1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-27 11:10:13 +01:00

8746 Commits

Author SHA1 Message Date
NIIBE Yutaka
500151e6da
libdns: Avoid using compound literals (5).
* dirmngr/dns.h (dns_rr_foreach): Don't use dns_rr_i_new.
Call dns_rr_grep with NULL.
* dirmngr/dns.c (dns_rr_grep): Support NULL for error_.

--

Here we still use C99 feature of struct member initialization in
dns_rr_foreach, for struct dns_rr_i.  Note that in C99, it guarantees
non-specified member fields are initialized by zero.  So, there's no
need to use dns_rr_i_new at all.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit a1ccfe2b37847cce0db2fb94a7365c9fa501eda4)
2019-03-07 13:02:48 +01:00
NIIBE Yutaka
229302aecf
libdns: Avoid using compound literals (4).
* dirmngr/dns.h (dns_d_new*): Remove.
* dirmngr/dns.c (parse_packet): Use dns_d_init with automatic
variable.
(parse_domain): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 7313a112f9c7ada61d24285313d2e2d069a672e8)
2019-03-07 13:02:29 +01:00
NIIBE Yutaka
f0de4fc990
libdns: Avoid using compound literals (3).
* dirmngr/dns.h (dns_p_new): Remove.
* dirmngr/dns.c (dns_hosts_query): Use dns_p_init with automatic
variable.
(dns_hints_query, dns_res_glue, parse_packet, query_hosts)
(send_query, show_hints, echo_port): Likewise.

--

Implicit automatic allocation by compound literals is confusing
for C90 code.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 72efb7840258808cd892b90d871ea1cc1c31d7f5)
2019-03-07 13:02:05 +01:00
NIIBE Yutaka
ff7d01fc6d
libdns: Avoid using compound literals (2).
* dirmngr/dns.h (dns_strsection1, dns_strsection3): Remove.
(dns_strclass1, dns_strclass3): Remove.
(dns_strtype1, dns_strtype3): Remove.
(dns_strsection, dns_strclass, dns_strtype): Directly use the
function.
* dirmngr/dns.c (dns_strsection): Use automatic variable.
(dns_strclass, dns_strtype): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 455ef62d29a112de05897139716265d07e4c6ae3)
2019-03-07 13:01:47 +01:00
NIIBE Yutaka
1318d1e2d5
libdns: Avoid using compound literals.
* dirmngr/dns.c (dns_inet_pton, dns_so_tcp_keep): Use automatic
variables.
(dns_poll, dns_send_nopipe): Likewise, adding const qualifier.

--

Compound literals is a feature of C99.  Because we only use C90 plus
some limited features, in the project, it's better to avoid it.

Besides, we make sure when it's read-only.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 1c405499388fd5bed0968ab5c6c5d1b3373537b9)
2019-03-07 13:01:34 +01:00
Werner Koch
557c721e78
dirmngr: Add CSRF protection exception for protonmail.
* dirmngr/http.c (same_host_p): Add exception table.
--

Please: Adding entries to this table shall be an exception and not the
rule.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 134c3c16523b1a267ebdd2df6339240fd9e1e3b3)
2019-03-07 11:34:59 +01:00
Werner Koch
5d73c231e4
gpgtar: Make option -C work for archive creation.
* tools/gpgtar-create.c (gpgtar_create): Switch to the -C directory.
--

The -C option is pretty useful given that pattern are always relative
to the current directory.  In contrast to GNU tar, the switching is
done only once.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit b3a7a5140784b5a015107b5c5c73b15ae44e71dc)
2019-03-07 10:56:18 +01:00
Werner Koch
2e4151a341
gpgtar: Improve error messages.
* tools/gpgtar.h (struct tarinfo_s): New.
* tools/gpgtar.c (cmd, skip_crypto, files_from, null_names): Move
global vars more to the top.
(set_cmd): Rename 'cmd' to 'c'.
* tools/gpgtar-list.c (parse_header): Add arg 'info' and improve error
messages.
(read_header): Add arg 'info' and update counter.
(skip_data): Ditto.
(gpgtar_list): Pass info object to read functions.
(gpgtar_read_header): Add arg 'info'.
* tools/gpgtar-extract.c (gpgtar_extract): add arg 'info' and pass on.
(extract_regular): Add arg 'info' and update counter.
--

This now prints the block number of a header with error.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 72feb8fa8280aba674573a1afc955a92e8065242)
2019-03-07 10:55:21 +01:00
Werner Koch
d2a7f9078a
gpg: Make invalid primary key algos obvious in key listings.
* g10/keylist.c (print_key_line): Print a warning for invalid algos.
--

Non-OpenPGP compliant keys now show a warning flag on the sec or pub
line like in:

  gpg: can't encode a 256 bit MD into a 88 bits frame, algo=8
  sec   cv25519 2019-01-30 [INVALID_ALGO]
        4239F3D606A19258E7A88C3F9A3F4F909C5034C5
  uid           [ultimate] ffffff

Instead of showing the usage flags "[CE]".  Without this patch only
the error message is printed and the reason for it was not immediately
obvious (cv25519 is encryption only but we always consider the primary
key as having the "C" flag).

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit db87132b10664718b7db6ec1dad584b54d1fb265)
2019-03-07 10:54:39 +01:00
Werner Koch
b3c8ce9e43
sm: Print Yubikey attestation extensions with --dump-cert.
* sm/keylist.c (oidtranstbl): Add Yubikey OIDs.
(OID_FLAG_HEX): New.
(print_hex_extn): New.
(list_cert_raw): Make use of that flag.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 86c241a8c9a952ea8007066b70b04f435e2e483e)
2019-03-07 10:53:52 +01:00
NIIBE Yutaka
150d545231
tests: Add "disable-scdaemon" in gpg-agent.conf.
* tests/openpgp/defs.scm: Add "disable-scdaemon".  Remove
  "scdaemon-program".
* tests/gpgme/gpgme-defs.scm, tests/gpgsm/gpgsm-defs.scm: Likewise.
* tests/inittests, tests/pkits/inittests: Add "disable-scdaemon"

--

Before this change, running "make check" accesses USB device by
scdaemon on host computer.  If there is any smartcard/token available,
it may affect test results.  Because default key choice depends on
smartcard/token availability now and existing tests have nothing about
testing smartcard/token, disabling scdaemon is good.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 64b7c6fd1945bc206cf56979633dfca8a7494374)
2019-03-07 10:50:17 +01:00
Werner Koch
e7eafe1019
scd: Fix flushing of CA-FPR data objects
* scd/app-openpgp.c (do_setattr): Add new table item to flush a
different tag.

--

For whatever reasons the OpenPGP card reads the 3 CA fingerprints from
one object but sets them individually using 3 different tags.  The
cache flushing was not prepared for this and so a changed CA
fingerprint showed only up after a card reset.  This patch fixes it.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c9f4c1f0de06672c6ae2b793d86cc001d131f9a6)

Fixed conflict by removing the UIF-* entries from the table.
2019-03-07 10:39:46 +01:00
NIIBE Yutaka
77a285a0a9
agent: Support --mode=ssh option for CLEAR_PASSPHRASE.
* agent/command.c (cmd_clear_passphrase): Add support for SSH.

--

GnuPG-bug-id: 4340
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit ae966bbe9b16ed68a51391afdde615339755e22d)
2019-03-07 10:34:34 +01:00
Daniel Kahn Gillmor
a7b2a87f94
gpgv: Improve documentation for keyring choices
* doc/gpgv.texi: Improve documentation for keyring choices

--

From the existing documentation, it's not clear whether the default
keyring will always be mixed into the set of keyrings, or whether it
will be skipped if a --keyring is present.  The updated text here
attempts to describe the keyring selection logic more completely.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2019-03-07 07:55:51 +01:00
Werner Koch
be69bf0cbd
sm: Don't mark a cert as de-vs compliant if it leads to SHA-1 sigs.
* sm/keylist.c (print_compliance_flags): Also check the digest_algo.
Add new arg 'cert'.
--

A certificate with algorithm sha1WithRSAEncryption can be de-vs
compliant (e.g. if the next in the chain used sha256WithRSAEncryption
to sign it and RSA is long enough) but flagging it as such is useless
because that certificate can't be used because it will create
signatures using the non-compliant SHA-1 algorithm.

Well, it could be used for encryption.  But also evaluating the
key-usage flags here would make it harder for the user to understand
why certain certificates are listed as de-vs compliant and others are
not.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 2c75af9f65d15653ed1bc191f1098ae316607041)

Reworked to also pass the CERT.  Note that 2.2 won't get the PK
Screening feature.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-28 15:13:22 +01:00
Daniel Kahn Gillmor
121286d9d1
gpgsm: default to 3072-bit keys.
* doc/gpgsm.texi, doc/howto-create-a-server-cert.texi: : update
default to 3072 bits.
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): update default to
3072 bits.
* sm/certreqgen.c (proc_parameters): update default to 3072 bits.
* sm/gpgsm.c (main): print correct default_pubkey_algo.

--

3072-bit RSA is widely considered to be 128-bit-equivalent security.
This is a sensible default in 2017.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>

Gbp-Pq: Topic update-defaults
Gbp-Pq: Name 0014-gpgsm-default-to-3072-bit-keys.patch
(cherry picked from commit 7955262151a5c755814dd23414e6804f79125355)
2019-02-28 11:00:31 +01:00
Werner Koch
92e26ade5c
conf: New option --show-socket.
* tools/gpgconf-comp.c (gc_component_t): Move this enum to ...
* tools/gpgconf.h: here.
* tools/gpgconf.c (oShowSocket): New.
(opts): Add new option.
(main): Implement new option.
--

This is a convenience options for software which directly connects to
gpg-agent and thus needs to new the socket.  By using --show-socket
along with --launch that software can also autostart the agent or the
dirmngr.  Without this two calls to gpgconf would be required.

Actually the same behaviour can be achieved by running
gpg-connect-agent to query the running gpg-agent's socket via GETINFO.
The gpg-connect also makes sure that the agent is started.  This is
not anymore suggested because gpgconf shall in future be used for all
such things.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit ac485b4f253ad6bbd2bc648650b56d60fc82f89d)
2019-02-26 13:15:58 +01:00
Werner Koch
0eb8095626
scd: Don't let the "undefined" app cause a conflict error.
* scd/app.c (check_conflict): Ignore "undefined".

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 5ecc7a02609dde65096ddb12e0ff8f6bce3b774a)
2019-02-25 08:50:31 +01:00
Werner Koch
54c56230e3
sm: Fix certificate creation with key on card.
* sm/certreqgen.c (create_request): Fix for certmode.
--

When using an existing key from a card for certificate signing (in
contrast to the default of generating a CSR), the code tried to use
the same key for signing instead of the Signing-Key parameter.  It is
perfectly okay to use the regular signing path via gpg-agent for
certificate creation - only self-signed certificates with a key on the
card require the direct use of the card key (via "SCD PKSIGN").

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c1000c673814e552923cf1361346d7dfeee55608)
2019-02-25 08:49:59 +01:00
Werner Koch
0a95b15381
agent: Fix for suggested Libgcrypt use.
* agent/divert-scd.c (divert_pkdecrypt): Skip a flags parameter.
--

The libgcrypt docs say that a "flags" parameter should always be used
in the input of pkdecrypt.  Thus we should allow that parameter also
when parsing an s-expression to figure out the algorithm for use with
scdaemon.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit a12c3a566e2e4b10bc02976a2819070877ee895c)
2019-02-25 08:49:31 +01:00
NIIBE Yutaka
8161afb9dd gpgscm: Build well even if NDEBUG defined.
* gpgscm/scheme.c (gc_reservation_failure): Fix adding ";".
[!NDEBUG] (scheme_init_custom_alloc): Don't init seserved_lineno.

--

Cherry icked from master commit of:
	e140c6d4f581be1a60a34b67b16430452f3987e8

In some build environment, NDEBUG is defined (although it's
bad practice).  This change supports such a situation.

GnuPG-bug-id: 3959
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-25 10:48:12 +09:00
Neal H. Walfield
14e5435afb gpg: Fix comparison.
* g10/gpgcompose.c (literal_name): Complain if passed zero arguments,
not one or fewer.

--

Cherry-picked master commit of:
	1ed21eee79749b976b4a935f2279b162634e9c5e

Signed-off-by: Neal H. Walfield <neal@walfield.org>
2019-02-19 15:53:12 +09:00
NIIBE Yutaka
005e951714 agent: Fix cancellation handling for scdaemon.
* agent/call-scd.c (cancel_inquire): Remove.
(agent_card_pksign, agent_card_pkdecrypt, agent_card_writekey)
(agent_card_scd): Don't call cancel_inquire.

--

Cherry-picked master commit of:
	9f5e50e7c85aa8b847d38010241ed570ac114fc3

Since libassuan 2.1.0, cancellation command "CAN" is handled within
the library, by assuan_transact.  So, cancel_inquire just caused
spurious "CAN" command to scdaemon which resulted an error.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-19 15:52:18 +09:00
NIIBE Yutaka
90e5f49b6a scd: Distinguish cancel by user and protocol error.
* scd/apdu.h (SW_HOST_CANCELLED): New.
* scd/apdu.c (host_sw_string): Support SW_HOST_CANCELLED.
(pcsc_error_to_sw): Return SW_HOST_CANCELLED for PCSC_E_CANCELLED.
* scd/iso7816.c (map_sw): Return GPG_ERR_INV_RESPONSE for
SW_HOST_ABORTED and GPG_ERR_CANCELED for SW_HOST_CANCELLED.

--
Cherry-picked master commit of:
	2396055c096884d521c26b76f26263a146207c24

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-19 15:51:14 +09:00
NIIBE Yutaka
6e422b5135 common: Fix gnupg_wait_processes.
* common/exechelp-posix.c (gnupg_wait_processes): Loop for r_exitcodes
even if we already see an error.

--

Cherry-picked master commit of:
	eeb3da6eb717ed6a1a1069a7611eb37503e8672d

The value stored by waitpid for exit code is encoded;  It requires
decoded by WEXITSTATUS macro, regardless of an error.

For example, when one of processes is already exited and another is
still running, it resulted wrong value of in r_exitcodes[n].

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-19 15:49:55 +09:00
Ingvar Hagelund
a09bba976d po: Correct a simple typo in the Norwegian translation
Signed-off-by: Ingvar Hagelund <ingvar@redpill-linpro.com>
2019-02-14 09:46:39 -05:00
Werner Koch
e5580ae788
Post release updates
--
2019-02-12 18:37:40 +01:00
Werner Koch
7922e2dd1c
Release 2.2.13 gnupg-2.2.13 2019-02-12 16:30:31 +01:00
Werner Koch
d1df96bf1c
po: Auto-update
--
2019-02-12 16:30:29 +01:00
Werner Koch
d1bee9d1ef
sm: In --gen-key with "key from card" show also the algorithm.
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): Get and show algo.
--

This extends the prompt to show something like

  Serial number of the card: FF020001008A77F6
  Available keys:
     (1) 4130F84FA3704F4645924AEC3FFA48AD26D33656 PIV.9A nistp384
     (2) AB2988FB8C227BCD5175BF92F66AA3A95AE83214 PIV.9E rsa2048
     (3) DB7DDAEAA88534BA45CCD7A9B761425103EA2090 PIV.9C rsa2048
     (4) BABB48C3D80ACCF9839F101DF2910966C8B988DF PIV.9D nistp256
  Your selection? 1

Having the algorithm here is helpful in particular because right now
we support only RSA with X.509.  Take care: PIV card based certificate
creation does not yet work.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 0328976c94adc2c518c7a7763a35319a0000c5e2)

Note that 2.2 does not support PIV cards, but the feature also works
also with other cards.
2019-02-11 10:59:36 +01:00
Werner Koch
d29d73264f
common: Provide function to get public key algo names in our format.
* common/sexputil.c (pubkey_algo_string): New.
--

The new gpg format for public key algorithms is useful at other places
as well.  Thus we make this new function available.  Note that the
code we use in gpg is not based on s-expressions and thus a new
function was required.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 03bf8e967adb2dd13329ba1089deb419d49e55c0)

Not yet used in 2.2 but will likely be needed by future backports.
2019-02-11 10:59:35 +01:00
Werner Koch
ee8d1a9e6c
common: New functions get_option_value and ascii_strupr.
* common/server-help.c (get_option_value): New.
* common/stringhelp.c (ascii_strupr): New.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e2f18023b3b3b7e55b35218f65e37448d1011172)

This might come handy when we eventually backport other changes.
2019-02-11 10:59:34 +01:00
Werner Koch
14816c7980
scd: Make app_genkey and supporting ISO function more flexible.
* scd/app.c (app_genkey): Add arg keytype.
* scd/app-common.h (struct app_ctx_s): Fitto for the genkey member.
* scd/command.c (cmd_genkey): Adjust for change.
* scd/iso7816.c (do_generate_keypair): Replace arg read_only by new
args p1 and p2.
(iso7816_read_public_key): Adjust for this.
(iso7816_generate_keypair): Add new args p1 and p2.
* scd/app-openpgp.c (do_genkey): Adjust for changes.
--

The OpenPGP card creates keys according to parameters read from a data
object.  Other cards we are about to implement require a direct
specification of the requested keytype.  This patch implements the
required changes.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 9a9cb0257aebb1480b999fdf9d90904083eb8e3c)
2019-02-11 10:59:32 +01:00
Werner Koch
c075274aac
scd: Fix parameter name of app_change_key.
* scd/app-common.h (APP_GENKEY_FLAG_FORCE): New.
* scd/app.c (app_change_pin): Rename arg reset_mode to flags and
change from int to unsigned int.
--

This is basically a documentation fix.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c26af8ac263ea006ed32e110a09271e4bfbf1f37)
2019-02-11 10:59:25 +01:00
Werner Koch
6651a0640d
scd: Allow standard keyref scheme for app-openpgp.
* scd/app-openpgp.c (do_change_pin): Allow prefixing the CHVNO with
"OPENPGP."
--

The generic keyref allows for better error detection in case a keyref
is send to a wrong card.  This has been taken from master commit
3231ecdafd71ac47b734469b07170756979ede72 which has additional changed
for gpg-card-tool, which is only available there.

Signed-off-by: Werner Koch <wk@gnupg.org>
2019-02-11 10:59:22 +01:00
Werner Koch
14ea581a1c
gpg: Emit an ERROR status if no key was found with --list-keys.
* g10/keylist.c (list_one): Emit status line.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 140fda8c61422ec055c3f7e214cc35706c4320dd)
2019-02-11 10:40:32 +01:00
NIIBE Yutaka
c16685b2f5 po: Update Japanese translation.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-06 17:16:08 +09:00
NIIBE Yutaka
9109bb9919 agent: Clear bogus pinentry cache, when it causes an error.
* agent/agent.h (PINENTRY_STATUS_*): Expose to public.
(struct pin_entry_info_s): Add status.
* agent/call-pinentry.c (agent_askpin): Clearing the ->status
before the loop, let the assuan_transact set ->status.  When
failure with PINENTRY_STATUS_PASSWORD_FROM_CACHE, it returns
soon.
* agent/findkey.c (unprotect): Clear the pinentry cache,
when it causes an error.

--

Cherry-picked from master commit of:
	      02a2633a7f0b7d91aa48ea615fb3a0edfd6ed6bb

Debian-bug-id: 919856
GnuPG-bug-id: 4348
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-06 16:54:14 +09:00
NIIBE Yutaka
7f4c3eb0a0 dirmngr: Fix initialization of assuan's nPth hook.
* dirmngr/dirmngr.c (main): Move assuan_set_system_hooks to...
(thread_init): ... here.

--

Cherry picked master commit of:
	1f8817475f59ede3f28f57edc10ba56bbdd08b49

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-02-06 16:51:29 +09:00
Jakub Bogusz
900ae94797
po: Update Polish translation
--
2019-01-31 20:05:14 +01:00
Werner Koch
31d2a1eeca
gpg: Allow generating Ed25519 key from an existing key.
* g10/misc.c (map_pk_gcry_to_openpgp): Add EdDSA mapping.
--

Due to this missing mapping a "gpg --export --full-gen-key" with
selection "13 - Existing key" did not worked for an ed25519 key.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 346a98fabe03adf2e202e36fc2aa24b1c2571154)
2019-01-30 11:29:06 +01:00
Werner Koch
5e5f3ca0c2
gpg: Implement searching keys via keygrip.
* kbx/keybox-defs.h (struct _keybox_openpgp_key_info): Add field grip.
* kbx/keybox-openpgp.c (struct keyparm_s): New.
(keygrip_from_keyparm): New.
(parse_key): Compute keygrip.
* kbx/keybox-search.c (blob_openpgp_has_grip): New.
(has_keygrip): Call it.
--

This has been marked for too long as not yet working.  However, it is
a pretty useful feature and will come pretty handy when looking for
all keys matching one keygrip.

Can be optimized a lot by storing the keygrip in the meta data.  This
will be done along with the upgrade of KBX for v5 fingerprints.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c128667b3cba749dd14262e032d4c260a2b0acd3)
2019-01-29 20:19:22 +01:00
Werner Koch
b78f293cf0
common: Provide some convenient OpenPGP related constants.
* common/openpgpdefs.h (OPENPGP_MAX_NPKEY): New.
(OPENPGP_MAX_NSKEY): New.
(OPENPGP_MAX_NSIG): New.
(OPENPGP_MAX_NENC): New.
* g10/packet.h: Define PUBKEY_MAX using the new consts.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f382984966a31a4cbe572bce5370590c5490ed1e)
2019-01-29 20:18:52 +01:00
Werner Koch
dddbb26155
common: New helper functions for OpenPGP curve OIDs.
* common/openpgp-oid.c (openpgp_oidbuf_to_str): Factor most code out
to ...
(openpgp_oidbuf_to_str): new.
(openpgp_oidbuf_is_ed25519): New.
(openpgp_oidbuf_is_cv25519): New.
--

At some places it is more convenient (and faster) to directly work on
buffers and avoid the way via opaque MPIs.  These 3 new functions
allow for that.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 4a1558d0c7190cf13d35385e47291a7aa121be3e)
2019-01-29 20:17:29 +01:00
Werner Koch
9fd6ba268f
doc: Mark keyserver-options timeout and http-proxy as obsolete.
--

(cherry picked from commit 6c000d4b78b836686e5a2789cc88a41e465e4400)
2019-01-22 10:15:36 +01:00
Werner Koch
d4082ff430
scd: Add option --clear to PASSWD.
* scd/command.c (cmd_passwd): Add option --clear.
(send_status_printf): New.
* scd/app-common.h (APP_CHANGE_FLAG_CLEAR): New.
* scd/app-nks.c (do_change_pin): Return an error if that option is
used.
* scd/app-openpgp.c (do_change_pin): Ditto.
--

Card application may support this option to clear the PIN verification
status of a specific PIN.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 29929e65521279eabc98a67c766fe485057405a9)
2019-01-22 10:14:55 +01:00
Werner Koch
9309175de8
scd: One new and one improved 7816 function.
* scd/apdu.c (apdu_send_direct): New arg R_SW.
* scd/command.c (cmd_apdu): Ditto.
* scd/iso7816.c (iso7816_apdu_direct): New arg R_SW.
(iso7816_general_authenticate): New.
* scd/app-nks.c (get_chv_status, get_nks_version): Pass NULL for new
arg.
--

iso7816_general_authenticate will be used for the PIV card support.
The new arg to iso7816_apdu_direct and apdu_send_direct allows to get
the raw status word back without the need to handle an output buffer.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 70bb5c7931598590b1acfae90bf4657f5911d2d3)
2019-01-22 10:13:28 +01:00
Werner Koch
11a65159f9
ssh: Simplify the curve name lookup.
* agent/command-ssh.c (struct ssh_key_type_spec): Add field
alt_curve_name.
(ssh_key_types): Add some alternate curve names.
(ssh_identifier_from_curve_name): Lookup also bey alternative names
and return the canonical name.
(ssh_key_to_blob): Simplify the ECDSA case by using gcry_pk_get_curve
instead of the explicit mapping.
(ssh_receive_key): Likewise.  Use ssh_identifier_from_curve_name to
validate the curve name.  Remove the reverse mapping because since
GnuPG-2.2 Libgcrypt 1.7 is required.
(ssh_handler_request_identities): Log an error message.
--

This change will make it easier to support other curves, in particular
those from tokens.  Libgcrypt has a large list of alias names which we
now use to to make the mapping more flexible.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d93797c8a7892fe26672c551017468e9f8099ef6)
2019-01-22 10:13:04 +01:00
Werner Koch
f5d3b982e4
gpg: Stop early when trying to create a primary Elgamal key.
* g10/misc.c (openpgp_pk_test_algo2): Add extra check.
--

The problem is that --key-gen --batch with a parameter file didn't
detect that Elgamal is not capable of signing and so an error was only
triggered at the time the self-signature was created.  See the code
comment for details.

GnuPG-bug-id: 4329
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f97dc55ff1b041071bc3cbe98aa761bf77bb7ac8)
2019-01-22 10:08:06 +01:00
NIIBE Yutaka
9dc76d599c scd: Fix for USB INTERRUPT transfer.
* scd/ccid-driver.c (intr_cb): When LIBUSB_TRANSFER_NO_DEVICE,
just handle this event as failure.

--

Cherry-picked from master commit:

	5ab3bc422a5cc1a646c168b547f2b6538b3a4ffa

It used to try another interrupt transfer request to make sure
if it fails again.

GnuPG-bug-id: 4308
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2019-01-17 08:13:17 +09:00