[svn] GnuPG - r4559 - in trunk: . common doc sm
svn author wk
cvs at cvs.gnupg.org
Tue Aug 14 18:50:59 CEST 2007
Author: wk
Date: 2007-08-14 18:50:27 +0200 (Tue, 14 Aug 2007)
New Revision: 4559
Modified:
trunk/NEWS
trunk/TODO
trunk/common/ChangeLog
trunk/common/homedir.c
trunk/common/util.h
trunk/doc/ChangeLog
trunk/doc/glossary.texi
trunk/doc/gpg-agent.texi
trunk/doc/gpgsm.texi
trunk/doc/yat2m.c
trunk/sm/ChangeLog
trunk/sm/call-dirmngr.c
trunk/sm/gpgsm.c
Log:
Documentaion updates.
Support doe Dirmngr under W32.
Fixed a yat2m bug.
Modified: trunk/NEWS
===================================================================
--- trunk/NEWS 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/NEWS 2007-08-14 16:50:27 UTC (rev 4559)
@@ -1,4 +1,4 @@
-Noteworthy changes in version 2.0.6
+Noteworthy changes in version 2.0.6 (2007-08-14)
------------------------------------------------
* GPGSM does now grok --default-key.
@@ -8,6 +8,10 @@
* GPGSM does again correctly print the serial number as well the the
various keyids. This was broken since 2.0.4.
+ * New option --validation-model and support for the chain-model.
+
+ * Imporved Windows support.
+
Noteworthy changes in version 2.0.5 (2007-07-05)
------------------------------------------------
Modified: trunk/TODO
===================================================================
--- trunk/TODO 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/TODO 2007-08-14 16:50:27 UTC (rev 4559)
@@ -110,6 +110,7 @@
* Remove -sat PGP2 compatibility hack
* UTF-8 specific TODOs
+ None.
* Pinpad Reader
We do not yet support P15 applications. The trivial thing using
@@ -124,11 +125,7 @@
* Howtos
** Migrate OpenPGP keys to another system
-
-* do_add_recipient
- Prints wrong error message even when decrypting.
- *Decrypt* does even not work in this case.
-
* Duplicate certifciates
This may happen and lead to an Ambiguous Name error. Solution is to
- check the certs for identity beforethorwin this error.
+ check the certs for identity before throwing this error.
+
Modified: trunk/common/ChangeLog
===================================================================
--- trunk/common/ChangeLog 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/common/ChangeLog 2007-08-14 16:50:27 UTC (rev 4559)
@@ -1,3 +1,7 @@
+2007-08-14 Werner Koch <wk at g10code.com>
+
+ * homedir.c (dirmngr_socket_name): New.
+
2007-08-07 Werner Koch <wk at g10code.com>
* tlv.c, tlv.h: Move from ../scd/.
Modified: trunk/common/homedir.c
===================================================================
--- trunk/common/homedir.c 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/common/homedir.c 2007-08-14 16:50:27 UTC (rev 4559)
@@ -290,6 +290,29 @@
}
+/* Return the default socket name used by DirMngr. */
+const char *
+dirmngr_socket_name (void)
+{
+#ifdef HAVE_W32_SYSTEM
+ static char *name;
+
+ if (!name)
+ {
+ const char *s1, *s2;
+ s1 = w32_rootdir ();
+ s2 = DIRSEP_S "S.dirmngr";
+ name = xmalloc (strlen (s1) + strlen (s2) + 1);
+ strcpy (stpcpy (name, s1), s2);
+ }
+ return name;
+#else /*!HAVE_W32_SYSTEM*/
+ return "/var/run/dirmngr/socket";
+#endif /*!HAVE_W32_SYSTEM*/
+}
+
+
+
/* Return the file name of a helper tool. WHICH is one of the
GNUPG_MODULE_NAME_foo constants. */
const char *
Modified: trunk/common/util.h
===================================================================
--- trunk/common/util.h 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/common/util.h 2007-08-14 16:50:27 UTC (rev 4559)
@@ -178,6 +178,7 @@
const char *gnupg_libexecdir (void);
const char *gnupg_libdir (void);
const char *gnupg_datadir (void);
+const char *dirmngr_socket_name (void);
#define GNUPG_MODULE_NAME_AGENT 1
#define GNUPG_MODULE_NAME_PINENTRY 2
Modified: trunk/doc/ChangeLog
===================================================================
--- trunk/doc/ChangeLog 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/doc/ChangeLog 2007-08-14 16:50:27 UTC (rev 4559)
@@ -1,3 +1,15 @@
+2007-08-14 Werner Koch <wk at g10code.com>
+
+ * glossary.texi (Glossary): Add a more items.
+
+2007-08-13 Werner Koch <wk at g10code.com>
+
+ * yat2m.c (proc_texi_cmd): Do not put @samp content between two
+ newlines.
+
+ * gpg-agent.texi (Agent Configuration): Explain the CM flag for
+ trustlist.txt.
+
2007-08-09 Werner Koch <wk at g10code.com>
* gpgsm.texi (Certificate Options): Describe --validation-model.
Modified: trunk/doc/glossary.texi
===================================================================
--- trunk/doc/glossary.texi 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/doc/glossary.texi 2007-08-14 16:50:27 UTC (rev 4559)
@@ -12,6 +12,21 @@
@acronym{CRL} but used for @acronym{CA}s and not for end user
certificates.
+ at item Chain model
+ Verification model for X.509 which uses the creation date of a
+signature as the date the validation starts and in turn checks that each
+certificate has been issued within the time frame, the issuing
+certificate was valid. This allows the verification of signatures after
+the the CA's certificate expired. The validation test also required an
+online check of the certificate status. The chain model is required by
+the German signature law. See also @emph{Shell model}.
+
+ at item CMS
+ The @emph{Cryptographic Message Standard} describes a message
+format for encryption and digital signing. It is closely related to the
+X.509 certificate format. @acronym{CMS} was formerly known under the
+name @code{PKCS#7} and is described by @code{RFC3369}.
+
@item CRL
The @emph{Certificate Revocation List} is a list containing
certificates revoked by the issuer.
@@ -21,6 +36,12 @@
ask them to issue a new certificate. The data format of such a signing
request is called PCKS#10.
+ at item OpenPGP
+ A data format used to build a PKI and to exchange encrypted or
+signed messages. In contrast to X.509, OpenPGP also includes the
+message format but does not explicilty demand a specific PKI. However
+any kind of PKI may be build upon the OpenPGP protocol.
+
@item Keygrip
This term is used by GnuPG to describe a 20 byte hash value used
to identify a certain key without referencing to a concrete protocol.
@@ -37,4 +58,15 @@
on a disk; the latter is often called a Soft-PSE.
+ at item Shell model
+The standard model for validation of certificates under X.509. At the
+time of the verification all certifciates must be valid and not expired.
+See also @emph{Chain mode}.
+
+
+ at item X.509
+Description of a PKI used with CMS. It is for example
+defined by @code{RFC3280}.
+
+
@end table
Modified: trunk/doc/gpg-agent.texi
===================================================================
--- trunk/doc/gpg-agent.texi 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/doc/gpg-agent.texi 2007-08-14 16:50:27 UTC (rev 4559)
@@ -493,31 +493,40 @@
even advisable to change the permissions to read-only so that this file
can't be changed inadvertently.
-It is possible to add further flags after the @code{S} for use by the
-caller. The only flag currently defined is @code{relax} to relax
-checking of some root certificate requirements.
-
As a special feature a line @code{include-default} will include a global
list of trusted certificates (e.g. @file{/etc/gnupg/trustlist.txt}).
This global list is also used if the local list is not available.
+It is possible to add further flags after the @code{S} for use by the
+caller:
+
+ at table @code
+ at item relax
+Relax checking of some root certificate requirements.
+
+ at item cm
+If validation of a certificate finally issued by a CA with this flag set
+fails, try again using the chain validation model.
+
+ at end table
+
@item sshcontrol
- This file is used when support for the secure shell agent protocol has
- been enabled (@pxref{option --enable-ssh-support}). Only keys present in
- this file are used in the SSH protocol. The @command{ssh-add} tool y be
- used to add new entries to this file; you may also add them manually.
- Comment lines, indicated by a leading hash mark, as well as empty lines
- are ignored. An entry starts with optional white spaces, followed by
- the keygrip of the key given as 40 hex digits, optionally followed by
- the caching TTL in seconds and another optional field for arbitrary
- flags. A @code{!} may be prepended to the keygrip to disable this
- entry.
+This file is used when support for the secure shell agent protocol has
+been enabled (@pxref{option --enable-ssh-support}). Only keys present
+in this file are used in the SSH protocol. The @command{ssh-add} tool
+y be used to add new entries to this file; you may also add them
+manually. Comment lines, indicated by a leading hash mark, as well as
+empty lines are ignored. An entry starts with optional white spaces,
+followed by the keygrip of the key given as 40 hex digits, optionally
+followed by the caching TTL in seconds and another optional field for
+arbitrary flags. A @code{!} may be prepended to the keygrip to
+disable this entry.
- The follwoing example lists exactly one key. Note that keys available
- through a OpenPGP smartcard in the active smartcard reader are implictly
- added to this list; i.e. there is no need to list them.
+The follwoing example lists exactly one key. Note that keys available
+through a OpenPGP smartcard in the active smartcard reader are
+implictly added to this list; i.e. there is no need to list them.
@example
# Key added on 2005-02-25 15:08:29
Modified: trunk/doc/gpgsm.texi
===================================================================
--- trunk/doc/gpgsm.texi 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/doc/gpgsm.texi 2007-08-14 16:50:27 UTC (rev 4559)
@@ -339,7 +339,8 @@
@opindex prefer-system-dirmngr
If a system wide @command{dirmngr} is running in daemon mode, first try
to connect to this one. Fallback to a pipe based server if this does
-not work.
+not work. Under Windows this option is ignored because the system dirmngr is
+always used.
@item --no-secmem-warning
@opindex no-secmem-warning
Modified: trunk/doc/yat2m.c
===================================================================
--- trunk/doc/yat2m.c 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/doc/yat2m.c 2007-08-14 16:50:27 UTC (rev 4559)
@@ -449,7 +449,7 @@
{ "code", 0, "\\fB", "\\fR" },
{ "sc", 0, "\\fB", "\\fR" },
{ "var", 0, "\\fI", "\\fR" },
- { "samp", 0, "\n'", "'\n" },
+ { "samp", 0, "'", "'" },
{ "file", 0, "`\\fI","\\fR'" },
{ "env", 0, "`\\fI","\\fR'" },
{ "acronym", 0 },
Modified: trunk/sm/ChangeLog
===================================================================
--- trunk/sm/ChangeLog 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/sm/ChangeLog 2007-08-14 16:50:27 UTC (rev 4559)
@@ -1,3 +1,19 @@
+2007-08-14 Werner Koch <wk at g10code.com>
+
+ * call-dirmngr.c (start_dirmngr): Use dirmngr_socket_name. change
+ the way infostr is xstrdupped.
+
+ * gpgsm.c (main) [W32]: Make --prefer-system-dirmngr a dummy under
+ Windows.
+
+2007-08-13 Werner Koch <wk at g10code.com>
+
+ * gpgsm.c (do_add_recipient): Add RECP_REQUIRED and make error
+ message depend on that.
+ (main): Add avriable RECP_REQUIRED, set ift for encryption
+ commands and pass it to do_add_recipient.
+ (our_pk_test_algo, our_cipher_test_algo, our_md_test_algo): Implement.
+
2007-08-09 Werner Koch <wk at g10code.com>
* gpgsm.c (main) [W32]: Enable CRL check by default.
Modified: trunk/sm/call-dirmngr.c
===================================================================
--- trunk/sm/call-dirmngr.c 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/sm/call-dirmngr.c 2007-08-14 16:50:27 UTC (rev 4559)
@@ -34,8 +34,6 @@
#include "i18n.h"
#include "keydb.h"
-/* The name of the socket for a system daemon. */
-#define DEFAULT_SOCKET_NAME "/var/run/dirmngr/socket"
struct membuf {
size_t len;
@@ -155,14 +153,23 @@
/* Note: if you change this to multiple connections, you also need
to take care of the implicit option sending caching. */
+#ifdef HAVE_W32_SYSTEM
+ infostr = NULL;
+ opt.prefer_system_dirmngr = 1;
+#else
infostr = force_pipe_server? NULL : getenv ("DIRMNGR_INFO");
- if (opt.prefer_system_dirmngr && !force_pipe_server
- &&(!infostr || !*infostr))
+#endif /*HAVE_W32_SYSTEM*/
+ if (infostr && !*infostr)
+ infostr = NULL;
+ else if (infostr)
+ infostr = xstrdup (infostr);
+
+ if (opt.prefer_system_dirmngr && !force_pipe_server && !infostr)
{
- infostr = DEFAULT_SOCKET_NAME;
+ infostr = xstrdup (dirmngr_socket_name ());
try_default = 1;
}
- if (!infostr || !*infostr)
+ if (!infostr)
{
const char *pgmname;
const char *argv[3];
@@ -206,8 +213,7 @@
int prot;
int pid;
- infostr = xstrdup (infostr);
- if (!try_default && *infostr)
+ if (!try_default)
{
if ( !(p = strchr (infostr, PATHSEP_C)) || p == infostr)
{
@@ -234,13 +240,20 @@
pid = -1;
rc = assuan_socket_connect (&ctx, infostr, pid);
+#ifdef HAVE_W32_SYSTEM
+ if (rc)
+ log_debug ("connecting dirmngr at `%s' failed\n", infostr);
+#endif
+
xfree (infostr);
+#ifndef HAVE_W32_SYSTEM
if (gpg_err_code (rc) == GPG_ERR_ASS_CONNECT_FAILED)
{
log_error (_("can't connect to the dirmngr - trying fall back\n"));
force_pipe_server = 1;
return start_dirmngr ();
}
+#endif /*!HAVE_W32_SYSTEM*/
}
if (rc)
Modified: trunk/sm/gpgsm.c
===================================================================
--- trunk/sm/gpgsm.c 2007-08-10 16:52:05 UTC (rev 4558)
+++ trunk/sm/gpgsm.c 2007-08-14 16:50:27 UTC (rev 4559)
@@ -491,25 +491,65 @@
static estream_t open_es_fwrite (const char *filename);
static void run_protect_tool (int argc, char **argv);
+/* Remove this if libgcrypt 1.3.0 is required. */
+#define MY_GCRY_PK_ECDSA 301
+
static int
our_pk_test_algo (int algo)
{
- return 1;
+ switch (algo)
+ {
+ case GCRY_PK_RSA:
+ case MY_GCRY_PK_ECDSA:
+ return gcry_pk_test_algo (algo);
+ default:
+ return 1;
+ }
}
static int
our_cipher_test_algo (int algo)
{
- return 1;
+ switch (algo)
+ {
+ case GCRY_CIPHER_3DES:
+ case GCRY_CIPHER_AES128:
+ case GCRY_CIPHER_AES192:
+ case GCRY_CIPHER_AES256:
+ case GCRY_CIPHER_SERPENT128:
+ case GCRY_CIPHER_SERPENT192:
+ case GCRY_CIPHER_SERPENT256:
+ case 309 /*GCRY_CIPHER_SEED*/:
+ case 310 /*GCRY_CIPHER_CAMELLIA128*/:
+ case 311 /*GCRY_CIPHER_CAMELLIA192*/:
+ case 312 /*GCRY_CIPHER_CAMELLIA256*/:
+ return gcry_cipher_test_algo (algo);
+ default:
+ return 1;
+ }
}
+
static int
our_md_test_algo (int algo)
{
- return 1;
+ switch (algo)
+ {
+ case GCRY_MD_MD5:
+ case GCRY_MD_SHA1:
+ case GCRY_MD_RMD160:
+ case GCRY_MD_SHA256:
+ case GCRY_MD_SHA384:
+ case GCRY_MD_SHA512:
+ case 305 /*GCRY_MD_WHIRLPOOL*/:
+ return gcry_md_test_algo (algo);
+ default:
+ return 1;
+ }
}
+
static const char *
my_strusage( int level )
{
@@ -571,12 +611,12 @@
gcry_control (GCRYCTL_DROP_PRIVS); /* drop setuid */
}
- for (i=1; i < 110; i++ )
+ for (i=1; i < 400; i++ )
if (!chkf(i))
n += strlen(mapf(i)) + 2;
list = xmalloc (21 + n);
*list = 0;
- for (p=NULL, i=1; i < 110; i++)
+ for (p=NULL, i=1; i < 400; i++)
{
if (!chkf(i))
{
@@ -683,13 +723,15 @@
/* Helper to add recipients to a list. */
static void
do_add_recipient (ctrl_t ctrl, const char *name,
- certlist_t *recplist, int is_encrypt_to)
+ certlist_t *recplist, int is_encrypt_to, int recp_required)
{
int rc = gpgsm_add_to_certlist (ctrl, name, 0, recplist, is_encrypt_to);
if (rc)
{
- log_error (_("can't encrypt to `%s': %s\n"), name, gpg_strerror (rc));
- gpgsm_status2 (ctrl, STATUS_INV_RECP,
+ if (recp_required)
+ {
+ log_error ("can't encrypt to `%s': %s\n", name, gpg_strerror (rc));
+ gpgsm_status2 (ctrl, STATUS_INV_RECP,
gpg_err_code (rc) == -1? "1":
gpg_err_code (rc) == GPG_ERR_NO_PUBKEY? "1":
gpg_err_code (rc) == GPG_ERR_AMBIGUOUS_NAME? "2":
@@ -701,6 +743,10 @@
gpg_err_code (rc) == GPG_ERR_NO_POLICY_MATCH? "8":
"0",
name, NULL);
+ }
+ else
+ log_info (_("NOTE: won't be able to encrypt to `%s': %s\n"),
+ name, gpg_strerror (rc));
}
}
@@ -747,6 +793,7 @@
certlist_t recplist = NULL;
certlist_t signerlist = NULL;
int do_not_setup_keys = 0;
+ int recp_required = 0;
/*mtrace();*/
@@ -943,9 +990,13 @@
set_cmd (&cmd, pargs.r_opt);
break;
+ case aEncr:
+ recp_required = 1;
+ set_cmd (&cmd, pargs.r_opt);
+ break;
+
case aSym:
case aDecrypt:
- case aEncr:
case aSign:
case aClearsign:
case aVerify:
@@ -1295,6 +1346,22 @@
opt.def_cipher_algoid = "2.16.840.1.101.3.4.1.2";
else if (!strcmp (opt.def_cipher_algoid, "AES256") )
opt.def_cipher_algoid = "2.16.840.1.101.3.4.1.42";
+ else if (!strcmp (opt.def_cipher_algoid, "SERPENT")
+ || !strcmp (opt.def_cipher_algoid, "SERPENT128") )
+ opt.def_cipher_algoid = "1.3.6.1.4.1.11591.13.2.2";
+ else if (!strcmp (opt.def_cipher_algoid, "SERPENT192") )
+ opt.def_cipher_algoid = "1.3.6.1.4.1.11591.13.2.22";
+ else if (!strcmp (opt.def_cipher_algoid, "SERPENT192") )
+ opt.def_cipher_algoid = "1.3.6.1.4.1.11591.13.2.42";
+ else if (!strcmp (opt.def_cipher_algoid, "SEED") )
+ opt.def_cipher_algoid = "1.2.410.200004.1.4";
+ else if (!strcmp (opt.def_cipher_algoid, "CAMELLIA")
+ || !strcmp (opt.def_cipher_algoid, "CAMELLIA128") )
+ opt.def_cipher_algoid = "1.2.392.200011.61.1.1.1.2";
+ else if (!strcmp (opt.def_cipher_algoid, "CAMELLIA192") )
+ opt.def_cipher_algoid = "1.2.392.200011.61.1.1.1.3";
+ else if (!strcmp (opt.def_cipher_algoid, "CAMELLIA256") )
+ opt.def_cipher_algoid = "1.2.392.200011.61.1.1.1.4";
if (cmd != aGPGConfList)
{
@@ -1384,12 +1451,12 @@
complain about no (regular) recipients. */
for (sl = remusr; sl; sl = sl->next)
if (!(sl->flags & 1))
- do_add_recipient (&ctrl, sl->d, &recplist, 0);
+ do_add_recipient (&ctrl, sl->d, &recplist, 0, recp_required);
if (!opt.no_encrypt_to)
{
for (sl = remusr; sl; sl = sl->next)
if ((sl->flags & 1))
- do_add_recipient (&ctrl, sl->d, &recplist, 1);
+ do_add_recipient (&ctrl, sl->d, &recplist, 1, recp_required);
}
}
@@ -1428,8 +1495,10 @@
GC_OPT_FLAG_NONE );
printf ("auto-issuer-key-retrieve:%lu:\n",
GC_OPT_FLAG_NONE );
+#ifndef HAVE_W32_SYSTEM
printf ("prefer-system-dirmngr:%lu:\n",
GC_OPT_FLAG_NONE );
+#endif
printf ("cipher-algo:%lu:\"3DES:\n",
GC_OPT_FLAG_DEFAULT );
printf ("p12-charset:%lu:\n",
More information about the Gnupg-commits
mailing list