| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/keydb.h (GET_PUBKEYBLOCK_FLAG_ADSK): New constant.
* g10/packet.h (PUBKEY_USAGE_XENC_MASK): New constant.
* g10/pubkey-enc.c (get_session_key): Consider an ADSK also as "marked
for encryption use".
(get_it): Print a note if an ADSK key was used. Use the new
get_pubkeyblock flag.
* g10/getkey.c (struct getkey_ctx_s): Add field allow_adsk.
(get_pubkeyblock): Factor all code out to ...
(get_pubkeyblock_ext): new.
(finish_lookup): Add new arg allow_adsk and make use of it.
--
This patch solves two purposes:
- We write a note that the ADSK key was used for decryption
- We avoid running into a
"oops: public key not found for preference check\n"
due to ADSK keys. The error is mostly harmless but lets gpg return
with an exit code of 2.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* g10/options.h (DBG_KEYDB_VALUE): New.
* g10/gpg.c (debug_flags): Add it.
* g10/keydb.c: Replace all DBG_LOOKUP by DBG_KEYDB.
* g10/keyring.c: Ditto.
* g10/call-keyboxd.c: Ditto.
--
Using "lookup" also for key search debugging was not a good idea.
This uses a separate flag for the latter.
|
| |
|
|
|
|
|
| |
* g10/compress.c (init_compress): Increase buffersize.
--
This may speed up things a little bit.
|
| |
|
|
|
|
|
|
|
| |
* g10/export.c (export_secret_ssh_key): Free memory on errrors.
--
GnuPG-bug-id: 7201
Signed-off-by: Jakub Jelen <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
* g10/call-agent.c (agent_probe_any_secret_key): No second keygrip
is not an error.
--
GnuPG-bug-id: 7195
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* agent/genkey.c (do_check_passphrase_pattern): Use the gpgrt API.
* common/asshelp.c (start_new_service): Ditto.
* common/exechelp.h: Remove gnupg_process_spawn API.
* common/exechelp-posix.c: Remove gnupg_process_spawn implementation.
* common/exechelp-w32.c: Likewise.
* common/exectool.c (gnupg_exec_tool_stream): Use the gpgrt API.
* common/t-exechelp.c (test_pipe_stream): Remove.
* dirmngr/ldap-wrapper.c (destroy_wrapper, ldap_reaper_thread): Use
the gpgrt API.
(ldap_wrapper_connection_cleanup, ldap_wrapper): Ditto.
* dirmngr/ldap.c, g10/call-keyboxd.c: No need to include exechelp.h.
* g10/photoid.c (run_with_pipe, show_photo): Use the gpgrt API.
* g13/be-encfs.c (run_umount_helper, run_encfs_tool): Ditto.
* g13/g13.c, g13/mount.c, g13/runner.c: No need to include exechelp.h.
* scd/apdu.c: No need to include exechelp.h.
* scd/app.c (report_change): Use the gpgrt API.
* sm/export.c, sm/import.c: No need to include exechelp.h.
* tests/gpgscm/ffi.c (proc_object_finalize, proc_wrap)
(do_process_spawn_io, do_process_spawn_fd, do_process_wait): Use the
gpgrt API.
* tools/gpg-auth.c: No need to include exechelp.h.
* tools/gpg-card.c (cmd_gpg): Use the gpgrt API.
* tools/gpg-connect-agent.c: No need to include exechelp.h.
* tools/gpg-mail-tube.c (mail_tube_encrypt, prepare_for_appimage)
(start_gpg_encrypt): Use the gpgrt API.
* tools/gpgconf-comp.c (gpg_agent_runtime_change)
(scdaemon_runtime_change, tpm2daemon_runtime_change)
(dirmngr_runtime_change, keyboxd_runtime_change)
(gc_component_launch, gc_component_check_options)
(retrieve_options_from_program): Ditto.
* tools/gpgconf.c (show_versions_via_dirmngr): Ditto.
* tools/gpgtar-create.c (gpgtar_create): Ditto.
* tools/gpgtar-extract.c (gpgtar_extract): Ditto.
* tools/gpgtar-list.c (gpgtar_list): Ditto.
--
GnuPG-bug-id: 7192
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
| |
* g10/keygen.c (do_generate_keypair): Check for draf Kyber stuff.
|
| |
|
|
| |
* g10/keylist.c (list_keyblock_direct): Set check_sigs.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/options.h (opt): Add show_only_session_key and turn
show_session_key into a bit flag.
* g10/gpg.c (oShowOnlySessionKey): New.
(opts): Add "show-only-session-key".
(main): Set flag.
* g10/mainproc.c (proc_encrypted): Handle the new option.
* g10/decrypt-data.c (decrypt_data): Ditto. Add compliance error flag
to the DECRYPTION_INFO status line.
--
This new option is somehow related to
GnuPG-bug-id: 1825
|
| |
|
|
|
|
|
|
|
| |
* g10/import.c (parse_import_options): Rename option.
* g10/options.h (IMPORT_NO_SECKEY): Rename to IMPORT_ONLY_PUBKEYS.
Change all users.
--
GnuPG-bug-id: 7146
|
| |
|
|
|
|
|
| |
* g10/import.c (parse_import_options): Add "no-seckeys".
--
GnuPG-bug-id: 7146
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/keygen.c (PQC_STD_KEY_PARAM): New.
(quickgen_set_para): Always store the provided NBITS.
(parse_key_parameter_string): Detect the special value "pqc".
(quick_generate_keypair): Ditto.
--
With this change we can finally do a
gpg --quick-gen-key --batch --passphrase='' [email protected] pqc
and get a full key. Currently with a brainpoolp386r1 primary key and
a Kyber768_brainpoolp256 subkey.
|
| |
|
|
|
|
|
|
|
| |
* g10/getkey.c (lookup): Skip keys with unknown algos.
--
If the local store has private keys with an algorithm not supported by
thi version of gpg, gpg used to bail out. Thus decryption of proper
messages was not possible. This fix skips such secret keys.
|
| |
|
|
|
|
|
|
|
|
| |
* g10/getkey.c (has_key_with_fingerprint): New.
* g10/keyedit.c (menu_addadsk): Replace code by new function.
(keyedit_quick_addadsk): Handle magic arg "default".
* g10/keygen.c (append_all_default_adsks): New.
--
GnuPG-bug-id: 6882
|
| |
|
|
|
|
| |
* g10/packet.h (PUBKEY_USAGE_BASIC_MASK): New.
* g10/getkey.c (merge_selfsigs_subkey): Mask the default.
(merge_selfsigs_main): Ditto.
|
| |
|
|
|
|
|
|
|
|
| |
* g10/keylist.c (print_revokers): Add arg with_colon, adjust callers,
add human printable format.
(list_keyblock_print): Call print_revokers.
--
Designated revokers were only printed in --with-colons mode. For
quick inspection of a key it is useful to see them right away.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/options.h (opt): Move the definition of struct akl to global
scope.
* g10/keydb.h (enum get_pubkey_modes): Add GET_PUBKEY_TRY_LDAP.
* g10/getkey.c (get_pubkey_byname): Implement GET_PUBKEY_BYNAME.
* g10/keygen.c (prepare_desig_revoker): Use it here.
(prepare_adsk): and here.
--
The revoker key is required before we create it along with a new key.
This is because the we need to know the algo and also to make sure
that the key really exists.
GnuPG-bug-id: 7133
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/keyserver.c (keyserver_import_mbox): Add arg flags and change
callers.
(keyserver_import_ldap): Remove. It has always returned a not
implemented error since 2.1.
* g10/getkey.c (get_pubkey_byname): Repurpose LDAP to do basically the
same as KEYSERVER.
--
The old LDAP mechanism to locate a server via SRV records has long
been gone (since 2014) due to the dropping of the keyserver helpers.
The new purpose better reflects reality and can be used in
environments where keys are provided by an in-house LDAP server.
|
| |
|
|
|
|
| |
--
The fprint is too uncommon in our code base and to similar to fprintf.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/options.h (opt): Add field def_new_key_adsks.
* g10/gpg.c (oDefaultNewKeyADSK): New.
(opts): Add --default-new-key-adsk.
(main): Parse option.
* g10/keyedit.c (menu_addadsk): Factor some code out to ...
(append_adsk_to_key): new. Add compliance check.
* g10/keygen.c (pADSK): New.
(para_data_s): Add adsk to the union.
(release_parameter_list): Free the adsk.
(prepare_adsk): New.
(get_parameter_adsk): New.
(get_parameter_revkey): Remove unneeded arg key and change callers.
(proc_parameter_file): Prepare adsk parameter from the configured
fingerprints.
(do_generate_keypair): Create adsk.
--
GnuPG-bug-id: 6882
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
--
These are non-substantive corrections for minor spelling mistakes
within the GnuPG codebase.
With something like this applied to the codebase, and a judiciously
tuned spellchecker integrated as part of a standard test suite, it
should be possible to keep a uniform orthography within the project.
GnuPG-bug-id: 7116
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* common/exechelp-posix.c (call_spawn_cb): Remove.
(gnupg_spawn_actions_new, gnupg_spawn_actions_release)
(gnupg_spawn_actions_set_environ, gnupg_spawn_actions_set_atfork)
(gnupg_spawn_actions_set_redirect)
(gnupg_spawn_actions_set_inherit_fds): New.
(my_exec, spawn_detached): Use spawn actions.
(gnupg_spawn_helper): Remove.
(gnupg_process_spawn): Remove callback, introduce gnupg_spawn_actions.
* common/exechelp-w32.c: Ditto.
* common/exechelp.h: Ditto.
* agent/genkey.c (do_check_passphrase_pattern): Follow the change of
gnupg_process_spawn API.
* common/asshelp.c (start_new_service): Likewise.
* common/exectool.c (gnupg_exec_tool_stream): Likewise.
* common/t-exechelp.c (test_pipe_stream): Likewise.
* dirmngr/ldap-wrapper.c (ldap_wrapper): Likewise.
* g10/photoid.c (run_with_pipe): Likewise.
* scd/app.c (report_change): Likewise.
* tests/gpgscm/ffi.c (do_process_spawn_io, do_process_spawn_fd):
Likewise.
* tools/gpg-card.c (cmd_gpg): Likewise.
* tools/gpgconf-comp.c (gpg_agent_runtime_change): Likewise.
(scdaemon_runtime_change, tpm2daemon_runtime_change)
(dirmngr_runtime_change, keyboxd_runtime_change)
(gc_component_launch, gc_component_check_options)
(retrieve_options_from_program): Likewise.
* tools/gpgconf.c (show_versions_via_dirmngr): Likewise.
* tools/gpgtar-create.c (gpgtar_create): Likewise.
* tools/gpgtar-extract.c (gpgtar_extract): Likewise.
* tools/gpgtar-list.c (gpgtar_list): Likewise.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
* g10/keygen.c (card_store_key_with_backup): Avoid double free and
simplify error handling.
--
This is part of
GnuPG-bug-id: 7129
Co-authored-by: Jakub Jelen <[email protected]>
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| | |
--
Fixed conflicts in:
NEWS
g10/call-agent.c
g10/options.h
kbx/kbxutil.c
tools/gpgconf.c
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/armor.c (radix64_read): Detect the end of armor when
there is no CRC24 checksum.
--
Cherry-pick master commit of:
3a344d6236521d768793e8b34a96a18ce13bab0e
GnuPG-bug-id: 7071
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/options.h (LIST_SHOW_OWNERTRUST): New.
* g10/keylist.c (print_key_line): Show wonertrust and always show
whether a key is disabled.
* g10/gpg.c (parse_list_options): Add "show-ownertrust".
* g10/gpgv.c (get_ownertrust_string): Add stub.
* g10/test-stubs.c (get_ownertrust_string): Add stub.
--
Note that in a --with-colons listing the ownertrust has always been
emitted and the disabled state is marked in that listing with a
special 'D' usage.
|
| | |
| |
| |
| |
| |
| |
| | |
* g10/gpg.c (aQuickSetOwnertrust): New.
(opts): Add new command.
(main): Implement it.
* g10/keyedit.c (keyedit_quick_set_ownertrust): New.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
* g10/call-agent.c (agent_probe_any_secret_key): Act on --quiet.
--
When using the extra-socket this disagnostic will be printed because a
listing of all secret keys is not allowed by a remote gpg.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/keygen.c (print_key_flags): Print "RENC" if set.
(ask_key_flags_with_mask): Remove RENC from the possible set of
usages. Add a direct way to set it iff the key is encryption capable.
--
This could be done by using "set your own capabilities" for an RSA
key. In fact it was always set in this case.
GnuPG-bug-id: 7072
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/mainproc.c (proc_encrypted): Force a decryption failure if any
error has been seen.
* g10/decrypt-data.c (aead_checktag): Issue an ERROR line.
--
GnuPG-bug-id: 7042
Note that gpg in any case returns a failure exit code but due to
double forking GPGME would not see it.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/keylist.c (list_all): Handle error from list_keyblock.
(list_one): Ditto.
(locate_one): Ditto.
(list_keyblock): Detect write error, print, and return it.
(list_keyblock_direct): Return error from list_keyblock.
* g10/import.c (import_one_real): Break on listing error.
--
Test by using
gpg -k >/dev/full
GnuPG-bug-id: 6185
|
| | |
| |
| |
| |
| |
| |
| |
| | |
* g10/keygen.c (parse_key_parameter_part): Change Kyber defaults.
--
Also kyber1024 is now a shortcut for ky1024_bp384. This change is to
align it with the original wussler draft.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/keygen.c (struct opaque_data_usage_and_pk): New.
(do_add_notation): New.
(keygen_add_key_flags_from_oduap): New.
(write_keybinding): Prepare for de-vs cplimance notation. Add a
notation to Kyber subkeys.
--
This code is based on the 2.2
commit b284412786d71c1cf382e1dff3a36ec6cce11556
However the de-vs notation is currently ineffective as long as
Libgcrypt won't claim compliance.
The new notation fips203.ipd.2023-08-24 has been added to allow
detection of subkeys which have been crated with a pre-final FIPS203
spec for Kyber.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/gpg.c (oRequirePQCEncryption): New.
(opts): Add option.
(main): Set option.
* g10/mainproc.c (print_pkenc_list): Print a warning.
* g10/options.h (flags): Add flag require_pqc_encryption.
* g10/getkey.c (finish_lookup): Skip non-pqc keys if the option is
set.
--
GnuPG-bug-id: 6815
|
| | |
| |
| |
| |
| | |
* g10/keylist.c (print_keygrip): New.
(list_keyblock_print): Use new function to print the keygrip.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* common/openpgp-oid.c (oidtable): Add GCRY_KEM_RAW_BP512.
* agent/pkdecrypt.c (ecc_table): Support bp512
* g10/pkglue.c (do_encrypt_kem): Ditto.
* tests/openpgp/samplekeys: Add sample keys for kyber_bp256, bp384,
and bp512.
* tests/openpgp/privkeys: Add corresponding private keys.
* tests/openpgp/samplemsgs: Add sample messages for those keys.
--
GnuPG-bug-id: 6815
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* common/openpgp-oid.c (oidtable): Support KEM for bp256 and bp384.
* g10/pkglue.c (do_encrypt_kem): Ditto.
--
GnuPG-bug-id: 6815
Note, this needs the very latest Libgcrypt to work properly
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/pkglue.c (do_encrypt_kem): Support cv25519 w/o 0x40
prefix. Support X448.
(ECC_POINT_LEN_MAX): New.
(ECC_HASH_LEN_MAX): New.
* common/openpgp-oid.c (oidtable): Support X448 KEM.
--
This needs more work. For example we should use a parameter table
like what we do in agent/pkdecrypt.c.
GnuPG-bug-id: 6815
|
| | |
| |
| |
| |
| |
| |
| |
| | |
* common/openpgp-oid.c (oidtable): Add field kem_algo.
(openpgp_oid_to_kem_algo): New.
* g10/pkglue.c (do_encrypt_kem): Add support for Kyber1024.
--
GnuPG-bug-id: 6815
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/options.h (LIST_SHOW_OWNERTRUST): New.
* g10/keylist.c (print_key_line): Show wonertrust and always show
whether a key is disabled.
* g10/gpg.c (parse_list_options): Add "show-ownertrust".
* g10/gpgv.c (get_ownertrust_string): Add stub.
* g10/test-stubs.c (get_ownertrust_string): Add stub.
--
Note that in a --with-colons listing the ownertrust has always been
emitted and the disabled state is marked in that listing with a
special 'D' usage.
|
| | |
| |
| |
| |
| |
| |
| | |
* g10/gpg.c (aQuickSetOwnertrust): New.
(opts): Add new command.
(main): Implement it.
* g10/keyedit.c (keyedit_quick_set_ownertrust): New.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/gpg.c (oWithoutSubkeyFingerprint): New.
(opts): Add "without-subkey-fingerprint".
(main): Make --with-subkey-fingerprint the default. Implementation
the without option.
--
Given that the default for the keyid format is none, the subkey
fingerprints are important to do anything with a subkey. Thus we make
the old option the default and provide a new option to revert it.
|
| | |
| |
| |
| |
| | |
* common/compliance.c (gnupg_pk_is_compliant): Make Kyber known.
* g10/misc.c (openpgp_pk_algo_name): Add "Kyber".
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/build-packet.c (do_pubkey_enc): Support Kyber.
* g10/pkglue.c (do_encrypt_kem): Implement.
--
Note that the code does only work for ky768_cv25519 for now.
GnuPG-bug-id: 6815
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* common/kem.c: Move constants to the top. Add some documentation.
* g10/pkglue.c (pk_encrypt): Add arguments session_key and factor code
out to ...
(do_encrypt_rsa_elg): here,
(do_encrypt_ecdh): and here,
(do_encrypt_kem): and here.
* g10/encrypt.c (write_pubkey_enc): Call with session key algorithm.
--
This makes it easier to review the code.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/pubkey-enc.c (get_it): Use algo and fingerprint for the
fixed-info. Keep a testing mode.
* g10/options.h (COMPAT_T7014_OLD): New.
* g10/gpg.c (compatibility_flags): Add "t71014-old" flag.
--
GnuPG-bug-id: 6815
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/pkglue.c (pk_encrypt): Remove superfluous arguments and reanem
variable rc to err.
* g10/encrypt.c (write_pubkey_enc): Adjust for this change.
--
We used to pass PK as well as information which could be taken
directly from PK. Using ERR instead of RC is just for more uniform
naming of variables.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* g10/packet.h (PKT_pubkey_enc): Add field seskey_algo.
(struct pubkey_enc_list): Ditto.
* g10/misc.c (pubkey_get_nenc): Change value for Kyber from 4 to 3.
* g10/parse-packet.c (parse_pubkeyenc): Store the Kyber algo in the
new field and adjust data. Do not store the length byte in data[2].
* g10/build-packet.c (do_pubkey_enc): Take the session algo for Kyber
from the new field.
* g10/encrypt.c (write_pubkey_enc): Ses the seskey_algo.
* g10/mainproc.c (proc_pubkey_enc): Copy it.
* g10/pubkey-enc.c (get_it): Support Kyber decryption.
* g10/seskey.c (encode_session_key): Handle Kyber different from ECDH.
--
Having always the single byte in the packet data than to store and
retrieve it from an MPI is much easier. Thus this patch changes the
original internal format. With this chnages decryption of the slighly
modified test data works now. See the bug tracker for test data.
GnuPG-bug-id: 6815
|
| | |
| |
| |
| | |
--
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* common/openpgp-oid.c (openpgp_is_curve_supported): Allow the
abbreviated curve name.
* g10/pkglue.c (pk_encrypt): Add debug output.
* g10/seskey.c (encode_session_key): Handle Kyber session key like
ECDH. This is just a stub.
* g10/keygen.c (ecckey_from_sexp): Use the modern OID for cv25519.
(parse_key_parameter_part): Allow more Kyber variants.
--
Test by creating an ed25519 key and using
gpg --quick-add-key --batch --passphrase "" <fingerprint> <algo>
to create several subkeys. Tested with ALGOs:
kyber768
kyber1024
ky768_cv25519
ky768_bp256
kyber768_nistp256
ky1024_cv448
All curves capable of encryption should work.
GnuPG-bug-id: 6815
|
