aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* agent: Add option --pss to pksign to be used by smartcards.Werner Koch2020-08-105-8/+31
| | | | | | | | | | | | | | | * agent/command.c (cmd_sethash): Add option --pss and allow for --hash=null. * agent/agent.h (struct server_control_s): Add digest.is_pss and zero where needed. * agent/pksign.c (agent_pksign_do): Allow for PSS with cards. * scd/command.c (cmd_pksign): Add for --hash=none. -- This is not a full implementaion of PSS but allows scdaemon card drivers to detect already PSS formatted data. Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix trustdb for v5key.NIIBE Yutaka2020-08-074-31/+89
| | | | | | | | | | | | | | | | | | | | | | | * g10/keydb.h (fpr20_from_pk): New. * g10/keyid.c (fpr20_from_pk): New. * g10/tdbio.c (tdbio_search_trust_byfpr): Use fpr20_from_pk. * g10/trustdb.c (keyid_from_fpr20): New. (verify_own_keys): Use keyid_from_fpr20. (tdb_update_ownertrust): Use fpr20_from_pk. (update_min_ownertrust): Likewise. (update_validity): Likewise. -- For the compatibility of existing implementation, we keep the format of trustdb untouched. The format of trustdb uses 20-byte fingerprint for the trust record entry. To handle both of v4key (with 20-byte fingerprint) and v5 key (with 32-byte fingerprint), we introduce FPR20 fingerprint, internally. For v4key, FPR20 is as same as v4 fingerprint. For v5key, FPR20 is constructed from v5key fingerprint. GnuPG-bug-id: 5000 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Fix short key ID for v5key.NIIBE Yutaka2020-08-072-3/+8
| | | | | | | | | | * g10/keyid.c (keyid_from_pk): Return keyid[0] for v5key. * g10/keyring.c (keyring_search): Handle short key ID for v5key. -- GnuPG-bug-id: 5000 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpgsm: New option --chuid.Werner Koch2020-08-062-1/+23
| | | | | | | | | | * sm/gpgsm.c (oChUid, opts): New option --chuid. (main): Implement option. -- This option will at least be useful for Scute. Signed-off-by: Werner Koch <[email protected]>
* gpgconf: New option --chuid.Werner Koch2020-08-063-1/+19
| | | | | | | | * tools/gpgconf.c (oChUid, opts): New option --chuid. (main): Implement. -- Signed-off-by: Werner Koch <[email protected]>
* common: New helper function gnupg_chuid.Werner Koch2020-08-062-0/+99
| | | | | | | * common/sysutils.c (try_set_envvar): New. (gnupg_chuid): New. Signed-off-by: Werner Koch <[email protected]>
* kbx: Support v5key for short kid and long kid.NIIBE Yutaka2020-08-061-2/+32
| | | | | | | | * kbx/keybox-search.c (has_short_kid): Support v5key. (has_long_kid): Likewise. GnuPG-bug-id: 5000 Signed-off-by: NIIBE Yutaka <[email protected]>
* build: Remove expired key of David Shaw from distsigkey.gpg.Werner Koch2020-08-061-0/+0
| | | | --
* gpg: Add level 16 to --gen-randomWerner Koch2020-08-051-32/+45
| | | | | | | | | | | * g10/gpg.c (main): Add that hack. -- This is an yet undocumented hack to allow printing hex encoded random number with gpg. The level is forced to be 1 which is is good for almost all uses. Note that --armor is ignored. Signed-off-by: Werner Koch <[email protected]>
* sm: Also show the SHA-256 fingerprint.Werner Koch2020-08-042-3/+16
| | | | | | | | * sm/keylist.c (list_cert_colon): Emit a new "fp2" record. (list_cert_raw): Print the SHA2 fingerprint. (list_cert_std): Ditto. Signed-off-by: Werner Koch <[email protected]>
* w32: Fix cast from intptr_t of _get_osfhandle.NIIBE Yutaka2020-08-031-1/+1
| | | | | | * common/exectool.c (gnupg_exec_tool_stream): Cast to unsigned long. Signed-off-by: NIIBE Yutaka <[email protected]>
* agent: Fix coercion for pinentry_pid handling.NIIBE Yutaka2020-07-311-1/+1
| | | | | | | | | | | | * agent/call-pinentry.c (start_pinentry): Don't use pid_t. -- When pid_t is 64-bit integer and unsigned long is 32-bit, it never matches, because left hand side does not fill upper 32-bit. Signed-off-by: NIIBE Yutaka <[email protected]>
* scd: Silence compiler warning.NIIBE Yutaka2020-07-311-3/+3
| | | | | | * scd/app-openpgp.c (build_ecc_privkey_template): Fix allocation size. Signed-off-by: NIIBE Yutaka <[email protected]>
* w32: Add NETLIBS for sm/t-minip12.NIIBE Yutaka2020-07-301-1/+1
| | | | | | | | | * sm/Makefile.am (t_minip12_LDADD): Add NETLIBS. -- GnuPG-bug-id: 4944 Signed-off-by: NIIBE Yutaka <[email protected]>
* w32: More adding NETLIBS.NIIBE Yutaka2020-07-301-1/+1
| | | | | | | | | * common/Makefile.am (t_common_ldadd): Add $(NETLIBS). -- GnuPG-bug-id: 4994 Signed-off-by: NIIBE Yutaka <[email protected]>
* w32: Add link to $(NETLIB) for -lws2_32.NIIBE Yutaka2020-07-303-3/+3
| | | | | | | | | | | * dirmngr/Makefile.am (dirmngr_LDADD): Add $(NETLIBS). * sm/Makefile.am (gpgsm_LDADD): Ditto. * tools/Makefile.am (gpg_wks_client_LDADD): Ditto. -- GnuPG-bug-id: 4994 Signed-off-by: NIIBE Yutaka <[email protected]>
* Revert patches applied wrongly.NIIBE Yutaka2020-07-282-0/+21
| | | | | | | | | -- In the experiment for 4994, and patches were wrongly applied. Fixes-commit: 46d185f60397f68830bfdfb99627b29aea5016f1 Signed-off-by: NIIBE Yutaka <[email protected]>
* kbx: Fix short KID and long KID handling for FPR32.NIIBE Yutaka2020-07-271-1/+1
| | | | | | | * kbx/keybox-search.c (blob_cmp_fpr_part): For FPR32, it's the first part in the fingerprint. Signed-off-by: NIIBE Yutaka <[email protected]>
* scd: Fix closing reader and reeleasing context in PC/SC.NIIBE Yutaka2020-07-171-0/+7
| | | | | | | | | | * scd/apdu.c (close_pcsc_reader): Unlock the reader_table_lock. (apdu_dev_list_finish): Release the context when no readers. -- Fixes-commit: 46d185f60397f68830bfdfb99627b29aea5016f1 Signed-off-by: NIIBE Yutaka <[email protected]>
* Use gpgrt's new option parser for symcryptrun.NIIBE Yutaka2020-07-171-79/+63
| | | | | | * tools/symcryptrun.c: Follow API change of the new option parser. Signed-off-by: NIIBE Yutaka <[email protected]>
* scd: PC/SC: Don't release the context when it's in use.NIIBE Yutaka2020-07-173-22/+1
| | | | | | | | | | * scd/apdu.c (close_pcsc_reader): Check if it's not in the loop. -- GnuPG-bug-id: 4998 Reported-by: Kevin Locke Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg-card: Fix type of historyname.NIIBE Yutaka2020-07-171-1/+1
| | | | | | | | | * tools/gpg-card.c (interactive_loop): Remove const qualifier. -- Fixes-commit: d70b8769c888f42896ae3ef4972bf82e9b5a0c32 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Do not close stdout after --export-ssh-keyWerner Koch2020-07-161-2/+3
| | | | | | | | | * g10/export.c (export_ssh_key): Do not close stdout. -- stdout should never be closed; this fixes this minor bug. Signed-off-by: Werner Koch <[email protected]>
* common: Avoid undefined behavior of left shift operator.NIIBE Yutaka2020-07-161-5/+11
| | | | | | | | | | | * common/iobuf.c (block_filter): Handle an error earlier. Make sure it's unsigned. -- GnuPG-bug-id: 4975 Suggested-by: lutianxiong <[email protected]> Signed-off-by: NIIBE Yutaka <[email protected]>
* regexp: Import change from JimTcl.NIIBE Yutaka2020-07-152-4/+19
| | | | | | | | | | | | | | | | * regexp/jimregexp.h, regexp/jimregexp.c: Fix from JimTcl. -- Apply the change in JimTcl: commit ac35b8a6ec417f75b5ec86ca64ea1614a8170a38 Author: Steve Bennett <[email protected]> Date: Mon May 4 20:43:46 2020 +1000 regexp: Improved error message Signed-off-by: NIIBE Yutaka <[email protected]>
* gpgsm: Make rsaPSS a compliant scheme in de-vs mode.Werner Koch2020-07-141-8/+4
| | | | | | | -- GnuPG-bug-id: 4538 Signed-off-by: Werner Koch <[email protected]>
* agent: Fix regression with --newsymkey in loopback mode.Werner Koch2020-07-141-2/+5
| | | | | | | | | | | | | | * agent/command.c (cmd_get_passphrase): Never repeat in loopback mode; same as with !OPT_NEWSYMKEY. -- In loopback mode there shall not be any repeat because the caller is expected to do any confirmation before passing a new passphrase to gpg. Fixes-commit: eace4bbe1ded8b01f9ad52ebc1871f2fd13c3a08 GnuPG-bug-id: 4991 Signed-off-by: Werner Koch <[email protected]>
* gpg: Reword warning about decryption w/o using a non-encrypt key.Werner Koch2020-07-141-2/+3
| | | | --
* dirmngr: Handle EAFNOSUPPORT at connect_server.NIIBE Yutaka2020-07-131-0/+9
| | | | | | | | | * dirmngr/http.c (connect_server): Skip server with EAFNOSUPPORT. -- GnuPG-bug-id: 4977 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: For decryption, support use of a key with no 'encrypt' usage.NIIBE Yutaka2020-07-101-5/+9
| | | | | | | | | | * g10/pubkey-enc.c (get_session_key): Don't skip at no PUBKEY_USAGE_ENC. Emit information the key has no 'encrypt' usage. -- GnuPG-bug-id: 4246 Signed-off-by: NIIBE Yutaka <[email protected]>
* doc: Add news entries from the latest 2.2 releases.Werner Koch2020-07-091-0/+75
| | | | --
* gpg: Print a note if no args are given to --delete-keyWerner Koch2020-07-091-1/+4
| | | | | | | | | | | | -- It is a bit surprising that nothing happens if no key is specified to --delete-key et al. Although this is common Unix behaviour the use might have expected that it behaves like --export and deletes all keys. Sure we don't do the latter, so a short notice will help. GnuPG-bug-id: 4959 Signed-off-by: Werner Koch <[email protected]>
* Do not use the pinentry's qualitybarWerner Koch2020-07-083-3/+3
| | | | | | | | | | | | | | | | * agent/genkey.c (agent_ask_new_passphrase): No qualitybar. * g10/call-agent.c (agent_get_passphrase): Ditto. * sm/call-agent.c (gpgsm_agent_ask_passphrase): Ditto. -- The concept of a passphrase quality indicator is anyway questionable because user are smart enough to trick them out and they also tend to limit the actually used entropy. Except for the red/green switching (to show whether constraints are fulfilled) our qualitybar is pretty bad and thus worse than none. Signed-off-by: Werner Koch <[email protected]>
* gpgsm: Replace all assert calls by log_assert.Werner Koch2020-07-0819-44/+29
| | | | | | -- Signed-off-by: Werner Koch <[email protected]>
* gpg: Use integrated passphrase repeat entry also for -c.Werner Koch2020-07-083-7/+33
| | | | | | | | * g10/call-agent.c (agent_get_passphrase): Add arg newsymkey. * g10/passphrase.c (passphrase_get): Add arg newsymkey. (passphrase_to_dek): Pass it on. Signed-off-by: Werner Koch <[email protected]>
* agent: New option --newsymkey for GET_PASSPHRASEWerner Koch2020-07-084-58/+322
| | | | | | | | | | | | | * agent/call-pinentry.c (agent_get_passphrase): Add arg pininfo. * agent/genkey.c (check_passphrase_constraints): New arg no_empty. * agent/command.c (reenter_passphrase_cmp_cb): New. (cmd_get_passphrase): Add option --newsymkey. -- This new option allows to present a passphrase with the usual repeat box as it is used by gpg-agent's internal key generation. Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix flaw in symmetric algorithm selection in mixed mode.Werner Koch2020-07-073-18/+10
| | | | | | | | | | | | | | | | * g10/encrypt.c (setup_symkey): Use default_cipher_algo function instead of the fallback s2k_cipher_algo. Fix error code. (encrypt_simple): Use setup_symkey. -- Aside of removing code duplication this patch fixes the flaw that the S2K cipher algorithm was used when mixing public key and symmetric encryption or signatures with symmetric encrypion. The default_algorithm function should be used here so that the command line option --cipher-algo and --personal-cipher-preferences have an effect. Signed-off-by: Werner Koch <[email protected]>
* sm: Exclude rsaPSS from de-vs compliance mode.Werner Koch2020-07-0316-89/+175
| | | | | | | | | | | | | | | * common/compliance.h (PK_ALGO_FLAG_RSAPSS): New. * common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and test rsaPSS. Adjust all callers. (gnupg_pk_is_allowed): Ditto. * sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function. (gpgsm_get_hash_algo_from_sigval): New. * sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval arg. Add arg pkalgoflags. Use the PK_ALGO_FLAG_RSAPSS. * sm/verify.c (gpgsm_verify): Use the new wrapper and new fucntion to also get the algo flags. Pass algo flags along. Signed-off-by: Werner Koch <[email protected]>
* scd:nks: Implement writecert for the Signature card v2.Werner Koch2020-07-023-8/+133
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * scd/iso7816.c (CMD_UPDATE_BINARY): New. (iso7816_update_binary): New. * scd/app-nks.c (do_deinit): Factor some code out to... (flush_fid_cache): new. (do_writecert): New. (app_select_nks): Register new handler. -- This can be used with gpg-card to write the 3 extra certificates of a Telesec TCOS Signature Card v2. The card with the qualified signature is distributed with the keys for encryption and advanced signatures but without the certificates. The certificates can be downloaded from the website after an mail confirmation. Unpacked the downloaded zipfile has these certificates: auth_zert.crt sig_zert.crt enc_zert.crt Using gpg-card issue these commands: writecert NKS-NKS3.4531 <sig_zert.crt writecert NKS-NKS3.45B1 <enc_zert.crt writecert NKS-NKS3.4571 <auth_zert.crt Don't mix that up, tight now there is no checking that the certificates match the public key. I also need to write another patch to actually implement signing and encryption with these nistp256 certificates. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Silence annoying warning for missing default ldap server file.Werner Koch2020-07-021-5/+8
| | | | | | | * dirmngr/dirmngr.c (parse_ldapserver_file): Add arg ignore_enoent. (main): Use that arg for the default file. Signed-off-by: Werner Koch <[email protected]>
* Support a history file in gpg-card and gpg-connect-agent.Werner Koch2020-07-029-7/+216
| | | | | | | | | | | | | | | | | | | | | | | | * common/gpgrlhelp.c (read_write_history): New. (gnupg_rl_initialize): Register new function. * common/ttyio.c (my_rl_rw_history): New var. (tty_private_set_rl_hooks): Add arg read_write_history. (tty_read_history): New. (tty_write_history): New. * tools/gpg-card.c (HISTORYNAME): New. (oNoHistory): New enum value. (opts): New option --no-history. (cmd_history): New. (cmds): New command "history". (interactive_loop): Read and save the history. * tools/gpg-connect-agent.c (HISTORYNAME): New. (opts): New option --no-history. (main): Read and save the history. New command /history. -- Yeah, finally we have stored history; I should have added this much earlier. Signed-off-by: Werner Koch <[email protected]>
* scd:nks: Fix certificate read problem with TCOS signature card v2.Werner Koch2020-06-301-0/+2
| | | | | | | * scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN. (do_readcert): Test for the app_id. Signed-off-by: Werner Koch <[email protected]>
* scd: Change how the removed card flag is set.Werner Koch2020-06-301-13/+14
| | | | | | | | | | | | * scd/command.c (cmd_serialno): Set/clear card removed flags for all connections using the current card. -- This seems to solve the problems I had in gpg-card and ssh. I am not sure why the old code was done this way - maybe an oversight when adding support for multiple cards. Signed-off-by: Werner Koch <[email protected]>
* card: Better detect removed cards. Add TCOS PIN menu.Werner Koch2020-06-303-53/+199
| | | | | | | | | | | | | | | | | | | | | | | | | * tools/card-call-scd.c (scd_change_pin): Add arg 'nullpin'. * tools/gpg-card.h (struct card_info_s): Add field 'card_removed'. * tools/gpg-card.c (fixup_scd_errors): New. (maybe_set_card_removed): New. (list_one_kinfo): Change type of first arg to get access to INFO. Set card_removed flag. (list_all_kinfo): Improve label alignment. (cmd_list): Check that the current card is still available. (cmd_passwd): Add option --nullpin and menu to chnage TCOS PINs. (dispatch_command): Handle card_removed flag. (interactive_loop): Ditto. -- Note that that I was not able to change the NullPIN of the standard PIN using a Signature V2 Brainpool test card. Changing the NullPIN of the QES PIN worked, though. I checked the commands send to scdaemon and they were correct - I used the very same command with gpg-connect-agent last week to set a Pin for a production Brainpool Signature card. Thus this might be a problem with this specific test card. Signed-off-by: Werner Koch <[email protected]>
* ecc: Support Ed448/X448 key generation.NIIBE Yutaka2020-06-301-2/+5
| | | | | | | * g10/keygen.c (ask_curve): Support Ed448/X448 keys. (generate_keypair): Support switch to X448 key. Signed-off-by: NIIBE Yutaka <[email protected]>
* scd: Shorten cardio debug output for all zeroes.Werner Koch2020-06-291-4/+33
| | | | | | | * scd/apdu.c (all_zero_p): New. (send_le): Use it. Signed-off-by: Werner Koch <[email protected]>
* sm: Fix regression in Friday's commitWerner Koch2020-06-291-2/+2
| | | | | | | | * sm/gpgsm.c (main): Set ERR also for encrypt. -- Fixes-commit: ccbb0cfeefed096a9841b6557d10eef12d55b721 Signed-off-by: Werner Koch <[email protected]>
* sm: Try not to output a partial new message after an error.Werner Koch2020-06-261-2/+19
| | | | | | | | | | | | | | | | | * sm/gpgsm.c (main) <aSign,aEncr>: Uses gpgrt_fcancel on error. -- When creating a signature or encrypting and the respective key is not available or the user canceled the PIN entry gpgsm prints the initial part of the message due to internal buffering in gpgrt. By using gpgrt_fcancel we can avoid this at least as long as the data is less than the standard buffer size (which is currently 8k). If is not a complete solution but the best we can do easily. Outputting to the tty is anyway more of a testing aid than for real use. This makes use of the new gpgrt_fcancel API. Signed-off-by: Werner Koch <[email protected]>
* sm: Print the serial number of a cert also in decimal.Werner Koch2020-06-263-3/+89
| | | | | | | | | | | | * sm/certdump.c: Include membuf.h. (gpgsm_print_serial_decimal): New. * sm/keylist.c (list_cert_raw): Print s/n also in decimal (list_cert_std): Ditto. -- Many CA's print the serial number in decimal on their cards. Signed-off-by: Werner Koch <[email protected]>
* scd:nks: Fix remaining tries warning in --reset mode.Werner Koch2020-06-251-9/+10
| | | | | | * scd/app-nks.c (do_change_pin): Chnage computaion of 'remaining'. Signed-off-by: Werner Koch <[email protected]>
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-09 20:54:30 +0000