Commit message | Author | Age | Files | Lines
...
* dirmngr: Fix handling of CNAMEed keyserver pools. | Werner Koch | 2018-04-26 | 3 | -1/+36
  * dirmngr/ks-engine-hkp.c (map_host): Don't use the cname for HTTPHOST.
  * dirmngr/server.c (make_keyserver_item): Map keys.gnupg.net.
  --
  For a description of the problem see the comment in make_keyserver_item.
  GnuPG-bug-id: 3755
  Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Add the used TLS library to the debug output. | Werner Koch | 2018-04-25 | 2 | -4/+15
  * dirmngr/http.c (send_request): Print the used TLS library in debug mode.
  --
  We allow two different TLS libraries and thus it is useful to see that in the debug output of bug reports.
  Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Allow redirection from https to http for CRLs | Werner Koch | 2018-04-25 | 5 | -21/+40
  * dirmngr/ks-engine.h (KS_HTTP_FETCH_NOCACHE): New flag.
  (KS_HTTP_FETCH_TRUST_CFG): Ditto.
  (KS_HTTP_FETCH_NO_CRL): Ditto.
  (KS_HTTP_FETCH_ALLOW_DOWNGRADE): Ditto.
  * dirmngr/ks-engine-http.c (ks_http_fetch): Replace args send_no_cache and extra_http_trust_flags by a new flags arg. Allow redirecting from https to http if KS_HTTP_FETCH_ALLOW_DOWNGRADE is set.
  * dirmngr/loadswdb.c (fetch_file): Call with KS_HTTP_FETCH_NOCACHE.
  * dirmngr/ks-action.c (ks_action_get): Ditto.
  (ks_action_fetch): Ditto.
  * dirmngr/crlfetch.c (crl_fetch): Call with the appropriate flags.
  --
  Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Implement CRL fetching via https. | Werner Koch | 2018-04-25 | 10 | -131/+133
  * dirmngr/http.h (HTTP_FLAG_TRUST_CFG): New flag.
  * dirmngr/http.c (http_register_cfg_ca): New.
  (http_session_new) [HTTP_USE_GNUTLS]: Implement new trust flag.
  * dirmngr/certcache.c (load_certs_from_dir): Call new function.
  (cert_cache_deinit): Ditto.
  * dirmngr/http-ntbtls.c (gnupg_http_tls_verify_cb): Ditto.
  * dirmngr/ks-engine-http.c (ks_http_fetch): Add new args 'send_no_cache' and 'extra_http_trust_flags'. Change all callers to provide the default value.
  * dirmngr/crlfetch.c (crl_fetch): Rewrite to make use of ks_http_fetch.
  --
  The old code simply did not use https for downloading of CRLS. Instead it rewrote https to http under the assumption that the CRL service was also available without encryption. Note that a CRL is self-standing and thus it does not need to have extra authenticity as provided by TLS. These days we should not use any unencrypted content and thus this patch.
  Be aware that cacert.org gives a https CRL DP but that currently redirects to http! This is a downgrade attack which we detect and don't allow. The outcome is that it is right now not possible to use CAcert certificates.
  Signed-off-by: Werner Koch <[email protected]>
* g10: Fix printing the keygrip with --card-status. | NIIBE Yutaka | 2018-04-25 | 1 | -1/+1
  * g10/card-util.c (current_card_status): Keygrip for Auth is 3.
  --
  Fixes-commit: fd595c9d3642dba437fbe0f6e25d7aaaae095f94
  Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Fallback to CRL if no default OCSP responder is configured. | Werner Koch | 2018-04-24 | 2 | -47/+59
  * dirmngr/server.c (cmd_isvalid): Use option second arg to trigger OCSP checking. Fallback to CRL if no default OCSP responder has been configured.
  * sm/call-dirmngr.c (gpgsm_dirmngr_isvalid): Adjust accordingly.
  Signed-off-by: Werner Koch <[email protected]>
* doc: Update NEWS and add an example to gpg.texi. | Werner Koch | 2018-04-23 | 2 | -1/+23
  --
* Revert "po: correct label tags in Polish translation" | Werner Koch | 2018-04-23 | 1 | -34/+34
  --
  The changed tags need to be kept localized because the description text refers to them. Using the English for the tag and then the translated version in the description confuses users.
  Fixes-commit: a5290dace7f85d66272af3e14f9f2bc43d2a4af8.
* Revert "po: correct label tags in Finnish translation" | Werner Koch | 2018-04-23 | 1 | -24/+24
  --
  The changed tags need to be kept localized because the description text refers to them. Using the English for the tag and then the translated version in the description confuses users.
  Fixes-commit: e12475429578add12a53fb2232cb45dc9e2aae1b.
* dirmngr: More binary I/O on Windows for CRLs | Andre Heinecke | 2018-04-20 | 1 | -2/+5
  * dirmngr/crlcache.c (lock_db_file, crl_cache_insert): Open cache file in binary mode.
  --
  CRLs on Windows would have line ending entries converted. This did not cause problems in a surprising amount of cases but can lead to unexpected and random parse / read errors. Especially with large CRLs like cacert.
  This bug has been around since 2004.
  GnuPG-Bug-Id: T3923
  Signed-off-by: Andre Heinecke <[email protected]>
* doc: Remove unnecessary empty flags in vsndf.prf | Andre Heinecke | 2018-04-20 | 1 | -1/+1
  * doc/examples/vsnfd.prf (max-cache-ttl): Remove empty flags.
  Signed-off-by: Andre Heinecke <[email protected]>
* po: more updates to Spanish translation | emma peel | 2018-04-16 | 1 | -110/+105
  Signed-off-by: Daniel Kahn Gillmor <[email protected]>
* po: correct attribution for Spanish translation | emma peel | 2018-04-16 | 1 | -3/+2
  Signed-off-by: Daniel Kahn Gillmor <[email protected]>
* po: correct label tags in Polish translation | emma peel | 2018-04-16 | 1 | -34/+34
  Signed-off-by: Daniel Kahn Gillmor <[email protected]>
* po: correct label tags in Finnish translation | emma peel | 2018-04-16 | 1 | -24/+24
  Signed-off-by: Daniel Kahn Gillmor <[email protected]>
* build: New target "release" to automate the release process. | Werner Koch | 2018-04-15 | 1 | -2/+73
  * Makefile.am (RELEASE_ARCHIVE_DIR): New.
  (RELEASE_SIGNING_KEY): New.
  (AM_DISTCHECK_CONFIGURE_FLAGS): Remove removed --enable-gpg2-is-gpg,
  (RELEASE_NAME, RELEASE_W32_STEM_NAME): New.
  (release, sign-release): New.
  --
  This requires GNU make and also some other decent utilities; however, they are anyway required for building the W32 installer.
  Signed-off-by: Werner Koch <[email protected]>
* g10: Fix memory leak in check_sig_and_print. | NIIBE Yutaka | 2018-04-13 | 1 | -0/+1
  * g10/mainproc.c (check_sig_and_print): Free the public key.
  --
  GnuPG-bug-id: 3900
  Signed-off-by: NIIBE Yutaka <[email protected]>
* g10: Push compress filter only if compressed. | NIIBE Yutaka | 2018-04-13 | 1 | -5/+8
  * g10/compress.c (handle_compressed): Fix memory leak.
  --
  All other calls of push_compress_filter check ALGO, so, do it here, too.
  GnuPG-bug-id: 3898
  Signed-off-by: NIIBE Yutaka <[email protected]>
* po: Update Spanish translation | emma peel | 2018-04-12 | 1 | -2183/+1536
  --
  Signed-off-by: Daniel Kahn Gillmor <[email protected]>
* gpg: Extend the "sig" record in --list-mode. | Werner Koch | 2018-04-12 | 10 | -21/+55
  * g10/getkey.c (get_user_id_string): Add arg R_NOUID. Change all callers.
  (get_user_id): Add arg R_NOUID. Change all callers.
  * g10/mainproc.c (issuer_fpr_string): Make global.
  * g10/keylist.c (list_keyblock_colon): Print a '?' for a missing key also in --list-mode. Print the "issuer fpr" field also if there is an issuer fingerprint subpacket.
  --
  Scripts used to rely on the "User ID not found" string even in the --with-colons listing. However, that is not a good idea because that string is subject to translations etc. Now we have an explicit way of telling that a key is missing. For example:
      gpg --list-sigs --with-colons | \
        awk -F: '$1=="sig" && $2=="?" {if($13){print $13}else{print $5}}'
  Prints all keyids or fingerprint of signing keys for which we do not have the key in our local keyring.
  Signed-off-by: Werner Koch <[email protected]>
* gpg: Extend the ERRSIG status line with a fingerprint. | Werner Koch | 2018-04-12 | 3 | -23/+50
  * g10/mainproc.c (issuer_fpr_raw): New.
  (issuer_fpr_string): Re-implement using issuer_fpr_raw.
  (check_sig_and_print): Don't free ISSUER_FPR. Use ISSUER_FPR_RAW. Use write_status_printf. Extend ERRSIG status.
  --
  Modern OpenPGP implementations put the ISSUER_FPR into the signature to make it easier to discover the public needed to check the signature. This is also useful in error messages and thus we add it.
  Signed-off-by: Werner Koch <[email protected]>
* gpg: Relax printing of STATUS_FAILURE. | Werner Koch | 2018-04-12 | 1 | -1/+1
  * g10/gpg.c (g10_exit): Print STATUS_FAILURE only based on passed return code and not on the presence of any call to log_error.
  --
  This fixes an actual regression in GPGME where FAILURE is considered for example by a signature verify operation. The operation will simply fail and not just record that a signature could not be verified. In particular for files with more than one signature a log_error is often called to show that a pubkey is missing for one of the signatures. Using that log_error is correct in that case.
  Fixes-commit: 0336e5d1a7b9d46e06c838e6a98aecfcc9542882
  Signed-off-by: Werner Koch <[email protected]>
* agent,dirmngr: Add "getenv" to the getinfo command. | Werner Koch | 2018-04-12 | 2 | -1/+37
  * agent/command.c (cmd_getinfo): Add sub-command getenv.
  * dirmngr/server.c (cmd_getinfo): Ditto.
  --
  It is sometimes helpful to be able to inspect certain envvars in a running agent. For example "http_proxy".
  Signed-off-by: Werner Koch <[email protected]>
* build: Update getswdb version check to 2.2 | Andre Heinecke | 2018-04-12 | 1 | -2/+2
  * build-aux/getswdb.sh: Check for gnupg22_ver gnupg21_ver no longer exists.
* po: Update Japanese translation. | NIIBE Yutaka | 2018-04-12 | 1 | -53/+48
  --
  Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: New option --no-symkey-cache. | Werner Koch | 2018-04-11 | 5 | -2/+22
  * g10/gpg.c (oNoSymkeyCache): New.
  (opts): Add that option.
  (main): Set var.
  * g10/options.h (struct opt): New field no_symkey_cache.
  * g10/passphrase.c (passphrase_to_dek): Implement that feature.
  Signed-off-by: Werner Koch <[email protected]>
* agent: Improve the unknown ssh flag detection. | Werner Koch | 2018-04-10 | 1 | -24/+31
  * agent/command-ssh.c (ssh_handler_sign_request): Simplify detection of flags.
  --
  Signed-off-by: Werner Koch <[email protected]>
* agent: unknown flags on ssh signing requests cause an error. [T3880-fix] [T3880] | Daniel Kahn Gillmor | 2018-04-09 | 1 | -1/+9
  * agent/command-ssh.c (ssh_handler_sign_request): if a flag is passed during a signature request that we do not know how to apply, return GPG_ERR_UNKNOWN_OPTION.
  --
  https://tools.ietf.org/html/draft-miller-ssh-agent-02#section-4.5 says:
      If the agent does not support the requested flags, or is otherwise unable or unwilling to generate the signature (e.g. because it doesn't have the specified key, or the user refused confirmation of a constrained key), it must reply with a SSH_AGENT_FAILURE message.
  Signed-off-by: Daniel Kahn Gillmor <[email protected]>
  GnuPG-bug-id: 3880
* agent: change documentation reference for ssh-agent protocol. | Daniel Kahn Gillmor | 2018-04-09 | 1 | -2/+4
  * agent/command-ssh.c: repoint documentation reference.
  --
  Damien Miller is now documenting the ssh-agent protocol via the IETF.
  Signed-off-by: Daniel Kahn Gillmor <[email protected]>
* Post release updates | Werner Koch | 2018-04-09 | 2 | -1/+5
  --
* Release 2.2.6 [gnupg-2.2.6] | Werner Koch | 2018-04-09 | 1 | -1/+44
* po: Auto-update. | Werner Koch | 2018-04-09 | 25 | -893/+2284
  --
* po: Update German translation | Werner Koch | 2018-04-09 | 1 | -41/+82
  --
  Signed-off-by: Werner Koch <[email protected]>
* doc: Typo fix in gpg.texi | Werner Koch | 2018-04-09 | 1 | -1/+1
  --
  Reported-by: Cody Brownstein
* gpg,w32: Fix empty homedir when only a drive letter is used. | Werner Koch | 2018-04-09 | 1 | -32/+63
  * common/homedir.c (copy_dir_with_fixup): New.
  (default_homedir): Use here.
  (gnupg_set_homedir): And here.
  --
  This actually fixes a couple of cases for Windows. Both --home-dir and GNUPGHOME. The interpretation of "c:" -> "c:/" might not be the correct one but because we need an absolute dir anyway it is the less surprising one. Note that this does not include a full syntax check and fixup and thus it is very well possible that the result is not an absolute directory.
  GnuPG-bug-id: 3720
  Signed-off-by: Werner Koch <[email protected]>
* doc: Add an example for --default-new-key-algo | Werner Koch | 2018-04-09 | 2 | -5/+14
  --
* doc: Document --key-edit:change-usage | Werner Koch | 2018-04-09 | 2 | -3/+14
  * g10/keyedit.c (menu_changeusage): Make strings translatable.
  --
  GnuPG-bug-id: 3816
  Signed-off-by: Werner Koch <[email protected]>
* gpg: Check that a key may do certifications. | Werner Koch | 2018-04-06 | 1 | -0/+21
  * g10/sig-check.c (check_signature_end_simple): Check key usage for certifications.
  (check_signature_over_key_or_uid): Request usage certification.
  --
  GnuPG-bug-id: 3844
  Signed-off-by: Werner Koch <[email protected]>
* gpg: Emit FAILURE stati now in almost all cases. | Werner Koch | 2018-04-06 | 3 | -11/+65
  * g10/cpr.c (write_status_failure): Make it print only once.
  * g10/gpg.c (wrong_args): Bump error counter.
  (g10_exit): Print a FAILURE status if we ever did a log_error etc.
  (main): Use log_error instead of log_fatal at one place. Print a FAILURE status for a bad option. Ditto for certain exit points so that we can see different error locations.
  --
  This makes it easier to detect errors by tools which have no way to get the exit code (e.g. due to double forking).
  GnuPG-bug-id: 3872
  Signed-off-by: Werner Koch <[email protected]>
* doc: Add a code comment about back signatures. | Werner Koch | 2018-04-06 | 1 | -1/+3
  --
* gpg: Re-indent sig-check.c and use signature class macros. | Werner Koch | 2018-04-06 | 2 | -387/+372
  * g10/keydb.h (IS_BACK_SIG): New.
  * g10/sig-check.c: Re-indent and use macros.
  --
  This makes the code easier to understand.
  Signed-off-by: Werner Koch <[email protected]>
* agent: Support SSH signature flags. | NIIBE Yutaka | 2018-04-06 | 1 | -1/+16
  * agent/command-ssh.c (SSH_AGENT_RSA_SHA2_256): New.
  (SSH_AGENT_RSA_SHA2_512): New.
  (ssh_handler_sign_request): Override SPEC when FLAGS is specified.
  --
  GnuPG-bug-id: 3880
  Reported-by: Daniel Kahn Gillmor <[email protected]>
  Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Add new OpenPGP card vendor. | Werner Koch | 2018-04-05 | 1 | -0/+1
  --
  Signed-off-by: Werner Koch <[email protected]>
* g10: Let card-edit/key-attr show message when change. | NIIBE Yutaka | 2018-04-05 | 1 | -8/+14
  * g10/card-util.c (ask_card_rsa_keysize): Don't show message here.
  (ask_card_keyattr): Show message when change, also for ECC.
  Signed-off-by: NIIBE Yutaka <[email protected]>
* tests: Fix no gpg-agent upon removal of GNUPGHOME. | NIIBE Yutaka | 2018-04-04 | 7 | -13/+28
  * tests/gpgscm/gnupg.scm (with-ephemeral-home-directory): Add teadown-fn.
  * tests/gpgsm/export.scm: Use -no-atexit version and stop-agent.
  * tests/openpgp/decrypt-session-key.scm: Likewise.
  * tests/openpgp/decrypt-unwrap-verify.scm: Likewise.
  * tests/openpgp/defs.scm (have-opt-always-trust): Likewise.
  (setup-environment-no-atexit): New.
  (start-agent): Support no use of atexit.
  * tests/gpgsm/gpgsm-defs.scm (setup-gpgsm-environment-no-atexit): New.
  * tests/migrations/common.scm (untar-armored): Follow the change of with-ephemeral-home-directory.
  --
  When gpg-agent detects homedir removal, it will automatically exit. Then, call of 'gpgconf --kill all' will fail. So, stop-agent should be called before the removal of homedir.
  Signed-off-by: NIIBE Yutaka <[email protected]>
* scd: Writing KDF resets auth state. | NIIBE Yutaka | 2018-04-03 | 1 | -1/+7
  * scd/app-openpgp.c (do_setattr): Clear auth state.
  Signed-off-by: NIIBE Yutaka <[email protected]>
* g10: Fix filtering by PK->REQ_USAGE. | NIIBE Yutaka | 2018-04-02 | 1 | -0/+2
  * g10/getkey.c (get_pubkey_byfprint): Filter by PK->REQ_USAGE.
  --
  GnuPG-bug-id: 3844
  Signed-off-by: NIIBE Yutaka <[email protected]>
* po: Update Japanese translation. | NIIBE Yutaka | 2018-03-30 | 1 | -39/+73
  --
  Signed-off-by: NIIBE Yutaka <[email protected]>
* g10: Fix card-edit/kdf-setup for single salt. | NIIBE Yutaka | 2018-03-30 | 1 | -1/+3
  * g10/card-util.c (gen_kdf_data): Use SALT_USER.
  Signed-off-by: NIIBE Yutaka <[email protected]>
* g10,scd: Support single salt for KDF data object. | NIIBE Yutaka | 2018-03-30 | 2 | -23/+54
  * g10/card-util.c (gen_kdf_data): Support single salt.
  (kdf_setup): Can have argument for single salt.
  * scd/app-openpgp.c (pin2hash_if_kdf): Support single salt.
  --
  Gnuk has "admin-less" mode. To support "admin-less" mode with KDF feature, salt should be same for user and admin. Thus, I introduce a valid use of single salt.
  Signed-off-by: NIIBE Yutaka <[email protected]>