1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-28 11:11:32 +01:00

8849 Commits

Author SHA1 Message Date
Werner Koch
c6324ee07a
common: Change argument order of log_printhex.
* common/logging.c (log_printhex): Chnage order of args.  Make it
printf alike.  Change all callers.
* configure.ac: Add -Wno-format-zero-length
--

This makes it consistent with modern libgpgrt logging and thus eases
back porting from newer GnuPG versions which use libgpgrt logging.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-05-12 18:51:47 +02:00
Werner Koch
aec7d136e4
sm: Always allow authorityInfoAccess lookup if CRLs are also enabled.
* sm/certchain.c (find_up): Disable external lookups in offline mode.
Always allow AKI lookup if CRLs are also enabled.
--

GnuPG-bug-id: 4898
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 19:07:36 +02:00
Werner Koch
d57209553d
sm: Lookup missing issuers first using authorityInfoAccess.
* sm/call-dirmngr.c (gpgsm_dirmngr_lookup): Add optional arg URL and
adjust all callers.
* sm/certchain.c (oidstr_caIssuers): New.
(struct find_up_store_certs_s): Add additional fields.
(find_up_store_certs_cb): Store the fingerprint.
(find_up_via_auth_info_access): New.
(find_up): Try the AIA URI first.
--

Note that --auto-issuer-key-retrieve is required to use that.

GnuPG-bug-id: 4898
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 18:05:44 +02:00
Werner Koch
3b27c26241
dirmngr: Allow http URLs with "LOOKUP --url"
* dirmngr/crlfetch.c (read_cert_via_http): New.
(fetch_cert_by_url): Implement http scheme.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 18:05:41 +02:00
Werner Koch
7dbfd92b3e
gpg: Add missing options --no-include-key-block.
* g10/gpg.c (opts): Add it.
--

This got lost when backporting from master.

Fixes-commit: 95b42278cafe7520d87168fb993ba715699e6bb6
GnuPG-bug-id: 4856
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 09:13:52 +02:00
Werner Koch
37b116db20
gpg: Make AEAD modes subject to compliance checks.
* g10/decrypt-data.c (decrypt_data): Move aead algo detection up.
--

Note that the AEAD modes are not yet approved for --compliance=de-vs

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 08:53:20 +02:00
Werner Koch
ab7a0b0702
gpg: Show AEAD preferences
* g10/packet.h (preftype_t): Add PREFTYPE_AEAD.
* g10/keyedit.c (show_prefs): Print AEAD preferences.
* g10/getkey.c (fixup_uidnode): Set AEAD flags.
(merge_selfsigs): Ditto.
--

Although we are not able to create such keys we should be abale to
show them.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 08:36:28 +02:00
Werner Koch
1dfe71c62b
gpg: Support decryption of the new AEAD packet
* common/openpgpdefs.h (aead_algo_t): New.
(pkttype_t): Add PKT_ENCRYPTED_AEAD.
* g10/decrypt-data.c (struct decode_filter_context_s): Add fields for
AEAD.
(aead_set_nonce_and_ad): New.
(aead_checktag): New.
(decrypt_data): Support AEAD.
(aead_underflow): New.
(aead_decode_filter): New.
* g10/dek.h (DEK): Add field use_aead.  Turn use_mdc,
algo_info_printed, and symmetric into bit flags.
* g10/mainproc.c (struct mainproc_context): Add field
seen_pkt_encrypted_aead.
(release_list): Clear it.
(have_seen_pkt_encrypted_aead): New.
(symkey_decrypt_seskey): Support AEAD.
(proc_symkey_enc): Ditto.
(proc_encrypted): Ditto.
(proc_plaintext): Ditto.
* g10/misc.c (MY_GCRY_CIPHER_MODE_EAX): New.
(openpgp_aead_test_algo): New.
(openpgp_aead_algo_name): New.
(openpgp_aead_algo_info): New.
* g10/packet.h (PKT_symkey_enc): Add field use_aead.
(PKT_user_id): Add field flags.aead
(PKT_public_key): Ditto.
(PKT_encrypted): Add fields for AEAD.
* g10/parse-packet.c (parse): Handle PKT_ENCRYPTED_AEAD.
(parse_symkeyenc): Support AEAD.
(parse_encrypted): Ditto.
(dump_sig_subpkt): Dump AEAD preference packet.
(parse_encrypted_aead): New.
--

This patch allows to decrypt data encrypted using the new AEAD
mechanism as specified in rfc4880bis.  Although preferences are used
to enable this new mode, it is useful to have at least a decryption
option in case a user switches between GnuPG 2.2 and newer versions.

The new AEAD mechanism is much faster than the current CFB+MDC and
thus 2.2 will allow faster decryption of symmetric only decryption.

This patch is based on the current master (2.3) code base and includes
a few other patches.  In particular
commit 44be675b759d27bac310c2de8bae1b7882a26b65
(gpg: More check for symmetric key encryption.)
is included.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-16 08:25:55 +02:00
Werner Koch
144b95cc9d
gpg: Improve symmetric decryption speed by about 25%
* g10/decrypt-data.c (mdc_decode_filter, decode_filter): Fatcor buffer
filling code out to ...
(fill_buffer): new.
--

This patch includes the master commit
d989373f1a46139ed0fbc4d4a91069b78617ad9
and
5d6c080522e1666943b75c99124fb69b985b6941

Benchmarking on our usual X220 shows for a 1.3GiB non-compressed
non-armored AES encrypted file (ECDH encrypted but the symmetric
decryption takes the majority of the time, reading from stdin writing
to /dev/null):

|            | before    | after     |
|------------+-----------+-----------|
| real       | 0m15.006s | 0m11.849s |
| user       | 0m14.304s | 0m11.259s |
| sys        | 0m0.640s  | 0m0.537s  |
| throughput | 90 MiB/s  | 115 MiB/s |

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 20:51:10 +02:00
Werner Koch
2f39e00b6b
gpg: Reformat parts of decrypt-data.c
* g10/decrypt-data.c (struct decode_filter_context_s): Rename 'defer'
to 'holdback' and 'defer_filled' to 'holdbacklen'.  Increase size of
holdback to allow for future AEAD decryption.  Turn 'partial' and
'eof_seen' into bit fields.
(decrypt_data): Replace write_status_text by write_Status_printf.
Indent parts of the code.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 20:00:34 +02:00
Werner Koch
ddc74f50d4
sm,dirmngr: Restrict allowed parameters used with rsaPSS.
* sm/certcheck.c (extract_pss_params): Check the used PSS params.
* dirmngr/crlcache.c (finish_sig_check): Ditto.
* dirmngr/validate.c (check_cert_sig): Ditto.
--

GnuPG-bug-id: 4538

# ------------------------ >8 ------------------------
See
https://www.metzdowd.com/pipermail/cryptography/2019-November/035449.html

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:45:58 +02:00
Werner Koch
24d563749f
sm: Support rsaPSS verification also for CMS signatures.
* sm/certcheck.c (gpgsm_check_cert_sig): Factor PSS parsing out to ...
(extract_pss_params): new.
(gpgsm_check_cms_signature): Implement PSS.
--

GnuPG-bug-id: 4538
2020-04-15 15:45:34 +02:00
Werner Koch
8bf17eb94d
dirmngr: Support rsaPSS also in the general validate module.
* dirmngr/validate.c (hash_algo_from_buffer): New.
(uint_from_buffer): New.
(check_cert_sig): Support rsaPSS.
* sm/certcheck.c (gpgsm_check_cert_sig): Fix small memory leak on
error.
--

Yes, I know that there is a lot of code duplication.  In fact some of
the code is ugly and it would be better if we enhance Libgcrypt to
guarantee that returned memory buffers via gcry_sexp_extract_param are
allways Nul terminated and we should also enhance that function to
directly extract into an unsigned int or char *.

GnuPG-bug-id: 4538
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:44:37 +02:00
Werner Koch
0626cc8fed
sm,dirmngr: Support rsaPSS signature verification.
* sm/certcheck.c (hash_algo_from_buffer): New.
(uint_from_buffer): New.
(gpgsm_check_cert_sig): Handle PSS.
* dirmngr/crlcache.c (hash_algo_from_buffer): New.
(uint_from_buffer): New.
(start_sig_check): Detect PSS and extract hash algo.  New arg to
return a PSS flag.
(finish_sig_check): New arg use_pss.  Extract PSS args and use them.
(crl_parse_insert): Pass use_pss flag along.
--

GnuPG-bug-id: 4538
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:43:06 +02:00
Werner Koch
4d37cc72b8
common: New function to map hash algo names.
* common/sexputil.c (hash_algo_to_string): New.
--

Libgcrypt expects lowercase names and it is cumbersome to downcase
those retrieved via gcry_md_algo_name.  It is easier and also faster
to use a dedicated map function.
2020-04-15 15:43:00 +02:00
Werner Koch
39e2260d7e
scd:p15: Return a display S/N via Assuan.
* scd/app-p15.c (make_pin_prompt): Factor some code out to ...
(get_dispserialno): this.
(do_getattr): Use new fucntion for a $DISPSERIALNO.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:42:35 +02:00
Werner Koch
beaa2cbb7f
scd:p15: Show a pretty PIN prompt.
* scd/app-p15.c (struct prkdf_object_s): New fields common_name and
serial_number.
(release_prkdflist): Free them.
(keygrip_from_prkdf): Parse cert and set them.
(any_control_or_space): New.
(make_pin_prompt): New.
(verify_pin): Construct a pretty PIN prompt.
(do_sign): Remove debug output.
--

The D-Trust card has the SerialNumber part of the Subject printed on
the front matter, we assume this is also possible with other cards and
thus we show this as serial number.

The holder of the card is also extracted from the card's subject.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from master.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:42:01 +02:00
Werner Koch
9e6a3290da
scd: Return GPG_ERR_BAD_PIN on 0x63Cn status word.
* scd/iso7816.c (map_sw): Detect 0x63Cn status code.
--

I really wonder when that got lost and we ended up with a simple card
error.

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported from master.
2020-04-15 15:38:13 +02:00
Werner Koch
9497d25c56
scd: Factor common PIN status check out.
* scd/iso7816.h (ISO7816_VERIFY_ERROR): New.
(ISO7816_VERIFY_NO_PIN): New.
(ISO7816_VERIFY_BLOCKED): New.
(ISO7816_VERIFY_NULLPIN): New.
(ISO7816_VERIFY_NOT_NEEDED): New.
* scd/iso7816.c (iso7816_verify_status): New.
* scd/app-nks.c (get_chv_status): Use new function.
--

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from master:
- Removed the non-existant app-piv.c patches.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:35:55 +02:00
Werner Koch
471b06e91b
scd:p15: Fix decrypt followed by sign problem for D-Trust cards.
* scd/iso7816.c (iso7816_select_mf): New.
* scd/app-p15.c (card_product_t): New.
(struct app_local_s): Add field 'card_product'.
(read_ef_tokeninfo): Detect D-Trust card.
(prepare_verify_pin): Switch to D-Trust AID.
(do_decipher): Restore a SE for D-TRust cards.  Change the padding
indicator to 0x81.

* common/percent.c (percent_data_escape): new.  Taken from master.
--

Using what I learned from a USB trace running the Governikus Signer
Software on Windows this fixes the left over problem with the new
D-Trust card support.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from master.  This required to add the percent_data_escape
function we introduced in master on 2018-07-02:

    commit 58baf40af641f8cbf597e508a292e85ae94688f1
    common: New function percent_data_escape.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:31:56 +02:00
Werner Koch
4148976841
scd:p15: Emit MANUFACTURER, $ENCRKEYID, $SIGNKEYID.
* scd/app-p15.c (read_ef_tokeninfo): Store manufacturer_id.
(do_getattr): Implement MANUFACTURER, $ENCRKEYID and $SIGNKEYID.
(send_keypairinfo): Also print usage flags.
--

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from master.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:21:25 +02:00
Werner Koch
88b456bdf4
gpg: Use the new MANUFACTURER attribute.
* g10/call-agent.h (struct agent_card_info_s): Add manufacturer fields.
* g10/call-agent.c (agent_release_card_info): Release them.
(learn_status_cb): Parse MANUFACTURER attribute.
* g10/card-util.c (get_manufacturer): Remove.
(current_card_status): Use new attribute.
--

This does away with the duplicated OpenPGP vendor tables; they are now
at a better place (app-openpgp.c).

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from master:
- Removed the gpg-card stuff.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:18:41 +02:00
Werner Koch
431b3e68e0
scd:openpgp: New attribute "MANUFACTURER".
* scd/app-openpgp.c (get_manufacturer): New..
(do_getattr): Add new attribute "MANUFACTURER".
(do_learn_status): Always print it.
--

This will make it easy to maintain the list of OpenPGP vendors at just
one place.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from master:

.. or well in master and 2.2

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:16:05 +02:00
Werner Koch
b0cb2c2ab8
scd:p15: Rename some variables and functions for clarity.
* scd/app-p15.c: Rename keyinfo to prkdf.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from master.  Removed the do_with_keygrip related parts
because that function is not available.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:13:42 +02:00
Werner Koch
133b6ff8cd
scd:p15: Cache the PIN.
* scd/app-p15.c (struct prkdf_object_s): Add flag pin_verified.
(verify_pin): Make use of it.
--

Theee is still a problem with the APDUs we send: Switching between
signing and decryption does work but not in the other way.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-15 15:10:54 +02:00
NIIBE Yutaka
2f08a4f25d gpg: ECDH: Accept longer padding.
* g10/pubkey-enc.c (get_it): Remove check which mandates shorter
padding.

--

Cherry-picked master commit of:
	fd79cadf7ba5ce45dfb5e266975f58bf5c7ce145

According to the section 8 of RFC 6637, the sender MAY use 21 bytes of
padding for AES-128 to provide 40-byte "m".

Reported-by: Metin Savignano
GnuPG-bug-id: 4908
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-04-08 09:39:29 +09:00
Werner Koch
b95a0bfbba
scd:p15: Add missing keygrip retrieval for decryption.
* scd/app-p15.c (do_decipher): Get the keygrip.
--

This was lost during the backport.

Fixes-commit: 4af38ea5e450b3eb79af98b9876b2b968110a459
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-01 17:43:05 +02:00
Werner Koch
4af38ea5e4
scd:p15: Support decryption with CardOS 5 cards.
* scd/app-p15.c (do_decipher): New.
--

tested using the D-TRUSt card and a SCR3310 reader.  The Kobil KAAN
Advanced, I used for the signing tests could not be used because it
supports only Short APDU Level exchange.

Signed-off-by: Werner Koch <wk@gnupg.org>

Back ported from master.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-01 16:11:29 +02:00
Werner Koch
ce9406ca37
scd:p15: Factor PIN verification out to a new function.
* scd/app-p15.c (do_sign): Factor code out to ...
(prepare_verify_pin, verify_pin): new functions.
--

Signed-off-by: Werner Koch <wk@gnupg.org>

Bakc ported from master

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-01 16:05:54 +02:00
Werner Koch
e730444e7b
scd:p15: Support signing with CardOS 5 cards.
* scd/app-help.c (app_help_get_keygrip_string_pk): Add optional arg
r_pkey and change all callers.
(app_help_get_keygrip_string): Ditto.
* scd/app-p15.c (struct cdf_object_s): Use bit flags
(struct aodf_object_s): Ditto.  Add field 'fid'.
(struct prkdf_object_s): Ditto.  Add fields keygrip, keyalgo, and
keynbits.
(parse_certid): Allow a keygrip instead of a certid aka keyref.
(read_ef_aodf): Store the FID.
(keygripstr_from_prkdf): Rename to ...
(keygrip_from_prkdf): this.  Remove arg r_gripstr and implement cache.
Change callers to directly use the values from the object.  Also store
the algo and length of the key ion the object.
(keyref_from_keyinfo): New. Factored out code.
(do_sign): Support SHA-256 and >2048 bit RSA keys.
common/scd:p15: Support signing with CardOS 5 cards.
* common/util.h (KEYGRIP_LEN): New.
--

This has been tested with a D-Trust card featuring 3072 bit keys.
Note that non-repudiation key for a qualified signature does not yet
work because we do not yet support rsaPSS padding.  Thus a gpgsm
--learn shows a couple of Bad Signature errors for this key.

Signed-off-by: Werner Koch <wk@gnupg.org>

Back ported from master:
- Removed do_with_keygrip
- Added KEYGRIP_LEN
- app_help_get_keygrip_string_pk actually added.
- Move keygrip_from_prkdf in do_sign before the verification.
  It used to work in master only because there it is implictly
  called prior to signing by do_with_keygrip

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-01 16:00:31 +02:00
Werner Koch
368f006a28
scd:p15: Read certificates in extended mode.
* scd/app-p15.c (readcert_by_cdf): Allow reading in extended mode.
* scd/app-common.h (app_get_slot): New.
--

Signed-off-by: Werner Koch <wk@gnupg.org>

(Back ported from master)

Added app_get_slot.
2020-04-01 15:01:43 +02:00
Werner Koch
64142caafe
scd: Add function for binary read in extended mode.
* scd/iso7816.c (iso7816_read_binary): Factor code out to ...
(iso7816_read_binary_ext): new function.  Add arg extended_mode.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-04-01 14:55:30 +02:00
Werner Koch
135af66525
scd:p15: Improve diagnostics
--

This removes almost all log_debug calls and uses opt.verbose and
log_info to show card information.  Also avoid too long and thus
harder to read lines.

Signed-off-by: Werner Koch <wk@gnupg.org>

(back ported from master)
2020-04-01 14:54:47 +02:00
Werner Koch
60b0aa7e57
scd:p15: Detect CardOS 5 cards and print some basic infos.
* scd/app-p15.c (read_ef_odf): Detect the home_DF on the fly.  Silence
the garbage warning for null bytes.
(print_tokeninfo_tokenflags): New.
(read_ef_tokeninfo): Print manufacturer, label, and flags.
(app_select_p15): No need to use the app_get_slot macro.
(CARD_TYPE_CARDOS_50): New const.
(card_atr_list): Detect CardOS 5.0
--

The card under test is a "Test-Signaturkarte D-TRUST Card 3.1" for a
mere 49 Euro and no specs available.  D-Trust is a branch of the
German Bundesdruckerei.  Compare that to Telesec and Yubikey who have
always been nice enough to send bunches of sample cards without a need
to wade through lots of forms and not even asking for money.  Guess
which cards I prefer.

Signed-off-by: Werner Koch <wk@gnupg.org>

(backported from master)
2020-04-01 14:50:37 +02:00
Werner Koch
76d2a02dfe
wks: Take name of sendmail from configure.
* configure.ac (NAME_OF_SENDMAIL): New ac_define.
* tools/send-mail.c (run_sendmail): Use it.
--

We used to ac_subst the SENDMAIL in the old keyserver via mail script.
We can reuse this to avoid a fixed name for sendmail in the
send-mail.c helper.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 08147f8bbdca40c98c2a094fa48fab15b8339c80)
GnuPG-bug-id: 4886
2020-03-30 17:38:26 +02:00
Werner Koch
011a2f5fb7
agent: Print an error if gpg-protect reads the extended key format.
* agent/protect-tool.c (read_key): Detect simple extended key format.
--

This is a quick hack to get a useful error messages.  The real fix is
to replace the protect tool by a more useful new tool.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-30 17:33:24 +02:00
Werner Koch
2b4b0b1223
sm: Fix possible NULL deref in error messages of --gen-key.
* sm/certreqgen.c: Protect printing the line numbers in case of !R.
--

GnuPG-bug-id: 4895
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-30 17:32:42 +02:00
Werner Koch
1424c12e4c
sm: Consider certificates w/o CRL DP as valid.
* sm/certchain.c (is_cert_still_valid): Shortcut if tehre is no DP.
* common/audit.c (proc_type_verify): Print "n/a" if a cert has no
distribution point.
* sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check.
* sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New.
(opts): Add option --enable-issuer-based-crl-check.
(main): Set option.
--

If the issuer does not provide a DP and the user wants such an issuer,
we expect that a certificate does not need revocation checks.  The new
option --enable-issuer-based-crl-check can be used to revert to the
old behaviour which requires that a suitable LDAP server has been
configured to lookup a CRL by issuer.

Signed-off-by: Werner Koch <wk@gnupg.org>

(cherry picked from master)
2020-03-27 21:20:13 +01:00
Werner Koch
bc7e56d9dc
Post release updates
--
2020-03-20 17:34:20 +01:00
Werner Koch
5094bb08ed
Release 2.2.20
* build-aux/speedo.mk (sign-installer): Fix syntax error.
gnupg-2.2.20
2020-03-20 16:35:49 +01:00
Werner Koch
dae1e384c4
po: Auto-update
--
2020-03-20 15:17:19 +01:00
Werner Koch
b27d30df62
Copyright notice updates et al.
--
2020-03-19 15:48:12 +01:00
Werner Koch
67556218c0
po: Update German translation
--
2020-03-19 14:27:58 +01:00
Werner Koch
b92860a8b9
gpgconf: Take care of --homedir when reading/updating options.
* tools/gpgconf-comp.c (gc_component_check_options): Take care of
--homedir.
(retrieve_options_from_program): Ditto.
--

Note that due to the large changes in master we could not backport the
patch from there.

GnuPG-bug-id: 4882
2020-03-19 13:01:42 +01:00
NIIBE Yutaka
8aec6d6fd8 po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-03-19 09:28:41 +09:00
NIIBE Yutaka
133248b297
scd: Fix pinpad handling when KDF enabled.
* scd/app-openpgp.c (do_getattr): Send the KDF DO information.

--

Fixes-commit: 95c7498b76231d3297541172d878f6a26702539b
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 11da441016222337284c519ff56aca34e3042373)
2020-03-18 16:05:20 +01:00
NIIBE Yutaka
b27e20a95c
scd: Disable pinpad if it's impossible by KDF DO.
* scd/app-openpgp.c (struct app_local_s): Add pinpad.disabled field.
(do_getattr): Set pinpad.disabled field.
(check_pinpad_request): Use the pinpad.disabled field.
(do_setattr): Update pinpad.disabled field.

--

GnuPG-bug-id: 4832
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 95c7498b76231d3297541172d878f6a26702539b)
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-18 16:02:32 +01:00
Werner Koch
fbe3184752
gpg: Print a hint for --batch mode and --delete-secret-key.
* g10/delkey.c: Include shareddefs.h.
(delete_keys): Print a hint.
--

The option --yes has some side-effects so it is not desirable to use it
automatically.  The code in master (2.3) has special treatment of
confirm messages and thus this patch is only for 2.2.

GnuPG-bug-id: 4667
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-18 15:26:43 +01:00
Werner Koch
25dc0e5b1e
dirmngr: Improve finding OCSP cert.
* dirmngr/certcache.c (find_cert_bysubject): Add better debug output
and try to locate by keyid.
--

This change was suggested in T4536
but we do not have any test cases for this.

GnuPG-bug-id: 4536
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 4699e294cc9e59f35262adca26ca291927acca9e)

The bug report meanwhile has a test description but I have not done
the testing yet.  I port this back to 2.2 anyway given that no
regression have been reported for master in nearly a year.
2020-03-18 14:14:00 +01:00
Daniel Kahn Gillmor
b6d89d1944
gpg: Update --trusted-key to accept fingerprint as well as long key id.
* g10/trustdb.c (tdb_register_trusted_key): accept fingerprint as well
as long key ID.
* doc/gpg.texi: document that --trusted-key can accept a fingerprint.
--

GnuPG-bug-id: 4855
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Fixed uses or return and kept the old string to avoid breaking
translations.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 810ea2cc684480c6aadceb2a10dd00f3fa67f2fb)

Remove the test for FPRLEN which we do not have in 2.2

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-03-18 14:01:17 +01:00