aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--NEWS10
-rw-r--r--agent/call-scd.c41
-rw-r--r--agent/command.c2
-rw-r--r--agent/protect.c6
-rw-r--r--common/exechelp-posix.c50
-rw-r--r--common/gettime.c9
-rw-r--r--configure.ac14
-rw-r--r--doc/Makefile.am4
-rw-r--r--doc/examples/README2
-rw-r--r--doc/examples/qualified.txt (renamed from doc/qualified.txt)12
-rw-r--r--doc/gpgsm.texi14
-rw-r--r--doc/howto-create-a-server-cert.texi14
-rw-r--r--doc/wks.texi4
-rw-r--r--g10/getkey.c15
-rw-r--r--g10/keygen.c9
-rw-r--r--g10/keyid.c4
-rw-r--r--g10/main.h4
-rw-r--r--scd/apdu.c3
-rw-r--r--scd/apdu.h3
-rw-r--r--scd/iso7816.c3
-rw-r--r--sm/certreqgen-ui.c2
-rw-r--r--sm/certreqgen.c4
-rw-r--r--sm/gpgsm.c2
-rw-r--r--sm/qualified.c2
24 files changed, 107 insertions, 126 deletions
diff --git a/NEWS b/NEWS
index 2dd4e53a0..6cf076d74 100644
--- a/NEWS
+++ b/NEWS
@@ -1,9 +1,7 @@
-Noteworthy changes in version 2.2.2 (unreleased)
+Noteworthy changes in version 2.3.0 (unreleased)
------------------------------------------------
-
-Noteworthy changes in version 2.2.1 (2017-09-19)
-------------------------------------------------
+ Changes also found in 2.2.1:
* gpg: Fix formatting of the user id in batch mode key generation
if only "name-email" is given.
@@ -23,6 +21,10 @@ Noteworthy changes in version 2.2.1 (2017-09-19)
certificates are configured. If build with GNUTLS, this was
already the case.
+ Release dates of 2.2.x versions:
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ Version 2.2.1 (2017-09-19)
+
Noteworthy changes in version 2.2.0 (2017-08-28)
------------------------------------------------
diff --git a/agent/call-scd.c b/agent/call-scd.c
index cf61a3546..6ce0cddfb 100644
--- a/agent/call-scd.c
+++ b/agent/call-scd.c
@@ -89,7 +89,6 @@ struct inq_needpin_parm_s
const char *getpin_cb_desc;
assuan_context_t passthru; /* If not NULL, pass unknown inquiries
up to the caller. */
- int any_inq_seen;
/* The next fields are used by inq_writekey_parm. */
const unsigned char *keydata;
@@ -727,7 +726,6 @@ inq_needpin (void *opaque, const char *line)
size_t pinlen;
int rc;
- parm->any_inq_seen = 1;
if ((s = has_leading_keyword (line, "NEEDPIN")))
{
line = s;
@@ -811,30 +809,6 @@ hash_algo_option (int algo)
}
-static gpg_error_t
-cancel_inquire (ctrl_t ctrl, gpg_error_t rc)
-{
- gpg_error_t oldrc = rc;
-
- /* The inquire callback was called and transact returned a
- cancel error. We assume that the inquired process sent a
- CANCEL. The passthrough code is not able to pass on the
- CANCEL and thus scdaemon would stuck on this. As a
- workaround we send a CANCEL now. */
- rc = assuan_write_line (ctrl->scd_local->ctx, "CAN");
- if (!rc) {
- char *line;
- size_t len;
-
- rc = assuan_read_line (ctrl->scd_local->ctx, &line, &len);
- if (!rc)
- rc = oldrc;
- }
-
- return rc;
-}
-
-
/* Create a signature using the current card. MDALGO is either 0 or
* gives the digest algorithm. DESC_TEXT is an additional parameter
* passed to GETPIN_CB. */
@@ -875,7 +849,6 @@ agent_card_pksign (ctrl_t ctrl,
inqparm.getpin_cb_arg = getpin_cb_arg;
inqparm.getpin_cb_desc = desc_text;
inqparm.passthru = 0;
- inqparm.any_inq_seen = 0;
inqparm.keydata = NULL;
inqparm.keydatalen = 0;
@@ -888,9 +861,6 @@ agent_card_pksign (ctrl_t ctrl,
put_membuf_cb, &data,
inq_needpin, &inqparm,
NULL, NULL);
- if (inqparm.any_inq_seen && (gpg_err_code(rc) == GPG_ERR_CANCELED ||
- gpg_err_code(rc) == GPG_ERR_ASS_CANCELED))
- rc = cancel_inquire (ctrl, rc);
if (rc)
{
@@ -974,7 +944,6 @@ agent_card_pkdecrypt (ctrl_t ctrl,
inqparm.getpin_cb_arg = getpin_cb_arg;
inqparm.getpin_cb_desc = desc_text;
inqparm.passthru = 0;
- inqparm.any_inq_seen = 0;
inqparm.keydata = NULL;
inqparm.keydatalen = 0;
snprintf (line, DIM(line), "PKDECRYPT %s", keyid);
@@ -982,9 +951,6 @@ agent_card_pkdecrypt (ctrl_t ctrl,
put_membuf_cb, &data,
inq_needpin, &inqparm,
padding_info_cb, r_padding);
- if (inqparm.any_inq_seen && (gpg_err_code(rc) == GPG_ERR_CANCELED ||
- gpg_err_code(rc) == GPG_ERR_ASS_CANCELED))
- rc = cancel_inquire (ctrl, rc);
if (rc)
{
@@ -1111,15 +1077,11 @@ agent_card_writekey (ctrl_t ctrl, int force, const char *serialno,
parms.getpin_cb_arg = getpin_cb_arg;
parms.getpin_cb_desc= NULL;
parms.passthru = 0;
- parms.any_inq_seen = 0;
parms.keydata = keydata;
parms.keydatalen = keydatalen;
rc = assuan_transact (ctrl->scd_local->ctx, line, NULL, NULL,
inq_writekey_parms, &parms, NULL, NULL);
- if (parms.any_inq_seen && (gpg_err_code(rc) == GPG_ERR_CANCELED ||
- gpg_err_code(rc) == GPG_ERR_ASS_CANCELED))
- rc = cancel_inquire (ctrl, rc);
return unlock_scd (ctrl, rc);
}
@@ -1344,7 +1306,6 @@ agent_card_scd (ctrl_t ctrl, const char *cmdline,
inqparm.getpin_cb_arg = getpin_cb_arg;
inqparm.getpin_cb_desc = NULL;
inqparm.passthru = assuan_context;
- inqparm.any_inq_seen = 0;
inqparm.keydata = NULL;
inqparm.keydatalen = 0;
@@ -1354,8 +1315,6 @@ agent_card_scd (ctrl_t ctrl, const char *cmdline,
pass_data_thru, assuan_context,
inq_needpin, &inqparm,
pass_status_thru, assuan_context);
- if (inqparm.any_inq_seen && gpg_err_code(rc) == GPG_ERR_ASS_CANCELED)
- rc = cancel_inquire (ctrl, rc);
assuan_set_flag (ctrl->scd_local->ctx, ASSUAN_CONVEY_COMMENTS, saveflag);
if (rc)
diff --git a/agent/command.c b/agent/command.c
index f2a668306..fd39c680f 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -874,7 +874,7 @@ static const char hlp_genkey[] =
"\n"
" C: GENKEY\n"
" S: INQUIRE KEYPARAM\n"
- " C: D (genkey (rsa (nbits 2048)))\n"
+ " C: D (genkey (rsa (nbits 3072)))\n"
" C: END\n"
" S: D (public-key\n"
" S: D (rsa (n 326487324683264) (e 10001)))\n"
diff --git a/agent/protect.c b/agent/protect.c
index c257861e2..9b262a978 100644
--- a/agent/protect.c
+++ b/agent/protect.c
@@ -159,7 +159,7 @@ calibrate_s2k_count_one (unsigned long count)
/* Measure the time we need to do the hash operations and deduce an
- S2K count which requires about 100ms of time. */
+ S2K count which requires roughly some targeted amount of time. */
static unsigned long
calibrate_s2k_count (void)
{
@@ -171,11 +171,11 @@ calibrate_s2k_count (void)
ms = calibrate_s2k_count_one (count);
if (opt.verbose > 1)
log_info ("S2K calibration: %lu -> %lums\n", count, ms);
- if (ms > 100)
+ if (ms > AGENT_S2K_CALIBRATION)
break;
}
- count = (unsigned long)(((double)count / ms) * 100);
+ count = (unsigned long)(((double)count / ms) * AGENT_S2K_CALIBRATION);
count /= 1024;
count *= 1024;
if (count < 65536)
diff --git a/common/exechelp-posix.c b/common/exechelp-posix.c
index 7237993a2..3acf74ad6 100644
--- a/common/exechelp-posix.c
+++ b/common/exechelp-posix.c
@@ -784,30 +784,32 @@ gnupg_wait_processes (const char **pgmnames, pid_t *pids, size_t count,
}
}
- if (ec == 0)
- for (i = 0; i < count; i++)
- {
- if (WIFEXITED (r_exitcodes[i]) && WEXITSTATUS (r_exitcodes[i]) == 127)
- {
- log_error (_("error running '%s': probably not installed\n"),
- pgmnames[i]);
- ec = GPG_ERR_CONFIGURATION;
- }
- else if (WIFEXITED (r_exitcodes[i]) && WEXITSTATUS (r_exitcodes[i]))
- {
- if (dummy)
- log_error (_("error running '%s': exit status %d\n"),
- pgmnames[i], WEXITSTATUS (r_exitcodes[i]));
- else
- r_exitcodes[i] = WEXITSTATUS (r_exitcodes[i]);
- ec = GPG_ERR_GENERAL;
- }
- else if (!WIFEXITED (r_exitcodes[i]))
- {
- log_error (_("error running '%s': terminated\n"), pgmnames[i]);
- ec = GPG_ERR_GENERAL;
- }
- }
+ for (i = 0; i < count; i++)
+ {
+ if (r_exitcodes[i] == -1)
+ continue;
+
+ if (WIFEXITED (r_exitcodes[i]) && WEXITSTATUS (r_exitcodes[i]) == 127)
+ {
+ log_error (_("error running '%s': probably not installed\n"),
+ pgmnames[i]);
+ ec = GPG_ERR_CONFIGURATION;
+ }
+ else if (WIFEXITED (r_exitcodes[i]) && WEXITSTATUS (r_exitcodes[i]))
+ {
+ if (dummy)
+ log_error (_("error running '%s': exit status %d\n"),
+ pgmnames[i], WEXITSTATUS (r_exitcodes[i]));
+ else
+ r_exitcodes[i] = WEXITSTATUS (r_exitcodes[i]);
+ ec = GPG_ERR_GENERAL;
+ }
+ else if (!WIFEXITED (r_exitcodes[i]))
+ {
+ log_error (_("error running '%s': terminated\n"), pgmnames[i]);
+ ec = GPG_ERR_GENERAL;
+ }
+ }
xfree (dummy);
return gpg_err_make (GPG_ERR_SOURCE_DEFAULT, ec);
diff --git a/common/gettime.c b/common/gettime.c
index 3e1ee5569..4ad99f54d 100644
--- a/common/gettime.c
+++ b/common/gettime.c
@@ -222,6 +222,8 @@ isotime_p (const char *string)
for (s++, i=9; i < 15; i++, s++)
if (!digitp (s))
return 0;
+ if (*s == 'Z')
+ s++;
if ( !(!*s || (isascii (*s) && isspace(*s)) || *s == ':' || *s == ','))
return 0; /* Wrong delimiter. */
@@ -354,9 +356,10 @@ string2isotime (gnupg_isotime_t atime, const char *string)
}
-/* Scan an ISO timestamp and return an Epoch based timestamp. The only
- supported format is "yyyymmddThhmmss" delimited by white space, nul, a
- colon or a comma. Returns (time_t)(-1) for an invalid string. */
+/* Scan an ISO timestamp and return an Epoch based timestamp. The
+ only supported format is "yyyymmddThhmmss[Z]" delimited by white
+ space, nul, a colon or a comma. Returns (time_t)(-1) for an
+ invalid string. */
time_t
isotime2epoch (const char *string)
{
diff --git a/configure.ac b/configure.ac
index 70c122615..b43cb60b4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -27,8 +27,8 @@ min_automake_version="1.14"
# another commit and push so that the git magic is able to work.
m4_define([mym4_package],[gnupg])
m4_define([mym4_major], [2])
-m4_define([mym4_minor], [2])
-m4_define([mym4_micro], [2])
+m4_define([mym4_minor], [3])
+m4_define([mym4_micro], [0])
# To start a new development series, i.e a new major or minor number
# you need to mark an arbitrary commit before the first beta release
@@ -122,7 +122,6 @@ use_tls_library=no
large_secmem=no
show_tor_support=no
-
GNUPG_BUILD_PROGRAM(gpg, yes)
GNUPG_BUILD_PROGRAM(gpgsm, yes)
# The agent is a required part and can't be disabled anymore.
@@ -250,6 +249,15 @@ fi
AC_DEFINE_UNQUOTED(SECMEM_BUFFER_SIZE,$SECMEM_BUFFER_SIZE,
[Size of secure memory buffer])
+AC_MSG_CHECKING([calibrated passphrase-stretching (s2k) duration])
+AC_ARG_WITH(agent-s2k-calibration,
+ AC_HELP_STRING([--with-agent-s2k-calibration=MSEC],
+ [calibrate passphrase stretching (s2k) to MSEC milliseconds]),
+ agent_s2k_calibration=$withval, agent_s2k_calibration=100)
+AC_MSG_RESULT($agent_s2k_calibration milliseconds)
+AC_DEFINE_UNQUOTED(AGENT_S2K_CALIBRATION, $agent_s2k_calibration,
+ [Agent s2k calibration time (ms)])
+
AC_MSG_CHECKING([whether to enable trust models])
AC_ARG_ENABLE(trust-models,
AC_HELP_STRING([--disable-trust-models],
diff --git a/doc/Makefile.am b/doc/Makefile.am
index 89079b383..c0c7fd0b7 100644
--- a/doc/Makefile.am
+++ b/doc/Makefile.am
@@ -22,7 +22,7 @@ AM_CPPFLAGS =
include $(top_srcdir)/am/cmacros.am
examples = examples/README examples/scd-event examples/trustlist.txt \
- examples/vsnfd.prf examples/debug.prf \
+ examples/vsnfd.prf examples/debug.prf examples/qualified.txt \
examples/systemd-user/README \
examples/systemd-user/dirmngr.service \
examples/systemd-user/dirmngr.socket \
@@ -43,7 +43,7 @@ helpfiles = help.txt help.be.txt help.ca.txt help.cs.txt \
profiles =
-EXTRA_DIST = samplekeys.asc mksamplekeys com-certs.pem qualified.txt \
+EXTRA_DIST = samplekeys.asc mksamplekeys com-certs.pem \
gnupg-logo.eps gnupg-logo.pdf gnupg-logo.png gnupg-logo-tr.png \
gnupg-module-overview.png gnupg-module-overview.pdf \
gnupg-card-architecture.png gnupg-card-architecture.pdf \
diff --git a/doc/examples/README b/doc/examples/README
index 77ee80741..4d6a5be87 100644
--- a/doc/examples/README
+++ b/doc/examples/README
@@ -9,3 +9,5 @@ trustlist.txt A list of trustworthy root certificates
gpgconf.conf A sample configuration file for gpgconf.
systemd-user Sample files for a Linux-only init system.
+
+qualified.txt Sample file for qualified.txt.
diff --git a/doc/qualified.txt b/doc/examples/qualified.txt
index c0e4da582..eba11f244 100644
--- a/doc/qualified.txt
+++ b/doc/examples/qualified.txt
@@ -29,7 +29,7 @@
#
# Germany
#
-# The information for Germany is available
+# The information for Germany is available
# at http://www.bundesnetzagentur.de
#*******************************************
@@ -74,7 +74,7 @@ DB:45:3D:1B:B0:1A:F3:23:10:6B:DE:D0:09:61:57:AA:F4:25:E0:5B de
#Serial number: 02
# Issuer: /CN=9R-CA 1:PN/O=Regulierungsbehörde für
# Telekommunikation und Post/C=DE
-# Subject: /CN=9R-CA 1:PN/O=Regulierungsbehörde für
+# Subject: /CN=9R-CA 1:PN/O=Regulierungsbehörde für
# Telekommunikation und Post/C=DE
# validity: 2004-11-25 14:59:11 through 2007-12-31 14:56:59
# key type: 1024 bit RSA
@@ -118,7 +118,7 @@ A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D de
# key usage: certSign
# policies: 1.3.36.8.1.1:N:
# chain length: unlimited
-# [checked: 2008-06-25]
+# [checked: 2008-06-25]
44:7E:D4:E3:9A:D7:92:E2:07:FA:53:1A:2E:F5:B8:02:5B:47:57:B0 de
# ID: 0x46A2CC8A
@@ -130,7 +130,7 @@ A0:8B:DF:3B:AA:EE:3F:9D:64:6C:47:81:23:21:D4:A6:18:81:67:1D de
# key usage: certSign
# policies: 1.3.36.8.1.1:N:
# chain length: unlimited
-# [checked: 2008-06-25]
+# [checked: 2008-06-25]
AC:A7:BE:45:1F:A6:BF:09:F2:D1:3F:08:7B:BC:EB:7F:46:A2:CC:8A de
@@ -215,7 +215,7 @@ E0:BF:1B:91:91:6B:88:E4:F1:15:92:22:CE:37:23:96:B1:4A:2E:5C de
# key type: 2048 bit RSA
# key usage: certSign crlSign
# chain length: 1
-#[checked: 2007-12-13 via received ZIP file with qualified signature from
+#[checked: 2007-12-13 via received ZIP file with qualified signature from
# /CN=Dr. Matthias Stehle/O=Deutscher Sparkassenverlag
# /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg]
C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA de
@@ -230,7 +230,7 @@ C9:2F:E6:50:DB:32:59:E0:CE:65:55:F3:8C:76:E0:B8:A8:FE:A3:CA de
# key type: 2048 bit RSA
# key usage: certSign crlSign
# chain length: 1
-#[checked: 2007-12-13 via received ZIP file with qualified signature from
+#[checked: 2007-12-13 via received ZIP file with qualified signature from
# /CN=Dr. Matthias Stehle/O=Deutscher Sparkassenverlag
# /C=DE/SerialNumber=DSV0000000008/SN=Stehle/GN=Matthias Georg"]
D5:C7:50:F2:FE:4E:EE:D7:C7:B1:E4:13:7B:FB:54:84:3A:7D:97:9B de
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index 5d79ce54e..b187a54d5 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
@@ -843,15 +843,9 @@ purposes.
Note that even if a certificate is listed in this file, this does not
mean that the certificate is trusted; in general the certificates listed
-in this file need to be listed also in @file{trustlist.txt}.
-
-This is a global file an installed in the data directory
-(e.g. @file{@value{DATADIR}/qualified.txt}). GnuPG installs a suitable
-file with root certificates as used in Germany. As new Root-CA
-certificates may be issued over time, these entries may need to be
-updated; new distributions of this software should come with an updated
-list but it is still the responsibility of the Administrator to check
-that this list is correct.
+in this file need to be listed also in @file{trustlist.txt}. This is a global
+file an installed in the sysconf directory (e.g.
+@file{@value{SYSCONFDIR}/qualified.txt}).
Every time @command{gpgsm} uses a certificate for signing or verification
this file will be consulted to check whether the certificate under
@@ -1073,7 +1067,7 @@ key. The algorithm must be capable of signing. This is a required
parameter. The only supported value for @var{algo} is @samp{rsa}.
@item Key-Length: @var{nbits}
-The requested length of a generated key in bits. Defaults to 2048.
+The requested length of a generated key in bits. Defaults to 3072.
@item Key-Grip: @var{hexstring}
This is optional and used to generate a CSR or certificate for an
diff --git a/doc/howto-create-a-server-cert.texi b/doc/howto-create-a-server-cert.texi
index 55f1a91a4..30e28bdd0 100644
--- a/doc/howto-create-a-server-cert.texi
+++ b/doc/howto-create-a-server-cert.texi
@@ -31,14 +31,14 @@ Let's continue:
@cartouche
@example
- What keysize do you want? (2048)
- Requested keysize is 2048 bits
+ What keysize do you want? (3072)
+ Requested keysize is 3072 bits
@end example
@end cartouche
-Hitting enter chooses the default RSA key size of 2048 bits. Smaller
-keys are too weak on the modern Internet. If you choose a larger
-(stronger) key, your server will need to do more work.
+Hitting enter chooses the default RSA key size of 3072 bits. Keys
+smaller than 2048 bits are too weak on the modern Internet. If you
+choose a larger (stronger) key, your server will need to do more work.
@cartouche
@example
@@ -124,7 +124,7 @@ request:
@example
These parameters are used:
Key-Type: RSA
- Key-Length: 2048
+ Key-Length: 3072
Key-Usage: sign, encrypt
Name-DN: CN=example.com
Name-DNS: example.com
@@ -224,7 +224,7 @@ To see the content of your certificate, you may now enter:
aka: (dns-name example.com)
aka: (dns-name www.example.com)
validity: 2015-07-01 16:20:51 through 2016-07-01 16:20:51
- key type: 2048 bit RSA
+ key type: 3072 bit RSA
key usage: digitalSignature keyEncipherment
ext key usage: clientAuth (suggested), serverAuth (suggested), [...]
fingerprint: 0F:9C:27:B2:DA:05:5F:CB:33:D8:19:E9:65:B9:4F:BD:B1:98:CC:57
diff --git a/doc/wks.texi b/doc/wks.texi
index 029dbf0c0..55dfee6d5 100644
--- a/doc/wks.texi
+++ b/doc/wks.texi
@@ -303,11 +303,11 @@ the submission address:
The output of the last command looks similar to this:
@example
- sec rsa2048 2016-08-30 [SC]
+ sec rsa3072 2016-08-30 [SC]
C0FCF8642D830C53246211400346653590B3795B
uid [ultimate] key-submission@@example.net
bxzcxpxk8h87z1k7bzk86xn5aj47intu@@example.net
- ssb rsa2048 2016-08-30 [E]
+ ssb rsa3072 2016-08-30 [E]
@end example
Take the hash of the string "key-submission", which is
diff --git a/g10/getkey.c b/g10/getkey.c
index 852c53286..486330ad9 100644
--- a/g10/getkey.c
+++ b/g10/getkey.c
@@ -144,7 +144,7 @@ static int lookup (ctrl_t ctrl, getkey_ctx_t ctx, int want_secret,
kbnode_t *ret_keyblock, kbnode_t *ret_found_key);
static kbnode_t finish_lookup (kbnode_t keyblock,
unsigned int req_usage, int want_exact,
- unsigned int *r_flags);
+ int want_secret, unsigned int *r_flags);
static void print_status_key_considered (kbnode_t keyblock, unsigned int flags);
@@ -1734,7 +1734,7 @@ get_pubkey_fromfile (ctrl_t ctrl, PKT_public_key *pk, const char *fname)
/* Warning: node flag bits 0 and 1 should be preserved by
* merge_selfsigs. FIXME: Check whether this still holds. */
merge_selfsigs (ctrl, keyblock);
- found_key = finish_lookup (keyblock, pk->req_usage, 0, &infoflags);
+ found_key = finish_lookup (keyblock, pk->req_usage, 0, 0, &infoflags);
print_status_key_considered (keyblock, infoflags);
if (found_key)
pk_from_block (pk, keyblock, found_key);
@@ -3428,7 +3428,7 @@ merge_selfsigs (ctrl_t ctrl, kbnode_t keyblock)
*/
static kbnode_t
finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
- unsigned int *r_flags)
+ int want_secret, unsigned int *r_flags)
{
kbnode_t k;
@@ -3570,6 +3570,13 @@ finish_lookup (kbnode_t keyblock, unsigned int req_usage, int want_exact,
continue;
}
+ if (want_secret && agent_probe_secret_key (NULL, pk))
+ {
+ if (DBG_LOOKUP)
+ log_debug ("\tno secret key\n");
+ continue;
+ }
+
if (DBG_LOOKUP)
log_debug ("\tsubkey might be fine\n");
/* In case a key has a timestamp of 0 set, we make sure
@@ -3757,7 +3764,7 @@ lookup (ctrl_t ctrl, getkey_ctx_t ctx, int want_secret,
* merge_selfsigs. */
merge_selfsigs (ctrl, keyblock);
found_key = finish_lookup (keyblock, ctx->req_usage, ctx->exact,
- &infoflags);
+ want_secret, &infoflags);
print_status_key_considered (keyblock, infoflags);
if (found_key)
{
diff --git a/g10/keygen.c b/g10/keygen.c
index 2b17a1e09..e959ee901 100644
--- a/g10/keygen.c
+++ b/g10/keygen.c
@@ -46,11 +46,10 @@
#include "../common/mbox-util.h"
-/* The default algorithms. If you change them remember to change them
- also in gpg.c:gpgconf_list. You should also check that the value
+/* The default algorithms. If you change them, you should ensure the value
is inside the bounds enforced by ask_keysize and gen_xxx. See also
get_keysize_range which encodes the allowed ranges. */
-#define DEFAULT_STD_KEY_PARAM "rsa2048/cert,sign+rsa2048/encr"
+#define DEFAULT_STD_KEY_PARAM "rsa3072/cert,sign+rsa3072/encr"
#define FUTURE_STD_KEY_PARAM "ed25519/cert,sign+cv25519/encr"
/* When generating keys using the streamlined key generation dialog,
@@ -1623,7 +1622,7 @@ gen_rsa (int algo, unsigned int nbits, KBNODE pub_root,
if (nbits < 1024)
{
- nbits = 2048;
+ nbits = 3072;
log_info (_("keysize invalid; using %u bits\n"), nbits );
}
else if (nbits > maxsize)
@@ -2092,7 +2091,7 @@ get_keysize_range (int algo, unsigned int *min, unsigned int *max)
default:
*min = opt.compliance == CO_DE_VS ? 2048: 1024;
*max = 4096;
- def = 2048;
+ def = 3072;
break;
}
diff --git a/g10/keyid.c b/g10/keyid.c
index d733156f8..c519bc581 100644
--- a/g10/keyid.c
+++ b/g10/keyid.c
@@ -73,7 +73,7 @@ pubkey_letter( int algo )
is copied to the supplied buffer up a length of BUFSIZE-1.
Examples for the output are:
- "rsa2048" - RSA with 2048 bit
+ "rsa3072" - RSA with 3072 bit
"elg1024" - Elgamal with 1024 bit
"ed25519" - ECC using the curve Ed25519.
"E_1.2.3.4" - ECC using the unsupported curve with OID "1.2.3.4".
@@ -83,7 +83,7 @@ pubkey_letter( int algo )
If the option --legacy-list-mode is active, the output use the
legacy format:
- "2048R" - RSA with 2048 bit
+ "3072R" - RSA with 3072 bit
"1024g" - Elgamal with 1024 bit
"256E" - ECDSA using a curve with 256 bit
diff --git a/g10/main.h b/g10/main.h
index 87417ee37..48503602b 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -31,7 +31,9 @@
(i.e. uncompressed) rather than 1 (zip). However, the real world
issues of speed and size come into play here. */
-#if GPG_USE_AES128
+#if GPG_USE_AES256
+# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES256
+#elif GPG_USE_AES128
# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_AES
#elif GPG_USE_CAST5
# define DEFAULT_CIPHER_ALGO CIPHER_ALGO_CAST5
diff --git a/scd/apdu.c b/scd/apdu.c
index 97624ebad..1b25ceb95 100644
--- a/scd/apdu.c
+++ b/scd/apdu.c
@@ -496,6 +496,7 @@ host_sw_string (long err)
case SW_HOST_ABORTED: return "aborted";
case SW_HOST_NO_PINPAD: return "no pinpad";
case SW_HOST_ALREADY_CONNECTED: return "already connected";
+ case SW_HOST_CANCELLED: return "cancelled";
default: return "unknown host status error";
}
}
@@ -602,7 +603,7 @@ pcsc_error_to_sw (long ec)
{
case 0: rc = 0; break;
- case PCSC_E_CANCELLED: rc = SW_HOST_ABORTED; break;
+ case PCSC_E_CANCELLED: rc = SW_HOST_CANCELLED; break;
case PCSC_E_NO_MEMORY: rc = SW_HOST_OUT_OF_CORE; break;
case PCSC_E_TIMEOUT: rc = SW_HOST_CARD_IO_ERROR; break;
case PCSC_E_NO_SERVICE:
diff --git a/scd/apdu.h b/scd/apdu.h
index 6751e8c9b..8a0d4bda8 100644
--- a/scd/apdu.h
+++ b/scd/apdu.h
@@ -71,7 +71,8 @@ enum {
SW_HOST_NO_READER = 0x1000c,
SW_HOST_ABORTED = 0x1000d,
SW_HOST_NO_PINPAD = 0x1000e,
- SW_HOST_ALREADY_CONNECTED = 0x1000f
+ SW_HOST_ALREADY_CONNECTED = 0x1000f,
+ SW_HOST_CANCELLED = 0x10010
};
struct dev_list;
diff --git a/scd/iso7816.c b/scd/iso7816.c
index 081b0808c..29208c254 100644
--- a/scd/iso7816.c
+++ b/scd/iso7816.c
@@ -93,8 +93,9 @@ map_sw (int sw)
case SW_HOST_CARD_IO_ERROR: ec = GPG_ERR_EIO; break;
case SW_HOST_GENERAL_ERROR: ec = GPG_ERR_GENERAL; break;
case SW_HOST_NO_READER: ec = GPG_ERR_ENODEV; break;
- case SW_HOST_ABORTED: ec = GPG_ERR_CANCELED; break;
+ case SW_HOST_ABORTED: ec = GPG_ERR_INV_RESPONSE; break;
case SW_HOST_NO_PINPAD: ec = GPG_ERR_NOT_SUPPORTED; break;
+ case SW_HOST_CANCELLED: ec = GPG_ERR_CANCELED; break;
default:
if ((sw & 0x010000))
diff --git a/sm/certreqgen-ui.c b/sm/certreqgen-ui.c
index 9772a3baf..4f8a1ac9d 100644
--- a/sm/certreqgen-ui.c
+++ b/sm/certreqgen-ui.c
@@ -138,7 +138,7 @@ gpgsm_gencertreq_tty (ctrl_t ctrl, estream_t output_stream)
unsigned int nbits;
int minbits = 1024;
int maxbits = 4096;
- int defbits = 2048;
+ int defbits = 3072;
const char *keyusage;
char *subject_name;
membuf_t mb_email, mb_dns, mb_uri, mb_result;
diff --git a/sm/certreqgen.c b/sm/certreqgen.c
index 44318702a..1d610c1bb 100644
--- a/sm/certreqgen.c
+++ b/sm/certreqgen.c
@@ -26,7 +26,7 @@
$ cat >foo <<EOF
%echo Generating a standard key
Key-Type: RSA
- Key-Length: 2048
+ Key-Length: 3072
Name-DN: CN=test cert 1,OU=Aegypten Project,O=g10 Code GmbH,L=Ddorf,C=DE
Name-Email: [email protected]
# Do a commit here, so that we can later print a "done"
@@ -468,7 +468,7 @@ proc_parameters (ctrl_t ctrl, struct para_data_s *para,
/* Check the keylength. NOTE: If you change this make sure that it
macthes the gpgconflist item in gpgsm.c */
if (!get_parameter (para, pKEYLENGTH, 0))
- nbits = 2048;
+ nbits = 3072;
else
nbits = get_parameter_uint (para, pKEYLENGTH);
if ((nbits < 1024 || nbits > 4096) && !cardkeyid)
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 10eff0a84..fa37f63be 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -1785,7 +1785,7 @@ main ( int argc, char **argv)
/* The next one is an info only item and should match what
proc_parameters actually implements. */
es_printf ("default_pubkey_algo:%lu:\"%s:\n", GC_OPT_FLAG_DEFAULT,
- "RSA-2048");
+ "RSA-3072");
}
break;
diff --git a/sm/qualified.c b/sm/qualified.c
index 564e77929..6a7b47306 100644
--- a/sm/qualified.c
+++ b/sm/qualified.c
@@ -58,7 +58,7 @@ read_list (char *key, char *country, int *lnr)
if (!listname)
{
- listname = make_filename (gnupg_datadir (), "qualified.txt", NULL);
+ listname = make_filename (gnupg_sysconfdir (), "qualified.txt", NULL);
listfp = fopen (listname, "r");
if (!listfp && errno != ENOENT)
{
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-12 13:09:14 +0000