Commit message | Author | Age | Files | Lines (-removed/+added)
* scd:nks: Minor additions to the basic IDLM application support.
  Werner Koch | 2022-10-20 | 1 file | -15/+25

  * scd/app-nks.c (filelist): Use special value -1 for IDLM pubkeys.
  (keygripstr_from_pk_file): Handle special value.
  (do_readcert): Ditto.
  (do_writecert): Ditto.
  --
  This allows getting information about the keys from the card. However, do_readkey still requires a fallback to readcert. This does not work because there are no certificates yet on the card. The fix is to fully implement do_readkey.

  (cherry picked from commit 806547d9d243b26c2275fc00c645ee39d258b49b)
* scd,nks: Fix caching keygrip.
  NIIBE Yutaka | 2022-10-20 | 1 file | -3/+4

  * scd/app-nks.c (keygripstr_from_pk_file): Identify by cfid if available.
  --
  GnuPG-bug-id: 5150, 6252
  Signed-off-by: NIIBE Yutaka <[email protected]>
  Backported-from-master: 920154370834ad8d947aed19c9d914a27dde6baa
* scd:nks: Emit the algo string with KEYPAIRINFO
  Werner Koch | 2022-10-20 | 1 file | -15/+48

  * scd/app-nks.c (do_learn_status_core): Emit the algo string as part of a KEYPAIRINFO.
  (struct fid_cache_s): Add field algostr.
  (flush_fid_cache): Release it.
  (keygripstr_from_pk_file): Fill it and add it to the cache. Use a single exit label. Set algostr.
  --
  Signed-off-by: Werner Koch <[email protected]>
  Backported-from-master: 26da47ae53d51e16ae6867cd419ddbf124a94933
  Backported-from-master: 006944b856ee2202905290e8a2f5523a7877d444
  GnuPG-bug-id: 6252, 5144

  This has been backported to keep this, and only this, module in sync with master. All other changes from the original patch have been stripped.
* scd:nks: Implement writecert for the Signature card v2.
  Werner Koch | 2022-10-20 | 3 files | -8/+134

  * scd/iso7816.c (CMD_UPDATE_BINARY): New.
  (iso7816_update_binary): New.
  * scd/app-nks.c (do_deinit): Factor some code out to...
  (flush_fid_cache): New.
  (do_writecert): New.
  (app_select_nks): Register new handler.
  --
  This has been backported only to make the following backports easier. The code is only used in 2.3; for details see the original commit message.

  Signed-off-by: Werner Koch <[email protected]>
  Backported-from-master: c1663c690b29d2dea8bc782c42de5eca08a24cc9
  GnuPG-bug-id: 6252
* scd:nks: Fix certificate read problem with TCOS signature card v2.
  Werner Koch | 2022-10-20 | 1 file | -0/+2

  * scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN.
  (do_readcert): Test for the app_id.
  --
  Signed-off-by: Werner Koch <[email protected]>
  Backported-from-master: 07aef873ebc77241e9a2be225537319f6fc15a41
  GnuPG-bug-id: 6252
* scd:nks: Fix remaining tries warning in --reset mode.
  Werner Koch | 2022-10-20 | 1 file | -9/+10

  * scd/app-nks.c (do_change_pin): Change computation of 'remaining'.
  --
  Signed-off-by: Werner Koch <[email protected]>
  Backported-from-master: 2429e8559844e27de478d7e90834a714b3748834
  GnuPG-bug-id: 6252
* scd:nks: Add framework to support IDKey cards.
  Werner Koch | 2022-10-20 | 1 file | -51/+124

  * scd/app-nks.c (NKS_APP_IDLM): New.
  (struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
  (do_learn_status): Always send CHV-STATUS.
  (find_fid_by_keyref): Basic support for IDLM only use.
  (do_learn_status_core): Ditto.
  (do_readcert): Ditto.
  (verify_pin): Ditto.
  (parse_pwidstr): Ditto.
  (do_with_keygrip): Ditto.
  (switch_application): Ditto.
  (app_select_nks): Fallback to IDLM.
  --
  Backported-from-master: 1f6a39092fe4b5f02bc4741a0a23d102d30f4063
  GnuPG-bug-id: 6252

  Although not directly required for the Signature Card 2.0, it is easier to port this patch as well.
* scd:nks: Get the PIN prompts right for the Signature Card
  Werner Koch | 2022-10-20 | 1 file | -56/+136

  * scd/app-nks.c (get_dispserialno): Move more to the top.
  (do_getattr): Add $DISPSERIALNO and SERIALNO. Make CHV-STATUS work with NKS15.
  (verify_pin): Use dedicated min. PIN lengths.
  (parse_pwidstr): Support NKS15.
  --
  GnuPG-bug-id: 4938
  Signed-off-by: Werner Koch <[email protected]>
  (cherry picked from commit aecc008acb64ebbb6c667c4a128af4e61da57f84)
* scd:nks: Support decryption using ECDH.
  Werner Koch | 2022-10-20 | 1 file | -74/+307

  * scd/app-nks.c (struct fid_cache_s): Add field 'algo'.
  (keygripstr_from_pk_file): Add arg 'r_algo' to return the algo.
  (find_fid_by_keyref): Ditto.
  (get_dispserialno): New.
  (make_prompt): New.
  (verify_pin): Provide better prompts.
  (do_decipher): Support ECDH.
  (parse_pwidstr): Add hack to specify any pwid.
  (do_change_pin): Support Signature Card V2.0 (NKS15) style NullPIN. Provide a better prompt.
  --
  GnuPG-bug-id: 4938, 6252
  Signed-off-by: Werner Koch <[email protected]>
  Backported-from-master: af45d884aa1c3eccbc6972a2e5197ece3fd1987a
* scd:nks: Add do_with_keygrip and implement a cache.
  Werner Koch | 2022-10-20 | 1 file | -90/+349

  * scd/app-nks.c (struct fid_cache_s): New.
  (struct app_local_s): Add field 'fid_cache'.
  (do_deinit): Release the cache.
  (keygripstr_from_pk_file): Implement the cache.
  (find_fid_by_keyref): New.
  (do_sign, do_decipher): Use new function.
  (do_with_keygrip): New.
  --
  Signed-off-by: Werner Koch <[email protected]>
  Backported-from-master: 1e72a1a218490c0fc07811a02ddad6cc38913f77
  GnuPG-bug-id: 6252
* scd:nks: Allow retrieving certificates from a Signature Card v.20
  Werner Koch | 2022-10-20 | 1 file | -165/+302

  * scd/app-nks.c: Major rework to support non-RSA cards.
  --
  This is a first step to support this ECC card. The code has been reworked while taking care that old cards should keep on working.

  Signed-off-by: Werner Koch <[email protected]>
  Backported-from-master: f05a32e5c9db7d0840c74fccc350a9e0ff5fb819
  GnuPG-bug-id: 6252
* gpg: Move NETLIBS after GPG_ERROR_LIBS (another).
  NIIBE Yutaka | 2022-10-18 | 1 file | -1/+1

  * g10/Makefile.am (t_keydb_LDADD): Add NETLIBS after GPG_ERROR_LIBS.
  --
  Fixes-commit: b26bb03ed96f380ad603f7ad902862625233c931
  GnuPG-bug-id: 6244
  Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Fix build with no LDAP support.
  NIIBE Yutaka | 2022-10-18 | 1 file | -0/+2

  * dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize.
  --
  Cherry-pick master commit of: 7011286ce6e1fb56c2989fdafbd11b931c489faa
  GnuPG-bug-id: 6239
  Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Move NETLIBS after GPG_ERROR_LIBS.
  NIIBE Yutaka | 2022-10-18 | 1 file | -6/+6

  * g10/Makefile.am (LDADD): Remove NETLIBS.
  (gpg_LDADD, gpgv_LDADD): Add NETLIBS after GPG_ERROR_LIBS.
  (gpgcompose_LDADD, t_keydb_get_keyblock_LDADD): Likewise.
  (t_stutter_LDADD): Likewise.
  --
  GnuPG-bug-id: 6244
  Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Report an error for receiving key from agent.
  NIIBE Yutaka | 2022-10-13 | 1 file | -0/+1

  * g10/export.c (do_export_one_keyblock): Report an error.
  --
  GnuPG-bug-id: 5151
  Signed-off-by: NIIBE Yutaka <[email protected]>
* Post release updates
  Werner Koch | 2022-10-13 | 3 files | -2/+6

  --
  Also switch speedo to use https instead of ftp for download.
* Release 2.2.40 (tag: gnupg-2.2.40)
  Werner Koch | 2022-10-10 | 2 files | -4/+29
* po: Auto update
  Werner Koch | 2022-10-10 | 1 file | -1/+3
* gpg: For de-vs use AES-128 instead of 3DES as implicit preference.
  Werner Koch | 2022-10-10 | 1 file | -2/+10

  * g10/pkclist.c (select_algo_from_prefs): Change implicit cipher algorithm.
  --
  Although 3DES is still a compliant algorithm, some other software does not consider it as compliant but also does not set preferences accordingly. Thus it is better to switch the implicit cipher algorithm, similar to what we already did with SHA-1.

  Note that in GnuPG 2.3 3DES is already not used here anymore.

  GnuPG-bug-id: 6063
* sm: Fix reporting of bad passphrase error
  Ingo Klöcker | 2022-10-10 | 1 file | -1/+4

  * sm/minip12.c (p12_parse): Set badpass flag to result in ctx.
  --
  Fixes-commit: 4c14bbf56fb544541bd65f9d6e6e0b81779dcab6
  GnuPG-bug-id: 5713, 6037
  (cherry picked from commit a47b3a4087349f3873eb04a83dc2a0f512cacf86)
* wkd: Implement --blacklist option for gpg-wks-client
  Werner Koch | 2022-10-07 | 3 files | -4/+193

  * tools/gpg-wks-client.c (blacklist_array, blacklist_array_len): New.
  (parse_arguments): Install blacklist.
  (read_file): New.
  (cmp_blacklist, add_blacklist, is_in_blacklist): New.
  (mirror_one_key): Check list.
  * tools/gpg-wks.h (opt): Remove field blacklist.
  --
  GnuPG-bug-id: 6224
  (cherry picked from commit b0b4e24c4fa80c10d310a229f5a0c65a57ad9393)
* wkd: Restrict gpg-wks-client --mirror to the given domains.
  Werner Koch | 2022-10-07 | 1 file | -16/+62

  * tools/gpg-wks-client.c (domain_matches_mbox): New.
  (mirror_one_key): Skip non-matching domains.
  (command_mirror): Change args to allow for several domains.
  --
  Although dirmngr returns only the keys matching a certain domain, those keys may still have user ids from other domains. Now we publish only the user-ids as specified on the command line.

  GnuPG-bug-id: T6224
  (cherry picked from commit 0a151548b623813d48516a4629b7c3884875a384)
* wkd: Silence gpg-wks-client diagnostics from gpg.
  Werner Koch | 2022-10-07 | 2 files | -13/+13

  * tools/gpg-wks-client.c (add_user_id): Pass --quiet to gpg unless we are running in double verbose mode.
  (decrypt_stream): Ditto.
  (encrypt_response): Ditto.
  (mirror_one_keys_userid): Ditto.
  * tools/wks-util.c (wks_get_key): Ditto.
  (wks_list_key): Ditto.
  (wks_filter_uid): Ditto.

  (cherry picked from commit 4364283f757fceab454d48d461a9f88c31247a07)
* wkd: New command --mirror for gpg-wks-client.
  Werner Koch | 2022-10-07 | 5 files | -30/+306

  * tools/gpg-wks-client.c (aMirror,oBlacklist,oNoAutostart): New.
  (opts): Add --mirror, --no-autostart, and --blacklist.
  (parse_arguments): Parse new options.
  (main): Implement aMirror.
  (mirror_one_key_parm): New.
  (mirror_one_keys_userid, mirror_one_key): New.
  (command_mirror): New.
  * tools/gpg-wks.h (struct uidinfo_list_s): Add fields flags.
  * tools/wks-util.c (wks_cmd_install_key): Factor some code out to ...
  (wks_install_key_core): new.
  * tools/call-dirmngr.c (wkd_dirmngr_ks_get): New.
  --
  This implements the basic LDAP to WKD mirroring. The blacklist option and domain restrictions are not yet fully implemented.

  Take care: In OpenLDAP you may need to increase the paged result limit by using a configuration like:

      dn: olcDatabase={1}mdb,cn=config
      changetype: modify
      replace: olcLimits
      olcLimits: dn.subtree="dc=example,dc=org" size.prtotal=unlimited

  GnuPG-bug-id: 6224
  Backported-from-master: 7ccd489aa2e5c5ef6c4554c9f04dd74394b43409
* common: Protect against a theoretical integer overflow in tlv.c
  Werner Koch | 2022-10-07 | 1 file | -0/+5

  * common/tlv.c (parse_ber_header): Protect against integer overflow.
  --
  Although there is no concrete case where we use the (nhdr + length), it is better to protect against this already here.
* dirmngr: Support paged LDAP mode for KS_GET
  Werner Koch | 2022-10-07 | 3 files | -37/+215

  * dirmngr/ks-engine-ldap.c (PAGE_SIZE): New.
  (struct ks_engine_ldap_local_s): Add several new fields.
  (ks_ldap_clear_state): Release them.
  (search_and_parse): Factored out from ks_ldap_get and extended to support the paged mode.
  (ks_ldap_get): Implement the paged mode for --first and --next.
  * dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first mode.
  * dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS.
  --
  The paged mode allows retrieving more items than the servers usually limit (e.g. 1000 for an LDS). This patch also allows using --first without a pattern to retrieve all keyblocks (except for disabled and revoked keys).

  GnuPG-bug-id: 6224
  Backported-from-master: 7a01e806eac4cd7a65eaf3e17dcd2f117ec2d327
* dirmngr: New options --first and --next for KS_GET.
  Werner Koch | 2022-10-07 | 6 files | -132/+344

  * dirmngr/server.c (cmd_ks_get): Add option --first and --next.
  (start_command_handler): Free that new ldap state.
  * dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New.
  (ks_ldap_new_state, ks_ldap_clear_state): New.
  (ks_ldap_free_state): New.
  (return_one_keyblock): New. Mostly factored out from ....
  (ks_ldap_get): here. Implement --first/--next feature.
  * dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to ks_get_flags.
  * dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New.
  (KS_GET_FLAG_FIRST): New.
  (KS_GET_FLAG_NEXT): New.
  * dirmngr/dirmngr.h (struct server_control_s): Add member ks_get_state.
  (struct ks_engine_ldap_local_s): New forward reference.
  --
  This feature allows fetching keyblock by keyblock from an LDAP server. This way tools can process and maybe filter each keyblock in a more flexible way. Here is an example where two keyblocks for one mail address are returned:

      $ gpg-connect-agent --dirmngr
      > ks_get --ldap --first <[email protected]>
      [... First keyblock is returned ]
      OK
      > ks_get --next
      [ ... Next keyblock is returned ]
      OK
      > ks_get --next
      ERR 167772218 No data <Dirmngr>

  GnuPG-bug-id: 6224
  Backported-from-master: 4de98d4468f37bfb8352426830d5d5642ded7536
* gpg: Show just keyserver and port with --send-keys.
  Werner Koch | 2022-10-07 | 1 file | -0/+25

  * g10/call-dirmngr.c (ks_status_cb): Mangle the keyserver url.
* dirmngr: Minor fix for baseDN fallback.
  Werner Koch | 2022-10-07 | 1 file | -37/+20

  * dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data behind the EOS.
  (interrogate_ldap_dn): Stylistic change.
  --
  This also updates the my_ldap_connect description.

  GnuPG-bug-id: 6047
  (cherry picked from commit 11aa5a93a754fe978d0f35d7fbeb4767b6b6df05)
* dirmngr: Fix the function prototype.
  NIIBE Yutaka | 2022-10-07 | 1 file | -1/+1

  * dirmngr/ldap-wrapper.c (ldap_wrapper_wait_connections): It's with no arguments.
  --
  Signed-off-by: NIIBE Yutaka <[email protected]>
  (cherry picked from commit 530d709607e54465ce47c1fc7d2554ea3b0bea6b)
* dirmngr: Change interrogate_ldap_dn for better memory semantics.
  NIIBE Yutaka | 2022-10-07 | 1 file | -28/+12

  * dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): Return BASEDN found, memory allocated.
  (my_ldap_connect): Follow the change, removing needless allocation.
  --
  GnuPG-bug-id: 6047
  Signed-off-by: NIIBE Yutaka <[email protected]>
  (cherry picked from commit 4b2066afb4988c32a030330acf51b7b0dc190041)
* dirmngr: Interrogate LDAP server when base DN specified.
  Joey Berkovitz | 2022-10-07 | 1 file | -7/+26

  * dirmngr/ks-engine-ldap.c (my_ldap_connect): Interrogate LDAP server when basedn specified.
  --
  GnuPG-bug-id: 6047
  Signed-off-by: Joey Berkovitz <[email protected]>
  (cherry picked from commit 3257385378bb3f19ebf089538f0efe2154487989)
* dirmngr: Support gpgMailbox for mode MAILSUB and MAILEND.
  Werner Koch | 2022-10-07 | 1 file | -2/+8

  * dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Use gpgMailbox if server supports this.
* dirmngr: Factor out interrogate_ldap_dn function.
  Werner Koch | 2022-10-07 | 1 file | -66/+71

  * dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New.
  --
  GnuPG-bug-id: 6047
  Signed-off-by: NIIBE Yutaka <[email protected]>
  Backported-from-master: 993820c315216584e23d36299920007abfeb3a32
* po: Fix wrong LF in the German translation
  Werner Koch | 2022-10-07 | 1 file | -6/+3

  --
  Reported-by: [email protected]

  Also fix one typo.
* gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant.
  Werner Koch | 2022-09-29 | 1 file | -2/+7

  * g10/encrypt.c (check_encryption_compliance): Check gcrypt compliance before emitting an ENCRYPTION_COMPLIANCE_MODE status.
  --
  GnuPG-bug-id: 6221
* doc: Typo fix in a comment.
  Werner Koch | 2022-09-28 | 1 file | -1/+1
* dirmngr: Fix lost flags during LDAP upload
  Werner Koch | 2022-09-28 | 2 files | -36/+39

  * dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const. Use strtokenize instead of strtok style parsing.
  --
  This fixes a problem which resulted in a General Error for the second key to be uploaded in the same session. But only if the colon format to specify a keyserver with flags was used.
* dirmngr: New server flag "areconly" (A-record-only)
  Werner Koch | 2022-09-28 | 6 files | -3/+51

  * dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
  * dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly".
  * dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
  * dirmngr/dirmngr_ldap.c: Add option --areconly.
  (connect_ldap): Implement option.
  * dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.
  --
  This flag is used to pass the Windows specific option LDAP_OPT_AREC_EXCLUSIVE. It is ignored on other systems.

  Signed-off-by: Werner Koch <[email protected]>
* gpg: Don't consider unknown keys as non-compliant while decrypting.
  Werner Koch | 2022-09-22 | 1 file | -4/+4

  * g10/mainproc.c (proc_encrypted): Change compliance logic.
  --
  For the description of the problem see https://dev.gnupg.org/T6205#163306

  GnuPG-bug-id: 6205
* dirmngr: Fix CRL DP error fallback to other schemes.
  Werner Koch | 2022-09-16 | 1 file | -28/+12

  * dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop. Remove the unused issuername_uri stuff.
  --
  It is quite common that LDAP servers are blocked and thus the HTTP access point should be used instead. This worked well for certificates where the DP are given in this form:

      crlDP: ldap://x500.bund.de/[...]
             http://x500.bund.de/[...]
      issuer: none

  but it failed for this form

      crlDP: ldap://x500.bund.de/[...]
      issuer: none
      crlDP: http://x500.bund.de/[...]
      issuer: none

  because the LAST_ERR thing terminated the outer loop. This patch fixes this and also cleans up the code to be more robust.

  Note that the common workaround of using --ignore-ldap-dp will now only be needed if the firewall uses packet dropping instead of proper ICMP rejects.
* build: Update gpg-error.m4.
  NIIBE Yutaka | 2022-09-15 | 1 file | -1/+2

  * m4/gpg-error.m4: Update from libgpg-error.
  --
  Signed-off-by: NIIBE Yutaka <[email protected]>
* Post release updates
  Werner Koch | 2022-09-02 | 2 files | -1/+7
* Release 2.2.39 (tag: gnupg-2.2.39)
  Werner Koch | 2022-09-02 | 1 file | -1/+4
* speedo: Authenticode sign two more tools.
  Werner Koch | 2022-09-02 | 1 file | -0/+2
* common: Make nvc_lookup more robust.
  Werner Koch | 2022-09-01 | 1 file | -1/+12

  * common/name-value.c (nvc_first): Allow for NULL arg.
  (nvc_lookup): Allow for PK being NULL.
  --
  GnuPG-bug-id: 6176
* Post release updates
  Werner Koch | 2022-09-01 | 27 files | -670/+653
* Release 2.2.38 (tag: gnupg-2.2.38)
  Werner Koch | 2022-09-01 | 1 file | -1/+10
* po: Update Japanese Translation.
  NIIBE Yutaka | 2022-09-01 | 1 file | -7/+6

  --
  Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: New option --debug-cache-expired-certs.
  Werner Koch | 2022-08-31 | 3 files | -3/+14

  * dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs.
  * dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
  (opts): Add option.
  (parse_rereadable_options): Set option.
  * dirmngr/certcache.c (put_cert): Handle the option.