| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/getkey.c (get_keyblock_byfpr_fast): Add arg primary_only and
implement.
* g10/import.c (import_one_real): Simplify filling the fpr buffer with
zeroes.
(import_one_real): Find key only by primary fingerprint.
--
This should have been done early: When looking up the original
keyblock we want to update, we need to lookup it up only using the
primary key. This avoids to find a key which has the primary key also
has a subkey.
GnuPG-bug-id: 7527
|
| |
|
|
| |
--
|
| |
|
|
|
|
|
|
|
|
|
| |
* g10/call-agent.c (agent_crosslink_keys): New.
* g10/keygen.c (common_gen): Store the Link attribute.
--
The Link attribute may be useful to quickly find the other part of a
composite private key.
GnuPG-bug-id: 6638
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* g10/options.h (flags): Add field disable_pqc_encryption.
* g10/gpg.c (oDisablePQCEncryption): New.
(opts): Add --option.
(main): Set option.
* g10/getkey.c (finish_lookup): Skip subkeys if option is set.
--
This option can be used to avoid the use of Kyber encryption subkeys
if this does not make sense (i.e. protection of local files).
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* kbx/keybox-fwddecl.h: New.
* kbx/keybox.h: Replace typedef for KEYBOX_HANDLE by including the new
file.
* g10/keydb-private.h: Ditto.
--
The duplicated typedef was a bit ugly and will fail, depending on
compiler, iof for example building without keyboxd. Fix only tested
in the standard case but the fix is obvious.
|
| |
|
|
|
|
|
|
|
| |
* tests/gpgscm/ffi.c (do_process_spawn_io): Fix use of FD_ISSET.
--
This bug was detected on an i686 with gcc 4.1 and Linux 2.6.18
Fixes-commit: 1b0ce9918c321a5060fb7c59a234ab683187e8c1
|
| |
|
|
|
|
|
|
|
| |
* tests/gpgscm/scheme.c (MY_GCC_VERSION): New.
(type_to_string): Use gcc build in only when supported.
--
Note that we do not wnat to use the GPGRT macro to keep this file as
close to upstream as possible.
|
| |
|
|
|
|
|
|
| |
* g10/keygen.c (adjust_algo_for_ecdh_ecdsa): New.
(parse_algo_usage_expire): Adjust key algo.
--
GnuPG-bug-id: 7506
|
| |
|
|
|
|
| |
--
Signed-off-by: Daniel Cerqueira <[email protected]>
|
| |
|
|
|
|
|
|
| |
* g10/gpg.c (set_compliance_option) <oDE_VS>: Change.
--
This version has not yet been evaluated and thus we are able to
change it to a more useful default.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* g10/gpg.c (set_compliance_option): Base most settings on oGnuPG.
For oGnuPG explictly clear the allow_old_cipher_algos flag.
--
Note that --allow-old-cipher-algos must now come after a compliance
settings. This avoids a bug when first setting oRFC2440 and then
oGnuPG which would not clear the flag.
GnuPG-bug-id: T7501
|
| |
|
|
|
|
|
|
|
|
| |
* doc/gpg.texi (Compliance options): Explain that when multiple
--compliance options are given, the final one supersedes any previous
option.
--
Signed-off-by: Daniel Kahn Gillmor <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/gpg.c (set_compliance_option): oPGP7 and oPGP8 both restore
policy-relevant default options before setting the compliance flag.
--
With this change, any ordering of --compliance options will always
result in the options selected from the last option given.
GnuPG-bug-id: 7501
Signed-off-by: Daniel Kahn Gillmor <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/gpg.c (set_compliance_option): oGnuPG restores default
policy-affected options, moved from...
(main): ...here. Invoke set_compliance_option(oGnuPG) directly
instead of just setting opt.compliance.
--
Some of these default option values (flags.dsa2, rfc2440_text,
allow_non_selfsigned_uid, allow_freeform_uid) had to be inferrerd from
the fact that the opt struct is static and therefore initialized to
zero by the compiler.
With this change, --compliance=gnupg now completely reverts to the
defaults that were changed from other --compliance= options.
GnuPG-bug-id: T7501
Signed-off-by: Daniel Kahn Gillmor <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/gpg.c (set_compliance_option): clear
opt.flags.require_cross_cert with oRFC2440
--
This aligns with the expectations in RFC 2440, which doesn't specify
any cross-certifications. As doc/gpg.texi says: "This is dangerous",
but it aligns with the specification.
The comment above says that 4880 is the same as 2440, "but with [...]
--require-cross-certification", so we align the code with the intent
from the comment. It looks like opt.require_cross_cert was turned on
by default after that comment (and the oRFC2440 section) was written,
but the oRFC2440 section was never updated to turn it off.
Signed-off-by: Daniel Kahn Gillmor <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
* sm/gpgsm.c (oNoProtection): New.
(opts): Add "--no-protection".
(main): PArse it.
* sm/gpgsm.h (struct server_control_s): Add field no_protection.
* sm/server.c (option_handler): Add option "no-protection".
(reset_notify): Clear option.
* sm/export.c (export_p12): Use empty passphrase if option is set.
|
| |
|
|
|
|
|
| |
* sm/call-agent.c (gpgsm_agent_genkey): Add arg no_protection.
* sm/certreqgen.c (struct reqgen_ctrl_s): Add field no_protection.
(read_parameters): Add keyword "%no-protection".
(proc_parameters): Pass no_protection to gpgsm_agent_genkey.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* agent/command-ssh.c (ssh_send_available_keys): Adjust key counter
for skipped keys.
--
Fixes-commit: 8b8a8b246c443d5631a88ec59b88edf00aa0ff51
which introduced a regression due to an extra variable for counting
the keys.
The bug showed up for example if a card with a Brainpool Auth key was
also used. Unfortunately OpenSSH still does not allow for Brainpool
keys.
|
| |
|
|
|
|
|
|
|
| |
* g10/armor.c (radix64_read): Set ->any_data if any data is available.
--
GnuPG-bug-id: 7071
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
* configure.ac (GPG_ERR_ENABLE_ERRNO_MACROS): Remove.
--
It was for Windows CE.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
| |
* build-aux/speedo.mk (dist-source): Exclude them.
--
GnuPG-bug-id: 7442
|
| |
|
|
|
|
|
|
|
| |
* agent/findkey.c (read_key_file): Free BUF.
--
Fixes-commit: 434a641d40cbff82beb9f485e0adca72419bfdf2
Signed-off-by: Sorah Fukumori <[email protected]>
|
| |
|
|
|
|
| |
--
Not tested.
|
| |
|
|
|
|
| |
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
* tools/gpg-authcode-sign.sh: Skip too short files and rename certain
files to ".dll".
--
osslsigncode requires file suffixes of exe or dll but not dll-x or
dll-ex which we use in our gpg4win build system. This adds
workarounds for this and for short dummy files.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/card-util.c (USER_PIN_DEFAULT): Move to the top. Same for the
other constants.
(show_pin_hint): New.
(generate_card_keys): Use show_pin_hint.
(do_change_keyattr): Also show pin hint here.
(change_name): And here.
--
We used to show a hint for the default PINs only before generate.
However it is often useful to first change the attributes and thus the
hint should be show here as well.
The above is only done if no name has yet been set, thus before
setting the name we also show the hint.
|
| |
|
|
| |
--
|
| | |
|
| |
|
|
| |
--
|
| | |
|
| |
|
|
|
| |
--
GnuPG-bug-id: 7479
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* agent/gpg-agent.c (opts): Rename option supervised.
* dirmngr/dirmngr.c (opts): Ditto.
--
The --supervised way to start gpg-agent has been deprecated for 2.5
years and will probably entirely removed with version 2.6.0. To allow
its use until its removal the systemd service description need to be
adjusted to use this option. The reason for the deprecation are
conflicts with the way systemd starts gpg-agent and gpg expects how
gpg-agent is started. In particular gpg expects that the gpg-agent
matching its own version is started. Further the systemd way is not
portable to other platforms and long term experience on Windows has
show that the standard way of starting gpg-agent is less error prone.
Note to those who want to re-introduse this option: Pretty please do
not use socket names conflicting with our standard socket names. For
example use /run/user/1000/foo-gnupg/S.gpg-agent.
|
| |
|
|
| |
--
|
| |
|
|
|
|
|
|
| |
* g10/keygen.c (card_write_key_to_backup_file): Fix error handing by
removing the RC variable. Add warning note.
--
GnuPG-bug-id: 2169
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* g10/encrypt.c (create_dek_with_warnings): Forcefully use AES-256 if
PQC encryption was required or if all recipient keys are Kyber keys.
--
If --require-pqc-encryption was set, then it should be safe to always
force AES-256, without even checking if we are encrypting to Kyber keys
(if some recipients do not have Kyber keys, --require-pqc-encryption
will fail elsewhere).
Otherwise, we force AES-256 if we encrypt *only* to Kyber keys -- unless
the user explicitly requested another algo, in which case we assume they
know what they are doing.
GnuPG-bug-id: 7472
Signed-off-by: Damien Goutte-Gattat <[email protected]>
Man page entry extended
Signed-off-by: Werner Koch <[email protected]>
|
| |
|
|
|
|
|
|
|
| |
* g10/pubkey-enc.c (get_it): Do not error out when decrypting a session
key of less than 32 octets encrypted to a Kyber key.
--
GnuPG-bug-id: 7472
Signed-off-by: Damien Goutte-Gattat <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
| |
--
(proofread by the debian-l10n-french team)
GnuPG-bug-id:7469
Changed original patch to use positional arguments for
"un hachage de %1$u bits n'est pa[...]"
|
| |
|
|
|
|
| |
--
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
| |
* scd/app.c (report_change): Use gpgrt_spawn_actions_set_env_rev.
--
It's UTF-8 string.
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
| |
* agent/call-scd.c (agent_card_pkdecrypt): Remove unused variables.
--
Fixes-commit: fe147645d2397dd77b646a253965c5994f360f26
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
| |
* g10/keygen.c (ask_algo): Fix condition. Continue the loop when
failure.
--
Fixes-commit: e7891225788ab5f6d050a06643b1f488c227771f
GnuPG-bug-id: 7309, 7457
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
* g10/parse-packet.c (parse_signature): Increase the cap for hashed
subpackets to 30000. Print the value in the error message. Do not
return an error but skip a too long signature.
--
The limit of 10000 served us well for decades but given the option to
put a key into the signature, a larger limit will eventually be
useful. The second part makes things a bit robust against rogue
subpackets on a keyserver.
|
| |
|
|
|
| |
* build-aux/speedo.mk (W32VERSION): Default to 64 bit.
* build-aux/speedo/w32/inst.nsi: Remove the doc dir.
|
| |
|
|
|
|
|
| |
* g10/trustdb.c (validate_keys): Take care of --quiet.
--
GnuPG-bug-id: 7351
|
| |
|
|
| |
--
|
| | |
|
| |
|
|
| |
--
|
| |
|
|
| |
--
|
| |
|
|
|
|
|
|
|
|
|
| |
* agent/call-scd.c (prepare_setdata): New.
(agent_card_pksign): Use prepare_setdata for SETDATA.
(agent_card_pkdecrypt): Likewise.
--
GnuPG-bug-id: 7436
Signed-off-by: NIIBE Yutaka <[email protected]>
|
| |
|
|
|
|
|
|
|
| |
* configure.ac (NEED_GPGRT_VERSION): Bump to 1.51.
* g10/keydb.c (internal_keydb_update_keyblock) [!USE_TOFU]: Mark an
arg unused.
* common/homedir.c (create_common_conf) [!BUILD_WITH_KEYBOXD]: Mark an
arg unused.
|
