- 20 Jan, 2023 4 commits
-
-
Werner Koch authored
* common/compliance.c (gnupg_pk_is_allowed): Handle EdDSA. * g10/gpg.c (oOverrideComplianceCheck): Remove. (opts): Turn --override-compliance-check into a dummy option. * g10/options.h (opt): Remove override_compliance_check. * g10/sig-check.c (check_key_verify_compliance): Remove use of that option. -- The introduction of --override-compliance-check actually hid the real cause for the signature verification problem in de-vs mode for the Ed25519 key. The real fix is to handle the EdDSA algorithm in gnupg_pk_is_allowed. Fixes-commit: fb26e144 GnuPG-bug-id: 5655
-
Werner Koch authored
* g10/mainproc.c (check_sig_and_print): Do not check whether status is enabled when checking compliance.
-
Werner Koch authored
-- Note that we now print Copyright g10 Code instead of FSF.
-
Werner Koch authored
* tools/wks-util.c (write_to_file): Rename to ... (wks_write_to_file): this, make global, and support NULL for fname. * tools/gpg-wks-client.c (command_check): Write to key.
-
- 19 Jan, 2023 4 commits
-
-
Werner Koch authored
-- Note that --unwrap is an option and not a command. Thus it modifies the behaviour of the default operation or of -d.
-
Werner Koch authored
* common/miscellaneous.c (is_file_compressed): Add detect code. -- GnuPG-bug-id: 6332
-
Werner Koch authored
* tools/call-dirmngr.c (wkd_get_status_cb): Deetect and output warning and note stati from dirmngr. -- This is in particular helpful to check for non-proper TLS certificates.
-
Werner Koch authored
* common/iobuf.c (file_filter_ctx_t): Add fields for the peek feature. (file_filter): Implement peeking. (iobuf_ioctl): Add new IOBUF_IOCTL_PEEK. * common/iobuf.h (IOBUF_IOCTL_PEEK, IOBUFCTRL_PEEK): New. * common/miscellaneous.c (is_file_compressed): Rewrite. Detect PDF. * g10/encrypt.c (encrypt_simple): Peek before detecting compression. (encrypt_crypt): Ditto. * g10/sign.c (sign_file): Also detect already compressed data. * g10/options.h (opt): Add explicit_compress_option. * g10/gpg.c (main): Set opt.explicit_compress_option for -z. -- Note that this patch also introduces a compression check for signing which was never done in the past. GnuPG-bug-id: 6332
-
- 18 Jan, 2023 2 commits
-
-
Werner Koch authored
--
-
Werner Koch authored
* tools/gpgtar-create.c (gpgtar_create): Do not close the status_fd in spawn. * tools/gpgtar-extract.c (gpgtar_extract): Ditto. * tools/gpgtar-list.c (gpgtar_list): Ditto. -- Note that this fix does not handle file descripotors passed via the --gpg-args options. GnuPG-bug-id: 6348
-
- 12 Jan, 2023 1 commit
-
-
Werner Koch authored
* common/compliance.c (gnupg_pk_is_compliant): Also consider the gcrypt vids for ECDSA et al. (gnupg_pk_is_allowed): Ditto. * sm/verify.c (gpgsm_verify): Consider the curve. Print a compliance notice for a non-compliant key. * sm/certchain.c (gpgsm_validate_chain): Silence the "switching to chain model".
-
- 11 Jan, 2023 3 commits
-
-
Werner Koch authored
* dirmngr/dirmngr.c (post_option_parsing): Add arg CMD. (main): Pass the current command. -- Updates-commit: 9f37e93d
-
Werner Koch authored
* common/init.c (_init_common_subsystems): Test and set the DEP Policy. -- Note that this change will now definitely require Windows XP SP3.
-
Werner Koch authored
-- Unfortunately the a reflow took place.
-
- 21 Dec, 2022 1 commit
-
-
NIIBE Yutaka authored
* tests/gpgme/Makefile.am: Don't use setup.scm/ dir. * tests/gpgme/all-tests.scm: Fix the name of the environment. -- GnuPG-bug-id: 6313 Fixes-commit: c19ea75f Signed-off-by:
NIIBE Yutaka <gniibe@fsij.org>
-
- 16 Dec, 2022 15 commits
-
-
Werner Koch authored
--
-
Werner Koch authored
-
Werner Koch authored
--
-
Werner Koch authored
-- They were obvious.
-
Petr Pisar authored
--
-
Werner Koch authored
* common/mapstrings.c (map_static_macro_string): Add hack. --
-
Werner Koch authored
--
-
Werner Koch authored
--
-
Werner Koch authored
* g10/export.c (do_export_one_keyblock): Handle a cancel for the primary key special. -- GnuPG-bug-id: 6093
-
Werner Koch authored
* g10/cipher-aead.c (do_flush): Use %llu and a cast. * g10/decrypt-data.c (aead_underflow): Ditto. -- Fixes-commit: b2cedc10 We don't use the system's printf but the one implemented by us (gpgrt's estream-printf) thus the PRIu64 may or may not be correct. We can't do much about the -Wformat errors due to our different implementation.
-
Werner Koch authored
--
-
Werner Koch authored
--
-
Werner Koch authored
-
Werner Koch authored
-- Reported-by: Andreas Metzler GnuPG-bug-id: 6309
-
NIIBE Yutaka authored
* tests/gpgme/Makefile.am: Create directories for logs. -- Signed-off-by:
NIIBE Yutaka <gniibe@fsij.org>
-
- 12 Dec, 2022 1 commit
-
-
Werner Koch authored
* agent/command.c (cmd_scd): Allow it. -- This is important because Scute uses "SCD SERIALNO --all".
-
- 09 Dec, 2022 2 commits
-
-
Werner Koch authored
* scd/app-p15.c (select_and_read_record): Special case deleted records. Support 3 byte TLVs. (read_ef_prkdf): Skip deleted records. (read_ef_pukdf): Ditto. (read_ef_cdf): Ditto. (read_ef_aodf): Ditto. -- This fixes a problem with some CardOS 5 applications.
-
NIIBE Yutaka authored
* agent/Makefile.am [HAVE_W32CE_SYSTEM]: Remove. * am/cmacros.am [HAVE_W32CE_SYSTEM]: Remove. * autogen.sh: Remove W32ce_ variables. * configure.ac: Likewise. * dirmngr/Makefile.am (extra_bin_ldflags): Remove. * g10/Makefile.am [HAVE_W32CE_SYSTEM]: Remove. * kbx/Makefile.am: Likewise. * sm/Makefile.am (extra_bin_ldflags): Remove. * tools/Makefile.am (extra_bin_ldflags): Remove. -- Signed-off-by:
NIIBE Yutaka <gniibe@fsij.org>
-
- 06 Dec, 2022 1 commit
-
-
Werner Koch authored
* tools/gpg-wks.h (struct uidinfo_list_s): Add fields expired and revoked. * tools/wks-util.c (append_to_uidinfo_list): Add args expired and revoked. (set_expired_revoked): New. (wks_list_key): Set expired and revoked. (wks_cmd_install_key): Skip expired uids. * tools/gpg-wks-client.c (command_check): Print flags. (command_send): Ignore expired keys. (mirror_one_key): Ditto. * g10/export.c (do_export_stream): Silence warning. -- GnuPG-bug-id: 6292
-
- 05 Dec, 2022 5 commits
-
-
Werner Koch authored
* sm/certchain.c (is_cert_still_valid): Print revocation reason.
-
Werner Koch authored
* sm/keydb.c (keydb_set_cert_flags): Fix error test.
-
Werner Koch authored
* dirmngr/ocsp.c (ocsp_isvalid): Add args r_revoked_at and r_revocation_reason. * dirmngr/server.c (cmd_isvalid): Emit a new REVOCATIONINFO status. (cmd_checkocsp): Ditto. * sm/call-dirmngr.c (struct isvalid_status_parm_s): Add new fields. (isvalid_status_cb): Parse REVOCATIONINFO. (gpgsm_dirmngr_isvalid): Add args r_revoked_at and r_revocation_reason. * sm/gpgsm.h (struct server_control_s): Add fields revoked_art and revocation_reason. * sm/keylist.c (list_cert_raw): Print revocation date. (list_cert_std): Ditto. -- Note that for now we do this only for OCSP because it is an important piece of information when using the chain model. For a sample key see commit 7fa1d3cc.
-
Werner Koch authored
* sm/certchain.c (check_cert_policy): Print non-critical policy warning only in verbose mode.
-
Werner Koch authored
* sm/call-dirmngr.c (gpgsm_dirmngr_isvalid): Do not use option --force-default-responder. * sm/certchain.c (is_cert_still_valid): Rename arg for clarity. (gpgsm_validate_chain): Always switch to chain model. -- The trustlist.txt may indicate that a root CA issues certificates which shall be validated using the chain model. This is for example the case for qualified signatures. Before this change we did this only if the default shell model indicated that a certificate has expired. This optimization is technically okay but has one problem: The chain model requires the use of OCSP but we switch to this only when running the chain model validation. To catch revoked certificates using OCSP we need to always switch to the chain model unless OCSP has been enabled anyway. Note that the old --force-default-responder option is not anymore used. Test cases are certificates issued by # CN=TeleSec qualified Root CA 1 # O=Deutsche Telekom AG # C=DE # 2.5.4.97=USt-IdNr. DE 123475223 90:C6:13:6C:7D:EF:EF:E9:7C:C7:64:F9:D2:67:8E:AD:03:E5:52:96 \ S cm qual relax A sample revoked certificate is -----BEGIN CERTIFICATE----- MIIDTzCCAvSgAwIBAgIQIXfquQjq32B03CdaflIbiDAMBggqhkjOPQQDAgUAMHEx CzAJBgNVBAYTAkRFMRwwGgYDVQQKDBNEZXV0c2NoZSBUZWxla29tIEFHMSMwIQYD VQQDDBpUZWxlU2VjIFBLUyBlSURBUyBRRVMgQ0EgMTEfMB0GA1UEYQwWVVN0LUlk TnIuIERFIDEyMzQ3NTIyMzAeFw0yMDA2MjIxMDQ1NDJaFw0yMzA2MjUyMzU5MDBa MDAxCzAJBgNVBAYTAkRFMRUwEwYDVQQDDAxLb2NoLCBXZXJuZXIxCjAIBgNVBAUT ATMwWjAUBgcqhkjOPQIBBgkrJAMDAggBAQcDQgAEbkEXUuXTriWOwqQhjlh11oCc 6Z8lQdQDz3zY/OEh8fMJS7AKBNo8zkpPKDJ2olPph18b1goEbLiqHQsPRPahDaOC AaowggGmMB8GA1UdIwQYMBaAFP/0iep1rMXT0iQ0+WUqBvLM6bqBMB0GA1UdDgQW BBQEI3xsIUDnoOx+gLYbG63v5/f9kjAOBgNVHQ8BAf8EBAMCBkAwDAYDVR0TAQH/ BAIwADAgBgNVHREEGTAXgRV3ZXJuZXIua29jaEBnbnVwZy5jb20wPQYDVR0gBDYw NDAyBgcEAIvsQAECMCcwJQYIKwYBBQUHAgEWGWh0dHA6Ly9wa3MudGVsZXNlYy5k ZS9jcHMwgYQGCCsGAQUFBwEBBHgwdjBLBggrBgEFBQcwAoY/aHR0cDovL3RxcmNh MS5wa2kudGVsZXNlYy5kZS9jcnQvVGVsZVNlY19QS1NfZUlEQVNfUUVTX0NBXzEu Y3J0MCcGCCsGAQUFBzABhhtodHRwOi8vcGtzLnRlbGVzZWMuZGUvb2NzcHIwXgYI KwYBBQUHAQMEUjBQMAgGBgQAjkYBATAIBgYEAI5GAQQwOgYGBACORgEFMDAwLhYo aHR0cHM6Ly93d3cudGVsZXNlYy5kZS9zaWduYXR1cmthcnRlL2FnYhMCZW4wDAYI KoZIzj0EAwIFAANHADBEAiAqgB8gyZyj05CRdHD5KJcpG68DzQECYnYP6ZPasUYK AQIgI1GtRMJWvFTIKsZpgY+ty0pRb5/K09fbmvaSAKFpv/I= -----END CERTIFICATE-----
-
- 02 Dec, 2022 1 commit
-
-
Werner Koch authored
* agent/command.c (cmd_export_key): Add option --mode1003. (command_has_option): Ditto. * g10/build-packet.c (do_key): Implement mode 1003. * g10/parse-packet.c (parse_key): Ditto. * g10/options.h (EXPORT_MODE1003): New.o * g10/call-agent.c (agent_export_key): Add arg mode1003. * g10/export.c (parse_export_options): Add "mode1003" (secret_key_to_mode1003): New. (receive_seckey_from_agent): Add arg mode1003. (do_export_one_keyblock): Pass option down. -- This option allows to export a secret key in GnuPG's native format. Thus no re-encryption is required and further the public key parameters are also authenticated if a protection passphrase has been used. Note that --import is not yet able to handle this new mode. Although old version of GnuPG will bail out with "invalid packet" if a mode1003 exported secret key is seen.
-