From cvs at cvs.gnupg.org Tue Feb 1 06:17:21 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Tue Feb 1 06:17:23 2005 Subject: gnupg/g10 (ChangeLog keygen.c) Message-ID: Date: Tuesday, February 1, 2005 @ 06:26:25 Author: dshaw Path: /cvs/gnupg/gnupg/g10 Modified: ChangeLog keygen.c * keygen.c (do_generate_keypair): Write the auth key to the card before the encryption key. This is a partial workaround for a PGP bug (as of this writing, all versions including 8.1), that causes it to try and encrypt to the most recent subkey regardless of whether that subkey is actually an encryption type. In this case, the auth key is an RSA key so it succeeds. -----------+ ChangeLog | 9 +++++++++ keygen.c | 29 ++++++++++++++++++----------- 2 files changed, 27 insertions(+), 11 deletions(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.691 gnupg/g10/ChangeLog:1.692 --- gnupg/g10/ChangeLog:1.691 Fri Jan 28 01:50:10 2005 +++ gnupg/g10/ChangeLog Tue Feb 1 06:26:25 2005 @@ -1,3 +1,12 @@ +2005-01-31 David Shaw + + * keygen.c (do_generate_keypair): Write the auth key to the card + before the encryption key. This is a partial workaround for a PGP + bug (as of this writing, all versions including 8.1), that causes + it to try and encrypt to the most recent subkey regardless of + whether that subkey is actually an encryption type. In this case, + the auth key is an RSA key so it succeeds. + 2005-01-27 David Shaw * keyid.c (keyid_from_sk, keyid_from_pk): Use 0xFFFFFFFFFFFFFFFF Index: gnupg/g10/keygen.c diff -u gnupg/g10/keygen.c:1.144 gnupg/g10/keygen.c:1.145 --- gnupg/g10/keygen.c:1.144 Fri Jan 28 01:50:10 2005 +++ gnupg/g10/keygen.c Tue Feb 1 06:26:25 2005 
@@ -2820,6 +2820,24 @@ get_parameter_uint (para, pKEYUSAGE)); } + /* Write the auth key to the card before the encryption key. This + is a partial workaround for a PGP bug (as of this writing, all + versions including 8.1), that causes it to try and encrypt to + the most recent subkey regardless of whether that subkey is + actually an encryption type. In this case, the auth key is an + RSA key so it succeeds. */ + + if (!rc && card && get_parameter (para, pAUTHKEYTYPE)) + { + rc = gen_card_key (PUBKEY_ALGO_RSA, 3, 0, pub_root, sec_root, + get_parameter_u32 (para, pKEYEXPIRE), para); + + if (!rc) + rc = write_keybinding (pub_root, pub_root, pri_sk, sub_sk, PUBKEY_USAGE_AUTH); + if (!rc) + rc = write_keybinding (sec_root, pub_root, pri_sk, sub_sk, PUBKEY_USAGE_AUTH); + } + if( !rc && get_parameter( para, pSUBKEYTYPE ) ) { if (!card) @@ -2859,17 +2877,6 @@ did_sub = 1; } - if (!rc && card && get_parameter (para, pAUTHKEYTYPE)) - { - rc = gen_card_key (PUBKEY_ALGO_RSA, 3, 0, pub_root, sec_root, - get_parameter_u32 (para, pKEYEXPIRE), para); - - if (!rc) - rc = write_keybinding (pub_root, pub_root, pri_sk, sub_sk, PUBKEY_USAGE_AUTH); - if (!rc) - rc = write_keybinding (sec_root, pub_root, pri_sk, sub_sk, PUBKEY_USAGE_AUTH); - } - if( !rc && outctrl->use_files ) { /* direct write to specified files */ rc = write_keyblock( outctrl->pub.stream, pub_root ); if( rc ) From cvs at cvs.gnupg.org Tue Feb 1 17:40:09 2005 
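Review bot: In g10/keygen.c do_generate_keypair, the relocated block guarded by "if (!rc && card && get_parameter (para, pAUTHKEYTYPE))" now runs before the pSUBKEYTYPE block, so a failure while generating the encryption subkey happens after the auth key has already been generated on the card; before this change the encryption key was written first. Please confirm that this partial state is acceptable or is cleaned up on error. The new comment also calls this a partial workaround without saying which case is still not covered; one sentence on that would help whoever revisits the ordering later.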
From: cvs at cvs.gnupg.org (cvs user wk) Date: Tue Feb 1 17:40:15 2005 Subject: dirmngr (13 files) Message-ID: Date: Tuesday, February 1, 2005 @ 17:49:15 Author: wk Path: /cvs/dirmngr/dirmngr Modified: ChangeLog THANKS TODO doc/dirmngr.texi jnlib/argparse.c src/ChangeLog src/certcache.c src/certcache.h src/crlcache.c src/crlfetch.c src/crlfetch.h src/dirmngr.c src/ldap.c * crlcache.c (crl_parse_insert): Renamed a few variables and changed diagnostic strings for clarity. (get_issuer_cert): Renamed to get_crlissuer_cert. Try to locate the certificate from the cache using the subject name. Use new fetch function. (get_crlissuer_cert_bysn): New. (crl_parse_insert): Use it here. * crlfetch.c (ca_cert_fetch): Changed interface. (fetch_next_ksba_cert): New. * ldap.c (run_ldap_wrapper): Add arg MULTI_MODE. Changed all callers. (start_default_fetch_ldap): New * certcache.c (get_cert_bysubject): New. (clean_cache_slot, put_cert): Store the subject DN if available. (MAX_EXTRA_CACHED_CERTS): Increase limit of cachable certificates to 1000. (find_cert_bysn): Loop until a certificate with a matching S/N has been found. * dirmngr.c (main): Add honor-http-proxy to the gpgconf list. ------------------+ ChangeLog | 4 + THANKS | 9 +-- TODO | 11 +++- doc/dirmngr.texi | 2 jnlib/argparse.c | 2 src/ChangeLog | 32 +++++++++++ src/certcache.c | 86 +++++++++++++++++++++++-------- src/certcache.h | 5 + src/crlcache.c | 143 +++++++++++++++++++++++++++++++++-------------------- src/crlfetch.c | 53 +++++++++++++++++-- src/crlfetch.h | 16 ++++- src/dirmngr.c | 12 +++- src/ldap.c | 134 +++++++++++++++++++++++++++++++++++++++++++++---- 13 files changed, 398 insertions(+), 111 deletions(-) Index: dirmngr/ChangeLog diff -u dirmngr/ChangeLog:1.84 dirmngr/ChangeLog:1.85 --- dirmngr/ChangeLog:1.84 Tue Jan 4 20:19:49 2005 +++ dirmngr/ChangeLog Tue Feb 1 17:49:15 2005 
@@ -1,3 +1,7 @@ +2005-01-21 Werner Koch + + * doc/dirmngr.texi (Dirmngr Options): Typo fix; s/URL/CRL. + 2005-01-04 Werner Koch * configure.ac (PTH_LIBS): Die if Pth is not available. There is Index: dirmngr/THANKS diff -u dirmngr/THANKS:1.3 dirmngr/THANKS:1.4 --- dirmngr/THANKS:1.3 Sat Dec 18 09:50:39 2004 +++ dirmngr/THANKS Tue Feb 1 17:49:15 2005 @@ -1,5 +1,6 @@ -Bernhard Reiter -Marcus Brinkmann -Michael Nottebrock +Bernhard Reiter bernhard@intevation.de +Marcus Brinkmann marcus@g10code.de +Michael Nottebrock michaelnottebrock@gmx.net +Neil Dunbar neil.dunbar@hp.com -The whole Ägypten Project team. +The whole Ägypten project team. Index: dirmngr/TODO diff -u dirmngr/TODO:1.17 dirmngr/TODO:1.18 --- dirmngr/TODO:1.17 Fri Dec 17 11:42:18 2004 +++ dirmngr/TODO Tue Feb 1 17:49:15 2005 @@ -7,8 +7,6 @@ This is the server where a baseDN has been given and that baseDN is contained in the search pattern. -* Properly use locks in crlcache.c - * name subordination (nameRelativeToCRLIssuer) is not yet supported by Dirmngr. @@ -18,4 +16,13 @@ this yet. Solution is to have a mapping DN->host in our ldapservers configuration file. +* crlcache.c + We use a simple approach to get the CRL issuing certificate. We + might want to enhance it in case no authorityKeyIdentifier is + available to try all available matching certificates with the given + DN. OTOH, rfc3280 requires the use of authorityKeyIdentifier if + different signing keys are used. + + + Index: dirmngr/doc/dirmngr.texi diff -u dirmngr/doc/dirmngr.texi:1.20 dirmngr/doc/dirmngr.texi:1.21 --- dirmngr/doc/dirmngr.texi:1.20 Tue Jan 4 15:16:39 2005 +++ dirmngr/doc/dirmngr.texi Tue Feb 1 17:49:15 2005 
@@ -380,7 +380,7 @@ @opindex ignore-http-dp When looking for the location of a CRL, the to be tested certificate usually contains so called @dfn{CRL Distribution Point} (DP) entries -which are URLs describing the way to access the URL. The first found DP +which are URLs describing the way to access the CRL. The first found DP entry is used. With this option all entries using the @acronym{HTTP} scheme are ignored when looking for a suitable DP. Index: dirmngr/jnlib/argparse.c diff -u dirmngr/jnlib/argparse.c:1.5 dirmngr/jnlib/argparse.c:1.6 --- dirmngr/jnlib/argparse.c:1.5 Tue Sep 28 14:27:26 2004 +++ dirmngr/jnlib/argparse.c Tue Feb 1 17:49:15 2005 @@ -904,7 +904,7 @@ switch( level ) { case 11: p = "foo"; break; case 13: p = "0.0"; break; - case 14: p = "Copyright (C) 2004 Free Software Foundation, Inc."; break; + case 14: p = "Copyright (C) 2005 Free Software Foundation, Inc."; break; case 15: p = "This program comes with ABSOLUTELY NO WARRANTY.\n" "This is free software, and you are welcome to redistribute it\n" Index: dirmngr/src/ChangeLog diff -u dirmngr/src/ChangeLog:1.41 dirmngr/src/ChangeLog:1.42 --- dirmngr/src/ChangeLog:1.41 Wed Jan 5 21:07:08 2005 +++ dirmngr/src/ChangeLog Tue Feb 1 17:49:15 2005 
@@ -1,3 +1,33 @@ +2005-02-01 Werner Koch + + * crlcache.c (crl_parse_insert): Renamed a few variables and + changed diagnostic strings for clarity. + (get_issuer_cert): Renamed to get_crlissuer_cert. Try to locate + the certificate from the cache using the subject name. Use new + fetch function. + (get_crlissuer_cert_bysn): New. + (crl_parse_insert): Use it here. + * crlfetch.c (ca_cert_fetch): Changed interface. + (fetch_next_ksba_cert): New. + * ldap.c (run_ldap_wrapper): Add arg MULTI_MODE. Changed all + callers. + (start_default_fetch_ldap): New + * certcache.c (get_cert_bysubject): New. + (clean_cache_slot, put_cert): Store the subject DN if available. + (MAX_EXTRA_CACHED_CERTS): Increase limit of cachable certificates + to 1000. + (find_cert_bysn): Loop until a certificate with a matching S/N has + been found. + + * dirmngr.c (main): Add honor-http-proxy to the gpgconf list. + +2005-01-31 Werner Koch + + * ldap.c: Started to work on support for userSMIMECertificates. + + * dirmngr.c (main): Make sure to always pass a server control + structure to the caching functions. Reported by Neil Dunbar. + 2005-01-05 Werner Koch * dirmngr-client.c (read_pem_certificate): Skip trailing percent @@ -350,7 +380,7 @@ ChangeLog. - Copyright 2004 g10 Code GmbH + Copyright 2004, 2005 g10 Code GmbH This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without Index: dirmngr/src/certcache.c diff -u dirmngr/src/certcache.c:1.8 dirmngr/src/certcache.c:1.9 --- dirmngr/src/certcache.c:1.8 Fri Dec 3 15:42:36 2004 +++ dirmngr/src/certcache.c Tue Feb 1 17:49:15 2005 @@ -1,5 +1,5 @@ /* certcache.c - Certificate caching - * Copyright (C) 2004 g10 Code GmbH + * Copyright (C) 2004, 2005 g10 Code GmbH * * This file is part of DirMngr. * 
@@ -36,7 +36,7 @@ #include "certcache.h" -#define MAX_EXTRA_CACHED_CERTS 200 /* FIXME: This is a debugging value. */ +#define MAX_EXTRA_CACHED_CERTS 1000 /* A certificate cache item. This consists of a the ksba cert object @@ -51,6 +51,7 @@ unsigned char fpr[20]; /* The fingerprint of this object. */ char *issuer_dn; /* The malloced issuer DN. */ ksba_sexp_t sn; /* The malloced serial number */ + char *subject_dn; /* The malloced subject DN - maybe NULL. */ struct { unsigned int loaded:1; /* It has been explicitly loaded. */ @@ -180,6 +181,8 @@ ci->sn = NULL; ksba_free (ci->issuer_dn); ci->issuer_dn = NULL; + ksba_free (ci->subject_dn); + ci->subject_dn = NULL; cert = ci->cert; ci->cert = NULL; @@ -268,6 +271,7 @@ clean_cache_slot (ci); return gpg_error (GPG_ERR_INV_CERT_OBJ); } + ci->subject_dn = ksba_cert_get_subject (cert, 0); ci->flags.loaded = !!is_loaded; ci->flags.trusted = !!is_trusted; @@ -585,6 +589,34 @@ } +/* Return the certificate matching SUBJEC_DN. SEQ should initially be + set to 0 and bumped up to get the next subject with that DN. */ +ksba_cert_t +get_cert_bysubject (const char *subject_dn, unsigned int seq) +{ + /* Simple and very inefficient implementation and API. fixme! */ + cert_item_t ci; + int i; + + acquire_cache_read_lock (); + for (i=0; i < 256; i++) + { + for (ci=cert_cache[i]; ci; ci = ci->next) + if (ci->cert && ci->subject_dn + && !strcmp (ci->subject_dn, subject_dn)) + if (!seq--) + { + ksba_cert_ref (ci->cert); + release_cache_lock (); + return ci->cert; + } + } + + release_cache_lock (); + return NULL; +} + + /* Return the certificate matching ISSUER_DN and SERIALNO; if it is 
@@ -593,43 +625,39 @@ find_cert_bysn (ctrl_t ctrl, const char *issuer_dn, ksba_sexp_t serialno) { gpg_error_t err; - ksba_cert_t cert; - ksba_reader_t reader; + ksba_cert_t cert = NULL; + cert_fetch_context_t context = NULL; cert = get_cert_bysn (issuer_dn, serialno); - /* Fixme: We should not use the simple ca-fetch_cert but do a - regular lookup and iterate over all certificates until we found - a matching S/N. */ while (!cert) { ksba_sexp_t sn; char *issdn; - err = ca_cert_fetch (ctrl, issuer_dn, &reader); - if (err) + if (!context) { - log_error (_("error fetching certificate for issuer: %s\n"), - gpg_strerror (err)); - return NULL; + err = ca_cert_fetch (ctrl, &context, issuer_dn); + if (err) + { + log_error (_("error fetching certificate by S/N: %s\n"), + gpg_strerror (err)); + break; + } } - err = ksba_cert_new (&cert); - if (!err) - err = ksba_cert_read_der (cert, reader); - ksba_reader_release (reader); + err = fetch_next_ksba_cert (context, &cert); if (err) { - log_error (_("invalid issuer certificate: %s\n"), + log_error (_("error fetching certificate by S/N: %s\n"), gpg_strerror (err) ); - ksba_cert_release (cert); - return NULL; + break; } issdn = ksba_cert_get_issuer (cert, 0); if (strcmp (issuer_dn, issdn)) { - log_debug ("find_cert_bysn: Ooops: Issuer DN does not match\n"); + log_debug ("find_cert_bysn: Ooops: issuer DN does not match\n"); ksba_cert_release (cert); cert = NULL; ksba_free (issdn); 
@@ -637,20 +665,32 @@ } sn = ksba_cert_get_serial (cert); + + if (DBG_LOOKUP) + { + log_debug (" considering certificate (#"); + dump_serial (sn); + log_printf ("/"); + dump_string (issdn); + log_printf (")\n"); + } + if (!compare_serialno (serialno, sn)) { ksba_free (sn); cache_cert (cert); + if (DBG_LOOKUP) + log_debug (" found\n"); break; /* Ready. */ } - log_debug ("find_cert_bysn: S/N does not match\n"); + ksba_free (sn); + ksba_cert_release (cert); cert = NULL; - ksba_free (sn); - break; /* FIXME: That should be a get next cert. */ } + end_cert_fetch (context); return cert; } Index: dirmngr/src/certcache.h diff -u dirmngr/src/certcache.h:1.6 dirmngr/src/certcache.h:1.7 --- dirmngr/src/certcache.h:1.6 Wed Dec 15 23:11:59 2004 +++ dirmngr/src/certcache.h Tue Feb 1 17:49:15 2005 @@ -56,11 +56,16 @@ certificate. */ ksba_cert_t get_cert_byhexfpr (const char *string); +/* Return the certificate matching ISSUER_DN and SERIALNO. */ +ksba_cert_t get_cert_bysn (const char *issuer_dn, ksba_sexp_t serialno); /* Return the certificate matching ISSUER_DN. SEQ should initially be set to 0 and bumped up to get the next issuer with that DN. */ ksba_cert_t get_cert_byissuer (const char *issuer_dn, unsigned int seq); +/* Return the certificate matching SUBJECT_DN. SEQ should initially be + set to 0 and bumped up to get the next issuer with that DN. */ +ksba_cert_t get_cert_bysubject (const char *subject_dn, unsigned int seq); /* Return the certificate matching ISSUER_DN and SERIALNO; if it is not already in the cache, try to find it from other resources. */ Index: dirmngr/src/crlcache.c diff -u dirmngr/src/crlcache.c:1.52 dirmngr/src/crlcache.c:1.53 --- dirmngr/src/crlcache.c:1.52 Wed Dec 15 23:11:59 2004 +++ dirmngr/src/crlcache.c Tue Feb 1 17:49:15 2005 @@ -1,6 +1,6 @@ /* crlcache.c - LDAP access * Copyright (C) 2002 Klarälvdalens Datakonsult AB - * Copyright (C) 2003, 2004 g10 Code GmbH + * Copyright (C) 2003, 2004, 2005 g10 Code GmbH * * This file is part of DirMngr. * 
@@ -1365,57 +1365,89 @@ } -/* Return the certificate for ISSUER or NULL if it can't be found. */ +/* Return the certificate for NAME or NULL if it can't be found. Note + that we will only return the first matching certificate. */ static ksba_cert_t -get_issuer_cert (ctrl_t ctrl, const char *issuer) +get_crlissuer_cert (ctrl_t ctrl, const char *name) { gpg_error_t err; - ksba_cert_t issuer_cert = NULL; - ksba_reader_t reader; + ksba_cert_t cert = NULL; + cert_fetch_context_t context; /* First check whether it has already been cached. */ - issuer_cert = get_cert_byissuer (issuer, 0); - if (issuer_cert) - return issuer_cert; /* Done. */ + cert = get_cert_bysubject (name, 0); + if (cert) + return cert; /* Done. */ /* Ask back to the service requester to return the certificate. This is because we can assume that he already used the certificate while checking for the CRL. */ - issuer_cert = get_cert_local (ctrl, issuer); - if (issuer_cert) - return issuer_cert; /* Done. */ + cert = get_cert_local (ctrl, name); + if (cert) + return cert; /* Done. */ /* If this fails do a regular certificate lookup. 
*/ if (DBG_LOOKUP) log_debug ("certificate for CRL issuer not returned by caller" " - doing lookup\n"); - err = ca_cert_fetch (ctrl, issuer, &reader); + err = ca_cert_fetch (ctrl, &context, name); if (err) { - log_error (_("error fetching certificate for issuer: %s\n"), + log_error (_("error fetching certificate for CRL issuer: %s\n"), gpg_strerror (err)); return NULL; } - err = ksba_cert_new (&issuer_cert); - if (!err) - { - err = ksba_cert_read_der (issuer_cert, reader); - if (err) - { - ksba_cert_release (issuer_cert); - issuer_cert = NULL; - } - } + err = fetch_next_ksba_cert (context, &cert); if (err) - log_error (_("invalid issuer certificate: %s\n"), gpg_strerror (err) ); - ksba_reader_release (reader); + log_error (_("invalid CRL issuer certificate: %s\n"), gpg_strerror (err) ); + end_cert_fetch (context); if (!err) - cache_cert (issuer_cert); + cache_cert (cert); + + return cert; +} + + +/* Return the certificate from the issuer DN NAME and the S/N SN. + First tries the local chache, then asks the caller and then tries + an ldap search. */ +static ksba_cert_t +get_crlissuer_cert_bysn (ctrl_t ctrl, const char *name, ksba_sexp_t sn) +{ + ksba_cert_t cert; + char *snbuf, *buf; + + /* First check whether it has already been cached. */ + cert = get_cert_bysn (name, sn); + if (cert) + return cert; /* Done. */ + + /* Ask back to the service requester to return the certificate. + This is because we can assume that he already used the + certificate while checking for the CRL. */ + snbuf = serial_hex (sn); + if (!snbuf) + snbuf = ""; + buf = xtrymalloc (1 + strlen (snbuf) + 1 + strlen (name) + 1 ); + if (!buf) + { + xfree (snbuf); + return NULL; + } + strcpy (stpcpy (stpcpy (stpcpy (buf, "#"), snbuf), "/"), name); + xfree (snbuf); + cert = get_cert_local (ctrl, buf); + xfree (buf); + if (cert) + { + cache_cert (cert); + return cert; /* Done. */ + } - return issuer_cert; + return find_cert_bysn (ctrl, name, sn); } 
@@ -1540,28 +1572,29 @@ CRL object and stored in the data base file DB with the name FNAME (only used for printing error messages). That DB should be a temporary one and not the actual one. If the function fails the - caller should delete this temporary databse file. CTRL is required - to retrieve certificates using the general dirmngr callback - service. R_ISSUER returns an allocated string with the issuer DB, - THIS_UPDATE and NEXT_UPDATE are filled with the correspondind data - from the CRL. Note that these values might get set even if the CRL - processing fails at a later step; thus the caller should free - *R_ISSUER even when the function returns with an error. + caller should delete this temporary database file. CTRL is + required to retrieve certificates using the general dirmngr + callback service. R_CRLISSUER returns an allocated string with the + crl-issuer DN, THIS_UPDATE and NEXT_UPDATE are filled with the + correspondind data from the CRL. Note that these values might get + set even if the CRL processing fails at a later step; thus the + caller should free *R_ISSUER even if the function returns with an + error. */ static int crl_parse_insert (ctrl_t ctrl, ksba_crl_t crl, struct cdb_make *cdb, const char *fname, - char **r_issuer, + char **r_crlissuer, ksba_isotime_t thisupdate, ksba_isotime_t nextupdate) { gpg_error_t err; ksba_stop_reason_t stopreason; - ksba_cert_t issuer_cert = NULL; + ksba_cert_t crlissuer_cert = NULL; gcry_md_hd_t md = NULL; int algo = 0; size_t n; - *r_issuer = NULL; + *r_crlissuer = NULL; *thisupdate = *nextupdate = 0; /* Start of the KSBA parser loop. */ 
@@ -1638,20 +1671,24 @@ case KSBA_SR_READY: { - char *issuer; + char *crlissuer; ksba_name_t authid; ksba_sexp_t authidsn; - err = ksba_crl_get_issuer (crl, &issuer); + /* We need to look for the issuer only after having read + all items. The issuer itselfs comes before the items + but the optional authorityKeyIdentifier comes after the + items. */ + err = ksba_crl_get_issuer (crl, &crlissuer); if( err ) { - log_error (_("no issuer found in CRL: %s\n"), + log_error (_("no CRL issuer found in CRL: %s\n"), gpg_strerror (err) ); err = gpg_error (GPG_ERR_INV_CRL); goto failure; } - *r_issuer = issuer; /* (Do it here so we don't need to - free it later) */ + *r_crlissuer = crlissuer; /* (Do it here so we don't need + to free it later) */ if (!ksba_crl_get_auth_key_id (crl, NULL, &authid, &authidsn)) { @@ -1663,10 +1700,10 @@ s = ksba_name_enum (authid, 0); if (s && *authidsn) - issuer_cert = find_cert_bysn (ctrl, s, authidsn); - if (!issuer_cert) + crlissuer_cert = get_crlissuer_cert_bysn (ctrl, s, authidsn); + if (!crlissuer_cert) { - log_info ("issuer certificate (#"); + log_info ("CRL issuer certificate (#"); dump_serial (authidsn); log_printf ("/"); dump_string (s); @@ -1676,27 +1713,27 @@ xfree (authidsn); } else - issuer_cert = get_issuer_cert (ctrl, issuer); + crlissuer_cert = get_crlissuer_cert (ctrl, crlissuer); err = 0; - if (!issuer_cert) + if (!crlissuer_cert) { err = gpg_error (GPG_ERR_MISSING_CERT); goto failure; } - err = finish_sig_check (crl, md, algo, issuer_cert); + err = finish_sig_check (crl, md, algo, crlissuer_cert); if (err) { log_error (_("CRL signature verification failed: %s\n"), gpg_strerror (err)); goto failure; } - err = validate_cert_chain (ctrl, issuer_cert, + err = validate_cert_chain (ctrl, crlissuer_cert, NULL, VALIDATE_MODE_CRL); if (err) { log_error (_("error checking validity of CRL " - "signing certificate: %s\n"), + "issuer certificate: %s\n"), gpg_strerror (err)); goto failure; } 
@@ -1715,7 +1752,7 @@ failure: - ksba_cert_release (issuer_cert); + ksba_cert_release (crlissuer_cert); return err; } @@ -1813,7 +1850,7 @@ /* FIXME: We should acquire a mutex for the URL, so that we don't - simultaneously enter the same CRL twice. However this needs t be + simultaneously enter the same CRL twice. However this needs to be interweaved with the checking function.*/ err2 = 0; @@ -1935,7 +1972,7 @@ || !strcmp (oid, oidstr_authorityKeyIdentifier) || !strcmp (oid, oidstr_crlNumber) ) continue; - log_error (_("unknown crtical CRL extension %s\n"), oid); + log_error (_("unknown critical CRL extension %s\n"), oid); if (!err2) err2 = gpg_error (GPG_ERR_INV_CRL); invalidate_crl |= 2; Index: dirmngr/src/crlfetch.c diff -u dirmngr/src/crlfetch.c:1.23 dirmngr/src/crlfetch.c:1.24 --- dirmngr/src/crlfetch.c:1.23 Wed Dec 1 17:11:14 2004 +++ dirmngr/src/crlfetch.c Tue Feb 1 17:49:15 2005 @@ -1,6 +1,6 @@ /* crlfetch.c - LDAP access * Copyright (C) 2002 Klarälvdalens Datakonsult AB - * Copyright (C) 2003, 2004 g10 Code GmbH + * Copyright (C) 2003, 2004, 2005 g10 Code GmbH * * This file is part of DirMngr. * @@ -142,9 +142,12 @@ } -/* Fetch a CA certificate for DN using the default server. */ -int -ca_cert_fetch (ctrl_t ctrl, const char *dn, ksba_reader_t *reader) +/* Fetch a CA certificate for DN using the default server. This + function only initiates the fetch; fetch_next_cert must be used to + actually read the certificate; end_cert_fetch to end the + operation. */ +gpg_error_t +ca_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, const char *dn) { if (opt.disable_ldap) { @@ -152,7 +155,7 @@ "LDAP"); return gpg_error (GPG_ERR_NOT_SUPPORTED); } - return attr_fetch_ldap (ctrl, dn, "cACertificate", reader); + return start_default_fetch_ldap (ctrl, context, dn, "cACertificate"); } 
@@ -162,7 +165,7 @@ { if (opt.disable_ldap) { - log_error (_("Certificate search not possible due to disabled %s\n"), + log_error (_("certificate search not possible due to disabled %s\n"), "LDAP"); return gpg_error (GPG_ERR_NOT_SUPPORTED); } @@ -176,6 +179,44 @@ return fetch_next_cert_ldap (context, value, valuelen); } + +/* Fetch the next data from CONTEXT, assuming it is a certificate and return + it as a cert object in R_CERT. */ +gpg_error_t +fetch_next_ksba_cert (cert_fetch_context_t context, ksba_cert_t *r_cert) +{ + gpg_error_t err; + unsigned char *value; + size_t valuelen; + ksba_cert_t cert; + + *r_cert = NULL; + + err = fetch_next_cert_ldap (context, &value, &valuelen); + if (!err && !value) + err = gpg_error (GPG_ERR_BUG); + if (err) + return err; + + err = ksba_cert_new (&cert); + if (err) + { + xfree (value); + return err; + } + + err = ksba_cert_init_from_mem (cert, value, valuelen); + xfree (value); + if (err) + { + ksba_cert_release (cert); + return err; + } + *r_cert = cert; + return 0; +} + + void end_cert_fetch (cert_fetch_context_t context) { Index: dirmngr/src/crlfetch.h diff -u dirmngr/src/crlfetch.h:1.13 dirmngr/src/crlfetch.h:1.14 --- dirmngr/src/crlfetch.h:1.13 Fri Dec 17 16:16:12 2004 +++ dirmngr/src/crlfetch.h Tue Feb 1 17:49:15 2005 @@ -39,7 +39,8 @@ /* Fetch cert for DN. */ -int ca_cert_fetch (ctrl_t ctrl, const char *dn, ksba_reader_t *reader); +gpg_error_t ca_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, + const char *dn); /* Query the server for certs matching patterns. */ @@ -49,6 +50,8 @@ const ldap_server_t server); gpg_error_t fetch_next_cert(cert_fetch_context_t context, unsigned char **value, size_t *valuelen); +gpg_error_t fetch_next_ksba_cert (cert_fetch_context_t context, + ksba_cert_t *r_cert); void end_cert_fetch (cert_fetch_context_t context); /* Close a reader object. */ 
@@ -70,10 +73,13 @@ ksba_reader_t *reader); -gpg_error_t start_cert_fetch_ldap(ctrl_t ctrl, - cert_fetch_context_t *context, - strlist_t patterns, - const ldap_server_t server ); +gpg_error_t start_default_fetch_ldap (ctrl_t ctrl, + cert_fetch_context_t *context, + const char *dn, const char *attr); +gpg_error_t start_cert_fetch_ldap( ctrl_t ctrl, + cert_fetch_context_t *context, + strlist_t patterns, + const ldap_server_t server ); gpg_error_t fetch_next_cert_ldap (cert_fetch_context_t context, unsigned char **value, size_t *valuelen ); void end_cert_fetch_ldap (cert_fetch_context_t context); Index: dirmngr/src/dirmngr.c diff -u dirmngr/src/dirmngr.c:1.54 dirmngr/src/dirmngr.c:1.55 --- dirmngr/src/dirmngr.c:1.54 Fri Dec 17 16:16:12 2004 +++ dirmngr/src/dirmngr.c Tue Feb 1 17:49:15 2005 @@ -931,15 +931,20 @@ } else if (cmd == aLoadCRL) { + struct server_control_s ctrlbuf; + + memset (&ctrlbuf, 0, sizeof ctrlbuf); + dirmngr_init_default_ctrl (&ctrlbuf); + launch_reaper_thread (); cert_cache_init (); crl_cache_init (); if (!argc) - rc = crl_cache_load (NULL, NULL); + rc = crl_cache_load (&ctrlbuf, NULL); else { for (; !rc && argc; argc--, argv++) - rc = crl_cache_load (NULL, *argv); + rc = crl_cache_load (&ctrlbuf, *argv); } } else if (cmd == aFetchCRL) @@ -962,7 +967,7 @@ argv[0], gpg_strerror (rc)); else { - rc = crl_cache_insert (NULL, argv[0], reader); + rc = crl_cache_insert (&ctrlbuf, argv[0], reader); if (rc) log_error (_("processing CRL from `%s' failed: %s\n"), argv[0], gpg_strerror (rc)); 
@@ -1035,6 +1040,7 @@ printf ("disable-http:%lu:\n", GC_OPT_FLAG_NONE); printf ("disable-ldap:%lu:\n", GC_OPT_FLAG_NONE); + printf ("honor-http-proxy:%lu\n", GC_OPT_FLAG_NONE); printf ("http-proxy:%lu:\n", GC_OPT_FLAG_NONE); printf ("ldap-proxy:%lu:\n", GC_OPT_FLAG_NONE); printf ("only-ldap-proxy:%lu:\n", GC_OPT_FLAG_NONE); Index: dirmngr/src/ldap.c diff -u dirmngr/src/ldap.c:1.45 dirmngr/src/ldap.c:1.46 --- dirmngr/src/ldap.c:1.45 Fri Dec 17 16:16:12 2004 +++ dirmngr/src/ldap.c Tue Feb 1 17:49:15 2005 @@ -1,6 +1,6 @@ /* ldap.c - LDAP access * Copyright (C) 2002 Klarälvdalens Datakonsult AB - * Copyright (C) 2003, 2004 g10 Code GmbH + * Copyright (C) 2003, 2004, 2005 g10 Code GmbH * * This file is part of DirMngr. * @@ -51,6 +51,7 @@ "$-_.+!*'()," #define USERCERTIFICATE "userCertificate" #define CACERTIFICATE "caCertificate" +#define USERSMIMECERTIFICATE "userSMIMECertificate" /* Definition for the context of the cert fetch functions. */ @@ -705,7 +706,7 @@ if (opt.verbose) log_info (_("ldap wrapper %d started\n"), (int)ctx->pid); - /* Need to wait for the first byte so we are able todetect an empty + /* Need to wait for the first byte so we are able to detect an empty output and not let the consumer se an EOF without further error indications. The CRL loading logic assumes that after return from this function, a failed search (e.g. host not found ) is @@ -737,6 +738,7 @@ static gpg_error_t run_ldap_wrapper (ctrl_t ctrl, int ignore_timeout, + int multi_mode, const char *proxy, const char *host, int port, const char *user, const char *pass, @@ -744,7 +746,7 @@ const char *url, ksba_reader_t *reader) { - const char *argv[30]; + const char *argv[40]; int argc; char portbuf[30], timeoutbuf[30]; @@ -760,6 +762,8 @@ if (opt.verbose) argv[argc++] = "-vv"; argv[argc++] = "--log-with-pid"; + if (multi_mode) + argv[argc++] = "--multi"; if (opt.ldaptimeout) { sprintf (timeoutbuf, "%u", opt.ldaptimeout); 
@@ -825,6 +829,7 @@ err = run_ldap_wrapper (ctrl, 1, /* Ignore explicit timeout because CRLS might be very large. */ + 0, opt.ldap_proxy, host, port, NULL, NULL, @@ -864,6 +869,7 @@ { err = run_ldap_wrapper (ctrl, 0, + 0, NULL, server->host, server->port, NULL, NULL, @@ -896,6 +902,7 @@ { err = run_ldap_wrapper (ctrl, 0, + 0, opt.ldap_proxy, server->host, server->port, server->user, server->pass, @@ -1041,7 +1048,9 @@ { gpg_error_t err; char *u_dn, *u_filter; - char const attrs[] = (USERCERTIFICATE "," CACERTIFICATE); + char const attrs[] = (USERCERTIFICATE "," +/* USERSMIMECERTIFICATE "," */ + CACERTIFICATE); *url = NULL; @@ -1079,8 +1088,48 @@ } +/* Prepare an LDAP query to return the attribute ATTR for the DN. All + vonfigured default servers are queried until one responds. This + function returns an error code or 0 and a CONTEXT on success. */ +gpg_error_t +start_default_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *context, + const char *dn, const char *attr) +{ + gpg_error_t err; + struct ldap_server_s *server; + + *context = xtrycalloc (1, sizeof **context); + if (!*context) + return gpg_error_from_errno (errno); + + /* FIXME; we might want to look at the Base SN to try matching + servers first. */ + err = gpg_error (GPG_ERR_CONFIGURATION); + for (server = opt.ldapservers; server; server = server->next) + { + err = run_ldap_wrapper (ctrl, + 0, + 1, + opt.ldap_proxy, + server->host, server->port, + server->user, server->pass, + dn, "objectClass=*", attr, NULL, + &(*context)->reader); + if (!err) + break; /* Probably found a result. */ + } + + if (err) + { + xfree (*context); + *context = NULL; + } + return err; +} + + /* Prepare an LDAP query to return certificates maching PATTERNS using - the SERVER. This function retruns an error code or 0 and a CONTEXT + the SERVER. This function returns an error code or 0 and a CONTEXT on success. */ gpg_error_t start_cert_fetch_ldap (ctrl_t ctrl, cert_fetch_context_t *context, 
@@ -1227,13 +1276,14 @@ has been truncated. */ gpg_error_t fetch_next_cert_ldap (cert_fetch_context_t context, - unsigned char **value, size_t *valuelen) + unsigned char **value, size_t *valuelen) { gpg_error_t err; unsigned char hdr[5]; char *p, *pend; int n; int okay = 0; + int is_cms = 0; *value = NULL; *valuelen = 0; @@ -1247,12 +1297,63 @@ n = (hdr[1] << 24)|(hdr[2]<<16)|(hdr[3]<<8)|hdr[4]; if (*hdr == 'V' && okay) { - *value = xtrymalloc (n); - if (!*value) - return gpg_error_from_errno (errno); - *valuelen = n; - err = read_buffer (context->reader, *value, n); - break; /* Ready or error. */ +#if 0 /* That code is not yet ready. */ + + if (is_cms) + { + /* The certificate needs to be parsed from CMS data. Read */ + ksba_cms_t cms; + ksba_stop_reason_t stopreason; + int i; + + err = ksba_cms_new (&cms); + if (err) + goto leave; + err = ksba_cms_set_reader_writer (cms, context->reader, NULL); + if (err) + { + log_error ("ksba_cms_set_reader_writer failed: %s\n", + gpg_strerror (err)); + goto leave; + } + + do + { + err = ksba_cms_parse (cms, &stopreason); + if (err) + { + log_error ("ksba_cms_parse failed: %s\n", + gpg_strerror (err)); + goto leave; + } + + if (stopreason == KSBA_SR_BEGIN_DATA) + log_error ("userSMIMECertificate is not " + "a certs-only message\n"); + } + while (stopreason != KSBA_SR_READY); + + for (i=0; (cert=ksba_cms_get_cert (cms, i)); i++) + { + check_and_store (ctrl, stats, cert, 0); + ksba_cert_release (cert); + cert = NULL; + } + if (!i) + log_error ("no certificate found\n"); + else + any = 1; + } + else +#endif + { + *value = xtrymalloc (n); + if (!*value) + return gpg_error_from_errno (errno); + *valuelen = n; + err = read_buffer (context->reader, *value, n); + break; /* Ready or error. */ + } } else if (!n && *hdr == 'A') okay = 0; 
@@ -1274,6 +1375,7 @@ { p = context->tmpbuf; p[n] = 0; /*(we allocated one extra byte for this.)*/ + is_cms = 0; if ( (pend = strchr (p, ';')) ) *pend = 0; /* Strip off the extension. */ if (!ascii_strcasecmp (p, USERCERTIFICATE)) @@ -1290,6 +1392,14 @@ CACERTIFICATE); okay = 1; } +/* else if (!ascii_strcasecmp (p, USERSMIMECERTIFICATE)) */ +/* { */ +/* if (DBG_LOOKUP) */ +/* log_debug ("fetch_next_cert_ldap: got attribute `%s'\n", */ +/* USERSMIMECERTIFICATE); */ +/* okay = 1; */ +/* is_cms = 1; */ +/* } */ else { if (DBG_LOOKUP) From cvs at cvs.gnupg.org Tue Feb 1 17:59:08 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Tue Feb 1 17:59:16 2005 Subject: gnupg/keyserver (ChangeLog ksutil.h) Message-ID: Date: Tuesday, February 1, 2005 @ 18:08:18 Author: dshaw Path: /cvs/gnupg/gnupg/keyserver Modified: ChangeLog ksutil.h * ksutil.h: Up the default timeout to two minutes. -----------+ ChangeLog | 4 ++++ ksutil.h | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) Index: gnupg/keyserver/ChangeLog diff -u gnupg/keyserver/ChangeLog:1.108 gnupg/keyserver/ChangeLog:1.109 --- gnupg/keyserver/ChangeLog:1.108 Mon Jan 24 19:23:56 2005 +++ gnupg/keyserver/ChangeLog Tue Feb 1 18:08:18 2005 @@ -1,3 +1,7 @@ +2005-02-01 David Shaw + + * ksutil.h: Up the default timeout to two minutes. + 2005-01-24 David Shaw * gpgkeys_ldap.c (print_nocr): New. Index: gnupg/keyserver/ksutil.h diff -u gnupg/keyserver/ksutil.h:1.3 gnupg/keyserver/ksutil.h:1.4 --- gnupg/keyserver/ksutil.h:1.3 Tue Jan 18 12:16:10 2005 +++ gnupg/keyserver/ksutil.h Tue Feb 1 18:08:18 2005 @@ -53,8 +53,8 @@ struct keylist *next; }; -/* 30 seconds seems reasonable */ -#define DEFAULT_KEYSERVER_TIMEOUT 30 +/* 2 minutes seems reasonable */ +#define DEFAULT_KEYSERVER_TIMEOUT 120 unsigned int set_timeout(unsigned int seconds); int register_timeout(void); From cvs at cvs.gnupg.org Tue Feb 1 21:46:24 2005 
From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Tue Feb 1 21:46:30 2005 Subject: gnupg/util (ChangeLog http.c) Message-ID: Date: Tuesday, February 1, 2005 @ 21:55:35 Author: dshaw Path: /cvs/gnupg/gnupg/util Modified: ChangeLog http.c * http.c (connect_server): Fix fd leak when connecting to a round-robin server set that has some down servers. Noted by Phil Pennock. -----------+ ChangeLog | 6 ++++++ http.c | 10 +++++++++- 2 files changed, 15 insertions(+), 1 deletion(-) Index: gnupg/util/ChangeLog diff -u gnupg/util/ChangeLog:1.178 gnupg/util/ChangeLog:1.179 --- gnupg/util/ChangeLog:1.178 Thu Jan 20 12:42:02 2005 +++ gnupg/util/ChangeLog Tue Feb 1 21:55:35 2005 @@ -1,3 +1,9 @@ +2005-02-01 David Shaw + + * http.c (connect_server): Fix fd leak when connecting to a + round-robin server set that has some down servers. Noted by Phil + Pennock. + 2005-01-20 Werner Koch * simple-gettext.c (set_gettext_file): Use MO files depending on Index: gnupg/util/http.c diff -u gnupg/util/http.c:1.31 gnupg/util/http.c:1.32 --- gnupg/util/http.c:1.31 Thu Jan 13 23:09:33 2005 +++ gnupg/util/http.c Tue Feb 1 21:55:35 2005 @@ -859,6 +859,8 @@ connected=1; break; } + + sock_close(sock); } freeaddrinfo(res); @@ -880,6 +882,8 @@ if((host=gethostbyname(srvlist[srv].target))==NULL) continue; + hostfound=1; + if((sock=socket(host->h_addrtype,SOCK_STREAM,0))==-1) { log_error("error creating socket: %s\n",strerror(errno)); @@ -917,6 +921,8 @@ if(host->h_addr_list[i]) break; + + sock_close(sock); } #endif /* !HAVE_GETADDRINFO */ @@ -930,13 +936,15 @@ else log_error("%s: Host not found: ec=%d\n",server,(int)WSAGetLastError()); #else + int err=errno; if(hostfound) - log_error("%s: %s\n",server,strerror(errno)); + log_error("%s: %s\n",server,strerror(err)); else log_error("%s: Host not found\n",server); #endif if(sock!=-1) sock_close(sock); + errno=err; return -1; } From cvs at cvs.gnupg.org Tue Feb 1 21:47:58 2005 
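Review bot: both loop hunks in http.c add sock_close(sock); after a failed attempt but leave sock holding the closed descriptor, and the failure path at the end still runs "if(sock!=-1) sock_close(sock);", so when the last attempt fails the same descriptor is closed twice as far as these lines show. Setting sock=-1 right after each new sock_close call would keep the final cleanup correct.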
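Review bot: in the last http.c hunk, "int err=errno;" is declared inside the #else branch while "errno=err;" sits after the #endif, so the branch that logs WSAGetLastError() has no err in scope and should fail to compile. Move the declaration above the preprocessor conditional so both branches see it.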
From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Tue Feb 1 21:48:00 2005 Subject: gnupg/keyserver (ChangeLog gpgkeys_hkp.c gpgkeys_http.c) Message-ID: Date: Tuesday, February 1, 2005 @ 21:57:08 Author: dshaw Path: /cvs/gnupg/gnupg/keyserver Modified: ChangeLog gpgkeys_hkp.c gpgkeys_http.c * gpgkeys_hkp.c (get_key), gpgkeys_http.c (get_key): Fix missing http_close() calls. Noted by Phil Pennock. ----------------+ ChangeLog | 3 +++ gpgkeys_hkp.c | 1 + gpgkeys_http.c | 1 + 3 files changed, 5 insertions(+) Index: gnupg/keyserver/ChangeLog diff -u gnupg/keyserver/ChangeLog:1.109 gnupg/keyserver/ChangeLog:1.110 --- gnupg/keyserver/ChangeLog:1.109 Tue Feb 1 18:08:18 2005 +++ gnupg/keyserver/ChangeLog Tue Feb 1 21:57:08 2005 @@ -1,5 +1,8 @@ 2005-02-01 David Shaw + * gpgkeys_hkp.c (get_key), gpgkeys_http.c (get_key): Fix missing + http_close() calls. Noted by Phil Pennock. + * ksutil.h: Up the default timeout to two minutes. 2005-01-24 David Shaw Index: gnupg/keyserver/gpgkeys_hkp.c diff -u gnupg/keyserver/gpgkeys_hkp.c:1.47 gnupg/keyserver/gpgkeys_hkp.c:1.48 --- gnupg/keyserver/gpgkeys_hkp.c:1.47 Fri Jan 14 00:37:26 2005 +++ gnupg/keyserver/gpgkeys_hkp.c Tue Feb 1 21:57:08 2005 @@ -289,6 +289,7 @@ } m_free(line); + http_close(&hd); } free(request); Index: gnupg/keyserver/gpgkeys_http.c diff -u gnupg/keyserver/gpgkeys_http.c:1.12 gnupg/keyserver/gpgkeys_http.c:1.13 --- gnupg/keyserver/gpgkeys_http.c:1.12 Tue Jan 18 12:16:10 2005 +++ gnupg/keyserver/gpgkeys_http.c Tue Feb 1 21:57:08 2005 @@ -114,6 +114,7 @@ } m_free(line); + http_close(&hd); } free(request); From cvs at cvs.gnupg.org Thu Feb 3 10:23:37 2005 
From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Feb 3 10:23:44 2005 Subject: gnupg (7 files) Message-ID: Date: Thursday, February 3, 2005 @ 10:32:53 Author: wk Path: /cvs/gnupg/gnupg Modified: NEWS THANKS doc/ChangeLog doc/README.W32 g10/ChangeLog g10/mainproc.c g10/parse-packet.c Updated to match the switch to the NSIS installer. --------------------+ NEWS | 3 THANKS | 1 doc/ChangeLog | 4 doc/README.W32 | 219 +++++++++++++++++++++++++++---------- g10/ChangeLog | 4 g10/mainproc.c | 2 g10/parse-packet.c | 294 +++++++++++++++++++++++++++------------------------ 7 files changed, 329 insertions(+), 198 deletions(-) Index: gnupg/NEWS diff -u gnupg/NEWS:1.230 gnupg/NEWS:1.231 --- gnupg/NEWS:1.230 Sun Jan 23 02:19:32 2005 +++ gnupg/NEWS Thu Feb 3 10:32:53 2005 @@ -23,6 +23,9 @@ available, missing secret key stubs will be created on the fly. Details of the key are listed too. + * The implicit packet dumping in double verbose mode is now send + to stderr and not to stdout. + * [W32] The algorithm for the default home directory changed: First we look at the environment variable GNUPGHOME, if this one is not set, we check whether the registry entry Index: gnupg/THANKS diff -u gnupg/THANKS:1.80 gnupg/THANKS:1.81 --- gnupg/THANKS:1.80 Mon Jan 17 11:13:59 2005 +++ gnupg/THANKS Thu Feb 3 10:32:53 2005 @@ -34,6 +34,7 @@ Daniel Eisenbud eisenbud@cs.swarthmore.edu Daniel Koening dan@mail.isis.de Daniel Resare daniel@resare.com +Dany Nativel dany@natzo.com Dave Dykstra dwd@bell-labs.com David C Niemi niemi@tuxers.net David Champion dgc@uchicago.edu Index: gnupg/doc/ChangeLog diff -u gnupg/doc/ChangeLog:1.92 gnupg/doc/ChangeLog:1.93 --- gnupg/doc/ChangeLog:1.92 Thu Jan 27 11:30:27 2005 +++ gnupg/doc/ChangeLog Thu Feb 3 10:32:53 2005 
@@ -1,3 +1,7 @@ +2005-02-03 Werner Koch + + * README.W32: Updated to match the switch to the NSIS installer. + 2005-01-27 Werner Koch * faq.raw: Updated to the version from 1.2.7. Index: gnupg/doc/README.W32 diff -u gnupg/doc/README.W32:1.6 gnupg/doc/README.W32:1.7 --- gnupg/doc/README.W32:1.6 Thu Jan 20 18:21:40 2005 +++ gnupg/doc/README.W32 Thu Feb 3 10:32:53 2005 @@ -1,5 +1,7 @@ -This is a binary version of GnuPG for MS-Windows 95, 98, WNT, W2000 -and XP. +README.W32 -*- text -*- + +This is a binary package with GnuPG for MS-Windows 95, 98, WNT, W2000 +and XP. See the file README for generic instructions and usage hints. A FAQ comes with this package and a probably more recent one can be found online at http://www.gnupg.org/faq.html. See 
@@ -7,85 +9,178 @@ particular the list gnupg-users@gnupg.org might be useful to answer questions - but please read the FAQ first. -Note: Due to the use of the NSIS installer, the information below are -mostly out of date. -Installation instructions: --------------------------- - 1. Unpack the ZIP archive (alright, you already did this). - 2. Copy "gpg.exe", "gpgv.exe" and "gpgkeys_ldap.exe" to a place - where you usually store your binaries. - 3. Create a directory "c:\gnupg" (or any other as you like) - 4. If you did not use the default directory "c:\gnupg", you - should enter a string with the directory into the Registry - under the key: - HKEY_CURRENT_USER -> Software -> GNU -> GnuPG - (you probably need to create the keys GNU and GnuPG) and insert a - new string under the name "HomeDir" with the value of the default - directory you want to use. Please use forward slashes and not the - backslashes when setting filenames for GnuPG into the Registry. - 5. Enter "gpg" and see what happens - 6. Read the file README and the online HOWTOs +Installation directory: +======================= + +The installation directory of GnuPG is stored in the Registry under +the key HKEY_LCOAL_MACHINE\Software\GNU\GnuPG with the name "Install +Directory". The installer does not change the PATH environment +variable to include this directory. You might want to do this +manually. + +Below the Installation directory, you will find directories named +"Doc", "gnupg.nls" and "Src". The latter will be used for distributed +patched, if any, and to store the source file if they have been +included in this package. The source files usually require further +unpacking using a the TAR utility. Internationalization support: ------------------------------ - 1 +============================= -Store the locale id (like "de") into the registry under the key -HKEY_CURRENT_USER\Software\GNU\GnuPG with the name "Lang". 
+Store the locale id (like "de") into the Registry under the key +HKEY_CURRENT_USER\Software\GNU\GnuPG with the name "Lang". This must +match one of the installed languages files in the directory named +"gnupg.nls" below the installation directory. Note, that the ".mo" +extension is not part of the lcoale id. + + +Home directory: +=============== + +GnuPG makes use of a per user home directory to store its keys as well +as configuration files. The default home directory is a directory +named "gnupg" below the application data directory of the user. This +directory will be created if it does not exist. Being only a default, +it may be changed by setting the name of the home directory into the +Registry under the key HKEY_CURRENT_USER\Software\GNU\GnuPG using the +name "HomeDir". If an environment varaibale "GNUPGHOME" exists, this +even overrides the registry setting. The command line option +"--homedir" may be used to override all other settings of the home +directory. + + +Reporting bugs: +=============== + +Please check the documentation first before asking or reporting a +bugs. In particular check the archives of the mailing lists (see +www.gnupg.org) and the bug tracking system at http://bugs.gnupg.org +(login is "guest" password is "guest") whether the problem is already +known. Asking on the gnupg-users mailing list is also strongly +encouraged; if you are not subscribed it may some time until a posting +is approved (this is an anti-spam measure). Bug reporting addresses +are listed in the file AUTHORS. + +If you want to report a bug or have other problems, always give +detailed description of the problem, the version of GnuPG you used, +the version of the OS, whether it is the official version from +gnupg.org or how you built it. Don't edit error messages - replacing +sensitive information like user IDs, fingerprints and keyids is okay. +If possible, switch to English messages by changing the "Lang" entry +to empty (see under Internationalization support). 
+ + +How to build GnuPG from the source: +=================================== + +Until recently all official GnuPG versions have been build using the +Mingw32/CPD kit as available at +ftp://ftp.gnupg.org/people/werner/cpd/mingw32-cqpd-0.3.2.tar.gz . +However, for maintenance reasons we switched to Debian's mingw32 cross +compiler package and that is now the recommended way of building GnuPG +for W32 platforms. It might be possible to build it nativly on a W32 +platform but this is not supported. Please don't file any bug reports +if it does not build with any other system than the recommended one. + +According to the conditions of the GNU General Public License you +either got the source files with this package, a written offer to send +you the source on demand or the source is available at the same site +you downloaded the binary package. If you downloaded the package from +the official GnuPG site or one of its mirrors, the corresponding +source tarball is available in the sibling directory named gnupg. The +source used to build all versions is always the same and the version +numbers should match. If the version number of the binary package has +a letter suffix, you will find a patch file installed in the "Src" +directory with the changes relative to the generic version. + +The source is distributed as a BZIP2 or GZIP compressed tar archive. +See the instructions in file README on how to check the integrity of +that file. Wir a properly setup build environment, you unpack the +tarball change to the created directory and run + $ ./autogen.sh --build-w32 + $ make + $ cp g10/gpg*.exe /some_windows_drive/ -How to build it from the source: --------------------------------- -This version has been build with the Mingw32/CPD kit using the latest -stable version of GnuPG. 
+Building a version with the installer is a bit more complex and +basically works by creating a top directory, unpacking in that top +directory, switching to the gnupg-1.x.y directory, running +"./autogen.sh --build-w32" and "make", switching back to the top +directory, running a "mkdir dist-w32; mkdir iconv", copying the +required iconv files (iconv.dll, README.iconv, COPYING.LIB) into the +iconv directory, running gnupg-1.x.y/scripts/mk-w32-dist and voila, +the installer package will be available in the dist-w32 directory. -First get the source: It has to be available at the same location you -found this binary package - if not you should have received a written -offer to get the source delivered to you See the file COPYING (section -3) for details. -If you got this package from its canonical place (ftp.gnupg.org), the -source is available at: +Copying: +======== - ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.2.n.tar.gz +GnuPG is -or for development snapshots + Copyright 1998, 1999, 2000, 2001, 2002, 2003, 2004, + 2005 Free Software Foundation, Inc. - ftp://ftp.gnupg.org/gcrypt/alpha/gnupg/gnupg-1.x.n.tar.gz + GnuPG is free software; you can redistribute it and/or modify it + under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. -this is the same source as for the Unix version. If your binary -version of GnuPG is called something like gnupg-w32-1.0.4-1.zip, you -should find a patch file named gnupg-w32-1.0.4-1.0.4-1.diff.gz at the -same location, which has to be applied to the stock gpg source file. -Instructions are at the top of this file. + GnuPG is distributed in the hope that it will be useful, but WITHOUT + ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public + License for more details. 
-To build it, you need the MingW32/CPD kit, which is available at + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA + 02111-1307, USA - ftp://ftp.gnupg.org/people/werner/cpd/mingw32-cpd-0.3.2.tar.gz - ftp://ftp.gnupg.org/people/werner/cpd/gcc-core-2.95.2.tar.gz - ftp://ftp.gnupg.org/people/werner/cpd/binutils-2.9.1.tar.gz +See the files AUTHORS and THANKS for credits, further legal +information and bug reporting addresses pertaining to GnuPG. -gcc and binutils are stock GNU source which are available -at every GNU mirror. +For copying conditions of the GNU LIBICONV library see the file +README.iconv. + +The installer software used to create the official binary packages for +W32 is NSIS (http://nsis.sourceforge.net/): -After you have installed this environment you should be able to do this: + Copyright (C) 1999-2005 Nullsoft, Inc. - $ scripts/autogen.sh --build-w32 - $ make - $ mingw32 strip g10/gpg.exe - $ cp g10/gpg.exe /some_windows_drive/ + This license applies to everything in the NSIS package, except where + otherwise noted. + + This software is provided 'as-is', without any express or implied + warranty. In no event will the authors be held liable for any + damages arising from the use of this software. + + Permission is granted to anyone to use this software for any + purpose, including commercial applications, and to alter it and + redistribute it freely, subject to the following restrictions: + + 1. The origin of this software must not be misrepresented; you must + not claim that you wrote the original software. If you use this + software in a product, an acknowledgment in the product + documentation would be appreciated but is not required. + + 2. Altered source versions must be plainly marked as such, and must + not be misrepresented as being the original software. + + 3. 
This notice may not be removed or altered from any source + distribution. + +The user interface used with the installer is -And everything hopefully works. If there is a make problem in the -"po" directory you can eiterignore it or do a "touch po/all". To -build the distribtion ZIP file, you have to create a directory -"dist-w32" and run "scripts/mk-w32-dist" right after a successul make -run. + Copyright (C) 2002-2005 Joost Verburg -Don't forget that MS-Windows ist just a temporary workaround until -you can switch to a GNU system ;-) + [It is distributed along with NSIS and the same conditions as stated + above apply] -Be the source always with you. - Werner +The term "W32" is used to describe the API used by current Microsoft +Windows versions. We don't use the Microsft terminology here; in +hacker terminology, calling something a "win" is a form of praise. +Keep in mind that Windows ist just a temporary workaround until you +can switch to a complete Free Software system. Be the source always +with you. Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.692 gnupg/g10/ChangeLog:1.693 --- gnupg/g10/ChangeLog:1.692 Tue Feb 1 06:26:25 2005 +++ gnupg/g10/ChangeLog Thu Feb 3 10:32:53 2005 @@ -18,6 +18,10 @@ 2005-01-27 Werner Koch + * parse-packet.c (listfp): New. + (set_packet_list_mode): Intialize it to stdout or stderr depending + on a global option. Made all printing in list mode use LISTFP. + * keygen.c (generate_subkeypair): Detect primary key on-card and ask for the passphrase. Return an error if the primary key is a plain stub. Index: gnupg/g10/mainproc.c diff -u gnupg/g10/mainproc.c:1.161 gnupg/g10/mainproc.c:1.162 --- gnupg/g10/mainproc.c:1.161 Thu Oct 21 21:18:47 2004 +++ gnupg/g10/mainproc.c Thu Feb 3 10:32:53 2005 
@@ -1151,7 +1151,7 @@ if( rc ) { free_packet(pkt); /* stop processing when an invalid packet has been encountered - * but don't do so when we are doing a --list-packet. */ + * but don't do so when we are doing a --list-packets. */ if( rc == G10ERR_INVALID_PACKET && opt.list_packets != 2 ) break; continue; Index: gnupg/g10/parse-packet.c diff -u gnupg/g10/parse-packet.c:1.114 gnupg/g10/parse-packet.c:1.115 --- gnupg/g10/parse-packet.c:1.114 Sun Oct 17 00:48:20 2004 +++ gnupg/g10/parse-packet.c Thu Feb 3 10:32:53 2005 @@ -1,6 +1,6 @@ /* parse-packet.c - read packets * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, - * 2004 Free Software Foundation, Inc. + * 2004, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -37,8 +37,9 @@ #include "main.h" #include "i18n.h" -static int mpi_print_mode = 0; -static int list_mode = 0; +static int mpi_print_mode; +static int list_mode; +static FILE *listfp; static int parse( IOBUF inp, PACKET *pkt, int onlykeypkts, off_t *retpos, int *skip, IOBUF out, int do_skip 
@@ -105,6 +106,23 @@ int old = list_mode; list_mode = mode; mpi_print_mode = DBG_MPI; + /* We use stdout print only if invoked by the --list-packets + command but switch to stderr in all otehr cases. This breaks + the previous behaviour but that seems to be more of a bug than + intentional. I don't believe that any application makes use of + this long standing annoying way of printing to stdout except + when doing a --list-packets. If this assumption fails, it will + be easy to add an option for the listing stream. Note that we + initialize it only once; mainly because some code may switch + the option value later back to 1 and we want to have all output + to the same stream. + + Using stderr is not actually very clean because it bypasses the + logging code but it is a special thing anyay. I am not sure + whether using log_stream() would be better. Perhaps we should + enable the list mdoe only with a special option. */ + if (!listfp) + listfp = opt.list_packets == 2 ? stdout : stderr; return old; } @@ -523,14 +541,14 @@ { if( *i && !(*i%8) ) { if( *i && !(*i%24) ) - printf("\n%4d:", *i ); + fprintf (listfp, "\n%4d:", *i ); else - putchar(' '); + putc (' ', listfp); } if( c == -1 ) - printf(" EOF" ); + fprintf (listfp, " EOF" ); else - printf(" %02x", c ); + fprintf (listfp, " %02x", c ); ++*i; } @@ -573,13 +591,14 @@ { if( list_mode ) { if( pkttype == PKT_MARKER ) - fputs(":marker packet:\n", stdout ); + fputs(":marker packet:\n", listfp ); else - printf(":unknown packet: type %2d, length %lu\n", pkttype, pktlen); + fprintf (listfp, ":unknown packet: type %2d, length %lu\n", + pkttype, pktlen); if( pkttype ) { int c, i=0 ; if( pkttype != PKT_MARKER ) - fputs("dump:", stdout ); + fputs("dump:", listfp ); if( partial ) { while( (c=iobuf_get(inp)) != -1 ) dump_hex_line(c, &i); @@ -588,7 +607,7 @@ for( ; pktlen; pktlen-- ) dump_hex_line(iobuf_get(inp), &i); } - putchar('\n'); + putc ('\n', listfp); return; } } 
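Review bot: in set_packet_list_mode, listfp is chosen once from opt.list_packets and never revisited, and this is the only assignment to it shown in the patch, so every converted fprintf, putc and fputs call relies on this function having run after option parsing and before any list-mode output. A comment at the "static FILE *listfp;" declaration stating that invariant would help, because a print site reached while listfp is still NULL would crash. The new comment block also has "otehr", "anyay" and "mdoe".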
@@ -691,18 +710,18 @@ assert( !pktlen ); if( list_mode ) { - printf(":symkey enc packet: version %d, cipher %d, s2k %d, hash %d", + fprintf (listfp, ":symkey enc packet: version %d, cipher %d, s2k %d, hash %d", version, cipher_algo, s2kmode, hash_algo); if(seskeylen) - printf(", seskey %d bits",(seskeylen-1)*8); - printf("\n"); + fprintf (listfp, ", seskey %d bits",(seskeylen-1)*8); + fprintf (listfp, "\n"); if( s2kmode == 1 || s2kmode == 3 ) { - printf("\tsalt "); + fprintf (listfp, "\tsalt "); for(i=0; i < 8; i++ ) - printf("%02x", k->s2k.salt[i]); + fprintf (listfp, "%02x", k->s2k.salt[i]); if( s2kmode == 3 ) - printf(", count %lu", (ulong)k->s2k.count ); - printf("\n"); + fprintf (listfp, ", count %lu", (ulong)k->s2k.count ); + fprintf (listfp, "\n"); } } @@ -736,13 +755,13 @@ k->pubkey_algo = iobuf_get_noeof(inp); pktlen--; k->throw_keyid = 0; /* only used as flag for build_packet */ if( list_mode ) - printf(":pubkey enc packet: version %d, algo %d, keyid %08lX%08lX\n", + fprintf (listfp, ":pubkey enc packet: version %d, algo %d, keyid %08lX%08lX\n", k->version, k->pubkey_algo, (ulong)k->keyid[0], (ulong)k->keyid[1]); ndata = pubkey_get_nenc(k->pubkey_algo); if( !ndata ) { if( list_mode ) - printf("\tunsupported algorithm %d\n", k->pubkey_algo ); + fprintf (listfp, "\tunsupported algorithm %d\n", k->pubkey_algo ); unknown_pubkey_warning( k->pubkey_algo ); k->data[0] = NULL; /* no need to store the encrypted data */ } @@ -751,9 +770,9 @@ n = pktlen; k->data[i] = mpi_read(inp, &n, 0); pktlen -=n; if( list_mode ) { - printf("\tdata: "); - mpi_print(stdout, k->data[i], mpi_print_mode ); - putchar('\n'); + fprintf (listfp, "\tdata: "); + mpi_print(listfp, k->data[i], mpi_print_mode ); + putc ('\n', listfp); } if (!k->data[i]) rc = G10ERR_INVALID_PACKET; 
@@ -777,82 +796,83 @@ * detect the ARRs - we print our old message here when it is a faked * ARR and add an additional notice */ if ( type == SIGSUBPKT_ARR && !hashed ) { - printf("\tsubpkt %d len %u (additional recipient request)\n" - "WARNING: PGP versions > 5.0 and < 6.5.8 will automagically " - "encrypt to this key and thereby reveal the plaintext to " - "the owner of this ARR key. Detailed info follows:\n", - type, (unsigned)length ); + fprintf (listfp, + "\tsubpkt %d len %u (additional recipient request)\n" + "WARNING: PGP versions > 5.0 and < 6.5.8 will automagically " + "encrypt to this key and thereby reveal the plaintext to " + "the owner of this ARR key. Detailed info follows:\n", + type, (unsigned)length ); } buffer++; length--; - printf("\t%s%ssubpkt %d len %u (", /*)*/ + fprintf (listfp, "\t%s%ssubpkt %d len %u (", /*)*/ critical ? "critical ":"", hashed ? "hashed ":"", type, (unsigned)length ); if( length > buflen ) { - printf("too short: buffer is only %u)\n", (unsigned)buflen ); + fprintf (listfp, "too short: buffer is only %u)\n", (unsigned)buflen ); return; } switch( type ) { case SIGSUBPKT_SIG_CREATED: if( length >= 4 ) - printf("sig created %s", strtimestamp( buffer_to_u32(buffer) ) ); + fprintf (listfp, "sig created %s", strtimestamp( buffer_to_u32(buffer) ) ); break; case SIGSUBPKT_SIG_EXPIRE: if( length >= 4 ) - printf("sig expires after %s", + fprintf (listfp, "sig expires after %s", strtimevalue( buffer_to_u32(buffer) ) ); break; case SIGSUBPKT_EXPORTABLE: if( length ) - printf("%sexportable", *buffer? "":"not "); + fprintf (listfp, "%sexportable", *buffer? 
"":"not "); break; case SIGSUBPKT_TRUST: if(length!=2) p="[invalid trust subpacket]"; else - printf("trust signature of depth %d, value %d",buffer[0],buffer[1]); + fprintf (listfp, "trust signature of depth %d, value %d",buffer[0],buffer[1]); break; case SIGSUBPKT_REGEXP: if(!length) p="[invalid regexp subpacket]"; else - printf("regular expression: \"%s\"",buffer); + fprintf (listfp, "regular expression: \"%s\"",buffer); break; case SIGSUBPKT_REVOCABLE: if( length ) - printf("%srevocable", *buffer? "":"not "); + fprintf (listfp, "%srevocable", *buffer? "":"not "); break; case SIGSUBPKT_KEY_EXPIRE: if( length >= 4 ) - printf("key expires after %s", + fprintf (listfp, "key expires after %s", strtimevalue( buffer_to_u32(buffer) ) ); break; case SIGSUBPKT_PREF_SYM: - fputs("pref-sym-algos:", stdout ); + fputs("pref-sym-algos:", listfp ); for( i=0; i < length; i++ ) - printf(" %d", buffer[i] ); + fprintf (listfp, " %d", buffer[i] ); break; case SIGSUBPKT_REV_KEY: - fputs("revocation key: ", stdout ); + fputs("revocation key: ", listfp ); if( length < 22 ) p = "[too short]"; else { - printf("c=%02x a=%d f=", buffer[0], buffer[1] ); + fprintf (listfp, "c=%02x a=%d f=", buffer[0], buffer[1] ); for( i=2; i < length; i++ ) - printf("%02X", buffer[i] ); + fprintf (listfp, "%02X", buffer[i] ); } break; case SIGSUBPKT_ISSUER: if( length >= 8 ) - printf("issuer key ID %08lX%08lX", + fprintf (listfp, "issuer key ID %08lX%08lX", (ulong)buffer_to_u32(buffer), (ulong)buffer_to_u32(buffer+4) ); break; case SIGSUBPKT_NOTATION: { - fputs("notation: ", stdout ); + fputs("notation: ", listfp ); if( length < 8 ) p = "[too short]"; else { @@ -865,11 +885,11 @@ if( 8+n1+n2 != length ) p = "[error]"; else { - print_string( stdout, s, n1, ')' ); - putc( '=', stdout ); + print_string( listfp, s, n1, ')' ); + putc( '=', listfp ); if( *buffer & 0x80 ) - print_string( stdout, s+n1, n2, ')' ); + print_string( listfp, s+n1, n2, ')' ); else p = "[not human readable]"; } 
@@ -877,67 +897,67 @@ } break; case SIGSUBPKT_PREF_HASH: - fputs("pref-hash-algos:", stdout ); + fputs("pref-hash-algos:", listfp ); for( i=0; i < length; i++ ) - printf(" %d", buffer[i] ); + fprintf (listfp, " %d", buffer[i] ); break; case SIGSUBPKT_PREF_COMPR: - fputs("pref-zip-algos:", stdout ); + fputs("pref-zip-algos:", listfp ); for( i=0; i < length; i++ ) - printf(" %d", buffer[i] ); + fprintf (listfp, " %d", buffer[i] ); break; case SIGSUBPKT_KS_FLAGS: - fputs("key server preferences:",stdout); + fputs("key server preferences:",listfp); for(i=0;ipubkey_algo, @@ -1386,7 +1406,7 @@ ndata = pubkey_get_nsig(sig->pubkey_algo); if( !ndata ) { if( list_mode ) - printf("\tunknown algorithm %d\n", sig->pubkey_algo ); + fprintf (listfp, "\tunknown algorithm %d\n", sig->pubkey_algo ); unknown_pubkey_warning( sig->pubkey_algo ); /* we store the plain material in data[0], so that we are able * to write it back with build_packet() */ @@ -1399,9 +1419,9 @@ sig->data[i] = mpi_read(inp, &n, 0 ); pktlen -=n; if( list_mode ) { - printf("\tdata: "); - mpi_print(stdout, sig->data[i], mpi_print_mode ); - putchar('\n'); + fprintf (listfp, "\tdata: "); + mpi_print(listfp, sig->data[i], mpi_print_mode ); + putc ('\n', listfp); } if (!sig->data[i]) rc = G10ERR_INVALID_PACKET; @@ -1439,7 +1459,7 @@ ops->keyid[1] = read_32(inp); pktlen -= 4; ops->last = iobuf_get_noeof(inp); pktlen--; if( list_mode ) - printf(":onepass_sig packet: keyid %08lX%08lX\n" + fprintf (listfp, ":onepass_sig packet: keyid %08lX%08lX\n" "\tversion %d, sigclass %02x, digest %d, pubkey %d, last=%d\n", (ulong)ops->keyid[0], (ulong)ops->keyid[1], version, ops->sig_class, 
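Review bot: in the SIGSUBPKT_REGEXP case of the subpacket dump, the converted line still hands buffer to a "%s" conversion although the subpacket is delimited by length and the only check shown is "if(!length)"; a subpacket body without a terminating NUL would be read past its end. Since the line is being touched anyway, consider printing it length-bounded the way the notation case does with print_string( listfp, s, n1, ')' ), which also escapes control characters in attacker-supplied data before it reaches the terminal.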
@@ -1515,16 +1535,16 @@ /* early versions of G10 use old PGP comments packets; * luckily all those comments are started by a hash */ if( list_mode ) { - printf(":rfc1991 comment packet: \"" ); + fprintf (listfp, ":rfc1991 comment packet: \"" ); for( ; pktlen; pktlen-- ) { int c; c = iobuf_get_noeof(inp); if( c >= ' ' && c <= 'z' ) - putchar(c); + putc (c, listfp); else - printf("\\x%02x", c ); + fprintf (listfp, "\\x%02x", c ); } - printf("\"\n"); + fprintf (listfp, "\"\n"); } iobuf_skip_rest(inp, pktlen, 0); return 0; @@ -1560,7 +1580,7 @@ } algorithm = iobuf_get_noeof(inp); pktlen--; if( list_mode ) - printf(":%s key packet:\n" + fprintf (listfp, ":%s key packet:\n" "\tversion %d, algo %d, created %lu, expires %lu\n", pkttype == PKT_PUBLIC_KEY? "public" : pkttype == PKT_SECRET_KEY? "secret" : @@ -1602,7 +1622,7 @@ npkey = pubkey_get_npkey( algorithm ); if( !npkey ) { if( list_mode ) - printf("\tunknown algorithm %d\n", algorithm ); + fprintf (listfp, "\tunknown algorithm %d\n", algorithm ); unknown_pubkey_warning( algorithm ); } @@ -1622,9 +1642,9 @@ for(i=0; i < npkey; i++ ) { n = pktlen; sk->skey[i] = mpi_read(inp, &n, 0 ); pktlen -=n; if( list_mode ) { - printf( "\tskey[%d]: ", i); - mpi_print(stdout, sk->skey[i], mpi_print_mode ); - putchar('\n'); + fprintf (listfp, "\tskey[%d]: ", i); + mpi_print(listfp, sk->skey[i], mpi_print_mode ); + putc ('\n', listfp); } if (!sk->skey[i]) rc = G10ERR_INVALID_PACKET; @@ -1654,7 +1674,7 @@ temp[i] = iobuf_get_noeof(inp); if( i < 4 || memcmp( temp, "GNU", 3 ) ) { if( list_mode ) - printf( "\tunknown S2K %d\n", + fprintf (listfp, "\tunknown S2K %d\n", sk->protect.s2k.mode ); rc = G10ERR_INVALID_PACKET; goto leave; 
@@ -1675,19 +1695,21 @@ break; } switch( sk->protect.s2k.mode ) { - case 0: if( list_mode ) printf( "\tsimple S2K" ); + case 0: if( list_mode ) fprintf (listfp, "\tsimple S2K" ); break; - case 1: if( list_mode ) printf( "\tsalted S2K" ); + case 1: if( list_mode ) fprintf (listfp, "\tsalted S2K" ); break; - case 3: if( list_mode ) printf( "\titer+salt S2K" ); + case 3: if( list_mode ) fprintf (listfp, "\titer+salt S2K" ); break; - case 1001: if( list_mode ) printf( "\tgnu-dummy S2K" ); + case 1001: if( list_mode ) fprintf (listfp, + "\tgnu-dummy S2K" ); break; - case 1002: if (list_mode) printf("\tgnu-divert-to-card S2K"); + case 1002: if (list_mode) fprintf (listfp, + "\tgnu-divert-to-card S2K"); break; default: if( list_mode ) - printf( "\tunknown %sS2K %d\n", + fprintf (listfp, "\tunknown %sS2K %d\n", sk->protect.s2k.mode < 1000? "":"GNU ", sk->protect.s2k.mode ); rc = G10ERR_INVALID_PACKET; @@ -1695,18 +1717,18 @@ } if( list_mode ) { - printf(", algo: %d,%s hash: %d", + fprintf (listfp, ", algo: %d,%s hash: %d", sk->protect.algo, sk->protect.sha1chk?" SHA1 protection," :" simple checksum,", sk->protect.s2k.hash_algo ); if( sk->protect.s2k.mode == 1 || sk->protect.s2k.mode == 3 ) { - printf(", salt: "); + fprintf (listfp, ", salt: "); for(i=0; i < 8; i++ ) - printf("%02x", sk->protect.s2k.salt[i]); + fprintf (listfp, "%02x", sk->protect.s2k.salt[i]); } - putchar('\n'); + putc ('\n', listfp); } if( sk->protect.s2k.mode == 3 ) { @@ -1717,7 +1739,7 @@ sk->protect.s2k.count = iobuf_get(inp); pktlen--; if( list_mode ) - printf("\tprotect count: %lu\n", + fprintf (listfp, "\tprotect count: %lu\n", (ulong)sk->protect.s2k.count); } else if( sk->protect.s2k.mode == 1002 ) { 
@@ -1741,7 +1763,7 @@ sk->protect.s2k.mode = 0; sk->protect.s2k.hash_algo = DIGEST_ALGO_MD5; if( list_mode ) - printf( "\tprotect algo: %d (hash algo: %d)\n", + fprintf (listfp, "\tprotect algo: %d (hash algo: %d)\n", sk->protect.algo, sk->protect.s2k.hash_algo ); } /* It is really ugly that we don't know the size @@ -1772,11 +1794,12 @@ for(i=0; i < sk->protect.ivlen && pktlen; i++, pktlen-- ) temp[i] = iobuf_get_noeof(inp); if( list_mode ) { - printf( sk->protect.s2k.mode == 1002? "\tserial-number: " - : "\tprotect IV: "); + fprintf (listfp, + sk->protect.s2k.mode == 1002? "\tserial-number: " + : "\tprotect IV: "); for(i=0; i < sk->protect.ivlen; i++ ) - printf(" %02x", temp[i] ); - putchar('\n'); + fprintf (listfp, " %02x", temp[i] ); + putc ('\n', listfp); } memcpy(sk->protect.iv, temp, sk->protect.ivlen ); } @@ -1800,7 +1823,7 @@ read_rest(inp, pktlen, 0),pktlen); pktlen = 0; if( list_mode ) { - printf("\tencrypted stuff follows\n"); + fprintf (listfp, "\tencrypted stuff follows\n"); } } else { /* v3 method: the mpi length is not encrypted */ @@ -1808,16 +1831,16 @@ if ( sk->is_protected ) { sk->skey[i] = read_protected_v3_mpi (inp, &pktlen); if( list_mode ) - printf( "\tskey[%d]: [encrypted]\n", i); + fprintf (listfp, "\tskey[%d]: [encrypted]\n", i); } else { n = pktlen; sk->skey[i] = mpi_read(inp, &n, 0 ); pktlen -=n; if( list_mode ) { - printf( "\tskey[%d]: ", i); - mpi_print(stdout, sk->skey[i], mpi_print_mode ); - putchar('\n'); + fprintf (listfp, "\tskey[%d]: ", i); + mpi_print(listfp, sk->skey[i], mpi_print_mode ); + putc ('\n', listfp); } } @@ -1829,7 +1852,7 @@ sk->csum = read_16(inp); pktlen -= 2; if( list_mode ) { - printf("\tchecksum: %04hx\n", sk->csum); + fprintf (listfp, "\tchecksum: %04hx\n", sk->csum); } } } 
@@ -1846,9 +1869,9 @@ for(i=0; i < npkey; i++ ) { n = pktlen; pk->pkey[i] = mpi_read(inp, &n, 0 ); pktlen -=n; if( list_mode ) { - printf( "\tpkey[%d]: ", i); - mpi_print(stdout, pk->pkey[i], mpi_print_mode ); - putchar('\n'); + fprintf (listfp, "\tpkey[%d]: ", i); + mpi_print(listfp, pk->pkey[i], mpi_print_mode ); + putc ('\n', listfp); } if (!pk->pkey[i]) rc = G10ERR_INVALID_PACKET; @@ -1959,15 +1982,15 @@ if( list_mode ) { int n = packet->pkt.user_id->len; - printf(":user ID packet: \""); + fprintf (listfp, ":user ID packet: \""); /* fixme: Hey why don't we replace this with print_string?? */ for(p=packet->pkt.user_id->name; n; p++, n-- ) { if( *p >= ' ' && *p <= 'z' ) - putchar(*p); + putc (*p, listfp); else - printf("\\x%02x", *p ); + fprintf (listfp, "\\x%02x", *p ); } - printf("\"\n"); + fprintf (listfp, "\"\n"); } return 0; } @@ -2030,7 +2053,7 @@ make_attribute_uidname(packet->pkt.user_id, EXTRA_UID_NAME_SPACE); if( list_mode ) { - printf(":attribute packet: %s\n", packet->pkt.user_id->name ); + fprintf (listfp, ":attribute packet: %s\n", packet->pkt.user_id->name ); } return 0; } @@ -2049,15 +2072,15 @@ if( list_mode ) { int n = packet->pkt.comment->len; - printf(":%scomment packet: \"", pkttype == PKT_OLD_COMMENT? + fprintf (listfp, ":%scomment packet: \"", pkttype == PKT_OLD_COMMENT? "OpenPGP draft " : "" ); for(p=packet->pkt.comment->data; n; p++, n-- ) { if( *p >= ' ' && *p <= 'z' ) - putchar(*p); + putc (*p, listfp); else - printf("\\x%02x", *p ); + fprintf (listfp, "\\x%02x", *p ); } - printf("\"\n"); + fprintf (listfp, "\"\n"); } return 0; } @@ -2084,14 +2107,14 @@ pkt->pkt.ring_trust->sigcache = c; } if( list_mode ) - printf(":trust packet: flag=%02x sigcache=%02x\n", + fprintf (listfp, ":trust packet: flag=%02x sigcache=%02x\n", pkt->pkt.ring_trust->trustval, pkt->pkt.ring_trust->sigcache); } else { if( list_mode ) - printf(":trust packet: empty\n"); + fprintf (listfp, ":trust packet: empty\n"); } iobuf_skip_rest (inp, pktlen, 0); } 
@@ -2136,21 +2159,21 @@ pktlen = 0; if( list_mode ) { - printf(":literal data packet:\n" + fprintf (listfp, ":literal data packet:\n" "\tmode %c (%X), created %lu, name=\"", mode >= ' ' && mode <'z'? mode : '?', mode, (ulong)pt->timestamp ); for(p=pt->name,i=0; i < namelen; p++, i++ ) { if( *p >= ' ' && *p <= 'z' ) - putchar(*p); + putc (*p, listfp); else - printf("\\x%02x", *p ); + fprintf (listfp, "\\x%02x", *p ); } - printf("\",\n\traw data: "); + fprintf (listfp, "\",\n\traw data: "); if(partial) - printf("unknown length\n"); + fprintf (listfp, "unknown length\n"); else - printf("%lu bytes\n", (ulong)pt->len ); + fprintf (listfp, "%lu bytes\n", (ulong)pt->len ); } leave: @@ -2174,7 +2197,7 @@ zd->new_ctb = new_ctb; zd->buf = inp; if( list_mode ) - printf(":compressed packet: algo=%d\n", zd->algorithm); + fprintf (listfp, ":compressed packet: algo=%d\n", zd->algorithm); return 0; } @@ -2223,11 +2246,12 @@ } if( list_mode ) { if( orig_pktlen ) - printf(":encrypted data packet:\n\tlength: %lu\n", orig_pktlen); + fprintf (listfp, ":encrypted data packet:\n\tlength: %lu\n", + orig_pktlen); else - printf(":encrypted data packet:\n\tlength: unknown\n"); + fprintf (listfp, ":encrypted data packet:\n\tlength: unknown\n"); if( ed->mdc_method ) - printf("\tmdc_method: %d\n", ed->mdc_method ); + fprintf (listfp, "\tmdc_method: %d\n", ed->mdc_method ); } ed->buf = inp; @@ -2247,7 +2271,7 @@ mdc = pkt->pkt.mdc= m_alloc(sizeof *pkt->pkt.mdc ); if( list_mode ) - printf(":mdc packet: length=%lu\n", pktlen); + fprintf (listfp, ":mdc packet: length=%lu\n", pktlen); if( !new_ctb || pktlen != 20 ) { log_error("mdc_packet with invalid encoding\n"); rc = G10ERR_INVALID_PACKET; @@ -2283,7 +2307,7 @@ int i; if ( list_mode ) - printf(":packet 63: length %lu ", pktlen); + fprintf (listfp, ":packet 63: length %lu ", pktlen); sesmark = get_session_marker ( &sesmarklen ); if ( pktlen < sesmarklen+1 ) /* 1 is for the control bytes */ 
@@ -2310,7 +2334,7 @@ int c; i=0; - printf("- private (rest length %lu)\n", pktlen); + fprintf (listfp, "- private (rest length %lu)\n", pktlen); if( partial ) { while( (c=iobuf_get(inp)) != -1 ) dump_hex_line(c, &i); @@ -2319,7 +2343,7 @@ for( ; pktlen; pktlen-- ) dump_hex_line(iobuf_get(inp), &i); } - putchar('\n'); + putc ('\n', listfp); } iobuf_skip_rest(inp,pktlen, 0); return G10ERR_INVALID_PACKET; From cvs at cvs.gnupg.org Thu Feb 3 12:07:07 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Feb 3 12:07:11 2005 Subject: gnupg (5 files) Message-ID: Date: Thursday, February 3, 2005 @ 12:16:27 Author: wk Path: /cvs/gnupg/gnupg Modified: scripts/ChangeLog scripts/mk-w32-dist scripts/w32installer.nsi util/ChangeLog util/http.c Last changes for W32 --------------------------+ scripts/ChangeLog | 6 ++++++ scripts/mk-w32-dist | 6 +++++- scripts/w32installer.nsi | 12 +++++++++--- util/ChangeLog | 4 ++++ util/http.c | 2 +- 5 files changed, 25 insertions(+), 5 deletions(-) Index: gnupg/scripts/ChangeLog diff -u gnupg/scripts/ChangeLog:1.61 gnupg/scripts/ChangeLog:1.62 --- gnupg/scripts/ChangeLog:1.61 Wed Jan 26 18:44:48 2005 +++ gnupg/scripts/ChangeLog Thu Feb 3 12:16:27 2005 @@ -1,3 +1,9 @@ +2005-02-03 Werner Koch + + * w32installer.nsi: Display README.W32 at the end of the + installation. + * mk-w32-dist: Append .txt to README.W32. + 2005-01-26 Werner Koch * w32installer.nsi: Create a start menu entry and enhanced the Index: gnupg/scripts/mk-w32-dist diff -u gnupg/scripts/mk-w32-dist:1.16 gnupg/scripts/mk-w32-dist:1.17 --- gnupg/scripts/mk-w32-dist:1.16 Wed Jan 26 18:44:47 2005 +++ gnupg/scripts/mk-w32-dist Thu Feb 3 12:16:27 2005 
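Review bot: In the `@@ -1622,9 +1642,9 @@` and `@@ -1808,16 +1831,16 @@` hunks, unprotected secret-key MPIs are written with `mpi_print(listfp, sk->skey[i], mpi_print_mode)`, so now that the destination is a variable rather than stdout, whoever assigns `listfp` decides where secret material ends up. The place that sets `listfp` should document that it must not point at a log file or other persistent stream while secret key packets are listed. In the first of these hunks the print also still happens before the `if (!sk->skey[i])` check, so the result of a failed `mpi_read` is printed before the packet is rejected; moving the check ahead of the print would be cleaner.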
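Review bot: The escape loop `if( *p >= ' ' && *p <= 'z' ) putc (*p, listfp); else fprintf (listfp, "\\x%02x", *p );` is touched in four places (`@@ -1515,16 +1535,16 @@`, `@@ -1959,15 +1982,15 @@`, `@@ -2049,15 +2072,15 @@`, `@@ -2136,21 +2159,21 @@`) and stays duplicated, although the fixme in the user ID hunk already suggests `print_string`. Since every copy is being edited anyway, factor it into one helper that takes the stream. The range check also lets `"` and `\` through unescaped, so packet contents controlled by the sender can close the quoted field or imitate an escape in the listing; the helper is the right place to escape those two characters.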
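Review bot: In the `@@ -2310,7 +2334,7 @@` and `@@ -2319,7 +2343,7 @@` hunks the header line and the trailing newline now go to `listfp`, but the `dump_hex_line(...)` calls between them are unchanged context. Unless `dump_hex_line` itself writes to `listfp`, the hex body of a private packet still lands on stdout and the listing is split across two streams. Please confirm the helper was converted in the same change, or pass the stream to it explicitly.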
@@ -79,7 +79,11 @@ cp ${srcdir}/$i $i.txt todos $i.txt done -for i in README.W32 gnupg-w32.reg; do +for i in README.W32 ; do + cp ${srcdir}/doc/$i $i.txt + todos $i.txt +done +for i in gnupg-w32.reg; do cp ${srcdir}/doc/$i . todos $i done Index: gnupg/scripts/w32installer.nsi diff -u gnupg/scripts/w32installer.nsi:1.4 gnupg/scripts/w32installer.nsi:1.5 --- gnupg/scripts/w32installer.nsi:1.4 Wed Jan 26 18:44:47 2005 +++ gnupg/scripts/w32installer.nsi Thu Feb 3 12:16:27 2005 @@ -60,7 +60,9 @@ Var STARTMENU_FOLDER Var DOC_INSTALLED +!ifdef WITH_WINPT Var WINPT_INSTALLED +!endif ; ------------------ ; Interface Settings @@ -113,7 +115,7 @@ !insertmacro MUI_PAGE_INSTFILES -!define MUI_FINISHPAGE_SHOWREADME "README.txt" +!define MUI_FINISHPAGE_SHOWREADME "README.W32.txt" !define MUI_FINISHPAGE_SHOWREADME_TEXT "$(T_ShowReadme)" !define MUI_FINISHPAGE_LINK \ "Visit the GnuPG website for latest news and support" @@ -163,7 +165,7 @@ SetOutPath "$INSTDIR\Doc" File "README.txt" - File "README.W32" + File "README.W32.txt" File "COPYING.txt" Call InstallIconv @@ -272,6 +274,8 @@ CreateShortCut "$SMPROGRAMS\$STARTMENU_FOLDER\GnuPG README.lnk" \ "$INSTDIR\Doc\README.txt" + CreateShortCut "$SMPROGRAMS\$STARTMENU_FOLDER\GnuPG README.Windows.lnk" \ + "$INSTDIR\Doc\README.W32.txt" CreateShortCut "$SMPROGRAMS\$STARTMENU_FOLDER\GnuPG NEWS.lnk" \ "$INSTDIR\Doc\NEWS.txt" @@ -280,6 +284,7 @@ "$INSTDIR\Doc\gpg.man" +!ifdef WITH_WINPT IntCmp $WINPT_INSTALLED 1 0 no_winpt_menu no_winpt_menu CreateShortCut "$SMPROGRAMS\$STARTMENU_FOLDER\winpt.lnk" \ "$INSTDIR\winpt.exe" @@ -290,6 +295,7 @@ "$INSTDIR\Doc\NEWS.winpt.txt" no_winpt_menu: +!endif CreateShortCut "$SMPROGRAMS\$STARTMENU_FOLDER\uninst-gnupg.lnk" \ "$INSTDIR\uninst-gnupg.exe" 
@@ -319,7 +325,7 @@ Delete "$INSTDIR\gpgkeys_ldap.exe" Delete "$INSTDIR\Doc\README.txt" - Delete "$INSTDIR\Doc\README.W32" + Delete "$INSTDIR\Doc\README.W32.txt" Delete "$INSTDIR\Doc\COPYING.txt" Delete "$INSTDIR\Doc\COPYING.LIB.txt" Delete "$INSTDIR\Doc\README.iconv.txt" Index: gnupg/util/ChangeLog diff -u gnupg/util/ChangeLog:1.179 gnupg/util/ChangeLog:1.180 --- gnupg/util/ChangeLog:1.179 Tue Feb 1 21:55:35 2005 +++ gnupg/util/ChangeLog Thu Feb 3 12:16:27 2005 @@ -1,3 +1,7 @@ +2005-02-03 Werner Koch + + * http.c (connect_server): Define ERR outside of the !W32 block. + 2005-02-01 David Shaw * http.c (connect_server): Fix fd leak when connecting to a Index: gnupg/util/http.c diff -u gnupg/util/http.c:1.32 gnupg/util/http.c:1.33 --- gnupg/util/http.c:1.32 Tue Feb 1 21:55:35 2005 +++ gnupg/util/http.c Thu Feb 3 12:16:27 2005 @@ -930,13 +930,13 @@ if(!connected) { + int err=errno; #ifdef _WIN32 if(hostfound) log_error("%s: Unable to connect: ec=%d\n",server,(int)WSAGetLastError()); else log_error("%s: Host not found: ec=%d\n",server,(int)WSAGetLastError()); #else - int err=errno; if(hostfound) log_error("%s: %s\n",server,strerror(err)); else From cvs at cvs.gnupg.org Thu Feb 3 14:11:37 2005 
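Review bot: In `scripts/w32installer.nsi` the `@@ -272,6 +274,8 @@` hunk creates a new `GnuPG README.Windows.lnk` shortcut, but the only uninstall change shown (`@@ -319,7 +325,7 @@`) is the renamed `Delete "$INSTDIR\Doc\README.W32.txt"`. Please check that the uninstall section also deletes the new shortcut, and consider keeping a `Delete "$INSTDIR\Doc\README.W32"` for upgrades over an install that still has the old file name. With `Var WINPT_INSTALLED` now inside `!ifdef WITH_WINPT`, every other use of `$WINPT_INSTALLED` needs the same guard; the visible hunks cover only the declaration and the start-menu block.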
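Review bot: In the `util/http.c` hunk `int err=errno;` is now captured on all platforms, but the `_WIN32` branch still calls `WSAGetLastError()` inside the `log_error` arguments and nothing in the visible lines uses `err` on that branch. If the intent is to keep the failure code for use after the `#endif`, capture the Winsock code once at the same point and log that value; otherwise add a short comment saying where `err` is consumed on W32, since the ChangeLog entry only records that the definition moved.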
From: cvs at cvs.gnupg.org (cvs user wk) Date: Thu Feb 3 14:11:41 2005 Subject: GNUPG-1-9-BRANCH gnupg (8 files) Message-ID: Date: Thursday, February 3, 2005 @ 14:20:58 Author: wk Path: /cvs/gnupg/gnupg Tag: GNUPG-1-9-BRANCH Modified: ChangeLog configure.ac jnlib/ChangeLog jnlib/logging.c scd/ChangeLog scd/apdu.c scd/app-openpgp.c scd/ccid-driver.c Forgot to commit the recent fixed to scd and logging - doing it now -------------------+ ChangeLog | 5 + configure.ac | 6 - jnlib/ChangeLog | 5 + jnlib/logging.c | 41 +++-------- scd/ChangeLog | 25 ++++++ scd/apdu.c | 14 ++- scd/app-openpgp.c | 193 ++++++++++++++++++++++++++++++++++------------------ scd/ccid-driver.c | 6 - 8 files changed, 191 insertions(+), 104 deletions(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.131.2.65 gnupg/ChangeLog:1.131.2.66 --- gnupg/ChangeLog:1.131.2.65 Thu Jan 13 19:00:46 2005 +++ gnupg/ChangeLog Thu Feb 3 14:20:57 2005 @@ -1,3 +1,8 @@ +2005-01-17 Werner Koch + + * configure.ac: Make --without-included-regex work as expected. + Fixed FTP location info for some libraries. + 2005-01-13 Werner Koch Released 1.9.15. Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.36.2.79 gnupg/configure.ac:1.36.2.80 --- gnupg/configure.ac:1.36.2.79 Thu Jan 13 20:03:37 2005 +++ gnupg/configure.ac Thu Feb 3 14:20:57 2005 @@ -889,7 +889,7 @@ AC_MSG_CHECKING([whether the included regex lib is requested]) AC_ARG_WITH(included-regex, [ --with-included-regex use the included GNU regex library], - [gnupg_cv_included_regex=yes],[gnupg_cv_included_regex=no]) + [gnupg_cv_included_regex="$withval"],[gnupg_cv_included_regex=no]) AC_MSG_RESULT($gnupg_cv_included_regex) if test $gnupg_cv_included_regex = no ; then @@ -1060,7 +1060,7 @@ *** *** You need libgpg-error to build this program. ** This library is for example available at -*** ftp://ftp.gnupg.org/gcrypt/alpha/libgpg-error +*** ftp://ftp.gnupg.org/gcrypt/libgpg-error *** (at least version $NEED_GPG_ERROR_VERSION is required.) ***]]) fi 
@@ -1070,7 +1070,7 @@ *** *** You need libgcrypt to build this program. ** This library is for example available at -*** ftp://ftp.gnupg.org/gcrypt/alpha/libgcrypt/ +*** ftp://ftp.gnupg.org/gcrypt/libgcrypt/ *** (at least version $NEED_LIBGCRYPT_VERSION using API $NEED_LIBGCRYPT_API) is required.) ***]]) fi Index: gnupg/jnlib/ChangeLog diff -u gnupg/jnlib/ChangeLog:1.3.2.31 gnupg/jnlib/ChangeLog:1.3.2.32 --- gnupg/jnlib/ChangeLog:1.3.2.31 Mon Dec 20 12:36:46 2004 +++ gnupg/jnlib/ChangeLog Thu Feb 3 14:20:57 2005 @@ -1,3 +1,8 @@ +2005-01-19 Werner Koch + + * logging.c (fun_writer): Don't fallback to stderr. Print to + stderr only if connected to a tty. + 2004-12-20 Werner Koch * w32-pth.c (do_pth_event_free): The events are hold in a ring Index: gnupg/jnlib/logging.c diff -u gnupg/jnlib/logging.c:1.2.2.12 gnupg/jnlib/logging.c:1.2.2.13 --- gnupg/jnlib/logging.c:1.2.2.12 Wed Dec 15 15:15:08 2004 +++ gnupg/jnlib/logging.c Thu Feb 3 14:20:57 2005 @@ -1,6 +1,6 @@ /* logging.c - useful logging functions * Copyright (C) 1998, 1999, 2000, 2001, 2003, - * 2004 Free Software Foundation, Inc. + * 2004, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -20,11 +20,6 @@ */ -/* This file should replace logger.c in the future - for now it is not - * used by GnuPG but by GPA. - * It is a quite simple implemenation but sufficient for most purposes. - */ - #include #include #include @@ -64,23 +59,6 @@ static int missing_lf; static int errorcount; -#if 0 -static void -write2stderr( const char *s ) -{ - write( 2, s, strlen(s) ); -} - - -static void -do_die(int rc, const char *text ) -{ - write2stderr("\nFatal error: "); - write2stderr(text); - write2stderr("\n"); - abort(); -} -#endif int log_get_errorcount (int clear) 
@@ -150,7 +128,8 @@ cookie->fd = socket (PF_LOCAL, SOCK_STREAM, 0); if (cookie->fd == -1) { - if (!cookie->quiet && !running_detached) + if (!cookie->quiet && !running_detached + && isatty (fileno (stderr))) fprintf (stderr, "failed to create socket for logging: %s\n", strerror(errno)); } @@ -168,7 +147,8 @@ if (connect (cookie->fd, (struct sockaddr *) &addr, addrlen) == -1) { - if (!cookie->quiet && !running_detached) + if (!cookie->quiet && !running_detached + && isatty (fileno (stderr))) fprintf (stderr, "can't connect to `%s': %s\n", cookie->name, strerror(errno)); close (cookie->fd); @@ -180,12 +160,16 @@ { if (!running_detached) { + /* Due to all the problems with apps not running + detahced but beeing caled with stderr closed or + used for a different purposes, it does not make + sense to switch to stderr. We tehrefore disable it. */ if (!cookie->quiet) { - fputs ("switching logging to stderr\n", stderr); + /* fputs ("switching logging to stderr\n", stderr);*/ cookie->quiet = 1; } - cookie->fd = fileno (stderr); + cookie->fd = -1; /*fileno (stderr);*/ } } else /* Connection has been established. */ @@ -199,7 +183,8 @@ if (cookie->fd != -1 && !writen (cookie->fd, buffer, size)) return size; /* Okay. */ - if (!running_detached && cookie->fd != -1) + if (!running_detached && cookie->fd != -1 + && isatty (fileno (stderr))) { if (*cookie->name) fprintf (stderr, "error writing to `%s': %s\n", Index: gnupg/scd/ChangeLog diff -u gnupg/scd/ChangeLog:1.25.2.65 gnupg/scd/ChangeLog:1.25.2.66 --- gnupg/scd/ChangeLog:1.25.2.65 Thu Jan 13 19:00:44 2005 +++ gnupg/scd/ChangeLog Thu Feb 3 14:20:57 2005 
@@ -1,3 +1,28 @@ +2005-01-26 Werner Koch + + * ccid-driver.c (parse_ccid_descriptor): Need the CSM workaround + also for newer firmware versions. Need to get a list of fixed + firmware versions and use that. + +2005-01-25 Werner Koch + + * apdu.c (apdu_send_le, apdu_send_direct): Fix some compiler + warnings. + + * app-openpgp.c (get_cached_data): New arg GET_IMMEDIATE to bypass + the cache. Changed all callers. + (get_one_do): Bypass the cache if the value would have been read + directly for v1.1 cards.It makes things a bit slower but obnly for + 1.0 cards and there are not that many cards out in the wild. This + is required to fix a caching bug when generating new keys; as a + side effect of the retrieval of the the C4 DO from the 6E DO the + cached fingerprint will get updated to the old value and later + when signing the generated key the checking of the fingerprint + fails becuase it won't match the new one. Thanks to Moritz for + analyzing this problem. + (verify_chv3): Removed the CHV status reread logic because we + won't cache the C4 DO anymore. + 2004-12-28 Werner Koch * ccid-driver.c (find_endpoint): New. Index: gnupg/scd/apdu.c diff -u gnupg/scd/apdu.c:1.4.2.25 gnupg/scd/apdu.c:1.4.2.26 --- gnupg/scd/apdu.c:1.4.2.25 Wed Dec 15 15:15:08 2004 +++ gnupg/scd/apdu.c Thu Feb 3 14:20:57 2005 @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA * - * $Id: apdu.c,v 1.4.2.25 2004/12/15 14:15:08 wk Exp $ + * $Id: apdu.c,v 1.4.2.26 2005/02/03 13:20:57 wk Exp $ */ #include @@ -2721,7 +2721,8 @@ resultlen -= 2; if (DBG_CARD_IO) { - log_debug (" response: sw=%04X datalen=%d\n", sw, resultlen); + log_debug (" response: sw=%04X datalen=%d\n", + sw, (unsigned int)resultlen); if ( !retbuf && (sw == SW_SUCCESS || (sw & 0xff00) == SW_MORE_DATA)) log_printhex (" dump: ", result, resultlen); } 
@@ -2787,7 +2788,8 @@ resultlen -= 2; if (DBG_CARD_IO) { - log_debug (" more: sw=%04X datalen=%d\n", sw, resultlen); + log_debug (" more: sw=%04X datalen=%d\n", + sw, (unsigned int)resultlen); if (!retbuf && (sw==SW_SUCCESS || (sw&0xff00)==SW_MORE_DATA)) log_printhex (" dump: ", result, resultlen); } @@ -2920,7 +2922,8 @@ resultlen -= 2; if (DBG_CARD_IO) { - log_debug (" response: sw=%04X datalen=%d\n", sw, resultlen); + log_debug (" response: sw=%04X datalen=%d\n", + sw, (unsigned int)resultlen); if ( !retbuf && (sw == SW_SUCCESS || (sw & 0xff00) == SW_MORE_DATA)) log_printhex (" dump: ", result, resultlen); } @@ -2972,7 +2975,8 @@ resultlen -= 2; if (DBG_CARD_IO) { - log_debug (" more: sw=%04X datalen=%d\n", sw, resultlen); + log_debug (" more: sw=%04X datalen=%d\n", + sw, (unsigned int)resultlen); if (!retbuf && (sw==SW_SUCCESS || (sw&0xff00)==SW_MORE_DATA)) log_printhex (" dump: ", result, resultlen); } Index: gnupg/scd/app-openpgp.c diff -u gnupg/scd/app-openpgp.c:1.9.2.23 gnupg/scd/app-openpgp.c:1.9.2.24 --- gnupg/scd/app-openpgp.c:1.9.2.23 Fri Oct 22 18:03:03 2004 +++ gnupg/scd/app-openpgp.c Thu Feb 3 14:20:57 2005 @@ -1,5 +1,5 @@ /* app-openpgp.c - The OpenPGP card application. - * Copyright (C) 2003, 2004 Free Software Foundation, Inc. + * Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -17,7 +17,7 @@ * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA * - * $Id: app-openpgp.c,v 1.9.2.23 2004/10/22 16:03:03 wk Exp $ + * $Id: app-openpgp.c,v 1.9.2.24 2005/02/03 13:20:57 wk Exp $ */ #include 
@@ -79,8 +79,13 @@ { 0x00C4, 0, 0x6E, 1, 0, 1, 1, "CHV Status Bytes" }, { 0x00C5, 0, 0x6E, 1, 0, 0, 0, "Fingerprints" }, { 0x00C6, 0, 0x6E, 1, 0, 0, 0, "CA Fingerprints" }, + { 0x00CD, 0, 0x6E, 1, 0, 0, 0, "Generation time" }, { 0x007A, 1, 0, 1, 0, 0, 0, "Security Support Template" }, { 0x0093, 0, 0x7A, 1, 1, 0, 0, "Digital Signature Counter" }, + { 0x0101, 0, 0, 0, 0, 0, 0, "Private DO 1"}, + { 0x0102, 0, 0, 0, 0, 0, 0, "Private DO 2"}, + { 0x0103, 0, 0, 0, 0, 0, 0, "Private DO 3"}, + { 0x0104, 0, 0, 0, 0, 0, 0, "Private DO 4"}, { 0 } }; @@ -133,10 +138,12 @@ /* Wrapper around iso7816_get_data which first tries to get the data - from the cache. */ + from the cache. With GET_IMMEDIATE passed as true, the cache is + bypassed. */ static gpg_error_t get_cached_data (app_t app, int tag, - unsigned char **result, size_t *resultlen) + unsigned char **result, size_t *resultlen, + int get_immediate) { gpg_error_t err; int i; @@ -147,23 +154,25 @@ *result = NULL; *resultlen = 0; - for (c=app->app_local->cache; c; c = c->next) - if (c->tag == tag) - { - if(c->length) + if (!get_immediate) + { + for (c=app->app_local->cache; c; c = c->next) + if (c->tag == tag) { - p = xtrymalloc (c->length); - if (!p) - return gpg_error (gpg_err_code_from_errno (errno)); - memcpy (p, c->data, c->length); - *result = p; + if(c->length) + { + p = xtrymalloc (c->length); + if (!p) + return gpg_error (gpg_err_code_from_errno (errno)); + memcpy (p, c->data, c->length); + *result = p; + } + + *resultlen = c->length; + + return 0; } - - *resultlen = c->length; - - return 0; - } - + } err = iso7816_get_data (app->slot, tag, &p, &len); if (err) @@ -172,6 +181,9 @@ *resultlen = len; /* Check whether we should cache this object. */ + if (get_immediate) + return 0; + for (i=0; data_objects[i].tag; i++) if (data_objects[i].tag == tag) { @@ -180,8 +192,7 @@ break; } - /* No, cache it. */ - + /* Okay, cache it. */ for (c=app->app_local->cache; c; c = c->next) assert (c->tag != tag); 
@@ -294,7 +305,8 @@ if (data_objects[i].tag && data_objects[i].get_from) { rc = get_cached_data (app, data_objects[i].get_from, - &buffer, &buflen); + &buffer, &buflen, + data_objects[i].get_immediate_in_v11); if (!rc) { const unsigned char *s; @@ -315,7 +327,8 @@ if (!value) /* Not in a constructed DO, try simple. */ { - rc = get_cached_data (app, tag, &buffer, &buflen); + rc = get_cached_data (app, tag, &buffer, &buflen, + data_objects[i].get_immediate_in_v11); if (!rc) { value = buffer; @@ -421,7 +434,7 @@ at any time and should be called after changing the login-data DO. Everything up to a LF is considered a mailbox or account name. If - the first LF is follewed by DC4 (0x14) control sequence are + the first LF is followed by DC4 (0x14) control sequence are expected up to the next LF. Control sequences are separated by FS (0x28) and consist of key=value pairs. There is one key defined: @@ -576,6 +589,23 @@ } static void +send_fprtime_if_not_null (ctrl_t ctrl, const char *keyword, + int number, const unsigned char *stamp) +{ + char numbuf1[50], numbuf2[50]; + unsigned long value; + + value = (stamp[0] << 24) | (stamp[1]<<16) | (stamp[2]<<8) | stamp[3]; + if (!value) + return; + sprintf (numbuf1, "%d", number); + sprintf (numbuf2, "%lu", value); + send_status_info (ctrl, keyword, + numbuf1, (size_t)strlen(numbuf1), + numbuf2, (size_t)strlen(numbuf2), NULL, 0); +} + +static void send_key_data (ctrl_t ctrl, const char *name, const unsigned char *a, size_t alen) { @@ -607,12 +637,17 @@ { "DISP-SEX", 0x5F35 }, { "PUBKEY-URL", 0x5F50 }, { "KEY-FPR", 0x00C5, 3 }, + { "KEY-TIME", 0x00CD, 4 }, { "CA-FPR", 0x00C6, 3 }, - { "CHV-STATUS", 0x00C4, 1 }, + { "CHV-STATUS", 0x00C4, 1 }, { "SIG-COUNTER", 0x0093, 2 }, { "SERIALNO", 0x004F, -1 }, { "AID", 0x004F }, { "EXTCAP", 0x0000, -2 }, + { "PRIVATE-DO-1", 0x0101 }, + { "PRIVATE-DO-2", 0x0102 }, + { "PRIVATE-DO-3", 0x0103 }, + { "PRIVATE-DO-4", 0x0104 }, { NULL, 0 } }; int idx, i; 
@@ -686,6 +721,12 @@ for (i=0; i < 3; i++) send_fpr_if_not_null (ctrl, table[idx].name, i+1, value+i*20); } + else if (table[idx].special == 4) + { + if (valuelen >= 12) + for (i=0; i < 3; i++) + send_fprtime_if_not_null (ctrl, table[idx].name, i+1, value+i*4); + } else send_status_info (ctrl, table[idx].name, value, valuelen, NULL, 0); @@ -705,9 +746,20 @@ do_getattr (app, ctrl, "PUBKEY-URL"); do_getattr (app, ctrl, "LOGIN-DATA"); do_getattr (app, ctrl, "KEY-FPR"); + if (app->card_version > 0x0100) + do_getattr (app, ctrl, "KEY-TIME"); do_getattr (app, ctrl, "CA-FPR"); do_getattr (app, ctrl, "CHV-STATUS"); do_getattr (app, ctrl, "SIG-COUNTER"); + if (app->app_local->extcap.private_dos) + { + do_getattr (app, ctrl, "PRIVATE-DO-1"); + do_getattr (app, ctrl, "PRIVATE-DO-2"); + if (app->did_chv2) + do_getattr (app, ctrl, "PRIVATE-DO-3"); + if (app->did_chv3) + do_getattr (app, ctrl, "PRIVATE-DO-4"); + } return 0; } @@ -792,8 +844,6 @@ void *relptr; unsigned char *value; size_t valuelen; - int reread_chv_status; - relptr = get_one_do (app, 0x00C4, &value, &valuelen); if (!relptr || valuelen < 7) @@ -809,13 +859,14 @@ return gpg_error (GPG_ERR_BAD_PIN); } - reread_chv_status = (value[6] < 3); - log_info(_("%d Admin PIN attempts remaining before card" " is permanently locked\n"), value[6]); xfree (relptr); - rc = pincb (pincb_arg, _("Admin PIN"), &pinvalue); + /* TRANSLATORS: Do not translate the "|A|" prefix but + keep it at the start of the string. We need this elsewhere + to get some infos on the string. */ + rc = pincb (pincb_arg, _("|A|Admin PIN"), &pinvalue); if (rc) { log_info (_("PIN callback returned error: %s\n"), gpg_strerror (rc)); 
@@ -839,13 +890,6 @@ return rc; } app->did_chv3 = 1; - /* If the PIN has been entered wrongly before, we need to flush - the cached value so that the next read correctly reflects the - resetted retry counter. Note that version 1.1 of the specs - allow direct reading of that DO, so that we could actually - flush it in all cases. */ - if (reread_chv_status) - flush_cache_item (app, 0x00C4); } return rc; } @@ -864,17 +908,22 @@ static struct { const char *name; int tag; + int need_chv; int special; } table[] = { - { "DISP-NAME", 0x005B }, - { "LOGIN-DATA", 0x005E, 2 }, - { "DISP-LANG", 0x5F2D }, - { "DISP-SEX", 0x5F35 }, - { "PUBKEY-URL", 0x5F50 }, - { "CHV-STATUS-1", 0x00C4, 1 }, - { "CA-FPR-1", 0x00CA }, - { "CA-FPR-2", 0x00CB }, - { "CA-FPR-3", 0x00CC }, + { "DISP-NAME", 0x005B, 3 }, + { "LOGIN-DATA", 0x005E, 3, 2 }, + { "DISP-LANG", 0x5F2D, 3 }, + { "DISP-SEX", 0x5F35, 3 }, + { "PUBKEY-URL", 0x5F50, 3 }, + { "CHV-STATUS-1", 0x00C4, 3, 1 }, + { "CA-FPR-1", 0x00CA, 3 }, + { "CA-FPR-2", 0x00CB, 3 }, + { "CA-FPR-3", 0x00CC, 3 }, + { "PRIVATE-DO-1", 0x0101, 2 }, + { "PRIVATE-DO-2", 0x0102, 3 }, + { "PRIVATE-DO-3", 0x0103, 2 }, + { "PRIVATE-DO-4", 0x0104, 3 }, { NULL, 0 } }; @@ -884,7 +933,17 @@ if (!table[idx].name) return gpg_error (GPG_ERR_INV_NAME); - rc = verify_chv3 (app, pincb, pincb_arg); + switch (table[idx].need_chv) + { + case 2: + rc = verify_chv2 (app, pincb, pincb_arg); + break; + case 3: + rc = verify_chv3 (app, pincb, pincb_arg); + break; + default: + rc = 0; + } if (rc) return rc; 
@@ -953,10 +1012,14 @@ else app->did_chv1 = app->did_chv2 = 0; - rc = pincb (pincb_arg, chvno == 3? "New Admin PIN" : "New PIN", &pinvalue); + /* Note to translators: Do not translate the "|*|" prefixes but + keep it at the start of the string. We need this elsewhere + to get some infos on the string. */ + rc = pincb (pincb_arg, chvno == 3? _("|AN|New Admin PIN") : _("|N|New PIN"), + &pinvalue); if (rc) { - log_error ("error getting new PIN: %s\n", gpg_strerror (rc)); + log_error (_("error getting new PIN: %s\n"), gpg_strerror (rc)); goto leave; } @@ -1022,14 +1085,14 @@ rc = iso7816_get_data (app->slot, 0x006E, &buffer, &buflen); if (rc) { - log_error ("error reading application data\n"); + log_error (_("error reading application data\n")); return gpg_error (GPG_ERR_GENERAL); } fpr = find_tlv (buffer, buflen, 0x00C5, &n); if (!fpr || n != 60) { rc = gpg_error (GPG_ERR_GENERAL); - log_error ("error reading fingerprint DO\n"); + log_error (_("error reading fingerprint DO\n")); goto leave; } fpr += 20*keyno; @@ -1038,13 +1101,13 @@ if (i!=20 && !force) { rc = gpg_error (GPG_ERR_EEXIST); - log_error ("key already exists\n"); + log_error (_("key already exists\n")); goto leave; } else if (i!=20) - log_info ("existing key will be replaced\n"); + log_info (_("existing key will be replaced\n")); else - log_info ("generating new key\n"); + log_info (_("generating new key\n")); rc = verify_chv3 (app, pincb, pincb_arg); @@ -1054,7 +1117,7 @@ xfree (buffer); buffer = NULL; #if 1 - log_info ("please wait while key is being generated ...\n"); + log_info (_("please wait while key is being generated ...\n")); start_at = time (NULL); rc = iso7816_generate_keypair #else 
@@ -1069,16 +1132,16 @@ if (rc) { rc = gpg_error (GPG_ERR_CARD); - log_error ("generating key failed\n"); + log_error (_("generating key failed\n")); goto leave; } - log_info ("key generation completed (%d seconds)\n", + log_info (_("key generation completed (%d seconds)\n"), (int)(time (NULL) - start_at)); keydata = find_tlv (buffer, buflen, 0x7F49, &keydatalen); if (!keydata) { rc = gpg_error (GPG_ERR_CARD); - log_error ("response does not contain the public key data\n"); + log_error (_("response does not contain the public key data\n")); goto leave; } @@ -1086,7 +1149,7 @@ if (!m) { rc = gpg_error (GPG_ERR_CARD); - log_error ("response does not contain the RSA modulus\n"); + log_error (_("response does not contain the RSA modulus\n")); goto leave; } /* log_printhex ("RSA n:", m, mlen); */ @@ -1096,7 +1159,7 @@ if (!e) { rc = gpg_error (GPG_ERR_CARD); - log_error ("response does not contain the RSA public exponent\n"); + log_error (_("response does not contain the RSA public exponent\n")); goto leave; } /* log_printhex ("RSA e:", e, elen); */ @@ -1129,7 +1192,7 @@ ul = (value[0] << 16) | (value[1] << 8) | value[2]; else { - log_error ("invalid structure of OpenPGP card (DO 0x93)\n"); + log_error (_("invalid structure of OpenPGP card (DO 0x93)\n")); ul = 0; } return ul; @@ -1161,17 +1224,17 @@ assert (keyno >= 1 && keyno <= 3); - rc = get_cached_data (app, 0x006E, &buffer, &buflen); + rc = get_cached_data (app, 0x006E, &buffer, &buflen, 0); if (rc) { - log_error ("error reading application data\n"); + log_error (_("error reading application data\n")); return gpg_error (GPG_ERR_GENERAL); } fpr = find_tlv (buffer, buflen, 0x00C5, &n); if (!fpr || n != 60) { xfree (buffer); - log_error ("error reading fingerprint DO\n"); + log_error (_("error reading fingerprint DO\n")); return gpg_error (GPG_ERR_GENERAL); } fpr += (keyno-1)*20; 
@@ -1290,7 +1353,7 @@ memcpy (data+15, indata, indatalen); sigcount = get_sig_counter (app); - log_info ("signatures created so far: %lu\n", sigcount); + log_info (_("signatures created so far: %lu\n"), sigcount); if (!app->did_chv1 || app->force_chv1 ) { Index: gnupg/scd/ccid-driver.c diff -u gnupg/scd/ccid-driver.c:1.1.2.23 gnupg/scd/ccid-driver.c:1.1.2.24 --- gnupg/scd/ccid-driver.c:1.1.2.23 Thu Jan 13 19:00:44 2005 +++ gnupg/scd/ccid-driver.c Thu Feb 3 14:20:57 2005 @@ -52,7 +52,7 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * - * $Id: ccid-driver.c,v 1.1.2.23 2005/01/13 18:00:44 wk Exp $ + * $Id: ccid-driver.c,v 1.1.2.24 2005/02/03 13:20:57 wk Exp $ */ @@ -403,7 +403,7 @@ if (buf[49] == 0xff) DEBUGOUT_CONT ("echo\n"); else - DEBUGOUT_1 (" %02X\n", buf[48]); + DEBUGOUT_CONT_1 (" %02X\n", buf[48]); DEBUGOUT ( " wlcdLayout "); if (!buf[50] && !buf[51]) @@ -450,7 +450,7 @@ if (handle->id_vendor == VENDOR_SCM /* FIXME: check whether it is the same firmware version for all drivers. */ - && handle->bcd_device < 0x0513 + && handle->bcd_device < 0x0519 && handle->max_ifsd > 48) { DEBUGOUT ("enabling workaround for buggy SCM readers\n"); From cvs at cvs.gnupg.org Thu Feb 3 20:32:19 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Thu Feb 3 20:32:22 2005 Subject: libgcrypt (ChangeLog) Message-ID: Date: Thursday, February 3, 2005 @ 20:41:41 Author: mo Path: /cvs/libgcrypt/libgcrypt Modified: ChangeLog 2005-02-03 Moritz Schulte * THANKS: Updated. -----------+ ChangeLog | 4 ++++ 1 files changed, 4 insertions(+) Index: libgcrypt/ChangeLog diff -u libgcrypt/ChangeLog:1.163 libgcrypt/ChangeLog:1.164 --- libgcrypt/ChangeLog:1.163 Mon Aug 9 12:41:31 2004 +++ libgcrypt/ChangeLog Thu Feb 3 20:41:41 2005 @@ -1,3 +1,7 @@ +2005-02-03 Moritz Schulte + + * THANKS: Updated. + 2004-08-09 Moritz Schulte * THANKS: Updated. From cvs at cvs.gnupg.org Thu Feb 3 20:33:34 2005 
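Review bot: In the `configure.ac` hunk `@@ -889,7 +889,7 @@`, `gnupg_cv_included_regex="$withval"` feeds directly into the unquoted `if test $gnupg_cv_included_regex = no`, so `--with-included-regex=` with an empty value makes `test` fail with a syntax error, and any value other than `no` is silently treated as yes. Quote the variable in the test and normalise `$withval` to yes or no before using it.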
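Review bot: In the `jnlib/logging.c` hunk `@@ -180,12 +160,16 @@`, setting `cookie->fd = -1` together with `cookie->quiet = 1` means that once the socket connect fails, log output is dropped with no notice anywhere, which hides the failure from the operator. Consider counting dropped messages so the loss is detectable. The old behaviour is left behind as comments (`/* fputs (...);*/` and `/*fileno (stderr);*/`) and should be deleted rather than commented out, and the new comment has typos (detahced, beeing caled, tehrefore).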
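Review bot: In the four `scd/apdu.c` hunks the cast `(unsigned int)resultlen` is paired with `%d`, which still mismatches the signedness of the argument. Use `%u` with the `unsigned int` cast, or, if `resultlen` is a `size_t`, `%lu` with `(unsigned long)resultlen` so the value is not narrowed.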
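Review bot: In the `@@ -1161,17 +1224,17 @@` hunk of `scd/app-openpgp.c` the fingerprint comparison reads DO 0x006E with `get_cached_data (app, 0x006E, &buffer, &buflen, 0)`, that is, from the cache, while the ChangeLog entry for this commit names a stale cached fingerprint after key generation as the bug being fixed. Either pass a non-zero `get_immediate` here or make sure the key generation path flushes the cached 0x006E; the visible hunks do neither. The doc comment on `get_cached_data` should also state that an immediate read neither consults nor populates the cache, which is what the early `return 0` implements.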
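Review bot: In the new `send_fprtime_if_not_null` (`@@ -576,6 +589,23 @@`), `(stamp[0] << 24)` shifts an `unsigned char` that has been promoted to `int`, so a first byte of 0x80 or above shifts into the sign bit and, where `unsigned long` is 64 bits, is sign-extended into `value`. Cast each byte before shifting, for example `((unsigned long)stamp[0] << 24)`. The `sprintf` calls fit the 50-byte buffers for these two formats, but `snprintf` with `sizeof numbuf1` would make that obvious to the next reader.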
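Review bot: In the `@@ -884,7 +933,17 @@` hunk the `default:` arm of `switch (table[idx].need_chv)` sets `rc = 0`, so any table row whose `need_chv` is not 2 or 3, including a row added later with the field left out, proceeds with no PIN verification at all. Fail closed by returning an error from `default:`, and give the values 2 and 3 names instead of bare numbers. The table in `@@ -864,17 +908,22 @@` assigns CHV2 to `PRIVATE-DO-1` and `PRIVATE-DO-3` but CHV3 to `PRIVATE-DO-2` and `PRIVATE-DO-4`; a one-line comment giving the reason for that split would stop it being read as a typo.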
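Review bot: In the `scd/ccid-driver.c` hunk `@@ -403,7 +403,7 @@` the condition tests `buf[49] == 0xff` but the `else` arm prints `buf[48]`; the macro change leaves that index mismatch in place, so the debug line likely shows the wrong byte. In `@@ -450,7 +450,7 @@` the bare `0x0519` replaces `0x0513` next to a FIXME; a named constant with a comment recording which firmware versions were checked would make the next bump reviewable, and the ChangeLog entry itself says a list of fixed firmware versions is needed.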
From: cvs at cvs.gnupg.org (cvs user mo) Date: Thu Feb 3 20:33:39 2005 Subject: libgcrypt/doc (ChangeLog gcrypt.texi) Message-ID: Date: Thursday, February 3, 2005 @ 20:42:56 Author: mo Path: /cvs/libgcrypt/libgcrypt/doc Modified: ChangeLog gcrypt.texi 2005-02-03 Moritz Schulte * gcrypt.texi: Fixed several typos; thanks to Michele Baldessari. -------------+ ChangeLog | 4 ++++ gcrypt.texi | 26 +++++++++++++------------- 2 files changed, 17 insertions(+), 13 deletions(-) Index: libgcrypt/doc/ChangeLog diff -u libgcrypt/doc/ChangeLog:1.42 libgcrypt/doc/ChangeLog:1.43 --- libgcrypt/doc/ChangeLog:1.42 Tue Jan 4 21:49:00 2005 +++ libgcrypt/doc/ChangeLog Thu Feb 3 20:42:56 2005 @@ -1,3 +1,7 @@ +2005-02-03 Moritz Schulte + + * gcrypt.texi: Fixed several typos; thanks to Michele Baldessari. + 2005-01-04 Werner Koch * gcrypt.texi: Updated to use @copying. Fixed list of copyright Index: libgcrypt/doc/gcrypt.texi diff -u libgcrypt/doc/gcrypt.texi:1.44 libgcrypt/doc/gcrypt.texi:1.45 --- libgcrypt/doc/gcrypt.texi:1.44 Tue Jan 4 21:49:00 2005 +++ libgcrypt/doc/gcrypt.texi Thu Feb 3 20:42:56 2005 @@ -1200,7 +1200,7 @@ Register a new cipher module whose specification can be found in @var{cipher}. On success, a new algorithm ID is stored in -@var{algorithm_id} and a pointer representhing this module is stored +@var{algorithm_id} and a pointer representing this module is stored in @var{module}. @end deftypefun @@ -1503,7 +1503,7 @@ paradigm and is in that similar to other building blocks provided by @acronym{Libgcrypt}. -For convenience reasons, a few cyclic redudancy check value operations +For convenience reasons, a few cyclic redundancy check value operations are also supported. @menu 
@@ -1612,7 +1612,7 @@ The function responsible for `finalizing' a message digest context. See below for an explanation of this type. @item gcry_md_read_t read -The function reponsible for reading out a message digest result. See +The function responsible for reading out a message digest result. See below for an explanation of this type. @item size_t contextsize The size of the algorithm-specific `context', that should be @@ -1654,7 +1654,7 @@ Register a new digest module whose specification can be found in @var{digest}. On success, a new algorithm ID is stored in -@var{algorithm_id} and a pointer representhing this module is stored +@var{algorithm_id} and a pointer representing this module is stored in @var{module}. @end deftypefun @@ -2095,7 +2095,7 @@ The primary name of this algorithm. @item char **aliases A list of strings that are `aliases' for the algorithm. The list -musdt be terminanted with a NULL element. +must be terminated with a NULL element. @item const char *elements_pkey String containing the one-letter names of the MPI values contained in a public key. @@ -2113,7 +2113,7 @@ be included in the `key grip'. @item int use The bitwise-OR of the following flags, depending on the abilities of -the algortihm: +the algorithm: @table @code @item GCRY_PK_USAGE_SIGN The algorithm supports signing and verifying of data. 
@@ -2133,13 +2133,13 @@ The function responsible for decrypting data. See below for a description of this type. @item gcry_pk_sign_t sign -The function reponsible for signing data. See below for a description +The function responsible for signing data. See below for a description of this type. @item gcry_pk_verify_t verify The function responsible for verifying that the provided signature matches the provided data. See below for a description of this type. @item gcry_pk_get_nbits_t get_nbits -The function reponsible for returning the number of bits of a provided +The function responsible for returning the number of bits of a provided key. See below for a description of this type. @end table @end deftp @@ -2188,7 +2188,7 @@ Register a new public key module whose specification can be found in @var{pubkey}. On success, a new algorithm ID is stored in -@var{algorithm_id} and a pointer representhing this module is stored +@var{algorithm_id} and a pointer representing this module is stored in @var{module}. @end deftypefun @@ -3670,7 +3670,7 @@ This function tries to resize the memory area pointed to by @var{p} to @var{n} bytes. On success it returns a pointer to the new memory area, in an out-of-core condition, it returns NULL. Depending on -wether the memory pointed to by @var{p} is secure memory or not, +whether the memory pointed to by @var{p} is secure memory or not, gcry_realloc tries to use secure memory as well. @end deftypefun 
@@ -3699,13 +3699,13 @@ @bye /* Version check should be the very first gcry call because it - makes sure that constructor functrions are run. */ + makes sure that constructor functions are run. */ if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); /* Many applications don't require secure memory, so they should disable it right away. There won't be a problem unless one makes - use of a feature which requires secure memoery - in that case the - process would abort becuase the secmem is not initialized. */ + use of a feature which requires secure memory - in that case the + process would abort because the secmem is not initialized. */ gcry_control (GCRYCTL_DISABLE_SECMEM, 0); /* .. add whatever initialization you want, but better don't make calls From cvs at cvs.gnupg.org Thu Feb 3 20:43:32 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Thu Feb 3 20:43:35 2005 Subject: LIBGCRYPT-1-2-BRANCH libgcrypt/doc (ChangeLog gcrypt.texi) Message-ID: Date: Thursday, February 3, 2005 @ 20:52:55 Author: mo Path: /cvs/libgcrypt/libgcrypt/doc Tag: LIBGCRYPT-1-2-BRANCH Modified: ChangeLog gcrypt.texi 2005-02-03 Moritz Schulte * gcrypt.texi: Fixed several typos; thanks to Michele Baldessari. -------------+ ChangeLog | 4 ++++ gcrypt.texi | 26 +++++++++++++------------- 2 files changed, 17 insertions(+), 13 deletions(-) Index: libgcrypt/doc/ChangeLog diff -u libgcrypt/doc/ChangeLog:1.38.2.3 libgcrypt/doc/ChangeLog:1.38.2.4 --- libgcrypt/doc/ChangeLog:1.38.2.3 Tue Jan 4 21:50:23 2005 +++ libgcrypt/doc/ChangeLog Thu Feb 3 20:52:55 2005 @@ -1,3 +1,7 @@ +2005-02-03 Moritz Schulte + + * gcrypt.texi: Fixed several typos; thanks to Michele Baldessari. + 2005-01-04 Werner Koch * gcrypt.texi: Updated to use @copying. Fixed list of copyright Index: libgcrypt/doc/gcrypt.texi diff -u libgcrypt/doc/gcrypt.texi:1.38.2.3 libgcrypt/doc/gcrypt.texi:1.38.2.4 --- libgcrypt/doc/gcrypt.texi:1.38.2.3 Tue Jan 4 21:50:23 2005 +++ libgcrypt/doc/gcrypt.texi Thu Feb 3 20:52:55 2005 
@@ -1200,7 +1200,7 @@ Register a new cipher module whose specification can be found in @var{cipher}. On success, a new algorithm ID is stored in -@var{algorithm_id} and a pointer representhing this module is stored +@var{algorithm_id} and a pointer representing this module is stored in @var{module}. @end deftypefun @@ -1503,7 +1503,7 @@ paradigm and is in that similar to other building blocks provided by @acronym{Libgcrypt}. -For convenience reasons, a few cyclic redudancy check value operations +For convenience reasons, a few cyclic redundancy check value operations are also supported. @menu @@ -1612,7 +1612,7 @@ The function responsible for `finalizing' a message digest context. See below for an explanation of this type. @item gcry_md_read_t read -The function reponsible for reading out a message digest result. See +The function responsible for reading out a message digest result. See below for an explanation of this type. @item size_t contextsize The size of the algorithm-specific `context', that should be @@ -1654,7 +1654,7 @@ Register a new digest module whose specification can be found in @var{digest}. On success, a new algorithm ID is stored in -@var{algorithm_id} and a pointer representhing this module is stored +@var{algorithm_id} and a pointer representing this module is stored in @var{module}. @end deftypefun @@ -2095,7 +2095,7 @@ The primary name of this algorithm. @item char **aliases A list of strings that are `aliases' for the algorithm. The list -musdt be terminanted with a NULL element. +must be terminated with a NULL element. @item const char *elements_pkey String containing the one-letter names of the MPI values contained in a public key. @@ -2113,7 +2113,7 @@ be included in the `key grip'. @item int use The bitwise-OR of the following flags, depending on the abilities of -the algortihm: +the algorithm: @table @code @item GCRY_PK_USAGE_SIGN The algorithm supports signing and verifying of data. 
@@ -2133,13 +2133,13 @@ The function responsible for decrypting data. See below for a description of this type. @item gcry_pk_sign_t sign -The function reponsible for signing data. See below for a description +The function responsible for signing data. See below for a description of this type. @item gcry_pk_verify_t verify The function responsible for verifying that the provided signature matches the provided data. See below for a description of this type. @item gcry_pk_get_nbits_t get_nbits -The function reponsible for returning the number of bits of a provided +The function responsible for returning the number of bits of a provided key. See below for a description of this type. @end table @end deftp @@ -2188,7 +2188,7 @@ Register a new public key module whose specification can be found in @var{pubkey}. On success, a new algorithm ID is stored in -@var{algorithm_id} and a pointer representhing this module is stored +@var{algorithm_id} and a pointer representing this module is stored in @var{module}. @end deftypefun @@ -3670,7 +3670,7 @@ This function tries to resize the memory area pointed to by @var{p} to @var{n} bytes. On success it returns a pointer to the new memory area, in an out-of-core condition, it returns NULL. Depending on -wether the memory pointed to by @var{p} is secure memory or not, +whether the memory pointed to by @var{p} is secure memory or not, gcry_realloc tries to use secure memory as well. @end deftypefun 
@@ -3699,13 +3699,13 @@ @bye /* Version check should be the very first gcry call because it - makes sure that constructor functrions are run. */ + makes sure that constructor functions are run. */ if (!gcry_check_version (GCRYPT_VERSION)) die ("version mismatch\n"); /* Many applications don't require secure memory, so they should disable it right away. There won't be a problem unless one makes - use of a feature which requires secure memoery - in that case the - process would abort becuase the secmem is not initialized. */ + use of a feature which requires secure memory - in that case the + process would abort because the secmem is not initialized. */ gcry_control (GCRYCTL_DISABLE_SECMEM, 0); /* .. add whatever initialization you want, but better don't make calls From cvs at cvs.gnupg.org Thu Feb 3 22:32:47 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Thu Feb 3 22:32:51 2005 Subject: gnupg (ChangeLog NEWS) Message-ID: Date: Thursday, February 3, 2005 @ 22:42:10 Author: dshaw Path: /cvs/gnupg/gnupg Modified: ChangeLog NEWS * NEWS: Fix typo. -----------+ ChangeLog | 4 ++++ NEWS | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.238 gnupg/ChangeLog:1.239 --- gnupg/ChangeLog:1.238 Thu Feb 3 11:21:26 2005 +++ gnupg/ChangeLog Thu Feb 3 22:42:10 2005 @@ -1,3 +1,7 @@ +2005-02-03 David Shaw + + * NEWS: Fix typo. + 2005-02-03 Werner Koch Released 1.4.1rc1. Index: gnupg/NEWS diff -u gnupg/NEWS:1.231 gnupg/NEWS:1.232 --- gnupg/NEWS:1.231 Thu Feb 3 10:32:53 2005 +++ gnupg/NEWS Thu Feb 3 22:42:10 2005 @@ -8,7 +8,7 @@ * New "import-unusable-sigs" and "export-unusable-sigs" tags for - --import-options and --export-options. These are on by + --import-options and --export-options. These are off by default, and cause GnuPG to not import or export key signatures that are not usable (e.g. expired signatures). From cvs at cvs.gnupg.org Fri Feb 4 04:52:12 2005 
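Review bot: in libgcrypt/doc/gcrypt.texi at @@ -3699,13 +3699,13 (the same hunk in the trunk and the LIBGCRYPT-1-2-BRANCH commits), the initialization snippet whose comments are corrected sits after @bye, where makeinfo stops reading, so none of it reaches the built manual. Since it documents that gcry_check_version must be the first call and what GCRYCTL_DISABLE_SECMEM implies, consider moving it into an @example inside a section in a follow-up.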
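Review bot: in the gnupg/NEWS hunk at @@ -8,7 +8,7, after the switch to "off by default" the sentence still continues with "and cause GnuPG to not import or export", which reads as if setting the tags suppresses unusable signatures, while the tag names (import-unusable-sigs, export-unusable-sigs) suggest the opposite. Suggest splitting it into two statements: that the tags are off by default, and what GnuPG does with unusable signatures in that default state.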
From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Fri Feb 4 06:21:40 2005 Subject: gnupg/m4 (ChangeLog libcurl.m4) Message-ID: Date: Friday, February 4, 2005 @ 05:01:35 Author: dshaw Path: /cvs/gnupg/gnupg/m4 Modified: ChangeLog libcurl.m4 * libcurl.m4: More comments. ------------+ ChangeLog | 4 ++++ libcurl.m4 | 8 +------- 2 files changed, 5 insertions(+), 7 deletions(-) Index: gnupg/m4/ChangeLog diff -u gnupg/m4/ChangeLog:1.13 gnupg/m4/ChangeLog:1.14 --- gnupg/m4/ChangeLog:1.13 Tue Jan 25 03:47:57 2005 +++ gnupg/m4/ChangeLog Fri Feb 4 05:01:35 2005 @@ -1,3 +1,7 @@ +2005-02-03 David Shaw + + * libcurl.m4: More comments. + 2005-01-24 David Shaw * libcurl.m4: All versions of curl-config support --feature. Index: gnupg/m4/libcurl.m4 diff -u gnupg/m4/libcurl.m4:1.8 gnupg/m4/libcurl.m4:1.9 --- gnupg/m4/libcurl.m4:1.8 Tue Jan 25 03:47:57 2005 +++ gnupg/m4/libcurl.m4 Fri Feb 4 05:01:35 2005 @@ -32,13 +32,7 @@ # found is after version 7.7.2, the first version that included the # curl-config script. Note that it is very important for people # packaging binary versions of libcurl to include this script! -# Without curl-config, we can only make educated guesses as to what -# protocols are available. Specifically, we assume that all of HTTP, -# FTP, GOPHER, FILE, TELNET, LDAP, and DICT exist, and (if SSL exists) -# HTTPS is present. All of these protocols existed when libcurl was -# first created in version 7, so this is a safe assumption. If the -# version is 7.11.0 or later, FTPS is assumed to be present as well. -# FTPS existed before then, but was not yet fully standards compliant. +# Without curl-config, we can only guess what protocols are available. AC_DEFUN([LIBCURL_CHECK_CONFIG], [ From cvs at cvs.gnupg.org Fri Feb 4 11:09:20 2005 
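Review bot: the ChangeLog entry says "More comments", but the gnupg/m4/libcurl.m4 hunk at @@ -32,13 +32,7 removes seven comment lines and adds one. The removed text recorded which protocols are assumed when curl-config is missing (HTTP, FTP, GOPHER, FILE, TELNET, LDAP, DICT, HTTPS when SSL exists, FTPS from 7.11.0); if the macro still applies those assumptions, keep the list or point to where it now lives, and word the ChangeLog entry to match what the hunk does.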
From: cvs at cvs.gnupg.org (cvs user wk) Date: Fri Feb 4 11:09:26 2005 Subject: gnupg (ChangeLog configure.ac util/ChangeLog util/w32reg.c) Message-ID: Date: Friday, February 4, 2005 @ 11:18:46 Author: wk Path: /cvs/gnupg/gnupg Modified: ChangeLog configure.ac util/ChangeLog util/w32reg.c (GNUPG_CHECK_GNUMAKE): Removed. Not needed for decent automakes. ----------------+ ChangeLog | 5 +++++ configure.ac | 3 +-- util/ChangeLog | 3 +++ util/w32reg.c | 16 ++++++++++++---- 4 files changed, 21 insertions(+), 6 deletions(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.239 gnupg/ChangeLog:1.240 --- gnupg/ChangeLog:1.239 Thu Feb 3 22:42:10 2005 +++ gnupg/ChangeLog Fri Feb 4 11:18:46 2005 @@ -1,3 +1,8 @@ +2005-02-04 Werner Koch + + * configure.ac (GNUPG_CHECK_GNUMAKE): Removed. Not needed for + decent automakes. + 2005-02-03 David Shaw * NEWS: Fix typo. Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.130 gnupg/configure.ac:1.131 --- gnupg/configure.ac:1.130 Thu Feb 3 11:21:25 2005 +++ gnupg/configure.ac Fri Feb 4 11:18:46 2005 @@ -19,7 +19,7 @@ dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA dnl dnl (Process this file with autoconf to produce a configure script.) -dnlAC_REVISION($Revision: 1.130 $)dnl +dnlAC_REVISION($Revision: 1.131 $)dnl AC_PREREQ(2.59) min_automake_version="1.9.3" @@ -1211,7 +1211,6 @@ AM_CONDITIONAL(CROSS_COMPILING, test x$cross_compiling = xyes) -GNUPG_CHECK_GNUMAKE # add some extra libs here so that previous tests don't fail for # mysterious reasons - the final link step should bail out. Index: gnupg/util/ChangeLog diff -u gnupg/util/ChangeLog:1.180 gnupg/util/ChangeLog:1.181 --- gnupg/util/ChangeLog:1.180 Thu Feb 3 12:16:27 2005 +++ gnupg/util/ChangeLog Fri Feb 4 11:18:46 2005 
@@ -1,5 +1,8 @@ 2005-02-03 Werner Koch + * w32reg.c (read_w32_registry_string): Fallback to HKLM also for a + missing name. + * http.c (connect_server): Define ERR outside of the !W32 block. 2005-02-01 David Shaw Index: gnupg/util/w32reg.c diff -u gnupg/util/w32reg.c:1.7 gnupg/util/w32reg.c:1.8 --- gnupg/util/w32reg.c:1.7 Fri Aug 29 01:29:32 2003 +++ gnupg/util/w32reg.c Fri Feb 4 11:18:46 2005 @@ -1,5 +1,5 @@ /* w32reg.c - MS-Windows Registry access - * Copyright (C) 1999, 2002 Free Software Foundation, Inc. + * Copyright (C) 1999, 2002, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -77,14 +77,22 @@ { if (root) return NULL; /* no need for a RegClose, so return direct */ - /* It seems to be common practise to fall back to HLM. */ + /* It seems to be common practise to fall back to HKLM. */ if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, dir, 0, KEY_READ, &key_handle) ) return NULL; /* still no need for a RegClose, so return direct */ } nbytes = 1; - if( RegQueryValueEx( key_handle, name, 0, NULL, NULL, &nbytes ) ) - goto leave; + if( RegQueryValueEx( key_handle, name, 0, NULL, NULL, &nbytes ) ) { + if (root) + goto leave; + /* Try to fallback to HKLM also vor a missing value. */ + RegCloseKey (key_handle); + if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, dir, 0, KEY_READ, &key_handle) ) + return NULL; /* Nope. */ + if (RegQueryValueEx( key_handle, name, 0, NULL, NULL, &nbytes)) + goto leave; + } result = malloc( (n1=nbytes+1) ); if( !result ) goto leave; From cvs at cvs.gnupg.org Sat Feb 5 00:51:12 2005 
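Review bot: in gnupg/util/w32reg.c at @@ -77,14 +77,22, when the first RegOpenKeyEx has already fallen back to HKEY_LOCAL_MACHINE, a failed RegQueryValueEx closes that handle, reopens the same HKLM key and repeats the same query; a flag recording that the fallback was already taken would avoid the second round trip. The new comment has "vor" for "for", and the util/ChangeLog entry was added under the 2005-02-03 heading although the commit is dated 2005-02-04.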
From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sat Feb 5 00:51:16 2005 Subject: gnupg/g10 (ChangeLog getkey.c) Message-ID: Date: Saturday, February 5, 2005 @ 01:00:35 Author: dshaw Path: /cvs/gnupg/gnupg/g10 Modified: ChangeLog getkey.c * getkey.c (merge_selfsigs_subkey): Merged away definition from the backsigs code. -----------+ ChangeLog | 5 +++++ getkey.c | 1 + 2 files changed, 6 insertions(+) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.693 gnupg/g10/ChangeLog:1.694 --- gnupg/g10/ChangeLog:1.693 Thu Feb 3 10:32:53 2005 +++ gnupg/g10/ChangeLog Sat Feb 5 01:00:35 2005 @@ -1,3 +1,8 @@ +2005-02-04 David Shaw + + * getkey.c (merge_selfsigs_subkey): Merged away definition from + the backsigs code. + 2005-01-31 David Shaw * keygen.c (do_generate_keypair): Write the auth key to the card Index: gnupg/g10/getkey.c diff -u gnupg/g10/getkey.c:1.124 gnupg/g10/getkey.c:1.125 --- gnupg/g10/getkey.c:1.124 Thu Jan 20 18:21:40 2005 +++ gnupg/g10/getkey.c Sat Feb 5 01:00:35 2005 @@ -1994,6 +1994,7 @@ if(subpk->backsig==0) { int seq=0; + size_t n; while((p=enum_sig_subpkt(sig->hashed, SIGSUBPKT_SIGNATURE,&n,&seq,NULL))) From cvs at cvs.gnupg.org Sat Feb 5 15:55:32 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sat Feb 5 16:00:22 2005 Subject: gnupg/keyserver (4 files) Message-ID: Date: Saturday, February 5, 2005 @ 16:04:59 Author: dshaw Path: /cvs/gnupg/gnupg/keyserver Modified: ChangeLog gpgkeys_curl.c gpgkeys_finger.c gpgkeys_hkp.c * gpgkeys_finger.c (main), gpgkeys_hkp.c (main): Fix --version output. * gpgkeys_curl.c (main): Make sure the curl handle is cleaned up on failure. ------------------+ ChangeLog | 8 ++++++++ gpgkeys_curl.c | 5 +++-- gpgkeys_finger.c | 2 +- gpgkeys_hkp.c | 2 +- 4 files changed, 13 insertions(+), 4 deletions(-) Index: gnupg/keyserver/ChangeLog diff -u gnupg/keyserver/ChangeLog:1.110 gnupg/keyserver/ChangeLog:1.111 --- gnupg/keyserver/ChangeLog:1.110 Tue Feb 1 21:57:08 2005 +++ gnupg/keyserver/ChangeLog Sat Feb 5 16:04:59 2005 
@@ -1,3 +1,11 @@ +2005-02-05 David Shaw + + * gpgkeys_finger.c (main), gpgkeys_hkp.c (main): Fix --version + output. + + * gpgkeys_curl.c (main): Make sure the curl handle is cleaned up + on failure. + 2005-02-01 David Shaw * gpgkeys_hkp.c (get_key), gpgkeys_http.c (get_key): Fix missing Index: gnupg/keyserver/gpgkeys_curl.c diff -u gnupg/keyserver/gpgkeys_curl.c:1.11 gnupg/keyserver/gpgkeys_curl.c:1.12 --- gnupg/keyserver/gpgkeys_curl.c:1.11 Mon Jan 24 19:23:56 2005 +++ gnupg/keyserver/gpgkeys_curl.c Sat Feb 5 16:04:59 2005 @@ -470,8 +470,6 @@ ret=get_key(thekey); - curl_easy_cleanup(curl); - fail: free(thekey); @@ -482,6 +480,9 @@ if(output!=stdout) fclose(output); + if(curl) + curl_easy_cleanup(curl); + curl_global_cleanup(); return ret; Index: gnupg/keyserver/gpgkeys_finger.c diff -u gnupg/keyserver/gpgkeys_finger.c:1.12 gnupg/keyserver/gpgkeys_finger.c:1.13 --- gnupg/keyserver/gpgkeys_finger.c:1.12 Fri Jan 14 00:37:26 2005 +++ gnupg/keyserver/gpgkeys_finger.c Sat Feb 5 16:04:59 2005 @@ -372,7 +372,7 @@ /* Kludge to implement standard GNU options. */ if (argc > 1 && !strcmp (argv[1], "--version")) { - fputs ("gpgkeys_ldap (GnuPG) " VERSION"\n", stdout); + fputs ("gpgkeys_finger (GnuPG) " VERSION"\n", stdout); return 0; } else if (argc > 1 && !strcmp (argv[1], "--help")) Index: gnupg/keyserver/gpgkeys_hkp.c diff -u gnupg/keyserver/gpgkeys_hkp.c:1.48 gnupg/keyserver/gpgkeys_hkp.c:1.49 --- gnupg/keyserver/gpgkeys_hkp.c:1.48 Tue Feb 1 21:57:08 2005 +++ gnupg/keyserver/gpgkeys_hkp.c Sat Feb 5 16:04:59 2005 @@ -763,7 +763,7 @@ /* Kludge to implement standard GNU options. */ if (argc > 1 && !strcmp (argv[1], "--version")) { - fputs ("gpgkeys_ldap (GnuPG) " VERSION"\n", stdout); + fputs ("gpgkeys_hkp (GnuPG) " VERSION"\n", stdout); return 0; } else if (argc > 1 && !strcmp (argv[1], "--help")) From cvs at cvs.gnupg.org Sat Feb 5 20:42:33 2005 
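Review bot: in gnupg/keyserver/gpgkeys_curl.c at @@ -482,6 +480,9, the new if(curl) guard runs on every path through fail:, including jumps taken before the handle is created, so it only helps if curl is initialised to NULL at its declaration, which the hunk does not show. Please confirm that, or add the initialiser, so curl_easy_cleanup never sees an indeterminate pointer.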
From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sat Feb 5 20:42:42 2005 Subject: gnupg/doc (ChangeLog gpg.sgml) Message-ID: Date: Saturday, February 5, 2005 @ 20:52:02 Author: dshaw Path: /cvs/gnupg/gnupg/doc Modified: ChangeLog gpg.sgml * gpg.sgml: Note that level 0 signatures are always accepted regardless of --min-cert-level. -----------+ ChangeLog | 5 +++++ gpg.sgml | 17 ++++++++++------- 2 files changed, 15 insertions(+), 7 deletions(-) Index: gnupg/doc/ChangeLog diff -u gnupg/doc/ChangeLog:1.93 gnupg/doc/ChangeLog:1.94 --- gnupg/doc/ChangeLog:1.93 Thu Feb 3 10:32:53 2005 +++ gnupg/doc/ChangeLog Sat Feb 5 20:52:02 2005 @@ -1,3 +1,8 @@ +2005-02-05 David Shaw + + * gpg.sgml: Note that level 0 signatures are always accepted + regardless of --min-cert-level. + 2005-02-03 Werner Koch * README.W32: Updated to match the switch to the NSIS installer. Index: gnupg/doc/gpg.sgml diff -u gnupg/doc/gpg.sgml:1.78 gnupg/doc/gpg.sgml:1.79 --- gnupg/doc/gpg.sgml:1.78 Thu Dec 16 07:01:19 2004 +++ gnupg/doc/gpg.sgml Sat Feb 5 20:52:02 2005 @@ -1063,13 +1063,6 @@ this option. This option defaults to no. - ---min-cert-level - -When building the trust database, disregard any signatures with a -certification level below this. Defaults to 2, which disregards level -1 signatures. - --default-cert-level &ParmN; @@ -1105,6 +1098,16 @@ +--min-cert-level + +When building the trust database, disregard any signatures with a +certification level below this. Defaults to 2, which disregards level +1 signatures. Note that level 0 "no particular claim" signatures are +always accepted. + + + + --trusted-key long key ID Assume that the specified key (which must be given From cvs at cvs.gnupg.org Sun Feb 6 18:29:07 2005 
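Review bot: in gnupg/doc/gpg.sgml at @@ -1105,6 +1098,16, the relocated --min-cert-level text first says signatures with a level "below this" are disregarded and only afterwards adds that level 0 is always accepted, which a reader who stops at the first sentence will miss. Folding the exception into the first sentence (below this level, other than level 0) would state the trust-database behaviour without the apparent contradiction.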
From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sun Feb 6 18:29:16 2005 Subject: gnupg/g10 (ChangeLog import.c keyserver.c trustdb.c trustdb.h) Message-ID: Date: Sunday, February 6, 2005 @ 18:38:43 Author: dshaw Path: /cvs/gnupg/gnupg/g10 Modified: ChangeLog import.c keyserver.c trustdb.c trustdb.h * trustdb.h, trustdb.c (trustdb_check_or_update): New. If the trustdb is dirty and --interactive is set, do an --update-trustdb. If not interactive, do a --check_trustdb unless --no-auto-check-trustdb is set. * import.c (import_keys_internal): Moved from here. * keyserver.c (keyserver_refresh): Call it here after all refreshing has happened so that we don't rebuild after each preferred keyserver set of imports, but do one big rebuild at the end. This is Debian bug #293816, noted by Kurt Roeckx. -------------+ ChangeLog | 14 ++++++++++++++ import.c | 15 ++++++--------- keyserver.c | 22 ++++++++++++++++++---- trustdb.c | 14 ++++++++++++++ trustdb.h | 5 +++-- 5 files changed, 55 insertions(+), 15 deletions(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.694 gnupg/g10/ChangeLog:1.695 --- gnupg/g10/ChangeLog:1.694 Sat Feb 5 01:00:35 2005 +++ gnupg/g10/ChangeLog Sun Feb 6 18:38:43 2005 
@@ -1,3 +1,17 @@ +2005-02-06 David Shaw + + * trustdb.h, trustdb.c (trustdb_check_or_update): New. If the + trustdb is dirty and --interactive is set, do an --update-trustdb. + If not interactive, do a --check_trustdb unless + --no-auto-check-trustdb is set. + + * import.c (import_keys_internal): Moved from here. + + * keyserver.c (keyserver_refresh): Call it here after all + refreshing has happened so that we don't rebuild after each + preferred keyserver set of imports, but do one big rebuild at the + end. This is Debian bug #293816, noted by Kurt Roeckx. + 2005-02-04 David Shaw * getkey.c (merge_selfsigs_subkey): Merged away definition from Index: gnupg/g10/import.c diff -u gnupg/g10/import.c:1.120 gnupg/g10/import.c:1.121 --- gnupg/g10/import.c:1.120 Thu Jan 20 18:21:40 2005 +++ gnupg/g10/import.c Sun Feb 6 18:38:43 2005 @@ -1,6 +1,6 @@ /* import.c - import a key into our key storage. - * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, - * 2004, 2005 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, + * 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -193,18 +193,15 @@ import_print_stats (stats); import_release_stats_handle (stats); } + /* If no fast import and the trustdb is dirty (i.e. we added a key or userID that had something other than a selfsig, a signature that was other than a selfsig, or any revocation), then update/check the trustdb if the user specified by setting interactive or by not setting no-auto-check-trustdb */ - if (!(options&IMPORT_FAST) && trustdb_pending_check()) - { - if (opt.interactive) - update_trustdb(); - else if (!opt.no_auto_check_trustdb) - check_trustdb(); - } + + if(!(options&IMPORT_FAST)) + trustdb_check_or_update(); return rc; } Index: gnupg/g10/keyserver.c diff -u gnupg/g10/keyserver.c:1.79 gnupg/g10/keyserver.c:1.80 --- gnupg/g10/keyserver.c:1.79 Wed Jan 26 22:20:30 2005 +++ gnupg/g10/keyserver.c Sun Feb 6 18:38:43 2005 
@@ -35,6 +35,7 @@ #include "ttyio.h" #include "options.h" #include "packet.h" +#include "trustdb.h" #include "keyserver-internal.h" #include "util.h" @@ -1628,11 +1629,17 @@ { int rc,count,numdesc,fakev3=0; KEYDB_SEARCH_DESC *desc; + unsigned int options=opt.keyserver_options.import_options; - /* We switch merge_only on during a refresh, as 'refresh' should - never import new keys, even if their keyids match. Is it worth - preserving the old merge_only value here? */ - opt.import_options|=IMPORT_MERGE_ONLY; + /* We switch merge-only on during a refresh, as 'refresh' should + never import new keys, even if their keyids match. */ + opt.keyserver_options.import_options|=IMPORT_MERGE_ONLY; + + /* Similarly, we switch on fast-import, since refresh may make + multiple import sets (due to preferred keyserver URLs). We don't + want each set to rebuild the trustdb. Instead we do it once at + the end here. */ + opt.keyserver_options.import_options|=IMPORT_FAST; /* If refresh_add_fake_v3_keyids is on and it's a HKP or MAILTO scheme, then enable fake v3 keyid generation. */ @@ -1696,6 +1703,13 @@ m_free(desc); + opt.keyserver_options.import_options=options; + + /* If the original options didn't have fast import, and the trustdb + is dirty, rebuild. */ + if(!(opt.keyserver_options.import_options&IMPORT_FAST)) + trustdb_check_or_update(); + return rc; } Index: gnupg/g10/trustdb.c diff -u gnupg/g10/trustdb.c:1.136 gnupg/g10/trustdb.c:1.137 --- gnupg/g10/trustdb.c:1.136 Wed Dec 15 06:16:53 2004 +++ gnupg/g10/trustdb.c Sun Feb 6 18:38:43 2005 
@@ -624,6 +624,20 @@ return pending_check_trustdb; } +/* If the trustdb is dirty, and we're interactive, update it. + Otherwise, check it unless no-auto-check-trustdb is set. */ +void +trustdb_check_or_update(void) +{ + if(trustdb_pending_check()) + { + if(opt.interactive) + update_trustdb(); + else if(!opt.no_auto_check_trustdb) + check_trustdb(); + } +} + void read_trust_options(byte *trust_model,ulong *created,ulong *nextcheck, byte *marginals,byte *completes,byte *cert_depth) Index: gnupg/g10/trustdb.h diff -u gnupg/g10/trustdb.h:1.49 gnupg/g10/trustdb.h:1.50 --- gnupg/g10/trustdb.h:1.49 Wed Nov 24 06:25:03 2004 +++ gnupg/g10/trustdb.h Sun Feb 6 18:38:43 2005 @@ -1,6 +1,6 @@ /* trustdb.h - Trust database - * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, - * 2004 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, + * 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -53,6 +53,7 @@ void revalidation_mark (void); int trustdb_pending_check(void); +void trustdb_check_or_update(void); int cache_disabled_value(PKT_public_key *pk); From cvs at cvs.gnupg.org Tue Feb 8 12:31:56 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Tue Feb 8 12:32:09 2005 Subject: dirmngr (NEWS configure.ac) Message-ID: Date: Tuesday, February 8, 2005 @ 12:41:46 Author: wk Path: /cvs/dirmngr/dirmngr Modified: NEWS configure.ac post release updates --------------+ NEWS | 4 ++++ configure.ac | 4 ++-- 2 files changed, 6 insertions(+), 2 deletions(-) Index: dirmngr/NEWS diff -u dirmngr/NEWS:1.35 dirmngr/NEWS:1.36 --- dirmngr/NEWS:1.35 Tue Feb 8 12:30:41 2005 +++ dirmngr/NEWS Tue Feb 8 12:41:46 2005 
@@ -1,3 +1,7 @@ +Noteworthy changes in version 0.9.2 +------------------------------------------------ + + Noteworthy changes in version 0.9.1 (2005-02-08) ------------------------------------------------ Index: dirmngr/configure.ac diff -u dirmngr/configure.ac:1.70 dirmngr/configure.ac:1.71 --- dirmngr/configure.ac:1.70 Tue Feb 8 12:30:41 2005 +++ dirmngr/configure.ac Tue Feb 8 12:41:46 2005 @@ -1,6 +1,6 @@ # configure.ac - for DirMngr # Copyright (C) 2002 Klarälvdalens Datakonsult AB -# Copyright (C) 2003, 2004 g10 Code GmbH +# Copyright (C) 2003, 2004, 2005 g10 Code GmbH # # This file is part of DirMngr. # @@ -22,7 +22,7 @@ AC_PREREQ(2.59) min_automake_version="1.9.3" -AC_INIT(dirmngr, 0.9.1, gpa-dev@gnupg.org) +AC_INIT(dirmngr, 0.9.2-cvs, gpa-dev@gnupg.org) NEED_GPG_ERROR_VERSION=0.7 From cvs at cvs.gnupg.org Thu Feb 10 04:56:35 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Thu Feb 10 04:58:38 2005 Subject: gnupg (5 files) Message-ID: Date: Thursday, February 10, 2005 @ 05:06:30 Author: dshaw Path: /cvs/gnupg/gnupg Modified: g10/ChangeLog g10/encr-data.c g10/mainproc.c include/ChangeLog include/cipher.h Disable the "quick check" bytes for PK decryptions. This is in regards to the Mister and Zuccherato attack on OpenPGP CFB mode. -------------------+ g10/ChangeLog | 9 +++++++++ g10/encr-data.c | 8 +++++--- g10/mainproc.c | 6 ++++-- include/ChangeLog | 4 ++++ include/cipher.h | 18 ++++++++++-------- 5 files changed, 32 insertions(+), 13 deletions(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.695 gnupg/g10/ChangeLog:1.696 --- gnupg/g10/ChangeLog:1.695 Sun Feb 6 18:38:43 2005 +++ gnupg/g10/ChangeLog Thu Feb 10 05:06:30 2005 
@@ -1,3 +1,12 @@ +2005-02-09 David Shaw + + * encr-data.c (decrypt_data): Use it here to turn off the "quick + check" bytes for PK decryptions. This is in regards to the Mister + and Zuccherato attack on OpenPGP CFB mode. + + * mainproc.c (proc_symkey_enc): Set a flag to indicate that a + particular session key came from a passphrase and not a PK. + 2005-02-06 David Shaw * trustdb.h, trustdb.c (trustdb_check_or_update): New. If the Index: gnupg/g10/encr-data.c diff -u gnupg/g10/encr-data.c:1.30 gnupg/g10/encr-data.c:1.31 --- gnupg/g10/encr-data.c:1.30 Fri Oct 8 23:54:26 2004 +++ gnupg/g10/encr-data.c Thu Feb 10 05:06:30 2005 @@ -1,5 +1,5 @@ /* encr-data.c - process an encrypted data packet - * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -125,10 +125,12 @@ cipher_sync( dfx.cipher_hd ); p = temp; /* log_hexdump( "prefix", temp, nprefix+2 ); */ - if( p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1] ) { + if(dek->symmetric + && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) ) + { rc = G10ERR_BAD_KEY; goto leave; - } + } if( dfx.mdc_hash ) md_write( dfx.mdc_hash, temp, nprefix+2 ); Index: gnupg/g10/mainproc.c diff -u gnupg/g10/mainproc.c:1.162 gnupg/g10/mainproc.c:1.163 --- gnupg/g10/mainproc.c:1.162 Thu Feb 3 10:32:53 2005 +++ gnupg/g10/mainproc.c Thu Feb 10 05:06:30 2005 @@ -1,6 +1,6 @@ /* mainproc.c - handle packets - * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, - * 2004 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, + * 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * 
@@ -330,6 +330,8 @@ if(c->dek) { + c->dek->symmetric=1; + /* FIXME: This doesn't work perfectly if a symmetric key comes before a public key in the message - if the user doesn't know the passphrase, then there is Index: gnupg/include/ChangeLog diff -u gnupg/include/ChangeLog:1.81 gnupg/include/ChangeLog:1.82 --- gnupg/include/ChangeLog:1.81 Thu Dec 16 06:16:08 2004 +++ gnupg/include/ChangeLog Thu Feb 10 05:06:30 2005 @@ -1,3 +1,7 @@ +2005-02-09 David Shaw + + * cipher.h: Add a flag for a symmetric DEK. + 2004-12-16 David Shaw * memory.h: Return a flag to indicate whether we got the lock. Index: gnupg/include/cipher.h diff -u gnupg/include/cipher.h:1.63 gnupg/include/cipher.h:1.64 --- gnupg/include/cipher.h:1.63 Mon Nov 29 22:14:18 2004 +++ gnupg/include/cipher.h Thu Feb 10 05:06:30 2005 @@ -1,6 +1,6 @@ /* cipher.h - * Copyright (C) 1998, 1999, 2000, 2001, 2003, - * 2004 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2003, 2004, + * 2005 Free Software Foundation, Inc. * * This file is part of GNUPG. * @@ -70,12 +70,14 @@ #define is_ELGAMAL(a) ((a)==PUBKEY_ALGO_ELGAMAL_E) #define is_DSA(a) ((a)==PUBKEY_ALGO_DSA) -typedef struct { - int algo; - int keylen; - int algo_info_printed; - int use_mdc; - byte key[32]; /* this is the largest used keylen (256 bit) */ +typedef struct +{ + int algo; + int keylen; + int algo_info_printed; + int use_mdc; + int symmetric; + byte key[32]; /* this is the largest used keylen (256 bit) */ } DEK; struct cipher_handle_s; From cvs at cvs.gnupg.org Thu Feb 10 05:01:35 2005 
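Review bot: in gnupg/g10/keyserver.c (keyserver_refresh) at @@ -1628,11 +1629,17 and @@ -1696,6 +1703,13, IMPORT_MERGE_ONLY and IMPORT_FAST are forced on near the top and the saved value is restored only just before the final return rc, so any earlier return between the two hunks would leave both flags set in opt.keyserver_options for the rest of the process. Worth checking the part of the function the diff does not show for early exits, and noting in the ChangeLog that merge-only is now set on opt.keyserver_options.import_options instead of opt.import_options.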
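Review bot: in gnupg/g10/encr-data.c (decrypt_data) at @@ -125,10 +125,12, the prefix comparison is now gated on dek->symmetric with no comment at the site, so the reason lives only in the ChangeLog. A one-line comment there saying the quick check is skipped for public-key session keys because of the Mister and Zuccherato attack on OpenPGP CFB mode would keep a later cleanup from restoring the unconditional check.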
From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Thu Feb 10 05:01:41 2005 Subject: STABLE-BRANCH-1-2 gnupg (5 files) Message-ID: Date: Thursday, February 10, 2005 @ 05:11:35 Author: dshaw Path: /cvs/gnupg/gnupg Tag: STABLE-BRANCH-1-2 Modified: g10/ChangeLog g10/encr-data.c g10/mainproc.c include/ChangeLog include/cipher.h Disable the "quick check" bytes for PK decryptions. This is in regards to the Mister and Zuccherato attack on OpenPGP CFB mode. -------------------+ g10/ChangeLog | 9 +++++++++ g10/encr-data.c | 8 +++++--- g10/mainproc.c | 6 ++++-- include/ChangeLog | 4 ++++ include/cipher.h | 4 +++- 5 files changed, 25 insertions(+), 6 deletions(-) Index: gnupg/g10/ChangeLog diff -u gnupg/g10/ChangeLog:1.249.2.233 gnupg/g10/ChangeLog:1.249.2.234 --- gnupg/g10/ChangeLog:1.249.2.233 Mon Nov 29 22:07:08 2004 +++ gnupg/g10/ChangeLog Thu Feb 10 05:11:35 2005 @@ -1,3 +1,12 @@ +2005-02-09 David Shaw + + * mainproc.c (proc_symkey_enc): Set a flag to indicate that a + particular session key came from a passphrase and not a PK. + + * encr-data.c (decrypt_data): Use it here to turn off the "quick + check" bytes for PK decryptions. This is in regards to the Mister + and Zuccherato attack on OpenPGP CFB mode. + 2004-11-29 David Shaw * getkey.c (parse_key_usage): New function to parse out key usage Index: gnupg/g10/encr-data.c diff -u gnupg/g10/encr-data.c:1.29 gnupg/g10/encr-data.c:1.29.2.1 --- gnupg/g10/encr-data.c:1.29 Sat Jun 29 15:46:33 2002 +++ gnupg/g10/encr-data.c Thu Feb 10 05:11:35 2005 @@ -1,5 +1,5 @@ /* encr-data.c - process an encrypted data packet - * Copyright (C) 1998, 1999, 2000, 2001 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * 
@@ -120,10 +120,12 @@ cipher_sync( dfx.cipher_hd ); p = temp; /* log_hexdump( "prefix", temp, nprefix+2 ); */ - if( p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1] ) { + if( dek->symmetric + && (p[nprefix-2] != p[nprefix] || p[nprefix-1] != p[nprefix+1]) ) + { rc = G10ERR_BAD_KEY; goto leave; - } + } if( dfx.mdc_hash ) md_write( dfx.mdc_hash, temp, nprefix+2 ); Index: gnupg/g10/mainproc.c diff -u gnupg/g10/mainproc.c:1.112.2.27 gnupg/g10/mainproc.c:1.112.2.28 --- gnupg/g10/mainproc.c:1.112.2.27 Sun Jun 27 20:26:49 2004 +++ gnupg/g10/mainproc.c Thu Feb 10 05:11:35 2005 @@ -1,6 +1,6 @@ /* mainproc.c - handle packets - * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, - * 2004 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, + * 2005 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -317,6 +317,8 @@ c->dek = passphrase_to_dek( NULL, 0, algo, &enc->s2k, 0, NULL, NULL ); if(c->dek) { + c->dek->symmetric=1; + /* FIXME: This doesn't work perfectly if a symmetric key comes before a public key in the message - if the user doesn't know the passphrase, then there is a chance Index: gnupg/include/ChangeLog diff -u gnupg/include/ChangeLog:1.34.2.20 gnupg/include/ChangeLog:1.34.2.21 --- gnupg/include/ChangeLog:1.34.2.20 Mon Nov 29 22:07:43 2004 +++ gnupg/include/ChangeLog Thu Feb 10 05:11:35 2005 @@ -1,3 +1,7 @@ +2005-02-09 David Shaw + + * cipher.h: Add a flag for a symmetric DEK. + 2004-11-29 David Shaw * cipher.h: Add PUBKEY_USAGE_UNKNOWN. Index: gnupg/include/cipher.h diff -u gnupg/include/cipher.h:1.53.2.6 gnupg/include/cipher.h:1.53.2.7 --- gnupg/include/cipher.h:1.53.2.6 Mon Nov 29 22:07:43 2004 +++ gnupg/include/cipher.h Thu Feb 10 05:11:35 2005 @@ -1,5 +1,6 @@ /* cipher.h - * Copyright (C) 1998, 1999, 2000, 2001, 2003 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2003, + * 2005 Free Software Foundation, Inc. * * This file is part of GNUPG. * 
@@ -76,6 +77,7 @@ int keylen; int algo_info_printed; int use_mdc; + int symmetric; byte key[32]; /* this is the largest used keylen (256 bit) */ } DEK; From cvs at cvs.gnupg.org Fri Feb 11 18:36:08 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Fri Feb 11 18:36:11 2005 Subject: gnupg (ChangeLog NEWS configure.ac) Message-ID: Date: Friday, February 11, 2005 @ 18:46:15 Author: dshaw Path: /cvs/gnupg/gnupg Modified: ChangeLog NEWS configure.ac * configure.ac: Add --enable-fake-curl option to help test no-curl HTTP. * NEWS: Note Mister/Zuccherato CFB countermeasures. --------------+ ChangeLog | 7 +++++++ NEWS | 9 ++++++--- configure.ac | 18 +++++++++++++----- 3 files changed, 26 insertions(+), 8 deletions(-) Index: gnupg/ChangeLog diff -u gnupg/ChangeLog:1.240 gnupg/ChangeLog:1.241 --- gnupg/ChangeLog:1.240 Fri Feb 4 11:18:46 2005 +++ gnupg/ChangeLog Fri Feb 11 18:46:15 2005 @@ -1,3 +1,10 @@ +2005-02-11 David Shaw + + * configure.ac: Add --enable-fake-curl option to help test no-curl + HTTP. + + * NEWS: Note Mister/Zuccherato CFB countermeasures. + 2005-02-04 Werner Koch * configure.ac (GNUPG_CHECK_GNUMAKE): Removed. Not needed for Index: gnupg/NEWS diff -u gnupg/NEWS:1.232 gnupg/NEWS:1.233 --- gnupg/NEWS:1.232 Thu Feb 3 22:42:10 2005 +++ gnupg/NEWS Fri Feb 11 18:46:15 2005 @@ -5,7 +5,7 @@ signatures. This is in response to some problems seen with certain PGP/MIME mail clients and GnuPG version 1.4.0. More details about this are available at - + . * New "import-unusable-sigs" and "export-unusable-sigs" tags for --import-options and --export-options. These are off by 
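Review bot: in the STABLE-BRANCH-1-2 patch, `symmetric` is written in exactly one place, `c->dek->symmetric=1;` in proc_symkey_enc (mainproc.c), and nothing in the diff ever sets it to 0. decrypt_data therefore skips the quick check for public-key decryption only if every other code path that builds a DEK leaves the new field zeroed, and none of those paths are shown. Either clear the field explicitly where a PK session key is stored or confirm that each DEK allocation is zero-initialized, and give the new `int symmetric;` member in cipher.h a comment saying that nonzero means the key was derived from a passphrase.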
@@ -23,9 +23,12 @@ available, missing secret key stubs will be created on the fly. Details of the key are listed too. - * The implicit packet dumping in double verbose mode is now send + * The implicit packet dumping in double verbose mode is now sent to stderr and not to stdout. + * Added countermeasures against the Mister/Zuccherato CFB attack + . + * [W32] The algorithm for the default home directory changed: First we look at the environment variable GNUPGHOME, if this one is not set, we check whether the registry entry @@ -38,7 +41,7 @@ * [W32] The locale selection under Windows changed. You need to enter the locale in the registry at HKCU\Software\GNU\GnuPG:Lang. - For German you would use "de". If it is not set, GnupG falls + For German you would use "de". If it is not set, GnuPG falls back to HKLM. The languages files "*.mo" are expected in a directory named "gnupg.nls" below the installation directory; that directory must be stored in the registry at the same key as Index: gnupg/configure.ac diff -u gnupg/configure.ac:1.131 gnupg/configure.ac:1.132 --- gnupg/configure.ac:1.131 Fri Feb 4 11:18:46 2005 +++ gnupg/configure.ac Fri Feb 11 18:46:15 2005 @@ -19,7 +19,7 @@ dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA dnl dnl (Process this file with autoconf to produce a configure script.) -dnlAC_REVISION($Revision: 1.131 $)dnl +dnlAC_REVISION($Revision: 1.132 $)dnl AC_PREREQ(2.59) min_automake_version="1.9.3" 
@@ -645,11 +645,19 @@ AC_SUBST(LDAPLIBS) AM_CONDITIONAL(GPGKEYS_LDAP, test "$GPGKEYS_LDAP" != "") -# If we have neither FTP or HTTP defined, then don't bother to check -# for curl. +AC_ARG_ENABLE(fake-curl, + AC_HELP_STRING([--enable-fake-curl],[enable EXPERIMENTAL no-curl HTTP code]),fake_curl=$enableval,fake_curl=no) -if test "$try_ftp" = yes || test "$try_http" = yes ; then - LIBCURL_CHECK_CONFIG([no],,[have_libcurl=yes]) +AM_CONDITIONAL(FAKE_CURL,test x"$fake_curl" = xyes) + +if test x"$fake_curl" = xyes ; then + libcurl_protocol_HTTP=yes +else + # If we have neither FTP or HTTP defined, then don't bother to check + # for curl. + if test x"$try_ftp" = xyes || test x"$try_http" = xyes ; then + LIBCURL_CHECK_CONFIG([no]) + fi fi # Are we doing HTTP? From cvs at cvs.gnupg.org Fri Feb 11 18:55:03 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Fri Feb 11 18:55:07 2005 Subject: gnupg/keyserver (5 files) Message-ID: Date: Friday, February 11, 2005 @ 19:05:13 Author: dshaw Path: /cvs/gnupg/gnupg/keyserver Added: curl-shim.c curl-shim.h Modified: ChangeLog Makefile.am gpgkeys_curl.c * curl-shim.h, curl-shim.c: New. This is code to fake the curl API in terms of the current HTTP iobuf API. * gpgkeys_curl.c [FAKE_CURL], Makefile.am: If FAKE_CURL is set, link with the iobuf code rather than libcurl. ----------------+ ChangeLog | 8 ++ Makefile.am | 7 ++ curl-shim.c | 153 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ curl-shim.h | 71 +++++++++++++++++++++++++ gpgkeys_curl.c | 4 + 5 files changed, 243 insertions(+) Index: gnupg/keyserver/ChangeLog diff -u gnupg/keyserver/ChangeLog:1.111 gnupg/keyserver/ChangeLog:1.112 --- gnupg/keyserver/ChangeLog:1.111 Sat Feb 5 16:04:59 2005 +++ gnupg/keyserver/ChangeLog Fri Feb 11 19:05:13 2005 
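Review bot: in the configure.ac hunk at -645, the rewritten call `LIBCURL_CHECK_CONFIG([no])` drops the `[have_libcurl=yes]` argument that the removed call passed, and the ChangeLog entry does not mention it. If anything later in configure.ac or the Makefiles tests `have_libcurl`, it is now never set; if nothing does, say in the ChangeLog that the action was removed on purpose. In the `--enable-fake-curl` branch, `libcurl_protocol_HTTP=yes` is set by hand with no explanation; a short comment saying why the variable is assigned without running the curl check would help the next reader.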
@@ -1,3 +1,11 @@ +2005-02-11 David Shaw + + * curl-shim.h, curl-shim.c: New. This is code to fake the curl + API in terms of the current HTTP iobuf API. + + * gpgkeys_curl.c [FAKE_CURL], Makefile.am: If FAKE_CURL is set, + link with the iobuf code rather than libcurl. + 2005-02-05 David Shaw * gpgkeys_finger.c (main), gpgkeys_hkp.c (main): Fix --version Index: gnupg/keyserver/Makefile.am diff -u gnupg/keyserver/Makefile.am:1.25 gnupg/keyserver/Makefile.am:1.26 --- gnupg/keyserver/Makefile.am:1.25 Tue Jan 18 05:24:52 2005 +++ gnupg/keyserver/Makefile.am Fri Feb 11 19:05:13 2005 @@ -39,5 +39,12 @@ gpgkeys_hkp_LDADD = ../util/libutil.a @NETLIBS@ @SRVLIBS@ $(other_libs) @GETOPT@ @W32LIBS@ gpgkeys_http_LDADD = ../util/libutil.a @NETLIBS@ @SRVLIBS@ $(other_libs) @GETOPT@ @W32LIBS@ gpgkeys_finger_LDADD = ../util/libutil.a @NETLIBS@ $(other_libs) @GETOPT@ @W32LIBS@ + +if FAKE_CURL +gpgkeys_curl_SOURCES += curl-shim.c curl-shim.h +gpgkeys_curl_CPPFLAGS = -DFAKE_CURL +gpgkeys_curl_LDADD = ../util/libutil.a @NETLIBS@ @SRVLIBS@ $(other_libs) @GETOPT@ @W32LIBS@ +else gpgkeys_curl_CPPFLAGS = @LIBCURL_CPPFLAGS@ gpgkeys_curl_LDADD = @LIBCURL@ @GETOPT@ +endif Index: gnupg/keyserver/curl-shim.c diff -u /dev/null gnupg/keyserver/curl-shim.c:1.1 --- /dev/null Fri Feb 11 19:05:13 2005 +++ gnupg/keyserver/curl-shim.c Fri Feb 11 19:05:13 2005 
@@ -0,0 +1,153 @@ +/* curl-shim.c - Implement a small subset of the curl API in terms of + * the iobuf HTTP API + * + * Copyright (C) 2005 Free Software Foundation, Inc. + * + * This file is part of GnuPG. + * + * GnuPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GnuPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +#include +#include +#include +#include +#include +#include +#include "http.h" +#include "util.h" +#include "curl-shim.h" + +static CURLcode handle_error(CURL *curl,CURLcode err,const char *str) +{ + if(curl->errorbuffer) + { + switch(err) + { + case CURLE_OK: + strcpy(curl->errorbuffer,"okay"); + break; + + case CURLE_COULDNT_CONNECT: + strcpy(curl->errorbuffer,"couldn't connect"); + break; + + case CURLE_WRITE_ERROR: + strcpy(curl->errorbuffer,"write error"); + break; + + default: + strcpy(curl->errorbuffer,"generic error"); + break; + } + + if(str && (strlen(curl->errorbuffer)+2+strlen(str)+1)<=CURL_ERROR_SIZE) + { + strcat(curl->errorbuffer,": "); + strcat(curl->errorbuffer,str); + } + } + + return err; +} + +CURLcode curl_global_init(long flags) +{ + return CURLE_OK; +} + +void curl_global_cleanup(void) {} + +CURL *curl_easy_init(void) +{ + return calloc(1,sizeof(CURL)); +} + +void curl_easy_cleanup(CURL *curl) +{ + free(curl); +} + +CURLcode curl_easy_setopt(CURL *curl,CURLoption option,...) 
+{ + va_list ap; + + va_start(ap,option); + + switch(option) + { + case CURLOPT_URL: + curl->url=va_arg(ap,char *); + break; + case CURLOPT_WRITEFUNCTION: + curl->writer=va_arg(ap,write_func); + break; + case CURLOPT_FILE: + curl->file=va_arg(ap,void *); + break; + case CURLOPT_ERRORBUFFER: + curl->errorbuffer=va_arg(ap,char *); + break; + case CURLOPT_PROXY: + curl->proxy=va_arg(ap,char *); + break; + default: + /* We ignore the huge majority of curl options */ + break; + } + + return handle_error(curl,CURLE_OK,NULL); +} + +CURLcode curl_easy_perform(CURL *curl) +{ + int rc; + CURLcode err=CURLE_OK; + const char *errstr=NULL; + + rc=http_open_document(&curl->hd,curl->url,0,curl->proxy); + if(rc!=0) + { + if(rc==G10ERR_NETWORK) + errstr=strerror(errno); + else + errstr=g10_errstr(rc); + + err=CURLE_COULDNT_CONNECT; + } + else + { + size_t maxlen=1024,buflen,len; + byte *line=NULL; + + while((len=iobuf_read_line(curl->hd.fp_read,&line,&buflen,&maxlen))) + { + maxlen=1024; + size_t ret; + + ret=(curl->writer)(line,len,1,curl->file); + if(ret!=len) + { + err=CURLE_WRITE_ERROR; + break; + } + } + + m_free(line); + http_close(&curl->hd); + } + + return handle_error(curl,err,errstr); +} Index: gnupg/keyserver/curl-shim.h diff -u /dev/null gnupg/keyserver/curl-shim.h:1.1 --- /dev/null Fri Feb 11 19:05:13 2005 +++ gnupg/keyserver/curl-shim.h Fri Feb 11 19:05:13 2005 
@@ -0,0 +1,71 @@ +/* curl-shim.h + * Copyright (C) 2005 Free Software Foundation, Inc. + * + * This file is part of GNUPG. + * + * GNUPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GNUPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +#ifndef _CURL_SHIM_H_ +#define _CURL_SHIM_H_ + +#include "http.h" + +typedef enum + { + CURLE_OK=0, + CURLE_FTP_COULDNT_RETR_FILE, + CURLE_COULDNT_CONNECT, + CURLE_WRITE_ERROR + } CURLcode; + +typedef enum + { + CURLOPT_URL, + CURLOPT_WRITEFUNCTION, + CURLOPT_FILE, + CURLOPT_ERRORBUFFER, + CURLOPT_FOLLOWLOCATION, + CURLOPT_MAXREDIRS, + CURLOPT_STDERR, + CURLOPT_VERBOSE, + CURLOPT_SSL_VERIFYPEER, + CURLOPT_PROXY + } CURLoption; + +typedef size_t (*write_func)(char *buffer,size_t size, + size_t nitems,void *outstream); + +typedef struct +{ + char *url; + char *errorbuffer; + char *proxy; + write_func writer; + void *file; + struct http_context hd; +} CURL; + +#define CURL_ERROR_SIZE 256 +#define CURL_GLOBAL_DEFAULT 0 + +CURLcode curl_global_init(long flags); +void curl_global_cleanup(void); +CURL *curl_easy_init(void); +CURLcode curl_easy_setopt(CURL *curl,CURLoption option,...); +CURLcode curl_easy_perform(CURL *curl); +void curl_easy_cleanup(CURL *curl); + +#endif /* !_CURL_SHIM_H_ */ Index: gnupg/keyserver/gpgkeys_curl.c diff -u gnupg/keyserver/gpgkeys_curl.c:1.12 gnupg/keyserver/gpgkeys_curl.c:1.13 --- 
gnupg/keyserver/gpgkeys_curl.c:1.12 Sat Feb 5 16:04:59 2005 +++ gnupg/keyserver/gpgkeys_curl.c Fri Feb 11 19:05:13 2005 @@ -27,7 +27,11 @@ #ifdef HAVE_GETOPT_H #include #endif +#ifdef FAKE_CURL +#include "curl-shim.h" +#else #include +#endif #include "keyserver.h" #include "ksutil.h" From cvs at cvs.gnupg.org Sat Feb 12 04:04:50 2005 From: cvs at cvs.gnupg.org (cvs user dshaw) Date: Sat Feb 12 04:04:55 2005 Subject: gnupg/keyserver (5 files) Message-ID: Date: Saturday, February 12, 2005 @ 04:15:02 Author: dshaw Path: /cvs/gnupg/gnupg/keyserver Modified: ChangeLog curl-shim.c curl-shim.h gpgkeys_curl.c gpgkeys_ldap.c * curl-shim.c (curl_easy_perform): Fix compile warning. * curl-shim.h, gpgkeys_curl.c (main), gpgkeys_ldap.c (main): Add ca-cert-file option, to pass in the SSL cert. ----------------+ ChangeLog | 5 +++++ curl-shim.c | 2 +- curl-shim.h | 3 ++- gpgkeys_curl.c | 24 ++++++++++++++++++++++++ gpgkeys_ldap.c | 35 +++++++++++++++++++++++++++++++++++ 5 files changed, 67 insertions(+), 2 deletions(-) Index: gnupg/keyserver/ChangeLog diff -u gnupg/keyserver/ChangeLog:1.112 gnupg/keyserver/ChangeLog:1.113 --- gnupg/keyserver/ChangeLog:1.112 Fri Feb 11 19:05:13 2005 +++ gnupg/keyserver/ChangeLog Sat Feb 12 04:15:02 2005 @@ -1,5 +1,10 @@ 2005-02-11 David Shaw + * curl-shim.c (curl_easy_perform): Fix compile warning. + + * curl-shim.h, gpgkeys_curl.c (main), gpgkeys_ldap.c (main): Add + ca-cert-file option, to pass in the SSL cert. + * curl-shim.h, curl-shim.c: New. This is code to fake the curl API in terms of the current HTTP iobuf API. Index: gnupg/keyserver/curl-shim.c diff -u gnupg/keyserver/curl-shim.c:1.1 gnupg/keyserver/curl-shim.c:1.2 --- gnupg/keyserver/curl-shim.c:1.1 Fri Feb 11 19:05:13 2005 +++ gnupg/keyserver/curl-shim.c Sat Feb 12 04:15:02 2005 
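Review bot: in the new curl-shim.c (revision 1.1), curl_easy_setopt falls through to `default:` and still returns CURLE_OK for every option it does not store, including CURLOPT_SSL_VERIFYPEER, CURLOPT_FOLLOWLOCATION and CURLOPT_MAXREDIRS, so gpgkeys_curl.c cannot tell in a FAKE_CURL build that a verification or redirect setting had no effect. Return an error for those, or at least document in curl-shim.h which options are accepted but ignored. The same function calls `va_start(ap,option)` with no matching `va_end(ap)` before returning. In curl_easy_perform, `curl->writer` is called without a NULL check although curl_easy_init zero-fills the handle, and `size_t ret;` is declared after the statement `maxlen=1024;` inside the loop, which pre-C99 compilers reject.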
@@ -129,7 +129,7 @@ } else { - size_t maxlen=1024,buflen,len; + unsigned int maxlen=1024,buflen,len; byte *line=NULL; while((len=iobuf_read_line(curl->hd.fp_read,&line,&buflen,&maxlen))) Index: gnupg/keyserver/curl-shim.h diff -u gnupg/keyserver/curl-shim.h:1.1 gnupg/keyserver/curl-shim.h:1.2 --- gnupg/keyserver/curl-shim.h:1.1 Fri Feb 11 19:05:13 2005 +++ gnupg/keyserver/curl-shim.h Sat Feb 12 04:15:02 2005 @@ -42,7 +42,8 @@ CURLOPT_STDERR, CURLOPT_VERBOSE, CURLOPT_SSL_VERIFYPEER, - CURLOPT_PROXY + CURLOPT_PROXY, + CURLOPT_CAINFO } CURLoption; typedef size_t (*write_func)(char *buffer,size_t size, Index: gnupg/keyserver/gpgkeys_curl.c diff -u gnupg/keyserver/gpgkeys_curl.c:1.13 gnupg/keyserver/gpgkeys_curl.c:1.14 --- gnupg/keyserver/gpgkeys_curl.c:1.13 Fri Feb 11 19:05:13 2005 +++ gnupg/keyserver/gpgkeys_curl.c Sat Feb 12 04:15:02 2005 @@ -158,6 +158,7 @@ char *thekey=NULL; unsigned int timeout=DEFAULT_KEYSERVER_TIMEOUT; long follow_redirects=5,debug=0,check_cert=1; + char *ca_cert_file=NULL; console=stderr; @@ -344,6 +345,26 @@ else check_cert=1; } + else if(strncasecmp(start,"ca-cert-file",12)==0) + { + if(no) + { + free(ca_cert_file); + ca_cert_file=NULL; + } + else if(start[12]=='=') + { + free(ca_cert_file); + ca_cert_file=strdup(&start[13]); + if(!ca_cert_file) + { + fprintf(console,"gpgkeys: out of memory while creating " + "ca_cert_file\n"); + ret=KEYSERVER_NO_MEMORY; + goto fail; + } + } + } continue; } @@ -406,6 +427,9 @@ curl_easy_setopt(curl,CURLOPT_SSL_VERIFYPEER,check_cert); + if(ca_cert_file) + curl_easy_setopt(curl,CURLOPT_CAINFO,ca_cert_file); + if(proxy[0]) curl_easy_setopt(curl,CURLOPT_PROXY,proxy); Index: gnupg/keyserver/gpgkeys_ldap.c diff -u gnupg/keyserver/gpgkeys_ldap.c:1.49 gnupg/keyserver/gpgkeys_ldap.c:1.50 --- gnupg/keyserver/gpgkeys_ldap.c:1.49 Mon Jan 24 19:23:56 2005 +++ gnupg/keyserver/gpgkeys_ldap.c Sat Feb 12 04:15:02 2005 
@@ -1549,6 +1549,7 @@ int version,failed=0,use_ssl=0,use_tls=0,bound=0,check_cert=1; struct keylist *keylist=NULL,*keyptr=NULL; unsigned int timeout=DEFAULT_KEYSERVER_TIMEOUT; + char *ca_cert_file=NULL; console=stderr; @@ -1776,6 +1777,26 @@ else if(start[7]=='\0') timeout=DEFAULT_KEYSERVER_TIMEOUT; } + else if(strncasecmp(start,"ca-cert-file",12)==0) + { + if(no) + { + free(ca_cert_file); + ca_cert_file=NULL; + } + else if(start[12]=='=') + { + free(ca_cert_file); + ca_cert_file=strdup(&start[13]); + if(!ca_cert_file) + { + fprintf(console,"gpgkeys: out of memory while creating " + "ca_cert_file\n"); + ret=KEYSERVER_NO_MEMORY; + goto fail; + } + } + } continue; } @@ -1787,6 +1808,20 @@ return KEYSERVER_INTERNAL_ERROR; } +#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS_CACERTFILE) + if(ca_cert_file) + { + err=ldap_set_option(NULL,LDAP_OPT_X_TLS_CACERTFILE,ca_cert_file); + if(err!=LDAP_SUCCESS) + { + fprintf(console,"gpgkeys: unable to set ca-cert-file: %s\n", + ldap_err2string(err)); + ret=KEYSERVER_INTERNAL_ERROR; + goto fail; + } + } +#endif /* HAVE_LDAP_SET_OPTION && LDAP_OPT_X_TLS_CACERTFILE */ + /* SSL trumps TLS */ if(use_ssl) use_tls=0; From cvs at cvs.gnupg.org Sun Feb 13 19:03:05 2005 
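Review bot: in gpgkeys_ldap.c the only use of `ca_cert_file` sits inside `#if defined(HAVE_LDAP_SET_OPTION) && defined(LDAP_OPT_X_TLS_CACERTFILE)`, so on a build without both the option is parsed, stored and then silently dropped, and the user is left believing a CA file is in force. Add an `#else` branch that reports on `console` that ca-cert-file is not supported. The FAKE_CURL build has the same gap: curl-shim.h gains CURLOPT_CAINFO, but the only curl-shim.c change in this commit is the `unsigned int` fix, so the value passed from gpgkeys_curl.c is accepted and ignored. In both parsers, `ca-cert-file` given without `=` matches the strncasecmp and is then ignored without a message, and `ca-cert-file=` with nothing after it stores an empty string; rejecting both would make a misconfiguration visible.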
From: cvs at cvs.gnupg.org (cvs user mo) Date: Sun Feb 13 19:03:11 2005 Subject: libgcrypt/src (ChangeLog g10lib.h gcrypt.h libgcrypt.vers mpi.h) Message-ID: Date: Sunday, February 13, 2005 @ 19:13:23 Author: mo Path: /cvs/libgcrypt/libgcrypt/src Modified: ChangeLog g10lib.h gcrypt.h libgcrypt.vers mpi.h 2005-02-13 Moritz Schulte * gcrypt.h: Declare new functions: gcry_ac_data_encrypt_scheme, gcry_ac_data_decrypt_scheme, gcry_ac_data_sign_scheme, gcry_ac_data_verify_scheme, gcry_ac_data_encode, gcry_ac_data_decode, gcry_ac_data_to_sexp, gcry_ac_data_from_sexp. New types: gcry_ac_emsa_pkcs_v1_5_t, gcry_ac_ssa_pkcs_v1_5_t, gcry_md_algo_t. New enumeration lists: gcry_ac_scheme_t, gcry_ac_em_t. * libgcrypt.vers: Added new ac functions. * g10lib.h: Declare function: _gcry_pk_get_elements. * mpi.h (mpi_get_ui): New macro. Declare function: _gcry_mpi_get_ui. ----------------+ ChangeLog | 14 + g10lib.h | 1 gcrypt.h | 476 ++++++++++++++++++++++++++++++++++--------------------- libgcrypt.vers | 26 +-- mpi.h | 5 5 files changed, 333 insertions(+), 189 deletions(-) Index: libgcrypt/src/ChangeLog diff -u libgcrypt/src/ChangeLog:1.158 libgcrypt/src/ChangeLog:1.159 --- libgcrypt/src/ChangeLog:1.158 Tue Nov 9 18:57:38 2004 +++ libgcrypt/src/ChangeLog Sun Feb 13 19:13:22 2005 
@@ -1,3 +1,17 @@ +2005-02-13 Moritz Schulte + + * gcrypt.h: Declare new functions: gcry_ac_data_encrypt_scheme, + gcry_ac_data_decrypt_scheme, gcry_ac_data_sign_scheme, + gcry_ac_data_verify_scheme, gcry_ac_data_encode, + gcry_ac_data_decode, gcry_ac_data_to_sexp, gcry_ac_data_from_sexp. + New types: gcry_ac_emsa_pkcs_v1_5_t, gcry_ac_ssa_pkcs_v1_5_t, + gcry_md_algo_t. + New enumeration lists: gcry_ac_scheme_t, gcry_ac_em_t. + * libgcrypt.vers: Added new ac functions. + * g10lib.h: Declare function: _gcry_pk_get_elements. + * mpi.h (mpi_get_ui): New macro. + Declare function: _gcry_mpi_get_ui. + 2004-11-09 Werner Koch * gcrypt.h: Removed 3 trailing commas from enums. Noted by Heiko Index: libgcrypt/src/g10lib.h diff -u libgcrypt/src/g10lib.h:1.26 libgcrypt/src/g10lib.h:1.27 --- libgcrypt/src/g10lib.h:1.26 Fri Dec 19 20:50:14 2003 +++ libgcrypt/src/g10lib.h Sun Feb 13 19:13:22 2005 @@ -240,6 +240,7 @@ gcry_err_code_t _gcry_pk_module_lookup (int id, gcry_module_t *module); void _gcry_pk_module_release (gcry_module_t module); +gcry_err_code_t _gcry_pk_get_elements (int algo, char **enc, char **sig); /* Memory management. */ Index: libgcrypt/src/gcrypt.h diff -u libgcrypt/src/gcrypt.h:1.128 libgcrypt/src/gcrypt.h:1.129 --- libgcrypt/src/gcrypt.h:1.128 Tue Nov 9 18:57:38 2004 +++ libgcrypt/src/gcrypt.h Sun Feb 13 19:13:22 2005 
@@ -937,182 +937,6 @@ *LIST_LENGTH, *LIST_LENGTH is updated to the correct number. */ gcry_error_t gcry_pk_list (int *list, int *list_length); -/* Alternative interface for asymetric cryptography. */ - -/* The algorithm IDs. */ -typedef enum gcry_ac_id - { - GCRY_AC_RSA = 1, - GCRY_AC_DSA = 17, - GCRY_AC_ELG = 20, - GCRY_AC_ELG_E = 16 - } -gcry_ac_id_t; - -/* Key types. */ -typedef enum gcry_ac_key_type - { - GCRY_AC_KEY_SECRET, - GCRY_AC_KEY_PUBLIC - } -gcry_ac_key_type_t; - -/* AC data. */ -#define GCRY_AC_FLAG_DEALLOC (1 << 0) -#define GCRY_AC_FLAG_COPY (1 << 1) -#define GCRY_AC_FLAG_NO_BLINDING (1 << 2) - -/* This type represents a `data set'. */ -typedef struct gcry_ac_data *gcry_ac_data_t; - -/* This type represents a single `key', either a secret one or a - public one. */ -typedef struct gcry_ac_key *gcry_ac_key_t; - -/* This type represents a `key pair' containing a secret and a public - key. */ -typedef struct gcry_ac_key_pair *gcry_ac_key_pair_t; - -/* This type represents a `handle' that is needed by functions - performing cryptographic operations. */ -typedef struct gcry_ac_handle *gcry_ac_handle_t; - -/* The caller of gcry_ac_key_pair_generate can provide one of these - structures in order to influence the key generation process in an - algorithm-specific way. */ -typedef struct gcry_ac_key_spec_rsa -{ - gcry_mpi_t e; /* E to use. */ -} gcry_ac_key_spec_rsa_t; - -/* Returns a new, empty data set in DATA. */ -gcry_error_t gcry_ac_data_new (gcry_ac_data_t *data); - -/* Destroy the data set DATA. */ -void gcry_ac_data_destroy (gcry_ac_data_t data); - -/* Create a copy of the data set DATA and store it in DATA_CP. */ -gcry_error_t gcry_ac_data_copy (gcry_ac_data_t *data_cp, - gcry_ac_data_t data); - -/* Return the number of named MPI values inside of the data set - DATA. */ -unsigned int gcry_ac_data_length (gcry_ac_data_t data); - -/* Destroy any values contained in the data set DATA. 
*/ -void gcry_ac_data_clear (gcry_ac_data_t data); - -/* Add the value MPI to DATA with the label NAME. If FLAGS contains - GCRY_AC_FLAG_DATA_COPY, the data set will contain copies of NAME - and MPI. If FLAGS contains GCRY_AC_FLAG_DATA_DEALLOC or - GCRY_AC_FLAG_DATA_COPY, the values contained in the data set will - be deallocated when they are to be removed from the data set. */ -gcry_error_t gcry_ac_data_set (gcry_ac_data_t data, unsigned int flags, - const char *name, gcry_mpi_t mpi); - -/* Store the value labelled with NAME found in DATA in MPI. If FLAGS - contains GCRY_AC_FLAG_COPY, store a copy of the MPI value contained - in the data set. MPI may be NULL. */ -gcry_error_t gcry_ac_data_get_name (gcry_ac_data_t data, unsigned int flags, - const char *name, gcry_mpi_t *mpi); - -/* Stores in NAME and MPI the named MPI value contained in the data - set DATA with the index IDX. If FLAGS contains GCRY_AC_FLAG_COPY, - store copies of the values contained in the data set. NAME or MPI - may be NULL. */ -gcry_error_t gcry_ac_data_get_index (gcry_ac_data_t data, unsigned int flags, - unsigned int idx, - const char **name, gcry_mpi_t *mpi); - -/* Create a new ac handle. */ -gcry_error_t gcry_ac_open (gcry_ac_handle_t *handle, - gcry_ac_id_t algorithm, unsigned int flags); - -/* Destroy an ac handle. */ -void gcry_ac_close (gcry_ac_handle_t handle); - -/* Initialize a key from a given data set. */ -gcry_error_t gcry_ac_key_init (gcry_ac_key_t *key, gcry_ac_handle_t handle, - gcry_ac_key_type_t type, gcry_ac_data_t data); - -/* Generates a new key pair via the handle HANDLE of NBITS bits and - stores it in KEY_PAIR. In case non-standard settings are wanted, a - pointer to a structure of type gcry_ac_key_spec__t, - matching the selected algorithm, can be given as KEY_SPEC. - MISC_DATA is not used yet. 
*/ -gcry_error_t gcry_ac_key_pair_generate (gcry_ac_handle_t handle, - unsigned int nbits, void *spec, - gcry_ac_key_pair_t *key_pair, - gcry_mpi_t **misc_data); - -/* Returns the key of type WHICH out of the key pair KEY_PAIR. */ -gcry_ac_key_t gcry_ac_key_pair_extract (gcry_ac_key_pair_t key_pair, - gcry_ac_key_type_t which); - -/* Returns the data set contained in the key KEY. */ -gcry_ac_data_t gcry_ac_key_data_get (gcry_ac_key_t key); - -/* Verifies that the key KEY is sane via HANDLE. */ -gcry_error_t gcry_ac_key_test (gcry_ac_handle_t handle, gcry_ac_key_t key); - -/* Stores the number of bits of the key KEY in NBITS via HANDLE. */ -gcry_error_t gcry_ac_key_get_nbits (gcry_ac_handle_t handle, - gcry_ac_key_t key, unsigned int *nbits); - -/* Writes the 20 byte long key grip of the key KEY to KEY_GRIP via - HANDLE. */ -gcry_error_t gcry_ac_key_get_grip (gcry_ac_handle_t handle, gcry_ac_key_t key, - unsigned char *key_grip); - -/* Destroy a key. */ -void gcry_ac_key_destroy (gcry_ac_key_t key); - -/* Destroy a key pair. */ -void gcry_ac_key_pair_destroy (gcry_ac_key_pair_t key_pair); - -/* Encrypt the plain text MPI value DATA_PLAIN with the key KEY under - the control of the flags FLAGS and store the resulting data set - into DATA_ENCRYPTED. */ -gcry_error_t gcry_ac_data_encrypt (gcry_ac_handle_t handle, - unsigned int flags, - gcry_ac_key_t key, - gcry_mpi_t data_plain, - gcry_ac_data_t *data_encrypted); - -/* Decrypt the decrypted data contained in the data set DATA_ENCRYPTED - with the key KEY under the control of the flags FLAGS and store the - resulting plain text MPI value in DATA_PLAIN. */ -gcry_error_t gcry_ac_data_decrypt (gcry_ac_handle_t handle, - unsigned int flags, - gcry_ac_key_t key, - gcry_mpi_t *data_plain, - gcry_ac_data_t data_encrypted); - -/* Sign the data contained in DATA with the key KEY and store the - resulting signature in the data set DATA_SIGNATURE. 
*/ -gcry_error_t gcry_ac_data_sign (gcry_ac_handle_t handle, - gcry_ac_key_t key, - gcry_mpi_t data, - gcry_ac_data_t *data_signature); - -/* Verify that the signature contained in the data set DATA_SIGNATURE - is indeed the result of signing the data contained in DATA with the - secret key belonging to the public key KEY. */ -gcry_error_t gcry_ac_data_verify (gcry_ac_handle_t handle, - gcry_ac_key_t key, - gcry_mpi_t data, - gcry_ac_data_t data_signature); - -/* Store the textual representation of the algorithm whose id is given - in ALGORITHM in NAME. */ -gcry_error_t gcry_ac_id_to_name (gcry_ac_id_t algorithm, - const char **name); - -/* Store the numeric ID of the algorithm whose textual representation - is contained in NAME in ALGORITHM. */ -gcry_error_t gcry_ac_name_to_id (const char *name, - gcry_ac_id_t *algorithm); - /************************************ 
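Review bot: the comments in this moved block carry errors that the move is a chance to fix, since the same text is re-added unchanged in the next gcrypt.h hunk: the gcry_ac_data_set comment names GCRY_AC_FLAG_DATA_COPY and GCRY_AC_FLAG_DATA_DEALLOC while the macros defined are GCRY_AC_FLAG_COPY and GCRY_AC_FLAG_DEALLOC, and the gcry_ac_data_decrypt comment reads "Decrypt the decrypted data". The two enums new in the re-added copy, gcry_ac_em and gcry_ac_scheme, each end with a trailing comma, which the 2004-11-09 entry shown as context in this same ChangeLog says was just removed from this header. The ChangeLog entry also does not say that the whole ac section was moved below the md declarations, which accounts for most of the 476 changed lines in gcrypt.h and is worth one line there.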
@@ -1292,6 +1116,306 @@ gcry_error_t gcry_md_list (int *list, int *list_length); + +/* Alternative interface for asymetric cryptography. */ + +/* The algorithm IDs. */ +typedef enum gcry_ac_id + { + GCRY_AC_RSA = 1, + GCRY_AC_DSA = 17, + GCRY_AC_ELG = 20, + GCRY_AC_ELG_E = 16 + } +gcry_ac_id_t; + +/* Key types. */ +typedef enum gcry_ac_key_type + { + GCRY_AC_KEY_SECRET, + GCRY_AC_KEY_PUBLIC + } +gcry_ac_key_type_t; + +/* Encoding methods. */ +typedef enum gcry_ac_em + { + GCRY_AC_EME_PKCS_V1_5, + GCRY_AC_EMSA_PKCS_V1_5, + } +gcry_ac_em_t; + +/* Encryption and Signature schemes. */ +typedef enum gcry_ac_scheme + { + GCRY_AC_ES_PKCS_V1_5, + GCRY_AC_SSA_PKCS_V1_5, + } +gcry_ac_scheme_t; + +/* AC data. */ +#define GCRY_AC_FLAG_DEALLOC (1 << 0) +#define GCRY_AC_FLAG_COPY (1 << 1) +#define GCRY_AC_FLAG_NO_BLINDING (1 << 2) + +/* This type represents a `data set'. */ +typedef struct gcry_ac_data *gcry_ac_data_t; + +/* This type represents a single `key', either a secret one or a + public one. */ +typedef struct gcry_ac_key *gcry_ac_key_t; + +/* This type represents a `key pair' containing a secret and a public + key. */ +typedef struct gcry_ac_key_pair *gcry_ac_key_pair_t; + +/* This type represents a `handle' that is needed by functions + performing cryptographic operations. */ +typedef struct gcry_ac_handle *gcry_ac_handle_t; + +/* The caller of gcry_ac_key_pair_generate can provide one of these + structures in order to influence the key generation process in an + algorithm-specific way. */ +typedef struct gcry_ac_key_spec_rsa +{ + gcry_mpi_t e; /* E to use. */ +} gcry_ac_key_spec_rsa_t; + +/* Structure used for passing data to the implementation of the + `EME-PKCS-V1_5' encoding method. */ +typedef struct gcry_ac_eme_pkcs_v1_5 +{ + gcry_ac_key_t key; + gcry_ac_handle_t handle; +} gcry_ac_eme_pkcs_v1_5_t; + +typedef enum gcry_md_algos gcry_md_algo_t; + +/* Structure used for passing data to the implementation of the + `EMSA-PKCS-V1_5' encoding method. 
*/ +typedef struct gcry_ac_emsa_pkcs_v1_5 +{ + gcry_md_algo_t md; + size_t em_n; +} gcry_ac_emsa_pkcs_v1_5_t; + +/* Structure used for passing data to the implementation of the + `SSA-PKCS-V1_5' signature scheme. */ +typedef struct gcry_ac_ssa_pkcs_v1_5 +{ + gcry_md_algo_t md; +} gcry_ac_ssa_pkcs_v1_5_t; + +/* Returns a new, empty data set in DATA. */ +gcry_error_t gcry_ac_data_new (gcry_ac_data_t *data); + +/* Destroy the data set DATA. */ +void gcry_ac_data_destroy (gcry_ac_data_t data); + +/* Create a copy of the data set DATA and store it in DATA_CP. */ +gcry_error_t gcry_ac_data_copy (gcry_ac_data_t *data_cp, + gcry_ac_data_t data); + +/* Return the number of named MPI values inside of the data set + DATA. */ +unsigned int gcry_ac_data_length (gcry_ac_data_t data); + +/* Destroy any values contained in the data set DATA. */ +void gcry_ac_data_clear (gcry_ac_data_t data); + +/* Add the value MPI to DATA with the label NAME. If FLAGS contains + GCRY_AC_FLAG_DATA_COPY, the data set will contain copies of NAME + and MPI. If FLAGS contains GCRY_AC_FLAG_DATA_DEALLOC or + GCRY_AC_FLAG_DATA_COPY, the values contained in the data set will + be deallocated when they are to be removed from the data set. */ +gcry_error_t gcry_ac_data_set (gcry_ac_data_t data, unsigned int flags, + const char *name, gcry_mpi_t mpi); + +/* Store the value labelled with NAME found in DATA in MPI. If FLAGS + contains GCRY_AC_FLAG_COPY, store a copy of the MPI value contained + in the data set. MPI may be NULL. */ +gcry_error_t gcry_ac_data_get_name (gcry_ac_data_t data, unsigned int flags, + const char *name, gcry_mpi_t *mpi); + +/* Stores in NAME and MPI the named MPI value contained in the data + set DATA with the index IDX. If FLAGS contains GCRY_AC_FLAG_COPY, + store copies of the values contained in the data set. NAME or MPI + may be NULL. 
*/ +gcry_error_t gcry_ac_data_get_index (gcry_ac_data_t data, unsigned int flags, + unsigned int idx, + const char **name, gcry_mpi_t *mpi); + +/* Convert the data set DATA into a new S-Expression, which is to be + stored in SEXP, according to the identifiers contained in + IDENTIFIERS. */ +gcry_error_t gcry_ac_data_to_sexp (gcry_ac_data_t data, gcry_sexp_t *sexp, + const char **identifiers); + +/* Create a new data set, which is to be stored in DATA_SET, from the + S-Expression SEXP, according to the identifiers contained in + IDENTIFIERS. */ +gcry_error_t gcry_ac_data_from_sexp (gcry_ac_data_t *data, gcry_sexp_t sexp, + const char **identifiers); + +/* Create a new ac handle. */ +gcry_error_t gcry_ac_open (gcry_ac_handle_t *handle, + gcry_ac_id_t algorithm, unsigned int flags); + +/* Destroy an ac handle. */ +void gcry_ac_close (gcry_ac_handle_t handle); + +/* Initialize a key from a given data set. */ +gcry_error_t gcry_ac_key_init (gcry_ac_key_t *key, gcry_ac_handle_t handle, + gcry_ac_key_type_t type, gcry_ac_data_t data); + +/* Generates a new key pair via the handle HANDLE of NBITS bits and + stores it in KEY_PAIR. In case non-standard settings are wanted, a + pointer to a structure of type gcry_ac_key_spec__t, + matching the selected algorithm, can be given as KEY_SPEC. + MISC_DATA is not used yet. */ +gcry_error_t gcry_ac_key_pair_generate (gcry_ac_handle_t handle, + unsigned int nbits, void *spec, + gcry_ac_key_pair_t *key_pair, + gcry_mpi_t **misc_data); + +/* Returns the key of type WHICH out of the key pair KEY_PAIR. */ +gcry_ac_key_t gcry_ac_key_pair_extract (gcry_ac_key_pair_t key_pair, + gcry_ac_key_type_t which); + +/* Returns the data set contained in the key KEY. */ +gcry_ac_data_t gcry_ac_key_data_get (gcry_ac_key_t key); + +/* Verifies that the key KEY is sane via HANDLE. */ +gcry_error_t gcry_ac_key_test (gcry_ac_handle_t handle, gcry_ac_key_t key); + +/* Stores the number of bits of the key KEY in NBITS via HANDLE. 
*/ +gcry_error_t gcry_ac_key_get_nbits (gcry_ac_handle_t handle, + gcry_ac_key_t key, unsigned int *nbits); + +/* Writes the 20 byte long key grip of the key KEY to KEY_GRIP via + HANDLE. */ +gcry_error_t gcry_ac_key_get_grip (gcry_ac_handle_t handle, gcry_ac_key_t key, + unsigned char *key_grip); + +/* Destroy a key. */ +void gcry_ac_key_destroy (gcry_ac_key_t key); + +/* Destroy a key pair. */ +void gcry_ac_key_pair_destroy (gcry_ac_key_pair_t key_pair); + +/* Encodes a message according to the encoding method METHOD. OPTIONS + must be a pointer to a method-specific structure + (gcry_ac_em*_t). */ +gcry_error_t gcry_ac_data_encode (gcry_ac_em_t method, + unsigned int flags, void *options, + unsigned char *m, size_t m_n, + unsigned char **em, size_t *em_n); + +/* Decodes a message according to the encoding method METHOD. OPTIONS + must be a pointer to a method-specific structure + (gcry_ac_em*_t). */ +gcry_error_t gcry_ac_data_decode (gcry_ac_em_t method, + unsigned int flags, void *options, + unsigned char *em, size_t em_n, + unsigned char **m, size_t *m_n); + +/* Encrypt the plain text MPI value DATA_PLAIN with the key KEY under + the control of the flags FLAGS and store the resulting data set + into DATA_ENCRYPTED. */ +gcry_error_t gcry_ac_data_encrypt (gcry_ac_handle_t handle, + unsigned int flags, + gcry_ac_key_t key, + gcry_mpi_t data_plain, + gcry_ac_data_t *data_encrypted); + +/* Decrypt the decrypted data contained in the data set DATA_ENCRYPTED + with the key KEY under the control of the flags FLAGS and store the + resulting plain text MPI value in DATA_PLAIN. */ +gcry_error_t gcry_ac_data_decrypt (gcry_ac_handle_t handle, + unsigned int flags, + gcry_ac_key_t key, + gcry_mpi_t *data_plain, + gcry_ac_data_t data_encrypted); + +/* Encrypts the plain text message contained in M, which is of size + M_N, with the public key KEY_PUBLIC according to the Encryption + Scheme SCHEME_ID. HANDLE is used for accessing the low-level + cryptographic primitives. 
If OPTS is not NULL, it has to be an + anonymous structure specific to the chosen scheme (gcry_ac_es_*_t). + The encrypted message will be stored in C and C_N. */ +gcry_error_t gcry_ac_data_encrypt_scheme (gcry_ac_handle_t handle, + gcry_ac_scheme_t scheme, + unsigned int flags, void *opts, + gcry_ac_key_t key_public, + unsigned char *m, size_t m_n, + unsigned char **c, size_t *c_n); + +/* Decrypts the cipher message contained in C, which is of size C_N, + with the secret key KEY_SECRET according to the Encryption Scheme + SCHEME_ID. HANDLE is used for accessing the low-level + cryptographic primitives. If OPTS is not NULL, it has to be an + anonymous structure specific to the chosen scheme (gcry_ac_es_*_t). + The decrypted message will be stored in M and M_N. */ +gcry_error_t gcry_ac_data_decrypt_scheme (gcry_ac_handle_t handle, + gcry_ac_scheme_t scheme, + unsigned int flags, void *opts, + gcry_ac_key_t key_secret, + unsigned char *c, size_t c_n, + unsigned char **m, size_t *m_n); + +/* Sign the data contained in DATA with the key KEY and store the + resulting signature in the data set DATA_SIGNATURE. */ +gcry_error_t gcry_ac_data_sign (gcry_ac_handle_t handle, + gcry_ac_key_t key, + gcry_mpi_t data, + gcry_ac_data_t *data_signature); + +/* Verify that the signature contained in the data set DATA_SIGNATURE + is indeed the result of signing the data contained in DATA with the + secret key belonging to the public key KEY. */ +gcry_error_t gcry_ac_data_verify (gcry_ac_handle_t handle, + gcry_ac_key_t key, + gcry_mpi_t data, + gcry_ac_data_t data_signature); + +/* Signs the message contained in M, which is of size M_N, with the + secret key KEY_SECRET according to the Signature Scheme SCHEME_ID. + Handle is used for accessing the low-level cryptographic + primitives. If OPTS is not NULL, it has to be an anonymous + structure specific to the chosen scheme (gcry_ac_ssa_*_t). The + signed message will be stored in S and S_N. 
*/ +gcry_error_t gcry_ac_data_sign_scheme (gcry_ac_handle_t handle, + gcry_ac_scheme_t scheme, + unsigned int flags, void *opts, + gcry_ac_key_t key_secret, + unsigned char *m, size_t m_n, + unsigned char **s, size_t *s_n); + +/* Verifies that the signature contained in S, which is of length S_N, + is indeed the result of signing the message contained in M, which + is of size M_N, with the secret key belonging to the public key + KEY_PUBLIC. If OPTS is not NULL, it has to be an anonymous + structure (gcry_ac_ssa_*_t) specific to the Signature Scheme, whose + ID is contained in SCHEME_ID. */ +gcry_error_t gcry_ac_data_verify_scheme (gcry_ac_handle_t handle, + gcry_ac_scheme_t scheme, + unsigned int flags, void *opts, + gcry_ac_key_t key_public, + unsigned char *m, size_t m_n, + unsigned char *s, size_t s_n); + +/* Store the textual representation of the algorithm whose id is given + in ALGORITHM in NAME. */ +gcry_error_t gcry_ac_id_to_name (gcry_ac_id_t algorithm, + const char **name); + +/* Store the numeric ID of the algorithm whose textual representation + is contained in NAME in ALGORITHM. */ +gcry_error_t gcry_ac_name_to_id (const char *name, + gcry_ac_id_t *algorithm); + + + /************************************ * * * random generating functions * Index: libgcrypt/src/libgcrypt.vers diff -u libgcrypt/src/libgcrypt.vers:1.4 libgcrypt/src/libgcrypt.vers:1.5 --- libgcrypt/src/libgcrypt.vers:1.4 Wed Mar 3 09:07:22 2004 +++ libgcrypt/src/libgcrypt.vers Sun Feb 13 19:13:22 2005 
@@ -53,18 +53,20 @@ gcry_pk_get_keygrip; gcry_pk_get_nbits; gcry_pk_list; gcry_pk_map_name; gcry_pk_register; gcry_pk_sign; gcry_pk_testkey; gcry_pk_unregister; gcry_pk_verify; - - gcry_ac_close; gcry_ac_data_clear; gcry_ac_data_copy; - gcry_ac_data_decrypt; gcry_ac_data_destroy; gcry_ac_data_encrypt; - gcry_ac_data_get_index; gcry_ac_data_get_name; gcry_ac_data_length; - gcry_ac_data_new; gcry_ac_data_set; gcry_ac_data_sign; - gcry_ac_data_verify; gcry_ac_flags; gcry_ac_id_to_name; - gcry_ac_key_data_get; gcry_ac_key_destroy; - gcry_ac_key_generate_specs; gcry_ac_key_get_grip; - gcry_ac_key_get_nbits; gcry_ac_key_init; gcry_ac_key_pair_destroy; - gcry_ac_key_pair_extract; gcry_ac_key_pair_generate; - gcry_ac_key_test; gcry_ac_name_to_id; gcry_ac_open; - + + gcry_ac_data_new; gcry_ac_data_destroy; gcry_ac_data_copy; + gcry_ac_data_length; gcry_ac_data_clear; gcry_ac_data_set; + gcry_ac_data_get_name; gcry_ac_data_get_index; gcry_ac_open; + gcry_ac_close; gcry_ac_key_init; gcry_ac_key_pair_generate; + gcry_ac_key_pair_extract; gcry_ac_key_data_get; gcry_ac_key_test; + gcry_ac_key_get_nbits; gcry_ac_key_get_grip; gcry_ac_key_destroy; + gcry_ac_key_pair_destroy; gcry_ac_data_encrypt; gcry_ac_data_decrypt; + gcry_ac_data_sign; gcry_ac_data_verify; gcry_ac_id_to_name; + gcry_ac_name_to_id; gcry_ac_list; gcry_ac_data_encode; + gcry_ac_data_decode; gcry_ac_mpi_to_os; gcry_ac_mpi_to_os_alloc; + gcry_ac_os_to_mpi; gcry_ac_data_encrypt_scheme; gcry_ac_data_decrypt_scheme; + gcry_ac_data_sign_scheme; gcry_ac_data_verify_scheme; + gcry_prime_check; gcry_prime_generate; gcry_prime_group_generator; gcry_prime_release_factors; Index: libgcrypt/src/mpi.h diff -u libgcrypt/src/mpi.h:1.12 libgcrypt/src/mpi.h:1.13 --- libgcrypt/src/mpi.h:1.12 Tue Jul 15 00:33:41 2003 +++ libgcrypt/src/mpi.h Sun Feb 13 19:13:22 2005 
@@ -1,5 +1,6 @@ /* mpi.h - Multi Precision Integers - * Copyright (C) 1994, 1996, 1998, 2001, 2002, 2003 Free Software Foundation, Inc. + * Copyright (C) 1994, 1996, 1998, + * 2001, 2002, 2003, 2005 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * @@ -106,6 +107,7 @@ #define mpi_alloc_like(a) _gcry_mpi_alloc_like((a)) #define mpi_set(a,b) _gcry_mpi_set ((a),(b)) #define mpi_set_ui(a,b) _gcry_mpi_set_ui ((a),(b)) +#define mpi_get_ui(a,b) _gcry_mpi_get_ui ((a),(b)) #define mpi_alloc_set_ui(a) _gcry_mpi_alloc_set_ui ((a)) #define mpi_m_check(a) _gcry_mpi_m_check ((a)) #define mpi_swap(a,b) _gcry_mpi_swap ((a),(b)) @@ -115,6 +117,7 @@ void _gcry_mpi_set( gcry_mpi_t w, gcry_mpi_t u); void _gcry_mpi_set_ui( gcry_mpi_t w, ulong u); gcry_mpi_t _gcry_mpi_alloc_set_ui( unsigned long u); +gcry_err_code_t _gcry_mpi_get_ui (gcry_mpi_t w, ulong *u); void _gcry_mpi_m_check( gcry_mpi_t a ); void _gcry_mpi_swap( gcry_mpi_t a, gcry_mpi_t b); From cvs at cvs.gnupg.org Sun Feb 13 19:16:19 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Sun Feb 13 19:16:22 2005 Subject: libgcrypt/doc (ChangeLog gcrypt.texi) Message-ID: Date: Sunday, February 13, 2005 @ 19:26:41 Author: mo Path: /cvs/libgcrypt/libgcrypt/doc Modified: ChangeLog gcrypt.texi 2005-02-13 Moritz Schulte * gcrypt.texi (Using cryptographic functions): Document new encoding and scheme crypto functionality. -------------+ ChangeLog | 5 ++ gcrypt.texi | 116 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 121 insertions(+) Index: libgcrypt/doc/ChangeLog diff -u libgcrypt/doc/ChangeLog:1.43 libgcrypt/doc/ChangeLog:1.44 --- libgcrypt/doc/ChangeLog:1.43 Thu Feb 3 20:42:56 2005 +++ libgcrypt/doc/ChangeLog Sun Feb 13 19:26:41 2005 
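Review bot: in the src/gcrypt.h hunk (@@ -1292), the comment above gcry_ac_data_set refers to GCRY_AC_FLAG_DATA_COPY and GCRY_AC_FLAG_DATA_DEALLOC, but the flags defined earlier in the same hunk are GCRY_AC_FLAG_COPY and GCRY_AC_FLAG_DEALLOC; the comment should use the names that exist. The scheme function comments drift in the same way: they mention SCHEME_ID and an option type gcry_ac_es_*_t, while the parameter is named scheme and the only option structures declared here are gcry_ac_eme_pkcs_v1_5_t, gcry_ac_emsa_pkcs_v1_5_t and gcry_ac_ssa_pkcs_v1_5_t. The comment on gcry_ac_key_pair_generate says KEY_SPEC for the parameter spec, and the one on gcry_ac_data_decrypt reads "Decrypt the decrypted data" where "encrypted" is meant. None of the comments on the encode, decode and scheme functions say how the caller releases the buffers returned through em, m, c and s; the header should state that.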
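Review bot: in the src/libgcrypt.vers hunk (@@ -53), gcry_ac_flags and gcry_ac_key_generate_specs are dropped from the export list, which removes two names from the library's exported interface; that deserves an explicit ChangeLog or NEWS entry if it does not already have one. The same hunk starts exporting gcry_ac_list, gcry_ac_mpi_to_os, gcry_ac_mpi_to_os_alloc and gcry_ac_os_to_mpi, none of which is declared in the gcrypt.h hunk of this commit, so please check that every newly exported name has a public prototype and a documentation entry.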
@@ -1,3 +1,8 @@ +2005-02-13 Moritz Schulte + + * gcrypt.texi (Using cryptographic functions): Document new + encoding and scheme crypto functionality. + 2005-02-03 Moritz Schulte * gcrypt.texi: Fixed several typos; thanks to Michele Baldessari. Index: libgcrypt/doc/gcrypt.texi diff -u libgcrypt/doc/gcrypt.texi:1.45 libgcrypt/doc/gcrypt.texi:1.46 --- libgcrypt/doc/gcrypt.texi:1.45 Thu Feb 3 20:42:56 2005 +++ libgcrypt/doc/gcrypt.texi Sun Feb 13 19:26:41 2005 @@ -2911,6 +2911,24 @@ algorithm; blinding is the default. @end table +There exist two kinds of cryptographic functions available through the +ac interface: primitives, and high-level functions. + +Primitives deal with MPIs (data sets) directly; what they provide is +direct access to the cryptographic operations provided by an algorithm +implementation. + +High-level functions deal with octet strings, according to a specified +``scheme''. Schemes make use of ``encoding methods'', which are +responsible for converting the provided octet strings into MPIs, which +are then forwared to the cryptographic primitives. Since schemes are +to be used for a special purpose in order to achieve a particular +security goal, there exist ``encryption schemes'' and ``signature +schemes''. Encoding methods can be used seperately or implicitely +through schemes. + +What follows is a description of the cryptographic primitives. + @deftypefun gcry_error_t gcry_ac_data_encrypt (gcry_ac_handle_t @var{handle}, unsigned int @var{flags}, gcry_ac_key_t @var{key}, gcry_mpi_t @var{data_plain}, gcry_ac_data_t **@var{data_encrypted}) Encrypts the plain text MPI value @var{data_plain} with the key public @var{key} under the control of the flags @var{flags} and stores the 
@@ -2937,6 +2955,104 @@ key @var{key}. @end deftypefun +What follows is a description of the high-level functions. + +The type ``gcry_ac_em_t'' is used for specifying encoding methods; the +following methods are supported: + +@table @code +@item GCRY_AC_EME_PKCS_V1_5 +PKCS-V1_5 Encoding Method for Encryption. Options must be provided +through a pointer to a correctly initialized object of type +gcry_ac_eme_pkcs_v1_5_t. + +@item GCRY_AC_EMSA_PKCS_V1_5 +PKCS-V1_5 Encoding Method for Signatures with Appendix. Options must +be provided through a pointer to a correctly initialized object of +type gcry_ac_emsa_pkcs_v1_5_t. +@end table + +Option structure types: + +@table @code +@item gcry_ac_eme_pkcs_v1_5_t +@table @code +@item gcry_ac_key_t key +@item gcry_ac_handle_t handle +@end table +@item gcry_ac_emsa_pkcs_v1_5_t +@table @code +@item gcry_md_algo_t md +@item size_t em_n +@end table +@end table + +Encoding methods can be used directly through the following functions: + +@deftypefun gcry_error_t gcry_ac_data_encode (gcry_ac_em_t @var{method}, unsigned int @var{flags}, void *@var{options}, unsigned char *@var{m}, size_t @var{m_n}, unsigned char **@var{em}, size_t *@var{em_n}) +Encodes the message contained in @var{m} of size @var{m_n} according +to @var{method}, @var{flags} and @var{options}. The newly created +encoded message is stored in @var{em} and @var{em_n}. +@end deftypefun + +@deftypefun gcry_error_t gcry_ac_data_decode (gcry_ac_em_t @var{method}, unsigned int @var{flags}, void *@var{options}, unsigned char *@var{em}, size_t @var{em_n}, unsigned char **@var{m}, size_t *@var{m_n}) +Decodes the message contained in @var{em} of size @var{em_n} according +to @var{method}, @var{flags} and @var{options}. The newly created +decoded message is stored in @var{m} and @var{m_n}. +@end deftypefun + +The type ``gcry_ac_scheme_t'' is used for specifying schemes; the +following schemes are supported: + +@table @code +@item GCRY_AC_ES_PKCS_V1_5 +PKCS-V1_5 Encryption Scheme. 
No options can be provided. +@item GCRY_AC_SSA_PKCS_V1_5 +PKCS-V1_5 Signature Scheme (with Appendix). Options can be provided +through a pointer to a correctly initialized object of type +gcry_ac_ssa_pkcs_v1_5_t. +@end table + +Option structure types: + +@table @code +@item gcry_ac_ssa_pkcs_v1_5_t +@table @code +@item gcry_md_algo_t md +@end table +@end table + +The functions implementing schemes: + +@deftypefun gcry_error_t gcry_ac_data_encrypt_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key_public}, unsigned char *@var{m}, size_t @var{m_n}, unsigned char **@var{c}, size_t *@var{c_n}) +Encrypts the plain text contained in @var{m} of size @var{m_n} through +@var{handle} and @var{key_public} according to @var{scheme}, +@var{flags} and @var{opts}. The encrypted message is stored in +@var{c} and @var{c_n}. +@end deftypefun + +@deftypefun gcry_error_t gcry_ac_data_decrypt_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key_secret}, unsigned char *@var{c}, size_t @var{c_n}, unsigned char **@var{m}, size_t *@var{m_n}) +Decrypts the cipher text contained in @var{c} of size @var{c_n} +through @var{handle} and @var{key_secret} according to @var{scheme}, +@var{flags} and @var{opts}. The decrypted message is stored in +@var{m} and @var{m_n}. +@end deftypefun + +@deftypefun gcry_error_t gcry_ac_data_sign_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key_secret}, unsigned char *@var{m}, size_t @var{m_n}, unsigned char **@var{s}, size_t *@var{s_n}) +Signs the message contained in @var{m} of size @var{m_n} through +@var{handle} and @var{key_secret} according to @var{scheme}, +@var{flags} and @var{opts}. The signature is stored in @var{s} and +@var{s_n}. 
+@end deftypefun + +@deftypefun gcry_error_t gcry_ac_data_verify_scheme (gcry_ac_handle_t @var{handle}, gcry_ac_scheme_t @var{scheme}, unsigned int @var{flags}, void *@var{opts}, gcry_ac_key_t @var{key_public}, unsigned char *@var{m}, size_t @var{m_n}, unsigned char *@var{s}, size_t @var{s_n}) +Verifies that the signature contained in @var{s} and @var{s_n} is +indeed the result of signing the message contained in @var{m} of size +@var{m_n} through @var{handle} and the secret key belonging to +@var{key_public} according to @var{scheme}, @var{flags} and +@var{opts}. +@end deftypefun + @node Handle-independent functions @section Handle-independent functions From cvs at cvs.gnupg.org Sun Feb 13 19:30:54 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Sun Feb 13 19:30:56 2005 Subject: libgcrypt/cipher (ChangeLog serpent.c) Message-ID: Date: Sunday, February 13, 2005 @ 19:41:16 Author: mo Path: /cvs/libgcrypt/libgcrypt/cipher Modified: ChangeLog serpent.c 2005-02-13 Moritz Schulte * serpent.c: Updated from 1.2 branch: s/u32_t/u32/ and s/byte_t/byte/. Too match what we have always used and are using in all other files too (serpent_test): Moved prototype out of a fucntion. -----------+ ChangeLog | 8 ++++ serpent.c | 113 +++++++++++++++++++++++++++++------------------------------- 2 files changed, 63 insertions(+), 58 deletions(-) Index: libgcrypt/cipher/ChangeLog diff -u libgcrypt/cipher/ChangeLog:1.223 libgcrypt/cipher/ChangeLog:1.224 --- libgcrypt/cipher/ChangeLog:1.223 Sun Feb 13 19:15:20 2005 +++ libgcrypt/cipher/ChangeLog Sun Feb 13 19:41:15 2005 
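Review bot: in the first doc/gcrypt.texi hunk (@@ -2911), the added paragraph on high-level functions has three spelling errors: "forwared", "seperately" and "implicitely" should be "forwarded", "separately" and "implicitly". The unchanged @deftypefun line for gcry_ac_data_encrypt directly below shows the last parameter as gcry_ac_data_t **data_encrypted, while the prototype in gcrypt.h takes gcry_ac_data_t *data_encrypted; since this commit documents the interface, that line should be brought in line with the header.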
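Review bot: in the second doc/gcrypt.texi hunk (@@ -2937), the option structure tables list the members of gcry_ac_eme_pkcs_v1_5_t, gcry_ac_emsa_pkcs_v1_5_t and gcry_ac_ssa_pkcs_v1_5_t as bare @item lines with no description, so a reader cannot tell what key, handle, md or em_n have to contain for the "correctly initialized object" the text asks for. Each @item needs a sentence of explanation. The @deftypefun entries also do not say what is returned when decoding or verification fails, or who frees the buffers stored in em, m, c and s.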
@@ -1,3 +1,11 @@ +2005-02-13 Moritz Schulte + + * serpent.c: Updated from 1.2 branch: + + s/u32_t/u32/ and s/byte_t/byte/. Too match what we have always + used and are using in all other files too + (serpent_test): Moved prototype out of a fucntion. + 2005-02-07 Moritz Schulte * ac.c: Major parts rewritten. Index: libgcrypt/cipher/serpent.c diff -u libgcrypt/cipher/serpent.c:1.6 libgcrypt/cipher/serpent.c:1.7 --- libgcrypt/cipher/serpent.c:1.6 Thu Dec 9 18:04:47 2004 +++ libgcrypt/cipher/serpent.c Sun Feb 13 19:41:15 2005 @@ -1,5 +1,5 @@ /* serpent.c - Implementation of the Serpent encryption algorithm. - * Copyright (C) 2003 Free Software Foundation, Inc. + * Copyright (C) 2003, 2004, 2005 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * @@ -35,19 +35,15 @@ /* Magic number, used during generating of the subkeys. */ #define PHI 0x9E3779B9 -/* Internal types. */ -typedef byte byte_t; -typedef u32 u32_t; - /* Serpent works on 128 bit blocks. */ -typedef u32_t serpent_block_t[4]; +typedef u32 serpent_block_t[4]; /* Serpent key, provided by the user. If the original key is shorter than 256 bits, it is padded. */ -typedef u32_t serpent_key_t[8]; +typedef u32 serpent_key_t[8]; /* The key schedule consists of 33 128 bit subkeys. */ -typedef u32_t serpent_subkeys_t[ROUNDS + 1][4]; +typedef u32 serpent_subkeys_t[ROUNDS + 1][4]; /* A Serpent context. */ typedef struct serpent_context @@ -55,10 +51,11 @@ serpent_subkeys_t keys; /* Generated subkeys. */ } serpent_context_t; + /* A prototype. */ static const char *serpent_test (void); - + #define byte_swap_32(x) \ (0 \ | (((x) & 0xff000000) >> 24) | (((x) & 0x00ff0000) >> 8) \ @@ -82,8 +79,8 @@ #define SBOX0(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t05, t06, t07, t08, t09; \ - u32_t t11, t12, t13, t14, t15, t17, t01; \ + u32 t02, t03, t05, t06, t07, t08, t09; \ + u32 t11, t12, t13, t14, t15, t17, t01; \ t01 = b ^ c ; \ t02 = a | d ; \ t03 = a ^ b ; \ 
@@ -106,8 +103,8 @@ #define SBOX0_INVERSE(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t06, t08, t09, t10; \ - u32_t t12, t13, t14, t15, t17, t18, t01; \ + u32 t02, t03, t04, t05, t06, t08, t09, t10; \ + u32 t12, t13, t14, t15, t17, t18, t01; \ t01 = c ^ d ; \ t02 = a | b ; \ t03 = b | c ; \ @@ -131,8 +128,8 @@ #define SBOX1(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t06, t07, t08; \ - u32_t t10, t11, t12, t13, t16, t17, t01; \ + u32 t02, t03, t04, t05, t06, t07, t08; \ + u32 t10, t11, t12, t13, t16, t17, t01; \ t01 = a | d ; \ t02 = c ^ d ; \ t03 = ~ b ; \ @@ -155,8 +152,8 @@ #define SBOX1_INVERSE(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t06, t07, t08; \ - u32_t t09, t10, t11, t14, t15, t17, t01; \ + u32 t02, t03, t04, t05, t06, t07, t08; \ + u32 t09, t10, t11, t14, t15, t17, t01; \ t01 = a ^ b ; \ t02 = b | d ; \ t03 = a & c ; \ @@ -179,8 +176,8 @@ #define SBOX2(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t05, t06, t07, t08; \ - u32_t t09, t10, t12, t13, t14, t01; \ + u32 t02, t03, t05, t06, t07, t08; \ + u32 t09, t10, t12, t13, t14, t01; \ t01 = a | c ; \ t02 = a ^ b ; \ t03 = d ^ t01; \ @@ -201,8 +198,8 @@ #define SBOX2_INVERSE(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t06, t07, t08, t09; \ - u32_t t10, t11, t12, t15, t16, t17, t01; \ + u32 t02, t03, t04, t06, t07, t08, t09; \ + u32 t10, t11, t12, t15, t16, t17, t01; \ t01 = a ^ d ; \ t02 = c ^ d ; \ t03 = a & c ; \ @@ -225,8 +222,8 @@ #define SBOX3(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t06, t07, t08; \ - u32_t t09, t10, t11, t13, t14, t15, t01; \ + u32 t02, t03, t04, t05, t06, t07, t08; \ + u32 t09, t10, t11, t13, t14, t15, t01; \ t01 = a ^ c ; \ t02 = a | d ; \ t03 = a & d ; \ 
@@ -249,8 +246,8 @@ #define SBOX3_INVERSE(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t06, t07, t09; \ - u32_t t11, t12, t13, t14, t16, t01; \ + u32 t02, t03, t04, t05, t06, t07, t09; \ + u32 t11, t12, t13, t14, t16, t01; \ t01 = c | d ; \ t02 = a | d ; \ t03 = c ^ t02; \ @@ -272,8 +269,8 @@ #define SBOX4(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t06, t08, t09; \ - u32_t t10, t11, t12, t13, t14, t15, t16, t01; \ + u32 t02, t03, t04, t05, t06, t08, t09; \ + u32 t10, t11, t12, t13, t14, t15, t16, t01; \ t01 = a | b ; \ t02 = b | c ; \ t03 = a ^ t02; \ @@ -297,8 +294,8 @@ #define SBOX4_INVERSE(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t06, t07, t09; \ - u32_t t10, t11, t12, t13, t15, t01; \ + u32 t02, t03, t04, t05, t06, t07, t09; \ + u32 t10, t11, t12, t13, t15, t01; \ t01 = b | d ; \ t02 = c | d ; \ t03 = a & t01; \ @@ -320,8 +317,8 @@ #define SBOX5(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t07, t08, t09; \ - u32_t t10, t11, t12, t13, t14, t01; \ + u32 t02, t03, t04, t05, t07, t08, t09; \ + u32 t10, t11, t12, t13, t14, t01; \ t01 = b ^ d ; \ t02 = b | d ; \ t03 = a & t01; \ @@ -343,8 +340,8 @@ #define SBOX5_INVERSE(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t07, t08, t09; \ - u32_t t10, t12, t13, t15, t16, t01; \ + u32 t02, t03, t04, t05, t07, t08, t09; \ + u32 t10, t12, t13, t15, t16, t01; \ t01 = a & d ; \ t02 = c ^ t01; \ t03 = a ^ d ; \ @@ -366,8 +363,8 @@ #define SBOX6(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t07, t08, t09, t10; \ - u32_t t11, t12, t13, t15, t17, t18, t01; \ + u32 t02, t03, t04, t05, t07, t08, t09, t10; \ + u32 t11, t12, t13, t15, t17, t18, t01; \ t01 = a & d ; \ t02 = b ^ c ; \ t03 = a ^ d ; \ 
@@ -391,8 +388,8 @@ #define SBOX6_INVERSE(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t06, t07, t08, t09; \ - u32_t t12, t13, t14, t15, t16, t17, t01; \ + u32 t02, t03, t04, t05, t06, t07, t08, t09; \ + u32 t12, t13, t14, t15, t16, t17, t01; \ t01 = a ^ c ; \ t02 = ~ c ; \ t03 = b & t01; \ @@ -416,8 +413,8 @@ #define SBOX7(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t05, t06, t08, t09, t10; \ - u32_t t11, t13, t14, t15, t16, t17, t01; \ + u32 t02, t03, t04, t05, t06, t08, t09, t10; \ + u32 t11, t13, t14, t15, t16, t17, t01; \ t01 = a & c ; \ t02 = ~ d ; \ t03 = a & t02; \ @@ -441,8 +438,8 @@ #define SBOX7_INVERSE(a, b, c, d, w, x, y, z) \ { \ - u32_t t02, t03, t04, t06, t07, t08, t09; \ - u32_t t10, t11, t13, t14, t15, t16, t01; \ + u32 t02, t03, t04, t06, t07, t08, t09; \ + u32 t10, t11, t13, t14, t15, t16, t01; \ t01 = a & b ; \ t02 = a | b ; \ t03 = c | t01; \ @@ -582,7 +579,7 @@ /* Convert the user provided key KEY of KEY_LENGTH bytes into the internally used format. */ static void -serpent_key_prepare (const byte_t *key, unsigned int key_length, +serpent_key_prepare (const byte *key, unsigned int key_length, serpent_key_t key_prepared) { int i; @@ -591,9 +588,9 @@ for (i = 0; i < key_length / 4; i++) { #ifdef WORDS_BIGENDIAN - key_prepared[i] = byte_swap_32 (((u32_t *) key)[i]); + key_prepared[i] = byte_swap_32 (((u32 *) key)[i]); #else - key_prepared[i] = ((u32_t *) key)[i]; + key_prepared[i] = ((u32 *) key)[i]; #endif } @@ -612,9 +609,9 @@ static void serpent_subkeys_generate (serpent_key_t key, serpent_subkeys_t subkeys) { - u32_t w_real[140]; /* The `prekey'. */ - u32_t k[132]; - u32_t *w = &w_real[8]; + u32 w_real[140]; /* The `prekey'. */ + u32 k[132]; + u32 *w = &w_real[8]; int i, j; /* Initialize with key values. */ 
@@ -669,19 +666,19 @@ /* Initialize CONTEXT with the key KEY of KEY_LENGTH bits. */ static void serpent_setkey_internal (serpent_context_t *context, - const byte_t *key, unsigned int key_length) + const byte *key, unsigned int key_length) { serpent_key_t key_prepared; serpent_key_prepare (key, key_length, key_prepared); serpent_subkeys_generate (key_prepared, context->keys); - _gcry_burn_stack (272 * sizeof (u32_t)); + _gcry_burn_stack (272 * sizeof (u32)); } /* Initialize CTX with the key KEY of KEY_LENGTH bytes. */ static gcry_err_code_t serpent_setkey (void *ctx, - const byte_t *key, unsigned int key_length) + const byte *key, unsigned int key_length) { serpent_context_t *context = ctx; static const char *serpent_test_ret; @@ -842,12 +839,12 @@ } static void -serpent_encrypt (void *ctx, byte_t *buffer_out, const byte_t *buffer_in) +serpent_encrypt (void *ctx, byte *buffer_out, const byte *buffer_in) { serpent_context_t *context = ctx; serpent_encrypt_internal (context, - (const u32_t *) buffer_in, (u32_t *) buffer_out); + (const u32 *) buffer_in, (u32 *) buffer_out); _gcry_burn_stack (2 * sizeof (serpent_block_t)); } @@ -857,8 +854,8 @@ serpent_context_t *context = ctx; serpent_decrypt_internal (context, - (const u32_t *) buffer_in, - (u32_t *) buffer_out); + (const u32 *) buffer_in, + (u32 *) buffer_out); _gcry_burn_stack (2 * sizeof (serpent_block_t)); } @@ -918,8 +915,8 @@ serpent_setkey_internal (&context, test_data[i].key, test_data[i].key_length); serpent_encrypt_internal (&context, - (const u32_t *) test_data[i].text_plain, - (u32_t *) scratch); + (const u32 *) test_data[i].text_plain, + (u32 *) scratch); if (memcmp (scratch, test_data[i].text_cipher, sizeof (serpent_block_t))) switch (test_data[i].key_length) 
@@ -933,8 +930,8 @@ } serpent_decrypt_internal (&context, - (const u32_t *) test_data[i].text_cipher, - (u32_t *) scratch); + (const u32 *) test_data[i].text_cipher, + (u32 *) scratch); if (memcmp (scratch, test_data[i].text_plain, sizeof (serpent_block_t))) switch (test_data[i].key_length) { From cvs at cvs.gnupg.org Mon Feb 14 20:56:35 2005 
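Review bot: in the cipher/serpent.c hunk at @@ -591 (serpent_key_prepare), the rewritten lines still read the key as ((u32 *) key)[i] although key is declared const byte *, so the cast drops the const qualifier and assumes the caller's byte buffer is aligned for u32 access. Since these lines are being touched for the rename anyway, use (const u32 *) at minimum, or assemble each word from its four bytes, which would also make the WORDS_BIGENDIAN branch unnecessary. The same alignment assumption applies to the (const u32 *) buffer_in and (u32 *) buffer_out casts in serpent_encrypt and in the decrypt counterpart at @@ -857.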
From: cvs at cvs.gnupg.org (cvs user mo) Date: Mon Feb 14 20:56:40 2005 Subject: GNUPG-1-9-BRANCH gnupg/agent (ChangeLog command-ssh.c) Message-ID: Date: Monday, February 14, 2005 @ 21:07:02 Author: mo Path: /cvs/gnupg/gnupg/agent Tag: GNUPG-1-9-BRANCH Modified: ChangeLog command-ssh.c 2005-02-14 Moritz Schulte * command-ssh.c (es_read_byte): Renamed to ... (stream_es_read_byte): ... this; changed callers. (es_write_byte): Renamed to ... (stream_write_byte): ... this; changed callers. (es_read_uint32): Renamed to ... (stream_read_uint32): ... this; changed callers. (es_write_uint32): Renamed to ... (stream_write_uint32): ... this; changed callers. (es_read_data): Renamed to ... (stream_read_data): ... this; changed callers. (es_write_data): Renamed to ... (stream_write_data): ... this; changed callers. (es_read_string): Renamed to ... (stream_read_string): ... this; changed callers. (es_read_cstring): Renamed to ... (stream_read_cstring): ... this; changed callers. (es_write_string): Renamed to ... (stream_write_string): ... this; changed callers. (es_write_cstring): Renamed to ... (stream_write_cstring): ... this; changed callers. (es_read_mpi): Renamed to ... (stream_read_mpi): ... this; changed callers. (es_write_mpi): Renamed to ... (stream_write_mpi): ... this; changed callers. (es_copy): Renamed to ... (stream_copy): ... this; changed callers. (es_read_file): Renamed to ... (file_to_buffer): ... this; changed callers. (ssh_identity_register): Removed variable description_length; changed code to use asprintf for description. (stream_write_uint32): Do not filter out the last byte of shift expression. 
---------------+ ChangeLog | 35 +++++++ command-ssh.c | 249 +++++++++++++++++++++++++++----------------------------- 2 files changed, 156 insertions(+), 128 deletions(-) Index: gnupg/agent/ChangeLog diff -u gnupg/agent/ChangeLog:1.59.2.61 gnupg/agent/ChangeLog:1.59.2.62 --- gnupg/agent/ChangeLog:1.59.2.61 Thu Feb 3 18:40:02 2005 +++ gnupg/agent/ChangeLog Mon Feb 14 21:07:01 2005 
@@ -1,3 +1,38 @@ +2005-02-14 Moritz Schulte + + * command-ssh.c (es_read_byte): Renamed to ... + (stream_es_read_byte): ... this; changed callers. + (es_write_byte): Renamed to ... + (stream_write_byte): ... this; changed callers. + (es_read_uint32): Renamed to ... + (stream_read_uint32): ... this; changed callers. + (es_write_uint32): Renamed to ... + (stream_write_uint32): ... this; changed callers. + (es_read_data): Renamed to ... + (stream_read_data): ... this; changed callers. + (es_write_data): Renamed to ... + (stream_write_data): ... this; changed callers. + (es_read_string): Renamed to ... + (stream_read_string): ... this; changed callers. + (es_read_cstring): Renamed to ... + (stream_read_cstring): ... this; changed callers. + (es_write_string): Renamed to ... + (stream_write_string): ... this; changed callers. + (es_write_cstring): Renamed to ... + (stream_write_cstring): ... this; changed callers. + (es_read_mpi): Renamed to ... + (stream_read_mpi): ... this; changed callers. + (es_write_mpi): Renamed to ... + (stream_write_mpi): ... this; changed callers. + (es_copy): Renamed to ... + (stream_copy): ... this; changed callers. + (es_read_file): Renamed to ... + (file_to_buffer): ... this; changed callers. + (ssh_identity_register): Removed variable description_length; + changed code to use asprintf for description. + (stream_write_uint32): Do not filter out the last byte of shift + expression. + 2005-02-03 Werner Koch * agent.h (agent_exit): Add JNLIB_GCC_A_NR to indicate that this Index: gnupg/agent/command-ssh.c diff -u gnupg/agent/command-ssh.c:1.1.4.5 gnupg/agent/command-ssh.c:1.1.4.6 --- gnupg/agent/command-ssh.c:1.1.4.5 Thu Feb 3 18:40:02 2005 +++ gnupg/agent/command-ssh.c Mon Feb 14 21:07:01 2005 
@@ -181,8 +181,8 @@ General utility functions. */ -/* A secure realloc, i.e. it amkese sure to allocate secure memory if - A is NULL. This is required becuase the standard gcry_realloc does +/* A secure realloc, i.e. it makes sure to allocate secure memory if A + is NULL. This is required becuase the standard gcry_realloc does not know whether to allocate secure or normal if NULL is passed as existing buffer. */ static void * @@ -220,17 +220,12 @@ /* Primitive I/O functions. - - FIXME: Needs documentation. - - Why are all these functions prefixed with es_ ? They are not part - of libestream, thus they should not use this prefix. - */ +/* Read a byte from STREAM, store it in B. */ static gpg_error_t -es_read_byte (estream_t stream, unsigned char *b) +stream_read_byte (estream_t stream, unsigned char *b) { gpg_error_t err; int ret; @@ -252,9 +247,9 @@ return err; } - +/* Write the byte contained in B to STREAM. */ static gpg_error_t -es_write_byte (estream_t stream, unsigned char b) +stream_write_byte (estream_t stream, unsigned char b) { gpg_error_t err; int ret; @@ -268,9 +263,9 @@ return err; } - +/* Read a uint32 from STREAM, store it in UINT32. */ static gpg_error_t -es_read_uint32 (estream_t stream, u32 *uint32) +stream_read_uint32 (estream_t stream, u32 *uint32) { unsigned char buffer[4]; size_t bytes_read; @@ -308,9 +303,9 @@ return err; } - +/* Write the uint32 contained in UINT32 to STREAM. */ static gpg_error_t -es_write_uint32 (estream_t stream, u32 uint32) +stream_write_uint32 (estream_t stream, u32 uint32) { unsigned char buffer[4]; gpg_error_t err; @@ -331,9 +326,9 @@ return err; } - +/* Read SIZE bytes from STREAM into BUFFER. */ static gpg_error_t -es_read_data (estream_t stream, unsigned char *buffer, size_t size) +stream_read_data (estream_t stream, unsigned char *buffer, size_t size) { gpg_error_t err; size_t bytes_read; 
@@ -353,9 +348,9 @@ return err; } - +/* Write SIZE bytes from BUFFER to STREAM. */ static gpg_error_t -es_write_data (estream_t stream, const unsigned char *buffer, size_t size) +stream_write_data (estream_t stream, const unsigned char *buffer, size_t size) { gpg_error_t err; int ret; @@ -369,10 +364,12 @@ return err; } - +/* Read a binary string from STREAM into STRING, store size of string + in STRING_SIZE; depending on SECURE use secure memory for + string. */ static gpg_error_t -es_read_string (estream_t stream, unsigned int secure, - unsigned char **string, u32 *string_size) +stream_read_string (estream_t stream, unsigned int secure, + unsigned char **string, u32 *string_size) { gpg_error_t err; unsigned char *buffer; @@ -381,7 +378,7 @@ buffer = NULL; /* Read string length. */ - err = es_read_uint32 (stream, &length); + err = stream_read_uint32 (stream, &length); if (err) goto out; @@ -399,7 +396,7 @@ } /* Read data. */ - err = es_read_data (stream, buffer, length); + err = stream_read_data (stream, buffer, length); if (err) goto out; @@ -417,14 +414,14 @@ return err; } - +/* Read a C-string from STREAM, store copy in STRING. */ static gpg_error_t -es_read_cstring (estream_t stream, char **string) +stream_read_cstring (estream_t stream, char **string) { unsigned char *buffer; gpg_error_t err; - err = es_read_string (stream, 0, &buffer, NULL); + err = stream_read_string (stream, 0, &buffer, NULL); if (err) goto out; 
@@ -436,39 +433,40 @@ } -/* FIXME: Needs documentation. */ +/* Write a binary string from STRING of size STRING_N to STREAM. */ static gpg_error_t -es_write_string (estream_t stream, - const unsigned char *string, u32 string_n) +stream_write_string (estream_t stream, + const unsigned char *string, u32 string_n) { gpg_error_t err; - err = es_write_uint32 (stream, string_n); + err = stream_write_uint32 (stream, string_n); if (err) goto out; - err = es_write_data (stream, string, string_n); + err = stream_write_data (stream, string, string_n); out: return err; } - +/* Write a C-string from STRING to STREAM. */ static gpg_error_t -es_write_cstring (estream_t stream, const char *string) +stream_write_cstring (estream_t stream, const char *string) { gpg_error_t err; - err = es_write_string (stream, - (const unsigned char *) string, strlen (string)); + err = stream_write_string (stream, + (const unsigned char *) string, strlen (string)); return err; } - +/* Read an MPI from STREAM, store it in MPINT. Depending on SECURE + use secure memory. */ static gpg_error_t -es_read_mpi (estream_t stream, unsigned int secure, gcry_mpi_t *mpint) +stream_read_mpi (estream_t stream, unsigned int secure, gcry_mpi_t *mpint) { unsigned char *mpi_data; u32 mpi_data_size; @@ -477,7 +475,7 @@ mpi_data = NULL; - err = es_read_string (stream, secure, &mpi_data, &mpi_data_size); + err = stream_read_string (stream, secure, &mpi_data, &mpi_data_size); if (err) goto out; @@ -494,9 +492,9 @@ return err; } - +/* Write the MPI contained in MPINT to STREAM. */ static gpg_error_t -es_write_mpi (estream_t stream, gcry_mpi_t mpint) +stream_write_mpi (estream_t stream, gcry_mpi_t mpint) { unsigned char *mpi_buffer; size_t mpi_buffer_n; @@ -508,7 +506,7 @@ if (err) goto out; - err = es_write_string (stream, mpi_buffer, mpi_buffer_n); + err = stream_write_string (stream, mpi_buffer, mpi_buffer_n); out: 
@@ -517,9 +515,42 @@ return err; } +/* Copy data from SRC to DST until EOF is reached. */ +static gpg_error_t +stream_copy (estream_t dst, estream_t src) +{ + char buffer[BUFSIZ]; + size_t bytes_read; + gpg_error_t err; + int ret; + + err = 0; + while (1) + { + ret = es_read (src, buffer, sizeof (buffer), &bytes_read); + if (ret || (! bytes_read)) + { + if (ret) + err = gpg_error_from_errno (errno); + break; + } + ret = es_write (dst, buffer, bytes_read, NULL); + if (ret) + { + err = gpg_error_from_errno (errno); + break; + } + } + + return err; +} + +/* Read the content of the file specified by FILENAME into a newly + create buffer, which is to be stored in BUFFER; store length of + buffer in BUFFER_N. */ static gpg_error_t -es_read_file (const char *filename, unsigned char **buffer, size_t *buffer_n) +file_to_buffer (const char *filename, unsigned char **buffer, size_t *buffer_n) { unsigned char *buffer_new; struct stat statbuf; @@ -551,7 +582,7 @@ goto out; } - err = es_read_data (stream, buffer_new, statbuf.st_size); + err = stream_read_data (stream, buffer_new, statbuf.st_size); if (err) goto out; @@ -570,36 +601,6 @@ } -static gpg_error_t -es_copy (estream_t dst, estream_t src) -{ - char buffer[BUFSIZ]; - size_t bytes_read; - gpg_error_t err; - int ret; - - err = 0; - while (1) - { - ret = es_read (src, buffer, sizeof (buffer), &bytes_read); - if (ret || (! bytes_read)) - { - if (ret) - err = gpg_error_from_errno (errno); - break; - } - ret = es_write (dst, buffer, bytes_read, NULL); - if (ret) - { - err = gpg_error_from_errno (errno); - break; - } - } - - return err; -} - - /* @@ -661,7 +662,7 @@ for (i = 0; i < elems_n; i++) { elem_is_secret = strchr (elems_secret, elems[i]) ? 1 : 0; - err = es_read_mpi (stream, elem_is_secret, &mpis[i]); + err = stream_read_mpi (stream, elem_is_secret, &mpis[i]); if (err) break; } 
@@ -727,7 +728,7 @@ if (err) goto out; - err = es_write_string (signature_blob, data, data_n); + err = stream_write_string (signature_blob, data, data_n); xfree (data); out: @@ -771,7 +772,7 @@ if (err) goto out; - err = es_write_string (signature_blob, buffer, sizeof (buffer)); + err = stream_write_string (signature_blob, buffer, sizeof (buffer)); out: @@ -1075,7 +1076,7 @@ comment = ""; key = NULL; - err = es_read_cstring (stream, &key_type); + err = stream_read_cstring (stream, &key_type); if (err) goto out; @@ -1089,7 +1090,7 @@ if (read_comment) { - err = es_read_cstring (stream, &comment); + err = stream_read_cstring (stream, &comment); if (err) goto out; } @@ -1145,12 +1146,12 @@ goto out; } - err = es_write_cstring (stream, type); + err = stream_write_cstring (stream, type); if (err) goto out; for (i = 0; mpis[i] && (! err); i++) - err = es_write_mpi (stream, mpis[i]); + err = stream_write_mpi (stream, mpis[i]); if (err) goto out; @@ -1172,7 +1173,7 @@ goto out; } - err = es_read_data (stream, blob_new, blob_size_new); + err = stream_read_data (stream, blob_new, blob_size_new); if (err) goto out; @@ -1223,11 +1224,11 @@ if (err) goto out; - err = es_write_string (stream, blob, blob_n); + err = stream_write_string (stream, blob, blob_n); if (err) goto out; - err = es_write_cstring (stream, comment); + err = stream_write_cstring (stream, comment); out: @@ -1256,7 +1257,7 @@ goto out; } - err = es_write_data (blob_stream, blob, blob_size); + err = stream_write_data (blob_stream, blob, blob_size); if (err) goto out; @@ -1373,6 +1374,7 @@ if (err) goto out; + /* FIXME: write better. */ sprintf (template, "(public-key (%s", spec.identifier); for (i = 0; i < elems_n; i++) sprintf (strchr (template, 0)," (%c %%m)", elems[i]); @@ -1479,7 +1481,7 @@ strncpy (key_path + key_directory_n + 1, dir_entry->d_name, 40); /* Read file content. */ - err = es_read_file (key_path, &buffer, &buffer_n); + err = file_to_buffer (key_path, &buffer, &buffer_n); if (err) break; 
@@ -1540,19 +1542,19 @@ if (! err) { - ret_err = es_write_byte (response, SSH_RESPONSE_IDENTITIES_ANSWER); + ret_err = stream_write_byte (response, SSH_RESPONSE_IDENTITIES_ANSWER); if (ret_err) goto leave; - ret_err = es_write_uint32 (response, key_counter); + ret_err = stream_write_uint32 (response, key_counter); if (ret_err) goto leave; - ret_err = es_copy (response, key_blobs); + ret_err = stream_copy (response, key_blobs); if (ret_err) goto leave; } else { - ret_err = es_write_byte (response, SSH_RESPONSE_FAILURE); + ret_err = stream_write_byte (response, SSH_RESPONSE_FAILURE); goto leave; }; @@ -1651,7 +1653,7 @@ if (err) goto out; - err = es_write_cstring (stream, spec.ssh_identifier); + err = stream_write_cstring (stream, spec.ssh_identifier); if (err) goto out; @@ -1714,7 +1716,7 @@ goto out; } - err = es_read_data (stream, sig_blob, sig_blob_n); + err = stream_read_data (stream, sig_blob, sig_blob_n); if (err) goto out; @@ -1763,7 +1765,7 @@ /* Receive key. */ - err = es_read_string (request, 0, &key_blob, &key_blob_size); + err = stream_read_string (request, 0, &key_blob, &key_blob_size); if (err) goto out; @@ -1772,12 +1774,12 @@ goto out; /* Receive data to sign. */ - err = es_read_string (request, 0, &data, &data_size); + err = stream_read_string (request, 0, &data, &data_size); if (err) goto out; /* FIXME? */ - err = es_read_uint32 (request, &flags); + err = stream_read_uint32 (request, &flags); if (err) goto out; @@ -1817,16 +1819,16 @@ if (! err) { - ret_err = es_write_byte (response, SSH_RESPONSE_SIGN_RESPONSE); + ret_err = stream_write_byte (response, SSH_RESPONSE_SIGN_RESPONSE); if (ret_err) goto leave; - ret_err = es_write_string (response, sig, sig_n); + ret_err = stream_write_string (response, sig, sig_n); if (ret_err) goto leave; } else { - ret_err = es_write_byte (response, SSH_RESPONSE_FAILURE); + ret_err = stream_write_byte (response, SSH_RESPONSE_FAILURE); if (ret_err) goto leave; } 
@@ -1975,7 +1977,6 @@ unsigned char *buffer; unsigned int buffer_n; char passphrase[100]; - size_t description_length; char *description; char key_grip[41]; char *comment; @@ -2000,23 +2001,15 @@ if (err) goto out; - - /* FIXME: What the hell is that: Never have use sprintf in that way. - When marking a string translatbale you might get a buffer - overflow. We have never done this elsewhere. Using [x]asprintf - is the right way!! */ - description_length = 95 + (comment ? strlen (comment) : 0); - description = malloc (description_length); - if (! description) + ret = asprintf (&description, + "Please provide the passphrase, which should be used " + "for protecting the received secret key `%s':", + comment ? comment : ""); + if (ret < 0) { err = gpg_err_code_from_errno (errno); goto out; } - else - sprintf (description, - "Please provide the passphrase, which should be used " - "for protecting the received secret key `%s':", - comment ? comment : ""); err = get_passphrase (ctrl, description, sizeof (passphrase), passphrase); if (err) @@ -2041,7 +2034,7 @@ xfree (buffer); xfree (comment); - xfree (description); + free (description); /* FIXME: verify xfree vs free. */ return err; @@ -2088,7 +2081,7 @@ while (1) { - err = es_read_byte (request, &b); + err = stream_read_byte (request, &b); if (gpg_err_code (err) == GPG_ERR_EOF) { err = 0; @@ -2101,7 +2094,7 @@ { u32 n = 0; - err = es_read_uint32 (request, &n); + err = stream_read_uint32 (request, &n); if (! err) ttl = n; break; @@ -2129,7 +2122,7 @@ gcry_sexp_release (key); - ret_err = es_write_byte (response, + ret_err = stream_write_byte (response, err ? SSH_RESPONSE_FAILURE : SSH_RESPONSE_SUCCESS); return ret_err; @@ -2150,7 +2143,7 @@ key_blob = NULL; key = NULL; - err = es_read_string (request, 0, &key_blob, &key_blob_size); + err = stream_read_string (request, 0, &key_blob, &key_blob_size); if (err) goto out; 
@@ -2165,7 +2158,7 @@ xfree (key_blob); gcry_sexp_release (key); - ret_err = es_write_byte (response, + ret_err = stream_write_byte (response, err ? SSH_RESPONSE_FAILURE : SSH_RESPONSE_SUCCESS); return ret_err; @@ -2192,7 +2185,7 @@ gpg_error_t err; err = ssh_identities_remove_all (); - ret_err = es_write_byte (response, + ret_err = stream_write_byte (response, err ? SSH_RESPONSE_FAILURE : SSH_RESPONSE_SUCCESS); return ret_err; @@ -2228,7 +2221,7 @@ gpg_error_t err; err = ssh_lock (); - ret_err = es_write_byte (response, + ret_err = stream_write_byte (response, err ? SSH_RESPONSE_FAILURE : SSH_RESPONSE_SUCCESS); return ret_err; @@ -2241,7 +2234,7 @@ gpg_error_t err; err = ssh_unlock (); - ret_err = es_write_byte (response, + ret_err = stream_write_byte (response, err ? SSH_RESPONSE_FAILURE : SSH_RESPONSE_SUCCESS); return ret_err; @@ -2278,7 +2271,7 @@ client -wk */ /* Retrieve request. */ - err = es_read_string (stream_sock, 1, &request_data, &request_data_size); + err = stream_read_string (stream_sock, 1, &request_data, &request_data_size); if (err) goto out; @@ -2301,7 +2294,7 @@ err = gpg_error_from_errno (errno); goto out; } - err = es_write_data (request, request_data, request_data_size); + err = stream_write_data (request, request_data, request_data_size); if (err) goto out; es_rewind (request); @@ -2313,7 +2306,7 @@ goto out; } - err = es_read_byte (request, &request_type); + err = stream_read_byte (request, &request_type); if (err) { send_err = 1; @@ -2350,14 +2343,14 @@ goto out; } - err = es_write_uint32 (stream_sock, response_size); + err = stream_write_uint32 (stream_sock, response_size); if (err) { send_err = 1; goto out; } - err = es_copy (stream_sock, response); + err = stream_copy (stream_sock, response); if (err) goto out; 
@@ -2373,10 +2366,10 @@ if (send_err) { - err = es_write_uint32 (stream_sock, 1); + err = stream_write_uint32 (stream_sock, 1); if (err) goto leave; - err = es_write_byte (stream_sock, SSH_RESPONSE_FAILURE); + err = stream_write_byte (stream_sock, SSH_RESPONSE_FAILURE); if (err) goto leave; } From cvs at cvs.gnupg.org Mon Feb 14 21:33:54 2005 From: cvs at cvs.gnupg.org (cvs user mo) Date: Mon Feb 14 21:33:57 2005 Subject: GNUPG-1-9-BRANCH gnupg/agent (ChangeLog command-ssh.c gpg-agent.c) Message-ID: Date: Monday, February 14, 2005 @ 21:44:22 Author: mo Path: /cvs/gnupg/gnupg/agent Tag: GNUPG-1-9-BRANCH Modified: ChangeLog command-ssh.c gpg-agent.c 2005-02-14 Moritz Schulte * command-ssh.c (uint32_construct): New macro ... (stream_read_uint32): ... use it; removed unnecessary cast. ---------------+ ChangeLog | 2 ++ command-ssh.c | 29 ++++++++++++----------------- gpg-agent.c | 2 +- 3 files changed, 15 insertions(+), 18 deletions(-) Index: gnupg/agent/ChangeLog diff -u gnupg/agent/ChangeLog:1.59.2.62 gnupg/agent/ChangeLog:1.59.2.63 --- gnupg/agent/ChangeLog:1.59.2.62 Mon Feb 14 21:07:01 2005 +++ gnupg/agent/ChangeLog Mon Feb 14 21:44:22 2005 @@ -32,6 +32,8 @@ changed code to use asprintf for description. (stream_write_uint32): Do not filter out the last byte of shift expression. + (uint32_construct): New macro ... + (stream_read_uint32): ... use it; removed unnecessary cast. 2005-02-03 Werner Koch Index: gnupg/agent/command-ssh.c diff -u gnupg/agent/command-ssh.c:1.1.4.6 gnupg/agent/command-ssh.c:1.1.4.7 --- gnupg/agent/command-ssh.c:1.1.4.6 Mon Feb 14 21:07:01 2005 +++ gnupg/agent/command-ssh.c Mon Feb 14 21:44:22 2005 @@ -63,7 +63,14 @@ #define SSH_DSA_SIGNATURE_ELEMS 2 #define SPEC_FLAG_USE_PKCS1V2 (1 << 0) + + +/* Macros. */ +/* Return a new uint32 with b0 being the most significant byte and b3 + being the least significant byte. */ +#define uint32_construct(b0, b1, b2, b3) \ + ((b0 << 24) | (b1 << 16) | (b2 << 8) | b3) 
@@ -283,18 +290,7 @@ { u32 n; - /* FIXME: For what is the cast good for? The proper way of - wrinting it - assuming an unsigned buffer - is: - - n = (buffer[0]<< 24)|(buffer[0]<< 16)|(buffer[0]<<8)|(buffer[0]); - - -wk - */ - n = (0 - | ((u32) (buffer[0] << 24)) - | ((u32) (buffer[1] << 16)) - | ((u32) (buffer[2] << 8)) - | ((u32) (buffer[3] << 0))); + n = uint32_construct (buffer[0], buffer[1], buffer[2], buffer[3]); *uint32 = n; err = 0; } @@ -311,11 +307,10 @@ gpg_error_t err; int ret; - /* Fixme: The 0xFF mask is superfluous. */ - buffer[0] = (uint32 >> 24) & 0xFF; - buffer[1] = (uint32 >> 16) & 0xFF; - buffer[2] = (uint32 >> 8) & 0xFF; - buffer[3] = (uint32 >> 0) & 0xFF; + buffer[0] = uint32 >> 24; + buffer[1] = uint32 >> 16; + buffer[2] = uint32 >> 8; + buffer[3] = uint32 >> 0; ret = es_write (stream, buffer, sizeof (buffer), NULL); if (ret) Index: gnupg/agent/gpg-agent.c diff -u gnupg/agent/gpg-agent.c:1.31.2.32 gnupg/agent/gpg-agent.c:1.31.2.33 --- gnupg/agent/gpg-agent.c:1.31.2.32 Thu Feb 3 18:40:02 2005 +++ gnupg/agent/gpg-agent.c Mon Feb 14 21:44:22 2005 @@ -1168,7 +1168,7 @@ agent_exit (2); } - + serv_addr = malloc (sizeof (*serv_addr)); /* FIXME. */ memset (serv_addr, 0, sizeof *serv_addr); serv_addr->sun_family = AF_UNIX; assert (strlen (name) + 1 < sizeof (serv_addr->sun_path)); From cvs at cvs.gnupg.org Mon Feb 14 23:22:35 2005 From: cvs at cvs.gnupg.org (cvs user stefan) Date: Mon Feb 14 23:22:42 2005 Subject: gnupgjava (build.properties build.xml) Message-ID: Date: Monday, February 14, 2005 @ 23:22:35 Author: stefan Path: /cvs/gnupg/gnupgjava Modified: build.properties build.xml Minor changes in how to execute crypto operations and build files ------------------+ build.properties | 4 ++-- build.xml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) From cvs at cvs.gnupg.org Mon Feb 14 23:22:35 2005 
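Review bot: The 2005-02-14 ChangeLog entry added in gnupg/agent/ChangeLog (hunk @@ -1,3 +1,38 @@ of the command-ssh.c 1.1.4.6 commit) does not match the code in two places. It records es_read_byte as renamed to stream_es_read_byte, but the function introduced in command-ssh.c is stream_read_byte. It also lists "(stream_write_uint32): Do not filter out the last byte of shift expression", while the stream_write_uint32 hunk in that diff only renames the function and adds a comment; the 0xFF masks are removed in the following 1.1.4.7 commit. Correct the name, and record the mask change with the commit that actually makes it.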
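Review bot: In ssh_identity_register (command-ssh.c 1.1.4.6, hunk @@ -2000,23 +2001,15 @@) the asprintf failure path leaves description with undefined contents and then jumps to out, where the cleanup hunk (@@ -2041,7 +2034,7 @@) calls free (description) unconditionally. Set description = NULL inside the if (ret < 0) branch, and make sure it is initialised to NULL before the earlier goto out statements, so the cleanup never frees an indeterminate pointer. asprintf is also not documented to set errno on failure, so mapping errno there can produce a stale code; returning an explicit out-of-memory error is safer. The "FIXME: verify xfree vs free" can be settled in the comment itself: asprintf returns malloc memory, so free is the matching call.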
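Review bot: The uint32_construct macro (command-ssh.c 1.1.4.7, hunk @@ -63,7 +63,14 @@) shifts its arguments without parenthesising or widening them. stream_read_uint32 passes elements of an unsigned char buffer, which promote to int, so with a 32-bit int b0 << 24 for b0 >= 0x80 overflows a signed value and is undefined behaviour; an expression argument such as a | b would also bind wrongly against <<. Suggest (((u32)(b0) << 24) | ((u32)(b1) << 16) | ((u32)(b2) << 8) | (u32)(b3)), which also makes the result type u32 regardless of what the caller passes.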
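Review bot: The line added in gpg-agent.c (hunk @@ -1168,7 +1168,7 @@) passes the malloc result straight to memset with no NULL check, so an allocation failure becomes a NULL pointer write during socket setup. Test serv_addr before the memset and leave through the same kind of error exit the preceding context uses (agent_exit (2)). The bare "FIXME." should say what is still to be fixed, for example who owns and frees serv_addr.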
From: cvs at cvs.gnupg.org (cvs user stefan) Date: Mon Feb 14 23:22:49 2005 Subject: gnupgjava/src/c (GNUmakefile GnuPGContext.c) Message-ID: Date: Monday, February 14, 2005 @ 23:22:35 Author: stefan Path: /cvs/gnupg/gnupgjava/src/c Modified: GNUmakefile GnuPGContext.c Minor changes in how to execute crypto operations and build files ----------------+ GNUmakefile | 7 --- GnuPGContext.c | 120 +++++++++++++++++++++++++++++++------------------------ 2 files changed, 70 insertions(+), 57 deletions(-) From cvs at cvs.gnupg.org Tue Feb 15 11:52:07 2005 From: cvs at cvs.gnupg.org (cvs user wk) Date: Tue Feb 15 11:52:13 2005 Subject: gnupg (9 files) Message-ID: Date: Tuesday, February 15, 2005 @ 12:02:32 Author: wk Path: /cvs/gnupg/gnupg Modified: NEWS doc/ChangeLog doc/gpg.sgml g10/ChangeLog g10/card-util.c g10/keyedit.c g10/keygen.c g10/misc.c g10/passphrase.c * gpg.sgml: Add bkuptocard command for --edit-key. * passphrase.c (agent_get_passphrase): Don't call free_public_key if PK is NULL. (passphrase_clear_cache): Ditto. Removed debug output. (passphrase_to_dek): Ditto. ------------------+ NEWS | 3 + doc/ChangeLog | 4 + doc/gpg.sgml | 14 ++++- g10/ChangeLog | 17 ++++++ g10/card-util.c | 7 +- g10/keyedit.c | 146 +++++++++++++++++++++++++++++++++++++++++++---------- g10/keygen.c | 5 + g10/misc.c | 46 +++++++++++++++- g10/passphrase.c | 21 ++++--- 9 files changed, 222 insertions(+), 41 deletions(-) Index: gnupg/NEWS diff -u gnupg/NEWS:1.233 gnupg/NEWS:1.234 --- gnupg/NEWS:1.233 Fri Feb 11 18:46:15 2005 +++ gnupg/NEWS Tue Feb 15 12:02:32 2005 
@@ -47,6 +47,9 @@ that directory must be stored in the registry at the same key as above with the name "Install Directory". + * Add new --edit-key command "bkuptocard" to allow restoring a + card key from a backup. + Noteworthy changes in version 1.4.0 (2004-12-16) ------------------------------------------------ Index: gnupg/doc/ChangeLog diff -u gnupg/doc/ChangeLog:1.94 gnupg/doc/ChangeLog:1.95 --- gnupg/doc/ChangeLog:1.94 Sat Feb 5 20:52:02 2005 +++ gnupg/doc/ChangeLog Tue Feb 15 12:02:31 2005 @@ -1,3 +1,7 @@ +2005-02-15 Werner Koch + + * gpg.sgml: Add bkuptocard command for --edit-key. + 2005-02-05 David Shaw * gpg.sgml: Note that level 0 signatures are always accepted Index: gnupg/doc/gpg.sgml diff -u gnupg/doc/gpg.sgml:1.79 gnupg/doc/gpg.sgml:1.80 --- gnupg/doc/gpg.sgml:1.79 Sat Feb 5 20:52:02 2005 +++ gnupg/doc/gpg.sgml Tue Feb 15 12:02:31 2005 @@ -1,6 +1,6 @@