| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/card-util.c (uif, cmdUIF): New.
(card_edit): Add call to uif by cmdUIF.
* scd/app-openpgp.c (do_getattr): Support UIF-1, UIF-2, and UIF-3.
(do_setattr): Likewise.
(do_learn_status): Learn UIF-1, UIF-2, and UIF-3.
--
GnuPG-bug-id: 4158
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit 0cb65564e022fface5ada4de8e0c2c4c3d0ac8ad)
Also included the relevant part from
commit 0240345728a84d8f235ce05889e83963e52742eb
Note that this patch is mainly to simplifying backporting and not to
support the UIF.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* scd/app-openpgp.c (struct app_local_s): Add new flag.
(get_cached_data): Force chace use if flag is set.
(app_select_openpgp): Avoid reading DO 6E multiple times.
--
The do not cache property of 6E was introduced so that we can change
for example key attributes without getting into with the cache.
However, for initial reading the cache makes a lot of sense and thus we
now use this hack to only temporary cache. A better strategy would be
to clear the cache when we change card data but that is more error
prone.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit d5fb5983232cf4d60cf6aa00d0ae5a16cf948e19)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* scd/iso7816.c (CMD_SELECT_DATA): New.
(iso7816_select_data): New.
* scd/app-openpgp.c (do_readcert): Allow OpenPGP.1 and OPENPGP.2
(do_writecert): Ditto.
(do_setattr): Add CERT-1 and CERT-2.
--
This has been tested with a Zeitcontrol 3.4 card. A test with a
Yubikey 5 (firmware 5.2.6) claiming to support 3.4 failed.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 37b1c5c2004c1147a13b388863aaa8f0caf7d71f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* scd/app-openpgp.c (do_change_pin): Allow prefixing the CHVNO with
"OPENPGP."
--
The generic keyref allows for better error detection in case a keyref
is send to a wrong card. This has been taken from master commit
3231ecdafd71ac47b734469b07170756979ede72 which has additional changed
for gpg-card-tool, which is only available there.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 6651a0640d0f1b4dd161210dc55974d9b93b7253)
|
| |
|
|
|
|
|
|
| |
* scd/app-openpgp.c (do_getattr): Support Gnuk, as well.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit 43bbc25b0f57dec24412886ff46041e0b1f3de26)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* scd/app-openpgp.c (verify_a_chv): Add currently unused arg ctrl.
Adjust callers.
(verify_chv3): Ditto.
(verify_chv2): Add arg ctrl. Adjust callers.
(change_keyattr): Ditto.
(change_rsa_keyattr): Ditto.
(change_keyattr_from_string): Ditto.
(rsa_writekey): Ditto.
(ecc_writekey): Ditto.
--
This helps in backporting from master.
|
| |
|
|
|
| |
* scd/app-openpgp.c: Remope assert.h. Replace all assert by
log_assert.
|
| |
|
|
|
|
|
|
|
|
|
| |
* scd/app-openpgp.c (count_sos_bits): New. Count as sos_write does.
(store_fpr): For ECC, use count_sos_bits.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit 95156ef9bfb6a3a525454d50ae2f5b538ccbd774)
and
(cherry picked from commit f482e4bd121ff2862bfb53a82f1d5c2cf3524a10)
|
| |
|
|
|
| |
* scd/app-openpgp.c (app_select_openpgp): Move AID definition to ...
(openpgp_aid): new.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* scd/app-openpgp.c (struct app_local_s): s/extcap_v3/is_v3/.
s/max_certlen_3/max_certlen. Change users.
--
The extcap_v3 flag is set if the version is 3 or later and as such
does not only declare that the v3 extcap layout is used. Make this
clear by renaming.
Likewise for max_certlen_3.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit bbdb48ec0ddd99ce23fcba42949c00a2594fb9a5)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* sm/minip12.c (oid_hmacWithSHA1): New. Also for the SHA-2 algos.
(digest_algo_from_oid): New.
(set_key_iv_pbes2): Add arg digest_algo.
(crypt_block): Ditto.
(decrypt_block): Ditto.
(parse_bag_encrypted_data): Parse the optional prf part and get the
hmac algorithm.
(parse_shrouded_key_bag): Ditto.
(p12_build): Pass SHA1 for digest_algo.
* sm/t-minip12.c (run_one_test): Print failed values in verbose mode.
* tests/samplekeys/nistp256-openssl-self-signed.p12: New.
* tests/samplekeys/Description-p12: Add this one.
* tests/Makefile.am (EXTRA_DIST): Ditto.
--
This supports the modern algorithms, i.e. using SHA256 for the KDF
which is the default in openssl unless the -legacy option is used.
GnuPG-bug-id: 6536
|
| |
|
|
|
|
|
|
|
|
| |
* common/iobuf.c (file_filter, sock_filter): Add missing mapping.
--
GnuPG-bug-id: 6528
(cherry picked from commit 5e94470d053ec93f79acb03635e67839a5a1e6a8)
Also includes commit a3be97df4ddfce008dcc6e877e9fb98c71656ec6
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* sm/minip12.c (need_octet_string_cramming): New.
(tlv_expect_object, tlv_expect_octet_string): Run the test before
cramming.
* sm/minip12.c (ENABLE_DER_STRUCT_DUMPING): New but undefined macro
for debug purposes.
(bag_decrypted_data_p, bag_data_p): Use macro to allow dumping.
--
This bug was exhibited by importing a gpgsm exported EC certificate.
We use an extra test instead of retrying to allow retruning an error
from malloc failure. And well, for easier reading of the code.
GnuPG-bug-id: 6536
(cherry picked from commit c1f78634ec3927ddcfdc4687bc6e408c658a0ece)
|
| |
|
|
| |
--
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* common/dotlock.c (next_wait_interval): New.
(dotlock_take_unix): Use new function.
(dotlock_take_w32): Ditto.
--
In particular when using a dotlock file for protecting the spawning
and several processes try to spawn the agent or another component, we
often run into long delays. The solution is to is to exponential
backoff and also to reduce the initial delay from 50ms to 4ms. We
further limit the maximum wait period to about 2 seconds and then
repeat at intervals of 512, 1024 and 2048ms. In the wait-forever case
we add a small random value to have different intervals per process.
GnuPG-bug-id: 3380
For testing this code snippet in the spawning function might be
useful:
const char *s;
if ((s=getenv("hold_gpg_file")))
while (!gnupg_access (s, F_OK))
gnupg_sleep (1);
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/http.c (enum auth_negotiate_states): New.
(struct proxy_info_s): Add new fields.
(release_proxy_info): Free Windows stuff.
(proxy_get_token): New. Implemented only for Windows for now.
(run_proxy_connect): Add support for auth method Negotiation.
(store_header): Keep some header lines separate.
--
The code does something but I have not yet been able to test it due
to problems setting up Squid with AD authentication. As of now it
will respond with a failure but that should not be worse than not to
implement Negotiation.
Supporting Negotiation using GSS for Unix should eventually also be
done.
GnuPG-bug-id: 6719
|
| |
|
|
|
|
|
| |
* dirmngr/http.c (send_request): Add arg 'skip'. Adjust all callers.
--
GnuPG-bug-id: 6719
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* common/b64dec.c (b64decode): New.
* common/t-b64.c: Change license to LGPL.
(oops): New macro.
(hex2buffer): New.
(test_b64decode): New.
(main): Default to run the new test.
* common/Makefile.am (module_maint_tests): Move t-b64 to ...
(module_tests): here.
--
Sometimes we have a short base64 encoded string we need todecode.
This function makes it simpler.
License change of the test module justified because I am the single
author of the code.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/http.c (cookie_s): Add fields pending, up_to_empty_line,
last_was_lf, and last_was_lfcr.
(http_context_s): Add field keep-alive.
(http_wait_response): Set up_to_empty_line. Take care of keep_alive
flag.
(coookie_read): Implement detection of empty lines.
(cookie_write): Free the pending buffer.
--
The problem we fix here is that we already buffered stuff beyond the
empty line which marks the start of the content-length counting. Thus
we tried to wait for more bytes despite that everything had already
been read. This bug might have showed up more often in the real world
since the we changed the BUFSIZ on Windows from 512 byte to 8k. It
also depends on the length of the headers and whether the server
closed the connection so that we ignored the Content-Length.
The bug was introduced earlier than 2010 and could have the effect
that a connection got stuck until the network layer timed out.
Note that the keep-alive parts of the patch are not yet used.
|
| |
|
|
|
|
|
|
| |
* common/stringhelp.c (gnupg_memstr): New.
* common/mbox-util.c (my_memstr): Remove.
(is_valid_mailbox_mem): Use gnupg_memstr.
* common/recsel.c (my_memstr): Remove.
(recsel_select): Use gnupg_memstr.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/http.c: Remove gnutls version specific code.
(send_request): Factor some code out to ...
(run_proxy_connect): new.
(mk_proxy_request): new.
(mk_std_request): new.
* configure.ac (NEED_GNUTLS_VERSION): Require 3.2.
--
This patch is to factor out some code and also to remove support for
legacy gnutls versions. Note that gnutls 3.2 was released 10 years
ago.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/call-agent.c (struct keyinfo_data_parm_s): Remove CARD_AVAILABLE
field.
(keyinfo_status_cb): Don't touch CARD_AVAILABLE field.
(agent_probe_secret_key); Don't check CARD_AVAILABLE field.
* g10/import.c (do_transfer): Check if it's card key or not.
--
In 2.2 branch, gpg-agent doesn't have a capability to report if card
is available or not by KEYINFO command. Thus, this clean up.
GnuPG-bug-id: 3456
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/call-agent.c (keyinfo_status_cb): Parse more fields.
(agent_probe_secret_key): Use KEYINFO and returns bigger value
representing the preference.
--
Backport the commit of:
8748c50bfaa8df2b1e59c301d15fd6b9ddbd9c47
GnuPG-bug-id: 3456
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
| |
* dirmngr/ks-engine-http.c (ks_http_fetch): Return better error codes.
* dirmngr/ks-engine-hkp.c (send_request): Ditto.
* dirmngr/t-http.c (main): New option --try-proxy.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* dirmngr/http.c [W32]: Include winhttp.h
(w32_get_internet_session): New.
(w32_get_proxy): New.
(get_proxy_for_url): Implement automatic proxy detection and fix error
in last patch.
(http_reinitialize): New.
* dirmngr/dirmngr.c (dirmngr_sighup_action): Call reinitialize.
* dirmngr/Makefile.am (NETLIBS) [W32]: Link with winhttp.
--
GnuPG-bug-id: 5768
|
| |
|
|
|
|
|
|
|
|
|
| |
* dirmngr/http.c (make_fp_write, make_fp_read): New.
(http_raw_connect): Use new functions.
(http_wait_response): Ditto.
(send_request): Ditto. Change proxy error diagnostic.
(connect_server): Improve error message for host not found.
--
GnuPG-bug-id: 5768
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac (NEED_NTBTLS_VERSION): Require at least 0.2.0 so that
we can remove a conditional compilation.
* dirmngr/http.c (struct proxy_info_s): New.
(release_proxy_info): New to keep proxy information in one object.
(send_request): Factor some code out to ...
(get_proxy_for_url): this,
(send_request_basic_checks): this,
(send_request_set_sni): this,
(run_ntbtls_handshake): this,
(run_gnutls_handshake): and this.
--
Note that this also removes some never used code. For example the
NTBTLS handshake has code taken from GNUTLS which was never used due
to the different ways on how the certificates are checked.
The proxy code has been factored out to make to prepare further
authentication methods. The proxy_info_t was introduced for the same
reason.
Tested against gnutls and ntbtls builds. No proxy tests yet done,
because we need more sophisticated tests anyway.
GnuPG-bug-id: 5768
|
| |
|
|
|
|
|
|
| |
* g10/gpg.c (main): Ignore --no-utf8-strings only on Windows.
--
Fixes-commit: b912f07cdf00043b97fca54e4113fab277726e03
Reported-by: Ingo Klöcker
|
| |
|
|
|
|
|
|
|
| |
* dirmngr/server.c (cmd_keyserver): Ignore also hkps://none.
(ensure_keyserver): Better ignore also "none" with a hkp or hpks
scheme.
--
GnuPG-bug-id: 6708
|
| |
|
|
|
|
|
|
|
|
| |
* build-aux/speedo/w32/inst.nsi: Convert to UTF-8. Add Unicode
statement.
* build-aux/speedo.mk (installer): Remove -INPUTCHARSET.
--
GnuPG-bug-id: 6448
(cherry picked from commit 7e1f36b2425e0ee041bd16b1ec51b8128329aab9)
|
| |
|
|
|
|
|
|
|
|
| |
* build-aux/speedo/w32/inst.nsi: Re-enable run-once check.
* build-aux/speedo/w32/exdll.c: New.
* build-aux/speedo.mk (g4wihelp.dll): Change build commands.
--
GnuPG-bug-id: 6448
(cherry picked from commit 7359665addda3d47768ed0d64cdb45a65ad2b03d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/gpg.c (oAddDesigRevoker): New.
(opts): Add new option.
* g10/options.h (opt): Add field desig_revokers.
* g10/keygen.c (get_parameter_idx): New.
(get_parameter): Make use of get_parameter_idx.
(prepare_desig_revoker): New.
(get_parameter_revkey): Add arg idx.
(proc_parameter_file): Add designated revokers.
(do_generate_keypair): Write all designated revokers.
--
(cherry picked from commit 3d094e2bcf6c9ed2cd405623f2dbc6131d04366f)
Support for v5 desig revokers has been removed. However, we should
check whether we can add a longer v4 desig revoker fingerprint in
addition to the regular v4 desig revoker.
|
| |
|
|
| |
--
|
| |
|
|
|
|
|
|
| |
* common/sysutils.c (gnupg_remove): Detect /dev/null.
--
GnuPG-bug-id: 6556
(cherry picked from commit 7f9e05d73f2ca1ecde1b7ba406d139a19d007998)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* agent/trustlist.c (struct trustitem_s): Add field de_vs.
(read_one_trustfile): Parse it.
(istrusted_internal): Emit TRUSTLISTFLAG status line.
* sm/gpgsm.h (struct rootca_flags_s): Add field de_vs.
* sm/call-agent.c (istrusted_status_cb): Detect the flags.
* sm/sign.c (write_detached_signature): Remove unused vars.
--
Right now this flag has no effect; we first need to specify the exact
behaviour.
GnuPG-bug-id: 5079
(cherry picked from commit a5360ae4c7bfe6df6754409d5bd5c5a521ae5e6f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* agent/trustlist.c (struct trustitem_s): Add flag "qual".
(read_one_trustfile): Rename arg "allow_include" to "systrust" and
change callers. Parse new flag "qual".
(istrusted_internal): Print all flags.
* sm/call-agent.c (istrusted_status_cb): Detect the "qual" flag.
* sm/gpgsm.h (struct rootca_flags_s): Add flag "qualified".
* sm/certchain.c (do_validate_chain): Take care of the qualified flag.
--
(cherry picked from commit 7c8c6060616ab91f5490e91a0fb9efc9aee9f58e)
|
| |
|
|
|
|
|
|
|
|
|
| |
* sm/sign.c: Include tlv.h.
(write_detached_signature): New,
(gpgsm_sign): Fixup binary detached signatures.
--
This helps some other software to verify detached signatures.
(cherry picked from commit 8996b0b655952fa6b5bb678a92d3106f72f80f2a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* common/ksba-io-support.c: Include tlv.h
(struct reader_cb_parm_s): Add new fields.
(starts_with_sequence): New.
(simple_reader_cb): Handle stripping.
* common/ksba-io-support.h (GNUPG_KSBA_IO_STRIP): New.
(gnupg_ksba_create_reader): Handle the new flag.
* sm/verify.c (gpgsm_verify): Use the new flag for detached
signatures.
--
Note that this works only if --assume-binary is given. The use case
for the feature is PDF signature checking where the PDF specs require
that the detached signature is padded with zeroes.
(cherry picked from commit 2a13f7f9dc75265ece649e30fecd3dc694b1240e)
|
| |
|
|
| |
--
|
| |
|
|
| |
--
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/trustdb.c (tdb_clear_ownertrusts): Detect stale validity
records.
--
GnuPG-bug-id: 6399
This problem was introduced by an actually very useful patch
2002-12-13 David Shaw <[email protected]>
[...]
* import.c (import_keys_internal): Used here so we don't rebuild
the trustdb if it is still clean.
(import_one, chk_self_sigs): Only mark trustdb dirty if the key
that is being imported has any sigs other than self-sigs.
Suggested by Adrian von Bidder.
[the last part]
The bug exhibited itself only after signing a key, deleting that key
and then re-importing the original non-signed key.
|
| |
|
|
|
|
|
|
| |
* dirmngr/server.c (ensure_keyserver): Detect special value "none"
(cmd_keyserver): Ignore "none" and "hkp://none".
--
GnuPG-bug-id: 6708
|
| |
|
|
|
|
|
|
|
|
|
| |
* dirmngr/server.c [USE_LDAP] (cmd_ad_query): Conditionalize.
--
Cherry-pick master commit of:
dc13361524c1477b2106c7385f2059f9ea111b84
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
| |
* configure.ac: Check sigdescr_np.
--
Fixes-commit: cdb053620a4ca4e3b97bf47e62f8935bcda460cb
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/import.c (do_transfer): Force the overridden key import
even when smartcard is available.
--
Cherry picked from 2.4 branch:
0ec10fbd0d4007997cec59da9a514797bc0531a8
Fixes-commit: 2c1297055041b4657ea1a927acac978c2b09a483
GnuPG-bug-id: 3456
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/import.c (do_transfer): Force importing when it's card
reference.
--
Cherry-picked from 2.4 branch:
2c1297055041b4657ea1a927acac978c2b09a483
GnuPG-bug-id: 3456
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/call-agent.c (agent_probe_secret_key): Change semantics of
return value.
* g10/call-agent.h (agent_probe_secret_key): Change comment.
* g10/delkey.c (do_delete_key): Follow the change.
* g10/getkey.c (get_seckey, parse_def_secret_key): Likewise.
(finish_lookup, have_secret_key_with_kid): Likewise.
* g10/gpgv.c (agent_probe_secret_key): Likewise.
* g10/keyedit.c (keyedit_menu, quick_find_keyblock): Likewise.
(show_key_with_all_names_colon): Likewise.
* g10/revoke.c (gen_desig_revoke, gen_revoke): Likewise
* g10/test-stubs.c (agent_probe_secret_key): Likewise.
--
Cherry picked from 2.4 branch of:
853d5b7677ea01f65c9bc5160cd8509b62f486f7
GnuPG-bug-id: 3416
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* sm/gpgsm.h (opt): Re-purpose unused flag always_trust.
(struct server_control_s): Add "always_trust".
(VALIDATE_FLAG_BYPASS): New.
* sm/gpgsm.c (oAlwaysTrust): New.
(opts): Add "--always-trust"
(main): Set option.
* sm/server.c (option_handler): Add option "always-trust".
(reset_notify): Clear that option.
(cmd_encrypt): Ditto.
(cmd_getinfo): Add sub-command always-trust.
* sm/certchain.c (gpgsm_validate_chain): Handle VALIDATE_FLAG_BYPASS.
* sm/certlist.c (gpgsm_add_to_certlist): Set that flag for recipients
in always-trust mode.
--
GnuPG-bug-id: 6559
|
| |
|
|
|
|
|
|
|
| |
* m4/libassuan.m4: Update from libassuan master.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit fa29c86582487880364b710fd9679c8e77c8dce6)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* configure.ac (GNUPG_FUNC_MKDIR_TAKES_ONE_ARG): Do not use.
* acinclude.m4 (GNUPG_FUNC_MKDIR_TAKES_ONE_ARG): Remove unused macro
defs.
(GNUPG_CHECK_FAQPROG): Ditto.
(GNUPG_CHECK_DOCBOOK_TO_TEXI): Ditto.
(GNUPG_CHECK_MLOCK): Ditto.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 6397cf5fbe3bbc1f616431b011f76e031a387d4c)
|
