1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

8602 Commits

Author SHA1 Message Date
Werner Koch
b8df8321e1
scd: Add option --info to emit KEYPAIRINFO by readkey command.
* scd/command.c (do_readkey): Implement this.
* scd/app-help.c (app_help_get_keygrip_string_pk): Make HEXKEYGRIP
parm optional.  Add arg R_ALGOSTR.
--

This patch basically mimics what we do in 2.3.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-05-03 20:15:03 +02:00
NIIBE Yutaka
c2ba6bea4c
common: Fix gnupg_wait_processes, by skipping invalid PID.
* common/exechelp-posix.c (gnupg_wait_processes): Skip invalid PID.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit d82dae5d2229a30dbc78aadc4d544d30dac76a1c)
2021-05-03 19:05:14 +02:00
Werner Koch
bbf4bd3bfc
agent: Skip unknown unknown ssh curves seen on cards.
* agent/command-ssh.c (ssh_handler_request_identities): Skip unknown
curves.
--

For example when using my standard ed25519 token and testing cards
with only Brainpool support, the ssh-agent failed due to the unknown
curves seen on the card.  This patches fixes this by ignoring keys
with unknown curves.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 2d2391dfc25cfe160581b1bb4b4b8fc4764ac304)
2021-05-03 18:59:07 +02:00
Werner Koch
a456303ae3
gpgconf: Do not i18n an empty string to the PO files meta data.
* tools/gpgconf-comp.c (my_dgettext): Ignore empty strings.
--

GnuPG-bug-id: 5363
(cherry picked from commit 18d884f8411a0ca263a8aa588bb49eb0dae9ee19)
2021-04-29 19:56:42 +02:00
Werner Koch
26a024057d
gpg: No warning in quiet mode for S2K mode 0.
--
2021-04-29 19:51:39 +02:00
Werner Koch
f9198189e3
doc: Fix option name.
--
2021-04-29 19:50:58 +02:00
Werner Koch
8bc808a98f
w32: Silence a compiler warning in dirmngr.c
--

(cherry picked from commit 683ff00bb1454d82914b2bddbf316057221971c1)
2021-04-29 19:45:00 +02:00
Werner Koch
5eec40f3d8
scd: New option --pcsc-shared.
* scd/scdaemon.h (opt): Add field opcsc_shared.
* scd/scdaemon.c (opcscShared): New.
(opts): Add "--pcsc-shared".
(main): Set flag.
* scd/apdu.c (connect_pcsc_card): Use it.
(pcsc_get_status): Take flag in account.
* scd/app-openpgp.c (verify_chv2): Do not auto verify chv1 in shared
mode.
--

This option should in general not be used.  The patch tries to limit
bad effects but using shared mode is somewhat dangerous depending on
the other PC/SC users.

(cherry picked from commit 5732e7a8e97cebf8e850c472e644e2a9b040836f)
2021-04-29 19:43:23 +02:00
Werner Koch
96577e2e46
scd: Rewrite READKEY to allow for compressed points.
* scd/app-help.c (app_help_pubkey_from_cert): New.  Taken from 2.3.
* scd/command.c (cmd_readkey): Rewrite using new helper.
--

Actually the readkey functions needs to return the uncompressed points
but if there is no readkey function, like in app-p15.c, readcert is
used and here we need to extract and the key and uncompress the point.

Noet that the --advanced flag did not and still does not work if the
key is fetched via readcert.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 16:07:14 +02:00
Werner Koch
7637d39fe2
scd:p15: Update from current GnuPG 2.3
--

This reflects the state of
commit 1f846823b397d68eaa8a31422f78c99f8e9ff738
featuring these commits:

1f846823b scd:p15: Fix the name of a card.
cc5aa68b6 scd:p15: Fix last commit and improve D-TRUST detection.
21e3f750b scd:p15: Shorten the displayed s/n of RSCS cards
30f90fc85 scd:p15: Support attribute KEY-FPR.
ecb9265b8 scd:p15: Match private keys with certificates also by ...
e17d3f866 scd:p15: New flag APP_LEARN_FLAG_REREAD.
1c16878ef scd: Replace all assert macros by the log_assert macro.
7f9126363 scd:p15: Return labels for keys and certificates.
651c07a73 scd:p15: For CardOS make use of ISO7816_VERIFY_NOT_NEEDED.
de4d3c99a scd:p15: Return the creation time of the keys.
592f48011 scd:p15: Make RSA with SHA512 work with CardOS.
a494b29af scd:p15: Support ECDSA and ECDH for CardOS.
964363e78 scd:p15: Make $SIGNKEY et al determination more fault ...
85082a83c scd:p15: Allow to use an auth object label with cmd CHECKPIN.
ef29a960b scd:p15: New attribute CHV-LABEL.
bf1d7bc36 scd:p15: Implement CHV-STATUS attribute
0f191a070 scd:p15: Fix faulty removal of a test code change.
08b5ac492 scd:p15: Support special extended usage flags for OpenPGP ...
d51a5ca10 scd:p15: Read out the access flags.
cfdaf2bcc scd:p15: Get the label value of all objects for better diag...
33aaa37e5 scd:p15: Make it code work again for D-Trust cards.
488eaedc9 scd:p15: Extract extended usage flagsand act upon them.
0c080ed57 scd:p15: Read PuKDF and minor refactoring.
1e197c29e scd:p15: Make file selection more robust.
5bcbc8cee scd:p15: Factor the commonKeyAttributes parser out.
fb84674d6 scd:p15: Factor the commonObjectAttributes parser out.
fc287c055 scd:p15: First step towards real CardOS 5 support.
60499d989 scd:p15: Show the ATR as part of the TokenInfo diagnostics.
00037f499 scd:p15: Print the internal card type.
c7b9a4ee4 scd:p15: Improve support for some CardOS based cards.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 15:26:36 +02:00
Werner Koch
5b8593135f
common: Extend the openpgp_curve_to_oid function.
* common/openpgp-oid.c (openpgp_curve_to_oid): Add optional arg R_NBITS.
Change all callers.
--

In particular for ed25519 and cv25519 it is quite useful to have an
ability to get the required algorithm.

(cherry picked from commit 24095101a5069f15a9aea7512498ac436a76814a)
2021-04-29 12:57:00 +02:00
Werner Koch
f3c98b8cb5
common: New module to compute openpgp fingerprints
* common/openpgp-fpr.c: New.
* common/Makefile.am (common_sources): Add it.
--

This function is targeted to handle keys on smartcards.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 2f2bdd9c0894eb43f719da8b529b4c7a46f742a0)
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 12:37:04 +02:00
Werner Koch
c825117c5f
common: New function to uncompress an ECC public key.
* common/sexputil.c (ec2os): New.
(uncompress_ecc_q_in_canon_sexp): New.

* common/t-sexputil.c (fail2): new.
(test_ecc_uncompress): New.
(main): Run new test.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 935765b451aadc63fbba763a4a00f4efa0254436)
2021-04-29 12:31:14 +02:00
Werner Koch
473e649ea1
common: New function cmp_canon_sexp.
* common/sexputil.c (cmp_canon_sexp): New.
(cmp_canon_sexp_def_tcmp): New.
* common/t-sexputil.c (test_cmp_canon_sexp): Add a simple test.
--

To be used to fix
GnuPG-bug-id: 5061

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit b6ba6a79ce9336f1b53f16f3d1190dd009fb166e)
2021-04-29 12:25:46 +02:00
Werner Koch
0eed0ced9b
scd: New function send_keyinfo to assist in backporting.
* scd/command.c (send_keyinfo): New.
2021-04-29 12:18:48 +02:00
Werner Koch
3db99b8861
scd: Minor changes to assist in backporting from 2.3
* scd/command.c (send_status_direct): Return an error code.
* scd/app-common.h (APP_LEARN_FLAG_REREAD): New.
2021-04-29 11:43:46 +02:00
Werner Koch
72a7d45a23
scd: Extend an internal function to also return the algo.
* scd/app-help.c (app_help_get_keygrip_string_pk): Add optional arg
r_algo.  Change all callers.
(app_help_get_keygrip_string): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 10:52:43 +02:00
Werner Koch
91dd74f3d7
scd: New function for iso7816 PSO_CSV.
* scd/iso7816.c (iso7816_pso_csv): New.
2021-04-29 10:44:12 +02:00
Werner Koch
855d14d390
scd: Extend iso7816_select_path
* scd/iso7816.c (iso7816_select_path): Add arg top_fd.
* scd/app-nks.c (do_readkey): Adjust for this change
(select_ef_by_path: Ditto.

* common/tlv.h: Include membuf.h.
--

Including membuf.h is just for easier backporting.  In 2.3 it is
actually required in tlv.h but in 2.2 we right now only use it
indirect.
2021-04-29 10:38:29 +02:00
Werner Koch
3ce69d8387
scd: Add new status codes.
* scd/apdu.h (SW_SM_NOT_SUP, SW_CC_NOT_SUP, SW_FILE_STRUCT)
(SW_NO_CURRENT_EF): New.
* scd/apdu.c (apdu_strerror): Map them to strings.
* scd/iso7816.c (map_sw): ... and to gpg-error.
2021-04-29 10:14:53 +02:00
Werner Koch
ec9e8e0d6a
scd: Extend ISO binary and record reading functions.
* scd/iso7816.c (iso7816_read_binary_ext): Add optional arg r_sw and
change callers.
(iso7816_read_record): Factor all code out to ...
(iso7816_read_record_ext): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-29 10:03:12 +02:00
Werner Koch
1303b0ed84
gpg: Do not use self-sigs-only for LDAP keyserver imports.
* dirmngr/ks-engine-ldap.c (ks_ldap_get): Print a SOURCE status.
* g10/options.h (opts): New field expl_import_self_sigs_only.
* g10/import.c (parse_import_options): Set it.
* g10/keyserver.c (keyserver_get_chunk): Add special options for LDAP.
--

I can be assumed that configured LDAP servers are somehow curated and
not affected by rogue key signatures as the HKP servers are.  Thus we
can allow the import of key signature from LDAP keyservers by default.

GnuPG-bug-id: 5387
2021-04-13 14:50:05 +02:00
bobwxc
b0a7132856 po: Update Simplified Chinese Translation.
--

Signed-off-by: bobwxc <bobwxc@yeah.net>
2021-04-08 13:58:07 +09:00
NIIBE Yutaka
f8ae51977c scd: Fix CCID driver for SCM SPR332/SPR532.
* scd/ccid-driver.c (ccid_vendor_specific_pinpad_setup): New.
(ccid_vendor_specific_setup): Only send CLEAR_HALT.
(ccid_transceive_secure): Each time, use send_escape_cmd.

--

Cherry-pick master commit of:
	ab66c4357595b8a10ca25fd735f439fe795919b2

GnuPG-bug-id: 5297
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-04-08 13:45:38 +09:00
Werner Koch
18551c6dc2
gpg: Fix new pseudo option compliance_de_vs
* g10/gpg.c (gpgconf_list): Take opt.compliance also in account.
--

This makes it a one-stop check.
2021-04-06 09:30:24 +02:00
Werner Koch
8ef0f53cb0
common: Make the compliance check more robust.
* common/compliance.c (get_compliance_cache): New.
(gnupg_rng_is_compliant): Use per mode cache.
(gnupg_gcrypt_is_compliant): Ditto.
--

This addresses the problem tha the check might be called with
different compliance values and thus it should return the
corresponding cached result.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported from 2.3.  Added PGP6 support which was removed from 2.3.
2021-04-01 13:21:33 +02:00
Werner Koch
9feffc03f3
gpgconf: Return a new pseudo option compliance_de_vs.
* tools/gpgconf-comp.c (gc_options_gpg): Add "compliance_de_vs".
* g10/gpg.c (gpgconf_list): Return that pseudo option.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-04-01 13:19:10 +02:00
Werner Koch
a50093893c
gpgconf: Fix argv overflow if --homedir is used.
* tools/gpgconf-comp.c (gc_component_launch): Fix crash due to too
small array.
--

GnuPG-bug-id: 5366

Depending on the stack layout this could have led to zeroing out the
PID variable if --homedir was used and thus under Windows to a leaked
handle.  However, gpgconf is a short running process and thus no
really harm.

Co-authored-by: cbiedl@gnupg.com
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-03-26 14:53:39 +01:00
Werner Koch
87d7b7e075
gpg: New option --force-sign-key
* g10/gpg.c (oForceSignKey,opts): New option "--force-sign-key".
(main): Set it.
* g10/options.h (opt): New flag flags.force_sign_key.
* g10/keyedit.c (sign_uids): Use new flag.
--

GnuPG-bug-id: 4584
2021-03-11 11:32:00 +01:00
Werner Koch
f3e68e39da
sm: Do away with the locked flag in keydb.c
* sm/keydb.c (struct keydb_handle): Remove field locked.
(keydb_lock): Remove use of locked flag.
(lock_all): Ditto.
(unlock_all): Ditto.
(keydb_set_flags): Use dotlock_is_locked instead of the locked flag.
(keydb_insert_cert): Ditto.
(keydb_delete): Ditto.
(keydb_search): s/keydb_lock/lock_all/.
(keydb_set_cert_flags): Ditto.
(keydb_clear_some_cert_flags): Ditto.

* sm/keydb.c (maybe_create_keybox): s/access/gnupg_access/.
--

We already keep the lock state in the dotlock module so it does not
make sense to add and sync another one here.  Instead we use a new
dotlock function to test whether we are locked.
2021-03-02 19:16:28 +01:00
Werner Koch
67b82a9c60
common: New function dotlock_is_locked.
* common/dotlock.c (dotlock_is_locked): New.
(dotlock_take): Set locked flag also in disabled mode.  No more
warning if the lock has already been taken.
(dotlock_release): Clear locked flag also in disabled mode.  No more
warning if the lock has not been taken.
--

This allow to use dotlock_take and dotlock_release even if they have
already been called.  Before this changes this worked too but a
diagnostic was printed.
2021-03-02 19:11:53 +01:00
Werner Koch
677245ba0e
sm: Lock kbx files also before a search.
* sm/keydb.c (keydb_search): Lock files.
--

This is required for Windows to avoid update locks.  We use it also on
Unix so that the locking behaviour is more or less indentical.

GnuPG-bug-id: 4505
2021-03-02 19:03:00 +01:00
Werner Koch
2b9ae79ad8
sm: On Windows close the kbx files at several places.
* kbx/keybox-search.c (keybox_search_reset) [W32]: Always close.

* kbx/keybox-init.c (keybox_close_all_files): New.
* sm/keydb.c (keydb_close_all_files): New.
* sm/call-dirmngr.c (gpgsm_dirmngr_isvalid): Call new function.
(gpgsm_dirmngr_lookup): Ditto.
(gpgsm_dirmngr_run_command): Ditto.
--

We need to make sure that there are no open files on Windows.  Thus we
close them at several strategic locations.

GnuPG-bug-id: 4505
2021-03-02 19:01:07 +01:00
Werner Koch
c99f3599d8
sm: Remove unused function.
* sm/keydb.c (keydb_insert_cert): Remove.
* kbx/keybox-update.c (keybox_update_cert): Remove stub.
2021-03-02 13:49:55 +01:00
Nicolas Fella via Gnupg-devel
0441ed6e1c
gpg: Keep temp files when opening images via xdg-open
* g10/photoid.c (get_default_photo_command): Change parameter for
xdg-open.
--

xdg-open spawns the user's preferred image viewer and then exits.
Therefore we must not remove the temp file when it exits,
otherwise by the time the actual image viewer is started the file
doesn't exist any more.

Signed-off-by: Nicolas Fella <nicolas.fella@gmx.de>
2021-03-01 09:47:21 +01:00
Werner Koch
e5af401fc4
sm: Silence some other pkcs#12 import prattle
* sm/minip12.c (parse_bag_data): Print a regular log_info only in
verbose mode.
--
2021-03-01 09:46:59 +01:00
Werner Koch
b8998e5ee0
doc: Explain how Tor is detected.
--
2021-02-24 11:09:37 +01:00
Werner Koch
bcdbf0fcf3
sm: Silence some output on --quiet
* sm/encrypt.c (gpgsm_encrypt): Take care of --quiet.
* sm/gpgsm.c: Include minip12.h.
(set_debug): Call p12_set_verbosity.
* sm/import.c (parse_p12): Dump keygrip only in debug mode.
* sm/minip12.c (opt_verbose, p12_set_verbosity): New.
(parse_bag_encrypted_data): Print info messages only in verbose mode.
--

GnuPG-bug-id: 4757
2021-02-24 08:38:13 +01:00
Werner Koch
41979ed730
scd: Change parameters of readkey fucntion pointer.
* scd/app-common.h (APP_READKEY_FLAG_ADVANCED): New.
(struct app_ctx_s): Replace param advanced by flags in readkey.
Change all users.
2021-02-19 10:10:28 +01:00
Werner Koch
669786cf64
scd: Pass ctrl parameter to more app functions.
* scd/app-common.h (struct app_ctx_s): Add parameter ctrl to function
pointers for readkey, setattr, sign, auth, decipher, and check_pin.
--

This is a yet another patch to allow for easier backporting.
2021-02-19 09:56:44 +01:00
Werner Koch
f8588369bc
scd: Detect Yubikey and provide nicer display-s/n.
* scd/app-common.h (struct app_ctx_s): Rename unused field
card_version to cardversion.
* scd/app.c (app_new_register): Add code rom 2.3 to detect the Yubikey
and set cardversion.
(app_get_dispserialno): New.
* scd/app-openpgp.c (do_getattr): Use app_get_dispserialno.
2021-02-19 09:20:29 +01:00
Werner Koch
43b3ec5aee
scd: Change the apptype from a string to an enum.
* scd/app-common.h (cardtype_t): New.
(apptype_t): New.
(struct app_ctx_s): Change type of field apptype.  Add fields
appversion and cardtype.  Adjust all app-*.c for the new type.
* scd/app.c (supported_app_list): New.
(strapptype): New.
(apptype_from_name): New.
(app_dump_state): Use strapptype.
(app_write_learn_status): Ditto.
(app_getattr): Ditto.
(check_conflict): Use apptype_from_name and integer comparison.
* scd/app-openpgp.c: Replace app->card_version by app->appversion.
--

This is another patch to make backporting from 2.3 easier.
2021-02-19 09:17:06 +01:00
Werner Koch
6380126b31
scd: Add some compatibility code for easier backporting.
* scd/app-common.h (APP_WRITEKEY_FLAG_FORCE): New.
(APP_READKEY_FLAG_INFO): New.
(APP_LEARN_FLAG_KEYPAIRINFO): New.
(APP_LEARN_FLAG_MULTI): New.
(struct app_ctx_s): New forward declaration.
(struct app_ctx_s): Add members prep_reselect, reselect, and
with_keygrip.
(KEYGRIP_ACTION_SEND_DATA): New.
(KEYGRIP_ACTION_WRITE_STATUS): New.
(KEYGRIP_ACTION_LOOKUP): New.
(APP_CARD): New macro.
* scd/scdaemon.h: Include app-common.h and remove from all other
files.
(app_t): Move typedef to ...
* scd/app-common.h: here.
--

These changes will make it easier to backport changes from 2.3 to 2.2.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-02-19 08:30:36 +01:00
Werner Koch
55f46b33df
dirmngr: Support new gpgNtds parameter in LDAP keyserver URLs.
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Support a new gpgNtds
extension.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Do ldap_init always with
hostname - which is NULL and thus the same if not given.  Fix minor
error in error code handling.
--

Note that "gpgNtds" is per RFC-4512 case insensitive and has not yet
been officially regisetered.  Thus for correctness the OID can be
used:

  1.3.6.1.4.1.11591.2.5          LDAP URL extensions
  1.3.6.1.4.1.11591.2.5.1          gpgNtds=1 (auth. with current user)

Note that the value must be 1; all other values won't enable AD
authentication and are resevered for future use.
2021-02-17 17:31:36 +01:00
Werner Koch
cdc828f690
dirmngr: Rewrite a weird function by straighter code.
* dirmngr/ldap-parse-uri.c (ldap_uri_p): Use ascii-memcasecmp.
--

Note that the first test on ldaps or ldaps in the original code did
not worked at all so that the Mixed Case part took over there.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-02-17 16:15:59 +01:00
Werner Koch
3c7b1f3f5f
common: Fix compiler warning
--
2021-02-17 15:28:05 +01:00
Werner Koch
db687d15e6
doc: Remove man page for symcryptrun.
--

The tool has no more configure option to build it and thus the man
page does not make sense.  We keep the actual file for reference,
though.

GnuPG-bug-id: 5290
2021-02-09 18:28:09 +01:00
bobwxc
4ca8ca5f7f po: Update Simplified Chinese Translation.
--

Signed-off-by: bobwxc <bobwxc@yeah.net>
2021-02-09 11:12:25 +09:00
Werner Koch
6e258babe7
Include the library version in the compliance checks.
* common/compliance.c (gnupg_gcrypt_is_compliant): New.
(gnupg_rng_is_compliant): Also check library version.
* g10/mainproc.c (proc_encrypted): Use new function.
(check_sig_and_print): Ditto.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* sm/verify.c (gpgsm_verify): Ditto
--

This will eventually allow us to declare Libgcrypt 1.9 to be de-vs
compliant.  GnuPG can use this information then for its own checks.
As of now GnuPG tests the version of the used library but that is a
bit cumbersome to maintain.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 90c514868ff5fcf6d39490d4874ac3a31ba9e85f)
2021-01-28 16:01:53 +01:00
Werner Koch
9037be5f40
gpg: Fix ugly error message for an unknown symkey algorithm.
* g10/mainproc.c (proc_symkey_enc): Do not continue with an unknown
algorithm.
--

Trying to encrypt data created with

 printf "\x8c\x49\x05\x0e\x0a\x03\x01"

fails in version 2.2.19 with

 gpg: packet(3) with unknown version 5

but with later versions with

  gpg: encrypted with unknown algorithm 14
  gpg: Ohhhh jeeee: ... this is a bug \
       ([...]/passphrase.c:433:passphrase_to_dek)

so we better catch this case earlier.

Reported-by: Tavis Ormandy
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-27 11:45:33 +01:00