[svn] GnuPG - r5106 - in branches/STABLE-BRANCH-1-4: . g10
svn author wk
cvs at cvs.gnupg.org
Mon Aug 3 19:47:19 CEST 2009
Author: wk
Date: 2009-08-03 19:47:18 +0200 (Mon, 03 Aug 2009)
New Revision: 5106
Modified:
branches/STABLE-BRANCH-1-4/NEWS
branches/STABLE-BRANCH-1-4/g10/ChangeLog
branches/STABLE-BRANCH-1-4/g10/card-util.c
branches/STABLE-BRANCH-1-4/g10/cardglue.c
branches/STABLE-BRANCH-1-4/g10/cardglue.h
branches/STABLE-BRANCH-1-4/g10/main.h
branches/STABLE-BRANCH-1-4/g10/misc.c
branches/STABLE-BRANCH-1-4/g10/sig-check.c
Log:
Modified: branches/STABLE-BRANCH-1-4/g10/ChangeLog
===================================================================
--- branches/STABLE-BRANCH-1-4/g10/ChangeLog 2009-07-31 14:36:59 UTC (rev 5105)
+++ branches/STABLE-BRANCH-1-4/g10/ChangeLog 2009-08-03 17:47:18 UTC (rev 5106)
@@ -1,3 +1,19 @@
+2009-08-03 Werner Koch <wk at g10code.com>
+
+ * card-util.c (generate_card_keys): Ask for off-card keys only if
+ the card supports it.
+ (get_info_for_key_operation): Read EXTCAP.
+ (card_store_subkey): Check for non matching sizes.
+
+ * cardglue.c (agent_scd_writecert, agent_scd_readcert): New stubs.
+ * misc.c (not_in_gpg1_notice): New.
+
+2009-07-30 Werner Koch <wk at g10code.com>
+
+ * misc.c (md5_digest_warn): New.
+ (print_digest_algo_note): Divert to new function.
+ * sig-check.c (do_check): Print MD5 warning.
+
2009-07-31 David Shaw <dshaw at jabberwocky.com>
* gpg.c (main): --pgp6 includes --disable-mdc.
Modified: branches/STABLE-BRANCH-1-4/NEWS
===================================================================
--- branches/STABLE-BRANCH-1-4/NEWS 2009-07-31 14:36:59 UTC (rev 5105)
+++ branches/STABLE-BRANCH-1-4/NEWS 2009-08-03 17:47:18 UTC (rev 5106)
@@ -1,6 +1,13 @@
Noteworthy changes in version 1.4.10 (unreleased)
-------------------------------------------------
+ * 2048 bit RSA keys are now generated by default. The default
+ hash algorithm preferences has changed to prefer SHA-256 over
+ SHA-1. 2048 bit DSA keys are now generated to use a 256 bit
+ hash algorithm
+
+ * Support v2 OpenPGP cards.
+
* The algorithm to compute the SIG_ID status has been changed to
match the one from 2.0.10.
@@ -8,11 +15,9 @@
* Fixed a memory leak which made imports of many keys very slow.
- * Support v2 OpenPGP cards.
+ * Many smaller bug fixes.
- * FIXME: Anything else?
-
Noteworthy changes in version 1.4.9 (2008-03-26)
------------------------------------------------
Modified: branches/STABLE-BRANCH-1-4/g10/card-util.c
===================================================================
--- branches/STABLE-BRANCH-1-4/g10/card-util.c 2009-07-31 14:36:59 UTC (rev 5105)
+++ branches/STABLE-BRANCH-1-4/g10/card-util.c 2009-08-03 17:47:18 UTC (rev 5106)
@@ -952,8 +952,7 @@
return -1;
}
-#warning need to implement this fucntion
- rc = -1; /*agent_scd_writecert ("OPENPGP.3", data, n);*/
+ rc = agent_scd_writecert ("OPENPGP.3", data, n);
if (rc)
log_error ("error writing certificate to card: %s\n", gpg_strerror (rc));
xfree (data);
@@ -982,8 +981,7 @@
return -1;
}
-#warning need to implement this fucntion
- rc = -1; /*agent_scd_readcert ("OPENPGP.3", &buffer, &length);*/
+ rc = agent_scd_readcert ("OPENPGP.3", &buffer, &length);
if (rc)
log_error ("error reading certificate from card: %s\n", gpg_strerror (rc));
else
@@ -1158,6 +1156,8 @@
rc = agent_scd_getattr ("CHV-STATUS", info);
if (!rc)
rc = agent_scd_getattr ("DISP-NAME", info);
+ if (!rc)
+ rc = agent_scd_getattr ("EXTCAP", info);
if (rc)
log_error (_("error getting current key info: %s\n"), gpg_strerror (rc));
return rc;
@@ -1263,21 +1263,27 @@
if (get_info_for_key_operation (&info))
return;
+ if (info.extcap.ki)
+ {
#if GNUPG_MAJOR_VERSION == 1
- {
- char *answer=cpr_get("cardedit.genkeys.backup_enc",
- _("Make off-card backup of encryption key? (Y/n) "));
+ char *answer;
- want_backup=answer_is_yes_no_default(answer,1);
- cpr_kill_prompt();
- xfree(answer);
- }
+
+ answer = cpr_get ("cardedit.genkeys.backup_enc",
+ _("Make off-card backup of encryption key? (Y/n) "));
+
+ want_backup=answer_is_yes_no_default(answer,1);
+ cpr_kill_prompt();
+ xfree(answer);
#else
- want_backup = cpr_get_answer_is_yes
- ( "cardedit.genkeys.backup_enc",
+ want_backup = cpr_get_answer_is_yes
+ ( "cardedit.genkeys.backup_enc",
_("Make off-card backup of encryption key? (Y/n) "));
/*FIXME: we need answer_is_yes_no_default()*/
#endif
+ }
+ else
+ want_backup = 0;
if ( (info.fpr1valid && !fpr_is_zero (info.fpr1))
|| (info.fpr2valid && !fpr_is_zero (info.fpr2))
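Review bot: In the new `else` branch, `want_backup = 0` is set silently when `info.extcap.ki` is clear, so the user ends up with an on-card encryption key and no hint that the off-card backup was skipped rather than declined. A one-line notice before the assignment would make that explicit, for example `tty_printf (_("Note: this card does not support an off-card backup of the encryption key\n"));` (the wording is only a suggestion). The braced `if` wraps the whole `#if GNUPG_MAJOR_VERSION == 1` block while the `else` is unbraced; `else { want_backup = 0; }` would read more safely next to the preprocessor branches. The function body continues outside this hunk.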
@@ -1385,7 +1391,9 @@
size_t n;
const char *s;
int allow_keyno[3];
+ unsigned int nbits;
+
assert (node->pkt->pkttype == PKT_SECRET_KEY
|| node->pkt->pkttype == PKT_SECRET_SUBKEY);
sk = node->pkt->pkt.secret_key;
@@ -1393,10 +1401,18 @@
if (get_info_for_key_operation (&info))
return 0;
+ if (!info.extcap.ki)
+ {
+ tty_printf ("The card does not support the import of keys\n");
+ tty_printf ("\n");
+ goto leave;
+ }
+
show_card_key_info (&info);
- if (!is_RSA (sk->pubkey_algo)
- || (!info.is_v2 && nbits_from_sk (sk) != 1024) )
+ nbits = nbits_from_sk (sk);
+
+ if (!is_RSA (sk->pubkey_algo) || (!info.is_v2 && nbits != 1024) )
{
tty_printf ("You may only store a 1024 bit RSA key on the card\n");
tty_printf ("\n");
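Review bot: The new message `"The card does not support the import of keys\n"` here, and `"Key does not match the card's capability.\n"` in the following hunk (`@@ -1429,8 +1445,17 @@`), go to `tty_printf` without `_()`, while `_("Invalid selection.\n")` in the same function is translatable. If they are untranslated on purpose (the neighbouring 1024 bit message is also bare), a short comment such as `/* Intentionally not translated. */` would record that; otherwise both should be wrapped in `_()`. The `leave` label targeted by the new `goto` lies outside this hunk, so its cleanup could not be checked from here.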
@@ -1429,8 +1445,17 @@
keyno = *answer? atoi(answer): 0;
xfree(answer);
if (keyno >= 1 && keyno <= 3 && allow_keyno[keyno-1])
- break; /* Okay. */
- tty_printf(_("Invalid selection.\n"));
+ {
+ if (info.is_v2 && !info.extcap.aac
+ && info.key_attr[keyno-1].nbits != nbits)
+ {
+ tty_printf ("Key does not match the card's capability.\n");
+ }
+ else
+ break; /* Okay. */
+ }
+ else
+ tty_printf(_("Invalid selection.\n"));
}
if (replace_existing_key_p (&info, keyno))
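Review bot: `"Key does not match the card's capability.\n"` does not say what mismatched, so a user who picks a slot whose `info.key_attr[keyno-1].nbits` differs from `nbits` is re-prompted with no indication of the key size that slot expects. Printing both values in the message (the key's `nbits` and the slot's configured size) would let the user pick another slot or another key instead of guessing. The selection loop starts above this hunk, so how it is left other than by a valid choice is not visible here.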
Modified: branches/STABLE-BRANCH-1-4/g10/cardglue.c
===================================================================
--- branches/STABLE-BRANCH-1-4/g10/cardglue.c 2009-07-31 14:36:59 UTC (rev 5105)
+++ branches/STABLE-BRANCH-1-4/g10/cardglue.c 2009-08-03 17:47:18 UTC (rev 5106)
@@ -1527,3 +1527,26 @@
xfree (cacheid);
}
}
+
+
+int
+agent_scd_writecert (const char *certidstr,
+ const unsigned char *certdata, size_t certdatalen)
+{
+ /* It does not make sense to implement this rarely used and mainly
+ interactive command in GPG-1. GPG-2 is better suited for this. */
+ not_in_gpg1_notice ();
+ return gpg_error (GPG_ERR_NOT_SUPPORTED);
+}
+
+
+int
+agent_scd_readcert (const char *certidstr,
+ void **r_buf, size_t *r_buflen)
+{
+ /* It does not make sense to implement this rarely used and mainly
+ interactive command in GPG-1. GPG-2 is better suited for this. */
+ *r_buf = NULL;
+ not_in_gpg1_notice ();
+ return gpg_error (GPG_ERR_NOT_SUPPORTED);
+}
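Review bot: `agent_scd_readcert` clears `*r_buf` but leaves `*r_buflen` untouched, so a caller that looks at the length after a failure reads whatever was there before; adding `*r_buflen = 0;` next to `*r_buf = NULL;` gives the stub fully defined outputs. The visible caller in card-util.c appears to use the buffer only when `rc` is zero, so this is defensive rather than a live bug. Neither stub has a header comment; a line such as `/* Stub: always returns GPG_ERR_NOT_SUPPORTED in GnuPG 1. */` above each would tell readers the parameters are deliberately ignored.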
Modified: branches/STABLE-BRANCH-1-4/g10/cardglue.h
===================================================================
--- branches/STABLE-BRANCH-1-4/g10/cardglue.h 2009-07-31 14:36:59 UTC (rev 5105)
+++ branches/STABLE-BRANCH-1-4/g10/cardglue.h 2009-08-03 17:47:18 UTC (rev 5106)
@@ -230,6 +230,13 @@
void agent_clear_pin_cache (const char *sn);
+/* Dummy functions. */
+int agent_scd_writecert (const char *certidstr,
+ const unsigned char *certdata, size_t certdatalen);
+int agent_scd_readcert (const char *certidstr,
+ void **r_buf, size_t *r_buflen);
+
+
#endif /*ENABLE_CARD_SUPPORT*/
#endif /*GNUPG_G10_CARDGLUE_H*/
Modified: branches/STABLE-BRANCH-1-4/g10/main.h
===================================================================
--- branches/STABLE-BRANCH-1-4/g10/main.h 2009-07-31 14:36:59 UTC (rev 5105)
+++ branches/STABLE-BRANCH-1-4/g10/main.h 2009-08-03 17:47:18 UTC (rev 5106)
@@ -91,6 +91,10 @@
#define idea_cipher_warn(a)
#endif
+void md5_digest_warn (int show);
+
+void not_in_gpg1_notice (void);
+
struct expando_args
{
PKT_public_key *pk;
Modified: branches/STABLE-BRANCH-1-4/g10/misc.c
===================================================================
--- branches/STABLE-BRANCH-1-4/g10/misc.c 2009-07-31 14:36:59 UTC (rev 5105)
+++ branches/STABLE-BRANCH-1-4/g10/misc.c 2009-08-03 17:47:18 UTC (rev 5106)
@@ -350,8 +350,7 @@
}
}
else if(algo==DIGEST_ALGO_MD5)
- log_info(_("WARNING: digest algorithm %s is deprecated\n"),
- digest_algo_to_string(algo));
+ md5_digest_warn (1);
}
/* Return a string which is used as a kind of process ID */
@@ -464,8 +463,42 @@
}
#endif
-static unsigned long get_signature_count(PKT_secret_key *sk)
+/* Print a warning if the md5 digest algorithm has been used. This
+ warning is printed only once unless SHOW is used. */
+void
+md5_digest_warn (int show)
{
+ static int warned = 0;
+
+ if (!warned || show)
+ {
+ log_info (_("WARNING: digest algorithm %s is deprecated\n"),
+ digest_algo_to_string (DIGEST_ALGO_MD5));
+ log_info (_("please see %s for more information\n"),
+ "http://www.gnupg.org/faq/weak-digest-algos.html");
+ warned = 1;
+ }
+}
+
+
+void
+not_in_gpg1_notice (void)
+{
+ static int warned = 0;
+
+ if (!warned)
+ {
+ log_info (_("NOTE: This feature is not available in %s\n"), "GnuPG 1.x");
+ log_info (_("please see %s for more information\n"),
+ "http://www.gnupg.org/faq/features-not-in-gnupg-1.html");
+ warned = 1;
+ }
+}
+
+
+static unsigned long
+get_signature_count(PKT_secret_key *sk)
+{
#ifdef ENABLE_CARD_SUPPORT
if(sk && sk->is_protected && sk->protect.s2k.mode==1002)
{
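Review bot: `not_in_gpg1_notice` has no header comment, unlike `md5_digest_warn` directly above it; something like `/* Print a notice, once per process, that the requested feature is not available in GnuPG 1.x. */` would document the effect of its `static int warned`. Both functions point users to `http://` URLs for security guidance; if the site serves those pages over TLS, `https://` links would be preferable. `get_signature_count`, whose signature is only reformatted at the end of this hunk, continues outside it.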
Modified: branches/STABLE-BRANCH-1-4/g10/sig-check.c
===================================================================
--- branches/STABLE-BRANCH-1-4/g10/sig-check.c 2009-07-31 14:36:59 UTC (rev 5105)
+++ branches/STABLE-BRANCH-1-4/g10/sig-check.c 2009-08-03 17:47:18 UTC (rev 5106)
@@ -318,6 +318,12 @@
mpi_free(result);
}
+ /* Print the MD5 warning if not yet done. Thus at most we get one
+ warning during signature checking. Note that while validating
+ a key we might have already checked MD5 key signatures. */
+ if (sig->digest_algo == DIGEST_ALGO_MD5)
+ md5_digest_warn (0);
+
if( !rc && sig->flags.unknown_critical )
{
log_info(_("assuming bad signature from key %s"
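Review bot: The new call `md5_digest_warn (0)` logs at most once per process and the message carries no key ID, so when several signatures are checked in one run only the first MD5 one is reported and the log does not say which signature it was. The added comment explains the once-only choice, but it should also state that the check is advisory: from the visible lines `rc` is not changed, so an MD5 signature that verifies is still accepted. A sentence such as `/* This is a warning only; RC is not affected. */` appended to the comment would make that explicit for anyone auditing the verification path. The body of `do_check` extends beyond this hunk on both sides.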