* configure.ac (NEED_NTBTLS_VERSION): Require at least 0.2.0 so that
we can remove a conditional compilation.
* dirmngr/http.c (struct proxy_info_s): New.
(release_proxy_info): New to keep proxy information in one object.
(send_request): Factor some code out to ...
(get_proxy_for_url): this,
(send_request_basic_checks): this,
(send_request_set_sni): this,
(run_ntbtls_handshake): this,
(run_gnutls_handshake): and this.
--
Note that this also removes some never used code. For example the
NTBTLS handshake has code taken from GNUTLS which was never used due
to the different ways on how the certificates are checked.
The proxy code has been factored out to make to prepare further
authentication methods. The proxy_info_t was introduced for the same
reason.
Tested against gnutls and ntbtls builds. No proxy tests yet done,
because we need more sophisticated tests anyway.
GnuPG-bug-id: 5768
Modelled after key_expires/key_expires_d.
This should be useful to detect upcoming certification expiry, so the
certifications can be renewed in advance of the expiry.
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
* dirmngr/server.c (cmd_keyserver): Ignore also hkps://none.
(ensure_keyserver): Better ignore also "none" with a hkp or hpks
scheme.
--
GnuPG-bug-id: 6708
* g10/trustdb.c (tdb_clear_ownertrusts): Detect stale validity
records.
--
GnuPG-bug-id: 6399
This problem was introduced by an actually very useful patch
2002-12-13 David Shaw <dshaw@jabberwocky.com>
[...]
* import.c (import_keys_internal): Used here so we don't rebuild
the trustdb if it is still clean.
(import_one, chk_self_sigs): Only mark trustdb dirty if the key
that is being imported has any sigs other than self-sigs.
Suggested by Adrian von Bidder.
[the last part]
The bug exhibited itself only after signing a key, deleting that key
and then re-importing the original non-signed key.
* dirmngr/ldap-misc.c (rfc4517toisotime): Correct index.
--
Obviously the parser assumes the standard ISO format with the 'T'
before the hour. That is not correct here. We need this parser for
the modifyTimestamp thingy.
* g10/keygen.c (parse_expire_string_with_ct): New function, optionally
supply the creation time.
(parse_expire_string): Use parse_expire_string_with_ct with no
creation time.
(proc_parameter_file): Use parse_expire_string_with_ct possibly with
the creation time.
--
Cherry-pick from master commit of:
b07b5144ff
GnuPG-bug-id: 5252
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* build-aux/speedo.mk (AUTHENTICODE_FILES): Add keyboxd.exe
--
This should prevent that keyboxd.exe is blocked on systems that
only allow signed executables.
* dirmngr/dirmngr.c (gpgrt_opt_t): Use string for oFakedSystemTime.
(oFakedSystemTime): Use similar conversion as gpgsm has.
* dirmngr/dirmngr.texi (faked-system-time): Document it.
--
For testing X509 certificates this is usually required and
then confusing that the example from the gpgsm man page
does not work for dirmngr.
* sm/minip12.c (struct bufferlist_s): New.
(struct tlv_ctx_s): Add bufferlist.
(tlv_register_buffer): New.
(tlv_release): Release bufferlist.
(tlv_expect_object): Handle octet string cramming.
(tlv_expect_octet_string): Ditto.
(cram_octet_string): Changed interface. We don't need the
input_consumed value anymore.
* sm/minip12.c (parse_shrouded_key_bag): Also parse the attribute set.
* sm/t-minip12.c (main): Add option --no-extra.
(cert_collect_cb, run_tests_from_file): Fix memory leak
* tests/cms/samplekeys/t5793-openssl.pfx: New from T5793.
* tests/cms/samplekeys/t5793-test.pfx: Ditto.
* tests/cms/samplekeys/Description-p12: Add them.
* tests/cms/Makefile.am (EXTRA_DIST): Add samplekeys.
--
This should finish the rewrite of the pkcsc#12 parser for now. More
fun is likely to come.
GnuPG-bug-id: 6536, 5793
* sm/minip12.c: Reworked most of the parser.
(p12_set_verbosity): Add arg debug and change all callers.
* sm/t-minip12.c: Major rewrite to run regression tests unattended.
* sm/Makefile.am (module_maint_tests): Move t-Minit to ...
(module_tests): here.
* tests/cms/samplekeys/Description-p12: New.
--
Note that cram_octet_string stuff has not yet been reworked. I need
to locate the sample files first.
GnuPG-bug-id: 6536
* tools/gpg-wks-client.c (opt): New option --no-add-revocs.
(main): Make --add-revocs the default.
(command_send): Rename to ...
(command_create): to match the command name.
* tools/wks-util.c (wks_get_key): Change from export-minimal to
export-clean
--
To properly work with tusted introducers et al. it is important to also
upload valid key signatures to the Web Key Directory.
* kbx/keybox-dump.c (_keybox_dump_find_dups): Close FP on the error
paths.
--
GnuPG-bug-id: 6495
Signed-off-by: zhangguangzhi <zhangguangzhi3@huawei.com>
* dirmngr/dirmngr.c (oIgnoreCRLExtension): New.
(opts): Add --ignore-crl-extension.
(parse_rereadable_options): Add to list/
* dirmngr/dirmngr.h (opt): Add ignored_crl_extensions.
* dirmngr/crlcache.c (crl_cache_insert): Implement option.
--
This option is is useful for debugging problems with new CRL
extensions. It is similar to --ignore-cert-extension.
GnuPG-bug-id: 6545
* sm/call-dirmngr.c (run_command_inq_cb): Support SENDCERT_SKI.
* dirmngr/crlcache.c (crl_cache_insert): Print the CRL name along with
the unknown OID nortice.
* dirmngr/http.h (struct http_redir_info_s): Add restrict_redir.
* dirmngr/ks-engine-hkp.c (send_request): Set it depending on flags.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/t-http-basic.c (test_http_prepare_redirect): Always set it.
* dirmngr/http.c (http_prepare_redirect): Remove location rewriting
unless the flag is set.
--
GnuPG-bug-id: 6477
* tools/gpgtar.c: Add option --no-compress.
* tools/gpgtar.h (opt): Add field no_compress.
* tools/gpgtar-create.c (gpgtar_create): Pass -z0 to gpg.
--
This option is probably easier to remember than --gpg-args '-z0'.
* sm/gpgsm.c (oInputSizeHint): New.
(opts): Add "--input-size-hint".
(main): Set option.
* sm/server.c (option_handler): Add option "input-size-hint".
* sm/gpgsm.h (struct server_control_s): Add field input_size_hint.
* sm/encrypt.c (gpgsm_encrypt): Set the toatl file size.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
* sm/sign.c (gpgsm_sign): Ditto.
* sm/verify.c (gpgsm_verify): Ditto.
--
This option allows to set a value for the progress output line. Note
that as of now there is no other way to set the file size.
GnuPG-bug-id: 6534
* common/iobuf.c (iobuf_get_filelength): Change return type to
uint64_t and remove the overflow args. For Windows always use
GetFileSizeEx which is available since the long EOL-ed Windows XP.
* g10/sign.c (write_plaintext_packet): Adjust for changed
iobuf_get_filelength.
* g10/encrypt.c (encrypt_simple, encrypt_crypt): Ditto.
* g10/photoid.c (generate_photo_id): Ditto. Also add an upper limit.
* g10/filter.h (progress_filter_context_t): Change amount values to
use uint64_t.
* g10/progress.c (write_status_progress): Change accordingly.
--
GnuPG-bug-id: 6534
