| Commit message (Collapse) | Author | Files | Lines |
|---|
|
* sm/call-agent.c (istrusted_status_cb): Clear the helper flags.
--
GnuPG-bug-id: 7738
Fixes-commit: ef2be95258d2e02659e96f6c4df5a9a1a233c8fd
which introduced the caching but go the flags wrong. The fallout from
this was that the qualified signature consent was show for non QES
certificates. Other flags are almost always the same and thus no
other harm was done.
|
|
* common/compliance.c (gnupg_manu_notation_value): New.
* g10/build-packet.c (name_value_to_notation): New.
* g10/options.h (COMPAT_NO_MANU): New.
(LIST_SHOW_HIDDEN_NOTATIONS): New.
(VERIFY_SHOW_HIDDEN_NOTATIONS): New.
* g10/gpg.c (compatibility_flags): Add "no-manu".
(parse_list_options): Add "show-hidden-notations".
(main): Ditto for verify-options.
* g10/import.c (list_standalone_revocation): Implement new list option.
* g10/mainproc.c (check_sig_and_print):Ditto
* g10/keyedit.c (keyedit_print_one_sig): Ditto.
* g10/keylist.c (list_signature_print): Ditto.
(show_notation): Handle hidden notation.
* sm/keylist.c (oidtranstbl): Add OID for manu.
* g10/sign.c (mk_notation_policy_etc): Add arg with_manu and insert
extra notation.
(write_signature_packets): Request manu notation in certain cases.
(make_keysig_packet): Ditto.
--
See DETAILS for a description of the format. Obviously this leaks the
version of the used GnuPG version (major and minor only) and the fact
that it was generated by GnuPG. However, by close inspection of the
order of packets and and other meta data similar information can be
found. We include this information to help the support desk to figure
out problems. Sometimes users have very very old versions and the
help desk needs to employ core developers to figure the cause. Having
this information may eventually allow for better user support. This
feature can be disabled unless certain compliance modes are enabled.
|
|
* sm/minip12.c (p12_parse): Fix creating new TLV with old TLV.
* sm/t-minip12.c (one_file): Release RESULT.
* tests/gpgscm/ffi.c (do_process_wait): Call gpgrt_process_release.
* tools/gpgconf-comp.c (retrieve_options_from_program): Release PARGS.
* tools/gpgtar-extract.c (gpgtar_extract): Release PROC on leave.
* tools/gpgtar-list.c (gpgtar_list): Release PROC on leave.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* sm/certchain.c (gpgsm_walk_cert_chain): Handle an empty subject.
--
During import a certificate was imported but gpgsm used log_error when
trying to figure out whether this is a root cert. This patch changes
this to just print a note.
GnuPG-bug-id: 7171
|
|
* sm/verify.c (gpgsm_verify): Always print info that a certs-only
message has been processed.
--
Prior to this patch the message was only printed if no data file has
been given.
Reported-by: Albrecht Dreß
|
|
* sm/certlist.c (gpgsm_add_to_certlist): Remove the on-demand setting
of the current time.
|
|
* sm/certlist.c (gpgsm_add_to_certlist): Track expired error. Make
the expired check easier to read by using if and case.
--
Original ChangeLog:
If all selected certificates are expired, don't mislead the user
saying that no certificate was found. Instead, return the error
of the first certificate selected.
* sm/certlist.c: if one expired certificate was found, don't return
no certificate found, return instead the expiration error
I heavily changed Ramon's original patch and hope that I don't
introduced a regression to his patch. - [email protected]
|
|
* sm/certchain.c (check_validity_period_cm): Add arg no_log_expired to
avoid bumping of the error counter due to the do_list function.
* sm/certlist.c (gpgsm_add_to_certlist): Set no_log_expired when
checking the expiration.
--
I modified the original patch to make the patch smaller and the code
easier to read. - [email protected]
|
|
* sm/certlist.c (gpgsm_add_to_certlist): Also check for not yet valid
certs.
|
|
* sm/certchain.c (check_validity_period_cm): Make function global.
* sm/certlist.c (gpgsm_add_to_certlist): If an expired certificate is
found, continue looking for another one.
--
This enables the user to select a certificate by subject, and keep
old expired certificates in the store in case he wishes to decrypt
or verify an old file. This makes renewal of certificate smoother.
Due to a broken patch I had to massage the patch and while doing this
also fixed the indentation and moved a declaration to the begin of a
block. - [email protected]
|
|
* agent/command.c (cmd_learn): Allow for s/n argument.
* agent/learncard.c (agent_handle_learn): Ditto.
* agent/call-scd.c (agent_card_learn): Ditto. Pass it on to scd.
* scd/command.c (cmd_switchcard): Factor most code out to ...
(switchcard_core): new.
(cmd_learn): Add option --demand to specify a s/n.
* sm/gpgsm.c (main): Allow a s/n argument for --learn-card.
--
This help Kleopatra to get a stable certificate listing.
GnuPG-bug-id: 7379
|
|
* sm/misc.c (setup_pinentry_env): Remove.
|
|
* sm/gpgsm.c (oNoProtection): New.
(opts): Add "--no-protection".
(main): PArse it.
* sm/gpgsm.h (struct server_control_s): Add field no_protection.
* sm/server.c (option_handler): Add option "no-protection".
(reset_notify): Clear option.
* sm/export.c (export_p12): Use empty passphrase if option is set.
|
|
* sm/call-agent.c (gpgsm_agent_genkey): Add arg no_protection.
* sm/certreqgen.c (struct reqgen_ctrl_s): Add field no_protection.
(read_parameters): Add keyword "%no-protection".
(proc_parameters): Pass no_protection to gpgsm_agent_genkey.
|
|
* sm/keylist.c (list_internal_keys): Detect write errors to the output
stream.
* sm/server.c (any_failure_printed): New var.
(gpgsm_status2): Handle new var. Move statusfp init to ...
(gpgsm_init_statusfp): new function.
(gpgsm_exit_failure_status): New.
* sm/gpgsm.c (main): Explicit statusfp init.
(gpgsm_exit): Print failure status on error.
--
Test by using
gpgsm -k >/dev/full
gpgsm -k --wit-colons >/dev/full
and also by redirecting to a file on a small partition.
GnuPG-bug-id: 6185
|
|
* sm/call-agent.c (gpgsm_agent_istrusted): Actually set istrusted
list.
--
Fixes-commit: 9087c1d3637cf1c61744ece0002dc0dc5675d7c9
|
|
* dirmngr/crlcache.c (crl_cache_list): Print a summary of URLs.
* sm/call-dirmngr.c (gpgsm_dirmngr_run_command): Print a notice to
stdout if the dirmngr has been disabled.
--
GnuPG-bug-id: 7337
|
|
* common/util.h (openpgp_curve_to_oid): Add new argument to select OID
by OpenPGP version.
* common/openpgp-oid.c (openpgp_curve_to_oid): Implement returning
selected OID for Curve25519.
* common/openpgp-fpr.c (compute_openpgp_fpr_ecc): Follow the change,
selecting by the version.
* g10/export.c (match_curve_skey_pk): Likewise.
(transfer_format_to_openpgp): Likewise.
* g10/gpg.c (list_config): Likewise, print new OID.
* g10/keygen.c (ecckey_from_sexp): Likewise, selecting by the version.
* sm/encrypt.c (ecdh_encrypt): Likewise, don't care.
* sm/minip12.c (build_ecc_key_sequence): Likewise, new OID.
* scd/app-openpgp.c (ecdh_params, gen_challenge): Likewise, don't
care.
(ecc_read_pubkey, change_keyattr_from_string, ecc_writekey): Likewise,
old OID.
--
GnuPG-bug-id: 7316
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* common/sexputil.c (pubkey_algo_string): Use
openpgp_oid_or_name_to_curve.
* g10/card-util.c (current_card_status, ask_card_keyattr): Likewise.
* scd/app-piv.c (writekey_ecc): Likewise.
* sm/fingerprint.c (gpgsm_get_key_algo_info): Likewise.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* sm/gpgsm.c (compatibility_flags): Add flag.
* sm/gpgsm.h (COMPAT_NO_KEYINFO_CACHE): New.
* sm/call-agent.c (gpgsm_agent_istrusted): Act upon it.
(gpgsm_agent_keyinfo): Ditto.
|
|
* sm/gpgsm.h (struct keyinfo_cache_item_s): New.
(struct server_control_s): Add keyinfo_cache and keyinfo_cache_valid.
* sm/call-agent.c (keyinfo_cache_disabled): New flag.
(release_a_keyinfo_cache): New.
(gpgsm_flush_keyinfo_cache): New.
(struct keyinfo_status_parm_s): New.
(keyinfo_status_cb): Implement a fill mode.
(gpgsm_agent_keyinfo): Implement a cache.
* sm/server.c (reset_notify): Flush the cache.
* sm/gpgsm.c (gpgsm_deinit_default_ctrl): Ditto.
--
In almost all cases we have just a few private keys in the agent and
thus it is better to fetch them early. This does not work in a
restricted connection but we take care and disable the cache in this
case.
This cache gives a a minor speed up.
GnuPG-bug-id: 7308
|
|
* sm/call-agent.c (struct istrusted_cache_s): New.
(istrusted_cache, istrusted_cache_valid): New.
(istrusted_cache_disabled): New.
(flush_istrusted_cache): New.
(struct istrusted_status_parm_s): New.
(istrusted_status_cb): Fill the cache.
(gpgsm_agent_istrusted): Implement a cache.
--
Not a really measurable performance improvements on Linux but maybe
somewhat on Windows (not yet tested). However, it does not clutter
the log files with IPC calls returning NOT_TRUSTED.
GnuPG-bug-id: 7308
|
|
* sm/minip12.c (parse_shrouded_key_bag): Increase size of salt buffer.
--
Reported on the mailing list. The change does not seem to have a big
regression risk, thus applied. See below for the mail
# ------------------------ >8 ------------------------
https://lists.gnupg.org/pipermail/gnupg-users/2024-September/067312.html
|
|
* sm/certchain.c (find_up_dirmngr): Skip if we know that there is no
dirmngr.
|
|
* sm/certchain.c (ask_marktrusted): Avoid fingerprint printing in
quiet mode
--
And also don't print it anymore after the agent told us that the
feature has been disabled.
|
|
* sm/gpgsm.h (COMPAT_NO_CHAIN_CACHE): New.
(struct cert_cache_item_s, cert_cache_item_t): New.
(struct server_control_s): Add parent_cert_cache.
* sm/gpgsm.c (compatibility_flags): Add "no-chain-cache".
(parent_cache_stats): New.
(gpgsm_exit): Print the stats with --debug=memstat.
(gpgsm_deinit_default_ctrl): Release the cache.
* sm/certchain.c (gpgsm_walk_cert_chain): Cache the certificates.
(do_validate_chain): Ditto.
--
This gives another boost of 30% (from 6.5 to 4.0 seconds in the test
environment with ~1000 certs). do_validate_chain actually brings us
the speedup becuase the gpgsm_walk_cert_chain is not used during a key
listing. For the latter we actually cache all certificates because
that was easier.
GnuPG-bug-id: 7308
|
|
* kbx/keybox-search.c (keybox_get_cert): Store the blob clags in the
cert object.
* sm/certchain.c (do_validate_chain): Skip clearing of the ephemeral
flag if we know that it is not set.
--
GnuPG-bug-id: 7308
|
|
* sm/gpgsm.c (oAssertSigner, oNoop): New.
(opts): Add option --assert-signer.
(assert_signer_true): New var.
(main): Set new option.
(gpgsm_exit): Handle assert_signer_true.
* sm/gpgsm.h (opt): Add field assert_signer_list.
* sm/verify.c (is_x509_fingerprint): New.
(check_assert_signer_list): New.
(gpgsm_verify): Handle option.
--
GnuPG-bug-id: 7286
|
|
* common/tlv.h (TLV_PARSER_FLAG_T5793): New.
(tlv_parser_new): New macro. Rename function with an underscore.
(tlv_next_with_flag): New.
* common/tlv-parser.c (struct tlv_parser_s): Remove const from buffer.
Add fields crammed, lasttlv, and origoff. Remove bufferlist ands ist
definition.
(dump_to_file): New but disabled debug helper.
(parse_tag): Print more info on error.
(_tlv_parser_new): Add args lasttlv and LNO. Take a copy of the data.
(_tlv_parser_release): Free the copy of the buffer and return the
recorded TLV object from tlv_parser_new.
(_tlv_peek, tlv_parser_peek, _tlv_parser_peek_null): Remove.
(_tlv_push): Record crammed length.
(_tlv_pop): Restore crammed length.
(_tlv_parser_next): Add arg flags. More debug output. Handle cramming
here. Take care of cramming here.
(tlv_expect_object): Simplify to adjust for changes in _tlv_parser_next.
(tlv_expect_octet_string): Remove arg encapsulates. Adjust for
changes in _tlv_parser_next. Change all allers.
(tlv_expect_null): New.
(cram_octet_string): Rewrite.
(need_octet_string_cramming): Remove.
* sm/minip12.c (dump_to_file): New. Enablein debug mode and if a
envvar ist set. Replace all explict but disabled dumping to call this
function.
(parse_bag_encrypted_data): Replace tlv_peek_null and a peeking for an
optional SET by non-peeking code.
(parse_cert_bag): Ditto.
(parse_shrouded_key_bag): Replace tlv_peek_null by non-peeking code.
(parse_bag_encrypted_data): Use the new TLV_PARSER_FLAG_T5793 to
enable the Mozilla workaround.
(parse_bag_encrypted_data): Replace the 'renewed_tlv' code by the new
tlv_parser_release semantics.
(parse_shrouded_key_bag): Ditto.
(parse_shrouded_key_bag): Create a new context instead of using the
former encapsulated mechanism for tlv_expect_octet_string.
(parse_bag_data): Ditto.
(p12_parse): Ditto.
--
GnuPG-bug-id: 7213
Fixing this took way too long; I should have earlier explained the
code to a co-hacker to find the problem myself in my code by this.
|
|
* sm/t-minip12.c (cram_file): New.
(main): Add option --cram.
--
This is sometimes useful to convert constructed octet strings into
primitive octet strings.
|
|
* agent/genkey.c (do_check_passphrase_pattern): Use the gpgrt API.
* common/asshelp.c (start_new_service): Ditto.
* common/exechelp.h: Remove gnupg_process_spawn API.
* common/exechelp-posix.c: Remove gnupg_process_spawn implementation.
* common/exechelp-w32.c: Likewise.
* common/exectool.c (gnupg_exec_tool_stream): Use the gpgrt API.
* common/t-exechelp.c (test_pipe_stream): Remove.
* dirmngr/ldap-wrapper.c (destroy_wrapper, ldap_reaper_thread): Use
the gpgrt API.
(ldap_wrapper_connection_cleanup, ldap_wrapper): Ditto.
* dirmngr/ldap.c, g10/call-keyboxd.c: No need to include exechelp.h.
* g10/photoid.c (run_with_pipe, show_photo): Use the gpgrt API.
* g13/be-encfs.c (run_umount_helper, run_encfs_tool): Ditto.
* g13/g13.c, g13/mount.c, g13/runner.c: No need to include exechelp.h.
* scd/apdu.c: No need to include exechelp.h.
* scd/app.c (report_change): Use the gpgrt API.
* sm/export.c, sm/import.c: No need to include exechelp.h.
* tests/gpgscm/ffi.c (proc_object_finalize, proc_wrap)
(do_process_spawn_io, do_process_spawn_fd, do_process_wait): Use the
gpgrt API.
* tools/gpg-auth.c: No need to include exechelp.h.
* tools/gpg-card.c (cmd_gpg): Use the gpgrt API.
* tools/gpg-connect-agent.c: No need to include exechelp.h.
* tools/gpg-mail-tube.c (mail_tube_encrypt, prepare_for_appimage)
(start_gpg_encrypt): Use the gpgrt API.
* tools/gpgconf-comp.c (gpg_agent_runtime_change)
(scdaemon_runtime_change, tpm2daemon_runtime_change)
(dirmngr_runtime_change, keyboxd_runtime_change)
(gc_component_launch, gc_component_check_options)
(retrieve_options_from_program): Ditto.
* tools/gpgconf.c (show_versions_via_dirmngr): Ditto.
* tools/gpgtar-create.c (gpgtar_create): Ditto.
* tools/gpgtar-extract.c (gpgtar_extract): Ditto.
* tools/gpgtar-list.c (gpgtar_list): Ditto.
--
GnuPG-bug-id: 7192
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* sm/keylist.c (list_cert_colon): Rework listing of user IDs.
--
Only in colon mode this did not work. Note that an updated libksba is
anyway required to parse a certificate with an empty Subject.
GnuPG-bug-id: 7171
|
|
--
These are non-substantive corrections for minor spelling mistakes
within the GnuPG codebase.
With something like this applied to the codebase, and a judiciously
tuned spellchecker integrated as part of a standard test suite, it
should be possible to keep a uniform orthography within the project.
GnuPG-bug-id: 7116
|
|
* sm/certcheck.c (gpgsm_check_cms_signature): Do not free s_sig on
error. Its owned and freed by the caller.
--
This is part of
GnuPG-bug-id: 7129
Signed-off-by: Jakub Jelen <[email protected]>
Fixes-commit: 969abcf40cdfc65f3ee859c5e62889e1a8ccde91
|
|
* sm/keydb.c (keydb_search): Init skipped.
--
Skipped is not actually used.
This is part of
GnuPG-bug-id: 7129
Reported-by: Jakub Jelen <[email protected]>
|
|
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): Add a prompt for
extensions.
--
An example for an extension would be extKeyUsage for authentication:
2.5.29.37 n 301406082B0601050507030206082B06010505070301
|
|
* common/sysutils.c (no_translate_sys2libc_fd) [W32]: New global.
(disable_translate_sys2libc_fd): New.
(translate_sys2libc_fd): Make static and cobuild only for Windows.
(translate_sys2libc_fd_int): Use no_translate_sys2libc_fd flag.
* g10/gpg.c, sm/gpgsm.c (oDisableFdTranslation): New const.
(opts): Add option "disable-fd-translation".
(main): Set option.
--
GnuPG-bug-id: 7060
|
|
* agent/gpg-agent.c (parse_rereadable_options): Use make_filename_try
for opt.pinentry_program. Change definition accordingly.
* g10/gpg.c (main): Use make_filename for agent_program,
dirmngr_program, and keyboxd_program. Change definition accordingly.
* sm/gpgsm.c (main): Ditto.
* tools/gpg-card.c (parse_arguments): Ditto.
* tools/gpg-connect-agent.c (main): Ditto.
* tools/gpg-wks-client.c (parse_arguments): Likewise. Do it also for
option --output.
(process_confirmation_request): Print a note for a successful sent.
--
GnuPG-bug-id: 7017
|
|
* sm/minip12.c (parse_bag_encrypted_data): Need 32 bytes.
--
GnuPG-bug-id: 6757
|
|
* sm/minip12.c (p12_parse): set err on the different error paths
--
GnuPG-bug-id: 6973
Fixes-commit: 101433dfb42b333e48427baf9dd58ac4787c9786
Signed-off-by: Ángel González <[email protected]>
|
|
* sm/encrypt.c (ecdh_encrypt): Cipher is AES192 for id-aes192-wrap.
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* sm/minip12.c (struct p12_parse_ctx_s): Add privatekey2.
(parse_shrouded_key_bag): Handle a second private key.
(p12_parse_free_kparms): New.
* sm/import.c (parse_p12): Factor some code out to ...
(p12_to_skey): this.
(parse_p12): Use p12_parse_free_kparms.
--
Take care: We allow parsing of a second private key but we are not yet
able to import the second private key.
The whole things is required to at least import the certificates of
current pkcs#12 files as created by the German Elster tax system. No
test data, sorry.
|
|
* sm/verify.c (gpgsm_verify): Improve verify.leave status line.
--
Suggested-by: Jakob Bohm
|
|
* g10/call-keyboxd.c (keydb_default_status_cb): New.
(keydb_update_keyblock): Add new status callback.
(keydb_insert_keyblock): Ditto.
(keydb_delete_keyblock): Ditto.
(search_status_cb): Also try the new status callback.
* sm/keydb.c (keydb_default_status_cb): New.
(keydb_insert_cert): Add new status callback.
(keydb_delete): Ditto
(search_status_cb): Also try the new status callback.
--
GnuPG-bug-id: 6838
|
|
* sm/keylist.c (list_cert_colon): Map not_trusted to 'n' for non-root
certs like we do for root certs.
--
GnuPG-bug-id: 6841
|
|
* g10/call-agent.c (agent_get_passphrase): Call
assuan_begin_confidential and assuan_end_confidential.
* sm/call-agent.c (gpgsm_agent_ask_passphrase): Ditto.
--
GnuPG-bug-id: 6654
The drawback of this solution is that we don't see any IPC lines from
the assuan_transact. Everything else would require larger changes to
libassuan.
|
|
* sm/minip12.c (parse_bag_encrypted_data): Set the badpass flag.
(parse_shrouded_key_bag): Ditto.
--
|
|
* g10/call-agent.c (default_inq_cb): Call assuan_begin_confidential
and assuan_end_confidential.
* sm/call-agent.c (default_inq_cb): Likewise.
--
Cherry pick from master commit of:
ec1446f9446506b5fbdf90cdeb9cbe1f410a657e
GnuPG-bug-id: 6654
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* g10/call-agent.c (default_inq_cb): Call assuan_begin_confidential
and assuan_end_confidential.
* sm/call-agent.c (default_inq_cb): Likewise.
--
GnuPG-bug-id: 6654
Signed-off-by: NIIBE Yutaka <[email protected]>
|
|
* common/compliance.h (PK_ALGO_FLAG_ECC18): New.
* common/compliance.c (gnupg_pk_is_allowed): Implement.
* sm/decrypt.c (gpgsm_decrypt): Pass new flag.
* sm/sign.c (gpgsm_sign): Ditto.
* sm/verify.c (gpgsm_verify): Ditto.
--
GnuPG-bug-id: 6802
|
