...
 
Commits (18)
gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
In this version we adopt GnuPG's upstream approach of making keyserver
access default to self-sigs-only. This defends against receiving
flooded OpenPGP certificates. To revert to the previous behavior (not
recommended!), add the following directive to ~/.gnupg/gpg.conf:
keyserver-options no-self-sigs-only
We also adopt keys.openpgp.org as the default keyserver, since it avoids
the associated bandwidth waste of fetching third-party certifications
that will not be used. To revert to the older SKS keyserver network (not
recommended!), add the following directive to ~/.gnupg/dirmngr.conf:
keyserver hkps://hkps.pool.sks-keyservers.net
Note: we do *not* adopt upstream's choice of import-clean for the
keyserver default, since it can lead to data loss, see
https://dev.gnupg.org/T4628 for more details.
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Wed, 21 Aug 2019 14:53:47 -0400
gnupg2 (2.1.11-7+exp1) experimental; urgency=medium
The gnupg package now provides the "modern" version of GnuPG.
......
gnupg2 (2.2.12-1+deb10u1) buster; urgency=medium
* drop unneeded patch for printing revocation certificates
* backport bugfix and stability patches from upstream 2.2.13
* backport bugfix and stability patches from upstream 2.2.14
* backport documentation, stability, ssh, and WKD patches from upstream 2.2.15
* backport documentation and bugfix patches from upstream 2.2.16
* import bugfixes and cleanup around secret key handling from 2.2.14
* backport bugfixes, documentation, WKD, and keyserver fixes from 2.2.17
* import efficiency and security fixes from upstream STABLE-BRANCH-2-2
* avoid using SKS pool CA unless the keyserver is hkps.pool.sks-keyservers.net
* drop import-clean from default keyserver options, to avoid data loss
* use keys.openpgp.org as the default keyserver
* enable merging certificate updates even if update has no user ID
* update Vcs-Git: to point to debian/buster branch
* Adopt migrate-pubring-from-classic-gpg robustness fixes (Closes: #931385)
* add new CI test: debian/tests/simple-tests
* debian/tests/gpgv-win32: make arch-specific (Closes: #905563)
-- Daniel Kahn Gillmor <dkg@fifthhorseman.net> Sun, 21 Jul 2019 15:39:05 -0400
gnupg2 (2.2.12-1) unstable; urgency=medium
* New upstream release
......
......@@ -41,7 +41,7 @@ Build-Depends-Indep:
libnpth-mingw-w64-dev (>= 1.2),
libz-mingw-w64-dev,
mingw-w64,
Vcs-Git: https://salsa.debian.org/debian/gnupg2.git
Vcs-Git: https://salsa.debian.org/debian/gnupg2.git -b debian/buster
Vcs-Browser: https://salsa.debian.org/debian/gnupg2
Homepage: https://www.gnupg.org/
Rules-Requires-Root: no
......
[DEFAULT]
debian-branch = debian/master
debian-branch = debian/buster
pristine-tar = True
upstream-vcs-tag = gnupg-%(version)s
......
......@@ -48,6 +48,8 @@ else
esac
fi
GPG=("$GPG" --homedir "$GHD" --batch)
# ensure that there is a pubring.gpg to migrate:
if ! [ -f "$GHD/pubring.gpg" ]; then
printf 'There is no %s/pubring.gpg, no need to migrate\n' "$GHD" >&2
......@@ -62,15 +64,45 @@ fi
BACKUP="$(mktemp -d "$GHD/migrate-from-classic-backup.$(date +%F).XXXXXX")"
printf 'Migrating from:\n%s\n[Backing up to %s]\n' "$(ls -l "$GHD/pubring.gpg")" "$BACKUP" >&2
"$GPG" --export-ownertrust > "$BACKUP/ownertrust.txt"
"${GPG[@]}" --export-ownertrust > "$BACKUP/ownertrust.txt"
mv "$GHD/pubring.gpg" "$BACKUP/"
"$GPG" --import-options import-local-sigs,keep-ownertrust,repair-pks-subkey-bug --import < "$BACKUP/pubring.gpg"
"$GPG" --import-ownertrust < "$BACKUP/ownertrust.txt"
"$GPG" --check-trustdb
revert() {
printf >&2 'Restoring pubring.gpg...\n'
cp "$BACKUP/pubring.gpg" "$GHD/pubring.gpg"
}
trap revert EXIT
if ! "${GPG[@]}" --status-file "$BACKUP/import-status" --import-options import-local-sigs,keep-ownertrust,repair-pks-subkey-bug --import < "$BACKUP/pubring.gpg" ; then
cat >&2 <<EOF
Keyring import was not completely successful (see error message above,
and the LIMITATIONS section of migrate-pubring-from-classic-gpg(1) for
more details).
If you suspect a bug in the migration script, please use:
reportbug gnupg-utils --subject='migrate-pubring-from-classic-gpg partial failure'
And include the above output (redacted for privacy as needed) in the
body of the report.
Continuing with the rest of the migration anyway...
EOF
fi
"${GPG[@]}" --import-ownertrust < "$BACKUP/ownertrust.txt"
"${GPG[@]}" --check-trustdb
if ! [ -f "$GHD/pubring.kbx" ]; then
printf 'No keybox was created at %s/pubring.kbx. Something went wrong!\n' "$GHD" >&2
cat >&2 <<EOF
No keybox was created at $GHD/pubring.kbx. Something went wrong!
Please report a bug in the migration script, using:
reportbug gnupg-utils --subject='migrate-pubring-from-classic-gpg no pubring.kbx ($BACKUP)'
EOF
exit 1
fi
trap - EXIT
printf 'Migration completed successfully:\n%s\n' "$(ls -l "$GHD/pubring.kbx")" >&2
......@@ -12,8 +12,8 @@ migrate\-pubring\-from\-classic\-gpg \- Migrate a public keyring from "classic"
.B migrate\-pubring\-from\-classic\-gpg
migrates the public keyring in GnuPG home directory GPGHOMEDIR from
the "classic" keyring format to the "modern" keybox format using GnuPG
versions 2.1 or 2.2.
the "classic" keyring format (pubring.gpg) to the "modern" keybox format using GnuPG
versions 2.1 or 2.2 (pubring.kbx).
Specifying
.B \-\-default
......@@ -30,6 +30,50 @@ The program sends quite a bit of text (perhaps too much) to stderr.
During a migration, the tool backs up several pieces of data in a
timestamped subdirectory of the GPGHOMEDIR.
.SH LIMITATIONS
The keybox format rejects a number of OpenPGP certificates that the
"classic" keyring format used to accept. These filters are defensive,
since the certificates rejected are unsafe -- either cryptographically
unsound, or dangerously non-performant. This means that some
migrations may produce warning messages about the migration being
incomplete. This is generally a good thing!
Known limitations:
.B Flooded certificates
.RS 4
Some OpenPGP certificates have been flooded with bogus certifications
as part of an attack on the SKS keyserver network (see
https://tools.ietf.org/html/draft-dkg-openpgp-abuse-resistant-keystore-03#section-2.1).
The keybox format rejects import of any OpenPGP certificate larger
than 5MiB. As of GnuPG 2.2.17, if gpg encounters such a flooded
certificate will retry the import while stripping all third-party
certifications (see "self-sigs-only" in gpg(1)).
The typical error message when migrating a keyring with a flooded
certificate will be something like:
.RE
.RS 8
error writing keyring 'pubring.kbx': Provided object is too large
.RE
.B OpenPGPv3 public keys (a.k.a. "PGP-2" keys)
.RS 4
Modern OpenPGP implementations use so-called "OpenPGP v4" public keys.
Older versions of the public key format have serious known problems.
See https://tools.ietf.org/html/rfc4880#section-5.5.2 for more details
about and reasons for v3 key deprecation.
The keybox format skips v3 keys entirely during migration, and GnuPG
will produce a message like:
.RE
.RS 8
skipped PGP-2 keys: 1
.RE
.SH ENVIRONMENT VARIABLES
.B GNUPGHOME
......
From: Werner Koch <wk@gnupg.org>
Date: Mon, 17 Dec 2018 18:46:26 +0100
Subject: Silence compiler warnings new with gcc 8.
* dirmngr/dns.c: Include gpgrt.h. Silence -Warray-bounds also gcc.
* tests/gpgscm/scheme.c: Include gpgrt.h.
(Eval_Cycle): Ignore -Wimplicit-fallthrough.
--
The funny use of case and labels in the CASE macro seems confuse the
fallthrough detection.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 21fc089148678f59edb02e0e16bed65b709fb972)
---
dirmngr/dns.c | 17 ++++++++++++-----
tests/gpgscm/scheme.c | 12 ++++++++++++
2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/dirmngr/dns.c b/dirmngr/dns.c
index 77f83f4..968fc3d 100644
--- a/dirmngr/dns.c
+++ b/dirmngr/dns.c
@@ -77,6 +77,7 @@ typedef int socket_fd_t;
#include <netdb.h> /* struct addrinfo */
#endif
+#include "gpgrt.h" /* For GGPRT_GCC_VERSION */
#include "dns.h"
@@ -7521,9 +7522,13 @@ static unsigned char *dns_so_tcp_recv_buffer(struct dns_socket *so) {
}
-#if defined __clang__
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Warray-bounds"
+
+#if GPGRT_GCC_VERSION >= 80000
+# pragma GCC diagnostic push
+# pragma GCC diagnostic ignored "-Warray-bounds"
+#elif defined __clang__
+# pragma clang diagnostic push
+# pragma clang diagnostic ignored "-Warray-bounds"
#endif
static int dns_so_tcp_send(struct dns_socket *so) {
@@ -7589,8 +7594,10 @@ static int dns_so_tcp_recv(struct dns_socket *so) {
return 0;
} /* dns_so_tcp_recv() */
-#if __clang__
-#pragma clang diagnostic pop
+#if GPGRT_GCC_VERSION >= 80000
+# pragma GCC diagnostic pop
+#elif __clang__
+# pragma clang diagnostic pop
#endif
diff --git a/tests/gpgscm/scheme.c b/tests/gpgscm/scheme.c
index 4384841..b188e36 100644
--- a/tests/gpgscm/scheme.c
+++ b/tests/gpgscm/scheme.c
@@ -44,6 +44,8 @@
# endif
#endif
+#include "gpgrt.h" /* For GGPRT_GCC_VERSION */
+
/* Used for documentation purposes, to signal functions in 'interface' */
#define INTERFACE
@@ -3438,6 +3440,11 @@ int list_length(scheme *sc, pointer a) {
+#if GPGRT_GCC_VERSION >= 80000
+# pragma GCC diagnostic push
+# pragma GCC diagnostic ignored "-Wimplicit-fallthrough"
+#endif
+
#define s_retbool(tf) s_return(sc,(tf) ? sc->T : sc->F)
/* kernel of this interpreter */
@@ -5323,6 +5330,11 @@ Eval_Cycle(scheme *sc, enum scheme_opcodes op) {
}
}
+#if GPGRT_GCC_VERSION >= 80000
+# pragma GCC diagnostic pop
+#endif
+
+
typedef int (*test_predicate)(pointer);
static int is_any(pointer p) {
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Mon, 28 Jan 2019 12:58:13 +0900
Subject: agent: Clear bogus pinentry cache, when it causes an error.
* agent/agent.h (PINENTRY_STATUS_*): Expose to public.
(struct pin_entry_info_s): Add status.
* agent/call-pinentry.c (agent_askpin): Clearing the ->status
before the loop, let the assuan_transact set ->status. When
failure with PINENTRY_STATUS_PASSWORD_FROM_CACHE, it returns
soon.
* agent/findkey.c (unprotect): Clear the pinentry cache,
when it causes an error.
--
Cherry-picked from master commit of:
02a2633a7f0b7d91aa48ea615fb3a0edfd6ed6bb
Debian-bug-id: 919856
GnuPG-bug-id: 4348
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 9109bb9919f84d5472b7e62e84b961414a79d3c2)
---
agent/agent.h | 11 ++++++++++-
agent/call-pinentry.c | 37 ++++++++++++++++++-------------------
agent/findkey.c | 12 +++++++++++-
3 files changed, 39 insertions(+), 21 deletions(-)
diff --git a/agent/agent.h b/agent/agent.h
index 97ac15d..b07ea57 100644
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -265,6 +265,14 @@ struct server_control_s
};
+/* Status of pinentry. */
+enum
+ {
+ PINENTRY_STATUS_CLOSE_BUTTON = 1 << 0,
+ PINENTRY_STATUS_PIN_REPEATED = 1 << 8,
+ PINENTRY_STATUS_PASSWORD_FROM_CACHE = 1 << 9
+ };
+
/* Information pertaining to pinentry requests. */
struct pin_entry_info_s
{
@@ -274,7 +282,8 @@ struct pin_entry_info_s
int failed_tries; /* Number of tries so far failed. */
int with_qualitybar; /* Set if the quality bar should be displayed. */
int with_repeat; /* Request repetition of the passphrase. */
- int repeat_okay; /* Repetition worked. */
+ int repeat_okay; /* Repetition worked. */
+ unsigned int status; /* Status. */
gpg_error_t (*check_cb)(struct pin_entry_info_s *); /* CB used to check
the PIN */
void *check_cb_arg; /* optional argument which might be of use in the CB */
diff --git a/agent/call-pinentry.c b/agent/call-pinentry.c
index b68d0a8..1f3bd52 100644
--- a/agent/call-pinentry.c
+++ b/agent/call-pinentry.c
@@ -891,13 +891,6 @@ setup_qualitybar (ctrl_t ctrl)
return 0;
}
-enum
- {
- PINENTRY_STATUS_CLOSE_BUTTON = 1 << 0,
- PINENTRY_STATUS_PIN_REPEATED = 1 << 8,
- PINENTRY_STATUS_PASSWORD_FROM_CACHE = 1 << 9
- };
-
/* Check the button_info line for a close action. Also check for the
PIN_REPEATED flag. */
static gpg_error_t
@@ -962,7 +955,6 @@ agent_askpin (ctrl_t ctrl,
const char *errtext = NULL;
int is_pin = 0;
int saveflag;
- unsigned int pinentry_status;
if (opt.batch)
return 0; /* fixme: we should return BAD PIN */
@@ -1073,6 +1065,7 @@ agent_askpin (ctrl_t ctrl,
pininfo->with_repeat = 0; /* Pinentry does not support it. */
}
pininfo->repeat_okay = 0;
+ pininfo->status = 0;
for (;pininfo->failed_tries < pininfo->max_tries; pininfo->failed_tries++)
{
@@ -1106,10 +1099,9 @@ agent_askpin (ctrl_t ctrl,
saveflag = assuan_get_flag (entry_ctx, ASSUAN_CONFIDENTIAL);
assuan_begin_confidential (entry_ctx);
- pinentry_status = 0;
rc = assuan_transact (entry_ctx, "GETPIN", getpin_cb, &parm,
inq_quality, entry_ctx,
- pinentry_status_cb, &pinentry_status);
+ pinentry_status_cb, &pininfo->status);
assuan_set_flag (entry_ctx, ASSUAN_CONFIDENTIAL, saveflag);
/* Most pinentries out in the wild return the old Assuan error code
for canceled which gets translated to an assuan Cancel error and
@@ -1121,7 +1113,7 @@ agent_askpin (ctrl_t ctrl,
/* Change error code in case the window close button was clicked
to cancel the operation. */
- if ((pinentry_status & PINENTRY_STATUS_CLOSE_BUTTON)
+ if ((pininfo->status & PINENTRY_STATUS_CLOSE_BUTTON)
&& gpg_err_code (rc) == GPG_ERR_CANCELED)
rc = gpg_err_make (gpg_err_source (rc), GPG_ERR_FULLY_CANCELED);
@@ -1148,12 +1140,19 @@ agent_askpin (ctrl_t ctrl,
/* More checks by utilizing the optional callback. */
pininfo->cb_errtext = NULL;
rc = pininfo->check_cb (pininfo);
- if (gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE
- && pininfo->cb_errtext)
- errtext = pininfo->cb_errtext;
- else if (gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE
- || gpg_err_code (rc) == GPG_ERR_BAD_PIN)
- errtext = (is_pin? L_("Bad PIN") : L_("Bad Passphrase"));
+ /* When pinentry cache causes an error, return now. */
+ if (rc
+ && (pininfo->status & PINENTRY_STATUS_PASSWORD_FROM_CACHE))
+ return unlock_pinentry (ctrl, rc);
+
+ if (gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE)
+ {
+ if (pininfo->cb_errtext)
+ errtext = pininfo->cb_errtext;
+ else if (gpg_err_code (rc) == GPG_ERR_BAD_PASSPHRASE
+ || gpg_err_code (rc) == GPG_ERR_BAD_PIN)
+ errtext = (is_pin? L_("Bad PIN") : L_("Bad Passphrase"));
+ }
else if (rc)
return unlock_pinentry (ctrl, rc);
}
@@ -1161,12 +1160,12 @@ agent_askpin (ctrl_t ctrl,
if (!errtext)
{
if (pininfo->with_repeat
- && (pinentry_status & PINENTRY_STATUS_PIN_REPEATED))
+ && (pininfo->status & PINENTRY_STATUS_PIN_REPEATED))
pininfo->repeat_okay = 1;
return unlock_pinentry (ctrl, 0); /* okay, got a PIN or passphrase */
}
- if ((pinentry_status & PINENTRY_STATUS_PASSWORD_FROM_CACHE))
+ if ((pininfo->status & PINENTRY_STATUS_PASSWORD_FROM_CACHE))
/* The password was read from the cache. Don't count this
against the retry count. */
pininfo->failed_tries --;
diff --git a/agent/findkey.c b/agent/findkey.c
index 78c3b1a..89a18fa 100644
--- a/agent/findkey.c
+++ b/agent/findkey.c
@@ -632,7 +632,17 @@ unprotect (ctrl_t ctrl, const char *cache_nonce, const char *desc_text,
pi->check_cb_arg = &arg;
rc = agent_askpin (ctrl, desc_text, NULL, NULL, pi, hexgrip, cache_mode);
- if (!rc)
+ if (rc)
+ {
+ if ((pi->status & PINENTRY_STATUS_PASSWORD_FROM_CACHE))
+ {
+ log_error ("Clearing pinentry cache which caused error %s\n",
+ gpg_strerror (rc));
+
+ agent_clear_passphrase (ctrl, hexgrip, cache_mode);
+ }
+ }
+ else
{
assert (arg.unprotected_key);
if (arg.change_required)
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 25 Jan 2019 10:15:39 +0900
Subject: dirmngr: Fix initialization of assuan's nPth hook.
* dirmngr/dirmngr.c (main): Move assuan_set_system_hooks to...
(thread_init): ... here.
--
Cherry picked master commit of:
1f8817475f59ede3f28f57edc10ba56bbdd08b49
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 7f4c3eb0a039621c564b6095ab5f810524843157)
---
dirmngr/dirmngr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c
index 76843bd..ffbb108 100644
--- a/dirmngr/dirmngr.c
+++ b/dirmngr/dirmngr.c
@@ -802,6 +802,7 @@ static void
thread_init (void)
{
npth_init ();
+ assuan_set_system_hooks (ASSUAN_SYSTEM_NPTH);
gpgrt_set_syscall_clamp (npth_unprotect, npth_protect);
/* Now with NPth running we can set the logging callback. Our
@@ -877,7 +878,6 @@ main (int argc, char **argv)
assuan_set_malloc_hooks (&malloc_hooks);
assuan_set_assuan_log_prefix (log_get_prefix (NULL));
assuan_set_gpg_err_source (GPG_ERR_SOURCE_DEFAULT);
- assuan_set_system_hooks (ASSUAN_SYSTEM_NPTH);
assuan_sock_init ();
setup_libassuan_logging (&opt.debug, dirmngr_assuan_log_monitor);
From: Werner Koch <wk@gnupg.org>
Date: Tue, 8 Jan 2019 11:21:07 +0100
Subject: doc: Mark keyserver-options timeout and http-proxy as obsolete.
--
(cherry picked from commit 6c000d4b78b836686e5a2789cc88a41e465e4400)
(cherry picked from commit 9fd6ba268f1fdf77cc5baa6e8fd3ab28e432e49b)
---
doc/gpg.texi | 30 +++++-------------------------
1 file changed, 5 insertions(+), 25 deletions(-)
diff --git a/doc/gpg.texi b/doc/gpg.texi
index 1eed9fa..1597f9e 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -1895,32 +1895,12 @@ are available for all keyserver types, some common options are:
retrieving keys by subkey id.
@item timeout
- Tell the keyserver helper program how long (in seconds) to try and
- perform a keyserver action before giving up. Note that performing
- multiple actions at the same time uses this timeout value per action.
- For example, when retrieving multiple keys via @option{--receive-keys}, the
- timeout applies separately to each key retrieval, and not to the
- @option{--receive-keys} command as a whole. Defaults to 30 seconds.
-
- @item http-proxy=@var{value}
- This option is deprecated.
- Set the proxy to use for HTTP and HKP keyservers.
- This overrides any proxy defined in @file{dirmngr.conf}.
-
- @item verbose
- This option has no more function since GnuPG 2.1. Use the
- @code{dirmngr} configuration options instead.
-
- @item debug
- This option has no more function since GnuPG 2.1. Use the
- @code{dirmngr} configuration options instead.
-
- @item check-cert
- This option has no more function since GnuPG 2.1. Use the
- @code{dirmngr} configuration options instead.
-
+ @itemx http-proxy=@var{value}
+ @itemx verbose
+ @itemx debug
+ @itemx check-cert
@item ca-cert-file
- This option has no more function since GnuPG 2.1. Use the
+ These options have no more function since GnuPG 2.1. Use the
@code{dirmngr} configuration options instead.
@end table
From: Werner Koch <wk@gnupg.org>
Date: Wed, 30 Jan 2019 11:28:14 +0100
Subject: gpg: Allow generating Ed25519 key from an existing key.
* g10/misc.c (map_pk_gcry_to_openpgp): Add EdDSA mapping.
--
Due to this missing mapping a "gpg --export --full-gen-key" with
selection "13 - Existing key" did not worked for an ed25519 key.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 346a98fabe03adf2e202e36fc2aa24b1c2571154)
(cherry picked from commit 31d2a1eecaee766919b18bc42b918d9168f601f8)
---
g10/misc.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/g10/misc.c b/g10/misc.c
index d9ebf48..8144471 100644
--- a/g10/misc.c
+++ b/g10/misc.c
@@ -508,6 +508,7 @@ map_pk_gcry_to_openpgp (enum gcry_pk_algos algo)
{
switch (algo)
{
+ case GCRY_PK_EDDSA: return PUBKEY_ALGO_EDDSA;
case GCRY_PK_ECDSA: return PUBKEY_ALGO_ECDSA;
case GCRY_PK_ECDH: return PUBKEY_ALGO_ECDH;
default: return algo < 110 ? (pubkey_algo_t)algo : 0;
From: Werner Koch <wk@gnupg.org>
Date: Wed, 30 Jan 2019 14:40:26 +0100
Subject: gpg: Emit an ERROR status if no key was found with --list-keys.
* g10/keylist.c (list_one): Emit status line.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 140fda8c61422ec055c3f7e214cc35706c4320dd)
(cherry picked from commit 14ea581a1c040b53b0ad4c51136a7948363b1e4b)
---
g10/keylist.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/g10/keylist.c b/g10/keylist.c
index 66b03bb..262ea8d 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -610,6 +610,7 @@ list_one (ctrl_t ctrl, strlist_t names, int secret, int mark_secret)
{
log_error ("error reading key: %s\n", gpg_strerror (rc));
getkey_end (ctrl, ctx);
+ write_status_error ("keylist.getkey", rc);
return;
}
From: Werner Koch <wk@gnupg.org>
Date: Tue, 22 Jan 2019 10:06:15 +0100
Subject: gpg: Stop early when trying to create a primary Elgamal key.
* g10/misc.c (openpgp_pk_test_algo2): Add extra check.
--
The problem is that --key-gen --batch with a parameter file didn't
detect that Elgamal is not capable of signing and so an error was only
triggered at the time the self-signature was created. See the code
comment for details.
GnuPG-bug-id: 4329
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f97dc55ff1b041071bc3cbe98aa761bf77bb7ac8)
(cherry picked from commit f5d3b982e44c5cfc60e9936020102a598b635187)
---
g10/misc.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/g10/misc.c b/g10/misc.c
index 86baff9..d9ebf48 100644
--- a/g10/misc.c
+++ b/g10/misc.c
@@ -644,6 +644,13 @@ openpgp_pk_test_algo2 (pubkey_algo_t algo, unsigned int use)
if (!ga)
return gpg_error (GPG_ERR_PUBKEY_ALGO);
+ /* Elgamal in OpenPGP used to support signing and Libgcrypt still
+ * does. However, we removed the signing capability from gpg ages
+ * ago. This function should reflect this so that errors are thrown
+ * early and not only when we try to sign using Elgamal. */
+ if (ga == GCRY_PK_ELG && (use & (PUBKEY_USAGE_CERT | PUBKEY_USAGE_SIG)))
+ return gpg_error (GPG_ERR_WRONG_PUBKEY_ALGO);
+
/* Now check whether Libgcrypt has support for the algorithm. */
return gcry_pk_algo_info (ga, GCRYCTL_TEST_ALGO, NULL, &use_buf);
}
From: Werner Koch <wk@gnupg.org>
Date: Tue, 18 Dec 2018 08:21:03 +0100
Subject: wks: Do not use compression for the encrypted data.
* tools/gpg-wks-client.c (encrypt_response): Add arg -z0.
* tools/gpg-wks-server.c (encrypt_stream): Ditto.
--
If for example a server was built without the development packages of
the compression libraries installed, the server will not be able to
decrypt a request. In theory this can't happen due to the preference
system but it is just to easy to create the server's key using a
different version of gpg and then use gpg-wks-server built
differently.
For the short messages we exchange compression is not really required
and thus we better do without to make the system more robust.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 70a8db0333e3c22403b3647f8b5f924f6dace719)
(cherry picked from commit 16424d8a34c7f6af1071fd19dfc180cb7d17c052)
---
tools/gpg-wks-client.c | 1 +
tools/gpg-wks-server.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/tools/gpg-wks-client.c b/tools/gpg-wks-client.c
index c8ff166..78e4fe4 100644
--- a/tools/gpg-wks-client.c
+++ b/tools/gpg-wks-client.c
@@ -1151,6 +1151,7 @@ encrypt_response (estream_t *r_output, estream_t input, const char *addrspec,
ccparray_put (&ccp, "--status-fd=2");
ccparray_put (&ccp, "--always-trust");
ccparray_put (&ccp, "--armor");
+ ccparray_put (&ccp, "-z0"); /* No compression for improved robustness. */
if (fake_submission_addr)
ccparray_put (&ccp, "--auto-key-locate=clear,local");
else
diff --git a/tools/gpg-wks-server.c b/tools/gpg-wks-server.c
index 1a0ba8f..f83ef65 100644
--- a/tools/gpg-wks-server.c
+++ b/tools/gpg-wks-server.c
@@ -586,6 +586,7 @@ encrypt_stream (estream_t *r_output, estream_t input, const char *keyfile)
ccparray_put (&ccp, "--always-trust");
ccparray_put (&ccp, "--no-keyring");
ccparray_put (&ccp, "--armor");
+ ccparray_put (&ccp, "-z0"); /* No compression for improved robustness. */
ccparray_put (&ccp, "--recipient-file");
ccparray_put (&ccp, keyfile);
ccparray_put (&ccp, "--encrypt");
From: Werner Koch <wk@gnupg.org>
Date: Fri, 22 Feb 2019 14:09:02 +0100
Subject: agent: Fix for suggested Libgcrypt use.
* agent/divert-scd.c (divert_pkdecrypt): Skip a flags parameter.
--
The libgcrypt docs say that a "flags" parameter should always be used
in the input of pkdecrypt. Thus we should allow that parameter also
when parsing an s-expression to figure out the algorithm for use with
scdaemon.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit a12c3a566e2e4b10bc02976a2819070877ee895c)
(cherry picked from commit 0a95b153811f36739d1b20f23920bad0bb07c68b)
---
agent/divert-scd.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/agent/divert-scd.c b/agent/divert-scd.c
index 88b35cd..aff5055 100644
--- a/agent/divert-scd.c
+++ b/agent/divert-scd.c
@@ -476,6 +476,7 @@ divert_pkdecrypt (ctrl_t ctrl, const char *desc_text,
char *kid;
const unsigned char *s;
size_t n;
+ int depth;
const unsigned char *ciphertext;
size_t ciphertextlen;
char *plaintext;
@@ -484,7 +485,6 @@ divert_pkdecrypt (ctrl_t ctrl, const char *desc_text,
(void)desc_text;
*r_padding = -1;
-
s = cipher;
if (*s != '(')
return gpg_error (GPG_ERR_INV_SEXP);
@@ -500,6 +500,21 @@ divert_pkdecrypt (ctrl_t ctrl, const char *desc_text,
n = snext (&s);
if (!n)
return gpg_error (GPG_ERR_INV_SEXP);
+
+ /* First check whether we have a flags parameter and skip it. */
+ if (smatch (&s, n, "flags"))
+ {
+ depth = 1;
+ if (sskip (&s, &depth) || depth)
+ return gpg_error (GPG_ERR_INV_SEXP);
+ if (*s != '(')
+ return gpg_error (GPG_ERR_INV_SEXP);
+ s++;
+ n = snext (&s);
+ if (!n)
+ return gpg_error (GPG_ERR_INV_SEXP);
+ }
+
if (smatch (&s, n, "rsa"))
{
if (*s != '(')
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Fri, 25 Jan 2019 12:08:09 +0900
Subject: agent: Support --mode=ssh option for CLEAR_PASSPHRASE.
* agent/command.c (cmd_clear_passphrase): Add support for SSH.
--
GnuPG-bug-id: 4340
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit ae966bbe9b16ed68a51391afdde615339755e22d)
(cherry picked from commit 77a285a0a94994ee9b42289897f9bf3075c7192d)
---
agent/command.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/agent/command.c b/agent/command.c
index 60eb6ad..50385b8 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -1568,19 +1568,24 @@ static const char hlp_clear_passphrase[] =
"may be used to invalidate the cache entry for a passphrase. The\n"
"function returns with OK even when there is no cached passphrase.\n"
"The --mode=normal option is used to clear an entry for a cacheid\n"
- "added by the agent.\n";
+ "added by the agent. The --mode=ssh option is used for a cacheid\n"
+ "added for ssh.\n";
static gpg_error_t
cmd_clear_passphrase (assuan_context_t ctx, char *line)
{
ctrl_t ctrl = assuan_get_pointer (ctx);
char *cacheid = NULL;
char *p;
- int opt_normal;
+ cache_mode_t cache_mode = CACHE_MODE_USER;
if (ctrl->restricted)
return leave_cmd (ctx, gpg_error (GPG_ERR_FORBIDDEN));
- opt_normal = has_option (line, "--mode=normal");
+ if (has_option (line, "--mode=normal"))
+ cache_mode = CACHE_MODE_NORMAL;
+ else if (has_option (line, "--mode=ssh"))
+ cache_mode = CACHE_MODE_SSH;
+
line = skip_options (line);
/* parse the stuff */
@@ -1593,12 +1598,9 @@ cmd_clear_passphrase (assuan_context_t ctx, char *line)
if (!*cacheid || strlen (cacheid) > 50)
return set_error (GPG_ERR_ASS_PARAMETER, "invalid length of cacheID");
- agent_put_cache (ctrl, cacheid,
- opt_normal ? CACHE_MODE_NORMAL : CACHE_MODE_USER,
- NULL, 0);
+ agent_put_cache (ctrl, cacheid, cache_mode, NULL, 0);
- agent_clear_passphrase (ctrl, cacheid,
- opt_normal ? CACHE_MODE_NORMAL : CACHE_MODE_USER);
+ agent_clear_passphrase (ctrl, cacheid, cache_mode);
return 0;
}
From: Werner Koch <wk@gnupg.org>
Date: Thu, 7 Mar 2019 11:34:03 +0100
Subject: dirmngr: Add CSRF protection exception for protonmail.
* dirmngr/http.c (same_host_p): Add exception table.
--
Please: Adding entries to this table shall be an exception and not the
rule.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 134c3c16523b1a267ebdd2df6339240fd9e1e3b3)
(cherry picked from commit 557c721e787e7e6d311ccb48d8aa677123061cf5)
---
dirmngr/http.c | 45 ++++++++++++++++++++++++++++++++++++++++-----
1 file changed, 40 insertions(+), 5 deletions(-)
diff --git a/dirmngr/http.c b/dirmngr/http.c
index 9f4afc8..7fdd06a 100644
--- a/dirmngr/http.c
+++ b/dirmngr/http.c
@@ -3514,16 +3514,51 @@ uri_query_lookup (parsed_uri_t uri, const char *key)
}
-/* Return true if both URI point to the same host. */
+/* Return true if both URI point to the same host for the purpose of
+ * redirection check. A is the original host and B the host given in
+ * the Location header. As a temporary workaround a fixed list of
+ * exceptions is also consulted. */
static int
same_host_p (parsed_uri_t a, parsed_uri_t b)
{
- return a->host && b->host && !ascii_strcasecmp (a->host, b->host);
+ static struct
+ {
+ const char *from; /* NULL uses the last entry from the table. */
+ const char *to;
+ } allow[] =
+ {
+ { "protonmail.com", "api.protonmail.com" },
+ { NULL, "api.protonmail.ch" },
+ { "protonmail.ch", "api.protonmail.com" },
+ { NULL, "api.protonmail.ch" }
+ };
+ int i;
+ const char *from;
+
+ if (!a->host || !b->host)
+ return 0;
+
+ if (!ascii_strcasecmp (a->host, b->host))
+ return 1;
+
+ from = NULL;
+ for (i=0; i < DIM (allow); i++)
+ {
+ if (allow[i].from)
+ from = allow[i].from;
+ if (!from)
+ continue;
+ if (!ascii_strcasecmp (from, a->host)
+ && !ascii_strcasecmp (allow[i].to, b->host))
+ return 1;
+ }
+
+ return 0;
}
/* Prepare a new URL for a HTTP redirect. INFO has flags controlling
- * the operaion, STATUS_CODE is used for diagnostics, LOCATION is the
+ * the operation, STATUS_CODE is used for diagnostics, LOCATION is the
* value of the "Location" header, and R_URL reveives the new URL on
* success or NULL or error. Note that INFO->ORIG_URL is
* required. */
@@ -3594,8 +3629,8 @@ http_prepare_redirect (http_redir_info_t *info, unsigned int status_code,
}
else if (same_host_p (origuri, locuri))
{
- /* The host is the same and thus we can take the location
- * verbatim. */
+ /* The host is the same or on an exception list and thus we can
+ * take the location verbatim. */
http_release_parsed_uri (origuri);
http_release_parsed_uri (locuri);
newurl = xtrystrdup (location);
From: Werner Koch <wk@gnupg.org>
Date: Mon, 18 Mar 2019 14:10:16 +0100
Subject: gpg: Do not bail out on v5 keys in the local keyring.
* g10/parse-packet.c (parse_key): Return GPG_ERR_UNKNOWN_VERSION
instead of invalid packet.
* g10/keydb.c (parse_keyblock_image): Do not map the unknown version
error to invalid keyring.
(keydb_search): Skip unknown version errors simlar to legacy keys.
* g10/keyring.c (keyring_rebuild_cache): Skip keys with unknown
versions.
* g10/import.c (read_block): Handle unknown version.
--
When using gpg 2.3 the local keyring may contain v5 keys. This patch
allows the use of such a keyring also with a 2.2 version which does
not support v5 keys. We will probably need some more tweaking here
but this covers the most common cases of listing keys and also
importing v5 keys.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit de70a2f377c1647417fb8a2b6476c3744a901296)
---
g10/import.c | 6 ++++--
g10/keydb.c | 13 +++++++++----
g10/keylist.c | 2 ++
g10/keyring.c | 2 ++
g10/parse-packet.c | 2 +-
5 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/g10/import.c b/g10/import.c
index f76ca0c..aeab4e0 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -860,12 +860,14 @@ read_block( IOBUF a, int with_meta,
skip_sigs = 0;
while ((rc=parse_packet (&parsectx, pkt)) != -1)
{
- if (rc && (gpg_err_code (rc) == GPG_ERR_LEGACY_KEY
+ if (rc && ((gpg_err_code (rc) == GPG_ERR_LEGACY_KEY
+ || gpg_err_code (rc) == GPG_ERR_UNKNOWN_VERSION)
&& (pkt->pkttype == PKT_PUBLIC_KEY
|| pkt->pkttype == PKT_SECRET_KEY)))
{
in_v3key = 1;
- ++*r_v3keys;
+ if (gpg_err_code (rc) != GPG_ERR_UNKNOWN_VERSION)
+ ++*r_v3keys;
free_packet (pkt, &parsectx);
init_packet (pkt);
continue;
diff --git a/g10/keydb.c b/g10/keydb.c
index 03fadfd..0475f85 100644
--- a/g10/keydb.c
+++ b/g10/keydb.c
@@ -1249,9 +1249,12 @@ parse_keyblock_image (iobuf_t iobuf, int pk_no, int uid_no,
}
if (err)
{
- log_error ("parse_keyblock_image: read error: %s\n",
- gpg_strerror (err));
- err = gpg_error (GPG_ERR_INV_KEYRING);
+ if (gpg_err_code (err) != GPG_ERR_UNKNOWN_VERSION)
+ {
+ log_error ("parse_keyblock_image: read error: %s\n",
+ gpg_strerror (err));
+ err = gpg_error (GPG_ERR_INV_KEYRING);
+ }
break;
}
@@ -1955,7 +1958,9 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc,
rc = keybox_search (hd->active[hd->current].u.kb, desc,
ndesc, KEYBOX_BLOBTYPE_PGP,
descindex, &hd->skipped_long_blobs);
- while (rc == GPG_ERR_LEGACY_KEY);
+ while (gpg_err_code (rc) == GPG_ERR_LEGACY_KEY
+ || gpg_err_code (rc) == GPG_ERR_UNKNOWN_VERSION)
+ ;
break;
}
diff --git a/g10/keylist.c b/g10/keylist.c
index 7b3fde1..85fcdba 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -527,6 +527,8 @@ list_all (ctrl_t ctrl, int secret, int mark_secret)
{
if (gpg_err_code (rc) == GPG_ERR_LEGACY_KEY)
continue; /* Skip legacy keys. */
+ if (gpg_err_code (rc) == GPG_ERR_UNKNOWN_VERSION)
+ continue; /* Skip keys with unknown versions. */
log_error ("keydb_get_keyblock failed: %s\n", gpg_strerror (rc));
goto leave;
}
diff --git a/g10/keyring.c b/g10/keyring.c
index 25ef507..a8dd462 100644
--- a/g10/keyring.c
+++ b/g10/keyring.c
@@ -1476,6 +1476,8 @@ keyring_rebuild_cache (ctrl_t ctrl, void *token, int noisy)
{
if (gpg_err_code (rc) == GPG_ERR_LEGACY_KEY)
continue; /* Skip legacy keys. */
+ if (gpg_err_code (rc) == GPG_ERR_UNKNOWN_VERSION)
+ continue; /* Skip keys with unknown version. */
log_error ("keyring_get_keyblock failed: %s\n", gpg_strerror (rc));
goto leave;
}
diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index ff348ec..05f63e9 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -2296,7 +2296,7 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen,
log_error ("packet(%d) with unknown version %d\n", pkttype, version);
if (list_mode)
es_fputs (":key packet: [unknown version]\n", listfp);
- err = gpg_error (GPG_ERR_INV_PACKET);
+ err = gpg_error (GPG_ERR_UNKNOWN_VERSION);
goto leave;
}
From: Werner Koch <wk@gnupg.org>
Date: Fri, 15 Mar 2019 19:11:32 +0100
Subject: gpg: During secret key import print "sec" instead of "pub".
* g10/keyedit.c (show_basic_key_info): New arg 'print_sec'. Remove
useless code for "sub" and "ssb".
* g10/import.c (import_one): Pass FROM_SK to show_basic_key_info. Do
not print the first keyinfo in FROM_SK mode.
printing.
--
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f64477db86568bdc28c313bfeb8b95d8edf05a3c)
(cherry picked from commit db2d75f1ffede2ea77163b487a15e60249daffa0)
---
g10/gpgcompose.c | 5 +++--
g10/import.c | 11 +++++++----
g10/keyedit.c | 23 ++++++++++++++---------
g10/keyedit.h | 2 +-
4 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/g10/gpgcompose.c b/g10/gpgcompose.c
index 226f793..aec0b4a 100644
--- a/g10/gpgcompose.c
+++ b/g10/gpgcompose.c
@@ -3058,10 +3058,11 @@ keyedit_menu (ctrl_t ctrl, const char *username, strlist_t locusr,
}
void
-show_basic_key_info (ctrl_t ctrl, KBNODE keyblock)
+show_basic_key_info (ctrl_t ctrl, KBNODE keyblock, int made_from_sec)
{
(void)ctrl;
- (void) keyblock;
+ (void)keyblock;
+ (void)made_from_sec;
}
int
diff --git a/g10/import.c b/g10/import.c
index 29de8ff..a5f4f38 100644
--- a/g10/import.c
+++ b/g10/import.c
@@ -1653,7 +1653,8 @@ update_key_origin (kbnode_t keyblock, u32 curtime, int origin, const char *url)
* the internal errorcount, so that invalid input can be detected by
* programs which called gpg. If SILENT is no messages are printed -
* even most error messages are suppressed. ORIGIN is the origin of
- * the key (0 for unknown) and URL the corresponding URL.
+ * the key (0 for unknown) and URL the corresponding URL. FROM_SK
+ * indicates that the key has been made from a secret key.
*/
static gpg_error_t
import_one (ctrl_t ctrl,
@@ -1697,9 +1698,11 @@ import_one (ctrl_t ctrl,
keyid_from_pk( pk, keyid );
uidnode = find_next_kbnode( keyblock, PKT_USER_ID );
- if (opt.verbose && !opt.interactive && !silent)
+ if (opt.verbose && !opt.interactive && !silent && !from_sk)
{
- log_info( "pub %s/%s %s ",
+ /* Note that we do not print this info in FROM_SK mode
+ * because import_one already printed that. */
+ log_info ("pub %s/%s %s ",
pubkey_string (pk, pkstrbuf, sizeof pkstrbuf),
keystr_from_pk(pk), datestr_from_pk(pk) );
if (uidnode)
@@ -1730,7 +1733,7 @@ import_one (ctrl_t ctrl,
print_import_check (pk, uidnode->pkt->pkt.user_id);
merge_keys_and_selfsig (ctrl, keyblock);
tty_printf ("\n");
- show_basic_key_info (ctrl, keyblock);
+ show_basic_key_info (ctrl, keyblock, from_sk);
tty_printf ("\n");
if (!cpr_get_answer_is_yes ("import.okay",
"Do you want to import this key? (y/N) "))
diff --git a/g10/keyedit.c b/g10/keyedit.c
index b717960..f95f02f 100644
--- a/g10/keyedit.c
+++ b/g10/keyedit.c
@@ -3662,13 +3662,14 @@ show_key_with_all_names (ctrl_t ctrl, estream_t fp,
/* Display basic key information. This function is suitable to show
- information on the key without any dependencies on the trustdb or
- any other internal GnuPG stuff. KEYBLOCK may either be a public or
- a secret key. This function may be called with KEYBLOCK containing
- secret keys and thus the printing of "pub" vs. "sec" does only
- depend on the packet type and not by checking with gpg-agent. */
+ * information on the key without any dependencies on the trustdb or
+ * any other internal GnuPG stuff. KEYBLOCK may either be a public or
+ * a secret key. This function may be called with KEYBLOCK containing
+ * secret keys and thus the printing of "pub" vs. "sec" does only
+ * depend on the packet type and not by checking with gpg-agent. If
+ * PRINT_SEC ist set "sec" is printed instead of "pub". */
void
-show_basic_key_info (ctrl_t ctrl, kbnode_t keyblock)
+show_basic_key_info (ctrl_t ctrl, kbnode_t keyblock, int print_sec)
{
KBNODE node;
int i;
@@ -3681,13 +3682,17 @@ show_basic_key_info (ctrl_t ctrl, kbnode_t keyblock)
|| node->pkt->pkttype == PKT_SECRET_KEY)
{
PKT_public_key *pk = node->pkt->pkt.public_key;
+ const char *tag;
+
+ if (node->pkt->pkttype == PKT_SECRET_KEY || print_sec)
+ tag = "sec";
+ else
+ tag = "pub";
/* Note, we use the same format string as in other show
functions to make the translation job easier. */
tty_printf ("%s %s/%s ",
- node->pkt->pkttype == PKT_PUBLIC_KEY ? "pub" :
- node->pkt->pkttype == PKT_PUBLIC_SUBKEY ? "sub" :
- node->pkt->pkttype == PKT_SECRET_KEY ? "sec" :"ssb",
+ tag,
pubkey_string (pk, pkstrbuf, sizeof pkstrbuf),
keystr_from_pk (pk));
tty_printf (_("created: %s"), datestr_from_pk (pk));
diff --git a/g10/keyedit.h b/g10/keyedit.h
index d1f453a..af5e996 100644
--- a/g10/keyedit.h
+++ b/g10/keyedit.h
@@ -50,7 +50,7 @@ void keyedit_quick_set_expire (ctrl_t ctrl,
char **subkeyfprs);
void keyedit_quick_set_primary (ctrl_t ctrl, const char *username,
const char *primaryuid);
-void show_basic_key_info (ctrl_t ctrl, kbnode_t keyblock);
+void show_basic_key_info (ctrl_t ctrl, kbnode_t keyblock, int print_sec);
int keyedit_print_one_sig (ctrl_t ctrl, estream_t fp,
int rc, kbnode_t keyblock,
kbnode_t node, int *inv_sigs, int *no_key,
From: Werner Koch <wk@gnupg.org>
Date: Tue, 5 Mar 2019 12:39:11 +0100
Subject: gpg: Make invalid primary key algos obvious in key listings.
* g10/keylist.c (print_key_line): Print a warning for invalid algos.
--
Non-OpenPGP compliant keys now show a warning flag on the sec or pub
line like in:
gpg: can't encode a 256 bit MD into a 88 bits frame, algo=8
sec cv25519 2019-01-30 [INVALID_ALGO]
4239F3D606A19258E7A88C3F9A3F4F909C5034C5
uid [ultimate] ffffff
Instead of showing the usage flags "[CE]". Without this patch only
the error message is printed and the reason for it was not immediately
obvious (cv25519 is encryption only but we always consider the primary
key as having the "C" flag).
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit db87132b10664718b7db6ec1dad584b54d1fb265)
(cherry picked from commit d2a7f9078a4673ec53733e4f69fd17a8f1ac962d)
---
g10/keylist.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/g10/keylist.c b/g10/keylist.c
index 262ea8d..7b3fde1 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -2059,10 +2059,18 @@ print_key_line (ctrl_t ctrl, estream_t fp, PKT_public_key *pk, int secret)
tty_fprintf (fp, "/%s", keystr_from_pk (pk));
tty_fprintf (fp, " %s", datestr_from_pk (pk));
- if ((opt.list_options & LIST_SHOW_USAGE))
+ if (pk->flags.primary
+ && !(openpgp_pk_algo_usage (pk->pubkey_algo)
+ & (PUBKEY_USAGE_CERT| PUBKEY_USAGE_SIG|PUBKEY_USAGE_AUTH)))
+ {
+ /* A primary key which is really not capable to sign. */
+ tty_fprintf (fp, " [INVALID_ALGO]");
+ }
+ else if ((opt.list_options & LIST_SHOW_USAGE))
{
tty_fprintf (fp, " [%s]", usagestr_from_pk (pk, 0));
}
+
if (pk->flags.revoked)
{
tty_fprintf (fp, " [");
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Mon, 25 Feb 2019 10:44:16 +0900
Subject: gpgscm: Build well even if NDEBUG defined.
* gpgscm/scheme.c (gc_reservation_failure): Fix adding ";".
[!NDEBUG] (scheme_init_custom_alloc): Don't init seserved_lineno.
--
Cherry icked from master commit of:
e140c6d4f581be1a60a34b67b16430452f3987e8
In some build environment, NDEBUG is defined (although it's
bad practice). This change supports such a situation.
GnuPG-bug-id: 3959
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 8161afb9dddaba839be92fbe9d85c05235eda825)
---
tests/gpgscm/scheme.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/gpgscm/scheme.c b/tests/gpgscm/scheme.c
index b188e36..b4960b0 100644
--- a/tests/gpgscm/scheme.c
+++ b/tests/gpgscm/scheme.c
@@ -874,7 +874,7 @@ gc_reservation_failure(struct scheme *sc)
{
#ifdef NDEBUG
fprintf(stderr,
- "insufficient reservation\n")
+ "insufficient reservation\n");
#else
fprintf(stderr,
"insufficient %s reservation in line %d\n",
@@ -5627,7 +5627,9 @@ int scheme_init_custom_alloc(scheme *sc, func_alloc malloc, func_dealloc free) {
sc->fcells = 0;
sc->inhibit_gc = GC_ENABLED;
sc->reserved_cells = 0;
+#ifndef NDEBUG
sc->reserved_lineno = 0;
+#endif
sc->no_memory=0;
sc->inport=sc->NIL;
sc->outport=sc->NIL;
......@@ -17,6 +17,7 @@ This is a sensible default in 2017.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 7955262151a5c755814dd23414e6804f79125355)
(cherry picked from commit 121286d9d1506dbaad9ba33bae2e459814fe5849)
---
doc/gpgsm.texi | 2 +-
doc/howto-create-a-server-cert.texi | 14 +++++++-------
......
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 3 Mar 2019 10:22:34 -0500
Subject: gpgv: Improve documentation for keyring choices
* doc/gpgv.texi: Improve documentation for keyring choices
--
From the existing documentation, it's not clear whether the default
keyring will always be mixed into the set of keyrings, or whether it
will be skipped if a --keyring is present. The updated text here
attempts to describe the keyring selection logic more completely.
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit a7b2a87f940dba078867c44f1f50d46211d51719)
---
doc/gpgv.texi | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/doc/gpgv.texi b/doc/gpgv.texi
index a052861..2dd9576 100644
--- a/doc/gpgv.texi
+++ b/doc/gpgv.texi
@@ -59,13 +59,14 @@ no configuration files and only a few options are implemented.
That does also mean that it does not check for expired or revoked
keys.
-By default a keyring named @file{trustedkeys.kbx} is used; if that
-does not exist a keyring named @file{trustedkeys.gpg} is used. The
-default keyring is assumed to be in the home directory of GnuPG,
-either the default home directory or the one set by an option or an
-environment variable. The option @code{--keyring} may be used to
-specify a different keyring or even multiple keyrings.
-
+If no @code{--keyring} option is given, @code{gpgv} looks for a
+``default'' keyring named @file{trustedkeys.kbx} (preferred) or
+@file{trustedkeys.gpg} in the home directory of GnuPG, either the
+default home directory or the one set by the @code{--homedir} option
+or the @code{GNUPGHOME} environment variable. If any @code{--keyring}
+option is used, @code{gpgv} will not look for the default keyring. The
+@code{--keyring} option may be used multiple times and all specified
+keyrings will be used together.
@noindent
@mansect options
From: Werner Koch <wk@gnupg.org>
Date: Thu, 28 Feb 2019 14:43:42 +0100
Subject: sm: Don't mark a cert as de-vs compliant if it leads to SHA-1 sigs.
* sm/keylist.c (print_compliance_flags): Also check the digest_algo.
Add new arg 'cert'.
--
A certificate with algorithm sha1WithRSAEncryption can be de-vs
compliant (e.g. if the next in the chain used sha256WithRSAEncryption
to sign it and RSA is long enough) but flagging it as such is useless
because that certificate can't be used because it will create
signatures using the non-compliant SHA-1 algorithm.
Well, it could be used for encryption. But also evaluating the
key-usage flags here would make it harder for the user to understand
why certain certificates are listed as de-vs compliant and others are
not.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 2c75af9f65d15653ed1bc191f1098ae316607041)
Reworked to also pass the CERT. Note that 2.2 won't get the PK
Screening feature.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit be69bf0cbd11cb8c0d452e07066669aacc6caafa)
---
sm/keylist.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/sm/keylist.c b/sm/keylist.c
index 9997da8..3fe75a1 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -348,10 +348,19 @@ email_kludge (const char *name)
/* Print the compliance flags to field 18. ALGO is the gcrypt algo
* number. NBITS is the length of the key in bits. */
static void
-print_compliance_flags (int algo, unsigned int nbits, estream_t fp)
+print_compliance_flags (ksba_cert_t cert, int algo, unsigned int nbits,
+ estream_t fp)
{
+ int hashalgo;
+
if (gnupg_pk_is_compliant (CO_DE_VS, algo, NULL, nbits, NULL))
- es_fputs (gnupg_status_compliance_flag (CO_DE_VS), fp);
+ {
+ hashalgo = gcry_md_map_name (ksba_cert_get_digest_algo (cert));
+ if (gnupg_digest_is_compliant (CO_DE_VS, hashalgo))
+ {
+ es_fputs (gnupg_status_compliance_flag (CO_DE_VS), fp);
+ }
+ }
}
@@ -526,7 +535,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
es_putc (':', fp); /* End of field 15. */
es_putc (':', fp); /* End of field 16. */
es_putc (':', fp); /* End of field 17. */
- print_compliance_flags (algo, nbits, fp);
+ print_compliance_flags (cert, algo, nbits, fp);
es_putc (':', fp); /* End of field 18. */
es_putc ('\n', fp);
From: Werner Koch <wk@gnupg.org>
Date: Fri, 1 Mar 2019 15:23:49 +0100
Subject: sm: Print Yubikey attestation extensions with --dump-cert.
* sm/keylist.c (oidtranstbl): Add Yubikey OIDs.
(OID_FLAG_HEX): New.
(print_hex_extn): New.
(list_cert_raw): Make use of that flag.
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 86c241a8c9a952ea8007066b70b04f435e2e483e)
(cherry picked from commit b3c8ce9e4343f1b68b9ba94bdd71b7d8e13b139a)
---
sm/keylist.c | 40 +++++++++++++++++++++++++++++++++++++---
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/sm/keylist.c b/sm/keylist.c
index 3fe75a1..6efc6bd 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -84,6 +84,8 @@ struct
#define OID_FLAG_SKIP 1
/* The extension is a simple UTF8String and should be printed. */
#define OID_FLAG_UTF8 2
+/* The extension can be trnted as a hex string. */
+#define OID_FLAG_HEX 4
/* A table mapping OIDs to a descriptive string. */
static struct
@@ -193,6 +195,12 @@ static struct
/* Extensions used by the Bundesnetzagentur. */
{ "1.3.6.1.4.1.8301.3.5", "validityModel" },
+ /* Yubikey extensions for attestation certificates. */
+ { "1.3.6.1.4.1.41482.3.3", "yubikey-firmware-version", OID_FLAG_HEX },
+ { "1.3.6.1.4.1.41482.3.7", "yubikey-serial-number", OID_FLAG_HEX },
+ { "1.3.6.1.4.1.41482.3.8", "yubikey-pin-touch-policy", OID_FLAG_HEX },
+ { "1.3.6.1.4.1.41482.3.9", "yubikey-formfactor", OID_FLAG_HEX },
+
{ NULL }
};
@@ -685,6 +693,21 @@ print_utf8_extn (estream_t fp, int indent,
}
+/* Print the extension described by (DER,DERLEN) in hex. */
+static void
+print_hex_extn (estream_t fp, int indent,
+ const unsigned char *der, size_t derlen)
+{
+ if (indent < 0)
+ indent = - indent;
+
+ es_fprintf (fp, "%*s(", indent, "");
+ for (; derlen; der++, derlen--)
+ es_fprintf (fp, "%02X%s", *der, derlen > 1? " ":"");
+ es_fprintf (fp, ")\n");
+}
+
+
/* List one certificate in raw mode useful to have a closer look at
the certificate. This one does no beautification and only minimal
output sanitation. It is mainly useful for debugging. */
@@ -1022,16 +1045,27 @@ list_cert_raw (ctrl_t ctrl, KEYDB_HANDLE hd,
if ((flag & OID_FLAG_SKIP))
continue;
- es_fprintf (fp, " %s: %s%s%s%s [%d octets]\n",
+ es_fprintf (fp, " %s: %s%s%s%s",
i? "critExtn":" extn",
- oid, s?" (":"", s?s:"", s?")":"", (int)len);
+ oid, s?" (":"", s?s:"", s?")":"");
if ((flag & OID_FLAG_UTF8))
{
if (!cert_der)
cert_der = ksba_cert_get_image (cert, NULL);
- assert (cert_der);
+ log_assert (cert_der);
+ es_fprintf (fp, "\n");
print_utf8_extn_raw (fp, -15, cert_der+off, len);
}
+ else if ((flag & OID_FLAG_HEX))
+ {
+ if (!cert_der)
+ cert_der = ksba_cert_get_image (cert, NULL);
+ log_assert (cert_der);
+ es_fprintf (fp, "\n");
+ print_hex_extn (fp, -15, cert_der+off, len);
+ }
+ else
+ es_fprintf (fp, " [%d octets]\n", (int)len);
}
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 21 Feb 2019 12:26:09 +0900
Subject: tests: Add "disable-scdaemon" in gpg-agent.conf.
* tests/openpgp/defs.scm: Add "disable-scdaemon". Remove
"scdaemon-program".
* tests/gpgme/gpgme-defs.scm, tests/gpgsm/gpgsm-defs.scm: Likewise.
* tests/inittests, tests/pkits/inittests: Add "disable-scdaemon"
--
Before this change, running "make check" accesses USB device by
scdaemon on host computer. If there is any smartcard/token available,
it may affect test results. Because default key choice depends on
smartcard/token availability now and existing tests have nothing about
testing smartcard/token, disabling scdaemon is good.
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 64b7c6fd1945bc206cf56979633dfca8a7494374)
(cherry picked from commit 150d5452318eafa6aa800ff3b87f8f8eb35ed203)
---
tests/gpgme/gpgme-defs.scm | 3 +--
tests/gpgsm/gpgsm-defs.scm | 5 +----
tests/inittests | 1 +
tests/openpgp/defs.scm | 5 +----
tests/pkits/inittests | 1 +
5 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/tests/gpgme/gpgme-defs.scm b/tests/gpgme/gpgme-defs.scm
index 0de589f..bc40b3c 100644
--- a/tests/gpgme/gpgme-defs.scm
+++ b/tests/gpgme/gpgme-defs.scm
@@ -67,8 +67,7 @@
(create-file
"gpg-agent.conf"
(string-append "pinentry-program " (tool 'pinentry))
- (string-append "scdaemon-program " (tool 'scdaemon))
- )
+ "disable-scdaemon")
(start-agent)
diff --git a/tests/gpgsm/gpgsm-defs.scm b/tests/gpgsm/gpgsm-defs.scm
index f118642..848bc75 100644
--- a/tests/gpgsm/gpgsm-defs.scm
+++ b/tests/gpgsm/gpgsm-defs.scm
@@ -67,10 +67,7 @@
"faked-system-time 1008241200")
(create-file "gpg-agent.conf"
(string-append "pinentry-program " (tool 'pinentry))
- (if (assoc "scdaemon" gpg-components)
- (string-append "scdaemon-program " (tool 'scdaemon))
- "# No scdaemon available")
- )
+ "disable-scdaemon")
(start-agent)
(create-file
"trustlist.txt"
diff --git a/tests/inittests b/tests/inittests
index 6fbccfb..9090674 100755
--- a/tests/inittests
+++ b/tests/inittests
@@ -85,6 +85,7 @@ EOF
cat > gpg-agent.conf <<EOF
no-grab
pinentry-program /home/wk/work/pinentry/gtk/pinentry-gtk
+disable-scdaemon
EOF
cat > trustlist.txt <<EOF
diff --git a/tests/openpgp/defs.scm b/tests/openpgp/defs.scm
index 7e41d19..94c5beb 100644
--- a/tests/openpgp/defs.scm
+++ b/tests/openpgp/defs.scm
@@ -355,10 +355,7 @@
(if (flag "--extended-key-format" *args*)
"enable-extended-key-format" "#enable-extended-key-format")
(string-append "pinentry-program " (tool 'pinentry))
- (if (assoc "scdaemon" gpg-components)
- (string-append "scdaemon-program " (tool 'scdaemon))
- "# No scdaemon available")
- ))
+ "disable-scdaemon"))
;; Initialize the test environment, install appropriate configuration
;; and start the agent, without any keys.