* src/gpgme.c (gpgme_set_ctx_flag): Add flags "export-session-key" and
"override-session-key".
(gpgme_get_ctx_flag): Ditto.
(gpgme_set_export_session_keys): Remove.
(gpgme_get_export_session_keys): Remove.
* src/gpgme.def, src/libgpgme.vers: Remove them.
* src/context.h (struct gpgme_context): Add field
override_session_key.
* src/decrypt-verify.c (decrypt_verify_start): Pass
override_session_key value to the engine.
* src/decrypt.c (decrypt_start): Ditto.
* src/engine.c (_gpgme_engine_op_decrypt): Ditto.
(_gpgme_engine_op_decrypt_verify): Ditto.
* src/engine-backend.h (struct engine_ops): Extend DECRYPT and
DECRYPT_VERIFY_START with override_session_key.
* src/engine-uiserver.c (_uiserver_decrypt): Add stub arg
override_session_key.
(uiserver_decrypt): Ditto.
(uiserver_decrypt_verify): Ditto.
* src/engine-gpgsm.c (gpgsm_decrypt): Ditto.
* src/engine-gpg.c (gpg_decrypt): Add arg override_session_key and set
corresponding gpg option.
* tests/run-decrypt.c (print_result): Print the session key if
available.
(main): Add options --export-session-key and --override-session-key.
--
To keep the number of context manipulation functions at bay, this
patches removes the just added gpgme_set_export_session_keys and
gpgme_get_export_session_keys by flags for the generic context
function.
The patch also implements the --override-session-key feature.
GnuPG-bug-id: 2754
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.h.in (gpgme_get_ctx_flag): New.
* src/gpgme.c (gpgme_set_ctx_flag): Move down the file and add a trace
statement.
(gpgme_get_ctx_flag): New.
* src/gpgme.def, src/libgpgme.vers: Add new interface.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/gpgme.c (gpgme_set_export_session_keys): New function.
(gpgme_get_export_session_keys): New function.
* src/gpgme.h.in (struct _gpgme_op_decrypt_result): Add session_key
member.
(gpgme_{set,get}_export_session_keys): Declare new functions.
* src/libgpgme.vers, src/gpgme.def: Export new functions in shared
object.
* src/engine.h: (_gpgme_engine_op_decrypt) Add export_session_key
parameter.
(_gpgme_engine_op_decrypt_verify): Add export_session_key parameter.
* src/engine-backend.h: (struct engine_ops): Change function
pointer declarations to match.
* src/context.h (struct gpgme_context): Add export_session_keys member.
* src/decrypt.c (release_op_data): Free result.session_key.
(_gpgme_decrypt_status_handler): Store a copy of the exported session
key.
(decrypt_start): Pass export_session_keys from the context.
* src/decrypt-verify.c (decrypt_verify_start): Pass
export_session_keys from context.
* src/engine.c (_gpgme_engine_op_decrypt): Pass through
export_session_key flag.
(_gpgme_engine_op_decrypt_verify): Pass through export_session_key
flag.
* src/engine-gpg.c (gpg_decrypt): If export_session_key is set, add
--export-session-key to argument list.
* src/engine-gpgsm.c (gpgsm_decrypt): Ignore export_session_key for
now, since gpgsm offers no such mechanism.
* src/engine-uiserver.c (_uiserver_decrypt): If export_session_key is
set, add --export-session-key flag to cmd.
* doc/gpgme.texi: Document new functions and session_key member of
decrypt_result_t.
* doc/uiserver.texi: Add --export-session-key flag to DECRYPT command.
--
gpg(1) documents session key export as useful for key escrow, and is
rightly dubious of that use case. However, session key export is also
useful in other use cases. Two examples from MUA development (where
this functionality would be specifically useful to me right now):
* If the MUA stores a local copy of the session key upon decrypting
the message, it can re-decrypt the message without expensive
asymmetric operations. When rendering a thread with dozens of
encrypted messages, this can represent a significant speedup.
* A user may have expired encryption-capable secret key material,
along with many messages encrypted to that material. If she stores
the session keys for those messages she wants to keep, she can
destroy her secret key material and make any messages she has
deleted completely unrecoverable, even to an attacker who gets her
remaining secret keys in the future.
This patchset makes a two specific implementation decisions that could
have gone in different ways. I welcome feedback on preferred outcomes.
0) session key representation: we currently represent the session key
as an opaque textual string, rather than trying to provide any
sort of in-memory structure. While it wouldn't be hard to parse
the data produced by gpg's --export-session-key, I chose to use
the opaque string rather than lock in a particular data format.
1) API/ABI: i've added a member to gpgme_op_decrypt_result_t. This
has the potential to cause an out-of-bound memory access if
someone uses code compiled against the newer verision, but linked
at runtime against an older version. I've attempted to limit that
risk by documenting that users must verify
gpgme_get_export_session_keys() before accessing this new struct
member -- this means that code expecting this capability will
require the symbol at link-time, and will refuse to link against
older versions.
Another approach to solving this problem would be to avoid
modifying gpgme_op_decrypt_result_t, and to introduce instead a
new function gpgme_op_session_key(), which could be called in the
same places as gpgme_op_decrypt_result(). Depending on the
representation of the session key, this might introduce new
memory-management burdens on the user of the library, and the
session key is certainly part of a decryption result, so it seemed
simpler to go with what i have here.
If anyone has strong preferences that these choices should be solved
in a different way, i'm happy to hear them.
Additionally, I note that i'm also still pretty unclear about how the
"UI Server" fits into this whole ecosystem. In particular, I don't
know whether it's kosher to just add an --export-session-key flag to
the DECRYPT operation without actually having implemented it anywhere,
but i don't see where i would actually implement it either :/
If this patch (or some variant) is adopted, i will supply another
patch that permits offering a session key during decryption (e.g. "gpg
--override-session-key"), but I wanted to get these implementation
choices ironed out first.
Gnupg-Bug-Id: 2754
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
On the concern of adding a new field to a structure: It may not be
clearly documented but we don't expect that a user ever allocates such
a structure - those result structure may only be created bu gpgme and
are read-only for the user. Adding a new member constitutes a
compatible ABI change and thus an older SO may not be used by code
compiled with a header for the newer API. Unless someone tinkers with
the build system, this should never happen. We have added new fields
to result structure may times and I can't remember any problems.
- wk
* lang/qt/src/job.cpp,
lang/qt/src/job.h (Job::context): New.
* lang/qt/src/threadedjobmixin.cpp
(ThreadedJobMixin::~ThreadedJobMixin): New. Unregister context.
(ThreadedJobMixin::lateInitialization): Register context.
* NEWS: Update for cpp and qt.
--
The global map hack is necessary because the job class does
not know about the context which is held in threadedjobmixin.
Adding a virtual function in Job would be an ABI break which
I'd like to avoid at this point. Although QGpgME's API will
need a big ABI break to make it ABI maintainable. The virtual
jobs -> implementation classes are nearly unmaintainable ABI wise.
The context is exposed to provide more flexibility to users, e.g.
to add a passphrase callback or to set the sender in a context.
* doc/gpgme.texi: Documentationabout gpgme_op_decrypt_verify_start was
stored under the name gpgme_op_decrypt_verify instead.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* src/gpgme.c (gpgme_set_armor, gpgme_set_textmode,
gpgme_set_offline): Ensure that non-zero values actually set the
appropriate internal bit.
--
The documentation for these functions says things like "disabled if
YES is zero, and enabled otherwise", where YES is an integer.
However, if you pass an even integer, it will be aliased back to 0
because the context member variables are declared as single bits.
This should make the implementation match the documentation.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* src/posix-io.c (_gpgme_io_select): Return EMFILE instead of EBADF.
--
Also EBADF seem more correct, EMFILE (Too man open files) gives
a clearer message to the user that there are somehow too many files
open. The problem can be exhibited by running lots of threads,
We should eventually move to poll but that would be a large change and
so we better fix it with the planned migration of the I/O subsystem to
libgpgrt (currently known as libgpg-error).
Signed-off-by: Werner Koch <wk@gnupg.org>
* gpg/t-thread-keylist-verify.c,
gpg/t-thread-keylist.c: Reduce threads to 100
--
Due to the limit of FD_SETSIZE the
number of parallel threads is limited. So some systems
run into this problem when running the testsuite.
* src/keylist.c (op_data_t): Add field keydb_search_err.
(keylist_status_handler): Parse STATUS_ERROR into that var.
(gpgme_op_keylist_next): Use that err instead of GPG_ERR_EOF.
--
With a recent GnuPG version this allows to detect a keyring with wrong
permissions (i.e. no read access). GPG_ERR_OPEN_KEYRING will be
returned instead of GPG_ERR_EOF.
Signed-off-by: Werner Koch <wk@gnupg.org>
* tests/gpg/t-thread-keylist-verify.c (start_keylist): Mark
arg as unused. Release context.
(start_verify): Ditto.
(main): Mark args as unused.
* tests/gpg/t-thread-keylist.c (start_keylist): Mark
arg as unused. Release context.
(main): Mark args as unused.
* configure.ac: Require libgpg-error 1.17. No longer
check for pthread.
* doc/gpgme.texi: Document removed neccessity for thread
safe gpgme flavours.
* src/sema.h (DEFINE_GLOBAL_LOCK),
(DEFINE_STATIC_LOCK, INIT_LOCK, DECLARE_LOCK)
(DESTROY_LOCK, LOCK, UNLOCK): Change to gpgrt equivalents.
* src/posix-sema.c, src/w32-sema.c: Removed.
* src/Makefile.am: Remove libpthread and
Update accordingly.
* src/ath.c, src/ath.h (ath_mutex_init)
(ath_mutex_destroy, ath_mutex_lock, ath_mutex_unlock): Removed.
* src/ath.h (ATH_MUTEX_INITIALIZER): Removed.
* src/version.c (do_subsystem_inits): sema_subsystem_init is
no longer required.
* tests/gpg/Makefile.am: Add new threading tests.
(t_thread1_LDADD, t_cancel_LDADD):
Use just gpgme.
* tests/gpg/t-thread-keylist-verify.c,
tests/gpg/t-thread-keylist.c: New.
* src/gpgme-config.in: Use -lgpgme for thread-model pthread.
--
Using gpgrt locks instead of pthread locks removes
the neccessity to link pthread directly to gpgme and
have a different, thread safe flavor of gpgme. Now
gpgme is thread-safe if the conditions mentioned
in the doc are met.
As the cpp bindings linked against libgpgme
and not libgpgme-pthread this fixes threading problems
with them.
libgpgme-pthread is removed but gpgme-config still supports
--thread=pthread for compatibility with find scripts.
* src/w32-io.c (fd_table_lock): New.
(new_fd): Lock allocation of a new slot.
(release_fd): Lock deallocation of a slot.
--
Note that we lock only the allocation but not the sanitiy checks we do
further down in the code.
Signed-off-by: Werner Koch <wk@gnupg.org>
* src/w32-util.c (find_program_at_standard_place): Use access to check
whether the binary is at CSIDL_PROGRAM_FILES before testing
CSIDL_PROGRAM_FILESX86.
--
Suggested-by: ticho
Fixes-commit: a82e9b182f
GnuPG-bug-id: 2814
Signed-off-by: Werner Koch <wk@gnupg.org>
* lang/qt/src/qgpgme_export.h,
lang/qt/src/qgpgme_version.h: Change license to GPLv2+
--
These files were based on copies from the cpp version/export
headers. This change is meant to clarify the licensing by
bringing it in line with the overall licesense of the
qgpgme library.
* lang/qt/src/defaultkeygenerationjob.cpp
(DefaultKeyGenerationJob::start): Explicitly connect pointer
in the QPointer.
--
Commit message written by Andre Heinecke <aheinecke@intevation.de>
* configure.ac (VERSION_MAJOR, VERSION_MINOR, VERSION_MICRO): New
subst variables for the version header.
* lang/cpp/src/GpgmeppConfigVersion.cmake.in,
lang/cpp/src/gpgmepp_version.h.in,
lang/qt/src/QGpgmeConfigVersion.cmake.in,
lang/qt/src/qgpgme_version.h.in: Use new variables.
--
Using the LT_* variables was just wrong. Reporting the
package version also makes more sense then the library version.
Having different versions might make ABI breaks more visible
by increasing the major version number, but to have different
versions in the same package is too confusing imo and gpgme
uses a versioning that is unrelated to the library version number.
* lang/qt/src/Makefile.am: Install cmake config file in qgpgme subdir.
--
Putting it together with Gpgmepp was done for historic reasons
but the proper way is for each library to have its own subdir.
* lang/qt/src/dn.cpp (DN, DN::Attribute): New public API.
* lang/qt/src/dn.h: New.
* lang/qt/src/Makefile.am: Update accordingly.
--
This is a general useful API to work with X509 distinguished
names and is useful when doing CMS with GpgME.
Adding this class from libkleo allows kmails messagelib to
avoid any KDE UI Frameworks and so can be used more versatile
in the future.
This class can be combined with libkleos DNAttributeMapper
to have the same bevavior as before in libkleo when using
DN::prettyDN calls can be converted from:
Kleo::DN(uid).prettyDN();
to:
QGpgME::DN dn(uid);
uid.setAttributeOrder(
Kleo::DNAttributeMapper::instance()->attributeOrder());
dn.prettyDN();
* lang/cpp/src/Makefile.am,
lang/qt/src/Makefile.am: Install version headers in include
subdirs.
--
This change was requested on the gnupg-devel mailing list to
avoid placing these headers into the top level include directories.
There is currently no known user of these headers so changing it
now should not break things downstream.
This follows weeks of discussion on the gnupg-devel mailing list.
Hopefully it will make it easier for people using Python to use GnuPG
in the future.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
* configure.ac: Set LT version to C27/A16/R0. Note that the LT
versions for cpp and Qt have already been updated.
Signed-off-by: Werner Koch <wk@gnupg.org>
* lang/python/pyme/core.py (Context.get_key): Raise errors.KeyNotFound
if the key is not found. This error is both a KeyError for idiomatic
error handling as well as a GPGMEError so we don't break existing
code.
* lang/python/pyme/errors.py (KeyNotFound): New class.
* lang/python/tests/support.py (no_such_key): New variable.
* lang/python/tests/t-keylist.py: Test the new behavior.
Signed-off-by: Justus Winter <justus@g10code.com>
