* dirmngr/ks-engine-ldap.c (my_ldap_connect): Remove the
password_param thing because we set the password directly without an
intermediate var.
--
Reported-by: Ingo Kloecker
(cherry picked from commit 8bd5172539)
* dirmngr/server.c (make_keyserver_item): Fix default port for ldaps.
Move a tmpstr out of the blocks.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Improve diagnostics.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 8de9d54ac8)
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Use LDAP_OPT_TIMEOUT.
* dirmngr/dirmngr.c (main): Move --ldaptimeout setting to ...
(parse_rereadable_options): here.
--
Note that this has not yet been tested. In fact a test with OpenLDAP
using a modified route got stuck in the connection attempt. Maybe it
works on Windows - will be tested later.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 317d5947b8)
* dirmngr/dirmngr.c (opts): Add option --ldapserver.
(ldapserver_list_needs_reset): New var.
(parse_rereadable_options): Implement option.
(main): Ignore dirmngr_ldapservers.conf if no --ldapserver is used.
* dirmngr/server.c (cmd_ldapserver): Add option --clear and list
configured servers if none are given.
--
This option allows to specify LDAP keyserver in dirmngr instead of
using gpgsm.conf.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit ff17aee5d1)
* dirmngr/server.c (cmd_ldapserver): Strip an optional prefix.
(make_keyserver_item): Handle non-URL ldap specs.
* dirmngr/dirmngr.h (struct ldap_server_s): Add fields starttls,
ldap_over_tls, and ntds.
* dirmngr/ldapserver.c (ldapserver_parse_one): Add for an empty host
string. Improve error messages for the non-file case. Support flags.
* dirmngr/ks-action.c (ks_action_help): Handle non-URL ldap specs.
(ks_action_search, ks_action_get, ks_action_put): Ditto.
* dirmngr/ks-engine-ldap.c: Include ldapserver.h.
(ks_ldap_help): Handle non-URL ldap specs.
(my_ldap_connect): Add args r_host and r_use_tls. Rewrite to support
URLs and non-URL specified keyservers.
(ks_ldap_get): Adjust for changes in my_ldap_connect.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto.
--
The idea here is to unify our use of URLS or colon delimited ldap
keyserver specification. The requirement for percent escaping, for
example the bindname in an URLs, is cumbersome and prone to errors.
This we allow our classic colon delimited format as an alternative.
That format makes it also easy to specify flags to tell dirmngr
whether to use starttls or ldap-over-tls. The code is nearly 100%
compatible to existing specification. There is one ambiguity if the
hostname for CRL/X509 searches is just "ldap"; this can be solved by
prefixing it with "ldap:" (already implemented in gpgsm).
GnuPG-bug-id: 5405, 5452
Ported-from: 2b4cddf908
* common/keyserver.h: Remove.
* sm/gpgsm.h (struct keyserver_spec): Remove.
(opt): Change keyserver to a strlist_t.
* sm/gpgsm.c (keyserver_list_free): Remove.
(parse_keyserver_line): Remove.
(main): Store keyserver in an strlist.
* sm/call-dirmngr.c (prepare_dirmngr): Adjust for the strlist. Avoid
an ambiguity in dirmngr by adding a prefix if needed.
* g10/options.h (struct keyserver_spec): Move definition from
keyserver.h to here. Remove most fields.
* g10/keyserver.c (free_keyserver_spec): Adjust.
(cmp_keyserver_spec): Adjust.
(parse_keyserver_uri): Simplify.
(keyidlist): Remove fakev3 arg which does not make any sense because
we don't even support v3 keys.
--
We now rely on the dirmngr to parse the keyserver specs. Thus a bad
specification will not be caught immediately. However, even before
that dirmngr had stricter tests.
Signed-off-by: Werner Koch <wk@gnupg.org>
Ported-from: 9f586700ec
* dirmngr/http.h (HTTP_PARSE_NO_SCHEME_CHECK): New.
* dirmngr/http.c (http_parse_uri): Use this flag. Change all callers
to use the new macro for better readability.
(do_parse_uri): Add pseudo scheme "opaque".
(uri_query_value): New.
--
This scheme can be used to convey arbitrary strings in a parsed_uri_t
object.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 72124fadaf)
* sm/keydb.c (struct keydb_local_s): Add field saved_search_result.
(keydb_push_found_state): Implement for keyboxd.
(keydb_pop_found_state): Ditto.
(keydb_get_cert): Do not release the cert so that the function can be
used again to get the same cert. This is the same behaviour as in
pubring.kbx mode.
* sm/certchain.c, sm/import.c: Improve some error messages.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tools/gpgtar-create.c (fillup_entry_w32): Move parentheses.
--
Fixes-commit: 8b8925a2bd
The bug is so obvious that I wonder why it was not reported more often
on Windows. (Adding 1 to MAXDWORD (0xfffffff) always gives 0 for the
product).
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/cvt-openpgp.c (do_unprotect): Only modify SKEY when it is
correctly decrypted.
--
GnuPG-bug-id: 5122
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* common/compliance.c (gnupg_cipher_is_allowed): Allow GCM for gpgsm
in decrypt mode.
* tests/cms/samplemsgs/pwri-sample.gcm.p7m: Remove duplicated authtag
--
We allow GCM in de-vs mode for decryption although this has not been
evaluation. It is decryption and thus no serious harm may happen.
* tests/cms/samplemsgs/: Add sample messages.
* sm/gpgsm.c (main): Use gpgrt_fcancel on decryption error.
* sm/decrypt.c (decrypt_gcm_filter): New.
(gpgsm_decrypt): Use this filter if requested. Check authtag.
--
Note that the sample message pwri-sample.gcm.p7m is broken: The
authtag is duplicated to the authEncryptedContentInfo. I used a
temporary code during testing hack to that test message out.
* g10/openfile.c (overwrite_filep): Use gnupg_access.
--
As said, this is just an obvious but partial fix. We need to review
things for the output module.
Signed-off-by: Werner Koch <wk@gnupg.org>
* sm/keylist.c (list_cert_raw): Print the OpenPGP fpr.
--
This is useful for debugging for example if an OpenPGP key is used to
create an X.509 cert.
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/command.c (cmd_genkey): Use goto instead of return.
* agent/cvt-openpgp.c (convert_from_openpgp_main): Ditto.
* agent/genkey.c (agent_ask_new_passphrase): Fix typo to free correct
pointer
(agent_genkey): Release memory
* agent/gpg-agent.c (check_own_socket): Free sockname
* agent/protect-tool.c (read_key): Free buf.
(agent_askpin): Free passphrase
--
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Changed original patch to not add a free before a GPG_ERR_BUG.
Signed-off-by: Werner Koch <wk@gnupg.org>
GnuPG-bug-id: 5393
* dirmngr/ks-engine-ldap.c (extract_keys): Return the fingerprint if
available.
(ks_ldap_search): Ditto.
(extract_keys): Make sure to free the ldap values also in corner
cases.
(my_ldap_value_free): New.
(ks_ldap_get): Ditto.
(ks_ldap_search): Ditto.
(my_ldap_connect): Ditto.
--
For background see these comments from gpgme:
/* The output for external keylistings in GnuPG is different from all
the other key listings. We catch this here with a special
preprocessor that reformats the colon handler lines. */
/* The format is:
pub:<keyid>:<algo>:<keylen>:<creationdate>:<expirationdate>:<flags>
as defined in 5.2. Machine Readable Indexes of the OpenPGP
HTTP Keyserver Protocol (draft). Modern versions of the SKS
keyserver return the fingerprint instead of the keyid. We
detect this here and use the v4 fingerprint format to convert
it to a key id.
We want:
pub:o<flags>:<keylen>:<algo>:<keyid>:<creatdate>:<expdate>::::::::
*/
Regarding the freeing of values: I was not able to find a
specification stating it is okay to pass NULL to ldap_value_free, thus
the new wrapper. Also add robustness measures in case ldap_get_value
returns an empty array.
GnuPG-bug-id: 5441
Signed-off-by: Werner Koch <wk@gnupg.org>
* agent/command.c (cmd_keyinfo): Factor some code out to ...
(get_keyinfo_on_cards): ... new.
(cmd_havekey): Add --list mode.
* g10/gpg.h (struct server_control_s): Add new caching vars.
* g10/gpg.c (gpg_deinit_default_ctrl): Release cache.
* g10/call-agent.c (agent_probe_any_secret_key): Init and try to use
the keygrip cache.
(agent_genkey): Clear the cache.
(agent_import_key): Ditto.
* g10/keylist.c (list_all, list_one): Pass ctrl to
agent_probe_any_secret_key.
* g10/getkey.c (lookup): Ditto.
--
With this change we first ask the agent for a list of all secret
keygrips and use that list instead of asking the agent for each public
key. Speeds up my "gpg -K" with a lot of secret and public keys by
more than 25%.
Signed-off-by: Werner Koch <wk@gnupg.org>
* g10/keydb.h (GETPASSWORD_FLAG_SYMDECRYPT): New.
(passphrase_to_dek_ext): Remove this obsolete prototype.
* g10/passphrase.c (passphrase_get): Add arg flags. Use new flag
value.
(passphrase_to_dek): Add arg flags and pass it on.
* g10/mainproc.c (proc_symkey_enc): Use new flag.
* sm/decrypt.c (pwri_decrypt): Use "passphrase".
--
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 03f83bcda5)
Note that we keep on using the term "passphrase" although "password"
would be better. There are however so many occurance of this and
given it is a bike shedding topic we fix that in the PO files.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Ignore revoked
and disable keys in mail mode.
--
The LDAP schema has a revoked and a disabled flag. The former will be
set if a revoked key is uploaded; the latter can be set by other
means. With this change a search by mailbox does not anymore return
keys with these LDAP attributes set. This allows to better maintain a
directory with multiple keys per mailbox.
Doing the same for expired keys could also be done but requires more
effort.
Signed-off-by: Werner Koch <wk@gnupg.org>
* sm/decrypt.c (pwri_decrypt): Add arg ctrl. Ask for passphrase.
* sm/export.c (export_p12): Mark string as translatable.
* sm/import.c (parse_p12): Ditto.
--
This is finishes the support for PWRI.
The N_() marks are added so that we don't rely of the side-effect of
having the same strings in protect-tool.c
Signed-off-by: Werner Koch <wk@gnupg.org>
* sm/decrypt.c (pwri_parse_pbkdf2): New.
(pwri_decrypt): New.
(prepare_decryption): Support pwri.
(gpgsm_decrypt): Test for PWRI. Move IS_DE_VS flag to DFPARM.
--
Note that this is not finished because we need to implement a password
callback. For now "abc" is used as passwort.
Latest libksba is also required to return the required info.
Signed-off-by: Werner Koch <wk@gnupg.org>