1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

8855 Commits

Author SHA1 Message Date
NIIBE Yutaka
cd29ab0435
gpg: Fix double-free in gpg --card-edit.
* g10/card-util.c (change_name): Don't free ISONAME here.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-11-30 08:56:05 +09:00
Werner Koch
2302e180c0
gpg: use iobuf_read for higher detached signing speed
* g10/sign.c (sign_file): Use iobuf_read instead of iobuf_get for
reading data from detached file.
--

This patch reduces iobuf_read per byte processing overhead and speeds
up detached signing.

Detached signing speed on AMD Ryzen 5800X (4.3GiB file, SHA256):

         gpg process
         user time
 before: 3.951s
 after:  1.898s (2.0x faster)

GnuPG-bug-id: T5826
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>

Backported-from-master: f8943ce098f6f193da791faf43fff823568697d9

Numbers above are given for the version in master but should be
similar for here (2.2).
2022-11-29 11:58:11 +01:00
Jussi Kivilinna
15b8d100c9
g10/plaintext: do_hash: use iobuf_read for higher performance
* g10/plaintext.c (do_hash): Use iobuf_read instead of iobuf_get for
reading data; Use gcry_md_write instead of gcry_md_putc for hash data.
--

This patch reduces iobuf_read per byte processing overhead and speeds
up detached signature verifying.

Detached verifying speed on AMD Ryzen 5800X (4.3GiB file, SHA256):

         gpg process
         user time
 before: 9.410s
 after:  1.913s (4.9x faster)

GnuPG-bug-id: T5826
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
(cherry picked from commit 4e27b9defc608f1fa31ca50f1ed1d5761b73b480)
2022-11-29 11:48:55 +01:00
Werner Koch
11f3232716
gpg: Make --require-compliance work with out --status-fd
* g10/mainproc.c (proc_encrypted): Set complaince_de_vs also if
require-compliance is set.
--

Without this fix require-compliance would fail if no --status-fd was
used.
2022-11-28 08:22:51 +01:00
Werner Koch
791c162c70
Update NEWS for 2.2.41
--
2022-11-25 14:00:39 +01:00
NIIBE Yutaka
ff266aef29
w32: Fix for make check.
* tests/gpgsm/Makefile.am: Add $(EXEEXT).

--

Fixes-commit: a27e6505daabd7ea1405244d128ad3c2ef5bb6f6
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-11-25 13:59:22 +01:00
NIIBE Yutaka
8b1061a5de
tests: Fix to support --enable-all-tests and variants.
* tests/gpgscm/tests.scm (test::scm): Add VARIANT argument.
(tests::new): Likewise.
(open-log-file, report): Support VARIANT.
* tests/gpgme/all-tests.scm (setup-c, setup-py): Follow the change.
* tests/gpgsm/all-tests.scm (setup): Likewise.
* tests/gpgsm/run-tests.scm: Likewise.
* tests/migrations/all-tests.scm: Likewise.
* tests/migrations/run-tests.scm: Likewise.
* tests/openpgp/all-tests.scm: Likewise.
* tests/openpgp/run-tests.scm: Likewise.

--

Fixes-commit: 1c88104a3f00f7ca3790fbaab8f67b2b68cd6e18
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-11-25 13:59:21 +01:00
NIIBE Yutaka
ddfc90e524
tests:w32: Fix for non-dot file name for Windows.
* tests/migrations/from-classic.scm (assert-migrated): Handle the case
on Windows.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-11-25 13:59:19 +01:00
NIIBE Yutaka
4ea7f03c10
tests:gpgscm:w32: Fix for GetTempPath.
* tests/gpgscm/ffi.c (do_get_temp_path): Remove the last backslash.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-11-25 13:59:17 +01:00
NIIBE Yutaka
44cbe6fbc0
tests: Keep .log files in objdir.
* tests/gpgscm/tests.scm (open-log-file): Keep the log file in objdir.

--

Before the change, it is at ephemeral temp directory which is removed.
This is not useful at all.  Possibly, it was done before the introduce
of ephemeral temp directory for each test and not changed.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-11-25 13:59:16 +01:00
NIIBE Yutaka
b94fe0e007
tests: Use 233 for invalid value of FD.
* tests/openpgp/issue2941.scm: Use 233.

--

On Windows machine (emulated by Wine), 23 may be valid value for
handle.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-11-25 13:59:15 +01:00
NIIBE Yutaka
1e62c4b7c2
w32: Exclude tests with HOME.
* common/t-session-env.c [HAVE_W32_SYSTEM] (test_all): HOME is not
defined, so, exclude the tests.

--

Backport master commit of:
	b47a23f5fac551727d24f65765e21485ed2bb02c

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-11-25 13:59:13 +01:00
NIIBE Yutaka
b13c0b595e
w32: Fix for make check.
* common/Makefile.am (module_tests): Exclude t-exechelp and
t-exectool.
* common/t-stringhelp.c (mygetcwd): Convert '\' to '/'.
* tests/gpgme/Makefile.am: Add $(EXEEXT).
* tests/migrations/Makefile.am: Likewise.
* tests/openpgp/Makefile.am: Likewise.

--

Backport master commit of:
	39d478f5ba5d74cdd1d2e40311ff120c932bac37

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-11-25 13:59:10 +01:00
Werner Koch
2e18c371d2
scd: Redact --debug cardio output of a VERIFY APDU.
* scd/apdu.c (pcsc_send_apdu) [DBG_CARD_IO]: Detect and redact a
VERIFY.
(send_apdu_ccid): Ditto.
--

This should handle the most common case.
GnuPG-bug-id: 5085
2022-11-25 13:58:22 +01:00
Werner Koch
ce50dea7cf
gpg: Add a notation to encryption subkeys in de-vs mode.
* g10/keygen.c (struct opaque_data_usage_and_pk): Add cpl_notation.
(do_add_notation): New.
(keygen_add_key_flags_and_expire): Set cpl@gnupg.org notation if
requested.
(write_keybinding): Request notation for subkeys in de-vs mode.
--

GnuPG-bug-id: 6279
2022-11-25 13:58:14 +01:00
Werner Koch
84aba39491
scd:nks: Fix ECC signing if key not given by keygrip.
* scd/app-nks.c (keygripstr_from_pk_file): Set r_algo if not in cache.
2022-11-25 13:56:47 +01:00
Werner Koch
6ba5b6b854
agent: Allow trustlist on Windows in Unicode homedirs.
* agent/trustlist.c (agent_marktrusted): Use gnupg_access.
2022-11-25 13:56:27 +01:00
Werner Koch
c1f5fcff42
gpg: Fix trusted introducer for user-ids with only the mbox.
* g10/trustdb.c (check_regexp): Kludge to match user-ids with only an
mbox.
--
(Also re-indented the function)
GnuPG-bug-id: 6238
2022-11-25 13:56:24 +01:00
Werner Koch
290f458ad6
gpg: Import stray revocation certificates.
* g10/kbnode.c (new_kbnode2): New.
* g10/import.c (delete_inv_parts): New arg r_otherrevsigs to store
misplaced revocations.
(import_revoke_cert): Allow to pass an entire list.
(import_one): Import revocations found by delete_inv_parts.
--

It might be useful to distribute revocations of old keys along with
new keys.  This is in particicualrr useful for WKD stored keys.  This
patch allows to put unrelated standalone revocations into a key.  For
example they can simply appended to a keyblock.  Right now it is a bit
inaesthetic to see diagnostics about misplaced or bad revocation
signatures.

Backported-from-master: 7aaedfb10767c74f3e6868dd1563cbbf1282ab2f
2022-11-25 13:56:22 +01:00
Werner Koch
af1d4ff2ea
gpg: Make --list-packets work w/o --no-armor for plain OCB packets.
* g10/armor.c (is_armored): Add PKT_ENCRYPTED_AEAD.
--

With this fix it is now possible to feed a vanilla packet of type 20
without first forcing gpg to assume binary mode.
2022-11-25 13:56:15 +01:00
Werner Koch
865386c0cf
gpg: New option --compatibility-flags
* g10/gpg.c (oCompatibilityFlags): New.
(opts): Add option.
(compatibility_flags): New list.
(main): Set flags and print help.
* g10/options.h (opt): Add field compatibility_flags.
--

No flags are yet defined but it is good to have the framework.
2022-11-25 13:56:01 +01:00
Werner Koch
adbe5a35a5
scd:nks: Support non-ESIGN signing with the Signature Card v2
* scd/app-nks.c (do_sign): Handle ECC for NKS cards
--

Backported-from-master: 959c627892121ce9707bfa36f2510216b4f6f247
GnuPG-bug-id: 6252
2022-11-25 13:55:16 +01:00
Werner Koch
19791a1d4c
scd: Use app_get_slot at more places.
--

This is helpful for backporting other changes.
2022-11-25 13:55:13 +01:00
Werner Koch
ea222a0d9c
scd: Use APP_LEARN_FLAG_KEYPAIRINFO with more apps.
* scd/app-nks.c (do_learn_status_core): Use new flag.
* scd/app-sc-hsm.c (do_learn_status): Ditto.
--

The flag was already backported to some apps but not to these.
2022-11-25 13:55:12 +01:00
Werner Koch
12273efdf4
doc: Make uploading of 2.2 manuals easier
--
2022-11-25 13:55:10 +01:00
NIIBE Yutaka
44dc253c4c
build: Update gpg-error.m4.
* m4/gpg-error.m4: Update from libgpg-error 1.46.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-11-25 13:55:00 +01:00
Werner Koch
1e69676981
scd:nks: Don't flag the ESIGN keypair EF as encryption capable.
* scd/app-nks.c (filelist): Tweak 0x4531.
--

Actually the certificate has no encryption usage but we should also
tell that via KEYINFO so that this key is never tried to create an
encryption certificate.

(cherry picked from commit 3a2fb1c30633373d17880469e0b84ab2a9524585)
2022-10-20 12:22:08 +02:00
Werner Koch
f24904ee35
scd:nks: Some code cleanup.
* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
(parse_keyref): new.
(do_readcert): Use new function instead of partly duplicated code.
Make detection of keygrip more robust.
(do_readkey): Make detection of keygrip more robust.
(do_with_keygrip): Use get_nks_tag.
--

Also added a couple of comments.

(cherry picked from commit b92b3206e72b635fd815eaf85e7acc67c2a52ffe)
2022-10-20 12:22:08 +02:00
Werner Koch
5cd25f4ca4
scd:nks: Support the Telesec ESIGN application.
* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
(readcert_from_ef): Considere an all zero certificate as not found.
(do_sign): Support ECC and the ESIGN application.
--

This allows me to create qualified signatures using my Telesec card.
There is of course more work to do but this is the first step.

Note: The design of the FID cache needs to be reconsidered.  Until
that the lookup here has been disabled.  The do_sign code should be
revamped to be similar to what we do in app-p15.

GnuPG-bug-id: 5219, 4938, 6252
Backported-from-master: 07eaf006c2763a6b40d2734b1c6704da466e0ed0
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
b199582789
scd:nks: Return USAGE information for KEYINFO command.
* scd/app-nks.c (set_usage_string): New.
(do_learn_status_core, do_readkey): Use set_usage_string.
(do_with_keygrip): Add USAGE to call send_keyinfo,
using set_usage_string.
* scd/command.c (send_keyinfo): Add arg usage.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 5264d3f58e8a8362900c3518bdd683ff9a23cccc
GnuPG-bug-id: 6252

This backports only the NKS parts of the original patch

Signed-off-by: Werner Koch <wk@gnupg.org>
2022-10-20 12:22:08 +02:00
Werner Koch
77b008d1e7
scd:nks: Handle APP_READKEY_FLAG_INFO.
* scd/app-nks.c (keygripstr_from_pk_file): Fix ignored error.
(get_nks_tag): New.
(do_learn_status_core): Use it.  Make sure not to mange the
KEYPAIRINFO line if no usage is known.
(do_readkey): Output the KEYPAIRINFO for the keygrip case.
--

Note that this only handles the most common case of providing a
keygrip.  $AUTHKEYID and ODLM are not yet supported.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 63320ba2f8147ee86f4406c9590f6b28cad4771d)
2022-10-20 12:22:08 +02:00
Ingo Klöcker
8bccd95b38
scd:nks: Add support for signing plain SHA-2 digests.
* scd/app-nks.c (do_sign): Handle plain SHA-2 digests and verify
encoding of ASN.1 encoded hashes.
--

This makes it possible to create CSRs for NetKey card keys which are
signed with SHA256 by default.

GnuPG-bug-id: 5184
(cherry picked from commit 8fe976d5b9a0f2902868737dd502c749565222a6)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
3c1acb7b9f
scd:nks: Support READKEY with keygrip and for "NKS-IDLM" keyref.
* scd/app-nks.c (do_readkey): Allow KEYGRIP access.
Support NKS-IDLM.XXXX keyref.

--

GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 3b392630881350baabeba16fa760bad04be94d03)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
0979ae3491
scd:nks: Factor out pubkey retrieval from keygrip handling.
* scd/app-nks.c (pubkey_from_pk_file): New.
(keygripstr_from_pk_file): Use pubkey_from_pk_file.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit b7c087375d84c31ab8a645cd81e6b1e6185cb30d)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
1f2823e0be
scd:nks: Add support of KEYGRIP for do_readcert.
* scd/app-nks.c (do_readcert): Support KEYGRIP.

--

GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 4020cd9d656264bec5e7fb5e45c5e06eff8656c3)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
ea7234d2f5
scd:nks: Factor out iteration over filelist.
* scd/app-nks.c (iterate_over_filelist): New.
(do_with_keygrip): Use iterate_over_filelist.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 6c4365847666cefac73ccc743a99fac473da2186)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
c9eb4c0632
scd:nks: Fix caching keygrip (more).
* scd/app-nks.c (keygripstr_from_pk_file): Distinguish by APP_ID.

--

GnuPG-bug-id: 5150, 5161
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 87d2c579cc38c1d2787945650125fb0e0336652c
Fixes-commit: 00f594e3ecb26b010e87d5491b648369e7a92408
2022-10-20 12:22:08 +02:00
Werner Koch
cf5f6896f8
scd:nks: Minor additions to the basic IDLM application support.
* scd/app-nks.c (filelist): Use special value -1 for IDLM pubkeys.
(keygripstr_from_pk_file): Handle special value.
(do_readcert): Ditto.
(do_writecert): Ditto.
--

This allows to get information about the keys from the card.  However
the do_readkey still requires a fallback to readcert.  This does not
work because there are no certificates yet on the card.  The fix is to
fully implement do_readkey.

(cherry picked from commit 806547d9d243b26c2275fc00c645ee39d258b49b)
2022-10-20 12:22:08 +02:00
NIIBE Yutaka
f1bd7369a7
scd,nks: Fix caching keygrip.
* scd/app-nks.c (keygripstr_from_pk_file): Identify by cfid if
available.
--

GnuPG-bug-id: 5150, 6252
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 920154370834ad8d947aed19c9d914a27dde6baa:
2022-10-20 12:22:08 +02:00
Werner Koch
c1c3331cf9
scd:nks: Emit the algo string with KEYPAIRINFO
* scd/app-nks.c (do_learn_status_core): Emit the algo string as part
of a KEYPAIRINFO.
(struct fid_cache_s): Add field algostr.
(flush_fid_cache): Release it.
(keygripstr_from_pk_file): Fill it and add it to the cache.  Use a
single exit label.  Set algostr.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 26da47ae53d51e16ae6867cd419ddbf124a94933
Backported-from-master: 006944b856ee2202905290e8a2f5523a7877d444
GnuPG-bug-id: 6252, 5144

This has been backported to keep this, and only this, module in sync
with master. All other changes from the original patch have been
stripped.
2022-10-20 12:22:08 +02:00
Werner Koch
fe698586b5
scd:nks: Implement writecert for the Signature card v2.
* scd/iso7816.c (CMD_UPDATE_BINARY): New.
(iso7816_update_binary): New.
* scd/app-nks.c (do_deinit): Factor some code out to...
(flush_fid_cache): new.
(do_writecert): New.
(app_select_nks): Register new handler.
--

This has been backported only to make the following backpoorts easier.
The code is only used in 2.3; for details see the original commit
message.

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: c1663c690b29d2dea8bc782c42de5eca08a24cc9
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
c99870f790
scd:nks: Fix certificate read problem with TCOS signature card v2.
* scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN.
(do_readcert): Test for the app_id.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 07aef873ebc77241e9a2be225537319f6fc15a41
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
a974d8aefa
scd:nks: Fix remaining tries warning in --reset mode.
* scd/app-nks.c (do_change_pin): Change computation of 'remaining'.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 2429e8559844e27de478d7e90834a714b3748834
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
60ba61e78e
scd:nks: Add framework to support IDKey cards.
* scd/app-nks.c (NKS_APP_IDLM): New.
(struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
(do_learn_status): Always send CHV-STATUS.
(find_fid_by_keyref): Basic support for IDLM only use.
(do_learn_status_core): Ditto.
(do_readcert): Ditto.
(verify_pin): Ditto.
(parse_pwidstr): Ditto.
(do_with_keygrip): Ditto.
(switch_application): Ditto.
(app_select_nks): Fallback to IDLM.
--

Backported-from-master: 1f6a39092fe4b5f02bc4741a0a23d102d30f4063
GnuPG-bug-id: 6252

Also not directly required for the Signature Card 2.0, it is easier to
port this patch as well.
2022-10-20 12:22:07 +02:00
Werner Koch
a83281176c
scd:nks: Get the PIN prompts right for the Signature Card
* scd/app-nks.c (get_dispserialno): Move more to the top.
(do_getattr): Add $DISPSERIALNO and SERIALNO.  Make CHV-STATUS work
with NKS15.
(verify_pin): Use dedicated min. PIN lengths.
(parse_pwidstr): Support NKS15
--

GnuPG-bug-id: 4938
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit aecc008acb64ebbb6c667c4a128af4e61da57f84)
2022-10-20 12:22:07 +02:00
Werner Koch
bbef2d1790
scd:nks: Support decryption using ECDH.
* scd/app-nks.c (struct fid_cache_s): Add field 'algo'.
(keygripstr_from_pk_file): Add arg 'r_algo' to return the algo.
(find_fid_by_keyref): Ditto.
(get_dispserialno): New.
(make_prompt): New.
(verify_pin): Provide better prompts.
(do_decipher): Support ECDH.
(parse_pwidstr): Add hack tospecify any pwid..
(do_change_pin): Support Signature Card V2.0 (NKS15) style NullPIN.
Provide a better prompt.
--

GnuPG-bug-id: 4938, 6252
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: af45d884aa1c3eccbc6972a2e5197ece3fd1987a
2022-10-20 12:22:07 +02:00
Werner Koch
f5e0469d6e
scd:nks: Add do_with_keygrip and implement a cache.
* scd/app-nks.c (struct fid_cache_s): New.
(struct app_local_s): Add field 'fid_cache'.
(do_deinit): Release the cache.
(keygripstr_from_pk_file): Implement the cache.
(find_fid_by_keyref): New
(do_sign, do_decipher): Use new function.
(do_with_keygrip): New.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 1e72a1a218490c0fc07811a02ddad6cc38913f77
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
471e610fcd
scd:nks: Allow retrieving certificates from a Signature Card v.20
* scd/app-nks.c: Major rework to support non-RSA cards.
--

This is a fist step so support this ECC card.  The code has been
reworked while taking care that old cards should keep on working.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported-from-master: f05a32e5c9db7d0840c74fccc350a9e0ff5fb819
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
NIIBE Yutaka
256b3c0578
gpg: Move NETLIBS after GPG_ERROR_LIBS (another).
* g10/Makefile.am (t_keydb_LDADD): Add NETLIBS after GPG_ERROR_LIBS.

--

Fixes-commit: b26bb03ed96f380ad603f7ad902862625233c931
GnuPG-bug-id: 6244
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-18 10:24:54 +09:00
NIIBE Yutaka
a5c3821664
dirmngr: Fix build with no LDAP support.
* dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize.

--

Cherry-pick master commit of:
	7011286ce6e1fb56c2989fdafbd11b931c489faa

GnuPG-bug-id: 6239
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-18 10:16:11 +09:00