From 4ae81d9c44ebb47f654cc4b03ce5a5706d8dd4a6 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 17 Jul 2025 09:13:41 +0200 Subject: agent: Minor robustness improvement * agent/divert-scd.c (agent_card_ecc_kem): Add extra robustness check for len==0. --- agent/divert-scd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/agent/divert-scd.c b/agent/divert-scd.c index 7e0d8eccb..15d1abd8d 100644 --- a/agent/divert-scd.c +++ b/agent/divert-scd.c @@ -517,7 +517,7 @@ agent_card_ecc_kem (ctrl_t ctrl, const unsigned char *ecc_ct, if (len == ecc_point_len) memcpy (ecc_ecdh, ecdh, len); - else if ((len - 1) * 2 == ecc_point_len - 1 && ecdh[0] == 0x02) + else if (len && (len - 1) * 2 == ecc_point_len - 1 && ecdh[0] == 0x02) { /* It's x-coordinate-only (compressed) point representation. */ memcpy (ecc_ecdh, ecdh, len); -- cgit v1.2.3 From 16c110400ecba5055f5e646f9f5949c7c8d1f70a Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 24 Jul 2025 10:34:13 +0200 Subject: gpg: Start using macros for the signature classes. * g10/packet.h (SIGCLASS_): New constants. * g10/keydb.h (IS_SUBKEY_SIG): Use them. --- g10/keydb.h | 14 +++++++------- g10/packet.h | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 7 deletions(-) diff --git a/g10/keydb.h b/g10/keydb.h index 68bc81840..255110cc7 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -37,14 +37,14 @@ || IS_SUBKEY_REV(s) \ || IS_ATTST_SIGS(s) ) #define IS_SIG(s) (!IS_CERT(s)) -#define IS_KEY_SIG(s) ((s)->sig_class == 0x1f) -#define IS_UID_SIG(s) (((s)->sig_class & ~3) == 0x10) +#define IS_KEY_SIG(s) ((s)->sig_class == SIGCLASS_KEY) +#define IS_UID_SIG(s) (((s)->sig_class & ~3) == SIGCLASS_CERT) #define IS_ATTST_SIGS(s) ((s)->sig_class == 0x16) -#define IS_SUBKEY_SIG(s) ((s)->sig_class == 0x18) -#define IS_BACK_SIG(s) ((s)->sig_class == 0x19) -#define IS_KEY_REV(s) ((s)->sig_class == 0x20) -#define IS_UID_REV(s) ((s)->sig_class == 0x30) -#define IS_SUBKEY_REV(s) ((s)->sig_class == 0x28) +#define IS_SUBKEY_SIG(s) ((s)->sig_class == SIGCLASS_SUBKEY) +#define IS_BACK_SIG(s) ((s)->sig_class == SIGCLASS_BACKSIG) +#define IS_KEY_REV(s) ((s)->sig_class == SIGCLASS_KEYREV) +#define IS_UID_REV(s) ((s)->sig_class == SIGCLASS_CERTREV) +#define IS_SUBKEY_REV(s) ((s)->sig_class == SIGCLASS_SUBREV) struct getkey_ctx_s; typedef struct getkey_ctx_s *GETKEY_CTX; diff --git a/g10/packet.h b/g10/packet.h index ac6df7d5c..e385966d3 100644 --- a/g10/packet.h +++ b/g10/packet.h @@ -69,6 +69,21 @@ /* The usage bits which define encryption. */ #define PUBKEY_USAGE_XENC_MASK (PUBKEY_USAGE_ENC | PUBKEY_USAGE_RENC) +/* The signature classes. */ +#define SIGCLASS_DATA 0x00 /* Signature on a binary document. */ +#define SIGCLASS_TEXT 0x01 /* Signature on a text document. */ +#define SIGCLASS_SALONE 0x02 /* Standalone signature. */ +#define SIGCLASS_CERT 0x10 /* User ID certification signature. */ +#define SIGCLASS_CERT11 0x11 /* User ID certification signature. */ +#define SIGCLASS_CERT12 0x12 /* User ID certification signature. */ +#define SIGCLASS_CERT13 0x13 /* User ID certification signature. */ +#define SIGCLASS_SUBKEY 0x18 /* Key binding signature. */ +#define SIGCLASS_BACKSIG 0x19 /* Primary key binding signature. */ +#define SIGCLASS_KEY 0x1f /* Direct key signature (on primary key) */ +#define SIGCLASS_KEYREV 0x20 /* Key revoction signature. */ +#define SIGCLASS_SUBREV 0x28 /* Subkey revocation signature. */ +#define SIGCLASS_CERTREV 0x30 /* Certification revocation signature. */ + /* Bitflags to convey hints on what kind of signature is created. */ #define SIGNHINT_KEYSIG 1 #define SIGNHINT_SELFSIG 2 -- cgit v1.2.3 From 1c5a2b963b39f99379fe3f53607f103d44b1845a Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 24 Jul 2025 10:37:24 +0200 Subject: gpg: Use the new constants in one function. * g10/sign.c (make_keysig_packet): Use signature class constants. -- Having macros for the signature classes should make the code easier to understand for newbies. --- g10/sign.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/g10/sign.c b/g10/sign.c index 399d5d76d..413a6025d 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -1814,9 +1814,13 @@ make_keysig_packet (ctrl_t ctrl, u32 pk_keyid[2], pksk_keyid[2]; unsigned int signhints; - log_assert ((sigclass >= 0x10 && sigclass <= 0x13) || sigclass == 0x1F - || sigclass == 0x20 || sigclass == 0x18 || sigclass == 0x19 - || sigclass == 0x30 || sigclass == 0x28 ); + log_assert ((sigclass&~3) == SIGCLASS_CERT + || sigclass == SIGCLASS_KEY + || sigclass == SIGCLASS_KEYREV + || sigclass == SIGCLASS_SUBKEY + || sigclass == SIGCLASS_BACKSIG + || sigclass == SIGCLASS_CERTREV + || sigclass == SIGCLASS_SUBREV ); if (pksk->version >= 5) sigversion = 5; @@ -1853,14 +1857,15 @@ make_keysig_packet (ctrl_t ctrl, /* Hash the public key certificate. */ hash_public_key (md, pk); - if (sigclass == 0x18 || sigclass == 0x19 || sigclass == 0x28) + if (sigclass == SIGCLASS_SUBKEY || sigclass == SIGCLASS_BACKSIG + || sigclass == SIGCLASS_SUBREV) { /* Hash the subkey binding/backsig/revocation. */ hash_public_key (md, subpk); if ((subpk->pubkey_usage & PUBKEY_USAGE_RENC)) signhints |= SIGNHINT_ADSK; } - else if (sigclass != 0x1F && sigclass != 0x20) + else if (sigclass != SIGCLASS_KEY && sigclass != SIGCLASS_KEYREV) { /* Hash the user id. */ hash_uid (md, sigversion, uid); -- cgit v1.2.3 From bcf94337fb39fd4b9c42490392a795ac8c8886b2 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 24 Jul 2025 10:38:23 +0200 Subject: agent: Allow colon delimited fingerprints for ISTRUSTED. * agent/command.c (cmd_istrusted): Improve arg parser. --- agent/command.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/agent/command.c b/agent/command.c index a9eb0104e..dcb758e37 100644 --- a/agent/command.c +++ b/agent/command.c @@ -541,14 +541,26 @@ cmd_istrusted (assuan_context_t ctx, char *line) { ctrl_t ctrl = assuan_get_pointer (ctx); int rc, n, i; - char *p; + char *p, *pn; char fpr[41]; /* Parse the fingerprint value. */ + pn = NULL; /* Indicates that we have not reparsed. */ + parseagain: for (p=line,n=0; hexdigitp (p); p++, n++) ; if (*p || !(n == 40 || n == 32)) - return set_error (GPG_ERR_ASS_PARAMETER, "invalid fingerprint"); + { + if (!pn && *p && strchr (p, ':')) + { + for (pn=p=line; *p ; p++) + if (*p != ':') + *pn++ = *p; + *pn = 0; + goto parseagain; + } + return set_error (GPG_ERR_ASS_PARAMETER, "invalid fingerprint"); + } i = 0; if (n==32) { -- cgit v1.2.3 From 11d3a83b04786c74fdbbbcdc99074c75666bd722 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 24 Jul 2025 11:17:28 +0200 Subject: gpg: Add a notation with version information to signatures. * common/compliance.c (gnupg_manu_notation_value): New. * g10/build-packet.c (name_value_to_notation): New. * g10/options.h (COMPAT_NO_MANU): New. (LIST_SHOW_HIDDEN_NOTATIONS): New. (VERIFY_SHOW_HIDDEN_NOTATIONS): New. * g10/gpg.c (compatibility_flags): Add "no-manu". (parse_list_options): Add "show-hidden-notations". (main): Ditto for verify-options. * g10/import.c (list_standalone_revocation): Implement new list option. * g10/mainproc.c (check_sig_and_print):Ditto * g10/keyedit.c (keyedit_print_one_sig): Ditto. * g10/keylist.c (list_signature_print): Ditto. (show_notation): Handle hidden notation. * sm/keylist.c (oidtranstbl): Add OID for manu. * g10/sign.c (mk_notation_policy_etc): Add arg with_manu and insert extra notation. (write_signature_packets): Request manu notation in certain cases. (make_keysig_packet): Ditto. -- See DETAILS for a description of the format. Obviously this leaks the version of the used GnuPG version (major and minor only) and the fact that it was generated by GnuPG. However, by close inspection of the order of packets and and other meta data similar information can be found. We include this information to help the support desk to figure out problems. Sometimes users have very very old versions and the help desk needs to employ core developers to figure the cause. Having this information may eventually allow for better user support. This feature can be disabled unless certain compliance modes are enabled. --- common/compliance.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++ common/compliance.h | 1 + doc/DETAILS | 50 ++++++++++++++++++++++++++++++++++--- doc/gpg.texi | 16 +++++++++--- g10/build-packet.c | 35 +++++++++++++++++++------- g10/gpg.c | 7 +++++- g10/import.c | 4 ++- g10/keyedit.c | 4 ++- g10/keylist.c | 14 +++++++---- g10/mainproc.c | 4 ++- g10/options.h | 3 +++ g10/packet.h | 1 + g10/sign.c | 54 ++++++++++++++++++++++++++++++++++------ sm/keylist.c | 1 + 14 files changed, 234 insertions(+), 31 deletions(-) diff --git a/common/compliance.c b/common/compliance.c index 6c271c199..db17e4aba 100644 --- a/common/compliance.c +++ b/common/compliance.c @@ -751,6 +751,77 @@ gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance) } + +/* This function returns the value for the "manu" LibrePGP/rfc4880bis + * notation. See doc/DETAILS for a description. This value is also + * used for the manuNotation in X.509/CMS. */ +const char * +gnupg_manu_notation_value (enum gnupg_compliance_mode compliance) +{ + static char buffer[48]; /* Empty string indicates not yet initialized */ + static char buffer2[40]; + + if (!*buffer) + { + char *buf; + const char *s; + int n; + const char *fields[4]; + const char *vers1, *vers2; + int vers1len, vers2len; + int arch_id, os_id; + + arch_id = 0; + buf = gcry_get_config (0, "cpu-arch"); + if (buf && (n=split_fields_colon (buf, fields, DIM (fields))) >= 2) + { + if (!strcmp (fields[1], "x86") && n > 2) + { + if (!strcmp (fields[2], "amd64")) + arch_id = 2; + else if (!strcmp (fields[2], "i386")) + arch_id = 1; + } + else if (!strcmp (fields[1], "arm")) + arch_id = 3; + } + gcry_free (buf); +#ifdef HAVE_W32_SYSTEM + os_id = 1; +#elif defined(__linux__) + os_id = 2; +#elif defined (__unix__) || defined(__APPLE__) + os_id = 3; +#else + os_id = 0; +#endif + vers1 = PACKAGE_VERSION; + for (s=vers1, n=0; *s; s++) + if (*s=='.') + if (++n == 2) + break; + vers1len = s-vers1; + + vers2 = gcry_check_version (NULL); + for (s=vers2, n=0; *s; s++) + if (*s=='.') + if (++n == 2) + break; + vers2len = s-vers2; + + snprintf (buffer2, sizeof buffer2, "2,%.*s+%.*s,%d,%d", + vers1len, vers1, vers2len, vers2, arch_id, os_id); + snprintf (buffer, sizeof buffer, "%s,%d", + buffer2, get_assumed_de_vs_compliance ()? 2023 : 23); + } + + if (compliance == CO_DE_VS) + return buffer; + else + return buffer2; +} + + /* Parse the value of --compliance. Returns the value corresponding * to the given STRING according to OPTIONS of size LENGTH, or -1 * indicating that the lookup was unsuccessful, or the list of options diff --git a/common/compliance.h b/common/compliance.h index 111fdc74b..1ab39d607 100644 --- a/common/compliance.h +++ b/common/compliance.h @@ -78,6 +78,7 @@ int gnupg_gcrypt_is_compliant (enum gnupg_compliance_mode compliance); const char *gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance); +const char *gnupg_manu_notation_value (enum gnupg_compliance_mode compliance); struct gnupg_compliance_option { diff --git a/doc/DETAILS b/doc/DETAILS index 0504c80bb..246c4227d 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -1666,6 +1666,7 @@ Status codes are: 1.3.6.1.4.1.11591.2 GnuPG 1.3.6.1.4.1.11591.2.1 notation 1.3.6.1.4.1.11591.2.1.1 pkaAddress + 1.3.6.1.4.1.11591.2.1.2 manuNotation (as IA5String) 1.3.6.1.4.1.11591.2.2 X.509 extensions 1.3.6.1.4.1.11591.2.2.1 standaloneCertificate 1.3.6.1.4.1.11591.2.2.2 wellKnownPrivateKey @@ -1774,7 +1775,6 @@ Description of some debug flags: - T6390 :: Notes on use of X25519 in GnuPG (https://dev.gnupg.org/T6390) - ** v3 fingerprints For packet version 3 we calculate the keyids this way: - RSA :: Low 64 bits of n @@ -1782,12 +1782,56 @@ Description of some debug flags: calculate a RMD160 hash value from it. This is used as the fingerprint and the low 64 bits are the keyid. -** gnupg.org notations +** Used notations + + - manu :: LibrePGP/rfc4880bis defined standard notation used by + GnuPG and other implementaions to convey additional + information about the implementation used to create + a key or signature. This is a list of comma delimited + values with these defined fields: + + | field | name | defined values | + |-------+------------------+------------------------| + | 1 | software product | see: prod-id | + | 2 | software version | e.g. "2.2", "2.5+1.12" | + | 3 | architecture | see: arch-id | + | 4 | operating system | see: os-id | + | 5 | compliance class | e.g. "23", "2023" | + + | prod-id | name | + |---------+-------------| + | 1 | PGP | + | 2 | GnuPG | + | 3 | Greenshield | + | 4 | RNP | + + | arch-id | cpu | + |---------+-------| + | 1 | i686 | + | 2 | amd64 | + | 3 | arm64 | + | 4 | riscv | + + | os-id | os | + |-------+---------| + | 1 | Windows | + | 2 | Linux | + | 3 | BSD | + + If a value for a field is not known, the empty string + may be used. The values are also used for the X.509/CMS + extension 1.3.6.1.4.1.11591.2.1.2. The compliance class + values are 23 for "de-vs" and 2023 for non-approved "de-vs". + + This notation shall be human readable. It is defined in + away to minimize its size but to be easily viewable by + standard software. - rem@gnupg.org :: Used by Kleopatra to implement the tag feature. These tags are used to mark keys for easier searching and grouping. - + - cpl@gnupg.org :: Used by GnuPG to mark the compliance of + encryption subkeys. ** Simplified revocation certificates Revocation certificates consist only of the signature packet; diff --git a/doc/gpg.texi b/doc/gpg.texi index 63e87e528..91bc73e8c 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1420,11 +1420,15 @@ give the opposite meaning. The options are: @item show-notations @itemx show-std-notations @itemx show-user-notations + @itemx show-hidden-notations @opindex list-options:show-notations @opindex list-options:show-std-notations @opindex list-options:show-user-notations + @opindex list-options:show-hidden-notations Show all, IETF standard, or user-defined signature notations in the - @option{--check-signatures} listings. Defaults to no. + @option{--check-sigs} listings. Hidden notations are those which + are automatically inserted by an implementation and not worthy to + mention. Defaults to no. @item show-x509-notations @opindex list-options:show-x509-notations @@ -1513,11 +1517,15 @@ the opposite meaning. The options are: @item show-notations @itemx show-std-notations @itemx show-user-notations + @itemx show-hidden-notations @opindex verify-options:show-notations @opindex verify-options:show-std-notations @opindex verify-options:show-user-notations + @opindex verify-options:show-hidden-notations Show all, IETF standard, or user-defined signature notations in the - signature being verified. Defaults to IETF standard. + signature being verified. Hidden notations are those which are + automatically inserted by an implementation and not worthy to + mention. Defaults to IETF standard. @item show-keyserver-urls @opindex verify-options:show-keyserver-urls @@ -3374,7 +3382,9 @@ given once only the name of the program and the major number is emitted, given twice the minor is also emitted, given thrice the micro is added, and given four times an operating system identification is also emitted. @option{--no-emit-version} (default) disables the version -line. +line. Note that unless the @option{--compatibility-flags} have +a "no-manu" flag set, the GnuPG and Libgcrypt major and minor version +(e.g. "2.6+1.11") is included in signature packets and keys. @item --sig-notation @{@var{name}=@var{value}@} @itemx --cert-notation @{@var{name}=@var{value}@} diff --git a/g10/build-packet.c b/g10/build-packet.c index 57a67d9f4..0eb83463f 100644 --- a/g10/build-packet.c +++ b/g10/build-packet.c @@ -1577,17 +1577,18 @@ notation_value_to_human_readable_string (struct notation *notation) return xstrdup (notation->value); } -/* Turn the notation described by the string STRING into a notation. - - STRING has the form: - - -name - Delete the notation. - - name@domain.name=value - Normal notation - - !name@domain.name=value - Notation with critical bit set. - - The caller must free the result using free_notation(). */ +/* Turn the notation described by the string STRING into a notation. + * + * STRING has the form: + * + * - -name - Delete the notation. + * - name@domain.name=value - Normal notation + * - !name@domain.name=value - Notation with critical bit set. + * + * The caller must free the result using free_notation(). */ struct notation * -string_to_notation(const char *string,int is_utf8) +string_to_notation (const char *string, int is_utf8) { const char *s; int saw_at=0; @@ -1676,6 +1677,22 @@ string_to_notation(const char *string,int is_utf8) return NULL; } + +/* Turn the notation described by NAME and VALUE into a notation. + * This will be a human readble non-critical notation. + * The caller must free the result using free_notation(). */ +struct notation * +name_value_to_notation (const char *name, const char *value) +{ + struct notation *notation; + + notation = xcalloc (1, sizeof *notation); + notation->name = xstrdup (name); + notation->value = xstrdup (value); + return notation; +} + + /* Like string_to_notation, but store opaque data rather than human readable data. */ struct notation * diff --git a/g10/gpg.c b/g10/gpg.c index 296d5fceb..5cd546ba0 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -1059,6 +1059,7 @@ static struct compatibility_flags_s compatibility_flags [] = { COMPAT_PARALLELIZED, "parallelized" }, { COMPAT_T7014_OLD, "t7014-old" }, { COMPAT_COMPR_KEYS, "compr-keys" }, + { COMPAT_NO_MANU, "no-manu" }, { 0, NULL } }; @@ -2116,6 +2117,8 @@ parse_list_options(char *str) NULL}, {"show-user-notations",LIST_SHOW_USER_NOTATIONS,NULL, N_("show user-supplied notations during signature listings")}, + {"show-hidden-notations",LIST_SHOW_HIDDEN_NOTATIONS,NULL, + NULL}, {"show-x509-notations",LIST_SHOW_X509_NOTATIONS,NULL, NULL }, {"store-x509-notations",LIST_STORE_X509_NOTATIONS,NULL, NULL }, {"show-keyserver-urls",LIST_SHOW_KEYSERVER_URLS,NULL, @@ -3498,7 +3501,9 @@ main (int argc, char **argv) NULL}, {"show-user-notations",VERIFY_SHOW_USER_NOTATIONS,NULL, N_("show user-supplied notations during signature verification")}, - {"show-keyserver-urls",VERIFY_SHOW_KEYSERVER_URLS,NULL, + {"show-hidden-notations",VERIFY_SHOW_HIDDEN_NOTATIONS,NULL, + NULL}, + {"show-keyserver-urls",VERIFY_SHOW_KEYSERVER_URLS,NULL, N_("show preferred keyserver URLs during signature verification")}, {"show-uid-validity",VERIFY_SHOW_UID_VALIDITY,NULL, N_("show user ID validity during signature verification")}, diff --git a/g10/import.c b/g10/import.c index 5985d177b..6e33ac976 100644 --- a/g10/import.c +++ b/g10/import.c @@ -3541,7 +3541,9 @@ list_standalone_revocation (ctrl_t ctrl, PKT_signature *sig, int sigrc) show_notation (sig, 3, 0, ((opt.list_options & LIST_SHOW_STD_NOTATIONS) ? 1 : 0) + - ((opt.list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : 0)); + ((opt.list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : 0) + + + ((opt.list_options & LIST_SHOW_HIDDEN_NOTATIONS) ? 4:0)); if (sig->flags.pref_ks && (opt.list_options & LIST_SHOW_KEYSERVER_URLS)) diff --git a/g10/keyedit.c b/g10/keyedit.c index b0f8ea5ed..1afaad6a9 100644 --- a/g10/keyedit.c +++ b/g10/keyedit.c @@ -299,7 +299,9 @@ keyedit_print_one_sig (ctrl_t ctrl, estream_t fp, ((opt. list_options & LIST_SHOW_STD_NOTATIONS) ? 1 : 0) + ((opt. - list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : 0)); + list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : 0) + + ((opt. + list_options & LIST_SHOW_HIDDEN_NOTATIONS) ? 4:0)); if (sig->flags.pref_ks && ((opt.list_options & LIST_SHOW_KEYSERVER_URLS) || extended)) diff --git a/g10/keylist.c b/g10/keylist.c index 7bd25de74..1c531126f 100644 --- a/g10/keylist.c +++ b/g10/keylist.c @@ -638,6 +638,7 @@ show_keyserver_url (PKT_signature * sig, int indent, int mode) * Defined bits in WHICH: * 1 - standard notations * 2 - user notations + * 4 - print notations normally hidden */ void show_notation (PKT_signature * sig, int indent, int mode, int which) @@ -653,6 +654,9 @@ show_notation (PKT_signature * sig, int indent, int mode, int which) /* There may be multiple notations in the same sig. */ for (nd = notations; nd; nd = nd->next) { + if (!(which & 4) && !strcmp (nd->name, "manu")) + continue; + if (mode != 2) { int has_at = !!strchr (nd->name, '@'); @@ -1522,11 +1526,11 @@ list_signature_print (ctrl_t ctrl, kbnode_t keyblock, kbnode_t node, if (sig->flags.notation && (opt.list_options & LIST_SHOW_NOTATIONS)) show_notation (sig, 3, 0, ((opt. - list_options & LIST_SHOW_STD_NOTATIONS) ? 1 : 0) - + - ((opt. - list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : - 0)); + list_options & LIST_SHOW_STD_NOTATIONS) ? 1 : 0) + + ((opt. + list_options & LIST_SHOW_USER_NOTATIONS) ? 2 : 0) + + ((opt. + list_options & LIST_SHOW_HIDDEN_NOTATIONS) ? 4 : 0)); if (sig->flags.notation && (opt.list_options diff --git a/g10/mainproc.c b/g10/mainproc.c index ebbe4a6a7..22d12799d 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -2492,7 +2492,9 @@ check_sig_and_print (CTX c, kbnode_t node) show_notation (sig, 0, 1, (((opt.verify_options&VERIFY_SHOW_STD_NOTATIONS)?1:0) - + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0))); + + ((opt.verify_options&VERIFY_SHOW_USER_NOTATIONS)?2:0) + + ((opt.verify_options &VERIFY_SHOW_HIDDEN_NOTATIONS)? 4:0) + )); else show_notation (sig, 0, 2, 0); } diff --git a/g10/options.h b/g10/options.h index fe81a0baf..cd5c19f45 100644 --- a/g10/options.h +++ b/g10/options.h @@ -400,6 +400,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define COMPAT_PARALLELIZED 1 /* Use threaded hashing for signatures. */ #define COMPAT_T7014_OLD 2 /* Use initial T7014 test data. */ #define COMPAT_COMPR_KEYS 4 /* Allow import of compressed keys. (T7014) */ +#define COMPAT_NO_MANU 8 /* Do not include a "manu" notation. */ /* Compliance test macros. */ #define GNUPG (opt.compliance==CO_GNUPG || opt.compliance==CO_DE_VS) @@ -466,6 +467,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define LIST_STORE_X509_NOTATIONS (1<<18) #define LIST_SHOW_OWNERTRUST (1<<19) #define LIST_SHOW_TRUSTSIG (1<<20) +#define LIST_SHOW_HIDDEN_NOTATIONS (1<<21) #define VERIFY_SHOW_PHOTOS (1<<0) #define VERIFY_SHOW_POLICY_URLS (1<<1) @@ -476,6 +478,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode; #define VERIFY_SHOW_UID_VALIDITY (1<<5) #define VERIFY_SHOW_UNUSABLE_UIDS (1<<6) #define VERIFY_SHOW_PRIMARY_UID_ONLY (1<<9) +#define VERIFY_SHOW_HIDDEN_NOTATIONS (1<<21) #define KEYSERVER_HTTP_PROXY (1<<0) #define KEYSERVER_TIMEOUT (1<<1) diff --git a/g10/packet.h b/g10/packet.h index e385966d3..8162ad802 100644 --- a/g10/packet.h +++ b/g10/packet.h @@ -914,6 +914,7 @@ void build_attribute_subpkt(PKT_user_id *uid,byte type, const void *buf,u32 buflen, const void *header,u32 headerlen); struct notation *string_to_notation(const char *string,int is_utf8); +struct notation *name_value_to_notation (const char *name, const char *value); struct notation *blob_to_notation(const char *name, const char *data, size_t len); struct notation *sig_to_notation(PKT_signature *sig); diff --git a/g10/sign.c b/g10/sign.c index 413a6025d..1e8bd8f95 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -66,18 +66,21 @@ typedef struct pt_extra_hash_data_s *pt_extra_hash_data_t; /* - * Create notations and other stuff. It is assumed that the strings in - * STRLIST are already checked to contain only printable data and have - * a valid NAME=VALUE format. + * Create notations and other stuff. It is assumed that the strings + * in STRLIST are already checked to contain only printable data and + * have a valid NAME=VALUE format. If with_manu is set a "manu" + * notation is also added: a value of 1 includes it in the standard + * way and a value of 23 assumes that the data is de-vs compliant. */ static void mk_notation_policy_etc (ctrl_t ctrl, PKT_signature *sig, - PKT_public_key *pk, PKT_public_key *pksk) + PKT_public_key *pk, PKT_public_key *pksk, int with_manu) { const char *string; char *p = NULL; strlist_t pu = NULL; struct notation *nd = NULL; + struct notation *ndmanu = NULL; struct expando_args args; log_assert (sig->version >= 4); @@ -94,6 +97,15 @@ mk_notation_policy_etc (ctrl_t ctrl, PKT_signature *sig, else if (IS_CERT(sig) && opt.cert_notations) nd = opt.cert_notations; + if (with_manu) + { + ndmanu = name_value_to_notation + ("manu", + gnupg_manu_notation_value (with_manu == 23? CO_DE_VS : CO_GNUPG)); + ndmanu->next = nd; + nd = ndmanu; + } + if (nd) { struct notation *item; @@ -113,6 +125,10 @@ mk_notation_policy_etc (ctrl_t ctrl, PKT_signature *sig, xfree (item->altvalue); item->altvalue = NULL; } + /* Restore the original nd and release ndmanu. */ + nd = ndmanu; + ndmanu->next = NULL; + free_notation (ndmanu); } /* Set policy URL. */ @@ -920,7 +936,7 @@ write_plaintext_packet (iobuf_t out, iobuf_t inp, /* * Write the signatures from the SK_LIST to OUT. HASH must be a * non-finalized hash which will not be changes here. EXTRAHASH is - * either NULL or the extra data tro be hashed into v5 signatures. + * either NULL or the extra data to be hashed into v5 signatures. */ static int write_signature_packets (ctrl_t ctrl, @@ -930,6 +946,7 @@ write_signature_packets (ctrl_t ctrl, int status_letter, const char *cache_nonce) { SK_LIST sk_rover; + int with_manu; /* Loop over the certificates with secret keys. */ for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) @@ -966,7 +983,16 @@ write_signature_packets (ctrl_t ctrl, BUG (); build_sig_subpkt_from_sig (sig, pk, 0); - mk_notation_policy_etc (ctrl, sig, NULL, pk); + + if (opt.compliance == CO_DE_VS + && gnupg_rng_is_compliant (CO_DE_VS)) + with_manu = 23; /* FIXME: Also check that the algos are compliant?*/ + else if (!(opt.compat_flags & COMPAT_NO_MANU)) + with_manu = 1; + else + with_manu = 0; + + mk_notation_policy_etc (ctrl, sig, NULL, pk, with_manu); if (opt.flags.include_key_block && IS_SIG (sig)) err = mk_sig_subpkt_key_block (ctrl, sig, pk); else @@ -1813,6 +1839,7 @@ make_keysig_packet (ctrl_t ctrl, gcry_md_hd_t md; u32 pk_keyid[2], pksk_keyid[2]; unsigned int signhints; + int with_manu; log_assert ((sigclass&~3) == SIGCLASS_CERT || sigclass == SIGCLASS_KEY @@ -1884,7 +1911,20 @@ make_keysig_packet (ctrl_t ctrl, sig->sig_class = sigclass; build_sig_subpkt_from_sig (sig, pksk, signhints); - mk_notation_policy_etc (ctrl, sig, pk, pksk); + + with_manu = 0; + if ((signhints & SIGNHINT_SELFSIG) /* Only for self-signatures. */ + && ((sigclass&~3) == SIGCLASS_CERT /* on UIDs and subkeys. */ + || sigclass == SIGCLASS_SUBKEY)) + { + if (opt.compliance == CO_DE_VS + && gnupg_rng_is_compliant (CO_DE_VS)) + with_manu = 23; /* Always in de-vs mode. */ + else if (!(opt.compat_flags & COMPAT_NO_MANU)) + with_manu = 1; + } + + mk_notation_policy_etc (ctrl, sig, pk, pksk, with_manu); /* Crucial that the call to mksubpkt comes LAST before the calls * to finalize the sig as that makes it possible for the mksubpkt diff --git a/sm/keylist.c b/sm/keylist.c index 41e7ca309..faa515ef5 100644 --- a/sm/keylist.c +++ b/sm/keylist.c @@ -179,6 +179,7 @@ static struct /* GnuPG extensions */ { "1.3.6.1.4.1.11591.2.1.1", "pkaAddress" }, + { "1.3.6.1.4.1.11591.2.1.2", "manuNotation" }, { "1.3.6.1.4.1.11591.2.2.1", "standaloneCertificate" }, { "1.3.6.1.4.1.11591.2.2.2", "wellKnownPrivateKey" }, { "1.3.6.1.4.1.11591.2.6.1", "gpgUsageCert", OID_FLAG_KP }, -- cgit v1.2.3 From 67a3020d0f3beed89270f2d004c3da5ee9cbfc63 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 24 Jul 2025 12:30:01 +0200 Subject: gpgsm: Fix caching of the trustlist's flags. * sm/call-agent.c (istrusted_status_cb): Clear the helper flags. -- GnuPG-bug-id: 7738 Fixes-commit: ef2be95258d2e02659e96f6c4df5a9a1a233c8fd which introduced the caching but go the flags wrong. The fallout from this was that the qualified signature consent was show for non QES certificates. Other flags are almost always the same and thus no other harm was done. --- sm/call-agent.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sm/call-agent.c b/sm/call-agent.c index f2b7b6fba..c2875626b 100644 --- a/sm/call-agent.c +++ b/sm/call-agent.c @@ -979,6 +979,9 @@ istrusted_status_cb (void *opaque, const char *line) } else if ((s = has_leading_keyword (line, "TRUSTLISTFPR")) && *s) { + /* We see this only with the "LISTTRUSTED --status" command but + * not with ISTRUSTED. Thus the cache will only be filled by + * the former command. */ istrusted_cache_t ci; ci = xtrymalloc (sizeof *ci + strlen (s)); @@ -988,6 +991,9 @@ istrusted_status_cb (void *opaque, const char *line) memset (&ci->flags, 0, sizeof ci->flags); ci->next = parm->cache; parm->cache = ci; + /* Also need to clear the parm's flags which will be copied to + * the cache. */ + memset (&parm->flags, 0, sizeof ci->flags); } return 0; } -- cgit v1.2.3 From e3cc410003a91e7ab4c267e1285c0c4c57775be9 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 24 Jul 2025 14:12:37 +0200 Subject: gpgv: New option --print-notation. * g10/keylist.c (print_matching_notations): New. * g10/mainproc.c (check_sig_and_print): Call this. * g10/options.h (opt): Add field print_notations. * g10/gpgv.c (oPrintNotation): New. (opts): Add "print-notation". (main): Implement. -- I had the code floating around but can't remember what triggered me to write this. But it might eventually be useful, so better apply it. --- doc/HACKING | 20 ++++++++++++++++++++ doc/gpgv.texi | 5 +++++ g10/gpgv.c | 7 +++++++ g10/keylist.c | 35 +++++++++++++++++++++++++++++++++++ g10/main.h | 1 + g10/mainproc.c | 1 + g10/options.h | 1 + 7 files changed, 70 insertions(+) diff --git a/doc/HACKING b/doc/HACKING index cb7e400fc..8cf49f4bd 100644 --- a/doc/HACKING +++ b/doc/HACKING @@ -443,3 +443,23 @@ plaintext packets and so on. The file g10/encode.c might be a good starting point to see how it is used - actually this is the other way: constructing messages using pushed filters but it may be easier to understand. + +** Notes on how to create test data + +On 2016-02-28 we created a lot of AEAD test data using a command +similar to this: + +--8<---------------cut here---------------start------------->8--- +for algo in eax ocb; do + for csize in 6 7 12 13 14 30; do + for len in 0 $(seq 0 200) $(seq 8100 8200) $(seq 16350 16400) \ + $(seq 20000 20100); do + awk symenc-aead-eax-c$csize-$len.asc + done + done +done +--8<---------------cut here---------------end--------------->8--- diff --git a/doc/gpgv.texi b/doc/gpgv.texi index 159c8dddb..005ff422f 100644 --- a/doc/gpgv.texi +++ b/doc/gpgv.texi @@ -122,6 +122,11 @@ refer to the file descriptor n and not to a file with that name. @opindex assert-pubkey-algo This option works in the same way as described for @command{gpg}. +@item --print-notation @var{name} +@itemx -N @var{name} +If the signature verifies print the notation @var{name} to stdout if +it exists. + @end table @mansect return value diff --git a/g10/gpgv.c b/g10/gpgv.c index 6d3d25f50..686fc8891 100644 --- a/g10/gpgv.c +++ b/g10/gpgv.c @@ -58,6 +58,7 @@ enum cmd_and_opt_values { oQuiet = 'q', oVerbose = 'v', oOutput = 'o', + oPrintNotation = 'N', oBatch = 500, oKeyring, oIgnoreTimeConflict, @@ -91,6 +92,8 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_s (oWeakDigest, "weak-digest", N_("|ALGO|reject signatures made with ALGO")), ARGPARSE_s_n (oEnableSpecialFilenames, "enable-special-filenames", "@"), + ARGPARSE_s_s (oPrintNotation, "print-notation", + N_("|NAME|print the notation NAME to stdout")), ARGPARSE_s_s (oDebug, "debug", "@"), ARGPARSE_s_s (oAssertPubkeyAlgo,"assert-pubkey-algo", "@"), @@ -267,6 +270,10 @@ main( int argc, char **argv ) } break; + case oPrintNotation: + append_to_strlist (&opt.print_notations, pargs.r.ret_str); + break; + default : pargs.err = ARGPARSE_PRINT_ERROR; break; } } diff --git a/g10/keylist.c b/g10/keylist.c index 1c531126f..42e9f65f5 100644 --- a/g10/keylist.c +++ b/g10/keylist.c @@ -709,6 +709,41 @@ show_notation (PKT_signature * sig, int indent, int mode, int which) } +/* Output all the notation data in SIG matching a name given by + * --print-notation to stdout. */ +void +print_matching_notations (PKT_signature *sig) +{ + notation_t nd, notations; + strlist_t sl; + const char *s; + + if (!opt.print_notations) + return; + + notations = sig_to_notation (sig); + for (nd = notations; nd; nd = nd->next) + { + for (sl=opt.print_notations; sl; sl = sl->next) + if (!strcmp (sl->d, nd->name)) + break; + if (!sl || !*nd->value) + continue; + es_fprintf (es_stdout, "%s: ", nd->name); + for (s = nd->value; *s; s++) + { + if (*s == '\n') + es_fprintf (es_stdout, "\n%*s", (int)strlen (nd->name)+2, ""); + else if (*s >= ' ' || *s != '\t') + es_putc (*s, es_stdout); + } + es_putc ('\n', es_stdout); + } + + free_notation (notations); +} + + static void print_signature_stats (struct keylist_context *s) { diff --git a/g10/main.h b/g10/main.h index c0a3d5fa2..5d96b5e27 100644 --- a/g10/main.h +++ b/g10/main.h @@ -488,6 +488,7 @@ void show_preferences (PKT_user_id *uid, int indent, int mode, int verbose); void show_policy_url(PKT_signature *sig,int indent,int mode); void show_keyserver_url(PKT_signature *sig,int indent,int mode); void show_notation(PKT_signature *sig,int indent,int mode,int which); +void print_matching_notations (PKT_signature *sig); void dump_attribs (const PKT_user_id *uid, PKT_public_key *pk); void set_attrib_fd(int fd); void print_key_info (ctrl_t ctrl, estream_t fp, int indent, diff --git a/g10/mainproc.c b/g10/mainproc.c index 22d12799d..5a7961099 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -2497,6 +2497,7 @@ check_sig_and_print (CTX c, kbnode_t node) )); else show_notation (sig, 0, 2, 0); + print_matching_notations (sig); } /* Fill PKSTRBUF with the algostring in case we later need it. */ diff --git a/g10/options.h b/g10/options.h index cd5c19f45..28fc2207a 100644 --- a/g10/options.h +++ b/g10/options.h @@ -214,6 +214,7 @@ struct int no_encrypt_to; int encrypt_to_default_key; int interactive; + strlist_t print_notations; /* Name of notations to print. */ struct notation *sig_notations; struct notation *cert_notations; strlist_t sig_policy_url; -- cgit v1.2.3 From bcbd225f7345dad0bd19a00fef36b0a21d7c6d2a Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 24 Jul 2025 14:23:41 +0200 Subject: artwork: Add some icons from experiments -- These were floating around the working directory. Ley's keep them in the repo. --- artwork/gnupg-favicon-3.ico | Bin 0 -> 1150 bytes artwork/gnupg-lock-rb-256x256tr.png | Bin 0 -> 18957 bytes artwork/gnupg-lock.png | Bin 0 -> 258441 bytes artwork/gnupg-logo-1500x500-inv.png | Bin 0 -> 26326 bytes 4 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 artwork/gnupg-favicon-3.ico create mode 100644 artwork/gnupg-lock-rb-256x256tr.png create mode 100644 artwork/gnupg-lock.png create mode 100644 artwork/gnupg-logo-1500x500-inv.png diff --git a/artwork/gnupg-favicon-3.ico b/artwork/gnupg-favicon-3.ico new file mode 100644 index 000000000..89a496069 Binary files /dev/null and b/artwork/gnupg-favicon-3.ico differ diff --git a/artwork/gnupg-lock-rb-256x256tr.png b/artwork/gnupg-lock-rb-256x256tr.png new file mode 100644 index 000000000..202a4c29a Binary files /dev/null and b/artwork/gnupg-lock-rb-256x256tr.png differ diff --git a/artwork/gnupg-lock.png b/artwork/gnupg-lock.png new file mode 100644 index 000000000..d98ccab8a Binary files /dev/null and b/artwork/gnupg-lock.png differ diff --git a/artwork/gnupg-logo-1500x500-inv.png b/artwork/gnupg-logo-1500x500-inv.png new file mode 100644 index 000000000..b317ecb43 Binary files /dev/null and b/artwork/gnupg-logo-1500x500-inv.png differ -- cgit v1.2.3 From 197142f03bdefa26e40890c6490da0bb6014f96d Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Thu, 24 Jul 2025 14:25:33 +0200 Subject: tools: Add an experimental Windows descryption script. -- I am not sure whether this really works. --- tools/decrypt.bat | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 tools/decrypt.bat diff --git a/tools/decrypt.bat b/tools/decrypt.bat new file mode 100644 index 000000000..808689a11 --- /dev/null +++ b/tools/decrypt.bat @@ -0,0 +1,31 @@ +@echo on +rem Decrypt all files in the input to the output directory. +rem The input directory and the suffixes are defined by +rem constants given below. + +rem Set the input/output directories and the suffixes. +set INDIR=c:\input-files +set OUTDIR=c:\output-files +set INSUFFIX=.gpg +set OUTSUFFIX= +set LOGFILE=%APPDATA%\decrypt.log + +rem No serviceable parts below. + +set GPGARGS=--batch --yes --log-file "%LOGFILE%" --require-compliance +cd %INDIR% +mkdir %OUTDIR% 2>nul +for /R %%f in (*%INSUFFIX%) do ( + setlocal enabledelayedexpansion + for %%i in ("%%f") do ( + set filename=%%~ni + ) + set OUTPATH=%OUTDIR%\!filename!%OUTSUFFIX% + echo Decrypting %%f into !OUTPATH! >> "%LOGFILE%" + gpg %GPGARGS% -o "!OUTPATH!" -d -- "%%f" + if !errorlevel! neq 0 ( + echo Operation failed with return code: %errorlevel% >> "%LOGFILE%" + ) else ( + echo Operation finished successfully >> "%LOGFILE%" + ) +) -- cgit v1.2.3 From 9d356a172e7cc492707a6466d30ede8eb0dcf92d Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 25 Jul 2025 15:06:38 +0200 Subject: dirmngr: Implement command KS_DEL for ldap servers. * dirmngr/ks-action.c (ks_action_del): Change some variable names and comments. * dirmngr/ks-engine-ldap.c (ks_ldap_del): Implement. -- GnuPG-bug-id: 5447 Tested using OpenLDAP on Linux and with an LDS and AD on Windows. --- dirmngr/ks-action.c | 6 +-- dirmngr/ks-action.h | 2 +- dirmngr/ks-engine-ldap.c | 112 ++++++++++++++++++++++++++++++++++++++++++++--- dirmngr/ks-engine.h | 2 +- dirmngr/server.c | 7 ++- g10/sign.c | 2 +- 6 files changed, 114 insertions(+), 17 deletions(-) diff --git a/dirmngr/ks-action.c b/dirmngr/ks-action.c index 6be2072e9..dd1865d4f 100644 --- a/dirmngr/ks-action.c +++ b/dirmngr/ks-action.c @@ -551,7 +551,7 @@ ks_action_put (ctrl_t ctrl, uri_item_t keyservers, /* Delete an OpenPGP key from all KEYSERVERS which use LDAP. The key * is specifified by PATTERNS. */ gpg_error_t -ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t patterns) +ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t fprlist) { gpg_error_t err = 0; gpg_error_t first_err = 0; @@ -567,7 +567,7 @@ ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t patterns) || uri->parsed_uri->opaque ) { any_server = 1; - err = ks_ldap_del (ctrl, uri->parsed_uri, patterns); + err = ks_ldap_del (ctrl, uri->parsed_uri, fprlist); if (err && !first_err) first_err = err; } @@ -575,7 +575,7 @@ ks_action_del (ctrl_t ctrl, uri_item_t keyservers, strlist_t patterns) } if (!any_server) - err = gpg_error (GPG_ERR_NO_KEYSERVER); /* Actual: No LDAP keyserver */ + err = gpg_error (GPG_ERR_NO_KEYSERVER); /* No LDAP keyserver */ else if (!err && first_err) err = first_err; return err; diff --git a/dirmngr/ks-action.h b/dirmngr/ks-action.h index d222d6afe..0df497266 100644 --- a/dirmngr/ks-action.h +++ b/dirmngr/ks-action.h @@ -34,7 +34,7 @@ gpg_error_t ks_action_put (ctrl_t ctrl, uri_item_t keyservers, void *data, size_t datalen, void *info, size_t infolen); gpg_error_t ks_action_del (ctrl_t ctrl, uri_item_t keyservers, - strlist_t patterns); + strlist_t fprlist); gpg_error_t ks_action_query (ctrl_t ctrl, const char *ldapserver, unsigned int ks_get_flags, const char *filter, char **attr, diff --git a/dirmngr/ks-engine-ldap.c b/dirmngr/ks-engine-ldap.c index ff4f005f4..9bb604707 100644 --- a/dirmngr/ks-engine-ldap.c +++ b/dirmngr/ks-engine-ldap.c @@ -3048,15 +3048,113 @@ ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri, } -/* Delete the keys given by PATTERNS from the keyserver identified by - * URI. */ +/* Delete the keys given by the list of fingerprints in FPRLIST from + * the keyserver identified by URI. The function stops at the first + * error encountered. */ gpg_error_t -ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t patterns) +ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t fprlist) { - (void)ctrl; - (void)uri; - (void)patterns; - return gpg_error (GPG_ERR_NOT_IMPLEMENTED); + gpg_error_t err = 0; + int ldap_err; + unsigned int serverinfo; + LDAP *ldap_conn = NULL; + char *basedn = NULL; + char *dn = NULL; + strlist_t fpr; + unsigned int count = 0; + unsigned int totalcount = 0; + + if (dirmngr_use_tor ()) + { + return no_ldap_due_to_tor (ctrl); + } + + for (fpr = fprlist; fpr; fpr = fpr->next) + totalcount++; + + err = my_ldap_connect (uri, 0, &ldap_conn, &basedn, NULL, NULL, &serverinfo); + if (err || !basedn) + { + if(opt.verbose) + log_info ("%s: connecting to server failed\n", __func__); + if (!err) + err = gpg_error (GPG_ERR_GENERAL); /* (no baseDN) */ + goto leave; + } + + if (!(serverinfo & SERVERINFO_REALLDAP)) + { + if(opt.verbose) + log_info ("%s: The PGP.com keyserver is not supported\n", __func__); + err = gpg_error (GPG_ERR_NOT_SUPPORTED); + goto leave; + } + + if (!(serverinfo & SERVERINFO_SCHEMAV2)) + { + if(opt.verbose) + log_info ("%s: The keyserver does not support the v2 schema\n", + __func__); + err = gpg_error (GPG_ERR_NOT_SUPPORTED); + goto leave; + } + + if (opt.verbose) + log_info ("%s: Using DN: %s,%s\n", __func__, + (serverinfo & SERVERINFO_NTDS)? "CN=" + /* */ : "pgpCertID=", + basedn); + for (fpr = fprlist; fpr; fpr = fpr->next) + { + if ((serverinfo & SERVERINFO_NTDS)) + { + xfree (dn); + dn = xtryasprintf ("CN=%s,%s", fpr->d, basedn); + } + else + { + unsigned int off; + + /* Simle method to get the keyID. Note that a v5 key + * (len>40) has the keyid at the left. If the length is + * less than 17 we assume a keyid has been given. */ + off = strlen (fpr->d); + if (off <= 40 && off > 16) + off = off - 16; + else + off = 0; + + xfree (dn); + dn = xtryasprintf ("pgpCertID=%.16s,%s", fpr->d+off, basedn); + } + + npth_unprotect (); + ldap_err = ldap_delete_ext_s (ldap_conn, dn, NULL, NULL); + npth_protect (); + if (ldap_err == LDAP_SUCCESS) + { + if (opt.verbose) + log_info ("%s: key %s deleted\n", __func__, fpr->d); + count++; + } + else + { + log_error ("%s: error deleting key %s: %s\n", + __func__, fpr->d, ldap_err2string (ldap_err)); + err = ldap_err_to_gpg_err (ldap_err); + break; /* Stop at the first failed deletion. */ + } + } + log_info ("%s: number of keys deleted: %u of %u\n", + __func__, count, totalcount); + + + leave: + if (ldap_conn) + ldap_unbind (ldap_conn); + xfree (dn); + xfree (basedn); + return err; } diff --git a/dirmngr/ks-engine.h b/dirmngr/ks-engine.h index dfc626d56..005d07490 100644 --- a/dirmngr/ks-engine.h +++ b/dirmngr/ks-engine.h @@ -82,7 +82,7 @@ gpg_error_t ks_ldap_get (ctrl_t ctrl, parsed_uri_t uri, gpg_error_t ks_ldap_put (ctrl_t ctrl, parsed_uri_t uri, void *data, size_t datalen, void *info, size_t infolen); -gpg_error_t ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t patterns); +gpg_error_t ks_ldap_del (ctrl_t ctrl, parsed_uri_t uri, strlist_t fprlist); gpg_error_t ks_ldap_query (ctrl_t ctrl, parsed_uri_t uri, unsigned int ks_get_flags, const char *filter, char **attrs, diff --git a/dirmngr/server.c b/dirmngr/server.c index 3ad939a6b..747d0a914 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -2723,11 +2723,10 @@ cmd_ks_put (assuan_context_t ctx, char *line) static const char hlp_ks_del[] = - "KS_DEL --ldap {}\n" + "KS_DEL --ldap {}\n" "\n" - "Delete the keys matching PATTERN from the configured OpenPGP LDAP server\n" - "The pattern should be a fingerprint.\n" - "The option --ldap is mandatory.\n"; + "Delete the keys specified by primary keys FINGERPRINTS from the\n" + "configured OpenPGP LDAP server. The option --ldap is mandatory."; static gpg_error_t cmd_ks_del (assuan_context_t ctx, char *line) { diff --git a/g10/sign.c b/g10/sign.c index 1e8bd8f95..b3bda581c 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -825,7 +825,7 @@ write_onepass_sig_packets (SK_LIST sk_list, IOBUF out, int sigclass ) /* * Helper to write the plaintext (literal data) packet. At - * R_EXTRAHASH a malloced object with the with the extra data hashed + * R_EXTRAHASH a malloced object with the extra data hashed * into v5 signatures is stored. */ static int -- cgit v1.2.3 From 75b616d0d866c244091ca751e2777539db4caf31 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 25 Jul 2025 15:51:02 +0200 Subject: po: Translate a new string to German. -- --- po/de.po | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/po/de.po b/po/de.po index 7da629ec1..aede80192 100644 --- a/po/de.po +++ b/po/de.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-2.4.1\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"PO-Revision-Date: 2025-06-02 15:40+0200\n" +"PO-Revision-Date: 2025-07-25 15:50+0200\n" "Last-Translator: Werner Koch \n" "Language-Team: German\n" "Language: de\n" @@ -2693,6 +2693,9 @@ msgstr "|FD|Statusinfo auf FD (Dateihandle) ausgeben" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|Weise mit ALGO erstellte Signaturen zurück" +msgid "|NAME|print the notation NAME to stdout" +msgstr "|NAME|Gebe die \"Notation\" NAME auf stdout aus" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Aufruf: gpgv [Optionen] [Dateien] (-h für Hilfe)" -- cgit v1.2.3 From 0844b90ec282b5bd33ecfd8d3174a03176f29c0d Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 25 Jul 2025 15:51:33 +0200 Subject: po: msgmerge -- --- po/ca.po | 3 +++ po/cs.po | 3 +++ po/da.po | 3 +++ po/el.po | 3 +++ po/eo.po | 3 +++ po/es.po | 3 +++ po/et.po | 3 +++ po/fi.po | 3 +++ po/fr.po | 3 +++ po/gl.po | 3 +++ po/hu.po | 3 +++ po/id.po | 3 +++ po/it.po | 3 +++ po/ja.po | 3 +++ po/nb.po | 3 +++ po/nl.po | 3 +++ po/pl.po | 3 +++ po/pt.po | 3 +++ po/ro.po | 3 +++ po/ru.po | 3 +++ po/sk.po | 3 +++ po/sv.po | 3 +++ po/tr.po | 3 +++ po/uk.po | 3 +++ po/zh_CN.po | 3 +++ po/zh_TW.po | 3 +++ 26 files changed, 78 insertions(+) diff --git a/po/ca.po b/po/ca.po index 69187fa15..30ad2159f 100644 --- a/po/ca.po +++ b/po/ca.po @@ -2897,6 +2897,9 @@ msgstr "|FD|escriu informació d'estat en aquest FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Forma d'ús: gpgv [opcions] [fitxers] (-h per a veure l'ajuda)" diff --git a/po/cs.po b/po/cs.po index 6c7227e2c..f70c565f8 100644 --- a/po/cs.po +++ b/po/cs.po @@ -2692,6 +2692,9 @@ msgstr "|FD|zapsat informace o stavu do tohoto FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGORITMUS|zamítnout podpisy založené na ALGORITMU" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Použití: gpg [volby] [soubory] (-h pro pomoc)" diff --git a/po/da.po b/po/da.po index 7b649a05a..c4f865e0a 100644 --- a/po/da.po +++ b/po/da.po @@ -2944,6 +2944,9 @@ msgstr "|FD|skriv statusinformation til denne FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Brug: gpgv [tilvalg] [filer] (-h for hjælp)" diff --git a/po/el.po b/po/el.po index 4c9457803..b9b453c7d 100644 --- a/po/el.po +++ b/po/el.po @@ -2818,6 +2818,9 @@ msgstr "|FD|εγγραφή των πληροφοριών κατάστασης σ msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Χρήση: gpgv [επιλογές] [αρχεία] (-h για βοήθεια)" diff --git a/po/eo.po b/po/eo.po index e24fae7c6..ce723aab6 100644 --- a/po/eo.po +++ b/po/eo.po @@ -2793,6 +2793,9 @@ msgstr "|FD|skribi statusinformojn al FD (dosierpriskribilo)" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + #, fuzzy msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Uzado: gpg [opcioj] [dosieroj] (-h por helpo)" diff --git a/po/es.po b/po/es.po index 3baf69798..e1dbf9399 100644 --- a/po/es.po +++ b/po/es.po @@ -2773,6 +2773,9 @@ msgstr "|FD|escribe información de estado en este descriptor de fichero" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|rechaza firmas hechas con ALGO" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Uso: gpgv [opciones] [ficheros] (-h para ayuda)" diff --git a/po/et.po b/po/et.po index 9b49b1139..b71bc2412 100644 --- a/po/et.po +++ b/po/et.po @@ -2802,6 +2802,9 @@ msgstr "|FP|kirjuta olekuinfo sellesse failipidemesse" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Kasuta: gpgv [võtmed] [failid] (-h näitab abiinfot)" diff --git a/po/fi.po b/po/fi.po index ea5a46645..85120dfd5 100644 --- a/po/fi.po +++ b/po/fi.po @@ -2820,6 +2820,9 @@ msgstr "|FD|tilatiedot kirjoitetaan FD:iin" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Käyttö: gpgv [valitsimet] [tiedostot] (-h näyttää ohjeen)" diff --git a/po/fr.po b/po/fr.po index 6699bf5eb..82aac3d5a 100644 --- a/po/fr.po +++ b/po/fr.po @@ -2720,6 +2720,9 @@ msgstr "|FD|écrire l'état sur ce descripteur" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|rejeter les signatures faites avec ALGO" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Utilisation : gpgv [options] [fichiers] (-h pour l'aide)" diff --git a/po/gl.po b/po/gl.po index 0b2b07a78..3bb345c14 100644 --- a/po/gl.po +++ b/po/gl.po @@ -2810,6 +2810,9 @@ msgstr "|DF|escribi-la información de estado a este DF" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Uso: gpgv [opcións] [ficheiros] (-h para ve-la axuda)" diff --git a/po/hu.po b/po/hu.po index 2654d337f..283cca9b8 100644 --- a/po/hu.po +++ b/po/hu.po @@ -2802,6 +2802,9 @@ msgstr "|ÁL|állapotinformációk írása ÁL állományleíróra" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Használat: gpgv [opciók] [fájlok] (-h a súgóhoz)" diff --git a/po/id.po b/po/id.po index 480d494a0..12d4917e5 100644 --- a/po/id.po +++ b/po/id.po @@ -2808,6 +2808,9 @@ msgstr "|FD|tulis info status ke FD ini" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Pemakaian: gpgv [opsi] [file] (-h untuk bantuan)" diff --git a/po/it.po b/po/it.po index d79178034..46c9f7e85 100644 --- a/po/it.po +++ b/po/it.po @@ -2704,6 +2704,9 @@ msgstr "|FD|scrivi le informazioni di stato sul FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|rifiuta le firme fatte con ALGO" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Uso: gpgv [opzioni] [file] (-h per l'aiuto)" diff --git a/po/ja.po b/po/ja.po index ff50d19cb..4a0e66d96 100644 --- a/po/ja.po +++ b/po/ja.po @@ -2618,6 +2618,9 @@ msgstr "|FD|このFDにステイタス情報を書き出す" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|ALGOで作成された署名を拒絶する" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "使い方: gpgv [オプション] [ファイル] (ヘルプは -h)" diff --git a/po/nb.po b/po/nb.po index c57fab67d..f1f5552b2 100644 --- a/po/nb.po +++ b/po/nb.po @@ -2730,6 +2730,9 @@ msgstr "|FD|skrive statusinfo til denne FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|avvis signaturer som er laget med valgt ALGOritme" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Bruk: gpgv [valg] [filer] (-h for hjelp)" diff --git a/po/nl.po b/po/nl.po index da858d528..f5702d1b7 100644 --- a/po/nl.po +++ b/po/nl.po @@ -2771,6 +2771,9 @@ msgstr "|FD|statusinformatie naar deze bestandsindicator (FD) schrijven" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|handtekeningen gemaakt met ALGO verwerpen" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Gebruik: gpgv [opties] [bestanden] (-h voor hulp)" diff --git a/po/pl.po b/po/pl.po index 3faf79100..880f74ff3 100644 --- a/po/pl.po +++ b/po/pl.po @@ -2661,6 +2661,9 @@ msgstr "|FD|pisanie opisu stanu do deskryptora FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|odrzucanie podpisów wykonanych podanym ALGOrytmem" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Składnia: gpgv [opcje] [pliki] (-h wyświetla pomoc)" diff --git a/po/pt.po b/po/pt.po index cf143b463..42b96b7fd 100644 --- a/po/pt.po +++ b/po/pt.po @@ -2706,6 +2706,9 @@ msgstr "|FD|escrever informações de status para este FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|rejeitar assinaturas feitas com ALGO" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Uso: gpgv [opções] [ficheiros] (-h para ajuda)" diff --git a/po/ro.po b/po/ro.po index ade7bb1d6..6489151a4 100644 --- a/po/ro.po +++ b/po/ro.po @@ -2874,6 +2874,9 @@ msgstr "|FD|scrie informaţii de stare în acest FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Folosire: gpgv [opţiuni] [fişiere] (-h pentru ajutor)" diff --git a/po/ru.po b/po/ru.po index cde80adf8..88f223da0 100644 --- a/po/ru.po +++ b/po/ru.po @@ -2732,6 +2732,9 @@ msgstr "|FD|выводить информацию в файл с дескрип msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|отвергать подписи, сделанные по данному алгоритму" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Вызов: gpgv [параметры] [файлы] (-h - подсказка)" diff --git a/po/sk.po b/po/sk.po index bc1a819e1..b075047ac 100644 --- a/po/sk.po +++ b/po/sk.po @@ -2822,6 +2822,9 @@ msgstr "|FD|zapísať informácie o stave do tohto FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Použitie: gpgv [možnosti] [súbory] (-h pre pomoc)" diff --git a/po/sv.po b/po/sv.po index 85de7c22d..95521e160 100644 --- a/po/sv.po +++ b/po/sv.po @@ -3004,6 +3004,9 @@ msgstr "|FD|skriv statusinformation till denna FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Användning: gpgv [flaggor] [filer] (-h för hjälp)" diff --git a/po/tr.po b/po/tr.po index 14eebb652..8b4e939ee 100644 --- a/po/tr.po +++ b/po/tr.po @@ -2650,6 +2650,9 @@ msgstr "|FD|durum bilgisini bu FD'ye yaz" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|ALGO ile yapılan algoritmaları reddet" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Kullanım: gpgv [seçenekler] [dosyalar] (yardım için -h)" diff --git a/po/uk.po b/po/uk.po index 20a98dd6a..ff9bca2f2 100644 --- a/po/uk.po +++ b/po/uk.po @@ -2771,6 +2771,9 @@ msgstr "|FD|записувати до дескриптора файла дані msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|відкидати підписи, створені за допомогою алгоритму ALGO" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "Використання: gpgv [параметри] [файли] (-h — довідка)" diff --git a/po/zh_CN.po b/po/zh_CN.po index 8e0c267af..0d236b296 100644 --- a/po/zh_CN.po +++ b/po/zh_CN.po @@ -2620,6 +2620,9 @@ msgstr "|FD|把状态信息写入文件描述符 FD" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|拒绝由 ALGO 生成的签名" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "用法:gpgv [选项] [文件] (-h 获取帮助)" diff --git a/po/zh_TW.po b/po/zh_TW.po index 183967815..29489b9ff 100644 --- a/po/zh_TW.po +++ b/po/zh_TW.po @@ -2588,6 +2588,9 @@ msgstr "|檔案描述子|把狀態資訊寫入指定檔案描述子" msgid "|ALGO|reject signatures made with ALGO" msgstr "|ALGO|駁回使用演算法建立的簽章" +msgid "|NAME|print the notation NAME to stdout" +msgstr "" + msgid "Usage: gpgv [options] [files] (-h for help)" msgstr "用法: gpgv [選項] [檔案] (或用 -h 求助)" -- cgit v1.2.3 From 5aa89960aee3b4e1d84deca669433e2b14a4b00e Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 25 Jul 2025 15:52:14 +0200 Subject: Release 2.5.10 --- NEWS | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 6e3eb152a..cae3bbfe8 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,20 @@ -Noteworthy changes in version 2.5.10 (unreleased) +Noteworthy changes in version 2.5.10 (2025-07-25) ------------------------------------------------- + * gpg: Add a notation with version information to signatures. See + doc/DETAILS for, well, details. [rG11d3a83b04] + + * gpgv: New option --print-notation. [rGe3cc410003] + + * gpgsm: Fix caching of the trustlist's flags. [T7738] + + * agent: Fix for smartcard decryption returning x-coordinate only. + [T7709] + + * agent: Another fix for a regression with unknown curves and ssh. + See also 2.5.4. [rG55db12472f] + + * dirmngr: Implement command KS_DEL for ldap servers. [T5447] Release-info: https://dev.gnupg.org/T7719 -- cgit v1.2.3 From ca9faeb25ccb743c7d2fab4dd93025e9d4a25d36 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 25 Jul 2025 16:06:27 +0200 Subject: Post release updates -- --- NEWS | 6 ++++++ configure.ac | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index cae3bbfe8..b0e7dff1e 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,9 @@ +Noteworthy changes in version 2.5.11 (unreleased) +------------------------------------------------- + + Release-info: https://dev.gnupg.org/T7743 + + Noteworthy changes in version 2.5.10 (2025-07-25) ------------------------------------------------- diff --git a/configure.ac b/configure.ac index 8eeb98204..023604b8a 100644 --- a/configure.ac +++ b/configure.ac @@ -29,7 +29,7 @@ min_automake_version="1.16.3" m4_define([mym4_package],[gnupg]) m4_define([mym4_major], [2]) m4_define([mym4_minor], [5]) -m4_define([mym4_micro], [10]) +m4_define([mym4_micro], [11]) # To start a new development series, i.e a new major or minor number # you need to mark an arbitrary commit before the first beta release -- cgit v1.2.3 From fe62b4b00bc6b396be12561f66997a4a80cb12d2 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Tue, 29 Jul 2025 15:15:43 +0900 Subject: agent: Fix for smartcard decryption, checking compressed format. * agent/agent.h (agent_card_pkdecrypt): Fix the type of R_BUF. * agent/call-scd.c (agent_card_pkdecrypt): Likewise. * agent/divert-scd.c (divert_pkdecrypt): Follow the change. * agent/divert-scd.c (agent_card_ecc_kem): The prefix may be 0x02 or 0x03 depending on hidden y-coordinate. -- Fixes-commit: 4ad08a8998fa16f8329fb57b0a47fe7a9b973700 GnuPG-bug-id: 7709 Signed-off-by: NIIBE Yutaka --- agent/agent.h | 3 ++- agent/call-scd.c | 2 +- agent/divert-scd.c | 7 ++++--- 3 files changed, 7 insertions(+), 5 deletions(-) diff --git a/agent/agent.h b/agent/agent.h index e891981b2..d1192f505 100644 --- a/agent/agent.h +++ b/agent/agent.h @@ -769,7 +769,8 @@ int agent_card_pkdecrypt (ctrl_t ctrl, void *getpin_cb_arg, const char *desc_text, const unsigned char *indata, size_t indatalen, - char **r_buf, size_t *r_buflen, int *r_padding); + unsigned char **r_buf, size_t *r_buflen, + int *r_padding); int agent_card_readcert (ctrl_t ctrl, const char *id, char **r_buf, size_t *r_buflen); diff --git a/agent/call-scd.c b/agent/call-scd.c index 28669206c..f47deb83e 100644 --- a/agent/call-scd.c +++ b/agent/call-scd.c @@ -609,7 +609,7 @@ agent_card_pkdecrypt (ctrl_t ctrl, void *getpin_cb_arg, const char *desc_text, const unsigned char *indata, size_t indatalen, - char **r_buf, size_t *r_buflen, int *r_padding) + unsigned char **r_buf, size_t *r_buflen, int *r_padding) { int rc; char line[ASSUAN_LINELENGTH]; diff --git a/agent/divert-scd.c b/agent/divert-scd.c index 15d1abd8d..e0b5164b5 100644 --- a/agent/divert-scd.c +++ b/agent/divert-scd.c @@ -394,7 +394,7 @@ divert_pkdecrypt (ctrl_t ctrl, int depth; const unsigned char *ciphertext; size_t ciphertextlen; - char *plaintext; + unsigned char *plaintext; size_t plaintextlen; bin2hex (grip, 20, hexgrip); @@ -504,7 +504,7 @@ agent_card_ecc_kem (ctrl_t ctrl, const unsigned char *ecc_ct, size_t ecc_point_len, unsigned char *ecc_ecdh) { gpg_error_t err = 0; - char *ecdh = NULL; + unsigned char *ecdh = NULL; size_t len; int rc; char hexgrip[KEYGRIP_LEN*2+1]; @@ -517,7 +517,8 @@ agent_card_ecc_kem (ctrl_t ctrl, const unsigned char *ecc_ct, if (len == ecc_point_len) memcpy (ecc_ecdh, ecdh, len); - else if (len && (len - 1) * 2 == ecc_point_len - 1 && ecdh[0] == 0x02) + else if (len && (len - 1) * 2 == ecc_point_len - 1 + && (ecdh[0] & ~1) == 0x02) { /* It's x-coordinate-only (compressed) point representation. */ memcpy (ecc_ecdh, ecdh, len); -- cgit v1.2.3