aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* gpg: Allow to create a Kyber key from keygrips.Werner Koch2024-04-056-13/+97
| | | | | | | | | | | | | | | | * agent/cvt-openpgp.c (extract_private_key): Support Kyber algorithms. * common/openpgp-oid.c (map_gcry_pk_to_openpgp): Map KEM to Kyber. * common/sexputil.c (get_pk_algo_from_key): Increase buffer for use with "kyber1024". * g10/call-agent.c (agent_get_keyinfo): Fix warning. * g10/keygen.c (do_create_from_keygrip): Support Kyber. (ask_algo): Ditto. -- To test create a standard key and the use --edit-key and "addkey" with selection 13 and use the comma delimited keygrips. GnuPG-bug-id: 7014
* agent: Fix error handling of READKEY.Werner Koch2024-04-051-1/+3
| | | | | | | * agent/command.c (cmd_readkey): Jump to leave on reading error. -- Fixes-commit: d7a3c455c5e29b19b66772f86dda925064e34896
* gpg: Support dual keygrips.Werner Koch2024-04-0510-45/+180
| | | | | | | | | | | | | | | | | * g10/keyid.c (keygrip_from_pk): Add arg get_second to support dual algos. Implement for Kyber. (hexkeygrip_from_pk): Extend for dual algos. * g10/call-agent.c (agent_keytotpm): Bail out for dual algos. (agent_keytocard): Ditto. (agent_probe_secret_key): Handle dual algos. (agent_probe_any_secret_key): Ditto. (agent_get_keyinfo): Allow for dual algos but take only the first key. * g10/export.c (do_export_one_keyblock): Bail out for dual algos. -- This also adds some fixmes which we eventually need to address. GnuPG-bug-id: 6815
* agent: Make "PKDECRYPT --kem" with optional value work.Werner Koch2024-04-053-6/+11
| | | | | | | | | | | | * agent/command.c (cmd_pkdecrypt): Fix comparison. * agent/agent.h (enum kemids): Rename type and strip trailing comma. * agent/pkdecrypt.c (agent_hybrid_pgp_kem_decrypt): Allow building with Libgcrypt < 1.11 -- Eventually we should change the libgcrypt requirement in configure.
* agent: Add initial support for hybrid ECC+PQC decryption with KEM.NIIBE Yutaka2024-04-053-7/+362
| | | | | | | | | | | | | | | | | * agent/agent.h (enum kemid): New. (agent_kem_decrypt): New. * agent/command.c (cmd_pkdecrypt): Support --kem option to call agent_kem_decrypt. * agent/pkdecrypt.c (reverse_buffer): New. (agent_hybrid_pgp_kem_decrypt): New. (agent_kem_decrypt): New. -- Now, it only supports X25519 + ML-KEM. GnuPG-bug-id: 7014 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Initial support for generating Kyber subkeys.Werner Koch2024-04-039-110/+461
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * common/openpgpdefs.h (PUBKEY_ALGO_KY768_25519): Remove. (PUBKEY_ALGO_KY1024_448): Remove. (PUBKEY_ALGO_KYBER): New. Use them everywhere instead of the removed. * g10/build-packet.c (gpg_mpi_write_nohdr): Rename to (gpg_mpi_write_opaque_nohdr): this. Change callers. (gpg_mpi_write_opaque_32): New. (do_key): Support Kyber keys using the revised format. * g10/gpg.h (MAX_EXTERN_KEYPARM_BITS): New. * g10/parse-packet.c (read_octet_string): Add arg nbytes so support reading with a length prefix. Adjust callers. (parse_key): Parse Kyber public keys. * g10/misc.c (pubkey_get_npkey): Support Kyber. (pubkey_get_nskey): Ditto. * g10/keyid.c (pubkey_string): Support dual algorithms. (do_hash_public_key): Support Kyber. (nbits_from_pk): Ditto. (keygrip_from_pk): Return the Kyber part for the ECC+Kyber dual algo. * g10/keygen.c (struct common_gen_cb_parm_s): Add genkey_result2. Note that this callback is not yet used. (ecckey_from_sexp): Add optional arg sexp2 and use it for Kyber. Change callers. (ecckey_from_sexp): Do not leak LIST in case of an error. (common_gen): Add arg keyparms2, change callers, and support Kyber. (gen_kyber): New. (get_keysize_range): Support Kyber. (fixup_keysize): Simplify and support Kyber. (do_create): Handle Kyber. (parse_key_parameter_part): Remove algo strings "ky768" and "ky1024" and add a generic "kyber" with default parameters. -- This uses a revised format which is more aligned with the usual OpenPGP structure. A lot of things are still missing. For example support for handling two keygrips and checking both of them in a -K listing. There is also only ky768_bp384 as fixed algorithm for now. No passphrase for the Kyber part of the dual algorithm is on purpose. A test was done using gpg --quick-gen-key pqc1 nistp256 and then running gpg -v --quick-add-key <fingerprint> kyber which creates a v5 subkey on a v4 primary key. A second test using gpg --quick-gen-key pqc2 Ed448 followed by a --quick-add-key created a v5 key with a v5 subkey. GnuPG-bug-id: 6815
* common: Extend openpgp_oid_to_curve to return an abbreviated name.Werner Koch2024-04-032-14/+39
| | | | | | | | | | | * common/openpgp-oid.c (oidtable): Add column "abbr" and set them for Brainpool. (openpgp_oid_to_curve): Rename arg "canon" to "mode" and implement mode 2. -- For dual algorithms (PQC) we need shorter versions of brainpool to avoid names which otherwise might be capped when printed.
* tests: Add a sample PDF with a signatureWerner Koch2024-04-031-0/+0
| | | | --
* common: Allow building with libgcrypt 1.10 for now.Werner Koch2024-04-031-0/+4
| | | | | | | | | * common/kmac.c (compute_kmac256): Return an error for older gcrypt versions. -- Except for the new KEM module there is no hard requirement for libgcrypt 1.11 *yet*.
* agent: Add --another option for hybrid crypto.NIIBE Yutaka2024-04-012-6/+15
| | | | | | | | | | * agent/agent.h (struct server_control_s): Add have_keygrip1. * agent/command.c (reset_notify): Clear have_keygrip1 field. (cmd_havekey): Add --another option handling. -- Signed-off-by: NIIBE Yutaka <[email protected]>
* common: Add KMAC.NIIBE Yutaka2024-03-293-2/+140
| | | | | | | | | | * common/Makefile.am (common_sources): Add kmac.c. * common/kmac.c: New. * common/util.h (compute_kmac256): New. -- Signed-off-by: NIIBE Yutaka <[email protected]>
* gpgsm: Allow to add extensions at the --gen-key prompt.Werner Koch2024-03-272-0/+10
| | | | | | | | | | * sm/certreqgen-ui.c (gpgsm_gencertreq_tty): Add a prompt for extensions. -- An example for an extension would be extKeyUsage for authentication: 2.5.29.37 n 301406082B0601050507030206082B06010505070301
* scd:openpgp: Fix data_objects specification for F9 and FA.NIIBE Yutaka2024-03-271-2/+2
| | | | | | | | | * scd/app-openpgp.c (data_objects): These are constructed objects. -- GnuPG-bug-id: 7058 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg,gpgsm: New option --disable-fd-translation.Werner Koch2024-03-266-9/+50
| | | | | | | | | | | | | | * common/sysutils.c (no_translate_sys2libc_fd) [W32]: New global. (disable_translate_sys2libc_fd): New. (translate_sys2libc_fd): Make static and cobuild only for Windows. (translate_sys2libc_fd_int): Use no_translate_sys2libc_fd flag. * g10/gpg.c, sm/gpgsm.c (oDisableFdTranslation): New const. (opts): Add option "disable-fd-translation". (main): Set option. -- GnuPG-bug-id: 7060
* scd: Add new OpenPGP vendorWerner Koch2024-03-261-0/+1
| | | | --
* Allow installation with a gpgconf.ctl changed homedir.Werner Koch2024-03-214-26/+145
| | | | | | | | | | | | | | | | | | | | | | | * common/homedir.c (gpgconf_ctl): Add field "gnupg". (parse_gpgconf_ctl): Support keyword "gnupg". (my_gnupg_dirname): New. (my_fixed_default_homedir): New. (gnupg_registry_dir): New. (standard_homedir): Use my_gnupg_dirname and my_fixed_default_homedir. (default_homedir): Use gnupg_registry_dir and my_fixed_default_homedir. (_gnupg_socketdir_internal): Use my_gnupg_dirname. Increase size of prefixbuffer. (gnupg_sysconfdir): Use my_gnupg_dirname. * tools/gpgconf.c (list_dirs): Use gnupg_registry_dir. (show_other_registry_entries): Ditto. -- This will be useful to install versions of GnuPG VS-Desktop and GnuPG Desktop in addition to a standard GnuPG version. Only basic tests on Unix done; Windows testing is still outstanding. GnuPG-bug-id: 7040
* common: Use a common gpgconf.ctl parser for Unix and Windows.Werner Koch2024-03-212-202/+252
| | | | | | | | | | | | | | | | | * common/homedir.c (gpgconf_ctl): new struct. (string_is_true): New. (parse_gpgconf_ctl): New. Based on the former code in unix_rootdir. (check_portable_app): Use parse_gpgconf_ctl and the new struct. (unix_rootdir): Ditto. -- This is a unification of the gpgconf.ctl mechanism. For backward compatibility we need to keep the empty (or actually only comments) method as used formerly under Windows. Iff one really wants a portable application the new portable keyword should be used, though. Noet that the Windows portable stuff has not been tested for quite some time.
* gpg: Make sure a DECRYPTION_OKAY is never issued for a bad OCB tag.Werner Koch2024-03-142-1/+6
| | | | | | | | | | | | * g10/mainproc.c (proc_encrypted): Force a decryption failure if any error has been seen. * g10/decrypt-data.c (aead_checktag): Issue an ERROR line. -- GnuPG-bug-id: 7042 Note that gpg in any case returns a failure exit code but due to double forking GPGME would not see it.
* gpg: new list-option store-x509-notations.Werner Koch2024-03-144-8/+54
| | | | | | | | | | * g10/options.h (LIST_STORE_X509_NOTATIONS): New. * g10/gpg.c (parse_list_options): Add "store-x509-notations". * g10/keylist.c (print_x509_notations): Add arg PK and code to write a file. (list_signature_print): Add arg lastpk and handle new option. (list_keyblock_print): Track last key or subkey and pass to list_signature_print.
* gpg: new list-option show-x509-notationsWerner Koch2024-03-126-16/+134
| | | | | | | | | | | * g10/gpg.c (parse_list_options): Add new option. * g10/options.h (LIST_SHOW_X509_NOTATIONS): New. * g10/build-packet.c (search_sig_notations): New. * g10/keylist.c (print_x509_notations): New. (list_signature_print): Use macros for the sig classes. Call print_x509_notations. (list_keyblock_print): Call list_signature_print if x509 notation printing is enabled.
* card: Use xstrdup for module names.Werner Koch2024-03-121-2/+2
| | | | --
* Merge branch 'STABLE-BRANCH-2-4'Werner Koch2024-03-12103-1134/+1484
|\ | | | | | | | | | | | | | | -- Resolved conflicts: NEWS common/exechelp-w32.c configure.ac
| * Post release updatesWerner Koch2024-03-072-1/+8
| | | | | | | | --
| * Release 2.4.5gnupg-2.4.5Werner Koch2024-03-071-1/+39
| |
| * po: msgmergeWerner Koch2024-03-0723-92/+118
| | | | | | | | --
| * po: Fix a fuzzy in the German, Polish and Japanese translationWerner Koch2024-03-073-23/+28
| | | | | | | | --
| * scd: Improve code reability of ccid-driver.cWerner Koch2024-03-071-96/+49
| | | | | | | | | | * scd/ccid-driver.c (my_npth_unprotect, my_npth_protect): New. Replace all direct uses by these wrappers.
| * scd: Add support for ACR-122UWerner Koch2024-03-072-1/+7
| | | | | | | | | | | | | | | | | | * scd/ccid-driver.h (VENDOR_ACR, ACR_122U): New. * scd/ccid-driver.c (ccid_open_usb_reader): Do not call libsub_set_interface_alt_setting for this reader. -- Co-authored-by: [email protected]
| * scd: Let the CCID module auto detach the kernel driver.Werner Koch2024-03-073-0/+41
| | | | | | | | | | | | | | | | | | | | | | | | * scd/ccid-driver.c (ccid_open_usb_reader): Call libusb_set_auto_detach_kernel_driver. * scd/scdaemon.c (oCompatibilityFlags): New. (opts): Add option "compatibility-flags". (compatibility_flags): New. (main): Parse flags. * scd/scdaemon.h (opt): Add field compat_flags. (COMPAT_CCID_NO_AUTO_DETACH): New.
| * doc: Typo fix in commentWerner Koch2024-03-061-1/+1
| | | | | | | | --
| * wks: Make gpg-wks-client --mirror work w/o args.Werner Koch2024-03-062-2/+2
| | | | | | | | | | | | | | | | | | * tools/gpg-wks-client.c (mirror_one_key): Test for no domain specified. -- The code did not really work if no domain was given. It worked but filtered out all keys so that no key was actually exported.
| * gpg: Fix mixed invocation with --trusted-keys and --no-options.Werner Koch2024-03-042-45/+69
| | | | | | | | | | | | | | | | | | | | | | | | * g10/trustdb.c: Move a function and some definitions around. (user_utk_list): Rename to trusted_key_list. Change all users. (any_trusted_key_seen): New. (tdb_register_trusted_key): Set it here. Handle the new value "none". (verify_own_keys): Do not delete a trusted key from the trustdb if a trusted-key option was not used. -- GnuPG-bug-id: 7025
| * wks: Add option --realclean to gpg-wks-client.Werner Koch2024-03-044-4/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * tools/gpg-wks-client.c (oRealClean): New. (opts): Add "realclean". (parse_arguments): Implement. (main): Take a copy of the module name to fix bad assignment from a former patch. * tools/gpg-wks-server.c (main): Ditto. * tools/gpg-wks.h (opt): Add field realclean. * tools/wks-util.c (wks_get_key): Call gpg with export-realclean depending on the new option. -- The default for gpg-wks-client is to install keys with all valid key signatures. The new option will eventually allow to install the keys only with key signatures done by trusted-keys. Also the export-option is in gpg, it requires one more gpg patch to make it actually work.
| * gpg: Prepare for a new export option export-realclean.Werner Koch2024-03-0411-46/+105
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * g10/options.h (EXPORT_REALCLEAN): New. Also re-assign other values to keep them more in sync with the corresponding import values. * g10/export.c (parse_export_options): Add "export-realclean". (do_export_stream): Call clean_all_uids directly with the options arg. * g10/import.c (import_one_real): Change for direct use of options in clean_all_uids. * g10/key-clean.c (is_trusted_key_sig): New. Stub for now. (clean_sigs_from_uid): Re-purpose self_only to a general options arg. Implement EXPORT_REALCLEAN code path. (clean_one_uid): Re-purpose self_only to a general options arg. (clean_all_uids): Ditto. * g10/keyedit.c (keyedit_menu): Use EXPORT_MINIMAL instead of a simple flag. (menu_clean): Re-purpose self_only to a general options arg. * g10/keyid.c (fpr20_from_pk): Factor code out to .... (fpr20_from_fpr): new. Remove useless case for ARRAY being NULL. * g10/tdbio.c (tdbio_search_trust_byfpr): Add arg fprlen and use fpr20_from_fpr if needed. (tdbio_search_trust_bypk): Pass 20 for the fingerprint length. -- Note that this code has no function yet. Another patch will follow to extract the trusted-keys flag from the trustdb.
| * build: Extend getswdb.sh to allow a verified downloadWerner Koch2024-02-291-4/+92
| | | | | | | | --
| * build: Make getswdb.sh usable outside the GniPG tree.Werner Koch2024-02-291-2/+24
| | | | | | | | --
| * gpg: Emit status lines for errors in the compression layer.Werner Koch2024-02-272-15/+39
| | | | | | | | | | | | | | | | | | | | | | * g10/compress-bz2.c: Replace all log_fatal by log_error, write_status_error, and g10_exit. (do_uncompress): Ditto. -- This gives gpgme a better way to detect corrupted data in the compression layer. GnuPG-bug-id: 6977
| * Allow tilde expansion for the foo-program options.Werner Koch2024-02-2711-33/+70
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * agent/gpg-agent.c (parse_rereadable_options): Use make_filename_try for opt.pinentry_program. Change definition accordingly. * g10/gpg.c (main): Use make_filename for agent_program, dirmngr_program, and keyboxd_program. Change definition accordingly. * sm/gpgsm.c (main): Ditto. * tools/gpg-card.c (parse_arguments): Ditto. * tools/gpg-connect-agent.c (main): Ditto. * tools/gpg-wks-client.c (parse_arguments): Likewise. Do it also for option --output. (process_confirmation_request): Print a note for a successful sent. -- GnuPG-bug-id: 7017
| * agent: Allow GET_PASSPHRASE in restricted mode.Werner Koch2024-02-251-5/+4
| | | | | | | | | | | | | | | | | | | | * agent/command.c (cmd_get_passphrase): Allow use in restricted mode but ignore the cacheid. -- The use case is symmetric encryption via the extra-socket. To avoid that the gpg running on the server has access to the cache we set the cache id to NULL so that the cache is not used at all.
| * gpg: Fix gpg_mpi_write for the unused opaque case.Werner Koch2024-02-211-1/+3
| | | | | | | | | | | | | | | | | | * g10/build-packet.c (gpg_mpi_write): Take care of the fact that get_opaque already returns a bit-exact value. -- Fixes-commit: ab17f7b6c392782718f57eaea94fc18a0ff49389 Reported-by: Falko Strenzke <[email protected]>
| * wks: Allow command style args for gpg-wks-client.Werner Koch2024-02-212-11/+21
| | | | | | | | | | | | | | | | | | | | * tools/gpg-wks-client.c (wrong_args): Take two args. Change all callers. (main): Pass ARGPARSE_FLAG_COMMAND for recent gpgrt version. -- This requires gpgrt 1.48. Of course "gpg-wks-client --create ..." continues to work.
| * g13: Allow command line style "g13 mount foo".Werner Koch2024-02-201-0/+3
| | | | | | | | | | | | | | | | * g13/g13.c (main): Set flag ARGPARSE_FLAG_COMMAND. -- This requires gpgrt 1.48. Of course "g13 --mount foo" continues to work.
| * scd:p15: Fix typo in a commentMario Haustein2024-02-201-1/+1
| |
| * scd:p15: Add ECC support for D-Trust Card 4.1/4.4Mario Haustein2024-02-201-6/+4
| | | | | | | | | | | | * scd/app-p15.c (do_sign): Add MSE RESTORE parameters for D-Trust ECC cards. (do_decipher): Ditto.
| * scd:p15: Take derive usage into account for decryption (2).Werner Koch2024-02-201-1/+2
| | | | | | | | | | | | | | * scd/app-p15.c (do_getattr): Yet another palce to fix. -- GnuPG-bug-id: 7000 Co-authored-by: Mario Haustein <[email protected]>
| * scd:p15: Handle duplicate certificate ids.Werner Koch2024-02-201-2/+44
| | | | | | | | | | | | | | | | | | | | | | * scd/app-p15.c (struct app_local_s): Add field cdf_dup_counter. (objid_in_cdflist_p): New. (read_p15_info): Clear the counter. (read_ef_cdf): Detect and fix duplicate IDs. -- GnuPG-bug-id: 7001 Reported-by: Mario Haustein <[email protected]>
| * scd:p15: Take derive usage into account for decryption.Werner Koch2024-02-201-15/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * scd/app-p15.c (set_usage_string): Map usageflags.derive also to 'e'. (do_auth): Allow usageflags.sign_recover. (do_decipher): Allow usageflags.derive. (do_with_keygrip): Take usageflags.derive into account. (do_gettatr): Ditto. (do_decipher): Take a missing AODF for authentication not needed. -- This is required for D-Trust ECC cards. The AODF thing is unrelated but seems to be a good idea. GnuPG-bug-id: 7000
| * dirmngr: Fix keep-alive flag handling.NIIBE Yutaka2024-02-161-1/+9
| | | | | | | | | | | | | | | | | | | | * dirmngr/http.c (run_proxy_connect): Set KEEP_ALIVE if not Basic Authentication. Fix resource leak of FP_WRITE. -- GnuPG-bug-id: 6997 Signed-off-by: NIIBE Yutaka <[email protected]>
| * dirmngr: Fix the regression of use of proxy for TLS connection.NIIBE Yutaka2024-02-161-12/+2
| | | | | | | | | | | | | | | | | | | | | | * dirmngr/http.c (run_proxy_connect): Don't set keep_alive, since it causes resource leak of FP_WRITE. Don't try to read response body to fix the hang. -- GnuPG-bug-id: 6997 Signed-off-by: NIIBE Yutaka <[email protected]>
| * speedo: Add config variable for the timestamp service.Werner Koch2024-02-151-4/+11
| | | | | | | | --
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-09 10:57:19 +0000