1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-25 10:49:57 +01:00

8963 Commits

Author SHA1 Message Date
Werner Koch
a974d8aefa
scd:nks: Fix remaining tries warning in --reset mode.
* scd/app-nks.c (do_change_pin): Change computation of 'remaining'.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 2429e8559844e27de478d7e90834a714b3748834
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
60ba61e78e
scd:nks: Add framework to support IDKey cards.
* scd/app-nks.c (NKS_APP_IDLM): New.
(struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
(do_learn_status): Always send CHV-STATUS.
(find_fid_by_keyref): Basic support for IDLM only use.
(do_learn_status_core): Ditto.
(do_readcert): Ditto.
(verify_pin): Ditto.
(parse_pwidstr): Ditto.
(do_with_keygrip): Ditto.
(switch_application): Ditto.
(app_select_nks): Fallback to IDLM.
--

Backported-from-master: 1f6a39092fe4b5f02bc4741a0a23d102d30f4063
GnuPG-bug-id: 6252

Also not directly required for the Signature Card 2.0, it is easier to
port this patch as well.
2022-10-20 12:22:07 +02:00
Werner Koch
a83281176c
scd:nks: Get the PIN prompts right for the Signature Card
* scd/app-nks.c (get_dispserialno): Move more to the top.
(do_getattr): Add $DISPSERIALNO and SERIALNO.  Make CHV-STATUS work
with NKS15.
(verify_pin): Use dedicated min. PIN lengths.
(parse_pwidstr): Support NKS15
--

GnuPG-bug-id: 4938
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit aecc008acb64ebbb6c667c4a128af4e61da57f84)
2022-10-20 12:22:07 +02:00
Werner Koch
bbef2d1790
scd:nks: Support decryption using ECDH.
* scd/app-nks.c (struct fid_cache_s): Add field 'algo'.
(keygripstr_from_pk_file): Add arg 'r_algo' to return the algo.
(find_fid_by_keyref): Ditto.
(get_dispserialno): New.
(make_prompt): New.
(verify_pin): Provide better prompts.
(do_decipher): Support ECDH.
(parse_pwidstr): Add hack tospecify any pwid..
(do_change_pin): Support Signature Card V2.0 (NKS15) style NullPIN.
Provide a better prompt.
--

GnuPG-bug-id: 4938, 6252
Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: af45d884aa1c3eccbc6972a2e5197ece3fd1987a
2022-10-20 12:22:07 +02:00
Werner Koch
f5e0469d6e
scd:nks: Add do_with_keygrip and implement a cache.
* scd/app-nks.c (struct fid_cache_s): New.
(struct app_local_s): Add field 'fid_cache'.
(do_deinit): Release the cache.
(keygripstr_from_pk_file): Implement the cache.
(find_fid_by_keyref): New
(do_sign, do_decipher): Use new function.
(do_with_keygrip): New.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
Backported-from-master: 1e72a1a218490c0fc07811a02ddad6cc38913f77
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
Werner Koch
471e610fcd
scd:nks: Allow retrieving certificates from a Signature Card v.20
* scd/app-nks.c: Major rework to support non-RSA cards.
--

This is a fist step so support this ECC card.  The code has been
reworked while taking care that old cards should keep on working.

Signed-off-by: Werner Koch <wk@gnupg.org>

Backported-from-master: f05a32e5c9db7d0840c74fccc350a9e0ff5fb819
GnuPG-bug-id: 6252
2022-10-20 12:22:07 +02:00
NIIBE Yutaka
256b3c0578
gpg: Move NETLIBS after GPG_ERROR_LIBS (another).
* g10/Makefile.am (t_keydb_LDADD): Add NETLIBS after GPG_ERROR_LIBS.

--

Fixes-commit: b26bb03ed96f380ad603f7ad902862625233c931
GnuPG-bug-id: 6244
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-18 10:24:54 +09:00
NIIBE Yutaka
a5c3821664
dirmngr: Fix build with no LDAP support.
* dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize.

--

Cherry-pick master commit of:
	7011286ce6e1fb56c2989fdafbd11b931c489faa

GnuPG-bug-id: 6239
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-18 10:16:11 +09:00
NIIBE Yutaka
b26bb03ed9
gpg: Move NETLIBS after GPG_ERROR_LIBS.
* g10/Makefile.am (LDADD): Remove NETLIBS.
(gpg_LDADD, gpgv_LDADD): Add NETLIBS after GPG_ERROR_LIBS.
(gpgcompose_LDADD, t_keydb_get_keyblock_LDADD): Likewise.
(t_stutter_LDADD): Likewise.

--

GnuPG-bug-id: 6244
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-18 10:08:20 +09:00
NIIBE Yutaka
6f0066db2c
gpg: Report an error for receiving key from agent.
* g10/export.c (do_export_one_keyblock): Report an error.

--

GnuPG-bug-id: 5151
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-10-13 18:35:34 +02:00
Werner Koch
70ec346fb4
Post release updates
--

Also switch speedo to use https instead of ftp for download.
2022-10-13 17:02:47 +02:00
Werner Koch
2e9f8a511d
Release 2.2.40 gnupg-2.2.40 2022-10-10 12:32:35 +02:00
Werner Koch
21db05100d
po: Auto update
--
2022-10-10 11:53:14 +02:00
Werner Koch
5df1c247be
gpg: For de-vs use AES-128 instead of 3DES as implicit preference.
* g10/pkclist.c (select_algo_from_prefs): Change implicit cipher
algorithm.
--

Although 3DES is still a compliant algorithm, some other software does
not consider it has compliant but also does not set preference
accordingly.  Thus it is better to switch the implicit cipher algorithm
similar to what we already did with SHA-1.

Note that in GnuPG 2.3 3DES is already not anymore used here.

GnuPG-bug-id: 6063
2022-10-10 11:22:57 +02:00
Ingo Klöcker
94092793f6
sm: Fix reporting of bad passphrase error
* sm/minip12.c (p12_parse): Set badpass flag to result in ctx.
--

Fixes-commit: 4c14bbf56fb544541bd65f9d6e6e0b81779dcab6
GnuPG-bug-id: 5713, 6037
(cherry picked from commit a47b3a4087349f3873eb04a83dc2a0f512cacf86)
2022-10-10 09:17:10 +02:00
Werner Koch
cd020284c9
wkd: Implement --blacklist option for gpg-wks-client
* tools/gpg-wks-client.c (blacklist_array, blacklist_array_len): New.
(parse_arguments): Install blacklist.
(read_file): New.
(cmp_blacklist, add_blacklist, is_in_blacklist): New.
(mirror_one_key): Check list.
* tools/gpg-wks.h (opt): Remove field blacklist.
--

GnuPG-bug-id: 6224
(cherry picked from commit b0b4e24c4fa80c10d310a229f5a0c65a57ad9393)
2022-10-07 17:44:44 +02:00
Werner Koch
88042821d8
wkd: Restrict gpg-wks-client --mirror to the given domains.
* tools/gpg-wks-client.c (domain_matches_mbox): New.
(mirror_one_key): Skip non-matching domains.
(command_mirror): Change args to allow for several domains.
--

Although dirmngr returns only the keys matching a certain domain,
those keys still may have user ids from other domains.  Now we publish
only the user-ids as specified on the command line.

GnuPG-bug-id: T6224
(cherry picked from commit 0a151548b623813d48516a4629b7c3884875a384)
2022-10-07 17:44:16 +02:00
Werner Koch
b18b9b972e
wkd: Silence gpg-wks-client diagnostics from gpg.
* tools/gpg-wks-client.c (add_user_id): PAss --quiet to gpg unless we
are running in double verbose mode.
(decrypt_stream): Ditto
(encrypt_response): Ditto.
(mirror_one_keys_userid): Ditto.
* tools/wks-util.c (wks_get_key): Ditto.
(wks_list_key): Ditto.
(wks_filter_uid): Ditto.

(cherry picked from commit 4364283f757fceab454d48d461a9f88c31247a07)
2022-10-07 17:43:58 +02:00
Werner Koch
a946343f14
wkd: New command --mirror for gpg-wks-client.
* tools/gpg-wks-client.c (aMirror,oBlacklist,oNoAutostart): New.
(opts): Add --mirror, --no-autostart, and --blacklist.
(parse_arguments): Parse new options.
(main): Implement aMirror.
(mirror_one_key_parm): New.
(mirror_one_keys_userid, mirror_one_key): New.
(command_mirror): New.

* tools/gpg-wks.h (struct uidinfo_list_s): Add fields flags.
* tools/wks-util.c (wks_cmd_install_key): Factor some code out to ...
(wks_install_key_core): new.

* tools/call-dirmngr.c (wkd_dirmngr_ks_get): New.
--

This implements the basic LDAP to WKD mirroring.  The blacklist
option and domain restrictions are not yet fully implemented.

Take care: In OpenLDAP you may need to increase the paged result limit
by using a configuration like:

  dn: olcDatabase={1}mdb,cn=config
  changetype: modify
  replace: olcLimits
  olcLimits: dn.subtree="dc=example,dc=org" size.prtotal=unlimited

GnuPG-bug-id: 6224
Backported-from-master: 7ccd489aa2e5c5ef6c4554c9f04dd74394b43409
2022-10-07 17:42:25 +02:00
Werner Koch
c300253181
common: Protect against a theoretical integer overflow in tlv.c
* common/tlv.c (parse_ber_header): Protect agains integer overflow.
--

Although there is no concrete case where we use the (nhdr + length),
it is better to protect against this already here.
2022-10-07 14:21:20 +02:00
Werner Koch
a70a3204c2
dirmngr: Support paged LDAP mode for KS_GET
* dirmngr/ks-engine-ldap.c (PAGE_SIZE): New.
(struct ks_engine_ldap_local_s): Add several new fields.
(ks_ldap_clear_state): Release them.
(search_and_parse): Factored out from ks_ldap_get and extended to
support the paged mode.
(ks_ldap_get):  Implement the pages mode for --first and --next.
* dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first
mode.
* dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS.
--

The paged mode allows to retrieve more items than the servers usually
limit (e.g. 1000 for an LDS).  This patch also allows to use --first
without a patter to retrieve all keyblocks (except for disabled and
revoked keys).

GnuPG-bug-id: 6224
Backported-from-master: 7a01e806eac4cd7a65eaf3e17dcd2f117ec2d327
2022-10-07 13:54:34 +02:00
Werner Koch
20cb9319d9
dirmngr: New options --first and --next for KS_GET.
* dirmngr/server.c (cmd_ks_get): Add option --first and --next.
(start_command_handler): Free that new ldap state.
* dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New.
(ks_ldap_new_state, ks_ldap_clear_state): New.
(ks_ldap_free_state): New.
(return_one_keyblock): New.  Mostly factored out from ....
(ks_ldap_get): here.  Implement --first/--next feature.

* dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to
ks_get_flags.
* dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New.
(KS_GET_FLAG_FIRST): New.
(KS_GET_FLAG_NEXT): New.

* dirmngr/dirmngr.h (struct server_control_s): Add member
ks_get_state.
(struct ks_engine_ldap_local_s): New forward reference.
--

This feature allows to fetch keyblock by keyblock from an LDAP server.
This way tools can process and maybe filter each keyblock in a more
flexible way.  Here is an example where two keyblocks for one mail
address are returned:

  $ gpg-connect-agent --dirmngr
  > ks_get --ldap --first  <foo@example.org>
  [... First keyblock is returned ]
  OK
  > ks_get --next
  [ ... Next keyblock is returned ]
  OK
  > ks_get --next
  ERR 167772218 No data <Dirmngr>

GnuPG_bug_id: 6224
Backported-from-master: 4de98d4468f37bfb8352426830d5d5642ded7536
2022-10-07 13:49:55 +02:00
Werner Koch
2b2f8a1a0c
gpg: Show just keyserver and port with --send-keys.
* g10/call-dirmngr.c (ks_status_cb): Mangle the keyserver url
2022-10-07 13:37:09 +02:00
Werner Koch
4cf8dc2d96
dirmngr: Minor fix for baseDN fallback.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data
behind the EOS.
(interrogate_ldap_dn): Stylistic change.
--

This also updates the my_ldap_connect description.

GnuPG-bug-id: 6047
(cherry picked from commit 11aa5a93a754fe978d0f35d7fbeb4767b6b6df05)
2022-10-07 13:35:21 +02:00
NIIBE Yutaka
73cc5e073c
dirnmgr: Fix the function prototype.
* dirmngr/ldap-wrapper.c (ldap_wrapper_wait_connections): It's with
no arguments.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 530d709607e54465ce47c1fc7d2554ea3b0bea6b)
2022-10-07 13:22:03 +02:00
NIIBE Yutaka
98fbac6141
dirmngr: Change interrogate_ldap_dn for better memory semantics.
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): Return BASEDN found,
memory allocated.
(my_ldap_connect): Follow the change, removing needless allocation.

--

GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 4b2066afb4988c32a030330acf51b7b0dc190041)
2022-10-07 13:21:37 +02:00
Joey Berkovitz
5516f92224
dirmngr: Interrogate LDAP server when base DN specified.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): interrogate LDAP
server when basedn specified.

--

GnuPG-bug-id: 6047
Signed-off-by: Joey Berkovitz <joeyberkovitz@gmail.com>
(cherry picked from commit 3257385378bb3f19ebf089538f0efe2154487989)
2022-10-07 13:21:20 +02:00
Werner Koch
615c9717c1
dirmngr: Support gpgMailbox for mode MAILSUB and MAILEND.
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Use gpgMailbox if
server supports this.
2022-10-07 13:19:10 +02:00
Werner Koch
44960e702e
dirmngr: Factor out interrogate_ldap_dn function.
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New.
--

GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
Backported-from-master: 993820c315216584e23d36299920007abfeb3a32
2022-10-07 13:16:57 +02:00
Werner Koch
fe7114ebf3
po: Fix wrong LF in the German translation
--

Reported-by: mario.haustein@hrz.tu-chemnitz.de

Also fix one typo
2022-10-07 11:53:42 +02:00
Werner Koch
07c6743148
gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant.
* g10/encrypt.c (check_encryption_compliance): Check gcrypt compliance
before emitting an ENCRYPTION_COMPLIANCE_MODE status.
--

GnuPG-bug-id: 6221
2022-09-29 14:15:47 +02:00
Werner Koch
d7a0df4478
doc: Typo fix in a comment.
--
2022-09-28 15:41:16 +02:00
Werner Koch
32ce7ac0c6
dirmngr: Fix lost flags during LDAP upload
* dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const.
Use strtokenize instead of strtok style parsing.
--

This fixes a problem with resulted in a General Error for the second
key to be uploaded in the same session.  But only if the colon format
to specify a keyserver with flags was used.
2022-09-28 15:40:22 +02:00
Werner Koch
6300035ba1
dirmngr: New server flag "areconly" (A-record-only)
* dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly"
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
* dirmngr/dirmngr_ldap.c: Add option --areconly
(connect_ldap): Implement option.
* dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.
--

This flag is used to pass the Windows specific option
LDAP_OPT_AREC_EXCLUSIVE.  It is ignored on other systems.

Signed-off-by: Werner Koch <wk@gnupg.org>
2022-09-28 09:43:25 +02:00
Werner Koch
05b7e4a405
gpg: Don't consider unknown keys as non-compliant while decrypting.
* g10/mainproc.c (proc_encrypted):  Change compliance logic.
--

For the description of the proplem see
  https://dev.gnupg.org/T6205#163306

GnuPG-bug-id: 6205
2022-09-22 10:25:36 +02:00
Werner Koch
289fbc550d
dirmngr: Fix CRL DP error fallback to other schemes.
* dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
Remove the unused issuername_uri stuff.
--

It is quite common that LDAP servers are blocked and thuis the HTTP
access point should be used instead.  This worked well for
certificates where the DP are given in this form:

        crlDP: ldap://x500.bund.de/[...]
               http://x500.bund.de/[...]
               issuer: none

but it failed for this form

        crlDP: ldap://x500.bund.de/[...]
               issuer: none
        crlDP: http://x500.bund.de/[...]
               issuer: none

because the LAST_ERR thing terminated the outer loop.  This pacth
fixes this and also cleans up the code to be more robust.

Note that the common workaround of using --ignore-ldap-dp will now
only be needed if the firewall uses packet dropping instead of proper
ICMP rejects.
2022-09-16 16:54:39 +02:00
NIIBE Yutaka
ed1264e74b
build: Update gpg-error.m4.
* m4/gpg-error.m4: Update from libgpg-error.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-15 11:57:33 +09:00
Werner Koch
268e876ee2
Post release updates
--
2022-09-02 15:40:09 +02:00
Werner Koch
7c2078a680
Release 2.2.39 gnupg-2.2.39 2022-09-02 14:48:56 +02:00
Werner Koch
fc99ff8aff
speedo: Authenticode sign two more tools.
--
2022-09-02 12:05:26 +02:00
Werner Koch
8c22b00268
common: Make nvc_lookup more robust.
* common/name-value.c (nvc_first): Allow for NULL arg.
(nvc_lookup): Allow for PK being NULL.
--

GnuPG-bug-id: 6176
2022-09-01 17:35:41 +02:00
Werner Koch
9eb03b722c
Post release updates
--
2022-09-01 13:35:39 +02:00
Werner Koch
0b786fde77
Release 2.2.38 gnupg-2.2.38 2022-09-01 12:05:21 +02:00
NIIBE Yutaka
d1490c6df9 po: Update Japanese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-09-01 14:53:44 +09:00
Werner Koch
ea34325c54
dirmngr: New option --debug-cache-expired-certs.
* dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs:
* dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
(opts): Add option.
(parse_rereadable_options): Set option.
* dirmngr/certcache.c (put_cert): Handle the option.
2022-08-31 18:13:25 +02:00
Werner Koch
a95a31cd2f
gpg: Add descriptions for --auto-key-import and --include-key-import
--

Actually we once had them but they got lost at some point.  The German
translation is also up-to-date now.
2022-08-31 18:06:16 +02:00
Werner Koch
0b91fa0f13
common,w32: Fix an encoding problem of the printed timezone.
* common/gettime.c (w32_strftime) [W32]: New function.
(strftime) [W32]: New refinition macro.
--

GnuPG-bug-id: 5073
2022-08-31 17:32:45 +02:00
Werner Koch
e05fb5ca37
gpg: Emit STATUS_FAILURE for --require-compliance errors
* g10/misc.c (compliance_failure): Do not fallback to CO_GNUPG.  Print
compliance failure error and status for CO_DE_VS.
* g10/mainproc.c (proc_encrypted): Call compliance_failure in the
require-compliance error case.
* g10/encrypt.c (check_encryption_compliance): Ditto.
2022-08-31 15:34:17 +02:00
NIIBE Yutaka
e1169e8f8a
scd: Add npth_unprotect/npth_protect for blocking operations.
* scd/ccid-driver.c (ccid_open_usb_reader): Name the thread.
(ccid_vendor_specific_setup, ccid_open_usb_reader): Wrap
blocking operations by npth_unprotect/npth_protect.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-08-31 13:50:07 +02:00
NIIBE Yutaka
14ccabe7f8
dirmngr: Reject certificate which is not valid into cache.
* dirmngr/certcache.c (put_cert): When PERMANENT, reject the
certificate which is obviously invalid.

--

With this change, invalid certificates from system won't be registered
into cache.  Then, an intermediate certificate which is issued by an
entity certified by such an invalid certificate will be also rejected
with GPG_ERR_INV_CERT_OBJ.  With less invalid certificates in cache,
it helps the validate_cert_chain function work better.

GnuPG-bug-id: 6142
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2022-08-31 13:47:51 +02:00