1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

6603 Commits

Author SHA1 Message Date
Neal H. Walfield
bfeafe2d3f g10: Use es_fopen instead of open.
* g10/tofu.c: Don't include <utime.h>, <fcntl.h> or <unistd.h>.
(busy_handler): Replace use of open with es_fopen.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>

Thanks for Werner for pointing this out: es_fopen is more portable
than open.
2016-11-22 17:12:38 +01:00
Neal H. Walfield
44c17bcb00 g10: If the set of UTKs changes, invalidate any changed policies.
* g10/trustdb.c (tdb_utks): New function.
* g10/tofu.c (check_utks): New function.
(initdb): Call it.
* tests/openpgp/tofu.scm: Modify test to check the effective policy of
keys whose effective policy changes when we change the set of UTKs.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>

If the set of ultimately trusted keys changes, then it is possible
that a binding's effective policy changes.  To deal with this, we
detect when the set of ultimately trusted keys changes and invalidate
all cached policies.
2016-11-22 15:24:05 +01:00
NIIBE Yutaka
5c2db9dedf scd: Fix receive buffer size.
* scd/apdu.c (send_le): Fix the size, adding two for status
bytes to Le.

--

This is long standing bug.  So far, Le was not exact value.
Since forthcoming change will introduce exact value of expected length
of response data, this change is needed.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-11-22 20:53:57 +09:00
Justus Winter
a3b258d1d1 gpgscm: Refactor.
* tests/gpgscm/scheme.c (opexe_0): Reduce code duplication.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-22 12:09:47 +01:00
Justus Winter
d8df804272 gpgscm: Fix property lists.
* tests/gpgscm/opdefines.h (put, get): Check arguments.  Also rename
to 'set-symbol-property' and 'symbol-property', the names used by
Guile, because put and get are too unspecific.
* tests/gpgscm/scheme.c (hasprop): Only symbols have property lists.
(get_property): New function.
(set_property): Likewise.
(opexe_4): Use the new functions.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-22 12:09:47 +01:00
Justus Winter
7b4e2ea274 gpgscm: Fix installation of error handler.
* tests/gpgscm/ffi.scm: Set '*error-hook*' again so that the
interpreter will use our function.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-22 12:09:47 +01:00
Justus Winter
66834eb838 gpgscm: Use a static pool of cells for small integers.
* tests/gpgscm/scheme-private.h (struct scheme): New fields for the
static integer cells.
* tests/gpgscm/scheme.c (_alloc_cellseg): New function.
(alloc_cellseg): Use the new function.
(MAX_SMALL_INTEGER): New macro.
(initialize_small_integers): New function.
(mk_small_integer): Likewise.
(mk_integer): Return a small integer if possible.
(_s_return): Do not free 'op' if it is a small integer.
(s_save): Use a small integer to box the opcode.
(scheme_init_custom_alloc): Initialize small integers.
(scheme_deinit): Free chunk of small integers.
* tests/gpgscm/scheme.h (USE_SMALL_INTEGERS): New macro.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-22 12:09:47 +01:00
Justus Winter
893a3f7fb4 tests: Delay querying the avaliable algorithms.
* tests/openpgp/defs.scm: Set verbosity earlier, turn 'all-*-algos'
into promises.
* tests/openpgp/conventional-mdc.scm: Force the promises.
* tests/openpgp/conventional.scm: Likewise.
* tests/openpgp/encrypt-dsa.scm: Likewise.
* tests/openpgp/encrypt.scm: Likewise.
* tests/openpgp/gpgtar.scm: Likewise.
* tests/openpgp/sigs.scm: Likewise.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-22 12:09:47 +01:00
Justus Winter
6ce14a805f g10: Fix memory leak.
* g10/tofu.c (tofu_notice_key_changed): Remove spurious duplicate call
to 'hexfingerprint'.

Fixes-commit: 037f9de09298a31026ea2ab5fbd4a599b11cc34f
Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-22 12:09:47 +01:00
Neal H. Walfield
037f9de092 g10: Cache the effective policy. Recompute it when required.
* g10/tofu.c (initdb): Add column effective_policy to the bindings
table.
(record_binding): New parameters effective_policy and set_conflict.
Save the effective policy.  If SET_CONFLICT is set, then set conflict
according to CONFLICT.  Otherwise, preserve the current value of
conflict.  Update callers.
(get_trust): Don't compute the effective policy here...
(get_policy): ... do it here, if it was not cached.  Take new
parameters, PK, the public key, and NOW, the time that the operation
started.  Update callers.
(show_statistics): New parameter PK.  Pass it to get_policy.  Update
callers.
(tofu_notice_key_changed): New function.
* g10/gpgv.c (tofu_notice_key_changed): New stub.
* g10/import.c (import_revoke_cert): Take additional argument CTRL.
Pass it to keydb_update_keyblock.
* g10/keydb.c (keydb_update_keyblock): Take additional argument CTRL.
Update callers.
[USE_TOFU]: Call tofu_notice_key_changed.
* g10/test-stubs.c (tofu_notice_key_changed): New stub.
* tests/openpgp/tofu.scm: Assume that manually setting a binding's
policy to auto does not cause the tofu engine to forget about any
conflict.

--
Signed-off-by: Neal H. Walfield <neal@g10code.com>

We now store the computed policy in the tofu DB (in the
effective_policy column of the bindings table) to avoid computing it
every time, which is expensive.  Further, policy is never overridden
in case of a conflict.  Instead, we detect a conflict if CONFLICT is
not empty.

This change is backwards compatible to existing DBs.  The only minor
incompatibility is that unresolved conflicts won't be automatically
resolved in case we import a direct signature, or cross signatures.
2016-11-21 22:47:30 +01:00
Neal H. Walfield
182efc5b5d g10: Correctly parameterize ngettext.
* g10/tofu.c (ask_about_binding): Correctly parameterize ngettext.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-11-21 21:22:02 +01:00
Neal H. Walfield
7142b293c8 g10: Don't use the same variable for multiple SQL compiled statements
* g10/tofu.c (struct tofu_dbs_s): Remove unused field
record_binding_update2.  Replace register_insert with
register_signature and register_encryption.
(tofu_register_signature): Don't use dbs->s.register_insert, but
dbs->s.register_signature.
(tofu_register_encryption): Don't use dbs->s.register_insert, but
dbs->s.register_encryption.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-11-21 21:13:15 +01:00
Neal H. Walfield
91a0483c5d g10: Add a convenience function for checking if a key is a primary key
* g10/keydb.h (pk_is_primary): New function.
* g10/tofu.c (get_trust): Use it.
(tofu_register_signature): Likewise.
(tofu_register_encryption): Likewise.
(tofu_set_policy): Likewise.
(tofu_get_policy): Likewise.

Signed-off-by: Neal H. Walfield <neal@g10code.com>
2016-11-21 16:39:53 +01:00
Werner Koch
362afb4f60
build: Add repo-only maintainer script append-signature.sh.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-21 11:51:32 +01:00
Daniel Kahn Gillmor
2c97fa84c1 doc: Clarify dirmngr --homedir option.
--

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-11-21 17:33:31 +09:00
Daniel Kahn Gillmor
0540cfbee4 doc: Ship example gpg-agent-browser.socket in examples/systemd-user/.
* doc/Makefile.am: Ship gpg-agent-browser.socket alongside the other
systemd user service example files.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-11-21 16:37:24 +09:00
NIIBE Yutaka
9a707a223a agent: Fix npth + daemon mode problem.
* agent/gpg-agent.c (main): Remove duplicated initialization in daemon
mode.

--
The commit f57dc2b1e6f28d164f882373535dbcb0d632ca17 fixes a part of
problem (for missing initialization of supervised mode).  It was
actually put in wrong place.

Fixes-commit: 9f92b62a51d2d60f038fdbe01602865c5933fa95
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-11-21 11:18:33 +09:00
Werner Koch
7e174fcc74
Post release updates.
--
2016-11-18 21:50:34 +01:00
Werner Koch
0a641ad25d
Release 2.1.16 gnupg-2.1.16 2016-11-18 16:52:04 +01:00
Werner Koch
5b5bf9bab8
po: Auto-update
--
2016-11-18 15:45:05 +01:00
Werner Koch
e8ce5e3a25
po: Update the German translation
--

Note that the TOFU related strings are updated because more changes
are expected after the next release.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-18 15:42:43 +01:00
Ineiev
11aaa9c6d4
po: Update Russian translation. 2016-11-18 15:27:54 +01:00
NIIBE Yutaka
1c0b140ccc g10: Fix flags to open for lock of ToFU.
* g10/tofu.c (busy_handler): Fix the flags and utime is not needed.

--

The argument flags must include one of O_RDONLY, O_WRONLY, or O_RDWR.
Adding O_TRUNC, the file is updated.  So, utime is not needed.

Fixes-commit: b2e1b17efa952afcf7aeec8b15e9d0088dba587a
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-11-18 20:32:22 +09:00
Werner Koch
833eef974a
dirmngr: Use a longer timer tick interval.
* dirmngr/dirmngr.c (TIMERTICK_INTERVAL): Always use 60 seconds like
we did for WindowsCE.
--

Given that the timer tick is only used for housekeeping tasks and
these are done every 10 minutes, it makes no sense to use 2 seconds.
The minor drawback is tha the housekeeping may be delayed by one
minute.

NB: For the purpose of power saving, we already make sure that the
process wakes up at the full second so that it is synchronized to the
wakeup time of other processes.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-18 08:30:33 +01:00
Daniel Kahn Gillmor
b3a9172012
dirmngr: More w32 system daemon cleanup
* dirmngr/dirmngr.c (handle_tick): Remove w32 tests for
shutdown_pending; no longer needed.

--

In d83ba4897bf217d1045c58d1b99e52bd31c58812, we removed the
Windows-specific system daemon features, where shutdown_pending was
set from w32_service_control().  shutdown_pending is now never
assigned outside of handle_signal() or within an inotify test, neither
of which are available on w32.

As a result, this stanza in handle_tick() should be dead code, and can
be removed to keep things simple.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

s/win32/w32/ to please RMS ;-)  -wk
2016-11-18 08:30:33 +01:00
NIIBE Yutaka
b2e1b17efa g10: Fix creating a lock for ToFU.
* g10/tofu.c (busy_handler): Add third argument which is mandatory for
O_CREATE flag.

--

Reported-by: Kristian Fiskerstrand
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-11-18 09:32:34 +09:00
NIIBE Yutaka
b6066ab18a scd: Don't limit to ST-2xxx for PC/SC.
* scd/apdu.c (pcsc_vendor_specific_init): Only check vender ID.

--

Some other products by Cherry works with pinpad, although it only works
for smaller keys (RSA 1024).  TPDU support is good for larger keys.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-11-18 08:54:04 +09:00
Daniel Kahn Gillmor
8fb4822524
dirmngr: Use a default keyserver if none is explicitly set
* configure.ac: Define DIRMNGR_DEFAULT_KEYSERVER.
* dirmngr/server.c (ensure_keyserver): Use it if no keyservers are set.
* doc/dirmngr.texi: Document this behavior.

--

A user who doesn't specify a keyserver, but asks gnupg to fetch a key
currently just gets a simple error messages "No keyserver available".

If the user is asking to contact a keyserver, we should have a
reasonable default, and not require them to fiddle with settings when
they might not know what settings to choose.  This patch makes the
default hkps://hkps.pool.sks-keyservers.net.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-11-17 15:29:35 +01:00
Daniel Kahn Gillmor
7c1613d415
dirmngr: Add system CAs if no hkp-cacert is given
* dirmngr/dirmngr.c (http_session_new): If the user isn't talking to
the HKPS pool, and they have not specified any hkp-cacert, then we
should default to the system CAs, rather than nothing.
* doc/dirmngr.texi: Document choice of CAs.

--

Consider three possible classes of dirmngr configuration:

 a) no hkps:// keyserver URLs at all (communication with keyservers is
    entirely in the clear)

 b) hkps:// keyserver URLs, but no hkp-cacert directives

 c) hkps:// keyserver URLs, and at least one hkp-cacert directive

class (a) provides no confidentiality of requests.

class (b) currently will never work because the server certificate
cannot be validated.

class (c) is currently supported as intended.

This patch allows users with configurations in class (b) to work as
most users expect (relying on the system certificate authorities),
without affecting users in classes (a) or (c).

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

o minor indentation fix
  - wk
2016-11-17 15:29:35 +01:00
Daniel Kahn Gillmor
c4e02a3b7a
dirmngr: Register hkp-cacert even if the file doesn't exist yet
* dirmngr/dirmngr.c (parse_readable_options): If we're unable to turn
an argument for hkp-cacert into an absolute filename, terminate
completely.
* dirmngr/http.c (http_register_tls_ca): Show a warning if file is not
immediately accessible, but register it anyway.

--

Without this changeset, the condition of the filesystem when dirmngr
is initialized will have an effect on later activities of dirmngr.

For example, if a file identified by a hkp-cacert directive doesn't
exist when dirmngr starts, dirmngr will behave as though it simply
didn't have the hkp-cacert directive set at all, even if the file
should appear later.

dirmngr currently behaves differently if no hkp-cacert directives have
been set then it does when at least one hkp-cacert directive has been
set.  For example, its choice of CA cert for
hkps://hkps.pool.sks-keyservers.net depends on whether a TLS CA file
has been registered.  That behavior shouldn't additionally depend on
the state of the filesystem at the time of dirmngr launch.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2016-11-17 15:29:35 +01:00
Werner Koch
5210ff70bc
doc: Typo fixes.
--

Reported-by: Nathan Musoke <nathan.musoke@gmail.com>
2016-11-17 15:29:35 +01:00
Justus Winter
4f189325a4 gpgscm: Re-enable the garbage collector in case of errors.
* tests/gpgscm/scheme.c (opexe_0): Enable gc before calling 'Error_1'.

Fixes-commit: 83c184a66b73f312425b01008f0495610e5329a4
Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-17 13:25:14 +01:00
Justus Winter
fc53a4d06e gpgscm: Fix string.
* tests/gpgscm/scheme.c (type_to_string): Fix string.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-17 13:24:54 +01:00
Werner Koch
bd91f92ace
dirmngr: Auto-sownload the swdb.lst
* dirmngr/dirmngr.h (struct opt): Add field allow_version_check.
* dirmngr/dirmngr.c (oAllowVersionCheck): New.
(opts): Add --allow-version-check.
(network_activity_seen): New variable.
(parse_rereadable_options): Set opt.allow_version_check.
(main) <aGPGConfList>: Do not anymore set the no change flag for
Windows.  Add allow-version-check.
(netactivity_action): Set network_activity_seen.
(housekeeping_thread): Call dirmngr_load_swdb.
* tools/gpgconf-comp.c (gc_options_dirmngr): Add allow-version-check.
Make "use-tor" available at Basic level.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-17 10:14:14 +01:00
Werner Koch
c45ca316a5
dirmngr: Improve downloading of swdb.lst.
* dirmngr/loadswdb.c (time_of_saved_swdb): Aslo return the "verified"
timestamp.
(dirmngr_load_swdb): Avoid unnecessary disk or network access witout
FORCE.  Do not update swdb.lst if it did not change.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-17 10:08:20 +01:00
Werner Koch
d8da5bc50b
gpgconf: Change the displayed names of the components.
Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-17 10:07:59 +01:00
Werner Koch
52c10a280a
dirmngr: Add command to only load the swdb.
* dirmngr/loadswdb.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add that file.
* dirmngr/server.c: Remove includes cpparray.h and exectool.h.
(cmd_loadswdb): New.
(parse_version_number,parse_version_string): Remove.
(my_mktmpdir, cmp_version): Remove.
(fetch_into_tmpdir): Remove.
(struct verify_swdb_parm_s): Remove.
(verify_swdb_status_cb): Remove.
(cmd_versioncheck): Remove.
(register_commands): Register LOADSWDB.  Remove VERSIONCHECK.
--

This change is required to to the new design where gpgconf does the
version check w/o network access and only dirmngr is responsible for
getting the swdb.

In the next installment the loading will be triggered as needed.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-16 21:22:39 +01:00
Werner Koch
4839e6d002
scd,dirmngr: Keep the standard fds when daemonizing.
* dirmngr/dirmngr.c (main): Before calling setsid do not close the
standard fds but connect them to /dev/null.
* scd/scdaemon.c (main): Ditto.  Noet that the old test for a log
stream was even reverted.

--

Note that this was fixed for gpg-agent 10 years ago on 2006-11-09.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-16 21:17:47 +01:00
Werner Koch
c4506a3f15
common: Rename keybox_file_rename to gnupg_rename_file.
* kbx/keybox-util.c (keybox_file_rename): Rename to ...
* common/sysutils.c (gnupg_rename_file): this.  Change all callers.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-16 17:43:59 +01:00
Werner Koch
c564790df7
wks: Always build gpg-wks-client.
* tools/Makefile.am (gpg_wks_client): Remove macro.
(libexec_PROGRAMS): Add gpg-wks-client.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-16 12:48:27 +01:00
Werner Koch
43bfaf2c54
gpg: New option --override-session-key-fd.
* g10/gpg.c (oOverrideSessionKeyFD): New.
(opts): Add option --override-session-key-fd.
(main): Handle that option.
(read_sessionkey_from_fd): New.
--

The override-session-key feature was designed to mitigate the effect
of the British RIP act by allowing to keep the private key private and
hand out only a session key.  For that use case the leaking of the
session key would not be a problem.  However there are other use
cases, for example fast re-decryption after an initial decryption,
which would benefit from concealing the session key from other users.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-16 09:03:03 +01:00
Werner Koch
500e594c2d
gpgv: New option --enable-special-filenames.
* g10/gpgv.c (oEnableSpecialFilenames): New.
(opts): Add option --enable-special-filenames.
(main): Implement that option.
--

This is the same option we have in gpg.  It allows to use commands
like

 gpgv --enable-special-filenames -- '-&3' - <msg 3<msg.sig

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 20:11:59 +01:00
Werner Koch
b47603a0ac
gpg: Add new compliance mode "de-vs".
* g10/options.h (CO_DE_VS): New.
(GNUPG): Also allow CO_DE_VS.
* g10/gpg.c (oDE_VS): New.
(parse_compliance_option): Add "de-vs".
(set_compliance_option): Set "de-vs".
* g10/misc.c (compliance_option_string): Return a description string.
(compliance_failure): Ditto.
* g10/keygen.c (ask_algo): Take care of CO_DE_VS.
(get_keysize_range): Ditto.
(ask_curve): Add new field to CURVES and trun flags into bit flags.
Allow only Brainpool curves in CO_DE_VS mode.
--

As of now this compliance mode only restricts the set of algorithms
and curves which can be created.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 17:50:03 +01:00
Werner Koch
4bd12b571e
doc: Add comment to make clear that KBNODE is deprecated.
--

kbnode_t has replaced KBNODE for new code years ago, but that should
be documented.  No bulk changes please to keep git blame easy to read.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 16:29:08 +01:00
Werner Koch
8ea3b4c410
gpg: Use usual free semantics for packet structure free functions.
* g10/free-packet.c (free_attributes): Turn function into a nop for a
NULL arg.
(free_user_id): Ditto.
(free_compressed): Ditto.
(free_encrypted): Ditto.
(free_plaintext): Ditto.
(release_public_key_parts): Avoid extra check for NULL.
* g10/getkey.c (get_best_pubkey_byname): Ditto.
--

This change avoid surprises because it is common that function named
like free and taking a pointer also have similar semantics.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 16:24:09 +01:00
Justus Winter
12834e84ac g10: Optimize key iteration.
* g10/getkey.c (get_best_pubkey_byname): Use the node returned by
'getkey_next' instead of doing another lookup.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-15 15:38:09 +01:00
Justus Winter
d20107f6da g10: Fix memory leak.
* g10/getkey.c (finish_lookup): Clarify that we do not return a
reference.
(lookup): Clarify the relation between RET_KEYBLOCK and RET_FOUND_KEY.
Check arguments.  Actually release the node if it is not returned.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-15 15:38:09 +01:00
Justus Winter
1d03cc77e1 g10: Fix iteration over getkey results.
* g10/getkey.c (getkey_next): Fix invocation of 'lookup'.  If we want
to use RET_FOUND_KEY, RET_KEYBLOCK must be valid.

Fixes-commit: 8ea72a776a88f3c851e812d258355be80caa1bc1
Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-15 15:38:09 +01:00
Justus Winter
bd60742925 g10: Fix use-after-free.
* g10/getkey.c (pubkey_cmp): Make a copy of the user id.
(get_best_pubkey_byname): Free the user ids.

Signed-off-by: Justus Winter <justus@g10code.com>
2016-11-15 15:38:09 +01:00
Werner Koch
26c7c1d72c
sm: New stub option --compliance.
* sm/gpgsm.c (oCompliance): New.
(opts): Add "--compliance".
(main): Implement as stub.

Signed-off-by: Werner Koch <wk@gnupg.org>
2016-11-15 13:13:36 +01:00