--
* tools/gpg-wks-client.c (main): Return GPG_ERR_NOT_IMPLEMENTED if
gnupg was built without sendmail support. (NAME_OF_SENDMAIL=="")
* agent/command.c (do_one_keyinfo): Add arg list_mode. Check
attribute Remote-list.
(cmd_keyinfo): Change semantics to return nothing in restricted list
mode.
* tools/gpg-wks-client.c (blacklist_array, blacklist_array_len): New.
(parse_arguments): Install blacklist.
(read_file): New.
(cmp_blacklist, add_blacklist, is_in_blacklist): New.
(mirror_one_key): Check list.
* tools/gpg-wks.h (opt): Remove field blacklist.
--
GnuPG-bug-id: 6224
* tools/gpg-wks-client.c (domain_matches_mbox): New.
(mirror_one_key): Skip non-matching domains.
(command_mirror): Change args to allow for several domains.
--
Although dirmngr returns only the keys matching a certain domain,
those keys still may have user ids from other domains. Now we publish
only the user-ids as specified on the command line.
GnuPG-bug-id: T6224
* tools/gpg-wks-client.c (add_user_id): Pass --quiet to gpg unless we
are running in double verbose mode.
(decrypt_stream): Ditto.
(encrypt_response): Ditto.
(mirror_one_keys_userid): Ditto.
* tools/wks-util.c (wks_get_key): Ditto.
(wks_list_key): Ditto.
(wks_filter_uid): Ditto.
* common/tlv.c (parse_ber_header): Protect against integer overflow.
--
Although there is no concrete case where we use the (nhdr + length),
it is better to protect against this already here.
--
Reported-by: mario.haustein@hrz.tu-chemnitz.de
Also fix one fuzzy and a German typo.
* g10/decrypt.c (decrypt_message_fd): Use INPUT_FD directly.
* g10/encrypt.c (encrypt_crypt): Use FILEFD directly.
--
Before 8402815d, original code was with iobuf_open_fd_or_name, which
used gnupg_fd_t for the file descriptor (FD2INT was relevant at that
time). After the change, because it's not gnupg_fd_t but int, use of
FD2INT is irrelevant.
Fixes-commit: 8402815d8e0e04a44362968f88b3d484d2395402
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/gpg-wks-client.c (aMirror,oBlacklist,oNoAutostart): New.
(opts): Add --mirror, --no-autostart, and --blacklist.
(parse_arguments): Parse new options.
(main): Parse common.conf. Implement aMirror.
(mirror_one_key_parm): New.
(mirror_one_keys_userid, mirror_one_key): New.
(command_mirror): New.
* tools/gpg-wks.h (struct uidinfo_list_s): Add fields flags.
* tools/wks-util.c (wks_cmd_install_key): Factor some code out to ...
(wks_install_key_core): new.
* tools/call-dirmngr.c (wkd_dirmngr_ks_get): New.
--
This implements the basic LDAP to WKD mirroring. The blacklist
option and domain restrictions are not yet fully implemented.
Take care: In OpenLDAP you may need to increase the paged result limit
by using a configuration like:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcLimits
olcLimits: dn.subtree="dc=example,dc=org" size.prtotal=unlimited
GnuPG-bug-id: 6224
* dirmngr/ks-engine-ldap.c (PAGE_SIZE): New.
(struct ks_engine_ldap_local_s): Add several new fields.
(ks_ldap_clear_state): Release them.
(search_and_parse): Factored out from ks_ldap_get and extended to
support the paged mode.
(ks_ldap_get): Implement the paged mode for --first and --next.
* dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first
mode.
* dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS.
--
The paged mode allows retrieving more items than the servers usually
limit (e.g. 1000 for an LDS). This patch also allows using --first
without a pattern to retrieve all keyblocks (except for disabled and
revoked keys).
GnuPG-bug-id: 6224
* dirmngr/server.c (cmd_ks_get): Add option --first and --next.
(start_command_handler): Free that new ldap state.
* dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New.
(ks_ldap_new_state, ks_ldap_clear_state): New.
(ks_ldap_free_state): New.
(return_one_keyblock): New. Mostly factored out from ...
(ks_ldap_get): here. Implement --first/--next feature.
* dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to
ks_get_flags.
* dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New.
(KS_GET_FLAG_FIRST): New.
(KS_GET_FLAG_NEXT): New.
* dirmngr/dirmngr.h (struct server_control_s): Add member
ks_get_state.
(struct ks_engine_ldap_local_s): New forward reference.
--
This feature allows fetching keyblock by keyblock from an LDAP server.
This way tools can process and maybe filter each keyblock in a more
flexible way. Here is an example where two keyblocks for one mail
address are returned:
$ gpg-connect-agent --dirmngr
> ks_get --ldap --first <foo@example.org>
[... First keyblock is returned ]
OK
> ks_get --next
[ ... Next keyblock is returned ]
OK
> ks_get --next
ERR 167772218 No data <Dirmngr>
GnuPG-bug-id: 6224
* g10/call-dirmngr.c (ks_status_cb): Mangle the keyserver URL.
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data
behind the EOS.
(interrogate_ldap_dn): Stylistic change.
--
This also updates the my_ldap_connect description.
GnuPG-bug-id: 6047
* g10/encrypt.c (check_encryption_compliance): Check gcrypt compliance
before emitting an ENCRYPTION_COMPLIANCE_MODE status.
--
GnuPG-bug-id: 6221
Ported-from: 07c6743148d4abd30fb8bf08b07eb9755fdfff2d
* common/iobuf.c (iobuf_copy): Use log_assert. Explicitly cast error
return value.
* g10/build-packet.c (do_plaintext): Check for iobuf_copy error.
* g10/encrypt.c (encrypt_filter): Immediately set header_okay.
--
The second fix avoids repeated error message about non-compliant keys.
Updates-commit: a51067a21f688086bd8e44234a88ae367582cc76
Ported-from: aa0c942521d89f4f0aac90bacaf8a7a7cefc88d8
GnuPG-bug-id: 6174
* g10/encrypt.c (encrypt_crypt, encrypt_filter): Factor common code
out to ...
(create_dek_with_warnings): new
(check_encryption_compliance): and new.
* g10/encrypt.c (encrypt_filter): Add the compliance check.
--
GnuPG-bug-id: 6174
Ported-from: f88cb12f8e3c1234a094d09e2505d3a3eec4cbfe
* dirmngr/ldap-wrapper.c (ldap_wrapper_wait_connections): It's with
no arguments.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): Return BASEDN found,
memory allocated.
(my_ldap_connect): Follow the change, removing needless allocation.
--
GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Interrogate LDAP
server when basedn is specified.
--
GnuPG-bug-id: 6047
Signed-off-by: Joey Berkovitz <joeyberkovitz@gmail.com>
--
* dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const.
Use strtokenize instead of strtok style parsing.
--
This fixes a problem which resulted in a General Error for the second
key to be uploaded in the same session. But only if the colon format
to specify a keyserver with flags was used.
* g10/parse-packet.c (enum_sig_subpkt): Show "buffer shorter than
subpacket" only in debug mode.
(parse_signature): Show "signature packet without timestamp / keyid"
only in double verbose mode.
* g10/sig-check.c (check_signature_metadata_validity): Use ISO
timestamp in UTC for the signature expired note.
--
I have seen too many of these diagnostics and in particular the first
one seems to be connected to the others. Thus it does not make
sense to show them in standard verbose mode.
The ISO timestamp is much easier to read than the localized
timestamp and switching from localtime to UTC should not harm.
* dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
* dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly".
* dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
* dirmngr/dirmngr_ldap.c: Add option --areconly.
(connect_ldap): Implement option.
* dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.
--
This flag is used to pass the Windows specific option
LDAP_OPT_AREC_EXCLUSIVE. It is ignored on other systems.
Signed-off-by: Werner Koch <wk@gnupg.org>
* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Use gpgMailbox if
server supports this.
* g10/mainproc.c (proc_encrypted): Change compliance logic.
--
For the description of the problem see
https://dev.gnupg.org/T6205#163306
GnuPG-bug-id: 6205
* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New.
--
GnuPG-bug-id: 6047
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/gpg-connect-agent.c (main): Set dirs.
* tools/gpg-card.c (main): Ditto.
--
Fixes-commit: 203dcc19eb48228c60036691fe87fb37e29369a4
* dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
Remove the unused issuername_uri stuff.
--
It is quite common that LDAP servers are blocked and thus the HTTP
access point should be used instead. This worked well for
certificates where the DP are given in this form:
crlDP: ldap://x500.bund.de/[...]
http://x500.bund.de/[...]
issuer: none
but it failed for this form
crlDP: ldap://x500.bund.de/[...]
issuer: none
crlDP: http://x500.bund.de/[...]
issuer: none
because the LAST_ERR thing terminated the outer loop. This patch
fixes this and also cleans up the code to be more robust.
Note that the common workaround of using --ignore-ldap-dp will now
only be needed if the firewall uses packet dropping instead of proper
ICMP rejects.
--
* dirmngr/dns.c: Use __noreturn__.
* doc/yat2m.c: Likewise.
* g10/main.h: Likewise.
--
GnuPG-bug-id: 4002
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* m4/ldap.m4: Define LDAP_DEPRECATED when testing.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* common/homedir.c (unix_rootdir): Add ".enable" statement to
gpgconf.ctl.
* tests/gpgconf.ctl.in: Use this statement.
* tests/cms/Makefile.am (OLD_TESTS_ENVIRONMENT): Enable .enable.
(TESTS_ENVIRONMENT): Ditto.
* tests/gpgme/Makefile.am (TESTS_ENVIRONMENT): Ditto.
* tests/migrations/Makefile.am (TESTS_ENVIRONMENT): Ditto.
* tests/openpgp/Makefile.am (TESTS_ENVIRONMENT): Ditto.
* tests/pkits/Makefile.am (TESTS_ENVIRONMENT): Ditto.
* tests/tpm2dtests/Makefile.am (TESTS_ENVIRONMENT): Ditto.
--
Without that it was required to delete the gpgconf.ctl to run manual
tests.
What a hack.
* common/init.h: Remove GPG_ERR_SOURCE_UNKNOWN check.
--
GnuPG-bug-id: 6200
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* kbx/keybox-defs.h (GPG_ERR_SOURCE_DEFAULT): Define here, when not
defined.
* kbx/kbxutil.c: Let keybox-defs.h include gpg-error.h.
--
GnuPG-bug-id: 6200
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/ks-action.c [USE_LDAP] (ks_action_help): Recover variables.
* dirmngr/server.c [USE_LDAP] (dirmngr/server.c): Likewise.
--
Fixes-commit: 3d7dbf16618db4d0dc602daadbde098d4a14b528
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* common/t-recsel.c (main): Don't need to call init_common_subsystems.
--
GnuPG-bug-id: 6200
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* dirmngr/dns.c (dns_a_parse0, dns_a_push0, dns_a_cmp0): New.
(dns_a_print0, dns_aaaa_parse0, dns_aaaa_cmp0): New.
(dns_aaaa_print0, dns_mx_parse0, dns_mx_push0, dns_mx_cmp0): New.
(dns_mx_print0, dns_mx_cname0, dns_ns_parse0, dns_ns_push0): New.
(dns_ns_cmp0, dns_ns_print0, dns_ns_cname0, dns_cname_parse0): New.
(dns_cname_push0, dns_cname_cmp0, dns_cname_print0): New.
(dns_cname_cname0, dns_soa_parse0, dns_soa_push0): New.
(dns_soa_cmp0, dns_soa_print0, dns_srv_parse0, dns_srv_push0): New.
(dns_srv_cmp0, dns_srv_print0, dns_srv_cname0, dns_opt_parse0): New.
(dns_opt_push0, dns_opt_cmp0, dns_opt_print0, dns_ptr_parse0): New.
(dns_ptr_push0, dns_ptr_cmp0, dns_ptr_print0, dns_ptr_cname0): New.
(dns_sshfp_parse0, dns_sshfp_push0, dns_sshfp_cmp0): New.
(dns_sshfp_print0, dns_txt_parse0, dns_txt_push0, dns_txt_cmp0): New.
(struct dns_rrtype): Add function prototypes.
(dns_rrtypes): Use "0" variant of functions.
(DNS_PRAGMA_PUSH, DNS_PRAGMA_POP): Remove.
--
Original code was pretty badly written, ignoring the type system of C,
but modern compilers encourage use of the type system. No
architectural changes, only things that are mechanically possible.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent/protect.c (agent_get_shadow_info_type): It's a write-only
variable, useful for debugging.
* g10/key-check.c (key_check_all_keysigs): Likewise.
* g10/keyedit.c (show_basic_key_info, menu_expire): Likewise.
* scd/app-sc-hsm.c (read_ef_prkd): Likewise.
* dirmngr/crlfetch.c (fetch_next_ksba_cert): Initialize the vars.
* dirmngr/ks-action.c (ks_action_help): Remove unused variables.
* dirmngr/server.c (make_keyserver_item): Likewise.
* dirmngr/validate.c (check_cert_sig): Initialize the variable.
* scd/app-p15.c (select_and_read_record): Likewise.
* tests/gpgscm/scheme.c (scheme_init_new): A function with no args.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/Makefile.am: gpg-auth is one of the libexec_PROGRAMS.
* tools/gpg-auth.c: Support use by root for login user.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* common/gettime.c (gnupg_get_time): It has no arguments.
* common/signal.c (gnupg_block_all_signals): Likewise.
(gnupg_unblock_all_signals): Likewise.
* common/utf8conv.c (get_native_charset): Likewise.
* g10/cpr.c (is_status_enabled, cpr_enabled): Likewise.
* g10/getkey.c (getkey_disable_caches): Likewise.
* g10/keygen.c (ask_expiredate): Likewise.
* g10/passphrase.c (have_static_passphrase): Likewise.
(get_last_passphrase): Likewise.
* g10/tdbio.c (tdbio_is_dirty, tdbio_sync): Likewise.
(tdbio_get_dbname, open_db, tdbio_db_matches_options): Likewise.
(tdbio_read_nextcheck): Likewise.
* g10/trustdb.c (how_to_fix_the_trustdb): Likewise.
* scd/scdaemon.c (scd_get_socket_name): Likewise.
* sm/passphrase.c (have_static_passphrase): Likewise.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* sm/minip12.c (p12_parse): Set badpass flag to result in ctx.
--
Fixes-commit: a4e04375e84ecb7ea0d02e153cb27988fca4c2d0
GnuPG-bug-id: 5713, 6037
This reverts commit 8e63e813c7404e1dae1def98e0f45d148f71082d.
The change broke adding existing ECDH encryption subkeys to a key.
GnuPG-bug-id: 5555
* agent/gpg-agent.c (main): Print an error message if no-autostart is
set in common.conf.
* g10/packet.h (PUBKEY_USAGE_RENC): New.
(PUBKEY_USAGE_TIME): New.
(PUBKEY_USAGE_GROUP): New.
* g10/getkey.c (parse_key_usage): Set the new key flags.
* g10/keyedit.c (show_key_with_all_names_colon): Show the new key
flags.
* g10/keyid.c (usagestr_from_pk): Ditto.
* g10/keylist.c (print_capabilities): Ditto.
* g10/keygen.c (parse_usagestr): Parse line and set new flags.
(quickgen_set_para): Show flags.
--
See draft-koch-openpgp-2015-rfc4880bis-00 for the current version.
Actually these flags have been in the draft for years now. This patch
is a first step to make use of them.
* tools/gpg-auth.c (getpin): Use comment.
(inq_needpin): Support "POPUPPINPADPROMPT" protocol response.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* common/ssh-utils.c (ssh_public_key_in_base64): Use standard name for
ECC curve.
--
See oidtable in common/openpgp-oid.c.
Fixes-commit: 8e650dbd48fa5fde6d8f08154e6a892d495e9227
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/gpg-auth.c (authenticate): Put key_list->comment to assuan
user's pointer.
(getpin): Show SSH key comment if any.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* tools/gpg-auth.c (my_strusage): Fix usage string.
(main): Use gpg-agent to get scdaemon socket.
(authenticate): Return GPG_ERR_NOT_FOUND when no success.
(ga_scd_connect): Use DBG_IPC.
(inq_needpin): Change API for getpin.
(put_second_field_cb): New, to get the second field.
(scd_get_pubkey): Use put_second_field_cb.
(ga_filter_by_authorized_keys): Put NULL at the PREV->next.
(getpin): Flush the standard output.
Include the last terminating NUL.
Return the length.
--
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>