security-and-privacy/gnupg
security-and-privacy
/
gnupg
mirror of git://git.gnupg.org/gnupg.git
1
0
Fork 0
Code Releases Activity
9,699 Commits 100 Branches 301 Tags 232 MiB
Commit Graph

1017 Commits

Author SHA1 Message Date
NIIBE Yutaka dd600bbc84 scd: Support specifying keygrip for learn command. 
* scd/command.c (cmd_learn): Allow keygrip argument.

--

GnuPG-bug-id: 6002
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-06-10 13:54:03 +09:00
NIIBE Yutaka 273b8ec193 scd,openpgp: Support READCERT by keygrip. 
* scd/app-openpgp.c (do_readcert): Allow use of keygrip.

--

GnuPG-bug-id: 6002
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-06-10 11:45:26 +09:00
Werner Koch 3a2fb1c306
scd:nks: Don't flag the ESIGN keypair EF as encryption capable. 
* scd/app-nks.c (filelist): Tweak 0x4531.
--

Actually the certificate has no encryption usage but we should also
tell that via KEYINFO so that this key is never tried to create an
encryption certificate.
 2022-06-01 17:55:49 +02:00
Werner Koch b92b3206e7
scd:nks: Some code cleanup. 
* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
(parse_keyref): new.
(do_readcert): Use new function instead of partly duplicated code.
Make detection of keygrip more robust.
(do_readkey): Make detection of keygrip more robust.
(do_with_keygrip): Use get_nks_tag.
--

Also added a couple of comments.
 2022-06-01 17:52:42 +02:00
Werner Koch 07eaf006c2
scd:nks: Support the Telesec ESIGN application. 
* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
(readcert_from_ef): Considere an all zero certificate as not found.
(do_sign): Support ECC and the ESIGN application.
--

This allows me to create qualified signatures using my Telesec card.
There is of course more work to do but this is the first step.

Note: The design of the FID cache needs to be reconsidered.  Until
that the lookup here has been disabled.  The do_sign code should be
revamped to be similar to what we do in app-p15.

GnuPG-bug-id: 5219, 4938
 2022-05-29 15:55:26 +02:00
NIIBE Yutaka 5264d3f58e scd: Return USAGE information for KEYINFO command. 
* scd/command.c (hlp_keyinfo): Update.
(send_keyinfo): Add a USAGE argument.
* scd/scdaemon.h (send_keyinfo): Add a USAGE argument.
* scd/app-nks.c (set_usage_string): New.
(do_learn_status_core, do_readkey): Use set_usage_string.
(do_with_keygrip): Add USAGE to call send_keyinfo,
using set_usage_string.
* scd/app-openpgp.c (get_usage_string): New.
(send_keypair_info): Use get_usage_string.
(send_keyinfo_if_available): Add USAGE to call send_keyinfo,
using get_usage_string.
* scd/app-p15.c (set_usage_string): New.
(send_keypairinfo): Use set_usage_string.
(do_with_keygrip): Add USAGE to call send_keyinfo,
using set_usage_string.
* scd/app-piv.c (do_with_keygrip): Add USAGE to call send_keyinfo.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-05-26 12:01:16 +09:00
NIIBE Yutaka 64c8786105 scd,piv: Fix status report of KEYPAIRINFO. 
* scd/app-piv.c (do_readkey): Use "-" for usage when not available.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-05-26 11:57:31 +09:00
NIIBE Yutaka 052f58422d agent,scd: Make sure to set CONFIDENTIAL flag in Assuan. 
* agent/call-scd.c (inq_needpin): Call assuan_begin_confidential
and assuan_end_confidential, and wipe the memory after use.
* agent/command.c (cmd_preset_passphrase): Likewise.
(cmd_put_secret): Likewise.
* scd/command.c (pin_cb): Likewise.

--

GnuPG-bug-id: 5977
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-05-25 14:53:06 +09:00
NIIBE Yutaka ea97683d58 scd: Support automatic card selection for READCERT with keygrip. 
* scd/command.c (cmd_readcert): Select by KEYGRIP.

--

GnuPG-bug-id: 6003
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-05-24 16:17:01 +09:00
NIIBE Yutaka 1b1684cf61 scd: Fix use of SCardListReaders for PC/SC. 
* scd/apdu.c (apdu_dev_list_start): Initialize NREADER.

--

Reported-by: Ludovic Rousseau
GnuPG-bug-id: 5979
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-05-17 10:19:44 +09:00
NIIBE Yutaka 53eddf9b9e scd: Fail when no good algorithm attribute. 
* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
(change_keyattr): Follow the change.
(app_select_openpgp): Handle the error of parse_algorithm_attribute.

--

This change allows following invocation of app_select_openpgp, which
may work well (if the problem is device side for initial connection).

GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-05-11 11:16:26 +09:00
Werner Koch 5e5df82b5f
scd:openpgp: New card vendor. 
--

BTW, we should add a function to read out the entire table so that you
can ask scdaemon for that list.  iirc,  Kleopatra still uses a copy of
the table.
 2022-05-10 16:21:27 +02:00
Werner Koch 3d7d7e8bfd
scd:p15: Improve the displayed S/N for Technology Nexus cards. 
* scd/app-p15.c (any_control_or_space_mem): New.
(get_dispserialno): Add new code.
--

This works with my test cards and now reflects what's printed on the
front matter of the card.
 2022-05-06 11:43:07 +02:00
Werner Koch 6f612fd5f6
scd:p15: Fix the the sanity check of the displayed S/N. 
* scd/app-p15.c (any_control_or_space): Fix loop.
--

This check is only done to avoid printing wrongly encoded S/N for
human consumption.
e
 2022-05-06 11:39:30 +02:00
NIIBE Yutaka 054d14887e scd: Add workaround for ECC attribute on Yubikey. 
* scd/app-openpgp.c (parse_algorithm_attribute): Skip possibly bogus
octet in a key attribute.

--

GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-05-06 18:27:11 +09:00
Werner Koch bbcca7357b
scd:p15: Fix reading certificates without length info. 
* scd/app-p15.c (readcert_by_cdf): Do not use extended mode if the CDF
object has no length info.  Add debug output when reading a cert.
(read_p15_info): No more need to disable extended mode for GeNUA cards.
 2022-05-05 13:39:03 +02:00
Werner Koch 7dc5693926
scd: New debug flags "card". 
* scd/scdaemon.c (debug_flags): Add "card".
* scd/scdaemon.h (DBG_CARD_VALUE, DBG_CARD): New.
--

Some information from parsing the card are often very helpful.
However, the card_io triggered APDU dumps are in most cases too heavy.
Thus this new debug flag.
 2022-05-05 13:35:56 +02:00
NIIBE Yutaka 2848fe4c84 scd: Fix hard-coded constant for RSA auth. 
* scd/app-openpgp.c (do_auth): Allow larger data for RSA-4096.

--

OpenPGPcard specification says that it will be rejected by the card
when it's larger.  We have been the check on host side too, but it was
written when it only had a support for RSA-2048.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-04-25 11:14:10 +09:00
NIIBE Yutaka e8fb8e2b3e scd: Don't inhibit SSH authentication for larger data if it can. 
* scd/app-openpgp.c (do_auth): Use command chaining if available.

--

GnuPG-bug-id: 5935
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-04-22 11:50:19 +09:00
Werner Koch dd727ec968
scd: Renamed a constant in ccid-driver.c 
* scd/ccid-driver.c (MAX_DEVICE): Rename to CCID_MAX_DEVICE.
--

Just for documentation reasons.
 2022-04-14 10:26:40 +02:00
Werner Koch 6294ae282d
scd: Minor code reorganization 
* scd/ccid-driver.c: Move struct defines to the top.
--
 2022-04-14 10:15:23 +02:00
Werner Koch 8ac92f0e80
scd: Fix memory leak in ccid-driver. 
* scd/ccid-driver.c (ccid_dev_scan): Use loop var and not the count.
--

Due to an assignment out of bounds this might lead to a crash if there
are more than 15 readers.  In any case it fixes a memory leak.
Kudos to the friendly auditor who found that bug.

Fixes-commit: 8a41e73c31
 2022-04-14 10:15:23 +02:00
Werner Koch 618aa8689a
scd:p15: Improve the PIN prompt for Genua cards. 
* scd/app-p15.c (CARD_PRODUCT_GENUA): New.
(cardproduct2str): Add it.
(read_p15_info): Detect and set GENUA
(make_pin_prompt): Take holder string from the AODF.
 2022-04-13 13:06:27 +02:00
Werner Koch 0dcc249852
scd: Support for GeNUA cards. 
* scd/app-p15.c (read_p15_info): Disable extended mode for Genua
cards.
 2022-04-11 17:48:45 +02:00
NIIBE Yutaka f584ad9504 scd,tpm2d: Fix for consistent use of socket FD. 
* scd/command.c (scd_command_handler): Use gnupg_fd_t for the argument
but no INT2FD to listen.  Use GNUPG_INVALID_FD.
* tpm2d/command.c (tpm2d_command_handler): Likewise.
* scd/scdaemon.c (start_connection_thread): Follow the change.
* tpm2d/tpm2daemon.c (start_connection_thread): Likewise.
* scd/scdaemon.h (scd_command_handler): Use gnupg_fd_t.
* tpm2d/tpm2daemon.h (tpm2d_command_handler): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-03-31 21:03:13 +09:00
NIIBE Yutaka a67a09be30 scd,w32: Fix socket resource leak. 
* scd/scdaemon.c (main): Use gnupg_fd_t for socket, and use
assuan_sock_close for the socket allocated by assuan_sock_new.
(handle_connections): Use gnupg_fd_t for listen_fd.
Use assuan_sock_close for the socket by npth_accept.

--

GnuPG-bug-id: 5029
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-03-29 09:55:02 +09:00
NIIBE Yutaka c6dd9ff929 scd: Fix DEVINFO with no --watch. 
* scd/app.c (app_send_devinfo): Fix for outputing once.
* scd/command.c (hlp_devinfo): Fix comment.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-03-15 15:19:11 +09:00
NIIBE Yutaka 665b59a066 Fix previous commit. 
--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-03-11 14:09:22 +09:00
NIIBE Yutaka 934864d399 scd: Enhance PASSWD command to accept KEYGRIP optionally. 
* scd/command.c (cmd_passwd): Handle KEYGRIP optionally.

--

GnuPG-bug-id: 5862
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-03-10 11:11:38 +09:00
NIIBE Yutaka d577ed2956 scd: Use same idiom for same work. 
* scd/command.c (cmd_serialno, cmd_getattr): Use 'while' instead of
'for'.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-03-10 11:02:11 +09:00
NIIBE Yutaka 58e6990eaa scd: Fix PK_AUTH with --challenge-response option. 
* scd/app.c (app_auth): It's only APPTYPE_OPENPGP which supports
the challenge response interaction.
* scd/command.c (cmd_pkauth): It only wants if it works or not.

--

GnuPG-bug-id: 5862
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-03-04 10:11:38 +09:00
NIIBE Yutaka 44621120a2 scd: Add --challenge-response option to PK_AUTH for OpenPGP card. 
* scd/app-openpgp.c (rmd160_prefix, sha1_prefix, sha224_prefix)
(sha256_prefix, sha384_prefix, sha512_prefix): Move the scope up.
(gen_challenge): New.
(do_auth): Support challenge-response check if it signs correctly.
* scd/app.c (app_auth): Remove the check INDATA and INDATALEN.
* scd/command.c (cmd_pkauth): Support --challenge-response option.

--

GnuPG-bug-id: 5862
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-03-03 17:45:49 +09:00
NIIBE Yutaka 8e650dbd48 scd: Let READKEY support --format=ssh option. 
* scd/command.c (do_readkey): Support --format=ssh option.
* common/ssh-utils.c (ssh_public_key_in_base64): New.
* common/ssh-utils.h (ssh_public_key_in_base64): New declaration.

--

Code duplication (agent/command-ssh.c) will be cleaned up later.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-03-02 14:07:46 +09:00
Werner Koch 597253ca17
scd:p15: Used extended mode already for RSA 2048 
* scd/app-p15.c (do_sign, do_decipher): Replace GT by GE.
--
 2022-02-21 12:17:08 +01:00
NIIBE Yutaka f9c9938b28 scd,pcsc: Fix error handling for a reader with reader-port. 
* scd/apdu.c (apdu_open_reader): Make sure dl->idx is always
incremented to handle error from open_pcsc_reader correctly.

--

Reported-by: Anže Jenšterle
GnuPG-bug-id: 5758
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2022-01-04 14:56:29 +09:00
NIIBE Yutaka a575b0aba5 scd:openpgp: Support longer data for INTERNAL_AUTHENTICATE. 
* scd/app-openpgp.c (do_auth): Use extended Lc, when supported.

--

GnuPG-bug-id: 5682
Co-authored-by: Klas Lindfors
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2021-11-15 11:40:41 +09:00
Jakub Jelen c0b1bcc5c6 scd: Avoid memory leak. 
* scd/command.c (cmd_readkey): Free allocated memory on failure path.

--

GnuPG-bug-id: 5393
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
 2021-11-12 15:35:38 +09:00
Werner Koch c36f9917bb
scd: Add new OpenPGP card vendor. 
--
 2021-11-04 16:35:41 +01:00
NIIBE Yutaka 49f7fcb90b scd: Simplify the loop of DEVINFO. 
* scd/app.c (app_send_devinfo): Factor out lock/unlock.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2021-11-02 14:06:16 +09:00
NIIBE Yutaka 99e00ec6db scd: Fix the previous commit. 
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2021-10-29 11:47:17 +09:00
NIIBE Yutaka 48e824b6ea scd: Modify DEVINFO behavior to support looping forever. 
* scd/app.c (struct mrsw_lock): Add notify_cond member.
(notify_cond): Remove.
(card_list_r_lock, card_list_r_unlock): Rename.
(card_list_w_lock, card_list_w_unlock): Rename.
(card_list_signal, card_list_wait): New, fixing thinko about
notify/wakeup with MRSW lock.
(app_send_devinfo): Support looping.
(select_application): Notify app_send_devinfo thread for newly
detected device.
(initialize_module_command): Initialize notify_cond member.
(app_wait): Remove.
* scd/command.c (cmd_devinfo): Use new API of app_send_devinfo.
* scd/scdaemon.h (app_wait): Remove.

--

GnuPG-bug-id: 5359
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2021-10-29 10:58:26 +09:00
NIIBE Yutaka 3918fa1a94 agent,dirmngr,kbx,scd,tpm2d: Use gnupg_sleep. 
* agent/findkey.c (unprotect): Use gnupg_sleep.
* agent/gpg-agent.c (handle_connections): Likewise.
* dirmngr/crlfetch.c (handle_connections): Likewise.
* kbx/keyboxd.c (handle_connections): Likewise.
* tpm2d/tpm3daemon.c (handle_connections): Likewise.
* scd/scdaemon.c (handle_connections): Likewise.
* scd/command.c (cmd_lock): Likewise.
* dirmngr/ldap-wrapper.c (ldap_reaper_thread): Likewise.
(ldap_wrapper_wait_connections): Use gnupg_usleep.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2021-10-05 14:05:56 +09:00
Werner Koch 255d4d5815
sm: Add LotW support to the key listing 
* sm/certdump.c (parse_dn_part): Translate OID to "Callsign"
* sm/keylist.c (oidtranstbl): Some more OIDs.
--

This is Ham thingy to make it easier to read LotW certificates.

Signed-off-by: Werner Koch <wk@gnupg.org>
 2021-09-09 13:30:22 +02:00
NIIBE Yutaka 1565baa93a scd: Don't release the context until list_finish for PC/SC. 
* scd/apdu.c (apdu_dev_list_start): Increment PCSC.COUNT here.
(apdu_dev_list_finish): Decrement PCSC.COUNT.

--

GnuPG-bug-id: 5416
Fixes-commit: 32baa9acfb
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2021-08-20 15:22:28 +09:00
NIIBE Yutaka 5c8124b8b9 scd: Small clean up for card access. 
* scd/app.c (app_get_challenge): Remove the check to ref_count.
* scd/command.c (send_client_notifications): Update comments.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2021-07-22 11:22:47 +09:00
NIIBE Yutaka 50ad29f9a7 scd: Fix direct use of card with no ctrl->card_ctx. 
* scd/app.c (maybe_switch_app): Remove check of ref_count.

--

Fixes-commit: 0d6b4210cf
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2021-07-22 09:43:30 +09:00
NIIBE Yutaka 0d6b4210cf scd: Fix access to list of cards (3/3). 
* scd/app-common.h (card_reset): Simplify more.
(select_additional_application): Supply CARD.
(card_ref, card_unref): Remove.
(card_get, card_put): New.
* scd/app.c (card_reset): No locking/unlocking inside.
(app_switch_current_card): Fix comment.
(select_additional_application): No locking/unlocking inside.
(do_with_keygrip): New, unlocked version.
(card_get): New, with support of KEYGRIP.
(card_unref): Remove.
(card_put): New.
(app_write_learn_status, app_readcert: No locking/unlocking inside.
(app_readkey, app_getattr, app_setattr, app_sign, app_auth): Likewise.
(app_decipher, app_writecert, app_writekey): Likewise.
(app_genkey, app_get_challenge, app_change_pin): Likewise.
(app_check_pin, app_switch_active_app): Likewise.
* scd/command.c (do_reset): Use card_get/card_put.
(open_card_with_request): Use card_get/card_put, return CARD locked.
(cmd_serialno): Follow the change of open_card_with_request.
(cmd_switchapp): Use card_get/card_put.
(cmd_learn, cmd_readcert, cmd_readkey, cmd_pksign): Likewise.
(cmd_pkauth, cmd_pkdecrypt, cmd_getattr): Likewise.
(cmd_setattr, cmd_writecert, cmd_writekey): Likewise.
(cmd_genkey, cmd_random, cmd_passwd): Likewise.
(cmd_checkpin, cmd_getinfo, cmd_restart): Likewise.
(cmd_disconnect, cmd_apdu, cmd_devinfo): Likewise.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2021-07-21 17:22:26 +09:00
NIIBE Yutaka b436fb6766 scd: Fix access to list of cards (2/3). 
* scd/app-common.h (card_reset, select_application): Simplify.
* scd/app.c (card_reset, select_application): Simplify.
* scd/command.c (do_reset): Follow the change.
(open_card, open_card_with_request): Follow the change.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2021-07-21 15:59:03 +09:00
NIIBE Yutaka 216945a80e scd: Fix access to list of cards (1/3). 
* scd/app.c (card_list_lock): Use MRSW lock.
(lock_r_card_list, unlock_r_card_list): New.
(lock_w_card_list, unlock_w_card_list): New.
(app_dump_state, app_send_devinfo): Use the MRSW lock.
(select_application, app_switch_current_card): Likewise.
(scd_update_reader_status_file): Likewise.
(initialize_module_command, send_card_and_app_list): Likewise.
(app_do_with_keygrip, app_wait): Likewise.

--

GnuPG-bug-id: 5524
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
 2021-07-21 15:34:16 +09:00
Werner Koch 924c8221fb
scd: Silence compiler waring about unused args. 
--
 2021-07-08 14:11:10 +02:00