1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-11-09 21:28:51 +01:00
Commit Graph

10017 Commits

Author SHA1 Message Date
Werner Koch
3491faa3bb
gpg: Remove experimental feature to export w/o user-ids.
* g10/options.h (IMPORT_DROP_UIDS, EXPORT_DROP_UIDS): Remove.
* g10/import.c (parse_import_options): Remove option import-drop-uids.
(import_one_real): Remove drop uids code.
(remove_all_uids): Remove function.
* g10/export.c (parse_export_options): Remove option export-drop-uids.
(do_export_one_keyblock): Remove drop uids code.
2021-02-02 12:57:00 +01:00
Werner Koch
a06c79b614
card: List keys of pkcs#15 cards.
* tools/gpg-card.c (list_p15): New.
(list_card): Call it.
2021-02-02 12:40:07 +01:00
Werner Koch
0c080ed579
scd:p15: Read PuKDF and minor refactoring.
* scd/app-p15.c (pukdf_object_t): New.
(struct app_local_s): Add field public_key_info.
(release_pukdflist): New.
(select_and_read_record): No diagnostic in case of not_found.
(read_first_record): New.  Factored out from the read_ef_ fucntions.
(read_ef_pukdf): New.  Basically a copy of read_ef_prkdf for now.
(read_p15_info): Also read the public keys.

(cardtype2str): New.
(read_ef_tokeninfo): Print a string with the cardtype.
2021-02-02 12:38:03 +01:00
Werner Koch
0737dc8187
sm: Add a few OIDs and merge OID tables.
* sm/keylist.c (OID_FLAG_KP): New.
(key_purpose_map): Merge into ...
(oidtranstbl): this.
(get_oid_desc): New arg 'matchflag'.  Use function in place of direct
access to key_purpose_map.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-02-01 10:28:52 +01:00
Werner Koch
90c514868f
Include the library version in the compliance checks.
* common/compliance.c (gnupg_gcrypt_is_compliant): New.
(gnupg_rng_is_compliant): Also check library version.
* g10/mainproc.c (proc_encrypted): Use new function.
(check_sig_and_print): Ditto.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* sm/verify.c (gpgsm_verify): Ditto
--

This will eventually allow us to declare Libgcrypt 1.9 to be de-vs
compliant.  GnuPG can use this information then for its own checks.
As of now GnuPG tests the version of the used library but that is a
bit cumbersome to maintain.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-28 15:48:08 +01:00
Werner Koch
1e197c29ed
scd:p15: Make file selection more robust.
* scd/app-p15.c: Include host2net.h.
(DEFAULT_HOME_DF): New.
(select_and_read_binary): Replace slot by app.  Change callers.  Use
select_ef_by_path.
(select_and_read_record): ditto.
(select_ef_by_path): Make use use the home_df.
(parse_certid): Adjust for always set home_df.
(print_tokeninfo_tokenflags): Ditto.
(app_select_p15): Take the home_df from the FCI returned by select.
--

This uses modern APDUs and always selectd starting at the PCKS-15 home
DF.  We could have made this much simpler but the goal is to keep
support for older cards although we can't test that easily.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-27 18:39:42 +01:00
Werner Koch
7620473cd0
scd: Define new status word
* scd/apdu.h (SW_NO_CURRENT_EF): New.
--

This merely to show better diagnostics.
Used for example by CardOS 5.3.
2021-01-27 18:31:12 +01:00
Werner Koch
5bcbc8cee3
scd:p15: Factor the commonKeyAttributes parser out.
* scd/app-p15.c (read_ef_prkdf): Fix detection of unsupported key
 objects.  Factor some code out to ...
(parse_common_key_attr): new.
--
2021-01-27 13:28:12 +01:00
Werner Koch
b08418d22c
gpg: Fix ugly error message for an unknown symkey algorithm.
* g10/mainproc.c (proc_symkey_enc): Do not continue with an unknown
algorithm.
--

Trying to encrypt data created with

 printf "\x8c\x49\x05\x0e\x0a\x03\x01"

fails in version 2.2.19 with

 gpg: packet(3) with unknown version 5

but with later versions with

  gpg: encrypted with unknown algorithm 14
  gpg: Ohhhh jeeee: ... this is a bug \
       ([...]/passphrase.c:433:passphrase_to_dek)

so we better catch this case earlier.

Reported-by: Tavis Ormandy
Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-27 11:49:20 +01:00
Werner Koch
fb84674d6c
scd:p15: Factor the commonObjectAttributes parser out.
* scd/app-p15.c (parse_common_obj_attr): New.
(read_ef_prkdf): Use new function.
(read_ef_aodf): Ditto.
2021-01-26 19:10:12 +01:00
Werner Koch
fc287c0552
scd:p15: First step towards real CardOS 5 support.
* scd/iso7816.c (iso7816_select_path): Add arg from_cdf.
* scd/app-nks.c (do_readkey): Adjust for this change.

* scd/app-p15.c (CARD_TYPE_CARDOS_53): New.
(IS_CARDOS_5): New.
(card_atr_list): Add standard ATR for CardOS 5.3.
(select_and_read_binary): Remove the fallback to record read hack.
(select_and_read_record): New.
(select_ef_by_path): Rework and support CardOS feature.
(read_ef_prkdf): Use read record for CardOS.
(read_ef_cdf): Ditto.
(read_ef_aodf): Ditto.  Also fix bug in the detection of other
unsupported attribute types.
(verify_pin): Use IS_CARDOS_5 macro.
(app_select_p15): Force direct method for CardOS.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-26 17:42:55 +01:00
Werner Koch
224e26cf7b
agent: Support ssh-agent extensions for environment variables.
* common/session-env.c (session_env_list_stdenvnames): Extend to allow
return all names as one string.
* agent/command-ssh.c (SSH_REQUEST_EXTENSION): New.
(SSH_RESPONSE_EXTENSION_FAILURE): New.
(request_specs): Add handler for the extension command.
(ssh_handler_extension): New.
--

The extension mechanism is specified in
https://tools.ietf.org/html/draft-miller-ssh-agent-04

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-25 10:35:06 +01:00
Werner Koch
60499d9894
scd:p15: Show the ATR as part of the TokenInfo diagnostics.
* scd/app-p15.c (read_ef_tokeninfo): Print the ATR in verbose mode.
--

It is convenient to see the ATR close to the other info,

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-21 10:44:43 +01:00
Werner Koch
9500432b7a
Require Libgcrypt 1.9
* configure.ac: Require at least Libgcrypt 1.9.0.  Remove all
GCRYPT_VERSION_NUMBER dependent code.
--

Only Libgcrypt 1.9 implements EAX which is a mandatory algorithm in
RFC4880bis.

Signed-off-by: Werner Koch <wk@gnupg.org>
2021-01-19 10:33:03 +01:00
Werner Koch
93d5d7ea2a
tools: Add option --clock to watchgnupg
* tools/watchgnupg.c (print_fd_and_time) [ENABLE_LOG_CLOCK]: Use
clock_gettime.
(print_version): New option --clock.
2021-01-12 09:31:20 +01:00
bobwxc
ecaabc2d8f po: Update Simplified Chinese Translation.
--

GnuPG-bug-id: 5189
Signed-off-by: bobwxc <bobwxc@yeah.net>
2021-01-12 10:07:39 +09:00
Werner Koch
b6967d3191
gpg,w32: Fix gnupg_remove.
* common/sysutils.c (map_w32_to_errno): New.
(gnupg_w32_set_errno): New.
(gnupg_remove) [w32]: Set ERRNO
--

To support Unicode gnupg_remove was changed to use DeleteFileW and not
properly tested because the code was alreadt used in Windows CE.
However, ERRNO was not set and thus Dirmngr failed due to

 if (!gnupg_remove (fname))
   log_info (_("removed stale te[...] file '%s'\n"), fname);
 else if (errno != ENOENT)
   {
     err = gpg_error_from_syserror ();
     log_error (_("problem remov[...] file '%s': %s\n"),
                fname, gpg_strerror (err));
     goto leave;
   }

GnuPG-bug-id: 5230
2021-01-11 14:19:06 +01:00
Ingo Klöcker
7eef40cc11 I meant "SHA-2 digests" in the previous commit.
GnuPG-bug-id: 5184
2021-01-06 15:04:49 +01:00
Ingo Klöcker
8fe976d5b9 scd:nks: Add support for signing plain SHA-3 digests.
* scd/app-nks.c (do_sign): Handle plain SHA-3 digests and verify
encoding of ASN.1 encoded hashes.
--

This makes it possible to create CSRs for NetKey card keys which are
signed with SHA256 by default.

GnuPG-bug-id: 5184
2021-01-06 12:19:11 +01:00
NIIBE Yutaka
f4a8be0950 po: Fix Simplified Chinese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-01-05 10:54:07 +09:00
NIIBE Yutaka
6850f21d08 po: Fix Simplified Chinese Translation.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2021-01-05 10:44:01 +09:00
bobwxc
bfb073c732 po: Update Simplified Chinese Translation.
--

GnuPG-bug-id: 5189
Signed-off-by: bobwxc <bobwxc@yeah.net>
2021-01-05 10:08:05 +09:00
Werner Koch
c008e8d20e
wkd: Minor permission fix for created files.
* tools/wks-util.c (wks_cmd_install_key): Don't set u+x on the file.
(ensure_policy_file): No need to make the policy file group writable.
--

The policy file is rarely changed thus no need to g+w.  Setting +x on
a plain file does not make sense at all.

GnuPG-bug-id: 5214
2020-12-30 15:03:46 +01:00
Yao Wei
22f7dddc34 Update Traditional Chinese doc/help.zh_TW.txt
--

Signed-off-by: Yao Wei <mwei@debian.org>
2020-12-28 17:16:11 +09:00
Werner Koch
15e065dee8
doc: Add instructions on how to setup an Active Directory.
--
2020-12-23 14:45:55 +01:00
bobwxc
ea3fb3dc94 doc: Update Simplified Chinese doc/help.zh_CN.txt.
--

GnuPG-bug-id: 5189
Signed-off-by: bobwxc  <bobwxc@yeah.net>
2020-12-23 11:38:50 +09:00
NIIBE Yutaka
eeea4f0fab doc: Update Japanese doc/help.ja.txt.
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-23 11:25:03 +09:00
Werner Koch
fc0eaa9add
common: Remove superfluous debug output from dotlock.c.
* common/dotlock.c (dotlock_create_unix): Remove debug output.
--

This was left over from developement about 10 years ago.  Exhibits
itself when using sshfs.

GnuPG-bug-id: 5193
2020-12-21 19:43:35 +01:00
Werner Koch
e0cbb97925
doc: Explain LDAP keyserver parameters 2020-12-21 16:06:16 +01:00
Werner Koch
355e2992c0
dirmngr: Do not block threads in LDAP keyserver calls.
* dirmngr/ks-engine-ldap.c: Wrap some ldap calls.
--

The former gpgkeys_ldap module has once been ported to dirmngr but
unfortunately the dirmngr_ldap wrapper has not been used so that we
have internal LDAP calls with these problems:

- No usable timeouts.
- On non-Windows platforms a lot of extra libs and possibly even a
  second copy of Libgcrypt is pulled in.
- Only one threads runs at a time.

This patch mitigates the last point.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-18 11:57:14 +01:00
Werner Koch
4a3836e2b2
gpg: New AKL method "ntds"
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Change the new
support for KEYDB_SEARCH_MODE_MAIL.
(ks_ldap_get): Add a debug.
* g10/options.h (AKL_NTDS): New.
* g10/keyserver.c (keyserver_import_ntds): New.
(keyserver_get_chunk): Allow KEYDB_SEARCH_MODE_MAIL.
* g10/getkey.c (parse_auto_key_locate): Support "ntds".
(get_pubkey_byname): Ditto.
2020-12-17 18:25:34 +01:00
Werner Koch
1194e4f7e2
dirmngr: Support "ldap:///" for the current AD user.
* dirmngr/http.h (struct parsed_uri_s): Add field ad_current.
* dirmngr/ldap-parse-uri.c (ldap_parse_uri): Set it.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Take care of ad_current.
--

Ported from 2.2.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-17 18:25:11 +01:00
Werner Koch
2cadcce3e8
dirmngr: Allow LDAP searches via fingerprint.
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Add arg
serverinfo and allow searching by fingerprint.
(ks_ldap_get, ks_ldap_search): First connect then create teh filter.
--

With the new schema we can finally search by fingerprint.
2020-12-17 10:20:28 +01:00
Werner Koch
2b06afbf26
dirmngr: Finalize Active Directory LDAP Schema
--

With these modifications it is now possible to store and retrieve keys
from an AD without manually tweaking the schema.  Permissions need to
be set manuallay, though.
2020-12-17 10:17:22 +01:00
Werner Koch
a2434ccabd
dirmngr: Store all version 2 schema attributes.
* g10/call-dirmngr.c (ks_put_inq_cb): Emit "fpr" records.
* dirmngr/ks-engine-ldap.c (extract_attributes): Add args
extract-state and schemav2.  Add data for the new schema version.
remove the legacy code to handle UIDs in the "pub" line.
(ks_ldap_put): Set new attributes for NTDS use the fingerprint as CN.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-15 13:36:19 +01:00
Werner Koch
2c6bb03cfb
dirmngr: Remove superfluous attribute from the LDAP schema.
--

I accidently added a gpgSubCertID attribute not realizing that the
pgpSubKeyID already carries the long keyid.  Remove that.  Note that
the pgpkeyID has the short keyid and the long keyid has the name
pgpCertID.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-15 08:52:06 +01:00
Werner Koch
e9ddd61fe9
dirmngr: Support the new Active Directory schema
* dirmngr/ks-engine-ldap.c (SERVERINFO_): New constants.
(my_ldap_connect): Relace args pgpkeyattrp and real_ldapp by a new
serverinfo arg.  Set the new info flags.
(ks_ldap_get): Adjust for change.
(ks_ldap_search): Ditto.
(ks_ldap_put): Ditto.  Replace xmalloc by xtrymalloc.  Change the DN
for use with NTDS (aka Active Directory).
* doc/ldap/gnupg-ldap-init.ldif (pgpSoftware): Update definition of
pgpVersion.
* doc/ldap/gnupg-ldap-ad-init.ldif: New.
* doc/ldap/gnupg-ldap-ad-schema.ldif: New.
--

This is a first take on better Active Directory support.  The main
change for NTDS in the code is that the an top-RDN of CN is used
instead of the old pgpCertID.  More changes to come; for example using
and storing the fingerprint.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-14 19:29:49 +01:00
Werner Koch
cc056eb534
dirmngr: Do not store the useless pgpSignerID in the LDAP.
* dirmngr/ks-engine-ldap.c (extract_attributes): Do not store the
pgpSignerID.
* g10/call-dirmngr.c (ks_put_inq_cb): Do not emit sig records.
--

The pgpSignerID has no use in the LDAP and thus don't store it.
David's idea back in 2004 was
              /* This bit is really for the benefit of people who
                 store their keys in LDAP servers.  It makes it easy
                 to do queries for things like "all keys signed by
                 Isabella".  */
See-commit: 3ddd4410ae

I consider this dangerous because such a query is not able to validate
the signature, does not get revocation signatures, and also has no
information about the validity of the signatures.  Further many keys
are spammed tehse days with faked signatures and it does not make
sense to blow up the LDAP with such garbage.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-14 19:29:49 +01:00
Werner Koch
37a899d0e4
dirmngr: Fix adding keys to an LDAP server.
* dirmngr/ks-engine-ldap.c (ks_ldap_put): Extract attribites into
addlist.
--

The code used the wrong list which resulting in adding attributes
marked for deletion.  In particular Active Directory does not accept
such an data and rejects them.  The bug was introduced into 2.1 while
porting the code from the old keyserver helpers to dirmngr.

Fixes-commit: 51341badb6
Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-14 19:29:49 +01:00
NIIBE Yutaka
3b39263088 scd:nks: Support READKEY with keygrip and for "NKS-IDLM" keyref.
* scd/app-nks.c (do_readkey): Allow KEYGRIP access.
Support NKS-IDLM.XXXX keyref.

--

GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-11 14:08:40 +09:00
NIIBE Yutaka
b7c087375d scd:nks: Factor out pubkey retrieval from keygrip handling.
* scd/app-nks.c (pubkey_from_pk_file): New.
(keygripstr_from_pk_file): Use pubkey_from_pk_file.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-11 14:06:52 +09:00
NIIBE Yutaka
4020cd9d65 scd:nks: Add support of KEYGRIP for do_readcert.
* scd/app-nks.c (do_readcert): Support KEYGRIP.

--

GnuPG-bug-id: 5150
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-10 10:40:35 +09:00
NIIBE Yutaka
6c43658476 scd:nks: Factor out iteration over filelist.
* scd/app-nks.c (iterate_over_filelist): New.
(do_with_keygrip): Use iterate_over_filelist.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-10 10:40:11 +09:00
Werner Koch
c7c88648b7
wks-client: Improve an error message
* tools/gpg-wks-client.c (read_confirmation_request): Print trust
letter.
--

The trust letter gives a hint on what's wrong with the key.

Signed-off-by: Werner Koch <wk@gnupg.org>
2020-12-09 10:59:51 +01:00
NIIBE Yutaka
a9aa30ed2c scd:ccid:spr532: Extend abort_cmd for initialization time.
* scd/ccid-driver.c (abort_cmd): Add INIT argument to support
synchronize until success, even ignoring timeout.
(bulk_in): Normal use case of abort_cmd.
(ccid_vendor_specific_init): Initial use case of abort_cmd.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-09 12:54:43 +09:00
NIIBE Yutaka
f503730272 scd:ccid: Call libusb_clear_halt in ccid_vendor_specific_setup.
* scd/ccid-driver.c (ccid_vendor_specific_setup): Only for SPR532,
call libusb_clear_halt.

--

GnuPG-bug-id: 5167
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-09 12:52:08 +09:00
NIIBE Yutaka
ffabc29d5e scd:ccid: Revert the addition of libusb_clear_halt for EP_INTR.
* scd/ccid-driver.c (ccid_setup_intr): Don't call libusb_clear_halt.

--

GnuPG-bug-id: 5167
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-09 12:40:47 +09:00
NIIBE Yutaka
946555ea3c scd:yubikey: Fix support of Yubikey NEO.
* scd/app-openpgp.c (get_public_key): Yubikey NEO also has this issue.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-08 17:45:18 +09:00
NIIBE Yutaka
eda3c688fc agent: Allow decryption with card but no file.
* agent/pkdecrypt.c (agent_pkdecrypt): Support decryption with card
but without a stub key.

--

GnuPG-bug-id: 5170
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-08 15:15:45 +09:00
NIIBE Yutaka
9beab36dfa agent: Clean up the API of agent_pkdecrypt.
* agent/agent.h (agent_pkdecrypt): Use gpg_error_t type.
* agent/pkdecrypt.c (agent_pkdecrypt): Use gpg_error_t type.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2020-12-08 15:06:33 +09:00