GNUPG-1-9-BRANCH gnupg (15 files)
cvs user wk
cvs at cvs.gnupg.org
Thu Apr 21 11:16:09 CEST 2005
Date: Thursday, April 21, 2005 @ 11:33:07
Author: wk
Path: /cvs/gnupg/gnupg
Tag: GNUPG-1-9-BRANCH
Modified: ChangeLog README TODO configure.ac doc/gpgsm.texi scd/ChangeLog
scd/ccid-driver.c scd/command.c sm/ChangeLog sm/certchain.c
sm/gpgsm.c sm/gpgsm.h tools/ChangeLog tools/gpgconf-comp.c
tools/symcryptrun.c
* configure.ac: Do not build gpg by default.
* gpgsm.c: New options --{enable,disable}-trusted-cert-crl-check.
* certchain.c (gpgsm_validate_chain): Make use of it.
* certchain.c (gpgsm_validate_chain): Check revocations even for
expired certificates. This is required because on signature
verification an expired key is fine whereas a revoked one is not.
* gpgconf-comp.c: Add gpgsm option disable-trusted-cert-crl-check.
----------------------+
ChangeLog | 9 +++++++++
README | 5 +++--
TODO | 29 ++++++++---------------------
configure.ac | 11 ++++++++++-
doc/gpgsm.texi | 12 ++++++++++++
scd/ChangeLog | 4 ++++
scd/ccid-driver.c | 4 ++--
scd/command.c | 26 +++++++++++++-------------
sm/ChangeLog | 3 +++
sm/certchain.c | 10 ++++++----
sm/gpgsm.c | 12 ++++++++++++
sm/gpgsm.h | 1 +
tools/ChangeLog | 8 ++++++++
tools/gpgconf-comp.c | 6 ++++++
tools/symcryptrun.c | 2 +-
15 files changed, 98 insertions(+), 44 deletions(-)
Index: gnupg/ChangeLog
diff -u gnupg/ChangeLog:1.131.2.71 gnupg/ChangeLog:1.131.2.72
--- gnupg/ChangeLog:1.131.2.71 Mon Apr 18 12:44:46 2005
+++ gnupg/ChangeLog Thu Apr 21 11:33:07 2005
@@ -1,3 +1,12 @@
+2005-04-21 Werner Koch <wk at g10code.com>
+
+ * configure.ac: Do not build gpg by default.
+
+2005-04-20 Werner Koch <wk at g10code.com>
+
+ * configure.ac: Test whether GPG_ERR_LOCKED is declared and
+ provide a replacement if not.
+
2005-04-15 Werner Koch <wk at g10code.com>
* configure.ac: Require libksba 0.9.11.
Index: gnupg/README
diff -u gnupg/README:1.72.2.16 gnupg/README:1.72.2.17
--- gnupg/README:1.72.2.16 Mon Apr 18 12:44:45 2005
+++ gnupg/README Thu Apr 21 11:33:07 2005
@@ -11,7 +11,8 @@
You should use this GnuPG version if you want to use the gpg-agent or
gpgsm (the S/MIME variant of gpg). Note that the gpg-agent is also
-helpful when using the standard gpg versions (1.2.x or 1.3.x).
+helpful when using the standard gpg versions (1.3.x as well as some of
+the old 1.2.x).
BUILD INSTRUCTIONS
@@ -51,7 +52,7 @@
S/MIME and smartcards. Note that there is no binary gpg but a gpg2 so
that this package won't confict with a GnuPG 1.2 or 1.3
installation. gpg2 behaves just like gpg; it is however suggested to
-keep using gpg 1.2.x or 1.3.x.
+keep using gpg 1.2.x or 1.3.x. gpg2 is not even build by default.
In case of problem please ask on gpa-dev at gnupg.org for advise. Note
that this release is only expected to build on GNU and *BSD systems.
Index: gnupg/TODO
diff -u gnupg/TODO:1.165.2.39 gnupg/TODO:1.165.2.40
--- gnupg/TODO:1.165.2.39 Mon Apr 18 12:44:45 2005
+++ gnupg/TODO Thu Apr 21 11:33:07 2005
@@ -1,10 +1,5 @@
-*- outline -*-
-* IMPORTANT
-Check that openpty and pty.h are available and build symcryptrun only
-then. Run shred on the temporary files.
-
-
* src/base64
** Make parsing more robust
Currently we don't cope with overlong lines in the best way.
@@ -23,14 +18,7 @@
* sm/certchain.c
** When a certificate chain was sucessfully verified, make ephemeral certs used in this chain permanent.
-** figure out how to auto retrieve a key by serialno+issuer.
- Dirmngr is currently not able to parse more than the CN.
-* sm/certlist.c
-** ocspSigning usage is not fully implemented
- We should review the entire CRL and OCSP validation system.
- Okay. This has been fixed in dirmngr when running it in system
- daemon mode.
* sm/decrypt.c
** replace leading zero in integer hack by a cleaner solution
@@ -58,8 +46,6 @@
** A SIGHUP should also restart the scdaemon
But do this only after all connections terminated. As of now we
only send a RESET.
-** Watch the child process if not invoked as a daemon
- and terminate after the child has terminated
* agent/command.c
** Make sure that secure memory is used where appropriate
@@ -69,7 +55,8 @@
** Support DSA
* agent/divert-scd.c
- Remove the agent_reset_scd kludge.
+ Remove the agent_reset_scd kludge. We will do this after Scdaemon
+ has been changed to allow multiple sessions. Currently in progress.
* Move pkcs-1 encoding into libgcrypt.
@@ -93,11 +80,7 @@
** Explain how to setup a root CA key as trusted
** Explain how trustlist.txt might be managed.
** Write a script to generate man pages from texi.
-
-* Requirements by the BSI
-** Support authorityKeyIdentifier.keyIdentifier
- This needs support in libksba/src/cert.c as well as in sm/*.c.
- Need test certs as well. Same goes for CRL authorityKeyIdentifier.
+ In progress (yatm)
* Windows port
@@ -108,5 +91,9 @@
** No card status notifications.
-* [scdaemon] release the card after use so that gpg 1.4 is abale to access it
+* scd/
+** Release the card after use so that gpg 1.4 is able to access it
+ This won't be a sufficient change. we need to change gpg 1.4 to make
+ use of the agent. Work is underway.
+
Index: gnupg/configure.ac
diff -u gnupg/configure.ac:1.36.2.83 gnupg/configure.ac:1.36.2.84
--- gnupg/configure.ac:1.36.2.83 Mon Apr 18 12:44:45 2005
+++ gnupg/configure.ac Thu Apr 21 11:33:07 2005
@@ -62,7 +62,7 @@
have_opensc=no
have_pth=no
-GNUPG_BUILD_PROGRAM(gpg, yes)
+GNUPG_BUILD_PROGRAM(gpg, no)
GNUPG_BUILD_PROGRAM(gpgsm, yes)
GNUPG_BUILD_PROGRAM(agent, yes)
GNUPG_BUILD_PROGRAM(scdaemon, yes)
@@ -313,6 +313,11 @@
#define EXEC_TEMPFILE_ONLY
#endif
+/* Temporary hacks to avoid requring a libgpg-error update. */
+#if !HAVE_DECL_GPG_ERR_LOCKED
+#define GPG_ERR_LOCKED 173
+#endif
+
])
AM_MAINTAINER_MODE
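Review bot: The fallback `#define GPG_ERR_LOCKED 173` hard-codes a number that has to match the value libgpg-error assigns to this code, and nothing in the hunk records where 173 comes from or when the block can be removed. With a library too old to declare the code, gpg_strerror() presumably cannot name it either, so a locked reader may be reported as an unknown error. I would extend the comment to `/* Temporary hack to avoid requiring a libgpg-error update; 173 must match GPG_ERR_LOCKED in gpg-error.h. Remove once NEED_GPG_ERROR_VERSION guarantees the declaration. */`, which also fixes the "requring" typo.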
@@ -437,6 +442,10 @@
#
AM_PATH_GPG_ERROR("$NEED_GPG_ERROR_VERSION",
have_gpg_error=yes,have_gpg_error=no)
+_tmp_gpg_error_save_cflags="$CFLAGS"
+CFLAGS="$CFLAGS $GPG_ERROR_CFLAGS"
+AC_CHECK_DECLS(GPG_ERR_LOCKED,,,[#include <gpg-error.h>])
+CFLAGS="${_tmp_gpg_error_save_cflags}"
#
Index: gnupg/doc/gpgsm.texi
diff -u gnupg/doc/gpgsm.texi:1.1.2.22 gnupg/doc/gpgsm.texi:1.1.2.23
--- gnupg/doc/gpgsm.texi:1.1.2.22 Wed Apr 20 20:46:51 2005
+++ gnupg/doc/gpgsm.texi Thu Apr 21 11:33:07 2005
@@ -315,6 +315,18 @@
to check for revoked certificates. The disable option is most useful
with an off-line network connection to suppress this check.
+ at item --enable-trusted-cert-crl-check
+ at itemx --disable-trusted-cert-crl-check
+ at opindex enable-trusted-cert-crl-check
+ at opindex disable-trusted-cert-crl-check
+By default the @acronym{CRL} for trusted root certificates are checked
+like for any other certificates. This allows a CA to revoke its own
+certificates voluntary without the need of putting all ever issued
+certificates into a CRL. The disable option may be used to switch this
+extra check off. Due to the caching done by the Dirmngr, there won't be
+any noticeable performance gain. Note, that this also disables possible
+OCSP checks for trusted root certificates.
+
@item --force-crl-refresh
@opindex force-crl-refresh
Tell the dirmngr to reload the CRL for each request. For better
Index: gnupg/scd/ChangeLog
diff -u gnupg/scd/ChangeLog:1.25.2.73 gnupg/scd/ChangeLog:1.25.2.74
--- gnupg/scd/ChangeLog:1.25.2.73 Thu Apr 14 19:25:43 2005
+++ gnupg/scd/ChangeLog Thu Apr 21 11:33:07 2005
@@ -1,3 +1,7 @@
+2005-04-20 Werner Koch <wk at g10code.com>
+
+ * command.c: Use GPG_ERR_LOCKED instead of EBUSY.
+
2005-04-14 Werner Koch <wk at g10code.com>
* app-openpgp.c (retrieve_key_material): Rewritten. Return a
Index: gnupg/scd/ccid-driver.c
diff -u gnupg/scd/ccid-driver.c:1.1.2.25 gnupg/scd/ccid-driver.c:1.1.2.26
--- gnupg/scd/ccid-driver.c:1.1.2.25 Mon Apr 11 18:20:10 2005
+++ gnupg/scd/ccid-driver.c Thu Apr 21 11:33:06 2005
@@ -52,7 +52,7 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
*
- * $Date: 2005/04/11 16:20:10 $
+ * $Date: 2005/04/21 09:33:06 $
*/
@@ -1274,7 +1274,7 @@
}
-/* Note that this fucntion won't return the error codes NO_CARD or
+/* Note that this function won't return the error codes NO_CARD or
CARD_INACTIVE */
int
ccid_slot_status (ccid_driver_t handle, int *statusbits)
Index: gnupg/scd/command.c
diff -u gnupg/scd/command.c:1.19.2.20 gnupg/scd/command.c:1.19.2.21
--- gnupg/scd/command.c:1.19.2.20 Thu Apr 14 19:25:43 2005
+++ gnupg/scd/command.c Thu Apr 21 11:33:06 2005
@@ -263,7 +263,7 @@
return 0; /* Already initialized using a card context. */
if ( IS_LOCKED (ctrl) )
- return gpg_error (GPG_ERR_EBUSY);
+ return gpg_error (GPG_ERR_LOCKED);
if (ctrl->reader_slot != -1)
slot = ctrl->reader_slot;
@@ -360,7 +360,7 @@
if (ctrl->server_local->card_removed)
{
if ( IS_LOCKED (ctrl) )
- return gpg_error (GPG_ERR_EBUSY);
+ return gpg_error (GPG_ERR_LOCKED);
do_reset (ctrl, 0);
}
@@ -745,7 +745,7 @@
unsigned char *buf;
if (locked_session && locked_session != ctrl->server_local)
- return gpg_error (GPG_ERR_EBUSY);
+ return gpg_error (GPG_ERR_LOCKED);
/* Parse the hexstring. */
for (p=line,n=0; hexdigitp (p); p++, n++)
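Review bot: This check spells the lock test out as `locked_session && locked_session != ctrl->server_local`, while the other command handlers touched in this file use `IS_LOCKED (ctrl)`. The macro's definition is not in the diff; if it expands to the same test, `if ( IS_LOCKED (ctrl) )` here would keep the exclusive-access check in one place. Separately, the switch from GPG_ERR_EBUSY to GPG_ERR_LOCKED in every hunk of this file changes what clients receive. Any caller that still tests for GPG_ERR_EBUSY to detect a locked reader would need updating, and none is visible in this commit. The enclosing function starts and ends outside the hunk.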
@@ -817,7 +817,7 @@
char *keyidstr;
if ( IS_LOCKED (ctrl) )
- return gpg_error (GPG_ERR_EBUSY);
+ return gpg_error (GPG_ERR_LOCKED);
if ((rc = open_card (ctrl, NULL)))
return rc;
@@ -871,7 +871,7 @@
char *keyidstr;
if ( IS_LOCKED (ctrl) )
- return gpg_error (GPG_ERR_EBUSY);
+ return gpg_error (GPG_ERR_LOCKED);
if ((rc = open_card (ctrl, NULL)))
return rc;
@@ -921,7 +921,7 @@
char *keyidstr;
if ( IS_LOCKED (ctrl) )
- return gpg_error (GPG_ERR_EBUSY);
+ return gpg_error (GPG_ERR_LOCKED);
if ((rc = open_card (ctrl, NULL)))
return rc;
@@ -1021,7 +1021,7 @@
char *line, *linebuf;
if ( IS_LOCKED (ctrl) )
- return gpg_error (GPG_ERR_EBUSY);
+ return gpg_error (GPG_ERR_LOCKED);
if ((rc = open_card (ctrl, NULL)))
return rc;
@@ -1076,7 +1076,7 @@
int force = has_option (line, "--force");
if ( IS_LOCKED (ctrl) )
- return gpg_error (GPG_ERR_EBUSY);
+ return gpg_error (GPG_ERR_LOCKED);
/* Skip over options. */
while ( *line == '-' && line[1] == '-' )
@@ -1165,7 +1165,7 @@
int reset_mode = has_option (line, "--reset");
if ( IS_LOCKED (ctrl) )
- return gpg_error (GPG_ERR_EBUSY);
+ return gpg_error (GPG_ERR_LOCKED);
/* Skip over options. */
while (*line == '-' && line[1] == '-')
@@ -1212,7 +1212,7 @@
char *keyidstr;
if ( IS_LOCKED (ctrl) )
- return gpg_error (GPG_ERR_EBUSY);
+ return gpg_error (GPG_ERR_LOCKED);
if ((rc = open_card (ctrl, NULL)))
return rc;
@@ -1244,7 +1244,7 @@
Grant exclusive card access to this session. Note that there is
no lock counter used and a second lock from the same session will
get ignore. A single unlock (or RESET) unlocks the session.
- Return GPG_ERR_EBUSY if another session has locked the reader.
+ Return GPG_ERR_LOCKED if another session has locked the reader.
If the option --wait is given the command will wait until a
lock has been released.
@@ -1259,7 +1259,7 @@
if (locked_session)
{
if (locked_session != ctrl->server_local)
- rc = gpg_error (GPG_ERR_EBUSY);
+ rc = gpg_error (GPG_ERR_LOCKED);
}
else
locked_session = ctrl->server_local;
@@ -1293,7 +1293,7 @@
if (locked_session)
{
if (locked_session != ctrl->server_local)
- rc = gpg_error (GPG_ERR_EBUSY);
+ rc = gpg_error (GPG_ERR_LOCKED);
else
locked_session = NULL;
}
Index: gnupg/sm/ChangeLog
diff -u gnupg/sm/ChangeLog:1.101.2.93 gnupg/sm/ChangeLog:1.101.2.94
--- gnupg/sm/ChangeLog:1.101.2.93 Thu Apr 21 09:16:41 2005
+++ gnupg/sm/ChangeLog Thu Apr 21 11:33:06 2005
@@ -1,5 +1,8 @@
2005-04-21 Werner Koch <wk at g10code.com>
+ * gpgsm.c: New options --{enable,disable}-trusted-cert-crl-check.
+ * certchain.c (gpgsm_validate_chain): Make use of it.
+
* certchain.c (gpgsm_validate_chain): Check revocations even for
expired certificates. This is required because on signature
verification an expired key is fine whereas a revoked one is not.
Index: gnupg/sm/certchain.c
diff -u gnupg/sm/certchain.c:1.32.2.23 gnupg/sm/certchain.c:1.32.2.24
--- gnupg/sm/certchain.c:1.32.2.23 Thu Apr 21 09:16:41 2005
+++ gnupg/sm/certchain.c Thu Apr 21 11:33:06 2005
@@ -752,13 +752,13 @@
}
- /* Is this a self-signed certificate? */
+ /* Is this a self-issued certificate? */
if (subject && !strcmp (issuer, subject))
{ /* Yes. */
if (gpgsm_check_cert_sig (subject_cert, subject_cert) )
{
do_list (1, lm, fp,
- _("selfsigned certificate has a BAD signature"));
+ _("self-signed certificate has a BAD signature"));
if (DBG_X509)
{
gpgsm_dump_cert ("self-signing cert", subject_cert);
@@ -816,7 +816,9 @@
/* Check for revocations etc. */
if ((flags & 1))
- rc = 0;
+ ;
+ else if (opt.no_trusted_cert_crl_check)
+ ;
else
rc = is_cert_still_valid (ctrl, lm, fp,
subject_cert, subject_cert,
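Review bot: Both skip branches are now bare `;` statements, so when `flags & 1` is set rc keeps whatever value it had before this point instead of being reset to 0 as the old code did. The hunk does not show rc's value on entry, so that is worth confirming. The new `opt.no_trusted_cert_crl_check` branch also skips the revocation check for the root silently (the documentation hunk says OCSP too). A short comment such as `/* User asked to skip CRL/OCSP checks for trusted root certs. */` would make that trust decision visible. A single guard, `if (!(flags & 1) && !opt.no_trusted_cert_crl_check)` in front of the existing `rc = is_cert_still_valid (...)`, reads more clearly than two empty statements. The call's argument list and the enclosing function continue outside the hunk.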
@@ -1045,7 +1047,7 @@
rc = gpgsm_check_cert_sig (cert, cert);
if (rc)
{
- log_error ("selfsigned certificate has a BAD signature: %s\n",
+ log_error ("self-signed certificate has a BAD signature: %s\n",
gpg_strerror (rc));
if (DBG_X509)
{
Index: gnupg/sm/gpgsm.c
diff -u gnupg/sm/gpgsm.c:1.67.2.39 gnupg/sm/gpgsm.c:1.67.2.40
--- gnupg/sm/gpgsm.c:1.67.2.39 Mon Apr 18 12:44:45 2005
+++ gnupg/sm/gpgsm.c Thu Apr 21 11:33:06 2005
@@ -130,6 +130,8 @@
oDisableCRLChecks,
oEnableCRLChecks,
+ oDisableTrustedCertCRLCheck,
+ oEnableTrustedCertCRLCheck,
oForceCRLRefresh,
oDisableOCSP,
@@ -285,6 +287,8 @@
N_("use system's dirmngr if available")},
{ oDisableCRLChecks, "disable-crl-checks", 0, N_("never consult a CRL")},
{ oEnableCRLChecks, "enable-crl-checks", 0, "@"},
+ { oDisableTrustedCertCRLCheck, "disable-trusted-cert-crl-check", 0, "@"},
+ { oEnableTrustedCertCRLCheck, "enable-trusted-cert-crl-check", 0, "@"},
{ oForceCRLRefresh, "force-crl-refresh", 0, "@"},
{ oDisableOCSP, "disable-ocsp", 0, "@" },
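Review bot: `disable-trusted-cert-crl-check` is registered with the description `"@"`, like its neighbours `enable-crl-checks` and `force-crl-refresh`, while `disable-crl-checks` directly above carries a real description. Since this option switches off revocation checking for root certificates, I would give it a description as well, for example `N_("do not check CRLs for root certificates")`, the wording this commit already uses in tools/gpgconf-comp.c. The option table starts and ends outside the hunk.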
@@ -973,6 +977,12 @@
case oEnableCRLChecks:
opt.no_crl_check = 0;
break;
+ case oDisableTrustedCertCRLCheck:
+ opt.no_trusted_cert_crl_check = 1;
+ break;
+ case oEnableTrustedCertCRLCheck:
+ opt.no_trusted_cert_crl_check = 0;
+ break;
case oForceCRLRefresh:
opt.force_crl_refresh = 1;
break;
@@ -1352,6 +1362,8 @@
GC_OPT_FLAG_NONE );
printf ("disable-crl-checks:%lu:\n",
GC_OPT_FLAG_NONE );
+ printf ("disable-trusted-cert-crl-check:%lu:\n",
+ GC_OPT_FLAG_NONE );
printf ("enable-ocsp:%lu:\n",
GC_OPT_FLAG_NONE );
printf ("include-certs:%lu:1:\n",
Index: gnupg/sm/gpgsm.h
diff -u gnupg/sm/gpgsm.h:1.54.2.25 gnupg/sm/gpgsm.h:1.54.2.26
--- gnupg/sm/gpgsm.h:1.54.2.25 Mon Apr 18 12:44:45 2005
+++ gnupg/sm/gpgsm.h Thu Apr 21 11:33:06 2005
@@ -97,6 +97,7 @@
int ignore_time_conflict; /* Ignore certain time conflicts */
int no_crl_check; /* Don't do a CRL check */
+ int no_trusted_cert_crl_check; /* Don't run a CRL check for trusted certs. */
int force_crl_refresh; /* Force refreshing the CRL. */
int enable_ocsp; /* Default to use OCSP checks. */
Index: gnupg/tools/ChangeLog
diff -u gnupg/tools/ChangeLog:1.25.2.72 gnupg/tools/ChangeLog:1.25.2.73
--- gnupg/tools/ChangeLog:1.25.2.72 Tue Apr 19 14:00:29 2005
+++ gnupg/tools/ChangeLog Thu Apr 21 11:33:06 2005
@@ -1,3 +1,11 @@
+2005-04-21 Werner Koch <wk at g10code.com>
+
+ * gpgconf-comp.c: Add gpgsm option disable-trusted-cert-crl-check.
+
+2005-04-20 Werner Koch <wk at g10code.com>
+
+ * gpgconf-comp.c: Add gpg-agent:disable-scdaemon.
+
2005-04-19 Marcus Brinkmann <marcus at g10code.de>
* symcryptrun.c: Add --input option.
Index: gnupg/tools/gpgconf-comp.c
diff -u gnupg/tools/gpgconf-comp.c:1.1.2.51 gnupg/tools/gpgconf-comp.c:1.1.2.52
--- gnupg/tools/gpgconf-comp.c:1.1.2.51 Wed Mar 9 20:22:54 2005
+++ gnupg/tools/gpgconf-comp.c Thu Apr 21 11:33:06 2005
@@ -449,6 +449,9 @@
{ "options", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT,
"gnupg", "|FILE|read options from FILE",
GC_ARG_TYPE_PATHNAME, GC_BACKEND_GPG_AGENT },
+ { "disable-scdaemon", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
+ "gnupg", "do not use the SCdaemon",
+ GC_ARG_TYPE_NONE, GC_BACKEND_GPG_AGENT },
{ "Debug",
GC_OPT_FLAG_GROUP, GC_LEVEL_ADVANCED,
@@ -651,6 +654,9 @@
{ "disable-crl-checks", GC_OPT_FLAG_NONE, GC_LEVEL_BASIC,
"gnupg", "never consult a CRL",
GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
+ { "disable-trusted-cert-crl-check", GC_OPT_FLAG_NONE, GC_LEVEL_EXPERT,
+ "gnupg", N_("do not check CRLs for root certificates"),
+ GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
{ "enable-ocsp", GC_OPT_FLAG_NONE, GC_LEVEL_ADVANCED,
"gnupg", "check validity using OCSP",
GC_ARG_TYPE_NONE, GC_BACKEND_GPGSM },
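Review bot: The new `disable-trusted-cert-crl-check` entry wraps its description in `N_()`, but the neighbouring entries in this hunk (`"never consult a CRL"`, `"check validity using OCSP"`) and the `disable-scdaemon` entry added in the previous hunk pass plain strings. If descriptions in this table are looked up in the domain named in the preceding field ("gnupg"), the marker is at best redundant. For consistency I would write `"gnupg", "do not check CRLs for root certificates",`. The table starts and ends outside the hunk.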
Index: gnupg/tools/symcryptrun.c
diff -u gnupg/tools/symcryptrun.c:1.1.2.6 gnupg/tools/symcryptrun.c:1.1.2.7
--- gnupg/tools/symcryptrun.c:1.1.2.6 Tue Apr 19 14:00:29 2005
+++ gnupg/tools/symcryptrun.c Thu Apr 21 11:33:06 2005
@@ -124,7 +124,7 @@
oKeyfile,
oDecrypt,
oEncrypt,
- oInput,
+ oInput
};