| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
* dirmngr/server.c (cmd_ks_del): New.
(percentplus_line_to_strlist): New.
* dirmngr/ks-action.c (ks_action_del): New.
* dirmngr/ks-engine-ldap.c (ks_ldap_del): New.
--
GnuPG-bug-id: 5447
Backported-from-master: 9d356a172e7cc492707a6466d30ede8eb0dcf92d
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* sm/call-agent.c (istrusted_status_cb): Clear the helper flags.
--
GnuPG-bug-id: 7738
Fixes-commit: 09d4b8f496dd461a21d5ba0297710d683b16def4
which introduced the caching but go the flags wrong. The fallout from
this was that the qualified signature consent was show for non QES
certificates. Other flags are almost always the same and thus no
other harm was done.
Backported-from-master: 67a3020d0f3beed89270f2d004c3da5ee9cbfc63
|
| |
|
|
|
|
|
|
|
|
| |
* common/sexputil.c (uncompress_ecc_q_in_canon_sexp): Only call memcmp
if the lengths are equal.
--
GnuPG-bug-id: 7662
Signed-off-by: Collin Funk <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* sm/gpgsm.h (COMPAT_DE_VS_TRUSTLIST): New.
* sm/gpgsm.c (compatibility_flags): Add flag "de-vs-trustlist"
* sm/call-agent.c (istrusted_status_cb): Apply the compatibility flag.
* sm/certchain.c (do_validate_chain): Handle the "de-vs" flag similar
to the "qualified" flag.
* sm/keylist.c (cert_has_de_vs_flag): New.
(print_compliance_flags): Print compliance string only if the flag is
set or if the compatibiliy flag is set.
--
In de-vs compliance mode we now look at the de-vs flag from the
trustlist.txt and print a certificate as VS-NfD compliant only if this
flag is set. Obviously this now requires that --with-validation has
been used. To revert to the old behaviour a new compatibility flag
can be set.
The advantage of this new behaviour is that also non-compliant
certificates can be entered into the trustlist.txt and such certs
can be used with the usual warning that the cert is not VS-NfD
compliant.
|
| |
|
|
|
|
|
|
|
|
| |
* g10/getkey.c (merge_selfsigs_main): Do not mask out the group bit.
(merge_selfsigs_subkey): Ditto/
* g10/keygen.c (ask_key_flags_with_mask): Ditto.
(proc_parameter_file): Ditto.
--
Updates-commit: 202ed9e281d5fb95f166faeb6741c75872be464c
|
| |
|
|
|
|
| |
--
Added Alexander. Removed Andre.
|
| |
|
|
|
|
|
|
|
|
| |
* scd/app-p15.c (CARD_PRODUCT_NEXUS): New.
(read_p15_info): Detect Nexus cards.
(get_dispserialno): Use product_id instead of comparing the
manufacturer_id.
(do_sign): Handle Nexus like BELPIC.
(cherry picked from commit b83d86b988bbb05b25dba250a5f01b33b3dbb824)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* common/ksba-io-support.c (has_only_base64): Use memchr since calling
strchr on a non-NUL terminated string is undefined behavior.
--
Signed-off-by: Collin Funk <[email protected]>
This patch has been stripped from Colin's original patch because this
is not just about a warning but an actual bug. That bug was
introduced in 2003 by me. - wk
|
| |
|
|
|
|
|
|
|
|
|
| |
* scd/app-p15.c (read_ef_tokeninfo): Allow for a zero length label.
--
Some versions of the CardOS personalisation software seem to store a
missing labels as zero-length object instead of not storing the object
at all.
Due to a lack of such a card this patch has not been tested.
|
| |
|
|
| |
--
|
| | |
|
| |
|
|
|
|
| |
* tools/gpgconf.c (my_read_reg_string): New. Use it for the registry
listing stuff.
(show_registry_entries_from_file): Use also on Unix.
|
| |
|
|
| |
* build-aux/speedo.mk: Change to use the external sign script.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* scd/scdaemon.c (handle_connections) [W32]: Do not continue the loop
when an event was encountered.
--
Here the event handle is passed to npth_eselect so that this function
can detect the event and reset the event. There is no need to consume
this information here. However, npth_select might also got a ready
file descriptor along with the event and by doing a "continue" we
would miss the ready state of the file descriptor. The fix is to do
nothing here, similar to what we do in gpg-agent.
Fixes-commit: f9acc7d18bb90f47dafe7e32ae92f567756d6b12
GnuPG-bug-id: 2982
(cherry picked from commit a7ec3792c5d1891180265c946bc021cd8a205e54)
|
| |
|
|
|
|
|
|
|
| |
* g10/sig-check.c (check_signature_over_key_or_uid): Do not free in
no-sig-cache mode if allocated by caller.
--
GnuPG-bug-id: 7547
Fixes-commit: 44cdb9d73f1a0b7d2c8483a119b9c4d6caabc1ec
|
| |
|
|
|
|
| |
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
| |
--
|
| | |
|
| |
|
|
| |
--
|
| |
|
|
|
|
|
| |
--
(proofread by the debian-l10n-french team)
GnuPG-bug-id: 7469
|
| |
|
|
|
|
|
| |
* g10/decrypt-data.c (decrypt_data): Print the aead_algo
--
GnuPG-bug-id: 7398
|
| |
|
|
|
|
|
| |
* dirmngr/dirmngr.c (gpgconf_versions): Get and show nPth version.
--
Note that this requires nPth 1.8
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* tools/gpgtar-extract.c (extract_directory): Factor parent directory
creation out to ..
(try_mkdir_p): new.
(extract_regular): Create directory on ENOENT.
* g10/pubkey-enc.c (get_it): Use log_info instead of log_error if the
public key was not found for preference checking.
--
If tarball was created with
tar cf tarball file1.txt foo/file2.txt
the tarball has no entry for foo/ and thus the extraction fails. This
patch fixes this.
GnuPG-bug-id: 7380
The second patch avoid a wrong exit status status line due to the use
of log_error. But the actual cause needs stuill needs tobe
investigated.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/packet.h (PKT_public_key): Increased size of req_usage to 16.
* g10/getkey.c (key_byname): Set allow_adsk in the context if ir was
requested via req_usage.
(finish_lookup): Allow RENC usage matching.
* g10/keyedit.c (append_adsk_to_key): Adjust the assert.
* g10/keygen.c (prepare_adsk): Also allow to find an RENC subkey.
--
If an ADSK is to be added it may happen that an ADSK subkey is found
first and this should then be used even that it does not have the E
usage. However, it used to have that E usage when it was added.
While testing this I found another pecularity: If you do
gpg -k ADSK_SUBKEY_FPR
without the '!' suffix and no corresponding encryption subkey is dound,
you will get an unusabe key error. I hesitate to fix that due to
possible side-effects.
GnuPG-bug-id: 6882
Backported-from-master: d30e345692440b9c6677118c1d20b9d17d80f873
Note that we still use the NO_AKL and not the newer TRY_LDAP in 2.2.
We may want to backport that change as well.
|
| |
|
|
|
|
|
|
|
|
|
| |
* agent/trustlist.c (istrusted_internal): When LISTMODE is enabled,
TRUSTLISTFPR status output should be done.
--
GnuPG-bug-id: 7363
Fixes-commit: 4fa82eec43e8d205fa336113f6ea554923fd6986
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
| |
--
|
| | |
|
| |
|
|
| |
--
|
| |
|
|
| |
--
|
| |
|
|
|
|
|
|
|
|
| |
* dirmngr/crlcache.c (crl_cache_list): Print a summary of URLs.
* sm/call-dirmngr.c (gpgsm_dirmngr_run_command): Print a notice to
stdout if the dirmngr has been disabled.
--
GnuPG-bug-id: 7337
|
| |
|
|
|
|
|
|
| |
* sm/call-agent.c (gpgsm_agent_istrusted): Actually set istrusted
list.
--
Fixes-commit: 9087c1d3637cf1c61744ece0002dc0dc5675d7c9
|
| |
|
|
|
|
|
|
|
| |
* g10/keygen.c (prepare_adsk): Emit status error.
--
This is useful for GPGME.
GnuPG-bug-id: 7322
|
| |
|
|
|
|
|
| |
* sm/gpgsm.c (compatibility_flags): Add flag.
* sm/gpgsm.h (COMPAT_NO_KEYINFO_CACHE): New.
* sm/call-agent.c (gpgsm_agent_istrusted): Act upon it.
(gpgsm_agent_keyinfo): Ditto.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* sm/gpgsm.h (struct keyinfo_cache_item_s): New.
(struct server_control_s): Add keyinfo_cache and keyinfo_cache_valid.
* sm/call-agent.c (keyinfo_cache_disabled): New flag.
(release_a_keyinfo_cache): New.
(gpgsm_flush_keyinfo_cache): New.
(struct keyinfo_status_parm_s): New.
(keyinfo_status_cb): Implement a fill mode.
(gpgsm_agent_keyinfo): Implement a cache.
* sm/server.c (reset_notify): Flush the cache.
* sm/gpgsm.c (gpgsm_deinit_default_ctrl): Ditto.
--
In almost all cases we have just a few private keys in the agent and
thus it is better to fetch them early. This does not work in a
restricted connection but we take care and disable the cache in this
case.
This cache gives a a minor speed up.
GnuPG-bug-id: 7308
(cherry picked from commit 241971fac0fc52efc87ed5753a01d18b0672d900)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* sm/call-agent.c (struct istrusted_cache_s): New.
(istrusted_cache, istrusted_cache_valid): New.
(istrusted_cache_disabled): New.
(flush_istrusted_cache): New.
(struct istrusted_status_parm_s): New.
(istrusted_status_cb): Fill the cache.
(gpgsm_agent_istrusted): Implement a cache.
--
Not a really measurable performance improvements on Linux but maybe
somewhat on Windows (not yet tested). However, it does not clutter
the log files with IPC calls returning NOT_TRUSTED.
GnuPG-bug-id: 7308
(cherry picked from commit ef2be95258d2e02659e96f6c4df5a9a1a233c8fd)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* agent/trustlist.c (istrusted_internal): Add arg listmode and print
new status line in this mode. Adjust callers.
(agent_listtrusted): Add new args ctrl and status_mode. Get all
trusted keys and then call is_trusted_internal for all of them.
* agent/command.c (cmd_listtrusted): Add new option --status.
--
This allows in a non-restricted connection to list all trusted keys in
one go.
(cherry picked from commit 4275d5fa7a51731544d243ba16628a9958ffe3ce)
|
| |
|
|
| |
--
|
| |
|
|
|
|
|
|
|
|
|
| |
* sm/minip12.c (parse_shrouded_key_bag): Increase size of salt buffer.
--
Reported on the mailing list. The change does not seem to have a big
regression risk, thus applied. See below for the mail
# ------------------------ >8 ------------------------
https://lists.gnupg.org/pipermail/gnupg-users/2024-September/067312.html
|
| |
|
|
|
|
|
|
|
| |
--
Also one old option.
GnuPG-bug-id: 6882
(cherry picked from commit df977729ff3879fdeab7bce339b95ee3fd8ecc42)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* sm/gpgsm.h (COMPAT_NO_CHAIN_CACHE): New.
(struct cert_cache_item_s, cert_cache_item_t): New.
(struct server_control_s): Add parent_cert_cache.
* sm/gpgsm.c (compatibility_flags): Add "no-chain-cache".
(parent_cache_stats): New.
(gpgsm_exit): Print the stats with --debug=memstat.
(gpgsm_deinit_default_ctrl): Release the cache.
* sm/certchain.c (gpgsm_walk_cert_chain): Cache the certificates.
(do_validate_chain): Ditto.
--
This gives another boost of 30% (from 6.5 to 4.0 seconds in the test
environment with ~1000 certs). do_validate_chain actually brings us
the speedup becuase the gpgsm_walk_cert_chain is not used during a key
listing. For the latter we actually cache all certificates because
that was easier.
GnuPG-bug-id: 7308
Adjusted for 2.2:
- Add gpgsm_deinit_default_ctrl
- Remove ctrl arg from keydb_new
|
| |
|
|
|
|
|
|
|
|
| |
* kbx/keybox-search.c (keybox_get_cert): Store the blob clags in the
cert object.
* sm/certchain.c (do_validate_chain): Skip clearing of the ephemeral
flag if we know that it is not set.
--
GnuPG-bug-id: 7308
|
| |
|
|
|
|
|
|
|
|
|
| |
* g10/getkey.c (has_key_with_fingerprint): New.
* g10/keyedit.c (menu_addadsk): Replace code by new function.
(keyedit_quick_addadsk): Handle magic arg "default".
* g10/keygen.c (append_all_default_adsks): New.
--
GnuPG-bug-id: 6882
(cherry picked from commit 77afc9ee1c75a28083edf6d98888f9b472c3e39d)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* g10/gpg.c (enum cmd_and_opt_values): Add aQuickAddADSK.
(opts): Add --quick-add-adsk.
(main): Call the actual function.
* g10/keyedit.c (keyedit_quick_addadsk): New.
(menu_addadsk): Add arg adskfpr and change caller.
--
GnuPG-bug-id: 6395
(cherry picked from commit 9f27e448bf1f825906f3c53e3428087d34bbd8fc)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/free-packet.c (copy_public_key): Factor some code out to ...
(copy_public_key_basics): new.
* keygen.c (keygen_add_key_flags_and_expire): Rewrite and make public.
* g10/keyedit.c (enum cmdids): Add cmdADDADSK.
(keyedit_menu): Add command "addadsk".
(menu_addadsk): New.
* g10/options.h (opt): Add field def_new_key_adsks.
* g10/gpg.c (oDefaultNewKeyADSK): New.
(opts): Add --default-new-key-adsk.
(main): Parse option.
* g10/keyedit.c (menu_addadsk): Factor some code out to ...
(append_adsk_to_key): new. Add compliance check.
* g10/keygen.c (pADSK): New.
(para_data_s): Add adsk to the union.
(release_parameter_list): Free the adsk.
(prepare_adsk): New.
(get_parameter_adsk): New.
(get_parameter_revkey): Remove unneeded arg key and change callers.
(proc_parameter_file): Prepare adsk parameter from the configured
fingerprints.
(do_generate_keypair): Create adsk.
--
GnuPG-bug-id: 6882
(cherry picked from commit ed118e2ed521d82c1be7765a0a19d5b4f19afe10)
and modified to adjust to other code changes
|
| |
|
|
|
|
|
|
|
|
| |
* common/strlist.c (append_to_strlist_try): Factor code out to ...
(do_append_to_strlist): new.
(tokenize_to_strlist): New.
* common/t-strlist.c (test_tokenize_to_strlist): New.
(cherry picked from commit d2dca58338a4936b293c3ec6be4572d0e74b6a0d)
|
| |
|
|
|
|
|
|
|
|
|
| |
* common/exechelp.h [HAVE_W32_SYSTEM] (get_max_fds): Don't expose.
(close_all_fds, get_all_open_fds): Likewise.
* common/exechelp-w32.c: Don't expose unused functions.
--
GnuPG-bug-id: 7293
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/trustdb.c (copy_key_item): New.
(validate_keys): Use a stripped down UTK list w/o expired keys.
--
This patch makes sure that an expired trusted key is not used for
trust computation. The test case is to delete a trusted key from the
keyring, import a copy of that key which has already expired, check
that a signed key is not anymore fully trusted and finally import a
prolonged version of the trusted key and check that the signed key is
now again fully trusted.
GnuPG-bug-id: 7200
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/import.c (import_one_real): Rename non_self to non_self_or_utk.
If not set after chk_self_sigs check whether the imported key is an
ultimately trusted key.
--
The revalidation mark was only set if the imported key had a new key
signature. This is in general correct but not if the imported key is
a trusted key.
GnuPG-bug-id: 7200
|
| |
|
|
|
|
|
|
|
|
|
| |
* g10/trustdb.c (store_validation_status): Remove arg 'stored'.
(validate_keys): Remove keyhashtable 'stored' which was never used.
--
This has been here since 2003. The variable was never evaluated -
only stored.
Also added some comments.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/decrypt-data.c (struct decode_filter_context_s): Add flag
checktag_failed.
(aead_checktag): Set flag.
(decrypt_data): Initially clear that flag and check the flag after the
decryption.
* g10/mainproc.c (proc_encrypted): Revert the log_get_errorcount based
check.
--
This fixes a bug where for an OCB encrypted and signed message with
the signing key missing during decryption the DECRYPTION_FAILED status
line was printed along with "WARNING: encrypted message has been
manipulated". This was because we use log_error to show that the
signature could not be verified due to the missing pubkey; the
original fix looked at the error counter and thus triggered the
decryption failed status.
Fixes-commit: 82b39fe254703776209cebb88f428bf2d1eb596b
GnuPG-bug-id: 7042
|
