aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
...
* po: Apply removal of dirmngr/ldap-wrapper-ce.c.NIIBE Yutaka2019-11-191-1/+0
| | | | | | * po/POTFILES.in: Update. Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr,gpg: Better diagnostic in case of bad TLS certificates.Werner Koch2019-11-183-7/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | * doc/DETAILS: Specify new status code "NOTE". * dirmngr/ks-engine-http.c (ks_http_fetch): Print a NOTE status for a bad TLS certificate. * g10/call-dirmngr.c (ks_status_cb): Detect this status. -- For example a gpg -v --locate-external-keys [email protected] now yields gpg: Note: server uses an invalid certificate gpg: (further info: bad cert for 'posteo.net': \ Hostname does not match the certificate) gpg: error retrieving '[email protected]' via WKD: Wrong name gpg: error reading key: Wrong name (without -v the "further info" line is not shown). Note that even after years Posteo is not able to provide a valid certificate for their .net addresses. Anyway, this help to show the feature. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Forward http redirect warnings to gpg.Werner Koch2019-11-185-1/+24
| | | | | | | | | | | | | | | | * dirmngr/http.c: Include dirmngr-status.h (http_prepare_redirect): Emit WARNING status lines for redirection problems. * dirmngr/http.h: Include fwddecl.h. (struct http_redir_info_s): Add field ctrl. * dirmngr/ks-engine-hkp.c (send_request): Set it. * dirmngr/ks-engine-http.c (ks_http_fetch): Set it. * g10/call-dirmngr.c (ks_status_cb): Detect the two new warnings. -- This should make it easier to diagnose problems with bad WKD servers. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Fixed typo in recently added diagnostic.Werner Koch2019-11-182-2/+2
| | | | --
* scd,ccid: Fix detection of supported readers with pinpad.NIIBE Yutaka2019-11-151-3/+4
| | | | | | | * scd/ccid-driver.c (ccid_transceive_secure): When not supported, return CCID_DRIVER_ERR_NOT_SUPPORTED. Signed-off-by: NIIBE Yutaka <[email protected]>
* dirmngr: Use IPv4 or IPv6 interface only if available.Werner Koch2019-11-124-3/+119
| | | | | | | | | | | | | | | * dirmngr/dns-stuff.c (cached_inet_support): New variable. (dns_stuff_housekeeping): New. (check_inet_support): New. * dirmngr/http.c (connect_server): Use only detected interfaces. * dirmngr/dirmngr.c (housekeeping_thread): Flush the new cache. -- This currently works only for Windows but that is where users really ran into problems. The old workaround was to configure disable-ipv4 or disable-ipv6. Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Tune down err on missing ldapservers fileAndre Heinecke2019-11-121-1/+1
| | | | | | | | | | | | * dirmngr/dirmngr.c (parse_ldapservers_file): Tune down error in case no such file exists. -- This is hardly an error because by default such a file does not exist. This caused trouble in support because people think "Oh the system prints an error". GnuPG-Bug-Id: T3539
* dirmngr: Remove cruft from dirmngr_ldapWerner Koch2019-11-116-708/+58
| | | | | | | | | | | | | | | | | | | * configure.ac (USE_LDAPWRAPPER): Remove ac_define and conditional. * dirmngr/Makefile.am: Remove USE_LDAPWRAPPER and considere true. * dirmngr/ldap-wrapper-ce.c: Remove. * dirmngr/ldap-wrapper.c: Remove USE_LDAPWRAPPER stuff. Minor chnages to debug output. * dirmngr/dirmngr_ldap.c: Remove USE_LDAPWRAPPER stuff. Remove my_ldap macros. (fetch_ldap) [W32]: Use ldap_sslinit. -- Note that the ldap_sslinit stuff for Windows has not been tested. This patch removes the whole wrapper-but-linked business because we do not need it anymore. WindowsCE for which we used it is pretty dead. Signed-off-by: Werner Koch <[email protected]>
* gpg: Forbid the creation of SHA-1 third-party key signatures.Werner Koch2019-11-111-7/+44
| | | | | | | | | | | * g10/sign.c (SIGNHINT_KEYSIG, SIGNHINT_SELFSIG): New. (do_sign): Add arg signhints and inhibit SHA-1 signatures. Change callers to pass 0. (complete_sig): Add arg signhints and pass on. (make_keysig_packet, update_keysig_packet): Set signhints. -- Signed-off-by: Werner Koch <[email protected]>
* dirmngr: Rename an enum value for clarity.Werner Koch2019-11-111-3/+3
| | | | | | | | | | * dirmngr/ldapserver.h: Rename LDAPSERVER_OPT. -- Using _OPT is not good because it does not describe for what this configuration group is used. _SESSION immediately shows the purpose. Signed-off-by: Werner Koch <[email protected]>
* gpgsm: Allow sepcification of ldaps servers.Werner Koch2019-11-099-17/+145
| | | | | | | | | | | | | | | | | | | | | | | | | | | * sm/gpgsm.h (struct keyserver_spec): Add field use_ldaps. * sm/gpgsm.c (parse_keyserver_line): Parse flags. * sm/call-dirmngr.c (prepare_dirmngr): Send ldaps flag to the dirmngr. * dirmngr/dirmngr.h (struct ldap_server_s): Add field use_ldaps. * dirmngr/ldapserver.c (ldapserver_parse_one): Parse flags. * dirmngr/ldap.c (start_cert_fetch_ldap): Call wrapper with --tls. * dirmngr/dirmngr_ldap.c: New option --tls. (fetch_ldap): Make use of that option. -- There was no way to specify an LDAPS server in dirmngr_ldapserver.socnf or with gpgsm's --keyserver option. This patch fixes this. Eventually we should allow to replace host and port by a partial URI in the same way ldap_initialize does it. For backward compatibility we do not yet do that. Although the dirmngr code accepts an URL (eg. taken from a certificate), I can't see how the scheme was ever used. Thus the patch also detects an ldaps scheme and uses this. That part has not been tested, though. Signed-off-by: Werner Koch <[email protected]>
* doc: Document gpgsm's --keyserver option.Werner Koch2019-11-073-4/+21
| | | | | | | | -- Also fix a few related entries. Signed-off-by: Werner Koch <[email protected]>
* doc: Improved description of status PLAINTEXT_LENGTH.Werner Koch2019-11-071-1/+4
| | | | | | -- GnuPG-bug-id: 4741
* gpg: Fix a potential loss of key sigs during import with self-sigs-only.Werner Koch2019-11-072-7/+12
| | | | | | | | | | | * g10/import.c (import_one_real): Don't do the final clean in the merge case. -- This fixes a regression introduced with self-sigs-only. GnuPG-bug-id: 4628 Signed-off-by: Werner Koch <[email protected]>
* gpg: Add option --allow-weak-key-signatures.Werner Koch2019-11-076-6/+45
| | | | | | | | | | | | * g10/gpg.c (oAllowWeakKeySignatures): New. (opts): Add --allow-weak-key-signatures. (main): Set it. * g10/options.h (struct opt): Add flags.allow_weak_key_signatures. * g10/misc.c (print_sha1_keysig_rejected_note): New. * g10/sig-check.c (check_signature_over_key_or_uid): Print note and act on new option. Signed-off-by: Werner Koch <[email protected]>
* gpg: Print rfc4880bis note only in verbose mode.Werner Koch2019-11-071-1/+1
| | | | | | * g10/gpg.c (main): Change condition for an info diagnostic. Signed-off-by: Werner Koch <[email protected]>
* doc: Make clear that by default RFC-4880bis features are used.Werner Koch2019-11-072-13/+9
| | | | --
* gpg: Remove an unused variable.Werner Koch2019-11-061-2/+0
| | | | | | * g10/delkey.c (do_delete_key): here. Signed-off-by: Werner Koch <[email protected]>
* gpg: Do not require --batch when using --log-file.Werner Koch2019-11-061-5/+1
| | | | | | * g10/gpg.c (main): Remove a long standing FIXME. Signed-off-by: Werner Koch <[email protected]>
* doc: Document the --unwrap command.Werner Koch2019-11-061-0/+9
| | | | | | -- Signed-off-by: Werner Koch <[email protected]>
* scd,ccid: Fix GEMPC_EZIO handling.NIIBE Yutaka2019-10-281-5/+5
| | | | | | | | * scd/ccid-driver.c (ccid_transceive_secure): Fix for 08e6:34c2. Fixes-commit: c933c15d587a1c0df3f4b3bf37d8d15164dd318f GnuPG-bug-id: 4654 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: More fix of get_best_pubkey_byname.NIIBE Yutaka2019-10-171-1/+0
| | | | | | | | * g10/getkey.c (get_best_pubkey_byname): Remove useless req_usage setting of CTX. Fixes-commit: f2734381ae1431e395a0bed16df2f4d5d13aa2c5 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Fix two other cases in get_best_pubkey_byname.NIIBE Yutaka2019-10-171-29/+34
| | | | | | | | | * g10/getkey.c (pubkey_cmp): Handle a primary key with PUBKEY_USAGE_ENC, and make sure new key is for encryption. (get_best_pubkey_byname): Add comment for ranking. GnuPG-bug-id: 4713 Signed-off-by: NIIBE Yutaka <[email protected]>
* doc: Fix documentation about --locate-keys.NIIBE Yutaka2019-10-161-7/+7
| | | | | | | | | * doc/gpg.texi (--locate-keys): Remove mentioning signing keys. -- GnuPG-bug-id: 4713 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Fix get_best_pubkey_byname to consider the first match.NIIBE Yutaka2019-10-161-19/+39
| | | | | | | | | | | | * g10/getkey.c (get_best_pubkey_byname): Always use PK0 to search by get_pubkey_byname. Add initial call to pubkey_cmp to fill BEST at first before the loop. -- Fixes-commit: 44604209c1cfe18532d13eda63d8c1f86a6e12ec GnuPG-bug-id: 4713 Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Also delete key-binding signature when deleting a subkey.Werner Koch2019-10-151-14/+7
| | | | | | | | | * g10/delkey.c (do_delete_key): Simplify and correct subkey deletion. -- GnuPG-bug-id: 4665, 4457 Fixes-commit: cc6069ac6ecd57dcbb808f28d54fd9f89dc55014 Signed-off-by: Werner Koch <[email protected]>
* gpg: Put the first key in candidates correctly.NIIBE Yutaka2019-10-151-19/+18
| | | | | | | | | | | | * g10/getkey.c (get_best_pubkey_byname): After the call of get_pubkey_byname, set up CTX with KEYDB_SEARCH_MODE_LONG_KID to enter the loop. -- Fixes-commit: 7535f1d47a35e30f736f0e842844555f7a4a9841 GnuPG-bug-id: 4713 Signed-off-by: NIIBE Yutaka <[email protected]>
* scd,ccid: Add 08e6:34c2 (GEMPC_EZIO).NIIBE Yutaka2019-10-152-7/+22
| | | | | | | * scd/ccid-driver.c (ccid_transceive_secure): Add pinpad support for 08e6:34c2 which supports extended APDU exchange. Signed-off-by: NIIBE Yutaka <[email protected]>
* doc: Fix c+p bug in the examples for --import-filter.Werner Koch2019-10-121-5/+5
| | | | | | | -- Reported-by: Steve McIntyre Signed-off-by: Werner Koch <[email protected]>
* gpg: The first key should be in candidates.NIIBE Yutaka2019-10-091-1/+8
| | | | | | | | | | * g10/getkey.c (get_best_pubkey_byname): Handle the first key as the initial candidate for the selection. -- GnuPG-bug-id: 4713 Signed-off-by: NIIBE Yutaka <[email protected]>
* doc: Clarify that code assignments for g10 code and me terminated.Werner Koch2019-10-071-1/+5
| | | | | | -- Signed-off-by: Werner Koch <[email protected]>
* kbx: Implement update for the STORE command.Werner Koch2019-10-073-1/+56
| | | | | | | * kbx/backend-kbx.c (be_kbx_update): New. * kbx/frontend.c (kbxd_store): Call it. Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix a memory leak in get_best_pubkey_byname.NIIBE Yutaka2019-10-071-1/+4
| | | | | | * g10/getkey.c (get_best_pubkey_byname): Free the public key parts. Signed-off-by: NIIBE Yutaka <[email protected]>
* gpg: Ignore all SHA-1 signatures in 3rd party key signatures.Werner Koch2019-10-031-6/+2
| | | | | | | | | | | * g10/sig-check.c (check_signature_over_key_or_uid): No cut-off date and remove debug output. -- With 2.2 we do not not support SHA-1 key signatures anymore even if that means that the WoT shrinks. Signed-off-by: Werner Koch <[email protected]>
* gpg: Be prepared for chosen-prefix SHA-1 collisions in key signatures.Werner Koch2019-10-031-15/+29
| | | | | | | | * g10/sig-check.c (check_signature_over_key_or_uid): Reject cewrtain SHA-1 based signatures. -- Signed-off-by: Werner Koch <[email protected]>
* gpg: Read the UBID from the keybox and detect wrong blob type.Werner Koch2019-10-012-7/+46
| | | | | | | | | | | * g10/keydb-private.h (struct keydb_handle_s): Add fields for UBID. * g10/call-keyboxd.c (search_status_cb): New. (keydb_search): Set new UBID fields. -- The UBID is not yet used but may come handy later. Signed-off-by: Werner Koch <[email protected]>
* kbx: Add first version of STORE command to keyboxd.Werner Koch2019-10-018-20/+324
| | | | | | | | | | | | | * kbx/Makefile.am (keyboxd_CFLAGS): -DKEYBOX_WITH_X509. (keyboxd_LDADD): Add libksba. * kbx/kbxserver.c (cmd_store): New. * kbx/frontend.c (kbxd_store): New. * kbx/backend-support.c (is_x509_blob): New. (be_fingerprint_from_blob): New. * kbx/backend-kbx.c (be_kbx_seek): Add args FPR and FPRLEN. (be_kbx_insert): New. Signed-off-by: Werner Koch <[email protected]>
* common: New function hex2fixedbuf.Werner Koch2019-10-013-1/+71
| | | | | | | | | | * common/convert.c (hex2fixedbuf): New. -- This function is useful for converting hex strings received via assuan if they have a known length. For example keygrips or the new UBID. Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix --recv-key in case of a given fingerprint.Werner Koch2019-09-301-1/+2
| | | | | | | | | | | * g10/keyserver.c (keyserver_retrieval_screener): Compare against actual length. -- This was a long standing and annoying regression due to changes for v5 keys. Really simple to fix :-). Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix expand GPG groups when resolving a keyWerner Koch2019-09-304-33/+55
| | | | | | | | | | | | | | | | | * g10/expand-group.c (expand_group): Add arg prepend_input. * g10/pkclist.c (build_pk_list): Adjust for it. * g10/getkey.c (key_byname): Keep the expanded names in the CTX and don't premature free them. (get_pubkey_byname): Append the namelist to the extra_list. -- The original patch didn't kept the expanded list in the context and also would duplicate names which are not group names. The latter does not really harm but the former lead to a use after free. Original patch was applied just a few weeks ago. Fixes-commit: e825aea2ba3529c333d7ec2c76e63998cb83d999 Signed-off-by: Werner Koch <[email protected]>
* gpg: Fix a recently introduced printf format buglet.Werner Koch2019-09-271-1/+1
| | | | | | * g10/parse-packet.c (dump_sig_subpkt): Fix format error. Signed-off-by: Werner Koch <[email protected]>
* Merge branch 'switch-to-gpgk' into masterWerner Koch2019-09-2761-507/+7194
|\ | | | | | | | | | | | | | | | | | | | | | | -- Resolved Conflicts: * common/asshelp.c: Keep the new code in master for spawing under Windows. * g10/Makefile.am: Keep all new file. * g10/photoid.c: Pass CTRL to pct_expando. Signed-off-by: Werner Koch <[email protected]>
| * kbx: Fix error code return in keyboxd.switch-to-gpgkWerner Koch2019-09-272-2/+6
| | | | | | | | | | | | | | | | * kbx/frontend.c (kbxd_add_resource): Print a diagnostic on error. * kbx/backend-kbx.c (be_kbx_add_resource): Acttually returh the error code. Signed-off-by: Werner Koch <[email protected]>
| * kbx: Store the UBIB in the blob.Werner Koch2019-09-273-12/+78
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * kbx/keybox-blob.c (create_blob_header): New blob flag UBIB. (create_blob_finish): Write the UBIB. * kbx/keybox-dump.c (print_ubib): New. (_keybox_dump_blob): Print UBIB flag. * kbx/keybox-search.c (has_ubid): Compare the stored UBIB if available. -- This make scanning the keybox for a given UBIB much faster once it has been stored. Signed-off-by: Werner Koch <[email protected]>
| * kbx,gpg: Allow lookup using a UBID.Werner Koch2019-09-277-7/+64
| | | | | | | | | | | | | | | | | | | | | | | | * common/userids.c (classify_user_id): Detect UBIDs. * kbx/backend-cache.c (blob_table_put): Store the public key type. (be_cache_search): Add search mode for UBIDs. * kbx/backend.h (struct db_request_part_s): Add cache.seqno_ubid. * g10/keydb.c (keydb_search_desc_dump): Fix printing of keygrip. Add ubid printing. * g10/call-keyboxd.c (keydb_search): Support search by UBID. Signed-off-by: Werner Koch <[email protected]>
| * kbx: First take on a cache for the keyboxd.Werner Koch2019-09-279-44/+1420
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * kbx/backend.h (enum database_types): Add DB_TYPE_CACHE. (struct db_request_part_s): Add seqno fields. (struct db_request_s): Add infos for the cache backend. * kbx/backend-support.c (struct backend_handle_s): Add 'backend_id'. (strdbtype): Support DB_TYPE_CACHE. (be_generic_release_backend): Ditto. (be_find_request_part): New. (be_return_pubkey): New arg UBID and chnage status name. * kbx/backend-cache.c: New. * kbx/backend-kbx.c (be_kbx_init_request_part): New. (be_kbx_search): Factor some code out to a support function. (be_kbx_seek): New. * kbx/frontend.c (kbxd_add_resource): Support DB_TYPE_CACHE. (kbxd_search): Support the NEXR operation with the cache. * kbx/keybox-search-desc.h (KEYDB_SEARCH_MODE_UBID): New. (struct keydb_search_desc): Add field u.ubid. * kbx/keybox-search.c (has_ubid): New. (keybox_search): Support the UBID search. -- This adds a caching backend to the keyboxd. This tries to accommodate for duplicate use of fingerprints and thus be correct in case a fingerprint is used in several keys. It also turned out that we need to have a unique identifier (UBID) to identify a keyblock or X.509 certificate. In particular with an OpenPGP keyblob we can't easily use the primary fingerprint as an identifier because that fingerprint may also be used as subkey in another key. Thus using a hash of the entire keyblock is a better identifier to be used to address a keyblock for restarting a search or for identifying the keyblock to be updated. Note that this new UBID is not a permanent identifier because it changes with all keyblock update; it should be viewed as a handle to the keyblock or X509 cert.
| * doc: Minor doc updates and a typo fix.Werner Koch2019-09-252-8/+8
| | | | | | | | --
| * tests: Add two user-id parsing test cases.Werner Koch2019-09-171-0/+6
| | | | | | | | | | | | -- Signed-off-by: Werner Koch <[email protected]>
| * gpg: First rough implementation of keyboxd access for key lookup.Werner Koch2019-09-106-104/+380
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * g10/Makefile.am: Add nPth flags. * g10/gpg.c: Include npth.h. (gpg_deinit_default_ctrl): Deinit call-keyboxd local data. (main): Init nPth. * g10/keydb-private.h (struct keydb_handle_s): Add field 'kbl' and remove the search result and the assuan context. * g10/call-keyboxd.c (struct keyboxd_local_s): Add more fields. (lock_datastream, unlock_datastream): New. (gpg_keyboxd_deinit_session_data): Adjust for changed data structures. (prepare_data_pipe): New. (open_context): Return kbl instead of an Assuan context. Init mutexes etc. (close_context): Merge into ... (keydb_release): here. Adjust for changed data structures. (datastream_thread): New. (keydb_get_keyblock): Implement datastream stuff. (keydb_search): Ditto. * common/asshelp.c (wait_for_sock): Add arg connect_flags. (start_new_service): Set FDPASSING flag for the keyboxd. -- This code as a lot of rough edges, in particular it relies on a well behaving keyboxd. We need to add code to shutdown the datastream reader thread in case of errors and to properly get it up again. We also need to make really sure that both threads run in lockstep so that the datastream thread is only active while we are sending a command to the keyboxd. We should also see whether we can depend nPth initialization on the --use-keyboxd option to avoid any problems with nPth. And we need to test on Windows. Signed-off-by: Werner Koch <[email protected]>
| * kbx: Allow fd-passing for the keyboxd.Werner Koch2019-09-102-6/+109
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * kbx/kbxserver.c: Include host2net.h (struct server_local_s): Add field outstream. (prepare_outstream): New. (kbxd_writen): New. (kbxd_write_data_line): Write to file descrptor. Disable the slow human reader friendly data line formatting. (cmd_search, cmd_next): Disable data logging. (kbxd_start_command_handler): Add OUTPUT command. * kbx/keyboxd.c (main): Enable log monitor. -- Signed-off-by: Werner Koch <[email protected]>
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-14 17:05:40 +0000