1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-09 21:28:51 +01:00
Commit Graph

9382 Commits

Author SHA1 Message Date
Ingo Klöcker
65bc5ea95e scd:p15: Fix logic for appending product name to MANUFACTURER.
* scd/app-p15.c (do_getattr): Append product name to MANUFACTURER if
manufacturer_id does not already contain a bracket and if we have a
product name.
2021-05-18 09:45:06 +02:00
Werner Koch
6dfae2f402
gpg: Use a more descriptive prompt for symmetric decryption.
* g10/keydb.h (GETPASSWORD_FLAG_SYMDECRYPT): New.
(passphrase_to_dek_ext): Remove this obsolete prototype.
* g10/passphrase.c (passphrase_get): Add arg flags.  Use new flag
value.
(passphrase_to_dek): Add arg flags and pass it on.
* g10/mainproc.c (proc_symkey_enc): Use new flag.

* sm/decrypt.c (pwri_decrypt): Use "passphrase".
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 03f83bcda5)

Note that we keep on using the term "passphrase" although "password"
would be better.  There are however so many occurance of this and
given it is a bike shedding topic we fix that in the PO files.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-17 19:48:15 +02:00
Werner Koch
1406f551f1
dirmngr: LDAP search by a mailbox now ignores revoked keys.
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Ignore revoked
and disable keys in mail mode.
--

The LDAP schema has a revoked and a disabled flag.  The former will be
set if a revoked key is uploaded; the latter can be set by other
means.   With this change a search by mailbox does not anymore return
keys with these LDAP attributes set.  This allows to better maintain a
directory with multiple keys per mailbox.

Doing the same for expired keys could also be done but requires more
effort.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-17 16:36:36 +02:00
Werner Koch
eeb65d3bbd
sm: Ask for the password for password based decryption (pwri)
* sm/decrypt.c (pwri_decrypt): Add arg ctrl.  Ask for passphrase.

* sm/export.c (export_p12): Mark string as translatable.
* sm/import.c (parse_p12): Ditto.
--

This is finishes the support for PWRI.

The N_() marks are added so that we don't rely of the side-effect of
having the same strings in protect-tool.c

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-17 15:42:27 +02:00
Werner Koch
02029f9eab
sm: Support decryption of password based encryption (pwri)
* sm/decrypt.c (pwri_parse_pbkdf2): New.
(pwri_decrypt): New.
(prepare_decryption): Support pwri.
(gpgsm_decrypt): Test for PWRI.  Move IS_DE_VS flag to DFPARM.
--

Note that this is not finished because we need to implement a password
callback.  For now "abc" is used as passwort.

Latest libksba is also required to return the required info.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-14 18:56:10 +02:00
NIIBE Yutaka
58b330e935 scd: Remove wrong assertion and add protection to PCSC.COUNT.
* scd/apdu.c (apdu_dev_list_finish): Fix for calling
release_pcsc_context.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-14 13:06:10 +09:00
Werner Koch
310b064f52
agent: Use SHA-256 for SSH fingerprint by default
* agent/gpg-agent.c (parse_rereadable_options): Change default ssh
fingerprint digest.
(main): Ditto.
--

Co-authored-by: Jakub Jelen <jjelen@redhat.com>
GnuPG-bug-id: 5434
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-12 08:55:51 +02:00
Werner Koch
965bb0693c
A few minor code cleanups and typo fixes.
* agent/command-ssh.c (ssh_handler_request_identities): Remove double
check of ERR.
* g10/getkey.c (get_pubkey_byname): Remove double use of break.
* g10/pkglue.c (pk_encrypt): Handle possible NULL-ptr access due to
failed malloc.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-11 09:06:34 +02:00
NIIBE Yutaka
ac731dbbbd gpg: Fix allocation for EXTRAHASH.
* g10/sign.c (clearsign_file): Fix the size to allocate.

--

GnuPG-bug-id: 5430
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-11 14:49:06 +09:00
NIIBE Yutaka
32baa9acfb scd: Serialize READER_TABLE access for PC/SC.
* scd/apdu.c (apdu_dev_list_start): Remove locking READER_TABLE_LOCK.
Don't increment PCSC.COUNT here.
(apdu_dev_list_finish): Don't decrement PCSC.COUNT here.
(apdu_open_reader): Protect access with READER_TABLE_LOCK.

--

GnuPG-bug-id: 5416
Fixes-commit: 8d81fd7c01
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-11 10:25:12 +09:00
NIIBE Yutaka
ec5591dc4e scd: Fix close_pcsc_reader.
* scd/apdu.c (close_pcsc_reader): Don't touch .RDRNAME field.
(apdu_dev_list_finish): Clear .RDRNAME field and replace call of
close_pcsc_reader by release_pcsc_context.  Add assertion.

--

GnuPG-bug-id: 5416
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-10 10:49:21 +09:00
NIIBE Yutaka
cccc9bd5db scd: Make sure releasing PC/SC context.
* scd/apdu.c (release_pcsc_context): New.
(close_pcsc_reader): Use release_pcsc_context.  Add assertion.
(apdu_dev_list_start): Replace call of close_pcsc_reader
into release_pcsc_context, add condition.

--

GnuPG-bug-id: 5416
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-10 10:31:08 +09:00
NIIBE Yutaka
0498ea8fbd scd: Increment PCSC.COUNT correctly.
* scd/apdu.c (open_pcsc_reader): PCSC.COUNT should
be incremented before possible call of close_pcsc_reader.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-07 11:25:20 +09:00
NIIBE Yutaka
5d1b413106 scd: Fix memory leak for RDRNAME and serialize access.
* scd/apdu.c (close_pcsc_reader): Move locking to...
(apdu_close_reader): ... here, as it's also needed for CCID driver.
Free RDRNAME when closed.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-07 10:48:13 +09:00
NIIBE Yutaka
039aed9d40 scd: Fix declarations for PC/SC access.
* scd/apdu.c (pcsc_begin_transaction, pcsc_transmit): Use HANDLE.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-07 07:11:17 +09:00
NIIBE Yutaka
53bdc6288f scd: Recover the partial match for PORTSTR for PC/SC.
* scd/apdu.c (apdu_open_reader): Allow partial match of
PORTSTR again just like 2.2 does.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-06 19:08:34 +09:00
NIIBE Yutaka
d6fe82d3d1 scd: When reader is specified, make sure only open once.
* scd/apdu.c (apdu_open_reader): Make sure not to try multiple times,
when PORTSTR is specified.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-05-06 19:05:30 +09:00
Werner Koch
8d81fd7c01
scd: Fix PC/SC removed card problem
* scd/apdu.c (pcsc_cancel): New.
(pcsc_init): Load new function.
(connect_pcsc_card): Use it after a removed card error.
--

Well, that was easier than I expected yesterday.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 09:14:25 +02:00
Werner Koch
1f846823b3
scd:p15: Fix the name of a card.
--
2021-04-28 18:31:51 +02:00
Werner Koch
bb8e3996e4
scd: Fix problem with reader list becoming empty.
* scd/apdu.c (close_pcsc_reader): Do not decrement refcount if already
zero.  Always release context if or becomes zero.
(apdu_dev_list_start): Unlock prior to close_pcsc_reader.  For PC/SC
increment the count.  Always release the lock.
(apdu_dev_list_finish): No more unlocking.  Use close_pcsc_reader
instead of code duplication.

* scd/apdu.c (pcsc_error_string): Add an error code.
* scd/scdaemon.c (scd_kick_the_loop): Fix a diagnostic.
--

There was an obvious bug in that the pcsc.count could go below zero
and thus there was no chance to get the context release.  Releasing
and recreating the context is at least under Windows important to get
rit of the PCSC_E_SERVICE_STOPPED.

Also removes a potential problem in holding the reader_table_lock
between calls to apdu_dev_list_start apdu_dev_list_finish.  There is
no need for this.  Instead we bump the pcsc.count.

The reader_table_lock strategy should be reviewed; we may be able to
remove it.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-28 18:21:56 +02:00
Werner Koch
178e4eb655
build: Allow running sign-release target from the dist dir.
--

This is a kludge to avoid a new configure run only to then cd down do
dist.  Just cd to dist and run make sign-release.
2021-04-28 18:21:56 +02:00
Kirill Elagin
f209d7d2db scd: Fix unblock PIN by a Reset Code with KDF.
* scd/app-openpgp.c (do_change_pin): Use correct CHVNO=1 for
pin2hash_if_kdf, for user's PIN.

--

GnuPG-bug-id: 5413
Signed-off-by: Kirill Elagin <kirelagin@gmail.com>
2021-04-27 20:34:35 +09:00
Werner Koch
4fcfac6feb
gpg: Fix mailbox based search via AKL keyserver method.
* g10/keyserver.c (keyserver_import_name): Rename to ...
(keyserver_import_mbox): this.  And use mail search mode.
* g10/getkey.c (get_pubkey_byname): Change the two callers.
--

In contrast to a search via keyserver_import_ntds the older
keyserver_import_name used a full match of the provided name despite
that it is only called with an addr-spec (mbox).  Due to the mode the
pattern send to dirmngr was prefixed with a '=' and thus dirmngr used
an exact search;.  This did only work for provided user ids like
"foo@example.org" but not for "<foo@example.org>" or
"Foo <foo@xample.org>".  The old code dates back to 2010.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-26 15:32:51 +02:00
Werner Koch
99db4b0c7f
gpg: Do not use import-clean for LDAP keyserver imports.
* g10/options.h (opts): New field expl_import_only.
* g10/import.c (parse_import_options): Set it.
* g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP.
--

I can be assumed that configured LDAP servers are somehow curated and
not affected by rogue key signatures as the HKP servers are.  Thus we
don't clean the key anymore so that key certifications are kept even
if the public key has not yet been imported.

See-commit: 6c26e593df
GnuPG-bug-id: 5387
2021-04-26 14:15:21 +02:00
Werner Koch
100037ac0f
gpg: Auto import keys specified with --trusted-keys.
* g10/getkey.c (get_pubkey_with_ldap_fallback): New.
* g10/trustdb.c (verify_own_keys): Use it.
2021-04-25 20:03:07 +02:00
Werner Koch
cc5aa68b63
scd:p15: Fix last commit and improve D-TRUST detection.
* scd/app-p15.c (read_p15_info): Improve D-TRUST card detection.
(do_getattr): Fix faulty code for the last commit.  Append the product
name to MANUFACTURER.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-25 16:35:36 +02:00
Werner Koch
21e3f750bd
scd:p15: Shorten the displayed s/n of RSCS cards
* scd/app-p15.c (get_dispserialno): Add dedicated handling for RSCS.
--

In fact we fix the display of the s/n because the s/n was taken from a
certificate.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-25 14:53:34 +02:00
Werner Koch
3cbc66410d
gpg: Replace an obsolete trustdb function.
* g10/trustdb.c (tdb_register_trusted_keyid): Make static.
(tdb_register_trusted_key): Replace register_trusted_keyid by
tdb_register_trusted_key.
* g10/keygen.c (do_generate_keypair): Ditto.
* g10/trust.c (register_trusted_keyid): Remove.
2021-04-23 20:45:25 +02:00
Werner Koch
0b875aa11a
agent,w32: Silence the get_peercred failed diagnostic
--
2021-04-23 09:52:57 +02:00
Werner Koch
883f1a5173
doc: Typo fix
--
2021-04-23 08:50:39 +02:00
Werner Koch
50293ec2eb
gpg: Allow decryption w/o public key but with correct card inserted.
* agent/command.c (cmd_readkey): Add option --no-data and special
handling for $SIGNKEYID and $AUTHKEYID.
* g10/call-agent.c (agent_scd_getattr): Create shadow keys for KEY-FPR
output.
* g10/skclist.c (enum_secret_keys): Automagically get a missing public
key for the current card.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-23 08:50:39 +02:00
Werner Koch
84c2d97cca
agent: Require verbose level 2 for handler started/terminated notices.
* agent/gpg-agent.c (do_start_connection_thread): Silence diags even
more.
2021-04-23 08:50:39 +02:00
bobwxc
ad7d2e6fb1 po: Update Simplified Chinese Translation.
--

Reviewed-by: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: bobwxc <bobwxc@yeah.net>
2021-04-23 11:18:12 +09:00
NIIBE Yutaka
97ba94e52b tools: Fix for --disable-tpm2d.
* tools/gpgconf-comp.c: Conditionalize with BUILD_WITH_TPM2D.

--

GnuPG-bug-id: 5408
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-04-23 11:10:04 +09:00
Werner Koch
4237a2b0a5
speedo: Automatically select Authenticode signing cert.
--

This is required because GlobalSign re-issued the certificate (which
actually required to install InternetExploder in addition to Edge) and
now we have two certs to select from.  The /a option seems to use the
latest generated certificate.
2021-04-22 11:33:55 +02:00
Werner Koch
9e24f2a45c
scd: Fix PSO_CSV for 512 bit curves
* scd/iso7816.c (iso7816_pso_csv): Use BER-TLV instead of SIMPLE-TLV

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-22 11:04:30 +02:00
Werner Koch
d36c4dc95b
tests: Make sure that the build keyboxd is used.
* tests/openpgp/defs.scm (create-gpghome): Add keyboxd-program.
--

GnuPG-bug-id: 5406
2021-04-22 08:46:24 +02:00
Werner Koch
2fce99d73a
card: New option --shadow for command list.
* tools/card-call-scd.c (scd_readkey): Add arg create_shadow.
* tools/gpg-card.c (list_one_kinfo): Add arg create_shadow and pass it
down to scd-readkey.  Change all callers to convey this arg.
(cmd_list): Add option --shadow.
2021-04-21 21:04:09 +02:00
Werner Koch
8f2c9cb735
agent: Silence error messages for READKEY --card
* agent/command.c (cmd_readkey): Test for shadow key before creating
it.
2021-04-21 21:00:28 +02:00
Werner Koch
ec36eca08c
gpg: Allow fingerprint based lookup with --locate-external-key.
* g10/keyserver.c (keyserver_import_fprint_ntds): New.
* g10/getkey.c (get_pubkey_byname): Detect an attempt to search by
fingerprint in no_local mode.
--

See the man page.  For testing use

  gpg --auto-key-locate local,wkd,keyserver --locate-external-key  \
    FINGERPRINT

with at least one LDAP keyserver given in dirmngr.conf.  On Windows
"ntds" may be used instead or in addtion to "keyserver".

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-21 18:32:21 +02:00
Werner Koch
f79e9540ca
keyboxd: Fix searching for exact mail addresses.
* kbx/kbxserver.c (cmd_search): Use the openpgp hack for calling
classify_user_id.
* kbx/backend-sqlite.c (run_select_statement): Remove angle brackets
in exact addrspec mode.
* g10/call-keyboxd.c (keydb_search): Do not duplicate the left angle
bracket.
* sm/keydb.c (keydb_search): Ditto.
--

Note that the openpgp hack flag of classify_user_id is actually a
misnomer because we actually hack a round a problem in gpgsm.  And it
is only over there that we don't set it there.  In keyboxd the flag
should be set.  And we need to remove the angle brackets of course
because that is how we create the addrspec column values.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-21 14:40:08 +02:00
Werner Koch
d153e4936e
gpg,sm: Ignore the log-file option from common.conf.
* g10/gpg.c (main): Don't use the default log file from common.conf.
* sm/gpgsm.c (main): Ditto.
--

That was acutally not intended and contradicts the description in
doc/example/common.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-21 14:40:08 +02:00
Ingo Klöcker
b096757f62 po: Fix typo in German translation.
--
2021-04-20 17:10:53 +02:00
Werner Koch
defd5793b6
Post release updates
--
2021-04-20 15:07:02 +02:00
Werner Koch
cbbdb88627
Release 2.3.1 2021-04-20 12:28:09 +02:00
Werner Koch
bc554b336f
po: Auto update
--
2021-04-20 12:27:44 +02:00
Werner Koch
cf39868361
po: Update German translation.
--
2021-04-20 12:24:59 +02:00
Werner Koch
45918813f0
Support log-file option from common.conf for all daemon.
* agent/gpg-agent.c: Include comopt.h.
(main): Read log-file option from common.conf.
(reread_configuration): Ditto.
* dirmngr/dirmngr.c: Include comopt.h.
(main): Read log-file option from common.conf.
(reread_configuration): Ditto.
* kbx/keyboxd.c: Include comopt.h.
(main): Read log-file option from common.conf.
(reread_configuration): Ditto.
* scd/scdaemon.c: Include comopt.h.
(main): Read log-file option from common.conf.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-20 10:50:10 +02:00
Werner Koch
b657d6c3bd
gpgconf: Fix a diagnostic output.
* tools/gpgconf-comp.c (gc_component_launch): Fix diagnostic.
* doc/examples/common.conf: Fix example.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-20 10:27:04 +02:00
Werner Koch
51419d6341
sm: New command --show-certs
* sm/keylist.c (do_show_certs): New.
(gpgsm_show_certs): New.
* sm/gpgsm.c (aShowCerts): New.
(opts): Add --show-certs.
(main): Call gpgsm_show_certs.
--

I have been using libksba test programs for countless times to look at
certificates and I always wanted to add such a feature to gpgsm.  This
is simply much more convenient.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-20 09:37:56 +02:00