-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | NEWS | 5 | ||||
-rw-r--r-- | agent/ChangeLog | 2 | ||||
-rw-r--r-- | agent/gpg-agent.c | 5 | ||||
-rw-r--r-- | doc/gpg.texi | 11 | ||||
-rw-r--r-- | doc/gpgsm.texi | 9 | ||||
-rw-r--r-- | g10/ChangeLog | 6 | ||||
-rw-r--r-- | g10/Makefile.am | 9 | ||||
-rw-r--r-- | g10/gpg.c | 8 | ||||
-rw-r--r-- | keyserver/ChangeLog | 5 | ||||
-rw-r--r-- | keyserver/Makefile.am | 15 | ||||
-rw-r--r-- | scd/ChangeLog | 4 | ||||
-rw-r--r-- | scd/app-p15.c | 4 | ||||
-rw-r--r-- | scd/scdaemon.c | 5 | ||||
-rw-r--r-- | sm/ChangeLog | 5 | ||||
-rw-r--r-- | sm/gpgsm.c | 47 | ||||
-rw-r--r-- | tools/ChangeLog | 8 | ||||
-rw-r--r-- | tools/gpgconf-comp.c | 3 | ||||
-rwxr-xr-x | tools/gpgsm-gencert.sh | 66 |
20 files changed, 173 insertions, 50 deletions
@@ -1,3 +1,7 @@
+2006-10-20 Werner Koch <[email protected]>
+
+ * Makefile.am (stowinstall): Add convenience target.
+
 2006-10-18 Werner Koch <[email protected]>
 * configure.ac: svn revison magic fixes for old bashs. Suggested
diff --git a/Makefile.am b/Makefile.am
index c19f7c3f1..996ed02e9 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -79,5 +79,7 @@ SUBDIRS = m4 intl gl include jnlib common ${kbx} \
 dist-hook:
 echo "$(VERSION)" > $(distdir)/VERSION
+stowinstall:
+ $(MAKE) $(AM_MAKEFLAGS) install prefix=/usr/local/stow/gnupg
@@ -4,6 +4,11 @@ Noteworthy changes in version 1.9.94
 * Keys for gpgsm may now be specified using a keygrip. A keygrip is
 indicated by a prefixing it with an ampersand.
+ * gpgconf now supports switching the CMS cipher algo (e.g. to AES).
+
+ * New command --gpgconf-test for all major tools. This may be used to
+ check whether the configuration file is sane.
+
 Noteworthy changes in version 1.9.93 (2006-10-18)
 -------------------------------------------------
diff --git a/agent/ChangeLog b/agent/ChangeLog
index 84ee1a7c8..83692d461 100644
--- a/agent/ChangeLog
+++ b/agent/ChangeLog
@@ -1,5 +1,7 @@
 2006-10-23 Werner Koch <[email protected]>
+ * gpg-agent.c (main): New command --gpgconf-test.
+
 * minip12.c (parse_bag_encrypted_data, parse_bag_data): Allow for
 a salt of 20 bytes.
diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c
index 60a7cffb4..5201be8d5 100644
--- a/agent/gpg-agent.c
+++ b/agent/gpg-agent.c
@@ -61,6 +61,7 @@ enum cmd_and_opt_values
 oNoVerbose = 500,
 aGPGConfList,
+ aGPGConfTest,
 oOptions,
 oDebug,
 oDebugAll,
@@ -105,6 +106,7 @@ enum cmd_and_opt_values
 static ARGPARSE_OPTS opts[] = {
 { aGPGConfList, "gpgconf-list", 256, "@" },
+ { aGPGConfTest, "gpgconf-test", 256, "@" },
 { 301, NULL, 0, N_("@Options:\n ") },
@@ -620,6 +622,7 @@ main (int argc, char **argv )
 switch (pargs.r_opt)
 {
 case aGPGConfList: gpgconf_list = 1; break;
+ case aGPGConfTest: gpgconf_list = 2; break;
 case oBatch: opt.batch=1; break;
 case oDebugWait: debug_wait = pargs.r.ret_int; break;
@@ -719,6 +722,8 @@ main (int argc, char **argv )
 log_debug ("... okay\n");
 }
+ if (gpgconf_list == 2)
+ agent_exit (0);
 if (gpgconf_list)
 {
 char *filename;
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 1337cd15c..6849b19ae 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -365,12 +365,13 @@ those of the given name. The new keyring is written to stdout or to
 the file given with option @option{--output}. Use together with
 @option{--armor} to mail those keys.
-@item --send-keys
+@item --send-keys @code{key IDs}
 @opindex send-keys
-Same as @option{--export} but sends the keys to a keyserver. Option
-@option{--keyserver} must be used to give the name of this
-keyserver. Don't send your complete keyring to a keyserver --- select
-only those keys which are new or changed by you.
+Similar to @option{--export} but sends the keys to a keyserver.
+Fingerprints may be used instead of key IDs. Option @option{--keyserver}
+must be used to give the name of this keyserver. Don't send your
+complete keyring to a keyserver --- select only those keys which are new
+or changed by you.
 @item --export-secret-keys
 @itemx --export-secret-subkeys
diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi
index b184634ee..64a662879 100644
--- a/doc/gpgsm.texi
+++ b/doc/gpgsm.texi
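Review bot: The `--gpgconf-test` path ends in an unconditional `agent_exit (0)` right after the debug-wait block, so the test only reports a broken options file if parsing earlier in main() already terminated the process or if `agent_exit` itself folds `log_get_errorcount (0)` into the status; neither is visible in this hunk, and if it is not the case a config that merely logged errors would still pass as sane. Encoding the test mode as `gpgconf_list = 2` overloads a boolean-style flag with a magic value; a separate `int gpgconf_test = 0;` set in the `case aGPGConfTest:` branch and checked with `if (gpgconf_test) agent_exit (0);` reads better and cannot collide with the existing `if (gpgconf_list)` listing path. The same `gpgconf_list = 2` / `scd_exit (0)` pattern appears in the scd/scdaemon.c hunks and deserves the same treatment. main() starts and ends outside this hunk.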
@@ -490,10 +490,19 @@ certificate.
 @table @gnupgtabopt
 @item --include-certs @var{n}
+@opindex include-certs
 Using @var{n} of -2 includes all certificate except for the root cert, -1 includes all certs, 0 does not include any certs, 1 includes only the signers cert (this is the default) and all other positive values include up to @var{n} certificates starting with the signer cert.
+
+
+@item --cipher-algo @var{oid}
+@opindex cipher-algo
+Use the cipher algorithm with the ASN.1 object identifier @var{oid} for
+encryption. For convenience the strings @code{3DES}, @code{AES} and
+@code{AES256} may be used instead of their OIDs. The default is
+@code{3DES} (1.2.840.113549.3.7).
 @end table
diff --git a/g10/ChangeLog b/g10/ChangeLog
index 293e2973a..2ab1d0f80 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,9 @@
+2006-10-23 Werner Koch <[email protected]>
+
+ * gpg.c (main): New command --gpgconf-test.
+
+ * Makefile.am (bzip2_source): New.
+
 2006-10-20 Werner Koch <[email protected]>
 * getkey.c (classify_user_id): Reserve '&' for search by keygrip.
diff --git a/g10/Makefile.am b/g10/Makefile.am
index cc0192c1b..0c91105fc 100644
--- a/g10/Makefile.am
+++ b/g10/Makefile.am
@@ -33,11 +33,18 @@ needed_libs = ../gl/libgnu.a ../common/libcommon.a ../jnlib/libjnlib.a
 bin_PROGRAMS = gpg2 gpgv2
+if ENABLE_BZIP2_SUPPORT
+bzip2_source = compress-bz2.c
+else
+bzip2_source =
+endif
+
+
 common_source = \
 gpg.h \
 build-packet.c \
 compress.c \
- compress-bz2.c \
+ $(bzip2_source) \
 filter.h \
 free-packet.c \
 getkey.c \
@@ -110,6 +110,7 @@ enum cmd_and_opt_values
 aLSignKey,
 aListConfig,
 aGPGConfList,
+ aGPGConfTest,
 aListPackets,
 aEditKey,
 aDeleteKeys,
@@ -408,6 +409,7 @@ static ARGPARSE_OPTS opts[] = {
 #endif
 { aListConfig, "list-config", 256, "@"},
 { aGPGConfList, "gpgconf-list", 256, "@" },
+ { aGPGConfTest, "gpgconf-test", 256, "@" },
 { aListPackets, "list-packets",256, "@"},
 { aExportOwnerTrust, "export-ownertrust", 256, "@"},
 { aImportOwnerTrust, "import-ownertrust", 256, "@"},
@@ -2026,6 +2028,7 @@ main (int argc, char **argv )
 case aCheckKeys:
 case aListConfig:
 case aGPGConfList:
+ case aGPGConfTest:
 case aListPackets:
 case aImport:
 case aFastImport:
@@ -3183,7 +3186,7 @@ main (int argc, char **argv )
 SELinux, this is so that the rings are added to the list of
 secured files. */
 if( ALWAYS_ADD_KEYRINGS
- || (cmd != aDeArmor && cmd != aEnArmor) )
+ || (cmd != aDeArmor && cmd != aEnArmor && cmd != aGPGConfTest) )
 {
 if (ALWAYS_ADD_KEYRINGS
 || (cmd != aCheckKeys && cmd != aListSigs && cmd != aListKeys
@@ -3202,6 +3205,9 @@ main (int argc, char **argv )
 FREE_STRLIST(nrings);
 FREE_STRLIST(sec_nrings);
+ if (cmd == aGPGConfTest)
+ g10_exit(0);
+
 if( pwfd != -1 ) /* Read the passphrase now. */
 read_passphrase_from_fd( pwfd );
diff --git a/keyserver/ChangeLog b/keyserver/ChangeLog
index a8837f58b..fac34ff38 100644
--- a/keyserver/ChangeLog
+++ b/keyserver/ChangeLog
@@ -1,3 +1,8 @@
+2006-10-20 Werner Koch <[email protected]>
+
+ * Makefile.am: Reporder macros for better readability.
+ (gpg2keys_finger_LDADD): Add GPG_ERROR_LIBS.
+
 2006-10-19 David Shaw <[email protected]>
 * gpgkeys_hkp.c (curl_mrindex_writer): Print a warning if we see
diff --git a/keyserver/Makefile.am b/keyserver/Makefile.am
index d72da1406..fd86fa168 100644
--- a/keyserver/Makefile.am
+++ b/keyserver/Makefile.am
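Review bot: The early `g10_exit(0)` for `aGPGConfTest` is placed after the keyring block (which the preceding hunk now skips for this command) and before the passphrase read, but nothing at the call site records what the test has covered by that point, so a later reordering of main() could silently change what `--gpgconf-test` validates. A comment above the check such as `/* --gpgconf-test: the options file has been parsed; keyrings are deliberately not opened (see the aGPGConfTest exclusion above), so there is nothing left to check. */` would pin the intent. Whether option-file errors turn into a non-zero status depends on `g10_exit` mapping `log_get_errorcount(0)` to a failing code, which I cannot confirm from this hunk. main() starts and ends outside the hunk.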
@@ -40,18 +40,17 @@ common_libs = ../gl/libgnu.a ../common/libcommon.a ../jnlib/libjnlib.a
 other_libs = $(LIBICONV) $(LIBINTL) $(CAPLIBS)
 gpg2keys_ldap_SOURCES = gpgkeys_ldap.c ksutil.c ksutil.h no-libgcrypt.c
-gpg2keys_hkp_SOURCES = gpgkeys_hkp.c ksutil.c ksutil.h no-libgcrypt.c
-gpg2keys_finger_SOURCES = gpgkeys_finger.c ksutil.c ksutil.h no-libgcrypt.c
-gpg2keys_curl_SOURCES = gpgkeys_curl.c ksutil.c ksutil.h no-libgcrypt.c
-
-
 gpg2keys_ldap_CPPFLAGS = $(LDAP_CPPFLAGS) $(AM_CPPFLAGS)
-gpg2keys_ldap_LDADD = $(LDAPLIBS) $(NETLIBS) \
- $(other_libs)
+gpg2keys_ldap_LDADD = $(LDAPLIBS) $(NETLIBS) $(other_libs)
-gpg2keys_finger_LDADD = $(common_libs) $(LIBGCRYPT_LIBS) \
+gpg2keys_finger_SOURCES = gpgkeys_finger.c ksutil.c ksutil.h no-libgcrypt.c
+gpg2keys_ldap_CPPFLAGS = $(AM_CPPFLAGS)
+gpg2keys_finger_LDADD = $(common_libs) $(GPG_ERROR_LIBS) \
 $(NETLIBS) $(other_libs)
+
+gpg2keys_curl_SOURCES = gpgkeys_curl.c ksutil.c ksutil.h no-libgcrypt.c
+gpg2keys_hkp_SOURCES = gpgkeys_hkp.c ksutil.c ksutil.h no-libgcrypt.c
 if FAKE_CURL
 gpg2keys_curl_SOURCES += curl-shim.c curl-shim.h
 gpg2keys_curl_CPPFLAGS = $(AM_CPPFLAGS)
diff --git a/scd/ChangeLog b/scd/ChangeLog
index d584495c3..df9e75a4f 100644
--- a/scd/ChangeLog
+++ b/scd/ChangeLog
@@ -1,3 +1,7 @@
+2006-10-23 Werner Koch <[email protected]>
+
+ * scdaemon.c (main): New command --gpgconf-test.
+
 2006-10-17 Werner Koch <[email protected]>
 * Makefile.am (scdaemon_LDADD): Link against libcommonpth.
diff --git a/scd/app-p15.c b/scd/app-p15.c
index 8e786dd97..f6b3eff4d 100644
--- a/scd/app-p15.c
+++ b/scd/app-p15.c
@@ -2712,7 +2712,7 @@ do_getattr (app_t app, ctrl_t ctrl, const char *name)
 general rule for it so we need to decide case by case. */
 if (app->app_local->card_type == CARD_TYPE_BELPIC)
 {
- /* The eID card has a card number printed on the fron matter
+ /* The eID card has a card number printed on the front matter
 which seems to be a good indication. */
 unsigned char *buffer;
 const unsigned char *p;
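Review bot: The added `gpg2keys_ldap_CPPFLAGS = $(AM_CPPFLAGS)` is a second assignment of a variable that the unchanged context line a few lines above still sets to `$(LDAP_CPPFLAGS) $(AM_CPPFLAGS)`; automake reports such a variable as multiply defined, and if the file were accepted the later assignment would win and the ldap helper would be built without `$(LDAP_CPPFLAGS)`. Given its position between the finger `_SOURCES` and `_LDADD` lines it was presumably meant to read `gpg2keys_finger_CPPFLAGS = $(AM_CPPFLAGS)`, or, since that only restates the default, it can be dropped entirely. Either way the hunk as written changes the ldap build rather than the finger one that the ChangeLog entry describes.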
@@ -2938,7 +2938,7 @@ do_sign (app_t app, const char *keyidstr, int hashalgo,
 /* Due to the fact that the non-repudiation signature on a BELPIC
- card requires a ver verify immediately before the DSO we set the
+ card requires a verify immediately before the DSO we set the
 MSE before we do the verification. Other cards might allow to do
 this also but I don't want to break anything, thus we do it only
 for the BELPIC card here. */
diff --git a/scd/scdaemon.c b/scd/scdaemon.c
index c962f3f77..0ee3f4bc6 100644
--- a/scd/scdaemon.c
+++ b/scd/scdaemon.c
@@ -63,6 +63,7 @@ enum cmd_and_opt_values
 oNoVerbose = 500,
 aGPGConfList,
+ aGPGConfTest,
 oOptions,
 oDebug,
 oDebugAll,
@@ -97,6 +98,7 @@ enum cmd_and_opt_values
 static ARGPARSE_OPTS opts[] = {
 { aGPGConfList, "gpgconf-list", 256, "@" },
+ { aGPGConfTest, "gpgconf-test", 256, "@" },
 { 301, NULL, 0, N_("@Options:\n ") },
@@ -450,6 +452,7 @@ main (int argc, char **argv )
 switch (pargs.r_opt)
 {
 case aGPGConfList: gpgconf_list = 1; break;
+ case aGPGConfTest: gpgconf_list = 2; break;
 case oQuiet: opt.quiet = 1; break;
 case oVerbose: opt.verbose++; break;
 case oBatch: opt.batch=1; break;
@@ -552,6 +555,8 @@ main (int argc, char **argv )
 log_debug ("... okay\n");
 }
+ if (gpgconf_list == 2)
+ scd_exit (0);
 if (gpgconf_list)
 {
 /* List options and default values in the GPG Conf format. */
diff --git a/sm/ChangeLog b/sm/ChangeLog
index 23847ab69..e4e30616f 100644
--- a/sm/ChangeLog
+++ b/sm/ChangeLog
@@ -1,3 +1,8 @@
+2006-10-23 Werner Koch <[email protected]>
+
+ * gpgsm.c (main): Remap common cipher algo names to their OIDs.
+ (main): New command --gpgconf-test.
+
 2006-10-20 Werner Koch <[email protected]>
 * keydb.c (classify_user_id): Parse keygrip for the '&' identifier.
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 8abae14b4..2439c55e6 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -90,6 +90,7 @@ enum cmd_and_opt_values {
 aCallProtectTool,
 aPasswd,
 aGPGConfList,
+ aGPGConfTest,
 aDumpKeys,
 aDumpChain,
 aDumpSecretKeys,
@@ -265,6 +266,7 @@ static ARGPARSE_OPTS opts[] = {
 N_("invoke gpg-protect-tool")},
 { aPasswd, "passwd", 256, N_("change a passphrase")},
 { aGPGConfList, "gpgconf-list", 256, "@" },
+ { aGPGConfTest, "gpgconf-test", 256, "@" },
 { aDumpKeys, "dump-cert", 256, "@"},
 { aDumpKeys, "dump-keys", 256, "@"},
@@ -781,7 +783,7 @@ main ( int argc, char **argv)
 create_dotlock (NULL); /* register locking cleanup */
 i18n_init();
- opt.def_cipher_algoid = "1.2.840.113549.3.7"; /*des-EDE3-CBC*/
+ opt.def_cipher_algoid = "3DES"; /*des-EDE3-CBC*/
 opt.homedir = default_homedir ();
 #ifdef HAVE_W32_SYSTEM
@@ -880,6 +882,7 @@ main ( int argc, char **argv)
 switch (pargs.r_opt)
 {
 case aGPGConfList:
+ case aGPGConfTest:
 set_cmd (&cmd, pargs.r_opt);
 do_not_setup_keys = 1;
 nogreeting = 1;
@@ -1265,18 +1268,32 @@ main ( int argc, char **argv)
 }
 /* Must do this after dropping setuid, because the mapping functions
- may try to load an module and we may have disabled an algorithm. */
- if ( !gcry_cipher_map_name (opt.def_cipher_algoid)
- || !gcry_cipher_mode_from_oid (opt.def_cipher_algoid))
- log_error (_("selected cipher algorithm is invalid\n"));
-
- if (def_digest_string)
+ may try to load an module and we may have disabled an algorithm.
+ We remap the commonly used algorithms to the OIDs for
+ convenience. We need to work with the OIDs because they are used
+ to check whether the encryption mode is actually available. */
+ if (!strcmp (opt.def_cipher_algoid, "3DES") )
+ opt.def_cipher_algoid = "1.2.840.113549.3.7";
+ else if (!strcmp (opt.def_cipher_algoid, "AES")
+ || !strcmp (opt.def_cipher_algoid, "AES128"))
+ opt.def_cipher_algoid = "2.16.840.1.101.3.4.1.2";
+ else if (!strcmp (opt.def_cipher_algoid, "AES256") )
+ opt.def_cipher_algoid = "2.16.840.1.101.3.4.1.42";
+
+ if (cmd != aGPGConfList)
 {
- opt.def_digest_algo = gcry_md_map_name (def_digest_string);
- xfree (def_digest_string);
- def_digest_string = NULL;
- if (our_md_test_algo(opt.def_digest_algo) )
- log_error (_("selected digest algorithm is invalid\n"));
+ if ( !gcry_cipher_map_name (opt.def_cipher_algoid)
+ || !gcry_cipher_mode_from_oid (opt.def_cipher_algoid))
+ log_error (_("selected cipher algorithm is invalid\n"));
+
+ if (def_digest_string)
+ {
+ opt.def_digest_algo = gcry_md_map_name (def_digest_string);
+ xfree (def_digest_string);
+ def_digest_string = NULL;
+ if (our_md_test_algo(opt.def_digest_algo) )
+ log_error (_("selected digest algorithm is invalid\n"));
+ }
 }
 if (log_get_errorcount(0))
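Review bot: The name-to-OID remap compares with case-sensitive `strcmp`, so a user who writes `cipher-algo aes` or `3des` is not remapped, reaches `gcry_cipher_mode_from_oid` with a name that function cannot resolve, and gets only "selected cipher algorithm is invalid" with no hint that the accepted spellings are `3DES`, `AES`, `AES128` and `AES256`. A case-insensitive compare on these four lines (GnuPG's own `ascii_strcasecmp` would do, if it is available to gpgsm) matches how algorithm names are usually typed, or failing that the error message should list the accepted names. `AES128` is accepted here but the new `--cipher-algo` paragraph in doc/gpgsm.texi lists only `3DES`, `AES` and `AES256`; the two should agree. Keeping the remap outside the `if (cmd != aGPGConfList)` block while the validation sits inside it is correct, since `--gpgconf-test` then still exercises the cipher and digest checks and the error count is tested right after; main() continues outside this hunk.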
@@ -1411,9 +1428,15 @@ main ( int argc, char **argv)
 GC_OPT_FLAG_NONE );
 printf ("prefer-system-dirmngr:%lu:\n",
 GC_OPT_FLAG_NONE );
+ printf ("cipher-algo:%lu:\"3DES:\n",
+ GC_OPT_FLAG_DEFAULT );
 }
 break;
+ case aGPGConfTest:
+ /* This is merely a dummy command to test whether the
+ configuration file is valid. */
+ break;
 case aServer:
 if (debug_wait)
diff --git a/tools/ChangeLog b/tools/ChangeLog
index 0de5f3336..c29689bde 100644
--- a/tools/ChangeLog
+++ b/tools/ChangeLog
@@ -1,3 +1,11 @@
+2006-10-23 Werner Koch <[email protected]>
+
+ * gpgconf-comp.c <gpgsm>: Add --cipher-algo.
+
+2006-10-20 Werner Koch <[email protected]>
+
+ * gpgsm-gencert.sh: Enhanced the main menu.
+
 2006-10-12 Werner Koch <[email protected]>
 * Makefile.am (gpg-zip, gpgsplit): Do not install due to a
diff --git a/tools/gpgconf-comp.c b/tools/gpgconf-comp.c
index 04a61a193..65cdc0a82 100644
--- a/tools/gpgconf-comp.c
+++ b/tools/gpgconf-comp.c
@@ -676,6 +676,9 @@ static gc_option_t gc_options_gpgsm[] =
 { "auto-issuer-key-retrieve", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC,
 "gnupg", "fetch missing issuer certificates",
 GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
+ { "cipher-algo", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
+ "gnupg", "|NAME|use cipher algorithm NAME",
+ GC_ARG_TYPE_STRING, GC_BACKEND_GPGSM },
 GC_OPTION_NULL
 };
diff --git a/tools/gpgsm-gencert.sh b/tools/gpgsm-gencert.sh
index 19e961f03..ea96bb2e9 100755
--- a/tools/gpgsm-gencert.sh
+++ b/tools/gpgsm-gencert.sh
@@ -84,29 +84,53 @@ query_user_menu()
 echo "You selected: $ANSWER" >&2
 }
-query_user_menu "Key type" "RSA" "existing key" "OPENPGP.1" "OPENPGP.3"
-case "$ANSWER" in
- RSA)
- KEY_TYPE=$ANSWER
- query_user_menu "Key length" "1024" "2048"
- KEY_LENGTH=$ANSWER
- KEY_GRIP=
- ;;
- existing*)
- # User requested to use an existing key; need to set some dummy defaults
- KEY_TYPE=RSA
- KEY_LENGTH=1024
- query_user "Keygrip "
- KEY_GRIP=$ANSWER
- ;;
- *)
- KEY_TYPE="card:$ANSWER"
- KEY_LENGTH=
- KEY_GRIP=
- ;;
-esac
+KEY_TYPE=""
+while [ -z "$KEY_TYPE" ]; do
+ query_user_menu "Key type" "RSA" "Existing key" "Direct from card"
+ case "$ANSWER" in
+ RSA)
+ KEY_TYPE=$ANSWER
+ query_user_menu "Key length" "1024" "2048"
+ KEY_LENGTH=$ANSWER
+ KEY_GRIP=
+ ;;
+ Existing*)
+ # User requested to use an existing key; need to set some dummy defaults
+ query_user "Keygrip "
+ if [ -n "$ANSWER" ]; then
+ KEY_TYPE=RSA
+ KEY_LENGTH=1024
+ KEY_GRIP=$ANSWER
+ fi
+ ;;
+ Direct*)
+ tmp=$(echo 'SCD SERIALNO' | gpg-connect-agent | \
+ awk '$2 == "SERIALNO" {print $3}')
+ if [ -z "$tmp" ]; then
+ echo "No card found" >&2
+ else
+ echo "Card with S/N $tmp found" >&2
+ tmp=$(echo 'SCD LEARN --force' | gpg-connect-agent | \
+ awk '$2 == "KEYPAIRINFO" {printf " %s", $4}')
+ sshid=$(echo 'SCD GETATTR $AUTHKEYID' | gpg-connect-agent | \
+ awk '$2 == "$AUTHKEYID" {print $3}')
+ [ -n "$sshid" ] && echo "gpg-agent uses $sshid as ssh key" >&2
+ query_user_menu "Select key " $tmp "back"
+ if [ "$ANSWER" != "back" ]; then
+ KEY_TYPE="card:$ANSWER"
+ KEY_LENGTH=
+ KEY_GRIP=
+ fi
+ fi
+ ;;
+ *)
+ exit 1
+ ;;
+ esac
+done
+
 query_user_menu "Key usage" "sign, encrypt" "sign" "encrypt"
 KEY_USAGE=$ANSWER |
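Review bot: In the `Direct*` branch, when `SCD LEARN --force` returns no `KEYPAIRINFO` lines `$tmp` ends up empty and `query_user_menu "Select key " $tmp "back"` silently offers nothing but "back"; an empty result is also exactly what a failing `gpg-connect-agent` pipeline produces, so the user cannot distinguish "card holds no keys" from "agent not reachable". A guard right after the LEARN assignment, `[ -n "$tmp" ] || { echo "No keys found on card" >&2; continue; }`, names the empty case and returns to the key-type menu. The `*)` branch's bare `exit 1` likewise leaves the terminal without a word; an `echo "Aborted" >&2` before it would help. The unquoted `$tmp` in the menu call is what splits the key IDs into separate entries and must stay unquoted, which deserves a comment such as `# unquoted on purpose: one menu entry per key id`.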