1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

8038 Commits

Author SHA1 Message Date
Werner Koch
ebe727ef59
dirmngr: Validate SRV records in WKD queries.
* dirmngr/server.c (proc_wkd_get): Check the returned SRV record names
to mitigate rogue DNS servers.
--

I am not sure wether this really is very useful because the security
relies on a trustworthy DNS system anyway.  However, that check is
easy enough to do.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-27 12:24:23 +02:00
Werner Koch
ddee9f9409
common: New function to validate domain names.
* common/mbox-util.c (is_valid_domain_name): New.
* common/t-mbox-util.c (run_dns_test): New test.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-27 12:24:23 +02:00
Jiří Keresteš
967d3649d2 scd: Add support for Trustica Cryptoucan. 2018-07-26 11:44:50 +09:00
NIIBE Yutaka
1111251945 Register DCO for Jiri Kerestes.
--
2018-07-26 11:44:10 +09:00
Werner Koch
bd4048c533
dirmngr: Print a WARNING status for DNS config problems.
* dirmngr/dirmngr-status.h: New.
* dirmngr/dirmngr.h: Include dirmngr-status.h and move some prototypes
to that file.
* dirmngr/t-support.c: New.
* dirmngr/Makefile.am (dirmngr_SOURCES): Add dirmngr-status.h.
(t_common_src): Add t-support.c.
* dirmngr/server.c (dirmngr_status_printf): Bypass if CTRL is NULL.
* dirmngr/dns-stuff.c: Include dirmngr-status.h.
(libdns_init): Print WARNING status line.  Change call callers to take
and pass a CTRL argument.
* g10/call-dirmngr.c (ks_status_cb): Print info for new WARNING
status.
--

To test this you can change RESOLV_CONF_NAME in dns-stuff.c and run
gpg --recv-key -v SOMETHING.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-25 14:35:04 +02:00
Werner Koch
9aa1b368ef
gpg: Use 128 MiB as default AEAD chunk size.
* g10/gpg.c (oDebugAllowLargeChunks): New.
(opts): New option --debug-allow-large-chunks.
(main): Implement that option.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-24 09:58:02 +02:00
NIIBE Yutaka
1c9584dabb Register DCO fo Michael Haubenwallner.
--
2018-07-17 14:14:39 +09:00
Werner Koch
011ab7ec66
doc: Add NEWS about the 2.2.9 release
--
2018-07-12 20:51:02 +02:00
Werner Koch
76989d5bd8
gpg: Remove multiple subkey bindings during export-clean.
* g10/key-clean.c (clean_one_subkey_dupsigs): New.
(clean_all_subkeys): Call it.
--

GnuPG-bug-id: 3804
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-09 12:01:02 +02:00
Werner Koch
c2fd65ec84
gpg: Let export-clean remove expired subkeys.
* g10/key-clean.h (KEY_CLEAN_NONE, KEY_CLEAN_INVALID)
(KEY_CLEAN_ENCR, KEY_CLEAN_AUTHENCR, KEY_CLEAN_ALL): New.
* g10/key-clean.c (clean_one_subkey): New.
(clean_all_subkeys): Add arg CLEAN_LEVEL.
* g10/import.c (import_one): Call clean_all_subkeys with
KEY_CLEAN_NONE.
* g10/export.c (do_export_stream): Call clean_all_subkeys depedning on
the export clean options.
--

GnuPG-bug-id: 3622
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-09 09:49:21 +02:00
Werner Koch
6c3567196f
gpg: Split key cleaning function for clarity.
* g10/key-clean.c (clean_key): Rename to clean_all_uids and split
subkey cleaning into ...
(clean_all_subkeys): new.  Call that always after the former clean_key
invocations.
--

Note that the clean_all_subkeys function will later be extended.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-09 08:15:50 +02:00
Werner Koch
135e46ea48
gpg: Move key cleaning functions to a separate file.
* g10/trust.c (mark_usable_uid_certs, clean_sigs_from_uid)
(clean_uid_from_key, clean_one_uid, clean_key): Move to ...
* g10/key-clean.c: new file.
* g10/key-clean.h: New.
* g10/Makefile.am (gpg_sources): Add new files.
* g10/export.c, g10/import.c, g10/keyedit.c, g10/trustdb.c: Include
new header.
* g10/trustdb.h (struct key_item, is_in_klist): Move to ...
* g10/keydb.h: here.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-06 11:40:16 +02:00
Werner Koch
cb71573f37
po: Add flag options for xgettext.
* po/Makevars (XGETTEXT_OPTIONS): Add --flag options.
--

GnuPG-bug-id: 4053, 4054
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-05 21:39:53 +02:00
Werner Koch
f7526c7bc7
gpg: Prepare for signatures with ISSUER_FPR but without ISSUER.
* g10/getkey.c (get_pubkey_for_sig): New.
(get_pubkeyblock_for_sig): New.
* g10/mainproc.c (issuer_fpr_raw): Give global scope.
(check_sig_and_print): Use get_pubkeyblock_for_sig.
* g10/pkclist.c (check_signatures_trust): Use get_pubkey_for_sig.
* g10/sig-check.c (check_signature2): Ditto.
(check_signature_over_key_or_uid): Ditto.
--

GnuPG-bug-id: 4046

The whole getkey stuff is still a mess with way to much duplication
and missing caching of already fetched data.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-05 20:55:32 +02:00
Werner Koch
9ea9b9db7e
doc: Typo fix in a comment.
--
2018-07-05 09:42:06 +02:00
Werner Koch
faf3c70c77
tools: Add experimental code for a pairing protocol
* configure.ac (GNUPG_CACHE_DIR): New const.
* tools/Makefile.am (libexec_PROGRAMS): Add gpg-pair-tool.
(gpg_pair_tool_SOURCES, gpg_pair_tool_CFLAGS)
(gpg_pair_tool_LDADD): New.
* tools/gpg-pair-tool.c: New.
--

This is a first try on a protocol to pair two devices so that they can
agree on a shared secret to exchange secret keys.  The idea is that if
you want to sync your secret keys to another machine (e.g. from
desktop to mobile) you have physical access to both devices and thus a
pairing protocol allows to authenitcate the connection using a short
string.  See the source for a protocol description.

How to test:

  $ gpg-pair-tool -va --homedir . --initiate >msg.commit
  $ gpg-pair-tool -va --homedir 2ndhome --respond  \
                                        <msg.commit >msg.dhpart1
  $ gpg-pair-tool -va --homedir . --respond \
                                        <msg.dhpart1 >msg.dhpart2
  $ gpg-pair-tool -va --homedir 2ndhome --respond \
                                        <msg.dhpart2 >msg.confirm

Now set the SAS as printed by the responder into SAS and run

  $ gpg-pair-tool -va --homedir . --respond --sas $SAS <msg.confirm

Storing the secret on disk is obviously not the right thing to do.
With the new PUT_SECRET and GET_SECRET commands of gpg-agent we can
change this to store it all in gpg-agent instead.  This will make it
also easier for gpg to access the secret and we won't need an option
to return it from gpg-pair-tool.  Thus gpg-pair-tool can be dedicated
to run the protocol and maybe to popup info dialogs.

Adding a second expiration time for running the protocol in addition
to the expiration of the secret is probably a better idea than just
that simple catch-all TTL.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-05 09:40:35 +02:00
Werner Koch
01cd66f9fa
gpg: Ignore too large user ids during import.
* g10/import.c (read_block): Add special treatment for bad user ids
and comment packets.
--

See
GnuPG-bug-id: 4022
for an example of a bogus user id.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-04 09:58:05 +02:00
Werner Koch
60e7e102a1
indent: Fix indentation of read_block in g10/import.c
--

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-04 09:45:52 +02:00
Werner Koch
214b007726
gpg: Extra check for sign usage when verifying a data signature.
* g10/sig-check.c (check_signature_end_simple): Check sign usage.
--

Without this patch the signature verification fails only due to the
missing back signature.  This check better explains what went wrong.

GnuPG-bug-id: 4014
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-04 09:01:10 +02:00
NIIBE Yutaka
996febbab2 g10: Fix memory leak for PKT_signature.
* g10/getkey.c (buf_to_sig): Free by free_seckey_enc.
* g10/gpgcompose.c (signature): Likewise.
* g10/sign.c (write_signature_packets): Likewise.

--

Reported-by: Philippe Antoine
GnuPG-bug-id: 4047
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-07-03 09:07:03 +09:00
Werner Koch
8a915cd9fa
agent: New commands PUT_SECRET and GET_SECRET.
* agent/agent.h (CACHE_MODE_DATA): New const.
* agent/cache.c (DEF_CACHE_TTL_DATA): new.
(housekeeping): Tweak for CACHE_MODE_DATA.
(cache_mode_equal): Ditto.
(agent_get_cache): Ditto.
(agent_put_cache): Implement CACHE_MODE_DATA.
* agent/command.c (MAXLEN_PUT_SECRET): New.
(parse_ttl): New.
(cmd_get_secret): New.
(cmd_put_secret): New.
(register_commands): Register new commands.
--

These commands allow to store secrets in memory for the lifetime of
the gpg-agent process.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-02 21:36:19 +02:00
Werner Koch
58baf40af6
common: New function percent_data_escape.
* common/percent.c (percent_data_escape): New.
* common/t-percent.c (test_percent_data_escape): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-02 20:25:30 +02:00
Werner Koch
3978df943d
agent: Fix segv running in --server mode
* agent/command.c (start_command_handler): Do not write to
CLIENT_CREDS after an error.
--

assuan_get_peercred is special insofar that it returns a pointer into
CTX.  Writing data via this pointer should never be done.

Fixes-commit: 28aa6890588cc108639951bb4bef03ac17743046
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-07-02 20:25:30 +02:00
NIIBE Yutaka
1aacd12471 libdns: For SOCKS connection, just fails.
* dirmngr/dns.c (dns_res_exec): If it's DNS_SO_SOCKS_CONN, don't
iterate to other server, but return the error immediately.

--

In the function libdns_switch_port_p in dns-stuff.c, this patch
allows to fallback using TOR_PORT2 correctly.

Fixes-commit: bcdbf8b8ebe9d61160e0b007dabe1b6462ffbc93
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-07-02 10:37:49 +09:00
Werner Koch
592deeddb9
gpg: Print revocation reason for "rev" records.
* g10/main.h: Add prototype.
* g10/keylist.c (list_keyblock_print): Print revocation info.
(list_keyblock_colon): Ditto.

* g10/test-stubs.c (get_revocation_reason): New stub.
* g10/gpgv.c (get_revocation_reason): New stub.
--

GnuPG-bug-id: 1173
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-21 20:28:51 +02:00
Werner Koch
b7cd2c2093
gpg: Print revocation reason for "rvs" records.
* g10/import.c (get_revocation_reason): New.
(list_standalone_revocation): Extend function.
--

Note that this function extends the "rvs" field signature-class (field
11) with the revocation reason.  GPGME does not yet parse this but it
can be expected that the comma delimiter does not break other parsers.

A new field is added to the "rvs" (and in future also the "rev")
record to carry a record specific comment.  Hopefully all parsers
meanwhile learned the lesson from other new fields and don't bail out
on more fields than they know about.

This is partial solution to
GnuPG-bug-id: 1173

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-21 20:03:44 +02:00
Werner Koch
386b9c4f25
gpg: Let --show-keys print revocation certificates.
* g10/import.c (list_standalone_revocation): New.
(import_revoke_cert): Call new function.
--

GnuPG-bug-id: 4018
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-21 15:06:40 +02:00
Werner Koch
7e9aa307f7
build: Remove duplicates from AC_CHECK_FUNCS
* configure.ac (AC_CHECK_FUNCS): Fold most calls into one.
--

A few functions were tested two times which slightly increases the size
of the configure script.  Also put the functions in sorted order into
the macro.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-21 12:58:29 +02:00
NIIBE Yutaka
861f1da073 libdns: Let kernel to decide the local port.
* dirmngr/dns.c (LEAVE_SELECTION_OF_PORT_TO_KERNEL): New.
(dns_socket): Don't select ephemeral port in user space.

--

There is no good reason to bind local port aggressively.  It might be
some reason to do so, then, a user can specify it in /etc/resolv.conf
by the second argument of "interface" directive.

At least, it causes a problem on Windows.  Binding a specified port in
user space can trigger the Firewall dialog on Windows.  Since it can
be considered valid question, it is better not to bind with an
ephemeral port which is selected in user space, by default.

GnuPG-bug-id: 3610
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-06-20 08:59:05 +09:00
Werner Koch
08147f8bbd
wks: Take name of sendmail from configure.
* configure.ac (NAME_OF_SENDMAIL): New ac_define.
* tools/send-mail.c (run_sendmail): Use it.
--

We used to ac_subst the SENDMAIL in the old keyserver via mail script.
We cab reuse this to avoid a fixed name for sendmail in the
send-mail.c helper.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-19 08:07:59 +02:00
NIIBE Yutaka
a4a054bf14 libdns: Fix for non-FQDN hostname.
* dirmngr/dns.c (dns_resconf_open): Clear search[0] for non-FQDN
hostname.

--

GnuPG-bug-id: T3803
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-06-18 10:13:35 +09:00
NIIBE Yutaka
bcdbf8b8eb libdns: Fix connect and try next nameserver when ECONNREFUSED.
* dirmngr/dns.c (dns_so_check): When EINVAL, release the association
by connect with AF_UNSPEC and try again.  Also try again for
ECONNREFUSED.
(dns_res_exec): Try next nameserver when ECONNREFUSED.

--

GnuPG-bug-id: T3374
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-06-15 12:58:29 +09:00
NIIBE Yutaka
1c0b6681e4 libdns: Clear struct sockaddr_storage by zero.
* dirmngr/dns.c (dns_resconf_pton): Clear SS.
(dns_resconf_setiface): Clear ->IFACE.
(dns_hints_root, send_query): Clear SS.

--

POSIX requires clear the structure of struct sockaddr_in6.  On macOS,
in some case like bind, it is better to clear even for struct
sockaddr_in.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-06-15 10:38:22 +09:00
NIIBE Yutaka
3e6ad302ea libdns: Sync to upstream.
* dirmngr/dns.c (dns_nssconf_loadfile): Handle exclamation mark.

--

Reverting local change, merge upstream's debug-tracing branch.
(commit 21281fc1b63bb74d51762b8e363c49b1a258783d)

Fixes-commit: d4c0187dd93163f12e9f953366adef81ecf526a6
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-06-14 13:10:57 +09:00
NIIBE Yutaka
5b40338f12 dirmngr: Fix recursive resolver mode.
* dirmngr/dns-stuff.c (libdns_init): Initialize options.recurse.

--

To reproduce an error, run:

    ./t-dns-stuff --debug --recursive-resolver www.gnupg.org

Then, it returns "No name" error.  That's because there was only setup
for root servers, and no setup for recursive query in fact.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-06-14 13:01:45 +09:00
Werner Koch
cb52eb76b3
Some preparations to eventuallt use gpgrt_argparse.
* configure.ac (GNUPG_DEF_COPYRIGHT_LINE: New.
* tools/watchgnupg.c (print_version): USe this macro.
* common/init.c (_init_common_subsystems): Register argparse
functions.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-12 16:11:19 +02:00
Werner Koch
440472663d
Require libgpg-error 1.29 and remove internal logging functions.
* configure.ac (NEED_GPG_ERROR_VERSION): Set to 1.29
* common/util.h: Remove replacement error codes.
* common/logging.h: Remove fallback to internal logging functions.
* common/logging.c: Remove.
* common/Makefile.am (common_sources): Remove logging.c

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-12 13:46:00 +02:00
Werner Koch
fe621cc64b
gpg: Do not import revocations with --show-keys.
* g10/import.c (import_revoke_cert): Add arg 'options'.  Take care of
IMPORT_DRY_RUN.
--

GnuPG-bug-id: 4017
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-12 09:07:16 +02:00
NIIBE Yutaka
8f99299a54 card: Fix memory leak for fetch-url sub command.
* g10/card-util.c (fetch_url): Release INFO.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2018-06-12 15:54:18 +09:00
Daniel Kahn Gillmor
2ddfb5bef9
gpg: Add new usage option for drop-subkey filters.
* g10/import.c (impex_filter_getval): Add new "usage" property for
drop-subkey filter.
--

For example, this permits extraction of only encryption-capable
subkeys like so:

    gpg --export-filter 'drop-subkey=usage !~ e' --export $FPR

GnuPG-Bug-id: 4019
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2018-06-12 08:19:19 +02:00
Werner Koch
615b9d1fb7
doc: Include release info from 2.2.8
--
2018-06-11 08:55:20 +02:00
Werner Koch
d2bc66f241
gpg: Set some list options with --show-keys
* g10/gpg.c (main): Set some list options.
--

The new command --show-keys is commonly used to check the content of a
file with keys.  In this case it can be expected that all included
subkeys and uids are of interested, even when they are already expired
or have been revoked.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-11 08:48:21 +02:00
Werner Koch
13f135c7a2
gpg: Sanitize diagnostic with the original file name.
* g10/mainproc.c (proc_plaintext): Sanitize verbose output.
--

This fixes a forgotten sanitation of user supplied data in a verbose
mode diagnostic.  The mention CVE is about using this to inject
status-fd lines into the stderr output.  Other harm good as well be
done.  Note that GPGME based applications are not affected because
GPGME does not fold status output into stderr.

CVE-id: CVE-2018-12020
GnuPG-bug-id: 4012
2018-06-08 10:45:21 +02:00
Werner Koch
26746fe65d
gpg: Improve import's repair-key duplicate signature detection.
* g10/key-check.c (key_check_all_keysigs): Factor some code out to ...
(remove_duplicate_sigs): new.
(key_check_all_keysigs): Call remove_duplicate_sigs again after
reordering.
--

This is a follupup for commit 26bce2f01d2029ea2b8a8dbbe36118e3c83c5cba
to cleanup the code and to add a second de-duplicate step when needed.

GnuPG-bug-id: 3994
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-07 18:41:17 +02:00
Werner Koch
26bce2f01d
gpg: Fix import's repair-key duplicate signature detection.
* g10/packet.h (PKG_siganture): Add field 'help_counter'.
* g10/key-check.c (sig_comparison): Take care of HELP_COUNTER.
(key_check_all_keysigs): De-duplicate on a per-block base.
--

The key_check_all_keysigs first does a detection of duplicate
signature.  This is done over all signatures at once.  The problem
here is for example:

   key
   uid_1
     sig_uid_1.1
     sig_uid_1.2
   subkey_1
     sig_sub_1.1
   subkey_2
     sig_sub_2.1
     sig_sub_2.2  (duplicate of sig_sub_1.1)

Now the de-duplication deletes the first signature and keeps the
second.  That works in most cases for foreign signature on userids but
in the above constellation the code simply removes sig_sub_1.1 so that
subkey_1 has no binding signature anymore.  In a later step during
import the missing binding is detected and subkey_1 is removed because
it is not anymore valid.  The sig_sub_2.2 will also be removed later
because it does not check out for subkey_2 (that is as expected).

The fix is to let the de-duplication work only on blocks (ie. within
the signatures of a user id or a subkey).  This will not detect all
duplicates but that does not harm because later steps will detect and
remove them.

In the above case (with this patch applied) the second phase of
key_check_all_keysigs will reorder key signatures and move the
duplicate sig_sub_2.2 directly after sig_sub_1.1.  This duplicates the
signature and for cleanness we should kick the de-duplication process
again.  This will be done with a followup patch.

GnuPG-bug-id: 3994
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-07 17:22:58 +02:00
Werner Koch
1bc6b51742
gpg: Improve verbose output during import.
* g10/import.c (chk_self_sigs): Print the subkeyid in addition to the
keyid.
(delete_inv_parts): Ditto.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-07 10:30:07 +02:00
Werner Koch
7ffc1ac7dd
agent: Add DBUS_SESSION_BUS_ADDRESS et al. to the startup list.
* agent/gpg-agent.c (agent_copy_startup_env): Replace explicit list
with the standard list.
--

Although the function agent_copy_startup_env is newer than
session_env_list_stdenvnames the latter was not used.  When
DBUS_SESSION_BUS_ADDRESS was added to the latter it was forgotten to
add it to the former as well.  Having all stdnames here seems to be
the Right Thing (tm) to do.

GnuPG-bug-id: 3947
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-06 18:29:15 +02:00
Werner Koch
70f26e4263
doc: Typo fixes
--

Reported-by: Claus Assmann <ca+gnupg-users@esmtp.org>
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-06 17:25:51 +02:00
Werner Koch
344b548dc7
gpg: Also detect a plaintext packet before an encrypted packet.
* g10/mainproc.c (proc_encrypted): Print warning and later force an
error.
--

Note that when this error is triggered the plaintext from the literal
data packet has already been outputted before the BEGIN_DECRYPTION
status line.  We fail only later to get more information.  Callers
need to check and act upon the decryption error code anyway.

Thanks to Marcus for pointing out this case.

GnuPG-bug-id: 4000
Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-06 15:46:34 +02:00
Werner Koch
257661d6ae
gpg: New command --show-keys.
* g10/gpg.c (aShowKeys): New const.
(opts): New command --show-keys.
(main): Implement command.
* g10/import.c (import_keys_internal): Don't print stats in show-only
mode.
(import_one): Be silent in show-only mode.
--

Using

  --import --import-options show-only

to look at a key is too cumbersome.  Provide this shortcut and also
remove some diagnostic cruft in this case.

Signed-off-by: Werner Koch <wk@gnupg.org>
2018-06-06 11:57:34 +02:00