From cvs at cvs.gnupg.org Thu Jun 8 02:43:50 2006 From: cvs at cvs.gnupg.org (svn author marcus) Date: Thu Jun 8 02:08:49 2006 Subject: [svn] ksba - r242 - trunk/src Message-ID: Author: marcus Date: 2006-06-08 02:43:48 +0200 (Thu, 08 Jun 2006) New Revision: 242 Modified: trunk/src/ChangeLog trunk/src/cert.c Log: 2006-06-08 Marcus Brinkmann * cert.c (ksba_cert_get_crl_dist_point): Fix type of R_REASON. (parse_distribution_point): Fix type of REASON. Modified: trunk/src/ChangeLog =================================================================== --- trunk/src/ChangeLog 2006-05-16 10:20:39 UTC (rev 241) +++ trunk/src/ChangeLog 2006-06-08 00:43:48 UTC (rev 242) @@ -1,3 +1,8 @@ +2006-06-08 Marcus Brinkmann + + * cert.c (ksba_cert_get_crl_dist_point): Fix type of R_REASON. + (parse_distribution_point): Fix type of REASON. + 2006-05-11 Werner Koch * ber-decoder.c (decoder_next): Print error description returned Modified: trunk/src/cert.c =================================================================== --- trunk/src/cert.c 2006-05-16 10:20:39 UTC (rev 241) +++ trunk/src/cert.c 2006-06-08 00:43:48 UTC (rev 242) @@ -1464,7 +1464,7 @@ static gpg_error_t parse_distribution_point (const unsigned char *der, size_t derlen, ksba_name_t *distpoint, ksba_name_t *issuer, - unsigned int *reason) + ksba_crl_reason_t *reason) { gpg_error_t err; struct tag_info ti; @@ -1623,7 +1623,7 @@ ksba_cert_get_crl_dist_point (ksba_cert_t cert, int idx, ksba_name_t *r_distpoint, ksba_name_t *r_issuer, - unsigned int *r_reason) + ksba_crl_reason_t *r_reason) { gpg_error_t err; const char *oid; From cvs at cvs.gnupg.org Thu Jun 8 13:47:56 2006 From: cvs at cvs.gnupg.org (svn author marcus) Date: Thu Jun 8 13:13:00 2006 Subject: [svn] dirmngr - r225 - trunk Message-ID: Author: marcus Date: 2006-06-08 13:47:56 +0200 (Thu, 08 Jun 2006) New Revision: 225 Modified: trunk/ChangeLog trunk/configure.ac Log: 2006-06-08 Marcus Brinkmann * configure.ac (PTH_LIBS): Add --all to pth-config invocation. Modified: trunk/ChangeLog =================================================================== --- trunk/ChangeLog 2006-05-16 10:38:37 UTC (rev 224) +++ trunk/ChangeLog 2006-06-08 11:47:56 UTC (rev 225) @@ -1,3 +1,7 @@ +2006-06-08 Marcus Brinkmann + + * configure.ac (PTH_LIBS): Add --all to pth-config invocation. + 2006-05-16 Werner Koch Released 0.9.4. Modified: trunk/configure.ac =================================================================== --- trunk/configure.ac 2006-05-16 10:38:37 UTC (rev 224) +++ trunk/configure.ac 2006-06-08 11:47:56 UTC (rev 225) @@ -200,7 +200,7 @@ if test $have_pth = yes; then PTH_CFLAGS=`$PTH_CONFIG --cflags` PTH_LIBS=`$PTH_CONFIG --ldflags` - PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs`" + PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs --all`" AC_DEFINE(USE_GNU_PTH, 1, [Defined if the GNU Portable Thread Library should be used]) fi From cvs at cvs.gnupg.org Thu Jun 8 13:49:39 2006 From: cvs at cvs.gnupg.org (svn author marcus) Date: Thu Jun 8 13:14:33 2006 Subject: [svn] gcry - r1155 - trunk Message-ID: Author: marcus Date: 2006-06-08 13:49:38 +0200 (Thu, 08 Jun 2006) New Revision: 1155 Modified: trunk/ChangeLog trunk/configure.ac Log: 2006-06-08 Marcus Brinkmann * configure.ac (PTH_LIBS): Add --all to pth-config invocation. Modified: trunk/ChangeLog =================================================================== --- trunk/ChangeLog 2006-04-28 13:38:40 UTC (rev 1154) +++ trunk/ChangeLog 2006-06-08 11:49:38 UTC (rev 1155) @@ -1,3 +1,7 @@ +2006-06-08 Marcus Brinkmann + + * configure.ac (PTH_LIBS): Add --all to pth-config invocation. + 2006-03-14 Werner Koch * configure.ac: Check for fctnl and ftruncate. Modified: trunk/configure.ac =================================================================== --- trunk/configure.ac 2006-04-28 13:38:40 UTC (rev 1154) +++ trunk/configure.ac 2006-06-08 11:49:38 UTC (rev 1155) @@ -469,7 +469,7 @@ if test $have_pth = yes; then PTH_CFLAGS=`$PTH_CONFIG --cflags` PTH_LIBS=`$PTH_CONFIG --ldflags` - PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs`" + PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs --all`" AC_DEFINE(USE_GNU_PTH, 1, [Defined if the GNU Portable Thread Library should be used]) AC_DEFINE(HAVE_PTH, 1, From cvs at cvs.gnupg.org Thu Jun 8 13:57:18 2006 From: cvs at cvs.gnupg.org (svn author marcus) Date: Thu Jun 8 13:22:15 2006 Subject: [svn] GnuPG - r4152 - branches/GNUPG-1-9-BRANCH Message-ID: Author: marcus Date: 2006-06-08 13:57:18 +0200 (Thu, 08 Jun 2006) New Revision: 4152 Modified: branches/GNUPG-1-9-BRANCH/ChangeLog branches/GNUPG-1-9-BRANCH/configure.ac Log: 2006-06-08 Marcus Brinkmann * configure.ac (PTH_LIBS): Add --all to pth-config invocation. Modified: branches/GNUPG-1-9-BRANCH/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/ChangeLog 2006-05-27 02:07:05 UTC (rev 4151) +++ branches/GNUPG-1-9-BRANCH/ChangeLog 2006-06-08 11:57:18 UTC (rev 4152) @@ -1,3 +1,7 @@ +2006-06-08 Marcus Brinkmann + + * configure.ac (PTH_LIBS): Add --all to pth-config invocation. + 2006-05-24 Werner Koch * configure.ac: New option --disable-optimization taked from 1.4.3. Modified: branches/GNUPG-1-9-BRANCH/configure.ac =================================================================== --- branches/GNUPG-1-9-BRANCH/configure.ac 2006-05-27 02:07:05 UTC (rev 4151) +++ branches/GNUPG-1-9-BRANCH/configure.ac 2006-06-08 11:57:18 UTC (rev 4152) @@ -576,7 +576,7 @@ if test $have_pth = yes; then PTH_CFLAGS=`$PTH_CONFIG --cflags` PTH_LIBS=`$PTH_CONFIG --ldflags` - PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs`" + PTH_LIBS="$PTH_LIBS `$PTH_CONFIG --libs --all`" AC_DEFINE(USE_GNU_PTH, 1, [Defined if the GNU Portable Thread Library should be used]) AC_DEFINE(HAVE_PTH, 1, From cvs at cvs.gnupg.org Thu Jun 8 14:17:39 2006 From: cvs at cvs.gnupg.org (svn author marcus) Date: Thu Jun 8 13:42:34 2006 Subject: [svn] GnuPG - r4153 - branches/GNUPG-1-9-BRANCH/tests Message-ID: Author: marcus Date: 2006-06-08 14:17:38 +0200 (Thu, 08 Jun 2006) New Revision: 4153 Modified: branches/GNUPG-1-9-BRANCH/tests/ChangeLog branches/GNUPG-1-9-BRANCH/tests/asschk.c Log: 2006-06-08 Marcus Brinkmann * asschk.c (__func__) [__STDC_VERSION__ < 199901L && __GNUC__ >= 2]: Define macro to __FUNCTION__. (die): Use __func__ instead of __FUNCTION__. Modified: branches/GNUPG-1-9-BRANCH/tests/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/tests/ChangeLog 2006-06-08 11:57:18 UTC (rev 4152) +++ branches/GNUPG-1-9-BRANCH/tests/ChangeLog 2006-06-08 12:17:38 UTC (rev 4153) @@ -1,3 +1,9 @@ +2006-06-08 Marcus Brinkmann + + * asschk.c (__func__) [__STDC_VERSION__ < 199901L && __GNUC__ >= 2]: + Define macro to __FUNCTION__. + (die): Use __func__ instead of __FUNCTION__. + 2005-10-07 Marcus Brinkmann * Makefile.am (TESTS_ENVIRONMENT): Remove LD_LIBRARY_PATH hack. Modified: branches/GNUPG-1-9-BRANCH/tests/asschk.c =================================================================== --- branches/GNUPG-1-9-BRANCH/tests/asschk.c 2006-06-08 11:57:18 UTC (rev 4152) +++ branches/GNUPG-1-9-BRANCH/tests/asschk.c 2006-06-08 12:17:38 UTC (rev 4153) @@ -116,6 +116,18 @@ # define ATTR_PRINTF(f,a) #endif +#if __STDC_VERSION__ < 199901L +# if __GNUC__ >= 2 +# define __func__ __FUNCTION__ +# else +/* Let's try our luck here. Some systems may provide __func__ without + providing __STDC_VERSION__ 199901L. */ +# if 0 +# define __func__ "" +# endif +# endif +#endif + #define spacep(p) (*(p) == ' ' || *(p) == '\t') #define MAX_LINELEN 2048 @@ -188,7 +200,7 @@ exit (1); } -#define die(format, args...) (die) ("%s: " format, __FUNCTION__ , ##args) +#define die(format, args...) (die) ("%s: " format, __func__ , ##args) static void err (const char *format, ...) From cvs at cvs.gnupg.org Fri Jun 9 00:07:27 2006 From: cvs at cvs.gnupg.org (svn author marcus) Date: Thu Jun 8 23:32:28 2006 Subject: [svn] gpgme - r1171 - trunk/m4 Message-ID: Author: marcus Date: 2006-06-09 00:07:27 +0200 (Fri, 09 Jun 2006) New Revision: 1171 Modified: trunk/m4/ChangeLog trunk/m4/pth.m4 Log: 2006-06-08 Marcus Brinkmann * pth.m4: Add --all to pth-config invocation. Modified: trunk/m4/ChangeLog =================================================================== --- trunk/m4/ChangeLog 2006-03-06 10:33:57 UTC (rev 1170) +++ trunk/m4/ChangeLog 2006-06-08 22:07:27 UTC (rev 1171) @@ -1,3 +1,7 @@ +2006-06-08 Marcus Brinkmann + + * pth.m4: Add --all to pth-config invocation. + 2006-02-22 Marcus Brinkmann * pth.m4: Fix code generation (required for Max OS X). Modified: trunk/m4/pth.m4 =================================================================== --- trunk/m4/pth.m4 2006-03-06 10:33:57 UTC (rev 1170) +++ trunk/m4/pth.m4 2006-06-08 22:07:27 UTC (rev 1171) @@ -121,7 +121,7 @@ _pth_cppflags=`pth-config --cflags` _pth_cflags=`pth-config --cflags` _pth_ldflags=`pth-config --ldflags` - _pth_libs=`pth-config --libs` + _pth_libs=`pth-config --libs --all` fi elif test -d "$with_pth"; then with_pth=`echo $with_pth | sed -e 's;/*$;;'` @@ -162,7 +162,7 @@ _pth_cppflags=`$_dir/pth-config --cflags` _pth_cflags=`$_dir/pth-config --cflags` _pth_ldflags=`$_dir/pth-config --ldflags` - _pth_libs=`$_dir/pth-config --libs` + _pth_libs=`$_dir/pth-config --libs --all` _pth_found=yes break fi From cvs at cvs.gnupg.org Fri Jun 9 12:23:36 2006 From: cvs at cvs.gnupg.org (svn author marcus) Date: Fri Jun 9 11:48:30 2006 Subject: [svn] GnuPG - r4154 - in branches/GNUPG-1-9-BRANCH: agent scd Message-ID: Author: marcus Date: 2006-06-09 12:23:30 +0200 (Fri, 09 Jun 2006) New Revision: 4154 Modified: branches/GNUPG-1-9-BRANCH/agent/ChangeLog branches/GNUPG-1-9-BRANCH/agent/Makefile.am branches/GNUPG-1-9-BRANCH/scd/ChangeLog branches/GNUPG-1-9-BRANCH/scd/Makefile.am Log: agent/ 2006-06-09 Marcus Brinkmann * Makefile.am (gpg_agent_LDADD): Add $(NETLIBS). scd/ 2006-06-09 Marcus Brinkmann * Makefile.am (scdaemon_LDADD): Add $(NETLIBS). Modified: branches/GNUPG-1-9-BRANCH/agent/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/agent/ChangeLog 2006-06-08 12:17:38 UTC (rev 4153) +++ branches/GNUPG-1-9-BRANCH/agent/ChangeLog 2006-06-09 10:23:30 UTC (rev 4154) @@ -1,3 +1,7 @@ +2006-06-09 Marcus Brinkmann + + * Makefile.am (gpg_agent_LDADD): Add $(NETLIBS). + 2006-04-09 Moritz Schulte * command-ssh.c (ssh_request_process): Removed FIXME mentioning a Modified: branches/GNUPG-1-9-BRANCH/agent/Makefile.am =================================================================== --- branches/GNUPG-1-9-BRANCH/agent/Makefile.am 2006-06-08 12:17:38 UTC (rev 4153) +++ branches/GNUPG-1-9-BRANCH/agent/Makefile.am 2006-06-09 10:23:30 UTC (rev 4154) @@ -47,7 +47,7 @@ gpg_agent_LDADD = ../jnlib/libjnlib.a ../common/libcommon.a ../gl/libgnu.a \ $(LIBGCRYPT_LIBS) $(PTH_LIBS) $(LIBASSUAN_LIBS) \ - -lgpg-error @LIBINTL@ + -lgpg-error @LIBINTL@ $(NETLIBS) gpg_protect_tool_SOURCES = \ protect-tool.c \ Modified: branches/GNUPG-1-9-BRANCH/scd/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/scd/ChangeLog 2006-06-08 12:17:38 UTC (rev 4153) +++ branches/GNUPG-1-9-BRANCH/scd/ChangeLog 2006-06-09 10:23:30 UTC (rev 4154) @@ -1,3 +1,7 @@ +2006-06-09 Marcus Brinkmann + + * Makefile.am (scdaemon_LDADD): Add $(NETLIBS). + 2006-04-14 Marcus Brinkmann * app.c (select_application): Cover up a slot mismatch error in Modified: branches/GNUPG-1-9-BRANCH/scd/Makefile.am =================================================================== --- branches/GNUPG-1-9-BRANCH/scd/Makefile.am 2006-06-08 12:17:38 UTC (rev 4153) +++ branches/GNUPG-1-9-BRANCH/scd/Makefile.am 2006-06-09 10:23:30 UTC (rev 4154) @@ -45,7 +45,7 @@ scdaemon_LDADD = ../jnlib/libjnlib.a ../common/libcommon.a ../gl/libgnu.a \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(PTH_LIBS) $(LIBASSUAN_LIBS) \ - $(LIBUSB_LIBS) -lgpg-error $(LIBINTL) $(DL_LIBS) + $(LIBUSB_LIBS) -lgpg-error $(LIBINTL) $(DL_LIBS) $(NETLIBS) # Removed for now: We need to decide whether it makes sense to # continue it at all, given that gpg has now all required From cvs at cvs.gnupg.org Fri Jun 9 12:28:27 2006 From: cvs at cvs.gnupg.org (svn author marcus) Date: Fri Jun 9 11:53:17 2006 Subject: [svn] GnuPG - r4155 - branches/GNUPG-1-9-BRANCH/agent Message-ID: Author: marcus Date: 2006-06-09 12:28:26 +0200 (Fri, 09 Jun 2006) New Revision: 4155 Modified: branches/GNUPG-1-9-BRANCH/agent/ChangeLog branches/GNUPG-1-9-BRANCH/agent/Makefile.am Log: 2006-06-09 Marcus Brinkmann * Makefile.am (gpg_agent_LDADD): Add $(NETLIBS). (gpg_protect_tool_LDADD): Likewise. (gpg_preset_passphrase_LDADD): Likewise. Modified: branches/GNUPG-1-9-BRANCH/agent/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/agent/ChangeLog 2006-06-09 10:23:30 UTC (rev 4154) +++ branches/GNUPG-1-9-BRANCH/agent/ChangeLog 2006-06-09 10:28:26 UTC (rev 4155) @@ -1,6 +1,8 @@ 2006-06-09 Marcus Brinkmann * Makefile.am (gpg_agent_LDADD): Add $(NETLIBS). + (gpg_protect_tool_LDADD): Likewise. + (gpg_preset_passphrase_LDADD): Likewise. 2006-04-09 Moritz Schulte Modified: branches/GNUPG-1-9-BRANCH/agent/Makefile.am =================================================================== --- branches/GNUPG-1-9-BRANCH/agent/Makefile.am 2006-06-09 10:23:30 UTC (rev 4154) +++ branches/GNUPG-1-9-BRANCH/agent/Makefile.am 2006-06-09 10:28:26 UTC (rev 4155) @@ -54,9 +54,10 @@ protect.c \ minip12.c minip12.h +# Needs $(NETLIBS) for libsimple-pwquery.la. gpg_protect_tool_LDADD = ../common/libsimple-pwquery.a \ ../jnlib/libjnlib.a ../common/libcommon.a ../gl/libgnu.a \ - $(LIBGCRYPT_LIBS) -lgpg-error @LIBINTL@ + $(LIBGCRYPT_LIBS) -lgpg-error @LIBINTL@ $(NETLIBS) if HAVE_W32_SYSTEM gpg_protect_tool_LDADD += -lwsock32 endif @@ -64,9 +65,10 @@ gpg_preset_passphrase_SOURCES = \ preset-passphrase.c +# Needs $(NETLIBS) for libsimple-pwquery.la. gpg_preset_passphrase_LDADD = ../common/libsimple-pwquery.a \ ../jnlib/libjnlib.a ../common/libcommon.a ../gl/libgnu.a \ - $(LIBGCRYPT_LIBS) -lgpg-error @LIBINTL@ + $(LIBGCRYPT_LIBS) -lgpg-error @LIBINTL@ $(NETLIBS) if HAVE_W32_SYSTEM gpg_preset_passphrase_LDADD += -lwsock32 endif From cvs at cvs.gnupg.org Fri Jun 9 13:32:22 2006 From: cvs at cvs.gnupg.org (svn author marcus) Date: Fri Jun 9 12:57:18 2006 Subject: [svn] GnuPG - r4156 - branches/GNUPG-1-9-BRANCH/tools Message-ID: Author: marcus Date: 2006-06-09 13:32:22 +0200 (Fri, 09 Jun 2006) New Revision: 4156 Modified: branches/GNUPG-1-9-BRANCH/tools/ChangeLog branches/GNUPG-1-9-BRANCH/tools/Makefile.am Log: 2006-06-09 Marcus Brinkmann * Makefile.am (gpgconf_LDADD): Add $(GPG_ERROR_LIBS). (gpgkey2ssh_LDADD): Add ../jnlib/libjnlib.a. Modified: branches/GNUPG-1-9-BRANCH/tools/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/tools/ChangeLog 2006-06-09 10:28:26 UTC (rev 4155) +++ branches/GNUPG-1-9-BRANCH/tools/ChangeLog 2006-06-09 11:32:22 UTC (rev 4156) @@ -1,3 +1,8 @@ +2006-06-09 Marcus Brinkmann + + * Makefile.am (gpgconf_LDADD): Add $(GPG_ERROR_LIBS). + (gpgkey2ssh_LDADD): Add ../jnlib/libjnlib.a. + 2006-05-23 Werner Koch * gpgparsemail.c: Include config.h if available Modified: branches/GNUPG-1-9-BRANCH/tools/Makefile.am =================================================================== --- branches/GNUPG-1-9-BRANCH/tools/Makefile.am 2006-06-09 10:28:26 UTC (rev 4155) +++ branches/GNUPG-1-9-BRANCH/tools/Makefile.am 2006-06-09 11:32:22 UTC (rev 4156) @@ -42,8 +42,10 @@ gpgconf_SOURCES = gpgconf.c gpgconf.h gpgconf-comp.c no-libgcrypt.c -gpgconf_LDADD = ../jnlib/libjnlib.a \ - ../common/libcommon.a ../gl/libgnu.a @LIBINTL@ +# jnlib/common sucks in gpg-error, will they, nil they (some compilers +# do not eliminate the supposed-to-be-unused-inline-functions). +gpgconf_LDADD = ../jnlib/libjnlib.a ../common/libcommon.a \ + ../gl/libgnu.a @LIBINTL@ $(GPG_ERROR_LIBS) gpgparsemail_SOURCES = gpgparsemail.c rfc822parse.c rfc822parse.h gpgparsemail_LDADD = @@ -64,5 +66,7 @@ gpgkey2ssh_SOURCES = gpgkey2ssh.c gpgkey2ssh_CFLAGS = $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS) -gpgkey2ssh_LDADD = ../common/libcommon.a ../gl/libgnu.a \ +# common sucks in jnlib, via use of BUG() in an inline function, which +# some compilers do not eliminate. +gpgkey2ssh_LDADD = ../jnlib/libjnlib.a ../common/libcommon.a ../gl/libgnu.a \ $(LIBGCRYPT_LIBS) $(GPG_ERROR_LIBS) From cvs at cvs.gnupg.org Fri Jun 9 21:45:21 2006 From: cvs at cvs.gnupg.org (svn author dshaw) Date: Fri Jun 9 21:10:08 2006 Subject: [svn] GnuPG - r4157 - trunk/g10 Message-ID: Author: dshaw Date: 2006-06-09 21:45:19 +0200 (Fri, 09 Jun 2006) New Revision: 4157 Modified: trunk/g10/ChangeLog trunk/g10/parse-packet.c Log: * parse-packet.c (parse_user_id): Cap the user ID size at 2048 bytes. This prevents a memory allocation attack with a very large user ID. A very large packet length could even cause the allocation (a u32) to wrap around to a small number. Noted by Evgeny Legerov on full-disclosure. Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-09 11:32:22 UTC (rev 4156) +++ trunk/g10/ChangeLog 2006-06-09 19:45:19 UTC (rev 4157) @@ -1,3 +1,11 @@ +2006-06-09 David Shaw + + * parse-packet.c (parse_user_id): Cap the user ID size at 2048 + bytes. This prevents a memory allocation attack with a very large + user ID. A very large packet length could even cause the + allocation (a u32) to wrap around to a small number. Noted by + Evgeny Legerov on full-disclosure. + 2006-05-25 David Shaw * keygen.c (gen_dsa): Allow generating DSA2 keys Modified: trunk/g10/parse-packet.c =================================================================== --- trunk/g10/parse-packet.c 2006-06-09 11:32:22 UTC (rev 4156) +++ trunk/g10/parse-packet.c 2006-06-09 19:45:19 UTC (rev 4157) @@ -1982,6 +1982,20 @@ { byte *p; + /* Cap the size of a user ID at 2k: a value absurdly large enough + that there is no sane user ID string (which is printable text + as of RFC2440bis) that won't fit in it, but yet small enough to + avoid allocation problems. A large pktlen may not be + allocatable, and a very large pktlen could actually cause our + allocation to wrap around in xmalloc to a small number. */ + + if(pktlen>2048) + { + log_error("packet(%d) too large\n", pkttype); + iobuf_skip_rest(inp, pktlen, 0); + return G10ERR_INVALID_PACKET; + } + packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + pktlen); packet->pkt.user_id->len = pktlen; packet->pkt.user_id->ref=1; From cvs at cvs.gnupg.org Sat Jun 10 06:11:07 2006 From: cvs at cvs.gnupg.org (svn author dshaw) Date: Sat Jun 10 05:35:57 2006 Subject: [svn] GnuPG - r4158 - trunk/g10 Message-ID: Author: dshaw Date: 2006-06-10 06:11:05 +0200 (Sat, 10 Jun 2006) New Revision: 4158 Modified: trunk/g10/ChangeLog trunk/g10/keygen.c Log: * keygen.c (gen_card_key): Add optional argument to return a pointer (not a copy) of the stub secret key for the secret key we just generated on the card. (generate_card_subkeypair): Use it here so that the signing key on the card can use the card to generate the 0x19 backsig on the primary key. Noted by Janko Heilgeist and Jonas Oberg. Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-09 19:45:19 UTC (rev 4157) +++ trunk/g10/ChangeLog 2006-06-10 04:11:05 UTC (rev 4158) @@ -1,5 +1,12 @@ 2006-06-09 David Shaw + * keygen.c (gen_card_key): Add optional argument to return a + pointer (not a copy) of the stub secret key for the secret key we + just generated on the card. + (generate_card_subkeypair): Use it here so that the signing key on + the card can use the card to generate the 0x19 backsig on the + primary key. Noted by Janko Heilgeist and Jonas Oberg. + * parse-packet.c (parse_user_id): Cap the user ID size at 2048 bytes. This prevents a memory allocation attack with a very large user ID. A very large packet length could even cause the Modified: trunk/g10/keygen.c =================================================================== --- trunk/g10/keygen.c 2006-06-09 19:45:19 UTC (rev 4157) +++ trunk/g10/keygen.c 2006-06-10 04:11:05 UTC (rev 4158) @@ -122,6 +122,7 @@ static int write_keyblock( IOBUF out, KBNODE node ); static int gen_card_key (int algo, int keyno, int is_primary, KBNODE pub_root, KBNODE sec_root, + PKT_secret_key **ret_sk, u32 expireval, struct para_data_s *para); static int gen_card_key_with_backup (int algo, int keyno, int is_primary, KBNODE pub_root, KBNODE sec_root, @@ -937,7 +938,6 @@ return rc; } -/* sub_sk is currently unused (reserved for backsigs) */ static int write_keybinding( KBNODE root, KBNODE pub_root, PKT_secret_key *pri_sk, PKT_secret_key *sub_sk, @@ -2908,7 +2908,7 @@ } else { - rc = gen_card_key (PUBKEY_ALGO_RSA, 1, 1, pub_root, sec_root, + rc = gen_card_key (PUBKEY_ALGO_RSA, 1, 1, pub_root, sec_root, NULL, get_parameter_u32 (para, pKEYEXPIRE), para); if (!rc) { @@ -2944,7 +2944,7 @@ if (!rc && card && get_parameter (para, pAUTHKEYTYPE)) { - rc = gen_card_key (PUBKEY_ALGO_RSA, 3, 0, pub_root, sec_root, + rc = gen_card_key (PUBKEY_ALGO_RSA, 3, 0, pub_root, sec_root, NULL, get_parameter_u32 (para, pKEYEXPIRE), para); if (!rc) @@ -2980,6 +2980,7 @@ } else rc = gen_card_key (PUBKEY_ALGO_RSA, 2, 0, pub_root, sec_root, + NULL, get_parameter_u32 (para, pKEYEXPIRE), para); } @@ -3238,7 +3239,7 @@ { int okay=0, rc=0; KBNODE node; - PKT_secret_key *pri_sk = NULL; + PKT_secret_key *pri_sk = NULL, *sub_sk; int algo; unsigned int use; u32 expire; @@ -3318,11 +3319,12 @@ if (passphrase) set_next_passphrase (passphrase); - rc = gen_card_key (algo, keyno, 0, pub_keyblock, sec_keyblock, expire, para); + rc = gen_card_key (algo, keyno, 0, pub_keyblock, sec_keyblock, + &sub_sk, expire, para); if (!rc) - rc = write_keybinding (pub_keyblock, pub_keyblock, pri_sk, NULL, use); + rc = write_keybinding (pub_keyblock, pub_keyblock, pri_sk, sub_sk, use); if (!rc) - rc = write_keybinding (sec_keyblock, pub_keyblock, pri_sk, NULL, use); + rc = write_keybinding (sec_keyblock, pub_keyblock, pri_sk, sub_sk, use); if (!rc) { okay = 1; @@ -3369,7 +3371,7 @@ static int gen_card_key (int algo, int keyno, int is_primary, - KBNODE pub_root, KBNODE sec_root, + KBNODE pub_root, KBNODE sec_root, PKT_secret_key **ret_sk, u32 expireval, struct para_data_s *para) { #ifdef ENABLE_CARD_SUPPORT @@ -3430,6 +3432,9 @@ sk->protect.iv[sk->protect.ivlen] = xtoi_2 (s); } + if( ret_sk ) + *ret_sk = sk; + pkt = xcalloc (1,sizeof *pkt); pkt->pkttype = is_primary ? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY; pkt->pkt.public_key = pk; From cvs at cvs.gnupg.org Mon Jun 12 14:05:41 2006 From: cvs at cvs.gnupg.org (svn author dshaw) Date: Mon Jun 12 13:30:18 2006 Subject: [svn] GnuPG - r4159 - trunk/g10 Message-ID: Author: dshaw Date: 2006-06-12 14:05:34 +0200 (Mon, 12 Jun 2006) New Revision: 4159 Modified: trunk/g10/ChangeLog trunk/g10/import.c Log: * import.c (import_one): Add a flag (from_sk) so we don't check prefs on an autoconverted public key. The check should only happen on the sk size. Noted by Dirk Traulsen. Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-10 04:11:05 UTC (rev 4158) +++ trunk/g10/ChangeLog 2006-06-12 12:05:34 UTC (rev 4159) @@ -1,3 +1,9 @@ +2006-06-12 David Shaw + + * import.c (import_one): Add a flag (from_sk) so we don't check + prefs on an autoconverted public key. The check should only + happen on the sk size. Noted by Dirk Traulsen. + 2006-06-09 David Shaw * keygen.c (gen_card_key): Add optional argument to return a Modified: trunk/g10/import.c =================================================================== --- trunk/g10/import.c 2006-06-10 04:11:05 UTC (rev 4158) +++ trunk/g10/import.c 2006-06-12 12:05:34 UTC (rev 4159) @@ -66,7 +66,7 @@ static void revocation_present(KBNODE keyblock); static int import_one(const char *fname, KBNODE keyblock,struct stats_s *stats, unsigned char **fpr,size_t *fpr_len, - unsigned int options); + unsigned int options,int from_sk); static int import_secret_one( const char *fname, KBNODE keyblock, struct stats_s *stats, unsigned int options); static int import_revoke_cert( const char *fname, KBNODE node, @@ -256,7 +256,7 @@ while( !(rc = read_block( inp, &pending_pkt, &keyblock) )) { if( keyblock->pkt->pkttype == PKT_PUBLIC_KEY ) - rc = import_one( fname, keyblock, stats, fpr, fpr_len, options ); + rc = import_one( fname, keyblock, stats, fpr, fpr_len, options, 0); else if( keyblock->pkt->pkttype == PKT_SECRET_KEY ) rc = import_secret_one( fname, keyblock, stats, options ); else if( keyblock->pkt->pkttype == PKT_SIGNATURE @@ -677,7 +677,8 @@ */ static int import_one( const char *fname, KBNODE keyblock, struct stats_s *stats, - unsigned char **fpr,size_t *fpr_len,unsigned int options ) + unsigned char **fpr,size_t *fpr_len,unsigned int options, + int from_sk ) { PKT_public_key *pk; PKT_public_key *pk_orig; @@ -973,7 +974,7 @@ if(mod_key) { revocation_present(keyblock_orig); - if(seckey_available(keyid)==0) + if(!from_sk && seckey_available(keyid)==0) check_prefs(keyblock_orig); } else if(new_key) @@ -997,7 +998,7 @@ } revocation_present(keyblock); - if(seckey_available(keyid)==0) + if(!from_sk && seckey_available(keyid)==0) check_prefs(keyblock); } @@ -1169,7 +1170,7 @@ if(pub_keyblock) { import_one(fname,pub_keyblock,stats, - NULL,NULL,opt.import_options); + NULL,NULL,opt.import_options,1); release_kbnode(pub_keyblock); } } From cvs at cvs.gnupg.org Wed Jun 14 08:26:26 2006 From: cvs at cvs.gnupg.org (svn author twoaday) Date: Wed Jun 14 07:50:47 2006 Subject: [svn] GPGol - r154 - trunk/src Message-ID: Author: twoaday Date: 2006-06-14 08:26:25 +0200 (Wed, 14 Jun 2006) New Revision: 154 Modified: trunk/src/ChangeLog trunk/src/gpgol-rsrcs.rc Log: See ChangeLog. Modified: trunk/src/ChangeLog =================================================================== --- trunk/src/ChangeLog 2006-05-22 17:47:58 UTC (rev 153) +++ trunk/src/ChangeLog 2006-06-14 06:26:25 UTC (rev 154) @@ -1,3 +1,8 @@ +2006-06-14 Timo Schulz + + * gpgol-rscs.rc (IDD_OPT): The English version of the dialog + has no log file item. Add it. + 2006-05-22 Timo Schulz * verify-dialog.c (load_sigbox): A sigsum of 0 also indicates Modified: trunk/src/gpgol-rsrcs.rc =================================================================== --- trunk/src/gpgol-rsrcs.rc 2006-05-22 17:47:58 UTC (rev 153) +++ trunk/src/gpgol-rsrcs.rc 2006-06-14 06:26:25 UTC (rev 154) @@ -227,9 +227,13 @@ CAPTION "Configuration Dialog" FONT 8, "MS Sans Serif" BEGIN - LTEXT "Path to key-manager binary",IDC_STATIC,2,72,87,8 + LTEXT "Path to key-manager binary",IDC_STATIC,2,20,122,8 EDITTEXT IDC_OPT_KEYMAN,2,81,144,12,ES_AUTOHSCROLL PUSHBUTTON "...",IDC_OPT_SELKEYMAN,148,80,11,14 + + LTEXT "Debug output (for analysing problems)", IDC_STATIC, 2,50,122,8 + EDITTEXT IDC_DEBUG_LOGFILE,2,60,144,12,ES_AUTOHSCROLL + DEFPUSHBUTTON "&OK",IDOK,112,101,50,14 END From cvs at cvs.gnupg.org Wed Jun 14 17:49:15 2006 From: cvs at cvs.gnupg.org (svn author twoaday) Date: Wed Jun 14 17:13:42 2006 Subject: [svn] GPGol - r155 - trunk/src Message-ID: Author: twoaday Date: 2006-06-14 17:49:15 +0200 (Wed, 14 Jun 2006) New Revision: 155 Modified: trunk/src/passphrase-dialog.c Log: Modified: trunk/src/passphrase-dialog.c =================================================================== --- trunk/src/passphrase-dialog.c 2006-06-14 06:26:25 UTC (rev 154) +++ trunk/src/passphrase-dialog.c 2006-06-14 15:49:15 UTC (rev 155) @@ -176,7 +176,6 @@ const char* get_pubkey_algo_str (gpgme_pubkey_algo_t alg) { - switch (alg) { case GPGME_PK_RSA: @@ -185,14 +184,12 @@ return "RSA"; case GPGME_PK_ELG_E: + case GPGME_PK_ELG: return "ELG"; case GPGME_PK_DSA: return "DSA"; - case GPGME_PK_ELG: - return "ELG"; - default: break; } From cvs at cvs.gnupg.org Wed Jun 14 17:53:11 2006 From: cvs at cvs.gnupg.org (cvs user sneumann) Date: Wed Jun 14 19:55:49 2006 Subject: gnupgjava (build.properties build.xml) Message-ID: Date: Wednesday, June 14, 2006 @ 17:53:11 Author: sneumann Path: /cvs/gnupg/gnupgjava Modified: build.properties build.xml added new features ------------------+ build.properties | 2 +- build.xml | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) From cvs at cvs.gnupg.org Wed Jun 14 17:53:12 2006 From: cvs at cvs.gnupg.org (cvs user sneumann) Date: Wed Jun 14 19:55:55 2006 Subject: gnupgjava/src/java/com/freiheit/gnupg (GnuPGContext.java) Message-ID: Date: Wednesday, June 14, 2006 @ 17:53:12 Author: sneumann Path: /cvs/gnupg/gnupgjava/src/java/com/freiheit/gnupg Modified: GnuPGContext.java added new features -------------------+ GnuPGContext.java | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 files changed, 63 insertions(+), 2 deletions(-) From cvs at cvs.gnupg.org Wed Jun 14 17:53:12 2006 From: cvs at cvs.gnupg.org (cvs user sneumann) Date: Wed Jun 14 19:56:06 2006 Subject: gnupgjava/src/junit/com/freiheit/gnupg (1 file) Message-ID: Date: Wednesday, June 14, 2006 @ 17:53:12 Author: sneumann Path: /cvs/gnupg/gnupgjava/src/junit/com/freiheit/gnupg Modified: GnuPGTestSuite.java added new features ---------------------+ GnuPGTestSuite.java | 77 +++++++++++++++++++++++++++++++++++++++++++++++++- 1 files changed, 76 insertions(+), 1 deletion(-) From cvs at cvs.gnupg.org Wed Jun 14 17:53:11 2006 From: cvs at cvs.gnupg.org (cvs user sneumann) Date: Wed Jun 14 19:56:14 2006 Subject: gnupgjava/src/c (4 files) Message-ID: Date: Wednesday, June 14, 2006 @ 17:53:11 Author: sneumann Path: /cvs/gnupg/gnupgjava/src/c Modified: GNUmakefile GnuPGContext.c com_freiheit_gnupg_GnuPGContext.h gpgmeutils.h added new features -----------------------------------+ GNUmakefile | 2 GnuPGContext.c | 117 +++++++++++++++++++++++++++++++++++- com_freiheit_gnupg_GnuPGContext.h | 40 ++++++++++++ gpgmeutils.h | 25 +++++++ 4 files changed, 182 insertions(+), 2 deletions(-) From cvs at cvs.gnupg.org Wed Jun 14 17:56:17 2006 From: cvs at cvs.gnupg.org (cvs user sneumann) Date: Wed Jun 14 19:56:23 2006 Subject: gnupgjava/src/java/com/freiheit/gnupg (1 file) Message-ID: Date: Wednesday, June 14, 2006 @ 17:56:17 Author: sneumann Path: /cvs/gnupg/gnupgjava/src/java/com/freiheit/gnupg Added: GnuPGGenkeyResult.java added source for generating Keys ------------------------+ GnuPGGenkeyResult.java | 77 +++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 77 insertions(+) From cvs at cvs.gnupg.org Fri Jun 16 13:49:27 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Fri Jun 16 13:13:34 2006 Subject: [svn] GnuPG - r4160 - branches/GNUPG-1-9-BRANCH/common Message-ID: Author: wk Date: 2006-06-16 13:49:27 +0200 (Fri, 16 Jun 2006) New Revision: 4160 Added: branches/GNUPG-1-9-BRANCH/common/dns-cert.c branches/GNUPG-1-9-BRANCH/common/dns-cert.h Log: Added missing files Added: branches/GNUPG-1-9-BRANCH/common/dns-cert.c =================================================================== --- branches/GNUPG-1-9-BRANCH/common/dns-cert.c 2006-06-12 12:05:34 UTC (rev 4159) +++ branches/GNUPG-1-9-BRANCH/common/dns-cert.c 2006-06-16 11:49:27 UTC (rev 4160) @@ -0,0 +1,246 @@ +/* dns-cert.c - DNS CERT code + * Copyright (C) 2005, 2006 Free Software Foundation, Inc. + * + * This file is part of GNUPG. + * + * GNUPG is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * GNUPG is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. + */ + +#include +#include +#ifdef USE_DNS_CERT +# ifdef HAVE_W32_SYSTEM +# include +# else +# include +# include +# include +# endif +#include +#endif + +#include "util.h" +#include "iobuf.h" +#include "dns-cert.h" + +/* Not every installation has gotten around to supporting CERTs + yet... */ +#ifndef T_CERT +#define T_CERT 37 +#endif + + +/* Returns -1 on error, 0 for no answer, 1 for PGP provided and 2 for + IPGP provided. */ +int +get_dns_cert (const char *name,size_t max_size,IOBUF *iobuf, + unsigned char **fpr,size_t *fpr_len,char **url) +{ +#ifdef USE_DNS_CERT + unsigned char *answer; + int r,ret=-1; + u16 count; + + if(fpr) + *fpr=NULL; + + if(url) + *url=NULL; + + answer=xmalloc(max_size); + + r=res_query(name,C_IN,T_CERT,answer,max_size); + /* Not too big, not too small, no errors and at least 1 answer. */ + if(r>=sizeof(HEADER) && r<=max_size + && (((HEADER *)answer)->rcode)==NOERROR + && (count=ntohs(((HEADER *)answer)->ancount))) + { + int rc; + unsigned char *pt,*emsg; + + emsg=&answer[r]; + + pt=&answer[sizeof(HEADER)]; + + /* Skip over the query */ + + rc=dn_skipname(pt,emsg); + if(rc==-1) + goto fail; + + pt+=rc+QFIXEDSZ; + + /* There are several possible response types for a CERT request. + We're interested in the PGP (a key) and IPGP (a URI) types. + Skip all others. TODO: A key is better than a URI since + we've gone through all this bother to fetch it, so favor that + if we have both PGP and IPGP? */ + + while(count-->0 && pt=pt[0]+1 + && fpr && fpr_len && url) + { + /* IPGP type */ + *fpr_len=pt[0]; + + if(*fpr_len) + { + *fpr=xmalloc(*fpr_len); + memcpy(*fpr,&pt[1],*fpr_len); + } + else + *fpr=NULL; + + if(dlen>*fpr_len+1) + { + *url=xmalloc(dlen-(*fpr_len+1)+1); + memcpy(*url,&pt[*fpr_len+1],dlen-(*fpr_len+1)); + (*url)[dlen-(*fpr_len+1)]='\0'; + } + else + *url=NULL; + + ret=2; + break; + } + + /* Neither type matches, so go around to the next answer. */ + pt+=dlen; + } + } + + fail: + xfree(answer); + + return ret; +#else /* !USE_DNS_CERT */ + return -1; +#endif +} + + + +/* Test with simon.josefsson.org */ + +#ifdef TEST +int +main(int argc,char *argv[]) +{ + unsigned char *fpr; + size_t fpr_len; + char *url; + int rc; + IOBUF iobuf; + + if(argc!=2) + { + printf("cert-test [name]\n"); + return 1; + } + + printf("CERT lookup on %s\n",argv[1]); + + rc=get_dns_cert (argv[1],16384,&iobuf,&fpr,&fpr_len,&url); + if(rc==-1) + printf("error\n"); + else if(rc==0) + printf("no answer\n"); + else if(rc==1) + { + printf("key found: %d bytes\n",(int)iobuf_get_temp_length(iobuf)); + iobuf_close(iobuf); + } + else if(rc==2) + { + if(fpr) + { + size_t i; + printf("Fingerprint found (%d bytes): ",(int)fpr_len); + for(i=0;i Author: wk Date: 2006-06-19 10:25:08 +0200 (Mon, 19 Jun 2006) New Revision: 243 Modified: trunk/NEWS trunk/src/ChangeLog trunk/src/ber-decoder.c Log: Fixed BER parser Modified: trunk/NEWS =================================================================== --- trunk/NEWS 2006-06-08 00:43:48 UTC (rev 242) +++ trunk/NEWS 2006-06-19 08:25:08 UTC (rev 243) @@ -1,7 +1,9 @@ Noteworthy changes in version 0.9.15 ------------------------------------------------- + * Fixed BER parser which was broken in the last release. + Noteworthy changes in version 0.9.14 (2006-05-16) ------------------------------------------------- Modified: trunk/src/ChangeLog =================================================================== --- trunk/src/ChangeLog 2006-06-08 00:43:48 UTC (rev 242) +++ trunk/src/ChangeLog 2006-06-19 08:25:08 UTC (rev 243) @@ -1,3 +1,10 @@ +2006-06-19 Werner Koch + + * ber-decoder.c (_ksba_ber_decoder_decode): always store value + even if NODE is NULL. It used to work only because NODE used to + be unitialized and thus most of the time yielded true. The + 2006-05-03 fix unveiled the actual problem. + 2006-06-08 Marcus Brinkmann * cert.c (ksba_cert_get_crl_dist_point): Fix type of R_REASON. Modified: trunk/src/ber-decoder.c =================================================================== --- trunk/src/ber-decoder.c 2006-06-08 00:43:48 UTC (rev 242) +++ trunk/src/ber-decoder.c 2006-06-19 08:25:08 UTC (rev 243) @@ -1,5 +1,5 @@ /* ber-decoder.c - Basic Encoding Rules Decoder - * Copyright (C) 2001, 2004 g10 Code GmbH + * Copyright (C) 2001, 2004, 2006 g10 Code GmbH * * This file is part of KSBA. * @@ -812,8 +812,8 @@ { if (!d->image.buf) { - /* we need some extra bytes to store the stuff we read ahead - at the end of the module which is later pushed back */ + /* We need some extra bytes to store the stuff we read ahead + at the end of the module which is later pushed back. */ d->image.length = ti.length + 100; d->image.used = 0; d->image.buf = xtrymalloc (d->image.length); @@ -823,6 +823,7 @@ if (ti.nhdr + d->image.used >= d->image.length) return set_error (d, NULL, "image buffer too short to store the tag"); + memcpy (d->image.buf + d->image.used, ti.buf, ti.nhdr); d->image.used += ti.nhdr; } @@ -1138,9 +1139,12 @@ int n, c; node = d->val.node; - if (node && d->use_image) + /* Fixme: USE_IMAGE is only not used with the ber-dump utility + and thus of no big use. We should remove the other code + paths and dump ber-dump.c. */ + if (d->use_image) { - if (!d->val.is_endtag) + if (node && !d->val.is_endtag) { /* We don't have nodes for the end tag - so don't store it */ node->off = (ksba_reader_tell (d->reader) - d->val.nhdr - startoff); From cvs at cvs.gnupg.org Mon Jun 19 21:39:59 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Mon Jun 19 21:03:56 2006 Subject: [svn] dirmngr - r226 - trunk/src Message-ID: Author: wk Date: 2006-06-19 21:39:58 +0200 (Mon, 19 Jun 2006) New Revision: 226 Modified: trunk/src/ChangeLog trunk/src/certcache.c trunk/src/validate.c Log: Fixed stupid error. Modified: trunk/src/ChangeLog =================================================================== --- trunk/src/ChangeLog 2006-06-08 11:47:56 UTC (rev 225) +++ trunk/src/ChangeLog 2006-06-19 19:39:58 UTC (rev 226) @@ -1,3 +1,9 @@ +2006-06-19 Werner Koch + + * certcache.c (compare_serialno): Silly me. Using 0 as true is + that hard; tsss. Fixed call cases except for the only working one + which are both numbers of the same length. + 2006-05-15 Werner Koch * crlfetch.c (crl_fetch): Use no-shutdown flag for HTTP. This @@ -449,7 +455,7 @@ ChangeLog. - Copyright 2004, 2005 g10 Code GmbH + Copyright 2004, 2005, 2006 g10 Code GmbH This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without Modified: trunk/src/certcache.c =================================================================== --- trunk/src/certcache.c 2006-06-08 11:47:56 UTC (rev 225) +++ trunk/src/certcache.c 2006-06-19 19:39:58 UTC (rev 226) @@ -117,7 +117,7 @@ unsigned long n_a, n_b; if (!a || !b) - return (!a && !b); + return !(!a && !b); n_a = strtoul (a+1, (char**)&endp, 10); a = endp; @@ -126,10 +126,10 @@ if (*a != ':' || *b != ':') { log_debug ("invalid S-exp in compare_serialno\n"); - return 0; + return 1; } if (n_a != n_b) - return 0; + return 1; a++; b++; Modified: trunk/src/validate.c =================================================================== --- trunk/src/validate.c 2006-06-08 11:47:56 UTC (rev 225) +++ trunk/src/validate.c 2006-06-19 19:39:58 UTC (rev 226) @@ -360,7 +360,7 @@ } } - /* Do we have any critical extesnions in the certificate we + /* Do we have any critical extensions in the certificate we can't handle? */ err = unknown_criticals (subject_cert); if (err) From cvs at cvs.gnupg.org Tue Jun 20 09:21:08 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 20 08:44:58 2006 Subject: [svn] ksba - r244 - in trunk: . doc src tests Message-ID: Author: wk Date: 2006-06-20 09:21:05 +0200 (Tue, 20 Jun 2006) New Revision: 244 Modified: trunk/AUTHORS trunk/Makefile.am trunk/compile trunk/configure.ac trunk/doc/Makefile.am trunk/src/CertificateExample.c trunk/src/Makefile.am trunk/src/asn1-func.c trunk/src/asn1-func.h trunk/src/asn1-func2.c trunk/src/asn1-gentables.c trunk/src/asn1-parse.h trunk/src/asn1-parse.y trunk/src/ber-decoder.c trunk/src/ber-decoder.h trunk/src/ber-dump.c trunk/src/ber-help.c trunk/src/ber-help.h trunk/src/cert-get.c trunk/src/cert.c trunk/src/cert.h trunk/src/certreq.c trunk/src/certreq.h trunk/src/cms-parser.c trunk/src/cms.asn trunk/src/cms.c trunk/src/cms.h trunk/src/convert.h trunk/src/crl.c trunk/src/crl.h trunk/src/der-encoder.c trunk/src/der-encoder.h trunk/src/dn.c trunk/src/keyinfo.c trunk/src/keyinfo.h trunk/src/ksba.h trunk/src/libksba.vers trunk/src/mkerrors trunk/src/name.c trunk/src/ocsp.c trunk/src/ocsp.h trunk/src/oid.c trunk/src/reader.c trunk/src/reader.h trunk/src/sexp-parse.h trunk/src/shared.h trunk/src/time.c trunk/src/tmttv2.asn trunk/src/util.c trunk/src/util.h trunk/src/version.c trunk/src/writer.c trunk/src/writer.h trunk/tests/Makefile.am trunk/tests/cert-basic.c trunk/tests/sha1.c trunk/tests/t-cms-parser.c trunk/tests/t-common.h trunk/tests/t-crl-parser.c trunk/tests/t-dnparser.c trunk/tests/t-ocsp.c Log: Changed FSF's address in the top comments. Modified: trunk/AUTHORS =================================================================== --- trunk/AUTHORS 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/AUTHORS 2006-06-20 07:21:05 UTC (rev 244) @@ -1,4 +1,9 @@ +Program: Libksba +Maintainer: Werner Koch +Bug reports: +Security related bug reports: + g10 Code GmbH Design and most stuff. Modified: trunk/Makefile.am =================================================================== --- trunk/Makefile.am 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/Makefile.am 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. ## Process this file with automake to produce Makefile.in Modified: trunk/compile =================================================================== --- trunk/compile 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/compile 2006-06-20 07:21:05 UTC (rev 244) @@ -18,7 +18,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA.. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a Modified: trunk/configure.ac =================================================================== --- trunk/configure.ac 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/configure.ac 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. # Process this file with autoconf to produce a configure script. AC_PREREQ(2.57) Modified: trunk/doc/Makefile.am =================================================================== --- trunk/doc/Makefile.am 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/doc/Makefile.am 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. ## Process this file with automake to produce Makefile.in Modified: trunk/src/CertificateExample.c =================================================================== --- trunk/src/CertificateExample.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/CertificateExample.c 2006-06-20 07:21:05 UTC (rev 244) @@ -16,7 +16,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ Modified: trunk/src/Makefile.am =================================================================== --- trunk/src/Makefile.am 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/Makefile.am 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. ## Process this file with automake to produce Makefile.in Modified: trunk/src/asn1-func.c =================================================================== --- trunk/src/asn1-func.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/asn1-func.c 2006-06-20 07:21:05 UTC (rev 244) @@ -16,7 +16,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/asn1-func.h =================================================================== --- trunk/src/asn1-func.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/asn1-func.h 2006-06-20 07:21:05 UTC (rev 244) @@ -16,7 +16,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef ASN1_FUNC_H Modified: trunk/src/asn1-func2.c =================================================================== --- trunk/src/asn1-func2.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/asn1-func2.c 2006-06-20 07:21:05 UTC (rev 244) @@ -16,7 +16,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ /* Modified: trunk/src/asn1-gentables.c =================================================================== --- trunk/src/asn1-gentables.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/asn1-gentables.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/asn1-parse.h =================================================================== --- trunk/src/asn1-parse.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/asn1-parse.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef ASN1_PARSE_H Modified: trunk/src/asn1-parse.y =================================================================== --- trunk/src/asn1-parse.y 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/asn1-parse.y 2006-06-20 07:21:05 UTC (rev 244) @@ -16,7 +16,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ Modified: trunk/src/ber-decoder.c =================================================================== --- trunk/src/ber-decoder.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/ber-decoder.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/ber-decoder.h =================================================================== --- trunk/src/ber-decoder.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/ber-decoder.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef BER_DECODER_H Modified: trunk/src/ber-dump.c =================================================================== --- trunk/src/ber-dump.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/ber-dump.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/ber-help.c =================================================================== --- trunk/src/ber-help.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/ber-help.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/ber-help.h =================================================================== --- trunk/src/ber-help.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/ber-help.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef BER_HELP_H Modified: trunk/src/cert-get.c =================================================================== --- trunk/src/cert-get.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/cert-get.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/cert.c =================================================================== --- trunk/src/cert.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/cert.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/cert.h =================================================================== --- trunk/src/cert.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/cert.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef CERT_H Modified: trunk/src/certreq.c =================================================================== --- trunk/src/certreq.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/certreq.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/certreq.h =================================================================== --- trunk/src/certreq.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/certreq.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef CERTREQ_H Modified: trunk/src/cms-parser.c =================================================================== --- trunk/src/cms-parser.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/cms-parser.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ /* Modified: trunk/src/cms.asn =================================================================== --- trunk/src/cms.asn 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/cms.asn 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ -- -- You should have received a copy of the GNU General Public License -- along with this program; if not, write to the Free Software --- Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA +-- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +-- USA. -- ----------------------------------------------------------------------- -- This module is based on the one given in appendix A of RFC2630 which Modified: trunk/src/cms.c =================================================================== --- trunk/src/cms.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/cms.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/cms.h =================================================================== --- trunk/src/cms.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/cms.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef CMS_H Modified: trunk/src/convert.h =================================================================== --- trunk/src/convert.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/convert.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef CONVERT_H Modified: trunk/src/crl.c =================================================================== --- trunk/src/crl.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/crl.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/crl.h =================================================================== --- trunk/src/crl.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/crl.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef CRL_H Modified: trunk/src/der-encoder.c =================================================================== --- trunk/src/der-encoder.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/der-encoder.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/der-encoder.h =================================================================== --- trunk/src/der-encoder.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/der-encoder.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef DER_ENCODER_H Modified: trunk/src/dn.c =================================================================== --- trunk/src/dn.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/dn.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ /* Reference is RFC-2253 */ Modified: trunk/src/keyinfo.c =================================================================== --- trunk/src/keyinfo.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/keyinfo.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ /* Instead of using the ASN parser - which is easily possible - we use Modified: trunk/src/keyinfo.h =================================================================== --- trunk/src/keyinfo.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/keyinfo.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef KEYINFO_H Modified: trunk/src/ksba.h =================================================================== --- trunk/src/ksba.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/ksba.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef KSBA_H Modified: trunk/src/libksba.vers =================================================================== --- trunk/src/libksba.vers 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/libksba.vers 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. KSBA_0.9 { global: Modified: trunk/src/mkerrors =================================================================== --- trunk/src/mkerrors 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/mkerrors 2006-06-20 07:21:05 UTC (rev 244) @@ -17,7 +17,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. cat < Modified: trunk/src/ocsp.c =================================================================== --- trunk/src/ocsp.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/ocsp.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/ocsp.h =================================================================== --- trunk/src/ocsp.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/ocsp.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef OCSP_H Modified: trunk/src/oid.c =================================================================== --- trunk/src/oid.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/oid.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/reader.c =================================================================== --- trunk/src/reader.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/reader.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/reader.h =================================================================== --- trunk/src/reader.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/reader.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef READER_H Modified: trunk/src/sexp-parse.h =================================================================== --- trunk/src/sexp-parse.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/sexp-parse.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef SEXP_PARSE_H Modified: trunk/src/shared.h =================================================================== --- trunk/src/shared.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/shared.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef SHARED_H Modified: trunk/src/time.c =================================================================== --- trunk/src/time.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/time.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/tmttv2.asn =================================================================== --- trunk/src/tmttv2.asn 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/tmttv2.asn 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ -- -- You should have received a copy of the GNU General Public License -- along with this program; if not, write to the Free Software --- Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA +-- Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +-- USA. -- Modified: trunk/src/util.c =================================================================== --- trunk/src/util.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/util.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/util.h =================================================================== --- trunk/src/util.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/util.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef UTIL_H Modified: trunk/src/version.c =================================================================== --- trunk/src/version.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/version.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/writer.c =================================================================== --- trunk/src/writer.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/writer.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/src/writer.h =================================================================== --- trunk/src/writer.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/src/writer.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #ifndef WRITER_H Modified: trunk/tests/Makefile.am =================================================================== --- trunk/tests/Makefile.am 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/tests/Makefile.am 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. ## Process this file with automake to produce Makefile.in Modified: trunk/tests/cert-basic.c =================================================================== --- trunk/tests/cert-basic.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/tests/cert-basic.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/tests/sha1.c =================================================================== --- trunk/tests/sha1.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/tests/sha1.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU Lesser General Public * License along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ Modified: trunk/tests/t-cms-parser.c =================================================================== --- trunk/tests/t-cms-parser.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/tests/t-cms-parser.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/tests/t-common.h =================================================================== --- trunk/tests/t-common.h 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/tests/t-common.h 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ /*-- sha1.c --*/ Modified: trunk/tests/t-crl-parser.c =================================================================== --- trunk/tests/t-crl-parser.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/tests/t-crl-parser.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #undef ENABLE_HASH_LOGGING Modified: trunk/tests/t-dnparser.c =================================================================== --- trunk/tests/t-dnparser.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/tests/t-dnparser.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include Modified: trunk/tests/t-ocsp.c =================================================================== --- trunk/tests/t-ocsp.c 2006-06-19 08:25:08 UTC (rev 243) +++ trunk/tests/t-ocsp.c 2006-06-20 07:21:05 UTC (rev 244) @@ -15,7 +15,8 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, + * USA. */ #include From cvs at cvs.gnupg.org Tue Jun 20 12:04:41 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 20 11:28:27 2006 Subject: [svn] ksba - r245 - trunk Message-ID: Author: wk Date: 2006-06-20 12:04:41 +0200 (Tue, 20 Jun 2006) New Revision: 245 Modified: trunk/ChangeLog trunk/NEWS trunk/TODO trunk/configure.ac Log: About to do a new release Modified: trunk/ChangeLog =================================================================== --- trunk/ChangeLog 2006-06-20 07:21:05 UTC (rev 244) +++ trunk/ChangeLog 2006-06-20 10:04:41 UTC (rev 245) @@ -1,3 +1,9 @@ +2006-06-20 Werner Koch + + Released 0.9.15. + + * configure.ac: Bumbed LT version to C15/A7/R2. + 2006-05-16 Werner Koch Released 0.9.14. Modified: trunk/NEWS =================================================================== --- trunk/NEWS 2006-06-20 07:21:05 UTC (rev 244) +++ trunk/NEWS 2006-06-20 10:04:41 UTC (rev 245) @@ -1,4 +1,4 @@ -Noteworthy changes in version 0.9.15 +Noteworthy changes in version 0.9.15 (2006-06-20) ------------------------------------------------- * Fixed BER parser which was broken in the last release. Modified: trunk/TODO =================================================================== --- trunk/TODO 2006-06-20 07:21:05 UTC (rev 244) +++ trunk/TODO 2006-06-20 10:04:41 UTC (rev 245) @@ -53,7 +53,3 @@ * src/ocsp.c ** Implement nonce checking. - I have not yet found a server accepting and returning a nonce - created by libksba. Any hints are welcome; openvalidation.org does - not work, ocsp.d-trust.net does not accept requests with - nonces. europki returns only a general plain text HTML message. Modified: trunk/configure.ac =================================================================== --- trunk/configure.ac 2006-06-20 07:21:05 UTC (rev 244) +++ trunk/configure.ac 2006-06-20 10:04:41 UTC (rev 245) @@ -1,5 +1,5 @@ # configure.ac - for libksba -# Copyright (C) 2001, 2002, 2003, 2004, 2005 g10 Code GmbH +# Copyright (C) 2001, 2002, 2003, 2004, 2005, 2006 g10 Code GmbH # # This file is part of KSBA # @@ -24,7 +24,7 @@ # Version number: Remember to change immediately *after* a release. # Append a "-cvs" for non-released versions. -AC_INIT(libksba, 0.9.15-cvs, gpa-dev@gnupg.org) +AC_INIT(libksba, 0.9.15, gpa-dev@gnupg.org) # LT Version numbers: Remember to change them just *before* a release. # (Interfaces removed: CURRENT++, AGE=0, REVISION=0) # (Interfaces added: CURRENT++, AGE++, REVISION=0) @@ -32,7 +32,7 @@ # Please remember to document interface changes in the NEWS file. LIBKSBA_LT_CURRENT=15 LIBKSBA_LT_AGE=7 -LIBKSBA_LT_REVISION=1 +LIBKSBA_LT_REVISION=2 #------------------- # fixme: When bouncing this to a newer version, you check whether the From cvs at cvs.gnupg.org Tue Jun 20 12:21:15 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 20 11:45:00 2006 Subject: [svn] ksba - r246 - tags Message-ID: Author: wk Date: 2006-06-20 12:21:15 +0200 (Tue, 20 Jun 2006) New Revision: 246 Added: tags/libksba-0.9.15/ Log: Tagged release Copied: tags/libksba-0.9.15 (from rev 245, trunk) From cvs at cvs.gnupg.org Tue Jun 20 17:48:10 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 20 17:11:52 2006 Subject: [svn] GnuPG - r4161 - branches/GNUPG-1-9-BRANCH/agent Message-ID: Author: wk Date: 2006-06-20 17:48:09 +0200 (Tue, 20 Jun 2006) New Revision: 4161 Modified: branches/GNUPG-1-9-BRANCH/agent/ChangeLog branches/GNUPG-1-9-BRANCH/agent/minip12.c Log: Add MAC t P12 files. Modified: branches/GNUPG-1-9-BRANCH/agent/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/agent/ChangeLog 2006-06-16 11:49:27 UTC (rev 4160) +++ branches/GNUPG-1-9-BRANCH/agent/ChangeLog 2006-06-20 15:48:09 UTC (rev 4161) @@ -1,3 +1,8 @@ +2006-06-20 Werner Koch + + * minip12.c (create_final): New arg PW. Add code to calculate the + MAC. + 2006-06-09 Marcus Brinkmann * Makefile.am (gpg_agent_LDADD): Add $(NETLIBS). Modified: branches/GNUPG-1-9-BRANCH/agent/minip12.c =================================================================== --- branches/GNUPG-1-9-BRANCH/agent/minip12.c 2006-06-16 11:49:27 UTC (rev 4160) +++ branches/GNUPG-1-9-BRANCH/agent/minip12.c 2006-06-20 15:48:09 UTC (rev 4161) @@ -1,5 +1,5 @@ /* minip12.c - A minimal pkcs-12 implementation. - * Copyright (C) 2002, 2003, 2004 Free Software Foundation, Inc. + * Copyright (C) 2002, 2003, 2004, 2006 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -120,6 +120,16 @@ 0xFF, 0xFF, 0x02, 0x02, 0x08, 0x00 }; #define DATA_RC2ITER2048_SALT_OFF 18 +static unsigned char const data_mactemplate[51] = { + 0x30, 0x31, 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, + 0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, + 0x14, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0x04, 0x08, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, + 0x02, 0x08, 0x00 }; +#define DATA_MACTEMPLATE_MAC_OFF 17 +#define DATA_MACTEMPLATE_SALT_OFF 39 struct buffer_s { @@ -1200,18 +1210,28 @@ /* Create the final PKCS-12 object from the sequences contained in - SEQLIST. That array is terminated with an NULL object */ + SEQLIST. PW is the password. That array is terminated with an NULL + object. */ static unsigned char * -create_final (struct buffer_s *sequences, size_t *r_length) +create_final (struct buffer_s *sequences, const char *pw, size_t *r_length) { int i; size_t needed = 0; size_t len[8], n; + unsigned char *macstart; + size_t maclen; unsigned char *result, *p; size_t resultlen; + char salt[8]; + unsigned char keybuf[20]; + gcry_md_hd_t md; + int rc; - /* 8 steps to create the pkcs#12 Krampf. */ + /* 9 steps to create the pkcs#12 Krampf. */ + /* 8. The MAC. */ + /* We add this at step 0. */ + /* 7. All the buffers. */ for (i=0; sequences[i].buffer; i++) needed += sequences[i].length; @@ -1243,6 +1263,7 @@ needed += 3; /* 0. And the final outer sequence. */ + needed += DIM (data_mactemplate); len[0] = needed; n = compute_tag_length (needed); needed += n; @@ -1263,7 +1284,7 @@ *p++ = TAG_INTEGER; *p++ = 1; *p++ = 3; - + /* 2. Store another sequence. */ p = store_tag_length (p, TAG_SEQUENCE, len[2]); @@ -1279,6 +1300,7 @@ p = store_tag_length (p, TAG_OCTET_STRING, len[5]); /* 6. And the inner sequence. */ + macstart = p; p = store_tag_length (p, TAG_SEQUENCE, len[6]); /* 7. Append all the buffers. */ @@ -1288,6 +1310,38 @@ p += sequences[i].length; } + /* Intermezzo to compute the MAC. */ + maclen = p - macstart; + gcry_randomize (salt, 8, GCRY_STRONG_RANDOM); + if (string_to_key (3, salt, 8, 2048, pw, 20, keybuf)) + { + gcry_free (result); + return NULL; + } + rc = gcry_md_open (&md, GCRY_MD_SHA1, GCRY_MD_FLAG_HMAC); + if (rc) + { + log_error ("gcry_md_open failed: %s\n", gpg_strerror (rc)); + gcry_free (result); + return NULL; + } + rc = gcry_md_setkey (md, keybuf, 20); + if (rc) + { + log_error ("gcry_md_setkey failed: %s\n", gpg_strerror (rc)); + gcry_md_close (md); + gcry_free (result); + return NULL; + } + gcry_md_write (md, macstart, maclen); + + /* 8. Append the MAC template and fix it up. */ + memcpy (p, data_mactemplate, DIM (data_mactemplate)); + memcpy (p + DATA_MACTEMPLATE_SALT_OFF, salt, 8); + memcpy (p + DATA_MACTEMPLATE_MAC_OFF, gcry_md_read (md, 0), 20); + p += DIM (data_mactemplate); + gcry_md_close (md); + /* Ready. */ resultlen = p - result; if (needed != resultlen) @@ -1811,7 +1865,7 @@ seqlist[seqlistidx].buffer = NULL; seqlist[seqlistidx].length = 0; - buffer = create_final (seqlist, &buflen); + buffer = create_final (seqlist, pw, &buflen); failure: for ( ; seqlistidx; seqlistidx--) From cvs at cvs.gnupg.org Tue Jun 20 19:47:12 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 20 19:10:56 2006 Subject: [svn] GnuPG - r4163 - in branches/GNUPG-1-9-BRANCH: doc po Message-ID: Author: wk Date: 2006-06-20 19:47:10 +0200 (Tue, 20 Jun 2006) New Revision: 4163 Added: branches/GNUPG-1-9-BRANCH/doc/gnupg-badge-openpgp.pdf Modified: branches/GNUPG-1-9-BRANCH/doc/Makefile.am branches/GNUPG-1-9-BRANCH/doc/debugging.texi branches/GNUPG-1-9-BRANCH/doc/gnupg.texi branches/GNUPG-1-9-BRANCH/doc/gpg-agent.texi branches/GNUPG-1-9-BRANCH/doc/scdaemon.texi branches/GNUPG-1-9-BRANCH/po/de.po Log: Made make distcheck work again Modified: branches/GNUPG-1-9-BRANCH/doc/Makefile.am =================================================================== --- branches/GNUPG-1-9-BRANCH/doc/Makefile.am 2006-06-20 17:21:37 UTC (rev 4162) +++ branches/GNUPG-1-9-BRANCH/doc/Makefile.am 2006-06-20 17:47:10 UTC (rev 4163) @@ -20,9 +20,12 @@ ## Process this file with automake to produce Makefile.in EXTRA_DIST = gnupg-badge-openpgp.eps gnupg-badge-openpgp.jpg \ - gnupg-card-architecture.eps gnupg-card-architecture.png + gnupg-badge-openpgp.pdf \ + gnupg-card-architecture.eps gnupg-card-architecture.png \ + gnupg-card-architecture.pdf -BUILT_SOURCES = gnupg-card-architecture.eps gnupg-card-architecture.png +BUILT_SOURCES = gnupg-card-architecture.eps gnupg-card-architecture.png \ + gnupg-card-architecture.pdf info_TEXINFOS = gnupg.texi Modified: branches/GNUPG-1-9-BRANCH/doc/debugging.texi =================================================================== --- branches/GNUPG-1-9-BRANCH/doc/debugging.texi 2006-06-20 17:21:37 UTC (rev 4162) +++ branches/GNUPG-1-9-BRANCH/doc/debugging.texi 2006-06-20 17:47:10 UTC (rev 4163) @@ -144,7 +144,7 @@ Here is a little picture showing how the components work together: -@image{gnupg-card-architecture, 14cm} +@image{gnupg-card-architecture, 10cm} @noindent Lets try to explain it: Added: branches/GNUPG-1-9-BRANCH/doc/gnupg-badge-openpgp.pdf =================================================================== (Binary files differ) Property changes on: branches/GNUPG-1-9-BRANCH/doc/gnupg-badge-openpgp.pdf ___________________________________________________________________ Name: svn:mime-type + application/octet-stream Modified: branches/GNUPG-1-9-BRANCH/doc/gnupg.texi =================================================================== --- branches/GNUPG-1-9-BRANCH/doc/gnupg.texi 2006-06-20 17:21:37 UTC (rev 4162) +++ branches/GNUPG-1-9-BRANCH/doc/gnupg.texi 2006-06-20 17:47:10 UTC (rev 4163) @@ -85,11 +85,11 @@ @subtitle Version @value{VERSION} @subtitle @value{UPDATED} -@sp 6 +@sp 3 @image{gnupg-badge-openpgp,8cm,,The GnuPG Logo} -@sp 6 +@sp 3 @author Werner Koch (@email{wk@@gnupg.org}) Modified: branches/GNUPG-1-9-BRANCH/doc/gpg-agent.texi =================================================================== --- branches/GNUPG-1-9-BRANCH/doc/gpg-agent.texi 2006-06-20 17:21:37 UTC (rev 4162) +++ branches/GNUPG-1-9-BRANCH/doc/gpg-agent.texi 2006-06-20 17:47:10 UTC (rev 4163) @@ -1028,5 +1028,3 @@ session. This command is useful to direct future pinentry invocations to another screen. It is only required because there is no way in the ssh-agent protocol to convey this information. - - Modified: branches/GNUPG-1-9-BRANCH/doc/scdaemon.texi =================================================================== --- branches/GNUPG-1-9-BRANCH/doc/scdaemon.texi 2006-06-20 17:21:37 UTC (rev 4162) +++ branches/GNUPG-1-9-BRANCH/doc/scdaemon.texi 2006-06-20 17:47:10 UTC (rev 4163) @@ -1,4 +1,4 @@ -g@c Copyright (C) 2002 Free Software Foundation, Inc. +@c Copyright (C) 2002 Free Software Foundation, Inc. @c This is part of the GnuPG manual. @c For copying conditions, see the file gnupg.texi. Modified: branches/GNUPG-1-9-BRANCH/po/de.po =================================================================== --- branches/GNUPG-1-9-BRANCH/po/de.po 2006-06-20 17:21:37 UTC (rev 4162) +++ branches/GNUPG-1-9-BRANCH/po/de.po 2006-06-20 17:47:10 UTC (rev 4163) @@ -10,7 +10,7 @@ msgstr "" "Project-Id-Version: gnupg2 1.9.18\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" -"POT-Creation-Date: 2005-11-28 12:14+0100\n" +"POT-Creation-Date: 2006-06-20 18:45+0200\n" "PO-Revision-Date: 2005-11-28 12:16+0100\n" "Last-Translator: Werner Koch \n" "Language-Team: de\n" @@ -18,7 +18,7 @@ "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" -#: agent/gpg-agent.c:108 agent/protect-tool.c:108 scd/scdaemon.c:100 +#: agent/gpg-agent.c:109 agent/protect-tool.c:109 scd/scdaemon.c:101 msgid "" "@Options:\n" " " @@ -26,110 +26,110 @@ "@Optionen:\n" " " -#: agent/gpg-agent.c:110 scd/scdaemon.c:102 +#: agent/gpg-agent.c:111 scd/scdaemon.c:103 msgid "run in server mode (foreground)" msgstr "Im Server Modus ausf?hren" -#: agent/gpg-agent.c:111 scd/scdaemon.c:105 +#: agent/gpg-agent.c:112 scd/scdaemon.c:106 msgid "run in daemon mode (background)" msgstr "Im Daemon Modus ausf?hren" -#: agent/gpg-agent.c:112 kbx/kbxutil.c:81 scd/scdaemon.c:106 sm/gpgsm.c:331 -#: tools/gpgconf.c:62 +#: agent/gpg-agent.c:113 kbx/kbxutil.c:82 scd/scdaemon.c:107 sm/gpgsm.c:333 +#: tools/gpgconf.c:63 msgid "verbose" msgstr "ausf?hrlich" -#: agent/gpg-agent.c:113 kbx/kbxutil.c:82 scd/scdaemon.c:107 sm/gpgsm.c:332 +#: agent/gpg-agent.c:114 kbx/kbxutil.c:83 scd/scdaemon.c:108 sm/gpgsm.c:334 msgid "be somewhat more quiet" msgstr "Etwas weniger Ausgaben erzeugen" -#: agent/gpg-agent.c:114 scd/scdaemon.c:108 +#: agent/gpg-agent.c:115 scd/scdaemon.c:109 msgid "sh-style command output" msgstr "Ausgabe f?r /bin/sh" -#: agent/gpg-agent.c:115 scd/scdaemon.c:109 +#: agent/gpg-agent.c:116 scd/scdaemon.c:110 msgid "csh-style command output" msgstr "Ausgabe f?r /bin/csh" -#: agent/gpg-agent.c:116 +#: agent/gpg-agent.c:117 msgid "|FILE|read options from FILE" msgstr "|DATEI|Konfigurationsoptionen aus DATEI lesen" -#: agent/gpg-agent.c:121 scd/scdaemon.c:118 +#: agent/gpg-agent.c:122 scd/scdaemon.c:119 msgid "do not detach from the console" msgstr "Im Vordergrund laufen lassen" -#: agent/gpg-agent.c:122 +#: agent/gpg-agent.c:123 msgid "do not grab keyboard and mouse" msgstr "Tastatur und Maus nicht \"grabben\"" -#: agent/gpg-agent.c:123 scd/scdaemon.c:119 sm/gpgsm.c:334 +#: agent/gpg-agent.c:124 scd/scdaemon.c:120 sm/gpgsm.c:336 msgid "use a log file for the server" msgstr "Logausgaben in eine Datei umlenken" -#: agent/gpg-agent.c:125 +#: agent/gpg-agent.c:126 msgid "use a standard location for the socket" msgstr "Benutze einen Standardnamen f?r den Socket" -#: agent/gpg-agent.c:129 +#: agent/gpg-agent.c:130 msgid "|PGM|use PGM as the PIN-Entry program" msgstr "|PGM|benutze PGM as PIN-Entry" -#: agent/gpg-agent.c:131 +#: agent/gpg-agent.c:132 msgid "|PGM|use PGM as the SCdaemon program" msgstr "|PGM|benutze PGM as SCdaemon" -#: agent/gpg-agent.c:132 +#: agent/gpg-agent.c:133 msgid "do not use the SCdaemon" msgstr "Den Scdaemon basierten Kartenzugriff nicht nutzen" -#: agent/gpg-agent.c:139 +#: agent/gpg-agent.c:140 msgid "ignore requests to change the TTY" msgstr "Ignoriere Anfragen, das TTY zu wechseln" -#: agent/gpg-agent.c:141 +#: agent/gpg-agent.c:142 msgid "ignore requests to change the X display" msgstr "Ignoriere Anfragen, das X-Display zu wechseln" -#: agent/gpg-agent.c:144 +#: agent/gpg-agent.c:145 msgid "|N|expire cached PINs after N seconds" msgstr "|N|lasse PINs im Cache nach N Sekunden verfallen" -#: agent/gpg-agent.c:149 +#: agent/gpg-agent.c:150 msgid "do not use the PIN cache when signing" msgstr "benutze PINs im Cache nicht bem Signieren" -#: agent/gpg-agent.c:151 +#: agent/gpg-agent.c:152 msgid "allow clients to mark keys as \"trusted\"" msgstr "erlaube Aufrufern Schl?ssel als \"vertrauensw?rdig\" zu markieren" -#: agent/gpg-agent.c:153 +#: agent/gpg-agent.c:154 msgid "allow presetting passphrase" msgstr "erlaube ein \"preset\" von Passphrases" -#: agent/gpg-agent.c:154 +#: agent/gpg-agent.c:155 msgid "enable ssh-agent emulation" msgstr "Die ssh-agent Emulation anschalten" -#: agent/gpg-agent.c:156 +#: agent/gpg-agent.c:157 msgid "|FILE|write environment settings also to FILE" msgstr "|DATEI|Schreibe die Umgebungsvariabeln auf DATEI" -#: agent/gpg-agent.c:235 agent/protect-tool.c:142 scd/scdaemon.c:185 -#: sm/gpgsm.c:507 tools/gpgconf.c:85 +#: agent/gpg-agent.c:236 agent/protect-tool.c:143 scd/scdaemon.c:188 +#: sm/gpgsm.c:513 tools/gpgconf.c:86 msgid "Please report bugs to <" msgstr "Fehlerberichte bitte an <" -#: agent/gpg-agent.c:235 agent/protect-tool.c:142 scd/scdaemon.c:185 -#: sm/gpgsm.c:507 tools/gpgconf.c:85 +#: agent/gpg-agent.c:236 agent/protect-tool.c:143 scd/scdaemon.c:188 +#: sm/gpgsm.c:513 tools/gpgconf.c:86 msgid ">.\n" msgstr ">.\n" -#: agent/gpg-agent.c:238 +#: agent/gpg-agent.c:239 msgid "Usage: gpg-agent [options] (-h for help)" msgstr "Gebrauch: gpg-agent [Optionen] (-h f?r Hilfe)" -#: agent/gpg-agent.c:240 +#: agent/gpg-agent.c:241 msgid "" "Syntax: gpg-agent [options] [command [args]]\n" "Secret key management for GnuPG\n" @@ -137,132 +137,132 @@ "Syntax: gpg-agent [Optionen] [Kommando [Argumente]]\n" "Verwaltung von geheimen Schl?ssel f?r GnuPG\n" -#: agent/gpg-agent.c:311 scd/scdaemon.c:259 sm/gpgsm.c:636 +#: agent/gpg-agent.c:312 scd/scdaemon.c:262 sm/gpgsm.c:642 #, c-format msgid "invalid debug-level `%s' given\n" msgstr "ung?ltige Debugebene `%s' angegeben\n" -#: agent/gpg-agent.c:482 agent/protect-tool.c:1072 kbx/kbxutil.c:431 -#: scd/scdaemon.c:351 sm/gpgsm.c:757 +#: agent/gpg-agent.c:483 agent/protect-tool.c:1073 kbx/kbxutil.c:432 +#: scd/scdaemon.c:354 sm/gpgsm.c:763 #, c-format msgid "libgcrypt is too old (need %s, have %s)\n" msgstr "" "Die Bibliothek \"libgcrypt\" is zu alt (ben?tigt wird %s, vorhanden ist %s)\n" -#: agent/gpg-agent.c:574 scd/scdaemon.c:426 sm/gpgsm.c:858 +#: agent/gpg-agent.c:575 scd/scdaemon.c:429 sm/gpgsm.c:864 #, c-format msgid "NOTE: no default option file `%s'\n" msgstr "Notiz: Voreingestellte Konfigurationsdatei `%s' fehlt\n" -#: agent/gpg-agent.c:579 agent/gpg-agent.c:1090 scd/scdaemon.c:431 -#: sm/gpgsm.c:862 +#: agent/gpg-agent.c:580 agent/gpg-agent.c:1091 scd/scdaemon.c:434 +#: sm/gpgsm.c:868 #, c-format msgid "option file `%s': %s\n" msgstr "Konfigurationsdatei `%s': %s\n" -#: agent/gpg-agent.c:587 scd/scdaemon.c:439 sm/gpgsm.c:869 +#: agent/gpg-agent.c:588 scd/scdaemon.c:442 sm/gpgsm.c:875 #, c-format msgid "reading options from `%s'\n" msgstr "Optionen werden aus `%s' gelesen\n" -#: agent/gpg-agent.c:884 +#: agent/gpg-agent.c:885 #, c-format msgid "error creating `%s': %s\n" msgstr "Fehler beim Erstellen von `%s': %s\n" -#: agent/gpg-agent.c:1140 agent/gpg-agent.c:1243 agent/gpg-agent.c:1247 -#: agent/gpg-agent.c:1283 agent/gpg-agent.c:1287 scd/scdaemon.c:906 +#: agent/gpg-agent.c:1141 agent/gpg-agent.c:1244 agent/gpg-agent.c:1248 +#: agent/gpg-agent.c:1284 agent/gpg-agent.c:1288 scd/scdaemon.c:909 #, c-format msgid "can't create directory `%s': %s\n" msgstr "Das Verzeichniss `%s' kann nicht erstellt werden: %s\n" -#: agent/gpg-agent.c:1154 scd/scdaemon.c:920 +#: agent/gpg-agent.c:1155 scd/scdaemon.c:923 msgid "name of socket too long\n" msgstr "Der Name des Sockets ist zu lang\n" -#: agent/gpg-agent.c:1180 scd/scdaemon.c:946 +#: agent/gpg-agent.c:1181 scd/scdaemon.c:949 #, c-format msgid "can't create socket: %s\n" msgstr "Socket kann nicht erzeugt werden: %s\n" -#: agent/gpg-agent.c:1209 scd/scdaemon.c:975 +#: agent/gpg-agent.c:1210 scd/scdaemon.c:978 #, c-format msgid "error binding socket to `%s': %s\n" msgstr "Der Socket kann nicht an `%s' gebunden werden: %s\n" -#: agent/gpg-agent.c:1217 scd/scdaemon.c:983 +#: agent/gpg-agent.c:1218 scd/scdaemon.c:986 #, c-format msgid "listen() failed: %s\n" msgstr "Der listen() Aufruf ist fehlgeschlagen: %s\n" -#: agent/gpg-agent.c:1223 scd/scdaemon.c:989 +#: agent/gpg-agent.c:1224 scd/scdaemon.c:992 #, c-format msgid "listening on socket `%s'\n" msgstr "Es wird auf Socket `%s' geh?rt\n" -#: agent/gpg-agent.c:1251 agent/gpg-agent.c:1293 +#: agent/gpg-agent.c:1252 agent/gpg-agent.c:1294 #, c-format msgid "directory `%s' created\n" msgstr "Verzeichniss `%s' wurde erstellt\n" -#: agent/gpg-agent.c:1299 +#: agent/gpg-agent.c:1300 #, c-format msgid "stat() failed for `%s': %s\n" msgstr "stat() Aufruf f?r `%s' fehlgeschlagen: %s\n" -#: agent/gpg-agent.c:1303 +#: agent/gpg-agent.c:1304 #, c-format msgid "can't use `%s' as home directory\n" msgstr "Die Datei `%s' kann nicht als Home-Verzeichniss benutzt werden\n" -#: agent/gpg-agent.c:1401 +#: agent/gpg-agent.c:1402 #, c-format msgid "handler 0x%lx for fd %d started\n" msgstr "Handhabungsroutine 0x%lx f?r fd %d gestartet\n" -#: agent/gpg-agent.c:1411 +#: agent/gpg-agent.c:1412 #, c-format msgid "handler 0x%lx for fd %d terminated\n" msgstr "Handhabungsroutine 0x%lx f?r den fd %d beendet\n" -#: agent/gpg-agent.c:1425 +#: agent/gpg-agent.c:1426 #, c-format msgid "ssh handler 0x%lx for fd %d started\n" msgstr "SSH Handhabungsroutine 0x%lx f?r fd %d gestartet\n" -#: agent/gpg-agent.c:1432 +#: agent/gpg-agent.c:1433 #, c-format msgid "ssh handler 0x%lx for fd %d terminated\n" msgstr "SSH Handhabungsroutine 0x%lx f?r fd %d beendet\n" -#: agent/gpg-agent.c:1526 scd/scdaemon.c:1105 +#: agent/gpg-agent.c:1527 scd/scdaemon.c:1108 #, c-format msgid "pth_select failed: %s - waiting 1s\n" msgstr "pth_select() Aufruf fehlgeschlagen: %s - warte 1s\n" -#: agent/gpg-agent.c:1610 scd/scdaemon.c:1162 +#: agent/gpg-agent.c:1611 scd/scdaemon.c:1165 #, c-format msgid "%s %s stopped\n" msgstr "%s %s angehalten\n" -#: agent/gpg-agent.c:1631 +#: agent/gpg-agent.c:1632 msgid "no gpg-agent running in this session\n" msgstr "Der gpg-agent l?uft nicht f?r diese Session\n" -#: agent/gpg-agent.c:1641 common/simple-pwquery.c:323 sm/call-agent.c:143 +#: agent/gpg-agent.c:1642 common/simple-pwquery.c:324 sm/call-agent.c:144 msgid "malformed GPG_AGENT_INFO environment variable\n" msgstr "Die Variable GPG_AGENT_INFO ist fehlerhaft\n" -#: agent/gpg-agent.c:1653 common/simple-pwquery.c:335 sm/call-agent.c:155 +#: agent/gpg-agent.c:1654 common/simple-pwquery.c:336 sm/call-agent.c:156 #, c-format msgid "gpg-agent protocol version %d is not supported\n" msgstr "Das gpg-agent Protocol %d wird nicht unterst?tzt\n" -#: agent/protect-tool.c:145 +#: agent/protect-tool.c:146 msgid "Usage: gpg-protect-tool [options] (-h for help)\n" msgstr "Gebrauch: gpg-protect-tool [Optionen] (-h f?r Hilfe)\n" -#: agent/protect-tool.c:147 +#: agent/protect-tool.c:148 msgid "" "Syntax: gpg-protect-tool [options] [args]]\n" "Secret key maintenance tool\n" @@ -270,16 +270,16 @@ "Syntax: gpg-protect-tool [Optionen] [Argumente]\n" "Werkzeug zum Bearbeiten von geheimen Schl?sseln\n" -#: agent/protect-tool.c:1205 +#: agent/protect-tool.c:1206 msgid "Please enter the passphrase to unprotect the PKCS#12 object." msgstr "Bitte geben Sie die Passphrase zum Entsperren des PKCS#12 Objekts ein" -#: agent/protect-tool.c:1208 +#: agent/protect-tool.c:1209 msgid "Please enter the passphrase to protect the new PKCS#12 object." msgstr "" "Bitte geben Sie die Passphrase zum Sch?tzen des neuen PKCS#12 Objekts ein" -#: agent/protect-tool.c:1211 +#: agent/protect-tool.c:1212 msgid "" "Please enter the passphrase to protect the imported object within the GnuPG " "system." @@ -287,11 +287,11 @@ "Bitte geben Sie die Passphrase ein, um das importierte Objekt im GnuPG " "System zu sch?tzen." -#: agent/protect-tool.c:1214 agent/genkey.c:110 agent/genkey.c:218 +#: agent/protect-tool.c:1215 agent/genkey.c:111 agent/genkey.c:219 msgid "Please re-enter this passphrase" msgstr "Bitte geben Sie das Mantra (Passphrase) noch einmal ein:" -#: agent/protect-tool.c:1216 +#: agent/protect-tool.c:1217 msgid "" "Please enter the passphrase or the PIN\n" "needed to complete this operation." @@ -299,56 +299,56 @@ "Die Eingabe des Mantras (Passphrase) bzw. der PIN\n" "wird ben?tigt um diese Aktion auszuf?hren." -#: agent/protect-tool.c:1220 agent/genkey.c:131 agent/genkey.c:238 +#: agent/protect-tool.c:1221 agent/genkey.c:132 agent/genkey.c:239 msgid "does not match - try again" msgstr "Keine ?bereinstimmung - bitte nochmal versuchen" -#: agent/protect-tool.c:1221 +#: agent/protect-tool.c:1222 msgid "Passphrase:" msgstr "Passphrase:" -#: agent/protect-tool.c:1234 +#: agent/protect-tool.c:1235 #, c-format msgid "error while asking for the passphrase: %s\n" msgstr "Fehler bei der Abfrage der Passphrase: %s\n" -#: agent/protect-tool.c:1237 +#: agent/protect-tool.c:1238 msgid "cancelled\n" msgstr "Vom Benutzer abgebrochen\n" -#: agent/divert-scd.c:216 +#: agent/divert-scd.c:217 msgid "Admin PIN" msgstr "Admin PIN" -#: agent/divert-scd.c:274 +#: agent/divert-scd.c:275 msgid "Repeat this PIN" msgstr "PIN bitte wiederholen" -#: agent/divert-scd.c:277 +#: agent/divert-scd.c:278 msgid "PIN not correctly repeated; try again" msgstr "PIN wurde nicht korrekt eingegeben; nochmal versuchen" -#: agent/divert-scd.c:289 +#: agent/divert-scd.c:290 #, c-format msgid "Please enter the PIN%s%s%s to unlock the card" msgstr "Bitte geben Sie die PIN%s%s%s ein um die Karte zu entsperren" -#: agent/genkey.c:108 +#: agent/genkey.c:109 #, c-format msgid "Please enter the passphrase to%0Ato protect your new key" msgstr "" "Bitte geben Sie das Mantra (Passphrase) ein%0Aum Ihren Schl?ssel zu sch?tzen" -#: agent/genkey.c:217 +#: agent/genkey.c:218 msgid "Please enter the new passphrase" msgstr "Bitte geben Sie das Mantra (Passphrase) ein:" -#: agent/query.c:192 +#: agent/query.c:193 #, c-format msgid "failed to acquire the pinentry lock: %s\n" msgstr "Die Sperre f?r das Pinentry kann nicht gesetzt werden: %s\n" -#: agent/query.c:355 +#: agent/query.c:356 msgid "" "Please enter your PIN, so that the secret key can be unlocked for this " "session" @@ -356,7 +356,7 @@ "Bitte geben Sie Ihre PIN ein, so da? der geheime Schl?ssel benutzt werden " "kann" -#: agent/query.c:358 +#: agent/query.c:359 msgid "" "Please enter your passphrase, so that the secret key can be unlocked for " "this session" @@ -364,31 +364,31 @@ "Bitte geben Sie Ihr Mantra (Passphrase) ein, so da? der geheime Schl?ssel " "benutzt werden kann" -#: agent/query.c:416 agent/query.c:428 +#: agent/query.c:417 agent/query.c:429 msgid "PIN too long" msgstr "Die PIN ist zu lang" -#: agent/query.c:417 +#: agent/query.c:418 msgid "Passphrase too long" msgstr "Das Matra (Passphrase) ist zu lang" -#: agent/query.c:425 +#: agent/query.c:426 msgid "Invalid characters in PIN" msgstr "Ung?ltige Zeichen in der PIN" -#: agent/query.c:430 +#: agent/query.c:431 msgid "PIN too short" msgstr "Die PIN ist zu kurz" -#: agent/query.c:442 +#: agent/query.c:443 msgid "Bad PIN" msgstr "Falsche PIN" -#: agent/query.c:443 +#: agent/query.c:444 msgid "Bad Passphrase" msgstr "Falsches Mantra (Passphrase)" -#: agent/query.c:483 +#: agent/query.c:484 msgid "Passphrase" msgstr "Mantra" @@ -401,7 +401,7 @@ #. second "%s" gets replaced by a hexdecimal #. fingerprint string whereas the first one receives #. the name as store in the certificate. -#: agent/trustlist.c:305 +#: agent/trustlist.c:306 #, c-format msgid "" "Please verify that the certificate identified as:%%0A \"%s\"%%0Ahas the " @@ -413,7 +413,7 @@ #. TRANSLATORS: "Correct" is the label of a button and intended to #. be hit if the fingerprint matches the one of the CA. The other #. button is "the default "Cancel" of the Pinentry. -#: agent/trustlist.c:317 +#: agent/trustlist.c:318 msgid "Correct" msgstr "Korrekt" @@ -425,7 +425,7 @@ #. plain % sign, you need to encode it as "%%25". The #. "%s" gets replaced by the name as store in the #. certificate. -#: agent/trustlist.c:334 +#: agent/trustlist.c:335 #, c-format msgid "" "Do you ultimately trust%%0A \"%s\"%%0Ato correctly certify user " @@ -434,62 +434,62 @@ "Wenn Sie vollst?ndiges Vertrauen haben, da?%%0A \"%s\"%%" "0ABenutzerzertifikate verl??lich zertifiziert, so antworten Sie mit \"Ja\"" -#: agent/trustlist.c:342 +#: agent/trustlist.c:343 msgid "Yes" msgstr "Ja" -#: agent/trustlist.c:342 +#: agent/trustlist.c:343 msgid "No" msgstr "Nein" -#: common/sysutils.c:87 +#: common/sysutils.c:88 #, c-format msgid "can't disable core dumps: %s\n" msgstr "" "Das Erstellen eines Speicherabzugs (core-dump) kann nicht verhindert werden: " "%s\n" -#: common/sysutils.c:182 +#: common/sysutils.c:183 #, c-format msgid "Warning: unsafe ownership on %s \"%s\"\n" msgstr "WARNUNG: Unsichere Besitzrechte f?r %s \"%s\"\n" -#: common/sysutils.c:214 +#: common/sysutils.c:215 #, c-format msgid "Warning: unsafe permissions on %s \"%s\"\n" msgstr "WARNUNG: Unsichere Zugriffsrechte f?r %s \"%s\"\n" -#: common/simple-pwquery.c:309 +#: common/simple-pwquery.c:310 msgid "gpg-agent is not available in this session\n" msgstr "Der gpg-agent ist nicht verf?gbar\n" -#: common/simple-pwquery.c:367 +#: common/simple-pwquery.c:368 #, c-format msgid "can't connect to `%s': %s\n" msgstr "Verbindung zu `%s' kann nicht aufgebaut werden: %s\n" -#: common/simple-pwquery.c:378 +#: common/simple-pwquery.c:379 msgid "communication problem with gpg-agent\n" msgstr "Kommunikationsproblem mit gpg-agent\n" -#: common/simple-pwquery.c:388 +#: common/simple-pwquery.c:389 msgid "problem setting the gpg-agent options\n" msgstr "Beim setzen der gpg-agent Optionen ist ein problem aufgetreten\n" -#: common/simple-pwquery.c:526 common/simple-pwquery.c:614 +#: common/simple-pwquery.c:527 common/simple-pwquery.c:615 msgid "canceled by user\n" msgstr "Vom Benutzer abgebrochen\n" -#: common/simple-pwquery.c:533 common/simple-pwquery.c:620 +#: common/simple-pwquery.c:534 common/simple-pwquery.c:621 msgid "problem with the agent\n" msgstr "Problem mit dem Agenten\n" -#: jnlib/logging.c:610 +#: jnlib/logging.c:611 #, c-format msgid "you found a bug ... (%s:%d)\n" msgstr "Sie haben einen Bug (Softwarefehler) gefunden ... (%s:%d)\n" -#: kbx/kbxutil.c:68 sm/gpgsm.c:239 tools/gpgconf.c:53 +#: kbx/kbxutil.c:69 sm/gpgsm.c:241 tools/gpgconf.c:54 msgid "" "@Commands:\n" " " @@ -497,7 +497,7 @@ "@Kommandos:\n" " " -#: kbx/kbxutil.c:76 sm/gpgsm.c:274 tools/gpgconf.c:59 +#: kbx/kbxutil.c:77 sm/gpgsm.c:276 tools/gpgconf.c:60 msgid "" "@\n" "Options:\n" @@ -507,31 +507,31 @@ "Optionen:\n" " " -#: kbx/kbxutil.c:83 sm/gpgsm.c:340 tools/gpgconf.c:64 +#: kbx/kbxutil.c:84 sm/gpgsm.c:342 tools/gpgconf.c:65 msgid "do not make any changes" msgstr "Keine ?nderungen durchf?hren" -#: kbx/kbxutil.c:85 +#: kbx/kbxutil.c:86 msgid "set debugging flags" msgstr "Debug Flags setzen" -#: kbx/kbxutil.c:86 +#: kbx/kbxutil.c:87 msgid "enable full debugging" msgstr "Alle Debug Flags setzen" -#: kbx/kbxutil.c:107 +#: kbx/kbxutil.c:108 msgid "Please report bugs to " msgstr "Bitte richten sie Berichte ?ber Bugs (Softwarefehler) an " -#: kbx/kbxutil.c:107 +#: kbx/kbxutil.c:108 msgid ".\n" msgstr ".\n" -#: kbx/kbxutil.c:111 +#: kbx/kbxutil.c:112 msgid "Usage: kbxutil [options] [files] (-h for help)" msgstr "Gebrauch: kbxutil [Optionen] [Dateien] (-h f?r Hilfe)" -#: kbx/kbxutil.c:114 +#: kbx/kbxutil.c:115 msgid "" "Syntax: kbxutil [options] [files]\n" "list, export, import Keybox data\n" @@ -539,43 +539,43 @@ "Syntax: kbxutil [Optionen] [Dateien]\n" "Anlistem exportieren und Importieren von KeyBox Dateien\n" -#: scd/scdaemon.c:104 +#: scd/scdaemon.c:105 msgid "run in multi server mode (foreground)" msgstr "Im Multiserver Modus ausf?hren" -#: scd/scdaemon.c:110 sm/gpgsm.c:352 +#: scd/scdaemon.c:111 sm/gpgsm.c:354 msgid "read options from file" msgstr "Konfigurationsoptionen aus Datei lesen" -#: scd/scdaemon.c:120 +#: scd/scdaemon.c:121 msgid "|N|connect to reader at port N" msgstr "|N|Verbinde mit dem Leser auf Port N" -#: scd/scdaemon.c:121 +#: scd/scdaemon.c:122 msgid "|NAME|use NAME as ct-API driver" msgstr "|NAME|Benutze NAME als CT-API Treiber" -#: scd/scdaemon.c:122 +#: scd/scdaemon.c:123 msgid "|NAME|use NAME as PC/SC driver" msgstr "|NAME|Benutze NAME als PC/SC Treiber" -#: scd/scdaemon.c:125 +#: scd/scdaemon.c:126 msgid "do not use the internal CCID driver" msgstr "Den internen CCID Treiber nicht benutzen" -#: scd/scdaemon.c:130 +#: scd/scdaemon.c:131 msgid "do not use a reader's keypad" msgstr "Die Tastatur des Kartenleser nicht benutzen" -#: scd/scdaemon.c:131 +#: scd/scdaemon.c:132 msgid "allow the use of admin card commands" msgstr "Erlaube die Benutzung von \"Admin\" Kommandos" -#: scd/scdaemon.c:188 +#: scd/scdaemon.c:191 msgid "Usage: scdaemon [options] (-h for help)" msgstr "Gebrauch: scdaemon [Optionen] (-h f?r Hilfe)" -#: scd/scdaemon.c:190 +#: scd/scdaemon.c:193 msgid "" "Syntax: scdaemon [options] [command [args]]\n" "Smartcard daemon for GnuPG\n" @@ -583,78 +583,78 @@ "Synatx: scdaemon [Optionen] [Kommando [Argumente]]\n" "Smartcard Daemon f?r GnuPG\n" -#: scd/scdaemon.c:662 +#: scd/scdaemon.c:665 msgid "please use the option `--daemon' to run the program in the background\n" msgstr "" "Bitte die Option `--daemon' nutzen um das Programm im Hintergund " "auszuf?hren\n" -#: scd/scdaemon.c:1003 +#: scd/scdaemon.c:1006 #, c-format msgid "handler for fd %d started\n" msgstr "Handhabungsroutine f?r fd %d gestartet\n" -#: scd/scdaemon.c:1008 +#: scd/scdaemon.c:1011 #, c-format msgid "handler for fd %d terminated\n" msgstr "Handhabungsroutine f?r den fd %d beendet\n" -#: scd/app-openpgp.c:595 +#: scd/app-openpgp.c:596 #, c-format msgid "failed to store the fingerprint: %s\n" msgstr "Der Fingerprint kann nicht gespeichert werden: %s\n" -#: scd/app-openpgp.c:608 +#: scd/app-openpgp.c:609 #, c-format msgid "failed to store the creation date: %s\n" msgstr "Das Erzeugungsdatum kann nicht gespeichert werden: %s\n" -#: scd/app-openpgp.c:1003 +#: scd/app-openpgp.c:1004 #, c-format msgid "reading public key failed: %s\n" msgstr "Fehler beim Lesen des ?ffentlichen Schl?ssels: %s\n" -#: scd/app-openpgp.c:1011 scd/app-openpgp.c:1947 +#: scd/app-openpgp.c:1012 scd/app-openpgp.c:1948 msgid "response does not contain the public key data\n" msgstr "Die Antwort enth?lt keine Public Key Daten\n" -#: scd/app-openpgp.c:1019 scd/app-openpgp.c:1955 +#: scd/app-openpgp.c:1020 scd/app-openpgp.c:1956 msgid "response does not contain the RSA modulus\n" msgstr "Die Antwort enth?lt keinen RSA Modulus\n" -#: scd/app-openpgp.c:1028 scd/app-openpgp.c:1965 +#: scd/app-openpgp.c:1029 scd/app-openpgp.c:1966 msgid "response does not contain the RSA public exponent\n" msgstr "Die Antwort enth?lt keinen ?ffenlichen RSA Exponent\n" -#: scd/app-openpgp.c:1296 scd/app-openpgp.c:1384 scd/app-openpgp.c:2187 +#: scd/app-openpgp.c:1297 scd/app-openpgp.c:1385 scd/app-openpgp.c:2192 #, c-format msgid "PIN callback returned error: %s\n" msgstr "Fehler vom PIN \"callback\": %s\n" -#: scd/app-openpgp.c:1302 scd/app-openpgp.c:1390 scd/app-openpgp.c:2193 +#: scd/app-openpgp.c:1303 scd/app-openpgp.c:1391 scd/app-openpgp.c:2198 #, c-format msgid "PIN for CHV%d is too short; minimum length is %d\n" msgstr "Die PIN f?r den CHV%d ist zu kurz; Mindestl?nge ist %d\n" -#: scd/app-openpgp.c:1311 scd/app-openpgp.c:1325 scd/app-openpgp.c:1400 -#: scd/app-openpgp.c:2202 scd/app-openpgp.c:2216 +#: scd/app-openpgp.c:1312 scd/app-openpgp.c:1326 scd/app-openpgp.c:1401 +#: scd/app-openpgp.c:2207 scd/app-openpgp.c:2221 #, c-format msgid "verify CHV%d failed: %s\n" msgstr "Pr?fen von CHV%d fehlgeschlagen: %s\n" -#: scd/app-openpgp.c:1348 +#: scd/app-openpgp.c:1349 msgid "access to admin commands is not configured\n" msgstr "Zugriff auf Admin Kommandos ist nicht konfiguriert\n" -#: scd/app-openpgp.c:1363 scd/app-openpgp.c:2422 +#: scd/app-openpgp.c:1364 scd/app-openpgp.c:2427 msgid "error retrieving CHV status from card\n" msgstr "Fehler beim Holen des CHV Status von der Karte\n" -#: scd/app-openpgp.c:1369 scd/app-openpgp.c:2431 +#: scd/app-openpgp.c:1370 scd/app-openpgp.c:2436 msgid "card is permanently locked!\n" msgstr "Die Karte ist dauerhaft gesperrt!\n" -#: scd/app-openpgp.c:1374 +#: scd/app-openpgp.c:1375 #, c-format msgid "%d Admin PIN attempts remaining before card is permanently locked\n" msgstr "" @@ -663,170 +663,176 @@ #. TRANSLATORS: Do not translate the "|A|" prefix but #. keep it at the start of the string. We need this elsewhere #. to get some infos on the string. -#: scd/app-openpgp.c:1381 +#: scd/app-openpgp.c:1382 msgid "|A|Admin PIN" msgstr "|A|Admin PIN" #. TRANSLATORS: Do not translate the "|*|" prefixes but #. keep it at the start of the string. We need this elsewhere #. to get some infos on the string. -#: scd/app-openpgp.c:1530 +#: scd/app-openpgp.c:1531 msgid "|AN|New Admin PIN" msgstr "|AN|Neue Admin PIN" -#: scd/app-openpgp.c:1530 +#: scd/app-openpgp.c:1531 msgid "|N|New PIN" msgstr "|N|Neue PIN" -#: scd/app-openpgp.c:1534 +#: scd/app-openpgp.c:1535 #, c-format msgid "error getting new PIN: %s\n" msgstr "Fehler beim Holen der neuen PIN: %s\n" -#: scd/app-openpgp.c:1584 scd/app-openpgp.c:2033 +#: scd/app-openpgp.c:1585 scd/app-openpgp.c:2034 msgid "error reading application data\n" msgstr "Fehler beim Lesen der Anwendungsdaten\n" -#: scd/app-openpgp.c:1590 scd/app-openpgp.c:2040 +#: scd/app-openpgp.c:1591 scd/app-openpgp.c:2041 msgid "error reading fingerprint DO\n" msgstr "Fehler beim Lesen des Fingerabdruck Datenobjekts\n" -#: scd/app-openpgp.c:1600 +#: scd/app-openpgp.c:1601 msgid "key already exists\n" msgstr "Schl?ssel existiert bereits\n" -#: scd/app-openpgp.c:1604 +#: scd/app-openpgp.c:1605 msgid "existing key will be replaced\n" msgstr "Existierender Schl?ssel wird ersetzt\n" -#: scd/app-openpgp.c:1606 +#: scd/app-openpgp.c:1607 msgid "generating new key\n" msgstr "Neuer Schl?ssel wird erzeugt\n" -#: scd/app-openpgp.c:1773 +#: scd/app-openpgp.c:1774 msgid "creation timestamp missing\n" msgstr "Erzeugungsdatum fehlt\n" -#: scd/app-openpgp.c:1780 +#: scd/app-openpgp.c:1781 #, c-format msgid "RSA modulus missing or not of size %d bits\n" msgstr "Der RSA Modulus fehlt oder ist nicht %d Bits lang\n" -#: scd/app-openpgp.c:1787 +#: scd/app-openpgp.c:1788 #, c-format msgid "RSA public exponent missing or larger than %d bits\n" msgstr "Der ?ffentliche RSA Exponent fehlt oder ist l?nger als %d Bits\n" -#: scd/app-openpgp.c:1795 scd/app-openpgp.c:1802 +#: scd/app-openpgp.c:1796 scd/app-openpgp.c:1803 #, c-format msgid "RSA prime %s missing or not of size %d bits\n" msgstr "Die RSA Primzahl %s fehlt oder ist nicht %d Bits lang\n" -#: scd/app-openpgp.c:1865 +#: scd/app-openpgp.c:1866 #, c-format msgid "failed to store the key: %s\n" msgstr "Fehler beim Speichern des Schl?ssels: %s\n" -#: scd/app-openpgp.c:1924 +#: scd/app-openpgp.c:1925 msgid "please wait while key is being generated ...\n" msgstr "Bitte warten bis der Schl?ssel erzeugt wurde ...\n" -#: scd/app-openpgp.c:1938 +#: scd/app-openpgp.c:1939 msgid "generating key failed\n" msgstr "Fehler beim Erzeugen des Schl?ssels\n" -#: scd/app-openpgp.c:1941 +#: scd/app-openpgp.c:1942 #, c-format msgid "key generation completed (%d seconds)\n" msgstr "Schl?sselerzeugung vollendet (%d Sekunden)\n" -#: scd/app-openpgp.c:1998 +#: scd/app-openpgp.c:1999 msgid "invalid structure of OpenPGP card (DO 0x93)\n" msgstr "Ung?ltige Struktur der OpenPGP Karte (DO 0x93)\n" -#: scd/app-openpgp.c:2167 +#: scd/app-openpgp.c:2125 #, c-format +msgid "card does not support digest algorithm %s\n" +msgstr "" + +#: scd/app-openpgp.c:2172 +#, c-format msgid "signatures created so far: %lu\n" msgstr "Anzahl bereits erzeugter Signaturen: %lu\n" -#: scd/app-openpgp.c:2175 +#: scd/app-openpgp.c:2180 #, c-format msgid "||Please enter the PIN%%0A[sigs done: %lu]" msgstr "||Bitte geben Sie die PIN ein%%0A[Sigs bisher: %lu]" -#: scd/app-openpgp.c:2436 +#: scd/app-openpgp.c:2441 msgid "" "verification of Admin PIN is currently prohibited through this command\n" msgstr "" "Die ?berpr?fung der Admin PIN is momentan durch ein Kommando verboten " "worden\n" -#: scd/app-openpgp.c:2509 scd/app-openpgp.c:2519 +#: scd/app-openpgp.c:2514 scd/app-openpgp.c:2524 #, c-format msgid "can't access %s - invalid OpenPGP card?\n" msgstr "Zugriff auf %s nicht m?glich - ung?ltige OpenPGP Karte?\n" -#: scd/app-nks.c:344 +#: scd/app-nks.c:345 msgid "the NullPIN has not yet been changed\n" msgstr "Die Nullpin wurde noch nicht ge?ndert\n" -#: sm/base64.c:317 +#: sm/base64.c:318 #, c-format msgid "invalid radix64 character %02x skipped\n" msgstr "Ung?ltiges Basis-64 Zeichen %02X wurde ?bergangen\n" -#: sm/call-agent.c:101 +#: sm/call-agent.c:102 msgid "no running gpg-agent - starting one\n" msgstr "Kein aktiver gpg-agent - es wird einer gestarted\n" -#: sm/call-agent.c:166 +#: sm/call-agent.c:167 msgid "can't connect to the agent - trying fall back\n" msgstr "Verbindung zum gpg-agent nicht m?glich - Ersatzmethode wird versucht\n" -#: sm/call-dirmngr.c:174 -msgid "no running dirmngr - starting one\n" +#: sm/call-dirmngr.c:182 +#, fuzzy, c-format +msgid "no running dirmngr - starting `%s'\n" msgstr "Kein aktiver Dirmngr - es wird einer gestartet\n" -#: sm/call-dirmngr.c:214 +#: sm/call-dirmngr.c:216 msgid "malformed DIRMNGR_INFO environment variable\n" msgstr "Die Variable DIRMNGR_INFO ist fehlerhaft\n" -#: sm/call-dirmngr.c:226 +#: sm/call-dirmngr.c:228 #, c-format msgid "dirmngr protocol version %d is not supported\n" msgstr "Die Dirmngr Protokollversion %d wird nicht unterst?tzt\n" -#: sm/call-dirmngr.c:240 +#: sm/call-dirmngr.c:242 msgid "can't connect to the dirmngr - trying fall back\n" msgstr "" "Verbindung zum Dirmngr kann nicht aufgebaut werden - Ersatzmethode wird " "versucht\n" -#: sm/certdump.c:60 sm/certdump.c:146 +#: sm/certdump.c:61 sm/certdump.c:147 msgid "none" msgstr "keine" -#: sm/certdump.c:155 +#: sm/certdump.c:156 msgid "[none]" msgstr "[keine]" -#: sm/certdump.c:498 sm/certdump.c:561 +#: sm/certdump.c:499 sm/certdump.c:562 msgid "[Error - invalid encoding]" msgstr "[Fehler - Ung?ltige Kodierung]" -#: sm/certdump.c:506 +#: sm/certdump.c:507 msgid "[Error - out of core]" msgstr "[Fehler - Nich gen?gend Speicher]" -#: sm/certdump.c:541 +#: sm/certdump.c:542 msgid "[Error - No name]" msgstr "[Fehler - Kein Name]" -#: sm/certdump.c:566 +#: sm/certdump.c:567 msgid "[Error - invalid DN]" msgstr "[Fehler - Ung?ltiger DN]" -#: sm/certdump.c:727 +#: sm/certdump.c:728 #, c-format msgid "" "Please enter the passphrase to unlock the secret key for:\n" @@ -839,451 +845,451 @@ "S/N %s, ID %08lX, erzeugt %s\n" "zu entsperren" -#: sm/certlist.c:122 +#: sm/certlist.c:123 msgid "no key usage specified - assuming all usages\n" msgstr "" "Schl?sselverwendungszweck nicht vorhanden - f?r alle Zwecke akzeptiert\n" -#: sm/certlist.c:132 sm/keylist.c:245 +#: sm/certlist.c:133 sm/keylist.c:246 #, c-format msgid "error getting key usage information: %s\n" msgstr "Fehler beim holen der Schl?sselbenutzungsinformationen: %s\n" -#: sm/certlist.c:142 +#: sm/certlist.c:143 msgid "certificate should have not been used for certification\n" msgstr "Das Zertifikat h?tte nicht zum Zertifizieren benutzt werden sollen\n" -#: sm/certlist.c:154 +#: sm/certlist.c:155 msgid "certificate should have not been used for OCSP response signing\n" msgstr "" "Das Zertifikat h?tte nicht zum Signieren von OCSP Antworten benutzt werden " "sollen\n" -#: sm/certlist.c:165 +#: sm/certlist.c:166 msgid "certificate should have not been used for encryption\n" msgstr "Das Zertifikat h?tte nicht zum Verschl?sseln benutzt werden sollen\n" -#: sm/certlist.c:166 +#: sm/certlist.c:167 msgid "certificate should have not been used for signing\n" msgstr "Das Zertifikat h?tte nicht zum Signieren benutzt werden sollen\n" -#: sm/certlist.c:167 +#: sm/certlist.c:168 msgid "certificate is not usable for encryption\n" msgstr "Das Zertifikat kann nicht zum Verschl?sseln benutzt werden\n" -#: sm/certlist.c:168 +#: sm/certlist.c:169 msgid "certificate is not usable for signing\n" msgstr "Das Zertifikat kann nicht zum Signieren benutzt werden\n" -#: sm/certchain.c:109 +#: sm/certchain.c:115 #, c-format msgid "critical certificate extension %s is not supported" msgstr "Die kritische Zertifikaterweiterung %s wird nicht unterst?tzt" -#: sm/certchain.c:131 +#: sm/certchain.c:142 msgid "issuer certificate is not marked as a CA" msgstr "Das Herausgeberzertifikat ist nicht f?r eine CA gekennzeichnet" -#: sm/certchain.c:169 +#: sm/certchain.c:180 msgid "critical marked policy without configured policies" msgstr "kritische Richtlinie ohne konfigurierte Richtlinien" -#: sm/certchain.c:179 +#: sm/certchain.c:190 #, c-format msgid "failed to open `%s': %s\n" msgstr "Datei `%s' kann nicht ge?ffnet werden: %s\n" -#: sm/certchain.c:186 sm/certchain.c:215 +#: sm/certchain.c:197 sm/certchain.c:226 msgid "note: non-critical certificate policy not allowed" msgstr "Notiz: Die unkritische Zertifikatrichtlinie ist nicht erlaubt" -#: sm/certchain.c:190 sm/certchain.c:219 +#: sm/certchain.c:201 sm/certchain.c:230 msgid "certificate policy not allowed" msgstr "Die Zertifikatrichtlinie ist nicht erlaubt" -#: sm/certchain.c:330 +#: sm/certchain.c:341 msgid "looking up issuer at external location\n" msgstr "Der Herausgeber wird von einer externen Stelle gesucht\n" -#: sm/certchain.c:350 +#: sm/certchain.c:361 #, c-format msgid "number of issuers matching: %d\n" msgstr "Anzahl der ?bereinstimmenden Heruasgeber: %d\n" -#: sm/certchain.c:503 sm/certchain.c:665 sm/certchain.c:1103 sm/decrypt.c:260 -#: sm/encrypt.c:341 sm/sign.c:324 sm/verify.c:106 +#: sm/certchain.c:514 sm/certchain.c:676 sm/certchain.c:1114 sm/decrypt.c:261 +#: sm/encrypt.c:342 sm/sign.c:325 sm/verify.c:107 msgid "failed to allocated keyDB handle\n" msgstr "Ein keyDB Handle konnte nicht bereitgestellt werden\n" -#: sm/certchain.c:592 +#: sm/certchain.c:603 msgid "certificate has been revoked" msgstr "Das Zertifikat wurde widerrufen" -#: sm/certchain.c:601 +#: sm/certchain.c:612 msgid "no CRL found for certificate" msgstr "Keine CRL f?r das Zertifikat gefunden" -#: sm/certchain.c:605 +#: sm/certchain.c:616 msgid "the available CRL is too old" msgstr "Die vorhandene CRL ist zu alt" -#: sm/certchain.c:607 +#: sm/certchain.c:618 msgid "please make sure that the \"dirmngr\" is properly installed\n" msgstr "" "Bitte vergewissern Sie sich das der \"dirmngr\" richtig installierrt ist\n" -#: sm/certchain.c:612 +#: sm/certchain.c:623 #, c-format msgid "checking the CRL failed: %s" msgstr "Die CRL konnte nicht gepr?ft werden: %s" -#: sm/certchain.c:685 +#: sm/certchain.c:696 msgid "no issuer found in certificate" msgstr "Im Zertifikat ist kein Herausgeber enthalten" -#: sm/certchain.c:698 +#: sm/certchain.c:709 #, c-format msgid "certificate with invalid validity: %s" msgstr "Zertifikat mit unzul?ssiger G?ltigkeit: %s" -#: sm/certchain.c:714 +#: sm/certchain.c:725 msgid "certificate not yet valid" msgstr "Das Zertifikat ist noch nicht g?ltig" -#: sm/certchain.c:727 +#: sm/certchain.c:738 msgid "certificate has expired" msgstr "Das Zertifikat ist abgelaufen" -#: sm/certchain.c:764 +#: sm/certchain.c:775 msgid "self-signed certificate has a BAD signature" msgstr "Das eigenbeglaubigte Zertifikat hat eine FALSCHE Signatur" -#: sm/certchain.c:829 +#: sm/certchain.c:840 msgid "root certificate is not marked trusted" msgstr "Das Wurzelzertifikat ist nicht als vertrauensw?rdig markiert" -#: sm/certchain.c:840 +#: sm/certchain.c:851 #, c-format msgid "fingerprint=%s\n" msgstr "Fingerprint=%s\n" -#: sm/certchain.c:845 +#: sm/certchain.c:856 msgid "root certificate has now been marked as trusted\n" msgstr "Das Wurzelzertifikat wurde nun als vertrauensw?rdig markiert\n" -#: sm/certchain.c:860 +#: sm/certchain.c:871 #, c-format msgid "checking the trust list failed: %s\n" msgstr "Fehler beim Pr?fen der vertrauensw?rdigen Zertifikate: %s\n" -#: sm/certchain.c:886 sm/import.c:157 +#: sm/certchain.c:897 sm/import.c:158 msgid "certificate chain too long\n" msgstr "Der Zertifikatkette ist zu lang\n" -#: sm/certchain.c:898 +#: sm/certchain.c:909 msgid "issuer certificate not found" msgstr "Herausgeberzertifikat nicht gefunden" -#: sm/certchain.c:931 +#: sm/certchain.c:942 msgid "certificate has a BAD signature" msgstr "Das Zertifikat hat eine FALSCHE Signatur" -#: sm/certchain.c:961 +#: sm/certchain.c:972 msgid "found another possible matching CA certificate - trying again" msgstr "" "Eine anderes m?glicherweise passendes CA-Zertifikat gefunden - versuche " "nochmal" -#: sm/certchain.c:984 +#: sm/certchain.c:995 #, c-format msgid "certificate chain longer than allowed by CA (%d)" msgstr "Die Zertifikatkette ist l?nger als von der CA erlaubt (%d)" -#: sm/decrypt.c:127 +#: sm/decrypt.c:128 msgid "" "WARNING: message was encrypted with a weak key in the symmetric cipher.\n" msgstr "" "WARNUNG: Die Nachricht wurde mich einem schwachen Schl?ssel (Weak Key) " "erzeugt\n" -#: sm/decrypt.c:325 +#: sm/decrypt.c:326 msgid "(this is the RC2 algorithm)\n" msgstr "(Dies ist der RC-2 Algorithmus)\n" -#: sm/decrypt.c:327 +#: sm/decrypt.c:328 msgid "(this does not seem to be an encrypted message)\n" msgstr "(dies is wahrscheinlich keine verschl?sselte Nachricht)\n" -#: sm/delete.c:51 sm/delete.c:102 +#: sm/delete.c:52 sm/delete.c:103 #, c-format msgid "certificate `%s' not found: %s\n" msgstr "Zertifikat `%s' nicht gefunden: %s\n" -#: sm/delete.c:112 sm/keydb.c:1402 sm/keydb.c:1495 +#: sm/delete.c:113 sm/keydb.c:1380 sm/keydb.c:1473 #, c-format msgid "error locking keybox: %s\n" msgstr "Fehler beim Sperren der Keybox: %s\n" -#: sm/delete.c:133 +#: sm/delete.c:134 #, c-format msgid "duplicated certificate `%s' deleted\n" msgstr "Doppeltes Zertifikat `%s' gel?scht\n" -#: sm/delete.c:135 +#: sm/delete.c:136 #, c-format msgid "certificate `%s' deleted\n" msgstr "Zertifikat `%s' gel?scht\n" -#: sm/delete.c:165 +#: sm/delete.c:166 #, c-format msgid "deleting certificate \"%s\" failed: %s\n" msgstr "Fehler beim L?schen des Zertifikats \"%s\": %s\n" -#: sm/encrypt.c:120 +#: sm/encrypt.c:121 msgid "weak key created - retrying\n" msgstr "Schwacher Schl?ssel - es wird erneut versucht\n" -#: sm/encrypt.c:332 +#: sm/encrypt.c:333 msgid "no valid recipients given\n" msgstr "Keine g?ltigen Empf?nger angegeben\n" -#: sm/gpgsm.c:241 +#: sm/gpgsm.c:243 msgid "|[FILE]|make a signature" msgstr "|[DATEI]|Erzeuge eine Signatur" -#: sm/gpgsm.c:242 +#: sm/gpgsm.c:244 msgid "|[FILE]|make a clear text signature" msgstr "|[DATEI]|Erzeuge eine Klartextsignatur" -#: sm/gpgsm.c:243 +#: sm/gpgsm.c:245 msgid "make a detached signature" msgstr "Erzeuge eine abgetrennte Signatur" -#: sm/gpgsm.c:244 +#: sm/gpgsm.c:246 msgid "encrypt data" msgstr "Verschl?ssele die Daten" -#: sm/gpgsm.c:245 +#: sm/gpgsm.c:247 msgid "encryption only with symmetric cipher" msgstr "Verschl?sselung nur mit symmetrischem Algrithmus" -#: sm/gpgsm.c:246 +#: sm/gpgsm.c:248 msgid "decrypt data (default)" msgstr "Enschl?ssele die Daten" -#: sm/gpgsm.c:247 +#: sm/gpgsm.c:249 msgid "verify a signature" msgstr "?berpr?fen einer Signatur" -#: sm/gpgsm.c:249 +#: sm/gpgsm.c:251 msgid "list keys" msgstr "Schl?ssel anzeigen" -#: sm/gpgsm.c:250 +#: sm/gpgsm.c:252 msgid "list external keys" msgstr "Externe Schl?ssel anzeigen" -#: sm/gpgsm.c:251 +#: sm/gpgsm.c:253 msgid "list secret keys" msgstr "Geheime Schl?ssel anzeigen" -#: sm/gpgsm.c:252 +#: sm/gpgsm.c:254 msgid "list certificate chain" msgstr "Schl?ssel mit Zertifikatekette anzeigen" -#: sm/gpgsm.c:254 +#: sm/gpgsm.c:256 msgid "list keys and fingerprints" msgstr "Schl?ssel und Fingerprint anzeigen" -#: sm/gpgsm.c:255 +#: sm/gpgsm.c:257 msgid "generate a new key pair" msgstr "Neues Schl?sselpaar erzeugen" -#: sm/gpgsm.c:256 +#: sm/gpgsm.c:258 msgid "remove key from the public keyring" msgstr "Schl?ssel aus dem ?ffentlichen Schl?sselbund l?schen" -#: sm/gpgsm.c:257 +#: sm/gpgsm.c:259 msgid "export keys to a key server" msgstr "Schl?ssen an eine Schl?sselserver exportieren" -#: sm/gpgsm.c:258 +#: sm/gpgsm.c:260 msgid "import keys from a key server" msgstr "Schl?ssel von einem Schl?sselserver importieren" -#: sm/gpgsm.c:259 +#: sm/gpgsm.c:261 msgid "import certificates" msgstr "Zertifikate importieren" -#: sm/gpgsm.c:260 +#: sm/gpgsm.c:262 msgid "export certificates" msgstr "Zertifikate exportieren" -#: sm/gpgsm.c:261 +#: sm/gpgsm.c:263 msgid "register a smartcard" msgstr "Smartcard registrieren" -#: sm/gpgsm.c:262 +#: sm/gpgsm.c:264 msgid "run in server mode" msgstr "Im Server Modus ausf?hren" -#: sm/gpgsm.c:263 +#: sm/gpgsm.c:265 msgid "pass a command to the dirmngr" msgstr "Das Kommand an den Dirmngr durchreichen" -#: sm/gpgsm.c:265 +#: sm/gpgsm.c:267 msgid "invoke gpg-protect-tool" msgstr "Rufe das gpg-protect-tool auf" -#: sm/gpgsm.c:266 +#: sm/gpgsm.c:268 msgid "change a passphrase" msgstr "Das Mantra (Passphrase) ?ndern" -#: sm/gpgsm.c:276 +#: sm/gpgsm.c:278 msgid "create ascii armored output" msgstr "Ausgabe mit ASCII H?lle wird erzeugt" -#: sm/gpgsm.c:278 +#: sm/gpgsm.c:280 msgid "create base-64 encoded output" msgstr "Ausgabe im Basis-64 format erzeugen" -#: sm/gpgsm.c:280 +#: sm/gpgsm.c:282 msgid "assume input is in PEM format" msgstr "Eingabedaten sind im PEM Format" -#: sm/gpgsm.c:282 +#: sm/gpgsm.c:284 msgid "assume input is in base-64 format" msgstr "Eingabedaten sind im Basis-64 Format" -#: sm/gpgsm.c:284 +#: sm/gpgsm.c:286 msgid "assume input is in binary format" msgstr "Eingabedaten sind im Bin?rformat" -#: sm/gpgsm.c:286 +#: sm/gpgsm.c:288 msgid "|NAME|encrypt for NAME" msgstr "|NAME|Verschl?sseln f?r NAME" -#: sm/gpgsm.c:289 +#: sm/gpgsm.c:291 msgid "use system's dirmngr if available" msgstr "Benutze den System Dirmngr when verf?gbar" -#: sm/gpgsm.c:290 +#: sm/gpgsm.c:292 msgid "never consult a CRL" msgstr "Niemals eine CRL konsultieren" -#: sm/gpgsm.c:297 +#: sm/gpgsm.c:299 msgid "check validity using OCSP" msgstr "Die G?ltigkeit mittels OCSP pr?fen" -#: sm/gpgsm.c:300 +#: sm/gpgsm.c:302 msgid "|N|number of certificates to include" msgstr "|N|Sende N Zertifikate mit" -#: sm/gpgsm.c:303 +#: sm/gpgsm.c:305 msgid "|FILE|take policy information from FILE" msgstr "|DATEI|Richtlinieninformationen DATEI entnehmen" -#: sm/gpgsm.c:306 +#: sm/gpgsm.c:308 msgid "do not check certificate policies" msgstr "Zertikikatrichtlinien nicht ?berpr?fen" -#: sm/gpgsm.c:310 +#: sm/gpgsm.c:312 msgid "fetch missing issuer certificates" msgstr "Fehlende Zertifikate automatisch holen" -#: sm/gpgsm.c:314 +#: sm/gpgsm.c:316 msgid "|NAME|use NAME as default recipient" msgstr "|NAME|Benutze NAME als voreingestellten Empf?nger" -#: sm/gpgsm.c:316 +#: sm/gpgsm.c:318 msgid "use the default key as default recipient" msgstr "Benuzte voreingestellten Schl?ssel als Standardempf?nger" -#: sm/gpgsm.c:322 +#: sm/gpgsm.c:324 msgid "use this user-id to sign or decrypt" msgstr "Benuzte diese Benutzer ID zum Signieren oder Entschl?sseln" -#: sm/gpgsm.c:325 +#: sm/gpgsm.c:327 msgid "|N|set compress level N (0 disables)" msgstr "|N|Benutze Komprimierungsstufe N" -#: sm/gpgsm.c:327 +#: sm/gpgsm.c:329 msgid "use canonical text mode" msgstr "Kanonischen Textmodus benutzen" -#: sm/gpgsm.c:330 tools/gpgconf.c:61 +#: sm/gpgsm.c:332 tools/gpgconf.c:62 msgid "use as output file" msgstr "als Ausgabedatei benutzen" -#: sm/gpgsm.c:333 +#: sm/gpgsm.c:335 msgid "don't use the terminal at all" msgstr "Das Terminal ?berhaupt nicht benutzen" -#: sm/gpgsm.c:337 +#: sm/gpgsm.c:339 msgid "force v3 signatures" msgstr "Version 3 Signaturen erzwingen" -#: sm/gpgsm.c:338 +#: sm/gpgsm.c:340 msgid "always use a MDC for encryption" msgstr "Immer das MDC Verfahren zum verschl?sseln mitbenutzen" -#: sm/gpgsm.c:343 +#: sm/gpgsm.c:345 msgid "batch mode: never ask" msgstr "Stapelverarbeitungs Modus: Nie nachfragen" -#: sm/gpgsm.c:344 +#: sm/gpgsm.c:346 msgid "assume yes on most questions" msgstr "\"Ja\" auf die meisten Anfragen annehmen" -#: sm/gpgsm.c:345 +#: sm/gpgsm.c:347 msgid "assume no on most questions" msgstr "\"Nein\" auf die meisten Anfragen annehmen" -#: sm/gpgsm.c:347 +#: sm/gpgsm.c:349 msgid "add this keyring to the list of keyrings" msgstr "Diesen Keyring in die Liste der Keyrings aufnehmen" -#: sm/gpgsm.c:348 +#: sm/gpgsm.c:350 msgid "add this secret keyring to the list" msgstr "Diese geheimen Keyring in die Liste aufnehmen" -#: sm/gpgsm.c:349 +#: sm/gpgsm.c:351 msgid "|NAME|use NAME as default secret key" msgstr "|NAME|Benutze NAME als voreingestellten Schl?ssel" -#: sm/gpgsm.c:350 +#: sm/gpgsm.c:352 msgid "|HOST|use this keyserver to lookup keys" msgstr "|HOST|Benutze HOST als Schl?sselserver" -#: sm/gpgsm.c:351 +#: sm/gpgsm.c:353 msgid "|NAME|set terminal charset to NAME" msgstr "|NAME|Den Zeichensatz f?r das Terminal auf NAME setzen" -#: sm/gpgsm.c:355 +#: sm/gpgsm.c:357 msgid "|LEVEL|set the debugging level to LEVEL" msgstr "|NAME|Die Debugstufe auf NAME setzen" -#: sm/gpgsm.c:363 +#: sm/gpgsm.c:365 msgid "|FD|write status info to this FD" msgstr "|FD|Statusinformationen auf Dateidescriptor FD schreiben" -#: sm/gpgsm.c:370 +#: sm/gpgsm.c:372 msgid "|FILE|load extension module FILE" msgstr "|DATEI|Das Erweiterungsmodul DATEI laden" -#: sm/gpgsm.c:376 +#: sm/gpgsm.c:378 msgid "|NAME|use cipher algorithm NAME" msgstr "|NAME|Den Verschl?sselungsalgrithmus NAME benutzen" -#: sm/gpgsm.c:378 +#: sm/gpgsm.c:380 msgid "|NAME|use message digest algorithm NAME" msgstr "|NAME|Den Hashalgorithmus NAME benutzen" -#: sm/gpgsm.c:380 +#: sm/gpgsm.c:382 msgid "|N|use compress algorithm N" msgstr "|N|Den Kompressionsalgorithmus Nummer N benutzen" -#: sm/gpgsm.c:388 +#: sm/gpgsm.c:390 msgid "" "@\n" "(See the man page for a complete listing of all commands and options)\n" @@ -1291,7 +1297,7 @@ "@\n" "(Die \"man\" Seite beschreibt alle Kommands und Optionen)\n" -#: sm/gpgsm.c:391 +#: sm/gpgsm.c:393 msgid "" "@\n" "Examples:\n" @@ -1311,11 +1317,11 @@ " --list-keys [Namen] Schl?ssel anzeigenn\n" " --fingerprint [Namen] \"Fingerabdr?cke\" anzeigen\\n\n" -#: sm/gpgsm.c:510 +#: sm/gpgsm.c:516 msgid "Usage: gpgsm [options] [files] (-h for help)" msgstr "Gebrauch: gpgsm [Optionen] [Dateien] (-h f?r Hilfe)" -#: sm/gpgsm.c:513 +#: sm/gpgsm.c:519 msgid "" "Syntax: gpgsm [options] [files]\n" "sign, check, encrypt or decrypt using the S/MIME protocol\n" @@ -1324,7 +1330,7 @@ "Gebrauch: gpgsm [Optionen] [Dateien]\n" "Signieren, pr?fen, ver- und entschl?sseln mittels S/MIME protocol\n" -#: sm/gpgsm.c:520 +#: sm/gpgsm.c:526 msgid "" "\n" "Supported algorithms:\n" @@ -1332,215 +1338,215 @@ "\n" "Unterst?tzte Algorithmen:\n" -#: sm/gpgsm.c:607 +#: sm/gpgsm.c:613 msgid "usage: gpgsm [options] " msgstr "Gebrauch: gpgsm [Optionen] " -#: sm/gpgsm.c:672 +#: sm/gpgsm.c:678 msgid "conflicting commands\n" msgstr "Widersprechende Kommandos\n" -#: sm/gpgsm.c:688 +#: sm/gpgsm.c:694 #, c-format msgid "can't encrypt to `%s': %s\n" msgstr "Verschl?sseln f?r `%s' nicht m?glich: %s\n" -#: sm/gpgsm.c:762 +#: sm/gpgsm.c:768 #, c-format msgid "libksba is too old (need %s, have %s)\n" msgstr "Die Bibliothek Libksba is nicht aktuell (ben?tige %s, habe %s)\n" -#: sm/gpgsm.c:1221 +#: sm/gpgsm.c:1229 msgid "WARNING: program may create a core file!\n" msgstr "WARNUNG: Programm k?nnte eine core-dump-Datei schreiben!\n" -#: sm/gpgsm.c:1238 +#: sm/gpgsm.c:1246 msgid "WARNING: running with faked system time: " msgstr "WARNUNG: Ausf?hrung mit gef?lschter Systemzeit: " -#: sm/gpgsm.c:1264 +#: sm/gpgsm.c:1272 msgid "selected cipher algorithm is invalid\n" msgstr "Das ausgew?hlte Verschl?sselungsverfahren ist ung?ltig\n" -#: sm/gpgsm.c:1272 +#: sm/gpgsm.c:1280 msgid "selected digest algorithm is invalid\n" msgstr "Das ausgew?hlte Hashverfahren ist ung?ltig\n" -#: sm/gpgsm.c:1302 +#: sm/gpgsm.c:1310 #, c-format msgid "can't sign using `%s': %s\n" msgstr "Signieren mit `%s' nicht m?glich: %s\n" -#: sm/gpgsm.c:1475 +#: sm/gpgsm.c:1483 msgid "this command has not yet been implemented\n" msgstr "Dieses Kommando wurde noch nicht implementiert\n" -#: sm/gpgsm.c:1705 sm/gpgsm.c:1742 sm/qualified.c:73 +#: sm/gpgsm.c:1713 sm/gpgsm.c:1750 sm/qualified.c:74 #, c-format msgid "can't open `%s': %s\n" msgstr "Datei `%s' kann nicht ge?ffnet werden: %s\n" -#: sm/import.c:109 +#: sm/import.c:110 #, c-format msgid "total number processed: %lu\n" msgstr "gesamte verarbeitete Anzahl: %lu\n" -#: sm/import.c:112 +#: sm/import.c:113 #, c-format msgid " imported: %lu" msgstr " importiert: %lu" -#: sm/import.c:116 +#: sm/import.c:117 #, c-format msgid " unchanged: %lu\n" msgstr " nicht ge?ndert: %lu\n" -#: sm/import.c:118 +#: sm/import.c:119 #, c-format msgid " secret keys read: %lu\n" msgstr " gelesene private Schl?ssel: %lu\n" -#: sm/import.c:120 +#: sm/import.c:121 #, c-format msgid " secret keys imported: %lu\n" msgstr "importierte priv. Schl?ssel: %lu\n" -#: sm/import.c:122 +#: sm/import.c:123 #, c-format msgid " secret keys unchanged: %lu\n" msgstr "unge?nderte priv. Schl?ssel: %lu\n" -#: sm/import.c:124 +#: sm/import.c:125 #, c-format msgid " not imported: %lu\n" msgstr " nicht importiert: %lu\n" -#: sm/import.c:226 +#: sm/import.c:227 msgid "error storing certificate\n" msgstr "Fehler beim speichern des Zertifikats\n" -#: sm/import.c:234 +#: sm/import.c:235 msgid "basic certificate checks failed - not imported\n" msgstr "Grundlegende Zertifikatpr?fungen fehlgeschlagen - nicht importiert\n" -#: sm/import.c:420 sm/import.c:452 +#: sm/import.c:421 sm/import.c:453 #, c-format msgid "error importing certificate: %s\n" msgstr "Fehler beim Importieren des Zertifikats: %s\n" -#: sm/import.c:524 sm/import.c:549 +#: sm/import.c:525 sm/import.c:550 #, c-format msgid "error creating temporary file: %s\n" msgstr "Fehler beim Erstellen einer tempor?ren Datei: %s\n" -#: sm/import.c:532 +#: sm/import.c:533 #, c-format msgid "error writing to temporary file: %s\n" msgstr "Fehler beim Schreiben auf eine tempor?re Datei: %s\n" -#: sm/import.c:541 +#: sm/import.c:542 #, c-format msgid "error reading input: %s\n" msgstr "Fehler beim Lesen der Eingabe: %s\n" -#: sm/keydb.c:187 +#: sm/keydb.c:188 #, c-format msgid "error creating keybox `%s': %s\n" msgstr "Die \"Keybox\" `%s' konnte nicht erstellt werden: %s\n" -#: sm/keydb.c:190 +#: sm/keydb.c:191 msgid "you may want to start the gpg-agent first\n" msgstr "Sie sollten zuerst den gpg-agent starten\n" -#: sm/keydb.c:195 +#: sm/keydb.c:196 #, c-format msgid "keybox `%s' created\n" msgstr "Die \"Keybox\" `%s' wurde erstellt\n" -#: sm/keydb.c:218 +#: sm/keydb.c:219 #, c-format msgid "can't create lock for `%s'\n" msgstr "Datei `%s' konnte nicht gesperrt werden\n" -#: sm/keydb.c:1326 sm/keydb.c:1388 +#: sm/keydb.c:1300 sm/keydb.c:1366 msgid "failed to get the fingerprint\n" msgstr "Kann den Fingerprint nicht ermitteln\n" -#: sm/keydb.c:1333 sm/keydb.c:1395 +#: sm/keydb.c:1307 sm/keydb.c:1373 msgid "failed to allocate keyDB handle\n" msgstr "Kann keinen KeyDB Handler bereitstellen\n" -#: sm/keydb.c:1350 +#: sm/keydb.c:1328 #, c-format msgid "problem looking for existing certificate: %s\n" msgstr "Problem bei der Suche nach vorhandenem Zertifikat: %s\n" -#: sm/keydb.c:1358 +#: sm/keydb.c:1336 #, c-format msgid "error finding writable keyDB: %s\n" msgstr "Fehler bei der Suche nach einer schreibbaren KeyDB: %s\n" -#: sm/keydb.c:1366 +#: sm/keydb.c:1344 #, c-format msgid "error storing certificate: %s\n" msgstr "Fehler beim Speichern des Zertifikats: %s\n" -#: sm/keydb.c:1410 +#: sm/keydb.c:1388 #, c-format msgid "problem re-searching certificate: %s\n" msgstr "Problem bei Wiederfinden des Zertifikats: %s\n" -#: sm/keydb.c:1419 sm/keydb.c:1507 +#: sm/keydb.c:1397 sm/keydb.c:1485 #, c-format msgid "error getting stored flags: %s\n" msgstr "Fehler beim Holen der gespeicherten Flags: %s\n" -#: sm/keydb.c:1428 sm/keydb.c:1518 +#: sm/keydb.c:1406 sm/keydb.c:1496 #, c-format msgid "error storing flags: %s\n" msgstr "Fehler beim Speichern der Flags: %s\n" -#: sm/sign.c:443 +#: sm/sign.c:444 #, c-format msgid "checking for qualified certificate failed: %s\n" msgstr "Pr?fung auf ein qualifiziertes Zertifikats fehlgeschlagen: %s\n" -#: sm/sign.c:478 sm/verify.c:188 +#: sm/sign.c:479 sm/verify.c:189 msgid "(this is the MD2 algorithm)\n" msgstr "(Dies ist der MD2 Algorithmus)\n" -#: sm/verify.c:387 +#: sm/verify.c:388 msgid "Signature made " msgstr "Signatur erzeugt am " -#: sm/verify.c:391 +#: sm/verify.c:392 msgid "[date not given]" msgstr "[Datum nicht vorhanden]" -#: sm/verify.c:392 +#: sm/verify.c:393 #, c-format msgid " using certificate ID %08lX\n" msgstr "mittels Zertifikat ID %08lX\n" -#: sm/verify.c:505 +#: sm/verify.c:506 msgid "Good signature from" msgstr "Korrekte Signatur von" -#: sm/verify.c:506 +#: sm/verify.c:507 msgid " aka" msgstr " alias" -#: sm/qualified.c:112 +#: sm/qualified.c:113 #, c-format msgid "invalid formatted fingerprint in `%s', line %d\n" msgstr "Der Fingerabdruck in `%s', Zeile %d is fehlerhaft formatiert\n" -#: sm/qualified.c:130 +#: sm/qualified.c:131 #, c-format msgid "invalid country code in `%s', line %d\n" msgstr "Ung?ltiger Landescode in `%s', Zeile %d\n" -#: sm/qualified.c:215 +#: sm/qualified.c:224 #, c-format msgid "" "You are about to create a signature using your certificate:\n" @@ -1557,7 +1563,7 @@ "\n" "%s%sSind Sie wirklich sicher, da? Sie dies m?chten?" -#: sm/qualified.c:224 +#: sm/qualified.c:233 msgid "" "Note, that this software is not officially approved to create or verify such " "signatures.\n" @@ -1565,7 +1571,7 @@ "Bitte beachten Sie, da? diese Software nicht offiziell zur Erzeugung\n" "oder Pr?fung von qualifizierten Signaturen zugelassen ist.\n" -#: sm/qualified.c:312 +#: sm/qualified.c:321 #, c-format msgid "" "You are about to create a signature using your certificate:\n" @@ -1577,31 +1583,31 @@ "zu erzeugen. Bitte beachten Sie, da? dies KEINE qualifizierte\n" "Signatur erzeugen wird." -#: tools/gpgconf.c:55 +#: tools/gpgconf.c:56 msgid "list all components" msgstr "Liste aller Komponenten" -#: tools/gpgconf.c:56 +#: tools/gpgconf.c:57 msgid "|COMPONENT|list options" msgstr "|KOMPONENTE|Zeige die Optionen an" -#: tools/gpgconf.c:57 +#: tools/gpgconf.c:58 msgid "|COMPONENT|change options" msgstr "|KOMPONENTE|?ndere die Optionen" -#: tools/gpgconf.c:63 +#: tools/gpgconf.c:64 msgid "quiet" msgstr "Weniger Ausgaben" -#: tools/gpgconf.c:65 +#: tools/gpgconf.c:66 msgid "activate changes at runtime, if possible" msgstr "Aktiviere ?nderungen zur Laufzeit; falls m?glich" -#: tools/gpgconf.c:88 +#: tools/gpgconf.c:89 msgid "Usage: gpgconf [options] (-h for help)" msgstr "Gebrauch: gpgconf [Optionen] (-h f?r Hilfe)" -#: tools/gpgconf.c:91 +#: tools/gpgconf.c:92 msgid "" "Syntax: gpgconf [options]\n" "Manage configuration options for tools of the GnuPG system\n" @@ -1609,71 +1615,75 @@ "Syntax: gpgconf {Optionen]\n" "Verwalte Konfigurationsoptionen f?r Programme des GnuPG Systems\n" -#: tools/gpgconf.c:175 +#: tools/gpgconf.c:176 msgid "usage: gpgconf [options] " msgstr "Gebrauch: gpgconf [Optionen] " -#: tools/gpgconf.c:177 +#: tools/gpgconf.c:178 msgid "Need one component argument" msgstr "Ben?tige ein Komponenten Argument" -#: tools/gpgconf.c:186 +#: tools/gpgconf.c:187 msgid "Component not found" msgstr "Komponente nicht gefunden" -#: tools/gpgconf-comp.c:435 tools/gpgconf-comp.c:499 tools/gpgconf-comp.c:566 -#: tools/gpgconf-comp.c:619 tools/gpgconf-comp.c:688 +#: tools/gpgconf-comp.c:437 tools/gpgconf-comp.c:501 tools/gpgconf-comp.c:568 +#: tools/gpgconf-comp.c:624 tools/gpgconf-comp.c:693 msgid "Options controlling the diagnostic output" msgstr "Optionen zur Einstellung Diagnoseausgaben" -#: tools/gpgconf-comp.c:448 tools/gpgconf-comp.c:512 tools/gpgconf-comp.c:579 -#: tools/gpgconf-comp.c:632 tools/gpgconf-comp.c:711 +#: tools/gpgconf-comp.c:450 tools/gpgconf-comp.c:514 tools/gpgconf-comp.c:581 +#: tools/gpgconf-comp.c:637 tools/gpgconf-comp.c:716 msgid "Options controlling the configuration" msgstr "Optionen zur Einstellung der Konfiguration" -#: tools/gpgconf-comp.c:458 tools/gpgconf-comp.c:537 tools/gpgconf-comp.c:586 -#: tools/gpgconf-comp.c:642 tools/gpgconf-comp.c:718 +#: tools/gpgconf-comp.c:460 tools/gpgconf-comp.c:539 tools/gpgconf-comp.c:588 +#: tools/gpgconf-comp.c:647 tools/gpgconf-comp.c:723 msgid "Options useful for debugging" msgstr "N?tzliche Optionen zum Debuggen" -#: tools/gpgconf-comp.c:463 tools/gpgconf-comp.c:542 tools/gpgconf-comp.c:591 -#: tools/gpgconf-comp.c:647 tools/gpgconf-comp.c:726 +#: tools/gpgconf-comp.c:465 tools/gpgconf-comp.c:544 tools/gpgconf-comp.c:593 +#: tools/gpgconf-comp.c:652 tools/gpgconf-comp.c:731 msgid "|FILE|write server mode logs to FILE" msgstr "|DATEI|Schreibe im Servermodus Logs auf DATEI" -#: tools/gpgconf-comp.c:471 tools/gpgconf-comp.c:547 tools/gpgconf-comp.c:655 +#: tools/gpgconf-comp.c:473 tools/gpgconf-comp.c:549 tools/gpgconf-comp.c:660 msgid "Options controlling the security" msgstr "Optionen zur Einstellung der Sicherheit" -#: tools/gpgconf-comp.c:599 +#: tools/gpgconf-comp.c:601 msgid "Configuration for Keyservers" msgstr "Konfiguration der Schl?sselserver" -#: tools/gpgconf-comp.c:660 +#: tools/gpgconf-comp.c:606 +msgid "allow PKA lookups (DNS requests)" +msgstr "" + +#: tools/gpgconf-comp.c:665 msgid "do not check CRLs for root certificates" msgstr "CRL bei Wurzelzertifikaten nicht ?berpr?fen" -#: tools/gpgconf-comp.c:701 +#: tools/gpgconf-comp.c:706 msgid "Options controlling the format of the output" msgstr "Optionen zum Einstellen der Ausgabeformate" -#: tools/gpgconf-comp.c:737 +#: tools/gpgconf-comp.c:742 msgid "Options controlling the interactivity and enforcement" msgstr "Optionen zur Einstellung der Interaktivit?t und Geltendmachung" -#: tools/gpgconf-comp.c:747 +#: tools/gpgconf-comp.c:752 msgid "Configuration for HTTP servers" msgstr "Konfiguration f?r HTTP Server" -#: tools/gpgconf-comp.c:758 +#: tools/gpgconf-comp.c:763 msgid "use system's HTTP proxy setting" msgstr "Einstellungen des System HTTP-Proxy benutzen" -#: tools/gpgconf-comp.c:763 +#: tools/gpgconf-comp.c:768 msgid "Configuration of LDAP servers to use" msgstr "Konfiguration der zu nutzenden LDAP-Server" -#: tools/gpgconf-comp.c:800 +#: tools/gpgconf-comp.c:805 msgid "Configuration for OCSP" msgstr "Konfiguration zu OCSP" From cvs at cvs.gnupg.org Tue Jun 20 20:52:46 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 20 20:16:29 2006 Subject: [svn] GnuPG - r4164 - in branches/GNUPG-1-9-BRANCH: . po Message-ID: Author: wk Date: 2006-06-20 20:52:43 +0200 (Tue, 20 Jun 2006) New Revision: 4164 Modified: branches/GNUPG-1-9-BRANCH/ChangeLog branches/GNUPG-1-9-BRANCH/NEWS branches/GNUPG-1-9-BRANCH/configure.ac branches/GNUPG-1-9-BRANCH/po/de.po Log: Preparing a new release Modified: branches/GNUPG-1-9-BRANCH/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/ChangeLog 2006-06-20 17:47:10 UTC (rev 4163) +++ branches/GNUPG-1-9-BRANCH/ChangeLog 2006-06-20 18:52:43 UTC (rev 4164) @@ -1,3 +1,7 @@ +2006-06-20 Werner Koch + + Released 1.9.21. + 2006-06-08 Marcus Brinkmann * configure.ac (PTH_LIBS): Add --all to pth-config invocation. Modified: branches/GNUPG-1-9-BRANCH/NEWS =================================================================== --- branches/GNUPG-1-9-BRANCH/NEWS 2006-06-20 17:47:10 UTC (rev 4163) +++ branches/GNUPG-1-9-BRANCH/NEWS 2006-06-20 18:52:43 UTC (rev 4164) @@ -1,22 +1,22 @@ -Noteworthy changes in version 1.9.21 +Noteworthy changes in version 1.9.21 (2006-06-20) ------------------------------------------------- - * [scdaemon] New command APDU. + * New command APDU for scdaemon to allow using it for general card + access. Might be used through gpg-connect-agent by using the SCD + prefix command. - * [scdaemon] Support for keypads of some readers. Tested only with - SPR532. New option --disable-keypad. + * Support for the CardMan 4040 PCMCIA reader (Linux 2.6.15 required). - * [scdaemon] Support for CardMan 4040 PCMCIA reader. + * Scdaemon does not anymore reset cards at the end of a connection. - * [scdaemon] Cards are not anymore reseted at the end of a connection. + * Kludge to allow use of Bundesnetzagentur issued X.509 certificates. - * [gpgsm] Kludge to allow use of Bundesnetzagentur issued - certificates. + * Added --hash=xxx option to scdaemon's PKSIGN command. - * [scdaemon] Added --hash=xxx option to the PKSIGN command. + * Pkcs#12 files are now created with a MAC. This is for better + interoperability. - * [gpg-protect-tool] Does now create a MAC for P12 files. This is for - better interoperability. + * Collected bug fixes and minor other changes. Noteworthy changes in version 1.9.20 (2005-12-20) @@ -310,7 +310,7 @@ development branch. - Copyright 2002, 2003, 2004, 2005 Free Software Foundation, Inc. + Copyright 2002, 2003, 2004, 2005, 2006 Free Software Foundation, Inc. This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without Modified: branches/GNUPG-1-9-BRANCH/configure.ac =================================================================== --- branches/GNUPG-1-9-BRANCH/configure.ac 2006-06-20 17:47:10 UTC (rev 4163) +++ branches/GNUPG-1-9-BRANCH/configure.ac 2006-06-20 18:52:43 UTC (rev 4164) @@ -1,6 +1,6 @@ # configure.ac - for GnuPG 1.9 # Copyright (C) 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. # # This file is part of GnuPG. # @@ -27,7 +27,7 @@ # Set my_issvn to "yes" for non-released code. Remember to run an # "svn up" and "autogen.sh" right before creating a distribution. m4_define([my_version], [1.9.21]) -m4_define([my_issvn], [yes]) +m4_define([my_issvn], [no]) m4_define([svn_revision], m4_esyscmd([echo -n $((svn info 2>/dev/null \ Modified: branches/GNUPG-1-9-BRANCH/po/de.po =================================================================== --- branches/GNUPG-1-9-BRANCH/po/de.po 2006-06-20 17:47:10 UTC (rev 4163) +++ branches/GNUPG-1-9-BRANCH/po/de.po 2006-06-20 18:52:43 UTC (rev 4164) @@ -11,7 +11,7 @@ "Project-Id-Version: gnupg2 1.9.18\n" "Report-Msgid-Bugs-To: translations@gnupg.org\n" "POT-Creation-Date: 2006-06-20 18:45+0200\n" -"PO-Revision-Date: 2005-11-28 12:16+0100\n" +"PO-Revision-Date: 2006-06-20 20:04+0200\n" "Last-Translator: Werner Koch \n" "Language-Team: de\n" "MIME-Version: 1.0\n" @@ -747,7 +747,7 @@ #: scd/app-openpgp.c:2125 #, c-format msgid "card does not support digest algorithm %s\n" -msgstr "" +msgstr "Der Hashalgorithmus %s wird von der Karte nicht unterst?tzt\n" #: scd/app-openpgp.c:2172 #, c-format @@ -789,9 +789,9 @@ msgstr "Verbindung zum gpg-agent nicht m?glich - Ersatzmethode wird versucht\n" #: sm/call-dirmngr.c:182 -#, fuzzy, c-format +#, c-format msgid "no running dirmngr - starting `%s'\n" -msgstr "Kein aktiver Dirmngr - es wird einer gestartet\n" +msgstr "Kein aktiver Dirmngr - `%s' wird einer gestartet\n" #: sm/call-dirmngr.c:216 msgid "malformed DIRMNGR_INFO environment variable\n" @@ -1657,7 +1657,7 @@ #: tools/gpgconf-comp.c:606 msgid "allow PKA lookups (DNS requests)" -msgstr "" +msgstr "Erlaube PKA Zugriffe (DNS Anfragen)" #: tools/gpgconf-comp.c:665 msgid "do not check CRLs for root certificates" From cvs at cvs.gnupg.org Tue Jun 20 23:37:54 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 20 23:01:38 2006 Subject: [svn] GnuPG - r4165 - tags Message-ID: Author: wk Date: 2006-06-20 23:37:54 +0200 (Tue, 20 Jun 2006) New Revision: 4165 Added: tags/gnupg-1.9.21/ Log: Tagged release Copied: tags/gnupg-1.9.21 (from rev 4164, branches/GNUPG-1-9-BRANCH) From cvs at cvs.gnupg.org Wed Jun 21 03:15:43 2006 From: cvs at cvs.gnupg.org (svn author marcus) Date: Wed Jun 21 02:39:33 2006 Subject: [svn] gpgme - r1172 - trunk/doc Message-ID: Author: marcus Date: 2006-06-21 03:15:42 +0200 (Wed, 21 Jun 2006) New Revision: 1172 Modified: trunk/doc/ChangeLog trunk/doc/gpgme.texi Log: 2006-06-21 Marcus Brinkmann * gpgme.texi (Passphrase Callback): Fix inverted condition in description. Modified: trunk/doc/ChangeLog =================================================================== --- trunk/doc/ChangeLog 2006-06-08 22:07:27 UTC (rev 1171) +++ trunk/doc/ChangeLog 2006-06-21 01:15:42 UTC (rev 1172) @@ -1,3 +1,8 @@ +2006-06-21 Marcus Brinkmann + + * gpgme.texi (Passphrase Callback): Fix inverted condition in + description. + 2005-12-20 Werner Koch * gpgme.texi (Verify): Document pka_trust. Modified: trunk/doc/gpgme.texi =================================================================== --- trunk/doc/gpgme.texi 2006-06-08 22:07:27 UTC (rev 1171) +++ trunk/doc/gpgme.texi 2006-06-21 01:15:42 UTC (rev 1172) @@ -2210,9 +2210,9 @@ will be 0. The user must write the passphrase, followed by a newline character, -to the file descriptor @var{fd}. If the user does not return 0 -indicating success, the user must at least write a newline character -before returning from the callback. +to the file descriptor @var{fd}. If the user returns 0 indicating +success, the user must at least write a newline character before +returning from the callback. If an error occurs, return the corresponding @code{gpgme_error_t} value. You can use the error code @code{GPG_ERR_CANCELED} to abort From cvs at cvs.gnupg.org Wed Jun 21 11:16:03 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Wed Jun 21 10:39:44 2006 Subject: [svn] gcry - r1156 - branches/LIBGCRYPT-1-2-BRANCH/src Message-ID: Author: wk Date: 2006-06-21 11:16:02 +0200 (Wed, 21 Jun 2006) New Revision: 1156 Modified: branches/LIBGCRYPT-1-2-BRANCH/src/ChangeLog branches/LIBGCRYPT-1-2-BRANCH/src/global.c Log: Made gxry_xcalloc safe against integer overflow. Modified: branches/LIBGCRYPT-1-2-BRANCH/src/ChangeLog =================================================================== --- branches/LIBGCRYPT-1-2-BRANCH/src/ChangeLog 2006-06-08 11:49:38 UTC (rev 1155) +++ branches/LIBGCRYPT-1-2-BRANCH/src/ChangeLog 2006-06-21 09:16:02 UTC (rev 1156) @@ -1,3 +1,8 @@ +2006-06-21 Werner Koch + + * global.c (gcry_xcalloc, gcry_xcalloc_secure): made safe against + integer overflow. + 2005-06-17 Moritz Schulte * global.c (gcry_xstrdup): Removed superfluous strcpy call. Modified: branches/LIBGCRYPT-1-2-BRANCH/src/global.c =================================================================== --- branches/LIBGCRYPT-1-2-BRANCH/src/global.c 2006-06-08 11:49:38 UTC (rev 1155) +++ branches/LIBGCRYPT-1-2-BRANCH/src/global.c 2006-06-21 09:16:02 UTC (rev 1156) @@ -1,6 +1,6 @@ /* global.c - global control functions * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 - * 2004, 2005 Free Software Foundation, Inc. + * 2004, 2005, 2006 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * @@ -600,17 +600,37 @@ void * gcry_xcalloc( size_t n, size_t m ) { - void *p = gcry_xmalloc( n*m ); - memset( p, 0, n*m ); - return p; + size_t nbytes; + void *p; + + nbytes = n * m; + if (m && nbytes / m != n) + { + errno = ENOMEM; + _gcry_fatal_error(gpg_err_code_from_errno (errno), NULL ); + } + + p = gcry_xmalloc ( nbytes ); + memset ( p, 0, nbytes ); + return p; } void * gcry_xcalloc_secure( size_t n, size_t m ) { - void *p = gcry_xmalloc_secure( n* m ); - memset( p, 0, n*m ); - return p; + size_t nbytes; + void *p; + + nbytes = n * m; + if (m && nbytes / m != n) + { + errno = ENOMEM; + _gcry_fatal_error(gpg_err_code_from_errno (errno), NULL ); + } + + p = gcry_xmalloc_secure ( nbytes ); + memset ( p, 0, nbytes ); + return p; } char * From cvs at cvs.gnupg.org Wed Jun 21 11:19:15 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Wed Jun 21 10:42:54 2006 Subject: [svn] gcry - r1157 - in trunk: . cipher src Message-ID: Author: wk Date: 2006-06-21 11:19:13 +0200 (Wed, 21 Jun 2006) New Revision: 1157 Modified: trunk/NEWS trunk/TODO trunk/cipher/ChangeLog trunk/cipher/md.c trunk/cipher/pubkey.c trunk/cipher/rsa.c trunk/src/ChangeLog trunk/src/global.c trunk/src/sexp.c Log: Changed xmalloc style calls to proper malloc calls with error returns at many (but not all) places. Modified: trunk/NEWS =================================================================== --- trunk/NEWS 2006-06-21 09:16:02 UTC (rev 1156) +++ trunk/NEWS 2006-06-21 09:19:13 UTC (rev 1157) @@ -18,6 +18,9 @@ gcry_pk_algo_name CHANGED (minor change in respect to return value) gcry_cipher_algo_name CHANGED (minor change in respect to return value) GCRY_MD_SHA224 NEW +GCRY_PK_USAGE_CERT NEW +GCRY_PK_USAGE_AUTH NEW +GCRY_PK_USAGE_UNKN NEW FIXME: Please add API changes immediatley so that we don't forget about them. Modified: trunk/TODO =================================================================== --- trunk/TODO 2006-06-21 09:16:02 UTC (rev 1156) +++ trunk/TODO 2006-06-21 09:19:13 UTC (rev 1157) @@ -48,3 +48,14 @@ initialization of the pool and in case the entropy collectros need to run that bunch of Unix utilities we don't waste their precious results. + +* Out of memory handler for secure memory shopuld do proper logging + + There is no shortage of standard memory, so logging is most likely + possible. + +* signed vs. unsigned. + Sync the code with 1.2 where we have fixed all these issues. + + + Modified: trunk/cipher/ChangeLog =================================================================== --- trunk/cipher/ChangeLog 2006-06-21 09:16:02 UTC (rev 1156) +++ trunk/cipher/ChangeLog 2006-06-21 09:19:13 UTC (rev 1157) @@ -1,3 +1,11 @@ +2006-06-21 Werner Koch + + * rsa.c (_gcry_rsa_generate): Replace xcalloc by calloc. + * pubkey.c (gcry_pk_encrypt, gcry_pk_sign): Ditto. + (sexp_to_key, sexp_to_sig, sexp_to_enc, gcry_pk_encrypt) + (gcry_pk_sign, gcry_pk_genkey, gcry_pk_get_keygrip): Ditto. + * md.c (md_copy): Ditto. + 2006-04-22 Moritz Schulte * random-daemon.c (_gcry_daemon_initialize_basics): New argument: Modified: trunk/cipher/md.c =================================================================== --- trunk/cipher/md.c 2006-06-21 09:16:02 UTC (rev 1156) +++ trunk/cipher/md.c 2006-06-21 09:19:13 UTC (rev 1157) @@ -440,8 +440,8 @@ } if (! ctx->macpads) { + err = gpg_err_code_from_errno (errno); md_close (hd); - err = gpg_err_code_from_errno (errno); } } } @@ -602,8 +602,8 @@ b->macpads = gcry_malloc_secure (2*(a->macpads_Bsize)); if (! b->macpads) { + err = gpg_err_code_from_errno (errno); md_close (bhd); - err = gpg_err_code_from_errno (errno); } else memcpy (b->macpads, a->macpads, (2*(a->macpads_Bsize))); @@ -612,32 +612,41 @@ /* Copy the complete list of algorithms. The copied list is reversed, but that doesn't matter. */ - if (! err) - for (ar = a->list; ar; ar = ar->next) - { - if (a->secure) - br = gcry_xmalloc_secure (sizeof *br - + ar->digest->contextsize - - sizeof(ar->context)); - else - br = gcry_xmalloc (sizeof *br - + ar->digest->contextsize - - sizeof (ar->context)); - memcpy (br, ar, - sizeof (*br) + ar->digest->contextsize - sizeof (ar->context)); - br->next = b->list; - b->list = br; + if (!err) + { + for (ar = a->list; ar; ar = ar->next) + { + if (a->secure) + br = gcry_malloc_secure (sizeof *br + + ar->digest->contextsize + - sizeof(ar->context)); + else + br = gcry_malloc (sizeof *br + + ar->digest->contextsize + - sizeof (ar->context)); + if (!br) + { + err = gpg_err_code_from_errno (errno); + md_close (bhd); + break; + } - /* Add a reference to the module. */ - ath_mutex_lock (&digests_registered_lock); - _gcry_module_use (br->module); - ath_mutex_unlock (&digests_registered_lock); - } + memcpy (br, ar, (sizeof (*br) + ar->digest->contextsize + - sizeof (ar->context))); + br->next = b->list; + b->list = br; + + /* Add a reference to the module. */ + ath_mutex_lock (&digests_registered_lock); + _gcry_module_use (br->module); + ath_mutex_unlock (&digests_registered_lock); + } + } - if (a->debug) + if (a->debug && !err) md_start_debug (bhd, "unknown"); - if (! err) + if (!err) *b_hd = bhd; return err; @@ -822,7 +831,7 @@ rc = gcry_err_code (gcry_md_setkey (hd, buffer, buflen)); break; case GCRYCTL_START_DUMP: - md_start_debug (hd, buffer); + md_start_debug (hd, (char*)buffer); break; case GCRYCTL_STOP_DUMP: md_stop_debug( hd ); Modified: trunk/cipher/pubkey.c =================================================================== --- trunk/cipher/pubkey.c 2006-06-21 09:16:02 UTC (rev 1156) +++ trunk/cipher/pubkey.c 2006-06-21 09:19:13 UTC (rev 1157) @@ -786,7 +786,15 @@ } { - char *name_terminated = gcry_xmalloc (n + 1); + char *name_terminated; + + name_terminated = gcry_malloc (n + 1); + if (!name_terminated) + { + err = gpg_err_code_from_errno (errno); + gcry_sexp_release (list); + return err; + } memcpy (name_terminated, name, n); name_terminated[n] = 0; @@ -876,7 +884,17 @@ } { - char *name_terminated = gcry_xmalloc (n + 1); + char *name_terminated; + + name_terminated = gcry_malloc (n + 1); + if (!name_terminated) + { + err = gcry_err_code_from_errno (errno); + gcry_sexp_release (l2); + gcry_sexp_release (list); + return err; + } + memcpy (name_terminated, name, n); name_terminated[n] = 0; @@ -1026,7 +1044,14 @@ } { - char *name_terminated = gcry_xmalloc (n + 1); + char *name_terminated; + + name_terminated = gcry_malloc (n + 1); + if (!name_terminated) + { + err = gcry_err_code_from_errno (errno); + goto leave; + } memcpy (name_terminated, name, n); name_terminated[n] = 0; @@ -1391,7 +1416,12 @@ goto leave; /* Now we can encrypt DATA to CIPH. */ - ciph = gcry_xcalloc (strlen (algo_elems) + 1, sizeof (*ciph)); + ciph = gcry_calloc (strlen (algo_elems) + 1, sizeof (*ciph)); + if (!ciph) + { + rc = gpg_err_code_from_errno (errno); + goto leave; + } rc = pubkey_encrypt (module->mod_id, ciph, data, pkey, flags); mpi_free (data); data = NULL; @@ -1407,7 +1437,12 @@ void **arg_list; /* Build the string. */ - string = p = gcry_xmalloc (needed); + string = p = gcry_malloc (needed); + if (!string) + { + rc = gpg_err_code_from_errno (errno); + goto leave; + } p = stpcpy ( p, "(enc-val(" ); p = stpcpy ( p, algo_name ); for (i=0; algo_elems[i]; i++ ) @@ -1609,7 +1644,12 @@ if (rc) goto leave; - result = gcry_xcalloc (strlen (algo_elems) + 1, sizeof (*result)); + result = gcry_calloc (strlen (algo_elems) + 1, sizeof (*result)); + if (!result) + { + rc = gpg_err_code_from_errno (errno); + goto leave; + } rc = pubkey_sign (module->mod_id, result, hash, skey); if (rc) goto leave; @@ -1625,7 +1665,12 @@ needed += 10 * nelem; /* Build the string. */ - string = p = gcry_xmalloc (needed); + string = p = gcry_malloc (needed); + if (!string) + { + rc = gpg_err_code_from_errno (errno); + goto leave; + } p = stpcpy (p, "(sig-val("); p = stpcpy (p, algo_name); for (i = 0; algo_elems[i]; i++) @@ -1847,7 +1892,12 @@ goto leave; } - name_terminated = gcry_xmalloc (n + 1); + name_terminated = gcry_malloc (n + 1); + if (!name_terminated) + { + rc = gpg_err_code_from_errno (errno); + goto leave; + } memcpy (name_terminated, name, n); name_terminated[n] = 0; ath_mutex_lock (&pubkeys_registered_lock); @@ -1908,7 +1958,12 @@ goto leave; } - name_terminated = gcry_xmalloc (n + 1); + name_terminated = gcry_malloc (n + 1); + if (!name_terminated) + { + rc = gpg_err_code_from_errno (errno); + goto leave; + } memcpy (name_terminated, name, n); name_terminated[n] = 0; nbits = (unsigned int) strtoul (name_terminated, NULL, 0); @@ -1935,7 +1990,12 @@ /* Build the string. */ nelem = 0; - string = p = gcry_xmalloc (needed); + string = p = gcry_malloc (needed); + if (!string) + { + rc = gpg_err_code_from_errno (errno); + goto leave; + } p = stpcpy (p, "(key-data"); p = stpcpy (p, "(public-key("); p = stpcpy (p, algo_name); @@ -2103,7 +2163,9 @@ goto fail; /* Invalid structure of object. */ { - char *name_terminated = gcry_xmalloc (n + 1); + char *name_terminated = gcry_malloc (n + 1); + if (!name_terminated) + goto fail; memcpy (name_terminated, name, n); name_terminated[n] = 0; ath_mutex_lock (&pubkeys_registered_lock); Modified: trunk/cipher/rsa.c =================================================================== --- trunk/cipher/rsa.c 2006-06-21 09:16:02 UTC (rev 1156) +++ trunk/cipher/rsa.c 2006-06-21 09:19:13 UTC (rev 1157) @@ -28,6 +28,8 @@ #include #include #include +#include + #include "g10lib.h" #include "mpi.h" #include "cipher.h" @@ -440,6 +442,8 @@ gcry_mpi_t *skey, gcry_mpi_t **retfactors) { RSA_secret_key sk; + gpg_err_code_t rc; + int i; generate (&sk, nbits, use_e); skey[0] = sk.n; @@ -449,10 +453,21 @@ skey[4] = sk.q; skey[5] = sk.u; - /* make an empty list of factors */ - *retfactors = gcry_xcalloc( 1, sizeof **retfactors ); + /* Make an empty list of factors. */ + *retfactors = gcry_calloc ( 1, sizeof **retfactors ); + if (!*retfactors) + { + rc = gpg_err_code_from_errno (errno); + for (i=0; i <= 5; i++) + { + gcry_mpi_release (skey[i]); + skey[i] = NULL; + } + } + else + rc = 0; - return GPG_ERR_NO_ERROR; + return rc; } Modified: trunk/src/ChangeLog =================================================================== --- trunk/src/ChangeLog 2006-06-21 09:16:02 UTC (rev 1156) +++ trunk/src/ChangeLog 2006-06-21 09:19:13 UTC (rev 1157) @@ -1,3 +1,17 @@ +2006-06-21 Werner Koch + + * global.c (gcry_xcalloc, gcry_xcalloc_secure): Made safe against + integer overflow. + + * sexp.c (make_space): Return an error on out of core. + (sexp_sscan): Remove all xmalloc style calls and return proper + error codes on allocation failures. + (gcry_sexp_find_token): Ditto. + (gcry_sexp_nth): + + * sexp.c (gcry_sexp_find_token): Re-indented and removed a cruft + "while(level);" which fortunately had no effect. + 2006-04-28 Werner Koch * gcrypt.h (GCRY_MD_SHA224): Change value from 306 to 11 to match Modified: trunk/src/global.c =================================================================== --- trunk/src/global.c 2006-06-21 09:16:02 UTC (rev 1156) +++ trunk/src/global.c 2006-06-21 09:19:13 UTC (rev 1157) @@ -1,6 +1,6 @@ /* global.c - global control functions * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003 - * 2004, 2005 Free Software Foundation, Inc. + * 2004, 2005, 2006 Free Software Foundation, Inc. * * This file is part of Libgcrypt. * @@ -659,20 +659,41 @@ return p; } + void * gcry_xcalloc( size_t n, size_t m ) { - void *p = gcry_xmalloc( n*m ); - memset( p, 0, n*m ); - return p; + size_t nbytes; + void *p; + + nbytes = n * m; + if (m && nbytes / m != n) + { + errno = ENOMEM; + _gcry_fatal_error(gpg_err_code_from_errno (errno), NULL ); + } + + p = gcry_xmalloc ( nbytes ); + memset ( p, 0, nbytes ); + return p; } void * gcry_xcalloc_secure( size_t n, size_t m ) { - void *p = gcry_xmalloc_secure( n* m ); - memset( p, 0, n*m ); - return p; + size_t nbytes; + void *p; + + nbytes = n * m; + if (m && nbytes / m != n) + { + errno = ENOMEM; + _gcry_fatal_error(gpg_err_code_from_errno (errno), NULL ); + } + + p = gcry_xmalloc_secure ( nbytes ); + memset ( p, 0, nbytes ); + return p; } char * Modified: trunk/src/sexp.c =================================================================== --- trunk/src/sexp.c 2006-06-21 09:16:02 UTC (rev 1156) +++ trunk/src/sexp.c 2006-06-21 09:19:13 UTC (rev 1157) @@ -26,6 +26,7 @@ #include #include #include +#include #define GCRYPT_NO_MPI_MACROS 1 #include "g10lib.h" @@ -367,61 +368,78 @@ gcry_sexp_t gcry_sexp_find_token( const gcry_sexp_t list, const char *tok, size_t toklen ) { - const byte *p; - DATALEN n; + const byte *p; + DATALEN n; + + if ( !list ) + return NULL; - if ( !list ) - return NULL; + if ( !toklen ) + toklen = strlen(tok); - if( !toklen ) - toklen = strlen(tok); - p = list->d; - while ( *p != ST_STOP ) { - if ( *p == ST_OPEN && p[1] == ST_DATA ) { - const byte *head = p; + p = list->d; + while ( *p != ST_STOP ) + { + if ( *p == ST_OPEN && p[1] == ST_DATA ) + { + const byte *head = p; - p += 2; - memcpy ( &n, p, sizeof n ); p += sizeof n; - if ( n == toklen && !memcmp( p, tok, toklen ) ) { /* found it */ - gcry_sexp_t newlist; - byte *d; - int level = 1; + p += 2; + memcpy ( &n, p, sizeof n ); + p += sizeof n; + if ( n == toklen && !memcmp( p, tok, toklen ) ) + { /* found it */ + gcry_sexp_t newlist; + byte *d; + int level = 1; - /* look for the end of the list */ - for ( p += n; level; p++ ) { - if ( *p == ST_DATA ) { + /* Look for the end of the list. */ + for ( p += n; level; p++ ) + { + if ( *p == ST_DATA ) + { memcpy ( &n, ++p, sizeof n ); p += sizeof n + n; - p--; /* compensate for later increment */ + p--; /* Compensate for later increment. */ } - else if ( *p == ST_OPEN ) { - level++; + else if ( *p == ST_OPEN ) + { + level++; } - else if ( *p == ST_CLOSE ) { - level--; + else if ( *p == ST_CLOSE ) + { + level--; } - else if ( *p == ST_STOP ) { - BUG (); + else if ( *p == ST_STOP ) + { + BUG (); } - } while ( level ); - n = p - head; + } + n = p - head; - newlist = gcry_xmalloc ( sizeof *newlist + n ); - d = newlist->d; - memcpy ( d, head, n ); d += n; - *d++ = ST_STOP; - return normalize ( newlist ); + newlist = gcry_malloc ( sizeof *newlist + n ); + if (!newlist) + { + /* No way to return an error code, so we can only + return Not Found. */ + return NULL; + } + d = newlist->d; + memcpy ( d, head, n ); d += n; + *d++ = ST_STOP; + return normalize ( newlist ); } - p += n; + p += n; } - else if ( *p == ST_DATA ) { - memcpy ( &n, ++p, sizeof n ); p += sizeof n; - p += n; + else if ( *p == ST_DATA ) + { + memcpy ( &n, ++p, sizeof n ); p += sizeof n; + p += n; } - else - p++; + else + p++; } - return NULL; + return NULL; } /**************** @@ -462,9 +480,8 @@ -/**************** - * Extract the CAR of the given list - */ +/* Extract the CAR of the given list. May return NULL for bad lists + or memory failure. */ gcry_sexp_t gcry_sexp_nth( const gcry_sexp_t list, int number ) { @@ -503,7 +520,9 @@ if ( *p == ST_DATA ) { memcpy ( &n, p, sizeof n ); p += sizeof n; - newlist = gcry_xmalloc ( sizeof *newlist + n + 1 ); + newlist = gcry_malloc ( sizeof *newlist + n + 1 ); + if (!newlist) + return NULL; d = newlist->d; memcpy ( d, p, n ); d += n; *d++ = ST_STOP; @@ -531,7 +550,9 @@ } while ( level ); n = p + 1 - head; - newlist = gcry_xmalloc ( sizeof *newlist + n ); + newlist = gcry_malloc ( sizeof *newlist + n ); + if (!newlist) + return NULL; d = newlist->d; memcpy ( d, head, n ); d += n; *d++ = ST_STOP; @@ -723,7 +744,9 @@ } while ( level ); n = p - head; - newlist = gcry_xmalloc ( sizeof *newlist + n + 2 ); + newlist = gcry_malloc ( sizeof *newlist + n + 2 ); + if (!newlist) + return NULL; d = newlist->d; *d++ = ST_OPEN; memcpy ( d, head, n ); d += n; @@ -775,21 +798,29 @@ byte *pos; }; -static void +static gpg_err_code_t make_space ( struct make_space_ctx *c, size_t n ) { - size_t used = c->pos - c->sexp->d; - - if ( used + n + sizeof(DATALEN) + 1 >= c->allocated ) { - gcry_sexp_t newsexp; - byte *newhead; - - c->allocated += 2*(n+sizeof(DATALEN)+1); - newsexp = gcry_xrealloc ( c->sexp, sizeof *newsexp + c->allocated - 1 ); - newhead = newsexp->d; - c->pos = newhead + used; - c->sexp = newsexp; + size_t used = c->pos - c->sexp->d; + + if ( used + n + sizeof(DATALEN) + 1 >= c->allocated ) + { + gcry_sexp_t newsexp; + byte *newhead; + size_t newsize; + + newsize = c->allocated + 2*(n+sizeof(DATALEN)+1); + if (newsize <= c->allocated) + return GPG_ERR_TOO_LARGE; + newsexp = gcry_realloc ( c->sexp, sizeof *newsexp + newsize - 1); + if (!newsexp) + return gpg_err_code_from_errno (errno); + c->allocated = newsize; + newhead = newsexp->d; + c->pos = newhead + used; + c->sexp = newsexp; } + return 0; } @@ -891,7 +922,7 @@ const char *buffer, size_t length, int argflag, va_list arg_ptr, void **arg_list) { - gcry_err_code_t err = GPG_ERR_NO_ERROR; + gcry_err_code_t err = 0; static const char tokenchars[] = "abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" @@ -913,8 +944,6 @@ int arg_counter = 0; int level = 0; - /* FIXME: invent better error codes (?). */ - if (!erroff) erroff = &dummy_erroff; @@ -931,21 +960,41 @@ } \ while (0) -#define MAKE_SPACE(n) do { make_space ( &c, (n) ); } while (0) + /* The MAKE_SPACE macro is used before each store operation to + ensure that the buffer is large enough. It requires a global + context named C and jumps out to the label LEAVE on error! It + also sets ERROFF using the variables BUFFER and P. */ +#define MAKE_SPACE(n) do { \ + gpg_err_code_t _ms_err = make_space (&c, (n)); \ + if (_ms_err) \ + { \ + err = _ms_err; \ + *erroff = p - buffer; \ + goto leave; \ + } \ + } while (0) + + /* The STORE_LEN macro is used to store the length N at buffer P. */ #define STORE_LEN(p,n) do { \ DATALEN ashort = (n); \ memcpy ( (p), &ashort, sizeof(ashort) ); \ (p) += sizeof (ashort); \ } while (0) - /* We assume that the internal representation takes less memory - * than the provided one. However, we add space for one extra datalen - * so that the code which does the ST_CLOSE can use MAKE_SPACE */ + /* We assume that the internal representation takes less memory than + the provided one. However, we add space for one extra datalen so + that the code which does the ST_CLOSE can use MAKE_SPACE */ c.allocated = length + sizeof(DATALEN); if (buffer && length && gcry_is_secure (buffer)) - c.sexp = gcry_xmalloc_secure (sizeof *c.sexp + c.allocated - 1); + c.sexp = gcry_malloc_secure (sizeof *c.sexp + c.allocated - 1); else - c.sexp = gcry_xmalloc (sizeof *c.sexp + c.allocated - 1); + c.sexp = gcry_malloc (sizeof *c.sexp + c.allocated - 1); + if (!c.sexp) + { + err = gpg_err_code_from_errno (errno); + *erroff = 0; + goto leave; + } c.pos = c.sexp->d; for (p = buffer, n = length; n; p++, n--) @@ -986,6 +1035,7 @@ *erroff = p - buffer; /* Invalid octal value. */ err = GPG_ERR_SEXP_BAD_QUOTATION; + goto leave; } p += 2; n -= 2; @@ -998,6 +1048,7 @@ *erroff = p - buffer; /* Invalid hex value. */ err = GPG_ERR_SEXP_BAD_QUOTATION; + goto leave; } p += 2; n -= 2; @@ -1028,6 +1079,7 @@ *erroff = p - buffer; /* Invalid quoted string escape. */ err = GPG_ERR_SEXP_BAD_QUOTATION; + goto leave; } } else if (*p == '\\') @@ -1060,6 +1112,7 @@ { *erroff = p - buffer; err = GPG_ERR_SEXP_ODD_HEX_NUMBERS; + goto leave; } datalen = hexcount / 2; @@ -1079,6 +1132,7 @@ { *erroff = p - buffer; err = GPG_ERR_SEXP_BAD_HEX_CHAR; + goto leave; } } else if (base64) @@ -1099,6 +1153,7 @@ *erroff = p - buffer; /* Buffer too short. */ err = GPG_ERR_SEXP_STRING_TOO_LONG; + goto leave; } /* Make a new list entry. */ MAKE_SPACE (datalen); @@ -1130,6 +1185,7 @@ { *erroff = p - buffer; err = GPG_ERR_SEXP_INV_LEN_SPEC; + goto leave; } } else if (percent) @@ -1153,8 +1209,13 @@ gcry_sexp_t newsexp; byte *newhead; - newsexp = gcry_xmalloc_secure (sizeof *newsexp - + c.allocated - 1); + newsexp = gcry_malloc_secure (sizeof *newsexp + + c.allocated - 1); + if (!newsexp) + { + err = gpg_err_code_from_errno (errno); + goto leave; + } newhead = newsexp->d; memcpy (newhead, c.sexp->d, (c.pos - c.sexp->d)); c.pos = newhead + (c.pos - c.sexp->d); @@ -1201,8 +1262,13 @@ gcry_sexp_t newsexp; byte *newhead; - newsexp = gcry_xmalloc_secure (sizeof *newsexp - + c.allocated - 1); + newsexp = gcry_malloc_secure (sizeof *newsexp + + c.allocated - 1); + if (!newsexp) + { + err = gpg_err_code_from_errno (errno); + goto leave; + } newhead = newsexp->d; memcpy (newhead, c.sexp->d, (c.pos - c.sexp->d)); c.pos = newhead + (c.pos - c.sexp->d); @@ -1236,6 +1302,7 @@ *erroff = p - buffer; /* Invalid format specifier. */ err = GPG_ERR_SEXP_INV_LEN_SPEC; + goto leave; } percent = NULL; } @@ -1246,6 +1313,7 @@ *erroff = p - buffer; /* Open display hint. */ err = GPG_ERR_SEXP_UNMATCHED_DH; + goto leave; } MAKE_SPACE (0); *c.pos++ = ST_OPEN; @@ -1259,6 +1327,7 @@ *erroff = p - buffer; /* Open display hint. */ err = GPG_ERR_SEXP_UNMATCHED_DH; + goto leave; } MAKE_SPACE (0); *c.pos++ = ST_CLOSE; @@ -1283,6 +1352,7 @@ *erroff = p - buffer; /* Open display hint. */ err = GPG_ERR_SEXP_NESTED_DH; + goto leave; } disphint = p; } @@ -1293,6 +1363,7 @@ *erroff = p - buffer; /* Open display hint. */ err = GPG_ERR_SEXP_UNMATCHED_DH; + goto leave; } disphint = NULL; } @@ -1303,6 +1374,7 @@ /* A length may not begin with zero. */ *erroff = p - buffer; err = GPG_ERR_SEXP_ZERO_PREFIX; + goto leave; } digptr = p; } @@ -1318,12 +1390,14 @@ need to save it. Great. */ *erroff = p - buffer; err = GPG_ERR_SEXP_UNEXPECTED_PUNC; + goto leave; } else if (strchr ("&\\", *p)) { /* Reserved punctuation. */ *erroff = p - buffer; err = GPG_ERR_SEXP_UNEXPECTED_PUNC; + goto leave; } else if (argflag && (*p == '%')) percent = p; @@ -1332,14 +1406,16 @@ /* Bad or unavailable. */ *erroff = p - buffer; err = GPG_ERR_SEXP_BAD_CHARACTER; + goto leave; } } MAKE_SPACE (0); *c.pos++ = ST_STOP; - if (level) + if (level && !err) err = GPG_ERR_SEXP_UNMATCHED_PAREN; + leave: if (err) { /* Error -> deallocate. */ From cvs at cvs.gnupg.org Thu Jun 22 19:20:48 2006 From: cvs at cvs.gnupg.org (svn author marcus) Date: Thu Jun 22 18:44:33 2006 Subject: [svn] gpgme - r1173 - trunk/gpgme Message-ID: Author: marcus Date: 2006-06-22 19:20:47 +0200 (Thu, 22 Jun 2006) New Revision: 1173 Modified: trunk/gpgme/ChangeLog trunk/gpgme/keylist.c Log: 2006-06-22 Marcus Brinkmann * keylist.c (gpgme_get_key): Also clone the engine info. Modified: trunk/gpgme/ChangeLog =================================================================== --- trunk/gpgme/ChangeLog 2006-06-21 01:15:42 UTC (rev 1172) +++ trunk/gpgme/ChangeLog 2006-06-22 17:20:47 UTC (rev 1173) @@ -1,3 +1,7 @@ +2006-06-22 Marcus Brinkmann + + * keylist.c (gpgme_get_key): Also clone the engine info. + 2006-03-06 Marcus Brinkmann * gpgme-config.in (cflags_pth): Revert accidential removal of Modified: trunk/gpgme/keylist.c =================================================================== --- trunk/gpgme/keylist.c 2006-06-21 01:15:42 UTC (rev 1172) +++ trunk/gpgme/keylist.c 2006-06-22 17:20:47 UTC (rev 1173) @@ -939,8 +939,22 @@ err = gpgme_new (&listctx); if (err) return err; - gpgme_set_protocol (listctx, gpgme_get_protocol (ctx)); - gpgme_set_keylist_mode (listctx, ctx->keylist_mode); + { + gpgme_protocol_t proto; + gpgme_engine_info_t info; + + /* Clone the relevant state. */ + proto = gpgme_get_protocol (ctx); + gpgme_set_protocol (listctx, proto); + gpgme_set_keylist_mode (listctx, gpgme_get_keylist_mode (ctx)); + info = gpgme_ctx_get_engine_info (ctx); + while (info && info->protocol != proto) + info = info->next; + if (info) + gpgme_ctx_set_engine_info (listctx, proto, + info->file_name, info->home_dir); + } + err = gpgme_op_keylist_start (listctx, fpr, secret); if (!err) err = gpgme_op_keylist_next (listctx, r_key); From cvs at cvs.gnupg.org Thu Jun 22 21:13:24 2006 From: cvs at cvs.gnupg.org (svn author dshaw) Date: Thu Jun 22 20:37:07 2006 Subject: [svn] GnuPG - r4166 - trunk/doc Message-ID: Author: dshaw Date: 2006-06-22 21:13:18 +0200 (Thu, 22 Jun 2006) New Revision: 4166 Modified: trunk/doc/ChangeLog trunk/doc/gpg.sgml Log: * gpg.sgml: Note that --pgp8 does not include SHA224. Clarify that clearsigned messages are not reversible. Modified: trunk/doc/ChangeLog =================================================================== --- trunk/doc/ChangeLog 2006-06-20 21:37:54 UTC (rev 4165) +++ trunk/doc/ChangeLog 2006-06-22 19:13:18 UTC (rev 4166) @@ -1,3 +1,8 @@ +2006-06-22 David Shaw + + * gpg.sgml: Note that --pgp8 does not include SHA224. Clarify + that clearsigned messages are not reversible. + 2006-05-23 David Shaw * mksamplekeys: Incorporate new package signature key and minimize Modified: trunk/doc/gpg.sgml =================================================================== --- trunk/doc/gpg.sgml 2006-06-20 21:37:54 UTC (rev 4165) +++ trunk/doc/gpg.sgml 2006-06-22 19:13:18 UTC (rev 4166) @@ -120,7 +120,11 @@ --clearsign &OptParmFile; -Make a clear text signature. +Make a clear text signature. The content in a clear text signature is +readable without any special software. OpenPGP software is only +needed to verify the signature. Clear text signatures may modify +end-of-line whitespace for platform independence and are not intended +to be reversible. @@ -2496,7 +2500,8 @@ Set up all options to be as PGP 8 compliant as possible. PGP 8 is a lot closer to the OpenPGP standard than previous versions of PGP, so all this does is disable --throw-keyids and set --escape-from-lines. -All algorithms are allowed except for the SHA384 and SHA512 digests. +All algorithms are allowed except for the SHA224, SHA384, and SHA512 +digests. From cvs at cvs.gnupg.org Thu Jun 22 21:17:23 2006 From: cvs at cvs.gnupg.org (svn author dshaw) Date: Thu Jun 22 20:40:56 2006 Subject: [svn] GnuPG - r4167 - trunk/g10 Message-ID: Author: dshaw Date: 2006-06-22 21:17:21 +0200 (Thu, 22 Jun 2006) New Revision: 4167 Modified: trunk/g10/ChangeLog trunk/g10/sign.c Log: * sign.c (do_sign): Accept a truncated hash even for DSA1 keys (be liberal in what you accept, etc). Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-22 19:13:18 UTC (rev 4166) +++ trunk/g10/ChangeLog 2006-06-22 19:17:21 UTC (rev 4167) @@ -1,3 +1,8 @@ +2006-06-22 David Shaw + + * sign.c (do_sign): Accept a truncated hash even for DSA1 keys (be + liberal in what you accept, etc). + 2006-06-12 David Shaw * import.c (import_one): Add a flag (from_sk) so we don't check @@ -2,3 +7,3 @@ prefs on an autoconverted public key. The check should only - happen on the sk size. Noted by Dirk Traulsen. + happen on the sk side. Noted by Dirk Traulsen. Modified: trunk/g10/sign.c =================================================================== --- trunk/g10/sign.c 2006-06-22 19:13:18 UTC (rev 4166) +++ trunk/g10/sign.c 2006-06-22 19:17:21 UTC (rev 4167) @@ -319,6 +319,12 @@ } else { +#if 0 + /* Disabled for now. It seems reasonable to accept a + truncated hash for a DSA1 key, even though we don't + generate it without --enable-dsa2. Be liberal in what you + accept, etc. */ + /* If it's a DSA key, and q is 160 bits, it might be an old-style DSA key. If the hash doesn't match the q, fail unless --enable-dsa2 is set. If the q isn't 160 bits, then @@ -333,6 +339,7 @@ log_error(_("DSA requires the use of a 160 bit hash algorithm\n")); return G10ERR_GENERAL; } +#endif frame = encode_md_value( NULL, sk, md, digest_algo ); if (!frame) From cvs at cvs.gnupg.org Fri Jun 23 00:56:57 2006 From: cvs at cvs.gnupg.org (svn author dshaw) Date: Fri Jun 23 00:20:44 2006 Subject: [svn] GnuPG - r4168 - trunk/g10 Message-ID: Author: dshaw Date: 2006-06-23 00:56:54 +0200 (Fri, 23 Jun 2006) New Revision: 4168 Modified: trunk/g10/ChangeLog trunk/g10/gpg.c trunk/g10/keygen.c trunk/g10/options.h Log: * options.h, gpg.c (main), keygen.c (keygen_upd_std_prefs, keygen_add_std_prefs, proc_parameter_file): Add --default-keyserver-url to specify a keyserver URL at key generation time, and "Keyserver:" keyword for doing the same through a batch file. Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-22 19:17:21 UTC (rev 4167) +++ trunk/g10/ChangeLog 2006-06-22 22:56:54 UTC (rev 4168) @@ -1,5 +1,11 @@ 2006-06-22 David Shaw + * options.h, gpg.c (main), keygen.c (keygen_upd_std_prefs, + keygen_add_std_prefs, proc_parameter_file): Add + --default-keyserver-url to specify a keyserver URL at key + generation time, and "Keyserver:" keyword for doing the same + through a batch file. + * sign.c (do_sign): Accept a truncated hash even for DSA1 keys (be liberal in what you accept, etc). Modified: trunk/g10/gpg.c =================================================================== --- trunk/g10/gpg.c 2006-06-22 19:17:21 UTC (rev 4167) +++ trunk/g10/gpg.c 2006-06-22 22:56:54 UTC (rev 4168) @@ -333,6 +333,7 @@ oNoAutoCheckTrustDB, oPreservePermissions, oDefaultPreferenceList, + oDefaultKeyserverURL, oPersonalCipherPreferences, oPersonalDigestPreferences, oPersonalCompressPreferences, @@ -667,6 +668,7 @@ { aRebuildKeydbCaches, "rebuild-keydb-caches", 256, "@"}, { oPreservePermissions, "preserve-permissions", 0, "@"}, { oDefaultPreferenceList, "default-preference-list", 2, "@"}, + { oDefaultKeyserverURL, "default-keyserver-url", 2, "@"}, { oPersonalCipherPreferences, "personal-cipher-preferences", 2, "@"}, { oPersonalDigestPreferences, "personal-digest-preferences", 2, "@"}, { oPersonalCompressPreferences, "personal-compress-preferences", 2, "@"}, @@ -2652,6 +2654,19 @@ case oDefaultPreferenceList: opt.def_preference_list = pargs.r.ret_str; break; + case oDefaultKeyserverURL: + { + struct keyserver_spec *keyserver; + keyserver=parse_keyserver_uri(pargs.r.ret_str,1, + configname,configlineno); + if(!keyserver) + log_error(_("could not parse keyserver URL\n")); + else + free_keyserver_spec(keyserver); + + opt.def_keyserver_url = pargs.r.ret_str; + } + break; case oPersonalCipherPreferences: pers_cipher_list=pargs.r.ret_str; break; Modified: trunk/g10/keygen.c =================================================================== --- trunk/g10/keygen.c 2006-06-22 19:17:21 UTC (rev 4167) +++ trunk/g10/keygen.c 2006-06-22 22:56:54 UTC (rev 4168) @@ -41,6 +41,7 @@ #include "status.h" #include "i18n.h" #include "cardglue.h" +#include "keyserver-internal.h" #define MAX_PREFS 30 @@ -66,7 +67,8 @@ pPASSPHRASE_S2K, pSERIALNO, pBACKUPENCDIR, - pHANDLE + pHANDLE, + pKEYSERVER }; struct para_data_s { @@ -655,6 +657,7 @@ /* Make sure that the MDC feature flag is set if needed */ add_feature_mdc (sig,mdc_available); add_keyserver_modify (sig,ks_modify); + keygen_add_keyserver_url(sig,NULL); return 0; } @@ -673,6 +676,7 @@ do_add_key_flags (sig, pk->pubkey_usage); keygen_add_key_expire( sig, opaque ); keygen_upd_std_prefs (sig, opaque); + keygen_add_keyserver_url(sig,NULL); return 0; } @@ -682,6 +686,9 @@ { const char *url=opaque; + if(!url) + url=opt.def_keyserver_url; + if(url) build_sig_subpkt(sig,SIGSUBPKT_PREF_KS,url,strlen(url)); else @@ -2238,6 +2245,25 @@ /* Set preferences, if any. */ keygen_set_std_prefs(get_parameter_value( para, pPREFERENCES ), 0); + /* Set keyserver, if any. */ + s1=get_parameter_value( para, pKEYSERVER ); + if(s1) + { + struct keyserver_spec *spec; + + spec=parse_keyserver_uri(s1,1,NULL,0); + if(spec) + { + free_keyserver_spec(spec); + opt.def_keyserver_url=s1; + } + else + { + log_error("%s:%d: invalid keyserver url\n", fname, r->lnr ); + return -1; + } + } + /* Set revoker, if any. */ if (parse_revocation_key (fname, para, pREVOKER)) return -1; @@ -2330,6 +2356,7 @@ { "Preferences", pPREFERENCES }, { "Revoker", pREVOKER }, { "Handle", pHANDLE }, + { "Keyserver", pKEYSERVER }, { NULL, 0 } }; IOBUF fp; Modified: trunk/g10/options.h =================================================================== --- trunk/g10/options.h 2006-06-22 19:17:21 UTC (rev 4167) +++ trunk/g10/options.h 2006-06-22 22:56:54 UTC (rev 4168) @@ -154,7 +154,8 @@ unsigned int export_options; unsigned int list_options; unsigned int verify_options; - char *def_preference_list; + const char *def_preference_list; + const char *def_keyserver_url; prefitem_t *personal_cipher_prefs; prefitem_t *personal_digest_prefs; prefitem_t *personal_compress_prefs; From cvs at cvs.gnupg.org Fri Jun 23 06:27:58 2006 From: cvs at cvs.gnupg.org (svn author dshaw) Date: Fri Jun 23 05:51:43 2006 Subject: [svn] GnuPG - r4169 - trunk/doc Message-ID: Author: dshaw Date: 2006-06-23 06:27:57 +0200 (Fri, 23 Jun 2006) New Revision: 4169 Modified: trunk/doc/ChangeLog trunk/doc/DETAILS trunk/doc/gpg.sgml Log: * gpg.sgml: Document --enable-dsa2, --disable-dsa2, and --default-keyserver-url. * DETAILS: Note "Keyserver:" Modified: trunk/doc/ChangeLog =================================================================== --- trunk/doc/ChangeLog 2006-06-22 22:56:54 UTC (rev 4168) +++ trunk/doc/ChangeLog 2006-06-23 04:27:57 UTC (rev 4169) @@ -1,5 +1,10 @@ 2006-06-22 David Shaw + * gpg.sgml: Document --enable-dsa2, --disable-dsa2, and + --default-keyserver-url. + + * DETAILS: Note "Keyserver:" + * gpg.sgml: Note that --pgp8 does not include SHA224. Clarify that clearsigned messages are not reversible. Modified: trunk/doc/DETAILS =================================================================== --- trunk/doc/DETAILS 2006-06-22 22:56:54 UTC (rev 4168) +++ trunk/doc/DETAILS 2006-06-23 04:27:57 UTC (rev 4169) @@ -807,6 +807,9 @@ characters and should not contain spaces. It is useful for batch key generation to associate a key parameter block with a status line. + Keyserver: + This is an optional parameter that specifies the preferred + keyserver URL for the key. Here is an example: Modified: trunk/doc/gpg.sgml =================================================================== --- trunk/doc/gpg.sgml 2006-06-22 22:56:54 UTC (rev 4168) +++ trunk/doc/gpg.sgml 2006-06-23 04:27:57 UTC (rev 4169) @@ -1723,6 +1723,17 @@ +--enable-dsa2 +--disable-dsa2 + +Enables new-style DSA keys which (unlike the old style) may be larger +than 1024 bit and use hashes other than SHA-1 and RIPEMD/160. Note +that very few programs currently support these keys and signatures +from them. + + + + --show-photos --no-show-photos @@ -3005,6 +3016,14 @@ +--default-keyserver-url &ParmName; + +Set the default keyserver URL to &ParmName;. This keyserver will be +used as the keyserver URL when writing a new self-signature on a key, +which includes key generation and changing preferences. + + + --list-config &OptParmNames; Display various internal configuration parameters of GnuPG. This From cvs at cvs.gnupg.org Fri Jun 23 20:56:27 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Fri Jun 23 20:19:51 2006 Subject: [svn] dirmngr - r227 - in trunk: . doc src Message-ID: Author: wk Date: 2006-06-23 20:56:26 +0200 (Fri, 23 Jun 2006) New Revision: 227 Added: trunk/doc/internals.texi Modified: trunk/ChangeLog trunk/configure.ac trunk/doc/dirmngr.texi trunk/src/ChangeLog trunk/src/certcache.c trunk/src/crlcache.c trunk/src/misc.c trunk/src/misc.h trunk/src/ocsp.c trunk/src/server.c trunk/src/validate.c trunk/src/validate.h Log: Cleanups, more diagnostics and bug fixes. There are still some problems... I am working on it. Modified: trunk/ChangeLog =================================================================== --- trunk/ChangeLog 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/ChangeLog 2006-06-23 18:56:26 UTC (rev 227) @@ -1,3 +1,7 @@ +2006-06-23 Werner Koch + + * doc/internals.texi: new. + 2006-06-08 Marcus Brinkmann * configure.ac (PTH_LIBS): Add --all to pth-config invocation. Modified: trunk/configure.ac =================================================================== --- trunk/configure.ac 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/configure.ac 2006-06-23 18:56:26 UTC (rev 227) @@ -16,7 +16,8 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, +# USA. # Process this file with autoconf to produce a configure script. AC_PREREQ(2.59) @@ -31,7 +32,7 @@ NEED_LIBASSUAN_VERSION=0.6.8 -NEED_KSBA_VERSION=0.9.11 +NEED_KSBA_VERSION=0.9.13 PACKAGE=$PACKAGE_NAME Modified: trunk/doc/dirmngr.texi =================================================================== --- trunk/doc/dirmngr.texi 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/doc/dirmngr.texi 2006-06-23 18:56:26 UTC (rev 227) @@ -716,7 +716,7 @@ @node Dirmngr VALIDATE @section Validate a certificate for debugging -Validate a certificate using the certificate validation fucntion used +Validate a certificate using the certificate validation function used internally by dirmngr. This command is only useful for debugging. To get the actual certificate, this command immediately inquires it using @@ -774,7 +774,7 @@ @item 2 (and other values) There was a problem checking the revocation state of the certificate. A message to stderr has given more detailed information. Most likely -this is due to a missing or tool old CRL or a network problem. +this is due to a missing or expired CRL or due to a network problem. @end table Added: trunk/doc/internals.texi =================================================================== --- trunk/doc/internals.texi 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/doc/internals.texi 2006-06-23 18:56:26 UTC (rev 227) @@ -0,0 +1,244 @@ +@c internals.texi - this file describes internals of DirMngr. + + +@section Verifying a Certificate + +There are several ways to request services from Dirmngr. Almost all of +them are done using the Assuan protocol. What we describe here is the +Assuan Command CHECKCRL as used for example by the dirmnr-client tool if +invoked as + + dirmngr-client foo.crt + +This command will send an Assuan request to an already running Dirmngr +instance. foo.crt is expected to be a standard X.509 certificate and +dirmngr will receive the Assuan command + + CHECKCRL [] + + is optional and expected to be the SHA-1 has of the DER +encosing of the certificate under question. It is to be HEX encoded. +The rationale for sending the fingerprint is that it allows dirmngr to +rely immediatly if it has already cached such an request. Only if this +is not the case and no certificate has been found in dirmngr's internal +certificate storage, dirmngr will request the certificate using the +Assuan inquiry + + INQUIRE TARGETCERT + +The caller (in our example dirmngr-client) is then expected to return +the certificate for the request (which should match FINGERPRINT) as a +binary blob. + +Dirmngr now passes control to @func{crl_cache_cert_isvalid}. This +function checks whether a CRL item exists for target certificate. These +CRL items are kept in a database of already loaded and verified CRLs. +This mechanism is called the CRL cache. Obviously timestamps are kept +there with each item to cope with the expiration date of the CRL. The +possible return values are: Success to indicate that a valid CRL is +available for the certificate and the certificate itself is not listen +in this CRL, GPG_ERR_CERT_REVOKED to indicate that the certificate is +listed in the CRL or GPG_ERR_NO_CRL_KNOWN in cases where no or no +information is available. he first two codes are immediatly returned to +the caller and the processing of this request has been done. + +Only the GPG_ERR_NO_CRL_KNOWN needs more attention: Dirmngr now call +@func(clr_cache_reload_crl} and if this succeeds calls +@func(crl_cache_cert_isvald) one more. All further errors are +immediately returned to the caller. + +@func(clr_cache_reload_crl} is the actual heart of the CRL management. +It locates the corresponding CRL for the target certificate, reads and +verifies this CRL and stores it in the CRL cache. It works like this: + +* Loop over all crlDPs in the target certificate. + * If the crlDP is invalid immediately terminate the loop. + * Loop over all names in the current crlDP. + * If the URL scheme is unknown or not enabled + (--ignore-http-dp, --ignore-ldap-dp) continues with + the next name. + * @func{crl_fetch} is called to actually retrieve the CRL. + In case of problems this name is ignore and we continue with + the next name. Note that @func{crl_fetch} does only return + a descriptor for the CRL for further reading so does the CRL + does not yet end up in memory. + * @func{crl_cache_insert} is called with that descriptor to + actually read the CRL into the cache. See below for a + description of this function. If there is any error (e.g. read + problem, CRL not correctly signed or verification of signature + not possible), this descriptor is rejected and we continue + with the next name. If the CRL has been successfully loaded, + the loop is terminated. +* If no crlDP has been found in the previous loop use a default CRL. + Note, that if any crlDP has been found but loading of the CRL failed, + this condition is not true. + * Try to load a CRL from all configured servers (ldapservers.conf) + in turn. The first server returning a CRL is used. + * @func(crl_cache_insert) is then used to actually insert the CRL + into the cache. If this failed we give up immediatley without + checking the rest of the servers from the first step. +* Ready. + + +The @func{crl_cache_insert} function takes care of reading the bulk of +the CRL, parsing it and checking the signature. It works like this: A +new database file is created using a temporary file name. The CRL +parsing machinery is started and all items of the CRL are put into +this database file. At the end the issuer certificate of the CRL +needs to be retrieved. Three cases are to be distinguished: + + a) An authorityKeyIdentifier with an issuer and serialno exits: The + certificate is retrieved using @func{find_cert_bysn}. If + the certificate is in the certificate cache, it is directly + returned. Then the requester (i.e. the client who requested the + CRL check) is asked via the Assuan inquiry ``SENDCERT'' whether + he can provide this certificate. If this succeed the returned + certificate gets cached and returned. Note, that dirmngr does not + verify in any way whether the expected certificate is returned. + It is in the interest of the client to return a useful certificate + as otherwise the service request will fail due to a bad signature. + The last way to get the certificate is by looking it up at + external resources. This is done using the @func{ca_cert_fetch} + and @func{fetch_next_ksba_cert} and comparing the returned + certificate to match the requested issuer and seriano (This is + needed because the LDAP layer may return several certificates as + LDAP as no standard way to retrieve by serial number). + + b) An authorityKeyIdentifier with a key ID exists: The certificate is + retrieved using @func{find_cert_bysubject}. If the certificate is + in the certificate cache, it is directly returned. Then the + requester is asked via the Assuan inquiry ``SENDCERT_SKI'' whether + he can provide this certificate. If this succeed the returned + certificate gets cached and returned. Note, that dirmngr does not + verify in any way whether the expected certificate is returned. + It is in the interest of the client to return a useful certificate + as otherwise the service request will fail due to a bad signature. + The last way to get the certificate is by looking it up at + external resources. This is done using the @func{ca_cert_fetch} + and @func{fetch_next_ksba_cert} and comparing the returned + certificate to match the requested subject and key ID. + + c) No authorityKeyIdentifier exits: The certificate is retrieved + using @func{find_cert_bysubject} without the key ID argument. If + the certificate is in the certificate cache the first one with a + matching subject is is directly returned. Then the requester is + asked via the Assuan inquiry ``SENDCERT'' and an exact + specification of the subject whether he can + provide this certificate. If this succeed the returned + certificate gets cached and returned. Note, that dirmngr does not + verify in any way whether the expected certificate is returned. + It is in the interest of the client to return a useful certificate + as otherwise the service request will fail due to a bad signature. + The last way to get the certificate is by looking it up at + external resources. This is done using the @func{ca_cert_fetch} + and @func{fetch_next_ksba_cert} and comparing the returned + certificate to match the requested subject; the first certificate + with a matching subject is then returned. + +If no certificate was found, the function returns with the error +GPG_ERR_MISSING_CERT. Now the signature is verified. If this fails, +the erro is returned. On success the @func{validate_cert_chain} is +used to verify that the certificate is actually valid. + +Here we may encounter a recursive situation: +@func{validate_cert_chain} needs to look at other certificates and +also at CRLs to check whether tehse other certificates and well, the +CRL issuer certificate itself are not revoked. FIXME: We need to make +sure that @func{validate_cert_chain} does not try to lookup the CRL we +are currently processing. This would be a catch-22 and may indicate a +broken PKI. However, due to overlapping expiring times and imprecise +clocks thsi may actually happen. + +For historical reasons the Assuan command ISVALID is a bit different +to CHECKCRL but this is mainly due to different calling conventions. +In the end the same fucntionality is used, albeit hidden by a couple +of indirection and argument and result code mangling. It furthere +ingetrages OCSP checking depending on options are the way it is +called. GPGSM still uses this command but might eventuall switch over +to CHECKCRL and CHECKOCSP so that ISVALID can be retired. + + +@section Validating a certificate + +We describe here how the internal function @func{validate_cert_chain} +works. Note that mainly testing purposes this functionality may be +called directly using @cmd{dirmngr-client --validate @file{foo.crt}}. + +For backward compatibility this function returns success if Dirmngr is +not used as a system daemon. Thus not validating the certicates at +all. FIXME: This is definitely not correct and should be fixed ASAP. + +The function takes the target certificate and a mode argument as +parameters and returns an error code and optionally the closes +expiration time of all certificates in the chain. + +We first check that the certificate may be used for the requested +purpose (i.e. OCSP or CRL signing). If this is not the case +GPG_ERR_WRONG_KEY_USAGE is returned. + +The next step is to find the trust anchor (root certificate) and to +assemble the chain in memory: Starting with the target certificate, +the expiration time is checked against the current date, unknown +critical extensions are detected and certificate policies are matched +(We only allow 2.289.9.9 but I have no clue about that OID and from +where I got it - it does not even seem to be assigned - debug cruft?). + +Now if this certificate is a self-signed one, we have reached the +trust anchor. In this case we check that the signature is good, the +certificate is allowed to act as a CA, that it is a trusted one (by +checking whether it is has been put into the trusted-certs +configuration directory) and finally prepend into to our list +representing the certificate chain. This steps ends then. + +If it is not a self-signed certificate, we check that the chain won't +get too long (current limit is 100), if this is the case we terminate +with the error GPG_ERR_BAD_CERT_CHAIN. + +Now the issuer's certificate is looked up: If an +authorityKeyIdentifier is available, this one is used to locate the +certificate either using issuer and serialnumber or subject DN +(i.e. the issuer's DN) and the keyID. The functions +@func{find_cert_bysn) and @func{find_cert_bysubject} are used +respectively. The have already been described above under the +description of @func{crl_cache_insert}. If no certificate was found +or with no authorityKeyIdentifier, only the cache is consulted using +@func{get_cert_bysubject}. The latter is is done under the assumption +that a matching certificate has explicitly been put into the +certificate cache. If the issuer's certificate could not be found, +the validation terminates with the error code GPG_ERR_MISSING_CERT. + +If the issuer's certificate has been found, the signature of the +actual certificate is checked and in case this fails the error +GPG_ERR_BAD_CERT_CHAIN is returned. IF the signature checks out, the +maximum cahin length of the issueing certificate is checked as well as +the capiblity of the certificate (i.e. whether he may be used for +certificate signing). Then the certificate is prepended to our list +representing the certificate chain. Finally the loop is continued now +with the issuer's certificate as the current certificate. + +After the end of the loop and if no error as been encountered +(i.e. the certificate chain has been assempled correctly), a check is +done whether any certificate expired or a critical policy has not been +met. In any of these cases the validation terminates with an +appropriate error. + +Finally the function @func{check_revocations} is called to verify no +certificate in the assempled chain has been revoked: This is an +recursive process because a CRL has to be checked for each certificate +in the chain except for the root certificate, of which we already know +that it is trusted and we avoid checking a CRL here due to common +setup problems and the assumption that a revoked root certifcate has +been removed from the list of trusted certificates. + + + + +@section Looking up certificates through LDAP. + +This describes the LDAP layer to retrieve certificates. +the functions @func{ca_cert_fetch} and @func{fetch_next_ksba_cert} are +used for this. The first one starts a search and the second one is +used to retrieve certificate after certificate. + + + Modified: trunk/src/ChangeLog =================================================================== --- trunk/src/ChangeLog 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/src/ChangeLog 2006-06-23 18:56:26 UTC (rev 227) @@ -1,3 +1,37 @@ +2006-06-23 Werner Koch + + * misc.c (cert_log_name): New. + + * certcache.c (load_certs_from_dir): Also print certificate name. + (find_cert_bysn): Release ISSDN. + + * validate.h: New VALIDATED_MODE_CERT. + * server.c (cmd_validate): Use it here so that no policy checks + are done. Try to validated a cached copy of the target. + + * validate.c (validate_cert_chain): Implement a validation cache. + (check_revocations): Print more diagnostics. Actually use the + loop variable and not the head of the list. + + * ocsp.c (ocsp_isvalid): Make sure it is reset for a status of + revoked. + +2006-06-22 Werner Koch + + * validate.c (cert_use_crl_p): New. + (cert_usage_p): Add a mode 6 for CRL signing. + (validate_cert_chain): Check that the certificate may be used for + CRL signing. Print a note when not running as system daemon. + (validate_cert_chain): Reduce the maximum depth from 50 to 10. + + * certcache.c (find_cert_bysn): Minor restructuring + (find_cert_bysubject): Ditto. Use get_cert_local when called + without KEYID. + * crlcache.c (get_crlissuer_cert_bysn): Removed. + (get_crlissuer_cert): Removed. + (crl_parse_insert): Use find_cert_bysubject and find_cert_bysn + instead of the removed functions. + 2006-06-19 Werner Koch * certcache.c (compare_serialno): Silly me. Using 0 as true is Modified: trunk/src/certcache.c =================================================================== --- trunk/src/certcache.c 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/src/certcache.c 2006-06-23 18:56:26 UTC (rev 227) @@ -361,22 +361,27 @@ } err = put_cert (cert, 1, are_trusted); - ksba_cert_release (cert); if (gpg_err_code (err) == GPG_ERR_DUP_VALUE) log_info (_("certificate `%s' already cached\n"), fname); else if (!err) { - log_info (_("certificate `%s' loaded\n"), fname); - if (are_trusted || opt.verbose) + if (are_trusted) + log_info (_("trusted certificate `%s' loaded\n"), fname); + else + log_info (_("certificate `%s' loaded\n"), fname); + if (opt.verbose) { p = get_fingerprint_hexstring_colon (cert); - log_info (_("SHA1 fingerprint = %s\n"), p); + log_info (_(" SHA1 fingerprint = %s\n"), p); xfree (p); + + cert_log_name (_(" name ="), cert); } } else log_error (_("error loading certificate `%s': %s\n"), fname, gpg_strerror (err)); + ksba_cert_release (cert); } xfree (fname); @@ -626,48 +631,52 @@ - /* Return the certificate matching ISSUER_DN and SERIALNO; if it is not already in the cache, try to find it from other resources. */ ksba_cert_t find_cert_bysn (ctrl_t ctrl, const char *issuer_dn, ksba_sexp_t serialno) { gpg_error_t err; - ksba_cert_t cert = NULL; + ksba_cert_t cert; cert_fetch_context_t context = NULL; + char *hexsn, *buf; + /* First check whether it has already been cached. */ cert = get_cert_bysn (issuer_dn, serialno); + if (cert) + return cert; - if (!cert) + /* Ask back to the service requester to return the certificate. + This is because we can assume that he already used the + certificate while checking for the CRL. */ + hexsn = serial_hex (serialno); + if (!hexsn) { - char *hexsn, *buf; - /* Ask back to the service requester to return the certificate. - This is because we can assume that he already used the - certificate while checking for the CRL. */ - hexsn = serial_hex (serialno); - if (!hexsn) - { - log_debug ("serial_hex() failed\n"); - return NULL; - } - buf = xtrymalloc (1 + strlen (hexsn) + 1 + strlen (issuer_dn) + 1); - if (!buf) - { - log_error ("can't allocate enough memory: %s\n", strerror (errno)); - xfree (hexsn); - return NULL; - } - strcpy (stpcpy (stpcpy (stpcpy (buf, "#"), hexsn),"/"), issuer_dn); + log_error ("serial_hex() failed\n"); + return NULL; + } + buf = xtrymalloc (1 + strlen (hexsn) + 1 + strlen (issuer_dn) + 1); + if (!buf) + { + log_error ("can't allocate enough memory: %s\n", strerror (errno)); xfree (hexsn); - cert = get_cert_local (ctrl, buf); - xfree (buf); - if (cert) - { - cache_cert (cert); - return cert; /* Done. */ - } + return NULL; } + strcpy (stpcpy (stpcpy (stpcpy (buf, "#"), hexsn),"/"), issuer_dn); + xfree (hexsn); + cert = get_cert_local (ctrl, buf); + xfree (buf); + if (cert) + { + cache_cert (cert); + return cert; /* Done. */ + } + if (DBG_LOOKUP) + log_debug ("find_cert_bysn: certificate not returned by caller" + " - doing lookup\n"); + + /* Retrieve the certificate from external resources. */ while (!cert) { ksba_sexp_t sn; @@ -716,6 +725,7 @@ if (!compare_serialno (serialno, sn)) { ksba_free (sn); + ksba_free (issdn); cache_cert (cert); if (DBG_LOOKUP) log_debug (" found\n"); @@ -723,7 +733,7 @@ } ksba_free (sn); - + ksba_free (issdn); ksba_cert_release (cert); cert = NULL; } @@ -732,6 +742,7 @@ return cert; } + /* Return the certificate matching SUBJECT_DN and (if not NULL) KEYID. If it is not already in the cache, try to find it from other resources. Note, that the external search does not work for user @@ -746,6 +757,7 @@ cert_fetch_context_t context = NULL; ksba_sexp_t subj; + /* First we check whether the certificate is cached. */ for (seq=0; (cert = get_cert_bysubject (subject_dn, seq)); seq++) { if (!keyid) @@ -759,21 +771,43 @@ xfree (subj); ksba_cert_release (cert); } + if (cert) + return cert; /* Done. */ - if (!cert) + + /* Ask back to the service requester to return the certificate. + This is because we can assume that he already used the + certificate while checking for the CRL. */ + if (keyid) + cert = get_cert_local_ski (ctrl, subject_dn, keyid); + else { - /* Ask back to the service requester to return the certificate. - This is because we can assume that he already used the - certificate while checking for the CRL. */ - cert = get_cert_local_ski (ctrl, subject_dn, keyid); - if (cert) + /* In contrast to get_cert_local_ski, get_cert_local uses any + passed pattern, so we need to make sure that an exact subject + search is done. */ + char *buf; + + buf = xtrymalloc (1 + strlen (subject_dn) + 1); + if (!buf) { - cache_cert (cert); - return cert; /* Done. */ + log_error ("can't allocate enough memory: %s\n", strerror (errno)); + return NULL; } + strcpy (stpcpy (buf, "/"), subject_dn); + cert = get_cert_local (ctrl, buf); + xfree (buf); } + if (cert) + { + cache_cert (cert); + return cert; /* Done. */ + } + if (DBG_LOOKUP) + log_debug ("find_cert_bysubject: certificate not returned by caller" + " - doing lookup\n"); + /* Locate the certificate using external resources. */ while (!cert) { char *subjdn; @@ -816,6 +850,7 @@ } ksba_free (subjdn); + /* If no key ID has been provided, we return the first match. */ if (!keyid) { cache_cert (cert); @@ -824,6 +859,7 @@ break; /* Ready. */ } + /* With the key ID given we need to compare it. */ if (!ksba_cert_get_subj_key_id (cert, NULL, &subj)) { if (!cmp_simple_canon_sexp (keyid, subj)) Modified: trunk/src/crlcache.c =================================================================== --- trunk/src/crlcache.c 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/src/crlcache.c 2006-06-23 18:56:26 UTC (rev 227) @@ -945,7 +945,7 @@ /* Open the cache file for ENTRY. This function implements a caching strategy and might close unused cache files. It is required to use - unlock_db_file after the using the file. */ + unlock_db_file after using the file. */ static struct cdb * lock_db_file (crl_cache_t cache, crl_cache_entry_t entry) { @@ -1365,92 +1365,6 @@ } -/* Return the certificate for NAME or NULL if it can't be found. Note - that we will only return the first matching certificate. */ -static ksba_cert_t -get_crlissuer_cert (ctrl_t ctrl, const char *name) -{ - gpg_error_t err; - ksba_cert_t cert = NULL; - cert_fetch_context_t context; - - /* First check whether it has already been cached. */ - cert = get_cert_bysubject (name, 0); - if (cert) - return cert; /* Done. */ - - /* Ask back to the service requester to return the certificate. - This is because we can assume that he already used the - certificate while checking for the CRL. */ - cert = get_cert_local (ctrl, name); - if (cert) - return cert; /* Done. */ - - /* If this fails do a regular certificate lookup. */ - if (DBG_LOOKUP) - log_debug ("certificate for CRL issuer not returned by caller" - " - doing lookup\n"); - - err = ca_cert_fetch (ctrl, &context, name); - if (err) - { - log_error (_("error fetching certificate for CRL issuer: %s\n"), - gpg_strerror (err)); - return NULL; - } - - err = fetch_next_ksba_cert (context, &cert); - if (err) - log_error (_("invalid CRL issuer certificate: %s\n"), gpg_strerror (err) ); - end_cert_fetch (context); - - if (!err) - cache_cert (cert); - - return cert; -} - - -/* Return the certificate from the issuer DN NAME and the S/N SN. - First tries the local chache, then asks the caller and then tries - an ldap search. */ -static ksba_cert_t -get_crlissuer_cert_bysn (ctrl_t ctrl, const char *name, ksba_sexp_t sn) -{ - ksba_cert_t cert; - char *snbuf, *buf; - - /* First check whether it has already been cached. */ - cert = get_cert_bysn (name, sn); - if (cert) - return cert; /* Done. */ - - /* Ask back to the service requester to return the certificate. - This is because we can assume that he already used the - certificate while checking for the CRL. */ - snbuf = serial_hex (sn); - if (!snbuf) - snbuf = ""; - buf = xtrymalloc (1 + strlen (snbuf) + 1 + strlen (name) + 1 ); - if (!buf) - { - xfree (snbuf); - return NULL; - } - strcpy (stpcpy (stpcpy (stpcpy (buf, "#"), snbuf), "/"), name); - xfree (snbuf); - cert = get_cert_local (ctrl, buf); - xfree (buf); - if (cert) - { - cache_cert (cert); - return cert; /* Done. */ - } - - return find_cert_bysn (ctrl, name, sn); -} - - /* Prepare a hash context for the signature verification. Input is the CRL and the output is the hash context MD as well as the uses algorithm identifier ALGO. */ @@ -1576,7 +1490,7 @@ required to retrieve certificates using the general dirmngr callback service. R_CRLISSUER returns an allocated string with the crl-issuer DN, THIS_UPDATE and NEXT_UPDATE are filled with the - correspondind data from the CRL. Note that these values might get + corresponding data from the CRL. Note that these values might get set even if the CRL processing fails at a later step; thus the caller should free *R_ISSUER even if the function returns with an error. @@ -1701,7 +1615,7 @@ s = ksba_name_enum (authid, 0); if (s && *authidsn) - crlissuer_cert = get_crlissuer_cert_bysn (ctrl, s, authidsn); + crlissuer_cert = find_cert_bysn (ctrl, s, authidsn); if (!crlissuer_cert && keyid) crlissuer_cert = find_cert_bysubject (ctrl, crlissuer, keyid); @@ -1730,7 +1644,7 @@ xfree (keyid); } else - crlissuer_cert = get_crlissuer_cert (ctrl, crlissuer); + crlissuer_cert = find_cert_bysubject (ctrl, crlissuer, NULL); err = 0; if (!crlissuer_cert) { Modified: trunk/src/misc.c =================================================================== --- trunk/src/misc.c 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/src/misc.c 2006-06-23 18:56:26 UTC (rev 227) @@ -558,7 +558,6 @@ } } - /* Dump an KSBA cert object to the log stream. Prefix the output with TEXT. This is used for debugging. */ void @@ -601,13 +600,43 @@ log_debug (" hash algo: %s\n", ksba_cert_get_digest_algo (cert)); p = get_fingerprint_hexstring (cert); - log_debug (" SHA1 Fingerprint: %s\n", p); + log_debug (" SHA1 fingerprint: %s\n", p); xfree (p); } log_debug ("END Certificate\n"); } + +/* Log the certificate's name in "#SN/ISSUERDN" format along with + TEXT. */ +void +cert_log_name (const char *text, ksba_cert_t cert) +{ + log_info ("%s", text? text:"certificate" ); + if (cert) + { + ksba_sexp_t sn; + char *p; + + p = ksba_cert_get_issuer (cert, 0); + sn = ksba_cert_get_serial (cert); + if (p && sn) + { + log_printf (" #"); + dump_serial (sn); + log_printf ("/"); + dump_string (p); + } + else + log_printf (" [invalid]"); + ksba_free (sn); + xfree (p); + } + log_printf ("\n"); +} + + /**************** * Remove all %xx escapes; this is done inplace. * Returns: New length of the string. Modified: trunk/src/misc.h =================================================================== --- trunk/src/misc.h 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/src/misc.h 2006-06-23 18:56:26 UTC (rev 227) @@ -88,6 +88,8 @@ CERT. This version inserts the usual colons. */ char *get_fingerprint_hexstring_colon (ksba_cert_t cert); +/* Log CERT in short format with s/n and issuer DN prefixed by TEXT. */ +void cert_log_name (const char *text, ksba_cert_t cert); /* Dump the serial number SERIALNO to the log stream. */ void dump_serial (ksba_sexp_t serialno); Modified: trunk/src/ocsp.c =================================================================== --- trunk/src/ocsp.c 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/src/ocsp.c 2006-06-23 18:56:26 UTC (rev 227) @@ -390,7 +390,7 @@ /* Check whether the certificate either given by fingerprint CERT_FPR - or directly through a the CERT object is valid by running an OCSP + or directly through the CERT object is valid by running an OCSP transaction. */ gpg_error_t ocsp_isvalid (ctrl_t ctrl, ksba_cert_t cert, const char *cert_fpr) @@ -548,6 +548,24 @@ gpg_strerror (err)); goto leave; } + + /* In case the certificate has been revoked, we better invalidate + our cached validation status. */ + if (status == KSBA_STATUS_REVOKED) + { + time_t validated_at = 0; /* That is: No cached validation available. */ + err = ksba_cert_set_user_data (cert, "validated_at", + &validated_at, sizeof (validated_at)); + if (err) + { + log_error ("set_user_data(validated_at) failed: %s\n", + gpg_strerror (err)); + err = 0; /* The certificate is anyway revoked, and that is a + more important message than the failure of our + cache. */ + } + } + if (opt.verbose) { Modified: trunk/src/server.c =================================================================== --- trunk/src/server.c 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/src/server.c 2006-06-23 18:56:26 UTC (rev 227) @@ -838,7 +838,7 @@ /* CACHECERT Put a certificate into the internal cache. This command might be - usedful if a client knows in advance certificates required for a + useful if a client knows in advance certificates required for a test and wnats to make sure they get added to the internal cache. It is also helpful for debugging. To get the actual certificate, this command immediately inquires it using @@ -891,7 +891,7 @@ /* VALIDATE - Validate a certificate using the certificate validationj fucntion + Validate a certificate using the certificate validation fucntion used internally by dirmngr. This command is only useful for debugging. To get the actual certificate, this command immediately inquires it using @@ -910,7 +910,7 @@ assuan_error_t ae; unsigned char *value = NULL; size_t valuelen; - + ae = assuan_inquire (ctrl->server_local->assuan_ctx, "TARGETCERT", &value, &valuelen, MAX_CERT_LENGTH); if (ae) @@ -932,8 +932,24 @@ if(err) goto leave; - err = validate_cert_chain (ctrl, cert, NULL, VALIDATE_MODE_CRL_RECURSIVE); + /* If we have this certificate already in our cache, use the cached + version for validation because this will take care of any cached + results. */ + { + unsigned char fpr[20]; + ksba_cert_t tmpcert; + cert_compute_fpr (cert, fpr); + tmpcert = get_cert_byfpr (fpr); + if (tmpcert) + { + ksba_cert_release (cert); + cert = tmpcert; + } + } + + err = validate_cert_chain (ctrl, cert, NULL, VALIDATE_MODE_CERT); + leave: if (err) log_error (_("command %s failed: %s\n"), "VALIDATE", gpg_strerror (err)); Modified: trunk/src/validate.c =================================================================== --- trunk/src/validate.c 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/src/validate.c 2006-06-23 18:56:26 UTC (rev 227) @@ -1,6 +1,6 @@ /* validate.c - Validate a certificate chain. * Copyright (C) 2001, 2003, 2004 Free Software Foundation, Inc. - * Copyright (C) 2004 g10 Code GmbH + * Copyright (C) 2004, 2006 g10 Code GmbH * * This file is part of DirMngr. * @@ -35,8 +35,8 @@ #include "validate.h" #include "misc.h" -/* While running the validation function we need to keep tarckl of the - cretificates and the validation outcome of each. We use this type +/* While running the validation function we need to keep track of the + certificates and the validation outcome of each. We use this type for it. */ struct chain_item_s { @@ -192,16 +192,7 @@ chain_item_t ci; assert (ctrl->check_revocations_nest_level >= 0); - assert (chain); - if (!chain->next) - { - /* We only have one certificate in the chain. This is the - traget and the Root CA certificate. We can't do a - revocation check for the root certificate because this will - in most cases lead to a catch-22. */ - return 0; /* Target certificate is a trusted root certificate. */ - } if (ctrl->check_revocations_nest_level > 10) { @@ -214,13 +205,27 @@ for (ci=chain; ci; ci = ci->next) { assert (ci->cert); + if (ci == chain) + { + /* It does not make sense to check the root certificate for + revocations. In almost all cases this will lead to a + catch-22 as the root certificate is the final trust + anchor for the certificates and the CRLs. We expect the + user to remove root certificates from the list of trusted + certificates in case they have been revoked. */ + if (opt.verbose) + cert_log_name (_("not checking CRL for"), ci->cert); + continue; + } - err = crl_cache_cert_isvalid (ctrl, chain->cert, 0); + if (opt.verbose) + cert_log_name (_("checking CRL for"), ci->cert); + err = crl_cache_cert_isvalid (ctrl, ci->cert, 0); if (gpg_err_code (err) == GPG_ERR_NO_CRL_KNOWN) { - err = crl_cache_reload_crl (ctrl, chain->cert); + err = crl_cache_reload_crl (ctrl, ci->cert); if (!err) - err = crl_cache_cert_isvalid (ctrl, chain->cert, 0); + err = crl_cache_cert_isvalid (ctrl, ci->cert, 0); } switch (gpg_err_code (err)) { @@ -273,31 +278,68 @@ *exptime = 0; if (!opt.system_daemon) - return 0; /* For backward compatibility we only do this in daemon - mode. */ + { + /* For backward compatibility we only do this in daemon mode. */ + log_info (_("running in compatibility mode - " + "certificate chain not checked!\n")); + return 0; /* Okay. */ + } - /* Get the current time. */ - get_isotime (current_time); - if (DBG_X509) dump_cert ("subject", cert); - subject_cert = cert; - maxdepth = 50; - chain = NULL; - depth = 0; - - /* May the target certificate be used for OCSP response signing? */ - if (mode == VALIDATE_MODE_OCSP) + /* May the target certificate be used for this purpose? */ + switch (mode) { + case VALIDATE_MODE_OCSP: err = cert_use_ocsp_p (cert); + break; + case VALIDATE_MODE_CRL: + case VALIDATE_MODE_CRL_RECURSIVE: + err = cert_use_crl_p (cert); + break; + default: + err = 0; + break; } - /* May the certificate be used for CR signing. */ - /* FIXME. */ if (err) - goto leave; + return err; - /* We walk up the the path until we find a trust anchor. */ + /* If we already validated the certificate not too long ago, we can + avoid the excessive computations and lookups unless the caller + asked for the expiration time. */ + if (!r_exptime) + { + size_t buflen; + time_t validated_at; + + err = ksba_cert_get_user_data (cert, "validated_at", + &validated_at, sizeof (validated_at), + &buflen); + if (err || buflen != sizeof (validated_at) || !validated_at) + err = 0; /* Not available or other error. */ + else + { + /* If the validation is not older than 30 minutes we are ready. */ + if (validated_at < get_time () + (30*60)) + { + if (opt.verbose) + log_info ("certificate is good (cached)\n"); + /* Note, that we can't jump to leave here as this would + falsely updated the validation timestamp. */ + return 0; + } + } + } + + /* Get the current time. */ + get_isotime (current_time); + + /* We walk up the chain until we find a trust anchor. */ + subject_cert = cert; + maxdepth = 10; + chain = NULL; + depth = 0; for (;;) { /* Get the subject and issuer name from the current @@ -430,6 +472,10 @@ ci->next = chain; chain = ci; } + + if (opt.verbose) + log_info ("root certificate is good\n"); + break; /* Okay: a self-signed certicate is an end-point. */ } @@ -555,7 +601,7 @@ } if (opt.verbose) - log_info ("certificate is good\n"); + log_info (_("certificate is good\n")); /* Now to the next level up. */ subject_cert = issuer_cert; @@ -571,6 +617,15 @@ err = gpg_error (GPG_ERR_NO_POLICY_MATCH); } + if (!err && opt.verbose) + { + chain_item_t citem; + + log_info (_("certificate chain is good\n")); + for (citem = chain; citem; citem = citem->next) + cert_log_name (" certificate", citem->cert); + } + if (!err) { /* Now that everything is fine, walk the chain and check each certificate for revocations. @@ -585,12 +640,37 @@ might become a recursive process and we should better cache our validity results to avoid double work. Far worse a catch-22 may happen for an improper setup hierachy and we - need a way to break up this deadlock. */ + need a way to break up such a deadlock. */ err = check_revocations (ctrl, chain); } + if (!err && opt.verbose) + log_info ("target certificate is valid\n"); + else if (err && opt.verbose) + log_info ("target certificate is NOT valid\n"); + leave: + if (!err) + { + /* With no error we can update the validation cache. We do this + for all certificates in the chain. */ + chain_item_t citem; + time_t validated_at = get_time (); + + for (citem = chain; citem; citem = citem->next) + { + err = ksba_cert_set_user_data (citem->cert, "validated_at", + &validated_at, sizeof (validated_at)); + if (err) + { + log_error ("set_user_data(validated_at) failed: %s\n", + gpg_strerror (err)); + err = 0; + } + } + } + if (r_exptime) copy_time (r_exptime, exptime); xfree (issuer); @@ -789,7 +869,7 @@ for signing, a MODE of 1 checks for encryption, a MODE of 2 checks for verification and a MODE of 3 for decryption (just for debugging). MODE 4 is for certificate signing, MODE 5 for OCSP - response signing. */ + response signing, MODE 6 is for CRL signing. */ static int cert_usage_p (ksba_cert_t cert, int mode) { @@ -899,6 +979,15 @@ return gpg_error (GPG_ERR_WRONG_KEY_USAGE); } + if (mode == 6) + { + if ((use & (KSBA_KEYUSAGE_CRL_SIGN))) + return 0; + log_info (_("certificate should have not " + "been used for CRL signing\n")); + return gpg_error (GPG_ERR_WRONG_KEY_USAGE); + } + if ((use & ((mode&1)? (KSBA_KEYUSAGE_KEY_ENCIPHERMENT|KSBA_KEYUSAGE_DATA_ENCIPHERMENT): (KSBA_KEYUSAGE_DIGITAL_SIGNATURE|KSBA_KEYUSAGE_NON_REPUDIATION))) @@ -928,3 +1017,10 @@ return cert_usage_p (cert, 5); } +/* Return 0 if the certificate CERT is usable for signing CRLs. */ +gpg_error_t +cert_use_crl_p (ksba_cert_t cert) +{ + return cert_usage_p (cert, 6); +} + Modified: trunk/src/validate.h =================================================================== --- trunk/src/validate.h 2006-06-19 19:39:58 UTC (rev 226) +++ trunk/src/validate.h 2006-06-23 18:56:26 UTC (rev 227) @@ -23,6 +23,7 @@ enum { + VALIDATE_MODE_CERT = 0, VALIDATE_MODE_CRL = 1, VALIDATE_MODE_CRL_RECURSIVE = 2, VALIDATE_MODE_OCSP = 3 @@ -42,5 +43,8 @@ responses. */ gpg_error_t cert_use_ocsp_p (ksba_cert_t cert); +/* Return 0 if the certificate CERT is usable for signing CRLs. */ +gpg_error_t cert_use_crl_p (ksba_cert_t cert); + #endif /*VALIDATE_H*/ From cvs at cvs.gnupg.org Sun Jun 25 14:03:41 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Sun Jun 25 13:26:55 2006 Subject: [svn] GnuPG - r4170 - in trunk: . doc g10 m4 po util Message-ID: Author: wk Date: 2006-06-25 14:03:38 +0200 (Sun, 25 Jun 2006) New Revision: 4170 Modified: trunk/ChangeLog trunk/NEWS trunk/THANKS trunk/configure.ac trunk/doc/gpg.texi trunk/g10/ChangeLog trunk/g10/encr-data.c trunk/m4/ChangeLog trunk/m4/Makefile.am trunk/po/de.po trunk/util/ChangeLog trunk/util/miscutil.c Log: About to do a new release Modified: trunk/ChangeLog =================================================================== --- trunk/ChangeLog 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/ChangeLog 2006-06-25 12:03:38 UTC (rev 4170) @@ -1,3 +1,7 @@ +2006-06-25 Werner Koch + + Released 1.4.4. + 2006-05-23 David Shaw * configure.ac: Add --disable-optimization. This is handy for Modified: trunk/NEWS =================================================================== --- trunk/NEWS 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/NEWS 2006-06-25 12:03:38 UTC (rev 4170) @@ -1,6 +1,9 @@ -Noteworthy changes in version 1.4.4 +Noteworthy changes in version 1.4.4 (2006-06-25) ------------------------------------------------ + * User IDs are now capped 2048 byte. This avoids a memory + allocation attack (see CVE-2006-3082). + * Added support for the SHA-224 hash. Like the SHA-384 hash, it is mainly useful when DSS (the US Digital Signature Standard) compatibility is desired. Modified: trunk/THANKS =================================================================== --- trunk/THANKS 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/THANKS 2006-06-25 12:03:38 UTC (rev 4170) @@ -58,6 +58,7 @@ Edwin Woudt edwin@woudt.nl Enzo Michelangeli em@MailAndNews.com Ernst Molitor ernst.molitor@uni-bonn.de +Evgeny Legerov Fabio Coatti cova@ferrara.linux.it Felix von Leitner leitner@amdiv.de fish stiqz fish@analog.org @@ -103,6 +104,7 @@ Jim Small cavenewt@my-deja.com Joachim Backes backes@rhrk.uni-kl.de Joe Rhett jrhett@isite.net +Joerg Honegger Joerg.Honegger@hp.com John A. Martin jam@jamux.com John Clizbe JPClizbe@comcast.net John R. Shannon john@johnrshannon.com Modified: trunk/configure.ac =================================================================== --- trunk/configure.ac 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/configure.ac 2006-06-25 12:03:38 UTC (rev 4170) @@ -28,7 +28,7 @@ # Set my_issvn to "yes" for non-released code. Remember to run an # "svn up" and "autogen.sh" right before creating a distribution. m4_define([my_version], [1.4.4]) -m4_define([my_issvn], [yes]) +m4_define([my_issvn], [no]) m4_define([svn_revision], m4_esyscmd([echo -n $((svn info 2>/dev/null \ || echo 'Revision: 0')|sed -n '/^Revision:/ s/[^0-9]//gp'|head -1)])) Modified: trunk/doc/gpg.texi =================================================================== --- trunk/doc/gpg.texi 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/doc/gpg.texi 2006-06-25 12:03:38 UTC (rev 4170) @@ -51,7 +51,11 @@ or a passphrase). @item --clearsign -Make a clear text signature. +Make a clear text signature. The content in a clear text signature is +readable without any special software. OpenPGP software is only +needed to verify the signature. Clear text signatures may modify +end-of-line whitespace for platform independence and are not intended +to be reversible. @item -b, --detach-sign Make a detached signature. @@ -355,7 +359,7 @@ that is no longer usable (e.g. revoked, or expired). Then, remove any signatures that are not usable by the trust calculations. Specifically, this removes any signature that does not validate, any -signature that is superceded by a later signature, revoked signatures, +signature that is superseded by a later signature, revoked signatures, and signatures issued by keys that are not present on the keyring. @item minimize @@ -1140,6 +1144,13 @@ validation. This option is only meaningful if pka-lookups is set. @end table +@item --enable-dsa2 +@itemx --disable-dsa2 +Enables new-style DSA keys which (unlike the old style) may be larger +than 1024 bit and use hashes other than SHA-1 and RIPEMD/160. Note +that very few programs currently support these keys and signatures +from them. + @item --show-photos @itemx --no-show-photos Causes --list-keys, --list-sigs, --list-public-keys, @@ -1434,14 +1445,20 @@ Maximum depth of a certification chain (default is 5). @item --cipher-algo @code{name} -Use @code{name} as cipher algorithm. Running the program -with the command --version yields a list of supported -algorithms. If this is not used the cipher algorithm is -selected from the preferences stored with the key. +Use @code{name} as cipher algorithm. Running the program with the +command --version yields a list of supported algorithms. If this is +not used the cipher algorithm is selected from the preferences stored +with the key. In general, you do not want to use this option as it +allows you to violate the OpenPGP standard. +--personal-cipher-preferences is the safe way to accomplish the same +thing. @item --digest-algo @code{name} Use @code{name} as the message digest algorithm. Running the program -with the command --version yields a list of supported algorithms. +with the command --version yields a list of supported algorithms. In +general, you do not want to use this option as it allows you to +violate the OpenPGP standard. --personal-digest-preferences is the +safe way to accomplish the same thing. @item --compress-algo @code{name} Use compression algorithm @code{name}. "zlib" is RFC-1950 ZLIB @@ -1460,7 +1477,10 @@ amount of memory while compressing and decompressing. This may be significant in low memory situations. Note, however, that PGP (all versions) only supports ZIP compression. Using any algorithm other -than ZIP or "none" will make the message unreadable with PGP. +than ZIP or "none" will make the message unreadable with PGP. In +general, you do not want to use this option as it allows you to +violate the OpenPGP standard. --personal-compress-preferences is the +safe way to accomplish the same thing. @item --cert-digest-algo @code{name} Use @code{name} as the message digest algorithm used when signing a @@ -1558,15 +1578,17 @@ Enabled by default. --no-escape-from-lines disables this option. @item --passphrase-fd @code{n} -Read the passphrase from file descriptor @code{n}. If you use 0 for -@code{n}, the passphrase will be read from stdin. This can only be -used if only one passphrase is supplied. +Read the passphrase from file descriptor @code{n}. Only the first line +will be read from file descriptor @code{n}. If you use 0 for @code{n}, +the passphrase will be read from stdin. This can only be used if only +one passphrase is supplied. @item --passphrase-file @code{file} -Read the passphrase from file @code{file}. This can only be used if -only one passphrase is supplied. Obviously, a passphrase stored in a -file is of questionable security if other users can read this file. -Don't use this option if you can avoid it. +Read the passphrase from file @code{file}. Only the first line will +be read from file @code{file}. This can only be used if only one +passphrase is supplied. Obviously, a passphrase stored in a file is +of questionable security if other users can read this file. Don't use +this option if you can avoid it. @item --passphrase @code{string} Use @code{string} as the passphrase. This can only be used if only one @@ -1660,7 +1682,8 @@ Set up all options to be as PGP 8 compliant as possible. PGP 8 is a lot closer to the OpenPGP standard than previous versions of PGP, so all this does is disable --throw-keyids and set --escape-from-lines. -All algorithms are allowed except for the SHA384 and SHA512 digests. +All algorithms are allowed except for the SHA224, SHA384, and SHA512 +digests. @end table @item --force-v3-sigs @@ -1785,10 +1808,10 @@ warning means that your system is secure. Note that the warning for unsafe --homedir permissions cannot be -supressed in the gpg.conf file, as this would allow an attacker to -place an unsafe gpg.conf file in place, and use this file to supress +suppressed in the gpg.conf file, as this would allow an attacker to +place an unsafe gpg.conf file in place, and use this file to suppress warnings about itself. The --homedir permissions warning may only be -supressed on the command line. +suppressed on the command line. @item --no-mdc-warning Suppress the warning about missing MDC integrity protection. @@ -1929,8 +1952,8 @@ @item --allow-multisig-verification Allow verification of concatenated signed messages. This will run a signature verification for each data+signature block. There are some -security issues with this option thus it is off by default. Note that -versions of gpg rpior to version 1.4.3 implicityly allowed for this. +security issues with this option and thus it is off by default. Note +that versions of GPG prior to version 1.4.3 implicitly allowed this. @item --enable-special-filenames This options enables a mode in which filenames of the form @@ -1994,6 +2017,11 @@ list is used for new keys and becomes the default for "setpref" in the edit menu. +@item --default-keyserver-url @code{name} +Set the default keyserver URL to @code{name}. This keyserver will be +used as the keyserver URL when writing a new self-signature on a key, +which includes key generation and changing preferences. + @item --list-config Display various internal configuration parameters of GnuPG. This option is intended for external programs that call GnuPG to perform Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/g10/ChangeLog 2006-06-25 12:03:38 UTC (rev 4170) @@ -582,8 +582,8 @@ 2005-12-08 David Shaw - * options.h, keyserver.c (curl_cant_handle, keyserver_spawn, - keyserver_fetch): Set a flag to indicate that we're doing a direct + * options.h, keyserver.c (curl_cant_handle, keyserver_spawn) + (keyserver_fetch): Set a flag to indicate that we're doing a direct URI fetch so we can differentiate between a keyserver operation and a URI fetch for protocols like LDAP that can do either. Modified: trunk/g10/encr-data.c =================================================================== --- trunk/g10/encr-data.c 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/g10/encr-data.c 2006-06-25 12:03:38 UTC (rev 4170) @@ -99,7 +99,7 @@ log_error("key setup failed: %s\n", g10_errstr(rc) ); goto leave; -} + } if (!ed->buf) { log_error(_("problem handling encrypted packet\n")); goto leave; Modified: trunk/m4/ChangeLog =================================================================== --- trunk/m4/ChangeLog 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/m4/ChangeLog 2006-06-25 12:03:38 UTC (rev 4170) @@ -1,3 +1,7 @@ +2006-06-25 Werner Koch + + * Makefile.am: Added noexecstack.m4 and ldap.m4 + 2006-05-22 Marcus Brinkmann * noexecstack.m4: New file. Modified: trunk/m4/Makefile.am =================================================================== --- trunk/m4/Makefile.am 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/m4/Makefile.am 2006-06-25 12:03:38 UTC (rev 4170) @@ -1 +1,10 @@ -EXTRA_DIST = intmax.m4 longdouble.m4 longlong.m4 printf-posix.m4 signed.m4 size_max.m4 wchar_t.m4 wint_t.m4 xsize.m4 codeset.m4 gettext.m4 glibc21.m4 iconv.m4 intdiv0.m4 inttypes.m4 inttypes_h.m4 inttypes-pri.m4 isc-posix.m4 lcmessage.m4 lib-ld.m4 lib-link.m4 lib-prefix.m4 nls.m4 po.m4 progtest.m4 stdint_h.m4 uintmax_t.m4 ulonglong.m4 readline.m4 libcurl.m4 libusb.m4 tar-ustar.m4 +EXTRA_DIST = intmax.m4 longdouble.m4 longlong.m4 printf-posix.m4 \ + signed.m4 size_max.m4 wchar_t.m4 wint_t.m4 xsize.m4 \ + codeset.m4 gettext.m4 glibc21.m4 iconv.m4 intdiv0.m4 \ + inttypes.m4 inttypes_h.m4 inttypes-pri.m4 isc-posix.m4 \ + lcmessage.m4 lib-ld.m4 lib-link.m4 lib-prefix.m4 nls.m4 \ + po.m4 progtest.m4 stdint_h.m4 uintmax_t.m4 ulonglong.m4 \ + readline.m4 libcurl.m4 libusb.m4 tar-ustar.m4 \ + ldap.m4 \ + noexecstack.m4 + Modified: trunk/po/de.po =================================================================== --- trunk/po/de.po 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/po/de.po 2006-06-25 12:03:38 UTC (rev 4170) @@ -8,7 +8,7 @@ "Project-Id-Version: gnupg-1.4.1\n" "Report-Msgid-Bugs-To: gnupg-i18n@gnupg.org\n" "POT-Creation-Date: 2006-04-03 11:40+0200\n" -"PO-Revision-Date: 2006-04-03 11:40+0200\n" +"PO-Revision-Date: 2006-05-12 12:13+0200\n" "Last-Translator: Walter Koch \n" "Language-Team: German \n" "MIME-Version: 1.0\n" @@ -6113,7 +6113,7 @@ #: g10/trustdb.c:2197 #, c-format msgid "%d marginal(s) needed, %d complete(s) needed, %s trust model\n" -msgstr "%d marignal-needed, %d complete-needed, %s Trust-Modell\n" +msgstr "%d marginal-needed, %d complete-needed, %s Vertrauensmodell\n" #: g10/trustdb.c:2283 #, c-format Modified: trunk/util/ChangeLog =================================================================== --- trunk/util/ChangeLog 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/util/ChangeLog 2006-06-25 12:03:38 UTC (rev 4170) @@ -10,7 +10,7 @@ 2006-04-11 Werner Koch - * iobuf.c (IOBUF_BUFFER_SIZE): New to repalce hardwired 8192. + * iobuf.c (IOBUF_BUFFER_SIZE): New to replace hardwired 8192. 2006-04-06 David Shaw Modified: trunk/util/miscutil.c =================================================================== --- trunk/util/miscutil.c 2006-06-23 04:27:57 UTC (rev 4169) +++ trunk/util/miscutil.c 2006-06-25 12:03:38 UTC (rev 4170) @@ -326,10 +326,10 @@ int answer_is_yes_no_default( const char *s, int def_answer ) { - /* NOTE TO TRANSLATOR: See doc/TRANSLATE about this string. */ + /* TRANSLATORS: See doc/TRANSLATE about this string. */ const char *long_yes = _("yes"); const char *short_yes = _("yY"); - /* NOTE TO TRANSLATOR: See doc/TRANSLATE about this string. */ + /* TRANSLATORS: See doc/TRANSLATE about this string. */ const char *long_no = _("no"); const char *short_no = _("nN"); @@ -363,11 +363,11 @@ int answer_is_yes_no_quit( const char *s ) { - /* NOTE TO TRANSLATOR: See doc/TRANSLATE about this string. */ + /* TRANSLATORS: See doc/TRANSLATE about this string. */ const char *long_yes = _("yes"); - /* NOTE TO TRANSLATOR: See doc/TRANSLATE about this string. */ + /* TRANSLATORS: See doc/TRANSLATE about this string. */ const char *long_no = _("no"); - /* NOTE TO TRANSLATOR: See doc/TRANSLATE about this string. */ + /* TRANSLATORS: See doc/TRANSLATE about this string. */ const char *long_quit = _("quit"); const char *short_yes = _("yY"); const char *short_no = _("nN"); @@ -403,9 +403,9 @@ int answer_is_okay_cancel (const char *s, int def_answer) { - /* NOTE TO TRANSLATOR: See doc/TRANSLATE about this string. */ + /* TRANSLATORS: See doc/TRANSLATE about this string. */ const char *long_okay = _("okay|okay"); - /* NOTE TO TRANSLATOR: See doc/TRANSLATE about this string. */ + /* TRANSLATORS: See doc/TRANSLATE about this string. */ const char *long_cancel = _("cancel|cancel"); const char *short_okay = _("oO"); const char *short_cancel = _("cC"); From cvs at cvs.gnupg.org Sun Jun 25 14:07:21 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Sun Jun 25 13:30:34 2006 Subject: [svn] GnuPG - r4171 - trunk Message-ID: Author: wk Date: 2006-06-25 14:07:16 +0200 (Sun, 25 Jun 2006) New Revision: 4171 Modified: trunk/NEWS Log: Typo fix Modified: trunk/NEWS =================================================================== --- trunk/NEWS 2006-06-25 12:03:38 UTC (rev 4170) +++ trunk/NEWS 2006-06-25 12:07:16 UTC (rev 4171) @@ -1,7 +1,7 @@ Noteworthy changes in version 1.4.4 (2006-06-25) ------------------------------------------------ - * User IDs are now capped 2048 byte. This avoids a memory + * User IDs are now capped at 2048 byte. This avoids a memory allocation attack (see CVE-2006-3082). * Added support for the SHA-224 hash. Like the SHA-384 hash, it From cvs at cvs.gnupg.org Sun Jun 25 15:58:53 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Sun Jun 25 15:22:10 2006 Subject: [svn] GnuPG - r4173 - tags Message-ID: Author: wk Date: 2006-06-25 15:58:52 +0200 (Sun, 25 Jun 2006) New Revision: 4173 Added: tags/gnupg-1.4.4/ Log: Tagged new release Copied: tags/gnupg-1.4.4 (from rev 4172, trunk) From cvs at cvs.gnupg.org Sun Jun 25 16:30:53 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Sun Jun 25 15:54:12 2006 Subject: [svn] GnuPG - r4174 - trunk Message-ID: Author: wk Date: 2006-06-25 16:30:52 +0200 (Sun, 25 Jun 2006) New Revision: 4174 Modified: trunk/NEWS trunk/configure.ac Log: Post release version update Modified: trunk/NEWS =================================================================== --- trunk/NEWS 2006-06-25 13:58:52 UTC (rev 4173) +++ trunk/NEWS 2006-06-25 14:30:52 UTC (rev 4174) @@ -1,3 +1,7 @@ +Noteworthy changes in version 1.4.5 +------------------------------------------------ + + Noteworthy changes in version 1.4.4 (2006-06-25) ------------------------------------------------ Modified: trunk/configure.ac =================================================================== --- trunk/configure.ac 2006-06-25 13:58:52 UTC (rev 4173) +++ trunk/configure.ac 2006-06-25 14:30:52 UTC (rev 4174) @@ -27,8 +27,8 @@ # Remember to change the version number immediately *after* a release. # Set my_issvn to "yes" for non-released code. Remember to run an # "svn up" and "autogen.sh" right before creating a distribution. -m4_define([my_version], [1.4.4]) -m4_define([my_issvn], [no]) +m4_define([my_version], [1.4.5]) +m4_define([my_issvn], [yes]) m4_define([svn_revision], m4_esyscmd([echo -n $((svn info 2>/dev/null \ || echo 'Revision: 0')|sed -n '/^Revision:/ s/[^0-9]//gp'|head -1)])) From cvs at cvs.gnupg.org Tue Jun 27 10:40:24 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 27 10:03:31 2006 Subject: [svn] GnuPG - r4175 - trunk/g10 Message-ID: Author: wk Date: 2006-06-27 10:40:23 +0200 (Tue, 27 Jun 2006) New Revision: 4175 Modified: trunk/g10/ChangeLog trunk/g10/gpg.c Log: do no use reopen_std under W32. Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-25 14:30:52 UTC (rev 4174) +++ trunk/g10/ChangeLog 2006-06-27 08:40:23 UTC (rev 4175) @@ -1,3 +1,7 @@ +2006-06-27 Werner Koch + + * gpg.c (reopen_std) [HAVE_W32_SYSTEM]: Do not use it. + 2006-06-22 David Shaw * options.h, gpg.c (main), keygen.c (keygen_upd_std_prefs, Modified: trunk/g10/gpg.c =================================================================== --- trunk/g10/gpg.c 2006-06-25 14:30:52 UTC (rev 4174) +++ trunk/g10/gpg.c 2006-06-27 08:40:23 UTC (rev 4175) @@ -1631,7 +1631,7 @@ static void reopen_std(void) { -#ifdef HAVE_STAT +#if defined(HAVE_STAT) && !defined(HAVE_W32_SYSTEM) struct stat statbuf; int did_stdin=0,did_stdout=0,did_stderr=0; FILE *complain; @@ -1685,7 +1685,7 @@ if(did_stdin==2 || did_stdout==2 || did_stderr==2) exit(3); -#endif +#endif /* HAVE_STAT && !HAVE_W32_SYSTEM */ } int From cvs at cvs.gnupg.org Tue Jun 27 12:37:32 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 27 12:00:34 2006 Subject: [svn] assuan - r195 - in trunk: . src Message-ID: Author: wk Date: 2006-06-27 12:37:31 +0200 (Tue, 27 Jun 2006) New Revision: 195 Modified: trunk/TODO trunk/src/assuan-client.c Log: Doc updates. Modified: trunk/TODO =================================================================== --- trunk/TODO 2005-10-24 09:25:25 UTC (rev 194) +++ trunk/TODO 2006-06-27 10:37:31 UTC (rev 195) @@ -3,3 +3,9 @@ * When turning libassuan into a shared library, provide a general version as well as a Pth-enabled one. * Need API documentation. +* assuan_transact returns immetitely on an error in the callback + function. It might be Better to return the error to the caller. As + an example see dirmngr-client, where we need to send empty reponses + for unknown inquiries, albeit dirmngr itself would handle the + returns for assuan_inquire gracefully. We need to chekc all + applications whether it is safe to change this. Modified: trunk/src/assuan-client.c =================================================================== --- trunk/src/assuan-client.c 2005-10-24 09:25:25 UTC (rev 194) +++ trunk/src/assuan-client.c 2006-06-27 10:37:31 UTC (rev 195) @@ -125,7 +125,9 @@ * * Return value: 0 on success or error code. The error code may be * the one one returned by the server in error lines or from the - * callback functions. + * callback functions. Take care: When a callback returns an error + * this function returns immediately with an error and thus the caller + * will altter return an Assuan error (write erro in most cases). **/ assuan_error_t assuan_transact (ASSUAN_CONTEXT ctx, From cvs at cvs.gnupg.org Tue Jun 27 13:04:49 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 27 12:27:51 2006 Subject: [svn] dirmngr - r228 - in trunk: . doc src Message-ID: Author: wk Date: 2006-06-27 13:04:47 +0200 (Tue, 27 Jun 2006) New Revision: 228 Modified: trunk/ChangeLog trunk/NEWS trunk/configure.ac trunk/doc/Makefile.am trunk/doc/internals.texi trunk/src/ChangeLog trunk/src/crlcache.c trunk/src/dirmngr-client.c trunk/src/ldap.c trunk/src/validate.c trunk/src/validate.h Log: About to do a new release Modified: trunk/ChangeLog =================================================================== --- trunk/ChangeLog 2006-06-23 18:56:26 UTC (rev 227) +++ trunk/ChangeLog 2006-06-27 11:04:47 UTC (rev 228) @@ -1,3 +1,7 @@ +2006-06-27 Werner Koch + + Released 0.9.5. + 2006-06-23 Werner Koch * doc/internals.texi: new. Modified: trunk/NEWS =================================================================== --- trunk/NEWS 2006-06-23 18:56:26 UTC (rev 227) +++ trunk/NEWS 2006-06-27 11:04:47 UTC (rev 228) @@ -1,7 +1,10 @@ -Noteworthy changes in version 0.9.5 (unreleased) +Noteworthy changes in version 0.9.5 (2006-06-27) ------------------------------------------------ + * Fixed a problems with the CRL caching and CRL certificate + validation. + * Improved diagnostics. Noteworthy changes in version 0.9.4 (2006-05-16) Modified: trunk/configure.ac =================================================================== --- trunk/configure.ac 2006-06-23 18:56:26 UTC (rev 227) +++ trunk/configure.ac 2006-06-27 11:04:47 UTC (rev 228) @@ -23,7 +23,7 @@ AC_PREREQ(2.59) min_automake_version="1.9.3" -AC_INIT(dirmngr, 0.9.5-cvs, gpa-dev@gnupg.org) +AC_INIT(dirmngr, 0.9.5, gpa-dev@gnupg.org) NEED_GPG_ERROR_VERSION=0.7 Modified: trunk/doc/Makefile.am =================================================================== --- trunk/doc/Makefile.am 2006-06-23 18:56:26 UTC (rev 227) +++ trunk/doc/Makefile.am 2006-06-27 11:04:47 UTC (rev 228) @@ -19,6 +19,8 @@ ## Process this file with automake to produce Makefile.in +EXTRA_DIST = internals.texi + info_TEXINFOS = dirmngr.texi dirmngr_TEXINFOS = gpl.texi fdl.texi Modified: trunk/doc/internals.texi =================================================================== --- trunk/doc/internals.texi 2006-06-23 18:56:26 UTC (rev 227) +++ trunk/doc/internals.texi 2006-06-27 11:04:47 UTC (rev 228) @@ -1,53 +1,62 @@ @c internals.texi - this file describes internals of DirMngr. +!!! UNDER CONSTRUCTION !!! + + @section Verifying a Certificate There are several ways to request services from Dirmngr. Almost all of them are done using the Assuan protocol. What we describe here is the -Assuan Command CHECKCRL as used for example by the dirmnr-client tool if +Assuan command CHECKCRL as used for example by the dirmnr-client tool if invoked as +@example dirmngr-client foo.crt +@end example This command will send an Assuan request to an already running Dirmngr instance. foo.crt is expected to be a standard X.509 certificate and dirmngr will receive the Assuan command - CHECKCRL [] +@example + CHECKCRL @var [{fingerprint}] +@end example - is optional and expected to be the SHA-1 has of the DER -encosing of the certificate under question. It is to be HEX encoded. -The rationale for sending the fingerprint is that it allows dirmngr to -rely immediatly if it has already cached such an request. Only if this -is not the case and no certificate has been found in dirmngr's internal -certificate storage, dirmngr will request the certificate using the -Assuan inquiry +@var{fingerprint} is optional and expected to be the SHA-1 has of the +DER encoding of the certificate under question. It is to be HEX +encoded. The rationale for sending the fingerprint is that it allows +dirmngr to reply immediatly if it has already cached such a request. If +this is not the case and no certificate has been found in dirmngr's +internal certificate storage, dirmngr will request the certificate using +the Assuan inquiry +@example INQUIRE TARGETCERT +@end example The caller (in our example dirmngr-client) is then expected to return -the certificate for the request (which should match FINGERPRINT) as a -binary blob. +the certificate for the request (which should match @var{fingerprint}) +as a binary blob. -Dirmngr now passes control to @func{crl_cache_cert_isvalid}. This +Dirmngr now passes control to @code{crl_cache_cert_isvalid}. This function checks whether a CRL item exists for target certificate. These CRL items are kept in a database of already loaded and verified CRLs. This mechanism is called the CRL cache. Obviously timestamps are kept there with each item to cope with the expiration date of the CRL. The -possible return values are: Success to indicate that a valid CRL is -available for the certificate and the certificate itself is not listen -in this CRL, GPG_ERR_CERT_REVOKED to indicate that the certificate is -listed in the CRL or GPG_ERR_NO_CRL_KNOWN in cases where no or no -information is available. he first two codes are immediatly returned to +possible return values are: @code{0} to indicate that a valid CRL is +available for the certificate and the certificate itself is not listed +in this CRL, @code{GPG_ERR_CERT_REVOKED} to indicate that the certificate is +listed in the CRL or @code{GPG_ERR_NO_CRL_KNOWN} in cases where no CRL or no +information is available. The first two codes are immediatly returned to the caller and the processing of this request has been done. -Only the GPG_ERR_NO_CRL_KNOWN needs more attention: Dirmngr now call -@func(clr_cache_reload_crl} and if this succeeds calls -@func(crl_cache_cert_isvald) one more. All further errors are +Only the @code{GPG_ERR_NO_CRL_KNOWN} needs more attention: Dirmngr now +calls @code{clr_cache_reload_crl} and if this succeeds calls +@code{crl_cache_cert_isvald) once more. All further errors are immediately returned to the caller. -@func(clr_cache_reload_crl} is the actual heart of the CRL management. +@code{crl_cache_reload_crl} is the actual heart of the CRL management. It locates the corresponding CRL for the target certificate, reads and verifies this CRL and stores it in the CRL cache. It works like this: @@ -57,12 +66,12 @@ * If the URL scheme is unknown or not enabled (--ignore-http-dp, --ignore-ldap-dp) continues with the next name. - * @func{crl_fetch} is called to actually retrieve the CRL. + * @code{crl_fetch} is called to actually retrieve the CRL. In case of problems this name is ignore and we continue with - the next name. Note that @func{crl_fetch} does only return + the next name. Note that @code{crl_fetch} does only return a descriptor for the CRL for further reading so does the CRL does not yet end up in memory. - * @func{crl_cache_insert} is called with that descriptor to + * @code{crl_cache_insert} is called with that descriptor to actually read the CRL into the cache. See below for a description of this function. If there is any error (e.g. read problem, CRL not correctly signed or verification of signature @@ -74,13 +83,13 @@ this condition is not true. * Try to load a CRL from all configured servers (ldapservers.conf) in turn. The first server returning a CRL is used. - * @func(crl_cache_insert) is then used to actually insert the CRL + * @code(crl_cache_insert) is then used to actually insert the CRL into the cache. If this failed we give up immediatley without checking the rest of the servers from the first step. * Ready. -The @func{crl_cache_insert} function takes care of reading the bulk of +The @code{crl_cache_insert} function takes care of reading the bulk of the CRL, parsing it and checking the signature. It works like this: A new database file is created using a temporary file name. The CRL parsing machinery is started and all items of the CRL are put into @@ -88,7 +97,7 @@ needs to be retrieved. Three cases are to be distinguished: a) An authorityKeyIdentifier with an issuer and serialno exits: The - certificate is retrieved using @func{find_cert_bysn}. If + certificate is retrieved using @code{find_cert_bysn}. If the certificate is in the certificate cache, it is directly returned. Then the requester (i.e. the client who requested the CRL check) is asked via the Assuan inquiry ``SENDCERT'' whether @@ -98,14 +107,14 @@ It is in the interest of the client to return a useful certificate as otherwise the service request will fail due to a bad signature. The last way to get the certificate is by looking it up at - external resources. This is done using the @func{ca_cert_fetch} - and @func{fetch_next_ksba_cert} and comparing the returned + external resources. This is done using the @code{ca_cert_fetch} + and @code{fetch_next_ksba_cert} and comparing the returned certificate to match the requested issuer and seriano (This is needed because the LDAP layer may return several certificates as LDAP as no standard way to retrieve by serial number). b) An authorityKeyIdentifier with a key ID exists: The certificate is - retrieved using @func{find_cert_bysubject}. If the certificate is + retrieved using @code{find_cert_bysubject}. If the certificate is in the certificate cache, it is directly returned. Then the requester is asked via the Assuan inquiry ``SENDCERT_SKI'' whether he can provide this certificate. If this succeed the returned @@ -114,12 +123,12 @@ It is in the interest of the client to return a useful certificate as otherwise the service request will fail due to a bad signature. The last way to get the certificate is by looking it up at - external resources. This is done using the @func{ca_cert_fetch} - and @func{fetch_next_ksba_cert} and comparing the returned + external resources. This is done using the @code{ca_cert_fetch} + and @code{fetch_next_ksba_cert} and comparing the returned certificate to match the requested subject and key ID. c) No authorityKeyIdentifier exits: The certificate is retrieved - using @func{find_cert_bysubject} without the key ID argument. If + using @code{find_cert_bysubject} without the key ID argument. If the certificate is in the certificate cache the first one with a matching subject is is directly returned. Then the requester is asked via the Assuan inquiry ``SENDCERT'' and an exact @@ -130,21 +139,21 @@ It is in the interest of the client to return a useful certificate as otherwise the service request will fail due to a bad signature. The last way to get the certificate is by looking it up at - external resources. This is done using the @func{ca_cert_fetch} - and @func{fetch_next_ksba_cert} and comparing the returned + external resources. This is done using the @code{ca_cert_fetch} + and @code{fetch_next_ksba_cert} and comparing the returned certificate to match the requested subject; the first certificate with a matching subject is then returned. If no certificate was found, the function returns with the error GPG_ERR_MISSING_CERT. Now the signature is verified. If this fails, -the erro is returned. On success the @func{validate_cert_chain} is +the erro is returned. On success the @code{validate_cert_chain} is used to verify that the certificate is actually valid. Here we may encounter a recursive situation: -@func{validate_cert_chain} needs to look at other certificates and +@code{validate_cert_chain} needs to look at other certificates and also at CRLs to check whether tehse other certificates and well, the CRL issuer certificate itself are not revoked. FIXME: We need to make -sure that @func{validate_cert_chain} does not try to lookup the CRL we +sure that @code{validate_cert_chain} does not try to lookup the CRL we are currently processing. This would be a catch-22 and may indicate a broken PKI. However, due to overlapping expiring times and imprecise clocks thsi may actually happen. @@ -160,7 +169,7 @@ @section Validating a certificate -We describe here how the internal function @func{validate_cert_chain} +We describe here how the internal function @code{validate_cert_chain} works. Note that mainly testing purposes this functionality may be called directly using @cmd{dirmngr-client --validate @file{foo.crt}}. @@ -198,18 +207,18 @@ authorityKeyIdentifier is available, this one is used to locate the certificate either using issuer and serialnumber or subject DN (i.e. the issuer's DN) and the keyID. The functions -@func{find_cert_bysn) and @func{find_cert_bysubject} are used +@code{find_cert_bysn) and @code{find_cert_bysubject} are used respectively. The have already been described above under the -description of @func{crl_cache_insert}. If no certificate was found +description of @code{crl_cache_insert}. If no certificate was found or with no authorityKeyIdentifier, only the cache is consulted using -@func{get_cert_bysubject}. The latter is is done under the assumption +@code{get_cert_bysubject}. The latter is is done under the assumption that a matching certificate has explicitly been put into the certificate cache. If the issuer's certificate could not be found, -the validation terminates with the error code GPG_ERR_MISSING_CERT. +the validation terminates with the error code @code{GPG_ERR_MISSING_CERT}. If the issuer's certificate has been found, the signature of the actual certificate is checked and in case this fails the error -GPG_ERR_BAD_CERT_CHAIN is returned. IF the signature checks out, the +#code{GPG_ERR_BAD_CERT_CHAIN} is returned. If the signature checks out, the maximum cahin length of the issueing certificate is checked as well as the capiblity of the certificate (i.e. whether he may be used for certificate signing). Then the certificate is prepended to our list @@ -222,7 +231,7 @@ met. In any of these cases the validation terminates with an appropriate error. -Finally the function @func{check_revocations} is called to verify no +Finally the function @code{check_revocations} is called to verify no certificate in the assempled chain has been revoked: This is an recursive process because a CRL has to be checked for each certificate in the chain except for the root certificate, of which we already know @@ -236,7 +245,7 @@ @section Looking up certificates through LDAP. This describes the LDAP layer to retrieve certificates. -the functions @func{ca_cert_fetch} and @func{fetch_next_ksba_cert} are +the functions @code{ca_cert_fetch} and @code{fetch_next_ksba_cert} are used for this. The first one starts a search and the second one is used to retrieve certificate after certificate. Modified: trunk/src/ChangeLog =================================================================== --- trunk/src/ChangeLog 2006-06-23 18:56:26 UTC (rev 227) +++ trunk/src/ChangeLog 2006-06-27 11:04:47 UTC (rev 228) @@ -1,3 +1,12 @@ +2006-06-27 Werner Koch + + * dirmngr-client.c (inq_cert): Take care of SENDCERT_SKI. + +2006-06-26 Werner Koch + + * crlcache.c (lock_db_file): Count open files when needed. + (find_entry): Fixed deleted case. + 2006-06-23 Werner Koch * misc.c (cert_log_name): New. @@ -5,14 +14,15 @@ * certcache.c (load_certs_from_dir): Also print certificate name. (find_cert_bysn): Release ISSDN. - * validate.h: New VALIDATED_MODE_CERT. + * validate.h: New VALIDATE_MODE_CERT. * server.c (cmd_validate): Use it here so that no policy checks are done. Try to validated a cached copy of the target. * validate.c (validate_cert_chain): Implement a validation cache. (check_revocations): Print more diagnostics. Actually use the loop variable and not the head of the list. - + (validate_cert_chain): Do not check revocations of CRL issuer + certificates in plain CRL check mode. * ocsp.c (ocsp_isvalid): Make sure it is reset for a status of revoked. Modified: trunk/src/crlcache.c =================================================================== --- trunk/src/crlcache.c 2006-06-23 18:56:26 UTC (rev 227) +++ trunk/src/crlcache.c 2006-06-27 11:04:47 UTC (rev 228) @@ -153,7 +153,6 @@ struct crl_cache_s { crl_cache_entry_t entries; - unsigned int cdb_open_count; /* Currently open cache files. */ }; typedef struct crl_cache_s *crl_cache_t; @@ -951,6 +950,8 @@ { char *fname; int fd; + int open_count; + crl_cache_entry_t e; if (entry->cdb) { @@ -958,12 +959,20 @@ return entry->cdb; } + for (open_count = 0, e = cache->entries; e; e = e->next) + { + if (e->cdb) + open_count++; +/* log_debug ("CACHE: cdb=%p use_count=%u lru_count=%u\n", */ +/* e->cdb,e->cdb_use_count,e->cdb_lru_count); */ + } + /* If there are too many file open, find the least recent used DB file and close it. Note that for Pth thread safeness we need to use a loop here. */ - while (cache->cdb_open_count >= MAX_OPEN_DB_FILES ) + while (open_count >= MAX_OPEN_DB_FILES ) { - crl_cache_entry_t e, last_e = NULL; + crl_cache_entry_t last_e = NULL; unsigned int last_lru = (unsigned int)(-1); for (e = cache->entries; e; e = e->next) @@ -978,14 +987,15 @@ return NULL; } +/* log_debug ("CACHE: closing file at cdb=%p\n", last_e->cdb); */ + fd = cdb_fileno (last_e->cdb); cdb_free (last_e->cdb); xfree (last_e->cdb); last_e->cdb = NULL; if (close (fd)) log_error (_("error closing cache file: %s\n"), strerror(errno)); - assert (cache->cdb_open_count); - cache->cdb_open_count--; + open_count--; } @@ -1031,7 +1041,6 @@ entry->cdb_use_count = 1; entry->cdb_lru_count = 0; - cache->cdb_open_count++; return entry->cdb; } @@ -1074,7 +1083,7 @@ static crl_cache_entry_t find_entry (crl_cache_entry_t first, const char *issuer_hash) { - while (first && !first->deleted && strcmp (issuer_hash, first->issuer_hash) ) + while (first && (first->deleted || strcmp (issuer_hash, first->issuer_hash))) first = first->next; return first; } @@ -1660,7 +1669,7 @@ goto failure; } err = validate_cert_chain (ctrl, crlissuer_cert, - NULL, VALIDATE_MODE_CRL); + NULL, VALIDATE_MODE_CRL_RECURSIVE); if (err) { log_error (_("error checking validity of CRL " Modified: trunk/src/dirmngr-client.c =================================================================== --- trunk/src/dirmngr-client.c 2006-06-23 18:56:26 UTC (rev 227) +++ trunk/src/dirmngr-client.c 2006-06-27 11:04:47 UTC (rev 228) @@ -760,17 +760,28 @@ simply ignore it by sending back and empty value. */ ae = assuan_send_data (parm->ctx, NULL, 0); } + else if (!strncmp (line, "SENDCERT_SKI", 12) + && (line[12]==' ' || !line[12])) + { + /* We don't support this but dirmngr might ask for it. So + simply ignore it by sending back an empty value. */ + ae = assuan_send_data (parm->ctx, NULL, 0); + } else if (!strncmp (line, "SENDISSUERCERT", 14) && (line[14] == ' ' || !line[14])) { /* We don't support this but dirmngr might ask for it. So - simply ignore it by sending back and empty value. */ + simply ignore it by sending back an empty value. */ ae = assuan_send_data (parm->ctx, NULL, 0); } else { log_info (_("unsupported inquiry `%s'\n"), line); ae = ASSUAN_Inquire_Unknown; + /* Note that this error will let assuan_transact terminate + immediately instead of return the error to the caller. It is + not clear whether this is the desired behaviour - it may + change in future. */ } return ae; Modified: trunk/src/ldap.c =================================================================== --- trunk/src/ldap.c 2006-06-23 18:56:26 UTC (rev 227) +++ trunk/src/ldap.c 2006-06-27 11:04:47 UTC (rev 228) @@ -841,7 +841,7 @@ NULL, NULL, NULL, url, reader); - /* FIXME: This option might be used for DoS attacks. Becuase it + /* FIXME: This option might be used for DoS attacks. Because it will enlarge the list of servers to consult without a limit and all LDAP queries w/o a host are will then try each host in turn. */ Modified: trunk/src/validate.c =================================================================== --- trunk/src/validate.c 2006-06-23 18:56:26 UTC (rev 227) +++ trunk/src/validate.c 2006-06-27 11:04:47 UTC (rev 228) @@ -626,7 +626,7 @@ cert_log_name (" certificate", citem->cert); } - if (!err) + if (!err && mode != VALIDATE_MODE_CRL) { /* Now that everything is fine, walk the chain and check each certificate for revocations. Modified: trunk/src/validate.h =================================================================== --- trunk/src/validate.h 2006-06-23 18:56:26 UTC (rev 227) +++ trunk/src/validate.h 2006-06-27 11:04:47 UTC (rev 228) @@ -23,9 +23,14 @@ enum { + /* Simple certificate validation mode. */ VALIDATE_MODE_CERT = 0, + /* Standard CRL issuer certificate validation; i.e. CRLs are not + considered for CRL issuer certificates. */ VALIDATE_MODE_CRL = 1, + /* Full CRL validation. */ VALIDATE_MODE_CRL_RECURSIVE = 2, + /* Validation as used for OCSP. */ VALIDATE_MODE_OCSP = 3 }; From cvs at cvs.gnupg.org Tue Jun 27 13:12:17 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 27 12:35:18 2006 Subject: [svn] dirmngr - r229 - tags Message-ID: Author: wk Date: 2006-06-27 13:12:17 +0200 (Tue, 27 Jun 2006) New Revision: 229 Added: tags/dirmngr-0.9.5/ Log: Tagged release Copied: tags/dirmngr-0.9.5 (from rev 228, trunk) From cvs at cvs.gnupg.org Tue Jun 27 16:31:02 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 27 15:54:06 2006 Subject: [svn] GnuPG - r4176 - branches/GNUPG-1-9-BRANCH/g10 Message-ID: Author: wk Date: 2006-06-27 16:30:59 +0200 (Tue, 27 Jun 2006) New Revision: 4176 Modified: branches/GNUPG-1-9-BRANCH/g10/ChangeLog branches/GNUPG-1-9-BRANCH/g10/build-packet.c branches/GNUPG-1-9-BRANCH/g10/exec.c branches/GNUPG-1-9-BRANCH/g10/getkey.c branches/GNUPG-1-9-BRANCH/g10/gpg.c branches/GNUPG-1-9-BRANCH/g10/import.c branches/GNUPG-1-9-BRANCH/g10/keygen.c branches/GNUPG-1-9-BRANCH/g10/options.h branches/GNUPG-1-9-BRANCH/g10/parse-packet.c branches/GNUPG-1-9-BRANCH/g10/sign.c Log: Ported patches from 1.4.x Modified: branches/GNUPG-1-9-BRANCH/g10/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/ChangeLog 2006-06-27 08:40:23 UTC (rev 4175) +++ branches/GNUPG-1-9-BRANCH/g10/ChangeLog 2006-06-27 14:30:59 UTC (rev 4176) @@ -1,3 +1,63 @@ +2006-06-27 Werner Koch + + Applied patches from 1.4.x (2006-05-22 to 2006-06-23) from David: + + * keygen.c (keygen_upd_std_prefs, keygen_add_std_prefs) + (proc_parameter_file): Add --default-keyserver-url to specify a + keyserver URL at key generation time, and "Keyserver:" keyword for + doing the same through a batch file. + * options.h, gpg.c (main): Ditto. + + * sign.c (do_sign): For now don't accept a truncated hash even + for DSA1 keys (be liberal in what you accept, etc). + + * import.c (import_one): Add a flag (from_sk) so we don't check + prefs on an autoconverted public key. The check should only + happen on the sk side. Noted by Dirk Traulsen. + + * keygen.c (gen_card_key): Add optional argument to return a + pointer (not a copy) of the stub secret key for the secret key we + just generated on the card. + (generate_card_subkeypair): Use it here so that the signing key on + the card can use the card to generate the 0x19 backsig on the + primary key. Noted by Janko Heilgeist and Jonas Oberg. + + * parse-packet.c (parse_user_id): Cap the user ID size at 2048 + bytes. This prevents a memory allocation attack with a very large + user ID. A very large packet length could even cause the + allocation (a u32) to wrap around to a small number. Noted by + Evgeny Legerov on full-disclosure. + + * keygen.c (gen_dsa): Allow generating DSA2 keys. Allow + specifying sizes > 1024 when --enable-dsa2 is set. The size of q + is set automatically based on the key size. + (ask_keysize, generate_keypair): Ask for DSA size when + --enable-dsa2 is set. + + * exec.c (make_tempdir) [W32]: Fix bug with a temporary directory + on W32 that is over 256 bytes long. Noted by Israel G. Lugo. + + * gpg.c (reopen_std): New function to reopen fd 0, 1, or 2 if we + are called with them closed. This is to protect our + keyring/trustdb files from corruption if they get attached to one + of the standard fds. Print a warning if possible that this has + happened, and fail completely if we cannot reopen (should never + happen). + (main): Call it here. + + * parse-packet.c (dump_sig_subpkt, parse_signature): Fix meaning + of key expiration and sig expiration subpackets - zero means + "never expire" according to 2440, not "expire instantly". + * build-packet.c (build_sig_subpkt_from_sig): Ditto. + * getkey.c (fixup_uidnode, merge_selfsigs_main) + (merge_selfsigs_subkey): Ditto. + * keygen.c (keygen_add_key_expire): Ditto. + + * getkey.c (get_pubkey_byname) + * import.c (import_one): Fix key selection problem when + auto-key-locate returns a list of keys, not all of which are + usable (revoked, expired, etc). Noted by Simon Josefsson. + 2006-05-24 Werner Koch * keyid.c (hash_public_key): Do not double hash the length bytes, Modified: branches/GNUPG-1-9-BRANCH/g10/build-packet.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/build-packet.c 2006-06-27 08:40:23 UTC (rev 4175) +++ branches/GNUPG-1-9-BRANCH/g10/build-packet.c 2006-06-27 14:30:59 UTC (rev 4176) @@ -841,7 +841,8 @@ if(sig->expiredate>sig->timestamp) u=sig->expiredate-sig->timestamp; else - u=0; + u=1; /* A 1-second expiration time is the shortest one + OpenPGP has */ buf[0] = (u >> 24) & 0xff; buf[1] = (u >> 16) & 0xff; Modified: branches/GNUPG-1-9-BRANCH/g10/exec.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/exec.c 2006-06-27 08:40:23 UTC (rev 4175) +++ branches/GNUPG-1-9-BRANCH/g10/exec.c 2006-06-27 14:30:59 UTC (rev 4176) @@ -127,8 +127,11 @@ if(tmp==NULL) { #if defined (_WIN32) - tmp=xmalloc(256); - if(GetTempPath(256,tmp)==0) + int err; + + tmp=xmalloc(MAX_PATH+2); + err=GetTempPath(MAX_PATH+1,tmp); + if(err==0 || err>MAX_PATH+1) strcpy(tmp,"c:\\windows\\temp"); else { Modified: branches/GNUPG-1-9-BRANCH/g10/getkey.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/getkey.c 2006-06-27 08:40:23 UTC (rev 4175) +++ branches/GNUPG-1-9-BRANCH/g10/getkey.c 2006-06-27 14:30:59 UTC (rev 4176) @@ -935,7 +935,7 @@ for(akl=opt.auto_key_locate;akl;akl=akl->next) { - unsigned char *fpr; + unsigned char *fpr=NULL; size_t fpr_len; switch(akl->type) @@ -1507,12 +1507,12 @@ /* store the key flags in the helper variable for later processing */ uid->help_key_usage=parse_key_usage(sig); - /* ditto or the key expiration */ - uid->help_key_expire = 0; + /* ditto for the key expiration */ p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL); - if ( p ) { - uid->help_key_expire = keycreated + buffer_to_u32(p); - } + if( p && buffer_to_u32(p) ) + uid->help_key_expire = keycreated + buffer_to_u32(p); + else + uid->help_key_expire = 0; /* Set the primary user ID flag - we will later wipe out some * of them to only have one in our keyblock */ @@ -1724,7 +1724,7 @@ key_usage=parse_key_usage(sig); p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL); - if ( p ) + if( p && buffer_to_u32(p) ) { key_expire = keytimestamp + buffer_to_u32(p); key_expire_seen = 1; @@ -2128,7 +2128,7 @@ subpk->pubkey_usage = key_usage; p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_KEY_EXPIRE, NULL); - if ( p ) + if ( p && buffer_to_u32(p) ) key_expire = keytimestamp + buffer_to_u32(p); else key_expire = 0; Modified: branches/GNUPG-1-9-BRANCH/g10/gpg.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/gpg.c 2006-06-27 08:40:23 UTC (rev 4175) +++ branches/GNUPG-1-9-BRANCH/g10/gpg.c 2006-06-27 14:30:59 UTC (rev 4176) @@ -328,6 +328,7 @@ oNoAutoCheckTrustDB, oPreservePermissions, oDefaultPreferenceList, + oDefaultKeyserverURL, oPersonalCipherPreferences, oPersonalDigestPreferences, oPersonalCompressPreferences, @@ -659,6 +660,7 @@ { aRebuildKeydbCaches, "rebuild-keydb-caches", 256, "@"}, { oPreservePermissions, "preserve-permissions", 0, "@"}, { oDefaultPreferenceList, "default-preference-list", 2, "@"}, + { oDefaultKeyserverURL, "default-keyserver-url", 2, "@"}, { oPersonalCipherPreferences, "personal-cipher-preferences", 2, "@"}, { oPersonalDigestPreferences, "personal-digest-preferences", 2, "@"}, { oPersonalCompressPreferences, "personal-compress-preferences", 2, "@"}, @@ -1643,6 +1645,78 @@ log_error("unknown trust model `%s'\n",model); } + + +/* Make sure that the standard file descriptors are opened. Obviously + some folks close them before an exec and the next file we open will + get one of them assigned and thus any output (i.e. diagnostics) end + up in that file (e.g. the trustdb). Not actually a gpg problem as + this will hapenn with almost all utilities when called in a wrong + way. However we try to minimize the damage here and raise + awareness of the problem. + + Must be called before we open any files! */ +static void +reopen_std(void) +{ +#if defined(HAVE_STAT) && !defined(HAVE_W32_SYSTEM) + struct stat statbuf; + int did_stdin=0,did_stdout=0,did_stderr=0; + FILE *complain; + + if(fstat(STDIN_FILENO,&statbuf)==-1 && errno==EBADF) + { + if(open("/dev/null",O_RDONLY)==STDIN_FILENO) + did_stdin=1; + else + did_stdin=2; + } + + if(fstat(STDOUT_FILENO,&statbuf)==-1 && errno==EBADF) + { + if(open("/dev/null",O_WRONLY)==STDOUT_FILENO) + did_stdout=1; + else + did_stdout=2; + } + + if(fstat(STDERR_FILENO,&statbuf)==-1 && errno==EBADF) + { + if(open("/dev/null",O_WRONLY)==STDERR_FILENO) + did_stderr=1; + else + did_stderr=2; + } + + /* It's hard to log this sort of thing since the filehandle we would + complain to may be closed... */ + if(did_stderr==0) + complain=stderr; + else if(did_stdout==0) + complain=stdout; + else + complain=NULL; + + if(complain) + { + if(did_stdin==1) + fprintf(complain,"gpg: WARNING: standard input reopened\n"); + if(did_stdout==1) + fprintf(complain,"gpg: WARNING: standard output reopened\n"); + if(did_stderr==1) + fprintf(complain,"gpg: WARNING: standard error reopened\n"); + + if(did_stdin==2 || did_stdout==2 || did_stderr==2) + fprintf(complain,"gpg: fatal: unable to reopen standard input," + " output, or error\n"); + } + + if(did_stdin==2 || did_stdout==2 || did_stderr==2) + exit(3); +#endif /* HAVE_STAT && !HAVE_W32_SYSTEM */ +} + + int main (int argc, char **argv ) { @@ -1697,7 +1771,7 @@ /* Please note that we may running SUID(ROOT), so be very CAREFUL when adding any stuff between here and the call to secmem_init() somewhere after the option parsing. */ - + reopen_std (); trap_unaligned(); set_strusage (my_strusage); gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN); @@ -2586,6 +2660,19 @@ case oDefaultPreferenceList: opt.def_preference_list = pargs.r.ret_str; break; + case oDefaultKeyserverURL: + { + struct keyserver_spec *keyserver; + keyserver=parse_keyserver_uri(pargs.r.ret_str,1, + configname,configlineno); + if(!keyserver) + log_error(_("could not parse keyserver URL\n")); + else + free_keyserver_spec(keyserver); + + opt.def_keyserver_url = pargs.r.ret_str; + } + break; case oPersonalCipherPreferences: pers_cipher_list=pargs.r.ret_str; break; Modified: branches/GNUPG-1-9-BRANCH/g10/import.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/import.c 2006-06-27 08:40:23 UTC (rev 4175) +++ branches/GNUPG-1-9-BRANCH/g10/import.c 2006-06-27 14:30:59 UTC (rev 4176) @@ -66,7 +66,7 @@ static void revocation_present(KBNODE keyblock); static int import_one(const char *fname, KBNODE keyblock,struct stats_s *stats, unsigned char **fpr,size_t *fpr_len, - unsigned int options); + unsigned int options,int from_sk); static int import_secret_one( const char *fname, KBNODE keyblock, struct stats_s *stats, unsigned int options); static int import_revoke_cert( const char *fname, KBNODE node, @@ -258,7 +258,7 @@ while( !(rc = read_block( inp, &pending_pkt, &keyblock) )) { if( keyblock->pkt->pkttype == PKT_PUBLIC_KEY ) - rc = import_one( fname, keyblock, stats, fpr, fpr_len, options ); + rc = import_one( fname, keyblock, stats, fpr, fpr_len, options, 0); else if( keyblock->pkt->pkttype == PKT_SECRET_KEY ) rc = import_secret_one( fname, keyblock, stats, options ); else if( keyblock->pkt->pkttype == PKT_SIGNATURE @@ -679,7 +679,8 @@ */ static int import_one( const char *fname, KBNODE keyblock, struct stats_s *stats, - unsigned char **fpr,size_t *fpr_len,unsigned int options ) + unsigned char **fpr,size_t *fpr_len,unsigned int options, + int from_sk ) { PKT_public_key *pk; PKT_public_key *pk_orig; @@ -698,9 +699,6 @@ pk = node->pkt->pkt.public_key; - if(fpr) - *fpr=fingerprint_from_pk(pk,NULL,fpr_len); - keyid_from_pk( pk, keyid ); uidnode = find_next_kbnode( keyblock, PKT_USER_ID ); @@ -978,13 +976,31 @@ if(mod_key) { revocation_present(keyblock_orig); - if(seckey_available(keyid)==0) + if(!from_sk && seckey_available(keyid)==0) check_prefs(keyblock_orig); } else if(new_key) { + /* A little explanation for this: we fill in the fingerprint + when importing keys as it can be useful to know the + fingerprint in certain keyserver-related cases (a keyserver + asked for a particular name, but the key doesn't have that + name). However, in cases where we're importing more than + one key at a time, we cannot know which key to fingerprint. + In these cases, rather than guessing, we do not fingerpring + at all, and we must hope the user ID on the keys are + useful. */ + if(fpr) + { + xfree(*fpr); + if(stats->imported==1) + *fpr=fingerprint_from_pk(pk,NULL,fpr_len); + else + *fpr=NULL; + } + revocation_present(keyblock); - if(seckey_available(keyid)==0) + if(!from_sk && seckey_available(keyid)==0) check_prefs(keyblock); } @@ -1156,7 +1172,7 @@ if(pub_keyblock) { import_one(fname,pub_keyblock,stats, - NULL,NULL,opt.import_options); + NULL,NULL,opt.import_options,1); release_kbnode(pub_keyblock); } } Modified: branches/GNUPG-1-9-BRANCH/g10/keygen.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/keygen.c 2006-06-27 08:40:23 UTC (rev 4175) +++ branches/GNUPG-1-9-BRANCH/g10/keygen.c 2006-06-27 14:30:59 UTC (rev 4176) @@ -42,6 +42,7 @@ #include "trustdb.h" #include "status.h" #include "i18n.h" +#include "keyserver-internal.h" #include "call-agent.h" @@ -69,7 +70,8 @@ pPASSPHRASE_S2K, pSERIALNO, pBACKUPENCDIR, - pHANDLE + pHANDLE, + pKEYSERVER }; struct para_data_s { @@ -125,6 +127,7 @@ static int write_keyblock( IOBUF out, KBNODE node ); static int gen_card_key (int algo, int keyno, int is_primary, KBNODE pub_root, KBNODE sec_root, + PKT_secret_key **ret_sk, u32 expireval, struct para_data_s *para); static int gen_card_key_with_backup (int algo, int keyno, int is_primary, KBNODE pub_root, KBNODE sec_root, @@ -224,7 +227,7 @@ if(pk->expiredate > pk->timestamp) u= pk->expiredate - pk->timestamp; else - u= 0; + u= 1; buf[0] = (u >> 24) & 0xff; buf[1] = (u >> 16) & 0xff; @@ -657,6 +660,7 @@ /* Make sure that the MDC feature flag is set if needed */ add_feature_mdc (sig,mdc_available); add_keyserver_modify (sig,ks_modify); + keygen_add_keyserver_url(sig,NULL); return 0; } @@ -675,6 +679,7 @@ do_add_key_flags (sig, pk->pubkey_usage); keygen_add_key_expire( sig, opaque ); keygen_upd_std_prefs (sig, opaque); + keygen_add_keyserver_url(sig,NULL); return 0; } @@ -684,6 +689,9 @@ { const char *url=opaque; + if(!url) + url=opt.def_keyserver_url; + if(url) build_sig_subpkt(sig,SIGSUBPKT_PREF_KS,url,strlen(url)); else @@ -940,7 +948,6 @@ return rc; } -/* sub_sk is currently unused (reserved for backsigs) */ static int write_keybinding( KBNODE root, KBNODE pub_root, PKT_secret_key *pri_sk, PKT_secret_key *sub_sk, @@ -1224,20 +1231,54 @@ PKT_public_key *pk; gcry_sexp_t s_parms, s_key; gcry_sexp_t misc_key_info; + unsigned int qbits; - if( nbits > 1024 || nbits < 512 ) { + if ( nbits < 512 || (!opt.flags.dsa2 && nbits > 1024)) + { nbits = 1024; log_info(_("keysize invalid; using %u bits\n"), nbits ); - } + } + else if ( nbits > 3072 ) + { + nbits = 3072; + log_info(_("keysize invalid; using %u bits\n"), nbits ); + } - if( (nbits % 64) ) { + if( (nbits % 64) ) + { nbits = ((nbits + 63) / 64) * 64; log_info(_("keysize rounded up to %u bits\n"), nbits ); - } + } + /* + Figure out a q size based on the key size. FIPS 180-3 says: + + L = 1024, N = 160 + L = 2048, N = 224 + L = 2048, N = 256 + L = 3072, N = 256 + + 2048/256 is an odd pair since there is also a 2048/224 and + 3072/256. Matching sizes is not a very exact science. + + We'll do 256 qbits for nbits over 2048, 224 for nbits over 1024 + but less than 2048, and 160 for 1024 (DSA1). + */ + + if (nbits > 2048) + qbits = 256; + else if ( nbits > 1024) + qbits = 224; + else + qbits = 160; + + if (qbits != 160 ) + log_info (_("WARNING: some OpenPGP programs can't" + " handle a DSA key with this digest size\n")); + rc = gcry_sexp_build (&s_parms, NULL, - "(genkey(dsa(nbits %d)))", - (int)nbits); + "(genkey(dsa(nbits %d)(qbits %d)))", + (int)nbits, (int)qbits); if (rc) log_bug ("gcry_sexp_build failed: %s\n", gpg_strerror (rc)); @@ -1253,9 +1294,8 @@ pk = xmalloc_clear( sizeof *pk ); sk->timestamp = pk->timestamp = make_timestamp(); sk->version = pk->version = 4; - if( expireval ) { - sk->expiredate = pk->expiredate = sk->timestamp + expireval; - } + if (expireval) + sk->expiredate = pk->expiredate = sk->timestamp + expireval; sk->pubkey_algo = pk->pubkey_algo = PUBKEY_ALGO_DSA; rc = key_from_sexp (pk->pkey, s_key, "public-key", "pqgy"); @@ -1633,10 +1673,10 @@ switch(algo) { case PUBKEY_ALGO_DSA: - if(opt.expert) + if(opt.flags.dsa2) { def=1024; - max=1024; + max=3072; } else { @@ -2375,6 +2415,25 @@ /* Set preferences, if any. */ keygen_set_std_prefs(get_parameter_value( para, pPREFERENCES ), 0); + /* Set keyserver, if any. */ + s1=get_parameter_value( para, pKEYSERVER ); + if(s1) + { + struct keyserver_spec *spec; + + spec=parse_keyserver_uri(s1,1,NULL,0); + if(spec) + { + free_keyserver_spec(spec); + opt.def_keyserver_url=s1; + } + else + { + log_error("%s:%d: invalid keyserver url\n", fname, r->lnr ); + return -1; + } + } + /* Set revoker, if any. */ if (parse_revocation_key (fname, para, pREVOKER)) return -1; @@ -2467,6 +2526,7 @@ { "Preferences", pPREFERENCES }, { "Revoker", pREVOKER }, { "Handle", pHANDLE }, + { "Keyserver", pKEYSERVER }, { NULL, 0 } }; IOBUF fp; @@ -2746,13 +2806,13 @@ sprintf( r->u.value, "%d", PUBKEY_ALGO_DSA ); r->next = para; para = r; - tty_printf(_("DSA keypair will have %u bits.\n"),1024); + nbits = ask_keysize( PUBKEY_ALGO_DSA ); + r = xmalloc_clear( sizeof *r + 20 ); + r->key = pKEYLENGTH; + sprintf( r->u.value, "%u", nbits); + r->next = para; + para = r; r = xmalloc_clear( sizeof *r + 20 ); - r->key = pKEYLENGTH; - strcpy( r->u.value, "1024" ); - r->next = para; - para = r; - r = xmalloc_clear( sizeof *r + 20 ); r->key = pKEYUSAGE; strcpy( r->u.value, "sign" ); r->next = para; @@ -2791,7 +2851,7 @@ } } - + nbits = ask_keysize( algo ); r = xmalloc_clear( sizeof *r + 20 ); r->key = both? pSUBKEYLENGTH : pKEYLENGTH; @@ -3057,7 +3117,7 @@ } else { - rc = gen_card_key (PUBKEY_ALGO_RSA, 1, 1, pub_root, sec_root, + rc = gen_card_key (PUBKEY_ALGO_RSA, 1, 1, pub_root, sec_root, NULL, get_parameter_u32 (para, pKEYEXPIRE), para); if (!rc) { @@ -3093,7 +3153,7 @@ if (!rc && card && get_parameter (para, pAUTHKEYTYPE)) { - rc = gen_card_key (PUBKEY_ALGO_RSA, 3, 0, pub_root, sec_root, + rc = gen_card_key (PUBKEY_ALGO_RSA, 3, 0, pub_root, sec_root, NULL, get_parameter_u32 (para, pKEYEXPIRE), para); if (!rc) @@ -3129,6 +3189,7 @@ } else rc = gen_card_key (PUBKEY_ALGO_RSA, 2, 0, pub_root, sec_root, + NULL, get_parameter_u32 (para, pKEYEXPIRE), para); } @@ -3353,7 +3414,7 @@ } rc = do_create( algo, nbits, pub_keyblock, sec_keyblock, - dek, s2k, &sub_sk, expire, 1 ); + dek, s2k, &sub_sk, expire, 1 ); if( !rc ) rc = write_keybinding(pub_keyblock, pub_keyblock, pri_sk, sub_sk, use); if( !rc ) @@ -3387,7 +3448,7 @@ { int okay=0, rc=0; KBNODE node; - PKT_secret_key *pri_sk = NULL; + PKT_secret_key *pri_sk = NULL, *sub_sk; int algo; unsigned int use; u32 expire; @@ -3467,11 +3528,12 @@ if (passphrase) set_next_passphrase (passphrase); - rc = gen_card_key (algo, keyno, 0, pub_keyblock, sec_keyblock, expire, para); + rc = gen_card_key (algo, keyno, 0, pub_keyblock, sec_keyblock, + &sub_sk, expire, para); if (!rc) - rc = write_keybinding (pub_keyblock, pub_keyblock, pri_sk, NULL, use); + rc = write_keybinding (pub_keyblock, pub_keyblock, pri_sk, sub_sk, use); if (!rc) - rc = write_keybinding (sec_keyblock, pub_keyblock, pri_sk, NULL, use); + rc = write_keybinding (sec_keyblock, pub_keyblock, pri_sk, sub_sk, use); if (!rc) { okay = 1; @@ -3518,7 +3580,7 @@ static int gen_card_key (int algo, int keyno, int is_primary, - KBNODE pub_root, KBNODE sec_root, + KBNODE pub_root, KBNODE sec_root, PKT_secret_key **ret_sk, u32 expireval, struct para_data_s *para) { #ifdef ENABLE_CARD_SUPPORT @@ -3579,6 +3641,9 @@ sk->protect.iv[sk->protect.ivlen] = xtoi_2 (s); } + if( ret_sk ) + *ret_sk = sk; + pkt = xcalloc (1,sizeof *pkt); pkt->pkttype = is_primary ? PKT_PUBLIC_KEY : PKT_PUBLIC_SUBKEY; pkt->pkt.public_key = pk; Modified: branches/GNUPG-1-9-BRANCH/g10/options.h =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/options.h 2006-06-27 08:40:23 UTC (rev 4175) +++ branches/GNUPG-1-9-BRANCH/g10/options.h 2006-06-27 14:30:59 UTC (rev 4176) @@ -154,7 +154,8 @@ unsigned int export_options; unsigned int list_options; unsigned int verify_options; - char *def_preference_list; + const char *def_preference_list; + const char *def_keyserver_url; prefitem_t *personal_cipher_prefs; prefitem_t *personal_digest_prefs; prefitem_t *personal_compress_prefs; Modified: branches/GNUPG-1-9-BRANCH/g10/parse-packet.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/parse-packet.c 2006-06-27 08:40:23 UTC (rev 4175) +++ branches/GNUPG-1-9-BRANCH/g10/parse-packet.c 2006-06-27 14:30:59 UTC (rev 4176) @@ -1,6 +1,6 @@ /* parse-packet.c - read packets - * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, - * 2005 Free Software Foundation, Inc. + * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, + * 2006 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -876,8 +876,13 @@ break; case SIGSUBPKT_SIG_EXPIRE: if( length >= 4 ) - fprintf (listfp, "sig expires after %s", - strtimevalue( buffer_to_u32(buffer) ) ); + { + if(buffer_to_u32(buffer)) + fprintf (listfp, "sig expires after %s", + strtimevalue( buffer_to_u32(buffer) ) ); + else + fprintf (listfp, "sig does not expire"); + } break; case SIGSUBPKT_EXPORTABLE: if( length ) @@ -901,8 +906,13 @@ break; case SIGSUBPKT_KEY_EXPIRE: if( length >= 4 ) - fprintf (listfp, "key expires after %s", - strtimevalue( buffer_to_u32(buffer) ) ); + { + if(buffer_to_u32(buffer)) + fprintf (listfp, "key expires after %s", + strtimevalue( buffer_to_u32(buffer) ) ); + else + fprintf (listfp, "key does not expire"); + } break; case SIGSUBPKT_PREF_SYM: fputs("pref-sym-algos:", listfp ); @@ -1408,7 +1418,7 @@ log_info ("signature packet without keyid\n"); p=parse_sig_subpkt(sig->hashed,SIGSUBPKT_SIG_EXPIRE,NULL); - if(p) + if(p && buffer_to_u32(p)) sig->expiredate=sig->timestamp+buffer_to_u32(p); if(sig->expiredate && sig->expiredate<=make_timestamp()) sig->flags.expired=1; @@ -2027,6 +2037,20 @@ { byte *p; + /* Cap the size of a user ID at 2k: a value absurdly large enough + that there is no sane user ID string (which is printable text + as of RFC2440bis) that won't fit in it, but yet small enough to + avoid allocation problems. A large pktlen may not be + allocatable, and a very large pktlen could actually cause our + allocation to wrap around in xmalloc to a small number. */ + + if (pktlen > 2048) + { + log_error ("packet(%d) too large\n", pkttype); + iobuf_skip_rest(inp, pktlen, 0); + return G10ERR_INVALID_PACKET; + } + packet->pkt.user_id = xmalloc_clear(sizeof *packet->pkt.user_id + pktlen); packet->pkt.user_id->len = pktlen; packet->pkt.user_id->ref=1; Modified: branches/GNUPG-1-9-BRANCH/g10/sign.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/sign.c 2006-06-27 08:40:23 UTC (rev 4175) +++ branches/GNUPG-1-9-BRANCH/g10/sign.c 2006-06-27 14:30:59 UTC (rev 4176) @@ -320,6 +320,12 @@ } else { +#if 0 /* disabled *. + /* Disabled for now. It seems reasonable to accept a + truncated hash for a DSA1 key, even though we don't + generate it without --enable-dsa2. Be liberal in what you + accept, etc. */ + /* If it's a DSA key, and q is 160 bits, it might be an old-style DSA key. If the hash doesn't match the q, fail unless --enable-dsa2 is set. If the q isn't 160 bits, then @@ -333,6 +339,7 @@ log_error(_("DSA requires the use of a 160 bit hash algorithm\n")); return G10ERR_GENERAL; } +#endif /* disabled */ frame = encode_md_value( NULL, sk, md, digest_algo ); if (!frame) @@ -1539,7 +1546,7 @@ } /* Note that already expired sigs will remain expired (with a - duration of 0) since build-packet.c:build_sig_subpkt_from_sig + duration of 1) since build-packet.c:build_sig_subpkt_from_sig detects this case. */ if( sig->version >= 4 ) From cvs at cvs.gnupg.org Tue Jun 27 16:32:55 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Tue Jun 27 15:55:53 2006 Subject: [svn] GnuPG - r4177 - in branches/GNUPG-1-9-BRANCH: . agent sm Message-ID: Author: wk Date: 2006-06-27 16:32:34 +0200 (Tue, 27 Jun 2006) New Revision: 4177 Modified: branches/GNUPG-1-9-BRANCH/NEWS branches/GNUPG-1-9-BRANCH/TODO branches/GNUPG-1-9-BRANCH/agent/ChangeLog branches/GNUPG-1-9-BRANCH/agent/command-ssh.c branches/GNUPG-1-9-BRANCH/agent/gpg-agent.c branches/GNUPG-1-9-BRANCH/configure.ac branches/GNUPG-1-9-BRANCH/sm/ChangeLog branches/GNUPG-1-9-BRANCH/sm/certchain.c branches/GNUPG-1-9-BRANCH/sm/certdump.c branches/GNUPG-1-9-BRANCH/sm/gpgsm.h branches/GNUPG-1-9-BRANCH/sm/keylist.c Log: Various smaller changes Modified: branches/GNUPG-1-9-BRANCH/NEWS =================================================================== --- branches/GNUPG-1-9-BRANCH/NEWS 2006-06-27 14:30:59 UTC (rev 4176) +++ branches/GNUPG-1-9-BRANCH/NEWS 2006-06-27 14:32:34 UTC (rev 4177) @@ -1,3 +1,8 @@ +Noteworthy changes in version 1.9.22 +------------------------------------------------- + + + Noteworthy changes in version 1.9.21 (2006-06-20) ------------------------------------------------- Modified: branches/GNUPG-1-9-BRANCH/TODO =================================================================== --- branches/GNUPG-1-9-BRANCH/TODO 2006-06-27 14:30:59 UTC (rev 4176) +++ branches/GNUPG-1-9-BRANCH/TODO 2006-06-27 14:32:34 UTC (rev 4177) @@ -111,6 +111,10 @@ anyway. ** skclist.c:random_is_faked Remove the whole stuff? +** qbits + We pass a new qbit parameter to genkey - implement this in libgcrypt. +** Makefile.am + Remove the no-pointer-sign kludge. * common/ ** ttyio Modified: branches/GNUPG-1-9-BRANCH/agent/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/agent/ChangeLog 2006-06-27 14:30:59 UTC (rev 4176) +++ branches/GNUPG-1-9-BRANCH/agent/ChangeLog 2006-06-27 14:32:34 UTC (rev 4177) @@ -1,3 +1,14 @@ +2006-06-26 Werner Koch + + * gpg-agent.c (handle_signal): Print infor for SIGUSR2 only in + verbose mode. + +2006-06-22 Werner Koch + + * command-ssh.c (make_cstring): Use memcpy instead of strncpy. + (ssh_receive_mpint_list, sexp_key_extract, data_sign): Use + xtrycalloc instead of xtrymalloc followed by memset. + 2006-06-20 Werner Koch * minip12.c (create_final): New arg PW. Add code to calculate the Modified: branches/GNUPG-1-9-BRANCH/agent/command-ssh.c =================================================================== --- branches/GNUPG-1-9-BRANCH/agent/command-ssh.c 2006-06-27 14:30:59 UTC (rev 4176) +++ branches/GNUPG-1-9-BRANCH/agent/command-ssh.c 2006-06-27 14:32:34 UTC (rev 4177) @@ -268,7 +268,7 @@ s = xtrymalloc (data_n + 1); if (s) { - strncpy (s, data, data_n); + memcpy (s, data, data_n); s[data_n] = 0; } @@ -853,14 +853,12 @@ elems_public = key_spec.elems_key_public; elems_public_n = strlen (elems_public); - mpis = xtrymalloc (sizeof (*mpis) * (elems_n + 1)); - if (! mpis) + mpis = xtrycalloc (elems_n + 1, sizeof *mpis ); + if (!mpis) { err = gpg_error_from_errno (errno); goto out; } - - memset (mpis, 0, sizeof (*mpis) * (elems_n + 1)); elem_is_secret = 0; for (i = 0; i < elems_n; i++) @@ -1143,13 +1141,12 @@ } elems_n = strlen (elems); - mpis_new = xtrymalloc (sizeof (*mpis_new) * (elems_n + 1)); - if (! mpis_new) + mpis_new = xtrycalloc (elems_n + 1, sizeof *mpis_new ); + if (!mpis_new) { err = gpg_error_from_errno (errno); goto out; } - memset (mpis_new, 0, sizeof (*mpis_new) * (elems_n + 1)); value_list = gcry_sexp_find_token (sexp, key_spec.identifier, 0); if (! value_list) @@ -2055,13 +2052,12 @@ elems = spec.elems_signature; elems_n = strlen (elems); - mpis = xtrymalloc (sizeof (*mpis) * (elems_n + 1)); - if (! mpis) + mpis = xtrycalloc (elems_n + 1, sizeof *mpis); + if (!mpis) { err = gpg_error_from_errno (errno); goto out; } - memset (mpis, 0, sizeof (*mpis) * (elems_n + 1)); for (i = 0; i < elems_n; i++) { Modified: branches/GNUPG-1-9-BRANCH/agent/gpg-agent.c =================================================================== --- branches/GNUPG-1-9-BRANCH/agent/gpg-agent.c 2006-06-27 14:30:59 UTC (rev 4176) +++ branches/GNUPG-1-9-BRANCH/agent/gpg-agent.c 2006-06-27 14:32:34 UTC (rev 4177) @@ -1360,7 +1360,8 @@ break; case SIGUSR2: - log_info ("SIGUSR2 received - checking smartcard status\n"); + if (opt.verbose) + log_info ("SIGUSR2 received - checking smartcard status\n"); break; case SIGTERM: Modified: branches/GNUPG-1-9-BRANCH/configure.ac =================================================================== --- branches/GNUPG-1-9-BRANCH/configure.ac 2006-06-27 14:30:59 UTC (rev 4176) +++ branches/GNUPG-1-9-BRANCH/configure.ac 2006-06-27 14:32:34 UTC (rev 4177) @@ -26,8 +26,8 @@ # Remember to change the version number immediately *after* a release. # Set my_issvn to "yes" for non-released code. Remember to run an # "svn up" and "autogen.sh" right before creating a distribution. -m4_define([my_version], [1.9.21]) -m4_define([my_issvn], [no]) +m4_define([my_version], [1.9.22]) +m4_define([my_issvn], [yes]) m4_define([svn_revision], m4_esyscmd([echo -n $((svn info 2>/dev/null \ Modified: branches/GNUPG-1-9-BRANCH/sm/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/sm/ChangeLog 2006-06-27 14:30:59 UTC (rev 4176) +++ branches/GNUPG-1-9-BRANCH/sm/ChangeLog 2006-06-27 14:32:34 UTC (rev 4177) @@ -1,3 +1,8 @@ +2006-06-26 Werner Koch + + * certdump.c (gpgsm_cert_log_name): New. + * certchain.c (is_cert_still_valid): Log the name of the certificate. + 2006-06-20 Werner Koch * gpgsm.c (gpgsm_init_default_ctrl): Take care of the command line Modified: branches/GNUPG-1-9-BRANCH/sm/certchain.c =================================================================== --- branches/GNUPG-1-9-BRANCH/sm/certchain.c 2006-06-27 14:30:59 UTC (rev 4176) +++ branches/GNUPG-1-9-BRANCH/sm/certchain.c 2006-06-27 14:32:34 UTC (rev 4177) @@ -597,6 +597,8 @@ { /* Fixme: We should change the wording because we may have used OCSP. */ + if (!lm) + gpgsm_cert_log_name (NULL, subject_cert); switch (gpg_err_code (err)) { case GPG_ERR_CERT_REVOKED: Modified: branches/GNUPG-1-9-BRANCH/sm/certdump.c =================================================================== --- branches/GNUPG-1-9-BRANCH/sm/certdump.c 2006-06-27 14:30:59 UTC (rev 4176) +++ branches/GNUPG-1-9-BRANCH/sm/certdump.c 2006-06-27 14:32:34 UTC (rev 4177) @@ -238,6 +238,36 @@ } +/* Log the certificate's name in "#SN/ISSUERDN" format along with + TEXT. */ +void +gpgsm_cert_log_name (const char *text, ksba_cert_t cert) +{ + log_info ("%s", text? text:"certificate" ); + if (cert) + { + ksba_sexp_t sn; + char *p; + + p = ksba_cert_get_issuer (cert, 0); + sn = ksba_cert_get_serial (cert); + if (p && sn) + { + log_printf (" #"); + gpgsm_dump_serial (sn); + log_printf ("/"); + gpgsm_dump_string (p); + } + else + log_printf (" [invalid]"); + ksba_free (sn); + xfree (p); + } + log_printf ("\n"); +} + + + /* helper for the rfc2253 string parser */ static const unsigned char * Modified: branches/GNUPG-1-9-BRANCH/sm/gpgsm.h =================================================================== --- branches/GNUPG-1-9-BRANCH/sm/gpgsm.h 2006-06-27 14:30:59 UTC (rev 4176) +++ branches/GNUPG-1-9-BRANCH/sm/gpgsm.h 2006-06-27 14:32:34 UTC (rev 4177) @@ -218,6 +218,8 @@ void gpgsm_print_name2 (FILE *fp, const char *string, int translate); void gpgsm_print_name (FILE *fp, const char *string); +void gpgsm_cert_log_name (const char *text, ksba_cert_t cert); + void gpgsm_dump_cert (const char *text, ksba_cert_t cert); void gpgsm_dump_serial (ksba_const_sexp_t p); void gpgsm_dump_time (ksba_isotime_t t); Modified: branches/GNUPG-1-9-BRANCH/sm/keylist.c =================================================================== --- branches/GNUPG-1-9-BRANCH/sm/keylist.c 2006-06-27 14:30:59 UTC (rev 4176) +++ branches/GNUPG-1-9-BRANCH/sm/keylist.c 2006-06-27 14:32:34 UTC (rev 4177) @@ -672,7 +672,7 @@ else fputs ("[?]\n", fp); - fputs (" keyUsage:", fp); + fputs (" keyUsage: ", fp); err = ksba_cert_get_key_usage (cert, &kusage); if (gpg_err_code (err) != GPG_ERR_NO_DATA) { From cvs at cvs.gnupg.org Wed Jun 28 11:37:44 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Wed Jun 28 11:00:45 2006 Subject: [svn] GnuPG - r4178 - trunk/g10 Message-ID: Author: wk Date: 2006-06-28 11:37:42 +0200 (Wed, 28 Jun 2006) New Revision: 4178 Modified: trunk/g10/ChangeLog trunk/g10/app-openpgp.c Log: Fixed uploading of keays. Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-27 14:32:34 UTC (rev 4177) +++ trunk/g10/ChangeLog 2006-06-28 09:37:42 UTC (rev 4178) @@ -1,3 +1,9 @@ +2006-06-28 Werner Koch + + * app-openpgp.c (do_writekey): Fixed computation of memmove + length. This led to garbled keys if E was larger than one byte. + Thanks to Achim Pietig for hinting at the garbled E. + 2006-06-27 Werner Koch * gpg.c (reopen_std) [HAVE_W32_SYSTEM]: Do not use it. Modified: trunk/g10/app-openpgp.c =================================================================== --- trunk/g10/app-openpgp.c 2006-06-27 14:32:34 UTC (rev 4177) +++ trunk/g10/app-openpgp.c 2006-06-28 09:37:42 UTC (rev 4178) @@ -1789,7 +1789,7 @@ if (rsa_e_len < 4) { /* Right justify E. */ - memmove (tp+4-rsa_e_len, tp, 4-rsa_e_len); + memmove (tp+4-rsa_e_len, tp, rsa_e_len); memset (tp, 0, 4-rsa_e_len); } tp += 4; From cvs at cvs.gnupg.org Wed Jun 28 17:14:10 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Wed Jun 28 16:37:11 2006 Subject: [svn] GnuPG - r4179 - branches/GNUPG-1-9-BRANCH/jnlib Message-ID: Author: wk Date: 2006-06-28 17:14:09 +0200 (Wed, 28 Jun 2006) New Revision: 4179 Modified: branches/GNUPG-1-9-BRANCH/jnlib/ChangeLog branches/GNUPG-1-9-BRANCH/jnlib/dotlock.c Log: Remove stale lockfiles if created on the same node. Modified: branches/GNUPG-1-9-BRANCH/jnlib/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/jnlib/ChangeLog 2006-06-28 09:37:42 UTC (rev 4178) +++ branches/GNUPG-1-9-BRANCH/jnlib/ChangeLog 2006-06-28 15:14:09 UTC (rev 4179) @@ -1,3 +1,15 @@ +2006-06-28 Werner Koch + + * dotlock.c (make_dotlock, release_dotlock, read_lockfile) + (maybe_deadlock, destroy_dotlock, create_dotlock): Re-indented. + (create_dotlock): Repalces some log_fatal by log_error as it was + not intended that they should terminate. Write the nodename to + the locking file. Code cleanups. + (read_lockfile): Reworked to read the node name. + (make_dotlock): Test for identical node name and delete lock stale + file. + (release_dotlock): Likewise. + 2006-05-23 Werner Koch * libjnlib-config.h (JNLIB_NEED_UTF8CONV): Fixed typo in name. Modified: branches/GNUPG-1-9-BRANCH/jnlib/dotlock.c =================================================================== --- branches/GNUPG-1-9-BRANCH/jnlib/dotlock.c 2006-06-28 09:37:42 UTC (rev 4178) +++ branches/GNUPG-1-9-BRANCH/jnlib/dotlock.c 2006-06-28 15:14:09 UTC (rev 4179) @@ -1,6 +1,6 @@ /* dotlock.c - dotfile locking * Copyright (C) 1998, 2000, 2001, 2003, 2004, - * 2005 Free Software Foundation, Inc. + * 2005, 2006 Free Software Foundation, Inc. * * This file is part of GnuPG. * @@ -55,32 +55,35 @@ #endif -struct dotlock_handle { - struct dotlock_handle *next; - char *tname; /* name of lockfile template */ - char *lockname; /* name of the real lockfile */ - int locked; /* lock status */ - int disable; /* locking */ +struct dotlock_handle +{ + struct dotlock_handle *next; + char *tname; /* Name of lockfile template. */ + size_t nodename_off; /* Offset in TNAME of the nodename part. */ + size_t nodename_len; /* Length of the nodename part. */ + char *lockname; /* Name of the real lockfile. */ + int locked; /* Lock status. */ + int disable; /* When true, locking is disabled. */ }; static volatile DOTLOCK all_lockfiles; static int never_lock; -static int read_lockfile( const char *name ); +static int read_lockfile (DOTLOCK h, int *same_node); void disable_dotlock(void) { - never_lock = 1; + never_lock = 1; } /**************** * Create a lockfile with the given name and return an object of * type DOTLOCK which may be used later to actually do the lock. * A cleanup routine gets installed to cleanup left over locks - * or other files used together with the lockmechanism. - * Althoug the function is called dotlock, this does not necessarily + * or other files used together with the lock mechanism. + * Although the function is called dotlock, this does not necessarily * mean that real lockfiles are used - the function may decide to * use fcntl locking. Calling the function with NULL only install * the atexit handler and maybe used to assure that the cleanup @@ -94,160 +97,165 @@ DOTLOCK create_dotlock( const char *file_to_lock ) { - static int initialized; - DOTLOCK h; - int fd = -1; - char pidstr[16]; - #ifndef HAVE_DOSISH_SYSTEM - struct utsname utsbuf; - #endif - const char *nodename; - const char *dirpart; - int dirpartlen; + static int initialized; + DOTLOCK h; + int fd = -1; + char pidstr[16]; + const char *nodename; + const char *dirpart; + int dirpartlen; +#ifndef HAVE_DOSISH_SYSTEM + struct utsname utsbuf; +#endif - if( !initialized ) { - atexit( dotlock_remove_lockfiles ); - initialized = 1; + if ( !initialized ) + { + atexit( dotlock_remove_lockfiles ); + initialized = 1; } - if( !file_to_lock ) - return NULL; + if ( !file_to_lock ) + return NULL; /* Only initialization was requested. */ - h = jnlib_xcalloc( 1, sizeof *h ); - if( never_lock ) { - h->disable = 1; + h = jnlib_xcalloc ( 1, sizeof *h ); + if( never_lock ) + { + h->disable = 1; #ifdef _REENTRANT - /* fixme: aquire mutex on all_lockfiles */ + /* fixme: aquire mutex on all_lockfiles */ #endif - h->next = all_lockfiles; - all_lockfiles = h; - return h; + h->next = all_lockfiles; + all_lockfiles = h; + return h; } #ifndef HAVE_DOSISH_SYSTEM - sprintf( pidstr, "%10d\n", (int)getpid() ); - /* fixme: add the hostname to the second line (FQDN or IP addr?) */ + sprintf (pidstr, "%10d\n", (int)getpid() ); + /* fixme: add the hostname to the second line (FQDN or IP addr?) */ - /* create a temporary file */ - if( uname( &utsbuf ) ) - nodename = "unknown"; - else - nodename = utsbuf.nodename; - + /* Create a temporary file. */ + if ( uname ( &utsbuf ) ) + nodename = "unknown"; + else + nodename = utsbuf.nodename; + #ifdef __riscos__ - { - char *iter = (char *) nodename; - for (; iter[0]; iter++) - if (iter[0] == '.') - iter[0] = '/'; - } + { + char *iter = (char *) nodename; + for (; iter[0]; iter++) + if (iter[0] == '.') + iter[0] = '/'; + } #endif /* __riscos__ */ - if( !(dirpart = strrchr( file_to_lock, DIRSEP_C )) ) { - dirpart = EXTSEP_S; - dirpartlen = 1; + if ( !(dirpart = strrchr ( file_to_lock, DIRSEP_C )) ) + { + dirpart = EXTSEP_S; + dirpartlen = 1; } - else { - dirpartlen = dirpart - file_to_lock; - dirpart = file_to_lock; + else + { + dirpartlen = dirpart - file_to_lock; + dirpart = file_to_lock; } #ifdef _REENTRANT /* fixme: aquire mutex on all_lockfiles */ #endif - h->next = all_lockfiles; - all_lockfiles = h; + h->next = all_lockfiles; + all_lockfiles = h; - h->tname = jnlib_xmalloc( dirpartlen + 6+30+ strlen(nodename) + 11 ); + h->tname = jnlib_xmalloc ( dirpartlen + 6+30+ strlen(nodename) + 11 ); + h->nodename_len = strlen (nodename); #ifndef __riscos__ - sprintf( h->tname, "%.*s/.#lk%p.%s.%d", - dirpartlen, dirpart, h, nodename, (int)getpid() ); + sprintf (h->tname, "%.*s/.#lk%p.", dirpartlen, dirpart, h ); + h->nodename_off = strlen (h->tname); + sprintf (h->tname+h->nodename_off, "%s.%d", nodename, (int)getpid ()); #else /* __riscos__ */ - sprintf( h->tname, "%.*s.lk%p/%s/%d", - dirpartlen, dirpart, h, nodename, (int)getpid() ); + sprintf (h->tname, "%.*s.lk%p/", dirpartlen, dirpart, h ); + h->nodename_off = strlen (h->tname); + sprintf (h->tname+h->nodename_off, "%s/%d", nodename, (int)getpid () ); #endif /* __riscos__ */ - do { - errno = 0; - fd = open( h->tname, O_WRONLY|O_CREAT|O_EXCL, - S_IRUSR|S_IRGRP|S_IROTH|S_IWUSR ); - } while( fd == -1 && errno == EINTR ); - if( fd == -1 ) { - all_lockfiles = h->next; - log_error( "failed to create temporary file `%s': %s\n", - h->tname, strerror(errno)); - jnlib_free(h->tname); - jnlib_free(h); - return NULL; + do + { + errno = 0; + fd = open (h->tname, O_WRONLY|O_CREAT|O_EXCL, + S_IRUSR|S_IRGRP|S_IROTH|S_IWUSR ); + } + while (fd == -1 && errno == EINTR); + + if ( fd == -1 ) + { + all_lockfiles = h->next; + log_error ( "failed to create temporary file `%s': %s\n", + h->tname, strerror(errno)); + jnlib_free(h->tname); + jnlib_free(h); + return NULL; } - if( write(fd, pidstr, 11 ) != 11 ) { - all_lockfiles = h->next; - #ifdef _REENTRANT - /* release mutex */ - #endif - log_fatal( "error writing to `%s': %s\n", h->tname, strerror(errno) ); - close(fd); - unlink(h->tname); - jnlib_free(h->tname); - jnlib_free(h); - return NULL; - } - if( close(fd) ) { - all_lockfiles = h->next; - #ifdef _REENTRANT - /* release mutex */ - #endif - log_fatal( "error writing to `%s': %s\n", h->tname, strerror(errno) ); - close(fd); - unlink(h->tname); - jnlib_free(h->tname); - jnlib_free(h); - return NULL; - } + if ( write (fd, pidstr, 11 ) != 11 ) + goto write_failed; + if ( write (fd, nodename, strlen (nodename) ) != strlen (nodename) ) + goto write_failed; + if ( write (fd, "\n", 1 ) != 1 ) + goto write_failed; + if ( close (fd) ) + goto write_failed; # ifdef _REENTRANT - /* release mutex */ + /* release mutex */ # endif #endif /* !HAVE_DOSISH_SYSTEM */ - h->lockname = jnlib_xmalloc( strlen(file_to_lock) + 6 ); - strcpy(stpcpy(h->lockname, file_to_lock), EXTSEP_S "lock"); - return h; + h->lockname = jnlib_xmalloc ( strlen (file_to_lock) + 6 ); + strcpy (stpcpy(h->lockname, file_to_lock), EXTSEP_S "lock"); + return h; + write_failed: + all_lockfiles = h->next; +# ifdef _REENTRANT + /* fixme: release mutex */ +# endif + log_error ( "error writing to `%s': %s\n", h->tname, strerror(errno) ); + close(fd); + unlink(h->tname); + jnlib_free(h->tname); + jnlib_free(h); + return NULL; } void destroy_dotlock ( DOTLOCK h ) { -#if !defined (HAVE_DOSISH_SYSTEM) - if ( h ) - { - DOTLOCK hprev, htmp; - - /* First remove the handle from our global list of all locks. */ - for (hprev=NULL, htmp=all_lockfiles; htmp; hprev=htmp, htmp=htmp->next) - if (htmp == h) - { - if (hprev) - hprev->next = htmp->next; - else - all_lockfiles = htmp->next; - h->next = NULL; - break; - } - - /* Second destroy the lock. */ - if (!h->disable) +#ifndef HAVE_DOSISH_SYSTEM + if ( h ) + { + DOTLOCK hprev, htmp; + + /* First remove the handle from our global list of all locks. */ + for (hprev=NULL, htmp=all_lockfiles; htmp; hprev=htmp, htmp=htmp->next) + if (htmp == h) { - if (h->locked && h->lockname) - unlink (h->lockname); - if (h->tname) + if (hprev) + hprev->next = htmp->next; + else + all_lockfiles = htmp->next; + h->next = NULL; + break; + } + + /* Second destroy the lock. */ + if (!h->disable) + { + if (h->locked && h->lockname) + unlink (h->lockname); + if (h->tname) unlink (h->tname); - jnlib_free (h->tname); - jnlib_free (h->lockname); - } - jnlib_free(h); - - } -#endif + jnlib_free (h->tname); + jnlib_free (h->lockname); + } + jnlib_free(h); + } +#endif /*!HAVE_DOSISH_SYSTEM*/ } @@ -255,107 +263,120 @@ static int maybe_deadlock( DOTLOCK h ) { - DOTLOCK r; + DOTLOCK r; - for( r=all_lockfiles; r; r = r->next ) { - if( r != h && r->locked ) - return 1; + for ( r=all_lockfiles; r; r = r->next ) + { + if ( r != h && r->locked ) + return 1; } - return 0; + return 0; } /**************** - * Do a lock on H. A TIMEOUT of 0 returns immediately, - * -1 waits forever (hopefully not), other - * values are timeouts in milliseconds. - * Returns: 0 on success + * Do a lock on H. A TIMEOUT of 0 returns immediately, -1 waits + * forever (hopefully not), other values are reserved (should then be + * timeouts in milliseconds). Returns: 0 on success */ int make_dotlock( DOTLOCK h, long timeout ) { #ifdef HAVE_DOSISH_SYSTEM - return 0; + return 0; #else - int pid; - const char *maybe_dead=""; - int backoff=0; + int pid; + const char *maybe_dead=""; + int backoff=0; + int same_node; - if( h->disable ) { - return 0; - } + if ( h->disable ) + return 0; /* Locks are completely disabled. Return success. */ - if( h->locked ) { + if ( h->locked ) + { #ifndef __riscos__ - log_debug("oops, `%s' is already locked\n", h->lockname ); + log_debug("oops, `%s' is already locked\n", h->lockname ); #endif /* !__riscos__ */ - return 0; + return 0; } - for(;;) { + for(;;) + { #ifndef __riscos__ - if( !link(h->tname, h->lockname) ) { - /* fixme: better use stat to check the link count */ - h->locked = 1; - return 0; /* okay */ + if ( !link(h->tname, h->lockname) ) + { + /* fixme: better use stat to check the link count */ + h->locked = 1; + return 0; /* okay */ } - if( errno != EEXIST ) { - log_error( "lock not made: link() failed: %s\n", strerror(errno) ); - return -1; + if ( errno != EEXIST ) + { + log_error( "lock not made: link() failed: %s\n", strerror(errno) ); + return -1; } #else /* __riscos__ */ - if( !renamefile(h->tname, h->lockname) ) { - h->locked = 1; - return 0; /* okay */ + if ( !renamefile(h->tname, h->lockname) ) + { + h->locked = 1; + return 0; /* okay */ } - if( errno != EEXIST ) { - log_error( "lock not made: rename() failed: %s\n", strerror(errno) ); - return -1; + if ( errno != EEXIST ) + { + log_error( "lock not made: rename() failed: %s\n", strerror(errno) ); + return -1; } #endif /* __riscos__ */ - if( (pid = read_lockfile(h->lockname)) == -1 ) { - if( errno != ENOENT ) { - log_info("cannot read lockfile\n"); - return -1; + + if ( (pid = read_lockfile (h, &same_node)) == -1 ) + { + if ( errno != ENOENT ) + { + log_info ("cannot read lockfile\n"); + return -1; } - log_info( "lockfile disappeared\n"); - continue; + log_info( "lockfile disappeared\n"); + continue; } - else if( pid == getpid() ) { - log_info( "Oops: lock already held by us\n"); - h->locked = 1; - return 0; /* okay */ + else if ( pid == getpid() && same_node ) + { + log_info( "Oops: lock already held by us\n"); + h->locked = 1; + return 0; /* okay */ } - else if( kill(pid, 0) && errno == ESRCH ) { + else if ( same_node && kill (pid, 0) && errno == ESRCH ) + { #ifndef __riscos__ - maybe_dead = " - probably dead"; -#if 0 /* we should not do this without checking the permissions */ - /* and the hostname */ - log_info( "removing stale lockfile (created by %d)", pid ); -#endif + log_info ("removing stale lockfile (created by %d)", pid ); + unlink (h->lockname); + continue; #else /* __riscos__ */ - /* we are *pretty* sure that the other task is dead and therefore - we remove the other lock file */ - maybe_dead = " - probably dead - removing lock"; - unlink(h->lockname); + /* Under RISCOS we are *pretty* sure that the other task + is dead and therefore we remove the stale lock file. */ + maybe_dead = " - probably dead - removing lock"; + unlink(h->lockname); #endif /* __riscos__ */ } - if( timeout == -1 ) { - struct timeval tv; - log_info( "waiting for lock (held by %d%s) %s...\n", - pid, maybe_dead, maybe_deadlock(h)? "(deadlock?) ":""); + if ( timeout == -1 ) + { + /* Wait until lock has been released. */ + struct timeval tv; + + log_info ("waiting for lock (held by %d%s) %s...\n", + pid, maybe_dead, maybe_deadlock(h)? "(deadlock?) ":""); - /* can't use sleep, cause signals may be blocked */ - tv.tv_sec = 1 + backoff; - tv.tv_usec = 0; - select(0, NULL, NULL, NULL, &tv); - if( backoff < 10 ) - backoff++ ; + + /* We can't use sleep, cause signals may be blocked. */ + tv.tv_sec = 1 + backoff; + tv.tv_usec = 0; + select(0, NULL, NULL, NULL, &tv); + if ( backoff < 10 ) + backoff++ ; } - else - return -1; + else + return -1; } - /*not reached */ + /*NOTREACHED*/ #endif /* !HAVE_DOSISH_SYSTEM */ } @@ -368,92 +389,150 @@ release_dotlock( DOTLOCK h ) { #ifdef HAVE_DOSISH_SYSTEM - return 0; + return 0; #else - int pid; + int pid, same_node; - /* To avoid atexit race conditions we first check whether there - are any locks left. It might happen that another atexit - handler tries to release the lock while the atexit handler of - this module already ran and thus H is undefined. */ - if(!all_lockfiles) - return 0; + /* To avoid atexit race conditions we first check whether there are + any locks left. It might happen that another atexit handler + tries to release the lock while the atexit handler of this module + already ran and thus H is undefined. */ + if (!all_lockfiles) + return 0; - if( h->disable ) { - return 0; - } + if ( h->disable ) + return 0; - if( !h->locked ) { - log_debug("oops, `%s' is not locked\n", h->lockname ); - return 0; + if ( !h->locked ) + { + log_debug("oops, `%s' is not locked\n", h->lockname ); + return 0; } - pid = read_lockfile( h->lockname ); - if( pid == -1 ) { - log_error( "release_dotlock: lockfile error\n"); - return -1; + pid = read_lockfile (h, &same_node); + if ( pid == -1 ) + { + log_error( "release_dotlock: lockfile error\n"); + return -1; } - if( pid != getpid() ) { - log_error( "release_dotlock: not our lock (pid=%d)\n", pid); - return -1; + if ( pid != getpid() || !same_node ) + { + log_error( "release_dotlock: not our lock (pid=%d)\n", pid); + return -1; } #ifndef __riscos__ - if( unlink( h->lockname ) ) { - log_error( "release_dotlock: error removing lockfile `%s'", - h->lockname); - return -1; + if ( unlink( h->lockname ) ) + { + log_error( "release_dotlock: error removing lockfile `%s'", + h->lockname); + return -1; } #else /* __riscos__ */ - if( renamefile(h->lockname, h->tname) ) { - log_error( "release_dotlock: error renaming lockfile `%s' to `%s'", - h->lockname, h->tname); - return -1; + if ( renamefile(h->lockname, h->tname) ) + { + log_error( "release_dotlock: error renaming lockfile `%s' to `%s'", + h->lockname, h->tname); + return -1; } #endif /* __riscos__ */ - /* fixme: check that the link count is now 1 */ - h->locked = 0; - return 0; + /* fixme: check that the link count is now 1 */ + h->locked = 0; + return 0; #endif /* !HAVE_DOSISH_SYSTEM */ } -/**************** - * Read the lock file and return the pid, returns -1 on error. +/* + Read the lock file and return the pid, returns -1 on error. True + will be stored at SAME_NODE if the lock file has been created on + the same node. */ static int -read_lockfile( const char *name ) +read_lockfile (DOTLOCK h, int *same_node ) { #ifdef HAVE_DOSISH_SYSTEM - return 0; + return 0; #else - int fd, pid; - char pidstr[16]; + char buffer_space[10+1+70+1]; /* 70 is just an estimated value; node + name are usually shorter. */ + int fd, pid; + char *buffer, *p; + size_t expected_len; + int res, nread; + + *same_node = 0; + expected_len = 10 + 1 + h->nodename_len + 1; + if ( expected_len >= sizeof buffer_space) + buffer = jnlib_xmalloc (expected_len); + else + buffer = buffer_space; - if( (fd = open(name, O_RDONLY)) == -1 ) { - int e = errno; - log_debug("error opening lockfile `%s': %s\n", name, strerror(errno) ); - errno = e; - return -1; + if ( (fd = open (h->lockname, O_RDONLY)) == -1 ) + { + int e = errno; + log_info ("error opening lockfile `%s': %s\n", + h->lockname, strerror(errno) ); + if (buffer != buffer_space) + jnlib_free (buffer); + errno = e; /* Need to return ERRNO here. */ + return -1; } - if( read(fd, pidstr, 10 ) != 10 ) { /* Read 10 digits w/o newline */ - log_debug("error reading lockfile `%s'", name ); - close(fd); - errno = 0; - return -1; + + p = buffer; + nread = 0; + do + { + res = read (fd, p, expected_len - nread); + if (res == -1 && errno == EINTR) + continue; + if (res < 0) + { + log_info ("error reading lockfile `%s'", h->lockname ); + close (fd); + if (buffer != buffer_space) + jnlib_free (buffer); + errno = 0; /* Do not return an inappropriate ERRNO. */ + return -1; + } + p += res; + nread += res; } - pidstr[10] = 0; /* terminate pid string */ - close(fd); - pid = atoi(pidstr); + while (res && nread != expected_len); + close(fd); + + if (nread < 11) + { + log_info ("invalid size of lockfile `%s'", h->lockname ); + if (buffer != buffer_space) + jnlib_free (buffer); + errno = 0; /* Do not return an inappropriate ERRNO. */ + return -1; + } + + if (buffer[10] != '\n' + || (buffer[10] = 0, pid = atoi (buffer)) == -1 #ifndef __riscos__ - if( !pid || pid == -1 ) { + || !pid #else /* __riscos__ */ - if( (!pid && riscos_getpid()) || pid == -1 ) { + || (!pid && riscos_getpid()) #endif /* __riscos__ */ - log_error("invalid pid %d in lockfile `%s'", pid, name ); - errno = 0; - return -1; + ) + { + log_error ("invalid pid %d in lockfile `%s'", pid, h->lockname ); + if (buffer != buffer_space) + jnlib_free (buffer); + errno = 0; + return -1; } - return pid; + + if (nread == expected_len + && !memcmp (h->tname+h->nodename_off, buffer+11, h->nodename_len) + && buffer[11+h->nodename_len] == '\n') + *same_node = 1; + + if (buffer != buffer_space) + jnlib_free (buffer); + return pid; #endif } From cvs at cvs.gnupg.org Wed Jun 28 17:26:07 2006 From: cvs at cvs.gnupg.org (svn author dshaw) Date: Wed Jun 28 16:49:03 2006 Subject: [svn] GnuPG - r4180 - trunk/g10 Message-ID: Author: dshaw Date: 2006-06-28 17:26:05 +0200 (Wed, 28 Jun 2006) New Revision: 4180 Modified: trunk/g10/ChangeLog trunk/g10/pkclist.c Log: * pkclist.c (algo_available): Automatically enable DSA2 mode when handling a key that clearly isn't DSA1 (i.e. q!=160). Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-28 15:14:09 UTC (rev 4179) +++ trunk/g10/ChangeLog 2006-06-28 15:26:05 UTC (rev 4180) @@ -1,3 +1,8 @@ +2006-06-28 David Shaw + + * pkclist.c (algo_available): Automatically enable DSA2 mode when + handling a key that clearly isn't DSA1 (i.e. q!=160). + 2006-06-28 Werner Koch * app-openpgp.c (do_writekey): Fixed computation of memmove Modified: trunk/g10/pkclist.c =================================================================== --- trunk/g10/pkclist.c 2006-06-28 15:14:09 UTC (rev 4179) +++ trunk/g10/pkclist.c 2006-06-28 15:26:05 UTC (rev 4180) @@ -1212,12 +1212,12 @@ { if(hint) { - if(opt.flags.dsa2) + if((*(int *)hint)!=20 || opt.flags.dsa2) { - /* If --enable-dsa2 is set, then we'll accept a hash - that is larger than we need. If --enable-dsa2 is not - set, then we won't accept any hash that isn't exactly - the right size. */ + /* If --enable-dsa2 is set or the hash isn't 160 bits + (which implies DSA2), then we'll accept a hash that + is larger than we need. Otherwise we won't accept + any hash that isn't exactly the right size. */ if((*(int *)hint) > md_digest_length(algo)) return 0; } From cvs at cvs.gnupg.org Wed Jun 28 19:12:57 2006 From: cvs at cvs.gnupg.org (svn author dshaw) Date: Wed Jun 28 18:35:57 2006 Subject: [svn] GnuPG - r4181 - trunk/g10 Message-ID: Author: dshaw Date: 2006-06-28 19:12:55 +0200 (Wed, 28 Jun 2006) New Revision: 4181 Modified: trunk/g10/ChangeLog trunk/g10/sign.c Log: * sign.c (sign_file): When signing with multiple DSA keys, one being DSA1 and one being DSA2 and encrypting at the same time, if the recipient preferences give a hash that can work with the DSA2 key, then allow the DSA1 key to be promoted rather than giving up and using hash_for(). Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-28 15:26:05 UTC (rev 4180) +++ trunk/g10/ChangeLog 2006-06-28 17:12:55 UTC (rev 4181) @@ -1,5 +1,11 @@ 2006-06-28 David Shaw + * sign.c (sign_file): When signing with multiple DSA keys, one + being DSA1 and one being DSA2 and encrypting at the same time, if + the recipient preferences give a hash that can work with the DSA2 + key, then allow the DSA1 key to be promoted rather than giving up + and using hash_for(). + * pkclist.c (algo_available): Automatically enable DSA2 mode when handling a key that clearly isn't DSA1 (i.e. q!=160). Modified: trunk/g10/sign.c =================================================================== --- trunk/g10/sign.c 2006-06-28 15:26:05 UTC (rev 4180) +++ trunk/g10/sign.c 2006-06-28 17:12:55 UTC (rev 4181) @@ -319,28 +319,6 @@ } else { -#if 0 - /* Disabled for now. It seems reasonable to accept a - truncated hash for a DSA1 key, even though we don't - generate it without --enable-dsa2. Be liberal in what you - accept, etc. */ - - /* If it's a DSA key, and q is 160 bits, it might be an - old-style DSA key. If the hash doesn't match the q, fail - unless --enable-dsa2 is set. If the q isn't 160 bits, then - allow any hash since it must be a DSA2 key (if the hash is - too small, we'll fail in encode_md_value). */ - - if(sk->pubkey_algo==PUBKEY_ALGO_DSA - && (mpi_get_nbits(sk->skey[1])/8)==20 - && !opt.flags.dsa2 - && md_digest_length(digest_algo)!=20) - { - log_error(_("DSA requires the use of a 160 bit hash algorithm\n")); - return G10ERR_GENERAL; - } -#endif - frame = encode_md_value( NULL, sk, md, digest_algo ); if (!frame) return G10ERR_GENERAL; @@ -866,8 +844,13 @@ if (DBG_HASHING) md_start_debug (mfx.md, "sign"); - /* If we're encrypting and signing, it is reasonable to pick the - hash algorithm to use out of the recepient key prefs. */ + /* If we're encrypting and signing, it is reasonable to pick the + hash algorithm to use out of the recepient key prefs. This is + best effort only, as in a DSA2 and smartcard world there are + cases where we cannot please everyone with a single hash (DSA2 + wants >160 and smartcards want =160). In the future this could + be more complex with different hashes for each sk, but the + current design requires a single hash for all SKs. */ if(pk_list) { if(opt.def_digest_algo) @@ -883,43 +866,54 @@ } else { - int hashlen=0,algo; + int hashlen=0,algo,smartcard=0; /* Of course, if the recipient asks for something - unreasonable (like a non-160-bit hash for DSA without - --enable-dsa2, for example), then don't do it. Check - all sk's - if any are DSA, then the hash has - restrictions. In the future this can be more complex - with different hashes for each sk, but so long as there - is only one signing algorithm with hash restrictions, - this is ok. -dms */ + unreasonable (like the wrong hash for a DSA key) then + don't do it. Check all sk's - if any are DSA or live + on a smartcard, then the hash has restrictions and we + may not be able to give the recipient what they want. + For DSA, pass a hint for the largest q we have. Note + that this means that a q>160 key will override a q=160 + key and force the use of truncation for the q=160 key. + The alternative would be to ignore the recipient prefs + completely and get a different hash for each DSA key in + hash_for(). The override behavior here is more or less + reasonable as it is under the control of the user which + keys they sign with for a given message and the fact + that the message with multiple signatures won't be + usable on an implementation that doesn't understand + DSA2 anyway. */ for( sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next ) { if(sk_rover->sk->pubkey_algo==PUBKEY_ALGO_DSA) { - if(opt.flags.dsa2) - hashlen=mpi_get_nbits(sk_rover->sk->skey[1])/8; - else - hashlen=20; - break; + int temp_hashlen=mpi_get_nbits(sk_rover->sk->skey[1])/8; + + /* Pick a hash that is large enough for our + largest q */ + + if(hashlensk->is_protected && sk_rover->sk->protect.s2k.mode==1002) - { - /* Current smartcards only do 160-bit hashes. - Note that this may well have to change as the - cards add algorithms. */ - - hashlen=20; - break; - } + smartcard=1; } - if((algo= - select_algo_from_prefs(pk_list,PREFTYPE_HASH,-1, - hashlen?&hashlen:NULL))>0) - recipient_digest_algo=algo; + /* Current smartcards only do 160-bit hashes. If we have + to have a >160-bit hash, then we can't use the + recipient prefs as we'd need both =160 and >160 at the + same time and recipient prefs currently require a + single hash for all signatures. All this may well have + to change as the cards add algorithms. */ + + if(!smartcard || (smartcard && hashlen==20)) + if((algo= + select_algo_from_prefs(pk_list,PREFTYPE_HASH,-1, + hashlen?&hashlen:NULL))>0) + recipient_digest_algo=algo; } } From cvs at cvs.gnupg.org Wed Jun 28 19:54:37 2006 From: cvs at cvs.gnupg.org (svn author dshaw) Date: Wed Jun 28 19:17:32 2006 Subject: [svn] GnuPG - r4182 - trunk/g10 Message-ID: Author: dshaw Date: 2006-06-28 19:54:35 +0200 (Wed, 28 Jun 2006) New Revision: 4182 Modified: trunk/g10/ChangeLog trunk/g10/keydb.h trunk/g10/pkclist.c trunk/g10/sign.c Log: * keydb.h, pkclist.c (select_algo_from_prefs, algo_available): Pass a union for preference hints rather than doing void * games. * sign.c (sign_file): Use it here. Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-28 17:12:55 UTC (rev 4181) +++ trunk/g10/ChangeLog 2006-06-28 17:54:35 UTC (rev 4182) @@ -1,5 +1,10 @@ 2006-06-28 David Shaw + * keydb.h, pkclist.c (select_algo_from_prefs, algo_available): + Pass a union for preference hints rather than doing void * games. + + * sign.c (sign_file): Use it here. + * sign.c (sign_file): When signing with multiple DSA keys, one being DSA1 and one being DSA2 and encrypting at the same time, if the recipient preferences give a hash that can work with the DSA2 Modified: trunk/g10/keydb.h =================================================================== --- trunk/g10/keydb.h 2006-06-28 17:12:55 UTC (rev 4181) +++ trunk/g10/keydb.h 2006-06-28 17:54:35 UTC (rev 4182) @@ -177,9 +177,14 @@ int check_signatures_trust( PKT_signature *sig ); void release_pk_list( PK_LIST pk_list ); int build_pk_list( STRLIST rcpts, PK_LIST *ret_pk_list, unsigned use ); -int algo_available( preftype_t preftype, int algo, void *hint ); +union pref_hint +{ + int digest_length; +}; +int algo_available( preftype_t preftype, int algo, + const union pref_hint *hint ); int select_algo_from_prefs( PK_LIST pk_list, int preftype, - int request, void *hint ); + int request, const union pref_hint *hint ); int select_mdc_from_pklist (PK_LIST pk_list); /*-- skclist.c --*/ Modified: trunk/g10/pkclist.c =================================================================== --- trunk/g10/pkclist.c 2006-06-28 17:12:55 UTC (rev 4181) +++ trunk/g10/pkclist.c 2006-06-28 17:54:35 UTC (rev 4182) @@ -1186,7 +1186,7 @@ preference list, so I'm including it. -dms */ int -algo_available( preftype_t preftype, int algo, void *hint ) +algo_available( preftype_t preftype, int algo, const union pref_hint *hint ) { if( preftype == PREFTYPE_SYM ) { @@ -1210,18 +1210,18 @@ } else if( preftype == PREFTYPE_HASH ) { - if(hint) + if(hint && hint->digest_length) { - if((*(int *)hint)!=20 || opt.flags.dsa2) + if(hint->digest_length!=20 || opt.flags.dsa2) { /* If --enable-dsa2 is set or the hash isn't 160 bits (which implies DSA2), then we'll accept a hash that is larger than we need. Otherwise we won't accept any hash that isn't exactly the right size. */ - if((*(int *)hint) > md_digest_length(algo)) + if(hint->digest_length > md_digest_length(algo)) return 0; } - else if(((*(int *)hint) != md_digest_length(algo))) + else if(hint->digest_length != md_digest_length(algo)) return 0; } @@ -1259,7 +1259,8 @@ * Return -1 if we could not find an algorithm. */ int -select_algo_from_prefs(PK_LIST pk_list, int preftype, int request, void *hint) +select_algo_from_prefs(PK_LIST pk_list, int preftype, + int request, const union pref_hint *hint) { PK_LIST pkr; u32 bits[8]; Modified: trunk/g10/sign.c =================================================================== --- trunk/g10/sign.c 2006-06-28 17:12:55 UTC (rev 4181) +++ trunk/g10/sign.c 2006-06-28 17:54:35 UTC (rev 4182) @@ -866,8 +866,11 @@ } else { - int hashlen=0,algo,smartcard=0; + union pref_hint hint; + int algo,smartcard=0; + hint.digest_length=0; + /* Of course, if the recipient asks for something unreasonable (like the wrong hash for a DSA key) then don't do it. Check all sk's - if any are DSA or live @@ -894,8 +897,8 @@ /* Pick a hash that is large enough for our largest q */ - if(hashlensk->is_protected && sk_rover->sk->protect.s2k.mode==1002) @@ -909,10 +912,9 @@ single hash for all signatures. All this may well have to change as the cards add algorithms. */ - if(!smartcard || (smartcard && hashlen==20)) + if(!smartcard || (smartcard && hint.digest_length==20)) if((algo= - select_algo_from_prefs(pk_list,PREFTYPE_HASH,-1, - hashlen?&hashlen:NULL))>0) + select_algo_from_prefs(pk_list,PREFTYPE_HASH,-1,&hint))>0) recipient_digest_algo=algo; } } From cvs at cvs.gnupg.org Wed Jun 28 21:33:16 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Wed Jun 28 20:56:08 2006 Subject: [svn] GnuPG - r4183 - trunk/g10 Message-ID: Author: wk Date: 2006-06-28 21:33:14 +0200 (Wed, 28 Jun 2006) New Revision: 4183 Modified: trunk/g10/ChangeLog trunk/g10/import.c Log: i18n fix Modified: trunk/g10/ChangeLog =================================================================== --- trunk/g10/ChangeLog 2006-06-28 17:54:35 UTC (rev 4182) +++ trunk/g10/ChangeLog 2006-06-28 19:33:14 UTC (rev 4183) @@ -16,6 +16,9 @@ 2006-06-28 Werner Koch + * import.c (check_prefs_warning): Fix change for better + translatability. + * app-openpgp.c (do_writekey): Fixed computation of memmove length. This led to garbled keys if E was larger than one byte. Thanks to Achim Pietig for hinting at the garbled E. Modified: trunk/g10/import.c =================================================================== --- trunk/g10/import.c 2006-06-28 17:54:35 UTC (rev 4182) +++ trunk/g10/import.c 2006-06-28 19:33:14 UTC (rev 4183) @@ -563,8 +563,13 @@ static void check_prefs_warning(PKT_public_key *pk) { - log_info(_("WARNING: key %s contains preferences for unavailable\n" - "algorithms on these user IDs:\n"), keystr_from_pk(pk)); + log_info(_("WARNING: key %s contains preferences for unavailable\n"), + keystr_from_pk(pk)); + /* TRANSLATORS: This string is belongs to the previous one. They are + only split up to allow printing of a common prefix. The + check_prefs_warning tag is a hack to make this string unique. */ + log_info(_(" algorithms on these user IDs:\n" + "\0" "check_prefs_warning")); } static void From cvs at cvs.gnupg.org Thu Jun 29 00:29:27 2006 From: cvs at cvs.gnupg.org (svn author dshaw) Date: Wed Jun 28 23:52:20 2006 Subject: [svn] GnuPG - r4184 - trunk/cipher Message-ID: Author: dshaw Date: 2006-06-29 00:29:25 +0200 (Thu, 29 Jun 2006) New Revision: 4184 Modified: trunk/cipher/ChangeLog trunk/cipher/rsa.c Log: * rsa.c (generate): Use e=65537 for new RSA keys. Modified: trunk/cipher/ChangeLog =================================================================== --- trunk/cipher/ChangeLog 2006-06-28 19:33:14 UTC (rev 4183) +++ trunk/cipher/ChangeLog 2006-06-28 22:29:25 UTC (rev 4184) @@ -1,3 +1,7 @@ +2006-06-28 David Shaw + + * rsa.c (generate): Use e=65537 for new RSA keys. + 2006-04-20 David Shaw * dsa.c (dsa2_generate): New function to generate a DSA key with a Modified: trunk/cipher/rsa.c =================================================================== --- trunk/cipher/rsa.c 2006-06-28 19:33:14 UTC (rev 4183) +++ trunk/cipher/rsa.c 2006-06-28 22:29:25 UTC (rev 4184) @@ -136,25 +136,21 @@ mpi_gcd(g, t1, t2); mpi_fdiv_q(f, phi, g); - /* find an public exponent. - We use 41 as this is quite fast and more secure than the - commonly used 17. Benchmarking the RSA verify function - with a 1024 bit key yields (2001-11-08): + /* Find an public exponent. + Benchmarking the RSA verify function with a 1024 bit key yields + (2001-11-08): e=17 0.54 ms e=41 0.75 ms e=257 0.95 ms e=65537 1.80 ms + + This code used 41 until 2006-06-28 when it was changed to use + 65537 as the new best practice. See FIPS-186-3. */ e = mpi_alloc( (32+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB ); - mpi_set_ui( e, 41); - if( !mpi_gcd(t1, e, phi) ) { - mpi_set_ui( e, 257); - if( !mpi_gcd(t1, e, phi) ) { - mpi_set_ui( e, 65537); - while( !mpi_gcd(t1, e, phi) ) /* (while gcd is not 1) */ - mpi_add_ui( e, e, 2); - } - } + mpi_set_ui( e, 65537); + while( !mpi_gcd(t1, e, phi) ) /* (while gcd is not 1) */ + mpi_add_ui( e, e, 2); /* calculate the secret key d = e^1 mod phi */ d = mpi_alloc( (nbits+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB ); From cvs at cvs.gnupg.org Fri Jun 30 11:42:10 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Fri Jun 30 11:04:56 2006 Subject: [svn] GnuPG - r4185 - in branches/GNUPG-1-9-BRANCH: . g10 scd Message-ID: Author: wk Date: 2006-06-30 11:42:08 +0200 (Fri, 30 Jun 2006) New Revision: 4185 Modified: branches/GNUPG-1-9-BRANCH/TODO branches/GNUPG-1-9-BRANCH/g10/ChangeLog branches/GNUPG-1-9-BRANCH/g10/card-util.c branches/GNUPG-1-9-BRANCH/g10/keygen.c branches/GNUPG-1-9-BRANCH/g10/mainproc.c branches/GNUPG-1-9-BRANCH/g10/misc.c branches/GNUPG-1-9-BRANCH/g10/parse-packet.c branches/GNUPG-1-9-BRANCH/g10/pkclist.c branches/GNUPG-1-9-BRANCH/g10/pubkey-enc.c branches/GNUPG-1-9-BRANCH/g10/seskey.c branches/GNUPG-1-9-BRANCH/scd/ChangeLog branches/GNUPG-1-9-BRANCH/scd/app-openpgp.c Log: A couple of fixes. gpg2's key generation does now work. Modified: branches/GNUPG-1-9-BRANCH/TODO =================================================================== --- branches/GNUPG-1-9-BRANCH/TODO 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/TODO 2006-06-30 09:42:08 UTC (rev 4185) @@ -103,6 +103,9 @@ * sm/ ** check that we issue NO_SECKEY xxx if a -u key was not found +* jnlib/ +** provide jnlib_malloc and try to remove all jnlib_xmalloc. + * gpg/ ** issue a NO_SECKEY xxxx if a -u key was not found. ** Replace DIGEST_ALGO_SHA224 Modified: branches/GNUPG-1-9-BRANCH/g10/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/ChangeLog 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/g10/ChangeLog 2006-06-30 09:42:08 UTC (rev 4185) @@ -1,3 +1,24 @@ +2006-06-30 Werner Koch + + * misc.c (checksum_mpi): No need for nbits as they are alredy + included in the buffer. + +2006-06-29 Werner Koch + + * parse-packet.c (parse_signature, parse_key): Need store the + length of opaque data as number of bits. + * card-util.c (card_store_subkey): Ditto. + + * mainproc.c (print_pkenc_list, check_sig_and_print): Replaced + log_get_stream by calls to log_printf. This avoids the extra LFs + inserted by the logging function. They are a bit too smart + sometimes. + * pkclist.c (do_show_revocation_reason): Print final LF through + log_printf to avoid extra LFs. + * pubkey-enc.c (get_it): Ditto. + + * seskey.c (encode_md_value): Fix call to gcry. + 2006-06-27 Werner Koch Applied patches from 1.4.x (2006-05-22 to 2006-06-23) from David: Modified: branches/GNUPG-1-9-BRANCH/g10/card-util.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/card-util.c 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/g10/card-util.c 2006-06-30 09:42:08 UTC (rev 4185) @@ -1271,7 +1271,7 @@ sk->skey[i] = NULL; } i = pubkey_get_npkey (sk->pubkey_algo); - sk->skey[i] = mpi_set_opaque (NULL, xstrdup ("dummydata"), 10); + sk->skey[i] = gcry_mpi_set_opaque (NULL, xstrdup ("dummydata"), 10*8); sk->is_protected = 1; sk->protect.s2k.mode = 1002; s = info.serialno; Modified: branches/GNUPG-1-9-BRANCH/g10/keygen.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/keygen.c 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/g10/keygen.c 2006-06-30 09:42:08 UTC (rev 4185) @@ -3701,7 +3701,7 @@ sk->skey[i] = NULL; } i = pubkey_get_npkey (sk->pubkey_algo); - sk->skey[i] = mpi_set_opaque (NULL, xstrdup ("dummydata"), 10); + sk->skey[i] = gcry_mpi_set_opaque (NULL, xstrdup ("dummydata"), 10*8); sk->is_protected = 1; sk->protect.s2k.mode = 1002; s = get_parameter_value (para, pSERIALNO); Modified: branches/GNUPG-1-9-BRANCH/g10/mainproc.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/mainproc.c 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/g10/mainproc.c 2006-06-30 09:42:08 UTC (rev 4185) @@ -445,7 +445,7 @@ nbits_from_pk( pk ), algstr, keystr_from_pk(pk), strtimestamp(pk->timestamp) ); p=get_user_id_native(list->kid); - fprintf(log_get_stream(),_(" \"%s\"\n"),p); + log_printf (_(" \"%s\"\n"),p); xfree(p); } else @@ -1527,7 +1527,7 @@ not going to even try to make two strings here :) */ log_info(_("Key available at: ") ); print_utf8_string( log_get_stream(), p, n ); - putc( '\n', log_get_stream() ); + log_printf ("\n"); if(opt.keyserver_options.options&KEYSERVER_AUTO_KEY_RETRIEVE && opt.keyserver_options.options&KEYSERVER_HONOR_KEYSERVER_URL) @@ -1667,9 +1667,9 @@ xfree(p); if(opt.verify_options&VERIFY_SHOW_UID_VALIDITY) - fprintf(log_get_stream()," [%s]\n",trust_value_to_string(valid)); + log_printf (" [%s]\n",trust_value_to_string(valid)); else - fputs("\n", log_get_stream() ); + log_printf ("\n"); count++; } if( !count ) { /* just in case that we have no valid textual @@ -1712,11 +1712,8 @@ else log_info(_("Good signature from \"%s\""),p); if (opt.trust_model!=TM_ALWAYS && un) - { - putc(' ', log_get_stream() ); - fputs(_("[uncertain]"), log_get_stream() ); - } - fputs("\n", log_get_stream() ); + log_printf (" %s",_("[uncertain]") ); + log_printf ("\n"); } /* If we have a good signature and already printed @@ -1760,10 +1757,10 @@ valid=trust_value_to_string(get_validity(pk, un->pkt-> pkt.user_id)); - fprintf(log_get_stream()," [%s]\n",valid); + log_printf (" [%s]\n",valid); } else - fputs("\n", log_get_stream() ); + log_printf ("\n"); } } release_kbnode( keyblock ); Modified: branches/GNUPG-1-9-BRANCH/g10/misc.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/misc.c 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/g10/misc.c 2006-06-30 09:42:08 UTC (rev 4185) @@ -297,7 +297,6 @@ u16 csum; byte *buffer; unsigned int nbytes; - unsigned int nbits; if ( gcry_mpi_print (GCRYMPI_FMT_PGP, NULL, 0, &nbytes, a) ) BUG (); @@ -308,9 +307,7 @@ gcry_xmalloc_secure (nbytes) : gcry_xmalloc (nbytes)); if ( gcry_mpi_print (GCRYMPI_FMT_PGP, buffer, nbytes, NULL, a) ) BUG (); - nbits = gcry_mpi_get_nbits (a); - csum = checksum_u16 (nbits); - csum += checksum (buffer, nbytes); + csum = checksum (buffer, nbytes); xfree (buffer); return csum; } Modified: branches/GNUPG-1-9-BRANCH/g10/parse-packet.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/parse-packet.c 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/g10/parse-packet.c 2006-06-30 09:42:08 UTC (rev 4185) @@ -1490,9 +1490,10 @@ if( list_mode ) fprintf (listfp, "\tunknown algorithm %d\n", sig->pubkey_algo ); unknown_pubkey_warning( sig->pubkey_algo ); - /* we store the plain material in data[0], so that we are able + /* We store the plain material in data[0], so that we are able * to write it back with build_packet() */ - sig->data[0]= mpi_set_opaque(NULL, read_rest(inp, pktlen, 0), pktlen ); + sig->data[0]= gcry_mpi_set_opaque (NULL, read_rest(inp, pktlen, 0), + pktlen*8 ); pktlen = 0; } else { @@ -1715,8 +1716,8 @@ size_t snlen = 0; if( !npkey ) { - sk->skey[0] = mpi_set_opaque( NULL, - read_rest(inp, pktlen, 0), pktlen ); + sk->skey[0] = gcry_mpi_set_opaque (NULL, read_rest(inp, pktlen, 0), + pktlen*8 ); pktlen = 0; goto leave; } @@ -1894,15 +1895,17 @@ if( sk->protect.s2k.mode == 1001 || sk->protect.s2k.mode == 1002 ) { /* better set some dummy stuff here */ - sk->skey[npkey] = mpi_set_opaque(NULL, xstrdup("dummydata"), 10); + sk->skey[npkey] = gcry_mpi_set_opaque(NULL, + xstrdup("dummydata"), 10*8); pktlen = 0; } else if( is_v4 && sk->is_protected ) { /* ugly; the length is encrypted too, so we read all * stuff up to the end of the packet into the first * skey element */ - sk->skey[npkey] = mpi_set_opaque(NULL, - read_rest(inp, pktlen, 0),pktlen); + sk->skey[npkey] = gcry_mpi_set_opaque (NULL, + read_rest(inp, pktlen, 0), + pktlen*8); pktlen = 0; if( list_mode ) { fprintf (listfp, "\tencrypted stuff follows\n"); @@ -1942,8 +1945,9 @@ PKT_public_key *pk = pkt->pkt.public_key; if( !npkey ) { - pk->pkey[0] = mpi_set_opaque( NULL, - read_rest(inp, pktlen, 0), pktlen ); + pk->pkey[0] = gcry_mpi_set_opaque ( NULL, + read_rest(inp, pktlen, 0), + pktlen*8 ); pktlen = 0; goto leave; } Modified: branches/GNUPG-1-9-BRANCH/g10/pkclist.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/pkclist.c 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/g10/pkclist.c 2006-06-30 09:42:08 UTC (rev 4185) @@ -76,7 +76,7 @@ fputs( text, log_get_stream() ); else fprintf( log_get_stream(), "code=%02x", *p ); - putc( '\n', log_get_stream() ); + log_printf ("\n"); n--; p++; pp = NULL; do { @@ -88,9 +88,9 @@ if( n ) { pp = memchr( p, '\n', n ); nn = pp? pp - p : n; - log_info( _("revocation comment: ") ); - print_string( log_get_stream(), p, nn, 0 ); - putc( '\n', log_get_stream() ); + log_info ( _("revocation comment: ") ); + print_string ( log_get_stream(), p, nn, 0 ); + log_printf ("\n"); p += nn; n -= nn; } } while( pp ); Modified: branches/GNUPG-1-9-BRANCH/g10/pubkey-enc.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/pubkey-enc.c 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/g10/pubkey-enc.c 2006-06-30 09:42:08 UTC (rev 4185) @@ -308,7 +308,7 @@ if ( pk && pk->is_revoked ) { log_info( _("NOTE: key has been revoked") ); - putc( '\n', log_get_stream() ); + log_printf ("\n"); show_revocation_reason( pk, 1 ); } Modified: branches/GNUPG-1-9-BRANCH/g10/seskey.c =================================================================== --- branches/GNUPG-1-9-BRANCH/g10/seskey.c 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/g10/seskey.c 2006-06-30 09:42:08 UTC (rev 4185) @@ -220,8 +220,7 @@ { /* It's a DSA signature, so find out the size of q. */ - unsigned int qbytes = gcry_mpi_get_nbits (pk?pk->pkey[1]:sk->skey[1]); - size_t n; + size_t qbytes = gcry_mpi_get_nbits (pk?pk->pkey[1]:sk->skey[1]); /* Make sure it is a multiple of 8 bits. */ @@ -259,7 +258,7 @@ } if (gcry_mpi_scan (&frame, GCRYMPI_FMT_USG, - gcry_md_read (md, hash_algo), n, &n)) + gcry_md_read (md, hash_algo), qbytes, &qbytes)) BUG(); } else Modified: branches/GNUPG-1-9-BRANCH/scd/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/scd/ChangeLog 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/scd/ChangeLog 2006-06-30 09:42:08 UTC (rev 4185) @@ -1,3 +1,9 @@ +2006-06-28 Werner Koch + + * app-openpgp.c (do_writekey): Fixed computation of memmove + length. This led to garbled keys if E was larger than one byte. + Thanks to Achim Pietig for hinting at the garbled E. + 2006-06-09 Marcus Brinkmann * Makefile.am (scdaemon_LDADD): Add $(NETLIBS). Modified: branches/GNUPG-1-9-BRANCH/scd/app-openpgp.c =================================================================== --- branches/GNUPG-1-9-BRANCH/scd/app-openpgp.c 2006-06-28 22:29:25 UTC (rev 4184) +++ branches/GNUPG-1-9-BRANCH/scd/app-openpgp.c 2006-06-30 09:42:08 UTC (rev 4185) @@ -1828,7 +1828,7 @@ if (rsa_e_len < 4) { /* Right justify E. */ - memmove (tp+4-rsa_e_len, tp, 4-rsa_e_len); + memmove (tp+4-rsa_e_len, tp, rsa_e_len); memset (tp, 0, 4-rsa_e_len); } tp += 4; From cvs at cvs.gnupg.org Fri Jun 30 15:19:49 2006 From: cvs at cvs.gnupg.org (svn author wk) Date: Fri Jun 30 14:42:38 2006 Subject: [svn] GnuPG - r4186 - in branches/GNUPG-1-9-BRANCH: . m4 Message-ID: Author: wk Date: 2006-06-30 15:19:49 +0200 (Fri, 30 Jun 2006) New Revision: 4186 Added: branches/GNUPG-1-9-BRANCH/keyserver/ branches/GNUPG-1-9-BRANCH/m4/ldap.m4 Modified: branches/GNUPG-1-9-BRANCH/ChangeLog branches/GNUPG-1-9-BRANCH/Makefile.am branches/GNUPG-1-9-BRANCH/configure.ac branches/GNUPG-1-9-BRANCH/m4/ChangeLog branches/GNUPG-1-9-BRANCH/m4/Makefile.am Log: Added keyserver directory from trunk Modified: branches/GNUPG-1-9-BRANCH/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/ChangeLog 2006-06-30 09:42:08 UTC (rev 4185) +++ branches/GNUPG-1-9-BRANCH/ChangeLog 2006-06-30 13:19:49 UTC (rev 4186) @@ -1,3 +1,10 @@ +2006-06-30 Werner Koch + + * keyserver/: New. Taken from 1.4.4 + * Makefile.am (SUBDIRS): Include keyserver/. + * configure.ac: Include keyserver/. + (FAKE_CURL, GPGKEYS_CURL): New. + 2006-06-20 Werner Koch Released 1.9.21. Modified: branches/GNUPG-1-9-BRANCH/Makefile.am =================================================================== --- branches/GNUPG-1-9-BRANCH/Makefile.am 2006-06-30 09:42:08 UTC (rev 4185) +++ branches/GNUPG-1-9-BRANCH/Makefile.am 2006-06-30 13:19:49 UTC (rev 4186) @@ -35,8 +35,11 @@ if BUILD_GPG gpg = g10 +# fixme: Noy yet ready for a build +keyserver = else gpg = +keyserver = endif if BUILD_GPGSM sm = sm @@ -61,7 +64,7 @@ endif SUBDIRS = m4 intl gl jnlib common ${kbx} \ - ${gpg} ${sm} ${agent} ${scd} tools po doc ${tests} + ${gpg} ${keyserver} ${sm} ${agent} ${scd} tools po doc ${tests} dist-hook: @set -e; \ Modified: branches/GNUPG-1-9-BRANCH/configure.ac =================================================================== --- branches/GNUPG-1-9-BRANCH/configure.ac 2006-06-30 09:42:08 UTC (rev 4185) +++ branches/GNUPG-1-9-BRANCH/configure.ac 2006-06-30 13:19:49 UTC (rev 4186) @@ -716,6 +716,20 @@ AC_SUBST(GPGKEYS_LDAP) AC_SUBST(LDAPLIBS) + +# Check for curl. We fake the curl API if libcurl isn't installed. + +# fixme: need to add this +#LIBCURL_CHECK_CONFIG([yes],,,[fake_curl=yes]) +#AM_CONDITIONAL(FAKE_CURL,test x"$fake_curl" = xyes) +AM_CONDITIONAL(FAKE_CURL,1) + +# Generic, for us, means curl + +if test x"$try_generic" = xyes ; then + AC_SUBST(GPGKEYS_CURL,"gpgkeys_curl$EXEEXT") +fi + dnl This isn't necessarily sendmail itself, but anything that gives a dnl sendmail-ish interface to the outside world. That includes qmail, dnl postfix, etc. Basically, anything that can handle "sendmail -t". @@ -1231,6 +1245,7 @@ common/Makefile kbx/Makefile g10/Makefile +keyserver/Makefile sm/Makefile agent/Makefile scd/Makefile Copied: branches/GNUPG-1-9-BRANCH/keyserver (from rev 4172, trunk/keyserver) Modified: branches/GNUPG-1-9-BRANCH/m4/ChangeLog =================================================================== --- branches/GNUPG-1-9-BRANCH/m4/ChangeLog 2006-06-30 09:42:08 UTC (rev 4185) +++ branches/GNUPG-1-9-BRANCH/m4/ChangeLog 2006-06-30 13:19:49 UTC (rev 4186) @@ -1,3 +1,8 @@ +2006-06-30 Werner Koch + + * ldap.m4: New. Taken from gnupg 1.4.4 + * Makefile.am (EXTRA_DIST): Add ldap.me + 2004-09-30 Werner Koch * gpg-error.m4, libassuan.m4, libgcrypt.m4: Updated. Modified: branches/GNUPG-1-9-BRANCH/m4/Makefile.am =================================================================== --- branches/GNUPG-1-9-BRANCH/m4/Makefile.am 2006-06-30 09:42:08 UTC (rev 4185) +++ branches/GNUPG-1-9-BRANCH/m4/Makefile.am 2006-06-30 13:19:49 UTC (rev 4186) @@ -1,3 +1,5 @@ EXTRA_DIST = intmax.m4 longdouble.m4 longlong.m4 printf-posix.m4 signed.m4 size_max.m4 wchar_t.m4 wint_t.m4 xsize.m4 codeset.m4 gettext.m4 glibc21.m4 iconv.m4 intdiv0.m4 inttypes.m4 inttypes_h.m4 inttypes-pri.m4 isc-posix.m4 lcmessage.m4 lib-ld.m4 lib-link.m4 lib-prefix.m4 progtest.m4 stdint_h.m4 uintmax_t.m4 ulonglong.m4 +EXTRA_DIST += ldap.m4 + EXTRA_DIST += gpg-error.m4 libgcrypt.m4 libassuan.m4 ksba.m4 Copied: branches/GNUPG-1-9-BRANCH/m4/ldap.m4 (from rev 4172, trunk/m4/ldap.m4)