the following keyblock.
The result is that any subkeys following the key that matched are not
added to the cache (in other words, when a keyblock matches, the inner
loop did not necessarily complete and the subsequent search doesn't
resume it).
This patch includes a straightforward fix: only indicate the cache as
complete if we started the scan from the beginning of the keyring and
really didn't find anything.
* g10/trustdb.c (init_trustdb): If we can't read the trust model from
the trust DB, default to TM_PGP, not TM_TOFU_PGP.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/tofu.c (opendbs): If the TOFU DB format is set to auto and there
is no TOFU DB, default to the flat format.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/options.h (opt): Add field only_sign_text_ids.
* g10/gpg.c (enum cmd_and_opt_values): Add value oOnlySignTextIDs.
(opts): Handle oOnlySignTextIDs.
(main): Likewise.
* g10/keyedit.c (sign_uids): If OPT.ONLY_SIGN_TEXT_IDS is set, don't
select non-text based IDs automatically.
(keyedit_menu): Adapt the prompt asking to sign all user ids according
to OPT.ONLY_SIGN_TEXT_IDS.
* doc/gpg.texi: Document the new option --only-sign-text-ids.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
GnuPG-bug-id: 1241
Debian-bug-id: 569702
* g10/gpg.c (check_user_ids): New function.
(main): Check that any user id specifications passed to --local-user
and --remote-user correspond to exactly 1 user. Check that any user
id specifications passed to --default-key correspond to at most 1
user. Warn if any user id specifications passed to --local-user or
--default-user are possible ambiguous (are not specified by long keyid
or fingerprint).
* g10/getkey.c (parse_def_secret_key): Don't warn about possible
ambiguous key descriptions here.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
GnuPG-bug-id: 1128
Debian-debug-id: 544490
* g10/decrypt-data.c (decrypt_data): If OPT.UNWRAP_ENCRYPTION is set,
copy the data to the output file instead of continuing to process it.
* g10/gpg.c (enum cmd_and_opt_values): Add new value oUnwrap.
(opts): Handle oUnwrap.
(main): Likewise.
* g10/options.h (opt): Add field unwrap_encryption.
* g10/plaintext.c (handle_plaintext): Break the output file selection
functionality into ...
(get_output_file): ... this new function.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
GnuPG-bug-id: 1060
Debian-bug-id: 282061
* g10/tofu.c (fingerprint_str): Die with the error code returned by
the failed function.
(time_ago_str): Ditto. Do not make a comma translatable.
(fingerprint_format): Use "%zu" for a size_t.
--
Also wrapped some long strings.
In general we should not use log_fatal or use xmalloc functions but
properly return an error code and use xtrymalloc like functions.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/tofu.c (show_statistics): Also show when the most recently
signed message was observed.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
Suggested-by: MFPA <2014-667rhzu3dc-lists-groups@riseup.net>
* g10/tofu.c (show_statistics): Break the time delta to string code
into...
(time_ago_str): ... this new function.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/tofu.c (fingerprint_pp): Split this function into...
(fingerprint_str): ... this function...
(fingerprint_format): ... and this function.
(record_binding): Store the unformatted fingerprint in the DB. Only
use the formatting fingerprint when displaying a message to the user.
(get_trust): Likewise.
(show_statistics): Likewise.
(tofu_register): Likewise.
(tofu_get_validity): Likewise.
(tofu_set_policy): Likewise.
(tofu_get_policy): Likewise.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/import.c (transfer_secret_keys): Return GPG_ERR_NOT_PROCESSED
when stub_key_skipped.
(import_secret_one): Notify a user, suggesting --card-status.
--
Migration to 2.1 might be confusing with smartcard. With this patch,
a user can learn to run gpg ---card-status.
Thanks to intrigeri for the report.
Debian-bug-id: 795881
* g10/sqlite.c (sqlite3_stepx): When making sure that there is no
second SQL statement, ignore newlines.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* common/util.h (zb32_encode): Move prototype to ...
* common/zb32.h: new. Include this for all callers of zb32_encode.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/trustdb.c (validate_keys): If tdbio_update_version_record fails,
RC does not contain the error code. Save the error code in rc2 and
use that.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/keydb.c (keydb_rebuild_caches): Only mark the cached as prepared
if it is actually prepared, which it only is if the resource is a
keybox.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/sqlite.h (enum sqlite_arg_type): Add SQLITE_ARG_BLOB.
(sqlite3_stepx_callback): New declaration.
(sqlite3_stepx): Change the callback's type to sqlite3_stepx_callback,
which passes an additional parameter, the sqlite3_stmt *. Update
users.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/tofu.c (sqlite3_exec_printf): Move from here...
* g10/sqlite.c (sqlite3_exec_printf): ... to this new file. Don't
mark as static.
* g10/tofu.c (sqlite3_stepx): Move from here...
* g10/sqlite.c (sqlite3_stepx): ... to this new file. Don't
mark as static.
* g10/tofu.c (enum sqlite_arg_type): Move from here...
* g10/sqlite.h (enum sqlite_arg_type): ... to this new file.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/mainproc.c (check_sig_and_print): Do not call the informational
get_validity if we are not going to use it.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/main.h: Add rejection_shown flag to each weakhash struct
* g10/misc.c (print_digest_algo_note, additional_weak_digest): Do not
treat MD5 separately; (print_digest_rejected_note): Use
weakhash.rejection_shown instead of static shown.
* g10/options.h (opt): Change from additional_weak_digests to
weak_digests.
* g10/sig-check.c: Do not treat MD5 separately.
* g10/gpg.c (main): Explicitly set MD5 as weak.
* g10/gpgv.c (main): Explicitly set MD5 as weak.
--
Previously, only one weak digest rejection message was shown, of
whichever was the first type encountered. This meant that if "gpg
--weak-digest SHA224" encountered both an MD5 digest and a SHA224
digest, it would only show the user that the MD5 digest was rejected.
In order to let the user know which algorithms were rejected, we
needed to move the "shown" flag into a per-weak-algorithm location.
Given this additional complication, it made no sense to continue to
treat MD5 specially, so it is added as a default weak algorithm in the
same opt.weak_digests data structure as any other.
Signed-Off-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* g10/tofu.c: Include <sched.h>.
(batch_update_started): New variable.
(begin_transaction): If we've been in batch mode for a while, then
commit any extant batch transactions.
(tofu_begin_batch_update): If we are not in batch mode, initialize
batch_update_started.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/tofu.c (struct db): Rename begin_transaction to savepoint_batch.
Rename end_transaction to savepoint_batch_commit. Update users.
Remove field rollback. Add fields savepoint_inner and
savepoint_inner_commit. Add field batch_update.
(dump_cache): New function.
(batch_update): New variable.
(begin_transaction). New function.
(end_transaction): New function.
(rollback_transaction): New function.
(tofu_begin_batch_update): New function.
(tofu_end_batch_update): New function.
(closedb): End any pending batch transaction.
(closedbs): Assert that none of the DBs have a started batch
transaction if we not in batch mode.
(record_binding): Use the begin_transaction, end_transaction and
rollback_transaction functions instead of including the SQL inline.
Also start a batch mode transaction if we are using the flat format.
(tofu_register): Use the begin_transaction, end_transaction and
rollback_transaction functions instead of including the SQL inline.
* g10/gpgv.c (tofu_begin_batch_update): New function.
(tofu_end_batch_update): New function.
* g10/test-stubs.c (tofu_begin_batch_update): New function.
(tofu_end_batch_update): New function.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/tofu.c: Include <stdarg.h>.
(prepares_saved) [DEBUG_TOFU_CACHE]: New variable.
(queries) [DEBUG_TOFU_CACHE]: New variable.
(struct db): Add fields prevp, begin_transaction, end_transaction,
rollback, record_binding_get_old_policy, record_binding_update,
record_binding_update2, get_policy_select_policy_and_conflict,
get_trust_bindings_with_this_email, get_trust_gather_other_user_ids,
get_trust_gather_other_keys, register_already_seen, and
register_insert.
[DEBUG_TOFU_CACHE]: Add field hits.
(STRINGIFY): New macro.
(STRINGIFY2): New macro.
(enum sqlite_arg_type): New enum.
(sqlite3_stepx): New function.
(combined_db): Remove variable.
(opendb): Don't cache the combined db.
(struct dbs): New struct. Update users to use this as the head of the
local DB list rather than overloading struct db.
(unlink_db): New function.
(link_db): New function.
(db_cache): New variable.
(db_cache_count): New variable.
(DB_CACHE_ENTRIES): Define.
(getdb): If the dbs specific cache doesn't include the DB, look at
DB_CACHE. Only if that also doesn't include the DB open the
corresponding DB.
(closedb): New function.
(opendbs): Don't open the combined DB. Just return an initialized
struct dbs.
(closedbs): Don't close the dbs specific dbs. Attach them to the
front of DB_CACHE. If DB_CACHE contains more than DB_CACHE_ENTRIES,
close enough dbs from the end of the DB_CACHE list such that DB_CACHE
only contains DB_CACHE_ENTRIES. Don't directly close the dbs, instead
use the new closedb function.
[DEBUG_TOFU_CACHE]: Print out some statistics.
(record_binding): Use sqlite3_stepx instead of sqlite3_exec or
sqlite3_exec_printf.
(get_policy): Likewise.
(get_trust): Likewise.
(tofu_register): Likewise.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* common/srv.c: Merge into dirmngr/dns-stuff.c. Delete file.
* common/srv.h: Merge into dirmngr/dns-stuff.h. Delete file.
* common/Makefile.am (common_sources): Remove srv.c and srv.h.
* g10/keyserver.c: Do not include srv.h. The code using it is anyway
disabled.
* dirmngr/http.c: Remove header srv.h and stubs.
* dirmngr/t-dns-stuff.c: Add option --srv.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/trustdb.c (init_trustdb): If the saved trust model is unknown,
default to tofu+pgp instead of pgp.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/trustdb.c (validate_one_keyblock): When checking trust regular
expressions, treat the tofu+pgp trust model the same as the pgp trust
model.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/tofu.c (get_trust): If the policy is auto or none, check if the
key is ultimately trusted. If so, return that.
(tofu_register): If the key is ultimately trusted, don't show any
statistics.
(tofu_get_validity): Likewise.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
Suggested-by: Andre Heinecke <aheinecke@intevation.de>
* g10/trustdb.c (init_trustdb): Recognize tofu and tofu+pgp as
possibly saved trust models. Also register the ultimately trusted
keys if the trust model is tofu or tofu+pgp.
(check_trustdb): Don't skip if the trust model is tofu or tofu+pgp.
(update_trustdb): Likewise.
(tdb_check_trustdb_stale): Likewise.
(validate_keys): If the trust model is TOFU, just write out the
ultimately trusted keys.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/tofu.c (initdb): Make the version check and the database
initialization atomic.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
Co-authored-by: Andre Heinecke <aheinecke@intevation.de>
* configure.ac: Add option --dsiable-tofu and --disable-sqlite.
(NEED_SQLITE_VERSION): New var.
(USE_TOFU): New ac_define and am_conditional.
* autogen.sh (build-w32): Add PKG_CONFIG_LIBDIR to configure so that
pkg-config find the correct .pc file.
* g10/Makefile.am (tofu_source): New. Build only if enabled.
* g10/gpg.c (parse_trust_model)[!USE_TOFU]: Disable tofu models.
(parse_tofu_policy)[!USE_TOFU]: Disable all.
(parse_tofu_db_format)[!USE_TOFU]: Disable all.
(main) <aTOFUPolicy>[!USE_TOFU]: Skip.
* g10/keyedit.c (show_key_with_all_names_colon)[!USE_TOFU]: Do not
call tofu functions.
* g10/keylist.c (list_keyblock_colon)[!USE_TOFU]: Ditto.
* g10/trustdb.c (tdb_get_validity_core)[!USE_TOFU]: Skip tofu
processing.
--
This allows to build a minimal version of GnuPG. It is also currently
required to build for Windows.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/tofu.c (signature_stats_collect_cb): If the time_ago column is
NULL, then both time_ago and count should be 0.
(get_trust): Reverse the direction of the join so that we also get
statistics about bindings without any signatures.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/tofu.c (get_trust): Use the right variable to display the
conflicting key.
--
Signed-off-by: Neal H. Walfield <neal@walfield.org>
Reported-by: Andre Heinecke <aheinecke@intevation.de>
* g10/revoke.c (gen_desig_revoke): Add additional parameter ctrl.
Check that the secret key is available. If not, display an error
message.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
Regression-due-to: 8459bcf9
* g10/main.h: Improve function documentation.
* g10/packet.h.h: Improve function documentation.
* g10/sig-check.c: Improve function documentation and some comments.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/misc.c (print_md5_rejected_note): Rename to ..
(print_digest_rejected_note): this. Parameterize function to take an
enum gcry_md_algos.
* g10/sig-check.c: Use print_digest_rejected_note() when rejecting
signatures.
--
76afaed65e3b0ddfa4923cb577ada43217dd4b18 allowed extra --weak-digests,
but removed the one call to print_md5_rejected_note(). This replaces
and generalizes that warning.
Signed-Off-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* g10/options.h: Add additional_weak_digests linked list to opts.
* g10/main.h: Declare weakhash linked list struct and
additional_weak_digest() function to insert newly-declared weak
digests into opts.
* g10/misc.c: (additional_weak_digest): New function.
(print_digest_algo_note): Check for deprecated digests; use proper
gcry_md_algos type.
* g10/sig-check.c: (do_check): Reject weak digests in addition to MD5.
* g10/gpg.c: Add --weak-digest option to gpg.
* doc/gpg.texi: Document gpg --weak-digest option.
* g10/gpgv.c: Add --weak-digest option to gpgv.
* doc/gpgv.texi: Document gpgv --weak-digest option.
--
gpg and gpgv treat signatures made over MD5 as unreliable, unless the
user supplies --allow-weak-digests to gpg. Signatures over any other
digest are considered acceptable.
Despite SHA-1 being a mandatory-to-implement digest algorithm in RFC
4880, the collision-resistance of SHA-1 is weaker than anyone would
like it to be.
Some operators of high-value targets that depend on OpenPGP signatures
may wish to require their signers to use a stronger digest algorithm
than SHA1, even if the OpenPGP ecosystem at large cannot deprecate
SHA1 entirely today.
This changeset adds a new "--weak-digest DIGEST" option for both gpg
and gpgv, which makes it straightforward for anyone to treat any
signature or certification made over the specified digest as
unreliable.
This option can be supplied multiple times if the operator wishes to
deprecate multiple digest algorithms, and will be ignored completely
if the operator supplies --allow-weak-digests (as before).
MD5 is still always considered weak, regardless of any further
--weak-digest options supplied.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Capitialized some comments, shorted a line in do_check, and changed
subject to name the option. -wk
* g10/tofu.c (get_trust): If a conflict occurs when MAY_ASK is false,
set conflict to the key. When prompting the user, don't show the
conflicting key if the conflicting key is the current key.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>
* g10/trustdb.c (tdb_get_validity_core): Silence a warning.
* g10/tofu.c (tofu_register): Move SIG_DIGEST computation to the top
so that it is not uninitialized in case of an early error.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac: Check for sqlite3.
(SQLITE3_CFLAGS): AC_SUBST it.
(SQLITE3_LIBS): Likewise.
* g10/Makefile.am (AM_CFLAGS): Add $(SQLITE3_CFLAGS).
(gpg2_SOURCES): Add tofu.h and tofu.c.
(gpg2_LDADD): Add $(SQLITE3_LIBS).
* g10/tofu.c: New file.
* g10/tofu.h: New file.
* g10/options.h (trust_model): Define TM_TOFU and TM_TOFU_PGP.
(tofu_db_format): Define.
* g10/packet.h (PKT_signature): Add fields digest and digest_len.
* g10/gpg.c: Include "tofu.h".
(cmd_and_opt_values): Declare aTOFUPolicy, oTOFUDefaultPolicy,
oTOFUDBFormat.
(opts): Add them.
(parse_trust_model): Recognize the tofu and tofu+pgp trust models.
(parse_tofu_policy): New function.
(parse_tofu_db_format): New function.
(main): Initialize opt.tofu_default_policy and opt.tofu_db_format.
Handle aTOFUPolicy, oTOFUDefaultPolicy and oTOFUDBFormat.
* g10/mainproc.c (do_check_sig): If the signature is good, copy the
hash to SIG->DIGEST and set SIG->DIGEST_LEN appropriately.
* g10/trustdb.h (get_validity): Add arguments sig and may_ask. Update
callers.
(tdb_get_validity_core): Add arguments sig and may_ask. Update
callers.
* g10/trust.c (get_validity) Add arguments sig and may_ask. Pass them
to tdb_get_validity_core.
* g10/trustdb.c: Include "tofu.h".
(trust_model_string): Handle TM_TOFU and TM_TOFU_PGP.
(tdb_get_validity_core): Add arguments sig and may_ask. If
OPT.TRUST_MODEL is TM_TOFU or TM_TOFU_PGP, compute the TOFU trust
level. Combine it with the computed PGP trust level, if appropriate.
* g10/keyedit.c: Include "tofu.h".
(show_key_with_all_names_colon): If the trust mode is tofu or
tofu+pgp, then show the trust policy.
* g10/keylist.c: Include "tofu.h".
(public_key_list): Also show the PGP stats if the trust model is
TM_TOFU_PGP.
(list_keyblock_colon): If the trust mode is tofu or
tofu+pgp, then show the trust policy.
* g10/pkclist.c: Include "tofu.h".
* g10/gpgv.c (get_validity): Add arguments sig and may_ask.
(enum tofu_policy): Define.
(tofu_get_policy): New stub.
(tofu_policy_str): Likewise.
* g10/test-stubs.c (get_validity): Add arguments sig and may_ask.
(enum tofu_policy): Define.
(tofu_get_policy): New stub.
(tofu_policy_str): Likewise.
* doc/DETAILS: Describe the TOFU Policy field.
* doc/gpg.texi: Document --tofu-set-policy, --trust-model=tofu,
--trust-model=tofu+pgp, --tofu-default-policy and --tofu-db-format.
* tests/openpgp/Makefile.am (TESTS): Add tofu.test.
(TEST_FILES): Add tofu-keys.asc, tofu-keys-secret.asc,
tofu-2183839A-1.txt, tofu-BC15C85A-1.txt and tofu-EE37CF96-1.txt.
(CLEANFILES): Add tofu.db.
(clean-local): Add tofu.d.
* tests/openpgp/tofu.test: New file.
* tests/openpgp/tofu-2183839A-1.txt: New file.
* tests/openpgp/tofu-BC15C85A-1.txt: New file.
* tests/openpgp/tofu-EE37CF96-1.txt: New file.
* tests/openpgp/tofu-keys.asc: New file.
* tests/openpgp/tofu-keys-secret.asc: New file.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/encrypt.c (use_mdc): Make it a global func.
* g10/sign.c (sign_symencrypt_file): Use that function to decide
whether to use an MDC.
* tests/openpgp/conventional-mdc.test: Add a simple test case.
--
We used --force-mdc in sign+symenc mode (-cs) only with --force-mdc.
That broke our assumption from commit 625e292 (GnuPG 2.1.9) that all
uses of modern ciphers are using MDC.
Reported-by: Ben Kibbey <bjk@luxsci.net>
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/options.h (opt): Add field "print_dane_records".
* g10/gpg.c (oPrintDANERecords): new.
(opts): Add --print-dane-records.
(main): Set that option.
* g10/export.c (do_export): Remove EXPORT_DANE_FORMAT handling.
(do_export_stream): Add EXPORT_DANE_FORMAT handling.
* g10/keylist.c (list_keyblock_pka): Implement DANE record printing.
* g10/gpgv.c (export_pubkey_buffer): New stub.
* g10/test-stubs.c (export_pubkey_buffer): New stub.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/dirmngr.c (parse_rereadable_options): Do tilde expansion and
check for cert file existance in option --hkp-cacert.
--
GnuPG-bug-id: 2120
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/mainproc.c (proc_encrypted): Fail for modern messages w/o MDC.
--
This change turns the missing MDC warning into an error if the message
has been encrypted using a cipher with a non-64 bit block length cipher
and it is not Twofish.
We can assume that such messages are created by code which should have
been able to create MDC packets. AES was introduced with 1.0.3 on
2000-09-18 shortly after MDC (1.0.2 on 2000-07-12). We need to
exclude Twofish because that might have been used before MDC.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/dirmngr-conf.skel: New.
* g10/Makefile.am (EXTRA_DIST): Add file.
(install-data-local, uninstall-local): Install that file.
* g10/openfile.c (copy_options_file): Add arg "name", return a value,
simplify with xstrconcat, and factor warning message out to:
(try_make_homedir): here. Also install dirmngr.conf.
* g10/options.skel: Remove --keyserver entry.
--
The option --keyserver in gpg has been deprecated in favor of
--keyserver in dirmngr.conf. Thus we need to install a skeleton file
for dirmngr to set a default keyserver.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keyserver.c (keyserver_refresh): Change return type to
gpg_error_t. Use gpg_dirmngr_ks_list to print the name of the
keyserver to use.
(keyserver_search): Do not print the "no keyserver" error
message. The same error is anyway returned from dirmngr.
* g10/call-dirmngr.c (ks_status_parm_s): Add field "keyword".
(ks_status_cb): Handle other status keywords.
(gpg_dirmngr_ks_list): New.
* tools/gpgconf-comp.c (gc_options_gpg): Deprecate "keyserver".
(gc_options_dirmngr): Add "Keyserver" group and "keyserver".
--
Along with the corresponding dirmngr change this option allows to
configure the keyserver only in dirmngr.conf. Existing
configurations will continue to work. However, GUIs using gpgconf
now the keyserver option under the dirmngr (aka Key Acquirer) tab
unless they are in export mode in which the keyserver option is also
show for gpg.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keyedit.c (print_and_check_one_sig): Add arg "extended" and
print an asterisk for the chosen selfsig.
(check_all_keysigs): Add arg "only_selfsig"
(keyedit_menu) <cmdCHECK>: Add optional arg "selfsig".
--
Using "check selfsig" prints only the self-signatures and indicates
the chosen selfsig with an asterisk.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/sig-check.c (signature_check2): Avoid copying PK to RET_PK.
Instead, directly use the provided storage. If none is provided
allocate some.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/sign.c (do_sign): Let verify signature by gpg-agent.
* agent/pksign.c (agent_pksign_do): Call gcry_pk_verify for RSA.
--
RSA signature verification should be done to prevent attacks against
RSA CRT implementations and not to return invalid signature to
adversary. Newer libgcrypt does so. For older libgcrypt and
smartcards, gpg-agent does signature verification.
* g10/call-dirmngr.c (create_context): Send option and print a verbose
error.
--
It is in general a bad idea to use honor-keyserver-url but if Dirmngr
is running in TOR mode we should not allow this option at all. We let
Dirmngr know about the use of this option and let Dirmngr tell use
whether TOR mode is active so that we can print a hint to disable that
keyserver option.
A future extension in gpgconf may disable that option directly but a
user may still override that and thus we better check.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/trustdb.c (search_skipfnc): Fix dummy argument
--
This is required due to the prototype change in
commit 9acbeac23668a1d0dabca27d7825430d76e095c2
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keyedit.c (keyedit_menu): When complaining that a user ID or key
must be selected, indicate what command to use to do this.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/getkey.c (merge_selfsigs_main): Stop looking for self-signed
data belonging to the public key when we encounter an attribute packet
or a subkey packet, not just a user id packet. When looking for
self-signed data belonging to a user id packet, stop when we see a
user attribute packet.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/getkey.c (skip_unusable): Also mark the key as unusable if it
has been revoked or has expired.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/getkey.c: Improve documentation and comments for most
functions. Move documentation for public functions from here...
* g10/keydb.h: ... to here.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/getkey.c (have_secret_key_with_kid): Once we find the relevent
key or subkey, stop searching.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
Only a single key or subkey will ever be selected per keyblock.
* g10/getkey.c (lookup): Also don't skip legacy keys if the search
mode is KEYDB_SEARCH_MODE_NEXT.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
We currently don't skip keys if the search mode is
KEYDB_SEARCH_MODE_FIRST. Since we change KEYDB_SEARCH_MODE_FIRST to
KEYDB_SEARCH_MODE_NEXT (to avoid a reset), it only makes sense to have
the same semantics for KEYDB_SEARCH_MODE_NEXT.
* g10/keydb.h (get_seckey_byname): Rename from this...
(get_seckey_default): ... to this. Drop the parameter name. Update
users.
* g10/getkey.c (get_seckey_byname): Rename from this...
(get_seckey_default): ... to this. Drop the parameter name. Drop the
code which assumed that NAME is not NULL.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/keydb.h (get_keyblock_byfprint): Remove prototype. Replace use
of this function with get_pubkey_byfprint.
* g10/getkey.c (get_pubkey_byname): Remove function.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/getkey.c (get_pubkey_byname): If R_KEYBLOCK is not NULL, return
the keyblock in R_KEYBLOCK independent of whether PK is set or not.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
Currently, no caller invokes get_pubkey_byname with PK==NULL and
R_KEYBLOCK != NULL. Thus, this change does not change any behavior.
* g10/getkey.c (get_pubkey_byname): Remove function.
(lookup): Replace use of get_pubkey_byname by get_pubkey_byfprint.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/keydb.h (get_pubkey_end): Remove declaration. Replace use of
function with getkey_end.
* g10/getkey.c (get_pubkey_byname): Remove function.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* kbx/keybox-search-desc.h (struct keydb_search_desc.skipfnc): Change
third parameter to be the index of the user id packet in the keyblock
rather than the packet itself. Update users.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
The keybox code doesn't work directly with keyblocks. As such, the
matched user packet is not readily available to pass to
DESC[n].SKIPFNC. But, we do know the index of the user id packet that
matched. Thus, pass that instead. If the skip function needs the
user id packet, it can use the key id to look up the key block and
find the appropriate packet.
* g10/getkey.c (struct getkey_ctx_s): Remove field found_key.
(lookup): Add argument ret_found_key. If not NULL, set it to the
found key. Update callers.
(pk_from_block): Add argument found_key. Use it instead of
CTX->FOUND_KEY. Update callers.
(finish_lookup): Return a KBNODE (the found key) instead of an int.
Don't set CTX->FOUND_KEY. Return the found key instead.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/getkey.c (struct getkey_ctx_s): Remove field keyblock.
(finish_lookup): Add parameter keyblock. Update caller to pass this.
(lookup): Add new local variable keyblock. Use this instead of
ctx->keyblock for referencing the keyblock.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/test.c: Include string.h.
(prepend_srcdir): New. Taken from Libgcrypt.
(test_free): New.
* g10/t-keydb.c (do_test): Malloc the filename.
* g10/Makefile.am (AM_CPPFLAGS): Remove -DSOURCE_DIR
(EXTRA_DIST): Add t-keydb-keyring.kbx.
--
Using SOURCE_DIR should in general work but we have seen problems when
doing this in Libgcrypt. Using the srcdir variable gives us anyway
more flexibility and aligns with the way we do it in tests/openpgp.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/test.c: Include stdio.h and stdlib.h.
(verbose): New.
(print_results): Rename to exit_tests.
(main): Remove atexit and call exit_tests. Set verbose.
(ASSERT, ABORT): Call exit_tests instead of exit.
--
Calling exit from an exit handler is undefined behaviour. It works on
Linux but other systems will hit an endless loop. That is indeed
unfortunate but we can't do anything about it. Calling _exit() would
be possible but that may lead to other problems. Thus we change to
call a custom exit function :-(.
Using "make check verbose=1" is supported by tests/openpgp and thus
we add the same mechanism here.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keydb.c (keyblock_cache): Don't declare this variable. Instead...
(struct keyblock_cache): ... turn its type into this first class
object...
(struct keydb_handle): ... and instantiate it once per database
handle. Update all users.
(keydb_rebuild_caches): Don't invalidate the keyblock cache.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/keydb.c (keydb_get_keyblock): If the iobuf_seek fails when
reading from the cache, then simply clear the cache and try reading
from the database.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/gpg.c (opts): Remove --no-sig-create-check.
* g10/options.h (struct opt): Remove field no_sig_create_check.
* g10/sign.c (do_sign): Always check unless it is RSA and we are using
Libgcrypt 1.7.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keydb.c (keydb_new): If we fail to open a keyring or keybox
correctly release all resources.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/keydb.c: Improve code comments and documentation of internal
interfaces. Improve documentation of public APIs and move that to...
* g10/keydb.h: ... this file.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/keydb.c (struct keydb_handle): Add new field is_reset.
(keydb_new): Initialize hd->is_reset to 1.
(keydb_locate_writable): Set hd->is_reset to 1.
(keydb_search): Set hd->is_reset to 0. Don't cache a key not found if
the search started from the beginning of the database.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/keydb.c (keydb_search_first): Reset the handle before starting
the search.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
This bug hasn't shown up yet in practice, because keydb_search_first
is always called immediately after a keydb_new. This changes cleans
up the semantics and will hopefully prevent future bugs.
* g10/keydb.c (struct kid_list_s): Rename from this...
(struct kid_not_found_cache_bucket): ... to this. Update users.
Remove field state.
(kid_list_t): Remove type.
(KID_NOT_FOUND_CACHE_BUCKETS): Define. Use this instead of a literal.
(kid_found_table): Rename from this...
(kid_not_found_cache_bucket): ... to this. Update users.
(kid_found_table_count): Rename from this...
(kid_not_found_cache_count): ... to this. Update users.
(kid_not_found_p): Only return whether a key with the specified key id
is definitely not in the database.
(kid_not_found_insert): Remove parameter found. Update callers.
(keydb_search): Only insert a key id in the not found cache if it is
not found. Rename local variable once_found to already_in_cache.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
Commit e0873a33 started tracking whether key ids where definitely in
the database. This information is, however, never used and thus just
unnecessarily inflates the cache. This patch effectively reverts that
change (however, e0873a33 contains two separate changes and this only
reverts that change).
* g10/keyedit.c (sign_uids): Write an ERROR status for a signing
failure.
(menu_adduid, menu_addrevoker, menu_revsig): Ditto.
(menu_revuid, menu_revkey, menu_revsubkey): Ditto.
--
This change helps GPA to show better error messages.
Signed-off-by: Werner Koch <wk@gnupg.org>
* common/status.h (STATUS_FAILURE): New.
* g10/cpr.c (write_status_failure): New.
* g10/gpg.c (main): Call write_status_failure for all commands which
print an error message here.
* g10/call-agent.c (start_agent): Print an STATUS_ERROR if we can't
set the pinentry mode.
--
This status line can be used similar to the error code returned by
commands send over the Assuan interface in gpgsm. We don't emit them
in gpgsm because there we already have that Assuan interface to return
proper error code. This change helps GPGME to return better error
codes.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/parse-packet.c (parse): Use an int to compare to -1. Use
buf32_to_ulong.
--
Regression-due-to: 0add91ae1ca3718e8140af09294c595f47c958d3
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/packet.h (PKT_signature): Change revkey's type from a struct
revocation_key ** to a struct revocation_key *. Update users.
--
revkey was a pointer into the raw data. But, C doesn't guarantee that
there is no padding. Thus, we copy the data.
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/parse-packet.c (parse): We don't handle copying packets with a
partial body length to an output stream. If this occurs, log an error
and abort.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/parse-packet.c (dbg_copy_all_packets): Check that OUT is not
NULL.
(copy_all_packets): Likewise.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/parse-packet.c (parse_signature): Make sure PKTLEN doesn't
underflow. Be more careful that a read doesn't read more data than
PKTLEN says is available.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/packet.h: Add documentation for functions defined in
parse-packet.c.
* g10/parse-packet.c: Improve comments for many functions.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/packet.h (enum_sig_subpkt): Remove argument RET_N. Update
callers.
* g10/parse-packet.c (enum_sig_subpkt): Remove argument RET_N.
--
Remove the RET_N argument, because it is unused and because it is
meaningless: it's not clear whether it is an offset into SIG->HASHED
or SIG->UNHASHED.
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* g10/parse-packet.c (mpi_read): Improve documentation. Correctly
handle an EOF. On overflow, correctly return the number of bytes read
from the pipeline.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* common/iobuf.h (iobuf_open_fd_or_name): Remove prototype. Replace
use with either iobuf_open or iobuf_fdopen_nc, as appropriate.
* common/iobuf.c (iobuf_open): Remove function.
--
Signed-off-by: Neal H. Walfield <neal@g10code.com>.
* kbx/keybox.h (KEYBOX_WITH_X509): Do not define.
* sm/Makefile.am (AM_CPPFLAGS): Define it here.
(common_libs): Change to libkeybox509.a
* g10/Makefile.am (AM_CFLAGS): remove KSBA_CFLAGS.
(gpg2_LDADD, gpgv2_LDADD): Remove KSBA_LIBS
* kbx/Makefile.am (noinst_LIBRARIES): Add libkeybox509.a.
(libkeybox509_a_SOURCES): New.
(libkeybox_a_CFLAGS): New.
(libkeybox509_a_CFLAGS): New.
(kbxutil_CFLAGS): New.
* kbx/keybox-search.c (has_keygrip) [!KEYBOX_WITH_X509]: Declare args
as unused.
--
There is no real need to link to Libksba in gpg.
Signed-off-by: Werner Koch <wk@gnupg.org>