From cvs at cvs.gnupg.org Fri Apr 1 10:48:23 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Fri Apr 1 10:48:38 2005 Subject: gnupg/g10 (keygen.c) Message-ID: Date: Friday, April 1, 2005 @ 11:03:15 Author: wk Path: /cvs/gnupg/gnupg/g10 Modified: keygen.c (keygen_set_std_prefs): Explain the chosen order of AES key sizes. ----------+ keygen.c | 14 +++++++++++++- 1 files changed, 13 insertions(+), 1 deletion(-) Index: gnupg/g10/keygen.c diff -u gnupg/g10/keygen.c:1.147 gnupg/g10/keygen.c:1.148 --- gnupg/g10/keygen.c:1.147 Mon Mar 14 20:19:20 2005 +++ gnupg/g10/keygen.c Fri Apr 1 11:03:15 2005 @@ -325,7 +325,7 @@ byte sym[MAX_PREFS], hash[MAX_PREFS], zip[MAX_PREFS]; int nsym=0, nhash=0, nzip=0, val, rc=0; int mdc=1, modify=0; /* mdc defaults on, modify defaults off. */ - char dummy_string[45]; /* enough for 15 items */ + char dummy_string[45+1]; /* Enough for 15 items. */ if (!string || !ascii_strcasecmp (string, "default")) { @@ -335,6 +335,18 @@ { dummy_string[0]='\0'; + /* The rationale why we use the order AES256,192,128 is + for compatibility reasons with PGP. If gpg would + define AES128 first, we would get the somewhat + confusing situation: + + gpg -r pgpkey -r gpgkey ---gives--> AES256 + gpg -r gpgkey -r pgpkey ---gives--> AES + + Note that by using --personal-cipher-preferences it is + possible to prefer AES128. + */ + /* Make sure we do not add more than 15 items here, as we could overflow the size of dummy_string. */ if(!check_cipher_algo(CIPHER_ALGO_AES256)) From cvs at cvs.gnupg.org Fri Apr 1 18:07:33 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Fri Apr 1 18:07:37 2005 Subject: gnupg/g10 (ChangeLog mainproc.c) Message-ID: Date: Friday, April 1, 2005 @ 18:22:34 Author: dshaw Path: /cvs/gnupg/gnupg/g10 Modified: ChangeLog mainproc.c * mainproc.c (proc_plaintext): Properly handle SIG+LITERAL (old-style PGP) signatures that use hashes other than SHA-1, RIPEMD160, or MD5. ------------+ ChangeLog | 6 ++++++ mainproc.c | 54 +++++++++++++++++++++++++++++++++++------------------- 2 files changed, 41 insertions(+), 19 deletions(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.717 gnupg/g10/ChangeLog:1.718 --- gnupg/g10/ChangeLog:1.717 Thu Mar 31 19:11:53 2005 +++ gnupg/g10/ChangeLog Fri Apr 1 18:22:34 2005 @@ -1,3 +1,9 @@ +2005-04-01 David Shaw + + * mainproc.c (proc_plaintext): Properly handle SIG+LITERAL + (old-style PGP) signatures that use hashes other than SHA-1, + RIPEMD160, or MD5. + 2005-03-31 David Shaw * exec.h, exec.c (set_exec_path): Remove some dead code and change Index: gnupg/g10/mainproc.c diff -u gnupg/g10/mainproc.c:1.163 gnupg/g10/mainproc.c:1.164 --- gnupg/g10/mainproc.c:1.163 Thu Feb 10 05:06:30 2005 +++ gnupg/g10/mainproc.c Fri Apr 1 18:22:34 2005 @@ -600,7 +600,6 @@ } - static void proc_plaintext( CTX c, PACKET *pkt ) { @@ -621,45 +620,62 @@ * See: Russ Allbery's mail 1999-02-09 */ any = clearsig = only_md5 = 0; - for(n=c->list; n; n = n->next ) { - if( n->pkt->pkttype == PKT_ONEPASS_SIG ) { - if( n->pkt->pkt.onepass_sig->digest_algo ) { + for(n=c->list; n; n = n->next ) + { + if( n->pkt->pkttype == PKT_ONEPASS_SIG ) + { + /* For the onepass signature case */ + if( n->pkt->pkt.onepass_sig->digest_algo ) + { md_enable( c->mfx.md, n->pkt->pkt.onepass_sig->digest_algo ); if( !any && n->pkt->pkt.onepass_sig->digest_algo - == DIGEST_ALGO_MD5 ) - only_md5 = 1; + == DIGEST_ALGO_MD5 ) + only_md5 = 1; else - only_md5 = 0; + only_md5 = 0; any = 1; - } + } if( n->pkt->pkt.onepass_sig->sig_class != 0x01 ) - only_md5 = 0; - } + only_md5 = 0; + } else if( n->pkt->pkttype == PKT_GPG_CONTROL && n->pkt->pkt.gpg_control->control - == CTRLPKT_CLEARSIGN_START ) { + == CTRLPKT_CLEARSIGN_START ) + { + /* For the clearsigned message case */ size_t datalen = n->pkt->pkt.gpg_control->datalen; const byte *data = n->pkt->pkt.gpg_control->data; /* check that we have at least the sigclass and one hash */ if ( datalen < 2 ) - log_fatal("invalid control packet CTRLPKT_CLEARSIGN_START\n"); + log_fatal("invalid control packet CTRLPKT_CLEARSIGN_START\n"); /* Note that we don't set the clearsig flag for not-dash-escaped * documents */ clearsig = (*data == 0x01); for( data++, datalen--; datalen; datalen--, data++ ) - md_enable( c->mfx.md, *data ); + md_enable( c->mfx.md, *data ); any = 1; - break; /* no pass signature pakets are expected */ - } - } + break; /* no pass signature packets are expected */ + } + else if(n->pkt->pkttype==PKT_SIGNATURE) + { + /* For the SIG+LITERAL case that PGP used to use. */ + md_enable( c->mfx.md, n->pkt->pkt.signature->digest_algo ); + any=1; + } + } - if( !any && !opt.skip_verify ) { - /* no onepass sig packet: enable all standard algos */ + if( !any && !opt.skip_verify ) + { + /* This is for the old GPG LITERAL+SIG case. It's not legal + according to 2440, so hopefully it won't come up that + often. There is no good way to specify what algorithms to + use in that case, so these three are the historical + answer. */ md_enable( c->mfx.md, DIGEST_ALGO_RMD160 ); md_enable( c->mfx.md, DIGEST_ALGO_SHA1 ); md_enable( c->mfx.md, DIGEST_ALGO_MD5 ); - } + } if( opt.pgp2_workarounds && only_md5 && !opt.skip_verify ) { /* This is a kludge to work around a bug in pgp2. It does only * catch those mails which are armored. To catch the non-armored From cvs at cvs.gnupg.org Thu Apr 7 10:15:51 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 7 10:15:54 2005 Subject: gnupg/g10 (ChangeLog app-openpgp.c card-util.c ccid-driver.c) Message-ID: Date: Thursday, April 7, 2005 @ 10:31:24 Author: wk Path: /cvs/gnupg/gnupg/g10 Modified: ChangeLog app-openpgp.c card-util.c ccid-driver.c * ccid-driver.c (ccid_slot_status): Fixed debug messages. * card-util.c (card_edit): Add command "verify". Enhanced admin command to allow optional arguments "on", "off" and "verify". (card_status): Print private DOs in colon mode. * app-openpgp.c (do_check_pin): Add hack to allow verification of CHV3. ---------------+ ChangeLog | 10 ++++++++++ app-openpgp.c | 47 ++++++++++++++++++++++++++++++++++++++++++++--- card-util.c | 37 +++++++++++++++++++++++++++++++++++-- ccid-driver.c | 6 +++--- 4 files changed, 92 insertions(+), 8 deletions(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.719 gnupg/g10/ChangeLog:1.720 --- gnupg/g10/ChangeLog:1.719 Tue Apr 5 19:09:12 2005 +++ gnupg/g10/ChangeLog Thu Apr 7 10:31:23 2005 @@ -1,3 +1,13 @@ +2005-04-07 Werner Koch + + * ccid-driver.c (ccid_slot_status): Fixed debug messages. + + * card-util.c (card_edit): Add command "verify". Enhanced admin + command to allow optional arguments "on", "off" and "verify". + (card_status): Print private DOs in colon mode. + * app-openpgp.c (do_check_pin): Add hack to allow verification of + CHV3. + 2005-04-01 Werner Koch * keygen.c (keygen_set_std_prefs): Explain the chosen order of Index: gnupg/g10/app-openpgp.c diff -u gnupg/g10/app-openpgp.c:1.24 gnupg/g10/app-openpgp.c:1.25 --- gnupg/g10/app-openpgp.c:1.24 Wed Mar 30 12:39:13 2005 +++ gnupg/g10/app-openpgp.c Thu Apr 7 10:31:23 2005 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA * - * $Id: app-openpgp.c,v 1.24 2005/03/30 10:39:13 wk Exp $ + * $Id: app-openpgp.c,v 1.25 2005/04/07 08:31:23 wk Exp $ */ #include @@ -1545,7 +1545,12 @@ cheap check on the PIN: If there is something wrong with the PIN entry system, only the regular CHV will get blocked and not the dangerous CHV3. KEYIDSTR is the usual card's serial number; an - optional fingerprint part will be ignored. */ + optional fingerprint part will be ignored. + + There is a special mode if the keyidstr is "[CHV3]" with + the "[CHV3]" being a literal string: The Admin Pin is checked if + and only if the retry counter is still at 3. +*/ static int do_check_pin (app_t app, const char *keyidstr, int (pincb)(void*, const char *, char **), @@ -1554,6 +1559,7 @@ unsigned char tmp_sn[20]; const char *s; int n; + int admin_pin = 0; if (!keyidstr || !*keyidstr) return gpg_error (GPG_ERR_INV_VALUE); @@ -1570,6 +1576,8 @@ ; /* No fingerprint given: we allow this for now. */ else if (*s == '/') ; /* We ignore a fingerprint. */ + else if (!strcmp (s, "[CHV3]") ) + admin_pin = 1; else return gpg_error (GPG_ERR_INV_ID); @@ -1585,7 +1593,40 @@ problem and the check above is merely for a graceful failure between operations. */ - return verify_chv2 (app, pincb, pincb_arg); + if (admin_pin) + { + void *relptr; + unsigned char *value; + size_t valuelen; + int count; + + relptr = get_one_do (app, 0x00C4, &value, &valuelen); + if (!relptr || valuelen < 7) + { + log_error (_("error retrieving CHV status from card\n")); + xfree (relptr); + return gpg_error (GPG_ERR_CARD); + } + count = value[6]; + xfree (relptr); + + if (!count) + { + log_info (_("card is permanently locked!\n")); + return gpg_error (GPG_ERR_BAD_PIN); + } + else if (value[6] < 3) + { + log_info (_("verification of Admin PIN is currently prohibited " + "through this command\n")); + return gpg_error (GPG_ERR_GENERAL); + } + + app->did_chv3 = 0; /* Force verification. */ + return verify_chv3 (app, pincb, pincb_arg); + } + else + return verify_chv2 (app, pincb, pincb_arg); } Index: gnupg/g10/card-util.c diff -u gnupg/g10/card-util.c:1.32 gnupg/g10/card-util.c:1.33 --- gnupg/g10/card-util.c:1.32 Mon Mar 21 16:24:48 2005 +++ gnupg/g10/card-util.c Thu Apr 7 10:31:23 2005 @@ -287,6 +287,7 @@ int rc; unsigned int uval; const unsigned char *thefpr; + int i; if (serialno && serialnobuflen) *serialno = 0; @@ -363,6 +364,17 @@ info.chvretry[0], info.chvretry[1], info.chvretry[2]); fprintf (fp, "sigcount:%lu:::\n", info.sig_counter); + for (i=0; i < 4; i++) + { + if (info.private_do[i]) + { + fprintf (fp, "private_do:%d:", i+1); + print_string (fp, info.private_do[i], + strlen (info.private_do[i]), ':'); + fputs (":\n", fp); + } + } + fputs ("cafpr:", fp); print_sha1_fpr_colon (fp, info.cafpr1valid? info.cafpr1:NULL); print_sha1_fpr_colon (fp, info.cafpr2valid? info.cafpr2:NULL); @@ -1282,7 +1294,7 @@ enum cmdids { cmdNOP = 0, - cmdQUIT, cmdADMIN, cmdHELP, cmdLIST, cmdDEBUG, + cmdQUIT, cmdADMIN, cmdHELP, cmdLIST, cmdDEBUG, cmdVERIFY, cmdNAME, cmdURL, cmdFETCH, cmdLOGIN, cmdLANG, cmdSEX, cmdCAFPR, cmdFORCESIG, cmdGENERATE, cmdPASSWD, cmdPRIVATEDO, cmdINVCMD @@ -1314,6 +1326,7 @@ { "forcesig", cmdFORCESIG, 1, N_("toggle the signature force PIN flag")}, { "generate", cmdGENERATE, 1, N_("generate new keys")}, { "passwd" , cmdPASSWD, 0, N_("menu to change or unblock the PIN")}, + { "verify" , cmdVERIFY, 0, N_("verify the PIN and list all data")}, /* Note, that we do not announce this command yet. */ { "privatedo", cmdPRIVATEDO, 0, NULL }, { NULL, cmdINVCMD, 0, NULL } @@ -1485,13 +1498,33 @@ break; case cmdADMIN: - allow_admin=!allow_admin; + if ( !strcmp (arg_string, "on") ) + allow_admin = 1; + else if ( !strcmp (arg_string, "off") ) + allow_admin = 0; + else if ( !strcmp (arg_string, "verify") ) + { + /* Force verification of the Admin Command. However, + this is only done if the retry counter is at initial + state. */ + char *tmp = xmalloc (strlen (serialnobuf) + 6 + 1); + strcpy (stpcpy (tmp, serialnobuf), "[CHV3]"); + allow_admin = !agent_scd_checkpin (tmp); + xfree (tmp); + } + else /* Toggle. */ + allow_admin=!allow_admin; if(allow_admin) tty_printf(_("Admin commands are allowed\n")); else tty_printf(_("Admin commands are not allowed\n")); break; + case cmdVERIFY: + agent_scd_checkpin (serialnobuf); + redisplay = 1; + break; + case cmdLIST: redisplay = 1; break; Index: gnupg/g10/ccid-driver.c diff -u gnupg/g10/ccid-driver.c:1.22 gnupg/g10/ccid-driver.c:1.23 --- gnupg/g10/ccid-driver.c:1.22 Wed Mar 16 20:10:54 2005 +++ gnupg/g10/ccid-driver.c Thu Apr 7 10:31:23 2005 @@ -52,7 +52,7 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * - * $Date: 2005/03/16 19:10:54 $ + * $Date: 2005/04/07 08:31:23 $ */ @@ -1303,12 +1303,12 @@ { if (!retries) { - fprintf (stderr, "CALLING USB_CLEAR_HALT\n"); + DEBUGOUT ("USB: CALLING USB_CLEAR_HALT\n"); usb_clear_halt (handle->idev, handle->ep_bulk_in); usb_clear_halt (handle->idev, handle->ep_bulk_out); } else - fprintf (stderr, "RETRYING AGIAN\n"); + DEBUGOUT ("USB: RETRYING bulk_in AGAIN\n"); retries++; goto retry; } From cvs at cvs.gnupg.org Thu Apr 7 11:56:50 2005 From: cvs at cvs.gnupg.org (cvs user werner) Date: Thu Apr 7 11:56:56 2005 Subject: misc-scripts (mkdiff) Message-ID: Date: Thursday, April 7, 2005 @ 11:56:50 Author: werner Path: /cvs/wk/misc-scripts Modified: mkdiff Use bzip2 --------+ mkdiff | 14 +++++++------- 1 files changed, 7 insertions(+), 7 deletions(-) From cvs at cvs.gnupg.org Sat Apr 9 18:25:45 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Sat Apr 9 18:25:48 2005 Subject: GNUPG-1-9-BRANCH gnupg/agent (ChangeLog command-ssh.c) Message-ID: Date: Saturday, April 9, 2005 @ 18:41:28 Author: mo Path: /cvs/gnupg/gnupg/agent Tag: GNUPG-1-9-BRANCH Modified: ChangeLog command-ssh.c 2005-04-03 Moritz Schulte * command-ssh.c (ssh_request_spec): New member: secret_input. (REQUEST_SPEC_DEFINE): New argument: secret_input. (request_specs): Add secret_input flag. (request_spec_lookup): New function ... (ssh_request_process): ... use it here; depending on secret_input flag allocate secure or non-secure memory. ---------------+ ChangeLog | 9 +++ command-ssh.c | 157 ++++++++++++++++++++++++++++++++++---------------------- 2 files changed, 106 insertions(+), 60 deletions(-) Index: gnupg/agent/ChangeLog diff -u gnupg/agent/ChangeLog:1.59.2.72 gnupg/agent/ChangeLog:1.59.2.73 --- gnupg/agent/ChangeLog:1.59.2.72 Wed Mar 2 21:36:50 2005 +++ gnupg/agent/ChangeLog Sat Apr 9 18:41:28 2005 @@ -1,3 +1,12 @@ +2005-04-03 Moritz Schulte + + * command-ssh.c (ssh_request_spec): New member: secret_input. + (REQUEST_SPEC_DEFINE): New argument: secret_input. + (request_specs): Add secret_input flag. + (request_spec_lookup): New function ... + (ssh_request_process): ... use it here; depending on secret_input + flag allocate secure or non-secure memory. + 2005-03-02 Moritz Schulte * command-ssh.c (sexp_key_extract): Removed FIXME, since Index: gnupg/agent/command-ssh.c diff -u gnupg/agent/command-ssh.c:1.1.4.15 gnupg/agent/command-ssh.c:1.1.4.16 --- gnupg/agent/command-ssh.c:1.1.4.15 Thu Mar 3 11:15:07 2005 +++ gnupg/agent/command-ssh.c Sat Apr 9 18:41:28 2005 @@ -107,6 +107,7 @@ unsigned char type; ssh_request_handler_t handler; const char *identifier; + unsigned int secret_input; } ssh_request_spec_t; /* Type for "key modifier functions", which are necessary since @@ -160,26 +161,26 @@ /* Prototypes. */ static gpg_error_t ssh_handler_request_identities (ctrl_t ctrl, - estream_t request, - estream_t response); + estream_t request, + estream_t response); static gpg_error_t ssh_handler_sign_request (ctrl_t ctrl, - estream_t request, - estream_t response); + estream_t request, + estream_t response); static gpg_error_t ssh_handler_add_identity (ctrl_t ctrl, - estream_t request, - estream_t response); + estream_t request, + estream_t response); static gpg_error_t ssh_handler_remove_identity (ctrl_t ctrl, - estream_t request, - estream_t response); + estream_t request, + estream_t response); static gpg_error_t ssh_handler_remove_all_identities (ctrl_t ctrl, - estream_t request, - estream_t response); + estream_t request, + estream_t response); static gpg_error_t ssh_handler_lock (ctrl_t ctrl, - estream_t request, - estream_t response); + estream_t request, + estream_t response); static gpg_error_t ssh_handler_unlock (ctrl_t ctrl, - estream_t request, - estream_t response); + estream_t request, + estream_t response); static gpg_error_t ssh_key_modifier_rsa (const char *elems, gcry_mpi_t *mpis); static gpg_error_t ssh_signature_encoder_rsa (estream_t signature_blob, @@ -195,19 +196,19 @@ /* Associating request types with the corresponding request handlers. */ -#define REQUEST_SPEC_DEFINE(id, name) \ - { SSH_REQUEST_##id, ssh_handler_##name, #name } +#define REQUEST_SPEC_DEFINE(id, name, secret_input) \ + { SSH_REQUEST_##id, ssh_handler_##name, #name, secret_input } static ssh_request_spec_t request_specs[] = { - REQUEST_SPEC_DEFINE (REQUEST_IDENTITIES, request_identities), - REQUEST_SPEC_DEFINE (SIGN_REQUEST, sign_request), - REQUEST_SPEC_DEFINE (ADD_IDENTITY, add_identity), - REQUEST_SPEC_DEFINE (ADD_ID_CONSTRAINED, add_identity), - REQUEST_SPEC_DEFINE (REMOVE_IDENTITY, remove_identity), - REQUEST_SPEC_DEFINE (REMOVE_ALL_IDENTITIES, remove_all_identities), - REQUEST_SPEC_DEFINE (LOCK, lock), - REQUEST_SPEC_DEFINE (UNLOCK, unlock) + REQUEST_SPEC_DEFINE (REQUEST_IDENTITIES, request_identities, 1), + REQUEST_SPEC_DEFINE (SIGN_REQUEST, sign_request, 0), + REQUEST_SPEC_DEFINE (ADD_IDENTITY, add_identity, 1), + REQUEST_SPEC_DEFINE (ADD_ID_CONSTRAINED, add_identity, 1), + REQUEST_SPEC_DEFINE (REMOVE_IDENTITY, remove_identity, 0), + REQUEST_SPEC_DEFINE (REMOVE_ALL_IDENTITIES, remove_all_identities, 0), + REQUEST_SPEC_DEFINE (LOCK, lock, 0), + REQUEST_SPEC_DEFINE (UNLOCK, unlock, 0) }; #undef REQUEST_SPEC_DEFINE @@ -1733,13 +1734,15 @@ gcry_sexp_t key_public; DIR *dir; gpg_error_t err; - gpg_error_t ret_err; int ret; FILE *ctrl_fp = NULL; char *cardsn; + gpg_error_t ret_err; /* Prepare buffer stream. */ + sleep (5); + key_directory = NULL; key_secret = NULL; key_public = NULL; @@ -2460,8 +2463,10 @@ gcry_sexp_release (key); - ret_err = stream_write_byte (response, - err ? SSH_RESPONSE_FAILURE : SSH_RESPONSE_SUCCESS); + if (! err) + ret_err = stream_write_byte (response, SSH_RESPONSE_SUCCESS); + else + ret_err = stream_write_byte (response, SSH_RESPONSE_FAILURE); return ret_err; } @@ -2496,8 +2501,10 @@ xfree (key_blob); gcry_sexp_release (key); - ret_err = stream_write_byte (response, - err ? SSH_RESPONSE_FAILURE : SSH_RESPONSE_SUCCESS); + if (! err) + ret_err = stream_write_byte (response, SSH_RESPONSE_SUCCESS); + else + ret_err = stream_write_byte (response, SSH_RESPONSE_FAILURE); return ret_err; } @@ -2523,8 +2530,11 @@ gpg_error_t err; err = ssh_identities_remove_all (); - ret_err = stream_write_byte (response, - err ? SSH_RESPONSE_FAILURE : SSH_RESPONSE_SUCCESS); + + if (! err) + ret_err = stream_write_byte (response, SSH_RESPONSE_SUCCESS); + else + ret_err = stream_write_byte (response, SSH_RESPONSE_FAILURE); return ret_err; } @@ -2559,8 +2569,11 @@ gpg_error_t err; err = ssh_lock (); - ret_err = stream_write_byte (response, - err ? SSH_RESPONSE_FAILURE : SSH_RESPONSE_SUCCESS); + + if (! err) + ret_err = stream_write_byte (response, SSH_RESPONSE_SUCCESS); + else + ret_err = stream_write_byte (response, SSH_RESPONSE_FAILURE); return ret_err; } @@ -2572,22 +2585,45 @@ gpg_error_t err; err = ssh_unlock (); - ret_err = stream_write_byte (response, - err ? SSH_RESPONSE_FAILURE : SSH_RESPONSE_SUCCESS); + + if (! err) + ret_err = stream_write_byte (response, SSH_RESPONSE_SUCCESS); + else + ret_err = stream_write_byte (response, SSH_RESPONSE_FAILURE); return ret_err; } +static ssh_request_spec_t * +request_spec_lookup (int type) +{ + ssh_request_spec_t *spec; + unsigned int i; + + for (i = 0; i < DIM (request_specs); i++) + if (request_specs[i].type == type) + break; + if (i == DIM (request_specs)) + { + log_info ("ssh request %u is not supported\n", type); + spec = NULL; + } + else + spec = request_specs + i; + + return spec; +} + static int ssh_request_process (ctrl_t ctrl, estream_t stream_sock) { + ssh_request_spec_t *spec; estream_t response; estream_t request; unsigned char request_type; gpg_error_t err; - unsigned int i; int send_err; int ret; unsigned char *request_data; @@ -2617,7 +2653,26 @@ log_info ("received ssh request of length %u\n", (unsigned int)request_data_size); - request = es_mopen (NULL, 0, 0, 1, realloc_secure, gcry_free, "r+"); + if (! request_data_size) + { + send_err = 1; + goto out; + /* Broken request; FIXME. */ + } + + request_type = request_data[0]; + spec = request_spec_lookup (request_type); + if (! spec) + { + send_err = 1; + goto out; + /* Unknown request; FIXME. */ + } + + if (spec->secret_input) + request = es_mopen (NULL, 0, 0, 1, realloc_secure, gcry_free, "r+"); + else + request = es_mopen (NULL, 0, 0, 1, gcry_realloc, gcry_free, "r+"); if (! request) { err = gpg_error_from_errno (errno); @@ -2629,7 +2684,7 @@ err = gpg_error_from_errno (errno); goto out; } - err = stream_write_data (request, request_data, request_data_size); + err = stream_write_data (request, request_data + 1, request_data_size - 1); if (err) goto out; es_rewind (request); @@ -2641,38 +2696,20 @@ goto out; } - err = stream_read_byte (request, &request_type); - if (err) - { - send_err = 1; - goto out; - } - - for (i = 0; i < DIM (request_specs); i++) - if (request_specs[i].type == request_type) - break; - if (i == DIM (request_specs)) - { - log_info ("ssh request %u is not supported\n", request_type); - send_err = 1; - goto out; - } - if (opt.verbose) log_info ("ssh request handler for %s (%u) started\n", - request_specs[i].identifier, request_specs[i].type); + spec->identifier, spec->type); - err = (*request_specs[i].handler) (ctrl, request, response); + err = (*spec->handler) (ctrl, request, response); if (opt.verbose) { if (err) log_info ("ssh request handler for %s (%u) failed: %s\n", - request_specs[i].identifier, request_specs[i].type, - gpg_strerror (err)); + spec->identifier, spec->type, gpg_strerror (err)); else log_info ("ssh request handler for %s (%u) ready\n", - request_specs[i].identifier, request_specs[i].type); + spec->identifier, spec->type); } if (err) From cvs at cvs.gnupg.org Sat Apr 9 18:42:05 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Sat Apr 9 18:42:07 2005 Subject: libgcrypt/cipher (ChangeLog md.c tiger.c) Message-ID: Date: Saturday, April 9, 2005 @ 18:57:54 Author: mo Path: /cvs/libgcrypt/libgcrypt/cipher Modified: ChangeLog md.c tiger.c 2005-04-09 Moritz Schulte * tiger.c: Do not forget to include file types.h. * md.c: Likewise. These changes make Libgcrypt actually INCLUDE the Tiger algorithm. -----------+ ChangeLog | 6 ++++++ md.c | 1 + tiger.c | 1 + 3 files changed, 8 insertions(+) Index: libgcrypt/cipher/ChangeLog diff -u libgcrypt/cipher/ChangeLog:1.228 libgcrypt/cipher/ChangeLog:1.229 --- libgcrypt/cipher/ChangeLog:1.228 Wed Mar 30 21:06:08 2005 +++ libgcrypt/cipher/ChangeLog Sat Apr 9 18:57:54 2005 @@ -1,3 +1,9 @@ +2005-04-09 Moritz Schulte + + * tiger.c: Do not forget to include file types.h. + * md.c: Likewise. These changes make Libgcrypt actually INCLUDE + the Tiger algorithm. + 2005-03-30 Moritz Schulte * ac.c (_gcry_ac_data_from_sexp): Use length of SEXP_CUR, not Index: libgcrypt/cipher/md.c diff -u libgcrypt/cipher/md.c:1.82 libgcrypt/cipher/md.c:1.83 --- libgcrypt/cipher/md.c:1.82 Fri Dec 19 20:49:35 2003 +++ libgcrypt/cipher/md.c Sat Apr 9 18:57:54 2005 @@ -25,6 +25,7 @@ #include #include +#include "types.h" #include "g10lib.h" #include "cipher.h" #include "ath.h" Index: libgcrypt/cipher/tiger.c diff -u libgcrypt/cipher/tiger.c:1.29 libgcrypt/cipher/tiger.c:1.30 --- libgcrypt/cipher/tiger.c:1.29 Mon Aug 23 15:33:15 2004 +++ libgcrypt/cipher/tiger.c Sat Apr 9 18:57:54 2005 @@ -23,6 +23,7 @@ #include #include +#include "types.h" #include "g10lib.h" #include "memory.h" #include "cipher.h" From cvs at cvs.gnupg.org Sun Apr 10 20:44:34 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Sun Apr 10 20:44:37 2005 Subject: libgcrypt/cipher (ChangeLog md.c tiger.c) Message-ID: Date: Sunday, April 10, 2005 @ 21:00:28 Author: mo Path: /cvs/libgcrypt/libgcrypt/cipher Modified: ChangeLog md.c tiger.c Reverted last change, as it was unnecessary. -----------+ ChangeLog | 6 ------ md.c | 1 - tiger.c | 1 - 3 files changed, 8 deletions(-) Index: libgcrypt/cipher/ChangeLog diff -u libgcrypt/cipher/ChangeLog:1.229 libgcrypt/cipher/ChangeLog:1.230 --- libgcrypt/cipher/ChangeLog:1.229 Sat Apr 9 18:57:54 2005 +++ libgcrypt/cipher/ChangeLog Sun Apr 10 21:00:27 2005 @@ -1,9 +1,3 @@ -2005-04-09 Moritz Schulte - - * tiger.c: Do not forget to include file types.h. - * md.c: Likewise. These changes make Libgcrypt actually INCLUDE - the Tiger algorithm. - 2005-03-30 Moritz Schulte * ac.c (_gcry_ac_data_from_sexp): Use length of SEXP_CUR, not Index: libgcrypt/cipher/md.c diff -u libgcrypt/cipher/md.c:1.83 libgcrypt/cipher/md.c:1.84 --- libgcrypt/cipher/md.c:1.83 Sat Apr 9 18:57:54 2005 +++ libgcrypt/cipher/md.c Sun Apr 10 21:00:27 2005 @@ -25,7 +25,6 @@ #include #include -#include "types.h" #include "g10lib.h" #include "cipher.h" #include "ath.h" Index: libgcrypt/cipher/tiger.c diff -u libgcrypt/cipher/tiger.c:1.30 libgcrypt/cipher/tiger.c:1.31 --- libgcrypt/cipher/tiger.c:1.30 Sat Apr 9 18:57:54 2005 +++ libgcrypt/cipher/tiger.c Sun Apr 10 21:00:27 2005 @@ -23,7 +23,6 @@ #include #include -#include "types.h" #include "g10lib.h" #include "memory.h" #include "cipher.h" From cvs at cvs.gnupg.org Sun Apr 10 23:56:44 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Sun Apr 10 23:56:47 2005 Subject: GNUPG-1-9-BRANCH gnupg/common (ChangeLog simple-pwquery.c) Message-ID: Date: Monday, April 11, 2005 @ 00:12:31 Author: marcus Path: /cvs/gnupg/gnupg/common Tag: GNUPG-1-9-BRANCH Modified: ChangeLog simple-pwquery.c 2005-04-11 Marcus Brinkmann * simple-pwquery.c (simple_pwquery): Use spwq_secure_free. ------------------+ ChangeLog | 4 ++++ simple-pwquery.c | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) Index: gnupg/common/ChangeLog diff -u gnupg/common/ChangeLog:1.30.2.45 gnupg/common/ChangeLog:1.30.2.46 --- gnupg/common/ChangeLog:1.30.2.45 Thu Mar 3 11:15:07 2005 +++ gnupg/common/ChangeLog Mon Apr 11 00:12:31 2005 @@ -1,3 +1,7 @@ +2005-04-11 Marcus Brinkmann + + * simple-pwquery.c (simple_pwquery): Use spwq_secure_free. + 2005-03-03 Werner Koch * Makefile.am (AM_CFLAGS): Added PTH_CFLAGS. Noted by Kazu Yamamoto. Index: gnupg/common/simple-pwquery.c diff -u gnupg/common/simple-pwquery.c:1.1.2.9 gnupg/common/simple-pwquery.c:1.1.2.10 --- gnupg/common/simple-pwquery.c:1.1.2.9 Thu Feb 24 18:36:11 2005 +++ gnupg/common/simple-pwquery.c Mon Apr 11 00:12:31 2005 @@ -541,7 +541,7 @@ if (fd != -1) close (fd); if (pw) - spwq_free (pw); + spwq_secure_free (pw); return result; } From cvs at cvs.gnupg.org Mon Apr 11 00:54:55 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Mon Apr 11 00:55:00 2005 Subject: GNUPG-1-9-BRANCH gnupg/tools (ChangeLog Makefile.am symcryptrun.c) Message-ID: Date: Monday, April 11, 2005 @ 01:10:52 Author: marcus Path: /cvs/gnupg/gnupg/tools Tag: GNUPG-1-9-BRANCH Added: symcryptrun.c Modified: ChangeLog Makefile.am 2005-04-11 Marcus Brinkmann * Makefile.am (bin_PROGRAMS): Add symcryptrun. (symcryptrun_SOURCES, symcryptrun_LDADD): New variables. * symcryptrun.c: New file. ---------------+ ChangeLog | 6 Makefile.am | 7 symcryptrun.c | 848 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 860 insertions(+), 1 deletion(-) Index: gnupg/tools/ChangeLog diff -u gnupg/tools/ChangeLog:1.25.2.64 gnupg/tools/ChangeLog:1.25.2.65 --- gnupg/tools/ChangeLog:1.25.2.64 Wed Mar 9 11:11:14 2005 +++ gnupg/tools/ChangeLog Mon Apr 11 01:10:52 2005 @@ -1,3 +1,9 @@ +2005-04-11 Marcus Brinkmann + + * Makefile.am (bin_PROGRAMS): Add symcryptrun. + (symcryptrun_SOURCES, symcryptrun_LDADD): New variables. + * symcryptrun.c: New file. + 2005-03-09 Werner Koch * gpgconf-comp.c : Add honor-http-proxy. Index: gnupg/tools/Makefile.am diff -u gnupg/tools/Makefile.am:1.31.2.12 gnupg/tools/Makefile.am:1.31.2.13 --- gnupg/tools/Makefile.am:1.31.2.12 Thu Feb 24 18:36:11 2005 +++ gnupg/tools/Makefile.am Mon Apr 11 01:10:52 2005 @@ -30,7 +30,7 @@ bin_SCRIPTS = gpgsm-gencert.sh -bin_PROGRAMS = gpgconf gpg-connect-agent +bin_PROGRAMS = gpgconf gpg-connect-agent symcryptrun if !HAVE_W32_SYSTEM bin_PROGRAMS += watchgnupg endif @@ -39,6 +39,11 @@ gpgconf_LDADD = ../jnlib/libjnlib.a ../common/libcommon.a @LIBINTL@ +symcryptrun_SOURCES = symcryptrun.c +symcryptrun_LDADD = -lutil ../jnlib/libjnlib.a ../common/libcommon.a \ + ../common/libsimple-pwquery.a $(LIBGCRYPT_LIBS) \ + $(GPG_ERROR_LIBS) $(LIBINTL) + watchgnupg_SOURCES = watchgnupg.c gpg_connect_agent_SOURCES = gpg-connect-agent.c no-libgcrypt.c Index: gnupg/tools/symcryptrun.c diff -u /dev/null gnupg/tools/symcryptrun.c:1.1.2.1 --- /dev/null Mon Apr 11 01:10:52 2005 +++ gnupg/tools/symcryptrun.c Mon Apr 11 01:10:52 2005 @@ -0,0 +1,848 @@ +/* symcryptrun.c - Tool to call simple symmetric encryption tools. + * Copyright (C) 2005 Free Software Foundation, Inc. + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + + +/* Sometimes simple encryption tools are already in use for a long + time and there is a desire to integrate them into the GnuPG + framework. The protocols and encryption methods might be + non-standard or not even properly documented, so that a + full-fledged encryption tool with an interface like gpg is not + doable. This simple wrapper program provides a solution: It + operates by calling the encryption/decryption module and providing + the passphrase for a key (or even the key directly) using the + standard pinentry mechanism through gpg-agent. */ + +/* This program is invoked in the following way: + + symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE \ + [--decrypt | --encrypt] + + For encryption, the plain text must be provided on STDIN, and the + ciphertext will be output to STDOUT. For decryption vice versa. + + CLASS can currently only be "confucius". + + PROGRAM must be the path to the crypto engine. + + KEYFILE must contain the secret key, which may be protected by a + passphrase. The passphrase is retrieved via the pinentry program. + + + The GPG Agent _must_ be running before starting symcryptrun. + + The possible exit status codes: + + 0 Success + 1 Some error occured + 2 No valid passphrase was provided + 3 The operation was canceled by the user + + Other classes may be added in the future. */ + + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef HAVE_LOCALE_H +#include +#endif +#ifdef HAVE_LANGINFO_CODESET +#include +#endif +#include + +#define JNLIB_NEED_LOG_LOGV +#include "i18n.h" +#include "../common/util.h" + +/* FIXME: Bah. For spwq_secure_free. */ +#define SIMPLE_PWQUERY_IMPLEMENTATION 1 +#include "../common/simple-pwquery.h" + + +/* Used by gcry for logging */ +static void +my_gcry_logger (void *dummy, int level, const char *fmt, va_list arg_ptr) +{ + /* translate the log levels */ + switch (level) + { + case GCRY_LOG_CONT: level = JNLIB_LOG_CONT; break; + case GCRY_LOG_INFO: level = JNLIB_LOG_INFO; break; + case GCRY_LOG_WARN: level = JNLIB_LOG_WARN; break; + case GCRY_LOG_ERROR:level = JNLIB_LOG_ERROR; break; + case GCRY_LOG_FATAL:level = JNLIB_LOG_FATAL; break; + case GCRY_LOG_BUG: level = JNLIB_LOG_BUG; break; + case GCRY_LOG_DEBUG:level = JNLIB_LOG_DEBUG; break; + default: level = JNLIB_LOG_ERROR; break; } + log_logv (level, fmt, arg_ptr); +} + + +/* Constants to identify the commands and options. */ +enum cmd_and_opt_values + { + aNull = 0, + oQuiet = 'q', + oVerbose = 'v', + + oNoVerbose = 500, + oLogFile, + oHomedir, + oClass, + oProgram, + oKeyfile, + oDecrypt, + oEncrypt, + }; + + +/* The list of commands and options. */ +static ARGPARSE_OPTS opts[] = + { + { 301, NULL, 0, N_("@\nCommands:\n ") }, + + { oDecrypt, "decrypt", 0, N_("decryption modus")}, + { oEncrypt, "encrypt", 0, N_("encryption modus")}, + + { 302, NULL, 0, N_("@\nOptions:\n ") }, + + { oClass, "class", 2, N_("tool class (confucius)")}, + { oProgram, "program", 2, N_("program filename")}, + + { oKeyfile, "keyfile", 2, N_("secret key file (required)")}, + + { oVerbose, "verbose", 0, N_("verbose") }, + { oQuiet, "quiet", 0, N_("quiet") }, + { oLogFile, "log-file", 2, N_("use a log file for the server")}, + + /* Hidden options. */ + { oNoVerbose, "no-verbose", 0, "@"}, + { oHomedir, "homedir", 2, "@" }, + + {0} + }; + + +/* We keep all global options in the structure OPT. */ +struct +{ + int verbose; /* Verbosity level. */ + int quiet; /* Be extra quiet. */ + const char *homedir; /* Configuration directory name */ + + char *class; + char *program; + char *keyfile; +} opt; + + +/* Print usage information and and provide strings for help. */ +static const char * +my_strusage (int level) +{ + const char *p; + + switch (level) + { + case 11: p = "symcryptrun (GnuPG)"; + break; + case 13: p = VERSION; break; + case 17: p = PRINTABLE_OS_NAME; break; + case 19: p = _("Please report bugs to <" PACKAGE_BUGREPORT ">.\n"); + break; + case 1: + case 40: p = _("Usage: symcryptrun [options] (-h for help)"); + break; + case 41: + p = _("Syntax: symcryptrun --class CLASS --program PROGRAM " + "--keyfile KEYFILE [options...] COMMAND\n" + "Call a simple symmetric encryption tool\n"); + break; + case 31: p = "\nHome: "; break; + case 32: p = opt.homedir; break; + case 33: p = "\n"; break; + + default: p = NULL; break; + } + return p; +} + + +/* Initialize the gettext system. */ +static void +i18n_init(void) +{ +#ifdef USE_SIMPLE_GETTEXT + set_gettext_file (PACKAGE_GT); +#else +# ifdef ENABLE_NLS + setlocale (LC_ALL, ""); + bindtextdomain (PACKAGE_GT, LOCALEDIR); + textdomain (PACKAGE_GT); +# endif +#endif +} + + +/* Class Confucius. + + "Don't worry that other people don't know you; + worry that you don't know other people." Analects--1.16. */ + +/* Create temporary directory with mode 0700. Returns a dynamically + allocated string with the filename of the directory. */ +static char * +confucius_mktmpdir (void) +{ + int res; + char *tmpdir; + + tmpdir = tmpnam (NULL); + if (!tmpdir) + { + log_error (_("cannot create temporary directory name: %s\n"), + strerror (errno)); + return NULL; + } + tmpdir = strdup (tmpdir); + if (!tmpdir) + { + log_error (_("cannot copy temporary directory name: %s\n"), + strerror (errno)); + return NULL; + } + res = mkdir (tmpdir, 0700); + if (res < 0) + { + log_error (_("cannot create temporary directory %s: %s\n"), + tmpdir, strerror (errno)); + return NULL; + } + + return tmpdir; +} + + +/* Buffer size for I/O operations. */ +#define CONFUCIUS_BUFSIZE 4096 + +/* Buffer size for output lines. */ +#define CONFUCIUS_LINESIZE 4096 + + +/* Copy the file IN to OUT, either of which may be "-". */ +static int +confucius_copy_file (const char *infile, const char *outfile) +{ + FILE *in; + int in_is_stdin = 0; + FILE *out; + int out_is_stdout = 0; + char data[CONFUCIUS_BUFSIZE]; + ssize_t data_len; + + if (infile[0] == '-' && infile[1] == '\0') + { + /* FIXME: Is stdin in binary mode? */ + in = stdin; + in_is_stdin = 1; + } + else + { + in = fopen (infile, "rb"); + if (!in) + { + log_error (_("could not open %s for writing: %s\n"), + infile, strerror (errno)); + return 1; + } + } + + if (outfile[0] == '-' && outfile[1] == '\0') + { + /* FIXME: Is stdout in binary mode? */ + out = stdout; + out_is_stdout = 1; + } + else + { + out = fopen (outfile, "wb"); + if (!out) + { + log_error (_("could not open %s for writing: %s\n"), + infile, strerror (errno)); + return 1; + } + } + + /* Now copy the data. */ + while ((data_len = fread (data, 1, sizeof (data), in)) > 0) + { + if (fwrite (data, 1, data_len, out) != data_len) + { + log_error (_("error writing to %s: %s\n"), outfile, + strerror (errno)); + goto copy_err; + } + } + if (data_len < 0 || ferror (in)) + { + log_error (_("error reading from %s: %s\n"), infile, strerror (errno)); + goto copy_err; + } + + /* Close IN if appropriate. */ + if (!in_is_stdin && fclose (in) && ferror (in)) + { + log_error (_("error closing %s: %s\n"), infile, strerror (errno)); + goto copy_err; + } + + /* Close OUT if appropriate. */ + if (!out_is_stdout && fclose (out) && ferror (out)) + { + log_error (_("error closing %s: %s\n"), infile, strerror (errno)); + goto copy_err; + } + + return 0; + + copy_err: + if (!out_is_stdout) + unlink (outfile); + return 1; +} + + +/* Get a passphrase in secure storage (if possible). If AGAIN is + true, then this is a repeated attempt. If CANCELED is not a null + pointer, it will be set to true or false, depending on if the user + canceled the operation or not. On error (including cancelation), a + null pointer is returned. The passphrase must be deallocated with + confucius_drop_pass. */ +char * +confucius_get_pass (int again, int *canceled) +{ + int err; + char *pw; +#ifdef HAVE_LANGINFO_CODESET + char *orig_codeset = NULL; +#endif + + if (canceled) + *canceled = 0; + +#ifdef ENABLE_NLS + /* The Assuan agent protocol requires us to transmit utf-8 strings */ + orig_codeset = bind_textdomain_codeset (PACKAGE_GT, NULL); +#ifdef HAVE_LANGINFO_CODESET + if (!orig_codeset) + orig_codeset = nl_langinfo (CODESET); +#endif + if (orig_codeset && !strcmp (orig_codeset, "UTF-8")) + orig_codeset = NULL; + if (orig_codeset) + { + /* We only switch when we are able to restore the codeset later. */ + orig_codeset = xstrdup (orig_codeset); + if (!bind_textdomain_codeset (PACKAGE_GT, "utf-8")) + orig_codeset = NULL; + } +#endif + + pw = simple_pwquery (NULL, + again ? _("does not match - try again"):NULL, + _("Passphrase:"), NULL, &err); + +#ifdef ENABLE_NLS + if (orig_codeset) + { + bind_textdomain_codeset (PACKAGE_GT, orig_codeset); + xfree (orig_codeset); + } +#endif + + if (!pw) + { + if (err) + log_error (_("error while asking for the passphrase: %s\n"), + gpg_strerror (err)); + else + { + log_info (_("cancelled\n")); + if (canceled) + *canceled = 1; + } + } + + return pw; +} + + +/* Drop a passphrase retrieved with confucius_get_pass. */ +void +confucius_drop_pass (char *pass) +{ + if (pass) + spwq_secure_free (pass); +} + + +/* Run a confucius crypto engine. If MODE is oEncrypt, encryption is + requested. If it is oDecrypt, decryption is requested. INFILE and + OUTFILE are the temporary files used in the process. */ +int +confucius_process (int mode, char *infile, char *outfile) +{ + char *const args[] = { opt.program, + mode == oEncrypt ? "-m1" : "-m2", + "-q", infile, + "-z", outfile, + "-s", opt.keyfile, + mode == oEncrypt ? "-af" : "-f", + NULL }; + int cstderr[2]; + int master; + int slave; + int res; + pid_t pid; + pid_t wpid; + int tries = 0; + + signal (SIGPIPE, SIG_IGN); + + if (!opt.program) + { + log_error (_("no --program option provided\n")); + return 1; + } + + if (mode != oDecrypt && mode != oEncrypt) + { + log_error (_("only --decrypt and --encrypt are supported\n")); + return 1; + } + + if (!opt.keyfile) + { + log_error (_("no --keyfile option provided\n")); + return 1; + } + + if (pipe (cstderr) < 0) + { + log_error (_("could not create pipe: %s\n"), strerror (errno)); + return 1; + } + + if (openpty (&master, &slave, NULL, NULL, NULL) == -1) + { + log_error (_("could not create pty: %s\n"), strerror (errno)); + close (cstderr[0]); + close (cstderr[1]); + return -1; + } + + /* We don't want to deal with the worst case scenarios. */ + assert (master > 2); + assert (slave > 2); + assert (cstderr[0] > 2); + assert (cstderr[1] > 2); + + pid = fork (); + if (pid < 0) + { + log_error (_("could not fork: %s\n"), strerror (errno)); + close (master); + close (slave); + close (cstderr[0]); + close (cstderr[1]); + return 1; + } + else if (pid == 0) + { + /* Child. */ + + /* Close the parent ends. */ + close (master); + close (cstderr[0]); + + /* Change controlling terminal. */ + if (login_tty (slave)) + { + /* It's too early to output a debug message. */ + _exit (1); + } + + dup2 (cstderr[1], 2); + close (cstderr[1]); + + /* Now kick off the engine program. */ + execv (opt.program, args); + log_error (_("execv failed: %s\n"), strerror (errno)); + _exit (1); + } + else + { + /* Parent. */ + char buffer[CONFUCIUS_LINESIZE]; + int buffer_len = 0; + fd_set fds; + int slave_closed = 0; + int stderr_closed = 0; + + close (slave); + close (cstderr[1]); + + /* Listen on the output FDs. */ + do + { + FD_ZERO (&fds); + + if (!slave_closed) + FD_SET (master, &fds); + if (!stderr_closed) + FD_SET (cstderr[0], &fds); + + res = select (FD_SETSIZE, &fds, NULL, NULL, NULL); + if (res < 0) + { + log_error (_("select failed: %s\n"), strerror (errno)); + + kill (pid, SIGTERM); + close (master); + close (cstderr[0]); + return 1; + } + + if (FD_ISSET (cstderr[0], &fds)) + { + /* We got some output on stderr. This is just passed + through via the logging facility. */ + + res = read (cstderr[0], &buffer[buffer_len], + sizeof (buffer) - buffer_len - 1); + if (res < 0) + { + log_error (_("read failed: %s\n"), strerror (errno)); + + kill (pid, SIGTERM); + close (master); + close (cstderr[0]); + return 1; + } + else + { + char *newline; + + buffer_len += res; + for (;;) + { + buffer[buffer_len] = '\0'; + newline = strchr (buffer, '\n'); + if (newline) + { + *newline = '\0'; + log_error ("%s\n", buffer); + buffer_len -= newline + 1 - buffer; + memmove (buffer, newline + 1, buffer_len); + } + else if (buffer_len == sizeof (buffer) - 1) + { + /* Overflow. */ + log_error ("%s\n", buffer); + buffer_len = 0; + } + else + break; + } + + if (res == 0) + stderr_closed = 1; + } + } + else if (FD_ISSET (master, &fds)) + { + char data[512]; + + res = read (master, data, sizeof (data)); + if (res < 0) + { + if (errno == EIO) + { + /* Slave-side close leads to readable fd and + EIO. */ + slave_closed = 1; + } + else + { + log_error (_("pty read failed: %s\n"), strerror (errno)); + + kill (pid, SIGTERM); + close (master); + close (cstderr[0]); + return 1; + } + } + else if (res == 0) + /* This never seems to be what happens on slave-side + close. */ + slave_closed = 1; + else + { + /* Check for password prompt. */ + if (data[res - 1] == ':') + { + char *pass; + int canceled; + + pass = confucius_get_pass (tries ? 1 : 0, &canceled); + if (!pass) + { + kill (pid, SIGTERM); + close (master); + close (cstderr[0]); + return canceled ? 3 : 1; + } + write (master, pass, strlen (pass)); + write (master, "\n", 1); + confucius_drop_pass (pass); + + tries++; + } + } + } + } + while (!stderr_closed || !slave_closed); + + close (master); + close (cstderr[0]); + + wpid = waitpid (pid, &res, 0); + if (wpid < 0) + { + log_error (_("waitpid failed: %s\n"), strerror (errno)); + + kill (pid, SIGTERM); + return 1; + } + else + { + /* Shouldn't happen, as we don't use WNOHANG. */ + assert (wpid != 0); + + if (!WIFEXITED (res)) + { + log_error (_("child aborted with status %i\n"), res); + return 1; + } + + if (WEXITSTATUS (res)) + { + /* We probably exceeded our number of attempts at guessing + the password. */ + if (tries >= 3) + return 2; + else + return 1; + } + + return 0; + } + } + + /* Not reached. */ +} + + +/* Class confucius main program. If MODE is oEncrypt, encryption is + requested. If it is oDecrypt, decryption is requested. The other + parameters are taken from the global option data. */ +int +confucius_main (int mode) +{ + int res; + char *tmpdir; + char *infile; + char *outfile; + + tmpdir = confucius_mktmpdir (); + if (!tmpdir) + return 1; + + /* TMPDIR + "/" + "in" + "\0". */ + infile = malloc (strlen (tmpdir) + 1 + 2 + 1); + if (!infile) + { + log_error (_("cannot allocate infile string: %s\n"), strerror (errno)); + rmdir (tmpdir); + return 1; + } + strcpy (infile, tmpdir); + strcat (infile, "/in"); + + /* TMPDIR + "/" + "out" + "\0". */ + outfile = malloc (strlen (tmpdir) + 1 + 3 + 1); + if (!outfile) + { + log_error (_("cannot allocate outfile string: %s\n"), strerror (errno)); + free (infile); + rmdir (tmpdir); + return 1; + } + strcpy (outfile, tmpdir); + strcat (outfile, "/out"); + + /* Create INFILE and fill it with content. */ + res = confucius_copy_file ("-", infile); + if (res) + { + free (outfile); + free (infile); + rmdir (tmpdir); + return res; + } + + /* Run the engine and thus create the output file, handling + passphrase retrieval. */ + res = confucius_process (mode, infile, outfile); + if (res) + { + unlink (outfile); + unlink (infile); + free (outfile); + free (infile); + rmdir (tmpdir); + return res; + } + + /* Dump the output file to stdout. */ + res = confucius_copy_file (outfile, "-"); + if (res) + { + unlink (outfile); + unlink (infile); + free (outfile); + free (infile); + rmdir (tmpdir); + return res; + } + + unlink (outfile); + unlink (infile); + free (outfile); + free (infile); + rmdir (tmpdir); + return 0; +} + + +/* symcryptrun's entry point. */ +int +main (int argc, char **argv) +{ + ARGPARSE_ARGS pargs; + int no_more_options = 0; + int mode = 0; + int res; + char *logfile = NULL; + + set_strusage (my_strusage); + log_set_prefix ("symcryptrun", 1); + + /* Try to auto set the character set. */ + set_native_charset (NULL); + + i18n_init(); + + opt.homedir = default_homedir (); + + /* Parse the command line. */ + pargs.argc = &argc; + pargs.argv = &argv; + pargs.flags = 1; /* Do not remove the args. */ + while (!no_more_options && optfile_parse (NULL, NULL, NULL, &pargs, opts)) + { + switch (pargs.r_opt) + { + case oDecrypt: mode = oDecrypt; break; + case oEncrypt: mode = oEncrypt; break; + + case oQuiet: opt.quiet = 1; break; + case oVerbose: opt.verbose++; break; + case oNoVerbose: opt.verbose = 0; break; + case oHomedir: opt.homedir = pargs.r.ret_str; break; + + case oClass: opt.class = pargs.r.ret_str; break; + case oProgram: opt.program = pargs.r.ret_str; break; + case oKeyfile: opt.keyfile = pargs.r.ret_str; break; + + case oLogFile: logfile = pargs.r.ret_str; break; + + default: pargs.err = 2; break; + } + } + + if (!mode) + log_error (_("either %s or %s must be given\n"), + "--decrypt", "--encrypt"); + + if (log_get_errorcount (0)) + exit (1); + + if (logfile) + log_set_file (logfile); + + gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN); + if (!gcry_check_version (NEED_LIBGCRYPT_VERSION) ) + { + log_fatal( _("libgcrypt is too old (need %s, have %s)\n"), + NEED_LIBGCRYPT_VERSION, gcry_check_version (NULL) ); + } + gcry_set_log_handler (my_gcry_logger, NULL); + gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0); + + if (!opt.class) + { + log_error (_("no class provided\n")); + res = 1; + } + else if (!strcmp (opt.class, "confucius")) + res = confucius_main (mode); + else + { + log_error (_("class %s is not supported\n"), opt.class); + res = 1; + } + + return res; +} From cvs at cvs.gnupg.org Mon Apr 11 01:38:42 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Mon Apr 11 01:38:47 2005 Subject: GNUPG-1-9-BRANCH gnupg/tools (ChangeLog symcryptrun.c) Message-ID: Date: Monday, April 11, 2005 @ 01:54:39 Author: marcus Path: /cvs/gnupg/gnupg/tools Tag: GNUPG-1-9-BRANCH Modified: ChangeLog symcryptrun.c 2005-04-11 Marcus Brinkmann * symcryptrun.c: Implement config file parsing. ---------------+ ChangeLog | 2 + symcryptrun.c | 87 +++++++++++++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 82 insertions(+), 7 deletions(-) Index: gnupg/tools/ChangeLog diff -u gnupg/tools/ChangeLog:1.25.2.65 gnupg/tools/ChangeLog:1.25.2.66 --- gnupg/tools/ChangeLog:1.25.2.65 Mon Apr 11 01:10:52 2005 +++ gnupg/tools/ChangeLog Mon Apr 11 01:54:39 2005 @@ -1,5 +1,7 @@ 2005-04-11 Marcus Brinkmann + * symcryptrun.c: Implement config file parsing. + * Makefile.am (bin_PROGRAMS): Add symcryptrun. (symcryptrun_SOURCES, symcryptrun_LDADD): New variables. * symcryptrun.c: New file. Index: gnupg/tools/symcryptrun.c diff -u gnupg/tools/symcryptrun.c:1.1.2.1 gnupg/tools/symcryptrun.c:1.1.2.2 --- gnupg/tools/symcryptrun.c:1.1.2.1 Mon Apr 11 01:10:52 2005 +++ gnupg/tools/symcryptrun.c Mon Apr 11 01:54:39 2005 @@ -115,6 +115,8 @@ oVerbose = 'v', oNoVerbose = 500, + oOptions, + oNoOptions, oLogFile, oHomedir, oClass, @@ -143,10 +145,12 @@ { oVerbose, "verbose", 0, N_("verbose") }, { oQuiet, "quiet", 0, N_("quiet") }, { oLogFile, "log-file", 2, N_("use a log file for the server")}, + { oOptions, "options" , 2, N_("|FILE|read options from FILE")}, /* Hidden options. */ { oNoVerbose, "no-verbose", 0, "@"}, { oHomedir, "homedir", 2, "@" }, + { oNoOptions, "no-options", 0, "@" },/* shortcut for --options /dev/null */ {0} }; @@ -771,10 +775,15 @@ main (int argc, char **argv) { ARGPARSE_ARGS pargs; - int no_more_options = 0; + int orig_argc; + char **orig_argv; + FILE *configfp = NULL; + char *configname = NULL; + unsigned configlineno; int mode = 0; int res; char *logfile = NULL; + int default_config = 1; set_strusage (my_strusage); log_set_prefix ("symcryptrun", 1); @@ -786,11 +795,55 @@ opt.homedir = default_homedir (); + /* Check whether we have a config file given on the commandline */ + orig_argc = argc; + orig_argv = argv; + pargs.argc = &argc; + pargs.argv = &argv; + pargs.flags= 1|(1<<6); /* do not remove the args, ignore version */ + while (arg_parse( &pargs, opts)) + { + if (pargs.r_opt == oOptions) + { /* Yes there is one, so we do not try the default one, but + read the option file when it is encountered at the + commandline */ + default_config = 0; + } + else if (pargs.r_opt == oNoOptions) + default_config = 0; /* --no-options */ + else if (pargs.r_opt == oHomedir) + opt.homedir = pargs.r.ret_str; + } + + if (default_config) + configname = make_filename (opt.homedir, "symcryptrun.conf", NULL ); + + argc = orig_argc; + argv = orig_argv; + pargs.argc = &argc; + pargs.argv = &argv; + pargs.flags= 1; /* do not remove the args */ + next_pass: + if (configname) + { + configlineno = 0; + configfp = fopen (configname, "r"); + if (!configfp) + { + if (!default_config) + { + log_error (_("option file `%s': %s\n"), + configname, strerror(errno) ); + exit(1); + } + xfree (configname); + configname = NULL; + } + default_config = 0; + } + /* Parse the command line. */ - pargs.argc = &argc; - pargs.argv = &argv; - pargs.flags = 1; /* Do not remove the args. */ - while (!no_more_options && optfile_parse (NULL, NULL, NULL, &pargs, opts)) + while (optfile_parse (configfp, configname, &configlineno, &pargs, opts)) { switch (pargs.r_opt) { @@ -800,7 +853,6 @@ case oQuiet: opt.quiet = 1; break; case oVerbose: opt.verbose++; break; case oNoVerbose: opt.verbose = 0; break; - case oHomedir: opt.homedir = pargs.r.ret_str; break; case oClass: opt.class = pargs.r.ret_str; break; case oProgram: opt.program = pargs.r.ret_str; break; @@ -808,9 +860,30 @@ case oLogFile: logfile = pargs.r.ret_str; break; - default: pargs.err = 2; break; + case oOptions: + /* Config files may not be nested (silently ignore them) */ + if (!configfp) + { + xfree(configname); + configname = xstrdup(pargs.r.ret_str); + goto next_pass; + } + break; + case oNoOptions: break; /* no-options */ + case oHomedir: /* Ignore this option here. */; break; + + default : pargs.err = configfp? 1:2; break; } } + if (configfp) + { + fclose( configfp ); + configfp = NULL; + configname = NULL; + goto next_pass; + } + xfree (configname); + configname = NULL; if (!mode) log_error (_("either %s or %s must be given\n"), From cvs at cvs.gnupg.org Mon Apr 11 13:42:31 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Mon Apr 11 13:42:36 2005 Subject: libgcrypt/src (ChangeLog cipher.h gcrypt.h) Message-ID: Date: Monday, April 11, 2005 @ 13:58:29 Author: mo Path: /cvs/libgcrypt/libgcrypt/src Modified: ChangeLog cipher.h gcrypt.h 2005-04-11 Moritz Schulte * gcrypt.h (gcry_md_algos): Added: GCRY_MD_WHIRLPOOL. * cipher.h (_gcry_digest_spec_whirlpool): Declare. -----------+ ChangeLog | 5 +++++ cipher.h | 1 + gcrypt.h | 3 ++- 3 files changed, 8 insertions(+), 1 deletion(-) Index: libgcrypt/src/ChangeLog diff -u libgcrypt/src/ChangeLog:1.162 libgcrypt/src/ChangeLog:1.163 --- libgcrypt/src/ChangeLog:1.162 Wed Mar 30 20:40:02 2005 +++ libgcrypt/src/ChangeLog Mon Apr 11 13:58:29 2005 @@ -1,3 +1,8 @@ +2005-04-11 Moritz Schulte + + * gcrypt.h (gcry_md_algos): Added: GCRY_MD_WHIRLPOOL. + * cipher.h (_gcry_digest_spec_whirlpool): Declare. + 2005-03-30 Moritz Schulte * libgcrypt.vers: Added: gcry_ac_io_init, gry_ac_io_init_va. Index: libgcrypt/src/cipher.h diff -u libgcrypt/src/cipher.h:1.18 libgcrypt/src/cipher.h:1.19 --- libgcrypt/src/cipher.h:1.18 Fri Feb 13 13:44:12 2004 +++ libgcrypt/src/cipher.h Mon Apr 11 13:58:29 2005 @@ -71,6 +71,7 @@ extern gcry_md_spec_t _gcry_digest_spec_sha512; extern gcry_md_spec_t _gcry_digest_spec_sha384; extern gcry_md_spec_t _gcry_digest_spec_tiger; +extern gcry_md_spec_t _gcry_digest_spec_whirlpool; /* Declarations for the pubkey cipher specifications. */ extern gcry_pk_spec_t _gcry_pubkey_spec_rsa; Index: libgcrypt/src/gcrypt.h diff -u libgcrypt/src/gcrypt.h:1.130 libgcrypt/src/gcrypt.h:1.131 --- libgcrypt/src/gcrypt.h:1.130 Wed Mar 30 20:40:02 2005 +++ libgcrypt/src/gcrypt.h Mon Apr 11 13:58:29 2005 @@ -962,7 +962,8 @@ GCRY_MD_MD4 = 301, GCRY_MD_CRC32 = 302, GCRY_MD_CRC32_RFC1510 = 303, - GCRY_MD_CRC24_RFC2440 = 304 + GCRY_MD_CRC24_RFC2440 = 304, + GCRY_MD_WHIRLPOOL = 305 }; /* Flags used with the open function. */ From cvs at cvs.gnupg.org Mon Apr 11 13:46:35 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Mon Apr 11 13:46:36 2005 Subject: libgcrypt/tests (ChangeLog basic.c) Message-ID: Date: Monday, April 11, 2005 @ 14:02:35 Author: mo Path: /cvs/libgcrypt/libgcrypt/tests Modified: ChangeLog basic.c 2005-04-11 Moritz Schulte * basic.c (check_digests): Add tests for Whirlpool. -----------+ ChangeLog | 4 ++++ basic.c | 27 +++++++++++++++++++++++++++ 2 files changed, 31 insertions(+) Index: libgcrypt/tests/ChangeLog diff -u libgcrypt/tests/ChangeLog:1.54 libgcrypt/tests/ChangeLog:1.55 --- libgcrypt/tests/ChangeLog:1.54 Wed Mar 30 21:05:25 2005 +++ libgcrypt/tests/ChangeLog Mon Apr 11 14:02:35 2005 @@ -1,3 +1,7 @@ +2005-04-11 Moritz Schulte + + * basic.c (check_digests): Add tests for Whirlpool. + 2005-03-30 Moritz Schulte * ac-schemes.c: New file. Index: libgcrypt/tests/basic.c diff -u libgcrypt/tests/basic.c:1.27 libgcrypt/tests/basic.c:1.28 --- libgcrypt/tests/basic.c:1.27 Fri Oct 31 06:06:05 2003 +++ libgcrypt/tests/basic.c Mon Apr 11 14:02:35 2005 @@ -757,6 +757,33 @@ "TUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+-", "00B83EB4E53440C5 76AC6AAEE0A74858 25FD15E70A59FFE4" }, #endif + { GCRY_MD_WHIRLPOOL, "", + "\x19\xFA\x61\xD7\x55\x22\xA4\x66\x9B\x44\xE3\x9C\x1D\x2E\x17\x26" + "\xC5\x30\x23\x21\x30\xD4\x07\xF8\x9A\xFE\xE0\x96\x49\x97\xF7\xA7" + "\x3E\x83\xBE\x69\x8B\x28\x8F\xEB\xCF\x88\xE3\xE0\x3C\x4F\x07\x57" + "\xEA\x89\x64\xE5\x9B\x63\xD9\x37\x08\xB1\x38\xCC\x42\xA6\x6E\xB3" }, + { GCRY_MD_WHIRLPOOL, "a", + "\x8A\xCA\x26\x02\x79\x2A\xEC\x6F\x11\xA6\x72\x06\x53\x1F\xB7\xD7" + "\xF0\xDF\xF5\x94\x13\x14\x5E\x69\x73\xC4\x50\x01\xD0\x08\x7B\x42" + "\xD1\x1B\xC6\x45\x41\x3A\xEF\xF6\x3A\x42\x39\x1A\x39\x14\x5A\x59" + "\x1A\x92\x20\x0D\x56\x01\x95\xE5\x3B\x47\x85\x84\xFD\xAE\x23\x1A" }, + { GCRY_MD_WHIRLPOOL, "a", + "\x8A\xCA\x26\x02\x79\x2A\xEC\x6F\x11\xA6\x72\x06\x53\x1F\xB7\xD7" + "\xF0\xDF\xF5\x94\x13\x14\x5E\x69\x73\xC4\x50\x01\xD0\x08\x7B\x42" + "\xD1\x1B\xC6\x45\x41\x3A\xEF\xF6\x3A\x42\x39\x1A\x39\x14\x5A\x59" + "\x1A\x92\x20\x0D\x56\x01\x95\xE5\x3B\x47\x85\x84\xFD\xAE\x23\x1A" }, + { GCRY_MD_WHIRLPOOL, + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", + "\xDC\x37\xE0\x08\xCF\x9E\xE6\x9B\xF1\x1F\x00\xED\x9A\xBA\x26\x90" + "\x1D\xD7\xC2\x8C\xDE\xC0\x66\xCC\x6A\xF4\x2E\x40\xF8\x2F\x3A\x1E" + "\x08\xEB\xA2\x66\x29\x12\x9D\x8F\xB7\xCB\x57\x21\x1B\x92\x81\xA6" + "\x55\x17\xCC\x87\x9D\x7B\x96\x21\x42\xC6\x5F\x5A\x7A\xF0\x14\x67" }, + { GCRY_MD_WHIRLPOOL, + "!", + "\x0C\x99\x00\x5B\xEB\x57\xEF\xF5\x0A\x7C\xF0\x05\x56\x0D\xDF\x5D" + "\x29\x05\x7F\xD8\x6B\x20\xBF\xD6\x2D\xEC\xA0\xF1\xCC\xEA\x4A\xF5" + "\x1F\xC1\x54\x90\xED\xDC\x47\xAF\x32\xBB\x2B\x66\xC3\x4F\xF9\xAD" + "\x8C\x60\x08\xAD\x67\x7F\x77\x12\x69\x53\xB2\x26\xE4\xED\x8B\x01" }, { 0 }, }; int i; From cvs at cvs.gnupg.org Mon Apr 11 13:48:51 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Mon Apr 11 13:48:54 2005 Subject: libgcrypt/doc (ChangeLog gcrypt.texi) Message-ID: Date: Monday, April 11, 2005 @ 14:04:51 Author: mo Path: /cvs/libgcrypt/libgcrypt/doc Modified: ChangeLog gcrypt.texi 2005-04-11 Moritz Schulte * gcrypt.texi (Available hash algorithms): Add entry for Whirlpool. 2005-03-30 Moritz Schulte * gcrypt.texi (Working with IO objects): Document ac io objects; adjust ac scheme functions, which do now use io objects. -------------+ ChangeLog | 9 ++ gcrypt.texi | 184 ++++++++++++++++++++++++++++++++++++++++++++++------------ 2 files changed, 158 insertions(+), 35 deletions(-) Index: libgcrypt/doc/ChangeLog diff -u libgcrypt/doc/ChangeLog:1.46 libgcrypt/doc/ChangeLog:1.47 --- libgcrypt/doc/ChangeLog:1.46 Sat Mar 19 19:56:32 2005 +++ libgcrypt/doc/ChangeLog Mon Apr 11 14:04:51 2005 @@ -1,3 +1,12 @@ +2005-04-11 Moritz Schulte + + * gcrypt.texi (Available hash algorithms): Add entry for Whirlpool. + +2005-03-30 Moritz Schulte + + * gcrypt.texi (Working with IO objects): Document ac io objects; + adjust ac scheme functions, which do now use io objects. + 2005-03-19 Moritz Schulte * gcrypt.texi (Working with cipher handles): Clarify CTS mode. Index: libgcrypt/doc/gcrypt.texi diff -u libgcrypt/doc/gcrypt.texi:1.48 libgcrypt/doc/gcrypt.texi:1.49 --- libgcrypt/doc/gcrypt.texi:1.48 Sat Mar 19 19:56:32 2005 +++ libgcrypt/doc/gcrypt.texi Mon Apr 11 14:04:51 2005 @@ -1572,6 +1572,10 @@ This is the OpenPGP cyclic redundancy check function. It yields an output of 3 bytes. +@item GCRY_MD_WHIRLPOOL +This is the Whirlpool algorithm which yields a message digest of 64 +bytes. + @end table @c end table of hash algorithms @@ -2662,6 +2666,7 @@ @menu * Available asymmetric algorithms:: List of algorithms supported by the library. * Working with sets of data:: How to work with sets of data. +* Working with IO objects:: How to work with IO objects. * Working with handles:: How to use handles. * Working with keys:: How to work with keys. * Using cryptographic functions:: How to perform cryptographic operations. @@ -2696,7 +2701,8 @@ In the context of this interface the term `data set' refers to a list of `named MPI values' that is used by functions performing -cryptographic operations. +cryptographic operations; a named MPI value is a an MPI value, +associated with a label. Such data sets are used for representing keys, since keys simply consist of a variable amount of numbers. Furthermore some functions @@ -2704,10 +2710,10 @@ functions. This section documents the data types, symbols and functions that are -relevant for working with such data sets. +relevant for working with data sets. @deftp {Data type} gcry_ac_data_t -A data set, that is simply a list of named MPI values. +A single data set. @end deftp The following flags are supported: @@ -2715,7 +2721,10 @@ @table @code @item GCRY_AC_FLAG_DEALLOC Used for storing data in a data set. If given, the data will be -released by the library. +released by the library. Note that whenever one of the ac functions +is about to release objects because of this flag, the objects are +expected to be stored in memory allocated through the Libgcrypt memory +management. In other words: gcry_free() is used instead of free(). @item GCRY_AC_FLAG_COPY Used for storing/retrieving data in/from a data set. If given, the @@ -2741,7 +2750,8 @@ @end deftypefun @deftypefun gcry_error_t gcry_ac_data_copy (gcry_ac_data_t *@var{data_cp}, gcry_ac_data_t @var{data}) -Create a copy of the data set @var{data} and store it in @var{data_cp}. +Create a copy of the data set @var{data} and store it in +@var{data_cp}. FIXME: exact semantics undefined. @end deftypefun @deftypefun unsigned int gcry_ac_data_length (gcry_ac_data_t @var{data}) @@ -2752,7 +2762,9 @@ @deftypefun gcry_error_t gcry_ac_data_get_name (gcry_ac_data_t @var{data}, unsigned int @var{flags}, char *@var{name}, gcry_mpi_t *@var{mpi}) Store the value labelled with @var{name} found in @var{data} in @var{mpi}. If @var{flags} contains GCRY_AC_FLAG_COPY, store a copy of -the @var{mpi} value contained in the data set. @var{mpi} may be NULL. +the @var{mpi} value contained in the data set. @var{mpi} may be NULL +(this might be useful for checking the existence of an MPI with +extracting it). @end deftypefun @deftypefun gcry_error_t gcry_ac_data_get_index (gcry_ac_data_t @var{data}, unsigned int flags, unsigned int @var{index}, const char **@var{name}, gcry_mpi_t *@var{mpi}) @@ -2766,6 +2778,104 @@ Destroys any values contained in the data set @var{data}. @end deftypefun +@deftypefun gcry_error_t gcry_ac_data_to_sexp (gcry_ac_data_t @var{data}, gcry_sexp_t *@var{sexp}, const char **@var{identifiers}) +This function converts the data set @var{data} into a newly created +S-Expression, which is to be stored in @var{sexp}; @var{identifiers} +is a NULL terminated list of C strings, which specifies the structure +of the S-Expression. + +Example: + +If @var{identifiers} is a list of pointers to the strings ``foo'' and +``bar'' and if @var{data} is a data set containing the values ``val1 = +0x01'' and ``val2 = 0x02'', then the resulting S-Expression will look +like this: (foo (bar ((val1 0x01) (val2 0x02))). +@end deftypefun + +@deftypefun gcry_error gcry_ac_data_from_sexp (gcry_ac_data_t *@var{data}, gcry_sexp_t @var{sexp}, const char **@var{identifiers}) +This function converts the S-Expression @var{sexp} into a newly +created data set, which is to be stored in @var{data}; +@var{identifiers} is a NULL terminated list of C strings, which +specifies the structure of the S-Expression. If the list of +identifiers does not match the structure of the S-Expression, the +function fails. +@end deftypefun + +@node Working with IO objects +@section Working with IO objects + +Note: IO objects are currently only used in the context of message +encoding/decoding and encryption/signature schemes. + +@deftp {Data type} {gcry_ac_io_t} +@code{gcry_ac_io_t} is the type to be used for IO objects. +@end deftp + +IO objects provide an uniform IO layer on top of different underlying +IO mechanisms; either they can be used for providing data to the +library (mode is GCRY_AC_IO_READABLE) or they can be used for +retrieving data from the library (mode is GCRY_AC_IO_WRITABLE). + +IO object need to be initialized by calling on of the following +functions: + +@deftypefun void gcry_ac_io_init (gcry_ac_io_t *@var{ac_io}, gcry_ac_io_mode_t @var{mode}, gcry_ac_io_type_t @var{type}, ...); +Initialize @var{ac_io} according to @var{mode}, @var{type} and the +variable list of arguments. The list of variable arguments to specify +depends on the given @var{type}. +@end deftypefun + +@deftypefun void gcry_ac_io_init_va (gcry_ac_io_t *@var{ac_io}, gcry_ac_io_mode_t @var{mode}, gcry_ac_io_type_t @var{type}, va_list @var{ap}); +Initialize @var{ac_io} according to @var{mode}, @var{type} and the +variable list of arguments @var{ap}. The list of variable arguments +to specify depends on the given @var{type}. +@end deftypefun + +The following types of IO objects exist: + +@table @code +@item GCRY_AC_IO_STRING +In case of GCRY_AC_IO_READABLE the IO object will provide data from a +memory string. Arguments to specify at initialization time: +@table @code +@item unsigned char * +Pointer to the beginning of the memory string +@item size_t +Size of the memory string +@end table +In case of GCRY_AC_IO_WRITABLE the object will store retrieved data in +a newly allocated memory string. Arguments to specify at +initialization time: +@table @code +@item unsigned char ** +Pointer to address, at which the pointer to the newly created memory +string is to be stored +@item size_t * +Pointer to address, at which the size of the newly created memory +string is to be stored +@end table + +@item GCRY_AC_IO_CALLBACK +In case of GCRY_AC_IO_READABLE the object will forward read requests +to a provided callback function. Arguments to specify at +initialization time: +@table @code +@item gcry_ac_data_read_cb_t +Callback function to use +@item void * +Opaque argument to provide to the callback function +@end table +In case of GCRY_AC_IO_WRITABLE the object will forward write requests +to a provided callback function. Arguments to specify at +initialization time: +@table @code +@item gcry_ac_data_write_cb_t +Callback function to use +@item void * +Opaque argument to provide to the callback function +@end table +@end table + @node Working with handles @section Working with handles @@ -2775,7 +2885,7 @@ @deftypefun gcry_error_t gcry_ac_open (gcry_ac_handle_t *@var{handle}, int @var{algorithm}, int @var{flags}) Creates a new handle for the algorithm @var{algorithm} and stores it -in @var{handle}. @var{flags} is not used yet. +in @var{handle}. @var{flags} is not used currently. @var{algorithm} must be a valid algorithm ID, see @xref{Available algorithms}, for a list of supported algorithms and the according @@ -2839,7 +2949,7 @@ has the following meanings: @table @code @item = 0 -Let @acronym{Libgcrypt} device what exponent should be used. +Let @acronym{Libgcrypt} decide what exponent should be used. @item = 1 Request the use of a ``secure'' exponent; this is required by some specification to be 65537. @@ -3026,33 +3136,37 @@ The functions implementing schemes: -@deftypefun gcry_error_t gcry_ac_data_encrypt_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key_public}, unsigned char *@var{m}, size_t @var{m_n}, unsigned char **@var{c}, size_t *@var{c_n}) -Encrypts the plain text contained in @var{m} of size @var{m_n} through -@var{handle} and @var{key_public} according to @var{scheme}, -@var{flags} and @var{opts}. The encrypted message is stored in -@var{c} and @var{c_n}. -@end deftypefun - -@deftypefun gcry_error_t gcry_ac_data_decrypt_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key_secret}, unsigned char *@var{c}, size_t @var{c_n}, unsigned char **@var{m}, size_t *@var{m_n}) -Decrypts the cipher text contained in @var{c} of size @var{c_n} -through @var{handle} and @var{key_secret} according to @var{scheme}, -@var{flags} and @var{opts}. The decrypted message is stored in -@var{m} and @var{m_n}. -@end deftypefun - -@deftypefun gcry_error_t gcry_ac_data_sign_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key_secret}, unsigned char *@var{m}, size_t @var{m_n}, unsigned char **@var{s}, size_t *@var{s_n}) -Signs the message contained in @var{m} of size @var{m_n} through -@var{handle} and @var{key_secret} according to @var{scheme}, -@var{flags} and @var{opts}. The signature is stored in @var{s} and -@var{s_n}. -@end deftypefun - -@deftypefun gcry_error_t gcry_ac_data_verify_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key_public}, unsigned char *@var{m}, size_t @var{m_n}, unsigned char *@var{s}, size_t @var{s_n}) -Verifies that the signature contained in @var{s} and @var{s_n} is -indeed the result of signing the message contained in @var{m} of size -@var{m_n} through @var{handle} and the secret key belonging to -@var{key_public} according to @var{scheme}, @var{flags} and -@var{opts}. +@deftypefun gcry_error_t gcry_ac_data_encrypt_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key}, gcry_ac_io_t *@var{io_message}, gcry_ac_io_t *@var{io_cipher}) +Encrypts the plain text readable from @var{io_message} through +@var{handle} with the public key @var{key} according to @var{scheme}, +@var{flags} and @var{opts}. If @var{opts} is not NULL, it has to be a +pointer to a structure specific to the chosen scheme (gcry_ac_es_*_t). +The encrypted message is written to @var{io_cipher}. +@end deftypefun + +@deftypefun gcry_error_t gcry_ac_data_decrypt_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key}, gcry_ac_io_t *@var{io_cipher}, gcry_ac_io_t *@var{io_message}) +Decrypts the cipher text readable from @var{io_cipher} through +@var{handle} with the secret key @var{key} according to @var{scheme}, +@var{flags} and @var{opts}. If @var{opts} is not NULL, it has to be a +pointer to a structure specific to the chosen scheme (gcry_ac_es_*_t). +The decrypted message is written to @var{io_message}. +@end deftypefun + +@deftypefun gcry_error_t gcry_ac_data_sign_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key}, gcry_ac_io_t *@var{io_message}, gcry_ac_io_t *@var{io_signature}) +Signs the message readable from @var{io_message} through @var{handle} +with the secret key @var{key} according to @var{scheme}, @var{flags} +and @var{opts}. If @var{opts} is not NULL, it has to be a pointer to +a structure specific to the chosen scheme (gcry_ac_ssa_*_t). The +signature is written to @var{io_signature}. +@end deftypefun + +@deftypefun gcry_error_t gcry_ac_data_verify_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key}, gcry_ac_io_t *@var{io_message}, gcry_ac_io_t *@var{io_signature}) +Verifies through @var{handle} that the signature readable from +@var{io_signature} is indeed the result of signing the message +readable from @var{io_message} with the secret key belonging to the +public key @var{key} according to @var{scheme} and @var{opts}. If +@var{opts} is not NULL, it has to be an anonymous structure +(gcry_ac_ssa_*_t) specific to the chosen scheme. @end deftypefun @node Handle-independent functions From cvs at cvs.gnupg.org Mon Apr 11 13:50:25 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Mon Apr 11 13:50:28 2005 Subject: libgcrypt (ChangeLog configure.ac) Message-ID: Date: Monday, April 11, 2005 @ 14:06:25 Author: mo Path: /cvs/libgcrypt/libgcrypt Modified: ChangeLog configure.ac 2005-04-11 Moritz Schulte * configure.ac: Integrate Whirlpool. --------------+ ChangeLog | 4 ++++ configure.ac | 9 +++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) Index: libgcrypt/ChangeLog diff -u libgcrypt/ChangeLog:1.165 libgcrypt/ChangeLog:1.166 --- libgcrypt/ChangeLog:1.165 Tue Feb 22 18:54:27 2005 +++ libgcrypt/ChangeLog Mon Apr 11 14:06:25 2005 @@ -1,3 +1,7 @@ +2005-04-11 Moritz Schulte + + * configure.ac: Integrate Whirlpool. + 2005-01-04 Werner Koch Updated to automake 1.9. Index: libgcrypt/configure.ac diff -u libgcrypt/configure.ac:1.73 libgcrypt/configure.ac:1.74 --- libgcrypt/configure.ac:1.73 Tue Feb 22 18:54:27 2005 +++ libgcrypt/configure.ac Mon Apr 11 14:06:25 2005 @@ -19,7 +19,7 @@ # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA # # (Process this file with autoconf to produce a configure script.) -AC_REVISION($Revision: 1.73 $) +AC_REVISION($Revision: 1.74 $) AC_PREREQ(2.59) min_automake_version="1.9.3" @@ -96,7 +96,7 @@ # Definitions for message digests. available_digests="crc md4 md5 rmd160 sha1 sha256" -available_digests_64="sha512 tiger" +available_digests_64="sha512 tiger whirlpool" enabled_digests="" # Definitions for random modules. @@ -738,6 +738,11 @@ AC_DEFINE_UNQUOTED(USE_TIGER, $found, [Defined if this module should be included]) +LIST_MEMBER(whirlpool, $enabled_digests) +test "$found" = "1" && GCRYPT_DIGESTS="$GCRYPT_DIGESTS whirlpool.lo" +AC_DEFINE_UNQUOTED(USE_WHIRLPOOL, $found, + [Defined if this module should be included]) + # rmd160 and sha1 should be included always. GCRYPT_DIGESTS="$GCRYPT_DIGESTS rmd160.lo sha1.lo" AC_DEFINE_UNQUOTED(USE_RMD160, 1, [Defined if this module should be included]) From cvs at cvs.gnupg.org Mon Apr 11 17:53:17 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Mon Apr 11 17:53:20 2005 Subject: GNUPG-1-9-BRANCH gnupg/agent (call-scd.c divert-scd.c) Message-ID: Date: Monday, April 11, 2005 @ 18:09:18 Author: wk Path: /cvs/gnupg/gnupg/agent Tag: GNUPG-1-9-BRANCH Modified: call-scd.c divert-scd.c typo fixes --------------+ call-scd.c | 2 +- divert-scd.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) Index: gnupg/agent/call-scd.c diff -u gnupg/agent/call-scd.c:1.13.2.11 gnupg/agent/call-scd.c:1.13.2.12 --- gnupg/agent/call-scd.c:1.13.2.11 Fri Feb 25 17:14:55 2005 +++ gnupg/agent/call-scd.c Mon Apr 11 18:09:18 2005 @@ -87,7 +87,7 @@ /* This function must be called once to initialize this module. This has to be done before a second thread is spawned. We can't do the static initialization because Pth emulation code might not be able - to do a static init; in particualr, it is not possible for W32. */ + to do a static init; in particular, it is not possible for W32. */ void initialize_module_call_scd (void) { Index: gnupg/agent/divert-scd.c diff -u gnupg/agent/divert-scd.c:1.14.2.4 gnupg/agent/divert-scd.c:1.14.2.5 --- gnupg/agent/divert-scd.c:1.14.2.4 Sat Feb 21 14:05:22 2004 +++ gnupg/agent/divert-scd.c Mon Apr 11 18:09:18 2005 @@ -112,7 +112,7 @@ because the scdaemon is currently not always able to detect the presence of a card. With a fully working scdaemon this would not be required; i.e. the pkcs#15 - support does not require it becuase OpenSC correclty + support does not require it because OpenSC correclty detects a present card. */ agent_reset_scd (ctrl); if (asprintf (&desc, From cvs at cvs.gnupg.org Mon Apr 11 17:54:07 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Mon Apr 11 17:54:09 2005 Subject: GNUPG-1-9-BRANCH gnupg/common (ChangeLog Makefile.am util.h) Message-ID: Date: Monday, April 11, 2005 @ 18:10:03 Author: wk Path: /cvs/gnupg/gnupg/common Tag: GNUPG-1-9-BRANCH Modified: ChangeLog Makefile.am util.h * sexputil.c: New. -------------+ ChangeLog | 6 +++++- Makefile.am | 1 + util.h | 3 +++ 3 files changed, 9 insertions(+), 1 deletion(-) Index: gnupg/common/ChangeLog diff -u gnupg/common/ChangeLog:1.30.2.46 gnupg/common/ChangeLog:1.30.2.47 --- gnupg/common/ChangeLog:1.30.2.46 Mon Apr 11 00:12:31 2005 +++ gnupg/common/ChangeLog Mon Apr 11 18:10:03 2005 @@ -1,3 +1,7 @@ +2005-04-07 Werner Koch + + * sexputil.c: New. + 2005-04-11 Marcus Brinkmann * simple-pwquery.c (simple_pwquery): Use spwq_secure_free. @@ -442,7 +446,7 @@ (atoi_1,atoi_2,atoi_4,xtoi_1,xtoi_2): New. - Copyright 2001, 2002 Free Software Foundation, Inc. + Copyright 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without Index: gnupg/common/Makefile.am diff -u gnupg/common/Makefile.am:1.15.2.13 gnupg/common/Makefile.am:1.15.2.14 --- gnupg/common/Makefile.am:1.15.2.13 Thu Mar 3 11:15:07 2005 +++ gnupg/common/Makefile.am Mon Apr 11 18:10:03 2005 @@ -27,6 +27,7 @@ util.h i18n.h \ errors.h \ sexp-parse.h \ + sexputil.c \ maperror.c \ sysutils.c sysutils.h \ homedir.c \ Index: gnupg/common/util.h diff -u gnupg/common/util.h:1.12.2.15 gnupg/common/util.h:1.12.2.16 --- gnupg/common/util.h:1.12.2.15 Fri Feb 25 17:14:55 2005 +++ gnupg/common/util.h Mon Apr 11 18:10:03 2005 @@ -120,6 +120,9 @@ const void *buffer, size_t nbytes); gpg_error_t b64enc_finish (struct b64state *state); +/*-- sexputil.c */ +gpg_error_t keygrip_from_canon_sexp (const unsigned char *key, size_t keylen, + unsigned char *grip); /*-- homedir. c --*/ const char *default_homedir (void); From cvs at cvs.gnupg.org Mon Apr 11 18:04:09 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Mon Apr 11 18:04:12 2005 Subject: GNUPG-1-9-BRANCH gnupg/scd (ChangeLog app-openpgp.c app.c ccid-driver.c command.c) Message-ID: Date: Monday, April 11, 2005 @ 18:20:10 Author: wk Path: /cvs/gnupg/gnupg/scd Tag: GNUPG-1-9-BRANCH Modified: ChangeLog app-openpgp.c app.c ccid-driver.c command.c * app-openpgp.c (do_check_pin): Add hack to allow verification of CHV3. (get_public_key): Don't use gcry functions to create S-expressions. (do_deinit, do_readkey, do_genkey, send_keypair_info): Adjust for above change. ---------------+ ChangeLog | 30 +++++++++++ app-openpgp.c | 146 ++++++++++++++++++++++++++++++++++++++------------------ app.c | 2 ccid-driver.c | 89 +++++++++++++++++++++++----------- command.c | 66 ++++++++++++++++++------- 5 files changed, 242 insertions(+), 91 deletions(-) Index: gnupg/scd/ChangeLog diff -u gnupg/scd/ChangeLog:1.25.2.71 gnupg/scd/ChangeLog:1.25.2.72 --- gnupg/scd/ChangeLog:1.25.2.71 Tue Mar 29 22:46:18 2005 +++ gnupg/scd/ChangeLog Mon Apr 11 18:20:10 2005 @@ -1,3 +1,11 @@ +2005-04-07 Werner Koch + + * app-openpgp.c (do_check_pin): Add hack to allow verification of + CHV3. + (get_public_key): Don't use gcry functions to create S-expressions. + (do_deinit, do_readkey, do_genkey, send_keypair_info): Adjust for + above change. + 2005-03-29 Moritz Schulte * app-openpgp.c (retrieve_fpr_from_card): New function. @@ -6,6 +14,19 @@ (get_public_key): Implement retrival of key through expernal helper (gpg) in case the openpgp card is not cooperative enough. +2005-03-16 Werner Koch + + * ccid-driver.c (parse_ccid_descriptor): Make SCM workaround + reader type specific. + (scan_or_find_devices): Do not check the interface subclass in the + SPR532 kludge, as this depends on the firmware version. + (ccid_get_atr): Get the Slot status first. This solves the + problem with readers hanging on recent Linux 2.6.x. + (bulk_in): Add argument TIMEOUT and changed all callers to pass an + appropriate one. Change the standard timeout from 10 to 5 seconds. + (ccid_slot_status): Add a retry code with an initial short timeout. + (do_close_reader): Do an usb_reset before closing the reader. + 2005-02-25 Werner Koch * app-openpgp.c (get_public_key): Make sure not to return negative @@ -42,6 +63,15 @@ (reset_pcsc_reader, pcsc_get_status, pcsc_send_apdu) (open_pcsc_reader): Do proper error code mapping. +2005-03-16 Werner Koch + + * ccid-driver.c (parse_ccid_descriptor): Make SCM workaround + reader type specific. + (scan_or_find_devices): Do not check the interface subclass in the + SPR532 kludge, as this depends on the firmware version. + (ccid_get_atr): Get the Slot status first. This solves the + problem with readers hanging on recent Linux 2.6.x. + 2005-02-22 Werner Koch * app-openpgp.c (app_local_s): New field PK. Index: gnupg/scd/app-openpgp.c diff -u gnupg/scd/app-openpgp.c:1.9.2.28 gnupg/scd/app-openpgp.c:1.9.2.29 --- gnupg/scd/app-openpgp.c:1.9.2.28 Tue Mar 29 22:46:18 2005 +++ gnupg/scd/app-openpgp.c Mon Apr 11 18:20:10 2005 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA * - * $Id: app-openpgp.c,v 1.9.2.28 2005/03/29 20:46:18 mo Exp $ + * $Id: app-openpgp.c,v 1.9.2.29 2005/04/11 16:20:10 wk Exp $ */ #include @@ -108,7 +108,14 @@ struct { int read_done; /* True if we have at least tried to read them. */ - gcry_sexp_t key; /* Might be NULL if key is not available. */ + unsigned char *key; /* This is a malloced buffer with a canonical + encoded S-expression encoding a public + key. Might be NULL if key is not + available. */ + size_t keylen; /* The length of the above S-expression. Thsi + is usullay only required for corss checks + because the length of an S-expression is + implicitly available. */ } pk[3]; /* Keep track of card capabilities. */ @@ -156,7 +163,7 @@ for (i=0; i < DIM (app->app_local->pk); i++) { - gcry_sexp_release (app->app_local->pk[i].key); + xfree (app->app_local->pk[i].key); app->app_local->pk[i].read_done = 0; } xfree (app->app_local); @@ -864,6 +871,10 @@ mpi = NULL; ret = 0; +#warning This part should get rewritten for clarity + /* We should use an algorithm similar to the one used by gpgme. + This will reduce the size of the code at least by 50%. [wk] */ + while (1) { /* FIXME? */ @@ -1041,7 +1052,9 @@ presence of the app->app_local->pk[KEYNO-1].key field. Note that GnuPG 1.x does not need this and it would be too time - consuming to send it just for the fun of it. */ + consuming to send it just for the fun of it. However, given that we + use the same code in gpg 1.4, we can't use the gcry S-expresion + here but need to open encode it. */ #if GNUPG_MAJOR_VERSION > 1 static gpg_error_t get_public_key (app_t app, int keyno) @@ -1050,9 +1063,10 @@ unsigned char *buffer; const unsigned char *keydata, *m, *e; size_t buflen, keydatalen, mlen, elen; - gcry_sexp_t sexp; unsigned char *mbuf = NULL; unsigned char *ebuf = NULL; + unsigned char *keybuf = NULL; + unsigned char *keybuf_p; if (keyno < 1 || keyno > 3) return gpg_error (GPG_ERR_INV_ID); @@ -1062,8 +1076,9 @@ if (app->app_local->pk[keyno].read_done) return 0; - gcry_sexp_release (app->app_local->pk[keyno].key); + xfree (app->app_local->pk[keyno].key); app->app_local->pk[keyno].key = NULL; + app->app_local->pk[keyno].keylen = 0; if (app->card_version > 0x0100) { @@ -1191,16 +1206,29 @@ buffer = NULL; } - err = gcry_sexp_build (&sexp, NULL, - "(public-key (rsa (n %b) (e %b)))", - (int)mlen, m,(int)elen, e); - if (err) + /* Allocate a buffer to construct the S-expression. */ + /* FIXME: We should provide a generalized S-expression creation + mechanism. */ + keybuf = xtrymalloc (50 + 2*35 + mlen + elen + 1); + if (!keybuf) { - log_error ("error formatting the key into an S-expression: %s\n", - gpg_strerror (err)); + err = gpg_error_from_errno (errno); goto leave; } - app->app_local->pk[keyno].key = sexp; + + sprintf (keybuf, "(10:public-key(3:rsa(1:n%u", (unsigned int) mlen); + keybuf_p = keybuf + strlen (keybuf); + memcpy (keybuf_p, m, mlen); + keybuf_p += mlen; + sprintf (keybuf_p, ")(1:e%u", (unsigned int)elen); + keybuf_p += strlen (keybuf_p); + memcpy (keybuf_p, e, elen); + keybuf_p += elen; + strcpy (keybuf_p, ")))"); + keybuf_p += strlen (keybuf_p); + + app->app_local->pk[keyno].key = keybuf; + app->app_local->pk[keyno].keylen = (keybuf_p - keybuf); leave: /* Set a flag to indicate that we tried to read the key. */ @@ -1224,7 +1252,6 @@ /* Note that GnuPG 1.x does not need this and it would be too time consuming to send it just for the fun of it. */ #if GNUPG_MAJOR_VERSION > 1 - gcry_sexp_t sexp; unsigned char grip[20]; char gripstr[41]; char idbuf[50]; @@ -1235,15 +1262,14 @@ goto leave; assert (keyno >= 1 && keyno <= 3); - sexp = app->app_local->pk[keyno-1].key; - if (!sexp) - goto leave; /* No such key. */ + if (!app->app_local->pk[keyno-1].key) + goto leave; /* No such key - ignore. */ - if (!gcry_pk_get_keygrip (sexp, grip)) - { - err = gpg_error (GPG_ERR_INTERNAL); - goto leave; - } + err = keygrip_from_canon_sexp (app->app_local->pk[keyno-1].key, + app->app_local->pk[keyno-1].keylen, + grip); + if (err) + goto leave; for (i=0; i < 20; i++) sprintf (gripstr+i*2, "%02X", grip[i]); @@ -1303,9 +1329,7 @@ { gpg_error_t err; int keyno; - size_t n; unsigned char *buf; - gcry_sexp_t sexp; if (!strcmp (keyid, "OPENPGP.1")) keyno = 1; @@ -1320,24 +1344,11 @@ if (err) return err; - sexp = app->app_local->pk[keyno-1].key; - if (!sexp) - return gpg_error (GPG_ERR_NO_PUBKEY); - - n = gcry_sexp_sprint (sexp, GCRYSEXP_FMT_CANON, NULL, 0); - if (!n) - return gpg_error (GPG_ERR_BUG); - buf = xtrymalloc (n); + buf = app->app_local->pk[keyno-1].key; if (!buf) - return gpg_error_from_errno (errno); - n = gcry_sexp_sprint (sexp, GCRYSEXP_FMT_CANON, buf, n); - if (!n) - { - xfree (buf); - return gpg_error (GPG_ERR_BUG); - } + return gpg_error (GPG_ERR_NO_PUBKEY); *pk = buf; - *pklen = n; + *pklen = app->app_local->pk[keyno-1].keylen;; return 0; } @@ -1590,7 +1601,7 @@ else app->did_chv1 = app->did_chv2 = 0; - /* Note to translators: Do not translate the "|*|" prefixes but + /* TRANSLATORS: Do not translate the "|*|" prefixes but keep it at the start of the string. We need this elsewhere to get some infos on the string. */ rc = pincb (pincb_arg, chvno == 3? _("|AN|New Admin PIN") : _("|N|New PIN"), @@ -1661,7 +1672,9 @@ flush_cache (app); /* Obviously we need to remove the cached public key. */ - gcry_sexp_release (app->app_local->pk[keyno].key); + xfree (app->app_local->pk[keyno].key); + app->app_local->pk[keyno].key = NULL; + app->app_local->pk[keyno].keylen = 0; app->app_local->pk[keyno].read_done = 0; /* Check whether a key already exists. */ @@ -2142,7 +2155,11 @@ cheap check on the PIN: If there is something wrong with the PIN entry system, only the regular CHV will get blocked and not the dangerous CHV3. KEYIDSTR is the usual card's serial number; an - optional fingerprint part will be ignored. */ + optional fingerprint part will be ignored. + + There is a special mode if the keyidstr is "[CHV3]" with + the "[CHV3]" being a literal string: The Admin Pin is checked if + and only if the retry counter is still at 3. */ static int do_check_pin (app_t app, const char *keyidstr, int (pincb)(void*, const char *, char **), @@ -2151,6 +2168,7 @@ unsigned char tmp_sn[20]; const char *s; int n; + int admin_pin = 0; if (!keyidstr || !*keyidstr) return gpg_error (GPG_ERR_INV_VALUE); @@ -2167,6 +2185,8 @@ ; /* No fingerprint given: we allow this for now. */ else if (*s == '/') ; /* We ignore a fingerprint. */ + else if (!strcmp (s, "[CHV3]") ) + admin_pin = 1; else return gpg_error (GPG_ERR_INV_ID); @@ -2177,12 +2197,46 @@ return gpg_error (GPG_ERR_INV_CARD); if (memcmp (app->serialno, tmp_sn, 16)) return gpg_error (GPG_ERR_WRONG_CARD); + /* Yes, there is a race conditions: The user might pull the card right here and we won't notice that. However this is not a problem and the check above is merely for a graceful failure between operations. */ - return verify_chv2 (app, pincb, pincb_arg); + if (admin_pin) + { + void *relptr; + unsigned char *value; + size_t valuelen; + int count; + + relptr = get_one_do (app, 0x00C4, &value, &valuelen, NULL); + if (!relptr || valuelen < 7) + { + log_error (_("error retrieving CHV status from card\n")); + xfree (relptr); + return gpg_error (GPG_ERR_CARD); + } + count = value[6]; + xfree (relptr); + + if (!count) + { + log_info (_("card is permanently locked!\n")); + return gpg_error (GPG_ERR_BAD_PIN); + } + else if (value[6] < 3) + { + log_info (_("verification of Admin PIN is currently prohibited " + "through this command\n")); + return gpg_error (GPG_ERR_GENERAL); + } + + app->did_chv3 = 0; /* Force verification. */ + return verify_chv3 (app, pincb, pincb_arg); + } + else + return verify_chv2 (app, pincb, pincb_arg); } @@ -2415,7 +2469,9 @@ flush_cache (app); - gcry_sexp_release (app->app_local->pk[keyno].key); + xfree (app->app_local->pk[keyno].key); + app->app_local->pk[keyno].key = NULL; + app->app_local->pk[keyno].keylen = 0; app->app_local->pk[keyno].read_done = 0; rc = iso7816_put_data (app->slot, Index: gnupg/scd/app.c diff -u gnupg/scd/app.c:1.3.2.13 gnupg/scd/app.c:1.3.2.14 --- gnupg/scd/app.c:1.3.2.13 Fri Feb 25 17:14:54 2005 +++ gnupg/scd/app.c Mon Apr 11 18:20:10 2005 @@ -489,7 +489,7 @@ /* Perform a VERIFY operation without doing anything lese. This may - be used to initialze a the PION cache for long lasting other + be used to initialze a the PIN cache for long lasting other operations. Its use is highly application dependent. */ int app_check_pin (APP app, const char *keyidstr, Index: gnupg/scd/ccid-driver.c diff -u gnupg/scd/ccid-driver.c:1.1.2.24 gnupg/scd/ccid-driver.c:1.1.2.25 --- gnupg/scd/ccid-driver.c:1.1.2.24 Thu Feb 3 14:20:57 2005 +++ gnupg/scd/ccid-driver.c Mon Apr 11 18:20:10 2005 @@ -1,5 +1,5 @@ /* ccid-driver.c - USB ChipCardInterfaceDevices driver - * Copyright (C) 2003, 2004 Free Software Foundation, Inc. + * Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. * Written by Werner Koch. * * This file is part of GnuPG. @@ -52,7 +52,7 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * - * $Id: ccid-driver.c,v 1.1.2.24 2005/02/03 13:20:57 wk Exp $ + * $Date: 2005/04/11 16:20:10 $ */ @@ -223,7 +223,7 @@ int use_crc); static int bulk_out (ccid_driver_t handle, unsigned char *msg, size_t msglen); static int bulk_in (ccid_driver_t handle, unsigned char *buffer, size_t length, - size_t *nread, int expected_type, int seqno); + size_t *nread, int expected_type, int seqno, int timeout); /* Convert a little endian stored 4 byte value into an unsigned integer. */ @@ -446,12 +446,20 @@ send a frame of n*wMaxPacketSize back to us. Given that wMaxPacketSize is 64 for these readers we set the IFSD to a value lower than that: - 64 - 10 CCID header - 4 T1frame - 2 reserved = 48 */ + 64 - 10 CCID header - 4 T1frame - 2 reserved = 48 + Product Ids: + 0xe001 - SCR 331 + 0x5111 - SCR 331-DI + 0x5115 - SCR 335 + 0xe003 - SPR 532 + */ if (handle->id_vendor == VENDOR_SCM - /* FIXME: check whether it is the same - firmware version for all drivers. */ - && handle->bcd_device < 0x0519 - && handle->max_ifsd > 48) + && handle->max_ifsd > 48 + && ( (handle->id_product == 0xe001 && handle->bcd_device < 0x0516) + ||(handle->id_product == 0x5111 && handle->bcd_device < 0x0620) + ||(handle->id_product == 0x5115 && handle->bcd_device < 0x0519) + ||(handle->id_product == 0xe003 && handle->bcd_device < 0x0504) + )) { DEBUGOUT ("enabling workaround for buggy SCM readers\n"); handle->max_ifsd = 48; @@ -699,9 +707,7 @@ && ifcdesc->bInterfaceProtocol == 0) || (ifcdesc->bInterfaceClass == 255 && dev->descriptor.idVendor == 0x04e6 - && dev->descriptor.idProduct == 0xe003 - && ifcdesc->bInterfaceSubClass == 1 - && ifcdesc->bInterfaceProtocol == 1))) + && dev->descriptor.idProduct == 0xe003))) { idev = usb_open (dev); if (!idev) @@ -974,11 +980,13 @@ rc = bulk_out (handle, msg, msglen); if (!rc) - bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_SlotStatus,seqno); + bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_SlotStatus, + seqno, 2000); handle->powered_off = 1; } if (handle->idev) { + usb_reset (handle->idev); usb_release_interface (handle->idev, handle->ifc_no); usb_close (handle->idev); handle->idev = NULL; @@ -1102,10 +1110,10 @@ BUFFER and return the actual read number if bytes in NREAD. SEQNO is the sequence number used to send the request and EXPECTED_TYPE the type of message we expect. Does checks on the ccid - header. Returns 0 on success. */ + header. TIMEOUT is the timeout value in ms. Returns 0 on success. */ static int bulk_in (ccid_driver_t handle, unsigned char *buffer, size_t length, - size_t *nread, int expected_type, int seqno) + size_t *nread, int expected_type, int seqno, int timeout) { int i, rc; size_t msglen; @@ -1117,9 +1125,7 @@ rc = usb_bulk_read (handle->idev, handle->ep_bulk_in, buffer, length, - 10000 /* ms timeout */ ); - /* Fixme: instead of using a 10 second timeout we should better - handle the timeout here and retry if appropriate. */ + timeout); if (rc < 0) { DEBUGOUT_1 ("usb_bulk_read error: %s\n", strerror (errno)); @@ -1175,7 +1181,7 @@ } -/* Note that this fucntion won't return the error codes NO_CARD or +/* Note that this function won't return the error codes NO_CARD or CARD_INACTIVE */ static int send_escape_cmd (ccid_driver_t handle, @@ -1206,7 +1212,8 @@ rc = bulk_out (handle, msg, msglen); if (rc) return rc; - rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_Escape, seqno); + rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_Escape, + seqno, 5000); return rc; } @@ -1276,7 +1283,9 @@ unsigned char msg[100]; size_t msglen; unsigned char seqno; + int retries = 0; + retry: msg[0] = PC_to_RDR_GetSlotStatus; msg[5] = 0; /* slot */ msg[6] = seqno = handle->seqno++; @@ -1288,7 +1297,21 @@ rc = bulk_out (handle, msg, 10); if (rc) return rc; - rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_SlotStatus, seqno); + rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_SlotStatus, + seqno, retries? 1000 : 200); + if (rc == CCID_DRIVER_ERR_CARD_IO_ERROR && retries < 3) + { + if (!retries) + { + fprintf (stderr, "CALLING USB_CLEAR_HALT\n"); + usb_clear_halt (handle->idev, handle->ep_bulk_in); + usb_clear_halt (handle->idev, handle->ep_bulk_out); + } + else + fprintf (stderr, "RETRYING AGIAN\n"); + retries++; + goto retry; + } if (rc && rc != CCID_DRIVER_ERR_NO_CARD && rc != CCID_DRIVER_ERR_CARD_INACTIVE) return rc; @@ -1303,6 +1326,7 @@ unsigned char *atr, size_t maxatrlen, size_t *atrlen) { int rc; + int statusbits; unsigned char msg[100]; unsigned char *tpdu; size_t msglen, tpdulen; @@ -1311,6 +1335,15 @@ unsigned int edc; int i; + /* First check whether a card is available. */ + rc = ccid_slot_status (handle, &statusbits); + if (rc) + return rc; + if (statusbits == 2) + return CCID_DRIVER_ERR_NO_CARD; + + /* For an inactive and also for an active card, issue the PowerOn + command to get the ATR. */ msg[0] = PC_to_RDR_IccPowerOn; msg[5] = 0; /* slot */ msg[6] = seqno = handle->seqno++; @@ -1323,7 +1356,8 @@ rc = bulk_out (handle, msg, msglen); if (rc) return rc; - rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_DataBlock, seqno); + rc = bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_DataBlock, + seqno, 5000); if (rc) return rc; @@ -1367,7 +1401,8 @@ if (rc) return rc; /* Note that we ignore the error code on purpose. */ - bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_Parameters, seqno); + bulk_in (handle, msg, sizeof msg, &msglen, RDR_to_PC_Parameters, + seqno, 5000); handle->t1_ns = 0; handle->t1_nr = 0; @@ -1414,7 +1449,7 @@ rc = bulk_in (handle, msg, sizeof msg, &msglen, - RDR_to_PC_DataBlock, seqno); + RDR_to_PC_DataBlock, seqno, 5000); if (rc) return rc; @@ -1510,7 +1545,7 @@ msg = recv_buffer; rc = bulk_in (handle, msg, sizeof recv_buffer, &msglen, - RDR_to_PC_DataBlock, seqno); + RDR_to_PC_DataBlock, seqno, 5000); if (rc) return rc; @@ -1683,7 +1718,7 @@ msg = recv_buffer; rc = bulk_in (handle, msg, sizeof recv_buffer, &msglen, - RDR_to_PC_DataBlock, seqno); + RDR_to_PC_DataBlock, seqno, 5000); if (rc) return rc; @@ -1692,7 +1727,7 @@ if (tpdulen < 4) { - usb_clear_halt (handle->idev, 0x82); + usb_clear_halt (handle->idev, handle->ep_bulk_in); return CCID_DRIVER_ERR_ABORTED; } #ifdef DEBUG_T1 @@ -1960,7 +1995,7 @@ msg = recv_buffer; rc = bulk_in (handle, msg, sizeof recv_buffer, &msglen, - RDR_to_PC_DataBlock, seqno); + RDR_to_PC_DataBlock, seqno, 5000); if (rc) return rc; Index: gnupg/scd/command.c diff -u gnupg/scd/command.c:1.19.2.18 gnupg/scd/command.c:1.19.2.19 --- gnupg/scd/command.c:1.19.2.18 Thu Feb 24 22:40:48 2005 +++ gnupg/scd/command.c Mon Apr 11 18:20:10 2005 @@ -108,7 +108,7 @@ static void -reset_notify (ASSUAN_CONTEXT ctx) +reset_notify (assuan_context_t ctx) { CTRL ctrl = assuan_get_pointer (ctx); @@ -117,7 +117,7 @@ static int -option_handler (ASSUAN_CONTEXT ctx, const char *key, const char *value) +option_handler (assuan_context_t ctx, const char *key, const char *value) { ctrl_t ctrl = assuan_get_pointer (ctx); @@ -248,6 +248,10 @@ time_t stamp; /* Clear the remove flag so that the open_card is able to reread it. */ + + /* FIXME: We can't do that if we are in a locked state. Retrun an + appropriate erro r in that case. IF the card has not been + removed we may very well continue. */ if (ctrl->server_local->card_removed) do_reset (ctrl, 0); @@ -333,9 +337,10 @@ The URL to be used for locating the entire public key. + Note, that this function may be even be used on a locked card. */ static int -cmd_learn (ASSUAN_CONTEXT ctx, char *line) +cmd_learn (assuan_context_t ctx, char *line) { CTRL ctrl = assuan_get_pointer (ctx); int rc = 0; @@ -481,9 +486,10 @@ /* READCERT + Note, that this function may be even be used on a locked card. */ static int -cmd_readcert (ASSUAN_CONTEXT ctx, char *line) +cmd_readcert (assuan_context_t ctx, char *line) { CTRL ctrl = assuan_get_pointer (ctx); int rc; @@ -524,7 +530,10 @@ /* READKEY Return the public key for the given cert or key ID as an standard - S-Expression. */ + S-Expression. + + Note, that this function may be even be used on a locked card. + */ static int cmd_readkey (assuan_context_t ctx, char *line) { @@ -619,14 +628,16 @@ The client should use this command to tell us the data he want to sign. */ static int -cmd_setdata (ASSUAN_CONTEXT ctx, char *line) +cmd_setdata (assuan_context_t ctx, char *line) { CTRL ctrl = assuan_get_pointer (ctx); int n; char *p; unsigned char *buf; - /* parse the hexstring */ + /* FIXME: If we are locked return an error. */ + + /* Parse the hexstring. */ for (p=line,n=0; hexdigitp (p); p++, n++) ; if (*p) @@ -652,7 +663,7 @@ static int pin_cb (void *opaque, const char *info, char **retstr) { - ASSUAN_CONTEXT ctx = opaque; + assuan_context_t ctx = opaque; char *command; int rc; unsigned char *value; @@ -687,7 +698,7 @@ */ static int -cmd_pksign (ASSUAN_CONTEXT ctx, char *line) +cmd_pksign (assuan_context_t ctx, char *line) { CTRL ctrl = assuan_get_pointer (ctx); int rc; @@ -695,6 +706,8 @@ size_t outdatalen; char *keyidstr; + /* FIXME: If we are locked return an error. */ + if ((rc = open_card (ctrl, NULL))) return rc; @@ -738,7 +751,7 @@ */ static int -cmd_pkauth (ASSUAN_CONTEXT ctx, char *line) +cmd_pkauth (assuan_context_t ctx, char *line) { CTRL ctrl = assuan_get_pointer (ctx); int rc; @@ -746,6 +759,8 @@ size_t outdatalen; char *keyidstr; + /* FIXME: If we are locked return an error. */ + if ((rc = open_card (ctrl, NULL))) return rc; @@ -785,7 +800,7 @@ */ static int -cmd_pkdecrypt (ASSUAN_CONTEXT ctx, char *line) +cmd_pkdecrypt (assuan_context_t ctx, char *line) { CTRL ctrl = assuan_get_pointer (ctx); int rc; @@ -793,6 +808,8 @@ size_t outdatalen; char *keyidstr; + /* FIXME: If we are locked return an error. */ + if ((rc = open_card (ctrl, NULL))) return rc; @@ -834,14 +851,15 @@ This command is used to retrieve data from a smartcard. The allowed names depend on the currently selected smartcard application. NAME must be percent and '+' escaped. The value is - returned through status message, see the LESRN command for details. + returned through status message, see the LEARN command for details. However, the current implementation assumes that Name is not escaped; this works as long as noone uses arbitrary escaping. + Note, that this function may even be used on a locked card. */ static int -cmd_getattr (ASSUAN_CONTEXT ctx, char *line) +cmd_getattr (assuan_context_t ctx, char *line) { CTRL ctrl = assuan_get_pointer (ctx); int rc; @@ -858,6 +876,8 @@ /* (We ignore any garbage for now.) */ + /* FIXME: Applications should not return sensistive data if the card + is locked. */ rc = app_getattr (ctrl->app_ctx, ctrl, keyword); TEST_CARD_REMOVAL (ctrl, rc); @@ -878,7 +898,7 @@ setattr function of the actually used application (app-*.c) for details. */ static int -cmd_setattr (ASSUAN_CONTEXT ctx, char *orig_line) +cmd_setattr (assuan_context_t ctx, char *orig_line) { CTRL ctrl = assuan_get_pointer (ctx); int rc; @@ -887,6 +907,8 @@ size_t nbytes; char *line, *linebuf; + /* FIXME: If we are locked return an error. */ + if ((rc = open_card (ctrl, NULL))) return rc; @@ -932,13 +954,15 @@ */ static int -cmd_genkey (ASSUAN_CONTEXT ctx, char *line) +cmd_genkey (assuan_context_t ctx, char *line) { CTRL ctrl = assuan_get_pointer (ctx); int rc; char *keyno; int force = has_option (line, "--force"); + /* FIXME: If we are locked return an error. */ + /* Skip over options. */ while ( *line == '-' && line[1] == '-' ) { @@ -974,9 +998,11 @@ /* RANDOM Get NBYTES of random from the card and send them back as data. + + Note, that this function may be even be used on a locked card. */ static int -cmd_random (ASSUAN_CONTEXT ctx, char *line) +cmd_random (assuan_context_t ctx, char *line) { CTRL ctrl = assuan_get_pointer (ctx); int rc; @@ -1016,13 +1042,15 @@ Change the PIN or reset thye retry counter of the card holder verfication vector CHVNO. */ static int -cmd_passwd (ASSUAN_CONTEXT ctx, char *line) +cmd_passwd (assuan_context_t ctx, char *line) { CTRL ctrl = assuan_get_pointer (ctx); int rc; char *chvnostr; int reset_mode = has_option (line, "--reset"); + /* FIXME: If we are locked return an error. */ + /* Skip over options. */ while (*line == '-' && line[1] == '-') { @@ -1061,12 +1089,14 @@ */ static int -cmd_checkpin (ASSUAN_CONTEXT ctx, char *line) +cmd_checkpin (assuan_context_t ctx, char *line) { CTRL ctrl = assuan_get_pointer (ctx); int rc; char *keyidstr; + /* FIXME: If we are locked return an error. */ + if ((rc = open_card (ctrl, NULL))) return rc; From cvs at cvs.gnupg.org Mon Apr 11 18:05:04 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Mon Apr 11 18:05:06 2005 Subject: GNUPG-1-9-BRANCH gnupg/sm (ChangeLog call-agent.c call-dirmngr.c) Message-ID: Date: Monday, April 11, 2005 @ 18:21:05 Author: wk Path: /cvs/gnupg/gnupg/sm Tag: GNUPG-1-9-BRANCH Modified: ChangeLog call-agent.c call-dirmngr.c * call-dirmngr.c (start_dirmngr): Use PATHSEP_C instead of ':'. * call-agent.c (start_agent): Ditto. ----------------+ ChangeLog | 5 +++++ call-agent.c | 2 +- call-dirmngr.c | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-) Index: gnupg/sm/ChangeLog diff -u gnupg/sm/ChangeLog:1.101.2.90 gnupg/sm/ChangeLog:1.101.2.91 --- gnupg/sm/ChangeLog:1.101.2.90 Thu Mar 17 20:10:37 2005 +++ gnupg/sm/ChangeLog Mon Apr 11 18:21:05 2005 @@ -1,3 +1,8 @@ +2005-03-31 Werner Koch + + * call-dirmngr.c (start_dirmngr): Use PATHSEP_C instead of ':'. + * call-agent.c (start_agent): Ditto. + 2005-03-17 Werner Koch * certcheck.c: Fixed use of DBG_CRYPTO and DBG_X509. Index: gnupg/sm/call-agent.c diff -u gnupg/sm/call-agent.c:1.35.2.10 gnupg/sm/call-agent.c:1.35.2.11 --- gnupg/sm/call-agent.c:1.35.2.10 Mon Dec 20 17:17:24 2004 +++ gnupg/sm/call-agent.c Mon Apr 11 18:21:05 2005 @@ -144,7 +144,7 @@ } *p++ = 0; pid = atoi (p); - while (*p && *p != ':') + while (*p && *p != PATHSEP_C) p++; prot = *p? atoi (p+1) : 0; if (prot != 1) Index: gnupg/sm/call-dirmngr.c diff -u gnupg/sm/call-dirmngr.c:1.16.2.12 gnupg/sm/call-dirmngr.c:1.16.2.13 --- gnupg/sm/call-dirmngr.c:1.16.2.12 Mon Dec 20 17:17:24 2004 +++ gnupg/sm/call-dirmngr.c Mon Apr 11 18:21:05 2005 @@ -218,7 +218,7 @@ } *p++ = 0; pid = atoi (p); - while (*p && *p != ':') + while (*p && *p != PATHSEP_C) p++; prot = *p? atoi (p+1) : 0; if (prot != 1) From cvs at cvs.gnupg.org Mon Apr 11 18:05:48 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Mon Apr 11 18:05:51 2005 Subject: GNUPG-1-9-BRANCH gnupg/tools (ChangeLog gpg-connect-agent.c) Message-ID: Date: Monday, April 11, 2005 @ 18:21:49 Author: wk Path: /cvs/gnupg/gnupg/tools Tag: GNUPG-1-9-BRANCH Modified: ChangeLog gpg-connect-agent.c * gpg-connect-agent.c (start_agent): Use PATHSEP_C instead of ':'. ---------------------+ ChangeLog | 4 ++++ gpg-connect-agent.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) Index: gnupg/tools/ChangeLog diff -u gnupg/tools/ChangeLog:1.25.2.66 gnupg/tools/ChangeLog:1.25.2.67 --- gnupg/tools/ChangeLog:1.25.2.66 Mon Apr 11 01:54:39 2005 +++ gnupg/tools/ChangeLog Mon Apr 11 18:21:49 2005 @@ -6,6 +6,10 @@ (symcryptrun_SOURCES, symcryptrun_LDADD): New variables. * symcryptrun.c: New file. +2005-03-31 Werner Koch + + * gpg-connect-agent.c (start_agent): Use PATHSEP_C instead of ':'. + 2005-03-09 Werner Koch * gpgconf-comp.c : Add honor-http-proxy. Index: gnupg/tools/gpg-connect-agent.c diff -u gnupg/tools/gpg-connect-agent.c:1.1.2.2 gnupg/tools/gpg-connect-agent.c:1.1.2.3 --- gnupg/tools/gpg-connect-agent.c:1.1.2.2 Fri Feb 25 17:14:54 2005 +++ gnupg/tools/gpg-connect-agent.c Mon Apr 11 18:21:49 2005 @@ -325,7 +325,7 @@ -/* Connect to teh agebnt and send the standard options. */ +/* Connect to the agent and send the standard options. */ static assuan_context_t start_agent (void) { @@ -357,7 +357,7 @@ } *p++ = 0; pid = atoi (p); - while (*p && *p != ':') + while (*p && *p != PATHSEP_C) p++; prot = *p? atoi (p+1) : 0; if (prot != 1) From cvs at cvs.gnupg.org Mon Apr 11 19:06:22 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Mon Apr 11 19:06:24 2005 Subject: GNUPG-1-9-BRANCH gnupg/tools (ChangeLog symcryptrun.c) Message-ID: Date: Monday, April 11, 2005 @ 19:22:23 Author: wk Path: /cvs/gnupg/gnupg/tools Tag: GNUPG-1-9-BRANCH Modified: ChangeLog symcryptrun.c (confucius_mktmpdir): Changed to use mkdtmp(3). ---------------+ ChangeLog | 4 ++++ symcryptrun.c | 29 +++++++---------------------- 2 files changed, 11 insertions(+), 22 deletions(-) Index: gnupg/tools/ChangeLog diff -u gnupg/tools/ChangeLog:1.25.2.67 gnupg/tools/ChangeLog:1.25.2.68 --- gnupg/tools/ChangeLog:1.25.2.67 Mon Apr 11 18:21:49 2005 +++ gnupg/tools/ChangeLog Mon Apr 11 19:22:23 2005 @@ -1,3 +1,7 @@ +2005-04-11 Werner Koch + + * symcryptrun.c (confucius_mktmpdir): Changed to use mkdtmp(3). + 2005-04-11 Marcus Brinkmann * symcryptrun.c: Implement config file parsing. Index: gnupg/tools/symcryptrun.c diff -u gnupg/tools/symcryptrun.c:1.1.2.2 gnupg/tools/symcryptrun.c:1.1.2.3 --- gnupg/tools/symcryptrun.c:1.1.2.2 Mon Apr 11 01:54:39 2005 +++ gnupg/tools/symcryptrun.c Mon Apr 11 19:22:23 2005 @@ -227,32 +227,17 @@ static char * confucius_mktmpdir (void) { - int res; - char *tmpdir; + char *name; - tmpdir = tmpnam (NULL); - if (!tmpdir) - { - log_error (_("cannot create temporary directory name: %s\n"), - strerror (errno)); - return NULL; - } - tmpdir = strdup (tmpdir); - if (!tmpdir) - { - log_error (_("cannot copy temporary directory name: %s\n"), - strerror (errno)); - return NULL; - } - res = mkdir (tmpdir, 0700); - if (res < 0) + name = strdup ("/tmp/gpg-XXXXXX"); + if (!name || !mkdtemp (name)) { - log_error (_("cannot create temporary directory %s: %s\n"), - tmpdir, strerror (errno)); + log_error (_("can't create temporary directory `%s': %s\n"), + name?name:"", strerror (errno)); return NULL; } - return tmpdir; + return name; } @@ -702,7 +687,7 @@ tmpdir = confucius_mktmpdir (); if (!tmpdir) return 1; - + /* TMPDIR + "/" + "in" + "\0". */ infile = malloc (strlen (tmpdir) + 1 + 2 + 1); if (!infile) From cvs at cvs.gnupg.org Mon Apr 11 20:08:09 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Mon Apr 11 20:08:12 2005 Subject: gnupg/g10 (ChangeLog g10.c keyserver.c main.h misc.c) Message-ID: Date: Monday, April 11, 2005 @ 20:24:10 Author: wk Path: /cvs/gnupg/gnupg/g10 Modified: ChangeLog g10.c keyserver.c main.h misc.c * g10.c (main, add_notation_data, add_policy_url) (add_keyserver_url): Use isascii() to protect the isfoo macros and to replace direct tests. Possible problems noted by Christian Biere. * keyserver.c (parse_keyserver_uri): Ditto. * g10.c (main): Declare --pipemode deprecated. * misc.c (deprecated_command): New. -------------+ ChangeLog | 11 +++++++++++ g10.c | 16 ++++++++++------ keyserver.c | 3 ++- main.h | 2 ++ misc.c | 9 +++++++++ 5 files changed, 34 insertions(+), 7 deletions(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.720 gnupg/g10/ChangeLog:1.721 --- gnupg/g10/ChangeLog:1.720 Thu Apr 7 10:31:23 2005 +++ gnupg/g10/ChangeLog Mon Apr 11 20:24:09 2005 @@ -1,5 +1,16 @@ +2005-04-11 Werner Koch + + * g10.c (main, add_notation_data, add_policy_url) + (add_keyserver_url): Use isascii() to protect the isfoo macros and + to replace direct tests. Possible problems noted by Christian + Biere. + * keyserver.c (parse_keyserver_uri): Ditto. + 2005-04-07 Werner Koch + * g10.c (main): Declare --pipemode deprecated. + * misc.c (deprecated_command): New. + * ccid-driver.c (ccid_slot_status): Fixed debug messages. * card-util.c (card_edit): Add command "verify". Enhanced admin Index: gnupg/g10/g10.c diff -u gnupg/g10/g10.c:1.300 gnupg/g10/g10.c:1.301 --- gnupg/g10/g10.c:1.300 Tue Apr 5 19:09:12 2005 +++ gnupg/g10/g10.c Mon Apr 11 20:24:09 2005 @@ -1919,7 +1919,11 @@ "--list-ownertrust","--export-ownertrust",""); case aExportOwnerTrust: set_cmd( &cmd, aExportOwnerTrust); break; case aImportOwnerTrust: set_cmd( &cmd, aImportOwnerTrust); break; - case aPipeMode: set_cmd( &cmd, aPipeMode); break; + case aPipeMode: + deprecated_command ("--pipemode"); + set_cmd( &cmd, aPipeMode); + break; + case aRebuildKeydbCaches: set_cmd( &cmd, aRebuildKeydbCaches); break; #ifdef ENABLE_CARD_SUPPORT @@ -2266,7 +2270,7 @@ char *pt=pargs.r.ret_str; while(*pt) { - if(!isdigit(*pt)) + if (!isascii (*pt) || !isdigit (*pt)) break; pt++; @@ -3856,7 +3860,7 @@ if( *s=='@') saw_at=1; - if( !*s || (*s & 0x80) || (!isgraph(*s) && !isspace(*s)) ) + if( !*s || !isascii (*s) || (!isgraph(*s) && !isspace(*s)) ) { log_error(_("a notation name must have only printable characters " "or spaces, and end with an '='\n") ); @@ -3873,7 +3877,7 @@ /* we only support printable text - therefore we enforce the use * of only printable characters (an empty value is valid) */ for( s++; *s ; s++ ) { - if ((*s & 0x80)) + if ( isascii (*s) ) highbit = 1; else if (iscntrl(*s)) { log_error(_("a notation value must not use" @@ -3904,7 +3908,7 @@ } for(i=0;i Date: Tuesday, April 12, 2005 @ 18:08:51 Author: dshaw Path: /cvs/gnupg/gnupg/util Added: memrchr.c Modified: ChangeLog assuan-buffer.c assuan-client.c Fix minor build problem on OSX (need a replacement for memrchr) -----------------+ ChangeLog | 8 ++++++++ assuan-buffer.c | 4 ++++ assuan-client.c | 1 + memrchr.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 59 insertions(+) Index: gnupg/util/ChangeLog diff -u gnupg/util/ChangeLog:1.185 gnupg/util/ChangeLog:1.186 --- gnupg/util/ChangeLog:1.185 Tue Apr 5 19:09:12 2005 +++ gnupg/util/ChangeLog Tue Apr 12 18:08:51 2005 @@ -1,3 +1,11 @@ +2005-04-12 David Shaw + + * assuan-client.c: Fix warning on OSX. + + * memrchr.c: New replacement function. + + * assuan-buffer.c: Use it here. + 2005-04-04 Werner Koch * memory.c (xcalloc, xcalloc_secure): New wrappers. Index: gnupg/util/assuan-buffer.c diff -u gnupg/util/assuan-buffer.c:1.1 gnupg/util/assuan-buffer.c:1.2 --- gnupg/util/assuan-buffer.c:1.1 Tue Apr 5 19:09:12 2005 +++ gnupg/util/assuan-buffer.c Tue Apr 12 18:08:51 2005 @@ -34,6 +34,10 @@ #endif #include "assuan-defs.h" +#ifndef HAVE_MEMRCHR +void *memrchr(const void *s, int c, size_t n); +#endif + static int writen (assuan_context_t ctx, const char *buffer, size_t length) { Index: gnupg/util/assuan-client.c diff -u gnupg/util/assuan-client.c:1.1 gnupg/util/assuan-client.c:1.2 --- gnupg/util/assuan-client.c:1.1 Tue Apr 5 19:09:12 2005 +++ gnupg/util/assuan-client.c Tue Apr 12 18:08:51 2005 @@ -28,6 +28,7 @@ #include #include #include +#include #include "assuan-defs.h" Index: gnupg/util/memrchr.c diff -u /dev/null gnupg/util/memrchr.c:1.1 --- /dev/null Tue Apr 12 18:08:51 2005 +++ gnupg/util/memrchr.c Tue Apr 12 18:08:51 2005 @@ -0,0 +1,46 @@ +/* memrchr.c - libc replacement function + * Copyright (C) 2005 Free Software Foundation, Inc. + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +/* + memrchr() is a GNU function that might not be available everywhere. + It's basically the inverse of memchr() - search backwards in a + memory block for a particular character. +*/ + +#include +#include + +/* There are many ways to optimize this, but this is a simple + unoptimized implementation. */ +void * +memrchr(const void *s, int c, size_t n) +{ + const unsigned char *start=s,*end=s+n-1; + + while(end>=start) + { + if(*end==c) + return (void *)end; + else + end--; + } + + return NULL; +} From cvs at cvs.gnupg.org Tue Apr 12 17:54:56 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Tue Apr 12 17:54:59 2005 Subject: gnupg (ChangeLog configure.ac) Message-ID: Date: Tuesday, April 12, 2005 @ 18:11:04 Author: dshaw Path: /cvs/gnupg/gnupg Modified: ChangeLog configure.ac Check for memrchr() --------------+ ChangeLog | 4 ++++ configure.ac | 5 ++--- 2 files changed, 6 insertions(+), 3 deletions(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.246 gnupg/ChangeLog:1.247 --- gnupg/ChangeLog:1.246 Tue Apr 5 19:09:13 2005 +++ gnupg/ChangeLog Tue Apr 12 18:11:03 2005 @@ -1,3 +1,7 @@ +2005-04-12 David Shaw + + * configure.ac: Check for memrchr() + 2005-03-31 Werner Koch * configure.ac: New option --disable-agent-support. Define Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.138 gnupg/configure.ac:1.139 --- gnupg/configure.ac:1.138 Tue Apr 5 19:09:12 2005 +++ gnupg/configure.ac Tue Apr 12 18:11:03 2005 @@ -19,7 +19,7 @@ dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA dnl dnl (Process this file with autoconf to produce a configure script.) -dnlAC_REVISION($Revision: 1.138 $)dnl +dnlAC_REVISION($Revision: 1.139 $)dnl AC_PREREQ(2.59) min_automake_version="1.9.3" @@ -863,8 +863,7 @@ AC_CHECK_FUNCS(memmove gettimeofday getrusage setrlimit clock_gettime) AC_CHECK_FUNCS(atexit raise getpagesize strftime nl_langinfo setlocale) AC_CHECK_FUNCS(waitpid wait4 sigaction sigprocmask rand pipe stat getaddrinfo) -AC_REPLACE_FUNCS(mkdtemp timegm) -AC_REPLACE_FUNCS(isascii) +AC_REPLACE_FUNCS(mkdtemp timegm isascii memrchr) AC_CHECK_TYPES([struct sigaction, sigset_t],,,[#include ]) From cvs at cvs.gnupg.org Wed Apr 13 11:23:29 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Wed Apr 13 11:23:31 2005 Subject: GNUPG-1-9-BRANCH gnupg/common (sexputil.c) Message-ID: Date: Wednesday, April 13, 2005 @ 11:39:38 Author: wk Path: /cvs/gnupg/gnupg/common Tag: GNUPG-1-9-BRANCH Added: sexputil.c Added missing file ------------+ sexputil.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 63 insertions(+) Index: gnupg/common/sexputil.c diff -u /dev/null gnupg/common/sexputil.c:1.1.2.1 --- /dev/null Wed Apr 13 11:39:38 2005 +++ gnupg/common/sexputil.c Wed Apr 13 11:39:38 2005 @@ -0,0 +1,63 @@ +/* sexputil.c - Utility fnctions for S-expressions. + * Copyright (C) 2005 Free Software Foundation, Inc. + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +/* This file implements a few utility functions useful when working + with canonical encrypted S-expresions (i.e. not the S-exprssion + objects from libgcrypt). */ + +#include +#include +#include +#include +#include +#include +#ifdef HAVE_LOCALE_H +#include +#endif + +#include "util.h" + + +/* Return the so called "keygrip" which is the SHA-1 hash of the + public key parameters expressed in a way depended on the algorithm. + + KEY is expected to be an canonical encoded S-expression with a + public or private key. KEYLEN is the length of that buffer. + + GRIP must be at least 20 bytes long On success 0 is return, on + error an aerror code. */ +gpg_error_t +keygrip_from_canon_sexp (const unsigned char *key, size_t keylen, + unsigned char *grip) +{ + gpg_error_t err; + gcry_sexp_t sexp; + + if (!grip) + return gpg_error (GPG_ERR_INV_VALUE); + err = gcry_sexp_sscan (&sexp, NULL, key, keylen); + if (err) + return err; + if (!gcry_pk_get_keygrip (sexp, grip)) + err = gpg_error (GPG_ERR_INTERNAL); + gcry_sexp_release (sexp); + return err; +} + From cvs at cvs.gnupg.org Thu Apr 14 10:24:57 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Thu Apr 14 10:25:00 2005 Subject: gpgme/gpgme (ChangeLog wait-global.c) Message-ID: Date: Thursday, April 14, 2005 @ 10:41:12 Author: marcus Path: /cvs/gpgme/gpgme/gpgme Modified: ChangeLog wait-global.c 2005-04-14 Marcus Brinkmann * wait-global.c (gpgme_wait): If no context is found, and we should not hang, set *status to 0 and return NULL. Reported by Igor Belyi . ---------------+ ChangeLog | 6 ++++++ wait-global.c | 6 ++++++ 2 files changed, 12 insertions(+) Index: gpgme/gpgme/ChangeLog diff -u gpgme/gpgme/ChangeLog:1.394 gpgme/gpgme/ChangeLog:1.395 --- gpgme/gpgme/ChangeLog:1.394 Thu Mar 24 14:09:54 2005 +++ gpgme/gpgme/ChangeLog Thu Apr 14 10:41:12 2005 @@ -1,3 +1,9 @@ +2005-04-14 Marcus Brinkmann + + * wait-global.c (gpgme_wait): If no context is found, and we + should not hang, set *status to 0 and return NULL. + Reported by Igor Belyi . + 2005-03-24 Marcus Brinkmann * data.h (EOPNOTSUPP) [_WIN32]: Remove definition. Index: gpgme/gpgme/wait-global.c diff -u gpgme/gpgme/wait-global.c:1.12 gpgme/gpgme/wait-global.c:1.13 --- gpgme/gpgme/wait-global.c:1.12 Thu Mar 24 14:05:12 2005 +++ gpgme/gpgme/wait-global.c Thu Apr 14 10:41:12 2005 @@ -350,6 +350,12 @@ ctx = dctx; hang = 0; } + else if (!hang) + { + ctx = NULL; + if (status) + *status = NULL; + } } } while (hang); From cvs at cvs.gnupg.org Thu Apr 14 10:28:00 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Thu Apr 14 10:28:04 2005 Subject: gpgme (THANKS) Message-ID: Date: Thursday, April 14, 2005 @ 10:44:18 Author: marcus Path: /cvs/gpgme/gpgme Modified: THANKS Add Igor Belyi . --------+ THANKS | 1 + 1 files changed, 1 insertion(+) Index: gpgme/THANKS diff -u gpgme/THANKS:1.8 gpgme/THANKS:1.9 --- gpgme/THANKS:1.8 Tue Dec 7 20:06:29 2004 +++ gpgme/THANKS Thu Apr 14 10:44:18 2005 @@ -9,6 +9,7 @@ Alfons Hoogervorst alfons@proteus.demon.nl Enno Cramer uebergeek@web.de Frank Heckenbach frank@g-n-u.de +Igor Belyi gpgme@katehok.ac93.org Jan-Oliver Wagner jan@intevation.de Johannes Poehlmann jhp@caldera.de Jose C. García Sogo jose@jaimedelamo.eu.org From cvs at cvs.gnupg.org Thu Apr 14 10:28:43 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Thu Apr 14 10:28:45 2005 Subject: gpgme/gpgme (wait-global.c) Message-ID: Date: Thursday, April 14, 2005 @ 10:45:00 Author: marcus Path: /cvs/gpgme/gpgme/gpgme Modified: wait-global.c Fix last change. ---------------+ wait-global.c | 2 +- 1 files changed, 1 insertion(+), 1 deletion(-) Index: gpgme/gpgme/wait-global.c diff -u gpgme/gpgme/wait-global.c:1.13 gpgme/gpgme/wait-global.c:1.14 --- gpgme/gpgme/wait-global.c:1.13 Thu Apr 14 10:41:12 2005 +++ gpgme/gpgme/wait-global.c Thu Apr 14 10:45:00 2005 @@ -354,7 +354,7 @@ { ctx = NULL; if (status) - *status = NULL; + *status = 0; } } } From cvs at cvs.gnupg.org Thu Apr 14 10:33:03 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Thu Apr 14 10:33:06 2005 Subject: gpgme/gpgme (ChangeLog wait-global.c) Message-ID: Date: Thursday, April 14, 2005 @ 10:49:20 Author: marcus Path: /cvs/gpgme/gpgme/gpgme Modified: ChangeLog wait-global.c 2005-04-14 Marcus Brinkmann * wait-global.c (gpgme_wait): Use LI->ctx when checking a context in the list, not the user-provided CTX. ---------------+ ChangeLog | 4 ++++ wait-global.c | 10 ++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) Index: gpgme/gpgme/ChangeLog diff -u gpgme/gpgme/ChangeLog:1.395 gpgme/gpgme/ChangeLog:1.396 --- gpgme/gpgme/ChangeLog:1.395 Thu Apr 14 10:41:12 2005 +++ gpgme/gpgme/ChangeLog Thu Apr 14 10:49:20 2005 @@ -1,5 +1,9 @@ 2005-04-14 Marcus Brinkmann + * wait-global.c (gpgme_wait): Use LI->ctx when checking a context + in the list, not the user-provided CTX. + Reported by Igor Belyi . + * wait-global.c (gpgme_wait): If no context is found, and we should not hang, set *status to 0 and return NULL. Reported by Igor Belyi . Index: gpgme/gpgme/wait-global.c diff -u gpgme/gpgme/wait-global.c:1.14 gpgme/gpgme/wait-global.c:1.15 --- gpgme/gpgme/wait-global.c:1.14 Thu Apr 14 10:45:00 2005 +++ gpgme/gpgme/wait-global.c Thu Apr 14 10:49:20 2005 @@ -331,13 +331,15 @@ LOCK (ctx_list_lock); for (li = ctx_active_list; li; li = li->next) { - for (i = 0; i < ctx->fdt.size; i++) - if (ctx->fdt.fds[i].fd != -1) + gpgme_ctx_t actx = li->ctx; + + for (i = 0; i < actx->fdt.size; i++) + if (actx->fdt.fds[i].fd != -1) break; - if (i == ctx->fdt.size) + if (i == actx->fdt.size) { gpgme_error_t err = 0; - _gpgme_engine_io_event (ctx->engine, GPGME_EVENT_DONE, &err); + _gpgme_engine_io_event (actx->engine, GPGME_EVENT_DONE, &err); } } UNLOCK (ctx_list_lock); From cvs at cvs.gnupg.org Thu Apr 14 13:42:11 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 14 13:42:14 2005 Subject: dirmngr/src (ChangeLog ldap.c) Message-ID: Date: Thursday, April 14, 2005 @ 13:58:29 Author: wk Path: /cvs/dirmngr/dirmngr/src Modified: ChangeLog ldap.c (start_cert_fetch_ldap): Really return ERR. -----------+ ChangeLog | 4 ++++ ldap.c | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) Index: dirmngr/src/ChangeLog diff -u dirmngr/src/ChangeLog:1.45 dirmngr/src/ChangeLog:1.46 --- dirmngr/src/ChangeLog:1.45 Thu Mar 17 11:46:05 2005 +++ dirmngr/src/ChangeLog Thu Apr 14 13:58:29 2005 @@ -1,3 +1,7 @@ +2005-04-14 Werner Koch + + * ldap.c (start_cert_fetch_ldap): Really return ERR. + 2005-03-17 Werner Koch * http.c (parse_response): Changed MAXLEN and LEN to size-t to Index: dirmngr/src/ldap.c diff -u dirmngr/src/ldap.c:1.47 dirmngr/src/ldap.c:1.48 --- dirmngr/src/ldap.c:1.47 Tue Mar 15 18:42:30 2005 +++ dirmngr/src/ldap.c Thu Apr 14 13:58:29 2005 @@ -1248,7 +1248,7 @@ *context = NULL; } - return 0; + return err; } @@ -1273,7 +1273,7 @@ /* Fetch the next certificate. Return 0 on success, GPG_ERR_EOF if no (more) certificates are available or any other error - code. GPG_ERR_TRUNCATED may be returned to indicate tha the result + code. GPG_ERR_TRUNCATED may be returned to indicate that the result has been truncated. */ gpg_error_t fetch_next_cert_ldap (cert_fetch_context_t context, From cvs at cvs.gnupg.org Thu Apr 14 19:09:24 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 14 19:09:28 2005 Subject: GNUPG-1-9-BRANCH gnupg/scd (ChangeLog app-openpgp.c command.c) Message-ID: Date: Thursday, April 14, 2005 @ 19:25:43 Author: wk Path: /cvs/gnupg/gnupg/scd Tag: GNUPG-1-9-BRANCH Modified: ChangeLog app-openpgp.c command.c (retrieve_key_material): Rewritten. Return a proper error code. (retrieve_next_token): Removed. (retrieve_fpr_from_card): Rewritten to make use of DO caching and to take the KEYNO as arg. (get_public_key): Renamed variable for clarity. ---------------+ ChangeLog | 28 +++ app-openpgp.c | 394 +++++++++++++++++++------------------------------------- command.c | 361 ++++++++++++++++++++++++++++++++++++++++----------- 3 files changed, 447 insertions(+), 336 deletions(-) Index: gnupg/scd/ChangeLog diff -u gnupg/scd/ChangeLog:1.25.2.72 gnupg/scd/ChangeLog:1.25.2.73 --- gnupg/scd/ChangeLog:1.25.2.72 Mon Apr 11 18:20:10 2005 +++ gnupg/scd/ChangeLog Thu Apr 14 19:25:43 2005 @@ -1,3 +1,31 @@ +2005-04-14 Werner Koch + + * app-openpgp.c (retrieve_key_material): Rewritten. Return a + proper error code. + (retrieve_next_token): Removed. + (retrieve_fpr_from_card): Rewritten to make use of DO caching and + to take the KEYNO as arg. + (get_public_key): Renamed variable for clarity. + +2005-04-12 Werner Koch + + Basic support for several sessions. + + * command.c (scd_command_handler): Replace the primary_connection + stuff by a real connection list. Release the local context on + exit. + (scd_update_reader_status_file): Update accordingly. Send signal + to all connections who registered an event signal. + (cmd_lock, cmd_unlock, register_commands): New commands LOCK and + UNLOCK. + (cmd_setdata, cmd_pksign, cmd_pkauth, cmd_pkdecrypt, cmd_setattr) + (cmd_genkey, cmd_passwd, cmd_checkpin): Return an error if reader + is locked. + (do_reset): Handle locking. + (open_card): Ditto. Share the reader slot with other sessions. + (get_reader_slot): New. + (update_card_removed): New. Use it in the TEST_CARD_REMOVAL macro. + 2005-04-07 Werner Koch * app-openpgp.c (do_check_pin): Add hack to allow verification of Index: gnupg/scd/app-openpgp.c diff -u gnupg/scd/app-openpgp.c:1.9.2.29 gnupg/scd/app-openpgp.c:1.9.2.30 --- gnupg/scd/app-openpgp.c:1.9.2.29 Mon Apr 11 18:20:10 2005 +++ gnupg/scd/app-openpgp.c Thu Apr 14 19:25:43 2005 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA * - * $Id: app-openpgp.c,v 1.9.2.29 2005/04/11 16:20:10 wk Exp $ + * $Id: app-openpgp.c,v 1.9.2.30 2005/04/14 17:25:43 wk Exp $ */ #include @@ -784,266 +784,149 @@ } /* Retrieve the fingerprint from the card inserted in SLOT and write - the according hex representation (40 hex digits plus NUL character) - to FPR. */ + the according hex representation to FPR. Caller must have provide + a buffer at FPR of least 41 bytes. Returns 0 on success or an + error code. */ +#if GNUPG_MAJOR_VERSION > 1 static gpg_error_t -retrieve_fpr_from_card (int slot, char *fpr) +retrieve_fpr_from_card (app_t app, int keyno, char *fpr) { - const unsigned char *value; - unsigned char *data; - size_t data_n; - gpg_error_t err; - size_t value_n; - unsigned int i; + gpg_error_t err = 0; + void *relptr; + unsigned char *value; + size_t valuelen; + int i; - data = NULL; + assert (keyno >=0 && keyno <= 2); - err = iso7816_get_data (slot, 0x6E, &data, &data_n); - if (err) - /* FIXME */ - goto out; - - value = find_tlv (data, data_n, 0x00C5, &value_n); - if (! (value - && (! (value_n > (data_n - (value - data)))) - && (value_n >= 60))) /* FIXME: Shouldn't this be "== 60"? */ + relptr = get_one_do (app, 0x00C5, &value, &valuelen, NULL); + if (relptr && valuelen >= 60) { - /* FIXME? */ - err = gpg_error (GPG_ERR_CARD); /* */ - goto out; + for (i = 0; i < 20; i++) + sprintf (fpr + (i * 2), "%02X", value[(keyno*20)+i]); } - - /* Copy out third key FPR. */ - for (i = 0; i < 20; i++) - sprintf (fpr + (i * 2), "%02X", (value + (2 * 20))[i]); - - out: - - xfree (data); - + else + err = gpg_error (GPG_ERR_NOT_FOUND); + xfree (relptr); return err; } +#endif /*GNUPG_MAJOR_VERSION > 1*/ -/* Retrieve the next token from S, using ":" as delimiter. */ -static char * -retrieve_next_token (char *s) -{ - char *p; - - p = strtok (s, ":"); - if (! p) - log_error ("error while extracting token\n"); - return p; -} - -/* Retrieve the secret key material for the key, whose fingerprint is - FPR, from gpg output, which can be read through the stream FP. The - RSA modulus will be stored in m/mlen, the secret exponent in - e/elen. Return zero on success, one on failure. */ -static int -retrieve_key_material (FILE *fp, const char *fpr, +/* Retrieve the public key material for the RSA key, whose fingerprint + is FPR, from gpg output, which can be read through the stream FP. + The RSA modulus will be stored at the address of M and MLEN, the + public exponent at E and ELEN. Returns zero on success, an error + code on failure. Caller must release the allocated buffers at M + and E if the function returns success. */ +#if GNUPG_MAJOR_VERSION > 1 +static gpg_error_t +retrieve_key_material (FILE *fp, const char *hexkeyid, const unsigned char **m, size_t *mlen, const unsigned char **e, size_t *elen) { - size_t line_size; - ssize_t line_ret; - char *line; - int ret; - int found_key; - char *token; - int pkd_n; - unsigned char *m_new; - unsigned char *e_new; - size_t m_new_n; - size_t e_new_n; - int is_rsa; - gcry_mpi_t mpi; - gcry_error_t err; - size_t max_length; - - line_size = 0; - line = NULL; - found_key = 0; - pkd_n = 0; - m_new = NULL; - e_new = NULL; - mpi = NULL; - ret = 0; - -#warning This part should get rewritten for clarity - /* We should use an algorithm similar to the one used by gpgme. - This will reduce the size of the code at least by 50%. [wk] */ - - while (1) - { - /* FIXME? */ - max_length = 1024; - line_ret = read_line (fp, &line, &line_size, &max_length); - if (line_ret < 0) - { - ret = 1; - break; - } - if (! line_ret) - /* EOF. */ - /* FIXME? */ - break; + gcry_error_t err = 0; + char *line = NULL; /* read_line() buffer. */ + size_t line_size = 0; /* Helper for for read_line. */ + int found_key = 0; /* Helper to find a matching key. */ + unsigned char *m_new = NULL; + unsigned char *e_new = NULL; + size_t m_new_n = 0; + size_t e_new_n = 0; + + /* Loop over all records until we have found the subkey + corresponsing to the fingerprint. Inm general the first record + should be the pub record, but we don't rely on that. Given that + we only need to look at one key, it is sufficient to compare the + keyid so that we don't need to look at "fpr" records. */ + for (;;) + { + char *p; + char *fields[6]; + int nfields; + size_t max_length; + gcry_mpi_t mpi; + int i; - token = retrieve_next_token (line); - if (! found_key) + max_length = 4096; + i = read_line (fp, &line, &line_size, &max_length); + if (!i) + break; /* EOF. */ + if (i < 0) { - /* Key not found yet, search for key entry. */ - if ((! strcmp (token, "pub")) || (! strcmp (token, "sub"))) - { - /* Reached next key entry, parse it. */ - - /* This is the trust level (right, FIXME?). */ - token = retrieve_next_token (NULL); - if (! token) - { - ret = 1; - break; - } - - /* This is the size. */ - token = retrieve_next_token (NULL); - if (! token) - { - ret = 1; - break; - } - - /* This is the algorithm (right, FIXME?). */ - token = retrieve_next_token (NULL); - if (! token) - { - ret = 1; - break; - } - is_rsa = ! strcmp (token, "1"); - - /* This is the fingerprint. */ - token = retrieve_next_token (NULL); - if (! token) - { - ret = 1; - break; - } - - if (! strcmp (token, fpr)) - { - /* Found our key. */ - if (! is_rsa) - { - /* FIXME. */ - ret = 1; - break; - } - found_key = 1; - } - } - } - else - { - if (! strcmp (token, "sub")) - /* Next key entry, break. */ - break; - - if (! strcmp (token, "pkd")) - { - if ((pkd_n == 0) || (pkd_n == 1)) - { - /* This is the pkd index. */ - token = retrieve_next_token (NULL); - if (! token) - { - /* FIXME. */ - ret = 1; - break; - } - - /* This is the pkd size. */ - token = retrieve_next_token (NULL); - if (! token) - { - /* FIXME. */ - ret = 1; - break; - } - - /* This is the pkd mpi. */ - token = retrieve_next_token (NULL); - if (! token) - { - /* FIXME. */ - ret = 1; - break; - } - - err = gcry_mpi_scan (&mpi, GCRYMPI_FMT_HEX, token, 0, NULL); - if (err) - { - log_error ("error while converting pkd %i from hex: %s\n", - pkd_n, gcry_strerror (err)); - ret = 1; - break; - } - - if (pkd_n == 0) - err = gcry_mpi_aprint (GCRYMPI_FMT_STD, - &m_new, &m_new_n, mpi); - else - err = gcry_mpi_aprint (GCRYMPI_FMT_STD, - &e_new, &e_new_n, mpi); - if (err) - { - log_error ("error while converting pkd %i to std: %s\n", - pkd_n, gcry_strerror (err)); - ret = 1; - break; - } - gcry_mpi_release (mpi); - mpi = NULL; - pkd_n++; - } - else - { - /* Too many pkd entries. */ - /* FIXME */ - ret = 1; - break; - } - } + err = gpg_error_from_errno (errno); + goto leave; /* Error. */ } - } - if (ret) - goto out; - - if (pkd_n < 2) - { - /* Not enough pkds retrieved. */ - ret = 1; - goto out; - } + if (!max_length) + { + err = gpg_error (GPG_ERR_TRUNCATED); + goto leave; /* Line truncated - we better stop processing. */ + } - *m = m_new; - *mlen = m_new_n; - *e = e_new; - *elen = e_new_n; + /* Parse the line into fields. */ + for (nfields=0, p=line; p && nfields < DIM (fields); nfields++) + { + fields[nfields] = p; + p = strchr (p, ':'); + if (p) + *(p++) = 0; + } + if (!nfields) + continue; /* No fields at all - skip line. */ - out: + if (!found_key) + { + if ( (!strcmp (fields[0], "sub") || !strcmp (fields[0], "pub") ) + && nfields > 4 && !strcmp (fields[4], hexkeyid)) + found_key = 1; + continue; + } + + if ( !strcmp (fields[0], "sub") || !strcmp (fields[0], "pub") ) + break; /* Next key - stop. */ - if (ret) + if ( strcmp (fields[0], "pkd") ) + continue; /* Not a key data record. */ + i = 0; /* Avoid erroneous compiler warning. */ + if ( nfields < 4 || (i = atoi (fields[1])) < 0 || i > 1 + || (!i && m_new) || (i && e_new)) + { + err = gpg_error (GPG_ERR_GENERAL); + goto leave; /* Error: Invalid key data record or not an RSA key. */ + } + + err = gcry_mpi_scan (&mpi, GCRYMPI_FMT_HEX, fields[3], 0, NULL); + if (err) + mpi = NULL; + else if (!i) + err = gcry_mpi_aprint (GCRYMPI_FMT_STD, &m_new, &m_new_n, mpi); + else + err = gcry_mpi_aprint (GCRYMPI_FMT_STD, &e_new, &e_new_n, mpi); + gcry_mpi_release (mpi); + if (err) + goto leave; + } + + if (m_new && e_new) { - gcry_free (m_new); - gcry_free (e_new); + *m = m_new; + *mlen = m_new_n; + m_new = NULL; + *e = e_new; + *elen = e_new_n; + e_new = NULL; } - gcry_mpi_release (mpi); - gcry_free (line); + else + err = gpg_error (GPG_ERR_GENERAL); - return ret; + leave: + xfree (m_new); + xfree (e_new); + xfree (line); + return err; } +#endif /*GNUPG_MAJOR_VERSION > 1*/ + /* Get the public key for KEYNO and store it as an S-expresion with the APP handle. On error that field gets cleared. If we already @@ -1158,52 +1041,49 @@ The helper we use here is gpg itself, which should know about the key in any case. */ - char fpr_long[41]; - char *fpr = fpr_long + 24; - char *command; + char fpr[41]; + char *hexkeyid; + char *command = NULL; FILE *fp; int ret; - command = NULL; + buffer = NULL; /* We don't need buffer. */ - err = retrieve_fpr_from_card (app->slot, fpr_long); + err = retrieve_fpr_from_card (app, keyno, fpr); if (err) { log_error ("error while retrieving fpr from card: %s\n", gpg_strerror (err)); goto leave; } + hexkeyid = fpr + 24; ret = asprintf (&command, "gpg --list-keys --with-colons --with-key-data '%s'", - fpr_long); + fpr); if (ret < 0) { err = gpg_error_from_errno (errno); - log_error ("error while creating pipe command " - "for retrieving key: %s\n", gpg_strerror (err)); goto leave; } fp = popen (command, "r"); - if (! fp) + free (command); + if (!fp) { err = gpg_error_from_errno (errno); - log_error ("error while creating pipe: %s\n", gpg_strerror (err)); + log_error ("running gpg failed: %s\n", gpg_strerror (err)); goto leave; } - ret = retrieve_key_material (fp, fpr, &m, &mlen, &e, &elen); + err = retrieve_key_material (fp, hexkeyid, &m, &mlen, &e, &elen); fclose (fp); - if (ret) + if (err) { - /* FIXME? */ - err = gpg_error (GPG_ERR_INTERNAL); - log_error ("error while retrieving key material through pipe\n"); + log_error ("error while retrieving key material through pipe: %s\n", + gpg_strerror (err)); goto leave; } - - buffer = NULL; } /* Allocate a buffer to construct the S-expression. */ @@ -1216,11 +1096,11 @@ goto leave; } - sprintf (keybuf, "(10:public-key(3:rsa(1:n%u", (unsigned int) mlen); + sprintf (keybuf, "(10:public-key(3:rsa(1:n%u:", (unsigned int) mlen); keybuf_p = keybuf + strlen (keybuf); memcpy (keybuf_p, m, mlen); keybuf_p += mlen; - sprintf (keybuf_p, ")(1:e%u", (unsigned int)elen); + sprintf (keybuf_p, ")(1:e%u:", (unsigned int)elen); keybuf_p += strlen (keybuf_p); memcpy (keybuf_p, e, elen); keybuf_p += elen; Index: gnupg/scd/command.c diff -u gnupg/scd/command.c:1.19.2.19 gnupg/scd/command.c:1.19.2.20 --- gnupg/scd/command.c:1.19.2.19 Mon Apr 11 18:20:10 2005 +++ gnupg/scd/command.c Thu Apr 14 19:25:43 2005 @@ -26,6 +26,9 @@ #include #include #include +#ifdef USE_GNU_PTH +# include +#endif #include @@ -38,11 +41,6 @@ #define MAXLEN_PIN 100 -/* We keep track of the primary client using scdaemon. This one will - for example receive signal on card change. */ -static ctrl_t primary_connection; - - #define set_error(e,t) assuan_set_error (ctx, ASSUAN_ ## e, (t)) @@ -52,20 +50,65 @@ int _r = (r); \ if (gpg_err_code (_r) == GPG_ERR_CARD_NOT_PRESENT \ || gpg_err_code (_r) == GPG_ERR_CARD_REMOVED) \ - (c)->server_local->card_removed = 1; \ + update_card_removed ((c)->reader_slot, 1); \ } while (0) +#define IS_LOCKED(c) \ + (locked_session && locked_session != (c)->server_local \ + && (c)->reader_slot != -1 && locked_session->ctrl_backlink \ + && (c)->reader_slot == locked_session->ctrl_backlink->reader_slot) + -/* Data used to associate an Assuan context with local server data */ +/* Data used to associate an Assuan context with local server data. + This object describes the local properties of one session. */ struct server_local_s { + /* We keep a list of all active sessions with the anchor at + SESSION_LIST (see below). This field is used for linking. */ + struct server_local_s *next_session; + + /* This object is usually assigned to a CTRL object (which is + globally visible). While enumeratin all sessions we sometimes + need to access data of the CTRL object; thus we keep a + backpointer here. */ + ctrl_t ctrl_backlink; + + /* The Assuan context used by this session/server. */ assuan_context_t assuan_ctx; + int event_signal; /* Or 0 if not used. */ - int card_removed; /* True if the card has been removed and a - reset is required to continue - operation. */ + + /* True if the card has been removed and a reset is required to + continue operation. */ + int card_removed; }; +/* To keep track of all running sessions, we link all active server + contexts and the anchor in this variable. */ +static struct server_local_s *session_list; + +/* If a session has been locked we store a link to its server object + in this variable. */ +static struct server_local_s *locked_session; + + + + +/* Update the CARD_REMOVED element of all sessions using the reader + given by SLOT to VALUE */ +static void +update_card_removed (int slot, int value) +{ + struct server_local_s *sl; + + for (sl=session_list; sl; sl = sl->next_session) + if (sl->ctrl_backlink + && sl->ctrl_backlink->reader_slot == slot) + sl->card_removed = value; +} + + + /* Check whether the option NAME appears in LINE */ static int has_option (const char *line, const char *name) @@ -79,10 +122,13 @@ /* Reset the card and free the application context. With DO_CLOSE set - to true, close the reader and don't do just a reset. */ + to true and this is the last session with a reference to teh + reader, close the reader and don't do just a reset. */ static void do_reset (ctrl_t ctrl, int do_close) { + int slot = ctrl->reader_slot; + if (ctrl->card_ctx) { card_close (ctrl->card_ctx); @@ -97,20 +143,61 @@ } if (ctrl->reader_slot != -1) { - if (do_close || apdu_reset (ctrl->reader_slot)) + struct server_local_s *sl; + + /* If we are the only session with the reader open we may close + it. If not, do a reset unless the a lock is held on the + reader. */ + for (sl=session_list; sl; sl = sl->next_session) + if (sl != ctrl->server_local + && sl->ctrl_backlink->reader_slot == ctrl->reader_slot) + break; + if (sl) /* There is another session with the reader open. */ + { + if ( IS_LOCKED (ctrl) ) /* If it is locked, release it. */ + ctrl->reader_slot = -1; + else + { + if (do_close) /* Always mark reader unused. */ + ctrl->reader_slot = -1; + else if (apdu_reset (ctrl->reader_slot)) /* Reset only if + not locked */ + { + /* The reset failed. Mark the reader as closed. */ + ctrl->reader_slot = -1; + } + + if (locked_session && ctrl->server_local == locked_session) + { + locked_session = NULL; + log_debug ("implicitly unlocking due to RESET\n"); + } + } + } + else /* No other session has the reader open. */ { - apdu_close_reader (ctrl->reader_slot); - ctrl->reader_slot = -1; + if (do_close || apdu_reset (ctrl->reader_slot)) + { + apdu_close_reader (ctrl->reader_slot); + ctrl->reader_slot = -1; + } + if ( IS_LOCKED (ctrl) ) + { + log_debug ("WARNING: cleaning up stale session lock\n"); + locked_session = NULL; + } } } - ctrl->server_local->card_removed = 0; + + /* Reset card removed flag for the current reader. */ + update_card_removed (slot, 0); } static void reset_notify (assuan_context_t ctx) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); do_reset (ctrl, 0); } @@ -134,6 +221,27 @@ } +/* Return the slot of the current reader or open the reader if no + other sessions are using a reader. Note, that we currently support + only one reader but most of the code (except for this function) + should be able to cope with several readers. */ +static int +get_reader_slot (void) +{ + struct server_local_s *sl; + int slot= -1; + + for (sl=session_list; sl; sl = sl->next_session) + if (sl->ctrl_backlink + && (slot = sl->ctrl_backlink->reader_slot) != -1) + break; + + if (slot == -1) + slot = apdu_open_reader (opt.reader_port); + + return slot; +} + /* If the card has not yet been opened, do it. Note that this function returns an Assuan error, so don't map the error a second time */ @@ -154,10 +262,13 @@ if (ctrl->card_ctx) return 0; /* Already initialized using a card context. */ + if ( IS_LOCKED (ctrl) ) + return gpg_error (GPG_ERR_EBUSY); + if (ctrl->reader_slot != -1) slot = ctrl->reader_slot; else - slot = apdu_open_reader (opt.reader_port); + slot = get_reader_slot (); ctrl->reader_slot = slot; if (slot == -1) err = gpg_error (GPG_ERR_CARD); @@ -177,9 +288,7 @@ err = card_open (&ctrl->card_ctx); } - if (gpg_err_code (err) == GPG_ERR_CARD_NOT_PRESENT) - ctrl->server_local->card_removed = 1; - + TEST_CARD_REMOVAL (ctrl, err); return map_to_assuan_status (err); } @@ -248,12 +357,12 @@ time_t stamp; /* Clear the remove flag so that the open_card is able to reread it. */ - - /* FIXME: We can't do that if we are in a locked state. Retrun an - appropriate erro r in that case. IF the card has not been - removed we may very well continue. */ if (ctrl->server_local->card_removed) - do_reset (ctrl, 0); + { + if ( IS_LOCKED (ctrl) ) + return gpg_error (GPG_ERR_EBUSY); + do_reset (ctrl, 0); + } if ((rc = open_card (ctrl, *line? line:NULL))) return rc; @@ -342,7 +451,7 @@ static int cmd_learn (assuan_context_t ctx, char *line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int rc = 0; int idx; @@ -491,7 +600,7 @@ static int cmd_readcert (assuan_context_t ctx, char *line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int rc; unsigned char *cert; size_t ncert; @@ -630,12 +739,13 @@ static int cmd_setdata (assuan_context_t ctx, char *line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int n; char *p; unsigned char *buf; - /* FIXME: If we are locked return an error. */ + if (locked_session && locked_session != ctrl->server_local) + return gpg_error (GPG_ERR_EBUSY); /* Parse the hexstring. */ for (p=line,n=0; hexdigitp (p); p++, n++) @@ -700,13 +810,14 @@ static int cmd_pksign (assuan_context_t ctx, char *line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int rc; unsigned char *outdata; size_t outdatalen; char *keyidstr; - /* FIXME: If we are locked return an error. */ + if ( IS_LOCKED (ctrl) ) + return gpg_error (GPG_ERR_EBUSY); if ((rc = open_card (ctrl, NULL))) return rc; @@ -753,13 +864,14 @@ static int cmd_pkauth (assuan_context_t ctx, char *line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int rc; unsigned char *outdata; size_t outdatalen; char *keyidstr; - /* FIXME: If we are locked return an error. */ + if ( IS_LOCKED (ctrl) ) + return gpg_error (GPG_ERR_EBUSY); if ((rc = open_card (ctrl, NULL))) return rc; @@ -802,13 +914,14 @@ static int cmd_pkdecrypt (assuan_context_t ctx, char *line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int rc; unsigned char *outdata; size_t outdatalen; char *keyidstr; - /* FIXME: If we are locked return an error. */ + if ( IS_LOCKED (ctrl) ) + return gpg_error (GPG_ERR_EBUSY); if ((rc = open_card (ctrl, NULL))) return rc; @@ -861,7 +974,7 @@ static int cmd_getattr (assuan_context_t ctx, char *line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int rc; char *keyword; @@ -900,14 +1013,15 @@ static int cmd_setattr (assuan_context_t ctx, char *orig_line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int rc; char *keyword; int keywordlen; size_t nbytes; char *line, *linebuf; - /* FIXME: If we are locked return an error. */ + if ( IS_LOCKED (ctrl) ) + return gpg_error (GPG_ERR_EBUSY); if ((rc = open_card (ctrl, NULL))) return rc; @@ -956,12 +1070,13 @@ static int cmd_genkey (assuan_context_t ctx, char *line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int rc; char *keyno; int force = has_option (line, "--force"); - /* FIXME: If we are locked return an error. */ + if ( IS_LOCKED (ctrl) ) + return gpg_error (GPG_ERR_EBUSY); /* Skip over options. */ while ( *line == '-' && line[1] == '-' ) @@ -1004,7 +1119,7 @@ static int cmd_random (assuan_context_t ctx, char *line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int rc; size_t nbytes; unsigned char *buffer; @@ -1044,12 +1159,13 @@ static int cmd_passwd (assuan_context_t ctx, char *line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int rc; char *chvnostr; int reset_mode = has_option (line, "--reset"); - /* FIXME: If we are locked return an error. */ + if ( IS_LOCKED (ctrl) ) + return gpg_error (GPG_ERR_EBUSY); /* Skip over options. */ while (*line == '-' && line[1] == '-') @@ -1091,11 +1207,12 @@ static int cmd_checkpin (assuan_context_t ctx, char *line) { - CTRL ctrl = assuan_get_pointer (ctx); + ctrl_t ctrl = assuan_get_pointer (ctx); int rc; char *keyidstr; - /* FIXME: If we are locked return an error. */ + if ( IS_LOCKED (ctrl) ) + return gpg_error (GPG_ERR_EBUSY); if ((rc = open_card (ctrl, NULL))) return rc; @@ -1122,15 +1239,83 @@ } +/* LOCK [--wait] + + Grant exclusive card access to this session. Note that there is + no lock counter used and a second lock from the same session will + get ignore. A single unlock (or RESET) unlocks the session. + Return GPG_ERR_EBUSY if another session has locked the reader. + + If the option --wait is given the command will wait until a + lock has been released. + */ +static int +cmd_lock (assuan_context_t ctx, char *line) +{ + ctrl_t ctrl = assuan_get_pointer (ctx); + int rc = 0; + + retry: + if (locked_session) + { + if (locked_session != ctrl->server_local) + rc = gpg_error (GPG_ERR_EBUSY); + } + else + locked_session = ctrl->server_local; + +#ifdef USE_GNU_PTH + if (rc && has_option (line, "--wait")) + { + pth_sleep (1); /* Better implement an event mechanism. However, + for card operations this should be + sufficient. */ + goto retry; + } +#endif /*USE_GNU_PTH*/ + + if (rc) + log_error ("cmd_lock failed: %s\n", gpg_strerror (rc)); + return map_to_assuan_status (rc); +} + + +/* UNLOCK + + Release exclusive card access. + */ +static int +cmd_unlock (assuan_context_t ctx, char *line) +{ + ctrl_t ctrl = assuan_get_pointer (ctx); + int rc = 0; + + if (locked_session) + { + if (locked_session != ctrl->server_local) + rc = gpg_error (GPG_ERR_EBUSY); + else + locked_session = NULL; + } + else + rc = gpg_error (GPG_ERR_NOT_LOCKED); + + if (rc) + log_error ("cmd_unlock failed: %s\n", gpg_strerror (rc)); + return map_to_assuan_status (rc); +} + + + /* Tell the assuan library about our commands */ static int -register_commands (ASSUAN_CONTEXT ctx) +register_commands (assuan_context_t ctx) { static struct { const char *name; - int (*handler)(ASSUAN_CONTEXT, char *line); + int (*handler)(assuan_context_t, char *line); } table[] = { { "SERIALNO", cmd_serialno }, { "LEARN", cmd_learn }, @@ -1148,6 +1333,8 @@ { "RANDOM", cmd_random }, { "PASSWD", cmd_passwd }, { "CHECKPIN", cmd_checkpin }, + { "LOCK", cmd_lock }, + { "UNLOCK", cmd_unlock }, { NULL } }; int i, rc; @@ -1172,7 +1359,7 @@ scd_command_handler (int listen_fd) { int rc; - ASSUAN_CONTEXT ctx; + assuan_context_t ctx; struct server_control_s ctrl; memset (&ctrl, 0, sizeof ctrl); @@ -1204,20 +1391,24 @@ scd_exit (2); } assuan_set_pointer (ctx, &ctrl); + + /* Allocate and initialize the server object. Put it into the list + of active sessions. */ ctrl.server_local = xcalloc (1, sizeof *ctrl.server_local); + ctrl.server_local->next_session = session_list; + session_list = ctrl.server_local; + ctrl.server_local->ctrl_backlink = &ctrl; ctrl.server_local->assuan_ctx = ctx; if (DBG_ASSUAN) assuan_set_log_stream (ctx, log_get_stream ()); - /* Store the primary connection's assuan context. */ - if (!primary_connection) - primary_connection = &ctrl; - /* We open the reader right at startup so that the ticker is able to update the status file. */ if (ctrl.reader_slot == -1) - ctrl.reader_slot = apdu_open_reader (opt.reader_port); + { + ctrl.reader_slot = get_reader_slot (); + } /* Command processing loop. */ for (;;) @@ -1241,13 +1432,26 @@ } } - /* The next client will be the primary conenction if this one - terminates. */ - if (primary_connection == &ctrl) - primary_connection = NULL; + /* Cleanup. */ + do_reset (&ctrl, 1); - do_reset (&ctrl, 1); /* Cleanup. */ + /* Release the server object. */ + if (session_list == ctrl.server_local) + session_list = ctrl.server_local->next_session; + else + { + struct server_local_s *sl; + + for (sl=session_list; sl->next_session; sl = sl->next_session) + if (sl->next_session == ctrl.server_local) + break; + if (!sl->next_session) + BUG (); + sl->next_session = ctrl.server_local->next_session; + } + xfree (ctrl.server_local); + /* Release the Assuan context. */ assuan_deinit_server (ctx); } @@ -1256,14 +1460,14 @@ buffers. The variable elements are pairs of (char *, size_t), terminated with a (NULL, 0). */ void -send_status_info (CTRL ctrl, const char *keyword, ...) +send_status_info (ctrl_t ctrl, const char *keyword, ...) { va_list arg_ptr; const unsigned char *value; size_t valuelen; char buf[950], *p; size_t n; - ASSUAN_CONTEXT ctx = ctrl->server_local->assuan_ctx; + assuan_context_t ctx = ctrl->server_local->assuan_ctx; va_start (arg_ptr, keyword); @@ -1299,7 +1503,7 @@ } -/* This fucntion is called by the ticker thread to check for changes +/* This function is called by the ticker thread to check for changes of the reader stati. It updates the reader status files and if requested by the caller also send a signal to the caller. */ void @@ -1328,6 +1532,7 @@ char *fname; char templ[50]; FILE *fp; + struct server_local_s *sl; log_info ("updating status of slot %d to 0x%04X\n", slot, status); @@ -1344,33 +1549,31 @@ } xfree (fname); - /* Set the card removed flag. We will set this on any - card change because a reset or SERIALNO request must be - done in any case. */ - if (primary_connection && primary_connection->server_local - && last[slot].any ) - primary_connection->server_local->card_removed = 1; + /* Set the card removed flag for all current sessions. We + will set this on any card change because a reset or + SERIALNO request must be done in any case. */ + if (last[slot].any) + update_card_removed (slot, 1); last[slot].any = 1; last[slot].status = status; last[slot].changed = changed; - /* Send a signal to the primary client, if any. */ - if (primary_connection && primary_connection->server_local - && primary_connection->server_local->assuan_ctx) - { - pid_t pid = assuan_get_pid (primary_connection - ->server_local->assuan_ctx); - int signo = primary_connection->server_local->event_signal; - - log_info ("client pid is %d, sending signal %d\n", pid, signo); + /* Send a signal to all clients who applied for it. */ + for (sl=session_list; sl; sl = sl->next_session) + if (sl->event_signal && sl->assuan_ctx) + { + pid_t pid = assuan_get_pid (sl->assuan_ctx); + int signo = sl->event_signal; + log_info ("client pid is %d, sending signal %d\n", + pid, signo); #ifndef HAVE_W32_SYSTEM - if (pid != (pid_t)(-1) && pid && signo > 0) - kill (pid, signo); + if (pid != (pid_t)(-1) && pid && signo > 0) + kill (pid, signo); #endif - } + } } } } From cvs at cvs.gnupg.org Thu Apr 14 19:25:48 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 14 19:25:50 2005 Subject: LIBGCRYPT-1-2-BRANCH libgcrypt/src (ChangeLog gcrypt.h sexp.c) Message-ID: Date: Thursday, April 14, 2005 @ 19:42:07 Author: wk Path: /cvs/libgcrypt/libgcrypt/src Tag: LIBGCRYPT-1-2-BRANCH Modified: ChangeLog gcrypt.h sexp.c (whitespacep): New. (sexp_sscan): Replace isdigit and isspace by whitespacep and digitp. -----------+ ChangeLog | 6 ++++++ gcrypt.h | 2 +- sexp.c | 45 +++++++++++++++++++++++++++++++-------------- 3 files changed, 38 insertions(+), 15 deletions(-) Index: libgcrypt/src/ChangeLog diff -u libgcrypt/src/ChangeLog:1.151.2.12 libgcrypt/src/ChangeLog:1.151.2.13 --- libgcrypt/src/ChangeLog:1.151.2.12 Tue Feb 22 18:59:21 2005 +++ libgcrypt/src/ChangeLog Thu Apr 14 19:42:07 2005 @@ -1,3 +1,9 @@ +2005-04-14 Werner Koch + + * sexp.c (whitespacep): New. + (sexp_sscan): Replace isdigit and isspace by whitespacep and + digitp. + 2005-02-22 Werner Koch * global.c (_gcry_malloc): Make sure ERRNO is set if we return Index: libgcrypt/src/gcrypt.h diff -u libgcrypt/src/gcrypt.h:1.125.2.6 libgcrypt/src/gcrypt.h:1.125.2.7 --- libgcrypt/src/gcrypt.h:1.125.2.6 Wed Jan 5 17:07:31 2005 +++ libgcrypt/src/gcrypt.h Thu Apr 14 19:42:07 2005 @@ -49,7 +49,7 @@ autoconf (using the AM_PATH_GCRYPT macro) check that this header matches the installed library. Note: Do not edit the next line as configure may fix the string here. */ -#define GCRYPT_VERSION "1.2.1" +#define GCRYPT_VERSION "1.2.2-cvs" /* Internal: We can't use the convenience macros for the multi precision integer functions when building this library. */ Index: libgcrypt/src/sexp.c diff -u libgcrypt/src/sexp.c:1.40.2.1 libgcrypt/src/sexp.c:1.40.2.2 --- libgcrypt/src/sexp.c:1.40.2.1 Tue Sep 21 12:19:11 2004 +++ libgcrypt/src/sexp.c Thu Apr 14 19:42:07 2005 @@ -54,11 +54,28 @@ #define TOKEN_SPECIALS "-./_:*+=" + + static gcry_error_t sexp_sscan (gcry_sexp_t *retsexp, size_t *erroff, const char *buffer, size_t length, int argflag, va_list arg_ptr, void **arg_list); + +/* Return true if P points to a byte containing a whitespace according + to the S-expressions definition. */ +#undef whitespacep +static GPG_ERR_INLINE int +whitespacep (const unsigned char *p) +{ + switch (*p) + { + case ' ': case '\t': case '\v': case '\f': case '\r': case '\n': return 1; + default: return 0; + } +} + + #if 0 static void dump_mpi( gcry_mpi_t a ) @@ -902,7 +919,7 @@ /* FIXME: invent better error codes (?). */ - if (! erroff) + if (!erroff) erroff = &dummy_erroff; /* Depending on wether ARG_LIST is non-zero or not, this macro gives @@ -911,7 +928,7 @@ #define ARG_NEXT(storage, type) \ do \ { \ - if (! arg_list) \ + if (!arg_list) \ storage = va_arg (arg_ptr, type); \ else \ storage = *((type *) (arg_list[arg_counter++])); \ @@ -937,7 +954,7 @@ for (p = buffer, n = length; n; p++, n--) { - if (tokenp && (! hexfmt)) + if (tokenp && !hexfmt) { if (strchr (tokenchars, *p)) continue; @@ -966,9 +983,9 @@ case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': - if (! ((n > 2) - && (p[1] >= '0') && (p[1] <= '7') - && (p[2] >= '0') && (p[2] <= '7'))) + if (!((n > 2) + && (p[1] >= '0') && (p[1] <= '7') + && (p[2] >= '0') && (p[2] <= '7'))) { *erroff = p - buffer; /* Invalid octal value. */ @@ -980,7 +997,7 @@ break; case 'x': - if (! ((n > 2) && isxdigit(p[1]) && isxdigit(p[2]))) + if (!((n > 2) && isxdigit(p[1]) && isxdigit(p[2]))) { *erroff = p - buffer; /* Invalid hex value. */ @@ -1055,14 +1072,14 @@ STORE_LEN (c.pos, datalen); for (hexfmt++; hexfmt < p; hexfmt++) { - if (isspace (*hexfmt)) + if (whitespacep (hexfmt)) continue; *c.pos++ = hextobyte (hexfmt); hexfmt++; } hexfmt = NULL; } - else if (! isspace (*p)) + else if (!whitespacep (p)) { *erroff = p - buffer; err = GPG_ERR_SEXP_BAD_HEX_CHAR; @@ -1075,7 +1092,7 @@ } else if (digptr) { - if (isdigit (*p)) + if (digitp (p)) ; else if (*p == ':') { @@ -1133,7 +1150,7 @@ BUG (); MAKE_SPACE (nm); - if ((! gcry_is_secure (c.sexp->d)) + if ((!gcry_is_secure (c.sexp->d)) && gcry_mpi_get_flag ( m, GCRYMPI_FLAG_SECURE)) { /* We have to switch to secure allocation. */ @@ -1275,7 +1292,7 @@ } else if (*p == ']') { - if (! disphint) + if (!disphint) { *erroff = p - buffer; /* Open display hint. */ @@ -1283,7 +1300,7 @@ } disphint = NULL; } - else if (isdigit (*p)) + else if (digitp (p)) { if (*p == '0') { @@ -1295,7 +1312,7 @@ } else if (strchr (tokenchars, *p)) tokenp = p; - else if (isspace (*p)) + else if (whitespacep (p)) ; else if (*p == '{') { From cvs at cvs.gnupg.org Thu Apr 14 19:34:02 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 14 19:34:04 2005 Subject: libgcrypt/src (ChangeLog sexp.c) Message-ID: Date: Thursday, April 14, 2005 @ 19:50:16 Author: wk Path: /cvs/libgcrypt/libgcrypt/src Modified: ChangeLog sexp.c (whitespacep): New. (sexp_sscan): Replaced isdigit and isspace by whitespacep and digitp. -----------+ ChangeLog | 6 ++++++ sexp.c | 44 +++++++++++++++++++++++++++++--------------- 2 files changed, 35 insertions(+), 15 deletions(-) Index: libgcrypt/src/ChangeLog diff -u libgcrypt/src/ChangeLog:1.163 libgcrypt/src/ChangeLog:1.164 --- libgcrypt/src/ChangeLog:1.163 Mon Apr 11 13:58:29 2005 +++ libgcrypt/src/ChangeLog Thu Apr 14 19:50:16 2005 @@ -1,3 +1,9 @@ +2005-04-14 Werner Koch + + * sexp.c (whitespacep): New. + (sexp_sscan): Replaced isdigit and isspace by whitespacep and + digitp. + 2005-04-11 Moritz Schulte * gcrypt.h (gcry_md_algos): Added: GCRY_MD_WHIRLPOOL. Index: libgcrypt/src/sexp.c diff -u libgcrypt/src/sexp.c:1.42 libgcrypt/src/sexp.c:1.43 --- libgcrypt/src/sexp.c:1.42 Tue Oct 12 10:55:42 2004 +++ libgcrypt/src/sexp.c Thu Apr 14 19:50:16 2005 @@ -58,6 +58,20 @@ const char *buffer, size_t length, int argflag, va_list arg_ptr, void **arg_list); +/* Return true if P points to a byte containing a whitespace according + to the S-expressions definition. */ +#undef whitespacep +static GPG_ERR_INLINE int +whitespacep (const unsigned char *p) +{ + switch (*p) + { + case ' ': case '\t': case '\v': case '\f': case '\r': case '\n': return 1; + default: return 0; + } +} + + #if 0 static void dump_mpi( gcry_mpi_t a ) @@ -901,7 +915,7 @@ /* FIXME: invent better error codes (?). */ - if (! erroff) + if (!erroff) erroff = &dummy_erroff; /* Depending on wether ARG_LIST is non-zero or not, this macro gives @@ -910,7 +924,7 @@ #define ARG_NEXT(storage, type) \ do \ { \ - if (! arg_list) \ + if (!arg_list) \ storage = va_arg (arg_ptr, type); \ else \ storage = *((type *) (arg_list[arg_counter++])); \ @@ -936,7 +950,7 @@ for (p = buffer, n = length; n; p++, n--) { - if (tokenp && (! hexfmt)) + if (tokenp && !hexfmt) { if (strchr (tokenchars, *p)) continue; @@ -965,9 +979,9 @@ case '0': case '1': case '2': case '3': case '4': case '5': case '6': case '7': - if (! ((n > 2) - && (p[1] >= '0') && (p[1] <= '7') - && (p[2] >= '0') && (p[2] <= '7'))) + if (!((n > 2) + && (p[1] >= '0') && (p[1] <= '7') + && (p[2] >= '0') && (p[2] <= '7'))) { *erroff = p - buffer; /* Invalid octal value. */ @@ -979,7 +993,7 @@ break; case 'x': - if (! ((n > 2) && isxdigit(p[1]) && isxdigit(p[2]))) + if (!((n > 2) && hexdigitp (p+1) && hexdigitp (p+2))) { *erroff = p - buffer; /* Invalid hex value. */ @@ -1054,14 +1068,14 @@ STORE_LEN (c.pos, datalen); for (hexfmt++; hexfmt < p; hexfmt++) { - if (isspace (*hexfmt)) + if (whitespacep (hexfmt)) continue; *c.pos++ = hextobyte (hexfmt); hexfmt++; } hexfmt = NULL; } - else if (! isspace (*p)) + else if (!whitespacep (p)) { *erroff = p - buffer; err = GPG_ERR_SEXP_BAD_HEX_CHAR; @@ -1074,7 +1088,7 @@ } else if (digptr) { - if (isdigit (*p)) + if (digitp (p)) ; else if (*p == ':') { @@ -1132,8 +1146,8 @@ BUG (); MAKE_SPACE (nm); - if ((! gcry_is_secure (c.sexp->d)) - && gcry_mpi_get_flag ( m, GCRYMPI_FLAG_SECURE)) + if (!gcry_is_secure (c.sexp->d) + && gcry_mpi_get_flag ( m, GCRYMPI_FLAG_SECURE)) { /* We have to switch to secure allocation. */ gcry_sexp_t newsexp; @@ -1274,7 +1288,7 @@ } else if (*p == ']') { - if (! disphint) + if (!disphint) { *erroff = p - buffer; /* Open display hint. */ @@ -1282,7 +1296,7 @@ } disphint = NULL; } - else if (isdigit (*p)) + else if (digitp (p)) { if (*p == '0') { @@ -1294,7 +1308,7 @@ } else if (strchr (tokenchars, *p)) tokenp = p; - else if (isspace (*p)) + else if (whitespacep (p)) ; else if (*p == '{') { From cvs at cvs.gnupg.org Thu Apr 14 19:35:22 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 14 19:35:25 2005 Subject: LIBGCRYPT-1-2-BRANCH libgcrypt/src (sexp.c) Message-ID: Date: Thursday, April 14, 2005 @ 19:51:42 Author: wk Path: /cvs/libgcrypt/libgcrypt/src Tag: LIBGCRYPT-1-2-BRANCH Modified: sexp.c Do it also for isxdigit. --------+ sexp.c | 2 +- 1 files changed, 1 insertion(+), 1 deletion(-) Index: libgcrypt/src/sexp.c diff -u libgcrypt/src/sexp.c:1.40.2.2 libgcrypt/src/sexp.c:1.40.2.3 --- libgcrypt/src/sexp.c:1.40.2.2 Thu Apr 14 19:42:07 2005 +++ libgcrypt/src/sexp.c Thu Apr 14 19:51:42 2005 @@ -997,7 +997,7 @@ break; case 'x': - if (!((n > 2) && isxdigit(p[1]) && isxdigit(p[2]))) + if (!((n > 2) && hexdigitp (p+1) && hexdigitp (p+2))) { *erroff = p - buffer; /* Invalid hex value. */ From cvs at cvs.gnupg.org Fri Apr 15 03:17:25 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Fri Apr 15 03:17:28 2005 Subject: GNUPG-1-9-BRANCH gnupg (ChangeLog configure.ac tools/ChangeLog tools/Makefile.am) Message-ID: Date: Friday, April 15, 2005 @ 03:33:46 Author: marcus Path: /cvs/gnupg/gnupg Tag: GNUPG-1-9-BRANCH Modified: ChangeLog configure.ac tools/ChangeLog tools/Makefile.am 2005-04-15 Marcus Brinkmann * configure.ac: Add --enable-symcryptrun, disabled by default. Define automake variable BUILD_SYMCRYPTRUN. Check for openpty -lutil, define LIBUTIL_LIBS. tools/ 2005-04-15 Marcus Brinkmann * Makefile.am: Define symcryptrun make variable depending on BUILD_SYMCRYPTUN. (bin_PROGRAMS): Add ${symcryptrun} instead symcryptrun. (symcryptrun_LDADD): Use $(LIBUTIL_LIBS) instead of -lutil. -------------------+ ChangeLog | 6 ++++++ configure.ac | 12 ++++++++++++ tools/ChangeLog | 7 +++++++ tools/Makefile.am | 10 ++++++++-- 4 files changed, 33 insertions(+), 2 deletions(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.131.2.68 gnupg/ChangeLog:1.131.2.69 --- gnupg/ChangeLog:1.131.2.68 Thu Mar 3 11:15:07 2005 +++ gnupg/ChangeLog Fri Apr 15 03:33:46 2005 @@ -1,3 +1,9 @@ +2005-04-15 Marcus Brinkmann + + * configure.ac: Add --enable-symcryptrun, disabled by default. + Define automake variable BUILD_SYMCRYPTRUN. + Check for openpty -lutil, define LIBUTIL_LIBS. + 2005-03-03 Werner Koch * acinclude.m4 (GNUPG_PTH_VERSION_CHECK): Accidently used Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.36.2.80 gnupg/configure.ac:1.36.2.81 --- gnupg/configure.ac:1.36.2.80 Thu Feb 3 14:20:57 2005 +++ gnupg/configure.ac Fri Apr 15 03:33:46 2005 @@ -66,6 +66,7 @@ GNUPG_BUILD_PROGRAM(gpgsm, yes) GNUPG_BUILD_PROGRAM(agent, yes) GNUPG_BUILD_PROGRAM(scdaemon, yes) +GNUPG_BUILD_PROGRAM(symcryptrun, no) AC_SUBST(PACKAGE) @@ -469,6 +470,16 @@ AC_CHECK_FUNCS(usb_create_match) # +# libutil has openpty() and login_tty(). +# +AC_CHECK_LIB(util, openpty, + [ LIBUTIL_LIBS="$LIBUTIL_LIBS -lutil" + AC_DEFINE(HAVE_LIBUTIL,1, + [defined if libutil is available]) + ]) +AC_SUBST(LIBUTIL_LIBS) + +# # Check wether it is necessary to link against libdl. # LIBS="" @@ -1046,6 +1057,7 @@ AM_CONDITIONAL(BUILD_GPGSM, test "$build_gpgsm" = "yes") AM_CONDITIONAL(BUILD_AGENT, test "$build_agent" = "yes") AM_CONDITIONAL(BUILD_SCDAEMON, test "$build_scdaemon" = "yes") +AM_CONDITIONAL(BUILD_SYMCRYPTRUN, test "$build_symcryptrun" = "yes") Index: gnupg/tools/ChangeLog diff -u gnupg/tools/ChangeLog:1.25.2.68 gnupg/tools/ChangeLog:1.25.2.69 --- gnupg/tools/ChangeLog:1.25.2.68 Mon Apr 11 19:22:23 2005 +++ gnupg/tools/ChangeLog Fri Apr 15 03:33:46 2005 @@ -1,3 +1,10 @@ +2005-04-15 Marcus Brinkmann + + * Makefile.am: Define symcryptrun make variable depending on + BUILD_SYMCRYPTUN. + (bin_PROGRAMS): Add ${symcryptrun} instead symcryptrun. + (symcryptrun_LDADD): Use $(LIBUTIL_LIBS) instead of -lutil. + 2005-04-11 Werner Koch * symcryptrun.c (confucius_mktmpdir): Changed to use mkdtmp(3). Index: gnupg/tools/Makefile.am diff -u gnupg/tools/Makefile.am:1.31.2.13 gnupg/tools/Makefile.am:1.31.2.14 --- gnupg/tools/Makefile.am:1.31.2.13 Mon Apr 11 01:10:52 2005 +++ gnupg/tools/Makefile.am Fri Apr 15 03:33:46 2005 @@ -30,7 +30,13 @@ bin_SCRIPTS = gpgsm-gencert.sh -bin_PROGRAMS = gpgconf gpg-connect-agent symcryptrun +if BUILD_SYMCRYPTRUN + symcryptrun = symcryptrun +else + symcryptrun = +endif + +bin_PROGRAMS = gpgconf gpg-connect-agent ${symcryptrun} if !HAVE_W32_SYSTEM bin_PROGRAMS += watchgnupg endif @@ -40,7 +46,7 @@ gpgconf_LDADD = ../jnlib/libjnlib.a ../common/libcommon.a @LIBINTL@ symcryptrun_SOURCES = symcryptrun.c -symcryptrun_LDADD = -lutil ../jnlib/libjnlib.a ../common/libcommon.a \ +symcryptrun_LDADD = $(LIBUTIL_LIBS) ../jnlib/libjnlib.a ../common/libcommon.a \ ../common/libsimple-pwquery.a $(LIBGCRYPT_LIBS) \ $(GPG_ERROR_LIBS) $(LIBINTL) From cvs at cvs.gnupg.org Fri Apr 15 04:08:23 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Fri Apr 15 04:08:26 2005 Subject: GNUPG-1-9-BRANCH gnupg (ChangeLog configure.ac tools/ChangeLog tools/symcryptrun.c) Message-ID: Date: Friday, April 15, 2005 @ 04:24:44 Author: marcus Path: /cvs/gnupg/gnupg Tag: GNUPG-1-9-BRANCH Modified: ChangeLog configure.ac tools/ChangeLog tools/symcryptrun.c 2005-04-15 Marcus Brinkmann * configure.ac: Check for /usr/bin/shred and define SHRED. tools/ 2005-04-15 Marcus Brinkmann * symcryptrun.c (remove_file): New function. (confucius_copy_file): Accept new argument PLAIN and shred the file if it is set on error. ---------------------+ ChangeLog | 2 + configure.ac | 23 +++++++++----- tools/ChangeLog | 4 ++ tools/symcryptrun.c | 80 +++++++++++++++++++++++++++++++++++++++++++------- 4 files changed, 90 insertions(+), 19 deletions(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.131.2.69 gnupg/ChangeLog:1.131.2.70 --- gnupg/ChangeLog:1.131.2.69 Fri Apr 15 03:33:46 2005 +++ gnupg/ChangeLog Fri Apr 15 04:24:44 2005 @@ -1,5 +1,7 @@ 2005-04-15 Marcus Brinkmann + * configure.ac: Check for /usr/bin/shred and define SHRED. + * configure.ac: Add --enable-symcryptrun, disabled by default. Define automake variable BUILD_SYMCRYPTRUN. Check for openpty -lutil, define LIBUTIL_LIBS. Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.36.2.81 gnupg/configure.ac:1.36.2.82 --- gnupg/configure.ac:1.36.2.81 Fri Apr 15 03:33:46 2005 +++ gnupg/configure.ac Fri Apr 15 04:24:44 2005 @@ -470,8 +470,18 @@ AC_CHECK_FUNCS(usb_create_match) # -# libutil has openpty() and login_tty(). +# Check wether it is necessary to link against libdl. +# +LIBS="" +AC_SEARCH_LIBS(dlopen, c dl,,,) +DL_LIBS=$LIBS +AC_SUBST(DL_LIBS) + +# +# Checks for symcryptrun: # + +# libutil has openpty() and login_tty(). AC_CHECK_LIB(util, openpty, [ LIBUTIL_LIBS="$LIBUTIL_LIBS -lutil" AC_DEFINE(HAVE_LIBUTIL,1, @@ -479,13 +489,10 @@ ]) AC_SUBST(LIBUTIL_LIBS) -# -# Check wether it is necessary to link against libdl. -# -LIBS="" -AC_SEARCH_LIBS(dlopen, c dl,,,) -DL_LIBS=$LIBS -AC_SUBST(DL_LIBS) +# shred is used to clean temporary plain text files. +AC_PATH_PROG(SHRED, shred, /usr/bin/shred) +AC_DEFINE_UNQUOTED(SHRED, + "${SHRED}", [defines the filename of the shred program]) # # OpenSC is needed by the SCdaemon - if it is not availbale we can only Index: gnupg/tools/ChangeLog diff -u gnupg/tools/ChangeLog:1.25.2.69 gnupg/tools/ChangeLog:1.25.2.70 --- gnupg/tools/ChangeLog:1.25.2.69 Fri Apr 15 03:33:46 2005 +++ gnupg/tools/ChangeLog Fri Apr 15 04:24:44 2005 @@ -1,5 +1,9 @@ 2005-04-15 Marcus Brinkmann + * symcryptrun.c (remove_file): New function. + (confucius_copy_file): Accept new argument PLAIN and shred the + file if it is set on error. + * Makefile.am: Define symcryptrun make variable depending on BUILD_SYMCRYPTUN. (bin_PROGRAMS): Add ${symcryptrun} instead symcryptrun. Index: gnupg/tools/symcryptrun.c diff -u gnupg/tools/symcryptrun.c:1.1.2.3 gnupg/tools/symcryptrun.c:1.1.2.4 --- gnupg/tools/symcryptrun.c:1.1.2.3 Mon Apr 11 19:22:23 2005 +++ gnupg/tools/symcryptrun.c Fri Apr 15 04:24:44 2005 @@ -217,6 +217,61 @@ } +/* Unlink a file, and shred it if SHRED is true. */ +int +remove_file (char *name, int shred) +{ + if (!shred) + return unlink (name); + else + { + int status; + pid_t pid; + + pid = fork (); + if (pid == 0) + { + /* Child. */ + + /* -f forces file to be writable, and -u unlinks it afterwards. */ + char *args[] = { SHRED, "-uf", name, NULL }; + + execv (SHRED, args); + _exit (127); + } + else if (pid < 0) + { + /* Fork failed. */ + status = -1; + } + else + { + /* Parent. */ + + if (TEMP_FAILURE_RETRY (waitpid (pid, &status, 0)) != pid) + status = -1; + } + + if (!WIFEXITED (status)) + { + log_error (_("%s on %s aborted with status %i\n"), + SHRED, name, status); + unlink (name); + return 1; + } + else if (WEXITSTATUS (status)) + { + log_error (_("%s on %s failed with status %i\n"), SHRED, name, + WEXITSTATUS (status)); + unlink (name); + return 1; + } + + return 0; + } +} + + /* Class Confucius. "Don't worry that other people don't know you; @@ -248,9 +303,11 @@ #define CONFUCIUS_LINESIZE 4096 -/* Copy the file IN to OUT, either of which may be "-". */ +/* Copy the file IN to OUT, either of which may be "-". If PLAIN is + true, and the copying fails, and OUT is not STDOUT, then shred the + file instead unlinking it. */ static int -confucius_copy_file (const char *infile, const char *outfile) +confucius_copy_file (char *infile, char *outfile, int plain) { FILE *in; int in_is_stdin = 0; @@ -327,7 +384,8 @@ copy_err: if (!out_is_stdout) - unlink (outfile); + remove_file (outfile, plain); + return 1; } @@ -712,7 +770,7 @@ strcat (outfile, "/out"); /* Create INFILE and fill it with content. */ - res = confucius_copy_file ("-", infile); + res = confucius_copy_file ("-", infile, mode == oEncrypt); if (res) { free (outfile); @@ -726,8 +784,8 @@ res = confucius_process (mode, infile, outfile); if (res) { - unlink (outfile); - unlink (infile); + remove_file (outfile, mode == oDecrypt); + remove_file (infile, mode == oEncrypt); free (outfile); free (infile); rmdir (tmpdir); @@ -735,19 +793,19 @@ } /* Dump the output file to stdout. */ - res = confucius_copy_file (outfile, "-"); + res = confucius_copy_file (outfile, "-", mode == oDecrypt); if (res) { - unlink (outfile); - unlink (infile); + remove_file (outfile, mode == oDecrypt); + remove_file (infile, mode == oEncrypt); free (outfile); free (infile); rmdir (tmpdir); return res; } - unlink (outfile); - unlink (infile); + remove_file (outfile, mode == oDecrypt); + remove_file (infile, mode == oEncrypt); free (outfile); free (infile); rmdir (tmpdir); From cvs at cvs.gnupg.org Fri Apr 15 10:48:20 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Fri Apr 15 10:48:22 2005 Subject: GNUPG-1-9-BRANCH gnupg/tools (ChangeLog symcryptrun.c) Message-ID: Date: Friday, April 15, 2005 @ 11:04:43 Author: marcus Path: /cvs/gnupg/gnupg/tools Tag: GNUPG-1-9-BRANCH Modified: ChangeLog symcryptrun.c 2005-04-15 Marcus Brinkmann * symcryptrun.c (TEMP_FAILURE_RETRY): Define if not defined. ---------------+ ChangeLog | 2 ++ symcryptrun.c | 15 +++++++++++++++ 2 files changed, 17 insertions(+) Index: gnupg/tools/ChangeLog diff -u gnupg/tools/ChangeLog:1.25.2.70 gnupg/tools/ChangeLog:1.25.2.71 --- gnupg/tools/ChangeLog:1.25.2.70 Fri Apr 15 04:24:44 2005 +++ gnupg/tools/ChangeLog Fri Apr 15 11:04:43 2005 @@ -1,5 +1,7 @@ 2005-04-15 Marcus Brinkmann + * symcryptrun.c (TEMP_FAILURE_RETRY): Define if not defined. + * symcryptrun.c (remove_file): New function. (confucius_copy_file): Accept new argument PLAIN and shred the file if it is set on error. Index: gnupg/tools/symcryptrun.c diff -u gnupg/tools/symcryptrun.c:1.1.2.4 gnupg/tools/symcryptrun.c:1.1.2.5 --- gnupg/tools/symcryptrun.c:1.1.2.4 Fri Apr 15 04:24:44 2005 +++ gnupg/tools/symcryptrun.c Fri Apr 15 11:04:43 2005 @@ -217,6 +217,21 @@ } +/* This is in the GNU C library in unistd.h. */ + +#ifndef TEMP_FAILURE_RETRY +/* Evaluate EXPRESSION, and repeat as long as it returns -1 with `errno' + set to EINTR. */ + +# define TEMP_FAILURE_RETRY(expression) \ + (__extension__ \ + ({ long int __result; \ + do __result = (long int) (expression); \ + while (__result == -1L && errno == EINTR); \ + __result; })) +#endif + + /* Unlink a file, and shred it if SHRED is true. */ int remove_file (char *name, int shred) From cvs at cvs.gnupg.org Sat Apr 16 19:16:14 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Sat Apr 16 19:16:16 2005 Subject: LIBGCRYPT-1-2-BRANCH libgcrypt/cipher (ChangeLog ac.c serpent.c) Message-ID: Date: Saturday, April 16, 2005 @ 19:32:43 Author: mo Path: /cvs/libgcrypt/libgcrypt/cipher Tag: LIBGCRYPT-1-2-BRANCH Modified: ChangeLog ac.c serpent.c 2005-04-16 Moritz Schulte * ac.c (_gcry_ac_init): New function. Replace strdup calls with calls to gcry_strdup. -----------+ ChangeLog | 5 +++++ ac.c | 12 +++++++++--- serpent.c | 2 +- 3 files changed, 15 insertions(+), 4 deletions(-) Index: libgcrypt/cipher/ChangeLog diff -u libgcrypt/cipher/ChangeLog:1.211.2.11 libgcrypt/cipher/ChangeLog:1.211.2.12 --- libgcrypt/cipher/ChangeLog:1.211.2.11 Wed Mar 23 09:52:21 2005 +++ libgcrypt/cipher/ChangeLog Sat Apr 16 19:32:43 2005 @@ -1,3 +1,8 @@ +2005-04-16 Moritz Schulte + + * ac.c (_gcry_ac_init): New function. + Replace strdup calls with calls to gcry_strdup. + 2005-03-23 Werner Koch * rndw32.c (_gcry_rndw32_gather_random_fast): While adding data Index: libgcrypt/cipher/ac.c diff -u libgcrypt/cipher/ac.c:1.13.2.1 libgcrypt/cipher/ac.c:1.13.2.2 --- libgcrypt/cipher/ac.c:1.13.2.1 Mon Aug 9 12:39:51 2004 +++ libgcrypt/cipher/ac.c Sat Apr 16 19:32:43 2005 @@ -151,7 +151,7 @@ data_new->data[i].mpi = NULL; /* Name. */ - data_new->data[i].name = strdup (data->data[i].name); + data_new->data[i].name = gcry_strdup (data->data[i].name); if (! data_new->data[i].name) err = gpg_err_code_from_errno (errno); @@ -531,7 +531,7 @@ { /* Create copies. */ - name_add = strdup (name); + name_add = gcry_strdup (name); if (! name_add) err = GPG_ERR_ENOMEM; if (! err) @@ -666,7 +666,7 @@ { /* Return copies to the user. */ if (name) - name_return = strdup (data->data[idx].name); + name_return = gcry_strdup (data->data[idx].name); if (mpi) mpi_return = gcry_mpi_copy (data->data[idx].mpi); @@ -1388,3 +1388,9 @@ return gcry_error (err); } + +gcry_err_code_t +_gcry_ac_init (void) +{ + return 0; +} Index: libgcrypt/cipher/serpent.c diff -u libgcrypt/cipher/serpent.c:1.4.2.3 libgcrypt/cipher/serpent.c:1.4.2.4 --- libgcrypt/cipher/serpent.c:1.4.2.3 Wed Jan 5 17:29:38 2005 +++ libgcrypt/cipher/serpent.c Sat Apr 16 19:32:43 2005 @@ -1,5 +1,5 @@ /* serpent.c - Implementation of the Serpent encryption algorithm. - * Copyright (C) 2003 Free Software Foundation, Inc. + * Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * From cvs at cvs.gnupg.org Sat Apr 16 19:17:09 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Sat Apr 16 19:17:11 2005 Subject: LIBGCRYPT-1-2-BRANCH libgcrypt/src (ChangeLog g10lib.h global.c) Message-ID: Date: Saturday, April 16, 2005 @ 19:33:40 Author: mo Path: /cvs/libgcrypt/libgcrypt/src Tag: LIBGCRYPT-1-2-BRANCH Modified: ChangeLog g10lib.h global.c 2005-04-16 Moritz Schulte * g10lib.h (_gcry_ac_init): Declare. * global.c (global_init): Call _gcry_ac_init; don't forget to set err. -----------+ ChangeLog | 5 +++++ g10lib.h | 1 + global.c | 8 +++++--- 3 files changed, 11 insertions(+), 3 deletions(-) Index: libgcrypt/src/ChangeLog diff -u libgcrypt/src/ChangeLog:1.151.2.13 libgcrypt/src/ChangeLog:1.151.2.14 --- libgcrypt/src/ChangeLog:1.151.2.13 Thu Apr 14 19:42:07 2005 +++ libgcrypt/src/ChangeLog Sat Apr 16 19:33:40 2005 @@ -1,3 +1,8 @@ +2005-04-16 Moritz Schulte + + * g10lib.h (_gcry_ac_init): Declare. + * global.c (global_init): Call _gcry_ac_init; don't forget to set err. + 2005-04-14 Werner Koch * sexp.c (whitespacep): New. Index: libgcrypt/src/g10lib.h diff -u libgcrypt/src/g10lib.h:1.26.2.1 libgcrypt/src/g10lib.h:1.26.2.2 --- libgcrypt/src/g10lib.h:1.26.2.1 Mon Dec 6 18:36:34 2004 +++ libgcrypt/src/g10lib.h Sat Apr 16 19:33:40 2005 @@ -239,6 +239,7 @@ gcry_err_code_t _gcry_cipher_init (void); gcry_err_code_t _gcry_md_init (void); gcry_err_code_t _gcry_pk_init (void); +gcry_err_code_t _gcry_ac_init (void); gcry_err_code_t _gcry_pk_module_lookup (int id, gcry_module_t *module); void _gcry_pk_module_release (gcry_module_t module); Index: libgcrypt/src/global.c diff -u libgcrypt/src/global.c:1.45.2.3 libgcrypt/src/global.c:1.45.2.4 --- libgcrypt/src/global.c:1.45.2.3 Tue Feb 22 18:59:21 2005 +++ libgcrypt/src/global.c Sat Apr 16 19:33:40 2005 @@ -67,11 +67,13 @@ err = ath_init (); if (! err) - _gcry_cipher_init (); + err = _gcry_cipher_init (); if (! err) - _gcry_md_init (); + err = _gcry_md_init (); if (! err) - _gcry_pk_init (); + err = _gcry_pk_init (); + if (! err) + err = _gcry_ac_init (); if (err) /* FIXME? */ From cvs at cvs.gnupg.org Sat Apr 16 19:17:16 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Sat Apr 16 19:17:18 2005 Subject: LIBGCRYPT-1-2-BRANCH libgcrypt (ChangeLog THANKS) Message-ID: Date: Saturday, April 16, 2005 @ 19:33:47 Author: mo Path: /cvs/libgcrypt/libgcrypt Tag: LIBGCRYPT-1-2-BRANCH Modified: ChangeLog THANKS 2005-02-03 Moritz Schulte * THANKS: Updated. -----------+ ChangeLog | 4 ++++ THANKS | 1 + 2 files changed, 5 insertions(+) Index: libgcrypt/ChangeLog diff -u libgcrypt/ChangeLog:1.158.2.5 libgcrypt/ChangeLog:1.158.2.6 --- libgcrypt/ChangeLog:1.158.2.5 Wed Jan 5 14:52:33 2005 +++ libgcrypt/ChangeLog Sat Apr 16 19:33:47 2005 @@ -1,3 +1,7 @@ +2005-02-03 Moritz Schulte + + * THANKS: Updated. + 2005-01-05 Werner Koch Released 1.2.1. Index: libgcrypt/THANKS diff -u libgcrypt/THANKS:1.79.2.2 libgcrypt/THANKS:1.79.2.3 --- libgcrypt/THANKS:1.79.2.2 Thu Dec 16 17:32:52 2004 +++ libgcrypt/THANKS Sat Apr 16 19:33:47 2005 @@ -72,6 +72,7 @@ Michael Fischer v. Mollard mfvm@gmx.de Michael Roth mroth@nessie.de Michael Sobolev mss@despair.transas.com +Michele Baldessari michele@pupazzo.org Modestas Vainius geromanas@mailas.com Neil Spring nspring@cs.washington.edu Newton Hammet newton@hammet.net From cvs at cvs.gnupg.org Sat Apr 16 20:03:30 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sat Apr 16 20:03:34 2005 Subject: gnupg (ChangeLog configure.ac) Message-ID: Date: Saturday, April 16, 2005 @ 20:20:01 Author: dshaw Path: /cvs/gnupg/gnupg Modified: ChangeLog configure.ac * configure.ac: Add --disable-old-hkp option that can be used along with --with-libcurl to build the curl version of HKP. --------------+ ChangeLog | 5 +++++ configure.ac | 10 +++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.247 gnupg/ChangeLog:1.248 --- gnupg/ChangeLog:1.247 Tue Apr 12 18:11:03 2005 +++ gnupg/ChangeLog Sat Apr 16 20:20:01 2005 @@ -1,3 +1,8 @@ +2005-04-16 David Shaw + + * configure.ac: Add --disable-old-hkp option that can be used + along with --with-libcurl to build the curl version of HKP. + 2005-04-12 David Shaw * configure.ac: Check for memrchr() Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.139 gnupg/configure.ac:1.140 --- gnupg/configure.ac:1.139 Tue Apr 12 18:11:03 2005 +++ gnupg/configure.ac Sat Apr 16 20:20:01 2005 @@ -19,7 +19,7 @@ dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA dnl dnl (Process this file with autoconf to produce a configure script.) -dnlAC_REVISION($Revision: 1.139 $)dnl +dnlAC_REVISION($Revision: 1.140 $)dnl AC_PREREQ(2.59) min_automake_version="1.9.3" @@ -635,6 +635,8 @@ # Are we doing HTTP? +old_hkp=yes + if test x"$try_http" = xyes ; then if test x$libcurl_protocol_HTTP = xyes ; then AC_SUBST(GPGKEYS_CURL,"gpgkeys_curl$EXEEXT") @@ -642,11 +644,17 @@ if test x$libcurl_protocol_HTTPS = xyes ; then AC_DEFINE(HTTPS_VIA_LIBCURL,1,[Define if HTTPS is handled via libcurl]) fi + + AC_ARG_ENABLE(old-hkp, + AC_HELP_STRING([--disable-old-hkp],[disable old HKP processing code and use the new]),old_hkp=$enableval) + else AC_SUBST(GPGKEYS_HTTP,"gpgkeys_http$EXEEXT") fi fi +AM_CONDITIONAL(OLD_HKP,test x"$old_hkp" != xno) + # Are we doing FTP? We only do FTP if we have libcurl. if test x"$try_ftp" = xyes && test x$libcurl_protocol_FTP = xyes ; then From cvs at cvs.gnupg.org Sat Apr 16 20:34:15 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sat Apr 16 20:34:19 2005 Subject: gnupg/keyserver (5 files) Message-ID: Date: Saturday, April 16, 2005 @ 20:50:47 Author: dshaw Path: /cvs/gnupg/gnupg/keyserver Added: gpgkeys_oldhkp.c Modified: ChangeLog gpgkeys_curl.c ksutil.c ksutil.h * gpgkeys_curl.c (main): If the http-proxy option is given without any arguments, try to get the proxy from the environment. * ksutil.h, ksutil.c (curl_err_to_gpg_err, curl_writer): Copy from gpgkeys_curl.c. * gpgkeys_oldhkp.c: Copy from gpgkeys_hkp.c. ------------------+ ChangeLog | 10 gpgkeys_curl.c | 74 --- gpgkeys_oldhkp.c | 1138 +++++++++++++++++++++++++++++++++++++++++++++++++++++ ksutil.c | 66 +++ ksutil.h | 14 5 files changed, 1239 insertions(+), 63 deletions(-) Index: gnupg/keyserver/ChangeLog diff -u gnupg/keyserver/ChangeLog:1.120 gnupg/keyserver/ChangeLog:1.121 --- gnupg/keyserver/ChangeLog:1.120 Wed Mar 23 00:41:08 2005 +++ gnupg/keyserver/ChangeLog Sat Apr 16 20:50:46 2005 @@ -1,3 +1,13 @@ +2005-04-16 David Shaw + + * gpgkeys_curl.c (main): If the http-proxy option is given without + any arguments, try to get the proxy from the environment. + + * ksutil.h, ksutil.c (curl_err_to_gpg_err, curl_writer): Copy from + gpgkeys_curl.c. + + * gpgkeys_oldhkp.c: Copy from gpgkeys_hkp.c. + 2005-03-22 David Shaw * gpgkeys_ldap.c, ksutil.h, ksutil.c (print_nocr): Moved from Index: gnupg/keyserver/gpgkeys_curl.c diff -u gnupg/keyserver/gpgkeys_curl.c:1.15 gnupg/keyserver/gpgkeys_curl.c:1.16 --- gnupg/keyserver/gpgkeys_curl.c:1.15 Thu Mar 17 17:42:41 2005 +++ gnupg/keyserver/gpgkeys_curl.c Sat Apr 16 20:50:46 2005 @@ -38,73 +38,11 @@ extern char *optarg; extern int optind; -static char proxy[MAX_PROXY+1]; static FILE *input,*output,*console; static CURL *curl; static struct ks_options *opt; static int -curl_err_to_gpg_err(CURLcode error) -{ - switch(error) - { - case CURLE_FTP_COULDNT_RETR_FILE: return KEYSERVER_KEY_NOT_FOUND; - default: return KEYSERVER_INTERNAL_ERROR; - } -} - -static size_t -writer(const void *ptr,size_t size,size_t nmemb,void *stream) -{ - const char *buf=ptr; - size_t i; - static int markeridx=0,begun=0,done=0; - static const char *marker=BEGIN; - - /* scan the incoming data for our marker */ - for(i=0;!done && i<(size*nmemb);i++) - { - if(buf[i]==marker[markeridx]) - { - markeridx++; - if(marker[markeridx]=='\0') - { - if(begun) - done=1; - else - { - /* We've found the BEGIN marker, so now we're looking - for the END marker. */ - begun=1; - marker=END; - markeridx=0; - fprintf(output,BEGIN); - continue; - } - } - } - else - markeridx=0; - - if(begun) - { - /* Canonicalize CRLF to just LF by stripping CRs. This - actually makes sense, since on Unix-like machines LF is - correct, and on win32-like machines, our output buffer is - opened in textmode and will re-canonicalize line endings - back to CRLF. Since we only need to handle armored keys, - we don't have to worry about odd cases like CRCRCR and - the like. */ - - if(buf[i]!='\r') - fputc(buf[i],output); - } - } - - return size*nmemb; -} - -static int get_key(char *getkey) { CURLcode res; @@ -123,7 +61,7 @@ opt->path?opt->path:"/"); curl_easy_setopt(curl,CURLOPT_URL,request); - curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,writer); + curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,curl_writer); curl_easy_setopt(curl,CURLOPT_FILE,output); curl_easy_setopt(curl,CURLOPT_ERRORBUFFER,errorbuffer); @@ -155,6 +93,7 @@ char line[MAX_LINE]; char *thekey=NULL; long follow_redirects=5; + char proxy[MAX_PROXY+1]; console=stderr; @@ -256,6 +195,15 @@ strncpy(proxy,&start[11],MAX_PROXY); proxy[MAX_PROXY]='\0'; } + else if(start[10]=='\0') + { + char *http_proxy=getenv(HTTP_PROXY_ENV); + if(http_proxy) + { + strncpy(proxy,http_proxy,MAX_PROXY); + proxy[MAX_PROXY]='\0'; + } + } } else if(strncasecmp(start,"follow-redirects",16)==0) { Index: gnupg/keyserver/gpgkeys_oldhkp.c diff -u /dev/null gnupg/keyserver/gpgkeys_oldhkp.c:1.1 --- /dev/null Sat Apr 16 20:50:47 2005 +++ gnupg/keyserver/gpgkeys_oldhkp.c Sat Apr 16 20:50:46 2005 @@ -0,0 +1,1138 @@ +/* gpgkeys_oldhkp.c - talk to an HKP keyserver + * Copyright (C) 2001, 2002, 2003, 2004, 2005 Free Software Foundation, Inc. + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +/* This is the original version that uses the iobuf library for + communication. */ + +#include +#include +#include +#include +#include +#include +#include +#ifdef HAVE_GETOPT_H +#include +#endif +#define INCLUDED_BY_MAIN_MODULE 1 +#include "util.h" +#include "http.h" +#include "keyserver.h" +#include "ksutil.h" + +extern char *optarg; +extern int optind; + +static int verbose=0,include_revoked=0,include_disabled=0; +static unsigned int http_flags=0; +static char host[MAX_HOST+1]={'\0'},proxy[MAX_PROXY+1]={'\0'},port[MAX_PORT+1]={'\0'}; +static FILE *input=NULL,*output=NULL,*console=NULL; + +int +urlencode_filter( void *opaque, int control, + IOBUF a, byte *buf, size_t *ret_len) +{ + size_t size = *ret_len; + int rc=0; + + if( control == IOBUFCTRL_FLUSH ) { + const byte *p; + for(p=buf; size; p++, size-- ) { + if( isalnum(*p) || *p == '-' ) + iobuf_put( a, *p ); + else if( *p == ' ' ) + iobuf_put( a, '+' ); + else { + char numbuf[5]; + sprintf(numbuf, "%%%02X", *p ); + iobuf_writestr(a, numbuf ); + } + } + } + else if( control == IOBUFCTRL_DESC ) + *(char**)buf = "urlencode_filter"; + return rc; +} + +int +send_key(int *eof) +{ + int rc,begin=0,end=0,ret=KEYSERVER_INTERNAL_ERROR; + char keyid[17]; + char *request; + struct http_context hd; + unsigned int status; + IOBUF temp = iobuf_temp(); + char line[MAX_LINE]; + + memset(&hd,0,sizeof(hd)); + + request=malloc(strlen(host)+100); + if(!request) + { + fprintf(console,"gpgkeys: out of memory\n"); + return KEYSERVER_NO_MEMORY; + } + + iobuf_push_filter(temp,urlencode_filter,NULL); + + /* Read and throw away input until we see the BEGIN */ + + while(fgets(line,MAX_LINE,input)!=NULL) + if(sscanf(line,"KEY %16s BEGIN\n",keyid)==1) + { + begin=1; + break; + } + + if(!begin) + { + /* i.e. eof before the KEY BEGIN was found. This isn't an + error. */ + *eof=1; + ret=KEYSERVER_OK; + goto fail; + } + + /* Now slurp up everything until we see the END */ + + while(fgets(line,MAX_LINE,input)) + if(sscanf(line,"KEY %16s END\n",keyid)==1) + { + end=1; + break; + } + else + if(iobuf_writestr(temp,line)) + { + fprintf(console,"gpgkeys: internal iobuf error\n"); + goto fail; + } + + if(!end) + { + fprintf(console,"gpgkeys: no KEY %s END found\n",keyid); + *eof=1; + ret=KEYSERVER_KEY_INCOMPLETE; + goto fail; + } + + iobuf_flush_temp(temp); + + sprintf(request,"hkp://%s%s%s/pks/add",host,port[0]?":":"",port[0]?port:""); + + if(verbose>2) + fprintf(console,"gpgkeys: HTTP URL is `%s'\n",request); + + rc=http_open(&hd,HTTP_REQ_POST,request,http_flags,proxy[0]?proxy:NULL); + if(rc) + { + fprintf(console,"gpgkeys: unable to connect to `%s'\n",host); + goto fail; + } + + /* Some keyservers require this Content-Type (e.g. CryptoEx). */ + iobuf_writestr(hd.fp_write, + "Content-Type: application/x-www-form-urlencoded\r\n"); + + sprintf(request,"Content-Length: %u\r\n", + (unsigned)iobuf_get_temp_length(temp)+9); + iobuf_writestr(hd.fp_write,request); + + http_start_data(&hd); + + iobuf_writestr(hd.fp_write,"keytext="); + iobuf_write(hd.fp_write, + iobuf_get_temp_buffer(temp),iobuf_get_temp_length(temp)); + iobuf_put(hd.fp_write,'\n'); + + rc=http_wait_response(&hd,&status); + if(rc) + { + fprintf(console,"gpgkeys: error sending to `%s': %s\n", + host,g10_errstr(rc)); + goto fail; + } + + if((status/100)!=2) + { + fprintf(console,"gpgkeys: remote server returned error %d\n",status); + goto fail; + } + + fprintf(output,"KEY %s SENT\n",keyid); + + ret=KEYSERVER_OK; + + fail: + free(request); + iobuf_close(temp); + http_close(&hd); + + if(ret!=0 && begin) + fprintf(output,"KEY %s FAILED %d\n",keyid,ret); + + return ret; +} + +int +get_key(char *getkey) +{ + int rc,gotit=0; + char search[29]; + char *request; + struct http_context hd; + + /* Build the search string. HKP only uses the short key IDs. */ + + if(strncmp(getkey,"0x",2)==0) + getkey+=2; + + if(strlen(getkey)==32) + { + fprintf(console, + "gpgkeys: HKP keyservers do not support v3 fingerprints\n"); + fprintf(output,"KEY 0x%s BEGIN\n",getkey); + fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_NOT_SUPPORTED); + return KEYSERVER_NOT_SUPPORTED; + } + + if(strlen(getkey)>8) + { + char *offset=&getkey[strlen(getkey)-8]; + + /* fingerprint or long key id. Take the last 8 characters and + treat it like a short key id */ + + sprintf(search,"0x%.8s",offset); + } + else + { + /* short key id */ + + sprintf(search,"0x%.8s",getkey); + } + + fprintf(output,"KEY 0x%s BEGIN\n",getkey); + + request=malloc(strlen(host)+100); + if(!request) + { + fprintf(console,"gpgkeys: out of memory\n"); + return KEYSERVER_NO_MEMORY; + } + + sprintf(request,"hkp://%s%s%s/pks/lookup?op=get&options=mr&search=%s", + host,port[0]?":":"",port[0]?port:"", search); + + if(verbose>2) + fprintf(console,"gpgkeys: HTTP URL is `%s'\n",request); + + rc=http_open_document(&hd,request,http_flags,proxy[0]?proxy:NULL); + if(rc!=0) + { + fprintf(console,"gpgkeys: HKP fetch error: %s\n", + rc==G10ERR_NETWORK?strerror(errno):g10_errstr(rc)); + fprintf(output,"KEY 0x%s FAILED %d\n",getkey, + rc==G10ERR_NETWORK?KEYSERVER_UNREACHABLE:KEYSERVER_INTERNAL_ERROR); + } + else + { + unsigned int maxlen=1024,buflen; + byte *line=NULL; + + while(iobuf_read_line(hd.fp_read,&line,&buflen,&maxlen)) + { + maxlen=1024; + + if(gotit) + { + print_nocr(output,line); + if(strncmp(line,END,strlen(END))==0) + break; + } + else + if(strncmp(line,BEGIN,strlen(BEGIN))==0) + { + print_nocr(output,line); + gotit=1; + } + } + + if(gotit) + fprintf(output,"KEY 0x%s END\n",getkey); + else + { + fprintf(console,"gpgkeys: key %s not found on keyserver\n",getkey); + fprintf(output,"KEY 0x%s FAILED %d\n", + getkey,KEYSERVER_KEY_NOT_FOUND); + } + + m_free(line); + http_close(&hd); + } + + free(request); + + return KEYSERVER_OK; +} + +/* Remove anything and de-urlencode in place. Note + that this requires all brackets to be closed on the same line. It + also means that the result is never larger than the input. */ +void +dehtmlize(char *line) +{ + int parsedindex=0; + char *parsed=line; + + while(*line!='\0') + { + switch(*line) + { + case '<': + while(*line!='>' && *line!='\0') + line++; + + if(*line!='\0') + line++; + break; + + case '&': + if((*(line+1)!='\0' && ascii_tolower(*(line+1))=='l') && + (*(line+2)!='\0' && ascii_tolower(*(line+2))=='t') && + (*(line+3)!='\0' && *(line+3)==';')) + { + parsed[parsedindex++]='<'; + line+=4; + break; + } + else if((*(line+1)!='\0' && ascii_tolower(*(line+1))=='g') && + (*(line+2)!='\0' && ascii_tolower(*(line+2))=='t') && + (*(line+3)!='\0' && *(line+3)==';')) + { + parsed[parsedindex++]='>'; + line+=4; + break; + } + else if((*(line+1)!='\0' && ascii_tolower(*(line+1))=='a') && + (*(line+2)!='\0' && ascii_tolower(*(line+2))=='m') && + (*(line+3)!='\0' && ascii_tolower(*(line+3))=='p') && + (*(line+4)!='\0' && *(line+4)==';')) + { + parsed[parsedindex++]='&'; + line+=5; + break; + } + else if((*(line+1)!='\0' && ascii_tolower(*(line+1))=='q') && + (*(line+2)!='\0' && ascii_tolower(*(line+2))=='u') && + (*(line+3)!='\0' && ascii_tolower(*(line+3))=='o') && + (*(line+4)!='\0' && ascii_tolower(*(line+4))=='t') && + (*(line+5)!='\0' && *(line+5)==';')) + { + parsed[parsedindex++]='"'; + line+=6; + break; + } + + default: + parsed[parsedindex++]=*line; + line++; + break; + } + } + + parsed[parsedindex]='\0'; + + /* Chop off any trailing whitespace. Note that the HKP servers have + \r\n as line endings, and the NAI HKP servers have just \n. */ + + if(parsedindex>0) + { + parsedindex--; + while(isspace(((unsigned char *)parsed)[parsedindex])) + { + parsed[parsedindex]='\0'; + if(parsedindex==0) + break; + parsedindex--; + } + } +} + +int +write_quoted(IOBUF a, const char *buf, char delim) +{ + while(*buf) + { + if(*buf==delim) + { + char quoted[5]; + sprintf(quoted,"%%%02X",delim); + if(iobuf_writestr(a,quoted)) + return -1; + } + else if(*buf=='%') + { + if(iobuf_writestr(a,"%25")) + return -1; + } + else + { + if(iobuf_writebyte(a,*buf)) + return -1; + } + + buf++; + } + + return 0; +} + +/* pub 2048/3CB3B415 1998/04/03 David M. Shaw <dshaw@jabberwocky.com> */ + +/* Luckily enough, both the HKP server and NAI HKP interface to their + LDAP server are close enough in output so the same function can + parse them both. */ + +int +parse_hkp_index(IOBUF buffer,char *line) +{ + int ret=0; + + /* printf("Open %d, LINE: `%s'\n",open,line); */ + + dehtmlize(line); + + /* printf("Now open %d, LINE: `%s'\n",open,line); */ + + if(line[0]=='\0') + return 0; + else if(ascii_strncasecmp(line,"pub",3)==0) + { + char *tok,*keyid,*uid=NULL,number[15]; + int bits=0,type=0,disabled=0,revoked=0; + u32 createtime=0; + + line+=3; + + if(*line=='-') + { + disabled=1; + if(!include_disabled) + return 0; + } + + line++; + + tok=strsep(&line,"/"); + if(tok==NULL || strlen(tok)==0) + return ret; + + if(tok[strlen(tok)-1]=='R') + type=1; + else if(tok[strlen(tok)-1]=='D') + type=17; + + bits=atoi(tok); + + keyid=strsep(&line," "); + + tok=strsep(&line," "); + if(tok!=NULL) + { + char *temp=tok; + + /* The date parser wants '-' instead of '/', so... */ + while(*temp!='\0') + { + if(*temp=='/') + *temp='-'; + + temp++; + } + + createtime=scan_isodatestr(tok); + } + + if(line!=NULL) + { + while(*line==' ' && *line!='\0') + line++; + + if(*line!='\0') + { + if(strncmp(line,"*** KEY REVOKED ***",19)==0) + { + revoked=1; + if(!include_revoked) + return 0; + } + else + uid=line; + } + } + + if(keyid) + { + iobuf_writestr(buffer,"pub:"); + + write_quoted(buffer,keyid,':'); + + iobuf_writestr(buffer,":"); + + if(type) + { + sprintf(number,"%d",type); + write_quoted(buffer,number,':'); + } + + iobuf_writestr(buffer,":"); + + if(bits) + { + sprintf(number,"%d",bits); + write_quoted(buffer,number,':'); + } + + iobuf_writestr(buffer,":"); + + if(createtime) + { + sprintf(number,"%d",createtime); + write_quoted(buffer,number,':'); + } + + iobuf_writestr(buffer,"::"); + + if(revoked) + write_quoted(buffer,"r",':'); + + if(disabled) + write_quoted(buffer,"d",':'); + + if(uid) + { + iobuf_writestr(buffer,"\nuid:"); + write_quoted(buffer,uid,':'); + } + + iobuf_writestr(buffer,"\n"); + + ret=1; + } + } + else if(ascii_strncasecmp(line," ",3)==0) + { + while(*line==' ' && *line!='\0') + line++; + + if(*line!='\0') + { + iobuf_writestr(buffer,"uid:"); + write_quoted(buffer,line,':'); + iobuf_writestr(buffer,"\n"); + } + } + +#if 0 + else if(open) + { + /* Try and catch some bastardization of HKP. If we don't have + certain unchanging landmarks, we can't reliably parse the + response. This only complains about problems within the key + section itself. Headers and footers should not matter. */ + + fprintf(console,"gpgkeys: this keyserver does not support searching\n"); + ret=-1; + } +#endif + + return ret; +} + +void +handle_old_hkp_index(IOBUF inp) +{ + int ret,rc,count=0; + unsigned int buflen; + byte *line=NULL; + IOBUF buffer=iobuf_temp(); + + do + { + unsigned int maxlen=1024; + + /* This is a judgement call. Is it better to slurp up all the + results before prompting the user? On the one hand, it + probably makes the keyserver happier to not be blocked on + sending for a long time while the user picks a key. On the + other hand, it might be nice for the server to be able to + stop sending before a large search result page is + complete. */ + + rc=iobuf_read_line(inp,&line,&buflen,&maxlen); + + ret=parse_hkp_index(buffer,line); + if(ret==-1) + break; + + if(rc!=0) + count+=ret; + } + while(rc!=0); + + m_free(line); + + if(ret>-1) + fprintf(output,"info:1:%d\n%s",count,iobuf_get_temp_buffer(buffer)); + + iobuf_close(buffer); +} + +int +search_key(char *searchkey) +{ + int max=0,len=0,ret=KEYSERVER_INTERNAL_ERROR,rc; + struct http_context hd; + char *search=NULL,*request=NULL; + unsigned char *skey=(unsigned char*) searchkey; + + fprintf(output,"SEARCH %s BEGIN\n",searchkey); + + /* Build the search string. It's going to need url-encoding. */ + + while(*skey!='\0') + { + if(max-len<3) + { + max+=100; + search=realloc(search,max+1); /* Note +1 for \0 */ + if (!search) + { + fprintf(console,"gpgkeys: out of memory\n"); + ret=KEYSERVER_NO_MEMORY; + goto fail; + } + } + + if(isalnum(*skey) || *skey=='-') + search[len++]=*skey; + else if(*skey==' ') + search[len++]='+'; + else + { + sprintf(&search[len],"%%%02X",*skey); + len+=3; + } + + skey++; + } + + if(!search) + { + fprintf(console,"gpgkeys: corrupt input?\n"); + return -1; + } + + search[len]='\0'; + + request=malloc(strlen(host)+100+strlen(search)); + if(!request) + { + fprintf(console,"gpgkeys: out of memory\n"); + ret=KEYSERVER_NO_MEMORY; + goto fail; + } + + sprintf(request,"hkp://%s%s%s/pks/lookup?op=index&options=mr&search=%s", + host,port[0]?":":"",port[0]?port:"",search); + + if(verbose>2) + fprintf(console,"gpgkeys: HTTP URL is `%s'\n",request); + + rc=http_open_document(&hd,request,http_flags,proxy[0]?proxy:NULL); + if(rc) + { + fprintf(console,"gpgkeys: can't search keyserver `%s': %s\n", + host,rc==G10ERR_NETWORK?strerror(errno):g10_errstr(rc)); + } + else + { + unsigned int maxlen=1024,buflen; + byte *line=NULL; + + /* Is it a pksd that knows how to handle machine-readable + format? */ + + rc=iobuf_read_line(hd.fp_read,&line,&buflen,&maxlen); + if(line[0]=='<') + handle_old_hkp_index(hd.fp_read); + else + do + { + fprintf(output,"%s",line); + maxlen=1024; + rc=iobuf_read_line(hd.fp_read,&line,&buflen,&maxlen); + } + while(rc!=0); + + m_free(line); + + http_close(&hd); + + fprintf(output,"SEARCH %s END\n",searchkey); + + ret=KEYSERVER_OK; + } + + fail: + + free(request); + free(search); + + if(ret!=KEYSERVER_OK) + fprintf(output,"SEARCH %s FAILED %d\n",searchkey,ret); + + return ret; +} + +void +fail_all(struct keylist *keylist,int action,int err) +{ + if(!keylist) + return; + + if(action==SEARCH) + { + fprintf(output,"SEARCH "); + while(keylist) + { + fprintf(output,"%s ",keylist->str); + keylist=keylist->next; + } + fprintf(output,"FAILED %d\n",err); + } + else + while(keylist) + { + fprintf(output,"KEY %s FAILED %d\n",keylist->str,err); + keylist=keylist->next; + } +} + +static void +show_help (FILE *fp) +{ + fprintf (fp,"-h\thelp\n"); + fprintf (fp,"-V\tversion\n"); + fprintf (fp,"-o\toutput to this file\n"); +} + +int +main(int argc,char *argv[]) +{ + int arg,action=-1,ret=KEYSERVER_INTERNAL_ERROR; + char line[MAX_LINE]; + int failed=0; + struct keylist *keylist=NULL,*keyptr=NULL; + unsigned int timeout=DEFAULT_KEYSERVER_TIMEOUT; + + console=stderr; + + /* Kludge to implement standard GNU options. */ + if (argc > 1 && !strcmp (argv[1], "--version")) + { + fputs ("gpgkeys_hkp (GnuPG) " VERSION"\n", stdout); + return 0; + } + else if (argc > 1 && !strcmp (argv[1], "--help")) + { + show_help (stdout); + return 0; + } + + while((arg=getopt(argc,argv,"hVo:"))!=-1) + switch(arg) + { + default: + case 'h': + show_help (console); + return KEYSERVER_OK; + + case 'V': + fprintf(stdout,"%d\n%s\n",KEYSERVER_PROTO_VERSION,VERSION); + return KEYSERVER_OK; + + case 'o': + output=fopen(optarg,"w"); + if(output==NULL) + { + fprintf(console,"gpgkeys: Cannot open output file `%s': %s\n", + optarg,strerror(errno)); + return KEYSERVER_INTERNAL_ERROR; + } + + break; + } + + if(argc>optind) + { + input=fopen(argv[optind],"r"); + if(input==NULL) + { + fprintf(console,"gpgkeys: Cannot open input file `%s': %s\n", + argv[optind],strerror(errno)); + return KEYSERVER_INTERNAL_ERROR; + } + } + + if(input==NULL) + input=stdin; + + if(output==NULL) + output=stdout; + + /* Get the command and info block */ + + while(fgets(line,MAX_LINE,input)!=NULL) + { + int version; + char command[MAX_COMMAND+1]; + char option[MAX_OPTION+1]; + char hash; + + if(line[0]=='\n') + break; + + if(sscanf(line,"%c",&hash)==1 && hash=='#') + continue; + + if(sscanf(line,"COMMAND %" MKSTRING(MAX_COMMAND) "s\n",command)==1) + { + command[MAX_COMMAND]='\0'; + + if(strcasecmp(command,"get")==0) + action=GET; + else if(strcasecmp(command,"send")==0) + action=SEND; + else if(strcasecmp(command,"search")==0) + action=SEARCH; + + continue; + } + + if(sscanf(line,"HOST %" MKSTRING(MAX_HOST) "s\n",host)==1) + { + host[MAX_HOST]='\0'; + continue; + } + + if(sscanf(line,"PORT %" MKSTRING(MAX_PORT) "s\n",port)==1) + { + port[MAX_PORT]='\0'; + continue; + } + + if(sscanf(line,"VERSION %d\n",&version)==1) + { + if(version!=KEYSERVER_PROTO_VERSION) + { + ret=KEYSERVER_VERSION_ERROR; + goto fail; + } + + continue; + } + + if(sscanf(line,"OPTION %" MKSTRING(MAX_OPTION) "s\n",option)==1) + { + int no=0; + char *start=&option[0]; + + option[MAX_OPTION]='\0'; + + if(strncasecmp(option,"no-",3)==0) + { + no=1; + start=&option[3]; + } + + if(strcasecmp(start,"verbose")==0) + { + if(no) + verbose--; + else + verbose++; + } + else if(strcasecmp(start,"include-revoked")==0) + { + if(no) + include_revoked=0; + else + include_revoked=1; + } + else if(strcasecmp(start,"include-disabled")==0) + { + if(no) + include_disabled=0; + else + include_disabled=1; + } + else if(strncasecmp(start,"http-proxy",10)==0) + { + if(no) + proxy[0]='\0'; + else if(start[10]=='=') + { + strncpy(proxy,&start[11],MAX_PROXY); + proxy[MAX_PROXY]='\0'; + } + else if(start[10]=='\0') + { + char *http_proxy=getenv(HTTP_PROXY_ENV); + if(http_proxy) + { + strncpy(proxy,http_proxy,MAX_PROXY); + proxy[MAX_PROXY]='\0'; + } + } + } + else if(strcasecmp(start,"broken-http-proxy")==0) + { + if(no) + http_flags&=~HTTP_FLAG_NO_SHUTDOWN; + else + http_flags|=HTTP_FLAG_NO_SHUTDOWN; + } + else if(strcasecmp(start,"try-dns-srv")==0) + { + if(no) + http_flags&=~HTTP_FLAG_TRY_SRV; + else + http_flags|=HTTP_FLAG_TRY_SRV; + } + else if(strncasecmp(start,"timeout",7)==0) + { + if(no) + timeout=0; + else if(start[7]=='=') + timeout=atoi(&start[8]); + else if(start[7]=='\0') + timeout=DEFAULT_KEYSERVER_TIMEOUT; + } + + continue; + } + } + + if(timeout && register_timeout()==-1) + { + fprintf(console,"gpgkeys: unable to register timeout handler\n"); + return KEYSERVER_INTERNAL_ERROR; + } + + /* By suggested convention, if the user gives a :port, then disable + SRV. */ + if(port[0]) + http_flags&=~HTTP_FLAG_TRY_SRV; + + /* If it's a GET or a SEARCH, the next thing to come in is the + keyids. If it's a SEND, then there are no keyids. */ + + if(action==SEND) + while(fgets(line,MAX_LINE,input)!=NULL && line[0]!='\n'); + else if(action==GET || action==SEARCH) + { + for(;;) + { + struct keylist *work; + + if(fgets(line,MAX_LINE,input)==NULL) + break; + else + { + if(line[0]=='\n' || line[0]=='\0') + break; + + work=malloc(sizeof(struct keylist)); + if(work==NULL) + { + fprintf(console,"gpgkeys: out of memory while " + "building key list\n"); + ret=KEYSERVER_NO_MEMORY; + goto fail; + } + + strcpy(work->str,line); + + /* Trim the trailing \n */ + work->str[strlen(line)-1]='\0'; + + work->next=NULL; + + /* Always attach at the end to keep the list in proper + order for searching */ + if(keylist==NULL) + keylist=work; + else + keyptr->next=work; + + keyptr=work; + } + } + } + else + { + fprintf(console,"gpgkeys: no keyserver command specified\n"); + goto fail; + } + + /* Send the response */ + + fprintf(output,"VERSION %d\n",KEYSERVER_PROTO_VERSION); + fprintf(output,"PROGRAM %s\n\n",VERSION); + + if(verbose>1) + { + fprintf(console,"Host:\t\t%s\n",host); + if(port[0]) + fprintf(console,"Port:\t\t%s\n",port); + fprintf(console,"Command:\t%s\n",action==GET?"GET": + action==SEND?"SEND":"SEARCH"); + } + +#if 0 + if(verbose>1) + { + vals=ldap_get_values(ldap,res,"software"); + if(vals!=NULL) + { + fprintf(console,"Server: \t%s\n",vals[0]); + ldap_value_free(vals); + } + + vals=ldap_get_values(ldap,res,"version"); + if(vals!=NULL) + { + fprintf(console,"Version:\t%s\n",vals[0]); + ldap_value_free(vals); + } + } +#endif + + switch(action) + { + case GET: + keyptr=keylist; + + while(keyptr!=NULL) + { + set_timeout(timeout); + + if(get_key(keyptr->str)!=KEYSERVER_OK) + failed++; + + keyptr=keyptr->next; + } + break; + + case SEND: + { + int eof=0; + + do + { + set_timeout(timeout); + + if(send_key(&eof)!=KEYSERVER_OK) + failed++; + } + while(!eof); + } + break; + + case SEARCH: + { + char *searchkey=NULL; + int len=0; + + set_timeout(timeout); + + /* To search, we stick a space in between each key to search + for. */ + + keyptr=keylist; + while(keyptr!=NULL) + { + len+=strlen(keyptr->str)+1; + keyptr=keyptr->next; + } + + searchkey=malloc(len+1); + if(searchkey==NULL) + { + ret=KEYSERVER_NO_MEMORY; + fail_all(keylist,action,KEYSERVER_NO_MEMORY); + goto fail; + } + + searchkey[0]='\0'; + + keyptr=keylist; + while(keyptr!=NULL) + { + strcat(searchkey,keyptr->str); + strcat(searchkey," "); + keyptr=keyptr->next; + } + + /* Nail that last space */ + if(*searchkey) + searchkey[strlen(searchkey)-1]='\0'; + + if(search_key(searchkey)!=KEYSERVER_OK) + failed++; + + free(searchkey); + } + + break; + } + + if(!failed) + ret=KEYSERVER_OK; + + fail: + while(keylist!=NULL) + { + struct keylist *current=keylist; + keylist=keylist->next; + free(current); + } + + if(input!=stdin) + fclose(input); + + if(output!=stdout) + fclose(output); + + return ret; +} Index: gnupg/keyserver/ksutil.c diff -u gnupg/keyserver/ksutil.c:1.6 gnupg/keyserver/ksutil.c:1.7 --- gnupg/keyserver/ksutil.c:1.6 Wed Mar 23 00:41:08 2005 +++ gnupg/keyserver/ksutil.c Sat Apr 16 20:50:46 2005 @@ -24,6 +24,11 @@ #include #include #include +#ifdef FAKE_CURL +#include "curl-shim.h" +#else +#include +#endif #include "keyserver.h" #include "ksutil.h" @@ -312,3 +317,64 @@ str++; } } + +int +curl_err_to_gpg_err(CURLcode error) +{ + switch(error) + { + case CURLE_FTP_COULDNT_RETR_FILE: return KEYSERVER_KEY_NOT_FOUND; + default: return KEYSERVER_INTERNAL_ERROR; + } +} + +size_t +curl_writer(const void *ptr,size_t size,size_t nmemb,void *stream) +{ + const char *buf=ptr; + size_t i; + static int markeridx=0,begun=0,done=0; + static const char *marker=BEGIN; + + /* scan the incoming data for our marker */ + for(i=0;!done && i<(size*nmemb);i++) + { + if(buf[i]==marker[markeridx]) + { + markeridx++; + if(marker[markeridx]=='\0') + { + if(begun) + done=1; + else + { + /* We've found the BEGIN marker, so now we're looking + for the END marker. */ + begun=1; + marker=END; + markeridx=0; + fprintf(stream,BEGIN); + continue; + } + } + } + else + markeridx=0; + + if(begun) + { + /* Canonicalize CRLF to just LF by stripping CRs. This + actually makes sense, since on Unix-like machines LF is + correct, and on win32-like machines, our output buffer is + opened in textmode and will re-canonicalize line endings + back to CRLF. Since we only need to handle armored keys, + we don't have to worry about odd cases like CRCRCR and + the like. */ + + if(buf[i]!='\r') + fputc(buf[i],stream); + } + } + + return size*nmemb; +} Index: gnupg/keyserver/ksutil.h diff -u gnupg/keyserver/ksutil.h:1.8 gnupg/keyserver/ksutil.h:1.9 --- gnupg/keyserver/ksutil.h:1.8 Wed Mar 23 00:41:08 2005 +++ gnupg/keyserver/ksutil.h Sat Apr 16 20:50:46 2005 @@ -21,6 +21,12 @@ #ifndef _KSUTIL_H_ #define _KSUTIL_H_ +#ifdef FAKE_CURL +#include "curl-shim.h" +#else +#include +#endif + #define GET 0 #define SEND 1 #define SEARCH 2 @@ -47,6 +53,12 @@ #define BEGIN "-----BEGIN PGP PUBLIC KEY BLOCK-----" #define END "-----END PGP PUBLIC KEY BLOCK-----" +#ifdef __riscos__ +#define HTTP_PROXY_ENV "GnuPG$HttpProxy" +#else +#define HTTP_PROXY_ENV "http_proxy" +#endif + struct keylist { char str[MAX_LINE]; @@ -88,5 +100,7 @@ int parse_ks_options(char *line,struct ks_options *opt); const char *ks_action_to_string(enum ks_action action); void print_nocr(FILE *stream,const char *str); +int curl_err_to_gpg_err(CURLcode error); +size_t curl_writer(const void *ptr,size_t size,size_t nmemb,void *stream); #endif /* !_KSUTIL_H_ */ From cvs at cvs.gnupg.org Sun Apr 17 00:04:56 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sun Apr 17 00:04:59 2005 Subject: gnupg/keyserver (ChangeLog curl-shim.c curl-shim.h) Message-ID: Date: Sunday, April 17, 2005 @ 00:21:28 Author: dshaw Path: /cvs/gnupg/gnupg/keyserver Modified: ChangeLog curl-shim.c curl-shim.h * curl-shim.h, curl-shim.c (curl_escape, curl_free): Emulate curl_escape and curl_free. -------------+ ChangeLog | 3 ++ curl-shim.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ curl-shim.h | 2 + 3 files changed, 66 insertions(+) Index: gnupg/keyserver/ChangeLog diff -u gnupg/keyserver/ChangeLog:1.121 gnupg/keyserver/ChangeLog:1.122 --- gnupg/keyserver/ChangeLog:1.121 Sat Apr 16 20:50:46 2005 +++ gnupg/keyserver/ChangeLog Sun Apr 17 00:21:28 2005 @@ -1,5 +1,8 @@ 2005-04-16 David Shaw + * curl-shim.h, curl-shim.c (curl_escape, curl_free): Emulate + curl_escape and curl_free. + * gpgkeys_curl.c (main): If the http-proxy option is given without any arguments, try to get the proxy from the environment. Index: gnupg/keyserver/curl-shim.c diff -u gnupg/keyserver/curl-shim.c:1.2 gnupg/keyserver/curl-shim.c:1.3 --- gnupg/keyserver/curl-shim.c:1.2 Sat Feb 12 04:15:02 2005 +++ gnupg/keyserver/curl-shim.c Sun Apr 17 00:21:28 2005 @@ -151,3 +151,64 @@ return handle_error(curl,err,errstr); } + +/* This is not the same exact set that is allowed according to + RFC-2396, but it is what the real curl uses. */ +#define VALID_URI_CHARS "abcdefghijklmnopqrstuvwxyz" \ + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \ + "0123456789" + +char *curl_escape(char *str,int length) +{ + int len,max,idx,enc_idx=0; + char *enc; + + if(length) + len=length; + else + len=strlen(str); + + enc=malloc(len+1); + if(!enc) + return enc; + + max=len; + + for(idx=0;idxmax) + { + char *tmp; + + max+=100; + + tmp=realloc(enc,max+1); + if(!tmp) + { + free(enc); + return NULL; + } + + enc=tmp; + } + + if(strchr(VALID_URI_CHARS,str[idx])) + enc[enc_idx++]=str[idx]; + else + { + char numbuf[5]; + sprintf(numbuf,"%%%02X",str[idx]); + strcpy(&enc[enc_idx],numbuf); + enc_idx+=3; + } + } + + enc[enc_idx]='\0'; + + return enc; +} + +void curl_free(char *ptr) +{ + free(ptr); +} Index: gnupg/keyserver/curl-shim.h diff -u gnupg/keyserver/curl-shim.h:1.2 gnupg/keyserver/curl-shim.h:1.3 --- gnupg/keyserver/curl-shim.h:1.2 Sat Feb 12 04:15:02 2005 +++ gnupg/keyserver/curl-shim.h Sun Apr 17 00:21:28 2005 @@ -68,5 +68,7 @@ CURLcode curl_easy_setopt(CURL *curl,CURLoption option,...); CURLcode curl_easy_perform(CURL *curl); void curl_easy_cleanup(CURL *curl); +char *curl_escape(char *str,int len); +void curl_free(char *ptr); #endif /* !_CURL_SHIM_H_ */ From cvs at cvs.gnupg.org Sun Apr 17 01:49:32 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sun Apr 17 01:49:35 2005 Subject: gnupg (ChangeLog configure.ac) Message-ID: Date: Sunday, April 17, 2005 @ 02:06:04 Author: dshaw Path: /cvs/gnupg/gnupg Modified: ChangeLog configure.ac * configure.ac: Remove --disable-old-hkp - use new HKP handler for --with-libcurl or --enable-fake-curl. --------------+ ChangeLog | 3 +++ configure.ac | 16 +++++----------- 2 files changed, 8 insertions(+), 11 deletions(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.248 gnupg/ChangeLog:1.249 --- gnupg/ChangeLog:1.248 Sat Apr 16 20:20:01 2005 +++ gnupg/ChangeLog Sun Apr 17 02:06:04 2005 @@ -1,5 +1,8 @@ 2005-04-16 David Shaw + * configure.ac: Remove --disable-old-hkp - use new HKP handler for + --with-libcurl or --enable-fake-curl. + * configure.ac: Add --disable-old-hkp option that can be used along with --with-libcurl to build the curl version of HKP. Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.140 gnupg/configure.ac:1.141 --- gnupg/configure.ac:1.140 Sat Apr 16 20:20:01 2005 +++ gnupg/configure.ac Sun Apr 17 02:06:04 2005 @@ -19,7 +19,7 @@ dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA dnl dnl (Process this file with autoconf to produce a configure script.) -dnlAC_REVISION($Revision: 1.140 $)dnl +dnlAC_REVISION($Revision: 1.141 $)dnl AC_PREREQ(2.59) min_automake_version="1.9.3" @@ -628,14 +628,14 @@ else # If we have neither FTP or HTTP defined, then don't bother to check # for curl. - if test x"$try_ftp" = xyes || test x"$try_http" = xyes ; then - LIBCURL_CHECK_CONFIG([no]) + if test x"$try_hkp" = xyes || test x"$try_ftp" = xyes || test x"$try_http" = xyes ; then + LIBCURL_CHECK_CONFIG([no],,[with_curl=yes]) fi fi -# Are we doing HTTP? +AM_CONDITIONAL(WITH_CURL,test x"$with_curl" = xyes || test x"$fake_curl" = xyes) -old_hkp=yes +# Are we doing HTTP? if test x"$try_http" = xyes ; then if test x$libcurl_protocol_HTTP = xyes ; then @@ -644,17 +644,11 @@ if test x$libcurl_protocol_HTTPS = xyes ; then AC_DEFINE(HTTPS_VIA_LIBCURL,1,[Define if HTTPS is handled via libcurl]) fi - - AC_ARG_ENABLE(old-hkp, - AC_HELP_STRING([--disable-old-hkp],[disable old HKP processing code and use the new]),old_hkp=$enableval) - else AC_SUBST(GPGKEYS_HTTP,"gpgkeys_http$EXEEXT") fi fi -AM_CONDITIONAL(OLD_HKP,test x"$old_hkp" != xno) - # Are we doing FTP? We only do FTP if we have libcurl. if test x"$try_ftp" = xyes && test x$libcurl_protocol_FTP = xyes ; then From cvs at cvs.gnupg.org Sun Apr 17 03:22:51 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sun Apr 17 03:22:55 2005 Subject: gnupg/keyserver (ChangeLog curl-shim.c curl-shim.h) Message-ID: Date: Sunday, April 17, 2005 @ 03:39:25 Author: dshaw Path: /cvs/gnupg/gnupg/keyserver Modified: ChangeLog curl-shim.c curl-shim.h * curl-shim.h, curl-shim.c (handle_error, curl_easy_setopt, curl_easy_perform): Add POST functionality to the curl shim. -------------+ ChangeLog | 3 + curl-shim.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++---------- curl-shim.h | 19 +++++++--- 3 files changed, 110 insertions(+), 22 deletions(-) Index: gnupg/keyserver/ChangeLog diff -u gnupg/keyserver/ChangeLog:1.122 gnupg/keyserver/ChangeLog:1.123 --- gnupg/keyserver/ChangeLog:1.122 Sun Apr 17 00:21:28 2005 +++ gnupg/keyserver/ChangeLog Sun Apr 17 03:39:24 2005 @@ -1,5 +1,8 @@ 2005-04-16 David Shaw + * curl-shim.h, curl-shim.c (handle_error, curl_easy_setopt, + curl_easy_perform): Add POST functionality to the curl shim. + * curl-shim.h, curl-shim.c (curl_escape, curl_free): Emulate curl_escape and curl_free. Index: gnupg/keyserver/curl-shim.c diff -u gnupg/keyserver/curl-shim.c:1.3 gnupg/keyserver/curl-shim.c:1.4 --- gnupg/keyserver/curl-shim.c:1.3 Sun Apr 17 00:21:28 2005 +++ gnupg/keyserver/curl-shim.c Sun Apr 17 03:39:24 2005 @@ -48,6 +48,10 @@ strcpy(curl->errorbuffer,"write error"); break; + case CURLE_HTTP_RETURNED_ERROR: + sprintf(curl->errorbuffer,"url returned error %u",curl->status); + break; + default: strcpy(curl->errorbuffer,"generic error"); break; @@ -103,6 +107,15 @@ case CURLOPT_PROXY: curl->proxy=va_arg(ap,char *); break; + case CURLOPT_POST: + curl->flags.post=va_arg(ap,unsigned int); + break; + case CURLOPT_POSTFIELDS: + curl->postfields=va_arg(ap,char *); + break; + case CURLOPT_FAILONERROR: + curl->flags.failonerror=va_arg(ap,unsigned int); + break; default: /* We ignore the huge majority of curl options */ break; @@ -117,36 +130,97 @@ CURLcode err=CURLE_OK; const char *errstr=NULL; - rc=http_open_document(&curl->hd,curl->url,0,curl->proxy); - if(rc!=0) + if(curl->flags.post) { - if(rc==G10ERR_NETWORK) - errstr=strerror(errno); + rc=http_open(&curl->hd,HTTP_REQ_POST,curl->url,0,curl->proxy); + if(rc!=0) + { + if(rc==G10ERR_NETWORK) + errstr=strerror(errno); + else + errstr=g10_errstr(rc); + + err=CURLE_COULDNT_CONNECT; + } else - errstr=g10_errstr(rc); + { + char content_len[50]; + unsigned int post_len=strlen(curl->postfields); - err=CURLE_COULDNT_CONNECT; + iobuf_writestr(curl->hd.fp_write, + "Content-Type: application/x-www-form-urlencoded\r\n"); + sprintf(content_len,"Content-Length: %u\r\n",post_len); + + iobuf_writestr(curl->hd.fp_write,content_len); + + http_start_data(&curl->hd); + iobuf_write(curl->hd.fp_write,curl->postfields,post_len); + rc=http_wait_response(&curl->hd,&curl->status); + if(rc!=0) + { + if(rc==G10ERR_NETWORK) + errstr=strerror(errno); + else + errstr=g10_errstr(rc); + + err=CURLE_COULDNT_CONNECT; + } + + if(curl->flags.failonerror && curl->status>=300) + err=CURLE_HTTP_RETURNED_ERROR; + } } else { - unsigned int maxlen=1024,buflen,len; - byte *line=NULL; + rc=http_open(&curl->hd,HTTP_REQ_GET,curl->url,0,curl->proxy); + if(rc!=0) + { + if(rc==G10ERR_NETWORK) + errstr=strerror(errno); + else + errstr=g10_errstr(rc); - while((len=iobuf_read_line(curl->hd.fp_read,&line,&buflen,&maxlen))) + err=CURLE_COULDNT_CONNECT; + } + else { - maxlen=1024; - size_t ret; + rc=http_wait_response(&curl->hd,&curl->status); + if(rc) + { + http_close(&curl->hd); - ret=(curl->writer)(line,len,1,curl->file); - if(ret!=len) + if(rc==G10ERR_NETWORK) + errstr=strerror(errno); + else + errstr=g10_errstr(rc); + + err=CURLE_COULDNT_CONNECT; + } + else if(curl->flags.failonerror && curl->status>=300) + err=CURLE_HTTP_RETURNED_ERROR; + else { - err=CURLE_WRITE_ERROR; - break; + unsigned int maxlen=1024,buflen,len; + byte *line=NULL; + + while((len=iobuf_read_line(curl->hd.fp_read, + &line,&buflen,&maxlen))) + { + maxlen=1024; + size_t ret; + + ret=(curl->writer)(line,len,1,curl->file); + if(ret!=len) + { + err=CURLE_WRITE_ERROR; + break; + } + } + + m_free(line); + http_close(&curl->hd); } } - - m_free(line); - http_close(&curl->hd); } return handle_error(curl,err,errstr); Index: gnupg/keyserver/curl-shim.h diff -u gnupg/keyserver/curl-shim.h:1.3 gnupg/keyserver/curl-shim.h:1.4 --- gnupg/keyserver/curl-shim.h:1.3 Sun Apr 17 00:21:28 2005 +++ gnupg/keyserver/curl-shim.h Sun Apr 17 03:39:24 2005 @@ -26,9 +26,10 @@ typedef enum { CURLE_OK=0, - CURLE_FTP_COULDNT_RETR_FILE, - CURLE_COULDNT_CONNECT, - CURLE_WRITE_ERROR + CURLE_COULDNT_CONNECT=7, + CURLE_FTP_COULDNT_RETR_FILE=19, + CURLE_HTTP_RETURNED_ERROR=22, + CURLE_WRITE_ERROR=23 } CURLcode; typedef enum @@ -43,7 +44,10 @@ CURLOPT_VERBOSE, CURLOPT_SSL_VERIFYPEER, CURLOPT_PROXY, - CURLOPT_CAINFO + CURLOPT_CAINFO, + CURLOPT_POST, + CURLOPT_POSTFIELDS, + CURLOPT_FAILONERROR } CURLoption; typedef size_t (*write_func)(char *buffer,size_t size, @@ -56,6 +60,13 @@ char *proxy; write_func writer; void *file; + char *postfields; + unsigned int status; + struct + { + unsigned int post:1; + unsigned int failonerror:1; + } flags; struct http_context hd; } CURL; From cvs at cvs.gnupg.org Sun Apr 17 03:35:31 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sun Apr 17 03:35:33 2005 Subject: gnupg/keyserver (ChangeLog gpgkeys_curl.c ksutil.c ksutil.h) Message-ID: Date: Sunday, April 17, 2005 @ 03:52:04 Author: dshaw Path: /cvs/gnupg/gnupg/keyserver Modified: ChangeLog gpgkeys_curl.c ksutil.c ksutil.h * ksutil.h, ksutil.c (curl_writer), gpgkeys_curl.c (get_key): Pass a context to curl_writer so we can support multiple fetches in a single session. ----------------+ ChangeLog | 4 ++++ gpgkeys_curl.c | 6 +++++- ksutil.c | 37 +++++++++++++++++++++---------------- ksutil.h | 10 +++++++++- 4 files changed, 39 insertions(+), 18 deletions(-) Index: gnupg/keyserver/ChangeLog diff -u gnupg/keyserver/ChangeLog:1.123 gnupg/keyserver/ChangeLog:1.124 --- gnupg/keyserver/ChangeLog:1.123 Sun Apr 17 03:39:24 2005 +++ gnupg/keyserver/ChangeLog Sun Apr 17 03:52:04 2005 @@ -1,5 +1,9 @@ 2005-04-16 David Shaw + * ksutil.h, ksutil.c (curl_writer), gpgkeys_curl.c (get_key): Pass + a context to curl_writer so we can support multiple fetches in a + single session. + * curl-shim.h, curl-shim.c (handle_error, curl_easy_setopt, curl_easy_perform): Add POST functionality to the curl shim. Index: gnupg/keyserver/gpgkeys_curl.c diff -u gnupg/keyserver/gpgkeys_curl.c:1.16 gnupg/keyserver/gpgkeys_curl.c:1.17 --- gnupg/keyserver/gpgkeys_curl.c:1.16 Sat Apr 16 20:50:46 2005 +++ gnupg/keyserver/gpgkeys_curl.c Sun Apr 17 03:52:04 2005 @@ -48,6 +48,9 @@ CURLcode res; char errorbuffer[CURL_ERROR_SIZE]; char request[MAX_URL]; + struct curl_writer_ctx ctx; + + memset(&ctx,0,sizeof(ctx)); if(strncmp(getkey,"0x",2)==0) getkey+=2; @@ -62,7 +65,8 @@ curl_easy_setopt(curl,CURLOPT_URL,request); curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,curl_writer); - curl_easy_setopt(curl,CURLOPT_FILE,output); + ctx.stream=output; + curl_easy_setopt(curl,CURLOPT_FILE,&ctx); curl_easy_setopt(curl,CURLOPT_ERRORBUFFER,errorbuffer); res=curl_easy_perform(curl); Index: gnupg/keyserver/ksutil.c diff -u gnupg/keyserver/ksutil.c:1.7 gnupg/keyserver/ksutil.c:1.8 --- gnupg/keyserver/ksutil.c:1.7 Sat Apr 16 20:50:46 2005 +++ gnupg/keyserver/ksutil.c Sun Apr 17 03:52:04 2005 @@ -329,39 +329,44 @@ } size_t -curl_writer(const void *ptr,size_t size,size_t nmemb,void *stream) +curl_writer(const void *ptr,size_t size,size_t nmemb,void *cw_ctx) { + struct curl_writer_ctx *ctx=cw_ctx; const char *buf=ptr; size_t i; - static int markeridx=0,begun=0,done=0; - static const char *marker=BEGIN; + + if(!ctx->initialized) + { + ctx->marker=BEGIN; + ctx->initialized=1; + } /* scan the incoming data for our marker */ - for(i=0;!done && i<(size*nmemb);i++) + for(i=0;!ctx->done && i<(size*nmemb);i++) { - if(buf[i]==marker[markeridx]) + if(buf[i]==ctx->marker[ctx->markeridx]) { - markeridx++; - if(marker[markeridx]=='\0') + ctx->markeridx++; + if(ctx->marker[ctx->markeridx]=='\0') { - if(begun) - done=1; + if(ctx->begun) + ctx->done=1; else { /* We've found the BEGIN marker, so now we're looking for the END marker. */ - begun=1; - marker=END; - markeridx=0; - fprintf(stream,BEGIN); + ctx->begun=1; + ctx->marker=END; + ctx->markeridx=0; + fprintf(ctx->stream,BEGIN); continue; } } } else - markeridx=0; + ctx->markeridx=0; - if(begun) + if(ctx->begun) { /* Canonicalize CRLF to just LF by stripping CRs. This actually makes sense, since on Unix-like machines LF is @@ -372,7 +377,7 @@ the like. */ if(buf[i]!='\r') - fputc(buf[i],stream); + fputc(buf[i],ctx->stream); } } Index: gnupg/keyserver/ksutil.h diff -u gnupg/keyserver/ksutil.h:1.9 gnupg/keyserver/ksutil.h:1.10 --- gnupg/keyserver/ksutil.h:1.9 Sat Apr 16 20:50:46 2005 +++ gnupg/keyserver/ksutil.h Sun Apr 17 03:52:04 2005 @@ -101,6 +101,14 @@ const char *ks_action_to_string(enum ks_action action); void print_nocr(FILE *stream,const char *str); int curl_err_to_gpg_err(CURLcode error); -size_t curl_writer(const void *ptr,size_t size,size_t nmemb,void *stream); + +struct curl_writer_ctx +{ + int initialized,markeridx,begun,done; + const char *marker; + FILE *stream; +}; + +size_t curl_writer(const void *ptr,size_t size,size_t nmemb,void *cw_ctx); #endif /* !_KSUTIL_H_ */ From cvs at cvs.gnupg.org Sun Apr 17 04:01:59 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sun Apr 17 04:02:03 2005 Subject: gnupg/keyserver (ChangeLog Makefile.am curl-shim.c gpgkeys_hkp.c) Message-ID: Date: Sunday, April 17, 2005 @ 04:18:32 Author: dshaw Path: /cvs/gnupg/gnupg/keyserver Modified: ChangeLog Makefile.am curl-shim.c gpgkeys_hkp.c * gpgkeys_hkp.c: New hkp handler that uses curl or curl-shim. * Makefile.am: Build new gpgkeys_hkp. * curl-shim.c (curl_easy_perform): Cleanup. ---------------+ ChangeLog | 6 Makefile.am | 14 curl-shim.c | 121 +++--- gpgkeys_hkp.c | 969 ++++++++++++++------------------------------------------ 4 files changed, 328 insertions(+), 782 deletions(-) Index: gnupg/keyserver/ChangeLog diff -u gnupg/keyserver/ChangeLog:1.124 gnupg/keyserver/ChangeLog:1.125 --- gnupg/keyserver/ChangeLog:1.124 Sun Apr 17 03:52:04 2005 +++ gnupg/keyserver/ChangeLog Sun Apr 17 04:18:32 2005 @@ -1,5 +1,11 @@ 2005-04-16 David Shaw + * gpgkeys_hkp.c: New hkp handler that uses curl or curl-shim. + + * Makefile.am: Build new gpgkeys_hkp. + + * curl-shim.c (curl_easy_perform): Cleanup. + * ksutil.h, ksutil.c (curl_writer), gpgkeys_curl.c (get_key): Pass a context to curl_writer so we can support multiple fetches in a single session. Index: gnupg/keyserver/Makefile.am diff -u gnupg/keyserver/Makefile.am:1.27 gnupg/keyserver/Makefile.am:1.28 --- gnupg/keyserver/Makefile.am:1.27 Fri Mar 18 00:16:41 2005 +++ gnupg/keyserver/Makefile.am Sun Apr 17 04:18:32 2005 @@ -29,7 +29,7 @@ noinst_SCRIPTS = gpgkeys_test gpgkeys_ldap_SOURCES = gpgkeys_ldap.c ksutil.c ksutil.h -gpgkeys_hkp_SOURCES = gpgkeys_hkp.c ksutil.c ksutil.h +gpgkeys_hkp_SOURCES = ksutil.c ksutil.h gpgkeys_http_SOURCES = gpgkeys_http.c ksutil.c ksutil.h gpgkeys_finger_SOURCES = gpgkeys_finger.c ksutil.c ksutil.h gpgkeys_curl_SOURCES = gpgkeys_curl.c ksutil.c ksutil.h @@ -37,15 +37,25 @@ other_libs = $(LIBICONV) $(LIBINTL) $(CAPLIBS) gpgkeys_ldap_LDADD = ../util/libutil.a @LDAPLIBS@ @NETLIBS@ $(other_libs) @GETOPT@ @W32LIBS@ -gpgkeys_hkp_LDADD = ../util/libutil.a @NETLIBS@ @SRVLIBS@ $(other_libs) @GETOPT@ @W32LIBS@ gpgkeys_http_LDADD = ../util/libutil.a @NETLIBS@ @SRVLIBS@ $(other_libs) @GETOPT@ @W32LIBS@ gpgkeys_finger_LDADD = ../util/libutil.a @NETLIBS@ $(other_libs) @GETOPT@ @W32LIBS@ +if WITH_CURL +gpgkeys_hkp_SOURCES += gpgkeys_hkp.c if FAKE_CURL gpgkeys_curl_SOURCES += curl-shim.c curl-shim.h gpgkeys_curl_CPPFLAGS = -DFAKE_CURL gpgkeys_curl_LDADD = ../util/libutil.a @NETLIBS@ @SRVLIBS@ $(other_libs) @GETOPT@ @W32LIBS@ +gpgkeys_hkp_SOURCES += curl-shim.c curl-shim.h +gpgkeys_hkp_CPPFLAGS = -DFAKE_CURL +gpgkeys_hkp_LDADD = ../util/libutil.a @NETLIBS@ @SRVLIBS@ $(other_libs) @GETOPT@ @W32LIBS@ else gpgkeys_curl_CPPFLAGS = @LIBCURL_CPPFLAGS@ gpgkeys_curl_LDADD = @LIBCURL@ @GETOPT@ +gpgkeys_hkp_CPPFLAGS = @LIBCURL_CPPFLAGS@ +gpgkeys_hkp_LDADD = @LIBCURL@ @GETOPT@ +endif +else +gpgkeys_hkp_SOURCES += gpgkeys_oldhkp.c +gpgkeys_hkp_LDADD = ../util/libutil.a @NETLIBS@ @SRVLIBS@ $(other_libs) @GETOPT@ @W32LIBS@ endif Index: gnupg/keyserver/curl-shim.c diff -u gnupg/keyserver/curl-shim.c:1.4 gnupg/keyserver/curl-shim.c:1.5 --- gnupg/keyserver/curl-shim.c:1.4 Sun Apr 17 03:39:24 2005 +++ gnupg/keyserver/curl-shim.c Sun Apr 17 04:18:32 2005 @@ -30,10 +30,13 @@ #include "util.h" #include "curl-shim.h" -static CURLcode handle_error(CURL *curl,CURLcode err,const char *str) +static CURLcode +handle_error(CURL *curl,CURLcode err,const char *str) { if(curl->errorbuffer) { + /* Make sure you never exceed CURL_ERROR_SIZE, currently set to + 256 in curl-shim.h */ switch(err) { case CURLE_OK: @@ -67,24 +70,29 @@ return err; } -CURLcode curl_global_init(long flags) +CURLcode +curl_global_init(long flags) { return CURLE_OK; } -void curl_global_cleanup(void) {} +void +curl_global_cleanup(void) {} -CURL *curl_easy_init(void) +CURL * +curl_easy_init(void) { return calloc(1,sizeof(CURL)); } -void curl_easy_cleanup(CURL *curl) +void +curl_easy_cleanup(CURL *curl) { free(curl); } -CURLcode curl_easy_setopt(CURL *curl,CURLoption option,...) +CURLcode +curl_easy_setopt(CURL *curl,CURLoption option,...) { va_list ap; @@ -124,7 +132,8 @@ return handle_error(curl,CURLE_OK,NULL); } -CURLcode curl_easy_perform(CURL *curl) +CURLcode +curl_easy_perform(CURL *curl) { int rc; CURLcode err=CURLE_OK; @@ -133,16 +142,7 @@ if(curl->flags.post) { rc=http_open(&curl->hd,HTTP_REQ_POST,curl->url,0,curl->proxy); - if(rc!=0) - { - if(rc==G10ERR_NETWORK) - errstr=strerror(errno); - else - errstr=g10_errstr(rc); - - err=CURLE_COULDNT_CONNECT; - } - else + if(rc==0) { char content_len[50]; unsigned int post_len=strlen(curl->postfields); @@ -156,73 +156,58 @@ http_start_data(&curl->hd); iobuf_write(curl->hd.fp_write,curl->postfields,post_len); rc=http_wait_response(&curl->hd,&curl->status); - if(rc!=0) - { - if(rc==G10ERR_NETWORK) - errstr=strerror(errno); - else - errstr=g10_errstr(rc); - - err=CURLE_COULDNT_CONNECT; - } - - if(curl->flags.failonerror && curl->status>=300) + if(rc==0 && curl->flags.failonerror && curl->status>=300) err=CURLE_HTTP_RETURNED_ERROR; } } else { rc=http_open(&curl->hd,HTTP_REQ_GET,curl->url,0,curl->proxy); - if(rc!=0) - { - if(rc==G10ERR_NETWORK) - errstr=strerror(errno); - else - errstr=g10_errstr(rc); - - err=CURLE_COULDNT_CONNECT; - } - else + if(rc==0) { rc=http_wait_response(&curl->hd,&curl->status); - if(rc) + if(rc==0) { - http_close(&curl->hd); - - if(rc==G10ERR_NETWORK) - errstr=strerror(errno); + if(curl->flags.failonerror && curl->status>=300) + err=CURLE_HTTP_RETURNED_ERROR; else - errstr=g10_errstr(rc); - - err=CURLE_COULDNT_CONNECT; - } - else if(curl->flags.failonerror && curl->status>=300) - err=CURLE_HTTP_RETURNED_ERROR; - else - { - unsigned int maxlen=1024,buflen,len; - byte *line=NULL; - - while((len=iobuf_read_line(curl->hd.fp_read, - &line,&buflen,&maxlen))) { - maxlen=1024; - size_t ret; + unsigned int maxlen=1024,buflen,len; + byte *line=NULL; - ret=(curl->writer)(line,len,1,curl->file); - if(ret!=len) + while((len=iobuf_read_line(curl->hd.fp_read, + &line,&buflen,&maxlen))) { - err=CURLE_WRITE_ERROR; - break; + maxlen=1024; + size_t ret; + + ret=(curl->writer)(line,len,1,curl->file); + if(ret!=len) + { + err=CURLE_WRITE_ERROR; + break; + } } - } - m_free(line); - http_close(&curl->hd); + m_free(line); + http_close(&curl->hd); + } } + else + http_close(&curl->hd); } } + if(rc!=0) + { + if(rc==G10ERR_NETWORK) + errstr=strerror(errno); + else + errstr=g10_errstr(rc); + + err=CURLE_COULDNT_CONNECT; + } + return handle_error(curl,err,errstr); } @@ -232,7 +217,8 @@ "ABCDEFGHIJKLMNOPQRSTUVWXYZ" \ "0123456789" -char *curl_escape(char *str,int length) +char * +curl_escape(char *str,int length) { int len,max,idx,enc_idx=0; char *enc; @@ -282,7 +268,8 @@ return enc; } -void curl_free(char *ptr) +void +curl_free(char *ptr) { free(ptr); } Index: gnupg/keyserver/gpgkeys_hkp.c diff -u gnupg/keyserver/gpgkeys_hkp.c:1.50 gnupg/keyserver/gpgkeys_hkp.c:1.51 --- gnupg/keyserver/gpgkeys_hkp.c:1.50 Wed Mar 23 00:41:08 2005 +++ gnupg/keyserver/gpgkeys_hkp.c Sun Apr 17 04:18:32 2005 @@ -21,81 +21,73 @@ #include #include #include -#include #include #include #include #ifdef HAVE_GETOPT_H #include #endif -#define INCLUDED_BY_MAIN_MODULE 1 -#include "util.h" -#include "http.h" +#ifdef FAKE_CURL +#include "curl-shim.h" +#else +#include +#endif #include "keyserver.h" #include "ksutil.h" extern char *optarg; extern int optind; -static int verbose=0,include_revoked=0,include_disabled=0; -static unsigned int http_flags=0; -static char host[MAX_HOST+1]={'\0'},proxy[MAX_PROXY+1]={'\0'},port[MAX_PORT+1]={'\0'}; -static FILE *input=NULL,*output=NULL,*console=NULL; - -#ifdef __riscos__ -#define HTTP_PROXY_ENV "GnuPG$HttpProxy" -#else -#define HTTP_PROXY_ENV "http_proxy" -#endif +static char proxy[MAX_PROXY+1]; +static FILE *input,*output,*console; +static CURL *curl; +static struct ks_options *opt; +static char errorbuffer[CURL_ERROR_SIZE]; -int -urlencode_filter( void *opaque, int control, - IOBUF a, byte *buf, size_t *ret_len) +static size_t +curl_mrindex_writer(const void *ptr,size_t size,size_t nmemb,void *stream) { - size_t size = *ret_len; - int rc=0; + static int checked=0,swallow=0; - if( control == IOBUFCTRL_FLUSH ) { - const byte *p; - for(p=buf; size; p++, size-- ) { - if( isalnum(*p) || *p == '-' ) - iobuf_put( a, *p ); - else if( *p == ' ' ) - iobuf_put( a, '+' ); - else { - char numbuf[5]; - sprintf(numbuf, "%%%02X", *p ); - iobuf_writestr(a, numbuf ); - } - } + if(!checked) + { + /* If the document begins with a '<', assume it's a HTML + response, which we don't support. Discard the whole message + body. GPG can handle it, but this is an optimization to deal + with it on this side of the pipe. */ + const char *buf=ptr; + if(buf[0]=='<') + swallow=1; + + checked=1; } - else if( control == IOBUFCTRL_DESC ) - *(char**)buf = "urlencode_filter"; - return rc; + + if(swallow || fwrite(ptr,size,nmemb,stream)==nmemb) + return size*nmemb; + else + return 0; } int send_key(int *eof) { - int rc,begin=0,end=0,ret=KEYSERVER_INTERNAL_ERROR; + CURLcode res; + char request[MAX_URL+100]; + int begin=0,end=0,ret=KEYSERVER_INTERNAL_ERROR; char keyid[17]; - char *request; - struct http_context hd; - unsigned int status; - IOBUF temp = iobuf_temp(); char line[MAX_LINE]; + char *key,*encoded_key=NULL; + size_t keylen=8,keymax=8; - memset(&hd,0,sizeof(hd)); - - request=malloc(strlen(host)+100); - if(!request) + key=malloc(9); + strcpy(key,"keytext="); + if(!key) { fprintf(console,"gpgkeys: out of memory\n"); - return KEYSERVER_NO_MEMORY; + ret=KEYSERVER_NO_MEMORY; + goto fail; } - iobuf_push_filter(temp,urlencode_filter,NULL); - /* Read and throw away input until we see the BEGIN */ while(fgets(line,MAX_LINE,input)!=NULL) @@ -123,11 +115,27 @@ break; } else - if(iobuf_writestr(temp,line)) - { - fprintf(console,"gpgkeys: internal iobuf error\n"); - goto fail; - } + { + if(strlen(line)+keylen>keymax) + { + char *tmp; + + keymax+=200; + tmp=realloc(key,keymax+1); + if(!tmp) + { + free(key); + fprintf(console,"gpgkeys: out of memory\n"); + ret=KEYSERVER_NO_MEMORY; + goto fail; + } + + key=tmp; + } + + strcpy(&key[keylen],line); + keylen+=strlen(line); + } if(!end) { @@ -137,57 +145,45 @@ goto fail; } - iobuf_flush_temp(temp); - - sprintf(request,"hkp://%s%s%s/pks/add",host,port[0]?":":"",port[0]?port:""); - - if(verbose>2) - fprintf(console,"gpgkeys: HTTP URL is `%s'\n",request); - - rc=http_open(&hd,HTTP_REQ_POST,request,http_flags,proxy[0]?proxy:NULL); - if(rc) + encoded_key=curl_escape(key,keylen); + if(!encoded_key) { - fprintf(console,"gpgkeys: unable to connect to `%s'\n",host); + fprintf(console,"gpgkeys: out of memory\n"); + ret=KEYSERVER_NO_MEMORY; goto fail; } - /* Some keyservers require this Content-Type (e.g. CryptoEx). */ - iobuf_writestr(hd.fp_write, - "Content-Type: application/x-www-form-urlencoded\r\n"); - - sprintf(request,"Content-Length: %u\r\n", - (unsigned)iobuf_get_temp_length(temp)+9); - iobuf_writestr(hd.fp_write,request); - - http_start_data(&hd); - - iobuf_writestr(hd.fp_write,"keytext="); - iobuf_write(hd.fp_write, - iobuf_get_temp_buffer(temp),iobuf_get_temp_length(temp)); - iobuf_put(hd.fp_write,'\n'); + strcpy(request,"http://"); + strcat(request,opt->host); + strcat(request,":"); + if(opt->port) + strcat(request,opt->port); + else + strcat(request,"11371"); + strcat(request,"/pks/add"); - rc=http_wait_response(&hd,&status); - if(rc) - { - fprintf(console,"gpgkeys: error sending to `%s': %s\n", - host,g10_errstr(rc)); - goto fail; - } + if(opt->verbose>2) + fprintf(console,"gpgkeys: HTTP URL is `%s'\n",request); - if((status/100)!=2) + curl_easy_setopt(curl,CURLOPT_URL,request); + curl_easy_setopt(curl,CURLOPT_POST,1); + curl_easy_setopt(curl,CURLOPT_POSTFIELDS,encoded_key); + curl_easy_setopt(curl,CURLOPT_FAILONERROR,1); + + res=curl_easy_perform(curl); + if(res!=0) { - fprintf(console,"gpgkeys: remote server returned error %d\n",status); - goto fail; + fprintf(console,"gpgkeys: HTTP post error %d: %s\n",res,errorbuffer); + ret=curl_err_to_gpg_err(res); } - - fprintf(output,"KEY %s SENT\n",keyid); + else + fprintf(output,"\nKEY %s SENT\n",keyid); ret=KEYSERVER_OK; fail: - free(request); - iobuf_close(temp); - http_close(&hd); + free(key); + curl_free(encoded_key); if(ret!=0 && begin) fprintf(output,"KEY %s FAILED %d\n",keyid,ret); @@ -195,469 +191,89 @@ return ret; } -int +static int get_key(char *getkey) { - int rc,gotit=0; - char search[29]; - char *request; - struct http_context hd; + CURLcode res; + char request[MAX_URL+100]; + char *offset; + struct curl_writer_ctx ctx; + + memset(&ctx,0,sizeof(ctx)); /* Build the search string. HKP only uses the short key IDs. */ if(strncmp(getkey,"0x",2)==0) getkey+=2; + fprintf(output,"KEY 0x%s BEGIN\n",getkey); + if(strlen(getkey)==32) { fprintf(console, "gpgkeys: HKP keyservers do not support v3 fingerprints\n"); - fprintf(output,"KEY 0x%s BEGIN\n",getkey); fprintf(output,"KEY 0x%s FAILED %d\n",getkey,KEYSERVER_NOT_SUPPORTED); return KEYSERVER_NOT_SUPPORTED; } - if(strlen(getkey)>8) - { - char *offset=&getkey[strlen(getkey)-8]; - - /* fingerprint or long key id. Take the last 8 characters and - treat it like a short key id */ - - sprintf(search,"0x%.8s",offset); - } - else - { - /* short key id */ - - sprintf(search,"0x%.8s",getkey); - } - - fprintf(output,"KEY 0x%s BEGIN\n",getkey); + strcpy(request,"http://"); + strcat(request,opt->host); + strcat(request,":"); + if(opt->port) + strcat(request,opt->port); + else + strcat(request,"11371"); + strcat(request,"/pks/lookup?op=get&options=mr&search=0x"); - request=malloc(strlen(host)+100); - if(!request) - { - fprintf(console,"gpgkeys: out of memory\n"); - return KEYSERVER_NO_MEMORY; - } + /* fingerprint or long key id. Take the last 8 characters and treat + it like a short key id */ + if(strlen(getkey)>8) + offset=&getkey[strlen(getkey)-8]; + else + offset=getkey; - sprintf(request,"hkp://%s%s%s/pks/lookup?op=get&options=mr&search=%s", - host,port[0]?":":"",port[0]?port:"", search); + strcat(request,offset); - if(verbose>2) + if(opt->verbose>2) fprintf(console,"gpgkeys: HTTP URL is `%s'\n",request); - rc=http_open_document(&hd,request,http_flags,proxy[0]?proxy:NULL); - if(rc!=0) + curl_easy_setopt(curl,CURLOPT_URL,request); + curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,curl_writer); + ctx.stream=output; + curl_easy_setopt(curl,CURLOPT_FILE,&ctx); + + res=curl_easy_perform(curl); + if(res!=0) { - fprintf(console,"gpgkeys: HKP fetch error: %s\n", - rc==G10ERR_NETWORK?strerror(errno):g10_errstr(rc)); - fprintf(output,"KEY 0x%s FAILED %d\n",getkey, - rc==G10ERR_NETWORK?KEYSERVER_UNREACHABLE:KEYSERVER_INTERNAL_ERROR); + fprintf(console,"gpgkeys: HTTP fetch error %d: %s\n",res,errorbuffer); + fprintf(output,"\nKEY 0x%s FAILED %d\n",getkey,curl_err_to_gpg_err(res)); } else { - unsigned int maxlen=1024,buflen; - byte *line=NULL; - - while(iobuf_read_line(hd.fp_read,&line,&buflen,&maxlen)) - { - maxlen=1024; - - if(gotit) - { - print_nocr(output,line); - if(strncmp(line,END,strlen(END))==0) - break; - } - else - if(strncmp(line,BEGIN,strlen(BEGIN))==0) - { - print_nocr(output,line); - gotit=1; - } - } - - if(gotit) - fprintf(output,"KEY 0x%s END\n",getkey); + if(ctx.done) + fprintf(output,"\nKEY 0x%s END\n",getkey); else { fprintf(console,"gpgkeys: key %s not found on keyserver\n",getkey); fprintf(output,"KEY 0x%s FAILED %d\n", getkey,KEYSERVER_KEY_NOT_FOUND); } - - m_free(line); - http_close(&hd); } - free(request); - return KEYSERVER_OK; } -/* Remove anything and de-urlencode in place. Note - that this requires all brackets to be closed on the same line. It - also means that the result is never larger than the input. */ -void -dehtmlize(char *line) -{ - int parsedindex=0; - char *parsed=line; - - while(*line!='\0') - { - switch(*line) - { - case '<': - while(*line!='>' && *line!='\0') - line++; - - if(*line!='\0') - line++; - break; - - case '&': - if((*(line+1)!='\0' && ascii_tolower(*(line+1))=='l') && - (*(line+2)!='\0' && ascii_tolower(*(line+2))=='t') && - (*(line+3)!='\0' && *(line+3)==';')) - { - parsed[parsedindex++]='<'; - line+=4; - break; - } - else if((*(line+1)!='\0' && ascii_tolower(*(line+1))=='g') && - (*(line+2)!='\0' && ascii_tolower(*(line+2))=='t') && - (*(line+3)!='\0' && *(line+3)==';')) - { - parsed[parsedindex++]='>'; - line+=4; - break; - } - else if((*(line+1)!='\0' && ascii_tolower(*(line+1))=='a') && - (*(line+2)!='\0' && ascii_tolower(*(line+2))=='m') && - (*(line+3)!='\0' && ascii_tolower(*(line+3))=='p') && - (*(line+4)!='\0' && *(line+4)==';')) - { - parsed[parsedindex++]='&'; - line+=5; - break; - } - else if((*(line+1)!='\0' && ascii_tolower(*(line+1))=='q') && - (*(line+2)!='\0' && ascii_tolower(*(line+2))=='u') && - (*(line+3)!='\0' && ascii_tolower(*(line+3))=='o') && - (*(line+4)!='\0' && ascii_tolower(*(line+4))=='t') && - (*(line+5)!='\0' && *(line+5)==';')) - { - parsed[parsedindex++]='"'; - line+=6; - break; - } - - default: - parsed[parsedindex++]=*line; - line++; - break; - } - } - - parsed[parsedindex]='\0'; - - /* Chop off any trailing whitespace. Note that the HKP servers have - \r\n as line endings, and the NAI HKP servers have just \n. */ - - if(parsedindex>0) - { - parsedindex--; - while(isspace(((unsigned char *)parsed)[parsedindex])) - { - parsed[parsedindex]='\0'; - if(parsedindex==0) - break; - parsedindex--; - } - } -} - -int -write_quoted(IOBUF a, const char *buf, char delim) -{ - while(*buf) - { - if(*buf==delim) - { - char quoted[5]; - sprintf(quoted,"%%%02X",delim); - if(iobuf_writestr(a,quoted)) - return -1; - } - else if(*buf=='%') - { - if(iobuf_writestr(a,"%25")) - return -1; - } - else - { - if(iobuf_writebyte(a,*buf)) - return -1; - } - - buf++; - } - - return 0; -} - -/* pub 2048/3CB3B415 1998/04/03 David M. Shaw <dshaw@jabberwocky.com> */ - -/* Luckily enough, both the HKP server and NAI HKP interface to their - LDAP server are close enough in output so the same function can - parse them both. */ - -int -parse_hkp_index(IOBUF buffer,char *line) -{ - int ret=0; - - /* printf("Open %d, LINE: `%s'\n",open,line); */ - - dehtmlize(line); - - /* printf("Now open %d, LINE: `%s'\n",open,line); */ - - if(line[0]=='\0') - return 0; - else if(ascii_strncasecmp(line,"pub",3)==0) - { - char *tok,*keyid,*uid=NULL,number[15]; - int bits=0,type=0,disabled=0,revoked=0; - u32 createtime=0; - - line+=3; - - if(*line=='-') - { - disabled=1; - if(!include_disabled) - return 0; - } - - line++; - - tok=strsep(&line,"/"); - if(tok==NULL || strlen(tok)==0) - return ret; - - if(tok[strlen(tok)-1]=='R') - type=1; - else if(tok[strlen(tok)-1]=='D') - type=17; - - bits=atoi(tok); - - keyid=strsep(&line," "); - - tok=strsep(&line," "); - if(tok!=NULL) - { - char *temp=tok; - - /* The date parser wants '-' instead of '/', so... */ - while(*temp!='\0') - { - if(*temp=='/') - *temp='-'; - - temp++; - } - - createtime=scan_isodatestr(tok); - } - - if(line!=NULL) - { - while(*line==' ' && *line!='\0') - line++; - - if(*line!='\0') - { - if(strncmp(line,"*** KEY REVOKED ***",19)==0) - { - revoked=1; - if(!include_revoked) - return 0; - } - else - uid=line; - } - } - - if(keyid) - { - iobuf_writestr(buffer,"pub:"); - - write_quoted(buffer,keyid,':'); - - iobuf_writestr(buffer,":"); - - if(type) - { - sprintf(number,"%d",type); - write_quoted(buffer,number,':'); - } - - iobuf_writestr(buffer,":"); - - if(bits) - { - sprintf(number,"%d",bits); - write_quoted(buffer,number,':'); - } - - iobuf_writestr(buffer,":"); - - if(createtime) - { - sprintf(number,"%d",createtime); - write_quoted(buffer,number,':'); - } - - iobuf_writestr(buffer,"::"); - - if(revoked) - write_quoted(buffer,"r",':'); - - if(disabled) - write_quoted(buffer,"d",':'); - - if(uid) - { - iobuf_writestr(buffer,"\nuid:"); - write_quoted(buffer,uid,':'); - } - - iobuf_writestr(buffer,"\n"); - - ret=1; - } - } - else if(ascii_strncasecmp(line," ",3)==0) - { - while(*line==' ' && *line!='\0') - line++; - - if(*line!='\0') - { - iobuf_writestr(buffer,"uid:"); - write_quoted(buffer,line,':'); - iobuf_writestr(buffer,"\n"); - } - } - -#if 0 - else if(open) - { - /* Try and catch some bastardization of HKP. If we don't have - certain unchanging landmarks, we can't reliably parse the - response. This only complains about problems within the key - section itself. Headers and footers should not matter. */ - - fprintf(console,"gpgkeys: this keyserver does not support searching\n"); - ret=-1; - } -#endif - - return ret; -} - -void -handle_old_hkp_index(IOBUF inp) -{ - int ret,rc,count=0; - unsigned int buflen; - byte *line=NULL; - IOBUF buffer=iobuf_temp(); - - do - { - unsigned int maxlen=1024; - - /* This is a judgement call. Is it better to slurp up all the - results before prompting the user? On the one hand, it - probably makes the keyserver happier to not be blocked on - sending for a long time while the user picks a key. On the - other hand, it might be nice for the server to be able to - stop sending before a large search result page is - complete. */ - - rc=iobuf_read_line(inp,&line,&buflen,&maxlen); - - ret=parse_hkp_index(buffer,line); - if(ret==-1) - break; - - if(rc!=0) - count+=ret; - } - while(rc!=0); - - m_free(line); - - if(ret>-1) - fprintf(output,"info:1:%d\n%s",count,iobuf_get_temp_buffer(buffer)); - - iobuf_close(buffer); -} - int search_key(char *searchkey) { - int max=0,len=0,ret=KEYSERVER_INTERNAL_ERROR,rc; - struct http_context hd; - char *search=NULL,*request=NULL; - unsigned char *skey=(unsigned char*) searchkey; - - fprintf(output,"SEARCH %s BEGIN\n",searchkey); - - /* Build the search string. It's going to need url-encoding. */ - - while(*skey!='\0') - { - if(max-len<3) - { - max+=100; - search=realloc(search,max+1); /* Note +1 for \0 */ - if (!search) - { - fprintf(console,"gpgkeys: out of memory\n"); - ret=KEYSERVER_NO_MEMORY; - goto fail; - } - } - - if(isalnum(*skey) || *skey=='-') - search[len++]=*skey; - else if(*skey==' ') - search[len++]='+'; - else - { - sprintf(&search[len],"%%%02X",*skey); - len+=3; - } - - skey++; - } - - if(!search) - { - fprintf(console,"gpgkeys: corrupt input?\n"); - return -1; - } + CURLcode res; + char *request; + char *searchkey_encoded; + int ret=KEYSERVER_INTERNAL_ERROR; - search[len]='\0'; + searchkey_encoded=curl_escape(searchkey,0); - request=malloc(strlen(host)+100+strlen(search)); + request=malloc(MAX_URL+100+strlen(searchkey_encoded)); if(!request) { fprintf(console,"gpgkeys: out of memory\n"); @@ -665,65 +281,55 @@ goto fail; } - sprintf(request,"hkp://%s%s%s/pks/lookup?op=index&options=mr&search=%s", - host,port[0]?":":"",port[0]?port:"",search); + fprintf(output,"SEARCH %s BEGIN\n",searchkey); + + strcpy(request,"http://"); + strcat(request,opt->host); + strcat(request,":"); + if(opt->port) + strcat(request,opt->port); + else + strcat(request,"11371"); + strcat(request,"/pks/lookup?op=index&options=mr&search="); + strcat(request,searchkey_encoded); - if(verbose>2) + if(opt->verbose>2) fprintf(console,"gpgkeys: HTTP URL is `%s'\n",request); - rc=http_open_document(&hd,request,http_flags,proxy[0]?proxy:NULL); - if(rc) + curl_easy_setopt(curl,CURLOPT_URL,request); + curl_easy_setopt(curl,CURLOPT_WRITEFUNCTION,curl_mrindex_writer); + curl_easy_setopt(curl,CURLOPT_FILE,output); + + res=curl_easy_perform(curl); + if(res!=0) { - fprintf(console,"gpgkeys: can't search keyserver `%s': %s\n", - host,rc==G10ERR_NETWORK?strerror(errno):g10_errstr(rc)); + fprintf(console,"gpgkeys: HTTP search error %d: %s\n",res,errorbuffer); + ret=curl_err_to_gpg_err(res); } else { - unsigned int maxlen=1024,buflen; - byte *line=NULL; - - /* Is it a pksd that knows how to handle machine-readable - format? */ - - rc=iobuf_read_line(hd.fp_read,&line,&buflen,&maxlen); - if(line[0]=='<') - handle_old_hkp_index(hd.fp_read); - else - do - { - fprintf(output,"%s",line); - maxlen=1024; - rc=iobuf_read_line(hd.fp_read,&line,&buflen,&maxlen); - } - while(rc!=0); - - m_free(line); - - http_close(&hd); - - fprintf(output,"SEARCH %s END\n",searchkey); - + fprintf(output,"\nSEARCH %s END\n",searchkey); ret=KEYSERVER_OK; } fail: + curl_free(searchkey_encoded); free(request); - free(search); if(ret!=KEYSERVER_OK) - fprintf(output,"SEARCH %s FAILED %d\n",searchkey,ret); + fprintf(output,"\nSEARCH %s FAILED %d\n",searchkey,ret); return ret; } void -fail_all(struct keylist *keylist,int action,int err) +fail_all(struct keylist *keylist,int err) { if(!keylist) return; - if(action==SEARCH) + if(opt->action==KS_SEARCH) { fprintf(output,"SEARCH "); while(keylist) @@ -752,11 +358,10 @@ int main(int argc,char *argv[]) { - int arg,action=-1,ret=KEYSERVER_INTERNAL_ERROR; + int arg,ret=KEYSERVER_INTERNAL_ERROR; char line[MAX_LINE]; int failed=0; struct keylist *keylist=NULL,*keyptr=NULL; - unsigned int timeout=DEFAULT_KEYSERVER_TIMEOUT; console=stderr; @@ -813,57 +418,28 @@ if(output==NULL) output=stdout; + opt=init_ks_options(); + if(!opt) + return KEYSERVER_NO_MEMORY; + /* Get the command and info block */ while(fgets(line,MAX_LINE,input)!=NULL) { - int version; - char command[MAX_COMMAND+1]; + int err; char option[MAX_OPTION+1]; - char hash; if(line[0]=='\n') break; - if(sscanf(line,"%c",&hash)==1 && hash=='#') - continue; - - if(sscanf(line,"COMMAND %" MKSTRING(MAX_COMMAND) "s\n",command)==1) + err=parse_ks_options(line,opt); + if(err>0) { - command[MAX_COMMAND]='\0'; - - if(strcasecmp(command,"get")==0) - action=GET; - else if(strcasecmp(command,"send")==0) - action=SEND; - else if(strcasecmp(command,"search")==0) - action=SEARCH; - - continue; - } - - if(sscanf(line,"HOST %" MKSTRING(MAX_HOST) "s\n",host)==1) - { - host[MAX_HOST]='\0'; - continue; - } - - if(sscanf(line,"PORT %" MKSTRING(MAX_PORT) "s\n",port)==1) - { - port[MAX_PORT]='\0'; - continue; - } - - if(sscanf(line,"VERSION %d\n",&version)==1) - { - if(version!=KEYSERVER_PROTO_VERSION) - { - ret=KEYSERVER_VERSION_ERROR; - goto fail; - } - - continue; + ret=err; + goto fail; } + else if(err==0) + continue; if(sscanf(line,"OPTION %" MKSTRING(MAX_OPTION) "s\n",option)==1) { @@ -878,28 +454,7 @@ start=&option[3]; } - if(strcasecmp(start,"verbose")==0) - { - if(no) - verbose--; - else - verbose++; - } - else if(strcasecmp(start,"include-revoked")==0) - { - if(no) - include_revoked=0; - else - include_revoked=1; - } - else if(strcasecmp(start,"include-disabled")==0) - { - if(no) - include_disabled=0; - else - include_disabled=1; - } - else if(strncasecmp(start,"http-proxy",10)==0) + if(strncasecmp(start,"http-proxy",10)==0) { if(no) proxy[0]='\0'; @@ -918,13 +473,7 @@ } } } - else if(strcasecmp(start,"broken-http-proxy")==0) - { - if(no) - http_flags&=~HTTP_FLAG_NO_SHUTDOWN; - else - http_flags|=HTTP_FLAG_NO_SHUTDOWN; - } +#if 0 else if(strcasecmp(start,"try-dns-srv")==0) { if(no) @@ -932,37 +481,56 @@ else http_flags|=HTTP_FLAG_TRY_SRV; } - else if(strncasecmp(start,"timeout",7)==0) - { - if(no) - timeout=0; - else if(start[7]=='=') - timeout=atoi(&start[8]); - else if(start[7]=='\0') - timeout=DEFAULT_KEYSERVER_TIMEOUT; - } - +#endif continue; } } - if(timeout && register_timeout()==-1) + if(!opt->host) + { + fprintf(console,"gpgkeys: no keyserver host provided\n"); + goto fail; + } + + if(opt->timeout && register_timeout()==-1) { fprintf(console,"gpgkeys: unable to register timeout handler\n"); return KEYSERVER_INTERNAL_ERROR; } + curl_global_init(CURL_GLOBAL_DEFAULT); + curl=curl_easy_init(); + if(!curl) + { + fprintf(console,"gpgkeys: unable to initialize curl\n"); + ret=KEYSERVER_INTERNAL_ERROR; + goto fail; + } + + curl_easy_setopt(curl,CURLOPT_ERRORBUFFER,errorbuffer); + + if(opt->debug) + { + curl_easy_setopt(curl,CURLOPT_STDERR,console); + curl_easy_setopt(curl,CURLOPT_VERBOSE,1); + } + + if(proxy[0]) + curl_easy_setopt(curl,CURLOPT_PROXY,proxy); + +#if 0 /* By suggested convention, if the user gives a :port, then disable SRV. */ - if(port[0]) + if(opt->port) http_flags&=~HTTP_FLAG_TRY_SRV; +#endif /* If it's a GET or a SEARCH, the next thing to come in is the keyids. If it's a SEND, then there are no keyids. */ - if(action==SEND) + if(opt->action==KS_SEND) while(fgets(line,MAX_LINE,input)!=NULL && line[0]!='\n'); - else if(action==GET || action==SEARCH) + else if(opt->action==KS_GET || opt->action==KS_SEARCH) { for(;;) { @@ -1013,112 +581,87 @@ fprintf(output,"VERSION %d\n",KEYSERVER_PROTO_VERSION); fprintf(output,"PROGRAM %s\n\n",VERSION); - if(verbose>1) - { - fprintf(console,"Host:\t\t%s\n",host); - if(port[0]) - fprintf(console,"Port:\t\t%s\n",port); - fprintf(console,"Command:\t%s\n",action==GET?"GET": - action==SEND?"SEND":"SEARCH"); - } - -#if 0 - if(verbose>1) + if(opt->verbose>1) { - vals=ldap_get_values(ldap,res,"software"); - if(vals!=NULL) - { - fprintf(console,"Server: \t%s\n",vals[0]); - ldap_value_free(vals); - } - - vals=ldap_get_values(ldap,res,"version"); - if(vals!=NULL) - { - fprintf(console,"Version:\t%s\n",vals[0]); - ldap_value_free(vals); - } + fprintf(console,"Host:\t\t%s\n",opt->host); + if(opt->port) + fprintf(console,"Port:\t\t%s\n",opt->port); + fprintf(console,"Command:\t%s\n",ks_action_to_string(opt->action)); } -#endif - switch(action) + if(opt->action==KS_GET) { - case GET: keyptr=keylist; while(keyptr!=NULL) { - set_timeout(timeout); + set_timeout(opt->timeout); if(get_key(keyptr->str)!=KEYSERVER_OK) failed++; keyptr=keyptr->next; } - break; - - case SEND: - { - int eof=0; - - do - { - set_timeout(timeout); + } + else if(opt->action==KS_SEND) + { + int eof=0; - if(send_key(&eof)!=KEYSERVER_OK) - failed++; - } - while(!eof); - } - break; + do + { + set_timeout(opt->timeout); - case SEARCH: - { - char *searchkey=NULL; - int len=0; + if(send_key(&eof)!=KEYSERVER_OK) + failed++; + } + while(!eof); + } + else if(opt->action==KS_SEARCH) + { + char *searchkey=NULL; + int len=0; - set_timeout(timeout); + set_timeout(opt->timeout); - /* To search, we stick a space in between each key to search - for. */ + /* To search, we stick a space in between each key to search + for. */ - keyptr=keylist; - while(keyptr!=NULL) - { - len+=strlen(keyptr->str)+1; - keyptr=keyptr->next; - } - - searchkey=malloc(len+1); - if(searchkey==NULL) - { - ret=KEYSERVER_NO_MEMORY; - fail_all(keylist,action,KEYSERVER_NO_MEMORY); - goto fail; - } + keyptr=keylist; + while(keyptr!=NULL) + { + len+=strlen(keyptr->str)+1; + keyptr=keyptr->next; + } - searchkey[0]='\0'; + searchkey=malloc(len+1); + if(searchkey==NULL) + { + ret=KEYSERVER_NO_MEMORY; + fail_all(keylist,KEYSERVER_NO_MEMORY); + goto fail; + } - keyptr=keylist; - while(keyptr!=NULL) - { - strcat(searchkey,keyptr->str); - strcat(searchkey," "); - keyptr=keyptr->next; - } + searchkey[0]='\0'; - /* Nail that last space */ - if(*searchkey) - searchkey[strlen(searchkey)-1]='\0'; + keyptr=keylist; + while(keyptr!=NULL) + { + strcat(searchkey,keyptr->str); + strcat(searchkey," "); + keyptr=keyptr->next; + } - if(search_key(searchkey)!=KEYSERVER_OK) - failed++; + /* Nail that last space */ + if(*searchkey) + searchkey[strlen(searchkey)-1]='\0'; - free(searchkey); - } + if(search_key(searchkey)!=KEYSERVER_OK) + failed++; - break; + free(searchkey); } + else + abort(); if(!failed) ret=KEYSERVER_OK; From cvs at cvs.gnupg.org Sun Apr 17 05:53:30 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sun Apr 17 05:53:37 2005 Subject: gnupg/g10 (ChangeLog keyserver.c sign.c) Message-ID: Date: Sunday, April 17, 2005 @ 06:10:03 Author: dshaw Path: /cvs/gnupg/gnupg/g10 Modified: ChangeLog keyserver.c sign.c * keyserver.c (keyserver_spawn): Free some memory. * sign.c (hash_for): Comments. -------------+ ChangeLog | 6 ++++++ keyserver.c | 12 +++++++++++- sign.c | 14 ++++++++++++++ 3 files changed, 31 insertions(+), 1 deletion(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.721 gnupg/g10/ChangeLog:1.722 --- gnupg/g10/ChangeLog:1.721 Mon Apr 11 20:24:09 2005 +++ gnupg/g10/ChangeLog Sun Apr 17 06:10:03 2005 @@ -1,3 +1,9 @@ +2005-04-16 David Shaw + + * keyserver.c (keyserver_spawn): Free some memory. + + * sign.c (hash_for): Comments. + 2005-04-11 Werner Koch * g10.c (main, add_notation_data, add_policy_url) Index: gnupg/g10/keyserver.c diff -u gnupg/g10/keyserver.c:1.85 gnupg/g10/keyserver.c:1.86 --- gnupg/g10/keyserver.c:1.85 Mon Apr 11 20:24:09 2005 +++ gnupg/g10/keyserver.c Sun Apr 17 06:10:03 2005 @@ -800,6 +800,14 @@ } notfound: + /* Leave this commented out or now, and perhaps for a very long + time. All HKPish servers return HTML error messages for + no-key-found. */ + /* + if(!started) + log_info(_("keyserver does not support searching\n")); + else + */ if(count==0) { if(localstr) @@ -851,7 +859,7 @@ int ret=0,i,gotversion=0,outofband=0; STRLIST temp; unsigned int maxlen,buflen; - char *command=NULL,*searchstr=NULL; + char *command,*searchstr=NULL; byte *line=NULL; struct parse_options *kopts; struct exec_info *spawn; @@ -920,6 +928,8 @@ else ret=exec_write(&spawn,command,NULL,NULL,0,0); + m_free(command); + if(ret) return ret; Index: gnupg/g10/sign.c diff -u gnupg/g10/sign.c:1.135 gnupg/g10/sign.c:1.136 --- gnupg/g10/sign.c:1.135 Thu Nov 4 23:28:39 2004 +++ gnupg/g10/sign.c Sun Apr 17 06:10:03 2005 @@ -391,6 +391,20 @@ return rc; } +/* + First try --digest-algo. If that isn't set, see if the recipient + has a preferred algorithm (which is also filtered through + --preferred-digest-prefs). If we're making a signature without a + particular recipient (i.e. signing, rather than signing+encrypting) + then take the first algorithm in --preferred-digest-prefs that is + usable for the pubkey algorithm. If --preferred-digest-prefs isn't + set, then take the OpenPGP default (i.e. SHA-1). + + Possible improvement: Use the highest-ranked usable algorithm from + the signing key prefs either before or after using the personal + list? +*/ + static int hash_for(int pubkey_algo, int packet_version ) { From cvs at cvs.gnupg.org Mon Apr 18 12:21:14 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Mon Apr 18 12:21:18 2005 Subject: dirmngr (10 files) Message-ID: Date: Monday, April 18, 2005 @ 12:37:53 Author: wk Path: /cvs/dirmngr/dirmngr Modified: ChangeLog NEWS configure.ac src/ChangeLog src/certcache.c src/certcache.h src/crlcache.c src/dirmngr.h src/server.c src/validate.c * configure.ac: Require libksba 0.9.11. * certcache.c (find_issuing_cert): Fixed last resort method which should be finding by subject and not by issuer. Try to locate it also using the keyIdentifier method. Improve error reporting. (cmp_simple_canon_sexp): New. (find_cert_bysubject): New. (find_cert_bysn): Ask back to the caller before trying an extarnl lookup. * server.c (get_cert_local_ski): New. * crlcache.c (crl_parse_insert): Also try to locate issuer certificate using the keyIdentifier. Improved error reporting. -----------------+ ChangeLog | 4 + NEWS | 4 + configure.ac | 2 src/ChangeLog | 15 +++- src/certcache.c | 199 ++++++++++++++++++++++++++++++++++++++++++++++++++---- src/certcache.h | 12 +++ src/crlcache.c | 29 ++++++- src/dirmngr.h | 2 src/server.c | 79 ++++++++++++++++++++- src/validate.c | 2 10 files changed, 322 insertions(+), 26 deletions(-) Index: dirmngr/ChangeLog diff -u dirmngr/ChangeLog:1.86 dirmngr/ChangeLog:1.87 --- dirmngr/ChangeLog:1.86 Tue Feb 8 12:30:41 2005 +++ dirmngr/ChangeLog Mon Apr 18 12:37:53 2005 @@ -1,3 +1,7 @@ +2005-04-18 Werner Koch + + * configure.ac: Require libksba 0.9.11. + 2005-02-08 Werner Koch Released 0.9.1. Index: dirmngr/NEWS diff -u dirmngr/NEWS:1.36 dirmngr/NEWS:1.37 --- dirmngr/NEWS:1.36 Tue Feb 8 12:41:46 2005 +++ dirmngr/NEWS Mon Apr 18 12:37:53 2005 @@ -1,6 +1,10 @@ Noteworthy changes in version 0.9.2 ------------------------------------------------ + * Make use of authorityKeyidentifier.keyIdentifier. + + * Fixed a possible hang in the LDAP lookup code. + Noteworthy changes in version 0.9.1 (2005-02-08) ------------------------------------------------ Index: dirmngr/configure.ac diff -u dirmngr/configure.ac:1.71 dirmngr/configure.ac:1.72 --- dirmngr/configure.ac:1.71 Tue Feb 8 12:41:46 2005 +++ dirmngr/configure.ac Mon Apr 18 12:37:53 2005 @@ -31,7 +31,7 @@ NEED_LIBASSUAN_VERSION=0.6.8 -NEED_KSBA_VERSION=0.9.6 +NEED_KSBA_VERSION=0.9.11 PACKAGE=$PACKAGE_NAME Index: dirmngr/src/ChangeLog diff -u dirmngr/src/ChangeLog:1.46 dirmngr/src/ChangeLog:1.47 --- dirmngr/src/ChangeLog:1.46 Thu Apr 14 13:58:29 2005 +++ dirmngr/src/ChangeLog Mon Apr 18 12:37:53 2005 @@ -1,10 +1,23 @@ +2005-04-18 Werner Koch + + * certcache.c (find_issuing_cert): Fixed last resort method which + should be finding by subject and not by issuer. Try to locate it + also using the keyIdentifier method. Improve error reporting. + (cmp_simple_canon_sexp): New. + (find_cert_bysubject): New. + (find_cert_bysn): Ask back to the caller before trying an extarnl + lookup. + * server.c (get_cert_local_ski): New. + * crlcache.c (crl_parse_insert): Also try to locate issuer + certificate using the keyIdentifier. Improved error reporting. + 2005-04-14 Werner Koch * ldap.c (start_cert_fetch_ldap): Really return ERR. 2005-03-17 Werner Koch - * http.c (parse_response): Changed MAXLEN and LEN to size-t to + * http.c (parse_response): Changed MAXLEN and LEN to size_t to match the requirement of read_line. * http.h (http_context_s): Ditto for BUFFER_SIZE. Index: dirmngr/src/certcache.c diff -u dirmngr/src/certcache.c:1.9 dirmngr/src/certcache.c:1.10 --- dirmngr/src/certcache.c:1.9 Tue Feb 1 17:49:15 2005 +++ dirmngr/src/certcache.c Mon Apr 18 12:37:53 2005 @@ -39,10 +39,10 @@ #define MAX_EXTRA_CACHED_CERTS 1000 -/* A certificate cache item. This consists of a the ksba cert object +/* A certificate cache item. This consists of a the KSBA cert object and some meta data for easier lookup. We use a hash table to keep - track of all items and use sue the randomly distributed first byte - of the fingerprint directly as the hash which makes it pretty easy. */ + track of all items and use the (randomly distributed) first byte of + the fingerprint directly as the hash which makes it pretty easy. */ struct cert_item_s { struct cert_item_s *next; /* Next item with the same hash value. */ @@ -138,6 +138,14 @@ return !!n_a; } +/* An alias for the above function to be used with S-expressions + similar to serial numbers. */ +int +cmp_simple_canon_sexp (ksba_sexp_t a, ksba_sexp_t b) +{ + return compare_serialno (a, b); +} + /* Compute the fingerprint of the certificate CERT and put it into the 20 bytes large buffer DIGEST. Return address of this buffer. */ @@ -589,7 +597,7 @@ } -/* Return the certificate matching SUBJEC_DN. SEQ should initially be +/* Return the certificate matching SUBJECT_DN. SEQ should initially be set to 0 and bumped up to get the next subject with that DN. */ ksba_cert_t get_cert_bysubject (const char *subject_dn, unsigned int seq) @@ -630,6 +638,36 @@ cert = get_cert_bysn (issuer_dn, serialno); + if (!cert) + { + char *hexsn, *buf; + /* Ask back to the service requester to return the certificate. + This is because we can assume that he already used the + certificate while checking for the CRL. */ + hexsn = serial_hex (serialno); + if (!hexsn) + { + log_debug ("serial_hex() failed\n"); + return NULL; + } + buf = xtrymalloc (1 + strlen (hexsn) + 1 + strlen (issuer_dn) + 1); + if (!buf) + { + log_error ("can't allocate enough memory: %s\n", strerror (errno)); + xfree (hexsn); + return NULL; + } + strcpy (stpcpy (stpcpy (stpcpy (buf, "#"), hexsn),"/"), issuer_dn); + xfree (hexsn); + cert = get_cert_local (ctrl, buf); + xfree (buf); + if (cert) + { + cache_cert (cert); + return cert; /* Done. */ + } + } + while (!cert) { ksba_sexp_t sn; @@ -694,6 +732,119 @@ return cert; } +/* Return the certificate matching SUBJECT_DN and (if not NULL) + KEYID. If it is not already in the cache, try to find it from other + resources. Note, that the external search does not work for user + certificates because the LDAP lookup is on the caCertificate + attribute. For our purposes this is just fine. */ +ksba_cert_t +find_cert_bysubject (ctrl_t ctrl, const char *subject_dn, ksba_sexp_t keyid) +{ + gpg_error_t err; + int seq; + ksba_cert_t cert = NULL; + cert_fetch_context_t context = NULL; + ksba_sexp_t subj; + + for (seq=0; (cert = get_cert_bysubject (subject_dn, seq)); seq++) + { + if (!keyid) + break; /* No keyid requested, so return the first one found. */ + if (!ksba_cert_get_subj_key_id (cert, NULL, &subj) + && !cmp_simple_canon_sexp (keyid, subj)) + { + xfree (subj); + break; /* Found matching cert. */ + } + xfree (subj); + ksba_cert_release (cert); + } + + if (!cert) + { + /* Ask back to the service requester to return the certificate. + This is because we can assume that he already used the + certificate while checking for the CRL. */ + cert = get_cert_local_ski (ctrl, subject_dn, keyid); + if (cert) + { + cache_cert (cert); + return cert; /* Done. */ + } + } + + + while (!cert) + { + char *subjdn; + + if (!context) + { + err = ca_cert_fetch (ctrl, &context, subject_dn); + if (err) + { + log_error (_("error fetching certificate by subject: %s\n"), + gpg_strerror (err)); + break; + } + } + + err = fetch_next_ksba_cert (context, &cert); + if (err) + { + log_error (_("error fetching certificate by subject: %s\n"), + gpg_strerror (err) ); + break; + } + + subjdn = ksba_cert_get_subject (cert, 0); + if (strcmp (subject_dn, subjdn)) + { + log_info ("find_cert_bysubject: subject DN does not match\n"); + ksba_cert_release (cert); + cert = NULL; + ksba_free (subjdn); + continue; + } + + + if (DBG_LOOKUP) + { + log_debug (" considering certificate (/"); + dump_string (subjdn); + log_printf (")\n"); + } + ksba_free (subjdn); + + if (!keyid) + { + cache_cert (cert); + if (DBG_LOOKUP) + log_debug (" found\n"); + break; /* Ready. */ + } + + if (!ksba_cert_get_subj_key_id (cert, NULL, &subj)) + { + if (!cmp_simple_canon_sexp (keyid, subj)) + { + ksba_free (subj); + cache_cert (cert); + if (DBG_LOOKUP) + log_debug (" found\n"); + break; /* Ready. */ + } + } + + ksba_free (subj); + ksba_cert_release (cert); + cert = NULL; + } + + end_cert_fetch (context); + return cert; +} + /* Return 0 if the certificate is a trusted certificate. Returns @@ -735,6 +886,7 @@ ksba_cert_t issuer_cert = NULL; ksba_name_t authid; ksba_sexp_t authidno; + ksba_sexp_t keyid; *r_cert = NULL; @@ -748,7 +900,7 @@ /* First we need to check whether we can return that certificate using the authorithyKeyIdentifier. */ - err = ksba_cert_get_auth_key_id (cert, NULL, &authid, &authidno); + err = ksba_cert_get_auth_key_id (cert, &keyid, &authid, &authidno); if (err) { log_info (_("error getting authorityKeyIdentifier: %s\n"), @@ -761,27 +913,46 @@ { issuer_cert = find_cert_bysn (ctrl, s, authidno); } + if (!issuer_cert && keyid) + { + /* Not found by issuer+s/n. Now that we have an AKI + keyIdentifier look for a certificate with a matching + SKI. */ + issuer_cert = find_cert_bysubject (ctrl, issuer_dn, keyid); + } /* Print a note so that the user does not feel too helpless when an issuer certificate was found and gpgsm prints BAD signature because it is not the correct one. */ if (!issuer_cert) { - log_info ("issuer certificate (#"); - dump_serial (authidno); - log_printf ("/"); - dump_string (s); - log_printf (") not found\n"); + log_info ("issuer certificate "); + if (keyid) + { + log_printf ("{"); + dump_serial (keyid); + log_printf ("} "); + } + if (authidno) + { + log_printf ("(#"); + dump_serial (authidno); + log_printf ("/"); + dump_string (s); + log_printf (") "); + } + log_printf ("not found using authorityKeyIdentifier\n"); } ksba_name_release (authid); xfree (authidno); + xfree (keyid); } - /* If this did not work, try just with the issuer's name. */ + /* If this did not work, try just with the issuer's name and assume + that there is only one such certificate. We only look into our + cache then. */ if (err || !issuer_cert) { - /* FIXME: we need to save a sequence number here for later - tries. */ - issuer_cert = get_cert_byissuer (issuer_dn, 0); + issuer_cert = get_cert_bysubject (issuer_dn, 0); } leave: Index: dirmngr/src/certcache.h diff -u dirmngr/src/certcache.h:1.7 dirmngr/src/certcache.h:1.8 --- dirmngr/src/certcache.h:1.7 Tue Feb 1 17:49:15 2005 +++ dirmngr/src/certcache.h Mon Apr 18 12:37:53 2005 @@ -34,6 +34,9 @@ the 20 bytes large buffer DIGEST. Return address of this buffer. */ unsigned char *cert_compute_fpr (ksba_cert_t cert, unsigned char *digest); +/* Compare two simple S-exprerssions A and B and return 0 if they match. */ +int cmp_simple_canon_sexp (ksba_sexp_t a, ksba_sexp_t b); + /* Put CERT into the certificate cache. */ gpg_error_t cache_cert (ksba_cert_t cert); @@ -72,6 +75,15 @@ ksba_cert_t find_cert_bysn (ctrl_t ctrl, const char *issuer_dn, ksba_sexp_t serialno); + +/* Return the certificate matching SUBJECT_DN and (if not NULL) KEYID. If + it is not already in the cache, try to find it from other + resources. Note, that the external search does not work for user + certificates because the LDAP lookup is on the caCertificate + attribute. For our purposes this is just fine. */ +ksba_cert_t find_cert_bysubject (ctrl_t ctrl, + const char *subject_dn, ksba_sexp_t keyid); + /* Given the certificate CERT locate the issuer for this certificate and return it at R_CERT. Returns 0 on success or GPG_ERR_NOT_FOUND. */ Index: dirmngr/src/crlcache.c diff -u dirmngr/src/crlcache.c:1.53 dirmngr/src/crlcache.c:1.54 --- dirmngr/src/crlcache.c:1.53 Tue Feb 1 17:49:15 2005 +++ dirmngr/src/crlcache.c Mon Apr 18 12:37:53 2005 @@ -1674,6 +1674,7 @@ char *crlissuer; ksba_name_t authid; ksba_sexp_t authidsn; + ksba_sexp_t keyid; /* We need to look for the issuer only after having read all items. The issuer itselfs comes before the items @@ -1690,7 +1691,7 @@ *r_crlissuer = crlissuer; /* (Do it here so we don't need to free it later) */ - if (!ksba_crl_get_auth_key_id (crl, NULL, &authid, &authidsn)) + if (!ksba_crl_get_auth_key_id (crl, &keyid, &authid, &authidsn)) { const char *s; @@ -1701,16 +1702,32 @@ s = ksba_name_enum (authid, 0); if (s && *authidsn) crlissuer_cert = get_crlissuer_cert_bysn (ctrl, s, authidsn); + if (!crlissuer_cert && keyid) + crlissuer_cert = find_cert_bysubject (ctrl, + crlissuer, keyid); + if (!crlissuer_cert) { - log_info ("CRL issuer certificate (#"); - dump_serial (authidsn); - log_printf ("/"); - dump_string (s); - log_printf (") not found\n"); + log_info ("CRL issuer certificate "); + if (keyid) + { + log_printf ("{"); + dump_serial (keyid); + log_printf ("} "); + } + if (authidsn) + { + log_printf ("(#"); + dump_serial (authidsn); + log_printf ("/"); + dump_string (s); + log_printf (") "); + } + log_printf ("not found\n"); } ksba_name_release (authid); xfree (authidsn); + xfree (keyid); } else crlissuer_cert = get_crlissuer_cert (ctrl, crlissuer); Index: dirmngr/src/dirmngr.h diff -u dirmngr/src/dirmngr.h:1.25 dirmngr/src/dirmngr.h:1.26 --- dirmngr/src/dirmngr.h:1.25 Mon Dec 13 16:16:35 2004 +++ dirmngr/src/dirmngr.h Mon Apr 18 12:37:53 2005 @@ -148,6 +148,8 @@ /*-- server.c --*/ ksba_cert_t get_cert_local (ctrl_t ctrl, const char *issuer); ksba_cert_t get_issuing_cert_local (ctrl_t ctrl, const char *issuer); +ksba_cert_t get_cert_local_ski (ctrl_t ctrl, + const char *name, ksba_sexp_t keyid); void start_command_handler (int fd); gpg_error_t dirmngr_status (ctrl_t ctrl, const char *keyword, ...); gpg_error_t dirmngr_tick (ctrl_t ctrl); Index: dirmngr/src/server.c diff -u dirmngr/src/server.c:1.48 dirmngr/src/server.c:1.49 --- dirmngr/src/server.c:1.48 Fri Dec 3 15:42:36 2004 +++ dirmngr/src/server.c Mon Apr 18 12:37:53 2005 @@ -1,6 +1,6 @@ /* dirmngr.c - LDAP access * Copyright (C) 2002 Klarälvdalens Datakonsult AB - * Copyright (C) 2003, 2004 g10 Code GmbH + * Copyright (C) 2003, 2004, 2005 g10 Code GmbH * * This file is part of DirMngr. * @@ -39,6 +39,7 @@ #include "ocsp.h" #include "certcache.h" #include "validate.h" +#include "misc.h" /* To avoid DoS attacks we limit the size of a certificate to something reasonable. */ @@ -128,7 +129,8 @@ xfree (buf); if (rc) { - log_error (_("assuan_inquire failed: %s\n"), assuan_strerror (rc)); + log_error (_("assuan_inquire(%s) failed: %s\n"), + command, assuan_strerror (rc)); return NULL; } @@ -171,12 +173,13 @@ return do_get_cert_local (ctrl, name, "SENDCERT"); } - + /* Ask back to return the issuing certificate for name, given as a regular gpgsm certificate indentificates (e.g. fingerprint or one of the other methods). Alternatively, NULL may be used for NAME to return thecurrent target certificate. Either return the certificate in a KSBA object or NULL if it is not available. + */ ksba_cert_t get_issuing_cert_local (ctrl_t ctrl, const char *name) @@ -189,6 +192,76 @@ return do_get_cert_local (ctrl, name, "SENDISSUERCERT"); } +/* Ask back to return a certificate with subject NAME and a + subjectKeyIdentifier of KEYID. */ +ksba_cert_t +get_cert_local_ski (ctrl_t ctrl, const char *name, ksba_sexp_t keyid) +{ + unsigned char *value; + size_t valuelen; + int rc; + char *buf; + ksba_cert_t cert; + char *hexkeyid; + + if (!ctrl || !ctrl->server_local->assuan_ctx) + { + log_debug ("get_cert_local_ski called w/o context\n"); + return NULL; + } + if (!name || !keyid) + { + log_debug ("get_cert_local_ski called with insufficient arguments\n"); + return NULL; + } + + hexkeyid = serial_hex (keyid); + if (!hexkeyid) + { + log_debug ("serial_hex() failed\n"); + return NULL; + } + + buf = xtrymalloc (15 + strlen (hexkeyid) + 2 + strlen(name) + 1); + if (!buf) + { + + log_error ("can't allocate enough memory: %s\n", strerror (errno)); + xfree (hexkeyid); + return NULL; + } + strcpy (stpcpy (stpcpy (stpcpy (buf, "SENDCERT_SKI "), hexkeyid)," /"),name); + xfree (hexkeyid); + + rc = assuan_inquire (ctrl->server_local->assuan_ctx, buf, + &value, &valuelen, MAX_CERT_LENGTH); + xfree (buf); + if (rc) + { + log_error (_("assuan_inquire(%s) failed: %s\n"), "SENDCERT_SKI", + assuan_strerror (rc)); + return NULL; + } + + if (!valuelen) + { + xfree (value); + return NULL; + } + + rc = ksba_cert_new (&cert); + if (!rc) + { + rc = ksba_cert_init_from_mem (cert, value, valuelen); + if (rc) + { + ksba_cert_release (cert); + cert = NULL; + } + } + xfree (value); + return cert; +} Index: dirmngr/src/validate.c diff -u dirmngr/src/validate.c:1.7 dirmngr/src/validate.c:1.8 --- dirmngr/src/validate.c:1.7 Wed Dec 15 23:11:59 2004 +++ dirmngr/src/validate.c Mon Apr 18 12:37:53 2005 @@ -471,7 +471,7 @@ } /* Now check the signature of the certificate. Well, we - shouldnot delay this until later so that faked certificates + should delay this until later so that faked certificates can't be turned into a DoS easily. */ err = check_cert_sig (issuer_cert, subject_cert); if (err) From cvs at cvs.gnupg.org Mon Apr 18 12:28:05 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Mon Apr 18 12:28:08 2005 Subject: GNUPG-1-9-BRANCH gnupg (17 files) Message-ID: Date: Monday, April 18, 2005 @ 12:44:46 Author: wk Path: /cvs/gnupg/gnupg Tag: GNUPG-1-9-BRANCH Modified: ChangeLog NEWS README TODO agent/command-ssh.c common/ChangeLog common/sexputil.c common/util.h configure.ac sm/ChangeLog sm/call-dirmngr.c sm/certchain.c sm/certdump.c sm/certlist.c sm/gpgsm.c sm/gpgsm.h sm/keylist.c * configure.ac: Require libksba 0.9.11. sm/ * call-dirmngr.c (inq_certificate): Add new inquire SENDCERT_SKI. * certlist.c (gpgsm_find_cert): Add new arg KEYID and implement this filter. Changed all callers. * certchain.c (find_up_search_by_keyid): New helper. (find_up): Also try using the AKI.keyIdentifier. (find_up_external): Ditto. ---------------------+ ChangeLog | 4 + NEWS | 9 +++ README | 8 +-- TODO | 4 + agent/command-ssh.c | 1 common/ChangeLog | 5 ++ common/sexputil.c | 78 ++++++++++++++++++++++++++++++++++ common/util.h | 3 + configure.ac | 2 sm/ChangeLog | 15 ++++++ sm/call-dirmngr.c | 21 +++++++-- sm/certchain.c | 113 +++++++++++++++++++++++++++++++++++++++++--------- sm/certdump.c | 1 sm/certlist.c | 40 +++++++++++++++-- sm/gpgsm.c | 2 sm/gpgsm.h | 2 sm/keylist.c | 35 +++++++++++++-- 17 files changed, 302 insertions(+), 41 deletions(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.131.2.70 gnupg/ChangeLog:1.131.2.71 --- gnupg/ChangeLog:1.131.2.70 Fri Apr 15 04:24:44 2005 +++ gnupg/ChangeLog Mon Apr 18 12:44:46 2005 @@ -1,3 +1,7 @@ +2005-04-15 Werner Koch + + * configure.ac: Require libksba 0.9.11. + 2005-04-15 Marcus Brinkmann * configure.ac: Check for /usr/bin/shred and define SHRED. Index: gnupg/NEWS diff -u gnupg/NEWS:1.165.2.65 gnupg/NEWS:1.165.2.66 --- gnupg/NEWS:1.165.2.65 Thu Jan 13 20:03:37 2005 +++ gnupg/NEWS Mon Apr 18 12:44:46 2005 @@ -1,6 +1,13 @@ Noteworthy changes in version 1.9.16 ------------------------------------------------- + * gpg-agent does now support the ssh-agent protocol and thus allows + to use the pinentry as well as the OpenPGP smartcard with ssh. + + * New tool gpg-connect-agent as a genereal client for the gpg-agent. + + * New tool symcryptrun as a wrapper for certain encryption tools. + Noteworthy changes in version 1.9.15 (2005-01-13) ------------------------------------------------- @@ -226,7 +233,7 @@ development branch. - Copyright 2002, 2003, 2004 Free Software Foundation, Inc. + Copyright 2002, 2003, 2004, 2005 Free Software Foundation, Inc. This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without Index: gnupg/README diff -u gnupg/README:1.72.2.15 gnupg/README:1.72.2.16 --- gnupg/README:1.72.2.15 Wed Oct 20 10:54:45 2004 +++ gnupg/README Mon Apr 18 12:44:45 2005 @@ -399,7 +399,7 @@ +Heinrich Heine duesseldorf - * [NEW] Exact match by subject's DN + * Exact match by subject's DN This is indicated by a leading slash, directly followed by the rfc2253 encoded DN of the subject. Note that you can't use the @@ -411,7 +411,7 @@ /CN=Heinrich Heine,O=Poets,L=Paris,C=FR - * [NEW] Excact match by issuer's DN + * Excact match by issuer's DN This is indicated by a leading hash mark, directly followed by a slash and then directly followed by the rfc2253 encoded DN of the @@ -422,10 +422,10 @@ #/CN=Root Cert,O=Poets,L=Paris,C=FR - * [NEW] Exact match by serial number and subject's DN + * Exact match by serial number and issuer's DN This is indicated by a hash mark, followed by the hexadecmal - representation of the serial number, the followed by a slahs and + representation of the serial number, the followed by a slash and the RFC2253 encoded DN of the issuer. See note above. Example: Index: gnupg/TODO diff -u gnupg/TODO:1.165.2.38 gnupg/TODO:1.165.2.39 --- gnupg/TODO:1.165.2.38 Thu Mar 3 11:15:07 2005 +++ gnupg/TODO Mon Apr 18 12:44:45 2005 @@ -1,5 +1,9 @@ -*- outline -*- +* IMPORTANT +Check that openpty and pty.h are available and build symcryptrun only +then. Run shred on the temporary files. + * src/base64 ** Make parsing more robust Index: gnupg/agent/command-ssh.c diff -u gnupg/agent/command-ssh.c:1.1.4.16 gnupg/agent/command-ssh.c:1.1.4.17 --- gnupg/agent/command-ssh.c:1.1.4.16 Sat Apr 9 18:41:28 2005 +++ gnupg/agent/command-ssh.c Mon Apr 18 12:44:45 2005 @@ -1741,6 +1741,7 @@ /* Prepare buffer stream. */ +#warning Huh, sleep? why that? Anyway, this should be pth_sleep sleep (5); key_directory = NULL; Index: gnupg/common/ChangeLog diff -u gnupg/common/ChangeLog:1.30.2.47 gnupg/common/ChangeLog:1.30.2.48 --- gnupg/common/ChangeLog:1.30.2.47 Mon Apr 11 18:10:03 2005 +++ gnupg/common/ChangeLog Mon Apr 18 12:44:45 2005 @@ -1,3 +1,8 @@ +2005-04-17 Werner Koch + + * sexputil.c (cmp_simple_canon_sexp): New. + (make_simple_sexp_from_hexstr): New. + 2005-04-07 Werner Koch * sexputil.c: New. Index: gnupg/common/sexputil.c diff -u gnupg/common/sexputil.c:1.1.2.1 gnupg/common/sexputil.c:1.1.2.2 --- gnupg/common/sexputil.c:1.1.2.1 Wed Apr 13 11:39:38 2005 +++ gnupg/common/sexputil.c Mon Apr 18 12:44:45 2005 @@ -61,3 +61,81 @@ return err; } + +/* Compare two simple S-expressions like "(3:foo)". Returns 0 if they + are identical or !0 if they are not. Not that this function can't + be used for sorting. */ +int +cmp_simple_canon_sexp (const unsigned char *a, const unsigned char *b) +{ + unsigned long n1, n2; + char *endp; + + if (!a && !b) + return 0; /* Both are NULL, they are identical. */ + if (!a || !b) + return 1; /* One is NULL, they are not identical. */ + if (*a != '(' || *b != '(') + log_bug ("invalid S-exp in cmp_simple_canon_sexp\n"); + + a++; + n1 = strtoul (a, &endp, 10); + a = endp; + b++; + n2 = strtoul (b, &endp, 10); + b = endp; + + if (*a != ':' || *b != ':' ) + log_bug ("invalid S-exp in cmp_simple_canon_sexp\n"); + if (n1 != n2) + return 1; /* Not the same. */ + + for (a++, b++; n1; n1--, a++, b++) + if (*a != *b) + return 1; /* Not the same. */ + return 0; +} + + +/* Create a simple S-expression from the hex string at LIBNE. Returns + a newly allocated buffer with that canonical encoded S-expression + or NULL in case of an error. On return the number of characters + scanned in LINE will be stored at NSCANNED. This fucntions stops + converting at the first character not representing a hexdigit. Odd + numbers of hex digits are allowed; a leading zero is then + assumed. If no characters have been found, NULL is returned.*/ +unsigned char * +make_simple_sexp_from_hexstr (const char *line, size_t *nscanned) +{ + size_t n, len; + const char *s; + unsigned char *buf; + unsigned char *p; + char numbuf[50]; + + for (n=0, s=line; hexdigitp (s); s++, n++) + ; + if (nscanned) + *nscanned = n; + if (!n) + return NULL; + len = ((n+1) & ~0x01)/2; + sprintf (numbuf, "(%u:", (unsigned int)len); + buf = xtrymalloc (strlen (numbuf) + len + 1 + 1); + if (!buf) + return NULL; + p = stpcpy (buf, numbuf); + s = line; + if ((n&1)) + { + *p++ = xtoi_1 (s); + s++; + n--; + } + for (; n > 1; n -=2, s += 2) + *p++ = xtoi_2 (s); + *p++ = ')'; + *p = 0; /* (Not really neaded.) */ + + return buf; +} Index: gnupg/common/util.h diff -u gnupg/common/util.h:1.12.2.16 gnupg/common/util.h:1.12.2.17 --- gnupg/common/util.h:1.12.2.16 Mon Apr 11 18:10:03 2005 +++ gnupg/common/util.h Mon Apr 18 12:44:45 2005 @@ -123,6 +123,9 @@ /*-- sexputil.c */ gpg_error_t keygrip_from_canon_sexp (const unsigned char *key, size_t keylen, unsigned char *grip); +int cmp_simple_canon_sexp (const unsigned char *a, const unsigned char *b); +unsigned char *make_simple_sexp_from_hexstr (const char *line, + size_t *nscanned); /*-- homedir. c --*/ const char *default_homedir (void); Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.36.2.82 gnupg/configure.ac:1.36.2.83 --- gnupg/configure.ac:1.36.2.82 Fri Apr 15 04:24:44 2005 +++ gnupg/configure.ac Mon Apr 18 12:44:45 2005 @@ -36,7 +36,7 @@ NEED_LIBASSUAN_VERSION=0.6.9 -NEED_KSBA_VERSION=0.9.7 +NEED_KSBA_VERSION=0.9.11 NEED_OPENSC_VERSION=0.8.0 Index: gnupg/sm/ChangeLog diff -u gnupg/sm/ChangeLog:1.101.2.91 gnupg/sm/ChangeLog:1.101.2.92 --- gnupg/sm/ChangeLog:1.101.2.91 Mon Apr 11 18:21:05 2005 +++ gnupg/sm/ChangeLog Mon Apr 18 12:44:45 2005 @@ -1,3 +1,18 @@ +2005-04-17 Werner Koch + + * call-dirmngr.c (inq_certificate): Add new inquire SENDCERT_SKI. + * certlist.c (gpgsm_find_cert): Add new arg KEYID and implement + this filter. Changed all callers. + + * certchain.c (find_up_search_by_keyid): New helper. + (find_up): Also try using the AKI.keyIdentifier. + (find_up_external): Ditto. + +2005-04-15 Werner Koch + + * keylist.c (list_cert_raw): Print the subjectKeyIdentifier as + well as the keyIdentifier part of the authorityKeyIdentifier. + 2005-03-31 Werner Koch * call-dirmngr.c (start_dirmngr): Use PATHSEP_C instead of ':'. Index: gnupg/sm/call-dirmngr.c diff -u gnupg/sm/call-dirmngr.c:1.16.2.13 gnupg/sm/call-dirmngr.c:1.16.2.14 --- gnupg/sm/call-dirmngr.c:1.16.2.13 Mon Apr 11 18:21:05 2005 +++ gnupg/sm/call-dirmngr.c Mon Apr 18 12:44:45 2005 @@ -1,5 +1,5 @@ /* call-dirmngr.c - communication with the dromngr - * Copyright (C) 2002, 2003 Free Software Foundation, Inc. + * Copyright (C) 2002, 2003, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -266,11 +266,25 @@ const unsigned char *der; size_t derlen; int issuer_mode = 0; + ksba_sexp_t ski = NULL; if (!strncmp (line, "SENDCERT", 8) && (line[8] == ' ' || !line[8])) { line += 8; } + else if (!strncmp (line, "SENDCERT_SKI", 12) && (line[12]==' ' || !line[12])) + { + size_t n; + + /* Send a certificate where a sourceKeyidentifier is included. */ + line += 12; + while (*line == ' ') + line++; + ski = make_simple_sexp_from_hexstr (line, &n); + line += n; + while (*line == ' ') + line++; + } else if (!strncmp (line, "SENDISSUERCERT", 14) && (line[14] == ' ' || !line[14])) { @@ -304,7 +318,7 @@ ksba_cert_t cert; - err = gpgsm_find_cert (line, &cert); + err = gpgsm_find_cert (line, ski, &cert); if (err) { log_error ("certificate not found: %s\n", gpg_strerror (err)); @@ -321,6 +335,7 @@ } } + xfree (ski); return rc; } @@ -717,7 +732,7 @@ if (!*line) return ASSUAN_Inquire_Error; - err = gpgsm_find_cert (line, &cert); + err = gpgsm_find_cert (line, NULL, &cert); if (err) { log_error ("certificate not found: %s\n", gpg_strerror (err)); Index: gnupg/sm/certchain.c diff -u gnupg/sm/certchain.c:1.32.2.21 gnupg/sm/certchain.c:1.32.2.22 --- gnupg/sm/certchain.c:1.32.2.21 Thu Mar 17 20:10:37 2005 +++ gnupg/sm/certchain.c Mon Apr 18 12:44:45 2005 @@ -266,6 +266,42 @@ } +/* Helper fucntion for find_up. This resets the key handle and search + for an issuer ISSUER with a subjectKeyIdentifier of KEYID. Returns + 0 obn success or -1 when not found. */ +static int +find_up_search_by_keyid (KEYDB_HANDLE kh, + const char *issuer, ksba_sexp_t keyid) +{ + int rc; + ksba_cert_t cert = NULL; + ksba_sexp_t subj = NULL; + + keydb_search_reset (kh); + while (!(rc = keydb_search_subject (kh, issuer))) + { + ksba_cert_release (cert); cert = NULL; + rc = keydb_get_cert (kh, &cert); + if (rc) + { + log_error ("keydb_get_cert() failed: rc=%d\n", rc); + rc = -1; + break; + } + xfree (subj); + if (!ksba_cert_get_subj_key_id (cert, NULL, &subj)) + { + if (!cmp_simple_canon_sexp (keyid, subj)) + break; /* Found matching cert. */ + } + } + + ksba_cert_release (cert); + xfree (subj); + return rc? -1:0; +} + + static void find_up_store_certs_cb (void *cb_value, ksba_cert_t cert) { @@ -275,13 +311,13 @@ } - /* Helper for find_up(). Locate the certificate for ISSUER using an external lookup. KH is the keydb context we are currently using. On success 0 is returned and the certificate may be retrieved from - the keydb using keydb_get_cert().*/ + the keydb using keydb_get_cert(). KEYID is the keyIdentifier from + the AKI or NULL. */ static int -find_up_external (KEYDB_HANDLE kh, const char *issuer) +find_up_external (KEYDB_HANDLE kh, const char *issuer, ksba_sexp_t keyid) { int rc; strlist_t names = NULL; @@ -324,8 +360,13 @@ /* The issuers are currently stored in the ephemeral key DB, so we temporary switch to ephemeral mode. */ old = keydb_set_ephemeral (kh, 1); - keydb_search_reset (kh); - rc = keydb_search_subject (kh, issuer); + if (keyid) + rc = find_up_search_by_keyid (kh, issuer, keyid); + else + { + keydb_search_reset (kh); + rc = keydb_search_subject (kh, issuer); + } keydb_set_ephemeral (kh, old); } return rc; @@ -343,9 +384,10 @@ { ksba_name_t authid; ksba_sexp_t authidno; + ksba_sexp_t keyid; int rc = -1; - if (!ksba_cert_get_auth_key_id (cert, NULL, &authid, &authidno)) + if (!ksba_cert_get_auth_key_id (cert, &keyid, &authid, &authidno)) { const char *s = ksba_name_enum (authid, 0); if (s && *authidno) @@ -369,28 +411,57 @@ keydb_set_ephemeral (kh, old); } - /* If we didn't found it, try an external lookup. */ - if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next) - rc = find_up_external (kh, issuer); } + if (rc == -1 && keyid && !find_next) + { + /* Not found by AIK.issuer_sn. Lets try the AIY.ki + instead. Loop over all certificates with that issuer as + subject and stop for the one with a matching + subjectKeyIdentifier. */ + rc = find_up_search_by_keyid (kh, issuer, keyid); + if (rc) + { + int old = keydb_set_ephemeral (kh, 1); + if (!old) + rc = find_up_search_by_keyid (kh, issuer, keyid); + keydb_set_ephemeral (kh, old); + } + if (rc) + rc = -1; /* Need to make sure to have this error code. */ + } + + /* If we still didn't found it, try an external lookup. */ + if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next) + rc = find_up_external (kh, issuer, keyid); + /* Print a note so that the user does not feel too helpless when an issuer certificate was found and gpgsm prints BAD signature because it is not the correct one. */ if (rc == -1) { - log_info ("%sissuer certificate (#", find_next?"next ":""); - gpgsm_dump_serial (authidno); - log_printf ("/"); - gpgsm_dump_string (s); - log_printf (") not found using authorityKeyIdentifier\n"); + log_info ("%sissuer certificate ", find_next?"next ":""); + if (keyid) + { + log_printf ("{"); + gpgsm_dump_serial (keyid); + log_printf ("} "); + } + if (authidno) + { + log_printf ("(#"); + gpgsm_dump_serial (authidno); + log_printf ("/"); + gpgsm_dump_string (s); + log_printf (") "); + } + log_printf ("not found using authorityKeyIdentifier\n"); } else if (rc) log_error ("failed to find authorityKeyIdentifier: rc=%d\n", rc); + xfree (keyid); ksba_name_release (authid); xfree (authidno); - /* Fixme: There is no way to do an external lookup with - serial+issuer. */ } if (rc) /* Not found via authorithyKeyIdentifier, try regular issuer name. */ @@ -409,7 +480,7 @@ /* Still not found. If enabled, try an external lookup. */ if (rc == -1 && opt.auto_issuer_key_retrieve && !find_next) - rc = find_up_external (kh, issuer); + rc = find_up_external (kh, issuer, NULL); return rc; } @@ -468,7 +539,7 @@ rc = keydb_get_cert (kh, r_next); if (rc) { - log_error ("failed to get cert: rc=%d\n", rc); + log_error ("keydb_get_cert() failed: rc=%d\n", rc); rc = gpg_error (GPG_ERR_GENERAL); } @@ -791,7 +862,7 @@ rc = keydb_get_cert (kh, &issuer_cert); if (rc) { - log_error ("failed to get cert: rc=%d\n", rc); + log_error ("keydb_get_cert() failed: rc=%d\n", rc); rc = gpg_error (GPG_ERR_GENERAL); goto leave; } @@ -818,6 +889,8 @@ might have been used. This is required because some CAs are reusing the issuer and subject DN for new root certificates. */ + /* FIXME: Do this only if we don't have an + AKI.keyIdentifier */ rc = find_up (kh, subject_cert, issuer, 1); if (!rc) { @@ -1008,7 +1081,7 @@ rc = keydb_get_cert (kh, &issuer_cert); if (rc) { - log_error ("failed to get cert: rc=%d\n", rc); + log_error ("keydb_get_cert() failed: rc=%d\n", rc); rc = gpg_error (GPG_ERR_GENERAL); goto leave; } Index: gnupg/sm/certdump.c diff -u gnupg/sm/certdump.c:1.11.2.11 gnupg/sm/certdump.c:1.11.2.12 --- gnupg/sm/certdump.c:1.11.2.11 Thu Sep 30 23:37:06 2004 +++ gnupg/sm/certdump.c Mon Apr 18 12:44:45 2005 @@ -75,6 +75,7 @@ } +/* Dump the serial number or any other simple S-expression. */ void gpgsm_dump_serial (ksba_const_sexp_t p) { Index: gnupg/sm/certlist.c diff -u gnupg/sm/certlist.c:1.13.2.11 gnupg/sm/certlist.c:1.13.2.12 --- gnupg/sm/certlist.c:1.13.2.11 Tue Aug 24 20:13:15 2004 +++ gnupg/sm/certlist.c Mon Apr 18 12:44:45 2005 @@ -1,5 +1,5 @@ /* certlist.c - build list of certificates - * Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc. + * Copyright (C) 2001, 2003, 2004, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -412,9 +412,11 @@ /* Like gpgsm_add_to_certlist, but look only for one certificate. No - chain validation is done */ + chain validation is done. If KEYID is not NULL it is take as an + additional filter value which must match the + subjectKeyIdentifier. */ int -gpgsm_find_cert (const char *name, ksba_cert_t *r_cert) +gpgsm_find_cert (const char *name, ksba_sexp_t keyid, ksba_cert_t *r_cert) { int rc; KEYDB_SEARCH_DESC desc; @@ -429,10 +431,38 @@ rc = gpg_error (GPG_ERR_ENOMEM); else { + nextone: rc = keydb_search (kh, &desc, 1); if (!rc) - rc = keydb_get_cert (kh, r_cert); - if (!rc) + { + rc = keydb_get_cert (kh, r_cert); + if (!rc && keyid) + { + ksba_sexp_t subj; + + rc = ksba_cert_get_subj_key_id (*r_cert, NULL, &subj); + if (!rc) + { + if (cmp_simple_canon_sexp (keyid, subj)) + { + xfree (subj); + goto nextone; + } + xfree (subj); + /* Okay: Here we know that the certificate's + subjectKeyIdentifier matches the requested + one. */ + } + else if (gpg_err_code (rc) == GPG_ERR_NO_DATA) + goto nextone; + } + } + + /* If we don't have the KEYID filter we need to check for + ambigious search results. Note, that it is somehwat + reasonable to assume that a specification of a KEYID + won't lead to ambiguous names. */ + if (!rc && !keyid) { rc = keydb_search (kh, &desc, 1); if (rc == -1) Index: gnupg/sm/gpgsm.c diff -u gnupg/sm/gpgsm.c:1.67.2.38 gnupg/sm/gpgsm.c:1.67.2.39 --- gnupg/sm/gpgsm.c:1.67.2.38 Wed Dec 22 18:55:28 2004 +++ gnupg/sm/gpgsm.c Mon Apr 18 12:44:45 2005 @@ -1566,7 +1566,7 @@ ksba_cert_t cert = NULL; char *grip = NULL; - rc = gpgsm_find_cert (*argv, &cert); + rc = gpgsm_find_cert (*argv, NULL, &cert); if (rc) ; else if (!(grip = gpgsm_get_keygrip_hexstring (cert))) Index: gnupg/sm/gpgsm.h diff -u gnupg/sm/gpgsm.h:1.54.2.24 gnupg/sm/gpgsm.h:1.54.2.25 --- gnupg/sm/gpgsm.h:1.54.2.24 Sat Dec 18 11:22:09 2004 +++ gnupg/sm/gpgsm.h Mon Apr 18 12:44:45 2005 @@ -252,7 +252,7 @@ int gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret, certlist_t *listaddr, int is_encrypt_to); void gpgsm_release_certlist (certlist_t list); -int gpgsm_find_cert (const char *name, ksba_cert_t *r_cert); +int gpgsm_find_cert (const char *name, ksba_sexp_t keyid, ksba_cert_t *r_cert); /*-- keylist.c --*/ gpg_error_t gpgsm_list_keys (ctrl_t ctrl, STRLIST names, Index: gnupg/sm/keylist.c diff -u gnupg/sm/keylist.c:1.25.2.19 gnupg/sm/keylist.c:1.25.2.20 --- gnupg/sm/keylist.c:1.25.2.19 Sun Dec 19 14:38:24 2004 +++ gnupg/sm/keylist.c Mon Apr 18 12:44:45 2005 @@ -1,6 +1,6 @@ -/* keylist.c +/* keylist.c - Print certificates in various formats. * Copyright (C) 1998, 1999, 2000, 2001, 2003, - * 2004 Free Software Foundation, Inc. + * 2004, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -122,7 +122,7 @@ { "1.3.6.1.5.5.7.1.11", "subjectInfoAccess" }, /* X.509 id-ce */ - { "2.5.29.14", "subjectKeyIdentifier"}, + { "2.5.29.14", "subjectKeyIdentifier", 1}, { "2.5.29.15", "keyUsage", 1 }, { "2.5.29.16", "privateKeyUsagePeriod" }, { "2.5.29.17", "subjectAltName", 1 }, @@ -512,7 +512,7 @@ { gpg_error_t err; size_t off, len; - ksba_sexp_t sexp; + ksba_sexp_t sexp, keyid; char *dn; ksba_isotime_t t; int idx, i; @@ -588,9 +588,27 @@ fprintf (fp, " keyType: %u bit %s\n", nbits, algoname? algoname:"?"); } + /* subjectKeyIdentifier */ + fputs (" subjKeyId: ", fp); + err = ksba_cert_get_subj_key_id (cert, NULL, &keyid); + if (!err || gpg_err_code (err) == GPG_ERR_NO_DATA) + { + if (gpg_err_code (err) == GPG_ERR_NO_DATA) + fputs ("[none]\n", fp); + else + { + gpgsm_print_serial (fp, keyid); + ksba_free (keyid); + putc ('\n', fp); + } + } + else + fputs ("[?]\n", fp); + + /* authorityKeyIdentifier */ fputs (" authKeyId: ", fp); - err = ksba_cert_get_auth_key_id (cert, NULL, &name, &sexp); + err = ksba_cert_get_auth_key_id (cert, &keyid, &name, &sexp); if (!err || gpg_err_code (err) == GPG_ERR_NO_DATA) { if (gpg_err_code (err) == GPG_ERR_NO_DATA || !name) @@ -603,6 +621,13 @@ print_names_raw (fp, -15, name); ksba_name_release (name); } + if (keyid) + { + fputs (" authKeyId.ki: ", fp); + gpgsm_print_serial (fp, keyid); + ksba_free (keyid); + putc ('\n', fp); + } } else fputs ("[?]\n", fp); From cvs at cvs.gnupg.org Tue Apr 19 13:43:44 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Tue Apr 19 13:43:49 2005 Subject: GNUPG-1-9-BRANCH gnupg/tools (ChangeLog symcryptrun.c) Message-ID: Date: Tuesday, April 19, 2005 @ 14:00:29 Author: marcus Path: /cvs/gnupg/gnupg/tools Tag: GNUPG-1-9-BRANCH Modified: ChangeLog symcryptrun.c 2005-04-19 Marcus Brinkmann * symcryptrun.c: Add --input option. ---------------+ ChangeLog | 4 +++ symcryptrun.c | 74 ++++++++++++++++++++++++++++++++++---------------------- 2 files changed, 50 insertions(+), 28 deletions(-) Index: gnupg/tools/ChangeLog diff -u gnupg/tools/ChangeLog:1.25.2.71 gnupg/tools/ChangeLog:1.25.2.72 --- gnupg/tools/ChangeLog:1.25.2.71 Fri Apr 15 11:04:43 2005 +++ gnupg/tools/ChangeLog Tue Apr 19 14:00:29 2005 @@ -1,3 +1,7 @@ +2005-04-19 Marcus Brinkmann + + * symcryptrun.c: Add --input option. + 2005-04-15 Marcus Brinkmann * symcryptrun.c (TEMP_FAILURE_RETRY): Define if not defined. Index: gnupg/tools/symcryptrun.c diff -u gnupg/tools/symcryptrun.c:1.1.2.5 gnupg/tools/symcryptrun.c:1.1.2.6 --- gnupg/tools/symcryptrun.c:1.1.2.5 Fri Apr 15 11:04:43 2005 +++ gnupg/tools/symcryptrun.c Tue Apr 19 14:00:29 2005 @@ -124,6 +124,7 @@ oKeyfile, oDecrypt, oEncrypt, + oInput, }; @@ -132,23 +133,23 @@ { { 301, NULL, 0, N_("@\nCommands:\n ") }, - { oDecrypt, "decrypt", 0, N_("decryption modus")}, - { oEncrypt, "encrypt", 0, N_("encryption modus")}, + { oDecrypt, "decrypt", 0, N_("decryption modus") }, + { oEncrypt, "encrypt", 0, N_("encryption modus") }, { 302, NULL, 0, N_("@\nOptions:\n ") }, - { oClass, "class", 2, N_("tool class (confucius)")}, - { oProgram, "program", 2, N_("program filename")}, - - { oKeyfile, "keyfile", 2, N_("secret key file (required)")}, + { oClass, "class", 2, N_("tool class (confucius)") }, + { oProgram, "program", 2, N_("program filename") }, + { oKeyfile, "keyfile", 2, N_("secret key file (required)") }, + { oInput, "inputfile", 2, N_("input file name (default stdin)") }, { oVerbose, "verbose", 0, N_("verbose") }, { oQuiet, "quiet", 0, N_("quiet") }, - { oLogFile, "log-file", 2, N_("use a log file for the server")}, - { oOptions, "options" , 2, N_("|FILE|read options from FILE")}, + { oLogFile, "log-file", 2, N_("use a log file for the server") }, + { oOptions, "options" , 2, N_("|FILE|read options from FILE") }, /* Hidden options. */ - { oNoVerbose, "no-verbose", 0, "@"}, + { oNoVerbose, "no-verbose", 0, "@" }, { oHomedir, "homedir", 2, "@" }, { oNoOptions, "no-options", 0, "@" },/* shortcut for --options /dev/null */ @@ -166,6 +167,7 @@ char *class; char *program; char *keyfile; + char *input; } opt; @@ -755,22 +757,31 @@ int res; char *tmpdir; char *infile; + int infile_from_stdin = 0; char *outfile; tmpdir = confucius_mktmpdir (); if (!tmpdir) return 1; - - /* TMPDIR + "/" + "in" + "\0". */ - infile = malloc (strlen (tmpdir) + 1 + 2 + 1); - if (!infile) + + if (opt.input && !(opt.input[0] == '-' && opt.input[1] == '\0')) + infile = xstrdup (opt.input); + else { - log_error (_("cannot allocate infile string: %s\n"), strerror (errno)); - rmdir (tmpdir); - return 1; + infile_from_stdin = 1; + + /* TMPDIR + "/" + "in" + "\0". */ + infile = malloc (strlen (tmpdir) + 1 + 2 + 1); + if (!infile) + { + log_error (_("cannot allocate infile string: %s\n"), + strerror (errno)); + rmdir (tmpdir); + return 1; + } + strcpy (infile, tmpdir); + strcat (infile, "/in"); } - strcpy (infile, tmpdir); - strcat (infile, "/in"); /* TMPDIR + "/" + "out" + "\0". */ outfile = malloc (strlen (tmpdir) + 1 + 3 + 1); @@ -784,14 +795,17 @@ strcpy (outfile, tmpdir); strcat (outfile, "/out"); - /* Create INFILE and fill it with content. */ - res = confucius_copy_file ("-", infile, mode == oEncrypt); - if (res) + if (infile_from_stdin) { - free (outfile); - free (infile); - rmdir (tmpdir); - return res; + /* Create INFILE and fill it with content. */ + res = confucius_copy_file ("-", infile, mode == oEncrypt); + if (res) + { + free (outfile); + free (infile); + rmdir (tmpdir); + return res; + } } /* Run the engine and thus create the output file, handling @@ -800,7 +814,8 @@ if (res) { remove_file (outfile, mode == oDecrypt); - remove_file (infile, mode == oEncrypt); + if (infile_from_stdin) + remove_file (infile, mode == oEncrypt); free (outfile); free (infile); rmdir (tmpdir); @@ -812,7 +827,8 @@ if (res) { remove_file (outfile, mode == oDecrypt); - remove_file (infile, mode == oEncrypt); + if (infile_from_stdin) + remove_file (infile, mode == oEncrypt); free (outfile); free (infile); rmdir (tmpdir); @@ -820,7 +836,8 @@ } remove_file (outfile, mode == oDecrypt); - remove_file (infile, mode == oEncrypt); + if (infile_from_stdin) + remove_file (infile, mode == oEncrypt); free (outfile); free (infile); rmdir (tmpdir); @@ -915,6 +932,7 @@ case oClass: opt.class = pargs.r.ret_str; break; case oProgram: opt.program = pargs.r.ret_str; break; case oKeyfile: opt.keyfile = pargs.r.ret_str; break; + case oInput: opt.input = pargs.r.ret_str; break; case oLogFile: logfile = pargs.r.ret_str; break; From cvs at cvs.gnupg.org Wed Apr 20 16:30:26 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Wed Apr 20 16:30:29 2005 Subject: GNUPG-1-9-BRANCH gnupg/agent (ChangeLog command-ssh.c) Message-ID: Date: Wednesday, April 20, 2005 @ 16:47:19 Author: mo Path: /cvs/gnupg/gnupg/agent Tag: GNUPG-1-9-BRANCH Modified: ChangeLog command-ssh.c 2005-04-20 Moritz Schulte * command-ssh.c (ssh_handler_request_identities): Removed debugging code (sleep call), which was commited unintenionally. ---------------+ ChangeLog | 5 +++++ command-ssh.c | 3 --- 2 files changed, 5 insertions(+), 3 deletions(-) Index: gnupg/agent/ChangeLog diff -u gnupg/agent/ChangeLog:1.59.2.73 gnupg/agent/ChangeLog:1.59.2.74 --- gnupg/agent/ChangeLog:1.59.2.73 Sat Apr 9 18:41:28 2005 +++ gnupg/agent/ChangeLog Wed Apr 20 16:47:18 2005 @@ -1,3 +1,8 @@ +2005-04-20 Moritz Schulte + + * command-ssh.c (ssh_handler_request_identities): Removed + debugging code (sleep call), which was commited unintenionally. + 2005-04-03 Moritz Schulte * command-ssh.c (ssh_request_spec): New member: secret_input. Index: gnupg/agent/command-ssh.c diff -u gnupg/agent/command-ssh.c:1.1.4.17 gnupg/agent/command-ssh.c:1.1.4.18 --- gnupg/agent/command-ssh.c:1.1.4.17 Mon Apr 18 12:44:45 2005 +++ gnupg/agent/command-ssh.c Wed Apr 20 16:47:19 2005 @@ -1741,9 +1741,6 @@ /* Prepare buffer stream. */ -#warning Huh, sleep? why that? Anyway, this should be pth_sleep - sleep (5); - key_directory = NULL; key_secret = NULL; key_public = NULL; From cvs at cvs.gnupg.org Wed Apr 20 18:47:06 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Wed Apr 20 18:47:10 2005 Subject: dirmngr/src (ChangeLog ldap.c server.c) Message-ID: Date: Wednesday, April 20, 2005 @ 19:03:56 Author: wk Path: /cvs/dirmngr/dirmngr/src Modified: ChangeLog ldap.c server.c (ldap_wrapper_wait_connections): Set a shutdown flag. (ldap_wrapper_thread): Handle shutdown in a special way. -----------+ ChangeLog | 10 ++++++++++ ldap.c | 14 +++++++++----- server.c | 15 +++++++++------ 3 files changed, 28 insertions(+), 11 deletions(-) Index: dirmngr/src/ChangeLog diff -u dirmngr/src/ChangeLog:1.47 dirmngr/src/ChangeLog:1.48 --- dirmngr/src/ChangeLog:1.47 Mon Apr 18 12:37:53 2005 +++ dirmngr/src/ChangeLog Wed Apr 20 19:03:56 2005 @@ -1,3 +1,13 @@ +2005-04-20 Werner Koch + + * ldap.c (ldap_wrapper_wait_connections): Set a shutdown flag. + (ldap_wrapper_thread): Handle shutdown in a special way. + +2005-04-19 Werner Koch + + * server.c (get_cert_local, get_issuing_cert_local) + (get_cert_local_ski): Bail out if called without a local context. + 2005-04-18 Werner Koch * certcache.c (find_issuing_cert): Fixed last resort method which Index: dirmngr/src/ldap.c diff -u dirmngr/src/ldap.c:1.48 dirmngr/src/ldap.c:1.49 --- dirmngr/src/ldap.c:1.48 Thu Apr 14 13:58:29 2005 +++ dirmngr/src/ldap.c Wed Apr 20 19:03:56 2005 @@ -65,7 +65,7 @@ }; -/* To keep track of the LDAp wrapper state we use this structure. */ +/* To keep track of the LDAP wrapper state we use this structure. */ struct wrapper_context_s { struct wrapper_context_s *next; @@ -95,6 +95,9 @@ finished processes. */ static struct wrapper_context_s *wrapper_list; +/* We need to know whether we are shutting down the process */ +static int shutting_down; + /* Prototypes. */ static gpg_error_t read_buffer (ksba_reader_t reader, @@ -343,10 +346,10 @@ /* Use a separate loop to check whether ready marked wrappers may be removed. We may only do so if the ksba reader object - is not anymore in use. */ + is not anymore in use or we are in shutdown state. */ again: for (ctx_prev=NULL, ctx=wrapper_list; ctx; ctx_prev=ctx, ctx=ctx->next) - if (ctx->ready && !ctx->reader) + if (ctx->ready && (!ctx->reader || shutting_down)) { if (ctx_prev) ctx_prev->next = ctx->next; @@ -368,6 +371,7 @@ void ldap_wrapper_wait_connections () { + shutting_down = 1; while (wrapper_list) pth_yield (NULL); } @@ -406,7 +410,7 @@ } } -/* Cleanup all resources hel by the connection associated with +/* Cleanup all resources held by the connection associated with CTRL. This is used after a cancel to kill running wrappers. */ void ldap_wrapper_connection_cleanup (ctrl_t ctrl) @@ -1302,7 +1306,7 @@ if (is_cms) { - /* The certificate needs to be parsed from CMS data. Read */ + /* The certificate needs to be parsed from CMS data. */ ksba_cms_t cms; ksba_stop_reason_t stopreason; int i; Index: dirmngr/src/server.c diff -u dirmngr/src/server.c:1.49 dirmngr/src/server.c:1.50 --- dirmngr/src/server.c:1.49 Mon Apr 18 12:37:53 2005 +++ dirmngr/src/server.c Wed Apr 20 19:03:56 2005 @@ -165,9 +165,10 @@ ksba_cert_t get_cert_local (ctrl_t ctrl, const char *name) { - if (!ctrl || !ctrl->server_local->assuan_ctx) + if (!ctrl || !ctrl->server_local || !ctrl->server_local->assuan_ctx) { - log_debug ("get_cert_local called w/o context\n"); + if (opt.debug) + log_debug ("get_cert_local called w/o context\n"); return NULL; } return do_get_cert_local (ctrl, name, "SENDCERT"); @@ -184,9 +185,10 @@ ksba_cert_t get_issuing_cert_local (ctrl_t ctrl, const char *name) { - if (!ctrl || !ctrl->server_local->assuan_ctx) + if (!ctrl || !ctrl->server_local || !ctrl->server_local->assuan_ctx) { - log_debug ("get_issuing_cert_local called w/o context\n"); + if (opt.debug) + log_debug ("get_issuing_cert_local called w/o context\n"); return NULL; } return do_get_cert_local (ctrl, name, "SENDISSUERCERT"); @@ -204,9 +206,10 @@ ksba_cert_t cert; char *hexkeyid; - if (!ctrl || !ctrl->server_local->assuan_ctx) + if (!ctrl || !ctrl->server_local || !ctrl->server_local->assuan_ctx) { - log_debug ("get_cert_local_ski called w/o context\n"); + if (opt.debug) + log_debug ("get_cert_local_ski called w/o context\n"); return NULL; } if (!name || !keyid) From cvs at cvs.gnupg.org Wed Apr 20 20:30:01 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Wed Apr 20 20:30:04 2005 Subject: GNUPG-1-9-BRANCH gnupg/doc (ChangeLog gnupg.texi gpg-agent.texi gpgsm.texi) Message-ID: Date: Wednesday, April 20, 2005 @ 20:46:51 Author: wk Path: /cvs/gnupg/gnupg/doc Tag: GNUPG-1-9-BRANCH Modified: ChangeLog gnupg.texi gpg-agent.texi gpgsm.texi (Agent Configuration): New section. ----------------+ ChangeLog | 6 ++- gnupg.texi | 2 - gpg-agent.texi | 96 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- gpgsm.texi | 2 - 4 files changed, 101 insertions(+), 5 deletions(-) Index: gnupg/doc/ChangeLog diff -u gnupg/doc/ChangeLog:1.39.2.26 gnupg/doc/ChangeLog:1.39.2.27 --- gnupg/doc/ChangeLog:1.39.2.26 Thu Feb 24 18:36:11 2005 +++ gnupg/doc/ChangeLog Wed Apr 20 20:46:51 2005 @@ -1,3 +1,7 @@ +2005-04-20 Werner Koch + + * gpg-agent.texi (Agent Configuration): New section. + 2005-02-24 Werner Koch * tools.texi (gpg-connect-agent): New. @@ -171,7 +175,7 @@ * Makefile.am, gpgsm.texi: New. - Copyright 2002 Free Software Foundation, Inc. + Copyright 2002, 2004, 2005 Free Software Foundation, Inc. This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without Index: gnupg/doc/gnupg.texi diff -u gnupg/doc/gnupg.texi:1.1.2.9 gnupg/doc/gnupg.texi:1.1.2.10 --- gnupg/doc/gnupg.texi:1.1.2.9 Thu Jan 13 19:00:46 2005 +++ gnupg/doc/gnupg.texi Wed Apr 20 20:46:51 2005 @@ -22,7 +22,7 @@ Boston, MA 02111-1307 USA @end iftex -Copyright @copyright{} 2002, 2004 Free Software Foundation, Inc. +Copyright @copyright{} 2002, 2004, 2005 Free Software Foundation, Inc. @quotation Permission is granted to copy, distribute and/or modify this document Index: gnupg/doc/gpg-agent.texi diff -u gnupg/doc/gpg-agent.texi:1.1.2.16 gnupg/doc/gpg-agent.texi:1.1.2.17 --- gnupg/doc/gpg-agent.texi:1.1.2.16 Thu Feb 24 18:36:11 2005 +++ gnupg/doc/gpg-agent.texi Wed Apr 20 20:46:51 2005 @@ -11,7 +11,7 @@ @c man begin DESCRIPTION @command{gpg-agent} is a daemon to manage secret (private) keys -independelty from any protocol. It is used as a backend for +independently from any protocol. It is used as a backend for @command{gpg} and @command{gpgsm} as well as for a couple of other utilities. @@ -71,6 +71,7 @@ @menu * Agent Commands:: List of all commands. * Agent Options:: List of all options. +* Agent Configuration:: Configuration files. * Agent Signals:: Use of some signals. * Agent Examples:: Some usage examples. * Agent Protocol:: The protocol the agent uses. @@ -123,6 +124,7 @@ @table @gnupgtabopt +@anchor{option --options} @item --options @var{file} @opindex options Reads configuration from @var{file} instead of from the default @@ -130,6 +132,7 @@ @file{gpg-agent.conf} and expected in the @file{.gnupg} directory directly below the home directory of the user. +@anchor{option --homedir} @item --homedir @var{dir} @opindex homedir Set the name of the home directory to @var{dir}. If his option is not @@ -255,10 +258,11 @@ Don't allow multiple connections. This option is in general not very useful. +@anchor{option --allow-mark-trusted} @item --allow-mark-trusted @opindex allow-mark-trusted Allow clients to mark keys as trusted, i.e. put them into the -@code{trustlist.txt} file. This is by default not allowed to make it +@file{trustlist.txt} file. This is by default not allowed to make it harder for users to inadvertly accept Root-CA keys. @item --ignore-cache-for-signing @@ -289,6 +293,12 @@ installation dependend and can be shown with the @code{--version} command. +@item --disable-scdaemon +@opindex disable-scdaemon +Do not make use of the scdaemon tool. This option has the effect of +disabling the ability to do smartcard operations. Note, that enabling +this option at runtime does not kill an already forked scdaemon. + @item --use-standard-socket @itemx --no-use-standard-socket @opindex use-standard-socket @@ -326,6 +336,7 @@ window system's @code{DISPLAY} variable. This is useful to lock the pinentry to pop up at the @sc{tty} or display you started the agent. +@anchor{option --enable-ssh-support} @item --enable-ssh-support @opindex enable-ssh-support @@ -359,6 +370,87 @@ All the long options may also be given in the configuration file after stripping off the two leading dashes. + +@c man begin FILES + +@node Agent Configuration +@section Configuration + +There are a few configuration files needed for the operation of the +agent. By default they may all be found in the current home directory +(@pxref{option --homedir}). + +@table @file + +@item gpg-agent.conf +@cindex gpg-agent.conf + This is the standard configuration file read by @command{gpg-agent} on + startup. It may contain any valid long option; the leading + two dashes may not be entered and the option may not be abbreviated. + This file is also read after a @code{SIGHUP} however only a few + options will actually have an effect. This default name may be + changed on the command line (@pxref{option --options}). + +@item trustlist.txt + This is the list of trusted keys. Comment lines, indicated by a leading + hash mark, as well as empty lines are ignored. To mark a key as trusted + you need to enter its fingerprint followed by a space and a capital + letter @code{S}. Colons may optionally be used to separate the bytes of + a fingerprint; this allows to cut and paste the fingeperint from a key + listing output. + + Here is an example where two keys are marked as ultimately trusted: + + @example + # CN=Wurzel ZS 3,O=Intevation GmbH,C=DE + A6935DD34EF3087973C706FC311AA2CCF733765B S + + # CN=PCA-1-Verwaltung-02/O=PKI-1-Verwaltung/C=DE + DC:BD:69:25:48:BD:BB:7E:31:6E:BB:80:D3:00:80:35:D4:F8:A6:CD S + @end example + + Before entering a key into this file, you need to ensure its + authenticity. How to do this depends on your organisation; your + administrator might have already entered those keys which are deemed + trustworthy enough into this file. Places where to look for the + fingerprint of a root certificate are letters received from the CA or + the website of the CA (after making 100% sure that this is indeed the + website of that CA). You may want to consider allowing interactive + updates of this file by using the @xref{option --allow-mark-trusted}. + This is however not as secure as maintaining this file manually. It is + even advisable to change the permissions to read-only so that this file + can't be changed inadvertently. + + @item sshcontrol + + This file is used when support for the secure shell agent protocol has + been enabled (@pxref{option --enable-ssh-support}). Only keys present in + this file are used in the SSH protocol. The @command{ssh-add} tool y be + used to add new entries to this file; you may also add them manually. + Comment lines, indicated by a leading hash mark, as well as empty lines + are ignored. An entry starts with optional white spaces, followed by + the keygrip of the key given as 40 hex digits, optionally followed by + the caching TTL in seconds and another optional field for arbitrary + flags. A @code{!} may be prepended to the keygrip to disable this + entry. + + The follwoing example lists exactly one key. Note that keys available + through a OpenPGP smartcard in the active smartcard reader are implictly + added to this list; i.e. there is no need to list them. + + @example + # Key added on 2005-02-25 15:08:29 + 5A6592BF45DC73BD876874A28FD4639282E29B52 0 + @end example +@end table + +Note that on larger installations, it is useful to put predefined +files into the directory @file{/etc/skel/.gnupg/} so that newly created +users start up with a working configuration. For existing users the +a small helper script is provied to create these files (@pxref{addgnupghome}). + + + @c @c Agent Signals @c Index: gnupg/doc/gpgsm.texi diff -u gnupg/doc/gpgsm.texi:1.1.2.21 gnupg/doc/gpgsm.texi:1.1.2.22 --- gnupg/doc/gpgsm.texi:1.1.2.21 Tue Feb 22 19:08:28 2005 +++ gnupg/doc/gpgsm.texi Wed Apr 20 20:46:51 2005 @@ -12,7 +12,7 @@ @command{gpgsm} is a tool similar to @command{gpg} to provide digital encryption and signing servicesd on X.509 certificates and the CMS -protocoll. It is mainly used as a backend for S/MIME mail processing. +protocol. It is mainly used as a backend for S/MIME mail processing. @command{gpgsm} includes a full features certificate management and complies with all rules defined for the German Sphinx project. From cvs at cvs.gnupg.org Wed Apr 20 21:02:29 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Wed Apr 20 21:02:33 2005 Subject: GNUPG-1-9-BRANCH gnupg/agent (ChangeLog agent.h call-scd.c gpg-agent.c minip12.c) Message-ID: Date: Wednesday, April 20, 2005 @ 21:19:25 Author: wk Path: /cvs/gnupg/gnupg/agent Tag: GNUPG-1-9-BRANCH Modified: ChangeLog agent.h call-scd.c gpg-agent.c minip12.c . -------------+ ChangeLog | 12 ++++++++ agent.h | 1 call-scd.c | 3 ++ gpg-agent.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++------ minip12.c | 9 ++++-- 5 files changed, 93 insertions(+), 11 deletions(-) Index: gnupg/agent/ChangeLog diff -u gnupg/agent/ChangeLog:1.59.2.74 gnupg/agent/ChangeLog:1.59.2.75 --- gnupg/agent/ChangeLog:1.59.2.74 Wed Apr 20 16:47:18 2005 +++ gnupg/agent/ChangeLog Wed Apr 20 21:19:24 2005 @@ -3,6 +3,18 @@ * command-ssh.c (ssh_handler_request_identities): Removed debugging code (sleep call), which was commited unintenionally. +2005-04-20 Werner Koch + + * minip12.c (parse_bag_encrypted_data): Fix the unpadding hack. + + * gpg-agent.c: New option --disable-scdaemon. + (handle_connections): Add time event to drive ... + (handle_tick): New function. + (main): Record the parent PID. Fixed segv when using ssh and a + command. + + * call-scd.c (start_scd): Take care of this option. + 2005-04-03 Moritz Schulte * command-ssh.c (ssh_request_spec): New member: secret_input. Index: gnupg/agent/agent.h diff -u gnupg/agent/agent.h:1.32.2.17 gnupg/agent/agent.h:1.32.2.18 --- gnupg/agent/agent.h:1.32.2.17 Fri Feb 25 17:14:55 2005 +++ gnupg/agent/agent.h Wed Apr 20 21:19:24 2005 @@ -66,6 +66,7 @@ pinentry. */ const char *scdaemon_program; /* Filename of the program to handle smartcard tasks. */ + int disable_scdaemon; /* Never use the SCdaemon. */ int no_grab; /* Don't let the pinentry grab the keyboard */ unsigned long def_cache_ttl; unsigned long max_cache_ttl; Index: gnupg/agent/call-scd.c diff -u gnupg/agent/call-scd.c:1.13.2.12 gnupg/agent/call-scd.c:1.13.2.13 --- gnupg/agent/call-scd.c:1.13.2.12 Mon Apr 11 18:09:18 2005 +++ gnupg/agent/call-scd.c Wed Apr 20 21:19:24 2005 @@ -137,6 +137,9 @@ int no_close_list[3]; int i; + if (opt.disable_scdaemon) + return gpg_error (GPG_ERR_NOT_SUPPORTED); + #ifdef USE_GNU_PTH if (!pth_mutex_acquire (&scd_lock, 0, NULL)) { Index: gnupg/agent/gpg-agent.c diff -u gnupg/agent/gpg-agent.c:1.31.2.35 gnupg/agent/gpg-agent.c:1.31.2.36 --- gnupg/agent/gpg-agent.c:1.31.2.35 Thu Feb 24 18:36:11 2005 +++ gnupg/agent/gpg-agent.c Wed Apr 20 21:19:24 2005 @@ -94,7 +94,8 @@ oAllowPresetPassphrase, oKeepTTY, oKeepDISPLAY, - oSSHSupport + oSSHSupport, + oDisableScdaemon }; @@ -128,6 +129,7 @@ N_("|PGM|use PGM as the PIN-Entry program") }, { oScdaemonProgram, "scdaemon-program", 2 , N_("|PGM|use PGM as the SCdaemon program") }, + { oDisableScdaemon, "disable-scdaemon", 0, N_("do not use the SCdaemon") }, { oDisplay, "display", 2, "@" }, { oTTYname, "ttyname", 2, "@" }, @@ -187,6 +189,11 @@ the log file after a SIGHUP if it didn't changed. Malloced. */ static char *current_logfile; +/* The handle_tick() function may test whether a parent is still + runing. We record the PID of the parent here or -1 if it should be + watched. */ +static pid_t parent_pid = (pid_t)(-1); + /* Local prototypes. */ @@ -387,6 +394,7 @@ opt.max_cache_ttl = MAX_CACHE_TTL; opt.ignore_cache_for_signing = 0; opt.allow_mark_trusted = 0; + opt.disable_scdaemon = 0; return 1; } @@ -415,6 +423,7 @@ case oPinentryProgram: opt.pinentry_program = pargs->r.ret_str; break; case oScdaemonProgram: opt.scdaemon_program = pargs->r.ret_str; break; + case oDisableScdaemon: opt.disable_scdaemon = 1; break; case oDefCacheTTL: opt.def_cache_ttl = pargs->r.ret_ulong; break; case oMaxCacheTTL: opt.max_cache_ttl = pargs->r.ret_ulong; break; @@ -740,6 +749,8 @@ GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME); printf ("allow-mark-trusted:%lu:\n", GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME); + printf ("disable-scdaemon:%lu:\n", + GC_OPT_FLAG_NONE|GC_OPT_FLAG_RUNTIME); agent_exit (0); } @@ -819,6 +830,11 @@ else fd_ssh = -1; + /* If we are going to exec a program in the parent, we record + the PID, so that the child may check whether the program is + still alive. */ + if (argc) + parent_pid = getpid (); fflush (NULL); #ifdef HAVE_W32_SYSTEM @@ -878,14 +894,14 @@ kill (pid, SIGTERM ); exit (1); } - if (putenv (infostr_ssh_sock)) + if (opt.ssh_support && putenv (infostr_ssh_sock)) { log_error ("failed to set environment: %s\n", strerror (errno) ); kill (pid, SIGTERM ); exit (1); } - if (putenv (infostr_ssh_pid)) + if (opt.ssh_support && putenv (infostr_ssh_pid)) { log_error ("failed to set environment: %s\n", strerror (errno) ); @@ -922,8 +938,7 @@ printf ("%s; export SSH_AGENT_PID;\n", infostr_ssh_pid); } } - /* Note: teh standard free is here correct. */ - free (infostr); + free (infostr); /* (Note that a vanilla free is here correct.) */ if (opt.ssh_support) { free (infostr_ssh_sock); @@ -1311,6 +1326,27 @@ #ifdef USE_GNU_PTH +/* This is the worker for the ticker. It is called every few seconds + and may only do fast operations. */ +static void +handle_tick (void) +{ +#ifndef HAVE_W32_SYSTEM + if (parent_pid != (pid_t)(-1)) + { + if (kill (parent_pid, 0)) + { + shutdown_pending = 2; + log_info ("parent process died - shutting down\n"); + log_info ("%s %s stopped\n", strusage(11), strusage(13) ); + cleanup (); + agent_exit (0); + } + } +#endif /*HAVE_W32_SYSTEM*/ +} + + static void handle_signal (int signo) { @@ -1409,7 +1445,7 @@ handle_connections (int listen_fd, int listen_fd_ssh) { pth_attr_t tattr; - pth_event_t ev; + pth_event_t ev, time_ev; sigset_t sigs; int signo; struct sockaddr_un paddr; @@ -1434,6 +1470,7 @@ #else ev = NULL; #endif + time_ev = NULL; FD_ZERO (&fdset); FD_SET (listen_fd, &fdset); @@ -1456,16 +1493,33 @@ continue; } + /* Create a timeout event if needed. */ + if (!time_ev) + time_ev = pth_event (PTH_EVENT_TIME, pth_timeout (2, 0)); + /* POSIX says that fd_set should be implemented as a structure, thus a simple assignment is fine to copy the entire set. */ read_fdset = fdset; + if (time_ev) + pth_event_concat (ev, time_ev, NULL); ret = pth_select_ev (FD_SETSIZE, &read_fdset, NULL, NULL, NULL, ev); + if (time_ev) + pth_event_isolate (time_ev); + if (ret == -1) { - if (pth_event_occurred (ev)) + if (pth_event_occurred (ev) + || (time_ev && pth_event_occurred (time_ev))) { - handle_signal (signo); + if (pth_event_occurred (ev)) + handle_signal (signo); + if (time_ev && pth_event_occurred (time_ev)) + { + pth_event_free (time_ev, PTH_FREE_ALL); + time_ev = NULL; + handle_tick (); + } continue; } log_error (_("pth_select failed: %s - waiting 1s\n"), @@ -1479,6 +1533,13 @@ handle_signal (signo); } + if (time_ev && pth_event_occurred (time_ev)) + { + pth_event_free (time_ev, PTH_FREE_ALL); + time_ev = NULL; + handle_tick (); + } + if (FD_ISSET (listen_fd, &read_fdset)) { plen = sizeof paddr; @@ -1515,6 +1576,8 @@ } pth_event_free (ev, PTH_FREE_ALL); + if (time_ev) + pth_event_free (time_ev, PTH_FREE_ALL); cleanup (); log_info (_("%s %s stopped\n"), strusage(11), strusage(13)); } Index: gnupg/agent/minip12.c diff -u gnupg/agent/minip12.c:1.5.2.7 gnupg/agent/minip12.c:1.5.2.8 --- gnupg/agent/minip12.c:1.5.2.7 Wed Sep 29 15:50:31 2004 +++ gnupg/agent/minip12.c Wed Apr 20 21:19:24 2005 @@ -486,6 +486,7 @@ buffer = p = plain; /* { */ +/* # warning debug code is enabled */ /* FILE *fp = fopen ("tmp-rc2-plain.der", "wb"); */ /* if (!fp || fwrite (p, n, 1, fp) != 1) */ /* exit (2); */ @@ -586,8 +587,10 @@ } /* Ugly hack to cope with the padding: Forget about the rest if - that it is less than the cipher's block length. */ - if (n < 8) + that is less or equal to the cipher's block length. We can + reasonable assume that all valid data will be longer than + just one block. */ + if (n <= 8) n = 0; /* Skip the optional SET with the pkcs12 cert attributes. */ @@ -602,7 +605,7 @@ { /* The optional SET. */ p += ti.length; n -= ti.length; - if (n < 8) + if (n <= 8) n = 0; if (n && parse_tag (&p, &n, &ti)) goto bailout; From cvs at cvs.gnupg.org Thu Apr 21 08:55:22 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 21 08:55:25 2005 Subject: gpgme-1-0-branch gpgme/gpgme (ChangeLog gpgme.h verify.c) Message-ID: Date: Thursday, April 21, 2005 @ 09:12:18 Author: wk Path: /cvs/gpgme/gpgme/gpgme Tag: gpgme-1-0-branch Modified: ChangeLog gpgme.h verify.c (calc_sig_summary): Set the key revoked bit. -----------+ ChangeLog | 4 ++++ gpgme.h | 2 +- verify.c | 25 +++++++++++++++++++------ 3 files changed, 24 insertions(+), 7 deletions(-) Index: gpgme/gpgme/ChangeLog diff -u gpgme/gpgme/ChangeLog:1.386.2.2 gpgme/gpgme/ChangeLog:1.386.2.3 --- gpgme/gpgme/ChangeLog:1.386.2.2 Sat Dec 11 16:50:12 2004 +++ gpgme/gpgme/ChangeLog Thu Apr 21 09:12:18 2005 @@ -1,3 +1,7 @@ +2005-04-21 Werner Koch + + * verify.c (calc_sig_summary): Set the key revoked bit. + 2004-12-11 Marcus Brinkmann * util.h [HAVE_CONFIG_H && HAVE_TTYNAME_R] (ttyname_r): Define Index: gpgme/gpgme/gpgme.h diff -u gpgme/gpgme/gpgme.h:1.149.2.2 gpgme/gpgme/gpgme.h:1.149.2.3 --- gpgme/gpgme/gpgme.h:1.149.2.2 Tue Dec 28 12:32:50 2004 +++ gpgme/gpgme/gpgme.h Thu Apr 21 09:12:18 2005 @@ -75,7 +75,7 @@ AM_PATH_GPGME macro) check that this header matches the installed library. Warning: Do not edit the next line. configure will do that for you! */ -#define GPGME_VERSION "1.0.2" +#define GPGME_VERSION "1.0.3-cvs" /* Some opaque data types used by GPGME. */ Index: gpgme/gpgme/verify.c diff -u gpgme/gpgme/verify.c:1.69.2.1 gpgme/gpgme/verify.c:1.69.2.2 --- gpgme/gpgme/verify.c:1.69.2.1 Tue Dec 7 22:11:53 2004 +++ gpgme/gpgme/verify.c Thu Apr 21 09:12:18 2005 @@ -94,7 +94,8 @@ calc_sig_summary (gpgme_signature_t sig) { unsigned long sum = 0; - + + /* Calculate the red/green flag. */ if (sig->validity == GPGME_VALIDITY_FULL || sig->validity == GPGME_VALIDITY_ULTIMATE) { @@ -113,11 +114,6 @@ else if (gpg_err_code (sig->status) == GPG_ERR_BAD_SIGNATURE) sum |= GPGME_SIGSUM_RED; - if (sig->validity == GPGME_VALIDITY_UNKNOWN) - { - if (gpg_err_code (sig->validity_reason) == GPG_ERR_CRL_TOO_OLD) - sum |= GPGME_SIGSUM_CRL_TOO_OLD; - } /* FIXME: handle the case when key and message are expired. */ switch (gpg_err_code (sig->status)) @@ -143,6 +139,23 @@ break; } + /* Now look at the certain reason codes. */ + switch (gpg_err_code (sig->validity_reason)) + { + case GPG_ERR_CRL_TOO_OLD: + if (sig->validity == GPGME_VALIDITY_UNKNOWN) + sum |= GPGME_SIGSUM_CRL_TOO_OLD; + break; + + case GPG_ERR_CERT_REVOKED: + sum |= GPGME_SIGSUM_KEY_REVOKED; + break; + + default: + break; + } + + /* Check other flags. */ if (sig->wrong_key_usage) sum |= GPGME_SIGSUM_BAD_POLICY; From cvs at cvs.gnupg.org Thu Apr 21 08:56:43 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 21 08:56:46 2005 Subject: gpgme/gpgme (ChangeLog verify.c) Message-ID: Date: Thursday, April 21, 2005 @ 09:13:41 Author: wk Path: /cvs/gpgme/gpgme/gpgme Modified: ChangeLog verify.c (calc_sig_summary): Set the key revoked bit. -----------+ ChangeLog | 6 +++++- verify.c | 25 +++++++++++++++++++------ 2 files changed, 24 insertions(+), 7 deletions(-) Index: gpgme/gpgme/ChangeLog diff -u gpgme/gpgme/ChangeLog:1.396 gpgme/gpgme/ChangeLog:1.397 --- gpgme/gpgme/ChangeLog:1.396 Thu Apr 14 10:49:20 2005 +++ gpgme/gpgme/ChangeLog Thu Apr 21 09:13:41 2005 @@ -1,3 +1,7 @@ +2005-04-21 Werner Koch + + * verify.c (calc_sig_summary): Set the key revoked bit. + 2005-04-14 Marcus Brinkmann * wait-global.c (gpgme_wait): Use LI->ctx when checking a context @@ -4676,7 +4680,7 @@ * data.c (gpgme_data_rewind): Allow to rewind data_type_none. - Copyright 2001, 2002, 2003, 2004 g10 Code GmbH + Copyright 2001, 2002, 2003, 2004, 2005 g10 Code GmbH This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without Index: gpgme/gpgme/verify.c diff -u gpgme/gpgme/verify.c:1.70 gpgme/gpgme/verify.c:1.71 --- gpgme/gpgme/verify.c:1.70 Tue Dec 7 22:13:36 2004 +++ gpgme/gpgme/verify.c Thu Apr 21 09:13:41 2005 @@ -94,7 +94,8 @@ calc_sig_summary (gpgme_signature_t sig) { unsigned long sum = 0; - + + /* Calculate the red/green flag. */ if (sig->validity == GPGME_VALIDITY_FULL || sig->validity == GPGME_VALIDITY_ULTIMATE) { @@ -113,11 +114,6 @@ else if (gpg_err_code (sig->status) == GPG_ERR_BAD_SIGNATURE) sum |= GPGME_SIGSUM_RED; - if (sig->validity == GPGME_VALIDITY_UNKNOWN) - { - if (gpg_err_code (sig->validity_reason) == GPG_ERR_CRL_TOO_OLD) - sum |= GPGME_SIGSUM_CRL_TOO_OLD; - } /* FIXME: handle the case when key and message are expired. */ switch (gpg_err_code (sig->status)) @@ -143,6 +139,23 @@ break; } + /* Now look at the certain reason codes. */ + switch (gpg_err_code (sig->validity_reason)) + { + case GPG_ERR_CRL_TOO_OLD: + if (sig->validity == GPGME_VALIDITY_UNKNOWN) + sum |= GPGME_SIGSUM_CRL_TOO_OLD; + break; + + case GPG_ERR_CERT_REVOKED: + sum |= GPGME_SIGSUM_KEY_REVOKED; + break; + + default: + break; + } + + /* Check other flags. */ if (sig->wrong_key_usage) sum |= GPGME_SIGSUM_BAD_POLICY; From cvs at cvs.gnupg.org Thu Apr 21 08:59:42 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 21 08:59:45 2005 Subject: GNUPG-1-9-BRANCH gnupg/sm (ChangeLog Makefile.am certchain.c) Message-ID: Date: Thursday, April 21, 2005 @ 09:16:41 Author: wk Path: /cvs/gnupg/gnupg/sm Tag: GNUPG-1-9-BRANCH Modified: ChangeLog Makefile.am certchain.c (gpgsm_validate_chain): Check revocations even for expired certificates. This is required because on signature verification an expired key is fine whereas a revoked one is not. -------------+ ChangeLog | 16 ++++++++++++++++ Makefile.am | 3 ++- certchain.c | 9 +++------ 3 files changed, 21 insertions(+), 7 deletions(-) Index: gnupg/sm/ChangeLog diff -u gnupg/sm/ChangeLog:1.101.2.92 gnupg/sm/ChangeLog:1.101.2.93 --- gnupg/sm/ChangeLog:1.101.2.92 Mon Apr 18 12:44:45 2005 +++ gnupg/sm/ChangeLog Thu Apr 21 09:16:41 2005 @@ -1,3 +1,19 @@ +2005-04-21 Werner Koch + + * certchain.c (gpgsm_validate_chain): Check revocations even for + expired certificates. This is required because on signature + verification an expired key is fine whereas a revoked one is not. + +2005-04-20 Werner Koch + + * Makefile.am (AM_CFLAGS): Add PTH_CFLAGS as noted by several folks. + +2005-04-19 Werner Koch + + * certchain.c (check_cert_policy): Print the diagnostic for a open + failure of policies.txt only in verbose mode or when it is not + ENOENT. + 2005-04-17 Werner Koch * call-dirmngr.c (inq_certificate): Add new inquire SENDCERT_SKI. Index: gnupg/sm/Makefile.am diff -u gnupg/sm/Makefile.am:1.27.2.5 gnupg/sm/Makefile.am:1.27.2.6 --- gnupg/sm/Makefile.am:1.27.2.5 Thu Mar 3 11:15:07 2005 +++ gnupg/sm/Makefile.am Thu Apr 21 09:16:41 2005 @@ -21,7 +21,8 @@ bin_PROGRAMS = gpgsm -AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(LIBASSUAN_CFLAGS) $(KSBA_CFLAGS) +AM_CFLAGS = $(LIBGCRYPT_CFLAGS) $(LIBASSUAN_CFLAGS) $(KSBA_CFLAGS) \ + $(PTH_CFLAGS) AM_CPPFLAGS = -I$(top_srcdir)/common -I$(top_srcdir)/intl include $(top_srcdir)/am/cmacros.am Index: gnupg/sm/certchain.c diff -u gnupg/sm/certchain.c:1.32.2.22 gnupg/sm/certchain.c:1.32.2.23 --- gnupg/sm/certchain.c:1.32.2.22 Mon Apr 18 12:44:45 2005 +++ gnupg/sm/certchain.c Thu Apr 21 09:16:41 2005 @@ -175,8 +175,9 @@ fp = fopen (opt.policy_file, "r"); if (!fp) { - log_error ("failed to open `%s': %s\n", - opt.policy_file, strerror (errno)); + if (opt.verbose || errno != ENOENT) + log_info (_("failed to open `%s': %s\n"), + opt.policy_file, strerror (errno)); xfree (policies); /* With no critical policies this is only a warning */ if (!any_critical) @@ -816,8 +817,6 @@ /* Check for revocations etc. */ if ((flags & 1)) rc = 0; - else if (any_expired) - ; /* Don't bother to run the expensive CRL check then. */ else rc = is_cert_still_valid (ctrl, lm, fp, subject_cert, subject_cert, @@ -953,8 +952,6 @@ /* Check for revocations etc. */ if ((flags & 1)) rc = 0; - else if (any_expired) - ; /* Don't bother to run the expensive CRL check then. */ else rc = is_cert_still_valid (ctrl, lm, fp, subject_cert, issuer_cert, From cvs at cvs.gnupg.org Thu Apr 21 09:36:54 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 21 09:36:57 2005 Subject: dirmngr (ChangeLog Makefile.am) Message-ID: Date: Thursday, April 21, 2005 @ 09:53:52 Author: wk Path: /cvs/dirmngr/dirmngr Modified: ChangeLog Makefile.am Create bzip2 -------------+ ChangeLog | 2 ++ Makefile.am | 1 + 2 files changed, 3 insertions(+) Index: dirmngr/ChangeLog diff -u dirmngr/ChangeLog:1.88 dirmngr/ChangeLog:1.89 --- dirmngr/ChangeLog:1.88 Thu Apr 21 09:48:34 2005 +++ dirmngr/ChangeLog Thu Apr 21 09:53:52 2005 @@ -2,6 +2,8 @@ Released 0.9.2. + * Makefile.am: Also create a bzip2 tarball. + 2005-04-18 Werner Koch * configure.ac: Require libksba 0.9.11. Index: dirmngr/Makefile.am diff -u dirmngr/Makefile.am:1.6 dirmngr/Makefile.am:1.7 --- dirmngr/Makefile.am:1.6 Fri Apr 2 20:05:29 2004 +++ dirmngr/Makefile.am Thu Apr 21 09:53:52 2005 @@ -20,6 +20,7 @@ ## Process this file with automake to produce Makefile.in ACLOCAL_AMFLAGS = -I m4 +AUTOMAKE_OPTIONS = dist-bzip2 EXTRA_DIST = config.rpath README-alpha autogen.sh From cvs at cvs.gnupg.org Thu Apr 21 09:42:59 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 21 09:43:10 2005 Subject: dirmngr (NEWS configure.ac) Message-ID: Date: Thursday, April 21, 2005 @ 09:59:58 Author: wk Path: /cvs/dirmngr/dirmngr Modified: NEWS configure.ac post release version number bump --------------+ NEWS | 4 ++++ configure.ac | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) Index: dirmngr/NEWS diff -u dirmngr/NEWS:1.38 dirmngr/NEWS:1.39 --- dirmngr/NEWS:1.38 Thu Apr 21 09:48:34 2005 +++ dirmngr/NEWS Thu Apr 21 09:59:58 2005 @@ -1,3 +1,7 @@ +Noteworthy changes in version 0.9.3 +------------------------------------------------ + + Noteworthy changes in version 0.9.2 (2005-04-21) ------------------------------------------------ Index: dirmngr/configure.ac diff -u dirmngr/configure.ac:1.73 dirmngr/configure.ac:1.74 --- dirmngr/configure.ac:1.73 Thu Apr 21 09:48:34 2005 +++ dirmngr/configure.ac Thu Apr 21 09:59:58 2005 @@ -22,7 +22,7 @@ AC_PREREQ(2.59) min_automake_version="1.9.3" -AC_INIT(dirmngr, 0.9.2, gpa-dev@gnupg.org) +AC_INIT(dirmngr, 0.9.3-cvs, gpa-dev@gnupg.org) NEED_GPG_ERROR_VERSION=0.7 From cvs at cvs.gnupg.org Thu Apr 21 11:16:09 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 21 11:16:15 2005 Subject: GNUPG-1-9-BRANCH gnupg (15 files) Message-ID: Date: Thursday, April 21, 2005 @ 11:33:07 Author: wk Path: /cvs/gnupg/gnupg Tag: GNUPG-1-9-BRANCH Modified: ChangeLog README TODO configure.ac doc/gpgsm.texi scd/ChangeLog scd/ccid-driver.c scd/command.c sm/ChangeLog sm/certchain.c sm/gpgsm.c sm/gpgsm.h tools/ChangeLog tools/gpgconf-comp.c tools/symcryptrun.c * configure.ac: Do not build gpg by default. * gpgsm.c: New options --{enable,disable}-trusted-cert-crl-check. * certchain.c (gpgsm_validate_chain): Make use of it. * certchain.c (gpgsm_validate_chain): Check revocations even for expired certificates. This is required because on signature verification an expired key is fine whereas a revoked one is not. * gpgconf-comp.c: Add gpgsm option disable-trusted-cert-crl-check. ----------------------+ ChangeLog | 9 +++++++++ README | 5 +++-- TODO | 29 ++++++++--------------------- configure.ac | 11 ++++++++++- doc/gpgsm.texi | 12 ++++++++++++ scd/ChangeLog | 4 ++++ scd/ccid-driver.c | 4 ++-- scd/command.c | 26 +++++++++++++------------- sm/ChangeLog | 3 +++ sm/certchain.c | 10 ++++++---- sm/gpgsm.c | 12 ++++++++++++ sm/gpgsm.h | 1 + tools/ChangeLog | 8 ++++++++ tools/gpgconf-comp.c | 6 ++++++ tools/symcryptrun.c | 2 +- 15 files changed, 98 insertions(+), 44 deletions(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.131.2.71 gnupg/ChangeLog:1.131.2.72 --- gnupg/ChangeLog:1.131.2.71 Mon Apr 18 12:44:46 2005 +++ gnupg/ChangeLog Thu Apr 21 11:33:07 2005 @@ -1,3 +1,12 @@ +2005-04-21 Werner Koch + + * configure.ac: Do not build gpg by default. + +2005-04-20 Werner Koch + + * configure.ac: Test whether GPG_ERR_LOCKED is declared and + provide a replacement if not. + 2005-04-15 Werner Koch * configure.ac: Require libksba 0.9.11. Index: gnupg/README diff -u gnupg/README:1.72.2.16 gnupg/README:1.72.2.17 --- gnupg/README:1.72.2.16 Mon Apr 18 12:44:45 2005 +++ gnupg/README Thu Apr 21 11:33:07 2005 @@ -11,7 +11,8 @@ You should use this GnuPG version if you want to use the gpg-agent or gpgsm (the S/MIME variant of gpg). Note that the gpg-agent is also -helpful when using the standard gpg versions (1.2.x or 1.3.x). +helpful when using the standard gpg versions (1.3.x as well as some of +the old 1.2.x). BUILD INSTRUCTIONS @@ -51,7 +52,7 @@ S/MIME and smartcards. Note that there is no binary gpg but a gpg2 so that this package won't confict with a GnuPG 1.2 or 1.3 installation. gpg2 behaves just like gpg; it is however suggested to -keep using gpg 1.2.x or 1.3.x. +keep using gpg 1.2.x or 1.3.x. gpg2 is not even build by default. In case of problem please ask on gpa-dev@gnupg.org for advise. Note that this release is only expected to build on GNU and *BSD systems. Index: gnupg/TODO diff -u gnupg/TODO:1.165.2.39 gnupg/TODO:1.165.2.40 --- gnupg/TODO:1.165.2.39 Mon Apr 18 12:44:45 2005 +++ gnupg/TODO Thu Apr 21 11:33:07 2005 @@ -1,10 +1,5 @@ -*- outline -*- -* IMPORTANT -Check that openpty and pty.h are available and build symcryptrun only -then. Run shred on the temporary files. - - * src/base64 ** Make parsing more robust Currently we don't cope with overlong lines in the best way. @@ -23,14 +18,7 @@ * sm/certchain.c ** When a certificate chain was sucessfully verified, make ephemeral certs used in this chain permanent. -** figure out how to auto retrieve a key by serialno+issuer. - Dirmngr is currently not able to parse more than the CN. -* sm/certlist.c -** ocspSigning usage is not fully implemented - We should review the entire CRL and OCSP validation system. - Okay. This has been fixed in dirmngr when running it in system - daemon mode. * sm/decrypt.c ** replace leading zero in integer hack by a cleaner solution @@ -58,8 +46,6 @@ ** A SIGHUP should also restart the scdaemon But do this only after all connections terminated. As of now we only send a RESET. -** Watch the child process if not invoked as a daemon - and terminate after the child has terminated * agent/command.c ** Make sure that secure memory is used where appropriate @@ -69,7 +55,8 @@ ** Support DSA * agent/divert-scd.c - Remove the agent_reset_scd kludge. + Remove the agent_reset_scd kludge. We will do this after Scdaemon + has been changed to allow multiple sessions. Currently in progress. * Move pkcs-1 encoding into libgcrypt. @@ -93,11 +80,7 @@ ** Explain how to setup a root CA key as trusted ** Explain how trustlist.txt might be managed. ** Write a script to generate man pages from texi. - -* Requirements by the BSI -** Support authorityKeyIdentifier.keyIdentifier - This needs support in libksba/src/cert.c as well as in sm/*.c. - Need test certs as well. Same goes for CRL authorityKeyIdentifier. + In progress (yatm) * Windows port @@ -108,5 +91,9 @@ ** No card status notifications. -* [scdaemon] release the card after use so that gpg 1.4 is abale to access it +* scd/ +** Release the card after use so that gpg 1.4 is able to access it + This won't be a sufficient change. we need to change gpg 1.4 to make + use of the agent. Work is underway. + Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.36.2.83 gnupg/configure.ac:1.36.2.84 --- gnupg/configure.ac:1.36.2.83 Mon Apr 18 12:44:45 2005 +++ gnupg/configure.ac Thu Apr 21 11:33:07 2005 @@ -62,7 +62,7 @@ have_opensc=no have_pth=no -GNUPG_BUILD_PROGRAM(gpg, yes) +GNUPG_BUILD_PROGRAM(gpg, no) GNUPG_BUILD_PROGRAM(gpgsm, yes) GNUPG_BUILD_PROGRAM(agent, yes) GNUPG_BUILD_PROGRAM(scdaemon, yes) @@ -313,6 +313,11 @@ #define EXEC_TEMPFILE_ONLY #endif +/* Temporary hacks to avoid requring a libgpg-error update. */ +#if !HAVE_DECL_GPG_ERR_LOCKED +#define GPG_ERR_LOCKED 173 +#endif + ]) AM_MAINTAINER_MODE @@ -437,6 +442,10 @@ # AM_PATH_GPG_ERROR("$NEED_GPG_ERROR_VERSION", have_gpg_error=yes,have_gpg_error=no) +_tmp_gpg_error_save_cflags="$CFLAGS" +CFLAGS="$CFLAGS $GPG_ERROR_CFLAGS" +AC_CHECK_DECLS(GPG_ERR_LOCKED,,,[#include ]) +CFLAGS="${_tmp_gpg_error_save_cflags}" # Index: gnupg/doc/gpgsm.texi diff -u gnupg/doc/gpgsm.texi:1.1.2.22 gnupg/doc/gpgsm.texi:1.1.2.23 --- gnupg/doc/gpgsm.texi:1.1.2.22 Wed Apr 20 20:46:51 2005 +++ gnupg/doc/gpgsm.texi Thu Apr 21 11:33:07 2005 @@ -315,6 +315,18 @@ to check for revoked certificates. The disable option is most useful with an off-line network connection to suppress this check. +@item --enable-trusted-cert-crl-check +@itemx --disable-trusted-cert-crl-check +@opindex enable-trusted-cert-crl-check +@opindex disable-trusted-cert-crl-check +By default the @acronym{CRL} for trusted root certificates are checked +like for any other certificates. This allows a CA to revoke its own +certificates voluntary without the need of putting all ever issued +certificates into a CRL. The disable option may be used to switch this +extra check off. Due to the caching done by the Dirmngr, there won't be +any noticeable performance gain. Note, that this also disables possible +OCSP checks for trusted root certificates. + @item --force-crl-refresh @opindex force-crl-refresh Tell the dirmngr to reload the CRL for each request. For better Index: gnupg/scd/ChangeLog diff -u gnupg/scd/ChangeLog:1.25.2.73 gnupg/scd/ChangeLog:1.25.2.74 --- gnupg/scd/ChangeLog:1.25.2.73 Thu Apr 14 19:25:43 2005 +++ gnupg/scd/ChangeLog Thu Apr 21 11:33:07 2005 @@ -1,3 +1,7 @@ +2005-04-20 Werner Koch + + * command.c: Use GPG_ERR_LOCKED instead of EBUSY. + 2005-04-14 Werner Koch * app-openpgp.c (retrieve_key_material): Rewritten. Return a Index: gnupg/scd/ccid-driver.c diff -u gnupg/scd/ccid-driver.c:1.1.2.25 gnupg/scd/ccid-driver.c:1.1.2.26 --- gnupg/scd/ccid-driver.c:1.1.2.25 Mon Apr 11 18:20:10 2005 +++ gnupg/scd/ccid-driver.c Thu Apr 21 11:33:06 2005 @@ -52,7 +52,7 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * - * $Date: 2005/04/11 16:20:10 $ + * $Date: 2005/04/21 09:33:06 $ */ @@ -1274,7 +1274,7 @@ } -/* Note that this fucntion won't return the error codes NO_CARD or +/* Note that this function won't return the error codes NO_CARD or CARD_INACTIVE */ int ccid_slot_status (ccid_driver_t handle, int *statusbits) Index: gnupg/scd/command.c diff -u gnupg/scd/command.c:1.19.2.20 gnupg/scd/command.c:1.19.2.21 --- gnupg/scd/command.c:1.19.2.20 Thu Apr 14 19:25:43 2005 +++ gnupg/scd/command.c Thu Apr 21 11:33:06 2005 @@ -263,7 +263,7 @@ return 0; /* Already initialized using a card context. */ if ( IS_LOCKED (ctrl) ) - return gpg_error (GPG_ERR_EBUSY); + return gpg_error (GPG_ERR_LOCKED); if (ctrl->reader_slot != -1) slot = ctrl->reader_slot; @@ -360,7 +360,7 @@ if (ctrl->server_local->card_removed) { if ( IS_LOCKED (ctrl) ) - return gpg_error (GPG_ERR_EBUSY); + return gpg_error (GPG_ERR_LOCKED); do_reset (ctrl, 0); } @@ -745,7 +745,7 @@ unsigned char *buf; if (locked_session && locked_session != ctrl->server_local) - return gpg_error (GPG_ERR_EBUSY); + return gpg_error (GPG_ERR_LOCKED); /* Parse the hexstring. */ for (p=line,n=0; hexdigitp (p); p++, n++) @@ -817,7 +817,7 @@ char *keyidstr; if ( IS_LOCKED (ctrl) ) - return gpg_error (GPG_ERR_EBUSY); + return gpg_error (GPG_ERR_LOCKED); if ((rc = open_card (ctrl, NULL))) return rc; @@ -871,7 +871,7 @@ char *keyidstr; if ( IS_LOCKED (ctrl) ) - return gpg_error (GPG_ERR_EBUSY); + return gpg_error (GPG_ERR_LOCKED); if ((rc = open_card (ctrl, NULL))) return rc; @@ -921,7 +921,7 @@ char *keyidstr; if ( IS_LOCKED (ctrl) ) - return gpg_error (GPG_ERR_EBUSY); + return gpg_error (GPG_ERR_LOCKED); if ((rc = open_card (ctrl, NULL))) return rc; @@ -1021,7 +1021,7 @@ char *line, *linebuf; if ( IS_LOCKED (ctrl) ) - return gpg_error (GPG_ERR_EBUSY); + return gpg_error (GPG_ERR_LOCKED); if ((rc = open_card (ctrl, NULL))) return rc; @@ -1076,7 +1076,7 @@ int force = has_option (line, "--force"); if ( IS_LOCKED (ctrl) ) - return gpg_error (GPG_ERR_EBUSY); + return gpg_error (GPG_ERR_LOCKED); /* Skip over options. */ while ( *line == '-' && line[1] == '-' ) @@ -1165,7 +1165,7 @@ int reset_mode = has_option (line, "--reset"); if ( IS_LOCKED (ctrl) ) - return gpg_error (GPG_ERR_EBUSY); + return gpg_error (GPG_ERR_LOCKED); /* Skip over options. */ while (*line == '-' && line[1] == '-') @@ -1212,7 +1212,7 @@ char *keyidstr; if ( IS_LOCKED (ctrl) ) - return gpg_error (GPG_ERR_EBUSY); + return gpg_error (GPG_ERR_LOCKED); if ((rc = open_card (ctrl, NULL))) return rc; @@ -1244,7 +1244,7 @@ Grant exclusive card access to this session. Note that there is no lock counter used and a second lock from the same session will get ignore. A single unlock (or RESET) unlocks the session. - Return GPG_ERR_EBUSY if another session has locked the reader. + Return GPG_ERR_LOCKED if another session has locked the reader. If the option --wait is given the command will wait until a lock has been released. @@ -1259,7 +1259,7 @@ if (locked_session) { if (locked_session != ctrl->server_local) - rc = gpg_error (GPG_ERR_EBUSY); + rc = gpg_error (GPG_ERR_LOCKED); } else locked_session = ctrl->server_local; @@ -1293,7 +1293,7 @@ if (locked_session) { if (locked_session != ctrl->server_local) - rc = gpg_error (GPG_ERR_EBUSY); + rc = gpg_error (GPG_ERR_LOCKED); else locked_session = NULL; } Index: gnupg/sm/ChangeLog diff -u gnupg/sm/ChangeLog:1.101.2.93 gnupg/sm/ChangeLog:1.101.2.94 --- gnupg/sm/ChangeLog:1.101.2.93 Thu Apr 21 09:16:41 2005 +++ gnupg/sm/ChangeLog Thu Apr 21 11:33:06 2005 @@ -1,5 +1,8 @@ 2005-04-21 Werner Koch + * gpgsm.c: New options --{enable,disable}-trusted-cert-crl-check. + * certchain.c (gpgsm_validate_chain): Make use of it. + * certchain.c (gpgsm_validate_chain): Check revocations even for expired certificates. This is required because on signature verification an expired key is fine whereas a revoked one is not. Index: gnupg/sm/certchain.c diff -u gnupg/sm/certchain.c:1.32.2.23 gnupg/sm/certchain.c:1.32.2.24 --- gnupg/sm/certchain.c:1.32.2.23 Thu Apr 21 09:16:41 2005 +++ gnupg/sm/certchain.c Thu Apr 21 11:33:06 2005 @@ -752,13 +752,13 @@ } - /* Is this a self-signed certificate? */ + /* Is this a self-issued certificate? */ if (subject && !strcmp (issuer, subject)) { /* Yes. */ if (gpgsm_check_cert_sig (subject_cert, subject_cert) ) { do_list (1, lm, fp, - _("selfsigned certificate has a BAD signature")); + _("self-signed certificate has a BAD signature")); if (DBG_X509) { gpgsm_dump_cert ("self-signing cert", subject_cert); @@ -816,7 +816,9 @@ /* Check for revocations etc. */ if ((flags & 1)) - rc = 0; + ; + else if (opt.no_trusted_cert_crl_check) + ; else rc = is_cert_still_valid (ctrl, lm, fp, subject_cert, subject_cert, @@ -1045,7 +1047,7 @@ rc = gpgsm_check_cert_sig (cert, cert); if (rc) { - log_error ("selfsigned certificate has a BAD signature: %s\n", + log_error ("self-signed certificate has a BAD signature: %s\n", gpg_strerror (rc)); if (DBG_X509) { Index: gnupg/sm/gpgsm.c diff -u gnupg/sm/gpgsm.c:1.67.2.39 gnupg/sm/gpgsm.c:1.67.2.40 --- gnupg/sm/gpgsm.c:1.67.2.39 Mon Apr 18 12:44:45 2005 +++ gnupg/sm/gpgsm.c Thu Apr 21 11:33:06 2005 @@ -130,6 +130,8 @@ oDisableCRLChecks, oEnableCRLChecks, + oDisableTrustedCertCRLCheck, + oEnableTrustedCertCRLCheck, oForceCRLRefresh, oDisableOCSP, @@ -285,6 +287,8 @@ N_("use system's dirmngr if available")}, { oDisableCRLChecks, "disable-crl-checks", 0, N_("never consult a CRL")}, { oEnableCRLChecks, "enable-crl-checks", 0, "@"}, + { oDisableTrustedCertCRLCheck, "disable-trusted-cert-crl-check", 0, "@"}, + { oEnableTrustedCertCRLCheck, "enable-trusted-cert-crl-check", 0, "@"}, { oForceCRLRefresh, "force-crl-refresh", 0, "@"}, { oDisableOCSP, "disable-ocsp", 0, "@" }, @@ -973,6 +977,12 @@ case oEnableCRLChecks: opt.no_crl_check = 0; break; + case oDisableTrustedCertCRLCheck: + opt.no_trusted_cert_crl_check = 1; + break; + case oEnableTrustedCertCRLCheck: + opt.no_trusted_cert_crl_check = 0; + break; case oForceCRLRefresh: opt.force_crl_refresh = 1; break; @@ -1352,6 +1362,8 @@ GC_OPT_FLAG_NONE ); printf ("disable-crl-checks:%lu:\n", GC_OPT_FLAG_NONE ); + printf ("disable-trusted-cert-crl-check:%lu:\n", + GC_OPT_FLAG_NONE ); printf ("enable-ocsp:%lu:\n", GC_OPT_FLAG_NONE ); printf ("include-certs:%lu:1:\n", Index: gnupg/sm/gpgsm.h diff -u gnupg/sm/gpgsm.h:1.54.2.25 gnupg/sm/gpgsm.h:1.54.2.26 --- gnupg/sm/gpgsm.h:1.54.2.25 Mon Apr 18 12:44:45 2005 +++ gnupg/sm/gpgsm.h Thu Apr 21 11:33:06 2005 @@ -97,6 +97,7 @@ int ignore_time_conflict; /* Ignore certain time conflicts */ int no_crl_check; /* Don't do a CRL check */ + int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */ int force_crl_refresh; /* Force refreshing the CRL. */ int enable_ocsp; /* Default to use OCSP checks. */ Index: gnupg/tools/ChangeLog diff -u gnupg/tools/ChangeLog:1.25.2.72 gnupg/tools/ChangeLog:1.25.2.73 --- gnupg/tools/ChangeLog:1.25.2.72 Tue Apr 19 14:00:29 2005 +++ gnupg/tools/ChangeLog Thu Apr 21 11:33:06 2005 @@ -1,3 +1,11 @@ +2005-04-21 Werner Koch + + * gpgconf-comp.c: Add gpgsm option disable-trusted-cert-crl-check. + +2005-04-20 Werner Koch + + * gpgconf-comp.c: Add gpg-agent:disable-scdaemon. + 2005-04-19 Marcus Brinkmann * symcryptrun.c: Add --input option. Index: gnupg/tools/gpgconf-comp.c diff -u gnupg/tools/gpgconf-comp.c:1.1.2.51 gnupg/tools/gpgconf-comp.c:1.1.2.52 --- gnupg/tools/gpgconf-comp.c:1.1.2.51 Wed Mar 9 20:22:54 2005 +++ gnupg/tools/gpgconf-comp.c Thu Apr 21 11:33:06 2005 @@ -449,6 +449,9 @@ { "options", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT, "gnupg", "|FILE|read options from FILE", GC_ARG_TYPE_PATHNAME, GC_BACKEND_GPG_AGENT }, + { "disable-scdaemon", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED, + "gnupg", "do not use the SCdaemon", + GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT }, { "Debug", GC_OPT_FLAG_GROUP, GC_LEVEL_ADVANCED, @@ -651,6 +654,9 @@ { "disable-crl-checks", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC, "gnupg", "never consult a CRL", GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM }, + { "disable-trusted-cert-crl-check", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT, + "gnupg", N_("do not check CRLs for root certificates"), + GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM }, { "enable-ocsp", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED, "gnupg", "check validity using OCSP", GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM }, Index: gnupg/tools/symcryptrun.c diff -u gnupg/tools/symcryptrun.c:1.1.2.6 gnupg/tools/symcryptrun.c:1.1.2.7 --- gnupg/tools/symcryptrun.c:1.1.2.6 Tue Apr 19 14:00:29 2005 +++ gnupg/tools/symcryptrun.c Thu Apr 21 11:33:06 2005 @@ -124,7 +124,7 @@ oKeyfile, oDecrypt, oEncrypt, - oInput, + oInput }; From cvs at cvs.gnupg.org Thu Apr 21 11:50:47 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 21 11:50:51 2005 Subject: GNUPG-1-9-BRANCH gnupg/tools (ChangeLog symcryptrun.c) Message-ID: Date: Thursday, April 21, 2005 @ 12:07:41 Author: wk Path: /cvs/gnupg/gnupg/tools Tag: GNUPG-1-9-BRANCH Modified: ChangeLog symcryptrun.c (main): Optionally allow the input file as command line argument. ---------------+ ChangeLog | 3 +++ symcryptrun.c | 16 +++++++++++++++- 2 files changed, 18 insertions(+), 1 deletion(-) Index: gnupg/tools/ChangeLog diff -u gnupg/tools/ChangeLog:1.25.2.73 gnupg/tools/ChangeLog:1.25.2.74 --- gnupg/tools/ChangeLog:1.25.2.73 Thu Apr 21 11:33:06 2005 +++ gnupg/tools/ChangeLog Thu Apr 21 12:07:41 2005 @@ -1,5 +1,8 @@ 2005-04-21 Werner Koch + * symcryptrun.c (main): Optionally allow the input file as command + line argument. + * gpgconf-comp.c: Add gpgsm option disable-trusted-cert-crl-check. 2005-04-20 Werner Koch Index: gnupg/tools/symcryptrun.c diff -u gnupg/tools/symcryptrun.c:1.1.2.7 gnupg/tools/symcryptrun.c:1.1.2.8 --- gnupg/tools/symcryptrun.c:1.1.2.7 Thu Apr 21 11:33:06 2005 +++ gnupg/tools/symcryptrun.c Thu Apr 21 12:07:41 2005 @@ -190,7 +190,7 @@ break; case 41: p = _("Syntax: symcryptrun --class CLASS --program PROGRAM " - "--keyfile KEYFILE [options...] COMMAND\n" + "--keyfile KEYFILE [options...] COMMAND [inputfile]\n" "Call a simple symmetric encryption tool\n"); break; case 31: p = "\nHome: "; break; @@ -961,6 +961,20 @@ xfree (configname); configname = NULL; + /* With --inputfile an argument is not allowed, without only one + optional argument is allowed. */ + if (argc > 1) + log_error (_("too many arguments\n")); + else if (opt.input && argc) + log_error (_("no argument allowed when using option \"%s\"\n"), + "--inputfile"); + + if (argc) + { + opt.input = *argv; + argv++; argc--; + } + if (!mode) log_error (_("either %s or %s must be given\n"), "--decrypt", "--encrypt"); From cvs at cvs.gnupg.org Thu Apr 21 16:22:03 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 21 16:22:07 2005 Subject: GNUPG-1-9-BRANCH gnupg (6 files) Message-ID: Date: Thursday, April 21, 2005 @ 16:39:01 Author: wk Path: /cvs/gnupg/gnupg Tag: GNUPG-1-9-BRANCH Modified: ChangeLog NEWS configure.ac doc/gpg-agent.texi po/ChangeLog po/de.po Preparing a release --------------------+ ChangeLog | 2 NEWS | 7 configure.ac | 2 doc/gpg-agent.texi | 13 - po/ChangeLog | 6 po/de.po | 565 ++++++++++++++++++++++++++++++++------------------- 6 files changed, 380 insertions(+), 215 deletions(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.131.2.72 gnupg/ChangeLog:1.131.2.73 --- gnupg/ChangeLog:1.131.2.72 Thu Apr 21 11:33:07 2005 +++ gnupg/ChangeLog Thu Apr 21 16:39:00 2005 @@ -1,5 +1,7 @@ 2005-04-21 Werner Koch + Released 1.9.16. + * configure.ac: Do not build gpg by default. 2005-04-20 Werner Koch Index: gnupg/NEWS diff -u gnupg/NEWS:1.165.2.66 gnupg/NEWS:1.165.2.67 --- gnupg/NEWS:1.165.2.66 Mon Apr 18 12:44:46 2005 +++ gnupg/NEWS Thu Apr 21 16:39:00 2005 @@ -1,13 +1,16 @@ -Noteworthy changes in version 1.9.16 +Noteworthy changes in version 1.9.16 (2005-04-21) ------------------------------------------------- * gpg-agent does now support the ssh-agent protocol and thus allows to use the pinentry as well as the OpenPGP smartcard with ssh. - * New tool gpg-connect-agent as a genereal client for the gpg-agent. + * New tool gpg-connect-agent as a general client for the gpg-agent. * New tool symcryptrun as a wrapper for certain encryption tools. + * The gpg tool is not anymore build by default because those gpg + versions available in the gnupg 1.4 series are far more matured. + Noteworthy changes in version 1.9.15 (2005-01-13) ------------------------------------------------- Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.36.2.84 gnupg/configure.ac:1.36.2.85 --- gnupg/configure.ac:1.36.2.84 Thu Apr 21 11:33:07 2005 +++ gnupg/configure.ac Thu Apr 21 16:39:00 2005 @@ -24,7 +24,7 @@ # Version number: Remember to change it immediately *after* a release. # Add a "-cvs" prefix for non-released code. -AC_INIT(gnupg, 1.9.16-cvs, gnupg-devel@gnupg.org) +AC_INIT(gnupg, 1.9.16, gnupg-devel@gnupg.org) # Set development_version to yes if the minor number is odd or you # feel that the default check for a development version is not # sufficient. Index: gnupg/doc/gpg-agent.texi diff -u gnupg/doc/gpg-agent.texi:1.1.2.17 gnupg/doc/gpg-agent.texi:1.1.2.18 --- gnupg/doc/gpg-agent.texi:1.1.2.17 Wed Apr 20 20:46:51 2005 +++ gnupg/doc/gpg-agent.texi Thu Apr 21 16:39:00 2005 @@ -465,14 +465,15 @@ @item SIGHUP @cpindex SIGHUP -This signals flushes all chached passphrases and when the program was +This signal flushes all chached passphrases and if the program has been started with a configuration file, the configuration file is read again. Only certain options are honored: @code{quiet}, @code{verbose}, -@code{debug}, @code{debug-all}, @code{no-grab}, @code{pinentry-program}, -@code{default-cache-ttl} and @code{ignore-cache-for-signing}. -@code{scdaemon-program} is also supported but due to the current -implementation, which calls the scdaemon only once, it is not of much -use. +@code{debug}, @code{debug-all}, @code{debug-level}, @code{no-grab}, +@code{pinentry-program}, @code{default-cache-ttl}, @code{max-cache-ttl}, +@code{ignore-cache-for-signing}, @code{allow-mark-trusted} and +@code{disable-scdaemon}. @code{scdaemon-program} is also supported but +due to the current implementation, which calls the scdaemon only once, +it is not of much use unless you manually kill the scdaemon. @item SIGTERM Index: gnupg/po/ChangeLog diff -u gnupg/po/ChangeLog:1.50.2.10 gnupg/po/ChangeLog:1.50.2.11 --- gnupg/po/ChangeLog:1.50.2.10 Tue Jan 4 16:57:10 2005 +++ gnupg/po/ChangeLog Thu Apr 21 16:39:00 2005 @@ -1,3 +1,7 @@ +2005-04-21 Werner Koch + + * de.po: Fixed all fuzzies and untranslated strings. + 2005-01-04 Werner Koch * de.po: Updated. @@ -58,7 +62,7 @@ * de.po: New. - Copyright 2002 Free Software Foundation, Inc. + Copyright 2002, 2003, 2004, 2005 Free Software Foundation, Inc. This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without Index: gnupg/po/de.po diff -u gnupg/po/de.po:1.84.2.18 gnupg/po/de.po:1.84.2.19 --- gnupg/po/de.po:1.84.2.18 Thu Jan 13 19:00:45 2005 +++ gnupg/po/de.po Thu Apr 21 16:39:00 2005 @@ -1,5 +1,5 @@ # German translation for GnuPG 1.9.x -*-coding: latin-1;-*- -# Copyright (C) 2002, 2004 Free Software Foundation, Inc. +# Copyright (C) 2002, 2004, 2005 Free Software Foundation, Inc. # Werner Koch , 2002. # # @@ -8,17 +8,17 @@ # msgid "" msgstr "" -"Project-Id-Version: gnupg2 1.9.14\n" +"Project-Id-Version: gnupg2 1.9.16\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2005-01-04 16:45+0100\n" -"PO-Revision-Date: 2005-01-04 16:53+0100\n" +"POT-Creation-Date: 2005-04-21 15:21+0200\n" +"PO-Revision-Date: 2005-04-21 16:23+0200\n" "Last-Translator: Werner Koch \n" "Language-Team: de\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=iso-8859-1\n" "Content-Transfer-Encoding: 8bit\n" -#: agent/gpg-agent.c:103 agent/protect-tool.c:106 scd/scdaemon.c:98 +#: agent/gpg-agent.c:107 agent/protect-tool.c:106 scd/scdaemon.c:98 msgid "" "@Options:\n" " " @@ -26,102 +26,110 @@ "@Optionen:\n" " " -#: agent/gpg-agent.c:105 scd/scdaemon.c:100 +#: agent/gpg-agent.c:109 scd/scdaemon.c:100 msgid "run in server mode (foreground)" msgstr "Im Server Modus ausführen" -#: agent/gpg-agent.c:106 scd/scdaemon.c:101 +#: agent/gpg-agent.c:110 scd/scdaemon.c:101 msgid "run in daemon mode (background)" msgstr "Im Daemon Modus ausführen" -#: agent/gpg-agent.c:107 kbx/kbxutil.c:81 scd/scdaemon.c:102 sm/gpgsm.c:325 +#: agent/gpg-agent.c:111 kbx/kbxutil.c:81 scd/scdaemon.c:102 sm/gpgsm.c:329 #: tools/gpgconf.c:62 msgid "verbose" msgstr "ausführlich" -#: agent/gpg-agent.c:108 kbx/kbxutil.c:82 scd/scdaemon.c:103 sm/gpgsm.c:326 +#: agent/gpg-agent.c:112 kbx/kbxutil.c:82 scd/scdaemon.c:103 sm/gpgsm.c:330 msgid "be somewhat more quiet" msgstr "Etwas weniger Ausgaben erzeugen" -#: agent/gpg-agent.c:109 scd/scdaemon.c:104 +#: agent/gpg-agent.c:113 scd/scdaemon.c:104 msgid "sh-style command output" msgstr "Ausgabe für /bin/sh" -#: agent/gpg-agent.c:110 scd/scdaemon.c:105 +#: agent/gpg-agent.c:114 scd/scdaemon.c:105 msgid "csh-style command output" msgstr "Ausgabe für /bin/csh" -#: agent/gpg-agent.c:111 +#: agent/gpg-agent.c:115 msgid "|FILE|read options from FILE" msgstr "|DATEI|Konfigurationsoptionen aus DATEI lesen" -#: agent/gpg-agent.c:116 scd/scdaemon.c:112 +#: agent/gpg-agent.c:120 scd/scdaemon.c:112 msgid "do not detach from the console" msgstr "Im Vordergrund laufen lassen" -#: agent/gpg-agent.c:117 +#: agent/gpg-agent.c:121 msgid "do not grab keyboard and mouse" msgstr "Tastatur und Maus nicht \"grabben\"" -#: agent/gpg-agent.c:118 scd/scdaemon.c:113 sm/gpgsm.c:328 +#: agent/gpg-agent.c:122 scd/scdaemon.c:113 sm/gpgsm.c:332 msgid "use a log file for the server" msgstr "Logausgaben in eine Datei umlenken" -#: agent/gpg-agent.c:119 +#: agent/gpg-agent.c:123 msgid "do not allow multiple connections" msgstr "Nicht mehr als eine Verbindung erlauben" -#: agent/gpg-agent.c:121 +#: agent/gpg-agent.c:125 msgid "use a standard location for the socket" msgstr "Benutze einen Standardnamen für den Socket" -#: agent/gpg-agent.c:125 +#: agent/gpg-agent.c:129 msgid "|PGM|use PGM as the PIN-Entry program" msgstr "|PGM|benutze PGM as PIN-Entry" -#: agent/gpg-agent.c:127 +#: agent/gpg-agent.c:131 msgid "|PGM|use PGM as the SCdaemon program" msgstr "|PGM|benutze PGM as SCdaemon" -#: agent/gpg-agent.c:134 +#: agent/gpg-agent.c:132 +msgid "do not use the SCdaemon" +msgstr "Den Scdaemon basierten Kartenzugriff nicht nutzen" + +#: agent/gpg-agent.c:139 msgid "ignore requests to change the TTY" msgstr "Ignoriere Anfragen, das TTY zu wechseln" -#: agent/gpg-agent.c:136 +#: agent/gpg-agent.c:141 msgid "ignore requests to change the X display" msgstr "Ignoriere Anfragen, das X-Display zu wechseln" -#: agent/gpg-agent.c:139 +#: agent/gpg-agent.c:144 msgid "|N|expire cached PINs after N seconds" msgstr "|N|lasse PINs im Cache nach N Sekunden verfallen" -#: agent/gpg-agent.c:142 +#: agent/gpg-agent.c:147 msgid "do not use the PIN cache when signing" msgstr "benutze PINs im Cache nicht bem Signieren" -#: agent/gpg-agent.c:144 +#: agent/gpg-agent.c:149 msgid "allow clients to mark keys as \"trusted\"" msgstr "erlaube Aufrufern Schlüssel als \"vertrauenswürdig\" zu markieren" -#: agent/gpg-agent.c:146 +#: agent/gpg-agent.c:151 msgid "allow presetting passphrase" msgstr "erlaube ein \"preset\" von Passphrases" -#: agent/gpg-agent.c:205 agent/protect-tool.c:139 scd/scdaemon.c:178 -#: sm/gpgsm.c:499 tools/gpgconf.c:85 +#: agent/gpg-agent.c:152 +msgid "enable ssh-agent emulation" +msgstr "Die ssh-agent Emulation anschalten" + +#: agent/gpg-agent.c:232 agent/protect-tool.c:139 scd/scdaemon.c:178 +#: sm/gpgsm.c:503 tools/gpgconf.c:85 msgid "Please report bugs to <" msgstr "Fehlerberichte bitte an <" -#: agent/gpg-agent.c:205 agent/protect-tool.c:139 scd/scdaemon.c:178 -#: sm/gpgsm.c:499 tools/gpgconf.c:85 +#: agent/gpg-agent.c:232 agent/protect-tool.c:139 scd/scdaemon.c:178 +#: sm/gpgsm.c:503 tools/gpgconf.c:85 msgid ">.\n" msgstr ">.\n" -#: agent/gpg-agent.c:208 +#: agent/gpg-agent.c:235 msgid "Usage: gpg-agent [options] (-h for help)" msgstr "Gebrauch: gpg-agent [Optionen] (-h für Hilfe)" -#: agent/gpg-agent.c:210 +#: agent/gpg-agent.c:237 msgid "" "Syntax: gpg-agent [options] [command [args]]\n" "Secret key management for GnuPG\n" @@ -129,54 +137,118 @@ "Syntax: gpg-agent [Optionen] [Kommando [Argumente]]\n" "Verwaltung von geheimen Schlüssel für GnuPG\n" -#: agent/gpg-agent.c:281 scd/scdaemon.c:252 sm/gpgsm.c:628 +#: agent/gpg-agent.c:308 scd/scdaemon.c:252 sm/gpgsm.c:632 #, c-format msgid "invalid debug-level `%s' given\n" msgstr "ungültige Debugebene `%s' angegeben\n" -#: agent/gpg-agent.c:462 agent/protect-tool.c:1061 kbx/kbxutil.c:431 -#: scd/scdaemon.c:367 sm/gpgsm.c:749 +#: agent/gpg-agent.c:498 agent/protect-tool.c:1061 kbx/kbxutil.c:431 +#: scd/scdaemon.c:367 sm/gpgsm.c:753 #, c-format msgid "libgcrypt is too old (need %s, have %s)\n" msgstr "" "Die Bibliothek \"libgcrypt\" is zu alt (benötigt wird %s, vorhanden ist %s)\n" -#: agent/gpg-agent.c:537 scd/scdaemon.c:442 sm/gpgsm.c:850 +#: agent/gpg-agent.c:590 scd/scdaemon.c:442 sm/gpgsm.c:854 #, c-format msgid "NOTE: no default option file `%s'\n" msgstr "Notiz: Voreingestellte Konfigurationsdatei `%s' fehlt\n" -#: agent/gpg-agent.c:542 agent/gpg-agent.c:1056 scd/scdaemon.c:447 -#: sm/gpgsm.c:854 +#: agent/gpg-agent.c:595 agent/gpg-agent.c:1104 scd/scdaemon.c:447 +#: sm/gpgsm.c:858 #, c-format msgid "option file `%s': %s\n" msgstr "Konfigurationsdatei `%s': %s\n" -#: agent/gpg-agent.c:550 scd/scdaemon.c:455 sm/gpgsm.c:861 +#: agent/gpg-agent.c:603 scd/scdaemon.c:455 sm/gpgsm.c:865 #, c-format msgid "reading options from `%s'\n" msgstr "Optionen werden aus `%s' gelesen\n" -#: agent/gpg-agent.c:775 agent/gpg-agent.c:1090 agent/gpg-agent.c:1094 -#: agent/gpg-agent.c:1130 agent/gpg-agent.c:1134 +#: agent/gpg-agent.c:1154 agent/gpg-agent.c:1257 agent/gpg-agent.c:1261 +#: agent/gpg-agent.c:1297 agent/gpg-agent.c:1301 #, c-format msgid "can't create directory `%s': %s\n" -msgstr "Das Verzeichniss `%s' kann nicht erstell werden: %s\n" +msgstr "Das Verzeichniss `%s' kann nicht erstellt werden: %s\n" + +#: agent/gpg-agent.c:1168 +msgid "name of socket too long\n" +msgstr "Der Name des Sockets ist zu lang\n" + +#: agent/gpg-agent.c:1194 +#, c-format +msgid "can't create socket: %s\n" +msgstr "Socket kann nicht erzeugt werden: %s\n" + +#: agent/gpg-agent.c:1223 +#, c-format +msgid "error binding socket to `%s': %s\n" +msgstr "Der Socket kann nicht an `%s' gebunden werden: %s\n" + +#: agent/gpg-agent.c:1231 +#, c-format +msgid "listen() failed: %s\n" +msgstr "Der listen() Aufruf ist fehlgeschlagen: %s\n" + +#: agent/gpg-agent.c:1237 +#, c-format +msgid "listening on socket `%s'\n" +msgstr "Es wird auf Socket `%s' gehört\n" -#: agent/gpg-agent.c:1098 agent/gpg-agent.c:1140 +#: agent/gpg-agent.c:1265 agent/gpg-agent.c:1307 #, c-format msgid "directory `%s' created\n" msgstr "Verzeichniss `%s' wurde erstellt\n" -#: agent/gpg-agent.c:1327 +#: agent/gpg-agent.c:1313 +#, c-format +msgid "stat() failed for `%s': %s\n" +msgstr "stat() Aufruf für `%s' fehlgeschlagen: %s\n" + +#: agent/gpg-agent.c:1317 +#, c-format +msgid "can't use `%s' as home directory\n" +msgstr "Die Datei `%s' kann nicht als Home-Verzeichniss benutzt werden\n" + +#: agent/gpg-agent.c:1408 +#, c-format +msgid "handler for fd %d started\n" +msgstr "Handhabungsroutine für fd %d gestartet\n" + +#: agent/gpg-agent.c:1417 +#, c-format +msgid "handler for fd %d terminated\n" +msgstr "Handhabungsroutine für den fd %d beendet\n" + +#: agent/gpg-agent.c:1430 +#, c-format +msgid "ssh handler for fd %d started\n" +msgstr "SSH Handhabungsroutine für fd %d gestartet\n" + +#: agent/gpg-agent.c:1436 +#, c-format +msgid "ssh handler for fd %d terminated\n" +msgstr "SSH Handhabungsroutine für fd %d beendet\n" + +#: agent/gpg-agent.c:1525 +#, c-format +msgid "pth_select failed: %s - waiting 1s\n" +msgstr "pth_select() Aufruf fehlgeschlagen: %s - warte 1s\n" + +#: agent/gpg-agent.c:1582 +#, c-format +msgid "%s %s stopped\n" +msgstr "%s %s angehalten\n" + +#: agent/gpg-agent.c:1604 msgid "no gpg-agent running in this session\n" msgstr "Der gpg-agent läuft nicht für diese Session\n" -#: agent/gpg-agent.c:1337 common/simple-pwquery.c:323 sm/call-agent.c:140 +#: agent/gpg-agent.c:1614 common/simple-pwquery.c:323 sm/call-agent.c:140 msgid "malformed GPG_AGENT_INFO environment variable\n" msgstr "Die Variable GPG_AGENT_INFO ist fehlerhaft\n" -#: agent/gpg-agent.c:1349 common/simple-pwquery.c:335 sm/call-agent.c:152 +#: agent/gpg-agent.c:1626 common/simple-pwquery.c:335 sm/call-agent.c:152 #, c-format msgid "gpg-agent protocol version %d is not supported\n" msgstr "Das gpg-agent Protocol %d wird nicht unterstützt\n" @@ -395,12 +467,12 @@ msgid "problem with the agent\n" msgstr "Problem mit dem Agenten\n" -#: jnlib/logging.c:624 +#: jnlib/logging.c:609 #, c-format msgid "you found a bug ... (%s:%d)\n" msgstr "Sie haben einen Bug (Softwarefehler) gefunden ... (%s:%d)\n" -#: kbx/kbxutil.c:68 sm/gpgsm.c:235 tools/gpgconf.c:53 +#: kbx/kbxutil.c:68 sm/gpgsm.c:237 tools/gpgconf.c:53 msgid "" "@Commands:\n" " " @@ -408,7 +480,7 @@ "@Kommandos:\n" " " -#: kbx/kbxutil.c:76 sm/gpgsm.c:270 tools/gpgconf.c:59 +#: kbx/kbxutil.c:76 sm/gpgsm.c:272 tools/gpgconf.c:59 msgid "" "@\n" "Options:\n" @@ -418,7 +490,7 @@ "Optionen:\n" " " -#: kbx/kbxutil.c:83 sm/gpgsm.c:333 tools/gpgconf.c:64 +#: kbx/kbxutil.c:83 sm/gpgsm.c:337 tools/gpgconf.c:64 msgid "do not make any changes" msgstr "Keine Änderungen durchführen" @@ -450,7 +522,7 @@ "Syntax: kbxutil [Optionen] [Dateien]\n" "Anlistem exportieren und Importieren von KeyBox Dateien\n" -#: scd/scdaemon.c:106 sm/gpgsm.c:345 +#: scd/scdaemon.c:106 sm/gpgsm.c:349 msgid "read options from file" msgstr "Konfigurationsoptionen aus Datei lesen" @@ -500,90 +572,163 @@ "Bitte die Option `--daemon' nutzen um das Programm im Hintergund " "auszuführen\n" -#: scd/app-openpgp.c:534 +#: scd/app-openpgp.c:595 #, c-format msgid "failed to store the fingerprint: %s\n" msgstr "Der Fingerprint kann nicht gespeichert werden: %s\n" -#: scd/app-openpgp.c:547 +#: scd/app-openpgp.c:608 #, c-format msgid "failed to store the creation date: %s\n" msgstr "Das Erzeugungsdatum kann nicht gespeichert werden: %s\n" -#: scd/app-openpgp.c:732 scd/app-openpgp.c:821 scd/app-openpgp.c:1313 +#: scd/app-openpgp.c:976 +#, c-format +msgid "reading public key failed: %s\n" +msgstr "Fehler beim Lesen des öffentlichen Schlüssels: %s\n" + +#: scd/app-openpgp.c:984 scd/app-openpgp.c:1621 scd/app-openpgp.c:2411 +msgid "response does not contain the public key data\n" +msgstr "Die Antwort enthält keine Public Key Daten\n" + +#: scd/app-openpgp.c:992 scd/app-openpgp.c:1629 scd/app-openpgp.c:2419 +msgid "response does not contain the RSA modulus\n" +msgstr "Die Antwort enthält keinen RSA Modulus\n" + +#: scd/app-openpgp.c:1001 scd/app-openpgp.c:1639 scd/app-openpgp.c:2430 +msgid "response does not contain the RSA public exponent\n" +msgstr "Die Antwort enthält keinen öffenlichen RSA Exponent\n" + +#: scd/app-openpgp.c:1253 scd/app-openpgp.c:1341 scd/app-openpgp.c:1861 #, c-format msgid "PIN callback returned error: %s\n" msgstr "Fehler vom PIN \"callback\": %s\n" -#: scd/app-openpgp.c:738 scd/app-openpgp.c:827 scd/app-openpgp.c:1319 +#: scd/app-openpgp.c:1259 scd/app-openpgp.c:1347 scd/app-openpgp.c:1867 #, c-format msgid "PIN for CHV%d is too short; minimum length is %d\n" msgstr "Die PIN für den CHV%d ist zu kurz; Mindestlänge ist %d\n" -#: scd/app-openpgp.c:747 scd/app-openpgp.c:761 scd/app-openpgp.c:837 -#: scd/app-openpgp.c:1328 scd/app-openpgp.c:1342 +#: scd/app-openpgp.c:1268 scd/app-openpgp.c:1282 scd/app-openpgp.c:1357 +#: scd/app-openpgp.c:1876 scd/app-openpgp.c:1890 #, c-format msgid "verify CHV%d failed: %s\n" msgstr "Prüfen von CHV%d fehlgeschlagen: %s\n" -#: scd/app-openpgp.c:784 +#: scd/app-openpgp.c:1305 msgid "access to admin commands is not configured\n" msgstr "Zugriff auf Admin Kommandos ist nicht konfiguriert\n" -#: scd/app-openpgp.c:801 +#: scd/app-openpgp.c:1320 scd/app-openpgp.c:2096 msgid "error retrieving CHV status from card\n" msgstr "Fehler beim Holen des CHV Status von der Karte\n" -#: scd/app-openpgp.c:807 +#: scd/app-openpgp.c:1326 scd/app-openpgp.c:2105 msgid "card is permanently locked!\n" msgstr "Die Karte ist dauerhaft gesperrt!\n" -#: scd/app-openpgp.c:814 +#: scd/app-openpgp.c:1331 #, c-format msgid "%d Admin PIN attempts remaining before card is permanently locked\n" msgstr "" "Noch %d Admin PIN Versuche möglich bevor die Karte dauerhaft gesperrt wird\n" -#: scd/app-openpgp.c:818 -msgid "Admin PIN" -msgstr "Admin PIN" +#. TRANSLATORS: Do not translate the "|A|" prefix but +#. keep it at the start of the string. We need this elsewhere +#. to get some infos on the string. +#: scd/app-openpgp.c:1338 +msgid "|A|Admin PIN" +msgstr "|A|Admin PIN" + +#. TRANSLATORS: Do not translate the "|*|" prefixes but +#. keep it at the start of the string. We need this elsewhere +#. to get some infos on the string. +#: scd/app-openpgp.c:1487 +msgid "|AN|New Admin PIN" +msgstr "|AN|Neue Admin PIN" + +#: scd/app-openpgp.c:1487 +msgid "|N|New PIN" +msgstr "|N|Neue PIN" + +#: scd/app-openpgp.c:1491 +#, c-format +msgid "error getting new PIN: %s\n" +msgstr "Fehler beim Holen der neuen PIN: %s\n" + +#: scd/app-openpgp.c:1564 scd/app-openpgp.c:1707 +msgid "error reading application data\n" +msgstr "Fehler beim Lesen der Anwendungsdaten\n" + +#: scd/app-openpgp.c:1571 scd/app-openpgp.c:1714 +msgid "error reading fingerprint DO\n" +msgstr "Fehler beim Lesen des Fingerabdruck Datenobjekts\n" + +#: scd/app-openpgp.c:1580 +msgid "key already exists\n" +msgstr "Schlüssel existiert bereits\n" + +#: scd/app-openpgp.c:1584 +msgid "existing key will be replaced\n" +msgstr "Existierender Schlüssel wird ersetzt\n" + +#: scd/app-openpgp.c:1586 +msgid "generating new key\n" +msgstr "Neuer Schlüssel wird erzeugt\n" -#: scd/app-openpgp.c:1301 +#: scd/app-openpgp.c:1597 +msgid "please wait while key is being generated ...\n" +msgstr "Bitte warten bis der Schlüssel erzeugt wurde ...\n" + +#: scd/app-openpgp.c:1612 +msgid "generating key failed\n" +msgstr "Fehler beim Erzeugen des Schlüssels\n" + +#: scd/app-openpgp.c:1615 +#, c-format +msgid "key generation completed (%d seconds)\n" +msgstr "Schlüsselerzeugung vollendet (%d Sekunden)\n" + +#: scd/app-openpgp.c:1672 +msgid "invalid structure of OpenPGP card (DO 0x93)\n" +msgstr "Ungültige Struktur der OpenPGP Karte (DO 0x93)\n" + +#: scd/app-openpgp.c:1841 +#, c-format +msgid "signatures created so far: %lu\n" +msgstr "Anzahl bereits erzeugter Signaturen: %lu\n" + +#: scd/app-openpgp.c:1849 #, c-format msgid "PIN [sigs done: %lu]" msgstr "PIN [erzeugte signaturen: %lu]" -#: scd/app-openpgp.c:1587 scd/app-openpgp.c:1597 +#: scd/app-openpgp.c:2110 +msgid "" +"verification of Admin PIN is currently prohibited through this command\n" +msgstr "" +"Die Überprüfung der Admin PIN is momentan durch ein Kommando verboten " +"worden\n" + +#: scd/app-openpgp.c:2181 scd/app-openpgp.c:2191 #, c-format msgid "can't access %s - invalid OpenPGP card?\n" msgstr "Zugriff auf %s nicht möglich - ungültige OpenPGP Karte?\n" -#: scd/app-openpgp.c:1668 +#: scd/app-openpgp.c:2262 #, c-format msgid "error getting serial number: %s\n" msgstr "Fehler beim Holen der Seriennummer: %s\n" -#: scd/app-openpgp.c:1763 +#: scd/app-openpgp.c:2362 #, c-format msgid "failed to store the key: %s\n" msgstr "Fehler beim Speichern des Schlüssels: %s\n" -#: scd/app-openpgp.c:1805 +#: scd/app-openpgp.c:2404 msgid "reading the key failed\n" msgstr "Fehler beim Lesen des Schlüssels: %s\n" -#: scd/app-openpgp.c:1812 -msgid "response does not contain the public key data\n" -msgstr "Die Antwort enthält keine Public Key Daten\n" - -#: scd/app-openpgp.c:1820 -msgid "response does not contain the RSA modulus\n" -msgstr "Die Antwort enthält keinen RSA Modulus\n" - -#: scd/app-openpgp.c:1831 -msgid "response does not contain the RSA public exponent\n" -msgstr "Die Antwort enthält keinen öffenlichen RSA Exponent\n" - #: sm/base64.c:315 #, c-format msgid "invalid radix64 character %02x skipped\n" @@ -616,31 +761,31 @@ "Verbindung zum Dirmngr kann nicht aufgebaut werden - Ersatzmethode wird " "versucht\n" -#: sm/certdump.c:59 sm/certdump.c:142 +#: sm/certdump.c:59 sm/certdump.c:143 msgid "none" msgstr "keine" -#: sm/certdump.c:151 +#: sm/certdump.c:152 msgid "[none]" msgstr "[keine]" -#: sm/certdump.c:493 +#: sm/certdump.c:494 msgid "[Error - No name]" msgstr "[Fehler - Kein Name]" -#: sm/certdump.c:507 +#: sm/certdump.c:508 msgid "[Error - unknown encoding]" msgstr "[Fehler - Unbekannte Kodierung]" -#: sm/certdump.c:511 +#: sm/certdump.c:512 msgid "[Error - invalid encoding]" msgstr "[Fehler - Ungültige Kodierung]" -#: sm/certdump.c:516 +#: sm/certdump.c:517 msgid "[Error - invalid DN]" msgstr "[Fehler - Ungültiger DN]" -#: sm/certdump.c:677 +#: sm/certdump.c:678 #, c-format msgid "" "Please enter the passphrase to unlock the secret key for:\n" @@ -702,108 +847,113 @@ msgid "critical marked policy without configured policies" msgstr "kritische Richtlinie ohne konfigurierte Richtlinien" -#: sm/certchain.c:185 sm/certchain.c:214 +#: sm/certchain.c:179 +#, c-format +msgid "failed to open `%s': %s\n" +msgstr "Datei `%s' kann nicht geöffnet werden: %s\n" + +#: sm/certchain.c:186 sm/certchain.c:215 msgid "note: non-critical certificate policy not allowed" msgstr "Notiz: Die unkritische Zertifikatrichtlinie ist nicht erlaubt" -#: sm/certchain.c:189 sm/certchain.c:218 +#: sm/certchain.c:190 sm/certchain.c:219 msgid "certificate policy not allowed" msgstr "Die Zertifikatrichtlinie ist nicht erlaubt" -#: sm/certchain.c:349 +#: sm/certchain.c:330 msgid "looking up issuer at external location\n" msgstr "Der Herausgeber wird von einer externen Stelle gesucht\n" -#: sm/certchain.c:367 +#: sm/certchain.c:350 #, c-format msgid "number of issuers matching: %d\n" msgstr "Anzahl der übereinstimmenden Heruasgeber: %d\n" -#: sm/certchain.c:403 sm/certchain.c:562 sm/certchain.c:931 sm/decrypt.c:260 +#: sm/certchain.c:503 sm/certchain.c:662 sm/certchain.c:1031 sm/decrypt.c:260 #: sm/encrypt.c:341 sm/sign.c:324 sm/verify.c:106 msgid "failed to allocated keyDB handle\n" msgstr "Ein keyDB Handle konnte nicht bereitgestellt werden\n" -#: sm/certchain.c:492 +#: sm/certchain.c:592 msgid "certificate has been revoked" msgstr "Das Zertifikat wurde widerrufen" -#: sm/certchain.c:501 +#: sm/certchain.c:601 msgid "no CRL found for certificate" msgstr "Keine CRL für das Zertifikat gefunden" -#: sm/certchain.c:505 +#: sm/certchain.c:605 msgid "the available CRL is too old" msgstr "Die vorhandene CRL ist zu alt" -#: sm/certchain.c:507 +#: sm/certchain.c:607 msgid "please make sure that the \"dirmngr\" is properly installed\n" msgstr "" "Bite vergewissern Sie sich das der \"dirmngr\" richtig installierrt ist\n" -#: sm/certchain.c:512 +#: sm/certchain.c:612 #, c-format msgid "checking the CRL failed: %s" msgstr "Die CRL konnte nicht geprüft werden: %s" -#: sm/certchain.c:582 +#: sm/certchain.c:682 msgid "no issuer found in certificate" msgstr "Im Zertifikat ist kein Herausgeber enthalten" -#: sm/certchain.c:595 +#: sm/certchain.c:695 #, c-format msgid "certificate with invalid validity: %s" msgstr "Zertifikat mit unzulässiger Gültigkeit: %s" -#: sm/certchain.c:611 +#: sm/certchain.c:711 msgid "certificate not yet valid" msgstr "Das Zertifikat ist noch nicht gültig" -#: sm/certchain.c:624 +#: sm/certchain.c:724 msgid "certificate has expired" msgstr "Das Zertifikat ist abgelaufen" -#: sm/certchain.c:661 -msgid "selfsigned certificate has a BAD signature" +#: sm/certchain.c:761 +msgid "self-signed certificate has a BAD signature" msgstr "Das eigenbeglaubigte Zertifikat hat eine FALSCHE Signatur" -#: sm/certchain.c:679 +#: sm/certchain.c:779 msgid "root certificate is not marked trusted" msgstr "Das Wurzelzertifikat ist nicht als vertrauenswürdig markiert" -#: sm/certchain.c:690 +#: sm/certchain.c:790 #, c-format msgid "fingerprint=%s\n" msgstr "Fingerprint=%s\n" -#: sm/certchain.c:695 +#: sm/certchain.c:795 msgid "root certificate has now been marked as trusted\n" msgstr "Das Wurzelzertifikat wurde nun als vertrauenswürdig markiert\n" -#: sm/certchain.c:710 +#: sm/certchain.c:810 #, c-format msgid "checking the trust list failed: %s\n" msgstr "Fehler beim Prüfen der vertrauenswürdigen Zertifikate: %s\n" -#: sm/certchain.c:736 sm/import.c:157 +#: sm/certchain.c:836 sm/import.c:157 msgid "certificate chain too long\n" msgstr "Der Zertifikatkette ist zu lang\n" -#: sm/certchain.c:748 +#: sm/certchain.c:848 msgid "issuer certificate not found" msgstr "Herausgeberzertifikat nicht gefunden" -#: sm/certchain.c:781 +#: sm/certchain.c:881 msgid "certificate has a BAD signature" msgstr "Das Zertifikat hat eine FALSCHE Signatur" -#: sm/certchain.c:809 +#: sm/certchain.c:911 msgid "found another possible matching CA certificate - trying again" msgstr "" "Eine anderes möglicherweise passendes CA-Zertifikat gefunden - versuche " "nochmal" -#: sm/certchain.c:832 +#: sm/certchain.c:934 #, c-format msgid "certificate chain longer than allowed by CA (%d)" msgstr "Die Zertifikatkette ist länger als von der CA erlaubt (%d)" @@ -856,243 +1006,243 @@ msgid "no valid recipients given\n" msgstr "Keine gültigen Empfänger angegeben\n" -#: sm/gpgsm.c:237 +#: sm/gpgsm.c:239 msgid "|[FILE]|make a signature" msgstr "|[DATEI]|Erzeuge eine Signatur" -#: sm/gpgsm.c:238 +#: sm/gpgsm.c:240 msgid "|[FILE]|make a clear text signature" msgstr "|[DATEI]|Erzeuge eine Klartextsignatur" -#: sm/gpgsm.c:239 +#: sm/gpgsm.c:241 msgid "make a detached signature" msgstr "Erzeuge eine abgetrennte Signatur" -#: sm/gpgsm.c:240 +#: sm/gpgsm.c:242 msgid "encrypt data" msgstr "Verschlüssele die Daten" -#: sm/gpgsm.c:241 +#: sm/gpgsm.c:243 msgid "encryption only with symmetric cipher" msgstr "Verschlüsselung nur mit symmetrischem Algrithmus" -#: sm/gpgsm.c:242 +#: sm/gpgsm.c:244 msgid "decrypt data (default)" msgstr "Enschlüssele die Daten" -#: sm/gpgsm.c:243 +#: sm/gpgsm.c:245 msgid "verify a signature" msgstr "Überprüfen einer Signatur" -#: sm/gpgsm.c:245 +#: sm/gpgsm.c:247 msgid "list keys" msgstr "Schlüssel anzeigen" -#: sm/gpgsm.c:246 +#: sm/gpgsm.c:248 msgid "list external keys" msgstr "Externe Schlüssel anzeigen" -#: sm/gpgsm.c:247 +#: sm/gpgsm.c:249 msgid "list secret keys" msgstr "Geheime Schlüssel anzeigen" -#: sm/gpgsm.c:248 +#: sm/gpgsm.c:250 msgid "list certificate chain" msgstr "Schlüssel mit Zertifikatekette anzeigen" -#: sm/gpgsm.c:250 +#: sm/gpgsm.c:252 msgid "list keys and fingerprints" msgstr "Schlüssel und Fingerprint anzeigen" -#: sm/gpgsm.c:251 +#: sm/gpgsm.c:253 msgid "generate a new key pair" msgstr "Neues Schlüsselpaar erzeugen" -#: sm/gpgsm.c:252 +#: sm/gpgsm.c:254 msgid "remove key from the public keyring" msgstr "Schlüssel aus dem öffentlichen Schlüsselbund löschen" -#: sm/gpgsm.c:253 +#: sm/gpgsm.c:255 msgid "export keys to a key server" msgstr "Schlüssen an eine Schlüsselserver exportieren" -#: sm/gpgsm.c:254 +#: sm/gpgsm.c:256 msgid "import keys from a key server" msgstr "Schlüssel von einem Schlüsselserver importieren" -#: sm/gpgsm.c:255 +#: sm/gpgsm.c:257 msgid "import certificates" msgstr "Zertifikate importieren" -#: sm/gpgsm.c:256 +#: sm/gpgsm.c:258 msgid "export certificates" msgstr "Zertifikate exportieren" -#: sm/gpgsm.c:257 +#: sm/gpgsm.c:259 msgid "register a smartcard" msgstr "Smartcard registrieren" -#: sm/gpgsm.c:258 +#: sm/gpgsm.c:260 msgid "run in server mode" msgstr "Im Server Modus ausführen" -#: sm/gpgsm.c:259 +#: sm/gpgsm.c:261 msgid "pass a command to the dirmngr" msgstr "Das Kommand an den Dirmngr durchreichen" -#: sm/gpgsm.c:261 +#: sm/gpgsm.c:263 msgid "invoke gpg-protect-tool" msgstr "Rufe das gpg-protect-tool auf" -#: sm/gpgsm.c:262 +#: sm/gpgsm.c:264 msgid "change a passphrase" msgstr "Das Mantra (Passphrase) ändern" -#: sm/gpgsm.c:272 +#: sm/gpgsm.c:274 msgid "create ascii armored output" msgstr "Ausgabe mit ASCII Hülle wird erzeugt" -#: sm/gpgsm.c:274 +#: sm/gpgsm.c:276 msgid "create base-64 encoded output" msgstr "Ausgabe im Basis-64 format erzeugen" -#: sm/gpgsm.c:276 +#: sm/gpgsm.c:278 msgid "assume input is in PEM format" msgstr "Eingabedaten sind im PEM Format" -#: sm/gpgsm.c:278 +#: sm/gpgsm.c:280 msgid "assume input is in base-64 format" msgstr "Eingabedaten sind im Basis-64 Format" -#: sm/gpgsm.c:280 +#: sm/gpgsm.c:282 msgid "assume input is in binary format" msgstr "Eingabedaten sind im Binärformat" -#: sm/gpgsm.c:282 +#: sm/gpgsm.c:284 msgid "|NAME|encrypt for NAME" msgstr "|NAME|Verschlüsseln für NAME" -#: sm/gpgsm.c:285 +#: sm/gpgsm.c:287 msgid "use system's dirmngr if available" msgstr "Benutze den System Dirmngr when verfügbar" -#: sm/gpgsm.c:286 +#: sm/gpgsm.c:288 msgid "never consult a CRL" msgstr "Niemals eine CRL konsultieren" -#: sm/gpgsm.c:291 +#: sm/gpgsm.c:295 msgid "check validity using OCSP" msgstr "Die Gültigkeit mittels OCSP prüfen" -#: sm/gpgsm.c:294 +#: sm/gpgsm.c:298 msgid "|N|number of certificates to include" msgstr "|N|Sende N Zertifikate mit" -#: sm/gpgsm.c:297 +#: sm/gpgsm.c:301 msgid "|FILE|take policy information from FILE" msgstr "|DATEI|Richtlinieninformationen DATEI entnehmen" -#: sm/gpgsm.c:300 +#: sm/gpgsm.c:304 msgid "do not check certificate policies" msgstr "Zertikikatrichtlinien nicht überprüfen" -#: sm/gpgsm.c:304 +#: sm/gpgsm.c:308 msgid "fetch missing issuer certificates" msgstr "Fehlende Zertifikate automatisch holen" -#: sm/gpgsm.c:308 +#: sm/gpgsm.c:312 msgid "|NAME|use NAME as default recipient" msgstr "|NAME|Benutze NAME als voreingestellten Empfänger" -#: sm/gpgsm.c:310 +#: sm/gpgsm.c:314 msgid "use the default key as default recipient" msgstr "Benuzte voreingestellten Schlüssel als Standardempfänger" -#: sm/gpgsm.c:316 +#: sm/gpgsm.c:320 msgid "use this user-id to sign or decrypt" msgstr "Benuzte diese Benutzer ID zum Signieren oder Entschlüsseln" -#: sm/gpgsm.c:319 +#: sm/gpgsm.c:323 msgid "|N|set compress level N (0 disables)" msgstr "|N|Benutze Komprimierungsstufe N" -#: sm/gpgsm.c:321 +#: sm/gpgsm.c:325 msgid "use canonical text mode" msgstr "Kanonischen Textmodus benutzen" -#: sm/gpgsm.c:324 tools/gpgconf.c:61 +#: sm/gpgsm.c:328 tools/gpgconf.c:61 msgid "use as output file" msgstr "als Ausgabedatei benutzen" -#: sm/gpgsm.c:327 +#: sm/gpgsm.c:331 msgid "don't use the terminal at all" msgstr "Das Terminal überhaupt nicht benutzen" -#: sm/gpgsm.c:330 +#: sm/gpgsm.c:334 msgid "force v3 signatures" msgstr "Version 3 Signaturen erzwingen" -#: sm/gpgsm.c:331 +#: sm/gpgsm.c:335 msgid "always use a MDC for encryption" msgstr "Immer das MDC Verfahren zum verschlüsseln mitbenutzen" -#: sm/gpgsm.c:336 +#: sm/gpgsm.c:340 msgid "batch mode: never ask" msgstr "Stapelverarbeitungs Modus: Nie nachfragen" -#: sm/gpgsm.c:337 +#: sm/gpgsm.c:341 msgid "assume yes on most questions" msgstr "\"Ja\" auf die meisten Anfragen annehmen" -#: sm/gpgsm.c:338 +#: sm/gpgsm.c:342 msgid "assume no on most questions" msgstr "\"Nein\" auf die meisten Anfragen annehmen" -#: sm/gpgsm.c:340 +#: sm/gpgsm.c:344 msgid "add this keyring to the list of keyrings" msgstr "Diesen Keyring in die Liste der Keyrings aufnehmen" -#: sm/gpgsm.c:341 +#: sm/gpgsm.c:345 msgid "add this secret keyring to the list" msgstr "Diese geheimen Keyring in die Liste aufnehmen" -#: sm/gpgsm.c:342 +#: sm/gpgsm.c:346 msgid "|NAME|use NAME as default secret key" msgstr "|NAME|Benutze NAME als voreingestellten Schlüssel" -#: sm/gpgsm.c:343 +#: sm/gpgsm.c:347 msgid "|HOST|use this keyserver to lookup keys" msgstr "|HOST|Benutze HOST als Schlüsselserver" -#: sm/gpgsm.c:344 +#: sm/gpgsm.c:348 msgid "|NAME|set terminal charset to NAME" msgstr "|NAME|Den Zeichensatz für das Terminal auf NAME setzen" -#: sm/gpgsm.c:348 +#: sm/gpgsm.c:352 msgid "|LEVEL|set the debugging level to LEVEL" msgstr "|NAME|Die Debugstufe auf NAME setzen" -#: sm/gpgsm.c:355 +#: sm/gpgsm.c:359 msgid "|FD|write status info to this FD" msgstr "|FD|Statusinformationen auf Dateidescriptor FD schreiben" -#: sm/gpgsm.c:362 +#: sm/gpgsm.c:366 msgid "|FILE|load extension module FILE" msgstr "|DATEI|Das Erweiterungsmodul DATEI laden" -#: sm/gpgsm.c:368 +#: sm/gpgsm.c:372 msgid "|NAME|use cipher algorithm NAME" msgstr "|NAME|Den Verschlüsselungsalgrithmus NAME benutzen" -#: sm/gpgsm.c:370 +#: sm/gpgsm.c:374 msgid "|NAME|use message digest algorithm NAME" msgstr "|NAME|Den Hashalgorithmus NAME benutzen" -#: sm/gpgsm.c:372 +#: sm/gpgsm.c:376 msgid "|N|use compress algorithm N" msgstr "|N|Den Kompressionsalgorithmus Nummer N benutzen" -#: sm/gpgsm.c:380 +#: sm/gpgsm.c:384 msgid "" "@\n" "(See the man page for a complete listing of all commands and options)\n" @@ -1100,7 +1250,7 @@ "@\n" "(Die \"man\" Seite beschreibt alle Kommands und Optionen)\n" -#: sm/gpgsm.c:383 +#: sm/gpgsm.c:387 msgid "" "@\n" "Examples:\n" @@ -1120,11 +1270,11 @@ " --list-keys [Namen] Schlüssel anzeigenn\n" " --fingerprint [Namen] \"Fingerabdrücke\" anzeigen\\n\n" -#: sm/gpgsm.c:502 +#: sm/gpgsm.c:506 msgid "Usage: gpgsm [options] [files] (-h for help)" msgstr "Gebrauch: gpgsm [Optionen] [Dateien] (-h für Hilfe)" -#: sm/gpgsm.c:505 +#: sm/gpgsm.c:509 msgid "" "Syntax: gpgsm [options] [files]\n" "sign, check, encrypt or decrypt using the S/MIME protocol\n" @@ -1133,7 +1283,7 @@ "Gebrauch: gpgsm [Optionen] [Dateien]\n" "Signieren, prüfen, ver- und entschlüsseln mittels S/MIME protocol\n" -#: sm/gpgsm.c:512 +#: sm/gpgsm.c:516 msgid "" "\n" "Supported algorithms:\n" @@ -1141,50 +1291,50 @@ "\n" "Unterstützte Algorithmen:\n" -#: sm/gpgsm.c:599 +#: sm/gpgsm.c:603 msgid "usage: gpgsm [options] " msgstr "Gebrauch: gpgsm [Optionen] " -#: sm/gpgsm.c:664 +#: sm/gpgsm.c:668 msgid "conflicting commands\n" msgstr "Widersprechende Kommandos\n" -#: sm/gpgsm.c:680 +#: sm/gpgsm.c:684 #, c-format msgid "can't encrypt to `%s': %s\n" msgstr "Verschlüsseln für `%s' nicht möglich: %s\n" -#: sm/gpgsm.c:754 +#: sm/gpgsm.c:758 #, c-format msgid "libksba is too old (need %s, have %s)\n" msgstr "Die Bibliothek Libksba is nicht aktuell (benötige %s, habe %s)\n" -#: sm/gpgsm.c:1205 +#: sm/gpgsm.c:1215 msgid "WARNING: program may create a core file!\n" msgstr "WARNUNG: Programm könnte eine core-dump-Datei schreiben!\n" -#: sm/gpgsm.c:1217 +#: sm/gpgsm.c:1227 msgid "WARNING: running with faked system time: " msgstr "WARNUNG: Ausführung mit gefälschter Systemzeit: " -#: sm/gpgsm.c:1243 +#: sm/gpgsm.c:1253 msgid "selected cipher algorithm is invalid\n" msgstr "Das ausgewählte Verschlüsselungsverfahren ist ungültig\n" -#: sm/gpgsm.c:1251 +#: sm/gpgsm.c:1261 msgid "selected digest algorithm is invalid\n" msgstr "Das ausgewählte Hashverfahren ist ungültig\n" -#: sm/gpgsm.c:1281 +#: sm/gpgsm.c:1291 #, c-format msgid "can't sign using `%s': %s\n" msgstr "Signieren mit `%s' nicht möglich: %s\n" -#: sm/gpgsm.c:1452 +#: sm/gpgsm.c:1464 msgid "this command has not yet been implemented\n" msgstr "Diee Kommando wurde noch nicht implementiert\n" -#: sm/gpgsm.c:1682 sm/gpgsm.c:1719 +#: sm/gpgsm.c:1694 sm/gpgsm.c:1731 #, c-format msgid "can't open `%s': %s\n" msgstr "Datei `%s' kann nicht geöffnet werden: %s\n" @@ -1374,51 +1524,59 @@ msgid "Component not found" msgstr "Komponente nicht gefunden" -#: tools/gpgconf-comp.c:435 tools/gpgconf-comp.c:496 tools/gpgconf-comp.c:561 -#: tools/gpgconf-comp.c:614 tools/gpgconf-comp.c:680 +#: tools/gpgconf-comp.c:435 tools/gpgconf-comp.c:499 tools/gpgconf-comp.c:564 +#: tools/gpgconf-comp.c:617 tools/gpgconf-comp.c:686 msgid "Options controlling the diagnostic output" msgstr "Optionen zur Einstellung Diagnoseausgaben" -#: tools/gpgconf-comp.c:448 tools/gpgconf-comp.c:509 tools/gpgconf-comp.c:574 -#: tools/gpgconf-comp.c:627 tools/gpgconf-comp.c:703 +#: tools/gpgconf-comp.c:448 tools/gpgconf-comp.c:512 tools/gpgconf-comp.c:577 +#: tools/gpgconf-comp.c:630 tools/gpgconf-comp.c:709 msgid "Options controlling the configuration" msgstr "Optionen zur Einstellung der Konfiguration" -#: tools/gpgconf-comp.c:455 tools/gpgconf-comp.c:532 tools/gpgconf-comp.c:581 -#: tools/gpgconf-comp.c:637 tools/gpgconf-comp.c:710 +#: tools/gpgconf-comp.c:458 tools/gpgconf-comp.c:535 tools/gpgconf-comp.c:584 +#: tools/gpgconf-comp.c:640 tools/gpgconf-comp.c:716 msgid "Options useful for debugging" msgstr "Nützliche Optionen zum Debuggen" -#: tools/gpgconf-comp.c:460 tools/gpgconf-comp.c:537 tools/gpgconf-comp.c:586 -#: tools/gpgconf-comp.c:642 tools/gpgconf-comp.c:718 +#: tools/gpgconf-comp.c:463 tools/gpgconf-comp.c:540 tools/gpgconf-comp.c:589 +#: tools/gpgconf-comp.c:645 tools/gpgconf-comp.c:724 msgid "|FILE|write server mode logs to FILE" msgstr "|DATEI|Schreibe im Servermodus Logs auf DATEI" -#: tools/gpgconf-comp.c:468 tools/gpgconf-comp.c:542 tools/gpgconf-comp.c:650 +#: tools/gpgconf-comp.c:471 tools/gpgconf-comp.c:545 tools/gpgconf-comp.c:653 msgid "Options controlling the security" msgstr "Optionen zur Einstellung der Sicherheit" -#: tools/gpgconf-comp.c:594 +#: tools/gpgconf-comp.c:597 msgid "Configuration for Keyservers" msgstr "Konfiguration der Schlüsselserver" -#: tools/gpgconf-comp.c:693 +#: tools/gpgconf-comp.c:658 +msgid "do not check CRLs for root certificates" +msgstr "CRL bei Wurzelzertifikaten nicht überprüfen" + +#: tools/gpgconf-comp.c:699 msgid "Options controlling the format of the output" msgstr "Optionen zum Einstellen der Ausgabeformate" -#: tools/gpgconf-comp.c:729 +#: tools/gpgconf-comp.c:735 msgid "Options controlling the interactivity and enforcement" msgstr "Optionen zur Einstellung der Interaktivität und Geltendmachung" -#: tools/gpgconf-comp.c:739 +#: tools/gpgconf-comp.c:745 msgid "Configuration for HTTP servers" msgstr "Konfiguration für HTTP Server" -#: tools/gpgconf-comp.c:752 +#: tools/gpgconf-comp.c:756 +msgid "use system's HTTP proxy setting" +msgstr "Einstellungen des System HTTP-Proxy benutzen" + +#: tools/gpgconf-comp.c:761 msgid "Configuration of LDAP servers to use" msgstr "Konfiguration der zu nutzenden LDAP-Server" -#: tools/gpgconf-comp.c:789 +#: tools/gpgconf-comp.c:798 msgid "Configuration for OCSP" msgstr "Konfiguration zu OCSP" @@ -1438,9 +1596,6 @@ #~ msgid "error running `%s': exit status %d\n" #~ msgstr "Fehler bei Ausführung von `%s': Endestatus %d\n" -#~ msgid "error running `%s': terminated\n" -#~ msgstr "Fehler beim Ausführen von `%s': beendet\n" - #~ msgid "Usage: sc-investigate [options] (-h for help)\n" #~ msgstr "Gebrauch: sc-investigate [Optionen] (-h für Hilfe)\n" From cvs at cvs.gnupg.org Thu Apr 21 16:42:17 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Apr 21 16:42:20 2005 Subject: GNUPG-1-9-BRANCH gnupg (NEWS configure.ac) Message-ID: Date: Thursday, April 21, 2005 @ 16:59:18 Author: wk Path: /cvs/gnupg/gnupg Tag: GNUPG-1-9-BRANCH Modified: NEWS configure.ac post release version number update --------------+ NEWS | 4 ++++ configure.ac | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) Index: gnupg/NEWS diff -u gnupg/NEWS:1.165.2.67 gnupg/NEWS:1.165.2.68 --- gnupg/NEWS:1.165.2.67 Thu Apr 21 16:39:00 2005 +++ gnupg/NEWS Thu Apr 21 16:59:18 2005 @@ -1,3 +1,7 @@ +Noteworthy changes in version 1.9.17 +------------------------------------------------- + + Noteworthy changes in version 1.9.16 (2005-04-21) ------------------------------------------------- Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.36.2.85 gnupg/configure.ac:1.36.2.86 --- gnupg/configure.ac:1.36.2.85 Thu Apr 21 16:39:00 2005 +++ gnupg/configure.ac Thu Apr 21 16:59:18 2005 @@ -24,7 +24,7 @@ # Version number: Remember to change it immediately *after* a release. # Add a "-cvs" prefix for non-released code. -AC_INIT(gnupg, 1.9.16, gnupg-devel@gnupg.org) +AC_INIT(gnupg, 1.9.17-cvs, gnupg-devel@gnupg.org) # Set development_version to yes if the minor number is odd or you # feel that the default check for a development version is not # sufficient. From cvs at cvs.gnupg.org Thu Apr 21 23:16:19 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Fri Apr 22 00:21:07 2005 Subject: gnupg/m4 (ChangeLog libcurl.m4) Message-ID: Date: Thursday, April 21, 2005 @ 23:16:19 Author: dshaw Path: /cvs/gnupg/gnupg/m4 Modified: ChangeLog libcurl.m4 * libcurl.m4: Add a check for curl_free() since older versions of libcurl don't have it. Substitute free() as an alternative. ------------+ ChangeLog | 5 +++++ libcurl.m4 | 8 +++++++- 2 files changed, 12 insertions(+), 1 deletion(-) From cvs at cvs.gnupg.org Thu Apr 21 23:47:49 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Fri Apr 22 00:21:43 2005 Subject: gnupg/m4 (ChangeLog libcurl.m4) Message-ID: Date: Thursday, April 21, 2005 @ 23:47:49 Author: dshaw Path: /cvs/gnupg/gnupg/m4 Modified: ChangeLog libcurl.m4 * libcurl.m4: Properly work on systems that actually DO have curl_free()... ------------+ ChangeLog | 3 +++ libcurl.m4 | 24 ++++++++++++++++++------ 2 files changed, 21 insertions(+), 6 deletions(-) From cvs at cvs.gnupg.org Fri Apr 22 05:04:13 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Fri Apr 22 05:04:16 2005 Subject: gnupg/g10 (ChangeLog mainproc.c) Message-ID: Date: Friday, April 22, 2005 @ 05:21:14 Author: dshaw Path: /cvs/gnupg/gnupg/g10 Modified: ChangeLog mainproc.c * mainproc.c (symkey_decrypt_seskey): There is no need to have an extra check for a bad passphrase and/or unknown cipher algorithm here. We'll fail quite happily later, and usually with a better error message to boot. ------------+ ChangeLog | 7 ++++++ mainproc.c | 66 +++++++++++++++++++++++++++++------------------------------ 2 files changed, 40 insertions(+), 33 deletions(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.722 gnupg/g10/ChangeLog:1.723 --- gnupg/g10/ChangeLog:1.722 Sun Apr 17 06:10:03 2005 +++ gnupg/g10/ChangeLog Fri Apr 22 05:21:14 2005 @@ -1,3 +1,10 @@ +2005-04-21 David Shaw + + * mainproc.c (symkey_decrypt_seskey): There is no need to have an + extra check for a bad passphrase and/or unknown cipher algorithm + here. We'll fail quite happily later, and usually with a better + error message to boot. + 2005-04-16 David Shaw * keyserver.c (keyserver_spawn): Free some memory. Index: gnupg/g10/mainproc.c diff -u gnupg/g10/mainproc.c:1.164 gnupg/g10/mainproc.c:1.165 --- gnupg/g10/mainproc.c:1.164 Fri Apr 1 18:22:34 2005 +++ gnupg/g10/mainproc.c Fri Apr 22 05:21:14 2005 @@ -241,41 +241,41 @@ static int symkey_decrypt_seskey( DEK *dek, byte *seskey, size_t slen ) { - CIPHER_HANDLE hd; - unsigned int n; + CIPHER_HANDLE hd; - if ( slen < 17 || slen > 33 ) { - log_error ( _("weird size for an encrypted session key (%d)\n"), - (int)slen); - return G10ERR_BAD_KEY; - } - hd = cipher_open( dek->algo, CIPHER_MODE_CFB, 1 ); - cipher_setkey( hd, dek->key, dek->keylen ); - cipher_setiv( hd, NULL, 0 ); - cipher_decrypt( hd, seskey, seskey, slen ); - cipher_close( hd ); - /* check first byte (the cipher algo) */ - if(check_cipher_algo(seskey[0])) - { - /* There is no way to tell the difference here between a bad - passphrase and a cipher algorithm that we don't have. */ - log_error(_("bad passphrase or unknown cipher algorithm (%d)\n"), - seskey[0]); - if(seskey[0]==CIPHER_ALGO_IDEA) - idea_cipher_warn(0); - return G10ERR_PASSPHRASE; - } - n = cipher_get_keylen (seskey[0]) / 8; - if (n > DIM(dek->key)) - BUG (); - /* now we replace the dek components with the real session key - to decrypt the contents of the sequencing packet. */ - dek->keylen = cipher_get_keylen( seskey[0] ) / 8; - dek->algo = seskey[0]; - memcpy( dek->key, seskey + 1, dek->keylen ); - /*log_hexdump( "thekey", dek->key, dek->keylen );*/ + if(slen < 17 || slen > 33) + { + log_error ( _("weird size for an encrypted session key (%d)\n"), + (int)slen); + return G10ERR_BAD_KEY; + } + + hd = cipher_open( dek->algo, CIPHER_MODE_CFB, 1 ); + cipher_setkey( hd, dek->key, dek->keylen ); + cipher_setiv( hd, NULL, 0 ); + cipher_decrypt( hd, seskey, seskey, slen ); + cipher_close( hd ); + + /* now we replace the dek components with the real session key to + decrypt the contents of the sequencing packet. */ + + dek->keylen=slen-1; + dek->algo=seskey[0]; + + if(dek->keylen > DIM(dek->key)) + BUG (); + + /* This is not completely accurate, since a bad passphrase may have + resulted in a garbage algorithm byte, but it's close enough since + a bogus byte here will fail later. */ + if(dek->algo==CIPHER_ALGO_IDEA) + idea_cipher_warn(0); + + memcpy(dek->key, seskey + 1, dek->keylen); + + /*log_hexdump( "thekey", dek->key, dek->keylen );*/ - return 0; + return 0; } static void From cvs at cvs.gnupg.org Fri Apr 22 05:19:17 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Fri Apr 22 05:19:20 2005 Subject: gnupg/g10 (ChangeLog keyedit.c) Message-ID: Date: Friday, April 22, 2005 @ 05:36:20 Author: dshaw Path: /cvs/gnupg/gnupg/g10 Modified: ChangeLog keyedit.c * keyedit.c (sign_uids, keyedit_menu): When the user requests to sign a key without specifying which user IDs to sign, and declines to sign all user IDs, walk through the set of user IDs and prompt for which to sign. -----------+ ChangeLog | 5 +++++ keyedit.c | 48 +++++++++++++++++++++++++++++++----------------- 2 files changed, 36 insertions(+), 17 deletions(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.723 gnupg/g10/ChangeLog:1.724 --- gnupg/g10/ChangeLog:1.723 Fri Apr 22 05:21:14 2005 +++ gnupg/g10/ChangeLog Fri Apr 22 05:36:20 2005 @@ -1,5 +1,10 @@ 2005-04-21 David Shaw + * keyedit.c (sign_uids, keyedit_menu): When the user requests to + sign a key without specifying which user IDs to sign, and declines + to sign all user IDs, walk through the set of user IDs and prompt + for which to sign. + * mainproc.c (symkey_decrypt_seskey): There is no need to have an extra check for a bad passphrase and/or unknown cipher algorithm here. We'll fail quite happily later, and usually with a better Index: gnupg/g10/keyedit.c diff -u gnupg/g10/keyedit.c:1.175 gnupg/g10/keyedit.c:1.176 --- gnupg/g10/keyedit.c:1.175 Mon Mar 21 16:24:47 2005 +++ gnupg/g10/keyedit.c Fri Apr 22 05:36:20 2005 @@ -498,7 +498,7 @@ */ static int sign_uids( KBNODE keyblock, STRLIST locusr, int *ret_modified, - int local, int nonrevocable, int trust ) + int local, int nonrevocable, int trust, int interactive ) { int rc = 0; SK_LIST sk_list = NULL; @@ -506,7 +506,7 @@ PKT_secret_key *sk = NULL; KBNODE node, uidnode; PKT_public_key *primary_pk=NULL; - int select_all = !count_selected_uids(keyblock); + int select_all = !count_selected_uids(keyblock) || interactive; int all_v3=1; /* Are there any non-v3 sigs on this key already? */ @@ -575,10 +575,12 @@ force_v4=0; } } - else if( node->pkt->pkttype == PKT_USER_ID ) { + else if( node->pkt->pkttype == PKT_USER_ID ) + { uidnode = (node->flag & NODFLG_MARK_A)? node : NULL; if(uidnode) { + int yesreally=0; char *user=utf8_to_native(uidnode->pkt->pkt.user_id->name, uidnode->pkt->pkt.user_id->len, 0); @@ -601,6 +603,8 @@ uidnode->flag &= ~NODFLG_MARK_A; uidnode=NULL; } + else if(interactive) + yesreally=1; } else { @@ -627,6 +631,8 @@ uidnode->flag &= ~NODFLG_MARK_A; uidnode=NULL; } + else if(interactive) + yesreally=1; } else { @@ -652,6 +658,8 @@ uidnode->flag &= ~NODFLG_MARK_A; uidnode=NULL; } + else if(interactive) + yesreally=1; } else { @@ -661,9 +669,20 @@ } } + if(uidnode && interactive && !yesreally) + { + tty_printf(_("User ID \"%s\" is signable. "),user); + if(!cpr_get_answer_is_yes("sign_uid.sign_okay", + _("Sign it? (y/N) "))) + { + uidnode->flag &= ~NODFLG_MARK_A; + uidnode=NULL; + } + } + m_free(user); } - } + } else if( uidnode && node->pkt->pkttype == PKT_SIGNATURE && (node->pkt->pkt.signature->sig_class&~3) == 0x10 ) { if( sk_keyid[0] == node->pkt->pkt.signature->keyid[0] @@ -1554,6 +1573,7 @@ PKT_public_key *pk=keyblock->pkt->pkt.public_key; tty_printf("\n"); + if( redisplay && !quiet ) { show_key_with_all_names( cur_keyblock, 0, 1, 0, 1, 0 ); @@ -1683,7 +1703,7 @@ case cmdSIGN: /* sign (only the public key) */ { - int localsig=0,nonrevokesig=0,trustsig=0; + int localsig=0,nonrevokesig=0,trustsig=0,interactive=0; if( pk->is_revoked ) { @@ -1704,17 +1724,11 @@ } } - if( count_uids(keyblock) > 1 && !count_selected_uids(keyblock) - && !have_commands ) - { - if( !cpr_get_answer_is_yes("keyedit.sign_all.okay", - _("Really sign all user IDs?" - " (y/N) "))) - { - tty_printf(_("Hint: Select the user IDs to sign\n")); - break; - } - } + if(count_uids(keyblock) > 1 && !count_selected_uids(keyblock) + && !cpr_get_answer_is_yes("keyedit.sign_all.okay", + _("Really sign all user IDs?" + " (y/N) "))) + interactive=1; /* What sort of signing are we doing? */ if(!parse_sign_type(answer,&localsig,&nonrevokesig,&trustsig)) @@ -1724,7 +1738,7 @@ } sign_uids(keyblock, locusr, &modified, - localsig, nonrevokesig, trustsig); + localsig, nonrevokesig, trustsig, interactive); } break; From cvs at cvs.gnupg.org Fri Apr 22 14:16:17 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Fri Apr 22 14:16:20 2005 Subject: libgcrypt (AUTHORS) Message-ID: Date: Friday, April 22, 2005 @ 14:33:23 Author: wk Path: /cvs/libgcrypt/libgcrypt Modified: AUTHORS added new author with CA ---------+ AUTHORS | 7 +++++++ 1 files changed, 7 insertions(+) Index: libgcrypt/AUTHORS diff -u libgcrypt/AUTHORS:1.44 libgcrypt/AUTHORS:1.45 --- libgcrypt/AUTHORS:1.44 Fri Feb 13 13:44:15 2004 +++ libgcrypt/AUTHORS Fri Apr 22 14:33:23 2005 @@ -62,6 +62,13 @@ nmav@gnutls.org Orginal code for cipher/rfc2268.c. +LIBGCRYPT The Written Word 2005-04-15 +Assigns past and future changes. (new: src/libgcrypt.pc.in, +src/Makefile.am, src/secmem.c, mpi/hppa1.1/mpih-mul3.S, +mpi/hppa1.1/udiv-qrnnd.S, mpi/hppa1.1/mpih-mul2.S, +mpi/hppa1.1/mpih-mul1.S, mpi/Makefile.am, tests/prime.c, +tests/register.c, tests/ac.c, tests/basic.c, tests/tsexp.c, +tests/keygen.c, tests/pubkey.c, configure.ac, acinclude.m4) More credits From cvs at cvs.gnupg.org Sat Apr 23 00:23:08 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Sat Apr 23 00:23:13 2005 Subject: libgcrypt (30 files) Message-ID: Date: Saturday, April 23, 2005 @ 00:39:44 Author: mo Path: /cvs/libgcrypt/libgcrypt Added: src/libgcrypt.pc.in Modified: ChangeLog acinclude.m4 cipher/ChangeLog cipher/Makefile.am cipher/ac.c cipher/md.c configure.ac mpi/ChangeLog mpi/Makefile.am mpi/hppa1.1/mpih-mul1.S mpi/hppa1.1/mpih-mul2.S mpi/hppa1.1/mpih-mul3.S mpi/hppa1.1/udiv-qrnnd.S src/ChangeLog src/Makefile.am src/g10lib.h src/global.c tests/ChangeLog tests/ac-data.c tests/ac-schemes.c tests/ac.c tests/basic.c tests/benchmark.c tests/keygen.c tests/pkbench.c tests/prime.c tests/pubkey.c tests/register.c tests/tsexp.c ChangeLog: 2005-04-23 Moritz Schulte * acinclude.m4 (TYPE_SOCKLEN_T): New type definition test; provided by Albert Chin. * configure.ac: Don't use $(CMD) as it's not portable; use `CMD` nstead. Simpler -lnsl/-lsocket test. Use TYPE_SOCKLEN_T test. Don't forget to set `random_modules' correctly. 2005-04-22 Moritz Schulte * configure.ac: Added support for pkgconfig; provided by Albert Chin. cipher/ChangeLog: 2005-04-12 Moritz Schulte * ac.c (_gcry_ac_io_write, _gcry_ac_io_read): Initialize err to make the compiler happy. Always use errno, now that gcry_malloc() is guaranteed to set errno on failure. (_gcry_ac_data_to_sexp): Don't forget to goto out after error in loop. (_gcry_ac_data_to_sexp): Remove unused variable: mpi_list; (_gcry_ac_data_to_sexp): Always deallocate sexp_buffer. (_gcry_ac_data_from_sexp): Don't forget to initialize data_set_new. (_gcry_ac_data_from_sexp): Handle special case, which is necessary, since gcry_sexp_nth() does not distinguish between "element does not exist" and "element is the empty list". (_gcry_ac_io_init_va): Use assert to make sure that mode and type are correct. Use gcry_error_t types where gcry_err_code_t types have been used before. mpi/ChangeLog: 2005-04-23 Moritz Schulte * Makefile.am: Don't assume the compiler will pre-process the .S files. Some compilers, like those from HP and IBM, don't do this. So, we use the same solution gnupg-1.4.0 does. Preprocess first and then compile. * hppa1.1/mpih-mul3.S: Add "level 1.1" directive to disable warning about using PA-RISC1.1 opcodes. * hppa1.1/mpih-mul2.S: Likewise. * hppa1.1/mpih-mul1.S: Likewise. * hppa1.1/udiv-qrnnd.S: Likewise. src/ChangeLog: 2005-04-22 Moritz Schulte * Makefile.am (pkgconfigdir, pkgconfig_DATA): New; support for pkgconfig provided by Albert Chin. * libgcrypt.pc.in (Cflags): New file. 2005-04-16 Moritz Schulte * g10lib.h (_gcry_ac_init): Declare. * global.c (global_init): Call _gcry_ac_init; don't forget to set err. tests/ChangeLog: 2005-04-22 Moritz Schulte * tsexp.c: Include in case HAVE_CONFIG_H is defined; thanks to Albert Chin. * testapi.c: Likewise. * register.c: Likewise. * pubkey.c: Likewise. * prime.c: Likewise. * pkbench.c: Likewise. * keygen.c: Likewise. * benchmark.c: Likewise. * basic.c: Likewise. * ac-schemes.c: Likewise. * ac-data.c: Likewise. * ac.c: Likewise. 2005-04-16 Moritz Schulte * ac-data.c (check_run): Include new test. --------------------------+ ChangeLog | 14 ++++++++++++++ acinclude.m4 | 40 ++++++++++++++++++++++++++++++++++++++++ cipher/ChangeLog | 4 ++++ cipher/Makefile.am | 1 + cipher/ac.c | 13 ++++++------- cipher/md.c | 3 +++ configure.ac | 30 +++++++++++++----------------- mpi/ChangeLog | 13 +++++++++++++ mpi/Makefile.am | 8 ++++++-- mpi/hppa1.1/mpih-mul1.S | 2 ++ mpi/hppa1.1/mpih-mul2.S | 2 ++ mpi/hppa1.1/mpih-mul3.S | 1 + mpi/hppa1.1/udiv-qrnnd.S | 2 ++ src/ChangeLog | 12 ++++++++++++ src/Makefile.am | 2 ++ src/g10lib.h | 1 + src/global.c | 10 +++++++--- src/libgcrypt.pc.in | 11 +++++++++++ tests/ChangeLog | 20 ++++++++++++++++++++ tests/ac-data.c | 11 +++++++---- tests/ac-schemes.c | 3 +++ tests/ac.c | 5 ++++- tests/basic.c | 5 ++++- tests/benchmark.c | 2 +- tests/keygen.c | 5 ++++- tests/pkbench.c | 5 ++++- tests/prime.c | 5 ++++- tests/pubkey.c | 5 ++++- tests/register.c | 5 ++++- tests/tsexp.c | 5 ++++- 30 files changed, 203 insertions(+), 42 deletions(-) Index: libgcrypt/ChangeLog diff -u libgcrypt/ChangeLog:1.166 libgcrypt/ChangeLog:1.167 --- libgcrypt/ChangeLog:1.166 Mon Apr 11 14:06:25 2005 +++ libgcrypt/ChangeLog Sat Apr 23 00:39:42 2005 @@ -1,3 +1,17 @@ +2005-04-23 Moritz Schulte + + * acinclude.m4 (TYPE_SOCKLEN_T): New type definition test; + provided by Albert Chin. + * configure.ac: Don't use $(CMD) as it's not portable; use `CMD` nstead. + Simpler -lnsl/-lsocket test. + Use TYPE_SOCKLEN_T test. + Don't forget to set `random_modules' correctly. + +2005-04-22 Moritz Schulte + + * configure.ac: Added support for pkgconfig; provided by Albert + Chin. + 2005-04-11 Moritz Schulte * configure.ac: Integrate Whirlpool. Index: libgcrypt/acinclude.m4 diff -u libgcrypt/acinclude.m4:1.44 libgcrypt/acinclude.m4:1.45 --- libgcrypt/acinclude.m4:1.44 Tue Feb 22 18:54:27 2005 +++ libgcrypt/acinclude.m4 Sat Apr 23 00:39:42 2005 @@ -727,3 +727,43 @@ fi ]) +dnl Check for socklen_t: historically on BSD it is an int, and in +dnl POSIX 1g it is a type of its own, but some platforms use different +dnl types for the argument to getsockopt, getpeername, etc. So we +dnl have to test to find something that will work. +AC_DEFUN([TYPE_SOCKLEN_T], +[ + AC_CHECK_TYPE([socklen_t], ,[ + AC_MSG_CHECKING([for socklen_t equivalent]) + AC_CACHE_VAL([socklen_t_equiv], + [ + # Systems have either "struct sockaddr *" or + # "void *" as the second argument to getpeername + socklen_t_equiv= + for arg2 in "struct sockaddr" void; do + for t in int size_t unsigned long "unsigned long"; do + AC_TRY_COMPILE([ + #include + #include + + int getpeername (int, $arg2 *, $t *); + ],[ + $t len; + getpeername(0,0,&len); + ],[ + socklen_t_equiv="$t" + break + ]) + done + done + + if test "x$socklen_t_equiv" = x; then + AC_MSG_ERROR([Cannot find a type to use in place of socklen_t]) + fi + ]) + AC_MSG_RESULT($socklen_t_equiv) + AC_DEFINE_UNQUOTED(socklen_t, $socklen_t_equiv, + [type to use in place of socklen_t if not defined])], + [#include +#include ]) +]) Index: libgcrypt/cipher/ChangeLog diff -u libgcrypt/cipher/ChangeLog:1.231 libgcrypt/cipher/ChangeLog:1.232 --- libgcrypt/cipher/ChangeLog:1.231 Tue Apr 12 22:19:51 2005 +++ libgcrypt/cipher/ChangeLog Sat Apr 23 00:39:42 2005 @@ -1,3 +1,7 @@ +2005-04-16 Moritz Schulte + + * ac.c (_gcry_ac_init): New function. + 2005-04-12 Moritz Schulte * ac.c (_gcry_ac_io_write, _gcry_ac_io_read): Initialize err to Index: libgcrypt/cipher/Makefile.am diff -u libgcrypt/cipher/Makefile.am:1.81 libgcrypt/cipher/Makefile.am:1.82 --- libgcrypt/cipher/Makefile.am:1.81 Fri Feb 13 13:44:13 2004 +++ libgcrypt/cipher/Makefile.am Sat Apr 23 00:39:43 2005 @@ -62,6 +62,7 @@ sha256.c \ sha512.c \ tiger.c \ +whirlpool.c \ twofish.c \ rfc2268.c Index: libgcrypt/cipher/ac.c diff -u libgcrypt/cipher/ac.c:1.18 libgcrypt/cipher/ac.c:1.19 --- libgcrypt/cipher/ac.c:1.18 Tue Apr 12 22:19:51 2005 +++ libgcrypt/cipher/ac.c Sat Apr 23 00:39:43 2005 @@ -1323,13 +1323,6 @@ -/* - * Wrapper macros. - */ - - - - /* * Handle management. */ @@ -3475,3 +3468,9 @@ return gcry_error (err); } + +gcry_err_code_t +_gcry_ac_init (void) +{ + return 0; +} Index: libgcrypt/cipher/md.c diff -u libgcrypt/cipher/md.c:1.84 libgcrypt/cipher/md.c:1.85 --- libgcrypt/cipher/md.c:1.84 Sun Apr 10 21:00:27 2005 +++ libgcrypt/cipher/md.c Sat Apr 23 00:39:43 2005 @@ -64,6 +64,9 @@ #if USE_TIGER { &_gcry_digest_spec_tiger, GCRY_MD_TIGER }, #endif +#if USE_WHIRLPOOL + { &_gcry_digest_spec_whirlpool, GCRY_MD_WHIRLPOOL }, +#endif { NULL }, }; Index: libgcrypt/configure.ac diff -u libgcrypt/configure.ac:1.74 libgcrypt/configure.ac:1.75 --- libgcrypt/configure.ac:1.74 Mon Apr 11 14:06:25 2005 +++ libgcrypt/configure.ac Sat Apr 23 00:39:42 2005 @@ -19,7 +19,7 @@ # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA # # (Process this file with autoconf to produce a configure script.) -AC_REVISION($Revision: 1.74 $) +AC_REVISION($Revision: 1.75 $) AC_PREREQ(2.59) min_automake_version="1.9.3" @@ -250,7 +250,7 @@ AC_ARG_ENABLE(ciphers, AC_HELP_STRING([--enable-ciphers=ciphers], [select the symmetric ciphers to include]), - [enabled_ciphers=$(echo $enableval | tr , ' ' | tr '[A-Z]' '[a-z]')], + [enabled_ciphers=`echo $enableval | tr , ' ' | tr '[A-Z]' '[a-z]'`], [enabled_ciphers=""]) if test "x$enabled_ciphers" = "x" \ -o "$enabled_ciphers" = "yes" \ @@ -270,7 +270,7 @@ AC_ARG_ENABLE(pubkey-ciphers, AC_HELP_STRING([--enable-pubkey-ciphers=ciphers], [select the public-key ciphers to include]), - [enabled_pubkey_ciphers=$(echo $enableval | tr , ' ' | tr '[A-Z]' '[a-z]')], + [enabled_pubkey_ciphers=`echo $enableval | tr , ' ' | tr '[A-Z]' '[a-z]'`], [enabled_pubkey_ciphers=""]) if test "x$enabled_pubkey_ciphers" = "x" \ -o "$enabled_pubkey_ciphers" = "yes" \ @@ -290,7 +290,7 @@ AC_ARG_ENABLE(digests, AC_HELP_STRING([--enable-digests=digests], [select the message digests to include]), - [enabled_digests=$(echo $enableval | tr , ' ' | tr '[A-Z]' '[a-z]')], + [enabled_digests=`echo $enableval | tr , ' ' | tr '[A-Z]' '[a-z]'`], [enabled_digests=""]) if test "x$enabled_digests" = "x" \ -o "$enabled_digests" = "yes" \ @@ -310,7 +310,7 @@ AC_ARG_ENABLE(random, AC_HELP_STRING([--enable-random=name], [select which random number generator to use]), - [random=$(echo $enableval | tr '[A-Z]' '[a-z]')], + [random=`echo $enableval | tr '[A-Z]' '[a-z]'`], []) if test "x$random" = "x" -o "$random" = "yes" -o "$random" = "no"; then random=default @@ -428,18 +428,9 @@ # Solaris needs -lsocket and -lnsl. Unisys system includes # gethostbyname in libsocket but needs libnsl for socket. -AC_CHECK_LIB(nsl, gethostbyname) -AC_CHECK_LIB(socket, socket, ac_need_libsocket=1, ac_try_nsl=1) -if test x$ac_need_libsocket = x1; then - LIBS="$LIBS -lsocket" -fi -if test x$ac_try_nsl = x1; then - AC_CHECK_LIB(nsl, gethostbyname, ac_need_libnsl=1) - if test x$ac_need_libnsl = x1 - then - LIBS="$LIBS -lnsl" - fi -fi +AC_SEARCH_LIBS(setsockopt, [socket], , + [AC_SEARCH_LIBS(setsockopt, [socket], , , [-lnsl])]) +AC_SEARCH_LIBS(setsockopt, [nsl]) ################################## #### Checks for header files. #### @@ -474,6 +465,8 @@ #include ]) +TYPE_SOCKLEN_T + ####################################### #### Checks for library functions. #### ####################################### @@ -554,6 +547,8 @@ if test "$random" = "auto"; then # Build everything, allow to select at runtime. random_modules="$auto_random_modules" + else + random_modules="$random" fi fi @@ -788,6 +783,7 @@ doc/Makefile src/Makefile src/libgcrypt-config +src/libgcrypt.pc tests/Makefile w32-dll/Makefile ]) Index: libgcrypt/mpi/ChangeLog diff -u libgcrypt/mpi/ChangeLog:1.92 libgcrypt/mpi/ChangeLog:1.93 --- libgcrypt/mpi/ChangeLog:1.92 Tue Feb 22 18:54:27 2005 +++ libgcrypt/mpi/ChangeLog Sat Apr 23 00:39:43 2005 @@ -1,3 +1,16 @@ +2005-04-23 Moritz Schulte + + * Makefile.am: Don't assume the compiler will pre-process the .S + files. Some compilers, like those from HP and IBM, don't do + this. So, we use the same solution gnupg-1.4.0 does. Preprocess + first and then compile. + + * hppa1.1/mpih-mul3.S: Add "level 1.1" directive to disable + warning about using PA-RISC1.1 opcodes. + * hppa1.1/mpih-mul2.S: Likewise. + * hppa1.1/mpih-mul1.S: Likewise. + * hppa1.1/udiv-qrnnd.S: Likewise. + 2005-02-16 Moritz Schulte * mpiutil.c (_gcry_mpi_alloc_limb_space): Rewritten, fixed memory Index: libgcrypt/mpi/Makefile.am diff -u libgcrypt/mpi/Makefile.am:1.37 libgcrypt/mpi/Makefile.am:1.38 --- libgcrypt/mpi/Makefile.am:1.37 Fri Dec 19 12:44:32 2003 +++ libgcrypt/mpi/Makefile.am Sat Apr 23 00:39:43 2005 @@ -181,10 +181,14 @@ SUFFIXES = .S .o .obj .lo .S.o: - $(CCASCOMPILE) -c `test -f '$<' || echo '$(srcdir)/'`$< + $(CPP) $(INCLUDES) $(DEFS) $< | grep -v '^#' > $*.s + $(CCASCOMPILE) -c `test -f '$*.s' || echo '$(srcdir)/'`$*.s + rm $*.s .S.obj: $(CCASCOMPILE) -c `if test -f '$<'; then $(CYGPATH_W) '$<'; else $(CYGPATH_W) '$(srcdir)/$<'; fi` .S.lo: - $(LTCCASCOMPILE) -c -o $@ `test -f '$<' || echo '$(srcdir)/'`$< + $(CPP) $(INCLUDES) $(DEFS) $< | grep -v '^#' > $*.s + $(LTCCASCOMPILE) -c -o $@ `test -f '$*.s' || echo '$(srcdir)/'`$*.s + rm $*.s Index: libgcrypt/mpi/hppa1.1/mpih-mul1.S diff -u libgcrypt/mpi/hppa1.1/mpih-mul1.S:1.5 libgcrypt/mpi/hppa1.1/mpih-mul1.S:1.6 --- libgcrypt/mpi/hppa1.1/mpih-mul1.S:1.5 Tue May 14 15:11:07 2002 +++ libgcrypt/mpi/hppa1.1/mpih-mul1.S Sat Apr 23 00:39:43 2005 @@ -55,6 +55,8 @@ * in the cache.) */ + .level 1.1 + .code .export _gcry_mpih_mul_1 .label _gcry_mpih_mul_1 Index: libgcrypt/mpi/hppa1.1/mpih-mul2.S diff -u libgcrypt/mpi/hppa1.1/mpih-mul2.S:1.5 libgcrypt/mpi/hppa1.1/mpih-mul2.S:1.6 --- libgcrypt/mpi/hppa1.1/mpih-mul2.S:1.5 Tue May 14 15:11:07 2002 +++ libgcrypt/mpi/hppa1.1/mpih-mul2.S Sat Apr 23 00:39:43 2005 @@ -45,6 +45,8 @@ * There are some ideas described in mul1.S that applies to this code too. */ + .level 1.1 + .code .export _gcry_mpih_addmul_1 .label _gcry_mpih_addmul_1 Index: libgcrypt/mpi/hppa1.1/mpih-mul3.S diff -u libgcrypt/mpi/hppa1.1/mpih-mul3.S:1.5 libgcrypt/mpi/hppa1.1/mpih-mul3.S:1.6 --- libgcrypt/mpi/hppa1.1/mpih-mul3.S:1.5 Tue May 14 15:11:07 2002 +++ libgcrypt/mpi/hppa1.1/mpih-mul3.S Sat Apr 23 00:39:43 2005 @@ -51,6 +51,7 @@ * but that requires reworking the hairy software pipeline... */ + .level 1.1 .code .export _gcry_mpih_submul_1 Index: libgcrypt/mpi/hppa1.1/udiv-qrnnd.S diff -u libgcrypt/mpi/hppa1.1/udiv-qrnnd.S:1.8 libgcrypt/mpi/hppa1.1/udiv-qrnnd.S:1.9 --- libgcrypt/mpi/hppa1.1/udiv-qrnnd.S:1.8 Tue Feb 22 18:54:26 2005 +++ libgcrypt/mpi/hppa1.1/udiv-qrnnd.S Sat Apr 23 00:39:43 2005 @@ -36,6 +36,8 @@ * d gr23 */ + .level 1.1 + .data .align 8 .label L$0000 Index: libgcrypt/src/ChangeLog diff -u libgcrypt/src/ChangeLog:1.164 libgcrypt/src/ChangeLog:1.165 --- libgcrypt/src/ChangeLog:1.164 Thu Apr 14 19:50:16 2005 +++ libgcrypt/src/ChangeLog Sat Apr 23 00:39:43 2005 @@ -1,3 +1,15 @@ +2005-04-22 Moritz Schulte + + * Makefile.am (pkgconfigdir, pkgconfig_DATA): New; support for + pkgconfig provided by Albert Chin. + * libgcrypt.pc.in (Cflags): New file. + +2005-04-16 Moritz Schulte + + * g10lib.h (_gcry_ac_init): Declare. + * global.c (global_init): Call _gcry_ac_init; don't forget to set + err. + 2005-04-14 Werner Koch * sexp.c (whitespacep): New. Index: libgcrypt/src/Makefile.am diff -u libgcrypt/src/Makefile.am:1.44 libgcrypt/src/Makefile.am:1.45 --- libgcrypt/src/Makefile.am:1.44 Thu Apr 15 11:12:34 2004 +++ libgcrypt/src/Makefile.am Sat Apr 23 00:39:44 2005 @@ -22,6 +22,8 @@ bin_SCRIPTS = libgcrypt-config m4datadir = $(datadir)/aclocal m4data_DATA = libgcrypt.m4 +pkgconfigdir = $(libdir)/pkgconfig +pkgconfig_DATA = libgcrypt.pc include_HEADERS = gcrypt.h gcrypt-module.h lib_LTLIBRARIES = libgcrypt.la Index: libgcrypt/src/g10lib.h diff -u libgcrypt/src/g10lib.h:1.27 libgcrypt/src/g10lib.h:1.28 --- libgcrypt/src/g10lib.h:1.27 Sun Feb 13 19:13:22 2005 +++ libgcrypt/src/g10lib.h Sat Apr 23 00:39:44 2005 @@ -237,6 +237,7 @@ gcry_err_code_t _gcry_cipher_init (void); gcry_err_code_t _gcry_md_init (void); gcry_err_code_t _gcry_pk_init (void); +gcry_err_code_t _gcry_ac_init (void); gcry_err_code_t _gcry_pk_module_lookup (int id, gcry_module_t *module); void _gcry_pk_module_release (gcry_module_t module); Index: libgcrypt/src/global.c diff -u libgcrypt/src/global.c:1.48 libgcrypt/src/global.c:1.49 --- libgcrypt/src/global.c:1.48 Tue Feb 22 18:49:27 2005 +++ libgcrypt/src/global.c Sat Apr 23 00:39:44 2005 @@ -66,11 +66,15 @@ err = ath_init (); if (! err) - _gcry_cipher_init (); + err = _gcry_cipher_init (); if (! err) - _gcry_md_init (); + err = _gcry_md_init (); if (! err) - _gcry_pk_init (); + err = _gcry_pk_init (); +#if 0 + if (! err) + err = _gcry_ac_init (); +#endif if (err) /* FIXME? */ Index: libgcrypt/src/libgcrypt.pc.in diff -u /dev/null libgcrypt/src/libgcrypt.pc.in:1.1 --- /dev/null Sat Apr 23 00:39:59 2005 +++ libgcrypt/src/libgcrypt.pc.in Sat Apr 23 00:39:44 2005 @@ -0,0 +1,11 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ + +Name: libgcrypt +Description: General purpose crypto library +Version: @VERSION@ +Requires: libgpg-error +Libs: -L${libdir} -lgcrypt +Cflags: -I${includedir} Index: libgcrypt/tests/ChangeLog diff -u libgcrypt/tests/ChangeLog:1.55 libgcrypt/tests/ChangeLog:1.56 --- libgcrypt/tests/ChangeLog:1.55 Mon Apr 11 14:02:35 2005 +++ libgcrypt/tests/ChangeLog Sat Apr 23 00:39:44 2005 @@ -1,3 +1,23 @@ +2005-04-22 Moritz Schulte + + * tsexp.c: Include in case HAVE_CONFIG_H is defined; + thanks to Albert Chin. + * testapi.c: Likewise. + * register.c: Likewise. + * pubkey.c: Likewise. + * prime.c: Likewise. + * pkbench.c: Likewise. + * keygen.c: Likewise. + * benchmark.c: Likewise. + * basic.c: Likewise. + * ac-schemes.c: Likewise. + * ac-data.c: Likewise. + * ac.c: Likewise. + +2005-04-16 Moritz Schulte + + * ac-data.c (check_run): Include new test. + 2005-04-11 Moritz Schulte * basic.c (check_digests): Add tests for Whirlpool. Index: libgcrypt/tests/ac-data.c diff -u libgcrypt/tests/ac-data.c:1.1 libgcrypt/tests/ac-data.c:1.2 --- libgcrypt/tests/ac-data.c:1.1 Wed Mar 30 21:05:25 2005 +++ libgcrypt/tests/ac-data.c Sat Apr 23 00:39:44 2005 @@ -18,6 +18,9 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include @@ -72,9 +75,7 @@ assert_err (err); length1 = gcry_ac_data_length (data); - assert (length1); length2 = gcry_ac_data_length (data2); - assert (length2); assert (length1 == length2); for (i = 0; i < length1; i++) @@ -149,9 +150,11 @@ gcry_mpi_release (mpi1); printf ("data-set-test-1 succeeded\n"); - - + gcry_ac_data_clear (data); + assert (! gcry_ac_data_length (data)); + check_sexp_conversion (data); + printf ("data-set-test-2 succeeded\n"); gcry_ac_data_destroy (data); Index: libgcrypt/tests/ac-schemes.c diff -u libgcrypt/tests/ac-schemes.c:1.2 libgcrypt/tests/ac-schemes.c:1.3 --- libgcrypt/tests/ac-schemes.c:1.2 Wed Mar 30 21:05:25 2005 +++ libgcrypt/tests/ac-schemes.c Sat Apr 23 00:39:44 2005 @@ -18,6 +18,9 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. */ +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include Index: libgcrypt/tests/ac.c diff -u libgcrypt/tests/ac.c:1.8 libgcrypt/tests/ac.c:1.9 --- libgcrypt/tests/ac.c:1.8 Thu Jan 15 08:41:28 2004 +++ libgcrypt/tests/ac.c Sat Apr 23 00:39:44 2005 @@ -1,5 +1,5 @@ /* pubkey.c - Public key encryption/decryption tests - * Copyright (C) 2003 Free Software Foundation, Inc. + * Copyright (C) 2003, 2005 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * @@ -18,6 +18,9 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include Index: libgcrypt/tests/basic.c diff -u libgcrypt/tests/basic.c:1.28 libgcrypt/tests/basic.c:1.29 --- libgcrypt/tests/basic.c:1.28 Mon Apr 11 14:02:35 2005 +++ libgcrypt/tests/basic.c Sat Apr 23 00:39:44 2005 @@ -1,5 +1,5 @@ /* basic.c - basic regression tests - * Copyright (C) 2001, 2002, 2003 Free Software Foundation, Inc. + * Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * @@ -18,6 +18,9 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include Index: libgcrypt/tests/benchmark.c diff -u libgcrypt/tests/benchmark.c:1.3 libgcrypt/tests/benchmark.c:1.4 --- libgcrypt/tests/benchmark.c:1.3 Wed Mar 3 09:08:05 2004 +++ libgcrypt/tests/benchmark.c Sat Apr 23 00:39:44 2005 @@ -1,5 +1,5 @@ /* benchmark.c - for libgcrypt - * Copyright (C) 2002, 2004 Free Software Foundation, Inc. + * Copyright (C) 2002, 2004, 2005 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * Index: libgcrypt/tests/keygen.c diff -u libgcrypt/tests/keygen.c:1.6 libgcrypt/tests/keygen.c:1.7 --- libgcrypt/tests/keygen.c:1.6 Tue Nov 4 13:03:40 2003 +++ libgcrypt/tests/keygen.c Sat Apr 23 00:39:44 2005 @@ -1,5 +1,5 @@ /* keygen.c - key generation regression tests - * Copyright (C) 2003 Free Software Foundation, Inc. + * Copyright (C) 2003, 2005 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * @@ -18,6 +18,9 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include Index: libgcrypt/tests/pkbench.c diff -u libgcrypt/tests/pkbench.c:1.3 libgcrypt/tests/pkbench.c:1.4 --- libgcrypt/tests/pkbench.c:1.3 Wed Sep 15 22:36:10 2004 +++ libgcrypt/tests/pkbench.c Sat Apr 23 00:39:44 2005 @@ -1,5 +1,5 @@ /* pkbench.c - Pubkey menchmarking - * Copyright (C) 2004 Free Software Foundation, Inc. + * Copyright (C) 2004, 2005 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * @@ -18,6 +18,9 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include Index: libgcrypt/tests/prime.c diff -u libgcrypt/tests/prime.c:1.2 libgcrypt/tests/prime.c:1.3 --- libgcrypt/tests/prime.c:1.2 Fri Oct 10 16:17:20 2003 +++ libgcrypt/tests/prime.c Sat Apr 23 00:39:44 2005 @@ -1,5 +1,5 @@ /* prime.c - part of the Libgcrypt test suite. - Copyright (C) 2001, 2002, 2003 Free Software Foundation, Inc. + Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as @@ -16,6 +16,9 @@ Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. */ +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include Index: libgcrypt/tests/pubkey.c diff -u libgcrypt/tests/pubkey.c:1.5 libgcrypt/tests/pubkey.c:1.6 --- libgcrypt/tests/pubkey.c:1.5 Thu Dec 4 17:11:53 2003 +++ libgcrypt/tests/pubkey.c Sat Apr 23 00:39:44 2005 @@ -1,5 +1,5 @@ /* pubkey.c - Public key encryption/decryption tests - * Copyright (C) 2001, 2002, 2003 Free Software Foundation, Inc. + * Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * @@ -18,6 +18,9 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include Index: libgcrypt/tests/register.c diff -u libgcrypt/tests/register.c:1.6 libgcrypt/tests/register.c:1.7 --- libgcrypt/tests/register.c:1.6 Tue Jul 22 00:51:40 2003 +++ libgcrypt/tests/register.c Sat Apr 23 00:39:44 2005 @@ -1,5 +1,5 @@ /* register.c - Test for registering of additional cipher modules. - * Copyright (C) 2001, 2002, 2003 Free Software Foundation, Inc. + * Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * @@ -18,6 +18,9 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include Index: libgcrypt/tests/tsexp.c diff -u libgcrypt/tests/tsexp.c:1.10 libgcrypt/tests/tsexp.c:1.11 --- libgcrypt/tests/tsexp.c:1.10 Tue Feb 3 13:13:15 2004 +++ libgcrypt/tests/tsexp.c Sat Apr 23 00:39:44 2005 @@ -1,5 +1,5 @@ /* tsexp.c - S-expression regression tests - * Copyright (C) 2001, 2002, 2003 Free Software Foundation, Inc. + * Copyright (C) 2001, 2002, 2003, 2005 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * @@ -18,6 +18,9 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ +#ifdef HAVE_CONFIG_H +#include +#endif #include #include #include From cvs at cvs.gnupg.org Sat Apr 23 01:35:49 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sat Apr 23 01:35:53 2005 Subject: gnupg/include (ChangeLog distfiles) Message-ID: Date: Saturday, April 23, 2005 @ 01:52:58 Author: dshaw Path: /cvs/gnupg/gnupg/include Modified: ChangeLog distfiles * distfiles: Add assuan.h. -----------+ ChangeLog | 4 ++++ distfiles | 1 + 2 files changed, 5 insertions(+) Index: gnupg/include/ChangeLog diff -u gnupg/include/ChangeLog:1.84 gnupg/include/ChangeLog:1.85 --- gnupg/include/ChangeLog:1.84 Tue Apr 5 19:09:12 2005 +++ gnupg/include/ChangeLog Sat Apr 23 01:52:58 2005 @@ -1,3 +1,7 @@ +2005-04-22 David Shaw + + * distfiles: Add assuan.h. + 2005-04-04 Werner Koch * memory.h (xcalloc, xcalloc_secure): Replaced macros by functions. Index: gnupg/include/distfiles diff -u gnupg/include/distfiles:1.13 gnupg/include/distfiles:1.14 --- gnupg/include/distfiles:1.13 Sun Sep 28 15:42:18 2003 +++ gnupg/include/distfiles Sat Apr 23 01:52:58 2005 @@ -12,5 +12,6 @@ keyserver.h _regex.h dynload.h +assuan.h ChangeLog From cvs at cvs.gnupg.org Sat Apr 23 02:58:20 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sat Apr 23 02:58:26 2005 Subject: gnupg/scripts (ChangeLog gnupg.spec.in) Message-ID: Date: Saturday, April 23, 2005 @ 03:15:29 Author: dshaw Path: /cvs/gnupg/gnupg/scripts Modified: ChangeLog gnupg.spec.in * gnupg.spec.in: No longer any need to override libexecdir. The makefiles now calculate this correctly internally. ---------------+ ChangeLog | 5 +++++ gnupg.spec.in | 6 +++++- 2 files changed, 10 insertions(+), 1 deletion(-) Index: gnupg/scripts/ChangeLog diff -u gnupg/scripts/ChangeLog:1.67 gnupg/scripts/ChangeLog:1.68 --- gnupg/scripts/ChangeLog:1.67 Wed Mar 30 16:23:01 2005 +++ gnupg/scripts/ChangeLog Sat Apr 23 03:15:29 2005 @@ -1,3 +1,8 @@ +2005-04-22 David Shaw + + * gnupg.spec.in: No longer any need to override libexecdir. The + makefiles now calculate this correctly internally. + 2005-03-30 Werner Koch * w32installer.nsi: Allow including of WINPT source. Include Index: gnupg/scripts/gnupg.spec.in diff -u gnupg/scripts/gnupg.spec.in:1.10 gnupg/scripts/gnupg.spec.in:1.11 --- gnupg/scripts/gnupg.spec.in:1.10 Thu Feb 17 04:49:16 2005 +++ gnupg/scripts/gnupg.spec.in Sat Apr 23 03:15:29 2005 @@ -25,6 +25,10 @@ BuildRoot: %{_tmppath}/rpmbuild_%{name}-%{version} %changelog +* Fri Apr 22 2005 David Shaw +- No longer any need to override libexecdir. The makefiles now + calculate this correctly internally. + * Wed Feb 16 2005 David Shaw - Fix problem with storing the gpgkeys helpers in libexec, but calling them in libexec/gnupg. @@ -165,7 +169,7 @@ make %install -%makeinstall libexecdir=$RPM_BUILD_ROOT/%{_libexecdir}/gnupg +%makeinstall %find_lang %{name} rm %{buildroot}%{_datadir}/%{name}/FAQ rm %{buildroot}%{_datadir}/%{name}/faq.html From cvs at cvs.gnupg.org Sun Apr 24 17:48:25 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sun Apr 24 17:48:28 2005 Subject: gnupg/g10 (ChangeLog keyedit.c trustdb.h) Message-ID: Date: Sunday, April 24, 2005 @ 18:05:41 Author: dshaw Path: /cvs/gnupg/gnupg/g10 Modified: ChangeLog keyedit.c trustdb.h * trustdb.h, keyedit.c (keyedit_menu, menu_select_uid_namehash): Allow specifying user ID via the namehash from --with-colons --fixed-list-mode --list-keys. Suggested by Peter Palfrader. -----------+ ChangeLog | 6 ++++++ keyedit.c | 46 ++++++++++++++++++++++++++++++++++++++++++++-- trustdb.h | 3 +++ 3 files changed, 53 insertions(+), 2 deletions(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.724 gnupg/g10/ChangeLog:1.725 --- gnupg/g10/ChangeLog:1.724 Fri Apr 22 05:36:20 2005 +++ gnupg/g10/ChangeLog Sun Apr 24 18:05:41 2005 @@ -1,3 +1,9 @@ +2005-04-24 David Shaw + + * trustdb.h, keyedit.c (keyedit_menu, menu_select_uid_namehash): + Allow specifying user ID via the namehash from --with-colons + --fixed-list-mode --list-keys. Suggested by Peter Palfrader. + 2005-04-21 David Shaw * keyedit.c (sign_uids, keyedit_menu): When the user requests to Index: gnupg/g10/keyedit.c diff -u gnupg/g10/keyedit.c:1.176 gnupg/g10/keyedit.c:1.177 --- gnupg/g10/keyedit.c:1.176 Fri Apr 22 05:36:20 2005 +++ gnupg/g10/keyedit.c Sun Apr 24 18:05:41 2005 @@ -62,6 +62,7 @@ static int menu_set_keyserver_url (const char *url, KBNODE pub_keyblock, KBNODE sec_keyblock ); static int menu_select_uid( KBNODE keyblock, int idx ); +static int menu_select_uid_namehash( KBNODE keyblock, const char *namehash ); static int menu_select_key( KBNODE keyblock, int idx ); static int count_uids( KBNODE keyblock ); static int count_uids_with_flag( KBNODE keyblock, unsigned flag ); @@ -1685,8 +1686,10 @@ break; case cmdSELUID: - if( menu_select_uid( cur_keyblock, arg_number ) ) - redisplay = 1; + if(strlen(arg_string)==NAMEHASH_LEN*2) + redisplay=menu_select_uid_namehash(cur_keyblock,arg_string); + else + redisplay=menu_select_uid(cur_keyblock,arg_number); break; case cmdSELKEY: @@ -3900,6 +3903,45 @@ return 1; } +/* Search in the keyblock for a uid that matches namehash */ +static int +menu_select_uid_namehash( KBNODE keyblock, const char *namehash ) +{ + byte hash[NAMEHASH_LEN]; + KBNODE node; + int i; + + assert(strlen(namehash)==NAMEHASH_LEN*2); + + for(i=0;inext;node;node=node->next) + { + if(node->pkt->pkttype==PKT_USER_ID) + { + namehash_from_uid(node->pkt->pkt.user_id); + if(memcmp(node->pkt->pkt.user_id->namehash,hash,NAMEHASH_LEN)==0) + { + if(node->flag&NODFLG_SELUID) + node->flag &= ~NODFLG_SELUID; + else + node->flag |= NODFLG_SELUID; + + break; + } + } + } + + if(!node) + { + tty_printf(_("No user ID with hash %s\n"),namehash); + return 0; + } + + return 1; +} + /**************** * Select secondary keys * Returns: True if the selection changed; Index: gnupg/g10/trustdb.h diff -u gnupg/g10/trustdb.h:1.50 gnupg/g10/trustdb.h:1.51 --- gnupg/g10/trustdb.h:1.50 Sun Feb 6 18:38:43 2005 +++ gnupg/g10/trustdb.h Sun Apr 24 18:05:41 2005 @@ -37,6 +37,9 @@ #define TRUST_FLAG_DISABLED 128 /* d: key/uid disabled */ #define TRUST_FLAG_PENDING_CHECK 256 /* a check-trustdb is pending */ +#define NAMEHASH_HASH DIGEST_ALGO_RMD160 +#define NAMEHASH_LEN 20 + /*-- trustdb.c --*/ void register_trusted_keyid(u32 *keyid); void register_trusted_key( const char *string ); From cvs at cvs.gnupg.org Sun Apr 24 18:35:01 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sun Apr 24 18:35:04 2005 Subject: gnupg/m4 (ChangeLog libcurl.m4) Message-ID: Date: Sunday, April 24, 2005 @ 18:52:15 Author: dshaw Path: /cvs/gnupg/gnupg/m4 Modified: ChangeLog libcurl.m4 * libcurl.m4: Add a check for curl_free() since older versions of libcurl don't have it. Substitute free() as an alternative. ------------+ ChangeLog | 5 +++++ libcurl.m4 | 20 +++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) Index: gnupg/m4/ChangeLog diff -u gnupg/m4/ChangeLog:1.17 gnupg/m4/ChangeLog:1.18 --- gnupg/m4/ChangeLog:1.17 Mon Mar 21 15:32:44 2005 +++ gnupg/m4/ChangeLog Sun Apr 24 18:52:14 2005 @@ -1,3 +1,8 @@ +2005-04-24 David Shaw + + * libcurl.m4: Add a check for curl_free() since older versions of + libcurl don't have it. Substitute free() as an alternative. + 2005-03-21 David Shaw * readline.m4: Check for completion functionality. Index: gnupg/m4/libcurl.m4 diff -u gnupg/m4/libcurl.m4:1.10 gnupg/m4/libcurl.m4:1.11 --- gnupg/m4/libcurl.m4:1.10 Tue Mar 1 01:05:16 2005 +++ gnupg/m4/libcurl.m4 Sun Apr 24 18:52:15 2005 @@ -1,7 +1,7 @@ # LIBCURL_CHECK_CONFIG ([DEFAULT-ACTION], [MINIMUM-VERSION], # [ACTION-IF-YES], [ACTION-IF-NO]) # ---------------------------------------------------------- -# David Shaw Jan-23-2005 +# David Shaw Apr-21-2005 # # Checks for libcurl. DEFAULT-ACTION is the string yes or no to # specify whether to default to --with-libcurl or --without-libcurl. @@ -155,6 +155,24 @@ ]) if test $libcurl_cv_lib_curl_usable = yes ; then + + # Does curl_free() exist in this version of libcurl? + # If not, fake it with free() + + _libcurl_save_cppflags=$CPPFLAGS + CPPFLAGS="$CPPFLAGS $LIBCURL_CPPFLAGS" + _libcurl_save_libs=$LIBS + LIBS="$LIBS $LIBCURL" + + AC_CHECK_FUNC(curl_free,, + AC_DEFINE(curl_free,free, + [Define curl_free() as free() if our version of curl lacks curl_free.])) + + CPPFLAGS=$_libcurl_save_cppflags + LIBS=$_libcurl_save_libs + unset _libcurl_save_cppflags + unset _libcurl_save_libs + AC_DEFINE(HAVE_LIBCURL,1, [Define to 1 if you have a functional curl library.]) AC_SUBST(LIBCURL_CPPFLAGS) From cvs at cvs.gnupg.org Sun Apr 24 20:18:12 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sun Apr 24 20:18:16 2005 Subject: gnupg/g10 (ChangeLog keyedit.c trustdb.c trustdb.h) Message-ID: Date: Sunday, April 24, 2005 @ 20:35:30 Author: dshaw Path: /cvs/gnupg/gnupg/g10 Modified: ChangeLog keyedit.c trustdb.c trustdb.h * trustdb.h, trustdb.c (mark_usable_uid_certs): Add flags for the no-pubkey and chosen revocation cases. (clean_uid): New function to clean a user ID of unusable (as defined by mark_usable_uid_certs) certs. * keyedit.c (keyedit_menu, menu_clean_uids): Call it here for new "clean" command that removes unusable sigs from a key. -----------+ ChangeLog | 8 ++++ keyedit.c | 65 ++++++++++++++++++++++++++++++++--- trustdb.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++++++--------- trustdb.h | 2 + 4 files changed, 164 insertions(+), 21 deletions(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.725 gnupg/g10/ChangeLog:1.726 --- gnupg/g10/ChangeLog:1.725 Sun Apr 24 18:05:41 2005 +++ gnupg/g10/ChangeLog Sun Apr 24 20:35:30 2005 @@ -1,5 +1,13 @@ 2005-04-24 David Shaw + * trustdb.h, trustdb.c (mark_usable_uid_certs): Add flags for the + no-pubkey and chosen revocation cases. + (clean_uid): New function to clean a user ID of unusable (as + defined by mark_usable_uid_certs) certs. + + * keyedit.c (keyedit_menu, menu_clean_uids): Call it here for new + "clean" command that removes unusable sigs from a key. + * trustdb.h, keyedit.c (keyedit_menu, menu_select_uid_namehash): Allow specifying user ID via the namehash from --with-colons --fixed-list-mode --list-keys. Suggested by Peter Palfrader. Index: gnupg/g10/keyedit.c diff -u gnupg/g10/keyedit.c:1.177 gnupg/g10/keyedit.c:1.178 --- gnupg/g10/keyedit.c:1.177 Sun Apr 24 18:05:41 2005 +++ gnupg/g10/keyedit.c Sun Apr 24 20:35:30 2005 @@ -53,6 +53,7 @@ static int menu_adduid( KBNODE keyblock, KBNODE sec_keyblock, int photo ); static void menu_deluid( KBNODE pub_keyblock, KBNODE sec_keyblock ); static int menu_delsig( KBNODE pub_keyblock ); +static int menu_clean_uids(KBNODE keyblock); static void menu_delkey( KBNODE pub_keyblock, KBNODE sec_keyblock ); static int menu_addrevoker( KBNODE pub_keyblock, KBNODE sec_keyblock, int sensitive ); @@ -1327,7 +1328,7 @@ cmdADDREVOKER, cmdTOGGLE, cmdSELKEY, cmdPASSWD, cmdTRUST, cmdPREF, cmdEXPIRE, cmdENABLEKEY, cmdDISABLEKEY, cmdSHOWPREF, cmdSETPREF, cmdPREFKS, cmdINVCMD, cmdSHOWPHOTO, cmdUPDTRUST, cmdCHKTRUST, - cmdADDCARDKEY, cmdKEYTOCARD, cmdBKUPTOCARD, cmdNOP + cmdADDCARDKEY, cmdKEYTOCARD, cmdBKUPTOCARD, cmdCLEAN, cmdNOP }; static struct @@ -1426,6 +1427,7 @@ { "enable" , cmdENABLEKEY , KEYEDIT_NOT_SK, N_("enable key") }, { "disable" , cmdDISABLEKEY, KEYEDIT_NOT_SK, N_("disable key") }, { "showphoto",cmdSHOWPHOTO , 0, N_("show selected photo IDs") }, + { "clean", cmdCLEAN , KEYEDIT_NOT_SK, NULL }, { NULL, cmdNONE, 0, NULL } }; @@ -1952,7 +1954,7 @@ { int sensitive=0; - if(arg_string && ascii_strcasecmp(arg_string,"sensitive")==0) + if(ascii_strcasecmp(arg_string,"sensitive")==0) sensitive=1; if( menu_addrevoker( keyblock, sec_keyblock, sensitive ) ) { redisplay = 1; @@ -2123,9 +2125,27 @@ } break; - case cmdSHOWPHOTO: - menu_showphoto(keyblock); - break; + case cmdSHOWPHOTO: + menu_showphoto(keyblock); + break; + + case cmdCLEAN: + { + if(*arg_string) + { + if(ascii_strcasecmp(arg_string,"sigs")!=0 + && ascii_strcasecmp(arg_string,"signatures")!=0 + && ascii_strcasecmp(arg_string,"certs")!=0 + && ascii_strcasecmp(arg_string,"certificates")!=0) + { + tty_printf(_("Unable to clean `%s'\n"),arg_string); + break; + } + } + + modified=menu_clean_uids(keyblock); + } + break; case cmdQUIT: if( have_commands ) @@ -3108,6 +3128,41 @@ return changed; } +static int +menu_clean_uids(KBNODE keyblock) +{ + KBNODE uidnode; + int modified=0; + int select_all=!count_selected_uids(keyblock); + + for(uidnode=keyblock;uidnode;uidnode=uidnode->next) + { + if(uidnode->pkt->pkttype==PKT_USER_ID + && (uidnode->flag&NODFLG_SELUID || select_all)) + { + int deleted; + char *user=utf8_to_native(uidnode->pkt->pkt.user_id->name, + uidnode->pkt->pkt.user_id->len, + 0); + deleted=clean_uid(keyblock,uidnode,opt.verbose); + if(deleted) + { + tty_printf(deleted==1? + _("User ID \"%s\": %d signature removed.\n"): + _("User ID \"%s\": %d signatures removed.\n"), + user,deleted); + modified=1; + } + else + tty_printf(_("User ID \"%s\": already clean.\n"),user); + + m_free(user); + } + } + + return modified; +} + /**************** * Remove some of the secondary keys Index: gnupg/g10/trustdb.c diff -u gnupg/g10/trustdb.c:1.137 gnupg/g10/trustdb.c:1.138 --- gnupg/g10/trustdb.c:1.137 Sun Feb 6 18:38:43 2005 +++ gnupg/g10/trustdb.c Sun Apr 24 20:35:30 2005 @@ -1,6 +1,6 @@ /* trustdb.c - * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, - * 2004 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, + * 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -1409,8 +1409,9 @@ * To do this, we first revmove all signatures which are not valid and * from the remain ones we look for the latest one. If this is not a * certification revocation signature we mark the signature by setting - * node flag bit 8. Note that flag bits 9 and 10 are used for internal - * purposes. + * node flag bit 8. Revocations are marked with flag 11, and sigs + * from unavailable keys are marked with flag 12. Note that flag bits + * 9 and 10 are used for internal purposes. */ static void mark_usable_uid_certs (KBNODE keyblock, KBNODE uidnode, @@ -1423,34 +1424,44 @@ /* first check all signatures */ for (node=uidnode->next; node; node = node->next) { - node->flag &= ~(1<<8 | 1<<9 | 1<<10); + int rc; + + node->flag &= ~(1<<8 | 1<<9 | 1<<10 | 1<<11 | 1<<12); if (node->pkt->pkttype == PKT_USER_ID || node->pkt->pkttype == PKT_PUBLIC_SUBKEY) break; /* ready */ if (node->pkt->pkttype != PKT_SIGNATURE) continue; - sig = node->pkt->pkt.signature; - if (sig->keyid[0] == main_kid[0] && sig->keyid[1] == main_kid[1]) - continue; /* ignore self-signatures */ + if (main_kid + && sig->keyid[0] == main_kid[0] && sig->keyid[1] == main_kid[1]) + continue; /* ignore self-signatures if we pass in a main_kid */ if (!IS_UID_SIG(sig) && !IS_UID_REV(sig)) continue; /* we only look at these signature classes */ if(sig->sig_class>=0x11 && sig->sig_class<=0x13 && sig->sig_class-0x10flag |= 1<<12; + continue; + } node->flag |= 1<<9; } /* reset the remaining flags */ for (; node; node = node->next) - node->flag &= ~(1<<8 | 1<<9 | 1 << 10); + node->flag &= ~(1<<8 | 1<<9 | 1<<10 | 1<<11 | 1<<12); /* kbnode flag usage: bit 9 is here set for signatures to consider, * bit 10 will be set by the loop to keep track of keyIDs already - * processed, bit 8 will be set for the usable signatures */ + * processed, bit 8 will be set for the usable signatures, and bit + * 11 will be set for usable revocations. */ /* for each cert figure out the latest valid one */ for (node=uidnode->next; node; node = node->next) @@ -1458,7 +1469,7 @@ KBNODE n, signode; u32 kid[2]; u32 sigdate; - + if (node->pkt->pkttype == PKT_PUBLIC_SUBKEY) break; if ( !(node->flag & (1<<9)) ) @@ -1470,6 +1481,8 @@ signode = node; sigdate = sig->timestamp; kid[0] = sig->keyid[0]; kid[1] = sig->keyid[1]; + + /* Now find the latest and greatest signature */ for (n=uidnode->next; n; n = n->next) { if (n->pkt->pkttype == PKT_PUBLIC_SUBKEY) @@ -1532,6 +1545,7 @@ sigdate = sig->timestamp; } } + sig = signode->pkt->pkt.signature; if (IS_UID_SIG (sig)) { /* this seems to be a usable one which is not revoked. @@ -1550,11 +1564,75 @@ if (expire==0 || expire > curtime ) { signode->flag |= (1<<8); /* yeah, found a good cert */ - if (expire && expire < *next_expire) + if (next_expire && expire && expire < *next_expire) *next_expire = expire; } } + else + signode->flag |= (1<<11); + } +} + +int +clean_uid(KBNODE keyblock,KBNODE uidnode,int noisy) +{ + int deleted=0; + KBNODE node; + + assert(keyblock->pkt->pkttype==PKT_PUBLIC_KEY); + + /* Passing in a 0 for current time here means that we'll never weed + out an expired sig. This is correct behavior since we want to + keep the most recent expired sig in a series. */ + mark_usable_uid_certs(keyblock,uidnode,NULL,NULL,0,NULL); + + /* What we want to do here is remove signatures that are not + considered as part of the trust calculations. Thus, all invalid + signatures are out, as are any signatures that aren't the last of + a series of uid sigs or revocations It breaks down like this: + coming out of mark_usable_uid_certs, if a sig is unflagged, it is + not even a candidate. If a sig has flag 9 or 10, that means it + was selected as a candidate and vetted. If a sig has flag 8 it + is a usable signature. If a sig has flag 11 it is a usable + revocation. If a sig has flag 12 it was issued by an unavailable + key. "Usable" here means the most recent valid + signature/revocation in a series from a particular signer. + + Delete everything that isn't a usable uid sig (which might be + expired), a usable revocation, or a sig from an unavailable + key. */ + + for(node=uidnode->next; + node && node->pkt->pkttype==PKT_SIGNATURE; + node=node->next) + { + /* Keep usable uid sigs ... */ + if(node->flag & (1<<8)) + continue; + + /* ... and usable revocations... */ + if(node->flag & (1<<11)) + continue; + + /* ... and sigs from unavailable keys. */ + if(node->flag & (1<<12)) + continue; + + /* Everything else we delete */ + + /* if 9 or 10 is set, but we get this far, it's superceded, + otherwise, it's invalid */ + + if(noisy) + log_info("removing signature issued by key %s: %s\n", + keystr(node->pkt->pkt.signature->keyid), + node->flag&(1<<9)?"superceded":"invalid"); + + delete_kbnode(node); + deleted++; } + + return deleted; } /* Used by validate_one_keyblock to confirm a regexp within a trust Index: gnupg/g10/trustdb.h diff -u gnupg/g10/trustdb.h:1.51 gnupg/g10/trustdb.h:1.52 --- gnupg/g10/trustdb.h:1.51 Sun Apr 24 18:05:41 2005 +++ gnupg/g10/trustdb.h Sun Apr 24 20:35:30 2005 @@ -81,6 +81,8 @@ void update_ownertrust (PKT_public_key *pk, unsigned int new_trust ); int clear_ownertrusts (PKT_public_key *pk); +int clean_uid(KBNODE keyblock,KBNODE uidnode,int noisy); + /*-- tdbdump.c --*/ void list_trustdb(const char *username); void export_ownertrust(void); From cvs at cvs.gnupg.org Wed Apr 27 15:21:41 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Wed Apr 27 15:21:45 2005 Subject: GNUPG-1-9-BRANCH gnupg/doc (ChangeLog tools.texi) Message-ID: Date: Wednesday, April 27, 2005 @ 15:39:17 Author: wk Path: /cvs/gnupg/gnupg/doc Tag: GNUPG-1-9-BRANCH Modified: ChangeLog tools.texi (symcryptrun): Added. ------------+ ChangeLog | 2 + tools.texi | 94 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) Index: gnupg/doc/ChangeLog diff -u gnupg/doc/ChangeLog:1.39.2.28 gnupg/doc/ChangeLog:1.39.2.29 --- gnupg/doc/ChangeLog:1.39.2.28 Wed Apr 27 14:09:21 2005 +++ gnupg/doc/ChangeLog Wed Apr 27 15:39:16 2005 @@ -1,5 +1,7 @@ 2005-04-27 Werner Koch + * tools.texi (symcryptrun): Added. + * scdaemon.texi: Removed OpenSC specific options. 2005-04-20 Werner Koch Index: gnupg/doc/tools.texi diff -u gnupg/doc/tools.texi:1.1.2.8 gnupg/doc/tools.texi:1.1.2.9 --- gnupg/doc/tools.texi:1.1.2.8 Thu Feb 24 18:36:11 2005 +++ gnupg/doc/tools.texi Wed Apr 27 15:39:16 2005 @@ -14,6 +14,7 @@ * gpgsm-gencert.sh:: Generate an X.509 certificate request. * gpg-preset-passphrase:: Put a passphrase into the cache. * gpg-connect-agent:: Communicate with a running agent. +* symcryptrun:: Call a simple symmetric encryption tool. @end menu @c @@ -721,9 +722,102 @@ (on W32 systems) by means on the Registry entry @var{HKCU\Software\GNU\GnuPG:HomeDir}. +@end table + +@c +@c SYMCRYPTRUN +@c +@node symcryptrun +@section Call a simple symmetric encryption tool. + +Sometimes simple encryption tools are already in use for a long time and +there might be a desire to integrate them into the GnuPG framework. The +protocols and encryption methods might be non-standard or not even +properly documented, so that a full-fledged encryption tool with an +interface like gpg is not doable. @command{symcryptrun} provides a +solution: It operates by calling the external encryption/decryption +module and provides a passphrase for a key using the standard +@command{pinentry} based mechanism through @command{gpg-agent}. + +Note, that @command{symcryptrun} is only available if GnuPG has been +configured with @samp{--enable-symcryptrun} at build time. + +@menu +* Invoking symcryptrun:: List of all commands and options. +@end menu + + +@node Invoking symcryptrun +@subsection List of all commands and options. + +@noindent +@command{symcryptrun} is invoked this way: + +@example +symcryptrun --class CLASS --program PROGRAM --keyfile KEYFILE + [--decrypt | --encrypt] [inputfile] +@end example + +For encryption, the plain text must be provided on STDIN or as the +argument @var{inputfile}, and the ciphertext will be output to STDOUT. +For decryption vice versa. + +@var{CLASS} describes the calling conventions of the external tool. +Currently it must be given as @samp{confucius}. @var{PROGRAM} is the +the full filename of that external tool. + +For the class @samp{confucius} the option @option{--keyfile} is +required; @var{keyfile} is the name of a file containing the secret key, +which may be protected by a passphrase. For detailed calling +conventions, see the source code. + +@noindent +Note, that @command{gpg-agent} must be running before starting +@command{symcryptrun}. + +@noindent +The following additional options may be used: + +@table @gnupgtabopt +@item -v +@itemx --verbose +@opindex verbose +Output additional information while running. + +@item -q +@item --quiet +@opindex q +@opindex quiet +Try to be as quiet as possible. + +@item --homedir @var{dir} +@opindex homedir +Set the name of the home directory to @var{dir}. If his option is not +used, the home directory defaults to @file{~/.gnupg}. It is only +recognized when given on the command line. It also overrides any home +directory stated through the environment variable @env{GNUPGHOME} or +(on W32 systems) by means on the Registry entry +@var{HKCU\Software\GNU\GnuPG:HomeDir}. + +@item --log-file @var{file} +@opindex log-file +Append all logging output to @var{file}. Default is to write logging +informaton to STDERR. @end table +@noindent +The possible exit status codes of @command{symcryptrun} are: +@table @code +@item 0 + Success. +@item 1 + Some error occured. +@item 2 + No valid passphrase was provided. +@item 3 + The operation was canceled by the user. +@end table From cvs at cvs.gnupg.org Wed Apr 27 21:11:46 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Wed Apr 27 21:11:51 2005 Subject: libgcrypt/mpi (ChangeLog mpiutil.c) Message-ID: Date: Wednesday, April 27, 2005 @ 21:29:24 Author: mo Path: /cvs/libgcrypt/libgcrypt/mpi Modified: ChangeLog mpiutil.c 2005-04-27 Moritz Schulte * mpiutil.c (gcry_mpi_randomize): Store random data in secure memory if the given MPI is secure - not the other way around (argl). -----------+ ChangeLog | 5 +++++ mpiutil.c | 8 ++++---- 2 files changed, 9 insertions(+), 4 deletions(-) Index: libgcrypt/mpi/ChangeLog diff -u libgcrypt/mpi/ChangeLog:1.93 libgcrypt/mpi/ChangeLog:1.94 --- libgcrypt/mpi/ChangeLog:1.93 Sat Apr 23 00:39:43 2005 +++ libgcrypt/mpi/ChangeLog Wed Apr 27 21:29:24 2005 @@ -1,3 +1,8 @@ +2005-04-27 Moritz Schulte + + * mpiutil.c (gcry_mpi_randomize): Store random data in secure + memory if the given MPI is secure - not the other way around (argl). + 2005-04-23 Moritz Schulte * Makefile.am: Don't assume the compiler will pre-process the .S Index: libgcrypt/mpi/mpiutil.c diff -u libgcrypt/mpi/mpiutil.c:1.39 libgcrypt/mpi/mpiutil.c:1.40 --- libgcrypt/mpi/mpiutil.c:1.39 Wed Feb 16 20:48:35 2005 +++ libgcrypt/mpi/mpiutil.c Wed Apr 27 21:29:24 2005 @@ -410,14 +410,14 @@ if (level == GCRY_WEAK_RANDOM) { - p = mpi_is_secure(w) ? gcry_xmalloc (nbytes) - : gcry_xmalloc_secure (nbytes); + p = mpi_is_secure(w) ? gcry_xmalloc_secure (nbytes) + : gcry_xmalloc (nbytes); gcry_create_nonce (p, nbytes); } else { - p = mpi_is_secure(w) ? gcry_random_bytes (nbytes, level) - : gcry_random_bytes_secure (nbytes, level); + p = mpi_is_secure(w) ? gcry_random_bytes_secure (nbytes, level) + : gcry_random_bytes (nbytes, level); } _gcry_mpi_set_buffer( w, p, nbytes, 0 ); gcry_free (p); From cvs at cvs.gnupg.org Wed Apr 27 21:30:16 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Wed Apr 27 21:30:19 2005 Subject: GNUPG-1-9-BRANCH gnupg/scd (7 files) Message-ID: Date: Wednesday, April 27, 2005 @ 21:47:53 Author: wk Path: /cvs/gnupg/gnupg/scd Tag: GNUPG-1-9-BRANCH Modified: ChangeLog app-openpgp.c app-p15.c app.c iso7816.c tlv.c tlv.h * app-p15.c (micardo_mse): New. (do_sign): Call it. * iso7816.c (iso7816_manage_security_env): Allow passing DATA as NULL to indicate an empty Lc. * tlv.c (find_tlv): Check that a found object fits into the buffer. (find_tlv_unchecked): New as replacement for the old non-checking variant. * app.c (select_application): Keep on using the non-checking variant. * app-openpgp.c (get_one_do, dump_all_do): Ditto. ---------------+ ChangeLog | 13 +++++ app-openpgp.c | 8 +-- app-p15.c | 142 +++++++++++++++++++++++++++++++++++++++++++++++++------- app.c | 2 iso7816.c | 9 +-- tlv.c | 23 +++++++-- tlv.h | 11 +++- 7 files changed, 177 insertions(+), 31 deletions(-) Index: gnupg/scd/ChangeLog diff -u gnupg/scd/ChangeLog:1.25.2.75 gnupg/scd/ChangeLog:1.25.2.76 --- gnupg/scd/ChangeLog:1.25.2.75 Wed Apr 27 14:09:20 2005 +++ gnupg/scd/ChangeLog Wed Apr 27 21:47:53 2005 @@ -1,5 +1,18 @@ 2005-04-27 Werner Koch + * app-p15.c (micardo_mse): New. + (do_sign): Call it. + * iso7816.c (iso7816_manage_security_env): Allow passing DATA as + NULL to indicate an empty Lc. + * tlv.c (find_tlv): Check that a found object fits into the + buffer. + (find_tlv_unchecked): New as replacement for the old non-checking + variant. + * app.c (select_application): Keep on using the non-checking + variant. + * app-openpgp.c (get_one_do, dump_all_do): Ditto. + + Removal of the old OpenSC based code. * app-p15.c: New. Basic support for pkcs15 cards without OpenSC. Index: gnupg/scd/app-openpgp.c diff -u gnupg/scd/app-openpgp.c:1.9.2.30 gnupg/scd/app-openpgp.c:1.9.2.31 --- gnupg/scd/app-openpgp.c:1.9.2.30 Thu Apr 14 19:25:43 2005 +++ gnupg/scd/app-openpgp.c Wed Apr 27 21:47:53 2005 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA * - * $Id: app-openpgp.c,v 1.9.2.30 2005/04/14 17:25:43 wk Exp $ + * $Id: app-openpgp.c,v 1.9.2.31 2005/04/27 19:47:53 wk Exp $ */ #include @@ -357,7 +357,7 @@ { const unsigned char *s; - s = find_tlv (buffer, buflen, tag, &valuelen); + s = find_tlv_unchecked (buffer, buflen, tag, &valuelen); if (!s) value = NULL; /* not found */ else if (valuelen > buflen - (s - buffer)) @@ -433,8 +433,8 @@ if (j==i || data_objects[i].tag != data_objects[j].get_from) continue; - value = find_tlv (buffer, buflen, - data_objects[j].tag, &valuelen); + value = find_tlv_unchecked (buffer, buflen, + data_objects[j].tag, &valuelen); if (!value) ; /* not found */ else if (valuelen > buflen - (value - buffer)) Index: gnupg/scd/app-p15.c diff -u gnupg/scd/app-p15.c:1.1.2.2 gnupg/scd/app-p15.c:1.1.2.3 --- gnupg/scd/app-p15.c:1.1.2.2 Wed Apr 27 14:09:20 2005 +++ gnupg/scd/app-p15.c Wed Apr 27 21:47:53 2005 @@ -59,11 +59,15 @@ "\x90\x00\x66", CARD_TYPE_TCOS }, /* SLE66P */ { 27, "\x3B\xFF\x94\x00\xFF\x80\xB1\xFE\x45\x1F\x03\x00\x68\xD2\x76\x00" - "\x00\x28\xFF\x05\x1E\x31\x80\x00\x90\x00\x23", + "\x00\x28\xFF\x05\x1E\x31\x80\x00\x90\x00\x23", CARD_TYPE_MICARDO }, /* German BMI card */ + { 19, "\x3B\x6F\x00\xFF\x00\x68\xD2\x76\x00\x00\x28\xFF\x05\x1E\x31\x80" + "\x00\x90\x00", + CARD_TYPE_MICARDO }, /* German BMI card (ATR due to reader problem) */ { 26, "\x3B\xFE\x94\x00\xFF\x80\xB1\xFA\x45\x1F\x03\x45\x73\x74\x45\x49" "\x44\x20\x76\x65\x72\x20\x31\x2E\x30\x43", CARD_TYPE_MICARDO }, /* EstEID (Estonian Big Brother card) */ + { 0 } }; @@ -392,7 +396,7 @@ } -/* This function calls select file to read a file suing a complete +/* This function calls select file to read a file using a complete path which may or may not start at the master file (MF). */ static gpg_error_t select_ef_by_path (app_t app, const unsigned short *path, size_t pathlen) @@ -2525,6 +2529,99 @@ } +/* Micardo cards require special treatment. This is a helper for the + crypto functions to manage the security environment. We expect that + the key file has already been selected. FID is the one of the + selected key. */ +static gpg_error_t +micardo_mse (app_t app, unsigned short fid) +{ + gpg_error_t err; + int recno; + unsigned short refdata = 0; + int se_num; + unsigned char msebuf[10]; + + /* Read the KeyD file containing extra information on keys. */ + err = iso7816_select_file (app->slot, 0x0013, 0, NULL, NULL); + if (err) + { + log_error ("error reading EF_keyD: %s\n", gpg_strerror (err)); + return err; + } + + for (recno = 1, se_num = -1; ; recno++) + { + unsigned char *buffer; + size_t buflen; + size_t n, nn; + const unsigned char *p, *pp; + + err = iso7816_read_record (app->slot, recno, 1, 0, &buffer, &buflen); + if (gpg_err_code (err) == GPG_ERR_NOT_FOUND) + break; /* ready */ + if (err) + { + log_error ("error reading EF_keyD record: %s\n", + gpg_strerror (err)); + return err; + } + log_printhex ("keyD record:", buffer, buflen); + p = find_tlv (buffer, buflen, 0x83, &n); + if (p && n == 4 && ((p[2]<<8)|p[3]) == fid) + { + refdata = ((p[0]<<8)|p[1]); + /* Locate the SE DO and the there included sec env number. */ + p = find_tlv (buffer, buflen, 0x7b, &n); + if (p && n) + { + pp = find_tlv (p, n, 0x80, &nn); + if (pp && nn == 1) + { + se_num = *pp; + xfree (buffer); + break; /* found. */ + } + } + } + xfree (buffer); + } + if (se_num == -1) + { + log_error ("CRT for keyfile %04hX not found\n", fid); + return gpg_error (GPG_ERR_NOT_FOUND); + } + + + /* Restore the security environment to SE_NUM if needed */ + if (se_num) + { + err = iso7816_manage_security_env (app->slot, 0xf3, se_num, NULL, 0); + if (err) + { + log_error ("restoring SE to %d failed: %s\n", + se_num, gpg_strerror (err)); + return err; + } + } + + /* Set the DST reference data. */ + msebuf[0] = 0x83; + msebuf[1] = 0x03; + msebuf[2] = 0x80; + msebuf[3] = (refdata >> 8); + msebuf[4] = refdata; + err = iso7816_manage_security_env (app->slot, 0x41, 0xb6, msebuf, 5); + if (err) + { + log_error ("setting SE to reference file %04hX failed: %s\n", + refdata, gpg_strerror (err)); + return err; + } + return 0; +} + + /* Handler for the PKSIGN command. @@ -2561,6 +2658,13 @@ err = prkdf_object_from_keyidstr (app, keyidstr, &prkdf); if (err) return err; + if (!(prkdf->usageflags.sign || prkdf->usageflags.sign_recover + ||prkdf->usageflags.non_repudiation)) + { + log_error ("key %s may not be used for signing\n", keyidstr); + return gpg_error (GPG_ERR_WRONG_KEY_USAGE); + } + if (!prkdf->authid) { log_error ("no authentication object defined for %s\n", keyidstr); @@ -2597,6 +2701,16 @@ return gpg_error (GPG_ERR_INV_CARD); } + /* Select the key file. Note that this may change the security + environment thus we do it before PIN verification. */ + err = select_ef_by_path (app, prkdf->path, prkdf->pathlen); + if (err) + { + log_error ("error selecting file for key %s: %s\n", + keyidstr, gpg_strerror (errno)); + return err; + } + /* Now that we have all the information available, prepare and run the PIN verification.*/ if (1) @@ -2742,7 +2856,6 @@ memcpy (data+15, indata, indatalen); } - /* Manage security environment needs to be weaked for certain cards. */ if (app->app_local->card_type == CARD_TYPE_TCOS) { @@ -2751,10 +2864,10 @@ } else if (app->app_local->card_type == CARD_TYPE_MICARDO) { - /* Micardo cards are very special in that they need to restore a - security environment using a infomration from a special - file. */ - log_error ("WARNING: support for MICARDO cards is not yet available\n"); + if (!prkdf->pathlen) + err = gpg_error (GPG_ERR_BUG); + else + err = micardo_mse (app, prkdf->path[prkdf->pathlen-1]); } else if (prkdf->key_reference_valid) { @@ -2767,11 +2880,11 @@ err = iso7816_manage_security_env (app->slot, 0x41, 0xB6, mse, sizeof mse); - if (err) - { - log_error ("MSE failed: %s\n", gpg_strerror (err)); - return err; - } + } + if (err) + { + log_error ("MSE failed: %s\n", gpg_strerror (err)); + return err; } @@ -2782,9 +2895,6 @@ - - - /* Select the PKCS#15 application on the card in SLOT. */ gpg_error_t app_select_p15 (app_t app) @@ -2846,7 +2956,7 @@ the common APP structure. */ app->app_local->card_type = card_type; - /* Read basic information and check whether this is a real + /* Read basic information and thus check whether this is a real card. */ rc = read_p15_info (app); if (rc) Index: gnupg/scd/app.c diff -u gnupg/scd/app.c:1.3.2.15 gnupg/scd/app.c:1.3.2.16 --- gnupg/scd/app.c:1.3.2.15 Wed Apr 27 14:09:20 2005 +++ gnupg/scd/app.c Wed Apr 27 21:47:53 2005 @@ -83,7 +83,7 @@ size_t n; const unsigned char *p; - p = find_tlv (result, resultlen, 0x5A, &n); + p = find_tlv_unchecked (result, resultlen, 0x5A, &n); if (p) resultlen -= (p-result); if (p && n > resultlen && n == 0x0d && resultlen+1 == n) Index: gnupg/scd/iso7816.c diff -u gnupg/scd/iso7816.c:1.3.2.11 gnupg/scd/iso7816.c:1.3.2.12 --- gnupg/scd/iso7816.c:1.3.2.11 Wed Oct 20 10:54:45 2004 +++ gnupg/scd/iso7816.c Wed Apr 27 21:47:53 2005 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA * - * $Id: iso7816.c,v 1.3.2.11 2004/10/20 08:54:45 wk Exp $ + * $Id: iso7816.c,v 1.3.2.12 2005/04/27 19:47:53 wk Exp $ */ #include @@ -299,10 +299,11 @@ { int sw; - if (p1 < 0 || p1 > 255 || p2 < 0 || p2 > 255 || !data || !datalen) + if (p1 < 0 || p1 > 255 || p2 < 0 || p2 > 255 ) return gpg_error (GPG_ERR_INV_VALUE); - sw = apdu_send_simple (slot, 0x00, CMD_MSE, p1, p2, datalen, data); + sw = apdu_send_simple (slot, 0x00, CMD_MSE, p1, p2, + data? datalen : -1, data); return map_sw (sw); } @@ -605,7 +606,7 @@ buffer = NULL; bufferlen = 0; - /* Fixme: Either the ccid driver of the TCOS cards have problems + /* Fixme: Either the ccid driver or the TCOS cards have problems with an Le of 0. */ sw = apdu_send_le (slot, 0x00, CMD_READ_RECORD, recno, Index: gnupg/scd/tlv.c diff -u gnupg/scd/tlv.c:1.1.2.2 gnupg/scd/tlv.c:1.1.2.3 --- gnupg/scd/tlv.c:1.1.2.2 Tue Mar 23 13:33:19 2004 +++ gnupg/scd/tlv.c Wed Apr 27 21:47:53 2005 @@ -1,5 +1,5 @@ /* tlv.c - Tag-Length-Value Utilities - * Copyright (C) 2003, 2004 Free Software Foundation, Inc. + * Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -113,17 +113,32 @@ /* Locate a TLV encoded data object in BUFFER of LENGTH and return a pointer to value as well as its length in NBYTES. Return - NULL if it was not found. Note, that the function does not check - whether the value fits into the provided buffer. */ + NULL if it was not found or if the object does not fit into the buffer. */ const unsigned char * find_tlv (const unsigned char *buffer, size_t length, int tag, size_t *nbytes) { - return do_find_tlv (buffer, length, tag, nbytes, 0); + const unsigned char *p; + + p = do_find_tlv (buffer, length, tag, nbytes, 0); + if (p && *nbytes > (length - (p-buffer))) + p = NULL; /* Object longer than buffer. */ + return p; } +/* Locate a TLV encoded data object in BUFFER of LENGTH and + return a pointer to value as well as its length in NBYTES. Return + NULL if it was not found. Note, that the function does not check + whether the value fits into the provided buffer. */ +const unsigned char * +find_tlv_unchecked (const unsigned char *buffer, size_t length, + int tag, size_t *nbytes) +{ + return do_find_tlv (buffer, length, tag, nbytes, 0); +} + /* ASN.1 BER parser: Parse BUFFER of length SIZE and return the tag and the length part from the TLV triplet. Update BUFFER and SIZE Index: gnupg/scd/tlv.h diff -u gnupg/scd/tlv.h:1.1.2.1 gnupg/scd/tlv.h:1.1.2.2 --- gnupg/scd/tlv.h:1.1.2.1 Tue Jan 27 17:40:28 2004 +++ gnupg/scd/tlv.h Wed Apr 27 21:47:53 2005 @@ -62,13 +62,20 @@ }; +/* Locate a TLV encoded data object in BUFFER of LENGTH and return a + pointer to value as well as its length in NBYTES. Return NULL if + it was not found or if the object does not fit into the buffer. */ +const unsigned char *find_tlv (const unsigned char *buffer, size_t length, + int tag, size_t *nbytes); + /* Locate a TLV encoded data object in BUFFER of LENGTH and return a pointer to value as well as its length in NBYTES. Return NULL if it was not found. Note, that the function does not check whether the value fits into the provided buffer.*/ -const unsigned char *find_tlv (const unsigned char *buffer, size_t length, - int tag, size_t *nbytes); +const unsigned char *find_tlv_unchecked (const unsigned char *buffer, + size_t length, + int tag, size_t *nbytes); /* ASN.1 BER parser: Parse BUFFER of length SIZE and return the tag From cvs at cvs.gnupg.org Thu Apr 28 17:53:54 2005 From: cvs at cvs.gnupg.org (cvs user marcus) Date: Thu Apr 28 17:53:58 2005 Subject: gpgme (7 files) Message-ID: Date: Thursday, April 28, 2005 @ 18:11:34 Author: marcus Path: /cvs/gpgme/gpgme Modified: NEWS doc/ChangeLog doc/gpgme.texi gpgme/ChangeLog gpgme/engine-gpgsm.c gpgme/gpgme.c gpgme/gpgme.h doc/ 2005-04-28 Marcus Brinkmann * gpgme.texi (Included Certificates): Document GPGME_INCLUDE_CERTS_DEFAULT. gpgme/ 2005-04-28 Marcus Brinkmann * gpgme.h (GPGME_INCLUDE_CERTS_DEFAULT): New macro. * engine-gpgsm.c (gpgsm_sign): Send the include-certs option after the reset, just for cleanliness, and do not sent it at all if the default is requested. * gpgme.c (gpgme_set_include_certs): Allow to use GPGME_INCLUDE_CERTS_DEFAULT. ----------------------+ NEWS | 11 +++++++++++ doc/ChangeLog | 5 +++++ doc/gpgme.texi | 3 +++ gpgme/ChangeLog | 9 +++++++++ gpgme/engine-gpgsm.c | 22 +++++++++++++++------- gpgme/gpgme.c | 8 +++++--- gpgme/gpgme.h | 3 +++ 7 files changed, 51 insertions(+), 10 deletions(-) Index: gpgme/NEWS diff -u gpgme/NEWS:1.139 gpgme/NEWS:1.140 --- gpgme/NEWS:1.139 Wed Jan 12 11:28:42 2005 +++ gpgme/NEWS Thu Apr 28 18:11:34 2005 @@ -4,10 +4,21 @@ * You can now configure the backend engine file name and home directory to be used, as default and per context. + * Previousy, GPGME would use a default "include certs" of 1. This + has been changed. Now GPGME will use the crypto backend engines + default unless you set the value with gpgme_set_include_certs() + explicitely. A new macro GPGME_INCLUDE_CERTS_DEFAULT can be used + as a value to explicitely request the new default behaviour. + + Because the default changes, this is a slight change of the API + semantics. We consider it to be a bug fix. + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ gpgme_set_engine_info NEW gpgme_ctx_get_engine_info NEW gpgme_ctx_set_engine_info NEW +gpgme_set_include_certs CHANGED DEFAULT +GPGME_INCLUDE_CERTS_DEFAULT NEW ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Index: gpgme/doc/ChangeLog diff -u gpgme/doc/ChangeLog:1.135 gpgme/doc/ChangeLog:1.136 --- gpgme/doc/ChangeLog:1.135 Wed Jan 12 12:13:17 2005 +++ gpgme/doc/ChangeLog Thu Apr 28 18:11:34 2005 @@ -1,3 +1,8 @@ +2005-04-28 Marcus Brinkmann + + * gpgme.texi (Included Certificates): Document + GPGME_INCLUDE_CERTS_DEFAULT. + 2005-01-12 Marcus Brinkmann * gpgme.texi (Engine Configuration): New section. Index: gpgme/doc/gpgme.texi diff -u gpgme/doc/gpgme.texi:1.137 gpgme/doc/gpgme.texi:1.138 --- gpgme/doc/gpgme.texi:1.137 Wed Jan 12 12:13:17 2005 +++ gpgme/doc/gpgme.texi Thu Apr 28 18:11:34 2005 @@ -2028,6 +2028,9 @@ values of @var{nr_of_certs} are: @table @code +@item GPGME_INCLUDE_CERTS_DEFAULT +Fall back to the default of the crypto backend. This is the default +for GPGME. @item -2 Include all certificates except the root certificate. @item -1 Index: gpgme/gpgme/ChangeLog diff -u gpgme/gpgme/ChangeLog:1.397 gpgme/gpgme/ChangeLog:1.398 --- gpgme/gpgme/ChangeLog:1.397 Thu Apr 21 09:13:41 2005 +++ gpgme/gpgme/ChangeLog Thu Apr 28 18:11:33 2005 @@ -1,3 +1,12 @@ +2005-04-28 Marcus Brinkmann + + * gpgme.h (GPGME_INCLUDE_CERTS_DEFAULT): New macro. + * engine-gpgsm.c (gpgsm_sign): Send the include-certs option after + the reset, just for cleanliness, and do not sent it at all if the + default is requested. + * gpgme.c (gpgme_set_include_certs): Allow to use + GPGME_INCLUDE_CERTS_DEFAULT. + 2005-04-21 Werner Koch * verify.c (calc_sig_summary): Set the key revoked bit. Index: gpgme/gpgme/engine-gpgsm.c diff -u gpgme/gpgme/engine-gpgsm.c:1.105 gpgme/gpgme/engine-gpgsm.c:1.106 --- gpgme/gpgme/engine-gpgsm.c:1.105 Thu Mar 24 14:05:12 2005 +++ gpgme/gpgme/engine-gpgsm.c Thu Apr 28 18:11:33 2005 @@ -1437,19 +1437,27 @@ if (!gpgsm) return gpg_error (GPG_ERR_INV_VALUE); - if (asprintf (&assuan_cmd, "OPTION include-certs %i", include_certs) < 0) - return gpg_error_from_errno (errno); - err = gpgsm_assuan_simple_command (gpgsm->assuan_ctx, assuan_cmd, NULL,NULL); - free (assuan_cmd); - if (err) - return err; - /* We must send a reset because we need to reset the list of signers. Note that RESET does not reset OPTION commands. */ err = gpgsm_assuan_simple_command (gpgsm->assuan_ctx, "RESET", NULL, NULL); if (err) return err; + if (include_certs != GPGME_INCLUDE_CERTS_DEFAULT) + { + /* FIXME: Make sure that if we run multiple operations, that we + can reset any previously set value in case the default is + requested. */ + + if (asprintf (&assuan_cmd, "OPTION include-certs %i", include_certs) < 0) + return gpg_error_from_errno (errno); + err = gpgsm_assuan_simple_command (gpgsm->assuan_ctx, assuan_cmd, + NULL, NULL); + free (assuan_cmd); + if (err) + return err; + } + for (i = 0; (key = gpgme_signers_enum (ctx, i)); i++) { const char *s = key->subkeys ? key->subkeys->fpr : NULL; Index: gpgme/gpgme/gpgme.c diff -u gpgme/gpgme/gpgme.c:1.80 gpgme/gpgme/gpgme.c:1.81 --- gpgme/gpgme/gpgme.c:1.80 Wed Mar 9 17:03:04 2005 +++ gpgme/gpgme/gpgme.c Thu Apr 28 18:11:33 2005 @@ -222,12 +222,14 @@ /* Set the number of certifications to include in an S/MIME message. - The default is 1 (only the cert of the sender). -1 means all - certs, and -2 means all certs except the root cert. */ + The default is GPGME_INCLUDE_CERTS_DEFAULT. -1 means all certs, + and -2 means all certs except the root cert. */ void gpgme_set_include_certs (gpgme_ctx_t ctx, int nr_of_certs) { - if (nr_of_certs < -2) + if (nr_of_certs == GPGME_INCLUDE_CERTS_DEFAULT) + ctx->include_certs = GPGME_INCLUDE_CERTS_DEFAULT; + else if (nr_of_certs < -2) ctx->include_certs = -2; else ctx->include_certs = nr_of_certs; Index: gpgme/gpgme/gpgme.h diff -u gpgme/gpgme/gpgme.h:1.153 gpgme/gpgme/gpgme.h:1.154 --- gpgme/gpgme/gpgme.h:1.153 Wed Mar 9 17:03:04 2005 +++ gpgme/gpgme/gpgme.h Thu Apr 28 18:11:33 2005 @@ -706,6 +706,9 @@ /* Return non-zero if text mode is set in CTX. */ int gpgme_get_textmode (gpgme_ctx_t ctx); +/* Use whatever the default of the backend crypto engine is. */ +#define GPGME_INCLUDE_CERTS_DEFAULT -256 + /* Include up to NR_OF_CERTS certificates in an S/MIME message. */ void gpgme_set_include_certs (gpgme_ctx_t ctx, int nr_of_certs); From cvs at cvs.gnupg.org Sat Apr 30 16:28:27 2005 From: cvs at cvs.gnupg.org (cvs user werner) Date: Sat Apr 30 16:28:34 2005 Subject: oftpd (AUTHORS BUGS ChangeLog README configure.in) Message-ID: Date: Saturday, April 30, 2005 @ 16:28:27 Author: werner Path: /cvs/wk/oftpd Modified: AUTHORS BUGS ChangeLog README configure.in (file_nlst, file_list): Fixed the paranoia test for overlong directories. Ported patches from Shane Kerr's 0.3.7 release: * configure.in: Disabled support for sendfile() on FreeBSD. It appears to me that there's a bug in the sendfile() user-level library. I would welcome advice from any FreeBSD developer wishing to set me straight. * src/ftp_session.c (do_size): Changed SIZE command to return error for directories. * src/file_list.c: #ifdef wrap GLOB_ABORTED for really old gcc compilers (Slackware or older installations). (skip_ls_options): Add code to skip command line options that are intended for "ls". --------------+ AUTHORS | 3 +++ BUGS | 13 ++++++++++++- ChangeLog | 26 ++++++++++++++++++++++++-- README | 24 +++++++++++++++++++----- configure.in | 11 ++++++----- 5 files changed, 64 insertions(+), 13 deletions(-) From cvs at cvs.gnupg.org Sat Apr 30 16:28:27 2005 From: cvs at cvs.gnupg.org (cvs user werner) Date: Sat Apr 30 16:28:43 2005 Subject: oftpd/src (config.h.in file_list.c ftp_session.c) Message-ID: Date: Saturday, April 30, 2005 @ 16:28:27 Author: werner Path: /cvs/wk/oftpd/src Modified: config.h.in file_list.c ftp_session.c (file_nlst, file_list): Fixed the paranoia test for overlong directories. Ported patches from Shane Kerr's 0.3.7 release: * configure.in: Disabled support for sendfile() on FreeBSD. It appears to me that there's a bug in the sendfile() user-level library. I would welcome advice from any FreeBSD developer wishing to set me straight. * src/ftp_session.c (do_size): Changed SIZE command to return error for directories. * src/file_list.c: #ifdef wrap GLOB_ABORTED for really old gcc compilers (Slackware or older installations). (skip_ls_options): Add code to skip command line options that are intended for "ls". ---------------+ config.h.in | 6 ++-- file_list.c | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++---- ftp_session.c | 5 +++ 3 files changed, 77 insertions(+), 8 deletions(-)