| Commit message (Collapse) | Author | Files | Lines |
|---|
|
* agent/command.c (cmd_learn): Add option --reallyforce.
* agent/findkey.c (agent_write_private_key): Implement reallyforce.
Also add arg reallyforce and pass it along the call chain.
* g10/call-agent.c (agent_scd_learn): Pass --reallyforce with a
special force value.
* g10/keygen.c (card_store_key_with_backup): Use that force value.
--
This was a regression in 2.2.42. We took the easy path to fix it by
getting the behaviour back to what we did prior to 2.2.42. With GnuPG
2.4.4 we use an entire different and safer approach by introducing an
ephemeral private key store.
GnuPG-bug-id: 6944
|
|
* agent/agent.h (opt): Remove enable_extended_key_format.
* agent/gpg-agent.c (enum cmd_and_opt_values): Turn
oDisableExtendedKeyFormat and oEnableExtendedKeyFormat into dummy
options.
* agent/protect.c (do_encryption): Remove arg use_ocb and
corresponding code.
(agent_protect): Ditto. Change all callers.
* agent/command.c (cmd_readkey): Do not test for key availability here
but defer that agent_write_shadow_key.
* agent/findkey.c (agent_write_private_key): Simplify due to the
removal of disable-extended-key-format.
(write_extended_private_key): Fold into agent_write_private_key.
Remove the maybe_update arg.
(agent_write_shadow_key): Ditto. Simplify.
--
GnuPG-bug-id: 6386
Backported-from-master: 6d792ae2eb46b3c411d36a87f0d08fbfc1b65cc9
But with large changes to get 2.2 more aligned with master again. This
is not finished; in particular the bug is not fixed; this comes wit
the next patch.
|
|
* agent/findkey.c (agent_write_private_key): Factor file name
generation out to ...
(fname_from_keygrip): new.
(write_extended_private_key): Add and implement new arg MAYBE_UPDATE.
(agent_write_shadow_key): Ditto.
* agent/command.c (cmd_readkey): Update the shadow-key in card mode.
--
GnuPG-bug-id 6135
|
|
* agent/divert-scd.c (linefeed_to_percent0A): New.
(ask_for_card): Add arg grip. Read Token and Label items and use
them.
(divert_pksign, divert_pkdecrypt): Pass down grip.
* agent/findkey.c (write_extended_private_key): Add args serialno,
keyref, and dispserialno. Writen Token item.
(agent_write_private_key): Add args serialno, keyref, and
dispserialno.
(read_key_file): Add arg r_keymeta.
(agent_keymeta_from_file): New.
(agent_write_shadow_key): Remove leading spaces from serialno and keyid.
* agent/protect-tool.c (agent_write_private_key): Ditto.
* agent/learncard.c (agent_handle_learn): Get DISPSERIALNO and pass to
agent_write_shadow_key.
* agent/command-ssh.c (card_key_available): Ditto.
--
GnuPG-bug-id: 6135
This patch backports some changes from master but also adds the
Display-S/N tracking.
|
|
* agent/command-ssh.c (sexp_key_construct): Do not put an empty string
into an S-expression.
(stream_read_string): Do not not try to a read a zero length block.
--
Actually we could handles this different by not putting a comment tag
into the s-expression, however this requires more code and at other
places we already return "(none)" instead of an empty comment.
The second fix is more or less a cosmetic thing to get better error
messages in case the underlying read system call returns an error.
GnuPG-bug-id: 5794
|
|
* agent/command-ssh.c (ssh_handler_request_identities): Skip unknown
curves.
--
For example when using my standard ed25519 token and testing cards
with only Brainpool support, the ssh-agent failed due to the unknown
curves seen on the card. This patches fixes this by ignoring keys
with unknown curves.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 2d2391dfc25cfe160581b1bb4b4b8fc4764ac304)
|
|
--
We need to use es_fopen on Windows to cope with non-ascii file names.
This is quite a large but fortunately straightforward change. At a
very few places we keep using stdio (for example due to the use of
popen).
GnuPG-bug-id: 5098
Signed-off-by: Werner Koch <[email protected]>
Backported-from-master: 390497ea115e1aca93feec297a5bd6ae7b1ba6dd
|
|
* agent/command.c (cmd_genkey): Add option --timestamp.
(cmd_import_key): Ditto.
* agent/genkey.c (store_key): Add arg timestamp and change callers.
(agent_genkey): Ditto.
* agent/findkey.c (write_extended_private_key): Add args timestamp and
newkey to write a Created line.
(agent_write_private_key): Add arg timestamp.
(agent_write_shadow_key): Ditto.
* agent/protect-tool.c (agent_write_private_key): Ditto as dummy arg.
--
Signed-off-by: Werner Koch <[email protected]>
Backported-from-master: 0da923a1240ac78d60c92cdd8488c4e405c3243b
Signed-off-by: Werner Koch <[email protected]>
|
|
* agent/command-ssh.c (ssh_key_to_protected_buffer): Update
the length by the second call of gcry_sexp_sprint.
--
GnuPG-bug-id: 4502
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/command-ssh.c (struct ssh_key_type_spec): Add field
alt_curve_name.
(ssh_key_types): Add some alternate curve names.
(ssh_identifier_from_curve_name): Lookup also bey alternative names
and return the canonical name.
(ssh_key_to_blob): Simplify the ECDSA case by using gcry_pk_get_curve
instead of the explicit mapping.
(ssh_receive_key): Likewise. Use ssh_identifier_from_curve_name to
validate the curve name. Remove the reverse mapping because since
GnuPG-2.2 Libgcrypt 1.7 is required.
(ssh_handler_request_identities): Log an error message.
--
This change will make it easier to support other curves, in particular
those from tokens. Libgcrypt has a large list of alias names which we
now use to to make the mapping more flexible.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit d93797c8a7892fe26672c551017468e9f8099ef6)
|
|
* agent/command-ssh.c (ssh_handler_add_identity): Handle other errors
than EOF.
--
GnuPG-bug-id: 4221
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 7385e1babf6eef586c79ad23f8e541aaf608c4e5)
|
|
* agent/command-ssh.c (ssh_handler_sign_request): Simplify detection
of flags.
--
Signed-off-by: Werner Koch <[email protected]>
|
|
* agent/command-ssh.c (ssh_handler_sign_request): if a flag is passed
during an signature request that we do not know how to apply, return
GPG_ERR_UNKNOWN_OPTION.
--
https://tools.ietf.org/html/draft-miller-ssh-agent-02#section-4.5 says:
If the agent does not support the requested flags, or is otherwise
unable or unwilling to generate the signature (e.g. because it
doesn't have the specified key, or the user refused confirmation of a
constrained key), it must reply with a SSH_AGENT_FAILURE message.
Signed-off-by: Daniel Kahn Gillmor <[email protected]>
GnuPG-bug-id: 3880
|
|
* agent/command-ssh.c: repoint documentation reference.
--
Damien Miller is now documenting the ssh-agent protocol via the IETF.
Signed-off-by: Daniel Kahn Gillmor <[email protected]>
|
|
* agent/command-ssh.c (SSH_AGENT_RSA_SHA2_256): New.
(SSH_AGENT_RSA_SHA2_512): New.
(ssh_handler_sign_request): Override SPEC when FLAGS
is specified.
--
GnuPG-bug-id: 3880
Reported-by: Daniel Kahn Gillmor <[email protected]>
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/cache.c (agent_put_cache): Add arg 'ctrl' and change all
callers to pass it.
(agent_get_cache): Ditto.
* agent/cache.c (struct cache_items_s): Add field 'restricted'.
(housekeeping): Adjust debug output.
(agent_flush_cache): Ditto.
(agent_put_cache): Ditto. Take RESTRICTED into account.
(agent_get_cache): Ditto.
--
If requests are coming from different sources they should not share the
same cache. This way we make sure that a Pinentry pops up for a
remote request to a key we have already used locally.
GnuPG-bug-id: 3858
Signed-off-by: Werner Koch <[email protected]>
|
|
* configure.ac: Check ucred.h as well as sys/ucred.h.
* agent/command-ssh.c: Add inclusion of ucred.h.
--
It was T2981, adding ucred.h for Solaris. We also need sys/ucred.h
for FreeBSD and macOS.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* configure.ac: Check sys/ucred.h instead of ucred.h.
* agent/command-ssh.c: Include sys/ucred.h.
--
It's *BSD and macOS thing.
Fixes-commit: f7f806afa5083617f4aba02fc3b285b06a7d73d4
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/command-ssh.c (serve_mmapped_ssh_request): Add const
qualifier.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/command-ssh.c (ssh_key_to_protected_buffer): If the empty
passphrase is supplied, do not protect the key.
GnuPG-bug-id: 2856
Signed-off-by: Justus Winter <[email protected]>
|
|
* agent/agent.h (opt): New field 'ssh_fingerprint_digest'.
* agent/command-ssh.c (data_sign, ssh_identity_register): Honor the
option for strings used to communicate with the user.
* agent/findkey.c (agent_modify_description): Likewise.
* agent/gpg-agent.c (cmd_and_opt_values): New value.
(opts): New option '--ssh-fingerprint-digest'.
(parse_rereadable_options): Set the default to MD5 for now.
(main): Handle the new option.
* doc/gpg-agent.texi: Document the new option.
--
OpenSSH has transitioned from using MD5 to compute key fingerprints to
SHA256. This patch makes the digest used when communicating key
fingerprints to the user (e.g. in pinentry dialogs) configurable.
For now this patch conservatively defaults to MD5.
GnuPG-bug-id: 2106
Signed-off-by: Justus Winter <[email protected]>
|
|
* agent/command-ssh.c (add_control_entry): Hand in the key, write both
the MD5- and the SHA256-based fingerprint to the 'sshcontrol' file
when adding ssh keys.
(ssh_identity_register): Adapt callsite.
GnuPG-bug-id: 2106
Signed-off-by: Justus Winter <[email protected]>
|
|
* common/ssh-utils.c (get_fingerprint): Add and honor 'algo' parameter.
(ssh_get_fingerprint{,_string}): Likewise.
* common/ssh-utils.h (ssh_get_fingerprint{,_string}): Update prototypes.
* common/t-ssh-utils.c (main): Adapt accordingly.
* agent/command-ssh.c (agent_raw_key_from_file): Likewise.
(ssh_identity_register): Likewise.
* agent/command.c (do_one_keyinfo): Likewise.
* agent/findkey.c (modify_description): Likewise.
--
This lays the foundation to support other algorithms.
GnuPG-bug-id: 2106
Signed-off-by: Justus Winter <[email protected]>
|
|
* agent/call-pinentry.c (start_pinentry): Add const to tbl.
* agent/command-ssh.c (request_specs): Add const.
(ssh_key_types): Likewise.
(request_spec_lookup): Add const to the return value and SPEC.
(ssh_request_process): Likewise.
* agent/protect.c (protect_info): Add const.
(agent_unprotect): Add const to algotable.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
--
In addition, fix trailing spaces in tests/inittests.
GnuPG-bug-id: 3121
Reported-by: ka7 (klemens)
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/command-ssh.c (ssh_key_to_protected_buffer): Not touch ERR.
* agent/command.c (cmd_genkey, cmd_import_key): Clean up.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/call-pinentry.c (start_pinentry): Return RC.
* agent/command-ssh.c (ssh_handler_request_identities): Don't set ERR.
* agent/findkey.c (try_unprotect_cb): Return ERR.
(unprotect): Don't set RC.
* agent/gpg-agent.c (handle_connections): Don't set fd.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/command-ssh.c (stream_read_cstring): Just call
stream_read_string.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/command-ssh.c (get_client_pid): Use 0 to initialize.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/Makefile.am (AM_CPPFLAGS): Remove -I$(top_srcdir)/common.
* agent/call-pinentry.c, agent/call-scd.c: Follow the change.
* agent/command-ssh.c, agent/command.c, agent/cvt-openpgp.c: Ditto.
* agent/divert-scd.c, agent/findkey.c, agent/genkey.c: Ditto.
* agent/gpg-agent.c, agent/pksign.c, agent/preset-passphrase.c: Ditto.
* agent/protect-tool.c, agent/protect.c, agent/trustlist.c: Ditto.
* agent/w32main.c: Ditto.
--
For openpty function, we need to include util.h on some OS.
We also have util.h in common/, so this change is needed.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/command-ssh.c: Add sys/socket.h and sys/un.h.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* configure.ac: Simply check getpeerucred and ucred.h, and structure
members.
* agent/command-ssh.c: Include ucred.h.
(get_client_pid) [HAVE_STRUCT_SOCKPEERCRED_PID]: Use sockpeercred
structure for OpenBSD.
[LOCAL_PEERPID]: Use LOCAL_PEERPID for macOS.
[LOCAL_PEEREID]: Use LOCAL_PEEREID for NetBSD.
[HAVE_GETPEERUCRED]: Use getpeerucred for OpenSolaris.
--
This change also addresses following bug.
GnuPG-bug-id: 2981.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/command-ssh.c (card_key_list): Return 0 when
agent_card_serialno returns an error.
(ssh_handler_request_identities): Handle errors for card listing
and proceed to other cases.
--
GnuPG-bug-id: 2980
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
--
This fixes extra word repetitions (like "the the" or "is is") in the
code and docs.
Signed-off-by: Daniel Kahn Gillmor <[email protected]>
|
|
* agent/command-ssh.c (card_key_list): Care the case of no cards.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/call-scd.c (card_cardlist_cb, agent_card_cardlist): New.
* agent/command-ssh.c (card_key_list): New.
(ssh_handler_request_identities): Call card_key_list and loop for the
list to send public keys for all available cards.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* configure.ac: Check for SO_PEERCRED et al.
* agent/agent.h (server_control_s): Add field 'client_pid'.
* agent/command.c (start_command_handler): Set CLIENT_PID.
* agent/command-ssh.c (get_client_pid): New.
(start_command_handler_ssh): Set CLIENT_PID.
* agent/call-pinentry.c (start_pinentry): Tell Pinentry the client-pid.
Signed-off-by: Werner Koch <[email protected]>
|
|
--
Also some http:// -> https:// fixes.
Signed-off-by: Werner Koch <[email protected]>
|
|
* agent/call-scd.c (agent_card_serialno): Add DEMAND argument.
* agent/command-ssh.c (card_key_available): Follow the change.
* agent/learncard.c (agent_handle_learn): Likewise.
* agent/divert-scd.c (ask_for_card): Use DEMAND argument.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
--
|
|
--
Signed-off-by: Justus Winter <[email protected]>
|
|
* agent/findkey.c (agent_write_shadow_key): New.
* agent/command-ssh.c (card_key_available): Use agent_write_shadow_key.
* agent/learncard.c (agent_handle_learn): Likewise.
* agent/command.c (cmd_readkey): Add --card option.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* NEWS, acinclude.m4, agent/command-ssh.c, agent/command.c,
agent/gpg-agent.c, agent/keyformat.txt, agent/protect-tool.c,
common/asshelp.c, common/b64enc.c, common/recsel.c, doc/DETAILS,
doc/HACKING, doc/Notes, doc/TRANSLATE, doc/dirmngr.texi,
doc/faq.org, doc/gpg-agent.texi, doc/gpg.texi, doc/gpgsm.texi,
doc/instguide.texi, g10/armor.c, g10/gpg.c, g10/keyedit.c,
g10/mainproc.c, g10/pkclist.c, g10/tofu.c, g13/sh-cmd.c,
g13/sh-dmcrypt.c, kbx/keybox-init.c, m4/pkg.m4, sm/call-dirmngr.c,
sm/gpgsm.c, tests/Makefile.am, tests/gpgscm/Manual.txt,
tests/gpgscm/scheme.c, tests/openpgp/gpgv-forged-keyring.scm,
tests/openpgp/multisig.test, tests/openpgp/verify.scm,
tests/pkits/README, tools/applygnupgdefaults,
tools/gpg-connect-agent.c, tools/mime-maker.c, tools/mime-parser.c:
minor spelling cleanup.
Signed-off-by: Daniel Kahn Gillmor <[email protected]>
|
|
* agent/command-ssh.c (ssh_handler_request_identities): Keep error
message same.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/command-ssh.c (sexp_key_construct): Lowercase the algo name.
--
We need to use a lowercase version of the algo in S-expression.
Unfortunately Libgcrypt has no function for this, thus we need to
malloc and first.
Fixes-commit: ebf24e3
Signed-off-by: Werner Koch <[email protected]>
|
|
* agent/command-ssh.c (ssh_handler_request_identities): Skip a key with
error, not giving up to handle the request itself.
* agent/cvt-openpgp.c (extract_private_key): Support "ecdsa" key.
--
Note that "ecdsa" key is still in use by old versions of gpg-agent
through its SSH handling (until 2.1.14). With old versions of
gpg-agent, adding ECDSA key by ssh-add command, "ecdsa" key will be
created. So, "ecdsa" key should be supported.
For g10/gpg, "ecdsa" and "ecdh" was only used in some experimental
versions of libgcrypt, with parameters. We now use "ecc" for all cases
in released versions.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* common/util.h (get_pk_algo_from_key): New.
* common/sexputil.c (get_pk_algo_from_key): The implementation.
* agent/gpg-agent.c: Remove include of openpgpdefs.h.
* agent/command-ssh.c (struct ssh_key_type_spec): Use integer ALGO.
(ssh_key_types): Update with GCRY_PK_*.
(make_cstring, sexp_extract_identifier): Remove.
(sexp_key_construct): Use gcry_pk_algo_name to get ALGO string.
(ssh_key_to_blob): Use cadr to get value list.
(ssh_key_type_lookup): Lookup with integer ALGO.
(ssh_receive_key): Follow the change of ssh_key_type_lookup.
(ssh_send_key_public): Likewise. Use get_pk_algo_from_key to get ALGO.
--
This fixes the regresson introduced by the commit
894789c3299dc47a8c1ccaaa7070382f0fae0262.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/command-ssh.c (file_to_buffer): Remove.
(ssh_handler_request_identities): Use agent_public_key_from_file.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* agent/command-ssh.c (ssh_identity_register): Add a key to sshcontrol
even if it is already in the private key store.
* tests/openpgp/ssh.scm: Test this.
GnuPG-bug-id: 2316
Signed-off-by: Justus Winter <[email protected]>
|
|
* common/homedir.c (the_gnupg_homedir): New var.
(gnupg_set_homedir): New.
(gnupg_homedir): New.
* g10/options.h (struct opt): Remove 'homedir' and replace all users
by the new accessor functions.
* g13/g13-common.h (struct opt): Ditto.
* scd/scdaemon.h (struct opt): Ditto.
* sm/gpgsm.h (struct opt): Ditto.
* dirmngr/dirmngr.h (struct opt): Ditto.
* agent/preset-passphrase.c (opt_homedir): Ditto.
* agent/protect-tool.c (opt_homedir): Ditto.
--
This will make detection of a non-default homedir easier.
Signed-off-by: Werner Koch <[email protected]>
|
