* src/gpgme.h.in (gpgme_op_setexpire_start, gpgme_op_setexpire): New.
* src/libgpgme.vers, src/gpgme.def: Add new functions.
* src/genkey.c (setexpire): New.
(gpgme_op_setexpire_start, gpgme_op_setexpire): New.
* src/engine.h, src/engine.c: (_gpgme_engine_op_setexpire): New.
* src/engine-backend.h (engine_ops): Add 'setexpire' and adjust all
engine initializers.
* src/engine-gpg.c (gpg_setexpire): New.
(_gpgme_engine_ops_gpg): Set setexpire to gpg_setexpire.
* doc/gpgme.texi: Document new functions.
* tests/run-genkey.c: Add option --setexpire.
--
This extends GPGME to support the --quick-set-expire command
added by GnuPG 2.1.22. This allows changing subkeys expiry
date without going through the editinteractor interface.
Co-authored-by: Andre Heinecke <aheinecke@gnupg.org>
GnuPG-bug-id: 4999
* src/gpgme.h.in: Clarify that the trustlist function should not be
used.
* src/engine.c (_gpgme_engine_op_trustlist): Always return an error.
* src/engine-backend.h (struct engine_ops): Remove trustlist member.
* src/engine-gpg.c (gpg_trustlist): Remove.
(struct engine_ops): Remove that member. Also in all other engines.
* tests/gpg/t-trustlist.c: Remove.
* lang/python/tests/t-trustlist.py: Remove.
--
This never worked in reality because the required feature has been
removed from GnuPG version 1.3.2 soon after introduction of this
feature in gpgme - 17 years ago. It was anyway marked as
experimental. We keep the API and ABI, though.
GnuPG-bug-id: 4834
Signed-off-by: Werner Koch <wk@gnupg.org>
* doc/gpgme.texi (gpgme_verify_result_t): Explain
GPGME_STATUS_NO_ERROR more clearly.
--
This might help to avoid misunderstandings how the
status can be interpreted and explains why a verify
of unsigned PGP Data returns no error.
As a reaction to CVE-2020-10759 discovered by Justin Steven.
* doc/gpgme.texi: Fixes version number from 1.8.0 to
1.9.0 for GPGME_CREATE_NOEXPIRE.
GnuPG-Bug-Id: T4922
Signed-off-by: dupgit <olivier.delhomme@free.fr>
* src/engine-gpg.c (gpg_keylist_build_options): Send --with-keygrip
if --with-secret is used.
--
Since GnuPG 2.2.19 the keygrip was not anymore send if only
--with-secret was used in a public key listing. Given that
--with-secret requires computation of the keygrip anyway, there is no
point in not requesting the keyrip in this case.
GnuPG-bug-id: 4820
* src/gpgme.h.in (struct _gpgme_user_id): Add field 'uidhash'.
* src/key.c (gpgme_key_unref): Free it.
* src/keylist.c (keylist_colon_handler): Set it.
* tests/run-keylist.c (main): Print it.
--
The uidhash value is part of gpg's output since the year 2005. This
now adds support to gpgme. The application for uidhash is to select
a user id in an edit interactor: Instead of giving the number of the
user id, the uidhash value can be be used to avoid tracking the user
id numbers.
Signed-off-by: Werner Koch <wk@gnupg.org>
* doc/Makefile.am: Remove uiserver.texi
* doc/gpgme.texi: Remove UI-Server mentions.
* doc/uiserver.texi: Removed.
--
This prepares the removal of UI Server from implementing
applications like Kleopatra.
The only user of the UI Server is GpgEX and even that
does not need it at all and is better served with process
calls.
GnuPG-Bug-Id: T4030
* src/context.h (gpgme_context): Add new flag for extended-edit.
* src/engine-gpg.c (append_args_from_sig_notations): Add flags to
control the kind of notations.
(gpg_edit): Respect extended-edit and notations.
(gpg_encrypt_sign, gpg_sign): Update call to
append_args_from_sig_notations.
* src/gpgme.c (gpgme_set_ctx_flag, gpgme_get_ctx_flag): Support
extended-edit.
* NEWS, doc/gpgme.texi: Mention extended-edit.
--
This provides a way to get the extended key-edit interface without
breaking bad state machines that rely on the current command flow.
A use case for this is to enable multiple local signatures, which
can be used together with annotations for:
GnuPG-Bug-Id: T4734
* src/context.h (gpgme_context): Extend with trust_model.
* src/engine-gpg.c (engine_gpg): Extend with trust_model.
(gpg_set_engine_flags): Take trust_model from context.
(build_argv): Handle trust_model.
(gpg_release): Free trust_model.
* src/gpgme.c (gpgme_set_ctx_flag): Handle trust-model flag.
(gpgme_release): Release trust-model.
* doc/gpgme.texi: Document new flag for gpgme_set_ctx_flag.
(Context Flags): New subsection for the context flags.
* tests/run-keylist.c (show_usage, main): Add new --trust-model
parameter.
--
This gives a GPGME user fine grained control over the
trust-model.
Changing the trust model for only a single application depends
on:
GnuPG-Bug-Id: T4134
Maniphest Tasks: T4134
Differential Revision: https://dev.gnupg.org/D466
* gpgme.spec.in: Added gpgme-python-howto.info build on the grounds
that it now deals with certain possible installation issues and end
users encountering them would want the docs to hand.
* doc/gpgme.texi: updated the copyright year to this year.
* src/gpgme.h.in (gpgme_data_new_from_estream): New.
* src/data-estream.c: New.
* src/data.h (gpgme_data): New union member e_stream.
--
The estream functions (gpgrt_fopen et al.) are any waypart of the
required libgpg-error library and thus it makes sense to provide this
convenience interface.
Signed-off-by: Werner Koch <wk@gnupg.org>
* doc/gpgme.texi (GPGME_KEYLIST_MODE_EXTERN),
(GPGME_KEYLIST_MODE_LOCATE, GPGME_KEYLIST_MODE_LOCAL): Mention
command line flags for CMS and OpenPGP Protocol.
--
This might help new users coming to gnupg to understand what
the flags do.
* src/engine-gpg.c (engine_gpg): Add diagnostics member.
(gpg_release): Release diagnostics data.
(gpg_new): Set up logger-fd and diagnostics.
(gpg_getauditlog): New. Copy diagnostics to a user data.
(engine_ops): Add getauditlog.
* src/engine-gpgsm.c (gpgsm_getauditlog): Return not implemented
for GPGME_AUDITLOG_DIAG.
* src/getauditlog.c (getauditlog_start): Don't reset engine
for diagnostics.
* src/gpgme.h.in (GPGME_AUDITLOG_DIAG): New.
(GPGME_AUDITLOG_DEFAULT): New alias to 0.
* tests/run-decrypt.c (show_usage, main): Add --diagnostics.
* doc/gpgme.texi(Additional Logs): Document getauditlog.
--
This enables users of GPGME to get more verbose information
from gpg which can assist users in figuring out a problem
that was before hidden behind a generalized error like
"Decryption Failed".
For GPGSM it is not yet available as it is problematic to
get it properly in server mode and GPGSM already had the
original audit log mechanism in place.
GPGME_AUDITLOG_DEFAULT was added for a more explicit
documentation.
* src/gpgme.h.in (_gpgme_op_decrypt_result): Add flag
legacy_cipher_nomdc.
* src/decrypt.c (parse_status_error): Set this flag.
* tests/run-decrypt.c (print_result): print it.
(main): Print the result even on error.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/decrypt.c (struct op_data_t): Add field not_integrity_protected.
(parse_decryption_info): Set this. Also rename mode to aead_algo for
clarity.
(_gpgme_decrypt_status_handler): Force failure in case of a missing
MDC.
--
This extra check makes sure that a missing or stripped MDC in
- gpg < 2.1
- or gpg 2.2 with an old cipher algorithm
will lead to a decryption failure. gpg 2.3 will always fail in this
case. Implementing this check here and not backporting the 2.3 change
to 2.2 has the benefit that all GPGME using applications are protected
but scripts relying on rfc2440 (i.e. without MDC) will only break when
migrating to 2.3.
Note that S/MIME has no integrity protection mechanism but gpgsm
neither emits a DECRYPTION_INFO status line, so an error will not be
triggered. If in the future gpgsm supports authenticated encryption
it may issue a DECRYPTION_INFO line to force a failure here but it
will in that case also emit a DECRYPTION_FAILED anyway.
GnuPG-bug-id: 3981
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/op-support.c (_gpgme_parse_plaintext): Add arg r_mime.
* src/decrypt.c (_gpgme_decrypt_status_handler): Ser mime flag.
* src/verify.c (_gpgme_verify_status_handler): Ditto.
* src/gpgme.h.in (gpgme_op_verify_result_t): Append fields 'is_mime'
and '_unused'.
(gpgme_op_decrypt_result_t): New field 'is_mime'. Shrink '_unused'.
* tests/run-decrypt.c (print_result): Print MIME flag.
* tests/run-verify.c (print_result): Ditto.
--
Note that this flag (Liternal Data packet's 'm' mode) is only
specified in RFC-4880bis. To use it you currently need to add
"rfc4880bis" to the the gpg.conf.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/engine-gpg.c (append_args_from_recipients_string): Add new
flags.
--
Now you can use gpgme to encrypt without first importing a key.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/engine-gpg.c (struct engine_gpg): New flag.offline.
(gpg_set_engine_flags): Set it. Also fix setting of no_symkey_cache.
(build_argv): Pass --disable-dirmngr in offline mode.
--
GnuPG-bug-id: 3831
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.h.in (gpgme_op_encrypt_ext_start) New.
(gpgme_op_encrypt_ext): New.
(gpgme_op_encrypt_sign_ext_start): New.
(gpgme_op_encrypt_sign_ext): New.
* src/libgpgme.vers, tests/run-encrypt.c: Add them.
* src/encrypt.c (encrypt_start): Add arg recpstring.
(gpgme_op_encrypt): Factor code out to ...
(gpgme_op_encrypt_ext): new function with new arg recpstring.
(gpgme_op_encrypt_start): Factor code out to ...
(gpgme_op_encrypt_ext_start): new function with new arg recpstring.
* src/encrypt-sign.c (encrypt_sign_start): Add arg recpstring.
(gpgme_op_encrypt_sign): Factor code out to ...
(gpgme_op_encrypt_sign_ext): new function with new arg recpstring.
(gpgme_op_encrypt_sign_start): Factor code out to ...
(gpgme_op_encrypt_sign_ext_start): new function with new arg
recpstring.
* src/engine-backend.h (struct engine_ops): Change fields encrypt and
encrypt_sign.
* src/engine.c (_gpgme_engine_op_encrypt): Add arg recpstring and pass
to engine.
(_gpgme_engine_op_encrypt_sign): Ditto.
* src/engine-gpg.c (append_args_from_recipients_string): New.
(gpg_encrypt): Add arg recpstring and call new function as needed.
(gpg_encrypt_sign): Ditto.
* src/engine-gpgsm.c (set_recipients_from_string): New.
(gpgsm_encrypt): Add arg recpstring and call new function as needed.
* src/engine-uiserver.c (set_recipients_from_string): New.
(uiserver_encrypt): Add arg recpstring and call new function as
needed.
* tests/run-encrypt.c (xstrdup): New.
(main): Add option --keystring.
* src/gpgme-json.c (get_keys): Simplify.
(op_encrypt): Modify to make use of the extended encrypt function.
--
This new feature can be used to avoid the need for a key lookup and
thus several extra calls to the backend.
Note that run-test uses a semicolon as delimiter because that make
testing the feature on the command line much easier.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.h.in (_gpgme_op_import_result): Move new field
'skipped_v3_keys' to the end.
--
The ABI break has not made it into a release.
Also document the new field.
Fixes-commit: a630a1e3e7
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/data.c (_gpgme_data_new): Check for failed selftest.
* tests/run-support.h (make_filename): Print a message on mallooc
failure.
(init_gpgme_basic): New.
* tests/run-identify.c (main): Call init_gpgme_basic becuase we do not
need to setup a protocol.
* tests/t-data.c: Define PGM and include run-support.h.
(make_filename): Remove.
(main): Call init_gpgme_basic.
--
Note: This patch may break applications which used gpgme_data but no
gpgme_new without having called the required gpgme_check_version.
GPGME can be used without a protocol for example to work with the data
object abstraction. Thus a call to gpgme_data_new also needs to check
the result of the core selftests - including on whether
gpgme_check_version has been called.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.c (gpgme_set_ctx_flag, gpgme_get_ctx_flag): New flag
"auto-key-retrieve".
* src/context.h (gpgme_context): New field auto_key_retrieve.
* src/engine-backend.h (struct engine_ops): Add arg auto_key_retrieve
to field 'decrypt'.
* src/engine-gpg.c (gpg_decrypt): Add arg auto_key_retrieve and pass
option --auto-key-retrieve to gpg. Adjust all callers.
(gpg_verify): Ditto.
* src/engine-gpgsm.c (gpgsm_decrypt): Add dummy arg auto_key_retrieve.
* src/engine-uiserver.c (uiserver_decrypt): Ditto.
* tests/run-verify.c (main): Add option --auto-key-retrieve.
--
This makes the --auto-key-retrieve option available in the GPGME API.
Test plan:
Run
GPGME_DEBUG=9:out tests/run-verify SIGNEDFILE
with and without its new option --auto-key-retrieve and check in the
trace stored in "out" whether --auto-key-retrieve was passed to gpg.
Signed-off-by: Werner Koch <wk@gnupg.org>
* doc/gpgme.texi (since): New macro. Use it to add version
information to those APIs that are mentioned in the NEWS file.
Signed-off-by: Marcus Brinkmann <mb@g10code.com>
GnuPG-bug-id: 3137
* src/decrypt.c (op_data_t): Add flag any_no_seckey.
(_gpgme_decrypt_status_handler): Consult that flag.
(_gpgme_decrypt_status_handler): Set that flag.
--
The NO_SECKEY is emitted instead of an "S ERROR pkdecrypt_failed" if
gpg knowns that a key has been encrypted to that key (cf. "S ENC_TO").
it is not fool proffof but in the majority of cases we can provide a
better error message than just DECRYPTION_FAILED.
GnuPG-bug-id: 3270
Signed-off-by: Werner Koch <wk@gnupg.org>
* doc/gpgme.texi (Passphrase Callback): Mention pinentry_mode and
restrictions.
(Pinentry Mode): Fix wording and clarify versions that need
loopback mode for passphrase_cb to work.
* configure.ac <c>: Bump LT version to C29/A18/R0.
<cpp>: Bump LT version to C10/A4/R0.
<qt>: Bump LT version to C9/A2/R0.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.h.in (GPGME_ENCRYPT_WRAP): New const.
(gpgme_decrypt_flags_t): New enum.
(GPGME_DECRYPT_VERIFY): New const
(GPGME_DECRYPT_UNWRAP): New const
(gpgme_op_decrypt_ext_start): New func.
(gpgme_op_decrypt_ext): New func.
* src/decrypt-verify.c (gpgme_op_decrypt_ext_start): New.
(gpgme_op_decrypt_ext): New.
(decrypt_verify_start): Add arg FLAGS. Replace call to
engine_op_decrypt_verify by the plain decrypt with the flag set.
(gpgme_op_decrypt_verify_start): Pass the flag.
(gpgme_op_decrypt_verify): Pass the flag.
* src/decrypt.c (decrypt_start): Rename to ...
(_gpgme_decrypt_start): this. Add arg FLAGS. Pass FLAGS to
engine_op_decrypt.
(gpgme_op_decrypt_start): Adjust for chnage pass 0 for FLAG.
(gpgme_op_decrypt_start): Ditto.
* src/engine.c (_gpgme_engine_op_decrypt_verify): Remove.
(_gpgme_engine_op_decrypt): Add arg FLAGS.
* src/gpgme.def, src/libgpgme.vers: Add new functions.
* src/engine-backend.h (struct engine_ops): Remove member
'decrypt_verify'. Add FLAGS to 'decrypt'. Adjust all initialization.
* src/engine-uiserver.c (uiserver_decrypt): Remove.
(uiserver_decrypt_verify): Remove.
(_uiserver_decrypt): Rename to ...
(uiserver_decrypt): this. Replace arg VERIFY by new arg FLAGS.
* src/engine-gpg.c (gpg_decrypt): Support GPGME_DECRYPT_UNWRAP.
(gpg_encrypt): Support GPGME_ENCRYPT_WRAP.
* tests/run-decrypt.c (main): New option --unwrap.
* tests/run-encrypt.c (main): New option --wrap.
--
Manual testing of that wrap/unwrap feature can be done this way:
./run-encrypt --verbose --key Alice /etc/motd > x
./run-decrypt --verbose --unwrap x > y
./run-encrypt --verbose --key Bob --wrap y > z
1. The message was first encrypted to Alice.
2. Alice decrypts the message receiving a valid OpenPGP message.
3. Alice encrypt that message to Bob
This will also work with encrypted and signed messages; the signature
will be kept intact during re-encryption. Requires GnuPG 2.1.12.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/dirinfo.c (WANT_GPG_WKS_CLIENT_NAME): New const.
(struct dirinfo): New field 'gpg_wks_client_name'.
(get_gpgconf_item): Build it on demand.
(gpgme_get_dirinfo): New value "gpg-wks-client-name" for WHAT.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.h.in (GPGME_ENCRYPT_THROW_KEYIDS): New flag.
* src/engine-gpg.c (gpg_encrypt): Implement flag
(gpg_encrypt_sign): Implement flag.
* tests/run-encrypt.c (main): New option --throw-keyids.
--
It would be nice to also selectively hide recipients (that is gpg
--hidden-recipient) but our API does not ye allow this because it is
based on key objects. A possible way to implement that would be a API
to set processing flags into a key but this is complicated due to the
reference counting and thus the possibility that a key object is used
by different context.
Signed-off-by: Werner Koch <wk@gnupg.org>
* doc/gpgme.texi (gpgme_op_encrypt_sign_start): recp is an array of
gpgme_key_t, not a single element.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* NEWS: Update.
* doc/gpgme.texi (gpgme_op_createkey): Clarify the meaning of the
'expire' parameter.
(GPGME_CREATE_NOEXPIRE): Document new flag.
(gpgme_op_createsubkey): Clarify the meaning of the 'expire'
parameter.
* src/engine-gpg.c (gpg_add_algo_usage_expire): Fix handling of the
expiration time.
* src/gpgme.h.in (GPGME_CREATE_NOEXPIRE): New macro.
--
Previously, the documentation stated that the expiration time was an
absolute timestamp. However, this value was passed using the
'seconds=N' syntax to GnuPG which specifies the expiration time in
seconds relative to the creation time. Fix the documentation.
Furthermore, the documentation stated that using 0 results in keys
that do not expire. This was communicated to GnuPG by using the
implicit default. However, as of GnuPG 2.1.17, the default was
changed to create keys that expire within a reasonable timespan.
Fix this discrepancy by aligning the behavior with recent GnuPG
versions: 0 means use a reasonable default, and introduce a flag that
can be used to create keys that do not expire. Communicate this
explicitly to GnuPG.
Signed-off-by: Justus Winter <justus@g10code.com>
--
While educating students we can also get them to use useful habits, in
particular to parenthese bit tests.
Signed-off-by: Werner Koch <wk@gnupg.org>
* doc/gpgme.texi (gpgme_sigsum_t summary): Clarify what "you
can check one bit means"
--
It was unclear which bit to test for is. And tests
with students have shown that they would "test" for
this one bit by using if(sig.summary == GPGME_SIGSUM_VALID)
which would fail because valid sigs are also SIGSUM_GREEN.
So lets give an example for people not used to checking bits and
clarify through this example which bit is meant to be checked.
* src/engine-gpg.c (struct engine_gpg): New field
override_session_key.
(gpg_release): Free that field.
(gpg_decrypt): With gnupg 2.1.16 use --override-session-key-fd.
* tests/run-decrypt.c (main): Fix setting over the override key.
--
Note that this works only with gnupg 2.1.16 and later.
Signed-off-by: Werner Koch <wk@gnupg.org>
* doc/gpgme.texi: Document requirements of verifying that it is OK to
use session_key.
* tests/run-decrypt.c: Ensure that we fail if we're unable to access
the session key, so that we do not violate the guidance above.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Changed the description
-@code{gpgme_set_ctx_flag (ctx, "export-session-key")} returns
-@code{GPG_ERR_NO_ERROR} or @code{gpgme_get_ctx_flag (ctx,
-"export-session-key")} returns @code{"1"}.
+@code{gpgme_set_ctx_flag (ctx, "export-session-key")} returns success
+or @code{gpgme_get_ctx_flag (ctx, "export-session-key")} returns true
+(non-empty string).
to get gpgme_get_ctx_flag for boolean values in sync with its own
description.
Note that I don't agree with the above suggestion but it does not
really harm to have it in the man page.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.c (gpgme_set_ctx_flag): Add flags "export-session-key" and
"override-session-key".
(gpgme_get_ctx_flag): Ditto.
(gpgme_set_export_session_keys): Remove.
(gpgme_get_export_session_keys): Remove.
* src/gpgme.def, src/libgpgme.vers: Remove them.
* src/context.h (struct gpgme_context): Add field
override_session_key.
* src/decrypt-verify.c (decrypt_verify_start): Pass
override_session_key value to the engine.
* src/decrypt.c (decrypt_start): Ditto.
* src/engine.c (_gpgme_engine_op_decrypt): Ditto.
(_gpgme_engine_op_decrypt_verify): Ditto.
* src/engine-backend.h (struct engine_ops): Extend DECRYPT and
DECRYPT_VERIFY_START with override_session_key.
* src/engine-uiserver.c (_uiserver_decrypt): Add stub arg
override_session_key.
(uiserver_decrypt): Ditto.
(uiserver_decrypt_verify): Ditto.
* src/engine-gpgsm.c (gpgsm_decrypt): Ditto.
* src/engine-gpg.c (gpg_decrypt): Add arg override_session_key and set
corresponding gpg option.
* tests/run-decrypt.c (print_result): Print the session key if
available.
(main): Add options --export-session-key and --override-session-key.
--
To keep the number of context manipulation functions at bay, this
patches removes the just added gpgme_set_export_session_keys and
gpgme_get_export_session_keys by flags for the generic context
function.
The patch also implements the --override-session-key feature.
GnuPG-bug-id: 2754
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.h.in (gpgme_get_ctx_flag): New.
* src/gpgme.c (gpgme_set_ctx_flag): Move down the file and add a trace
statement.
(gpgme_get_ctx_flag): New.
* src/gpgme.def, src/libgpgme.vers: Add new interface.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.c (gpgme_set_export_session_keys): New function.
(gpgme_get_export_session_keys): New function.
* src/gpgme.h.in (struct _gpgme_op_decrypt_result): Add session_key
member.
(gpgme_{set,get}_export_session_keys): Declare new functions.
* src/libgpgme.vers, src/gpgme.def: Export new functions in shared
object.
* src/engine.h: (_gpgme_engine_op_decrypt) Add export_session_key
parameter.
(_gpgme_engine_op_decrypt_verify): Add export_session_key parameter.
* src/engine-backend.h: (struct engine_ops): Change function
pointer declarations to match.
* src/context.h (struct gpgme_context): Add export_session_keys member.
* src/decrypt.c (release_op_data): Free result.session_key.
(_gpgme_decrypt_status_handler): Store a copy of the exported session
key.
(decrypt_start): Pass export_session_keys from the context.
* src/decrypt-verify.c (decrypt_verify_start): Pass
export_session_keys from context.
* src/engine.c (_gpgme_engine_op_decrypt): Pass through
export_session_key flag.
(_gpgme_engine_op_decrypt_verify): Pass through export_session_key
flag.
* src/engine-gpg.c (gpg_decrypt): If export_session_key is set, add
--export-session-key to argument list.
* src/engine-gpgsm.c (gpgsm_decrypt): Ignore export_session_key for
now, since gpgsm offers no such mechanism.
* src/engine-uiserver.c (_uiserver_decrypt): If export_session_key is
set, add --export-session-key flag to cmd.
* doc/gpgme.texi: Document new functions and session_key member of
decrypt_result_t.
* doc/uiserver.texi: Add --export-session-key flag to DECRYPT command.
--
gpg(1) documents session key export as useful for key escrow, and is
rightly dubious of that use case. However, session key export is also
useful in other use cases. Two examples from MUA development (where
this functionality would be specifically useful to me right now):
* If the MUA stores a local copy of the session key upon decrypting
the message, it can re-decrypt the message without expensive
asymmetric operations. When rendering a thread with dozens of
encrypted messages, this can represent a significant speedup.
* A user may have expired encryption-capable secret key material,
along with many messages encrypted to that material. If she stores
the session keys for those messages she wants to keep, she can
destroy her secret key material and make any messages she has
deleted completely unrecoverable, even to an attacker who gets her
remaining secret keys in the future.
This patchset makes a two specific implementation decisions that could
have gone in different ways. I welcome feedback on preferred outcomes.
0) session key representation: we currently represent the session key
as an opaque textual string, rather than trying to provide any
sort of in-memory structure. While it wouldn't be hard to parse
the data produced by gpg's --export-session-key, I chose to use
the opaque string rather than lock in a particular data format.
1) API/ABI: i've added a member to gpgme_op_decrypt_result_t. This
has the potential to cause an out-of-bound memory access if
someone uses code compiled against the newer verision, but linked
at runtime against an older version. I've attempted to limit that
risk by documenting that users must verify
gpgme_get_export_session_keys() before accessing this new struct
member -- this means that code expecting this capability will
require the symbol at link-time, and will refuse to link against
older versions.
Another approach to solving this problem would be to avoid
modifying gpgme_op_decrypt_result_t, and to introduce instead a
new function gpgme_op_session_key(), which could be called in the
same places as gpgme_op_decrypt_result(). Depending on the
representation of the session key, this might introduce new
memory-management burdens on the user of the library, and the
session key is certainly part of a decryption result, so it seemed
simpler to go with what i have here.
If anyone has strong preferences that these choices should be solved
in a different way, i'm happy to hear them.
Additionally, I note that i'm also still pretty unclear about how the
"UI Server" fits into this whole ecosystem. In particular, I don't
know whether it's kosher to just add an --export-session-key flag to
the DECRYPT operation without actually having implemented it anywhere,
but i don't see where i would actually implement it either :/
If this patch (or some variant) is adopted, i will supply another
patch that permits offering a session key during decryption (e.g. "gpg
--override-session-key"), but I wanted to get these implementation
choices ironed out first.
Gnupg-Bug-Id: 2754
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
On the concern of adding a new field to a structure: It may not be
clearly documented but we don't expect that a user ever allocates such
a structure - those result structure may only be created bu gpgme and
are read-only for the user. Adding a new member constitutes a
compatible ABI change and thus an older SO may not be used by code
compiled with a header for the newer API. Unless someone tinkers with
the build system, this should never happen. We have added new fields
to result structure may times and I can't remember any problems.
- wk
* doc/gpgme.texi: Documentationabout gpgme_op_decrypt_verify_start was
stored under the name gpgme_op_decrypt_verify instead.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* configure.ac: Require libgpg-error 1.17. No longer
check for pthread.
* doc/gpgme.texi: Document removed neccessity for thread
safe gpgme flavours.
* src/sema.h (DEFINE_GLOBAL_LOCK),
(DEFINE_STATIC_LOCK, INIT_LOCK, DECLARE_LOCK)
(DESTROY_LOCK, LOCK, UNLOCK): Change to gpgrt equivalents.
* src/posix-sema.c, src/w32-sema.c: Removed.
* src/Makefile.am: Remove libpthread and
Update accordingly.
* src/ath.c, src/ath.h (ath_mutex_init)
(ath_mutex_destroy, ath_mutex_lock, ath_mutex_unlock): Removed.
* src/ath.h (ATH_MUTEX_INITIALIZER): Removed.
* src/version.c (do_subsystem_inits): sema_subsystem_init is
no longer required.
* tests/gpg/Makefile.am: Add new threading tests.
(t_thread1_LDADD, t_cancel_LDADD):
Use just gpgme.
* tests/gpg/t-thread-keylist-verify.c,
tests/gpg/t-thread-keylist.c: New.
* src/gpgme-config.in: Use -lgpgme for thread-model pthread.
--
Using gpgrt locks instead of pthread locks removes
the neccessity to link pthread directly to gpgme and
have a different, thread safe flavor of gpgme. Now
gpgme is thread-safe if the conditions mentioned
in the doc are met.
As the cpp bindings linked against libgpgme
and not libgpgme-pthread this fixes threading problems
with them.
libgpgme-pthread is removed but gpgme-config still supports
--thread=pthread for compatibility with find scripts.
* src/status-table.c (_gpgme_status_to_string): Return "" for EOF.
* src/engine-gpg.c (read_status): Ditto. The old code accidently used
GPGME_STATUS_EOF which is the integer 0 and neiteyr NULL nor a string.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.h.in (gpgme_interact_cb_t): New.
(GPGME_INTERACT_CARD): New.
(gpgme_op_interact_start, gpgme_op_interact): New.
* src/libgpgme.vers, src/gpgme.def: Add new functions.
* src/edit.c (op_data_t): Rename fnc to fnc_old and change users. Add
fnc.
(edit_status_handler): Call old or new callback.
(command_handler): Ditto.
(interact_start): New.
(gpgme_op_interact_start, gpgme_op_interact_start): New.
* src/status-table.c (_gpgme_status_to_string): New.
* tests/gpg/t-edit.c (edit_fnc): Rename to interact_fnc and change
type of STATUS. Use gpgme_io_writen.
(main): s/gpgme_op_edit/gpgme_op_interact/.
--
This change will eventually allow us to remove all those status codes
from gpgme.h.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/edit.c (command_handler): Handle special error code.
* src/engine-gpg.c (read_status): Ditto.
* src/engine-gpgsm.c (status_handler): Ditto.
* src/engine-uiserver.c (status_handler): Ditto.
* src/util.h (GPG_ERR_FALSE): Define for older libgpg-error versions.
--
An edit callback may now simply return GPG_ERR_FALSE to indicate that
it did not handled the status code. GPGME will the do the appropriate
action, which is to send an empty line.
Note that it is highly unlikely that GPG_ERR_FALSE has ever been used
by an application as return value from an edit interactor.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.h.in (struct _gpgme_signature): Remove field 'tofu'. Add
field 'key'.
(struct _gpgme_key): Add field 'fpr'.
(struct _gpgme_user_id): Add field 'tofu'.
(struct _gpgme_tofu_info): Remove fields 'address' and 'fpr'.
* src/key.c (gpgme_key_unref): Release TOFU and FPR.
* src/keylist.c (keylist_colon_handler): Store the fingerprint of the
first subkey also in KEY.
* src/verify.c (release_tofu_info): Remove.
(release_op_data): Release KEY.
(parse_tofu_user): Rewrite for new data structure.
(parse_tofu_stats): Ditto.
(parse_tofu_stats_long): Ditto.
* tests/run-verify.c (print_result): Ditto.
* tests/run-keylist.c (main): Print more fields.
--
TOFU information are now associated with the user ID and not with a
separate object.
Note that this breaks code relying on the former non-released TOFU
feature. The C++ bindings won't work right now.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/engine-gpg.c: Include data.h.
(add_input_size_hint): New.
(gpg_decrypt, gpg_encrypt, gpg_encrypt_sign, gpg_sign)
(gpg_verify): Call new function,
* tests/run-encrypt.c (status_cb): Print to stderr.
(progress_cb): New.o
(main): Add option --progress. Print full-status lines. Provide a
size for the input data.
Signed-off-by: Werner Koch <wk@gnupg.org>
* configure.ac (CC_FOR_BUILD): New.
* doc/mkdefsinc.c: New. Taken from GnuPG and modified for gpgme.
* doc/Makefile.am (EXTRA_DIST): Add defsincdate and mkdefsinc.c
(BUILT_SOURCES): new.
(gpgme.texi): New dependency.
(mkdefsinc, defsincdate, defs.inc): New rules.
(dist-hook): New.
* doc/gpgme.texi: Include defs.inc. Remove version.texi.
--
GnuPG-bug-id: 2352
That new system should also yield more approriate date infos for the
manual.
* src/gpgme.h.in (gpgme_encrypt_flags_t): New flag
GPGME_ENCRYPT_SYMMETRIC.
* src/engine-gpg.c (gpg_encrypt): Also add --symmetric if the flag
is given.
* NEWS: Mention new flag.
* tests/run-encrypt.c (show_usage): Extend for --symmetric.
(main): Handle --symmetric.
(main): Set passphrase_cb in loopback mode.
(main): Fix encrypt call if no recipients are given.
* tests/gpg/t-encrypt-mixed.c: New.
* tests/gpg/Makefile.am (c_tests): Add new test.
* doc/gpgme.texi: Document new flag.
* src/gpgme.h.in (GPGME_DATA_ENCODING_MIME): New.
* src/data.c (gpgme_data_set_encoding): Adjust check.
* src/engine-gpg.c (have_gpg_version): New.
(gpg_encrypt, gpg_encrypt_sign): Pass flag '--mimemode'.
(gpg_sign): Ditto.
* lang/cpp/src/data.h (GpgME): Add MimeEncoding.
* lang/cpp/src/data.cpp (encoding, setEncoding): Support MimeEncoding.
* src/gpgme-tool.c (server_data_encoding): Add flag --mime.
--
This feature allows an application to declare that the encrypted or
signed data is a valid MIME part.
What is missing is a way to return that information to the application
after decryption/verification. This can be done by setting the
encoding of the output data object; however this requires some
internal additions to our processing model.
Signed-off-by: Werner Koch <wk@gnupg.org>
* doc/gpgme.texi (Passphrase Callback): Document as context
attribute.
(gpgme_set_passphrase_cb): Note that this requires LOOPBACK mode
with GnuPG 2.1.
* src/gpgme.h.in (gpgme_set_ctx_flag): New prototype.
* src/gpgme.c (gpgme_set_ctx_flag): New.
* src/gpgme.def, src/libgpgme.vers: Add new function.
* src/context.h (struct gpgme_context): Add FULL_STATUS.
* src/decrypt.c (_gpgme_decrypt_status_handler): Do not call the
status callback if FULL_STATUS is set.
* src/genkey.c (genkey_status_handler): Ditto.
* src/passphrase.c (_gpgme_passphrase_status_handler): Ditto.
* src/sign.c (_gpgme_sign_status_handler): Ditto.
* src/engine-backend.h (struct engine_ops): Add SET_STATUS_CB and add
adjust all definitions of that variable.
* src/engine.c (_gpgme_engine_set_status_cb): New.
* src/op-support.c (_gpgme_op_reset): Call this function.
* src/engine-gpg.c (struct engine_gpg): Add fields MON_CB and
MON_CB_VALUE.
(gpg_set_status_cb): New.
(_gpgme_engine_ops_gpg): Register that function.
(read_status): Call the monitor callback.
* src/engine-gpgsm.c (struct engine_gpgsm): Add fields MON_CB and
MON_CB_VALUE.
(_gpgme_engine_ops_gpgsm): Register that function.
(gpgsm_assuan_simple_command): Change first arg to be an engine
context and adjust call callers. Call the monitor callback.
* src/engine-uiserver.c (struct engine_uiserver): Add fields MON_CB
and MON_CB_VALUE.
(_gpgme_engine_ops_uiserver): Register that function.
(uiserver_assuan_simple_command): Change first arg to be an engine
context and adjust call callers. Call the monitor callback.
* tests/run-verify.c (status_cb): New.
(print_result): Print algo names.
(main): Add option --status.
--
This new feature is mainly intended for bug tracking. Having access
to the raw status lines might also be useful for applications, though.
Signed-off-by: Werner Koch <wk@gnupg.org>