1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

307 Commits

Author SHA1 Message Date
NIIBE Yutaka
b9b0c18320
common,gpg,sm,tools: Don't remove translate_sys2libc_fd_int.
* common/sysutils.c (translate_sys2libc_fd_int): Recover.
(translate_sys2libc_fdstr): Remove.
(check_special_filename): Follow the change.
* common/sysutils.h (translate_sys2libc_fd_int): Recover.
(translate_sys2libc_fdstr): Remove.
* g10/gpg.c, g10/gpgv.c, sm/gpgsm.c: Revert the changes.
* tools/gpg-auth.c, tools/gpg-card.c, tools/gpg-pair-tool.c: Likewise.
* tools/gpg-wks-client.c, tools/gpgconf.c: Likewise.

--

GnuPG-bug-id: 6551
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-06-27 14:44:01 +09:00
NIIBE Yutaka
2756147e39
gpg,sm,tools: Use string for option --*-fd.
* g10/gpg.c (opts): Use string for oLoggerFD, oOverrideSessionKeyFD,
oStatusFD, oAttributeFD, oCommandFD, and oPassphraseFD.
(main): Use translate_sys2libc_fdstr.
* g10/gpgv.c (opts): Use string for oLoggerFD, and oStatusFD.
(main): Use translate_sys2libc_fdstr.
* sm/gpgsm.c (opts): Use string for oLoggerFD, oStatusFD, and
oPassphraseFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpg-auth.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
tools/gpg-card.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpg-pair-tool.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpg-wks-client.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpgconf.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpgtar-create.c (gpgtar_create): Fix for opt.status_fd.
* tools/gpgtar-extract.c (gpgtar_extract): Fix for opt.status_fd.
* tools/gpgtar-list.c (gpgtar_list): Fix for opt.status_fd.
* tools/gpgtar.c (opts): Use string for oStatusFD.
(main): Use translate_sys2libc_fdstr.
* tools/gpgtar.h (opts): Use string for oStatusFD.

--

GnuPG-bug-id: 6551
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-06-23 13:22:00 +09:00
Werner Koch
7e681da1b2
sm: Emit STATUS_FAILURE for non-implemented commands.
* sm/gpgsm.c (main): Do it here.
2023-05-24 12:13:53 +02:00
Werner Koch
08ff55bd44
kbx: Use custom estream buffering
* kbx/keybox-init.c (ll_buffer_size): New var intialized to 128k
(stream_buffers): New var.
(keybox_set_buffersize): New.
(_keybox_ll_open, _keybox_ll_close): Implement buffering.

* sm/gpgsm.c (oKbxBufferSize): New.
(opts): Add option --kbx-buffer-size.
(main): Call keybox_set_buffersize.

* g10/gpg.c: Include keybox.h.
* (oKbxBufferSize): New.
(opts): Add option --kbx-buffer-size.
(main): Call keybox_set_buffersize.
--

Running a test on Windows using a pubring.kbx with
Total number of blobs:     2098
              openpgp:     1294
                 x509:      803
and a size of 42MiB with

gpgsm -k --with-validation --disable-dirmngr --kbx-buffer-size N >nul

gives these performance figures using procmon

| N(k) | file events | time(s) |
|------+-------------+---------|
|    0 |     4900000 |      86 |
|   16 |     2456000 |      58 |
|   32 |     1233000 |      43 |
|   64 |      622000 |      37 |
|  128 |      317000 |      32 |
|  256 |      164000 |      31 |
|  512 |       88000 |      30 |

Using _open instead of CreateFile give the same number of file events
but increased the time slight by one second for the measured buffer
size of 64k and 128k.   Benchmarks for gpg have not been conducted.
2023-05-08 09:40:14 +02:00
Werner Koch
e4ac3e7dec
gpgsm: New option --no-pretty-dn
* sm/gpgsm.c (oNoPrettyDN): New.
(opts): Add --no-pretty-dn.
(main): Implement.
* sm/gpgsm.h (opt): Add no_pretty_dn.
* sm/certdump.c (gpgsm_es_print_name): Act upon.
2023-03-16 09:46:05 +01:00
Werner Koch
d2d1db8860
gpg,gpgsm: New option --log-time
* g10/gpg.c (oLogTime): New.
(opts): Add "log-time".
(opt_log_time): New var.
(main): Implement.
* sm/gpgsm.c (oLogTime): New.
(opts): Add "log-time".
(opt_log_time): New var.
(main): Implement.
2023-03-08 15:10:52 +01:00
Werner Koch
b6abaed2b5
gpgsm: Print revocation date and reason in cert listings.
* dirmngr/ocsp.c (ocsp_isvalid): Add args r_revoked_at and
r_revocation_reason.
* dirmngr/server.c (cmd_isvalid): Emit a new REVOCATIONINFO status.
(cmd_checkocsp): Ditto.

* sm/call-dirmngr.c (struct isvalid_status_parm_s): Add new fields.
(isvalid_status_cb): Parse REVOCATIONINFO.
(gpgsm_dirmngr_isvalid): Add args r_revoked_at and
r_revocation_reason.

* sm/gpgsm.h (struct server_control_s): Add fields revoked_art and
revocation_reason.
* sm/keylist.c (list_cert_raw): Print revocation date.
(list_cert_std): Ditto.
--

Note that for now we do this only for OCSP because it is an important
piece of information when using the chain model.  For a sample key see
commit 7fa1d3cc821dca1ea8e1c80a0bdd527177c185ee.
2022-12-05 16:42:08 +01:00
Werner Koch
2d8ac55d26
gpgsm: Change default algo to AES-256.
* sm/gpgsm.c (DEFAULT_CIPHER_ALGO): Change.
2022-12-01 10:12:21 +01:00
Werner Koch
203dcc19eb
common: New common option no-autostart.
* common/comopt.c (opts): Add "no-autostart".
(parse_comopt): Set it.
* common/comopt.h (comopt): Add no_autostart.

* g10/gpg.c (main): Take care of the new option.
* sm/gpgsm.c (main): Ditto.
* tools/gpg-connect-agent.c (INCLUDED_BY_MAIN_MODULE): Add.
(main): Parse common options and handle new option.
* tools/gpg-card.c (main): Ditto.
(cmd_yubikey): Fix minor error reporting issue.

* common/util.h (GNUPG_MODULE_NAME_CARD): New const.
* common/homedir.c (gnupg_module_name): Support it.
--

Having a global option makes it easier to use disable autostart on a
server which is required to use a remote gpg-agent reliable.
2022-08-22 12:05:02 +02:00
Werner Koch
f0b373cec9
gpgsm: New option --compatibility-flags.
* sm/gpgsm.c (oCompatibilityFlags): New option.
(compatibility_flags): new.
(main): Parse and print them in verbose mode.
* sm/gpgsm.h (opt): Add field compat_glags.:
(COMPAT_ALLOW_KA_TO_ENCR): New.
* sm/keylist.c (print_capabilities): Take care of the new flag.
* sm/certlist.c (cert_usage_p): Ditto.
2022-06-13 17:50:26 +02:00
Werner Koch
22fef189b1
w32: Do no use Registry item DefaultLogFile for the main tools.
* g10/gpg.c (main): Set LOG_NO_REGISTRY.
* sm/gpgsm.c (main): Ditto.
* tools/gpg-connect-agent.c (main): Ditto.
* tools/gpgconf.c (main): Ditto.
(show_other_registry_entries): Print "DefaultLogFile".
--

The intention of this mostly forgotten registry entry was to allow for
easy debugging of the tools.  However, with the global config file
common.conf things are anyway better.  We disable the use for the
commonly used tools so that it does not look like calling gpg on the
command line seems to block with no output if the log
server (e.g. tcp://1.2.3.4:11111) is not reachable.
2022-04-20 09:30:56 +02:00
Werner Koch
f8075257af
gpgsm: New option --require-compliance
* sm/gpgsm.c (oRequireCompliance): New.
(opts): Add --require-compliance.
(main): Set option.
* sm/gpgsm.h (opt): Add field require_compliance.
(gpgsm_errors_seen): Declare.
* sm/verify.c (gpgsm_verify): Emit error if non de-vs compliant.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
--
2022-03-08 19:28:16 +01:00
Werner Koch
e23dc755fa
sm: New option --ignore-cert-with-oid.
* sm/gpgsm.c (oIgnoreCertWithOID): New.
(opts): Add option.
(main): Store its value.
* sm/call-agent.c (learn_cb): Test against that list.
2022-02-03 14:17:10 +01:00
Werner Koch
623a427b0c
sm: Partly revert last commit.
* sm/gpgsm.c (set_debug): Remove doubled code.
--

It was already there; sorry.

Fixes-commit: 51edea995d352a7b557fb0315fa5091dc42065cb
2022-02-01 15:20:29 +01:00
Werner Koch
51edea995d
gpg,sm: Set --verbose and clear --quiet in debug mode.
* g10/gpg.c (set_debug): Tweak options.
* sm/gpgsm.c (set_debug): Ditto.
2022-02-01 15:13:13 +01:00
Werner Koch
f2d1187fcd
gpgsm: Retire the new --ldapserver.
* sm/gpgsm.c (oKeyServer_deprecated): New.
(opts): Assign "ldapserver" to the new option and mark it as obsolete.
--

We want to use "ldapserver" in dirmngr but need to keep using
"keyserver" in gpgsm for existant versions of Kleopatra etc.

GnuPG-bug-id: 5801
2022-01-27 15:23:42 +01:00
Werner Koch
0b4fdbd5f4
gpgconf: Return --ldapserver and --keyserver from dirmngr.
* dirmngr/dirmngr.c: Reorder two option groups.
* tools/gpgconf-comp.c (known_options_gpgsm): Rename "keyserver" to
"ldapserver" and set level to invisible.
(known_options_dirmngr): Add "ldapserver" at the basic level.
* sm/gpgsm.c (opts): No more help text for "ldapserver".
--

GnuPG-bug-id: 5800
2022-01-25 20:24:25 +01:00
Werner Koch
5f39db70c0
gpg,gpgsm: Add option --min-rsa-length.
* common/compliance.c (min_compliant_rsa_length): New.
(gnupg_pk_is_compliant): Take in account.
(gnupg_pk_is_allowed): Ditto.
(gnupg_set_compliance_extra_info): New.
* g10/gpg.c (oMinRSALength): New.
(opts): Add --min-rsa-length.
(main): Set value.
* g10/options.h (opt): Add field min_rsa_length.
* sm/gpgsm.c (oMinRSALength): New.
(opts): Add --min-rsa-length.
(main): Set value.
* sm/gpgsm.h (opt): Add field min_rsa_length.
2021-11-18 20:49:37 +01:00
Werner Koch
89df86157e
sm: New option --ldapserver as an alias for --keyserver.
* sm/gpgsm.c (opts): Add option --ldapserver and make --keyserver an
alias.
--

We should use "keyserver" for OpenPGP and thus it is better to allow
for "ldapserver" here - it is the same convention as now used in
dirmngr.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d6df1bf84969bf5f5781e33bc1c2f6cb2aee0093)
2021-06-16 13:04:34 +02:00
Werner Koch
bebc71d229
gpg,sm: Simplify keyserver spec parsing.
* common/keyserver.h: Remove.
* sm/gpgsm.h (struct keyserver_spec): Remove.
(opt): Change keyserver to a strlist_t.
* sm/gpgsm.c (keyserver_list_free): Remove.
(parse_keyserver_line): Remove.
(main): Store keyserver in an strlist.
* sm/call-dirmngr.c (prepare_dirmngr): Adjust for the strlist.  Avoid
an ambiguity in dirmngr by adding a prefix if needed.

* g10/options.h (struct keyserver_spec): Move definition from
keyserver.h to here.  Remove most fields.
* g10/keyserver.c (free_keyserver_spec): Adjust.
(cmp_keyserver_spec): Adjust.
(parse_keyserver_uri): Simplify.
(keyidlist): Remove fakev3 arg which does not make any sense because
we don't even support v3 keys.
--

We now rely on the dirmngr to parse the keyserver specs.  Thus a bad
specification will not be caught immediately.  However, even before
that dirmngr had stricter tests.

Signed-off-by: Werner Koch <wk@gnupg.org>
Ported-from: 9f586700ec4ceac97fd47cd799878a8847342ffa
2021-06-16 12:03:13 +02:00
Werner Koch
4980fb3c6d
sm: Support AES-GCM decryption.
* tests/cms/samplemsgs/: Add sample messages.
* sm/gpgsm.c (main): Use gpgrt_fcancel on decryption error.
* sm/decrypt.c (decrypt_gcm_filter): New.
(gpgsm_decrypt): Use this filter if requested.  Check authtag.
--

Note that the sample message pwri-sample.gcm.p7m is broken: The
authtag is duplicated to the authEncryptedContentInfo.  I used a
temporary code during testing hack to that test message out.
2021-06-02 11:03:55 +02:00
Werner Koch
d153e4936e
gpg,sm: Ignore the log-file option from common.conf.
* g10/gpg.c (main): Don't use the default log file from common.conf.
* sm/gpgsm.c (main): Ditto.
--

That was acutally not intended and contradicts the description in
doc/example/common.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-21 14:40:08 +02:00
Werner Koch
51419d6341
sm: New command --show-certs
* sm/keylist.c (do_show_certs): New.
(gpgsm_show_certs): New.
* sm/gpgsm.c (aShowCerts): New.
(opts): Add --show-certs.
(main): Call gpgsm_show_certs.
--

I have been using libksba test programs for countless times to look at
certificates and I always wanted to add such a feature to gpgsm.  This
is simply much more convenient.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-20 09:37:56 +02:00
Werner Koch
d13c5bc244
gpg,gpgsm: Move use-keyboxd to the new conf file common.conf
* common/comopt.c, common/comopt.h: New.
* common/Makefile.am: Add them.
* g10/gpg.c: Include comopt.h.
(main): Also parse common.conf.
* sm/gpgsm.c: Include comopt.h.
(main): Set a flag for the --no-logfile option.  Parse common.conf.

* tools/gpgconf-comp.c (known_options_gpg): Remove "use-keyboxd", add
pseudo option "use_keyboxd".
(known_pseudo_options_gpg): Add pseudo option "use_keyboxd".
(known_options_gpgsm): Remove "use-keyboxd".

* tests/openpgp/defs.scm (create-gpghome): Create common.conf.

* doc/examples/common.conf: New.
--

Note that --use-keybox still works but prints a warning.  We will
eventually remove this option becuase it was marked as an experimental
feature anyway.

It would be too confusing if gpg and gpgsm use different key storages.
Further, other components (e.g. dirmngr or gpg-wks-client) which call
gpg or gpgsm need to be aware that the keyboxd is used and pass that
option on the command line.  Now that common.conf is always read (even
if --no-options is used) those tools will work instantly.
2021-04-19 11:33:19 +02:00
Werner Koch
a4021d9be4
sm: Init nPth which might be used by some helper code.
* sm/gpgsm.c: Include npth.h.
(main): Init nPth.
--

Actually we currently do not use extra threads but we need to link to
the npth version of the common functions because there is an option to
use threads.  Now, without initialized npth, we could experience a
crash in gnupg_sleep, which uses npth_usleep in the npth based common
functions.

Fixes-commit: 046f419f806036248c058c4bd44368f8596287b7
2021-03-08 21:53:29 +01:00
Werner Koch
615d2e4fb1
sm: Silence some output on --quiet
* sm/encrypt.c (gpgsm_encrypt): Take care of --quiet.
* sm/gpgsm.c: Include minip12.h.
(set_debug): Call p12_set_verbosity.
* sm/import.c (parse_p12): Dump keygrip only in debug mode.
* sm/minip12.c (opt_verbose, p12_set_verbosity): New.
(parse_bag_encrypted_data): Print info messages only in verbose mode.
--

GnuPG-bug-id: 4757
2021-02-24 08:40:06 +01:00
Werner Koch
2b75b25605
Require GpgRT version 1.41.
* configure.ac (NEED_GPG_ERROR_VERSION): Rename to NEED_GPGRT_VERSION
and set to 1.41.
* common/sysutils.c (gnupg_access): Remove code for older gpgrt
versions.
* kbx/backend-sqlite.c: Ditto.
* sm/gpgsm.c (main): Ditto.
--

We already have a requirement for a newer Libgcrypt and thus we can
also require a more recent libgpgrt (aka libgpg-error) which was
released before Libgcrypt.
2021-02-10 08:32:57 +01:00
Werner Koch
4dcef0e178
Replace most calls to open by a new wrapper.
* common/sysutils.c (any8bitchar) [W32]: New.
(gnupg_open): New.  Replace most calls to open by this.
* common/iobuf.c (any8bitchar) [W32]: New.
(direct_open) [W32]: Use CreateFileW if needed.
--

This is yet another step for full Unicode support on Windows.

GnuPG-bug-id: 5098
2020-10-20 14:08:35 +02:00
Werner Koch
c94ee1386e
Replace all calls to access by gnupg_access
* common/sysutils.c (gnupg_access): New.  Replace all calls to access
by this wrapper.
* common/homedir.c (w32_shgetfolderpath): Change to return UTF-8
directory name.
(standard_homedir): Adjust for change.
(w32_commondir, gnupg_cachedir): Ditto.
--

Also use SHGetFolderPathW instead of SHGetFolderPathA on Windows.

This is required to correctly handle non-ascii filenames on Windows.

GnuPG-bug-id: 5098
2020-10-20 12:15:55 +02:00
Werner Koch
046f419f80
sm: New options to prepare the use of keyboxd.
* sm/Makefile.am (AM_CFLAGS): Add npth flags.
(common_libs): Use npth version of the lib.
(gpgsm_LDADD): Add npth libs.
* sm/gpgsm.c (oUseKeyboxd, oKeyboxdProgram): New.
(opts): New options --use-keyboxd and --keyboxd-program.
(main): Set them.
(gpgsm_deinit_default_ctrl): New.
(main): Call it.
* sm/server.c (gpgsm_server): Ditto.
* sm/gpgsm.h (opt): Add fields use_keyboxd and keyboxd_program.
(keydb_local_s): New type.
(struct server_control_s): Add field keybd_local.
* sm/keydb.c: Include assuan.h, asshelp.h, and kbx-client-util.h.
(struct keydb_local_s): New.
(struct keydb_handle): Add fields for keyboxd use.
(gpgsm_keydb_deinit_session_data): New.
(warn_version_mismatch): New.
(create_new_context): New.
(open_context): New.
(keydb_new): Implement keyboxd mode.
(keydb_release): Ditto.
(keydb_get_resource_name): Ditto.

* sm/keydb.c: Add stub support for all other functions.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-09-03 13:49:20 +02:00
Werner Koch
e7677da479
sm: Do not require a default keyring for --gpgconf-list.
* sm/gpgsm.c (main): No default keyring for gpgconf mode.
--

GnuPG-bug-id: 4867
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-25 11:36:12 +02:00
NIIBE Yutaka
f3e424d4e7 Silence compiler warnings.
* common/openpgp-oid.c (map_openpgp_pk_to_gcry): Use cast for enum
conversion.
* dirmngr/dns-stuff.c (get_dns_srv): Use explicit conversion from
int to float.
* sm/gpgsm.c (parse_keyserver_line): Initialize ERR.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-08-19 13:21:32 +09:00
Werner Koch
6bcb609e1b
Add --chuid to gpg, gpg-card, and gpg-connect-agent.
* g10/gpg.c (oChUid): New.
(opts): Add --chuid.
(main): Implement --chuid.  Delay setting of homedir until the new
chuid is done.
* sm/gpgsm.c (main): Delay setting of homedir until the new chuid is
done.
* tools/gpg-card.c (oChUid): New.
(opts): Add --chuid.
(changeuser): New helper var.
(main): Implement --chuid.
* tools/gpg-connect-agent.c (oChUid): New.
(opts): Add --chuid.
(main): Implement --chuid.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-14 12:19:11 +02:00
Werner Koch
646a30fd39
gpgsm: New option --chuid.
* sm/gpgsm.c (oChUid, opts): New option --chuid.
(main): Implement option.
--

This option will at least be useful for Scute.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-08-06 16:03:57 +02:00
Werner Koch
4f1c257c03
sm: Fix regression in Friday's commit
* sm/gpgsm.c (main): Set ERR also for encrypt.
--
Fixes-commit: ccbb0cfeefed096a9841b6557d10eef12d55b721

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-29 15:00:04 +02:00
Werner Koch
ccbb0cfeef
sm: Try not to output a partial new message after an error.
* sm/gpgsm.c (main) <aSign,aEncr>:  Uses gpgrt_fcancel on error.
--

When creating a signature or encrypting and the respective key is not
available or the user canceled the PIN entry gpgsm prints the initial
part of the message due to internal buffering in gpgrt.  By using
gpgrt_fcancel we can avoid this at least as long as the data is less
than the standard buffer size (which is currently 8k).  If is not a
complete solution but the best we can do easily.  Outputting to the
tty is anyway more of a testing aid than for real use.

This makes use of the new gpgrt_fcancel API.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-06-26 15:21:31 +02:00
Werner Koch
68b857df13
sm: Allow decryption using dhSinglePass-stdDH-sha1kdf-scheme.
* sm/decrypt.c (ecdh_decrypt): Support
dhSinglePass-stdDH-sha1kdf-scheme.  Factor key derive code out to ...
(ecdh_derive_kek): new global function.  Allow for hashs shorter than
the key.
(hash_ecc_cms_shared_info): Make file-only.
* sm/encrypt.c (ecdh_encrypt): Replace derive code by a call to the
new ecdh_derive_kek.  Add test code to create data using
dhSinglePass-stdDH-sha1kdf-scheme.
* sm/gpgsm.h (opt): Add member force_ecdh_sha1kdf.
* sm/gpgsm.c: Add option --debug-force-ecdh-sha1kdf.
--

I did some test against

  Governikus_Signer:       2.9.2.0
  MCard security Provider: 2.4.0
  Algorithm catalog from:  05.12.2019

using a Signature Card v2.0 and a nistp256 certificate.  Encrypting
with Governikus used the stdDH-sha1kdf scheme which we can now
decrypt.  Encrypting with GPGSM uses for that curve the recommended
scheme sha256kdf but Governikus was not able to decrypt this (no
usable error message).  Encrypting using stdDH-sha1kdf with GPGSM by
using the new --debug-force-ecdh-sha1kdf option showed that
Governikus was able to decrypt this.

FWIW: RFC5753 (Use of Elliptic Curve Cryptography (ECC) Algorithms)
has this requirement:

   Implementations that support EnvelopedData with the
   ephemeral-static ECDH standard primitive:

   - MUST support the dhSinglePass-stdDH-sha256kdf-scheme key
     agreement algorithm, the id-aes128-wrap key wrap algorithm, and
     the id-aes128-cbc content encryption algorithm; and

which Governikus seems not to fulfill.

GnuPG-bug-id: 4098
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-08 18:08:50 +02:00
Werner Koch
34b628db46
sm: Cleanup the use of GCRY_PK_ECC and GCRY_PK_ECDSA.
* common/sexputil.c (pubkey_algo_to_string): New.
* sm/certcheck.c (do_encode_md): Replace GCRY_PK_ECDSA by GCRY_PK_ECC.
* sm/certreqgen-ui.c (check_keygrip): Add all ECC algorithms.
* sm/gpgsm.c (our_pk_test_algo): Also allow EdDSA.
* sm/verify.c (gpgsm_verify): Map ECC algo to ECDSA.  Use new pubkey
algo name function

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-08 15:10:13 +02:00
Werner Koch
0b583a555e
sm: Consider certificates w/o CRL DP as valid.
* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP.
* common/audit.c (proc_type_verify): Print "n/a" if a cert has no
distribution point.
* sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check.
* sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New.
(opts): Add option --enable-issuer-based-crl-check.
(main): Set option.
--

If the issuer does not provide a DP and the user wants such an issuer,
we expect that a certificate does not need revocation checks.  The new
option --enable-issuer-based-crl-check can be used to revert to the
old behaviour which requires that a suitable LDAP server has been
configured to lookup a CRL by issuer.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-27 21:16:07 +01:00
Werner Koch
451cd1b392
gpgconf: Further simplify the gpgconf option processing.
* common/gc-opt-flags.h (GC_OPT_FLAG_RUNTIME): Move to ...
* tools/gpgconf-comp.c: here.
(known_options_scdaemon): Remove "options".
(known_options_dirmngr): Remove "options".
(known_options_gpgsm): Remove "options".
(known_options_gpg): Remove "options" and "keyserver".
(struct gc_option_s): Rename active t gpgconf_list.
(gc_component_list_options): Do not act upon active.
(option_check_validity): Ditto.
(is_known_option): Make it work correctly for unknown options.
(retrieve_options_from_program): Use renamed flag gpgconf_list only to
detect duplicated items from --gpgconf-list.  Do not set runtime.
Only e set the options if set by --gpgconf-list; never clear them.
* agent/gpg-agent.c: Simplify the --gpgconf-list output.
* dirmngr/dirmngr.c: Ditto.
* g10/gpg.c: Ditto.
* kbx/keyboxd.c: Ditto.
* scd/scdaemon.c: Ditto.
* sm/gpgsm.c: Ditto.
* tests/openpgp/gpgconf.scm: Use "compliance" instead of "keyserver"
for the string arg test.
--

There is no need to read the list of options from the components
unless they convey a default value.  It is better to consult only the
list we have in gpgconf-comp.c to decide on whether an option should
be displayed.   Right, this might mess up thing if a newer gpgconf
version is used with an older component, but we already print warnings
in this case and in general we do not want to support this anymore -
the times of gpg 1.4. and 2.0 are long over now.

GnuPG-bug-id: 4788
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-14 19:12:41 +01:00
Werner Koch
9bc3e7ec03
gpgsm: Re-group the options in the --help output.
--

This looks better and is also required for further simplifications of
gpgconf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-06 16:21:10 +01:00
Werner Koch
4423e9dcde
gpgconf: Support reading global options (part 2).
* tools/gpgconf-comp.c: Remove all regular option descriptions.  They
are now read in from the component.  Also remove a few meanwhile
obsolete options.
* agent/gpg-agent.c: Add option description which were only set in
gpgconf-comp.c.
* dirmngr/dirmngr.c: Ditto.
* scd/scdaemon.c: Ditto.
* sm/gpgsm.c: Ditto.
* g10/gpg.c: Ditto.
--

This second part removes all regular option descriptions because they
can be read from the components.  A few were missing in the components
and thus moved to there.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-06 10:09:26 +01:00
Werner Koch
2c823bd878
Use gpgrt's new option parser for gpgc, gpgsm, and gpg-agent.
* g10/gpgv.c: Use new option parser.
* sm/gpgsm.c: Ditto.
* agent/gpg-agent.c: Ditto.
(opts): Add option --no-options.
--

This is the next part of changes.  The latest libgpg-error is required
so that that re-reading options (SIGHUP) works.

GnuPG-bug-id: 4788
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-02-20 14:59:58 +01:00
Werner Koch
0e8f6e2aa9
gpg: Use gpgrt's new option parser to provide a global conf file.
* common/util.h: Remove argparse.h.
* common/argparse.c: Undef GPGRT_ENABLE_ARGPARSE_MACROS.
* configure.ac (GPGRT_ENABLE_ARGPARSE_MACROS): Define.
* agent/gpg-agent.c: Undef GPGRT_ENABLE_ARGPARSE_MACROS and include
argparse.h.  Do this also for all main modules which use our option
parser except for gpg.  Replace calls to strusage by calls to
gpgrt_strusage everywhere.

* g10/gpg.c (opts): Change type to gpgrt_opt_t.  Flag oOptions and
oNoOptions with ARGPARSE_conffile and ARGPARSE_no_conffile.
(main): Change type of pargs to gpgrt_argparse_t.  Rework the option
parser to make use of the new gpgrt_argparser.
--

This is not yet finished but a make check works.  gpg has the most
complex and oldest option handling and thus this is the first
migration target.  SE-Linux checks and version-ed config files are
missing and will be added later.

GnuPG-bug-id: 4788
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-02-20 11:13:32 +01:00
Werner Koch
6aff8a1328
build: Always use EXTERN_UNLESS_MAIN_MODULE pattern.
* common/util.h (EXTERN_UNLESS_MAIN_MODULE): Add the definion only
here but now without the Norcroft-C.  Change all other places where it
gets defined.
* common/iobuf.h (iobuf_debug_mode): Declare unconditionally as
extern.
* common/iobuf.c (iobuf_debug_mode): Define it here.
* agent/gpg-agent.c (INCLUDED_BY_MAIN_MODULE): Define here and also in
all main modules of all other programs.

* g10/main.h: Put util.h before the local header files.
--

This change is required for use with gcc/ld's LTO feature which does
not allow common blocks.  Further gcc 10 will make -fno-common the
default and thus this chnage is always needed.  What a pitty.

Co-authored-by: Tomáš Mráz
GnuPG-bug-id: 4831
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 21d9bd8b87a9f793a106095e3838eb71825189d7)

- Applied respective chnages also to gpg-card and keyboxd.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-02-10 16:50:47 +01:00
Werner Koch
14aa797bb8
gpg,sm: Avoid useless ASFW diagnostic in loopback mode.
* common/sysutils.c (inhibit_set_foregound_window): New var.
(gnupg_inhibit_set_foregound_window): New func.
(gnupg_allow_set_foregound_window): Use var.
* g10/gpg.c (main): Inhibit in loopback mode.
* sm/gpgsm.c (main): Ditto.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-01-13 15:20:49 +01:00
Werner Koch
6e1c99bc39
gpgsm: Allow sepcification of ldaps servers.
* sm/gpgsm.h (struct keyserver_spec): Add field use_ldaps.
* sm/gpgsm.c (parse_keyserver_line): Parse flags.
* sm/call-dirmngr.c (prepare_dirmngr): Send ldaps flag to the dirmngr.

* dirmngr/dirmngr.h (struct ldap_server_s): Add field use_ldaps.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse flags.
* dirmngr/ldap.c (start_cert_fetch_ldap): Call wrapper with --tls.

* dirmngr/dirmngr_ldap.c: New option --tls.
(fetch_ldap): Make use of that option.
--

There was no way to specify an LDAPS server in
dirmngr_ldapserver.socnf or with gpgsm's --keyserver option.  This
patch fixes this.  Eventually we should allow to replace host and port
by a partial URI in the same way ldap_initialize does it.  For backward
compatibility we do not yet do that.

Although the dirmngr code accepts an URL (eg. taken from a
certificate), I can't see how the scheme was ever used.  Thus the
patch also detects an ldaps scheme and uses this.  That part has not
been tested, though.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-11-09 11:29:59 +01:00
Werner Koch
6e041b7b35
sm: Add a couple of debug calls to the keydb module.
* sm/gpgsm.h (DBG_CLOCK_VALUE, DBG_CLOCK): New.
(DBG_LOOKUP_VALUE, DBG_LOOKUP): New.
* sm/gpgsm.c: new debug flags "lookup" and "clock"
* sm/keydb.c: Add log_clock calls to most functions.
(keydb_search_desc_dump): New.
(keydb_search) [DBG_LOOKUP]: Print descrh decription.
* sm/keylist.c (list_cert_std): Flush FP in debug mode to better
syncronize the output with the debug output
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-05-15 08:52:21 +02:00
Werner Koch
5f3864fb64
sm: Add yet inactive options to support authenticode
* sm/gpgsm.c (opts): New options --authenticode and --attribute.
* sm/gpgsm.h (opt): Add vars authenticode and attribute_list.
* sm/sign.c (add_signed_attribute): New but inactive.
(gpgsm_sign): Use new options.
--

Because libksba 1.4 is not yet ready the new code is not yet active.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-04-30 08:28:54 +02:00
Werner Koch
aa58d2a49b
sm: Allow decryption even if expired other keys are configured.
* sm/gpgsm.c (main): Add special handling for bad keys in decrypt
mode.
--

The problem can easily be tested by adding --encrypt-to EXPIRED_KEY to
a decryption command.  With that patch the errors are printed but
decryption continues and the process returns success unless other
errors occur.

GnuPG-bug-id: 4431
Signed-off-by: Werner Koch <wk@gnupg.org>
2019-03-26 13:31:06 +01:00