1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-10 21:38:50 +01:00
Commit Graph

9913 Commits

Author SHA1 Message Date
NIIBE Yutaka
2c1aaed621
build: Update m4 files.
* m4/ksba.m4: Update from libksba master.
* m4/libassuan.m4: Update from libassuan master.
* m4/libgcrypt.m4: Update from libgcrypt master.
* m4/npth.m4: Update from npth master.
* m4/ntbtls.m4: Update from npth master.

--

GnuPG-bug-id: 5034
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-11-02 10:21:27 +09:00
Werner Koch
4583f4fe2e
gpg: Merge --rfc4880bis features into --gnupg
* g10/gpg.c (oRFC4880bis): Remove.
(opts): Make --rfc4880bis a Noop.
(compliance_options): Make rfc4880bis to gnupg.
(set_compliance_option): Remove rfc4880bis stuff.
(main): Ditto.  Note that this now activates the --mimemode option.
* g10/keygen.c (keygen_set_std_prefs): Remove rfc4880bis protection.
(keygen_upd_std_prefs): Always announce support for v5 keys.
(read_parameter_file): Activate the v4 and v5 keywords.
--
2022-10-31 16:14:18 +01:00
Werner Koch
5a2cef801d
gpg: Allow only OCB for AEAD encryption.
* g10/gpg.c (opts): New option--force-ocb as alias for force-aead.
Turn --aead-algo and --personal-aead-preferences into dummy options.
(build_list_md_test_algo, build_list_aead_algo_name): Remove.
(my_strusage): Remove output of AEAD algos.
(main): Remove code from the --aead options.
* g10/encrypt.c (encrypt_seskey): Make file local.
(use_aead): Remove requirement for rfc4880bis.  Always return
AEAD_ALGO_OCB.
* g10/main.h (DEFAULT_AEAD_ALGO): Removed unused macro.
* g10/misc.c (default_aead_algo): Remove.
* g10/pkclist.c (select_aead_from_pklist): Return AEAD_ALGO_OCB or 0.
(select_algo_from_prefs): Remove personal AEAD algo setting.
* g10/keygen.c (keygen_set_std_prefs): Remove AEAD preference option
parsing.
* g10/options.h (opt): Remove def_aead_algo and personal_aead_prefs.
--

Due to the meanwhile expired patent on OCB there is no more reason for
using EAX.  Thus we forcefully use OCB if the AEAD feature flag is set
on a key.
2022-10-31 15:51:21 +01:00
Werner Koch
03f04dfb9a
gpg: New option --compatibility-flags
* g10/gpg.c (oCompatibilityFlags): New.
(opts): Add option.
(compatibility_flags): New list.
(main): Set flags and print help.
* g10/options.h (opt): Add field compatibility_flags.
--

No flags are yet defined but it is good to have the framework.
2022-10-31 15:01:24 +01:00
Werner Koch
b71a14238d
gpgsm: Also announce AES256-CBC in signatures.
* sm/sign.c (gpgsm_sign): Add new capability.
--

It might be better to have this.  No concrete bug report, though.
2022-10-28 15:24:17 +02:00
Werner Koch
0ef54e644f
gpg: Fix trusted introducer for user-ids with only the mbox.
* g10/trustdb.c (check_regexp): Kludge to match user-ids with only an
mbox.
--
(Also re-indented the function)
GnuPG-bug-id: 6238
2022-10-28 11:20:04 +02:00
Werner Koch
7aaedfb107
gpg: Import stray revocation certificates.
* g10/kbnode.c (new_kbnode2): New.
* g10/import.c (delete_inv_parts): New arg r_otherrevsigs to store
misplaced revocations.
(import_revoke_cert): Allow to pass an entire list.
(import_one): Import revocations found by delete_inv_parts.
--

It might be useful to distribute revocations of old keys along with
new keys.  This is in particicualrr useful for WKD stored keys.  This
patch allows to put unrelated standalone revocations into a key.  For
example they can simply appended to a keyblock.  Right now it is a bit
inaesthetic to see diagnostics about misplaced or bad revocation
signatures.
2022-10-28 09:30:49 +02:00
NIIBE Yutaka
ed6eb90192
agent: Automatically convert to extended key format by KEYATTR.
* agent/command.c (cmd_keyattr): Reject when disabled extended key
format.  Handle the case when key is in non-extended format.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-28 14:49:47 +09:00
Werner Koch
9c4691c73e
card: New commands "gpg" and "gpgsm".
* tools/gpg-card.c: Include exechelp.h
(cmd_gpg): New.
(enum cmdids): Add cmdGPG and cmdGPGSM.
(cmds): Add commands "gpg" and "gpgsm"
(dispatch_command, interactive_loop): Call them.
--

It is too cumbersome to leave the gpg-card shell just for running a
quick gpg or gpgsm command.  Thus we add these new commands.

Take care: As of now we don't have proper shell-quoting rules
implemented.  This will eventually be done.
2022-10-25 14:11:47 +02:00
Werner Koch
f3198f9d70
card: Also show fingerprints of known X.509 certificates
* tools/gpg-card.c (list_one_kinfo): Show fpr.
--

The fingerprint is actually more useful than the Subject-DN.
2022-10-25 11:57:23 +02:00
Werner Koch
8361e13ef2
scd:nks: Support non-ESIGN signing with the Signature Card v2
* scd/app-nks.c (do_sign): Handle ECC for NKS cards
2022-10-25 11:57:23 +02:00
Werner Koch
6bd0dd762c
gpgsm: Allow ECC encryption keys with just keyAgreement specified.
* sm/certlist.c (cert_usage_p): Allow keyAgreement for ECC.
* sm/fingerprint.c (gpgsm_is_ecc_key): New.
--

For ECC encryption keys keyAgreement is the keyUsage we want.
2022-10-25 11:57:23 +02:00
Werner Koch
50efcf2eb0
gpgsm: Use macro constants for cert_usage_p.
* sm/certlist.c (USE_MODE_): New.  Use them for easier reading.
2022-10-25 11:57:23 +02:00
NIIBE Yutaka
b9d05774f5
build: Update gpg-error.m4.
* m4/gpg-error.m4: Update from libgpg-error 1.46.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-24 12:11:47 +09:00
bobwxc
e4ac00960c
po: Update Simplified Chinese Translation.
--

Reviewed-by: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: bobwxc <bobwxc@yeah.net>
2022-10-24 10:39:00 +09:00
NIIBE Yutaka
de01fb8131
agent,common,dirmngr,tests,tools: Remove spawn PREEXEC argument.
* common/exechelp-posix.c (do_exec): Remove PREEXEC argument.
(gnupg_spawn_process): Likewise.
(gnupg_spawn_process_fd): Follow the change of do_exec.
(gnupg_spawn_process_detached): Likewise.
* common/exechelp-w32.c (gnupg_spawn_process): Remove PREEXEC.
* common/exechelp.h (gnupg_spawn_process): Remove PREEXEC.
* agent/genkey.c (do_check_passphrase_pattern): Follow the change.
* common/exectool.c (gnupg_exec_tool_stream): Likewise.
* dirmngr/ldap-wrapper.c (ldap_wrapper): Likewise.
* tests/gpgscm/ffi.c (do_spawn_process): Likewise.
* tools/gpgconf-comp.c (gc_component_check_options): Likewise.
(retrieve_options_from_program): Likewise.
* tools/gpgconf.c (show_versions_via_dirmngr): Likewise.
* tools/gpgtar-create.c (gpgtar_create): Likewise.
* tools/gpgtar-extract.c (gpgtar_extract): Likewise.
* tools/gpgtar-list.c (gpgtar_list): Likewise.

--

PREEXEC is not portable feature and it's not used.

GnuPG-bug-id: 6249
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-20 14:19:19 +09:00
NIIBE Yutaka
0f13ccd0e0
gpg: Move NETLIBS after GPG_ERROR_LIBS.
* g10/Makefile.am (LDADD): Remove NETLIBS.
(gpg_LDADD, gpgv_LDADD): Add NETLIBS after GPG_ERROR_LIBS.
((t_keydb_LDADD, t_keydb_get_keyblock_LDADD): Likewise.
(t_stutter_LDADD): Likewise.

--

Forward port 2.2 commit of:
	b26bb03ed9

GnuPG-bug-id: 6244
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-18 10:28:42 +09:00
NIIBE Yutaka
cf2d52cfc3
gpg: Use GCRY_KDF_ONESTEP_KDF with newer libgcrypt in future.
* g10/ecdh.c (derive_kek): Use GCRY_KDF_ONESTEP_KDF.

--

This change is not yet enabled.  We will be able to use the code when
we update NEED_LIBGCRYPT_VERSION to 1.11.0.  Before the update, gpg
compiled with libgcrypt 1.11.0 can't work with older libgcrypt
runtime.

GnuPG-bug-id: 5964
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-14 14:49:37 +09:00
NIIBE Yutaka
fe28e088a9
common,w32: Fix struct stat on Windows.
* common/sysutils.c [HAVE_W32_SYSTEM] (gnupg_stat): Select
appropriate structure.

--

GnuPG-bug-id: 5897
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-14 14:06:08 +09:00
NIIBE Yutaka
c51139f2bc
agent,w32: Support Win32-OpenSSH emulation by gpg-agent.
* agent/agent.h (start_command_handler_ssh_stream): New.
* agent/command-ssh.c (start_command_handler_ssh_stream): New.
* agent/gpg-agent.c (oWin32OpenSSHSupport): New.
(W32_DEFAILT_AGENT_PIPE_NAME): New.
(main): Add oWin32OpenSSHSupport support.
(win32_openssh_thread): New.
(handle_connections): Spawn win32_openssh_thread.
* configure.ac (NEED_GPGRT_VERSION): Require libgpg-error 1.46.

--

GnuPG-bug-id: 3883
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-14 13:52:54 +09:00
NIIBE Yutaka
5f1ce6cef5
common: Don't use FD2INT for POSIX-only code.
* common/iobuf.c [!HAVE_W32_SYSTEM] (iobuf_get_filelength): Use fp.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-14 13:48:09 +09:00
NIIBE Yutaka
7011286ce6
dirmngr: Fix build with no LDAP support.
* dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize.

--

GnuPG-bug-id: 6239
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-14 09:58:41 +09:00
Werner Koch
edf3b8aa53
Post release updates
--
2022-10-13 18:27:32 +02:00
Werner Koch
6f12f952da
Release 2.3.8 2022-10-13 17:53:29 +02:00
Werner Koch
0bb0450c4a
speedo: Fix location of gpg-wks-client
--
2022-10-13 17:53:27 +02:00
Werner Koch
219dce6b33
speedo: Fix for a libgpg-error-config regression.
--
2022-10-13 11:41:20 +02:00
Werner Koch
99f2bd250c
po: Auto update
--
2022-10-13 10:16:54 +02:00
Emir SARI
970b250d65
po: Update Turkish translation
--
2022-10-13 10:09:57 +02:00
Petr Pisar
8046fcac63
po: Update Czech translation.
--
2022-10-13 10:05:16 +02:00
Alexander Kulbartsch
55eef71dbe
wkd: gpg-wks-client --send checks if build with sendmail support
* tools/gpg-wks-client.c (main): Return GPG_ERR_NOT_IMPLEMENTED if
gnupg was build without sendmail support.  (NAME_OF_SENDMAIL=="")
2022-10-13 09:24:03 +02:00
Werner Koch
1383aa4750
agent: Introduce attribute "Remote-list" to KEYINFO.
* agent/command.c (do_one_keyinfo): Add arg list_mode.  Check
attribute Remote-list.
(cmd_keyinfo): Change semantics to return nothing in restricted list
mode.
2022-10-12 11:30:35 +02:00
Werner Koch
b0b4e24c4f
wkd: Implement --blacklist option for gpg-wks-client
* tools/gpg-wks-client.c (blacklist_array, blacklist_array_len): New.
(parse_arguments): Install blacklist.
(read_file): New.
(cmp_blacklist, add_blacklist, is_in_blacklist): New.
(mirror_one_key): Check list.
* tools/gpg-wks.h (opt): Remove field blacklist.
--

GnuPG-bug-id: 6224
2022-10-07 17:35:44 +02:00
Werner Koch
0a151548b6
wkd: Restrict gpg-wks-client --mirror to the given domains.
* tools/gpg-wks-client.c (domain_matches_mbox): New.
(mirror_one_key): Skip non-matching domains.
(command_mirror): Change args to allow for several domains.
--

Although dirmngr returns only the keys matching a certain domain,
those keys still may have user ids from other domains.  Now we publish
only the user-ids as specified on the command line.

GnuPG-bug-id: T6224
2022-10-07 15:59:53 +02:00
Werner Koch
4364283f75
wkd: Silence gpg-wks-client diagnostics from gpg.
* tools/gpg-wks-client.c (add_user_id): PAss --quiet to gpg unless we
are running in double verbose mode.
(decrypt_stream): Ditto
(encrypt_response): Ditto.
(mirror_one_keys_userid): Ditto.
* tools/wks-util.c (wks_get_key): Ditto.
(wks_list_key): Ditto.
(wks_filter_uid): Ditto.
2022-10-07 15:01:14 +02:00
Werner Koch
94d13f53a3
common: Protect against a theoretical integer overflow in tlv.c
* common/tlv.c (parse_ber_header): Protect agains integer overflow.
--

Although there is no concrete case where we use the (nhdr + length),
it is better to protect against this already here.
2022-10-07 14:20:53 +02:00
Werner Koch
64002ffdfc
po: Fix wrong LF in the German translation
--

Reported-by: mario.haustein@hrz.tu-chemnitz.de

Also fix one fuzzy and and a German Typo
2022-10-07 09:53:42 +02:00
NIIBE Yutaka
d68a803c47
gpg: Fix wrong use of FD2INT with iobuf_fdopen_nc.
* g10/decrypt.c (decrypt_message_fd): Use INPUT_FD directly.
* g10/encrypt.c (encrypt_crypt): Use FILEFD directly.

--

Before 8402815d, original code was with iobuf_open_fd_or_name, which
used gnupg_fd_t for the file descriptor (FD2INT was relevant at that
time).  After the change, because it's not gnupg_fd_t but int, use of
FD2INT is irrelevant.

Fixes-commit: 8402815d8e
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-07 11:16:55 +09:00
Werner Koch
7ccd489aa2
wkd: New command --mirror for gpg-wks-client.
* tools/gpg-wks-client.c (aMirror,oBlacklist,oNoAutostart): New.
(opts): Add ----mirror, --no-autostart, and --blacklist.
(parse_arguments): Parse new options.
(main): Parse common.conf.  Implement aMirror.
(mirror_one_key_parm): New.
(mirror_one_keys_userid, mirror_one_key): New.
(command_mirror): New.

* tools/gpg-wks.h (struct uidinfo_list_s): Add fields flags.
* tools/wks-util.c (wks_cmd_install_key): Factor some code out to ...
(wks_install_key_core): new.

* tools/call-dirmngr.c (wkd_dirmngr_ks_get): New.
--

This implements the basic LDAP to WKD mirroring.  The blacklist
option and domain restrictions are not yet fully implemented.

Take care: In OpenLDAP you may need to increase the paged result limit
by using a configuration like:

  dn: olcDatabase={1}mdb,cn=config
  changetype: modify
  replace: olcLimits
  olcLimits: dn.subtree="dc=example,dc=org" size.prtotal=unlimited

GnuPG-bug-id: 6224
2022-10-06 18:38:29 +02:00
Werner Koch
7a01e806ea
dirmngr: Support paged LDAP mode for KS_GET
* dirmngr/ks-engine-ldap.c (PAGE_SIZE): New.
(struct ks_engine_ldap_local_s): Add several new fields.
(ks_ldap_clear_state): Release them.
(search_and_parse): Factored out from ks_ldap_get and extended to
support the paged mode.
(ks_ldap_get):  Implement the pages mode for --first and --next.
* dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first
mode.
* dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS.
--

The paged mode allows to retrieve more items than the servers usually
limit (e.g. 1000 for an LDS).  This patch also allows to use --first
without a patter to retrieve all keyblocks (except for disabled and
revoked keys).

GnuPG-bug-id: 6224
2022-10-05 15:15:14 +02:00
Werner Koch
4de98d4468
dirmngr: New options --first and --next for KS_GET.
* dirmngr/server.c (cmd_ks_get): Add option --first and --next.
(start_command_handler): Free that new ldap state.
* dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New.
(ks_ldap_new_state, ks_ldap_clear_state): New.
(ks_ldap_free_state): New.
(return_one_keyblock): New.  Mostly factored out from ....
(ks_ldap_get): here.  Implement --first/--next feature.

* dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to
ks_get_flags.
* dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New.
(KS_GET_FLAG_FIRST): New.
(KS_GET_FLAG_NEXT): New.

* dirmngr/dirmngr.h (struct server_control_s): Add member
ks_get_state.
(struct ks_engine_ldap_local_s): New forward reference.
--

This feature allows to fetch keyblock by keyblock from an LDAP server.
This way tools can process and maybe filter each keyblock in a more
flexible way.  Here is an example where two keyblocks for one mail
address are returned:

  $ gpg-connect-agent --dirmngr
  > ks_get --ldap --first  <foo@example.org>
  [... First keyblock is returned ]
  OK
  > ks_get --next
  [ ... Next keyblock is returned ]
  OK
  > ks_get --next
  ERR 167772218 No data <Dirmngr>

GnuPG_bug_id: 6224
2022-10-04 12:44:29 +02:00
Werner Koch
3390951ffd
gpg: Show just keyserver and port with --send-keys.
* g10/call-dirmngr.c (ks_status_cb): Mangle the keyserver url
2022-09-30 16:40:31 +02:00
Werner Koch
11aa5a93a7
dirmngr: Minor fix for baseDN fallback.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data
behind the EOS.
(interrogate_ldap_dn): Stylistic change.
--

This also updates the my_ldap_connect description.

GnuPG-bug-id: 6047
2022-09-29 15:59:43 +02:00
Werner Koch
2e22184ba5
gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant.
* g10/encrypt.c (check_encryption_compliance): Check gcrypt compliance
before emitting an ENCRYPTION_COMPLIANCE_MODE status.
--

GnuPG-bug-id: 6221
Ported-from: 07c6743148
2022-09-29 15:16:35 +02:00
Werner Koch
46f9b0071f
gpg: Fix assertion failure due to errors in encrypt_filter.
* common/iobuf.c (iobuf_copy): Use log_assert.  Explicitly cast error
return value.
* g10/build-packet.c (do_plaintext): Check for iobuf_copy error.

* g10/encrypt.c (encrypt_filter): Immediately set header_okay.
--

The second fix avoids repeated error message about non-compliant keys.

Updates-commit: a51067a21f
Ported-from: aa0c942521
GnuPG-bug-id: 6174
2022-09-29 15:09:56 +02:00
Werner Koch
a51067a21f
gpg: Make --require-compliance work for -se
* g10/encrypt.c (encrypt_crypt, encrypt_filter): Factor common code
out to ...
(create_dek_with_warnings): new
(check_encryption_compliance): and new.

* g10/encrypt.c (encrypt_filter): Add the compliance check.
--

GnuPG-bug-id: 6174
Ported-from: f88cb12f8e
2022-09-29 15:03:26 +02:00
NIIBE Yutaka
530d709607
dirnmgr: Fix the function prototype.
* dirmngr/ldap-wrapper.c (ldap_wrapper_wait_connections): It's with
no arguments.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-29 09:53:13 +09:00
NIIBE Yutaka
4b2066afb4
dirmngr: Change interrogate_ldap_dn for better memory semantics.
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): Return BASEDN found,
memory allocated.
(my_ldap_connect): Follow the change, removing needless allocation.

--

GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-29 09:48:30 +09:00
Joey Berkovitz
3257385378
dirmngr: Interrogate LDAP server when base DN specified.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): interrogate LDAP
server when basedn specified.

--

GnuPG-bug-id: 6047
Signed-off-by: Joey Berkovitz <joeyberkovitz@gmail.com>
2022-09-29 09:33:21 +09:00
NIIBE Yutaka
03f3923337
Register DCO for Joey Berkovitz.
--
2022-09-29 09:27:47 +09:00
Werner Koch
536b5cd663
dirmngr: Fix lost flags during LDAP upload
* dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const.
Use strtokenize instead of strtok style parsing.
--

This fixes a problem with resulted in a General Error for the second
key to be uploaded in the same session.  But only if the colon format
to specify a keyserver with flags was used.
2022-09-28 15:43:48 +02:00