| Commit message | Author | Age | Files | Lines |
| |
* scd/app-nks.c (struct fid_cache_s): Add field 'algo'.
(keygripstr_from_pk_file): Add arg 'r_algo' to return the algo.
(find_fid_by_keyref): Ditto.
(get_dispserialno): New.
(make_prompt): New.
(verify_pin): Provide better prompts.
(do_decipher): Support ECDH.
(parse_pwidstr): Add hack to specify any pwid.
(do_change_pin): Support Signature Card V2.0 (NKS15) style NullPIN.
Provide a better prompt.
--
GnuPG-bug-id: 4938, 6252
Signed-off-by: Werner Koch <[email protected]>
Backported-from-master: af45d884aa1c3eccbc6972a2e5197ece3fd1987a
| |
* scd/app-nks.c (struct fid_cache_s): New.
(struct app_local_s): Add field 'fid_cache'.
(do_deinit): Release the cache.
(keygripstr_from_pk_file): Implement the cache.
(find_fid_by_keyref): New.
(do_sign, do_decipher): Use new function.
(do_with_keygrip): New.
--
Signed-off-by: Werner Koch <[email protected]>
Backported-from-master: 1e72a1a218490c0fc07811a02ddad6cc38913f77
GnuPG-bug-id: 6252
| |
* scd/app-nks.c: Major rework to support non-RSA cards.
--
This is a first step to support this ECC card. The code has been
reworked while taking care that old cards should keep on working.
Signed-off-by: Werner Koch <[email protected]>
Backported-from-master: f05a32e5c9db7d0840c74fccc350a9e0ff5fb819
GnuPG-bug-id: 6252
| |
* g10/Makefile.am (t_keydb_LDADD): Add NETLIBS after GPG_ERROR_LIBS.
--
Fixes-commit: b26bb03ed96f380ad603f7ad902862625233c931
GnuPG-bug-id: 6244
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize.
--
Cherry-pick master commit of:
7011286ce6e1fb56c2989fdafbd11b931c489faa
GnuPG-bug-id: 6239
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* g10/Makefile.am (LDADD): Remove NETLIBS.
(gpg_LDADD, gpgv_LDADD): Add NETLIBS after GPG_ERROR_LIBS.
(gpgcompose_LDADD, t_keydb_get_keyblock_LDADD): Likewise.
(t_stutter_LDADD): Likewise.
--
GnuPG-bug-id: 6244
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* g10/export.c (do_export_one_keyblock): Report an error.
--
GnuPG-bug-id: 5151
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
--
Also switch speedo to use https instead of ftp for download.
| |
| |
--
| |
* g10/pkclist.c (select_algo_from_prefs): Change implicit cipher
algorithm.
--
Although 3DES is still a compliant algorithm, some other software does
not consider it as compliant but also does not set the preference
accordingly. Thus it is better to switch the implicit cipher algorithm,
similar to what we already did with SHA-1.
Note that in GnuPG 2.3 3DES is already no longer used here.
GnuPG-bug-id: 6063
| |
* sm/minip12.c (p12_parse): Set badpass flag to result in ctx.
--
Fixes-commit: 4c14bbf56fb544541bd65f9d6e6e0b81779dcab6
GnuPG-bug-id: 5713, 6037
(cherry picked from commit a47b3a4087349f3873eb04a83dc2a0f512cacf86)
| |
* tools/gpg-wks-client.c (blacklist_array, blacklist_array_len): New.
(parse_arguments): Install blacklist.
(read_file): New.
(cmp_blacklist, add_blacklist, is_in_blacklist): New.
(mirror_one_key): Check list.
* tools/gpg-wks.h (opt): Remove field blacklist.
--
GnuPG-bug-id: 6224
(cherry picked from commit b0b4e24c4fa80c10d310a229f5a0c65a57ad9393)
| |
* tools/gpg-wks-client.c (domain_matches_mbox): New.
(mirror_one_key): Skip non-matching domains.
(command_mirror): Change args to allow for several domains.
--
Although dirmngr returns only the keys matching a certain domain,
those keys still may have user ids from other domains. Now we publish
only the user-ids as specified on the command line.
GnuPG-bug-id: 6224
(cherry picked from commit 0a151548b623813d48516a4629b7c3884875a384)
| |
* tools/gpg-wks-client.c (add_user_id): Pass --quiet to gpg unless we
are running in double verbose mode.
(decrypt_stream): Ditto.
(encrypt_response): Ditto.
(mirror_one_keys_userid): Ditto.
* tools/wks-util.c (wks_get_key): Ditto.
(wks_list_key): Ditto.
(wks_filter_uid): Ditto.
(cherry picked from commit 4364283f757fceab454d48d461a9f88c31247a07)
| |
* tools/gpg-wks-client.c (aMirror,oBlacklist,oNoAutostart): New.
(opts): Add --mirror, --no-autostart, and --blacklist.
(parse_arguments): Parse new options.
(main): Implement aMirror.
(mirror_one_key_parm): New.
(mirror_one_keys_userid, mirror_one_key): New.
(command_mirror): New.
* tools/gpg-wks.h (struct uidinfo_list_s): Add fields flags.
* tools/wks-util.c (wks_cmd_install_key): Factor some code out to ...
(wks_install_key_core): new.
* tools/call-dirmngr.c (wkd_dirmngr_ks_get): New.
--
This implements the basic LDAP to WKD mirroring. The blacklist
option and domain restrictions are not yet fully implemented.
Take care: In OpenLDAP you may need to increase the paged result limit
by using a configuration like:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcLimits
olcLimits: dn.subtree="dc=example,dc=org" size.prtotal=unlimited
GnuPG-bug-id: 6224
Backported-from-master: 7ccd489aa2e5c5ef6c4554c9f04dd74394b43409
| |
* common/tlv.c (parse_ber_header): Protect against integer overflow.
--
Although there is no concrete case where we use the (nhdr + length),
it is better to protect against this already here.
| |
* dirmngr/ks-engine-ldap.c (PAGE_SIZE): New.
(struct ks_engine_ldap_local_s): Add several new fields.
(ks_ldap_clear_state): Release them.
(search_and_parse): Factored out from ks_ldap_get and extended to
support the paged mode.
(ks_ldap_get): Implement the paged mode for --first and --next.
* dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first
mode.
* dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS.
--
The paged mode allows retrieving more items than the servers usually
limit (e.g. 1000 for an LDS). This patch also allows using --first
without a pattern to retrieve all keyblocks (except for disabled and
revoked keys).
GnuPG-bug-id: 6224
Backported-from-master: 7a01e806eac4cd7a65eaf3e17dcd2f117ec2d327
| |
* dirmngr/server.c (cmd_ks_get): Add option --first and --next.
(start_command_handler): Free that new ldap state.
* dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New.
(ks_ldap_new_state, ks_ldap_clear_state): New.
(ks_ldap_free_state): New.
(return_one_keyblock): New. Mostly factored out from ....
(ks_ldap_get): here. Implement --first/--next feature.
* dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to
ks_get_flags.
* dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New.
(KS_GET_FLAG_FIRST): New.
(KS_GET_FLAG_NEXT): New.
* dirmngr/dirmngr.h (struct server_control_s): Add member
ks_get_state.
(struct ks_engine_ldap_local_s): New forward reference.
--
This feature allows fetching keyblock by keyblock from an LDAP server.
This way tools can process and maybe filter each keyblock in a more
flexible way. Here is an example where two keyblocks for one mail
address are returned:
$ gpg-connect-agent --dirmngr
> ks_get --ldap --first <[email protected]>
[... First keyblock is returned ]
OK
> ks_get --next
[ ... Next keyblock is returned ]
OK
> ks_get --next
ERR 167772218 No data <Dirmngr>
GnuPG-bug-id: 6224
Backported-from-master: 4de98d4468f37bfb8352426830d5d5642ded7536
| |
* g10/call-dirmngr.c (ks_status_cb): Mangle the keyserver url
| |
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data
behind the EOS.
(interrogate_ldap_dn): Stylistic change.
--
This also updates the my_ldap_connect description.
GnuPG-bug-id: 6047
(cherry picked from commit 11aa5a93a754fe978d0f35d7fbeb4767b6b6df05)
| |
* dirmngr/ldap-wrapper.c (ldap_wrapper_wait_connections): It's with
no arguments.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit 530d709607e54465ce47c1fc7d2554ea3b0bea6b)
| |
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): Return BASEDN found,
memory allocated.
(my_ldap_connect): Follow the change, removing needless allocation.
--
GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit 4b2066afb4988c32a030330acf51b7b0dc190041)
| |
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Interrogate the LDAP
server when basedn is specified.
--
GnuPG-bug-id: 6047
Signed-off-by: Joey Berkovitz <[email protected]>
(cherry picked from commit 3257385378bb3f19ebf089538f0efe2154487989)
| |
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Use gpgMailbox if
server supports this.
| |
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New.
--
GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <[email protected]>
Backported-from-master: 993820c315216584e23d36299920007abfeb3a32
| |
--
Reported-by: [email protected]
Also fix one typo
| |
* g10/encrypt.c (check_encryption_compliance): Check gcrypt compliance
before emitting an ENCRYPTION_COMPLIANCE_MODE status.
--
GnuPG-bug-id: 6221
| |
--
| |
* dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const.
Use strtokenize instead of strtok style parsing.
--
This fixes a problem which resulted in a General Error for the second
key to be uploaded in the same session, but only if the colon format
to specify a keyserver with flags was used.
| |
* dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly".
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
* dirmngr/dirmngr_ldap.c: Add option --areconly.
(connect_ldap): Implement option.
* dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.
--
This flag is used to pass the Windows specific option
LDAP_OPT_AREC_EXCLUSIVE. It is ignored on other systems.
Signed-off-by: Werner Koch <[email protected]>
| |
* g10/mainproc.c (proc_encrypted): Change compliance logic.
--
For the description of the problem see
https://dev.gnupg.org/T6205#163306
GnuPG-bug-id: 6205
| |
* dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
Remove the unused issuername_uri stuff.
--
It is quite common that LDAP servers are blocked and thus the HTTP
access point should be used instead. This worked well for
certificates where the DP are given in this form:
crlDP: ldap://x500.bund.de/[...]
http://x500.bund.de/[...]
issuer: none
but it failed for this form
crlDP: ldap://x500.bund.de/[...]
issuer: none
crlDP: http://x500.bund.de/[...]
issuer: none
because the LAST_ERR thing terminated the outer loop. This patch
fixes this and also cleans up the code to be more robust.
Note that the common workaround of using --ignore-ldap-dp will now
only be needed if the firewall uses packet dropping instead of proper
ICMP rejects.
| |
* m4/gpg-error.m4: Update from libgpg-error.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
--
| |
| |
--
| |
* common/name-value.c (nvc_first): Allow for NULL arg.
(nvc_lookup): Allow for PK being NULL.
--
GnuPG-bug-id: 6176
| |
--
| |
| |
--
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs.
* dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
(opts): Add option.
(parse_rereadable_options): Set option.
* dirmngr/certcache.c (put_cert): Handle the option.
| |
--
Actually we once had them but they got lost at some point. The German
translation is also up-to-date now.
| |
* common/gettime.c (w32_strftime) [W32]: New function.
(strftime) [W32]: New redefinition macro.
--
GnuPG-bug-id: 5073
| |
* g10/misc.c (compliance_failure): Do not fallback to CO_GNUPG. Print
compliance failure error and status for CO_DE_VS.
* g10/mainproc.c (proc_encrypted): Call compliance_failure in the
require-compliance error case.
* g10/encrypt.c (check_encryption_compliance): Ditto.
| |
* scd/ccid-driver.c (ccid_open_usb_reader): Name the thread.
(ccid_vendor_specific_setup, ccid_open_usb_reader): Wrap
blocking operations by npth_unprotect/npth_protect.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* dirmngr/certcache.c (put_cert): When PERMANENT, reject the
certificate which is obviously invalid.
--
With this change, invalid certificates from the system won't be registered
into the cache. Then, an intermediate certificate which is issued by an
entity certified by such an invalid certificate will also be rejected
with GPG_ERR_INV_CERT_OBJ. With fewer invalid certificates in the cache,
it helps the validate_cert_chain function work better.
GnuPG-bug-id: 6142
Signed-off-by: NIIBE Yutaka <[email protected]>
| |
* common/iobuf.c (iobuf_copy): Use log_assert. Explicitly cast error
return value.
* g10/build-packet.c (do_plaintext): Check for iobuf_copy error.
* g10/encrypt.c (encrypt_filter): Immediately set header_okay.
--
Fixes-commit: 8066f8a3470f9d2f3682a28641a7b09eca29a105
which caused the assertion failure on error.
The second fix avoids repeated error message about non-compliant keys.
GnuPG-bug-id: 6174
| |
* g10/encrypt.c (encrypt_crypt, encrypt_filter): Factor common code
out to ...
(create_dek_with_warnings): new
(check_encryption_compliance): and new.
* g10/encrypt.c (encrypt_filter): Add the compliance check.
--
GnuPG-bug-id: 6174
| |
* g10/cipher.c (cipher_filter): Rename to cipher_file_cfb.