1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-23 10:29:58 +01:00

8935 Commits

Author SHA1 Message Date
Werner Koch
73a98c1396
wkd: Bind the address to the nonce.
* tools/gpg-wks-server.c (make_pending_fname): New.
(store_key_as_pending, check_and_publish): Use here.
(process_new_key): Pass addrspec to store_key_as_pending.
(expire_one_domain): Expire also the new files.
--

Along with the pass traversal bug this enhancement was
Suggested-by: Philipp Breuch <pbreuch@mail.upb.de>
GnuPG-bug-id: 6098
2022-07-27 11:44:44 +02:00
Ingo Klöcker
22e8dc7927
dirmngr: Ask keyservers to provide the key fingerprints
* dirmngr/ks-engine-hkp.c (ks_hkp_search): Add "fingerprint=on" to
request URL.
--

Some keyservers, e.g. keyserver.ubuntu.com (Hockeypuck), do not
provide the key fingerprints by default. Therefore, we ask for the
fingerprints explicitly.

GnuPG-bug-id: 5741
(cherry picked from commit c7fa4c7f8bf375e3739ef8361f38b6b31113b8bf)
2022-07-26 09:46:15 +02:00
Ingo Klöcker
ee8f1c10a7
gpg: Request keygrip of key to add via command interface
* g10/keygen.c (ask_algo): Request keygrip via cpr_get.
* doc/help.txt (gpg.keygen.keygrip): New help text.
--

This change makes it possible to add an existing (sub)key to
another key via the status/command interface.

GnuPG-bug-id: 5771
(cherry picked from commit 19b1a28621c614b81f596e363b1ce49dd9fae115)
2022-07-25 15:17:42 +02:00
Werner Koch
c1489ca0e1
wkd: Fix path traversal attack on gpg-wks-server.
* tools/gpg-wks-server.c (check_and_publish): Check for invalid
characters in sender controlled data.
* tools/wks-util.c (wks_fname_from_userid): Ditto.
(wks_compute_hu_fname): Ditto.
(ensure_policy_file): Ditto.
2022-07-25 14:50:15 +02:00
NIIBE Yutaka
8c9f879d4a scd:openpgp: Fix workaround for Yubikey heuristics.
* scd/app-openpgp.c (parse_algorithm_attribute): Handle the case
of firmware 5.4, too.

--

Cherry-picked master commit of:
	f34b9147eb3070bce80d53febaa564164cd6c977

GnuPG-bug-id: 6070
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-07-13 10:53:56 +09:00
NIIBE Yutaka
225c66f13b scd: Fail when no good algorithm attribute.
* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
(change_keyattr): Follow the change.
(app_select_openpgp): Handle the error of parse_algorithm_attribute.

--

Backport master commit of:
	53eddf9b9ea01210f71b851b5cb92a5f1cdb6f7d

This change allows following invocation of app_select_openpgp, which
may work well (if the problem is device side for initial connection).

GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-07-13 09:47:32 +09:00
NIIBE Yutaka
07e43eda8d scd: Don't inhibit SSH authentication for larger data if it can.
* scd/app-openpgp.c (do_auth): Use command chaining if available.

--

Cherry-picked from master branch of:
	e8fb8e2b3e66d5ea8a3dc90afdc14611abf2c3da

GnuPG-bug-id: 5935
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-07-12 16:11:08 +09:00
Werner Koch
3777bc6528
Post release updates
--
2022-07-06 20:17:29 +02:00
Werner Koch
491645b50e
Release 2.3.36 gnupg-2.2.36 2022-07-06 19:29:56 +02:00
Werner Koch
f357a5f239
gpgconf: New short options -V and -X
* tools/gpgconf.c: Assign short options -X and -V
(show_version_gnupg): Print the vsd version if available.
--

These changes are helpful for phone support.
2022-06-29 13:17:35 +02:00
NIIBE Yutaka
9e2307ddf0 agent: Flush before calling ftruncate.
* agent/findkey.c (write_extended_private_key): Make sure
it is flushed out.

--

Cherry-picked from master commit of:
	99d2931887e5ba0db9007024b3420b110603d5be

GnuPG-bug-id: 6035
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-06-24 08:41:10 +09:00
Werner Koch
4c14bbf56f
sm: Update pkcs#12 module from master
* sm/minip12.c: Update from master.
* sm/import.c (parse_p12): Pass NULL for curve.
--

Over the last years we had a couple of changes not backported to 2.2.
However, to support DFN p12 files and probably other p12 files we need
to update the minip12.c module.  Instead of picking commits we take
the module verbatim, which is relatively easy because it was
originally designed to be a standalone module.

Summary of commits taken from master:

  sm: Improve pkcs#12 debug output.
  sm: Rework the PKCS#12 parser to support DFN issued keys.
  sm: Fix parsing encrypted data.
  sm: Do not print certain issuer not found diags in quiet mode.
  sm: Silence some output on --quiet
  sm: Replace all assert calls by log_assert.
  doc: Typo fixes in code comments
  sm: Add support to export ECC private keys.

Detailed log messages for those commits:

  commit 52f9e13c0cb3b42c469e2d00352ab36948ca1e55

    sm: Improve pkcs#12 debug output.

    * sm/minip12.c (parse_shrouded_key_bag): Fix offset diagnostic.
    (parse_cert_bag): Ditto.
    (parse_bag_data): Remove debug output.  Pass startoffset.
    Fix offset diagnostic.

  commit a4e04375e84ecb7ea0d02e153cb27988fca4c2d0

    sm: Rework the PKCS#12 parser to support DFN issued keys.

    * sm/minip12.c (struct p12_parse_ctx_s): New.  Use this instead of
    passing several parameters to most functions.
    (parse_pag_data): Factor things out to  ...
    parse_shrouded_key_bag): new.
    (parse_cert_bag): New.
    (parse_bag_data): New.
    (p12_parse): Setup the parse context.

    To support newer pkcs#12 files like those issued by the DFN we
    need to support another ordering of data elements.  This rework
    reflects the P12 data structure a bit better than our old ad-hoc
    hacks.  Tests could only be done with the certificate parts and
    not the encrypted private keys.

GnuPG-bug-id: 6037

  commit 6c50834c0905b55ee2da18728194dd4c93c377bf

    sm: Fix parsing encrypted data.

    * sm/minip12.c (cram_octet_string): Finish when N==0.
    (parse_bag_encrypted_data): Support constructed data with multiple
    octet strings.

GnuPG-bug-id: 5793

  commit a170f0e73f38e474b6d4463433fe344eca865fa5

    sm: Do not print certain issuer not found diags in quiet mode.

    * sm/certchain.c (find_up_dirmngr): Print one diagnostic only in
    verbose mode.  Do not print issuer not found diags in quiet mode.
    * sm/minip12.c (parse_bag_data): Add missing verbose condition.

GnuPG-bug-id: 4757

  commit 615d2e4fb15859320ea0ebec1bb457c692c57f0a

    sm: Silence some output on --quiet

    * sm/encrypt.c (gpgsm_encrypt): Take care of --quiet.
    * sm/gpgsm.c: Include minip12.h.
    (set_debug): Call p12_set_verbosity.
    * sm/import.c (parse_p12): Dump keygrip only in debug mode.
    * sm/minip12.c (opt_verbose, p12_set_verbosity): New.
    (parse_bag_encrypted_data): Print info messages only in verbose
    mode.

GnuPG-bug-id: 4757

  commit 9ee975d588ee99550917e3d459dd6f79057f5c30

    gpgsm: Replace all assert calls by log_assert.

  commit 9bc9d0818b0e636a9dbc0dd24edf53eae95dd8e7

    doc: Typo fixes in code comments

  commit 5da6925a334c68d736804d8f19a684a678409d99

    sm: Add support to export ECC private keys.

    * sm/minip12.c [TEST]: Remove test code.  Include util.h, tlv.h. and
    openpgpdefs.h.  Remove the class and tag constants and replace
    them by those from tlv.h.
    (builder_add_oid, builder_add_mpi): New.
    (build_key_sequence): Rename to ...
    (build_rsa_key_sequence): this.
    (build_ecc_key_sequence): New.
    (p12_build): Call RSA or ECC builder.
    (p12_raw_build): Ditto.
    * sm/export.c (gpgsm_p12_export): Use correct armor header for ECC.
    (sexp_to_kparms): Support ECC.

GnuPG-bug-id: 4921
2022-06-21 18:22:14 +02:00
Werner Koch
d21ced1e35
common: Add an easy to use DER builder.
* common/tlv-builder.c: New.
* common/tlv.c: Remove stuff only used by GnuPG 1.
(put_tlv_to_membuf, get_tlv_length): Move to ...
* common/tlv-builder.c: here.
* common/tlv.h (tlv_builder_t): New.
--

Such code should actually go into libksba and we will eventually do
that.  However, for now it is easier to keep it here.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 5ea878274ef51c819368f021c69c518b9aef6f82)

- Add coverity meta comment from
  commit a95ddffdcd58383cce93677be5e7e11c5c229a98
2022-06-20 15:54:29 +02:00
Werner Koch
7b1db7192e
g10: Fix garbled status messages in NOTATION_DATA
* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--

Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong.  Fixed by always using a break to
terminate the escape detection loop.  Might have happened for all
status lines which may wrap.

GnuPG-bug-id: T6027
2022-06-14 11:39:31 +02:00
NIIBE Yutaka
aeee62593a agent,scd: Make sure to set CONFIDENTIAL flag in Assuan.
* agent/call-scd.c (inq_needpin): Call assuan_begin_confidential
and assuan_end_confidential, and wipe the memory after use.
* agent/command.c (cmd_preset_passphrase): Likewise.
* scd/command.c (pin_cb): Likewise.

--

Backport the change of master commit of:
	052f58422dca1044aba7acb4cf57416e7a8cb01f

GnuPG-bug-id: 5977
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-06-09 14:28:08 +09:00
Werner Koch
cc1d475f98
dirmngr,w32: Silence compiler warnings for the LDAP API.
--
2022-06-03 15:36:58 +02:00
Werner Koch
dfc01118ce
w32: Avoid warning about not including winsock2.h after windows.h
* common/dynload.h: Include winsock2.h first.
2022-06-03 15:00:20 +02:00
Werner Koch
10db566489
w32: Allow Unicode filenames for iobuf_cancel.
* common/iobuf.c (iobuf_cancel): Use gnupg_remove
* common/mischelp.c (same_file_p): Allow for Unicode names.
--

Note that the second patch is used to handle Unicode filenames which
are symbolic links.
2022-06-03 11:19:09 +02:00
Werner Koch
e3db6c74a6
scd:p15: Fix accidental commit of debug code
* scd/app-p15.c (do_sign): Revert MSE setting.
--

Fixes-commit: 91acbdc93c8a6ae06b483a27c8bb7c33a978108d
2022-06-01 12:19:56 +02:00
Werner Koch
62becf599e
scd: Shorten cardio debug output for all zeroes.
* scd/apdu.c (all_zero_p): New.
(send_le): Use it.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 9b6f574928546e6905a92c3e74d72478f1585c66)
2022-06-01 12:07:05 +02:00
NIIBE Yutaka
7bc794c311 scd: Fix use of SCardListReaders for PC/SC.
* scd/apdu.c (open_pcsc_reader): Initialize NREADER.

--

Backport master commit of:
	1b1684cf6192d9edb90a54ebe4a0e66b3d59a44b

Reported-by: Ludovic Rousseau
GnuPG-bug-id: 5979
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-17 10:25:34 +09:00
NIIBE Yutaka
a5217c9000 scd: Add workaround for ECC attribute on Yubikey.
* scd/app-openpgp.c (parse_algorithm_attribute): Skip possibly bogus
octet in a key attribute.

--

Apply master commit of:
	054d14887ef8fa1cbadef4ed2ea28213f25f5d25

GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-10 14:21:09 +09:00
Werner Koch
91acbdc93c
scd:p15: Improve the displayed S/N for Technology Nexus cards.
* scd/app-p15.c (any_control_or_space_mem): New.
(get_dispserialno): Add new code.
--

This works with my test cards and now reflects what's printed on the
front matter of the card.
2022-05-06 11:37:47 +02:00
Werner Koch
8efe738c4a
scd:p15: Fix the the sanity check of the displayed S/N.
* scd/app-p15.c (any_control_or_space): Fix loop.
--

This check is only done to avoid printing wrongly encoded S/N for
human consumption.
e
2022-05-06 11:35:02 +02:00
Werner Koch
7f029eef6c
scd:p15: Fix reading certificates without length info.
* scd/app-p15.c (readcert_by_cdf): Do not use extended mode if the CDF
object has no length info.  Add debug output when reading a cert.
(read_p15_info): No more need to disable extended mode for GeNUA cards.
2022-05-05 14:12:50 +02:00
Werner Koch
d60f930d9b
scd: New debug flags "card".
* scd/scdaemon.c (debug_flags): Add "card".
* scd/scdaemon.h (DBG_CARD_VALUE, DBG_CARD): New.
--

Some information from parsing the card are often very helpful.
However, the card_io triggered APDU dumps are in most cases too heavy.
Thus this new debug flag.
2022-05-05 14:12:23 +02:00
Werner Koch
36a5509e11
gpg: Minor robustness fix.
* g10/parse-packet.c (mpi_read_detect_0_removal): Protect agains
failed gcry_mpi_scan.
--

Fixes-commit: 3fcef7371480cce392d690897d42955f1b19c12a
2022-05-05 14:02:02 +02:00
NIIBE Yutaka
06e82e997a tests: Add a test for Ed25519 keys for non-protected secret.
* tests/openpgp/issue5120.scm: New.

--

Applied the master commit of:
	602c37ac0678d690a5b68d6c1749b8daa3d5f328

GnuPG-bug-id: 5120, 5953
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-05-02 10:41:15 +09:00
NIIBE Yutaka
3fcef73714 gpg: Handle leading-zeros private key for Ed25519.
* g10/parse-packet.c (mpi_read_detect_0_removal): New.
(parse_key): Use mpi_read_detect_0_removal for PUBKEY_ALGO_EDDSA
to tweak the checksum.

--

GnuPG-bug-id: 5120
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-04-28 15:12:01 +09:00
NIIBE Yutaka
3192939a10 Revert "gpg: Accept Ed25519 private key in SOS which reserves leading zeros."
This reverts commit 14de7b1e5904e78fcbe413a82d0f19b750bd8830.
2022-04-28 11:09:44 +09:00
bobwxc
e5c6ead817 po: Update Simplified Chinese Translation.
--

Reviewed-by: NIIBE Yutaka <gniibe@fsij.org>
Signed-off-by: bobwxc <bobwxc@yeah.net>
2022-04-28 09:49:38 +09:00
Werner Koch
740c02f33a
Post release updates
--

This also includes a speedo update for the Scute based authenticode
thing which has been manually added to speedo.mk at the end of the
release process of 2.2.35.
2022-04-25 19:05:15 +02:00
Werner Koch
f7bc6f5049
Release 2.2.35 gnupg-2.2.35 2022-04-25 18:07:53 +02:00
Werner Koch
47ee0101dd
po: Fix a fuzzy in the German translation
--
2022-04-25 18:05:53 +02:00
Werner Koch
fd93b1a48f
po: Auto update
--
2022-04-25 18:04:21 +02:00
Werner Koch
86d84464ae
gpg: Avoid NULL ptr access due to corrupted packets.
* g10/parse-packet.c (parse_signature): Do not create an opaque MPI
with NULL and length > 0
(parse_key): Ditto.
--

GnuPG-bug-id: 5940, 5946
2022-04-25 15:29:11 +02:00
NIIBE Yutaka
9c0a24b4a5
agent: Not writing password into file.
* agent/genkey.c (do_check_passphrase_pattern): Use stream to invoke
pattern check program.

--

GnuPG-bug-id: 5917
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-04-25 11:45:12 +02:00
Werner Koch
f021ecd576
gpg: Emit an ERROR status as hint for a bad passphrase.
* g10/mainproc.c (proc_symkey_enc): Issue new error code.
(proc_encrypted): Ditto.
--

This allows GPGME to return a better error message than "bad session
key" to the user.  Technically we could get run into these errors also
in other cases but this more unlikley.  For the command line use we
don't do anything to not change the expected output of the command
line interface.

GnuPG-bug-id: 5943
2022-04-25 11:18:40 +02:00
Werner Koch
24ab4f933f
po: Update German translation
--
2022-04-20 09:26:32 +02:00
Werner Koch
a5faaf8bee
w32: Do no use Registry item DefaultLogFile for the main tools.
* g10/gpg.c (main): Set LOG_NO_REGISTRY.
* sm/gpgsm.c (main): Ditto.
* tools/gpg-connect-agent.c (main): Ditto.
* tools/gpgconf.c (main): Ditto.
(show_other_registry_entries): Print "DefaultLogFile".
--

The intention of this mostly forgotten registry entry was to allow for
easy debugging of the tools.  However, with the global config
files (and in 2.3 with common.conf) things are anyway better.  We
disable the use for the commonly used tools so that it does not look
like calling gpg on the command line seems to block with no output if
the log server (e.g. tcp://1.2.3.4:11111) is not reachable.
2022-04-20 09:20:35 +02:00
Werner Koch
74f9e3e6c4
Prepare NEWS for the next release
--
2022-04-14 15:44:12 +02:00
Werner Koch
c8c71fc716
gpg: Replace an assert by a log_fatal.
* g10/build-packet.c (do_signature): Use log_fatal.
--
GnuPG-bug-id: 5809
2022-04-14 13:53:55 +02:00
Werner Koch
58532fe56c
scd: Minor code reorganization
* scd/ccid-driver.c: Move struct defines to the top.
(MAX_DEVICE): Rename to CCID_MAX_DEVICE.
2022-04-14 10:25:15 +02:00
Werner Koch
c4b14be48f
scd: Fix memory leak in ccid-driver.
* scd/ccid-driver.c (ccid_dev_scan): Use loop var and not the count.
--

Due to an assignment out of bounds this might lead to a crash if there
are more than 15 readers.  In any case it fixes a memory leak.
Kudos to the friendly auditor who found that bug.

Fixes-commit: 8a41e73c31adb86d4a7dca4da695e5ad1347811f
2022-04-14 10:17:28 +02:00
Werner Koch
e99670f944
scd:p15: Improve the PIN prompt for Genua cards.
* scd/app-p15.c (CARD_PRODUCT_GENUA): New.
(cardproduct2str): Add it.
(read_p15_info): Detect and set GENUA
(make_pin_prompt): Take holder string from the AODF.
2022-04-13 13:58:37 +02:00
Werner Koch
44ec383cde
scd:p15: Support for GeNUA cards.
* scd/app-p15.c (read_p15_info): Disable extended mode for Genua
cards.
2022-04-13 13:58:26 +02:00
Werner Koch
29fd805818
scd:p15: Prepare AODF parsing for other authentication types.
* scd/app-p15.c (auth_type_t): New.
(struct aodf_object_s): Add field auth_type.
(read_ef_aodf): Distinguish between pin and authkey types.  Include
the authtype in the verbose mode diags.
--

Note that the bulk of changes are just indentation changes.  There
should be no functional change.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e387cc97c82313457e4f79729a137e5871891bc1)
2022-04-13 13:56:58 +02:00
Werner Koch
80cf64c651
scd:p15: Add basic support for AET JCOP cards.
* scd/app-p15.c (CARD_TYPE_AET): New.
(cardtype2str): Add string.
(card_atr_list): Add corresponding ATR.
(app_local_s): New flag no_extended_mode.  Turn two other flags into
bit flags.
(select_ef_by_path): Hack to handle the 3FFF thing.
(readcert_by_cdf): Do not use extended mode for AET.
(app_select_p15): Set no_extended_mode.
---
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 544ec7872aed24c296ea34fac777eca287f7bb47)
2022-04-13 13:32:09 +02:00
NIIBE Yutaka
d9a8d3353a common,unix: Backport dotlock changes from GnuPG 2.3.
* common/dotlock.c (read_lockfile): Return FD in R_FD.
(dotlock_take_unix): Fix a race condition by new read_lockfile and
checking with fstat.  Describe one race condition in comment.
(dotlock_release_unix): Follow the change of read_lockfile.

--

GnuPG-bug-id: 5884
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-03-29 11:24:23 +09:00
Werner Koch
3b251c8366
dirmngr: Escape more characters in WKD requests.
* dirmngr/server.c (proc_wkd_get): Also escape '#' and '+'
--
GnuPG-bug-id: 5902
2022-03-28 16:13:52 +02:00