| Commit message (Collapse) | Author | Files | Lines |
|---|
|
--
This is helpful for backporting other changes.
|
|
* scd/app-openpgp.c (parse_algorithm_attribute): Handle the case
of firmware 5.4, too.
--
Cherry-picked master commit of:
f34b9147eb3070bce80d53febaa564164cd6c977
GnuPG-bug-id: 6070
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
(change_keyattr): Follow the change.
(app_select_openpgp): Handle the error of parse_algorithm_attribute.
--
Backport master commit of:
53eddf9b9ea01210f71b851b5cb92a5f1cdb6f7d
This change allows following invocation of app_select_openpgp, which
may work well (if the problem is device side for initial connection).
GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (do_auth): Use command chaining if available.
--
Cherry-picked from master branch of:
e8fb8e2b3e66d5ea8a3dc90afdc14611abf2c3da
GnuPG-bug-id: 5935
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (parse_algorithm_attribute): Skip possibly bogus
octet in a key attribute.
--
Apply master commit of:
054d14887ef8fa1cbadef4ed2ea28213f25f5d25
GnuPG-bug-id: 5963
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (do_auth): Use extended Lc, when supported.
--
GnuPG-bug-id: 5682
Co-authored-by: Klas Lindfors
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
--
|
|
* scd/app-openpgp.c (do_change_pin): Use correct CHVNO=1 for
pin2hash_if_kdf, for user's PIN.
--
GnuPG-bug-id: 5413
Signed-off-by: Kirill Elagin <[email protected]>
(cherry picked from commit f209d7d2db0e963a6ad1fa8c4f0c034ba0297842)
|
|
* scd/scdaemon.h (opt): Add field opcsc_shared.
* scd/scdaemon.c (opcscShared): New.
(opts): Add "--pcsc-shared".
(main): Set flag.
* scd/apdu.c (connect_pcsc_card): Use it.
(pcsc_get_status): Take flag in account.
* scd/app-openpgp.c (verify_chv2): Do not auto verify chv1 in shared
mode.
--
This option should in general not be used. The patch tries to limit
bad effects but using shared mode is somewhat dangerous depending on
the other PC/SC users.
(cherry picked from commit 5732e7a8e97cebf8e850c472e644e2a9b040836f)
|
|
* common/openpgp-oid.c (openpgp_curve_to_oid): Add optional arg R_NBITS.
Change all callers.
--
In particular for ed25519 and cv25519 it is quite useful to have an
ability to get the required algorithm.
(cherry picked from commit 24095101a5069f15a9aea7512498ac436a76814a)
|
|
* scd/app-common.h (APP_READKEY_FLAG_ADVANCED): New.
(struct app_ctx_s): Replace param advanced by flags in readkey.
Change all users.
|
|
* scd/app-common.h (struct app_ctx_s): Add parameter ctrl to function
pointers for readkey, setattr, sign, auth, decipher, and check_pin.
--
This is a yet another patch to allow for easier backporting.
|
|
* scd/app-common.h (struct app_ctx_s): Rename unused field
card_version to cardversion.
* scd/app.c (app_new_register): Add code rom 2.3 to detect the Yubikey
and set cardversion.
(app_get_dispserialno): New.
* scd/app-openpgp.c (do_getattr): Use app_get_dispserialno.
|
|
* scd/app-common.h (cardtype_t): New.
(apptype_t): New.
(struct app_ctx_s): Change type of field apptype. Add fields
appversion and cardtype. Adjust all app-*.c for the new type.
* scd/app.c (supported_app_list): New.
(strapptype): New.
(apptype_from_name): New.
(app_dump_state): Use strapptype.
(app_write_learn_status): Ditto.
(app_getattr): Ditto.
(check_conflict): Use apptype_from_name and integer comparison.
* scd/app-openpgp.c: Replace app->card_version by app->appversion.
--
This is another patch to make backporting from 2.3 easier.
|
|
* scd/app-common.h (APP_WRITEKEY_FLAG_FORCE): New.
(APP_READKEY_FLAG_INFO): New.
(APP_LEARN_FLAG_KEYPAIRINFO): New.
(APP_LEARN_FLAG_MULTI): New.
(struct app_ctx_s): New forward declaration.
(struct app_ctx_s): Add members prep_reselect, reselect, and
with_keygrip.
(KEYGRIP_ACTION_SEND_DATA): New.
(KEYGRIP_ACTION_WRITE_STATUS): New.
(KEYGRIP_ACTION_LOOKUP): New.
(APP_CARD): New macro.
* scd/scdaemon.h: Include app-common.h and remove from all other
files.
(app_t): Move typedef to ...
* scd/app-common.h: here.
--
These changes will make it easier to backport changes from 2.3 to 2.2.
Signed-off-by: Werner Koch <[email protected]>
|
|
* scd/app-openpgp.c (build_privkey_template): Adding another argument
of ecc_d_fixed_len to handle variable-size MPI.
--
Backport from master commit of:
a25c99b156ca9acaa7712e9c09a6df0a7a23c833
GnuPG-bug-id: 5163
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
--
GnuPG-bug-id: 5071
Also fixed one in keyformat.txt [wk].
(cherry picked from commit 572bcacc287d24d0a2cc56442f9fb6a9ac49e12d)
|
|
* scd/app-openpgp.c (check_keyidstr): Call get_public_key.
--
GnuPG-bug-id: 5065
Fixes-commit: 1049f06c6d2e1a833af4c73ea67a05417bbd0967
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
--
It does not make sense to keep support form GnuPG 1 here given that we
don't intend to ever backport any of the current stuff to the legacy
version.
Signed-off-by: Werner Koch <[email protected]>
|
|
* scd/app-openpgp.c (struct app_local_s): Add keygrip_str.
(store_keygrip): New.
(read_public_key): Store the keygrip.
(get_public_key): Sitto.
(send_keypair_info): USe the stored keygrip.
(check_keyidstr): New. Factored out from other functions and
extended.
(do_sign): Use check_keyidstr.
(do_auth): Ditto.
(do_decipher): Ditto.
(do_check_pin): Ditto.
--
This code is a backport of commits:
b0f0791e4ade845b2a0e2a94dbda4f3bf1ceb039
cd: Factor out a function to check keyidstr.
4c4999b8185ace55eb5f3a6fa7d3dc0a77267b63
scd:openpgp: Allow PKSIGN with keygrip also for OPENPGP.3.
e769609cd3c12d2e26955538399172016f78d2d4
scd: Allow KEYGRIP as KEYIDSTR.
Co-authored-by: NIIBE Yutaka <[email protected]>
Signed-off-by: Werner Koch <[email protected]>
|
|
* scd/app-openpgp.c (get_public_key): Handle wrong code for Yubikey.
--
Backport master commit of:
0db9c83555b4a8a0c52f96e96ec20dbfd3d75272
Yubikey version 5 s/n 609074582 returns 0x6982, version 5.2.4 s/n
610616049 returns 0x6581, where 0x6a88 is expected.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (build_ecc_privkey_template): Fix allocation size.
--
Cherry-picked from master commit of:
2a34a2afea5fcb5f4ed206afa110650db3dd7ef0
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (do_learn_status): Report any error.
--
Backport master commit of:
862d9c6face9b4ad61f6e59bf1ba9b5f5d05c58c
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (verify_chv2): Call verify_a_chv with chvno=1
when needed.
--
Backport of master commit of:
6e51f2044aebb885ea81dae259db1b7f477b1c44
Fixes-commit: d2f1a0a791db3eb03c003365cbcd010bd8066edb
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (verify_chv2): Make sure loading keys.
--
Fixes-commit: d2f1a0a791db3eb03c003365cbcd010bd8066edb
Reported-by: Michał Górny
GnuPG-bug-id: 5039
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (verify_chv2): Check availability of keys in
question.
--
Backport master commit of:
af189be481df02a77e088aa0a60a1fc02dfa12bf
With buggy Gnuk (<= 1.2.15), when no encr/auth keys are available,
it fails decrementing the signature error counter. This change
can avoid the issue.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (compare_fingerprint): Relax the condition.
--
Cherry-picked from master commit of:
f3df8dbb696fed192501fa7f741c2e0e0936a3d5
GnuPG-bug-id: 4957
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* common/logging.c (log_printhex): Chnage order of args. Make it
printf alike. Change all callers.
* configure.ac: Add -Wno-format-zero-length
--
This makes it consistent with modern libgpgrt logging and thus eases
back porting from newer GnuPG versions which use libgpgrt logging.
Signed-off-by: Werner Koch <[email protected]>
|
|
* scd/app-openpgp.c (get_manufacturer): New..
(do_getattr): Add new attribute "MANUFACTURER".
(do_learn_status): Always print it.
--
This will make it easy to maintain the list of OpenPGP vendors at just
one place.
Signed-off-by: Werner Koch <[email protected]>
Backported from master:
.. or well in master and 2.2
Signed-off-by: Werner Koch <[email protected]>
|
|
* scd/app-openpgp.c (do_getattr): Send the KDF DO information.
--
Fixes-commit: 95c7498b76231d3297541172d878f6a26702539b
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit 11da441016222337284c519ff56aca34e3042373)
|
|
* scd/app-openpgp.c (struct app_local_s): Add pinpad.disabled field.
(do_getattr): Set pinpad.disabled field.
(check_pinpad_request): Use the pinpad.disabled field.
(do_setattr): Update pinpad.disabled field.
--
GnuPG-bug-id: 4832
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit 95c7498b76231d3297541172d878f6a26702539b)
Signed-off-by: Werner Koch <[email protected]>
|
|
* scd/app-openpgp.c (send_keypair_info): Return usage.
--
Signed-off-by: Werner Koch <[email protected]>
|
|
* g10/call-agent.c (agent_scd_keypairinfo): Use --keypairinfo.
* sm/call-agent.c (gpgsm_agent_scd_keypairinfo): Ditto.
* scd/app-openpgp.c (do_getattr): Add attributes "$ENCRKEYID" and
"$SIGNKEYID".
* scd/app-nks.c (do_getattr): Add attributes too.
--
We already have $AUTHKEYID to locate the keyref of the key to be used
with ssh. It will also be useful to have default keyref for
encryption and signing. For example, this will allow us to replace
the use of "OPENPGP.2" by a app type specific keyref.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 2b1135cf920cf3d863813d60f032d476dcccfb58)
Removed changes for the non-existing app-piv.c.
Added support for NKS.
|
|
* g10/card-util.c (current_card_status): String changes.
(change_sex): Description change.
(cmds): Add "salutation"; keep "sex" as an alias.
--
Note that we can't change the used values or tags but at least the UI
should show reflect the real purpose of the field.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 166f3f9ec40888e10cb0c51017944bfc57503fc1)
|
|
Signed-off-by: Daniel Kahn Gillmor <[email protected]>
|
|
* g10/ecdh.c (kek_params_table): Use CIPHER_ALGO_AES192 for
ECC strength 384, according to RFC-6637.
--
Reported-by: Trevor Bentley
Signed-off-by: NIIBE Yutaka <[email protected]>
(cherry picked from commit af3efd149f555d36a455cb2ea311ff81caf5124c)
|
|
* scd/app-openpgp.c (do_setattr): Add new table item to flush a
different tag.
--
For whatever reasons the OpenPGP card reads the 3 CA fingerprints from
one object but sets them individually using 3 different tags. The
cache flushing was not prepared for this and so a changed CA
fingerprint showed only up after a card reset. This patch fixes it.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit c9f4c1f0de06672c6ae2b793d86cc001d131f9a6)
Fixed conflict by removing the UIF-* entries from the table.
|
|
* scd/app.c (app_genkey): Add arg keytype.
* scd/app-common.h (struct app_ctx_s): Fitto for the genkey member.
* scd/command.c (cmd_genkey): Adjust for change.
* scd/iso7816.c (do_generate_keypair): Replace arg read_only by new
args p1 and p2.
(iso7816_read_public_key): Adjust for this.
(iso7816_generate_keypair): Add new args p1 and p2.
* scd/app-openpgp.c (do_genkey): Adjust for changes.
--
The OpenPGP card creates keys according to parameters read from a data
object. Other cards we are about to implement require a direct
specification of the requested keytype. This patch implements the
required changes.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 9a9cb0257aebb1480b999fdf9d90904083eb8e3c)
|
|
* scd/app-openpgp.c (do_change_pin): Allow prefixing the CHVNO with
"OPENPGP."
--
The generic keyref allows for better error detection in case a keyref
is send to a wrong card. This has been taken from master commit
3231ecdafd71ac47b734469b07170756979ede72 which has additional changed
for gpg-card-tool, which is only available there.
Signed-off-by: Werner Koch <[email protected]>
|
|
* scd/command.c (cmd_passwd): Add option --clear.
(send_status_printf): New.
* scd/app-common.h (APP_CHANGE_FLAG_CLEAR): New.
* scd/app-nks.c (do_change_pin): Return an error if that option is
used.
* scd/app-openpgp.c (do_change_pin): Ditto.
--
Card application may support this option to clear the PIN verification
status of a specific PIN.
Signed-off-by: Werner Koch <[email protected]>
(cherry picked from commit 29929e65521279eabc98a67c766fe485057405a9)
|
|
* scd/app-openpgp.c (do_learn_status): Report KDF attr.
* g10/card-util.c (current_card_status): Output KDF for with_colons.
--
Backport of master commit: 05d163aebc04db109ec5e004eb04a4b3796f6421
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (do_sign): Clear DID_CHV1 after signing.
--
Cherry-picked from master commit of:
78f542e1f4495195db2e668f9cd41657fb1afc77
We have a corner case: In "not forced" situation and authenticated,
and it is changed to "forced", card implementaiton can actually accept
signing, but GnuPG requires authentication, because it is "forced".
GnuPG-bug-id: 4177
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (do_setattr): Clear auth state.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* g10/card-util.c (gen_kdf_data): Support single salt.
(kdf_setup): Can have argument for single salt.
* scd/app-openpgp.c (pin2hash_if_kdf): Support single salt.
--
Gnuk has "admin-less" mode. To support "admin-less" mode with KDF
feature, salt should be same for user and admin. Thus, I introduce a
valid use of single salt.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (change_rsa_keyattr): Try usual RSA.
--
In the OpenPGP card specification, there are multiple options to
support RSA (having P and Q or not, etc.), and it is implementation
dependent. Since GnuPG doesn't have knowledge which card
implementation support which option and there is no way (yet) for card
to express itself which key attributes are supported, we haven't
supported key attribute change back to RSA. But, many card
implementation uses P and Q, try this option. If other cases,
factory-reset would be easier option.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* g10/call-agent.c (learn_status_cb): Parse the capability for KDF.
* g10/card-util.c (gen_kdf_data, kdf_setup): New.
(card_edit): New admin command cmdKDFSETUP to call kdf_setup.
* scd/app-openpgp.c (do_getattr): Emit KDF capability.
--
GnuPG-bug-id: 3823
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (pin2hash_if_kdf): Check the content of KDF DO.
--
Length check added by gniibe.
Signed-off-by: Arnaud Fontaine <[email protected]>
|
|
* scd/app-openpgp.c (get_cached_data): Return NULL for Data Object
with no data.
--
When GET_DATA returns no data with success (90 00), this routine
firstly returned buffer with length zero, and secondly (with cache)
returned NULL, which is inconsistent. Now, it returns NULL for both
cases.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (do_getattr, do_setattr): Add KDF support.
(pin2hash_if_kdf): New.
(verify_a_chv): Add PINLEN arg. Use pin2hash_if_kdf.
(verify_chv2, do_sign): Follow the change of verify_a_chv.
(verify_chv3, do_change_pin): Use pin2hash_if_kdf.
--
GnuPG-bug-id: 3152
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* scd/app-openpgp.c (do_decipher): Support larger length.
--
Reported-by: Achim Pietig <[email protected]>
Signed-off-by: NIIBE Yutaka <[email protected]>
|
