1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

8936 Commits

Author SHA1 Message Date
Werner Koch
615c9717c1
dirmngr: Support gpgMailbox for mode MAILSUB and MAILEND.
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Use gpgMailbox if
server supports this.
2022-10-07 13:19:10 +02:00
Werner Koch
44960e702e
dirmngr: Factor out interrogate_ldap_dn function.
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New.
--

GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 993820c315216584e23d36299920007abfeb3a32
2022-10-07 13:16:57 +02:00
Werner Koch
fe7114ebf3
po: Fix wrong LF in the German translation
--

Reported-by: mario.haustein@hrz.tu-chemnitz.de

Also fix one typo
2022-10-07 11:53:42 +02:00
Werner Koch
07c6743148
gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant.
* g10/encrypt.c (check_encryption_compliance): Check gcrypt compliance
before emitting an ENCRYPTION_COMPLIANCE_MODE status.
--

GnuPG-bug-id: 6221
2022-09-29 14:15:47 +02:00
Werner Koch
d7a0df4478
doc: Typo fix in a comment.
--
2022-09-28 15:41:16 +02:00
Werner Koch
32ce7ac0c6
dirmngr: Fix lost flags during LDAP upload
* dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const.
Use strtokenize instead of strtok style parsing.
--

This fixes a problem with resulted in a General Error for the second
key to be uploaded in the same session.  But only if the colon format
to specify a keyserver with flags was used.
2022-09-28 15:40:22 +02:00
Werner Koch
6300035ba1
dirmngr: New server flag "areconly" (A-record-only)
* dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly"
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
* dirmngr/dirmngr_ldap.c: Add option --areconly
(connect_ldap): Implement option.
* dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.
--

This flag is used to pass the Windows specific option
LDAP_OPT_AREC_EXCLUSIVE.  It is ignored on other systems.

Signed-off-by: Werner Koch <wk@gnupg.org>
2022-09-28 09:43:25 +02:00
Werner Koch
05b7e4a405
gpg: Don't consider unknown keys as non-compliant while decrypting.
* g10/mainproc.c (proc_encrypted):  Change compliance logic.
--

For the description of the proplem see
  https://dev.gnupg.org/T6205#163306

GnuPG-bug-id: 6205
2022-09-22 10:25:36 +02:00
Werner Koch
289fbc550d
dirmngr: Fix CRL DP error fallback to other schemes.
* dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
Remove the unused issuername_uri stuff.
--

It is quite common that LDAP servers are blocked and thuis the HTTP
access point should be used instead.  This worked well for
certificates where the DP are given in this form:

        crlDP: ldap://x500.bund.de/[...]
               http://x500.bund.de/[...]
               issuer: none

but it failed for this form

        crlDP: ldap://x500.bund.de/[...]
               issuer: none
        crlDP: http://x500.bund.de/[...]
               issuer: none

because the LAST_ERR thing terminated the outer loop.  This pacth
fixes this and also cleans up the code to be more robust.

Note that the common workaround of using --ignore-ldap-dp will now
only be needed if the firewall uses packet dropping instead of proper
ICMP rejects.
2022-09-16 16:54:39 +02:00
NIIBE Yutaka
ed1264e74b
build: Update gpg-error.m4.
* m4/gpg-error.m4: Update from libgpg-error.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-15 11:57:33 +09:00
Werner Koch
268e876ee2
Post release updates
--
2022-09-02 15:40:09 +02:00
Werner Koch
7c2078a680
Release 2.2.39 gnupg-2.2.39 2022-09-02 14:48:56 +02:00
Werner Koch
fc99ff8aff
speedo: Authenticode sign two more tools.
--
2022-09-02 12:05:26 +02:00
Werner Koch
8c22b00268
common: Make nvc_lookup more robust.
* common/name-value.c (nvc_first): Allow for NULL arg.
(nvc_lookup): Allow for PK being NULL.
--

GnuPG-bug-id: 6176
2022-09-01 17:35:41 +02:00
Werner Koch
9eb03b722c
Post release updates
--
2022-09-01 13:35:39 +02:00
Werner Koch
0b786fde77
Release 2.2.38 gnupg-2.2.38 2022-09-01 12:05:21 +02:00
NIIBE Yutaka
d1490c6df9 po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-01 14:53:44 +09:00
Werner Koch
ea34325c54
dirmngr: New option --debug-cache-expired-certs.
* dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs:
* dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
(opts): Add option.
(parse_rereadable_options): Set option.
* dirmngr/certcache.c (put_cert): Handle the option.
2022-08-31 18:13:25 +02:00
Werner Koch
a95a31cd2f
gpg: Add descriptions for --auto-key-import and --include-key-import
--

Actually we once had them but they got lost at some point.  The German
translation is also up-to-date now.
2022-08-31 18:06:16 +02:00
Werner Koch
0b91fa0f13
common,w32: Fix an encoding problem of the printed timezone.
* common/gettime.c (w32_strftime) [W32]: New function.
(strftime) [W32]: New refinition macro.
--

GnuPG-bug-id: 5073
2022-08-31 17:32:45 +02:00
Werner Koch
e05fb5ca37
gpg: Emit STATUS_FAILURE for --require-compliance errors
* g10/misc.c (compliance_failure): Do not fallback to CO_GNUPG.  Print
compliance failure error and status for CO_DE_VS.
* g10/mainproc.c (proc_encrypted): Call compliance_failure in the
require-compliance error case.
* g10/encrypt.c (check_encryption_compliance): Ditto.
2022-08-31 15:34:17 +02:00
NIIBE Yutaka
e1169e8f8a
scd: Add npth_unprotect/npth_protect for blocking operations.
* scd/ccid-driver.c (ccid_open_usb_reader): Name the thread.
(ccid_vendor_specific_setup, ccid_open_usb_reader): Wrap
blocking operations by npth_unprotect/npth_protect.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-08-31 13:50:07 +02:00
NIIBE Yutaka
14ccabe7f8
dirmngr: Reject certificate which is not valid into cache.
* dirmngr/certcache.c (put_cert): When PERMANENT, reject the
certificate which is obviously invalid.

--

With this change, invalid certificates from system won't be registered
into cache.  Then, an intermediate certificate which is issued by an
entity certified by such an invalid certificate will be also rejected
with GPG_ERR_INV_CERT_OBJ.  With less invalid certificates in cache,
it helps the validate_cert_chain function work better.

GnuPG-bug-id: 6142
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-08-31 13:47:51 +02:00
Werner Koch
aa0c942521
gpg: Fix assertion failure due to errors in encrypt_filter.
* common/iobuf.c (iobuf_copy): Use log_assert.  Explicitly cast error
return value.
* g10/build-packet.c (do_plaintext): Check for iobuf_copy error.

* g10/encrypt.c (encrypt_filter): Immediately set header_okay.
--

Fixes-commit: 8066f8a3470f9d2f3682a28641a7b09eca29a105
which caused the assertion failure on error.

The second fix avoids repeated error message about non-compliant keys.

GnuPG-bug-id: 6174
2022-08-31 13:35:41 +02:00
Werner Koch
f88cb12f8e
gpg: Make --require-compliance work for -se
* g10/encrypt.c (encrypt_crypt, encrypt_filter): Factor common code
out to ...
(create_dek_with_warnings): new
(check_encryption_compliance): and new.

* g10/encrypt.c (encrypt_filter): Add the compliance check.
--

GnuPG-bug-id: 6174
2022-08-30 18:55:24 +02:00
Werner Koch
15cf36f6a8
gpg: Rename a function.
* g10/cipher.c (cipher_filter): Rename to cipher_file_cfb.
2022-08-29 13:13:45 +02:00
Werner Koch
5b24c41ba7
gpg: Very minor cleanup in decrypt_data.
* g10/decrypt-data.c (decrypt_data): Show also the aead algo with
--show-session-key.  Remove meanwhile superfluous NULL-ptr test.
2022-08-29 13:07:43 +02:00
Jussi Kivilinna
e92812a475
g10/decrypt-data: disable output estream buffering to reduce overhead
* g10/decrypt-data.c (decrypt_data): Disable estream buffering for
output file.
--

Here estream is filled with iobuf_copy which already uses large buffers
so additional buffering in estream was just adding memory copy overhead.

GnuPG-bug-id: T5828
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
2022-08-29 12:12:31 +02:00
Werner Koch
afa64aceab
Post release updates
--
2022-08-24 17:16:22 +02:00
Werner Koch
8e60f88571
Release 2.2.37 gnupg-2.2.37 2022-08-24 15:20:29 +02:00
Werner Koch
77b6896f7a
gpgsm: New option --compatibility-flags.
* sm/gpgsm.c (oCompatibilityFlags): New option.
(compatibility_flags): new.
(main): Parse and print them in verbose mode.
* sm/gpgsm.h (opt): Add field compat_glags.:
(COMPAT_ALLOW_KA_TO_ENCR): New.
* sm/keylist.c (print_capabilities): Take care of the new flag.
* sm/certlist.c (cert_usage_p): Ditto.

* common/miscellaneous.c (parse_compatibility_flags): New.
* common/util.h (struct compatibility_flags_s): New.
--

Backported-from-master: f0b373cec93bb01f02b9c0a3ab1f3e242b381c3f
Backported-from-master: ce63eaa4f8f3f41aafcaddd8d658dacd522334a8
2022-08-19 10:49:20 +02:00
Werner Koch
b356eddf3d
gpgconf: Make --auto-key-import and --include-key-block visible again.
* tools/gpgconf-comp.c: Add options.
--

Fixes-commit: 7a3a1ef3707194e1086c452d005319c519905d3e
GnuPG-bug-id: 6138
2022-08-17 17:01:44 +02:00
Werner Koch
3591112fdb
agent: Fix bug introduced earlier today.
* agent/findkey.c (agent_write_private_key): Fix condition.
--

Fixes-commit: 755920d4335730fbf25e24342dc9c8a8a772dac3
2022-08-16 16:41:23 +02:00
Werner Koch
891b941bbf
doc: Prepare NEWS
--
2022-08-16 14:44:21 +02:00
Werner Koch
914ee72475
gpg: Fix "generate" command in --card-edit.
* g10/card-util.c (get_info_for_key_operation): Get the APPTYPE before
testing for it.

* g10/card-util.c (current_card_status): Always try to update the
shadow keys.
* g10/call-agent.c (agent_scd_getattr): Handle $AUTHKEYID.
--

The first part fixed a regression introduced today.
GnuPG-bug-id: 5100

The second part is usually not required because our ssh-agent code
anyway looks for the OpenPGP.3 key.  However, this helps to put the
Display S/N into the shadow key so that we get a better prompt to
insert the card.
2022-08-16 14:07:38 +02:00
Werner Koch
2d23a72690
gpg: Update shadow-keys with --card-status also for non-openpgp cards.
* agent/command.c (cmd_readkey): Also allow for $AUTHKEYID in card
mode.
* g10/call-agent.c (agent_update_shadow_keys): new.
* g10/card-util.c (current_card_status): Call it.
2022-08-16 13:02:25 +02:00
Werner Koch
755920d433
agent: Let READKEY update the display-s/n of the Token entry.
* agent/findkey.c (agent_write_private_key): Factor file name
generation out to ...
(fname_from_keygrip): new.
(write_extended_private_key): Add and implement new arg MAYBE_UPDATE.
(agent_write_shadow_key): Ditto.

* agent/command.c (cmd_readkey): Update the shadow-key in card mode.
--

GnuPG-bug-id 6135
2022-08-16 12:02:51 +02:00
Werner Koch
8e393e2592
gpg: Fix --card-status to handle lowercase APPTYPEs
* g10/card-util.c (current_card_status): Use ascii_strcasecmp.
2022-08-16 11:21:39 +02:00
NIIBE Yutaka
27ae89db6e
gpg: Fix detecting OpenPGP card by serialno.
* g10/card-util.c (get_info_for_key_operation): Use ->apptype to
determine card's APP.
(current_card_status): Even if its SERIALNO is not like OpenPGP card,
it's OpenPGP card when app says so.
--

GnuPG-bug-id: 5100
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 157f1de64e437cecd75335e9f4077ba9835e3da0
2022-08-16 10:56:46 +02:00
Werner Koch
12ad952978
common: In private key mode write "Key:" always last in name-value.
* common/name-value.c (nvc_write): Take care of Key. Factor some code
out to ...
(write_one_entry): new.
--

The key item is in general not manual editable thus we put it at the
end of a file.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c9fa28bfad297b17e76341ffb40383ce92da5d44)
2022-08-16 10:02:59 +02:00
Werner Koch
dc9b242628
agent: Create and use Token entries to track the display s/n.
* agent/divert-scd.c (linefeed_to_percent0A): New.
(ask_for_card): Add arg grip.  Read Token and Label items and use
them.
(divert_pksign, divert_pkdecrypt): Pass down grip.
* agent/findkey.c (write_extended_private_key): Add args serialno,
keyref, and dispserialno.  Writen Token item.
(agent_write_private_key): Add args serialno, keyref, and
dispserialno.
(read_key_file): Add arg r_keymeta.
(agent_keymeta_from_file): New.
(agent_write_shadow_key): Remove leading spaces from serialno and keyid.
* agent/protect-tool.c (agent_write_private_key): Ditto.
* agent/learncard.c (agent_handle_learn): Get DISPSERIALNO and pass to
agent_write_shadow_key.
* agent/command-ssh.c (card_key_available): Ditto.
--

GnuPG-bug-id: 6135

This patch backports some changes from master but also adds the
Display-S/N tracking.
2022-08-15 12:49:56 +02:00
Werner Koch
706adf6691
common: New function nve_set.
* common/name-value.c (nve_set): New.
(nvc_set): Use nve_set.
(nvc_delete_named): New.
(nvc_get_string): New.
(nvc_get_boolean): New.
--

This function is required to allow updating a specific line.  The
other new functions are backported from master
2022-08-15 12:14:44 +02:00
Werner Koch
f2a81e3745
gpg: Fix wrong error message for keytocard.
* g10/call-agent.c (agent_keytocard): Emit SC_OP_FAILURE.
--

GnuPG-bug-id: 6122
2022-08-04 12:44:19 +02:00
Werner Koch
6583abedf3
common: Silence warnings from AllowSetForegroundWindow.
* common/sysutils.c (gnupg_allow_set_foregound_window): Print warning
only with debug flag set.
2022-08-03 11:12:16 +02:00
Werner Koch
94908857e1
dirmngr: Fix failed malloc error message.
* dirmngr/ocsp.c (check_signature): Fix error printing of xtrymalloc.
2022-08-03 11:12:13 +02:00
Werner Koch
ebb736b2c3
gpgconf: Add config file for Windows Registry dumps.
* tools/gpgconf.c (show_registry_entries_from_file): New.
(show_configs): Call it.
* doc/examples/gpgconf.rnames: New.
* doc/Makefile.am (examples): Add it.
2022-08-03 09:26:44 +02:00
Werner Koch
e8011a7cec
gpg: Make symmetric + pubkey encryption de-vs compliant.
* g10/mainproc.c (proc_encrypted): Make symmetric + pubkey encryption
de-vs compliant.

* g10/mainproc.c (struct symlist_item): New.
(struct mainproc_context): Add field symenc_list.
(release_list): Free that list.
(proc_symkey_enc): Record infos from symmetric session packet.
(proc_encrypted): Check symkey packet algos
--

The original check was too strong because it is in fact compliant to
encrypt with a symmetric key and and public key.  Thus decryption
should issue a compliance status.

In addition we now check that the cipher algorithms used to
symmetrically encrypt the session key are all compliant.  This is
similar to our check for all public key encrypted session key packets.

GnuPG-bug-id: 6119
Fixes-commit: b03fab09e188f7bb10237d4f20455e4026737e4e
2022-08-02 18:36:56 +02:00
Werner Koch
6bc9592318
gpgconf: Improve registry dumping.
* common/w32-reg.c (read_w32_registry_string): Map REG_DWORD to a
string.
(read_w32_reg_string): Add arg r_hklm_fallback and change all callers.
(show_configs): Indicate whether the HKLM fallback was used.
* tools/gpgconf.c (show_other_registry_entries): Fix the Outlook Addin
Registry key.  Indicate whether the HKLM fallback was used.
2022-08-02 12:25:23 +02:00
Werner Koch
890e616593
gpg: For de-vs use SHA-256 instead of SHA-1 as implicit preference.
* g10/pkclist.c (select_algo_from_prefs): Change implicit hash
algorithm.
--

GnuPG-bug-id: 6043
2022-07-28 10:39:45 +02:00
Werner Koch
d0bd91ba73
agent: New option --no-user-trustlist and --sys-trustlist-name.
* agent/gpg-agent.c (oNoUserTrustlist,oSysTrustlistName): New.
(opts): Add new option names.
(parse_rereadable_options): Parse options.
(finalize_rereadable_options): Reset allow-mark-trusted for the new
option.
* agent/agent.h (opt): Add fields no_user_trustlist and
sys_trustlist_name.
* agent/trustlist.c (make_sys_trustlist_name): New.
(read_one_trustfile): Use here.
(read_trustfiles): Use here.  Implement --no-user-trustlist.  Also
repalce "allow_include" by "systrust" and adjust callers.
--

With the global options we can now avoid that a user changes the
Root-CA trust by editing the trustlist.txt.  However, to implement
this we need a new option so that we don't need to rely on some magic
like --no-allow-mark-trusted has been put into a force section.

The second option makes system administration easier as it allows to
keep the trustlist in a non-distributed file.

GnuPG-bug-id: 5990
Backported-from-master: 1530d04725d475bf29328eab40b42f72ff8aa06b
2022-07-27 17:02:29 +02:00