1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

1342 Commits

Author SHA1 Message Date
Werner Koch
c3bab200d9
Require gpgrt 1.51
* configure.ac (NEED_GPGRT_VERSION): Bump to 1.51.

* g10/keydb.c (internal_keydb_update_keyblock) [!USE_TOFU]: Mark an
arg unused.
* common/homedir.c (create_common_conf) [!BUILD_WITH_KEYBOXD]: Mark an
arg unused.
2024-12-04 11:04:41 +01:00
Werner Koch
7b0be541a9
w32: Introduce Registry key GNUPG_ASSUME_COMPLIANCE.
* common/compliance.c (get_assumed_de_vs_compliance): Also consider a
registry entry.
--

On Windows it is easier to set the registry key than to use an envvar.
2024-12-04 11:02:33 +01:00
Werner Koch
73f3d98444
common: Change daemon startup timeout from 5 to 8 seconds.
* common/asshelp.c (SECS_TO_WAIT_FOR_AGENT): Change from 5 to 8
seconds.
(SECS_TO_WAIT_FOR_KEYBOXD): Ditto.
(SECS_TO_WAIT_FOR_DIRMNGR): Ditto.
--

Experience on Windows showed that right after re-booting we may need
some more time to get things up.
2024-11-25 10:37:02 +01:00
Werner Koch
e5f450f3bb
gpg: Consider Kyber to be de-vs compliant.
* common/compliance.c (gnupg_pk_is_compliant) <CO_DE_VS>: Consider
Brainpool Kyber variants compliant.
(gnupg_pk_is_allowed): Ditto.
(assumed_de_vs_compliance): Remove variable.
(get_assumed_de_vs_compliance): New.
(get_compliance_cache): Use new accessor.
(gnupg_status_compliance_flag): Ditto.
--

Use

  GNUPG_ASSUME_COMPLIANCE=de-vs gpg --compliance=de-vs ....

for testing.  This returns 2023 instead of 23 to indicate the
non-approval state.

GnuPG-bug-id: 6638
2024-11-14 15:15:11 +01:00
Werner Koch
51b7bb9106
common: Fix test for the assumed compliance.
* common/compliance.c (gnupg_status_compliance_flag): Fix test.
--

In general the cache is used to query this flag but in this function
it is used directly and we need to adjust the test.

Thanks to Ingo for reporting this.
2024-10-21 17:08:59 +02:00
NIIBE Yutaka
71840b57f4
common: Fix a race condition in creating socketdir.
* common/homedir.c (_gnupg_socketdir_internal): Check return code
of gnupg_mkdir and handle the case of GPG_ERR_EEXIST.

--

GnuPG-bug-id: 7332
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-10-16 10:04:18 +09:00
NIIBE Yutaka
57dce1ee62
common,gpg,scd,sm: Fix for Curve25519 OID supporting new and old.
* common/util.h (openpgp_curve_to_oid): Add new argument to select OID
by OpenPGP version.
* common/openpgp-oid.c (openpgp_curve_to_oid): Implement returning
selected OID for Curve25519.
* common/openpgp-fpr.c (compute_openpgp_fpr_ecc): Follow the change,
selecting by the version.
* g10/export.c (match_curve_skey_pk): Likewise.
(transfer_format_to_openpgp): Likewise.
* g10/gpg.c (list_config): Likewise, print new OID.
* g10/keygen.c (ecckey_from_sexp): Likewise, selecting by the version.
* sm/encrypt.c (ecdh_encrypt): Likewise, don't care.
* sm/minip12.c (build_ecc_key_sequence): Likewise, new OID.
* scd/app-openpgp.c (ecdh_params, gen_challenge): Likewise, don't
care.
(ecc_read_pubkey, change_keyattr_from_string, ecc_writekey): Likewise,
old OID.

--

GnuPG-bug-id: 7316
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-10-08 15:25:41 +09:00
NIIBE Yutaka
f5703994d4
common,gpg,scd,sm: Use openpgp_oid_or_name_to_curve to get curve.
* common/sexputil.c (pubkey_algo_string): Use
openpgp_oid_or_name_to_curve.
* g10/card-util.c (current_card_status, ask_card_keyattr): Likewise.
* scd/app-piv.c (writekey_ecc): Likewise.
* sm/fingerprint.c (gpgsm_get_key_algo_info): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-10-08 14:58:29 +09:00
Werner Koch
b287fb5775
Implement GNUPG_ASSUME_COMPLIANCE envvar for testing
* common/compliance.c (assumed_de_vs_compliance): New.
(get_compliance_cache): Check envvar and fake compliance.
(gnupg_status_compliance_flag): Return 2023 for de-vs if in faked
mode.
* g10/gpg.c (gpgconf_list): For compliance_de_vs return 23 or 2023.
--

The user visible changes are that

   GNUPG_ASSUME_COMPLIANCE=de-vs gpgconf --list-options gpg \
     | awk -F: '$1=="compliance_de_vs" {print $8}'

returns 2023 if "compliance de-vs" is found in gpg.conf.  If
eventually the software is arpproved the returned value will be 23 and
not 1 as it was before.  Consumers should check whether they see value
of true (Kleopatra does this right now) and also check whether the
value is > 2000 and in this case print a beta/non-approved warning.

The envvar is currently used to assume that the underlying libgcrypt
is compliant and approved.  This is not yet the case but eventually
libgcrypt will announce this itself and from then on the envvar is not
anymore required for testing.
2024-10-07 09:59:26 +02:00
NIIBE Yutaka
a269a27c4c
common: Fix gnupg_exec_tool_stream for INEXTRA==NULL.
* common/exectool.c (gnupg_exec_tool_stream): Initialize extrapipe.

--

Fixes-commit: af6c47b2910f394faf582800d60d88e9b4dcf834
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-09-25 11:17:51 +09:00
Werner Koch
11387b24a5
common: Add debug code to gnupg_exec_tool_stream
* common/exectool.c (gnupg_exec_tool_stream): Add diagnostic.
--

This should help if something is broken with poll.
2024-09-24 15:26:58 +02:00
Werner Koch
2125f228d3
build: Remove configure option --enable-gpg-is-gpg2
* configure.ac (--enable-gpg-is-gpg2): Remove option.
(USE_GPG2_HACK): Remove var.
* common/homedir.c (gnupg_module_name): Remove code for gpg2
installation option.
* g10/keygen.c (generate_keypair): Ditto.
* g10/Makefile.am (noinst_PROGRAMS): Ditto.
* doc/gpg.texi: Ditto.
* doc/gpgv.texi: Ditto.
--

This option and all its build stuff does not make anymore sense.  gpg1
is way too old for anyone to use on a regualar base along with a
standard gpg.  It is better to rename that single gpg (1.4) binary to
gpg1 and adjust any scripts.
2024-09-11 14:30:40 +02:00
Werner Koch
8896bbd0f9
gpg: Switch Kyber to the final algo id and add it to the menu.
* common/openpgpdefs.h (pubkey_algo_t): Switch algo id for Kyber to 8.
* g10/keygen.c (do_generate_keypair): Remove the experimental algo
note ...
(write_keybinding): and the experimental notation data.
(ask_algo): Add a mode 16 for a Kyber subkey.
(generate_subkeypair): Set parameters for mode 16.
--

GnuPG-bug-id: 6815
2024-08-27 10:44:17 +02:00
Werner Koch
41b06b5579
common: Do not call the agent with the obsolete --use-standard-socket.
* common/asshelp.c (start_new_service): Drop that option.
--

This avoids a useless warnings.
2024-08-22 18:30:51 +02:00
Werner Koch
690fd61a0c
sm: More improvements for PKCS#12 parsing for latest IVBB changes.
* common/tlv.h (TLV_PARSER_FLAG_T5793): New.
(tlv_parser_new): New macro.  Rename function with an underscore.
(tlv_next_with_flag): New.
* common/tlv-parser.c (struct tlv_parser_s): Remove const from buffer.
Add fields crammed, lasttlv, and origoff.  Remove bufferlist ands ist
definition.
(dump_to_file): New but disabled debug helper.
(parse_tag): Print more info on error.
(_tlv_parser_new): Add args lasttlv and LNO.  Take a copy of the data.
(_tlv_parser_release): Free the copy of the buffer and return the
recorded TLV object from tlv_parser_new.
(_tlv_peek, tlv_parser_peek, _tlv_parser_peek_null): Remove.
(_tlv_push): Record crammed length.
(_tlv_pop): Restore crammed length.
(_tlv_parser_next): Add arg flags.  More debug output.  Handle cramming
here.  Take care of cramming here.
(tlv_expect_object): Simplify to adjust for changes in _tlv_parser_next.
(tlv_expect_octet_string): Remove arg encapsulates.  Adjust for
changes in _tlv_parser_next.  Change all allers.
(tlv_expect_null): New.
(cram_octet_string): Rewrite.
(need_octet_string_cramming): Remove.

* sm/minip12.c (dump_to_file): New.  Enablein debug mode and if a
envvar ist set.  Replace all explict but disabled dumping to call this
function.
(parse_bag_encrypted_data): Replace tlv_peek_null and a peeking for an
optional SET by non-peeking code.
(parse_cert_bag): Ditto.
(parse_shrouded_key_bag): Replace tlv_peek_null by non-peeking code.
(parse_bag_encrypted_data): Use the new TLV_PARSER_FLAG_T5793 to
enable the Mozilla workaround.
(parse_bag_encrypted_data): Replace the 'renewed_tlv' code by the new
tlv_parser_release semantics.
(parse_shrouded_key_bag): Ditto.
(parse_shrouded_key_bag): Create a new context instead of using the
former encapsulated mechanism for tlv_expect_octet_string.
(parse_bag_data): Ditto.
(p12_parse): Ditto.
--

GnuPG-bug-id: 7213

Fixing this took way too long; I should have earlier explained the
code to a co-hacker to find the problem myself in my code by this.
2024-08-06 17:51:01 +02:00
Werner Koch
ea123af9b5
Revert "common: Fix tlv-parser for constructed OCTET-STRING."
--
This reverts commit cc78b26a4729db2280334214e21a8847e95d2ab0.
2024-07-23 13:54:15 +02:00
Jakub Jelen
4bdd43fdca
dotlock: Avoid leaking directory handle.
* common/dotlock.c (dotlock_detect_tname): Close directory on errors.

--

GnuPG-bug-id: 7201
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
2024-07-22 13:38:09 +09:00
NIIBE Yutaka
cc78b26a47
common: Fix tlv-parser for constructed OCTET-STRING.
* common/tlv-parser.c (tlv_expect_octet_string): Fix assignment of N
value.

--

Before the change, need_octet_string_cramming returns always false,
because N==0.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-07-12 15:57:48 +09:00
NIIBE Yutaka
2b19474aab
common: On Windows, we care about how PIPE handles are inherited.
* agent/gpg-agent.c (handle_connections): It's for POSIX.
* kbx/keyboxd.c (handle_connections): Ditto.
* scd/app.c (handle_connections): Ditto.
* scd/scdaemon.c (handle_connections): Ditto.
tpm2d/tpm2daemon.c (handle_connections): Ditto.
* tests/gpgscm/ffi.c (do_pipe): Use GNUPG_PIPE_BOTH.
(do_inbound_pipe): Use GNUPG_PIPE_INBOUND.
(do_outbound_pipe): Use GNUPG_PIPE_OUTBOUND.
* common/call-gpg.c (_gpg_encrypt): Specify outbound and inbound.
(_gpg_decrypt): Likewise.
* common/exechelp-posix.c (gnupg_create_pipe): Add an argument.
* common/exechelp-w32.c (create_pipe_and_estream): Care about
how PIPE handles are inherited to child process.
(gnupg_create_pipe): Add an argument.
* common/exechelp.h: Add enum values.

--

Fixes-commit: af6c47b2910f394faf582800d60d88e9b4dcf834
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-07-09 15:15:13 +09:00
NIIBE Yutaka
af6c47b291
common,kbx,tests: Clean up the PIPE function API.
* common/call-gpg.c (_gpg_encrypt, _gpg_decrypt): Simply, use
gnupg_create_pipe.
* tests/gpgscm/ffi.c (do_inbound_pipe): Likewise.
* common/exechelp.h (gnupg_create_inbound_pipe): Use gnupg_fd_t
for native pipe descriptor and don't expose other end of pipe.
(gnupg_create_outbound_pipe): Ditto.
* common/exechelp-posix.c (create_pipe_and_estream): Clean up.
(gnupg_create_inbound_pipe): Fail if R_FD or R_FP is NULL.
(gnupg_create_outbound_pipe: Ditto.
* common/exechelp-w32.c (create_pipe_and_estream): Clean up.
(gnupg_create_inbound_pipe): Fail if R_FD or R_FP is NULL.
(gnupg_create_outbound_pipe: Ditto.
(gnupg_create_pipe): Move the code from original
create_pipe_and_estream to call _open_osfhandle.
* common/exectool.c (gnupg_exec_tool_stream): Follow the change of
API.
* kbx/kbx-client-util.c (prepare_data_pipe): Likewise.

--

GnuPG-bug-id: 7194
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-07-09 10:41:03 +09:00
NIIBE Yutaka
953dd67368
Use gpgrt_process_spawn API from libgpg-error.
* agent/genkey.c (do_check_passphrase_pattern): Use the gpgrt API.
* common/asshelp.c (start_new_service): Ditto.
* common/exechelp.h: Remove gnupg_process_spawn API.
* common/exechelp-posix.c: Remove gnupg_process_spawn implementation.
* common/exechelp-w32.c: Likewise.
* common/exectool.c (gnupg_exec_tool_stream): Use the gpgrt API.
* common/t-exechelp.c (test_pipe_stream): Remove.
* dirmngr/ldap-wrapper.c (destroy_wrapper, ldap_reaper_thread): Use
the gpgrt API.
(ldap_wrapper_connection_cleanup, ldap_wrapper): Ditto.
* dirmngr/ldap.c, g10/call-keyboxd.c: No need to include exechelp.h.
* g10/photoid.c (run_with_pipe, show_photo): Use the gpgrt API.
* g13/be-encfs.c (run_umount_helper, run_encfs_tool): Ditto.
* g13/g13.c, g13/mount.c, g13/runner.c: No need to include exechelp.h.
* scd/apdu.c: No need to include exechelp.h.
* scd/app.c (report_change): Use the gpgrt API.
* sm/export.c, sm/import.c: No need to include exechelp.h.
* tests/gpgscm/ffi.c (proc_object_finalize, proc_wrap)
(do_process_spawn_io, do_process_spawn_fd, do_process_wait): Use the
gpgrt API.
* tools/gpg-auth.c: No need to include exechelp.h.
* tools/gpg-card.c (cmd_gpg): Use the gpgrt API.
* tools/gpg-connect-agent.c: No need to include exechelp.h.
* tools/gpg-mail-tube.c (mail_tube_encrypt, prepare_for_appimage)
(start_gpg_encrypt): Use the gpgrt API.
* tools/gpgconf-comp.c (gpg_agent_runtime_change)
(scdaemon_runtime_change, tpm2daemon_runtime_change)
(dirmngr_runtime_change, keyboxd_runtime_change)
(gc_component_launch, gc_component_check_options)
(retrieve_options_from_program): Ditto.
* tools/gpgconf.c (show_versions_via_dirmngr): Ditto.
* tools/gpgtar-create.c (gpgtar_create): Ditto.
* tools/gpgtar-extract.c (gpgtar_extract): Ditto.
* tools/gpgtar-list.c (gpgtar_list): Ditto.

--

GnuPG-bug-id: 7192
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-07-09 10:04:16 +09:00
Werner Koch
6a40cfa6c0
gpg: Print a warning if the (draft) Kyber algorithm is used.
* g10/keygen.c (do_generate_keypair): Check for draf Kyber stuff.
2024-07-05 11:12:12 +02:00
NIIBE Yutaka
e02880d512
common:w32: Fix for 64-bit Windows.
* common/exectool.c (gnupg_exec_tool_stream): 64-bit Windows is LLP64.

--

GnuPG-bug-id: 7139
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-06-06 08:56:27 +09:00
NIIBE Yutaka
8624482160
common:w32: Fix INEXTRA handling.
* common/exectool.c (gnupg_exec_tool_stream): On Windows, it's
HANDLE which a child process inherits.

--

GnuPG-bug-id: 7139
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-06-04 14:53:10 +09:00
Werner Koch
d2dca58338
common: New function tokenize_to_strlist.
* common/strlist.c (append_to_strlist_try): Factor code out to ...
(do_append_to_strlist): new.
(tokenize_to_strlist): New.

* common/t-strlist.c (test_tokenize_to_strlist): New.
2024-05-31 17:36:41 +02:00
Daniel Kahn Gillmor
42b0e9558a
indent: Fix spelling
--

These are non-substantive corrections for minor spelling mistakes
within the GnuPG codebase.

With something like this applied to the codebase, and a judiciously
tuned spellchecker integrated as part of a standard test suite, it
should be possible to keep a uniform orthography within the project.

GnuPG-bug-id: 7116
2024-05-31 12:28:32 +02:00
NIIBE Yutaka
fc3fde1bde
spawn: Remove spawn callback, introduce gnupg_spawn_actions.
* common/exechelp-posix.c (call_spawn_cb): Remove.
(gnupg_spawn_actions_new, gnupg_spawn_actions_release)
(gnupg_spawn_actions_set_environ, gnupg_spawn_actions_set_atfork)
(gnupg_spawn_actions_set_redirect)
(gnupg_spawn_actions_set_inherit_fds): New.
(my_exec, spawn_detached): Use spawn actions.
(gnupg_spawn_helper): Remove.
(gnupg_process_spawn): Remove callback, introduce gnupg_spawn_actions.
* common/exechelp-w32.c: Ditto.
* common/exechelp.h: Ditto.
* agent/genkey.c (do_check_passphrase_pattern): Follow the change of
gnupg_process_spawn API.
* common/asshelp.c (start_new_service): Likewise.
* common/exectool.c (gnupg_exec_tool_stream): Likewise.
* common/t-exechelp.c (test_pipe_stream): Likewise.
* dirmngr/ldap-wrapper.c (ldap_wrapper): Likewise.
* g10/photoid.c (run_with_pipe): Likewise.
* scd/app.c (report_change): Likewise.
* tests/gpgscm/ffi.c (do_process_spawn_io, do_process_spawn_fd):
Likewise.
* tools/gpg-card.c (cmd_gpg): Likewise.
* tools/gpgconf-comp.c (gpg_agent_runtime_change): Likewise.
(scdaemon_runtime_change, tpm2daemon_runtime_change)
(dirmngr_runtime_change, keyboxd_runtime_change)
(gc_component_launch, gc_component_check_options)
(retrieve_options_from_program): Likewise.
* tools/gpgconf.c (show_versions_via_dirmngr): Likewise.
* tools/gpgtar-create.c (gpgtar_create): Likewise.
* tools/gpgtar-extract.c (gpgtar_extract): Likewise.
* tools/gpgtar-list.c (gpgtar_list): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-05-31 15:36:39 +09:00
NIIBE Yutaka
34045ed9e1
common: Fix process termination check at release.
* src/exechelp-posix.c (gnupg_process_release): When NOT terminated,
terminate and wait.
* src/exechelp-w32.c (gnupg_process_release): Likewise.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-05-30 13:39:31 +09:00
NIIBE Yutaka
0cb7f6fbb7
common: Remove unused function.
* common/exechelp-posix.c (my_error): Remove.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-05-15 11:57:49 +09:00
NIIBE Yutaka
9128d81bb7
agent:kem:ecc: Support a key on smartcard.
* agent/agent.h (agent_card_ecc_kem): New.
* agent/divert-scd.c (agent_card_ecc_kem): New.
* agent/pkdecrypt.c (ecc_extract_pk_from_key): New.
(ecc_extract_sk_from_key): New.
(ecc_raw_kem, get_cardkey, ecc_get_curve): New.
(ecc_pgp_kem_decrypt): Support a key on smartcard for ECC.
(composite_pgp_kem_decrypt): Handle a case of a key on smartcard.
* common/sexputil.c (get_ecc_curve_from_key): New.
* common/util.h (get_ecc_curve_from_key): New.

--

GnuPG-bug-id: 7097
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-04-26 14:18:03 +09:00
Werner Koch
dd650b2c7b
gpg: Support Kyber with Brainpool512r1.
* common/openpgp-oid.c (oidtable): Add GCRY_KEM_RAW_BP512.
* agent/pkdecrypt.c (ecc_table): Support bp512
* g10/pkglue.c (do_encrypt_kem): Ditto.

* tests/openpgp/samplekeys: Add sample keys for kyber_bp256, bp384,
and bp512.
* tests/openpgp/privkeys: Add corresponding private keys.
* tests/openpgp/samplemsgs:  Add sample messages for those keys.
--

GnuPG-bug-id: 6815
2024-04-23 17:41:28 +02:00
Werner Koch
32ec480024
gpg: Support encryption with kyber_bp256 and kyber_bp384
* common/openpgp-oid.c (oidtable): Support KEM for bp256 and bp384.
* g10/pkglue.c (do_encrypt_kem): Ditto.
--

GnuPG-bug-id: 6815

Note, this needs the very latest Libgcrypt to work properly
2024-04-23 16:25:05 +02:00
Werner Koch
54741685ce
Remove the deprecated gcry_set_log_handler.
* common/miscellaneous.c (my_gcry_logger): Remove.
(setup_libgcrypt_logging): Do not call the deprecated
gcry_set_log_handler.
* kbx/kbxutil.c (my_gcry_logger): Remove.
* tools/no-libgcrypt.c (gcry_set_log_handler): Remove stub.
2024-04-23 16:21:49 +02:00
Werner Koch
e591fd25ad
gpg: Support encryption with kyber_cv448.
* g10/pkglue.c (do_encrypt_kem): Support cv25519 w/o 0x40
prefix. Support X448.
(ECC_POINT_LEN_MAX): New.
(ECC_HASH_LEN_MAX): New.
* common/openpgp-oid.c (oidtable): Support X448 KEM.
--

This needs more work.  For example we should use a parameter table
like what we do in agent/pkdecrypt.c.

GnuPG-bug-id: 6815
2024-04-23 11:31:49 +02:00
Werner Koch
f305e703d5
Require Libgcrypt 1.11.0
* configure.ac (NEED_LIBGCRYPT_VERSION): Set to 1.11.0
* agent/pkdecrypt.c (struct ecc_params): Move constants to the top.
--

It does not make anymore sense to allow building with older Libgcrypt
versions.  After all PQ key support is a major feature and for this we
need Libgcrypt.
2024-04-23 11:09:40 +02:00
Werner Koch
ba3c873934
gpg: Prepare Kyber encryption code for more variants.
* common/openpgp-oid.c (oidtable): Add field kem_algo.
(openpgp_oid_to_kem_algo): New.
* g10/pkglue.c (do_encrypt_kem): Add support for Kyber1024.
--
GnuPG-bug-id: 6815
2024-04-18 14:37:40 +02:00
Werner Koch
4e32ff209d
gpg: Fix minor Kyber display things.
* common/compliance.c (gnupg_pk_is_compliant): Make Kyber known.
* g10/misc.c (openpgp_pk_algo_name): Add "Kyber".
2024-04-15 13:25:07 +02:00
Werner Koch
4c20d2d273
gpg: Add arg session_algo to pk_decrypt.
* common/kem.c: Move constants to the top.  Add some documentation.
* g10/pkglue.c (pk_encrypt): Add arguments session_key and factor code
out to ...
(do_encrypt_rsa_elg): here,
(do_encrypt_ecdh): and here,
(do_encrypt_kem): and here.
* g10/encrypt.c (write_pubkey_enc): Call with session key algorithm.
--

This makes it easier to review the code.
2024-04-15 09:23:54 +02:00
Werner Koch
84ddb24e30
gpg: Make Kyber creation more flexible.
* common/openpgp-oid.c (openpgp_is_curve_supported): Allow the
abbreviated curve name.
* g10/pkglue.c (pk_encrypt): Add debug output.
* g10/seskey.c (encode_session_key): Handle Kyber session key like
ECDH.  This is just a stub.
* g10/keygen.c (ecckey_from_sexp): Use the modern OID for cv25519.
(parse_key_parameter_part): Allow more Kyber variants.
--

Test by creating an ed25519 key and using

 gpg --quick-add-key --batch --passphrase ""  <fingerprint> <algo>

to create several subkeys.  Tested with ALGOs:

  kyber768
  kyber1024
  ky768_cv25519
  ky768_bp256
  kyber768_nistp256
  ky1024_cv448

All curves capable of encryption should work.

GnuPG-bug-id: 6815
2024-04-10 08:48:49 +02:00
NIIBE Yutaka
aee6b1131b
common: Rename to kem.c from kmac.c.
* common/Makefile.am (common_sources): Fix to kem.c.
* common/kem.c: Rename.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-04-10 11:14:25 +09:00
NIIBE Yutaka
04b81ec236
common,agent: Factor out KEM functions into common/kem.c.
* common/util.h (compute_kmac256): Remove.
(gnupg_ecc_kem_kdf, gnupg_kem_combiner): New.
* common/kmac.c (compute_kmac256): Don't expose.
(gnupg_ecc_kem_kdf, gnupg_kem_combiner): New.
* agent/pkdecrypt.c (agent_hybrid_pgp_kem_decrypt): Use
gnupg_ecc_kem_kdf and gnupg_kem_combiner.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-04-10 11:09:29 +09:00
Werner Koch
03d53c88cc
gpg: Allow to create a Kyber key from keygrips.
* agent/cvt-openpgp.c (extract_private_key): Support Kyber algorithms.
* common/openpgp-oid.c (map_gcry_pk_to_openpgp): Map KEM to Kyber.
* common/sexputil.c (get_pk_algo_from_key): Increase buffer for use
with "kyber1024".
* g10/call-agent.c (agent_get_keyinfo): Fix warning.
* g10/keygen.c (do_create_from_keygrip): Support Kyber.
(ask_algo): Ditto.
--

To test create a standard key and the use --edit-key and "addkey" with
selection 13 and use the comma delimited keygrips.

GnuPG-bug-id: 7014
2024-04-05 16:16:53 +02:00
Werner Koch
97f5159495
gpg: Initial support for generating Kyber subkeys.
* common/openpgpdefs.h (PUBKEY_ALGO_KY768_25519): Remove.
(PUBKEY_ALGO_KY1024_448): Remove.
(PUBKEY_ALGO_KYBER): New.  Use them everywhere instead of the removed.

* g10/build-packet.c (gpg_mpi_write_nohdr): Rename to
(gpg_mpi_write_opaque_nohdr): this.  Change callers.
(gpg_mpi_write_opaque_32): New.
(do_key): Support Kyber keys using the revised format.
* g10/gpg.h (MAX_EXTERN_KEYPARM_BITS): New.
* g10/parse-packet.c (read_octet_string): Add arg nbytes so support
reading with a length prefix.  Adjust callers.
(parse_key): Parse Kyber public keys.
* g10/misc.c (pubkey_get_npkey): Support Kyber.
(pubkey_get_nskey): Ditto.

* g10/keyid.c (pubkey_string): Support dual algorithms.
(do_hash_public_key): Support Kyber.
(nbits_from_pk): Ditto.
(keygrip_from_pk): Return the Kyber part for the ECC+Kyber dual algo.

* g10/keygen.c (struct common_gen_cb_parm_s): Add genkey_result2.
Note that this callback is not yet used.
(ecckey_from_sexp): Add optional arg sexp2 and use it for Kyber.
Change callers.
(ecckey_from_sexp): Do not leak LIST in case of an error.
(common_gen): Add arg keyparms2, change callers, and support Kyber.
(gen_kyber): New.
(get_keysize_range): Support Kyber.
(fixup_keysize): Simplify and support Kyber.
(do_create): Handle Kyber.
(parse_key_parameter_part): Remove algo strings "ky768" and "ky1024"
and add a generic "kyber" with default parameters.
--

This uses a revised format which is more aligned with the usual
OpenPGP structure.  A lot of things are still missing.  For example
support for handling two keygrips and checking both of them in a -K
listing.  There is also only ky768_bp384 as fixed algorithm for now.
No passphrase for the Kyber part of the dual algorithm is on purpose.

A test was done using

  gpg --quick-gen-key pqc1 nistp256

and then running

  gpg -v --quick-add-key <fingerprint> kyber

which creates a v5 subkey on a v4 primary key.  A second test using

  gpg --quick-gen-key pqc2 Ed448

followed by a --quick-add-key created a v5 key with a v5 subkey.

GnuPG-bug-id: 6815
2024-04-03 18:01:11 +02:00
Werner Koch
6c1dd3afd1
common: Extend openpgp_oid_to_curve to return an abbreviated name.
* common/openpgp-oid.c (oidtable): Add column "abbr" and set them for
Brainpool.
(openpgp_oid_to_curve): Rename arg "canon" to "mode" and implement
mode 2.
--

For dual algorithms (PQC) we need shorter versions of brainpool to
avoid names which otherwise might be capped when printed.
2024-04-03 14:13:57 +02:00
Werner Koch
fa33b18940
common: Allow building with libgcrypt 1.10 for now.
* common/kmac.c (compute_kmac256): Return an error for older gcrypt
versions.
--

Except for the new KEM module there is no hard requirement for
libgcrypt 1.11 *yet*.
2024-04-03 09:43:37 +02:00
NIIBE Yutaka
1fa24e2841
common: Add KMAC.
* common/Makefile.am (common_sources): Add kmac.c.
* common/kmac.c: New.
* common/util.h (compute_kmac256): New.

--

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2024-03-29 15:26:42 +09:00
Werner Koch
f9919bcc48
gpg,gpgsm: New option --disable-fd-translation.
* common/sysutils.c (no_translate_sys2libc_fd) [W32]: New global.
(disable_translate_sys2libc_fd): New.
(translate_sys2libc_fd): Make static and cobuild only for Windows.
(translate_sys2libc_fd_int): Use no_translate_sys2libc_fd flag.

* g10/gpg.c, sm/gpgsm.c (oDisableFdTranslation): New const.
(opts): Add option "disable-fd-translation".
(main): Set option.
--

GnuPG-bug-id: 7060
2024-03-26 15:46:56 +01:00
Werner Koch
a0bfbdaaa2
Allow installation with a gpgconf.ctl changed homedir.
* common/homedir.c (gpgconf_ctl): Add field "gnupg".
(parse_gpgconf_ctl): Support keyword "gnupg".
(my_gnupg_dirname): New.
(my_fixed_default_homedir): New.
(gnupg_registry_dir): New.
(standard_homedir): Use my_gnupg_dirname and my_fixed_default_homedir.
(default_homedir): Use gnupg_registry_dir and
my_fixed_default_homedir.
(_gnupg_socketdir_internal): Use my_gnupg_dirname.  Increase size of
prefixbuffer.
(gnupg_sysconfdir): Use my_gnupg_dirname.
* tools/gpgconf.c (list_dirs): Use gnupg_registry_dir.
(show_other_registry_entries): Ditto.
--

This will be useful to install versions of GnuPG VS-Desktop and GnuPG
Desktop in addition to a standard GnuPG version.  Only basic tests on
Unix done; Windows testing is still outstanding.

GnuPG-bug-id: 7040
2024-03-21 17:41:10 +01:00
Werner Koch
fb3fe38d28
common: Use a common gpgconf.ctl parser for Unix and Windows.
* common/homedir.c (gpgconf_ctl): new struct.
(string_is_true): New.
(parse_gpgconf_ctl): New.  Based on the former code in unix_rootdir.
(check_portable_app): Use parse_gpgconf_ctl and the new struct.
(unix_rootdir): Ditto.
--

This is a unification of the gpgconf.ctl mechanism.  For backward
compatibility we need to keep the empty (or actually only comments)
method as used formerly under Windows.  Iff one really wants a
portable application the new portable keyword should be used, though.

Noet that the Windows portable stuff has not been tested for quite
some time.
2024-03-21 15:47:43 +01:00
Werner Koch
4485930f9f
Merge branch 'STABLE-BRANCH-2-4'
--
Resolved conflicts:
	NEWS
	common/exechelp-w32.c
	configure.ac
2024-03-12 16:00:55 +01:00