Commit log.  Each entry gives the subject line with author, date, number of files changed and lines removed/added, followed by the commit message.
...
* wkd: Silence gpg-wks-client diagnostics from gpg.  (Werner Koch, 2022-10-07; 2 files, -13/+13)

  * tools/gpg-wks-client.c (add_user_id): Pass --quiet to gpg unless we
    are running in double verbose mode.
  (decrypt_stream): Ditto.
  (encrypt_response): Ditto.
  (mirror_one_keys_userid): Ditto.
  * tools/wks-util.c (wks_get_key): Ditto.
  (wks_list_key): Ditto.
  (wks_filter_uid): Ditto.

  (cherry picked from commit 4364283f757fceab454d48d461a9f88c31247a07)
* wkd: New command --mirror for gpg-wks-client.  (Werner Koch, 2022-10-07; 5 files, -30/+306)

  * tools/gpg-wks-client.c (aMirror,oBlacklist,oNoAutostart): New.
  (opts): Add --mirror, --no-autostart, and --blacklist.
  (parse_arguments): Parse new options.
  (main): Implement aMirror.
  (mirror_one_key_parm): New.
  (mirror_one_keys_userid, mirror_one_key): New.
  (command_mirror): New.
  * tools/gpg-wks.h (struct uidinfo_list_s): Add field flags.
  * tools/wks-util.c (wks_cmd_install_key): Factor some code out to ...
  (wks_install_key_core): new.
  * tools/call-dirmngr.c (wkd_dirmngr_ks_get): New.
  --
  This implements the basic LDAP to WKD mirroring.  The blacklist option
  and domain restrictions are not yet fully implemented.

  Take care: In OpenLDAP you may need to increase the paged result limit
  by using a configuration like:

    dn: olcDatabase={1}mdb,cn=config
    changetype: modify
    replace: olcLimits
    olcLimits: dn.subtree="dc=example,dc=org" size.prtotal=unlimited

  GnuPG-bug-id: 6224
  Backported-from-master: 7ccd489aa2e5c5ef6c4554c9f04dd74394b43409
* common: Protect against a theoretical integer overflow in tlv.c  (Werner Koch, 2022-10-07; 1 file, -0/+5)

  * common/tlv.c (parse_ber_header): Protect against integer overflow.
  --
  Although there is no concrete case where we use the (nhdr + length),
  it is better to protect against this already here.
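As an added illustration of the guard this commit describes (example code written for this page, not GnuPG's common/tlv.c; the function names, status codes and sample inputs are all assumptions constructed here), the parser below reads one BER tag/length header and refuses it when the sum (nhdr + length) would wrap around size_t, which is exactly the value a later "does the element fit in the buffer" comparison would otherwise trust.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes of this illustrative parser (assumed names, not GnuPG's). */
enum {
  BER_OK = 0,
  BER_ERR_TRUNCATED,   /* header runs past the end of the buffer */
  BER_ERR_BAD_LENGTH,  /* more length octets than size_t can hold */
  BER_ERR_OVERFLOW     /* nhdr + length (or the tag number) would wrap */
};

/* Parse one BER tag/length header from BUF (BUFLEN bytes).  On success
   fill *TAG, *CONSTRUCTED, *LENGTH (content octets; 0 for the indefinite
   form, flagged in *INDEFINITE) and *NHDR (number of header octets). */
int ber_parse_header(const unsigned char *buf, size_t buflen,
                     unsigned int *tag, int *constructed,
                     size_t *length, size_t *nhdr, int *indefinite)
{
  size_t n = 0;
  unsigned int t;

  if (buflen < 2)
    return BER_ERR_TRUNCATED;          /* need at least tag + length octet */
  *constructed = (buf[n] & 0x20) != 0;
  t = buf[n++] & 0x1f;
  if (t == 0x1f) {                     /* high-tag-number form, base 128 */
    t = 0;
    do {
      if (n >= buflen)
        return BER_ERR_TRUNCATED;
      if (t > (UINT_MAX >> 7))
        return BER_ERR_OVERFLOW;       /* the tag number itself would wrap */
      t = (t << 7) | (buf[n] & 0x7f);
    } while (buf[n++] & 0x80);
  }
  *tag = t;

  if (n >= buflen)
    return BER_ERR_TRUNCATED;
  *indefinite = 0;
  if (buf[n] == 0x80) {                /* indefinite length */
    *indefinite = 1;
    *length = 0;
    n++;
  } else if (buf[n] & 0x80) {          /* long definite form */
    size_t count = buf[n++] & 0x7f, len = 0;
    if (count > sizeof(size_t))
      return BER_ERR_BAD_LENGTH;
    while (count--) {
      if (n >= buflen)
        return BER_ERR_TRUNCATED;
      len = (len << 8) | buf[n++];
    }
    *length = len;
  } else {
    *length = buf[n++];                /* short form */
  }
  *nhdr = n;

  /* The guard this commit is about: with a length near SIZE_MAX the sum
     (nhdr + length) wraps to a small value and would pass any later
     "does it fit in the buffer" comparison.  Reject it here instead. */
  if (*length > SIZE_MAX - *nhdr)
    return BER_ERR_OVERFLOW;
  return BER_OK;
}

/* Total size (header + content) of the definite-length element at BUF, or
   0 if the header is bad, the sum would wrap, or it exceeds BUFLEN. */
size_t ber_element_size(const unsigned char *buf, size_t buflen)
{
  unsigned int tag; int cons, indef; size_t len, nhdr;
  if (ber_parse_header(buf, buflen, &tag, &cons, &len, &nhdr, &indef))
    return 0;
  if (indef || len > buflen - nhdr)    /* nhdr <= buflen holds after parsing */
    return 0;
  return nhdr + len;
}

/* Constructed test input: an OCTET STRING header whose length field is
   sizeof(size_t) octets of 0xff, i.e. SIZE_MAX.  OUT needs
   2 + sizeof(size_t) bytes; returns the number written. */
size_t ber_wrapping_sample(unsigned char *out)
{
  out[0] = 0x04;
  out[1] = 0x80 | (unsigned char) sizeof(size_t);
  memset(out + 2, 0xff, sizeof(size_t));
  return 2 + sizeof(size_t);
}

int main(void)
{
  static const unsigned char seq[] = { 0x30, 0x03, 0x02, 0x01, 0x05 }; /* constructed: SEQUENCE { INTEGER 5 } */
  unsigned char big[2 + sizeof(size_t)];
  unsigned int tag; int cons, indef; size_t len, nhdr;
  size_t n = ber_wrapping_sample(big);

  printf("SEQUENCE sample: element size %zu\n", ber_element_size(seq, sizeof seq));
  printf("wrapping sample: status %d (3 = BER_ERR_OVERFLOW)\n",
         ber_parse_header(big, n, &tag, &cons, &len, &nhdr, &indef));
  return 0;
}
```

The check is placed in the header parser rather than at the call sites because every consumer of nhdr and length would otherwise have to repeat it; the ber_element_size helper shows the second check that is still needed afterwards, namely that the element really fits in the data actually available.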
* dirmngr: Support paged LDAP mode for KS_GET  (Werner Koch, 2022-10-07; 3 files, -37/+215)

  * dirmngr/ks-engine-ldap.c (PAGE_SIZE): New.
  (struct ks_engine_ldap_local_s): Add several new fields.
  (ks_ldap_clear_state): Release them.
  (search_and_parse): Factored out from ks_ldap_get and extended to
    support the paged mode.
  (ks_ldap_get): Implement the paged mode for --first and --next.
  * dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first
    mode.
  * dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS.
  --
  The paged mode allows retrieving more items than the servers usually
  limit (e.g. 1000 for an LDS).  This patch also allows using --first
  without a pattern to retrieve all keyblocks (except for disabled and
  revoked keys).

  GnuPG-bug-id: 6224
  Backported-from-master: 7a01e806eac4cd7a65eaf3e17dcd2f117ec2d327
* dirmngr: New options --first and --next for KS_GET.  (Werner Koch, 2022-10-07; 6 files, -132/+344)

  * dirmngr/server.c (cmd_ks_get): Add option --first and --next.
  (start_command_handler): Free that new ldap state.
  * dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New.
  (ks_ldap_new_state, ks_ldap_clear_state): New.
  (ks_ldap_free_state): New.
  (return_one_keyblock): New.  Mostly factored out from ....
  (ks_ldap_get): here.  Implement --first/--next feature.
  * dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to
    ks_get_flags.
  * dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New.
  (KS_GET_FLAG_FIRST): New.
  (KS_GET_FLAG_NEXT): New.
  * dirmngr/dirmngr.h (struct server_control_s): Add member ks_get_state.
  (struct ks_engine_ldap_local_s): New forward reference.
  --
  This feature allows fetching keyblock by keyblock from an LDAP server.
  This way tools can process and maybe filter each keyblock in a more
  flexible way.  Here is an example where two keyblocks for one mail
  address are returned:

    $ gpg-connect-agent --dirmngr
    > ks_get --ldap --first <[email protected]>
    [... First keyblock is returned ]
    OK
    > ks_get --next
    [ ... Next keyblock is returned ]
    OK
    > ks_get --next
    ERR 167772218 No data <Dirmngr>

  GnuPG-bug-id: 6224
  Backported-from-master: 4de98d4468f37bfb8352426830d5d5642ded7536
* gpg: Show just keyserver and port with --send-keys.  (Werner Koch, 2022-10-07; 1 file, -0/+25)

  * g10/call-dirmngr.c (ks_status_cb): Mangle the keyserver url.
* dirmngr: Minor fix for baseDN fallback.  (Werner Koch, 2022-10-07; 1 file, -37/+20)

  * dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data
    behind the EOS.
  (interrogate_ldap_dn): Stylistic change.
  --
  This also updates the my_ldap_connect description.

  GnuPG-bug-id: 6047
  (cherry picked from commit 11aa5a93a754fe978d0f35d7fbeb4767b6b6df05)
* dirmngr: Fix the function prototype.  (NIIBE Yutaka, 2022-10-07; 1 file, -1/+1)

  * dirmngr/ldap-wrapper.c (ldap_wrapper_wait_connections): It's with no
    arguments.
  --
  Signed-off-by: NIIBE Yutaka <[email protected]>
  (cherry picked from commit 530d709607e54465ce47c1fc7d2554ea3b0bea6b)
* dirmngr: Change interrogate_ldap_dn for better memory semantics.  (NIIBE Yutaka, 2022-10-07; 1 file, -28/+12)

  * dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): Return BASEDN found,
    memory allocated.
  (my_ldap_connect): Follow the change, removing needless allocation.
  --
  GnuPG-bug-id: 6047
  Signed-off-by: NIIBE Yutaka <[email protected]>
  (cherry picked from commit 4b2066afb4988c32a030330acf51b7b0dc190041)
* dirmngr: Interrogate LDAP server when base DN specified.  (Joey Berkovitz, 2022-10-07; 1 file, -7/+26)

  * dirmngr/ks-engine-ldap.c (my_ldap_connect): Interrogate LDAP server
    when basedn specified.
  --
  GnuPG-bug-id: 6047
  Signed-off-by: Joey Berkovitz <[email protected]>
  (cherry picked from commit 3257385378bb3f19ebf089538f0efe2154487989)
* dirmngr: Support gpgMailbox for mode MAILSUB and MAILEND.  (Werner Koch, 2022-10-07; 1 file, -2/+8)

  * dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Use gpgMailbox if
    server supports this.
* dirmngr: Factor out interrogate_ldap_dn function.  (Werner Koch, 2022-10-07; 1 file, -66/+71)

  * dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New.
  --
  GnuPG-bug-id: 6047
  Signed-off-by: NIIBE Yutaka <[email protected]>
  Backported-from-master: 993820c315216584e23d36299920007abfeb3a32
* po: Fix wrong LF in the German translation  (Werner Koch, 2022-10-07; 1 file, -6/+3)

  --
  Reported-by: [email protected]

  Also fix one typo.
* gpg: Avoid emitting a compliance mode line if libgcrypt is non-compliant.  (Werner Koch, 2022-09-29; 1 file, -2/+7)

  * g10/encrypt.c (check_encryption_compliance): Check gcrypt compliance
    before emitting an ENCRYPTION_COMPLIANCE_MODE status.
  --
  GnuPG-bug-id: 6221
* doc: Typo fix in a comment.  (Werner Koch, 2022-09-28; 1 file, -1/+1)
* dirmngr: Fix lost flags during LDAP upload  (Werner Koch, 2022-09-28; 2 files, -36/+39)

  * dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const.
    Use strtokenize instead of strtok style parsing.
  --
  This fixes a problem which resulted in a General Error for the second
  key to be uploaded in the same session.  But only if the colon format
  to specify a keyserver with flags was used.
* dirmngr: New server flag "areconly" (A-record-only)  (Werner Koch, 2022-09-28; 6 files, -3/+51)

  * dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
  * dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly".
  * dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
  * dirmngr/dirmngr_ldap.c: Add option --areconly.
  (connect_ldap): Implement option.
  * dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.
  --
  This flag is used to pass the Windows specific option
  LDAP_OPT_AREC_EXCLUSIVE.  It is ignored on other systems.

  Signed-off-by: Werner Koch <[email protected]>
* gpg: Don't consider unknown keys as non-compliant while decrypting.  (Werner Koch, 2022-09-22; 1 file, -4/+4)

  * g10/mainproc.c (proc_encrypted): Change compliance logic.
  --
  For the description of the problem see
  https://dev.gnupg.org/T6205#163306

  GnuPG-bug-id: 6205
* dirmngr: Fix CRL DP error fallback to other schemes.  (Werner Koch, 2022-09-16; 1 file, -28/+12)

  * dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
    Remove the unused issuername_uri stuff.
  --
  It is quite common that LDAP servers are blocked and thus the HTTP
  access point should be used instead.  This worked well for
  certificates where the DPs are given in this form:

    crlDP: ldap://x500.bund.de/[...]
           http://x500.bund.de/[...]
    issuer: none

  but it failed for this form

    crlDP: ldap://x500.bund.de/[...]
    issuer: none
    crlDP: http://x500.bund.de/[...]
    issuer: none

  because the LAST_ERR thing terminated the outer loop.  This patch
  fixes this and also cleans up the code to be more robust.

  Note that the common workaround of using --ignore-ldap-dp will now
  only be needed if the firewall uses packet dropping instead of proper
  ICMP rejects.
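To make the loop problem described above concrete, here is an added example (written for this page, not dirmngr's crlcache.c). The function, type and sample names are assumptions; the "stop on error" variant is a reconstruction of the loop shape the message describes, not the old dirmngr code itself. fetch_ldap_blocked stands in for a firewall that rejects ldap:// and serves http://, and the two constructed distribution-point layouts mirror the two crlDP forms quoted in the message: one DP carrying both URIs, and two DPs carrying one URI each.

```c
#include <stdio.h>
#include <string.h>

#define MAX_URIS 4

/* One CRL distribution point with its access URIs, in the order given
   in the certificate.  (Illustrative type, not dirmngr's.) */
struct crl_dp {
  const char *uris[MAX_URIS];
  int n_uris;
};

/* A fetcher returns 0 on success or a nonzero error code.  Hypothetical
   signature; a real loader would download and parse the CRL. */
typedef int (*fetch_fn)(const char *uri);

/* Simulated network: a firewall rejects LDAP, HTTP works. */
int fetch_ldap_blocked(const char *uri)
{
  if (!strncmp(uri, "ldap://", 7))
    return 111;                        /* pretend: connection refused */
  if (!strncmp(uri, "http://", 7))
    return 0;
  return 95;                           /* unsupported scheme */
}

/* The loop shape the commit message calls broken: an error from one DP
   leaves last_err set, so the outer loop condition stops before the next
   DP is ever tried.  Works when both URIs sit in the same DP, fails when
   they are split across two DPs. */
int fetch_crl_stop_on_error(const struct crl_dp *dps, int n_dps,
                            fetch_fn fetch, const char **used)
{
  int last_err = 0;
  int i, j;

  for (i = 0; i < n_dps && !last_err; i++)
    for (j = 0; j < dps[i].n_uris; j++) {
      last_err = fetch(dps[i].uris[j]);
      if (!last_err) {
        if (used) *used = dps[i].uris[j];
        return 0;
      }
    }
  return last_err;
}

/* Corrected shape: every URI of every DP is attempted, and the last
   error is only reported once all of them have failed. */
int fetch_crl_with_fallback(const struct crl_dp *dps, int n_dps,
                            fetch_fn fetch, const char **used)
{
  int last_err = 0;
  int i, j;

  for (i = 0; i < n_dps; i++)
    for (j = 0; j < dps[i].n_uris; j++) {
      int err = fetch(dps[i].uris[j]);
      if (!err) {
        if (used) *used = dps[i].uris[j];
        return 0;
      }
      last_err = err;                  /* remember, but keep going */
    }
  return last_err ? last_err : 2;      /* 2: no DP/URI was available at all */
}

/* Constructed sample data (hostnames invented) mirroring the two
   certificate layouts from the commit message. */
static const struct crl_dp sample_one_dp[1] = {
  { { "ldap://ldap.example.org/cn=crl", "http://crl.example.org/ca.crl" }, 2 }
};
static const struct crl_dp sample_two_dps[2] = {
  { { "ldap://ldap.example.org/cn=crl" }, 1 },
  { { "http://crl.example.org/ca.crl" }, 1 }
};

int main(void)
{
  const char *used = "(none)";
  int err;

  err = fetch_crl_stop_on_error(sample_two_dps, 2, fetch_ldap_blocked, &used);
  printf("stop-on-error, two DPs : err=%d used=%s\n", err, used);
  err = fetch_crl_with_fallback(sample_two_dps, 2, fetch_ldap_blocked, &used);
  printf("with fallback, two DPs : err=%d used=%s\n", err, used);
  return 0;
}
```

The practical consequence spelled out at the end of the message also follows from the loop: with the corrected fallback an ICMP reject makes the ldap:// attempt fail fast and the http:// URI is tried next, whereas a silently dropping firewall still stalls on the LDAP connect timeout, which is when --ignore-ldap-dp remains useful.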
* build: Update gpg-error.m4.  (NIIBE Yutaka, 2022-09-15; 1 file, -1/+2)

  * m4/gpg-error.m4: Update from libgpg-error.
  --
  Signed-off-by: NIIBE Yutaka <[email protected]>
* Post release updates  (Werner Koch, 2022-09-02; 2 files, -1/+7)
* Release 2.2.39  [tag gnupg-2.2.39]  (Werner Koch, 2022-09-02; 1 file, -1/+4)
* speedo: Authenticode sign two more tools.  (Werner Koch, 2022-09-02; 1 file, -0/+2)
* common: Make nvc_lookup more robust.  (Werner Koch, 2022-09-01; 1 file, -1/+12)

  * common/name-value.c (nvc_first): Allow for NULL arg.
  (nvc_lookup): Allow for PK being NULL.
  --
  GnuPG-bug-id: 6176
* Post release updates  (Werner Koch, 2022-09-01; 27 files, -670/+653)
* Release 2.2.38  [tag gnupg-2.2.38]  (Werner Koch, 2022-09-01; 1 file, -1/+10)
* po: Update Japanese Translation.  (NIIBE Yutaka, 2022-09-01; 1 file, -7/+6)

  --
  Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: New option --debug-cache-expired-certs.  (Werner Koch, 2022-08-31; 3 files, -3/+14)

  * dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs.
  * dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
  (opts): Add option.
  (parse_rereadable_options): Set option.
  * dirmngr/certcache.c (put_cert): Handle the option.
* gpg: Add descriptions for --auto-key-import and --include-key-import  (Werner Koch, 2022-08-31; 2 files, -27/+28)

  --
  Actually we once had them but they got lost at some point.  The German
  translation is also up-to-date now.
* common,w32: Fix an encoding problem of the printed timezone.  (Werner Koch, 2022-08-31; 1 file, -1/+40)

  * common/gettime.c (w32_strftime) [W32]: New function.
  (strftime) [W32]: New redefinition macro.
  --
  GnuPG-bug-id: 5073
* gpg: Emit STATUS_FAILURE for --require-compliance errors  (Werner Koch, 2022-08-31; 3 files, -10/+9)

  * g10/misc.c (compliance_failure): Do not fallback to CO_GNUPG.
    Print compliance failure error and status for CO_DE_VS.
  * g10/mainproc.c (proc_encrypted): Call compliance_failure in the
    require-compliance error case.
  * g10/encrypt.c (check_encryption_compliance): Ditto.
* scd: Add npth_unprotect/npth_protect for blocking operations.  (NIIBE Yutaka, 2022-08-31; 1 file, -0/+20)

  * scd/ccid-driver.c (ccid_open_usb_reader): Name the thread.
  (ccid_vendor_specific_setup, ccid_open_usb_reader): Wrap blocking
    operations by npth_unprotect/npth_protect.
  --
  Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Reject certificate which is not valid into cache.  (NIIBE Yutaka, 2022-08-31; 1 file, -0/+14)

  * dirmngr/certcache.c (put_cert): When PERMANENT, reject the
    certificate which is obviously invalid.
  --
  With this change, invalid certificates from system won't be registered
  into cache.  Then, an intermediate certificate which is issued by an
  entity certified by such an invalid certificate will be also rejected
  with GPG_ERR_INV_CERT_OBJ.

  With fewer invalid certificates in cache, it helps the
  validate_cert_chain function work better.

  GnuPG-bug-id: 6142
  Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Fix assertion failure due to errors in encrypt_filter.  (Werner Koch, 2022-08-31; 3 files, -6/+9)

  * common/iobuf.c (iobuf_copy): Use log_assert.  Explicitly cast error
    return value.
  * g10/build-packet.c (do_plaintext): Check for iobuf_copy error.
  * g10/encrypt.c (encrypt_filter): Immediately set header_okay.
  --
  Fixes-commit: 8066f8a3470f9d2f3682a28641a7b09eca29a105
  which caused the assertion failure on error.  The second fix avoids
  repeated error message about non-compliant keys.

  GnuPG-bug-id: 6174
* gpg: Make --require-compliance work for -se  (Werner Koch, 2022-08-30; 1 file, -140/+146)

  * g10/encrypt.c (encrypt_crypt, encrypt_filter): Factor common code
    out to ...
  (create_dek_with_warnings): new
  (check_encryption_compliance): and new.
  * g10/encrypt.c (encrypt_filter): Add the compliance check.
  --
  GnuPG-bug-id: 6174
* gpg: Rename a function.  (Werner Koch, 2022-08-29; 5 files, -9/+10)

  * g10/cipher.c (cipher_filter): Rename to cipher_file_cfb.
* gpg: Very minor cleanup in decrypt_data.  (Werner Koch, 2022-08-29; 1 file, -3/+6)

  * g10/decrypt-data.c (decrypt_data): Show also the aead algo with
    --show-session-key.  Remove meanwhile superfluous NULL-ptr test.
* g10/decrypt-data: disable output estream buffering to reduce overhead  (Jussi Kivilinna, 2022-08-29; 1 file, -0/+2)

  * g10/decrypt-data.c (decrypt_data): Disable estream buffering for
    output file.
  --
  Here estream is filled with iobuf_copy which already uses large buffers
  so additional buffering in estream was just adding memory copy overhead.

  GnuPG-bug-id: T5828
  Signed-off-by: Jussi Kivilinna <[email protected]>
* Post release updates  (Werner Koch, 2022-08-24; 2 files, -1/+8)
* Release 2.2.37  [tag gnupg-2.2.37]  (Werner Koch, 2022-08-24; 1 file, -1/+3)
* gpgsm: New option --compatibility-flags.  (Werner Koch, 2022-08-19; 7 files, -9/+164)

  * sm/gpgsm.c (oCompatibilityFlags): New option.
  (compatibility_flags): new.
  (main): Parse and print them in verbose mode.
  * sm/gpgsm.h (opt): Add field compat_flags.
  (COMPAT_ALLOW_KA_TO_ENCR): New.
  * sm/keylist.c (print_capabilities): Take care of the new flag.
  * sm/certlist.c (cert_usage_p): Ditto.
  * common/miscellaneous.c (parse_compatibility_flags): New.
  * common/util.h (struct compatibility_flags_s): New.
  --
  Backported-from-master: f0b373cec93bb01f02b9c0a3ab1f3e242b381c3f
  Backported-from-master: ce63eaa4f8f3f41aafcaddd8d658dacd522334a8
* gpgconf: Make --auto-key-import and --include-key-block visible again.  (Werner Koch, 2022-08-17; 2 files, -0/+7)

  * tools/gpgconf-comp.c: Add options.
  --
  Fixes-commit: 7a3a1ef3707194e1086c452d005319c519905d3e
  GnuPG-bug-id: 6138
* agent: Fix bug introduced earlier today.  (Werner Koch, 2022-08-16; 1 file, -1/+1)

  * agent/findkey.c (agent_write_private_key): Fix condition.
  --
  Fixes-commit: 755920d4335730fbf25e24342dc9c8a8a772dac3
* doc: Prepare NEWS  (Werner Koch, 2022-08-16; 1 file, -0/+43)
* gpg: Fix "generate" command in --card-edit.  (Werner Koch, 2022-08-16; 2 files, -1/+10)

  * g10/card-util.c (get_info_for_key_operation): Get the APPTYPE before
    testing for it.
  * g10/card-util.c (current_card_status): Always try to update the
    shadow keys.
  * g10/call-agent.c (agent_scd_getattr): Handle $AUTHKEYID.
  --
  The first part fixed a regression introduced today.
  GnuPG-bug-id: 5100

  The second part is usually not required because our ssh-agent code
  anyway looks for the OpenPGP.3 key.  However, this helps to put the
  Display S/N into the shadow key so that we get a better prompt to
  insert the card.
* gpg: Update shadow-keys with --card-status also for non-openpgp cards.  (Werner Koch, 2022-08-16; 4 files, -2/+32)

  * agent/command.c (cmd_readkey): Also allow for $AUTHKEYID in card mode.
  * g10/call-agent.c (agent_update_shadow_keys): new.
  * g10/card-util.c (current_card_status): Call it.
* agent: Let READKEY update the display-s/n of the Token entry.  (Werner Koch, 2022-08-16; 5 files, -64/+174)

  * agent/findkey.c (agent_write_private_key): Factor file name
    generation out to ...
  (fname_from_keygrip): new.
  (write_extended_private_key): Add and implement new arg MAYBE_UPDATE.
  (agent_write_shadow_key): Ditto.
  * agent/command.c (cmd_readkey): Update the shadow-key in card mode.
  --
  GnuPG-bug-id: 6135
* gpg: Fix --card-status to handle lowercase APPTYPEs  (Werner Koch, 2022-08-16; 1 file, -6/+6)

  * g10/card-util.c (current_card_status): Use ascii_strcasecmp.
* gpg: Fix detecting OpenPGP card by serialno.  (NIIBE Yutaka, 2022-08-16; 1 file, -4/+5)

  * g10/card-util.c (get_info_for_key_operation): Use ->apptype to
    determine card's APP.
  (current_card_status): Even if its SERIALNO is not like OpenPGP card,
    it's OpenPGP card when app says so.
  --
  GnuPG-bug-id: 5100
  Signed-off-by: NIIBE Yutaka <[email protected]>
  Backported-from-master: 157f1de64e437cecd75335e9f4077ba9835e3da0
* common: In private key mode write "Key:" always last in name-value.  (Werner Koch, 2022-08-16; 1 file, -13/+40)

  * common/name-value.c (nvc_write): Take care of Key.  Factor some code
    out to ...
  (write_one_entry): new.
  --
  The key item is in general not manually editable thus we put it at the
  end of a file.

  Signed-off-by: Werner Koch <[email protected]>
  (cherry picked from commit c9fa28bfad297b17e76341ffb40383ce92da5d44)