1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

4208 Commits

Author SHA1 Message Date
NIIBE Yutaka
c27315fc64 scd: Fix check_keypad_request.
* scd/app-openpgp.c (check_keypad_request): 0 means not to use pinpad.
2013-02-05 14:59:29 +09:00
NIIBE Yutaka
e791ac6683 SCD: Add vendor specific initalization.
* scd/ccid-driver.c (ccid_vendor_specific_init): New.
(ccid_open_reader): Call ccid_vendor_specific_init.
2013-02-05 13:37:07 +09:00
NIIBE Yutaka
0407e642f7 SCD: Support P=N format for login data.
* scd/app-openpgp.c (parse_login_data): Support P=N format.
2013-02-05 13:37:07 +09:00
NIIBE Yutaka
bd5eded73a SCD: Better interoperability.
* scd/apdu.c: Fill bTeoPrologue[2] field.
--
ccid-1.4.5 or older requires this field is filled by application.
2013-02-05 13:37:07 +09:00
NIIBE Yutaka
a9ff97a10f SCD: Defaults to use pinpad if the reader has the capability.
* scd/app-openpgp.c (struct app_local_s): Remove VARLEN.
(parse_login_data): "P=0" means to disable pinpad.
(check_keypad_request): Default is to use pinpad if available.
2013-02-05 13:37:06 +09:00
NIIBE Yutaka
334ba6efa5 SCD: handle keypad request on the card.
* scd/app-openpgp.c: Add 2013.
(struct app_local_s): Add keypad structure.
(parse_login_data): Add parsing keypad request on the card.
(check_keypad_request): New.
(verify_a_chv, verify_chv3, do_change_pin): Call check_keypad_request
to determine use of keypad.
2013-02-05 13:37:06 +09:00
NIIBE Yutaka
d5bf83a24c SCD: Minor fix of ccid-driver.
* scd/ccid-driver.c (VENDOR_VEGA): Fix typo.
2013-02-05 13:37:06 +09:00
NIIBE Yutaka
82e1e837c2 SCD: Add support of Covadis VEGA_ALPHA reader.
* scd/ccid-driver.c: Add 2013.
(VENDER_VEGA, VEGA_ALPHA):New.
(ccid_transceive_secure): VEGA_ALPHA is same firmware as GEMPC_PINPAD.
Change bNumberMessage to 0x01, as it works better (was: 0xff).
2013-02-05 13:37:06 +09:00
NIIBE Yutaka
3aae780f9d SCD: Support fixed length PIN input for keypad (PC/SC).
* scd/apdu.c (pcsc_keypad_verify): SUpport fixed length PIN input for
keypad.
(pcsc_keypad_modify): Likewise.
* scd/ccid-driver.c (ccid_transceive_secure): Clean up.
2013-02-05 13:37:06 +09:00
NIIBE Yutaka
40a914a2e3 SCD: Support fixed length PIN input for keypad.
* scd/iso7816.h (struct pininfo_s): Remove MODE and add FIXEDLEN.
* scd/app-dinsig.c (verify_pin): Initialize FIXEDLEN to unknown.
* scd/app-nks.c (verify_pin): Likewise.
* scd/app-openpgp.c (verify_a_chv, verify_chv3, do_change_pin):
Likewise.
* scd/apdu.c (check_pcsc_keypad): Add comment.
(pcsc_keypad_verify, pcsc_keypad_modify): PC/SC driver only support
readers with the feature of variable length input (yet).
(apdu_check_keypad): Set FIXEDLEN.
* scd/ccid-driver.c (ccid_transceive_secure): Add GEMPC_PINPAD
specific settings.
Support fixed length PIN input for keypad.
2013-02-05 13:37:06 +09:00
NIIBE Yutaka
b526f6e223 SCD: API cleanup for keypad handling.
* scd/iso7816.h (struct pininfo_s): Rename from iso7816_pininfo_s.
Change meaning of MODE.
(pininfo_t): Rename from iso7816_pininfo_t.
* scd/sc-copykeys.c: Include "iso7816.h".
* scd/scdaemon.c, scd/command.c: Likewise.
* scd/ccid-driver.c: Include "scdaemon.h" and "iso7816.h".
(ccid_transceive_secure): Follow the change of PININFO_T.
* scd/app.c: Include "apdu.h" after "iso7816.h".
* scd/iso7816.c (iso7816_check_keypad, iso7816_verify_kp)
(iso7816_change_reference_data_kp): Follow the change of API.
* scd/apdu.c (struct reader_table_s): Change API of CHECK_KEYPAD,
KEYPAD_VERIFY, KEYPAD_MODIFY to have arg of PININFO_T.
(check_pcsc_keypad, check_ccid_keypad): Likewise.
(apdu_check_keypad, apdu_keypad_verify, apdu_keypad_modify): Likewise.
(pcsc_keypad_verify, pcsc_keypad_modify, ct_send_apdu)
(pcsc_send_apdu_direct,  pcsc_send_apdu_wrapped, pcsc_send_apdu)
(send_apdu_ccid, ccid_keypad_operation, my_rapdu_send_apdu, send_apdu)
(send_le): Follow the change of API.
* scd/apdu.h (apdu_check_keypad, apdu_keypad_verify)
(apdu_keypad_modify): Change the API.
* scd/app-dinsig.c, scd/app-nks.c, scd/app-openpgp.c: Follow the
change.
2013-02-05 13:37:06 +09:00
NIIBE Yutaka
ca89277cb4 SCD: Clean up. Remove PADLEN for keypad input.
* scd/apdu.c (struct pininfo_s): Use iso7816_pininfo_s.
(struct reader_table_s): Remove last arg from check_keypad method.
(check_pcsc_keypad, check_pcsc_keypad): Remove PIN_PADLEN.
(pcsc_keypad_verify, pcsc_keypad_modify): Don't check PIN_PADLEN.
(send_apdu_ccid, ccid_keypad_operation): Remove PIN_PADLEN.
(apdu_check_keypad, apdu_keypad_verify, apdu_keypad_modify):
Likewise.

* scd/apdu.h (apdu_check_keypad, apdu_keypad_verify)
(apdu_keypad_modify): Remove PIN_PADLEN.

* scd/ccid-driver.c (ccid_transceive_secure): Remove PIN_PADLEN.

* scd/ccid-driver.h (ccid_transceive_secure): Remove PIN_PADLEN.

* scd/iso7816.c (iso7816_check_keypad, iso7816_verify_kp)
(iso7816_change_reference_data_kp): Remove PADLEN.

* scd/iso7816.h (struct iso7816_pininfo_s): Remove PADLEN, PADCHAR.
--
In the OpenPGPcard specification, password comes with no padding.  In
GnuPG, we support keypad input for OpenPGPcard only.  Thus, it is
useless to try to support padding for keypad input.
2013-02-05 13:35:44 +09:00
NIIBE Yutaka
d9f6cc7502 SCD: Add option enable-keypad-varlen and support for GEMPC_PINPAD.
* scd/scdaemon.h (opt): Add enable_keypad_varlen.
* scd/scdaemon.c (cmd_and_opt_values): Add oEnableKeypadVarlen.
(opts, main): Add oEnableKeypadVarlen.
* scd/ccid-driver.c (GEMPC_PINPAD): New.
(ccid_transceive_secure): Add enable_varlen handling.
Enable GEMPC_PINPAD.
--
Note that GEMPC_PINPAD doesn't support variable length keypad input.
The feature of fixed length keypad input will be added soon.
2013-02-05 13:33:44 +09:00
Werner Koch
65eb98966a Convert doc/DETAILS to org-mode
--
Also restructure the file and fix some obviously wrong things.
2013-01-30 18:54:23 +01:00
Werner Koch
50a7badbda Remove unused status codes
* common/status.h (STATUS_BEGIN_STREAM, STATUS_END_STREAM)
(STATUS_SIEXPIRED): Remove unused codes.
2013-01-30 18:51:56 +01:00
Werner Koch
1cd6445eec gpg: Add status line PINENTRY_LAUNCHED.
* common/status.h (STATUS_PINENTRY_LAUNCHED): New.
* g10/server.c (server_local_s): Add field allow_pinentry_notify.
(option_handler): Add option "allow-pinentry-notify".
(gpg_proxy_pinentry_notify): New.
* g10/call-agent.c (default_inq_cb): Factor code out to the new
function.
2013-01-30 12:00:29 +01:00
NIIBE Yutaka
1999446644 agent: Fix a bug of handling return code from npth_join.
* agent/call-pinentry.c (agent_popup_message_stop): Fix npth_join
return code.
--
pth_join returns TRUE (1) on success.  But npth_join (and pthread_join)
returns 0 on success, returns error number on error.
2013-01-25 23:20:46 +09:00
Christian Aistleitner
60c58766ae gpg: Fix honoring --cert-digest-algo when recreating a cert
* g10/sign.c (update_keysig_packet): Override original signature's
digest algo in hashed data and for hash computation.
2013-01-11 13:48:59 +01:00
Werner Koch
7a638c094f Fix spurious cruft from configure summary output.
* configure.ac (build_scdaemon_extra): Remove $tmp cruft.
2013-01-11 13:48:59 +01:00
NIIBE Yutaka
4dddf32c83 SCD: Hold lock for pinpad input.
* scd/apdu.c (apdu_check_keypad, apdu_keypad_verify)
(apdu_keypad_modify): Hold lock to serialize communication.
2013-01-11 11:18:39 +09:00
Werner Koch
b11f84b858 kbx: Switch from MD5 to SHA-1 for the checksum.
* kbx/keybox-blob.c (put_membuf): Use a NULL buf to store zero bytes.
(create_blob_finish): Write just the needed space.
(create_blob_finish): Switch to SHA-1.
* kbx/keybox-dump.c (print_checksum): New.
(_keybox_dump_blob): Print the checksum and the verification status.
--

The checksum was never used in the past.  Due to fast SHA-1
computations in modern CPUs we now use SHA-1.  Eventually we will
support a First blob flag to enable the use of a secret or public
HMAC-SHA1.  The first may be used for authentication of keyblocks and
the latter to mitigate collission attacks on SHA-1.  It is not clear
whether this will be useful at all.
2013-01-08 21:55:34 +01:00
Werner Koch
bbcdb3d3ce kbx: Update blob specification
--
Mainly formatting updates.  The only actual change is the checksum
which is now declared as SHA-1.
2013-01-08 17:49:28 +01:00
Werner Koch
492792378d gpg: Cache keybox searches.
* common/iobuf.c (iobuf_seek): Fix for temp streams.
* g10/pubkey-enc.c (get_session_key, get_it): Add some log_clock calls.
* g10/keydb.c (dump_search_desc): New.
(enum_keyblock_states, struct keyblock_cache): New.
(keyblock_cache_clear): New.
(keydb_get_keyblock, keydb_search): Implement a keyblock cache.
(keydb_update_keyblock, keydb_insert_keyblock, keydb_delete_keyblock)
(keydb_rebuild_caches, keydb_search_reset): Clear the cache.
--

Gpg uses the key database at several places without a central
coordination.  This leads to several scans of the keybox for the same
key.  To improve that we now use a simple cache to store a retrieved
keyblock in certain cases.  In theory this caching could also be done
for old keyrings, but it is a bit more work and questionable whether
it is needed; the keybox scheme is anyway much faster than keyrings.

Using a keybox with 20000 384 bit ECDSA/ECHD keypairs and a 252 byte
sample text we get these values for encrypt and decrypt operations on
an Core i5 4*3.33Ghz system.  The option --trust-model=always is used.
Times are given in milliseconds wall time.

|           | enc | dec | dec,q |
|-----------+-----+-----+-------|
| key 1     |  48 |  96 |    70 |
| key 10000 |  60 |  98 |    80 |
| key 20000 |  69 | 106 |    88 |
| 10 keys   | 540 | 290 |    70 |

The 10 keys test uses a mix of keys, the first one is used for
decryption but all keys are looked up so that information about are
printed.  The last column gives decryption results w/o information
printing (--quiet).

The keybox is always scanned sequentially without using any index.  By
adding an index to the keybox it will be possible to further reduce
the time required for keys stored to the end of the file.
2013-01-08 14:46:06 +01:00
Werner Koch
5c565512b8 Make log_clock easier to read.
* common/logging.c (log_clock): Print in microseconds.
2013-01-08 14:35:27 +01:00
Werner Koch
f3f5721e68 gpg: Remove a function wrapper.
* g10/keydb.h (keydb_search): Remove macro.
* g10/keydb.c (keydb_search2): Rename to keydb_search.  Change all
callers.
2013-01-08 09:43:21 +01:00
NIIBE Yutaka
a776f66036 SCD: Support not-so-smart card readers.
* scd/ccid-driver.c (struct ccid_driver_s): Add auto_voltage,
auto_param, and auto_pps.
(parse_ccid_descriptor): Set auto_voltage, auto_param, and auto_pps.
Support non-autoconf readers.
(update_param_by_atr): New.
(ccid_get_atr): Use 5V for PowerOn when auto_voltage is not supported.
Use 0x10 when nonnull_nad for SetParameters.
Call update_param_by_atr for parsing ATR, and use param for
SetParameters.
Send PPS if reader requires it and card is negotiable.
When bNadValue in the return values of SetParameters == 0,
clear handle->nonnull_nad flag.
--
This change is to support more card readers by the internal driver.
Tested with 08e6:3478 Gemplus PinPad Smart Card Reader.
2013-01-08 15:22:31 +09:00
Werner Koch
f6d7b3f1ee gpg: Set the node flags while retrieving a keyblock.
* g10/keydb.c (parse_keyblock_image): Add args PK_NO and UID_NO and
set the note flags accordingly.
(keydb_get_keyblock): Transfer PK_NO and UID_NO to parse_keyblock_image.
* kbx/keybox-search.c (blob_cmp_fpr, blob_cmp_fpr_part)
(blob_cmp_name, blob_cmp_mail): Return the key/user number.
(keybox_search): Set the key and user number into the found struct.
(keybox_get_keyblock): Add args R_PK_NO and R_UID_NO and set them from
the found struct.
--

getkey.c needs to know whether the correct subkey was found.  Thus we
need to set the node flags the same way we did it with the keyring
storage.
2013-01-07 21:14:52 +01:00
Werner Koch
0baedfd25a New function log_clock.
* common/logging.c (log_clock): New.
* g10/gpg.c (set_debug): Print clock debug flag.
* g10/options.h (DBG_CLOCK_VALUE, DBG_CLOCK): New.
--

To actually use log_clock you need to enable the code in
logginc.c:log_check() and link against librt.  --debug 4096 may then
be used to enable it at runtime.
2013-01-07 16:51:24 +01:00
Werner Koch
fb31462e7e gpg: Allow searching for user ids in a keybox.
* kbx/keybox-search.c (blob_cmp_name): Add arg X509 and adjust for PGP
use.  Change callers.
(blob_cmp_mail): Add arg X509 and find the mailbox offset for PGP.
Chnage callers.
(has_subject_or_alt): Rename to has_username.
(has_username): Allow blobtype PGP.
(has_mail): Ditto.
2013-01-07 15:41:10 +01:00
Werner Koch
7d00e52bd5 gpg: Allow generation of more than 4096 keys in one run.
* g10/getkey.c (cache_public_key): Make room in the cache if needed.
--

To create the selfsigs, the key generation code makes use of the key
cache.  However, after 4096 the cache is filled up and then disabled.
Thus generating more than 4096 keys in one run was not possible.  We
now clear the first half the inserted keys every time the cache gets
full.
2013-01-07 15:37:50 +01:00
NIIBE Yutaka
bb51edc31e Update Japanese Translation.
* po/ja.po: Fix wrong translations for designated revocation.
Reported by Hideki Saito.

Conflicts:
	po/ja.po
2013-01-07 10:51:26 +09:00
NIIBE Yutaka
05a4458e57 Update Japanese Translation.
* po/ja.po: Fix fuzzy translations.
2013-01-05 16:38:11 +09:00
NIIBE Yutaka
709a8f8125 Update Japanese Translation.
* po/ja.po: Update with POT.
2013-01-03 12:03:19 +09:00
NIIBE Yutaka
0fae789c41 Update Japanese Translation.
* po/ja.po: Start from the new one of 2.0.
2013-01-03 12:02:07 +09:00
Werner Koch
79f08fb069 gpg: Add signature cache support to the keybox.
* g10/keydb.c (parse_keyblock_image): Add arg SIGSTATUS.
(keydb_get_keyblock): Handle it.
(build_keyblock_image): Add arg SIGSTATUS.
(keydb_insert_keyblock): Handle it.
* kbx/keybox-blob.c (pgp_create_sig_part): Add arg SIGSTATUS.
(_keybox_create_openpgp_blob): Ditto.
* kbx/kbxutil.c (import_openpgp): Adjust for above change.
* kbx/keybox.h (KEYBOX_FLAG_SIG_INFO): New.
* kbx/keybox-search.c (_keybox_get_flag_location): Handle new flag.
(keybox_get_keyblock): Add arg R_SIGSTATUS.
* kbx/keybox-update.c (keybox_insert_keyblock): Add arg SIGSTATUS.
--

With this change a key listing using the keybox format is now double
as fast as using a keyring.  The memory use dropped as well.  Measured
with about 1500 keys.
2012-12-28 17:17:56 +01:00
Werner Koch
564d10ea5c kbxutil: Improve format of the Sig-Expire lines.
* kbx/keybox-dump.c (_keybox_dump_blob): Print the expirate timestamp.
2012-12-28 17:07:37 +01:00
Werner Koch
a986383424 gpg: First working support for keyboxes.
* g10/getkey.c (get_pubkey_fast): Improve the assertion.
* kbx/keybox.h: Include iobuf.h.
* kbx/keybox-blob.c (keyboxblob_uid): Add field OFF.
(KEYBOX_WITH_OPENPGP): Remove use of this macro.
(pgp_create_key_part_single): New.
(pgp_temp_store_kid): Change to use the keybox-openpgp parser.
(pgp_create_key_part): Ditto.
(pgp_create_uid_part): Ditto.
(pgp_create_sig_part): Ditto.
(pgp_create_blob_keyblock): Ditto.
(_keybox_create_openpgp_blob): Ditto.
* kbx/keybox-search.c (keybox_get_keyblock): New.
* kbx/keybox-update.c (keybox_insert_keyblock): New.
* g10/keydb.c (parse_keyblock_image):
(keydb_get_keyblock): Support keybox.
(build_keyblock_image): New.
(keydb_insert_keyblock): Support keybox.

* kbx/kbxutil.c (import_openpgp, main): Add option --dry-run and print
a kbx file to stdout.

* kbx/keybox-file.c (_keybox_read_blob2): Allow keyblocks up to 10^6
bytes.
--

Import and key listing does now work with the keybox format.  It is
still quite slow and signature caching is completely missing.

Increasing the maximum allowed length for a keyblock was required due
to a 700k keyblock which inhibited kbxutil to list the file.
kbxutil's option name --import-openpgp is not quite appropriate
because it only creates KBX blobs from OpenPGP data.
2012-12-28 14:05:27 +01:00
Werner Koch
f7495f1004 kbxutil: Print algo number and fold similar lines.
* kbx/keybox-defs.h (_keybox_openpgp_key_info): Add field ALGO.
* kbx/keybox-openpgp.c (parse_key): Store algo.
* kbx/kbxutil.c (dump_openpgp_key): Print algo number.
* kbx/keybox-dump.c (_keybox_dump_blob): Print identical Sig-Expire
value lines with a range of indices.
2012-12-28 13:45:41 +01:00
Werner Koch
91e61d5253 gpg: First patches to support a keybox storage backend.
* kbx/keybox-defs.h (_keybox_write_header_blob): Move prototype to ..
* kbx/keybox.h: here.
* kbx/keybox-init.c (keybox_lock): Add dummy function
* g10/keydb.c: Include keybox.h.
(KeydbResourceType): Add KEYDB_RESOURCE_TYPE_KEYBOX.
(struct resource_item): Add field kb.
(maybe_create_keyring_or_box): Add error descriptions to diagnostics.
Add arg IS_BOX.  Write a header for a new keybox file.
(keydb_add_resource): No more need for the force flag.  Rename the
local variable "force" to "create".  Add URL scheme "gnupg-kbx".  Add
magic test to detect a keybox file.  Add basic support for keybox.
(keydb_new, keydb_get_resource_name, keydb_delete_keyblock)
(keydb_locate_writable, keydb_search_reset, keydb_search2): Add
support for keybox.
(lock_all, unlock_all): Ditto.
* g10/Makefile.am (needed_libs): Add libkeybox.a.
(gpg2_LDADD, gpgv2_LDADD): Add KSBA_LIBS as a workaround.

* g10/keydb.h (KEYDB_RESOURCE_FLAG_PRIMARY)
KEYDB_RESOURCE_FLAG_DEFAULT, KEYDB_RESOURCE_FLAG_READONLY): New.
* g10/gpg.c, g10/gpgv.c (main): Use new constants.
--

I did most of these changes back in 2011 and only cleaned them up
now.  More to follow soon.
2012-12-27 15:04:42 +01:00
Werner Koch
f0b33b6fb8 gpg: Import only packets which are allowed in a keyblock.
* g10/import.c (valid_keyblock_packet): New.
(read_block): Store only valid packets.
--

A corrupted key, which for example included a mangled public key
encrypted packet, used to corrupt the keyring.  This change skips all
packets which are not allowed in a keyblock.

GnuPG-bug-id: 1455

(cherry-picked from commit f795a0d59e197455f8723c300eebf59e09853efa)
2012-12-20 12:37:01 +01:00
Werner Koch
d61f7402f2 gpg: Make commit 2b3cb2ee actually work
* g10/sign.c (update_keysig_packet): Use digest_algo.

(cherry-picked from commit d23ec86095714d388acac14b515445fe69f019e9)
2012-12-19 12:40:21 +01:00
Werner Koch
8325d61659 gpg: Suppress "public key already present" in quiet mode.
* g10/pkclist.c (find_and_check_key, build_pk_list): Print a
diagnostic only in non-quiet mode.
2012-12-19 11:21:26 +01:00
Werner Koch
5a66316ea4 faq: Add a section on copyright assignments
--
2012-12-19 11:05:05 +01:00
Werner Koch
0e64e1abd3 State that disclaimers are not anymore needed for translations.
--
2012-12-18 19:56:24 +01:00
Werner Koch
41d564333d common: Add meta option ignore-invalid-option.
* common/argparse.c (iio_item_def_s, IIO_ITEM_DEF): New.
(initialize): Init field IIO_LIST.
(ignore_invalid_option_p): New.
(ignore_invalid_option_add): New.
(ignore_invalid_option_clear): New.
(optfile_parse): Implement meta option.
--

This option is currently of no use.  However, as soon as it has been
deployed in all stable versions of GnuPG, it will allow the use of the
same configuration file with an old and a new version of GnuPG.  For
example: If a new version implements the option "foobar", and a user
uses it in gpg.conf, an old version of gpg would bail out with the
error "invalid option".  To avoid that the following line can be put
above that option in gpg.conf

  ignore-invalid-option foobar

This meta option may be given several times or several option names
may be given as arguments (space delimited).  Note that this option is
not available on the command line.
2012-12-18 18:06:41 +01:00
Werner Koch
6177fb3c87 utf8conv.c: Add hacks for Android.
* common/utf8conv.c [HAVE_ANDROID_SYSTEM]: Do not include iconv.h.
(iconv_open, iconv_close, load_libiconv) [HAVE_ANDROID_SYSTEM]: New
dummy functions.
(set_native_charset) [HAVE_ANDROID_SYSTEM]: Force use of "utf-8".
(jnlib_iconv_open) [HAVE_ANDROID_SYSTEM]: Act the same as under W32.
(jnlib_iconv) [HAVE_ANDROID_SYSTEM]: Ditto.
(jnlib_iconv_close) [HAVE_ANDROID_SYSTEM]: Ditto.
--

Co-authored-by: Hans of Guardian <hans@guardianproject.info>
2012-12-13 16:11:21 +01:00
NIIBE Yutaka
e7dca3e83e SCD: Fix the process of writing key or generating key.
* scd/app-openpgp.c (store_fpr): Flush KEY-FPR and KEY-TIME.
2012-12-13 13:44:43 +09:00
Werner Koch
649b31c663 ssh: Support ECDSA keys.
* agent/command-ssh.c (SPEC_FLAG_IS_ECDSA): New.
(struct ssh_key_type_spec): Add fields CURVE_NAME and HASH_ALGO.
(ssh_key_types): Add types ecdsa-sha2-nistp{256,384,521}.
(ssh_signature_encoder_t): Add arg spec and adjust all callers.
(ssh_signature_encoder_ecdsa): New.
(sexp_key_construct, sexp_key_extract, ssh_receive_key)
(ssh_convert_key_to_blob): Support ecdsa.
(ssh_identifier_from_curve_name): New.
(ssh_send_key_public): Retrieve and pass the curve_name.
(key_secret_to_public): Ditto.
(data_sign): Add arg SPEC and change callers to pass it.
(ssh_handler_sign_request): Get the hash algo from SPEC.
* common/ssh-utils.c (get_fingerprint): Support ecdsa.

* agent/protect.c (protect_info): Add flag ECC_HACK.
(agent_protect): Allow the use of the "curve" parameter.
* agent/t-protect.c (test_agent_protect): Add a test case for ecdsa.

* agent/command-ssh.c (ssh_key_grip): Print a better error code.
--

The 3 standard curves are now supported in gpg-agent's ssh-agent
protocol implementation.  I tested this with all 3 curves and keys
generated by OpenSSH 5.9p1.

Using existing non-ssh generated keys will likely fail for now. To fix
this, the code should first undergo some more cleanup; then the fixes
are pretty straightforward.  And yes, the data structures are way too
complicated.
2012-12-12 18:47:21 +01:00
Werner Koch
f76a0312c3 ssh: Rewrite a function for better maintainability
* agent/command-ssh.c (ssh_signature_encoder_dsa): Rewrite.
--

Using es_fopenmem instead of a preallocated buffer is safer and easier
to read.
2012-12-11 14:50:34 +01:00
Werner Koch
d2777f84be ssh: Improve key lookup for many keys.
* agent/command-ssh.c: Remove dirent.h.
(control_file_s): Add struct item.
(rewind_control_file): New.
(search_control_file): Factor code out to ...
(read_control_file_item): New.
(ssh_handler_request_identities): Change to iterate over entries in
sshcontrol.
--

Formerly we scanned the private key directory for matches of entries
in sshcontrol.  This patch changes it to scan the sshcontrol file and
thus considers only keys configured there.  The rationale for this is
that it is common to have only a few ssh keys but many private keys.
Even if that assumption does not hold true, the scanning of the
sshcontrol file is faster than reading the directory and only then
scanning the ssh control for each directory entry.
2012-12-10 18:27:23 +01:00