1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

10448 Commits

Author SHA1 Message Date
Werner Koch
b7f45ee6ad
gpg: Allow to create revocations even with non-compliant algos.
* g10/sign.c (do_sign): Skip compliance check for revocation certs.
--

It just does not make sense to inhibit the creation of revocations
depending on the compliance mode.  We do this only for key revocation
but not for another kind of revocation because the rationale for uid
or subkey revocation is more complicated to explain.
2024-01-10 17:18:34 +01:00
Werner Koch
275ced5067
scd:p15: Allow signing for CVISION cards
* scd/app-p15.c (do_sign): Add code for Starcos 3.2 and the CVISION
product.
--

The code for the Starcos cards has been implemented according to the
3.52 manual However, this does not work with my test cards.  Protocol
analysis shows that decryption can be used for the cryptovision
product.  Thus we do it the same for now.
2024-01-10 14:35:26 +01:00
Werner Koch
6233a17ac9
g13: New option --no-mount.
* g13/g13.c (oNoMount): New.
(opts): Add --no-mount.
(main): Implement this.
* g13/g13-common.h (opt): Add field no_mount.
* common/status.h (STATUS_PLAINDEV): New.
* g13/sh-cmd.c (has_option): Uncomment.
(cmd_mount): Add option --no-mount and pass down.
* g13/sh-dmcrypt.c (sh_dmcrypt_mount_container): Add arg nomount and
emit PLAINDEV status line.
(sh_dmcrypt_umount_container): Rund findmnt before umount.
--

This option can be used to decrypt a device but not to mount it.  For
example to run fsck first.  A command or option to run fsck before a
mount will eventually be added.

The use of findmnt is needed so that we can easily remove a device
which has not been mounted.
2024-01-09 19:52:04 +01:00
Werner Koch
4ca017e43b
gpg: Print a useful error id SKI algo 253 is found.
* g10/parse-packet.c (parse_key): Detect the SKI algo 253.
--

As long as we have not yet implemented this we should at least be
able to detect this case.
2024-01-09 17:25:48 +01:00
Werner Koch
880dde8e5b
scd:p15: Allow PIN verification and decryption for CVISION cards.
* scd/app-p15.c (CARD_PRODUCT_CVISION): New.
(IS_STARCOS_3): New.
(read_p15_info): Detect this product.
(prepare_verify_pin): Add special handling for this product.
(do_decipher): Use dedicated MSE for Starcos 3 cards.
--

To check the verification run

  gpg-card verify User_PIN

For our test cards the "Benutzer-PIN" must be given.  For decryption
tests gpgsm can be used; --always-trust helps to avoid chain issues.
2024-01-09 17:12:20 +01:00
Werner Koch
35fd89b168
gpgconf: Adjust -X command for the new VERSION file format
* tools/gpgconf.c (show_version_gnupg): Read and parse the entire
VERSION file.
--

GnuPG-bug-id: 6918
2024-01-09 12:52:57 +01:00
Werner Koch
45f6357881
common,w32: Remove duplicated backslashes when setting the homedir.
* common/homedir.c (copy_dir_with_fixup) [W32]: Fold double
backslashes.
--

This is in general no problem but when we hash or compare the directory
to test whether tit is the standard home directory, we may use a
different socket file and thus a second instance of a daemon.

GnuPG-bug-id: 6833
2024-01-09 10:13:54 +01:00
Werner Koch
2cb97713e9
gpg: Improve error return for --quick-add-subkey and -add-adsk.
* g10/keyedit.c (keyedit_quick_addkey): Emit a ERROR status line.
(keyedit_quick_addadsk): Ditto.
--

GnuPG-bug-id: 6880
2024-01-05 11:33:51 +01:00
Werner Koch
3f8cb9b339
scd: Add support for SCE 7.0
* scd/app-common.h (CARDTYPE_SCE7): New.
* scd/app.c (strcardtype): Support it.
(atr_to_cardtype): New.
(app_new_register): Try to get the cardtype from atr_to_cardtype.
* scd/app-piv.c (app_select_piv): Tweak for SCE7.  Add general method
to construct a S/N from the Card UUID.
--

The test cards I have are rsa2048 with X.509 certificates.  I don't
have the entire chain but loading the certificates work.  For testing
I created an OpenPGP key from the keys and tested signing and
decryption.

GnuPG-bug-id: 6919
2024-01-04 16:29:33 +01:00
Werner Koch
4c04143d81
gpg: Choose key from inserted card over a non-inserted card
* g10/call-agent.c (agent_probe_secret_key): Do not return an error
but 0.
* g10/getkey.c (finish_lookup): Improve the selection of secret keys.
--

GnuPG-bug-id: 6831
2024-01-02 10:19:57 +01:00
NIIBE Yutaka
591a53d716
gpg: Don't call keybox_compress when KEYDB_RESOURCE_FLAG_READONLY.
* g10/keydb.c (keydb_add_resource): Check the FLAGS to call
keybox_compress.

--

GnuPG-bug-id: 6811
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-29 10:57:26 +09:00
NIIBE Yutaka
6ddaf2be9f
common: Remove t-b64.c.
* common/Makefile.am (module_tests): Remove t-b64.
(t_b64_LDADD): Remove.
* common/t-b64.c: Remove.

--

GnuPG-bug-id: 6734
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-26 15:07:44 +09:00
NIIBE Yutaka
7cde533ce8
agent,kbx: Fix reliable_homedir_inotify (2/2).
* agent/gpg-agent.c (main): The value of reliable_homedir_inotify
doesn't not related to nodetach, and it's only zero in the specific
condition.
* kbx/keyboxd.c (handle_connections): Remove the last argument.
(main): Remove reliable_homedir_inotify, as it's always one.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-26 13:29:49 +09:00
NIIBE Yutaka
c44f0bc91e
agent,kbx: Fix reliable_homedir_inotify (1/2).
* agent/gpg-agent.c (reliable_homedir_inotify): Remove the global.
(handle_connections): Add reliable_homedir_inotify as an arg.
Don't call gnupg_inotify_watch_delete_self when it's not reliable.
(check_others_thread): No check of reliable_homedir_inotify repeatedly
in the loop.
* kbx/keyboxd.c (reliable_homedir_inotify): Remove the global.
(handle_connections): Add reliable_homedir_inotify as an arg.
(handle_tick): No check of reliable_homedir_inotify in the loop.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-26 13:29:40 +09:00
NIIBE Yutaka
2be53b214d
tools: Fix argparse table of gpgconf.
* tools/gpgconf.c (opts): Use ARGPARSE macros.

--

GnuPG-bug-id: 6902
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-25 10:09:41 +09:00
Werner Koch
2764ee309a
Merge branch 'STABLE-BRANCH-2-4'
--

Fixed conflicts in
        NEWS
	g10/encrypt.c
	sm/encrypt.c
	sm/sign.c
2023-12-22 13:45:02 +01:00
Werner Koch
431239b83d
doc: Explain why socket activation is a problem
--
2023-12-22 13:19:40 +01:00
Werner Koch
239c1fdc28
common: Add keyword socketdir to gpgconf.ctl
* common/homedir.c (enum wantdir_values): New enums.
(unix_rootdir): Change arg to use the enums.  Adjust all callers.  Add
support for the socketdir keyword.
(_gnupg_socketdir_internal): Take care of the socketdir keyword in
gpgconf.ctl.

* doc/tools.texi (Files used by gpgconf): Briefly explain the
gpgconf.ctl syntax.
2023-12-22 12:47:39 +01:00
NIIBE Yutaka
2376cdff13
scd:openpgp: Add the length check for new PIN.
* scd/app-openpgp.c (do_change_pin): Make sure new PIN length
is longer than MINLEN.

--

GnuPG-bug-id: 6843
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-22 13:32:40 +09:00
Werner Koch
853f36e596
Register DCO for Mario Haustein
--
2023-12-21 11:50:16 +01:00
NIIBE Yutaka
91255c3afd
tools: Remove the dotlock tool.
* tools/Makefile.am (libexec_PROGRAMS): Remove dotlock.
* tools/dotlock.c: Remove.

--

It's integrated into gpgconf (--lock/--unlock).

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-21 12:35:55 +09:00
Werner Koch
f2904737e5
scd:p15: Add a diagnostic for unsupported DTRUST4 features.
* scd/app-p15.c (do_sign): Add a diagnostic.
2023-12-20 16:52:47 +01:00
Mario Haustein via Gnupg-devel
0b85a9ac09
scd:p15: Add support for D-Trust Card 4.1/4.4
* scd/app-p15.c (CARD_PRODUCT_DTRUST4) New.
(app_select_p15): This cards uses a different AID for PKCS#15
application
(do_sign): The card doesn't support MSE SET, but requires MSE RESTORE to
a predefined template.
(do_decipher): Ditto.
2023-12-20 16:47:25 +01:00
Mario Haustein via Gnupg-devel
812f988059
scd:p15: Add support for CardOS 5.4
* scd/app-p15.c (CARD_TYPE_CARDOS_54): New.
2023-12-20 16:42:00 +01:00
Werner Koch
5d651fc8fd
doc: Explain what to put into mailcap for gpg-wks-client.
--
2023-12-20 15:30:37 +01:00
NIIBE Yutaka
4dd4e9d2f1
agent: Fix homedir check wrt --disable-check-own-socket option.
* agent/gpg-agent.c (handle_connections): Don't disable use of inotify
when it has the --disable-check-own-socket option.

--

Before the fix, it checks the homedir using the gnupg_stat function
when --disable-check-own-socket is enabled, without trying use of
inotify.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 16:13:49 +09:00
NIIBE Yutaka
93b5ba38dc
tools: Integrate the dotlock tool into gpgconf.
* tools/gpgconf.c (dotlock_tool): New.
(main): Add --lock and --unlock commands.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:06:03 +09:00
NIIBE Yutaka
1f04993cd0
common: Add dotlock util under libexec.
* tools/Makefile.am (libexec_PROGRAMS): Add dotlock.
* tools/dotlock.c: Finish the first implementation.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:50 +09:00
NIIBE Yutaka
b298322d36
common: Clean up the temporary file at dotlock_destroy.
* common/dotlock.c (dotlock_destroy): Clean up the temporary file
created when it fails.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:36 +09:00
NIIBE Yutaka
2f6fec3f48
common: Support not-removing the lockfile by dotlock_destroy.
* common/dotlock.c (dotlock_destroy): Keep the lock
when DOTLOCK_LOCK_BY_PARENT.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:22 +09:00
NIIBE Yutaka
5488ad0517
common: Fix a possible resource leak for dotlock.
* common/dotlock.c (dotlock_destroy_unix): Don't release ->TNAME here.
(dotlock_destroy): Release the memory unconditionally.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-20 11:05:12 +09:00
Werner Koch
8eff1d4c51
common: Improve the parsing of gpgconf.ctl variables.
* common/homedir.c (unix_rootdir): Simplify.
--

This also relaxes the syntax in that the equal sign may now be
surrounded by any number of spaces.
2023-12-19 10:04:49 +01:00
NIIBE Yutaka
6b4fd3a5da
common: Enhance dotlock, so that we can have a CLI util.
* common/dotlock.h (DOTLOCK_LOCK_BY_PARENT, DOTLOCK_LOCKED): New.
* common/dotlock.c [HAVE_POSIX_SYSTEM]: Include <dirent.h>.
(dotlock_get_process_id, dotlock_detect_tname): New.
(dotlock_create_unix): Handle the case when no_write option is
specified.  Not creating the lock file, but detect the the file of
tname.
(dotlock_create) [HAVE_POSIX_SYSTEM]: Add support of
DOTLOCK_LOCK_BY_PARENT and DOTLOCK_LOCKED for dotlock CLI util.
(dotlock_take_unix): Support the case of DOTLOCK_LOCK_BY_PARENT.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-19 15:59:41 +09:00
NIIBE Yutaka
1c5584c395
kbx: Create public-keys.d, after creating the homedir.
* kbx/keyboxd.c (create_directories): Following the behavior of
gpg-agent, call create_public_keys_directory after mkdir.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-19 15:56:13 +09:00
Werner Koch
bd8346f7ab
keyboxd: Pass lock info back to gpg and gpgsm.
* g10/call-keyboxd.c (keydb_default_status_cb): New.
(keydb_update_keyblock): Add new status callback.
(keydb_insert_keyblock): Ditto.
(keydb_delete_keyblock): Ditto.
(search_status_cb): Also try the new status callback.
* sm/keydb.c (keydb_default_status_cb): New.
(keydb_insert_cert): Add new status callback.
(keydb_delete): Ditto
(search_status_cb): Also try the new status callback.
--

GnuPG-bug-id: 6838
2023-12-18 16:23:19 +01:00
Werner Koch
c99282fc78
keyboxd: Timeout on failure to get the database lock.
* kbx/backend-sqlite.c (dblock_info_cb): New.
(create_or_open_database): Add arg ctrl.  Add a 10 second timeout.
Avoid warning on error if not locked.
(be_sqlite_add_resource): Do not open the database here.
(be_sqlite_search): ... but do it here.
--

Note that we need to delay the initalization to the first use of the
database so that we actually have a recipient for the status messages.

GnuPG-bug-id: 6838
2023-12-18 15:25:45 +01:00
Werner Koch
937aeb1904
common: Add an info callback to dotlock.
* common/dotlock.h (enum dotlock_reasons): New.
(DOTLOCK_PREPARE_CREATE): New flag.
* common/dotlock.c (struct dotlock_handle): Add info_cb and
info_cb_value.
(dotlock_create): Support the new flag.
(dotlock_finish_create): New.
(read_lockfile): Silence in case of ENOENT.
(dotlock_set_info_cb): New.  Use callback after all error and info
messages.
(dotlock_take_unix, dotlock_take_w32): Allow termination by callback.
2023-12-18 15:21:26 +01:00
NIIBE Yutaka
4e94b004a6
scd: Debug output is only enabled with an option.
* scd/command.c (pin_cb): Check if DBG_IPC for log_debug.
(send_client_notifications): Check opt.verbose to output a message.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-18 11:25:01 +09:00
Werner Koch
f57717bf23
common: Improve error return for dotlock.
* common/dotlock.c (dotlock_take_unix): Return a ETIMEDOUT insteaad of
EACCESS on timeout.
(dotlock_take_w32): Ditto.
2023-12-12 16:31:30 +01:00
NIIBE Yutaka
37fa36a329
doc: Fix description of scdaemon for --disable-ccid.
--

Cherry-picked from 2.4 branch of the commit:

	6b93b92111cb8ce6d06c6f71bd62cfb314663b8c

GnuPG-bug-id: 6871
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-12 14:30:59 +09:00
NIIBE Yutaka
6b93b92111
doc: Fix description of scdaemon for --disable-ccid.
--

GnuPG-bug-id: 6871
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2023-12-12 14:26:49 +09:00
Ahelenia Ziemiańska
1ded50dd5b
po: Fix quotes in Polish Translation.
--

Cherry-pick from 2.4 commit of:
	fa677a37cef007cad4ae772c96849b03931c5263

Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
2023-12-07 12:01:25 +09:00
Ahelenia Ziemiańska
fa677a37ce
po: Fix quotes in Polish Translation.
--

Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
2023-12-07 11:59:20 +09:00
Daniel Cerqueira
548d4aad5f
po: Update Portuguese Translation.
--

Cherry-picked from 2.4 branch of commit:
	a14f73a1921e6cd002a58ff8a5ba3d39129729f3

This commit log (with no ChangeLog entry) is written by gniibe,
following the practice; Translation update don't need a ChangeLog
entry in a commit log.

Signed-off-by: Daniel Cerqueira <dan.git@brilhante.top>
2023-12-01 15:23:49 +09:00
Daniel Cerqueira
a14f73a192
po: Update Portuguese Translation.
--

This commit log (with no ChangeLog entry) is written by gniibe,
following the practice; Translation update don't need a ChangeLog
entry in a commit log.

Signed-off-by: Daniel Cerqueira <dan.git@brilhante.top>
2023-11-30 08:57:52 +09:00
Werner Koch
73aa6dc6e4
gpgsm: Set validity flag in keylisting to n for untrusted root cert.
* sm/keylist.c (list_cert_colon): Map not_trusted to 'n' for non-root
certs like we do for root certs.
--

GnuPG-bug-id: 6841
2023-11-27 13:39:45 +01:00
Werner Koch
4c456bf075
scd:openpgp: Fallback to default ECDH params in writekey.
* scd/app-openpgp.c (ecc_writekey): Use default ECDH parameters and
remove the now useless check.
--

This seems to be better than bailing out.  In almost all cases our
standard parameters are used and if not, well, the fingerprint will be
wrong.

GnuPG-bug-id: 6378
2023-11-23 16:01:58 +01:00
Werner Koch
09329d52b5
agent: Update the key file only if changed (slight return).
* agent/findkey.c (read_key_file): Add optional arg r_orig_key_value
to return the old Key value.  Change all callers.
(agent_write_private_key): Detect whether the Key entry was really
changed.
--

GnuPG-bug-id: 6829
2023-11-21 12:24:17 +01:00
Werner Koch
813bb65d95
common: Check wether to set the modified flag in nve_set.
* common/name-value.c (nvc_set): Factor code out to ...
(nve_set): here.
2023-11-21 08:56:24 +01:00
Werner Koch
cf2d3f7ba0
agent: Update the key file only if not changed.
* common/name-value.c (struct name_value_container): Add flag
"modified".
(nvc_modified): New.
(nvc_new): Set flag.
(_nvc_add): Set flag.
(nvc_delete): Set flag.
(nvc_set): Set flag unless value did not change.
(nve_set): Add arg PK.  Change the caller.
* agent/findkey.c (agent_write_private_key): Update only if modified.
--

This helps software which uses a file system watcher to track changes
to private keys.  In particular smartcard triggered changes are a
problem for such software because this may at worst trigger another
smartcard read.

GnuPG-bug-id: 6829
2023-11-21 08:37:41 +01:00