From cvs at cvs.gnupg.org Thu Oct 2 13:18:13 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Thu, 02 Oct 2014 13:18:13 +0200 Subject: [git] GPG-ERROR - branch, master, updated. libgpg-error-1.16-11-g3ecdcb6 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Error codes used by GnuPG et al.". The branch, master has been updated via 3ecdcb6ac814e3b63aebbf66729ae6cb67c9f6d2 (commit) via 74abfcf0c3ba7cd6ce36540c70699fc1719248b3 (commit) from d2757001c5719ca8c8bd6aa2e2e2d9a299fb76c6 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 3ecdcb6ac814e3b63aebbf66729ae6cb67c9f6d2 Author: Werner Koch Date: Thu Oct 2 13:14:53 2014 +0200 build: Support SYSROOT based config script finding. * src/gpg-error.m4: Add support for SYSROOT and set gpg_config_script_warn. Use AC_PATH_PROG instead of AC_PATH_TOOL because the config script is not expected to be installed with a prefix for its name. diff --git a/src/gpg-error.m4 b/src/gpg-error.m4 index 053eceb..1661204 100644 --- a/src/gpg-error.m4 +++ b/src/gpg-error.m4 @@ -9,7 +9,7 @@ # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. # -# Last-changed: 2014-01-24 +# Last-changed: 2014-10-02 dnl AM_PATH_GPG_ERROR([MINIMUM-VERSION, 
@@ -17,7 +17,12 @@ dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]]) dnl dnl Test for libgpg-error and define GPG_ERROR_CFLAGS, GPG_ERROR_LIBS, dnl GPG_ERROR_MT_CFLAGS, and GPG_ERROR_MT_LIBS. The _MT_ variants are -dnl used for programs requireding real multi thread support. +dnl used for programs requireing real multi thread support. +dnl +dnl If a prefix option is not used, the config script is first +dnl searched in $SYSROOT/bin and then along $PATH. If the used +dnl config script does not match the host specification the script +dnl is added to the gpg_config_script_warn variable. dnl AC_DEFUN([AM_PATH_GPG_ERROR], [ AC_REQUIRE([AC_CANONICAL_HOST]) @@ -36,13 +41,26 @@ AC_DEFUN([AM_PATH_GPG_ERROR], AC_ARG_WITH(gpg-error-prefix,, [gpg_error_config_prefix="$withval"]) - if test x$gpg_error_config_prefix != x ; then - if test x${GPG_ERROR_CONFIG+set} != xset ; then - GPG_ERROR_CONFIG=$gpg_error_config_prefix/bin/gpg-error-config + if test x"${GPG_ERROR_CONFIG}" = x ; then + if test x"${gpg_error_config_prefix}" != x ; then + GPG_ERROR_CONFIG="${gpg_error_config_prefix}/bin/gpg-error-config" + else + case "${SYSROOT}" in + /*) + if test -x "${SYSROOT}/bin/gpg-error-config" ; then + GPG_ERROR_CONFIG="${SYSROOT}/bin/gpg-error-config" + fi + ;; + '') + ;; + *) + AC_MSG_WARN([Ignoring \$SYSROOT as it is not an absolute path.]) + ;; + esac fi fi - AC_PATH_TOOL(GPG_ERROR_CONFIG, gpg-error-config, no) + AC_PATH_PROG(GPG_ERROR_CONFIG, gpg-error-config, no) min_gpg_error_version=ifelse([$1], ,0.0,$1) AC_MSG_CHECKING(for GPG Error - version >= $min_gpg_error_version) ok=no 
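Review bot: The word this hunk corrects in the macro's header comment is still misspelled: `requireing` should be `requiring`, so the line would read `dnl used for programs requiring real multi thread support.`. Copies of this file in other projects would presumably inherit the typo, so it is worth fixing at the source.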
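Review bot: The header comment added for this macro says the config script is searched in $SYSROOT/bin, but not that configure then executes the script it finds on the build machine (the `--cflags`, `--libs` and `--host` calls visible elsewhere on this page), so whoever can write to that tree or set $SYSROOT decides what runs during the build. I would add a line such as `dnl The selected script is run by configure; $SYSROOT must name a trusted tree.` to that comment. The new outer test `x"${GPG_ERROR_CONFIG}" = x` also treats an explicitly empty GPG_ERROR_CONFIG as unset, which the removed `${GPG_ERROR_CONFIG+set}` test did not; the comment should say so if that is intended. The same block is added to src/libgcrypt.m4 and src/gpgme.m4 further down this page, and the AC_DEFUN body continues past the end of this hunk.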
@@ -83,8 +101,9 @@ AC_DEFUN([AM_PATH_GPG_ERROR], *** built for $gpg_error_config_host and thus may not match the *** used host $host. *** You may want to use the configure option --with-gpg-error-prefix -*** to specify a matching config script. +*** to specify a matching config script or use \$SYSROOT. ***]]) + gpg_config_script_warn="$gpg_config_script_warn libgpg-error" fi fi else commit 74abfcf0c3ba7cd6ce36540c70699fc1719248b3 Author: Werner Koch Date: Thu Oct 2 10:50:57 2014 +0200 Add GPG_ERR_BOGUS_STRING and an experimental gpgrt_pending. * src/visibility.c (gpgrt_pending, gpgrt_pending_unlocked): New. * src/estream.c (_gpgrt_pending, _gpgrt_pending_unlocked): New. (check_pending): new. (check_pending_fbf, check_pending_nbf): New. (es_func_mem_read, es_func_fd_read, es_func_w32_read) (es_func_fp_read, es_fill): Take care of the special 0 value for SIZE. diff --git a/NEWS b/NEWS index 2e49b0c..4330408 100644 --- a/NEWS +++ b/NEWS @@ -32,6 +32,9 @@ Noteworthy changes in version 1.17 (unreleased) [C12/A12/R_] GPG_ERR_BAD_HS_FINISHED NEW. GPG_ERR_BAD_HS_SERVER_KEX NEW. GPG_ERR_BAD_HS_CLIENT_KEX NEW. + GPG_ERR_BOGUS_STRING NEW. + gpgrt_pending NEW. + gpgrt_pending_unlocked NEW. Noteworthy changes in version 1.16 (2014-09-18) [C12/A12/R2] diff --git a/doc/errorref.txt b/doc/errorref.txt index 666dca6..07b7cd4 100644 --- a/doc/errorref.txt +++ b/doc/errorref.txt @@ -219,7 +219,12 @@ GPG_ERR_INV_ARG Invalid argument 52 GPG_ERR_NOT_PROCESSED Data not processed 53 GPG_ERR_UNUSABLE_PUBKEY Unusable public key 54 GPG_ERR_UNUSABLE_SECKEY Unusable secret key -55 GPG_ERR_INV_VALUE Invalid value + +GPG_ERR_INV_VALUE Invalid value + + NTBTLS: - A DH parameter is out of range + + 56 GPG_ERR_BAD_CERT_CHAIN Bad certificate chain GPG_ERR_MISSING_CERT Missing certificate 
@@ -516,7 +521,13 @@ GPG_ERR_LIMIT_REACHED Limit reached GnuPG: gpgtar: Extract directory can't be created because too many of directories with a similar name are already existing. -184 GPG_ERR_NOT_INITIALIZED Not initialized +GPG_ERR_NOT_INITIALIZED Not initialized + + An operation can't be performed because something has not been + initialized. This might be a missing initialization of an entire + subsystems or a prerequisite for using a function is not + fulfilled. + 185 GPG_ERR_MISSING_ISSUER_CERT Missing issuer certificate 186 GPG_ERR_NO_KEYSERVER No keyserver available @@ -699,6 +710,13 @@ GPG_ERR_BAD_HS_CLIENT_KEX Bad client key exchange message in handshake NTBTLS: - As the description says. +GPG_ERR_BOGUS_STRING Bogus string + + Used if a protocol sends length prefixed strings which contain a + Nul byte and further processing would discard the rest of the + string. May also be used if a string contains unexpected and + possible dangerous characters (e.g. control characters in a domain + name). GPG_ERR_KEY_DISABLED Key disabled diff --git a/src/err-codes.h.in b/src/err-codes.h.in index 9274530..704049c 100644 --- a/src/err-codes.h.in +++ b/src/err-codes.h.in @@ -273,8 +273,8 @@ 247 GPG_ERR_BAD_HS_FINISHED Bad finished message in handshake 248 GPG_ERR_BAD_HS_SERVER_KEX Bad server key exchange message in handshake 249 GPG_ERR_BAD_HS_CLIENT_KEX Bad client key exchange message in handshake - -# 250 and 251 are free to be used. +250 GPG_ERR_BOGUS_STRING Bogus string +# 251 is free to be used. 252 GPG_ERR_KEY_DISABLED Key disabled 253 GPG_ERR_KEY_ON_CARD Not possible with a card based key diff --git a/src/estream.c b/src/estream.c index 46be363..2537141 100644 --- a/src/estream.c +++ b/src/estream.c 
@@ -625,6 +625,9 @@ es_func_mem_read (void *cookie, void *buffer, size_t size) estream_cookie_mem_t mem_cookie = cookie; gpgrt_ssize_t ret; + if (!size) /* Just the pending data check. */ + return (mem_cookie->data_len - mem_cookie->offset)? 0 : -1; + if (size > mem_cookie->data_len - mem_cookie->offset) size = mem_cookie->data_len - mem_cookie->offset; @@ -898,7 +901,9 @@ es_func_fd_read (void *cookie, void *buffer, size_t size) estream_cookie_fd_t file_cookie = cookie; gpgrt_ssize_t bytes_read; - if (IS_INVALID_FD (file_cookie->fd)) + if (!size) + bytes_read = -1; /* We don't know whether anything is pending. */ + else if (IS_INVALID_FD (file_cookie->fd)) { _gpgrt_yield (); bytes_read = 0; @@ -1057,7 +1062,9 @@ es_func_w32_read (void *cookie, void *buffer, size_t size) estream_cookie_w32_t w32_cookie = cookie; gpgrt_ssize_t bytes_read; - if (w32_cookie->hd == INVALID_HANDLE_VALUE) + if (!size) + bytes_to_read = -1; /* We don't know whether anything is pending. */ + else if (w32_cookie->hd == INVALID_HANDLE_VALUE) { _gpgrt_yield (); bytes_read = 0; @@ -1273,6 +1280,9 @@ es_func_fp_read (void *cookie, void *buffer, size_t size) estream_cookie_fp_t file_cookie = cookie; gpgrt_ssize_t bytes_read; + if (!size) + return -1; /* We don't know whether anything is pending. */ + if (file_cookie->fp) { if (pre_syscall_func) @@ -1602,6 +1612,8 @@ es_fill (estream_t stream) _set_errno (EOPNOTSUPP); err = -1; } + else if (!stream->buffer_size) + err = 0; else { gpgrt_cookie_read_function_t func_read = stream->intern->func_read; 
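Review bot: The zero-size branch added to es_func_w32_read assigns `bytes_to_read = -1;`, but the only local visible in that hunk is `gpgrt_ssize_t bytes_read`, so unless bytes_to_read is declared outside the hunk the Windows build breaks and the function's result variable is left unset on this path. The line should match the es_func_fd_read hunk just above it: `bytes_read = -1;  /* We don't know whether anything is pending. */`. A later commit on this page (e8b04be) makes that correction. Building the w32 target before pushing would have caught it.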
@@ -1937,6 +1949,18 @@ es_read_nbf (estream_t _GPGRT__RESTRICT stream, return err; } +static int +check_pending_nbf (estream_t _GPGRT__RESTRICT stream) +{ + gpgrt_cookie_read_function_t func_read = stream->intern->func_read; + char buffer[1]; + + if (!(*func_read) (stream->intern->cookie, buffer, 0)) + return 1; /* Pending bytes. */ + return 0; /* No pending bytes or error. */ +} + + /* Try to read BYTES_TO_READ bytes FROM STREAM into BUFFER in fully-buffered-mode, storing the amount of bytes read in *BYTES_READ. */ @@ -1987,6 +2011,26 @@ es_read_fbf (estream_t _GPGRT__RESTRICT stream, return err; } + +static int +check_pending_fbf (estream_t _GPGRT__RESTRICT stream) +{ + gpgrt_cookie_read_function_t func_read = stream->intern->func_read; + char buffer[1]; + + if (stream->data_offset == stream->data_len) + { + /* Nothing more to read in current container, check whetehr it + would be possible to fill the container with new data. */ + if (!(*func_read) (stream->intern->cookie, buffer, 0)) + return 1; /* Pending bytes. */ + } + else + return 1; + return 0; +} + + /* Try to read BYTES_TO_READ bytes FROM STREAM into BUFFER in line-buffered-mode, storing the amount of bytes read in *BYTES_READ. */ @@ -2003,7 +2047,7 @@ es_read_lbf (estream_t _GPGRT__RESTRICT stream, } /* Try to read BYTES_TO_READ bytes FROM STREAM into BUFFER, storing - *the amount of bytes read in BYTES_READ. */ + the amount of bytes read in BYTES_READ. */ static int es_readn (estream_t _GPGRT__RESTRICT stream, void *_GPGRT__RESTRICT buffer_arg, 
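Review bot: check_pending_nbf calls `(*func_read) (stream->intern->cookie, buffer, 0)` without first checking that `stream->intern->func_read` is set, and check_pending_fbf in the next hunk does the same. The EOPNOTSUPP branch visible in the es_fill hunk suggests a stream may have no read function; if so, calling gpgrt_pending on such a stream would call through a null pointer instead of reporting "nothing pending". A guard before the call, `if (!func_read) return 0;  /* No read function: nothing can be pending. */`, keeps the best-effort contract described in the comment on check_pending. Both helpers would also benefit from a one-line comment stating that a zero return from the read function with SIZE 0 means "bytes pending".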
@@ -2062,6 +2106,39 @@ es_readn (estream_t _GPGRT__RESTRICT stream, return err; } + +/* Return true if at least one byte is pending for read. This is a + best effort check and it it possible that bytes are still pending + even if false is returned. If the stream is in writing mode it is + switched to read mode. */ +static int +check_pending (estream_t _GPGRT__RESTRICT stream) +{ + if (stream->flags.writing) + { + /* Switching to reading mode -> flush output. */ + if (es_flush (stream)) + return 0; /* Better return 0 on error. */ + stream->flags.writing = 0; + } + + /* Check unread data first. */ + if (stream->unread_data_len) + return 1; + + switch (stream->intern->strategy) + { + case _IONBF: + return check_pending_nbf (stream); + case _IOLBF: + case _IOFBF: + return check_pending_fbf (stream); + } + + return 0; +} + + /* Try to unread DATA_N bytes from DATA into STREAM, storing the amount of bytes successfully unread in *BYTES_UNREAD. */ static void @@ -3394,6 +3471,34 @@ _gpgrt_syshd (estream_t stream, es_syshd_t *syshd) int +_gpgrt_pending_unlocked (estream_t stream) +{ + return check_pending (stream); +} + + +/* Return true if there is at least one byte pending for read on + STREAM. This does only work if the backend supports checking for + pending bytes and is thus mostly useful with cookie based backends. + + Note that if this function is used with cookie based functions, the + read cookie may be called with 0 for the SIZE argument. If bytes + are pending the function is expected to return -1 in this case and + thus deviates from the standard behavior of read(2). */ +int +_gpgrt_pending (estream_t stream) +{ + int ret; + + lock_stream (stream); + ret = _gpgrt_pending_unlocked (stream); + unlock_stream (stream); + + return ret; +} + + +int _gpgrt_feof_unlocked (estream_t stream) { return es_get_indicator (stream, 0, 1); diff --git a/src/gpg-error.def.in b/src/gpg-error.def.in index ac20a69..f17522e 100644 --- a/src/gpg-error.def.in +++ b/src/gpg-error.def.in 
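Review bot: The comment above _gpgrt_pending tells cookie authors to return -1 when bytes are pending, which is the opposite of what the code in this commit does. es_func_mem_read returns 0 when data remains and -1 otherwise, and check_pending_nbf and check_pending_fbf treat a zero return as "Pending bytes". A read cookie written to the comment would report the inverse state, which matters for callers that use gpgrt_pending to decide whether a protocol peer sent more data. I would reword the sentence to `If bytes are pending the function is expected to return 0 in this case, and -1 if none are pending or it cannot tell;` and keep the remark about deviating from read(2).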
@@ -137,4 +137,7 @@ EXPORTS gpg_err_deinit @102 gpgrt_set_alloc_func @103 + gpgrt_pending @104 + gpgrt_pending_unlocked @105 + ;; end of file with public symbols for Windows. diff --git a/src/gpg-error.h.in b/src/gpg-error.h.in index 80ce391..6ac6e0a 100644 --- a/src/gpg-error.h.in +++ b/src/gpg-error.h.in @@ -496,6 +496,8 @@ int gpgrt_ferror (gpgrt_stream_t stream); int gpgrt_ferror_unlocked (gpgrt_stream_t stream); void gpgrt_clearerr (gpgrt_stream_t stream); void gpgrt_clearerr_unlocked (gpgrt_stream_t stream); +int gpgrt_pending (gpgrt_stream_t stream); +int gpgrt_pending_unlocked (gpgrt_stream_t stream); int gpgrt_fflush (gpgrt_stream_t stream); int gpgrt_fseek (gpgrt_stream_t stream, long int offset, int whence); @@ -648,6 +650,8 @@ int gpgrt_vsnprintf (char *buf,size_t bufsize, # define es_ferror_unlocked gpgrt_ferror_unlocked # define es_clearerr gpgrt_clearerr # define es_clearerr_unlocked gpgrt_clearerr_unlocked +# define es_pending gpgrt_pending +# define es_pending_unlocked gpgrt_pending_unlocked # define es_fflush gpgrt_fflush # define es_fseek gpgrt_fseek # define es_fseeko gpgrt_fseeko diff --git a/src/gpg-error.vers b/src/gpg-error.vers index 43becea..c0e599a 100644 --- a/src/gpg-error.vers +++ b/src/gpg-error.vers @@ -64,6 +64,8 @@ GPG_ERROR_1.0 { gpgrt_flockfile; gpgrt_ftrylockfile; gpgrt_funlockfile; + gpgrt_pending; + gpgrt_pending_unlocked; gpgrt_feof; gpgrt_feof_unlocked; gpgrt_ferror; diff --git a/src/gpgrt-int.h b/src/gpgrt-int.h index f97166f..8907835 100644 --- a/src/gpgrt-int.h +++ b/src/gpgrt-int.h @@ -102,6 +102,8 @@ int _gpgrt_ferror (gpgrt_stream_t stream); int _gpgrt_ferror_unlocked (gpgrt_stream_t stream); void _gpgrt_clearerr (gpgrt_stream_t stream); void _gpgrt_clearerr_unlocked (gpgrt_stream_t stream); +int _gpgrt_pending (gpgrt_stream_t stream); +int _gpgrt_pending_unlocked (gpgrt_stream_t stream); int _gpgrt_fflush (gpgrt_stream_t stream); int _gpgrt_fseek (gpgrt_stream_t stream, long int offset, int whence); 
diff --git a/src/visibility.c b/src/visibility.c index f0d7fd1..f26f58c 100644 --- a/src/visibility.c +++ b/src/visibility.c @@ -298,6 +298,18 @@ gpgrt_funlockfile (estream_t stream) } int +gpgrt_pending (estream_t stream) +{ + return _gpgrt_pending (stream); +} + +int +gpgrt_pending_unlocked (estream_t stream) +{ + return _gpgrt_pending_unlocked (stream); +} + +int gpgrt_feof (estream_t stream) { return _gpgrt_feof (stream); diff --git a/src/visibility.h b/src/visibility.h index feeb8d1..35878d7 100644 --- a/src/visibility.h +++ b/src/visibility.h @@ -87,6 +87,8 @@ MARK_VISIBLE (_gpgrt_get_std_stream) MARK_VISIBLE (gpgrt_flockfile) MARK_VISIBLE (gpgrt_ftrylockfile) MARK_VISIBLE (gpgrt_funlockfile) +MARK_VISIBLE (gpgrt_pending) +MARK_VISIBLE (gpgrt_pending_unlocked) MARK_VISIBLE (gpgrt_feof) MARK_VISIBLE (gpgrt_feof_unlocked) MARK_VISIBLE (gpgrt_ferror) @@ -190,6 +192,8 @@ MARK_VISIBLE (gpgrt_set_alloc_func) #define gpgrt_flockfile _gpgrt_USE_UNDERSCORED_FUNCTION #define gpgrt_ftrylockfile _gpgrt_USE_UNDERSCORED_FUNCTION #define gpgrt_funlockfile _gpgrt_USE_UNDERSCORED_FUNCTION +#define gpgrt_pending _gpgrt_USE_UNDERSCORED_FUNCTION +#define gpgrt_pending_unlocked _gpgrt_USE_UNDERSCORED_FUNCTION #define gpgrt_feof _gpgrt_USE_UNDERSCORED_FUNCTION #define gpgrt_feof_unlocked _gpgrt_USE_UNDERSCORED_FUNCTION #define gpgrt_ferror _gpgrt_USE_UNDERSCORED_FUNCTION ----------------------------------------------------------------------- Summary of changes: NEWS | 3 ++ doc/errorref.txt | 22 +++++++++- src/err-codes.h.in | 4 +- src/estream.c | 111 ++++++++++++++++++++++++++++++++++++++++++++++++-- src/gpg-error.def.in | 3 ++ src/gpg-error.h.in | 4 ++ src/gpg-error.m4 | 33 +++++++++++---- src/gpg-error.vers | 2 + src/gpgrt-int.h | 2 + src/visibility.c | 12 ++++++ src/visibility.h | 4 ++ 11 files changed, 186 insertions(+), 14 deletions(-) hooks/post-receive -- Error codes used by GnuPG et al. http://git.gnupg.org From cvs at cvs.gnupg.org Thu Oct 2 13:22:50 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Thu, 02 Oct 2014 13:22:50 +0200 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-115-g1e8b864 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via 1e8b86494cf8fa045696bd447b16267ffd1797f0 (commit) from 51dae8c8c4b63bb5e1685cbd8722e35342524737 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 1e8b86494cf8fa045696bd447b16267ffd1797f0 Author: Werner Koch Date: Thu Oct 2 12:51:49 2014 +0200 build: Support SYSROOT based config script finding. * src/libgcrypt.m4: Add support for SYSROOT and set gpg_config_script_warn. Use AC_PATH_PROG instead of AC_PATH_TOOL because the config script is not expected to be installed with a prefix for its name * configure.ac: Print a library mismatch warning. * m4/gpg-error.m4: Update from git master. -- Also fixed the false copyright notice in libgcrypt.m4. diff --git a/configure.ac b/configure.ac index c5952c7..baed3ec 100644 --- a/configure.ac +++ b/configure.ac @@ -2123,9 +2123,17 @@ GCRY_MSG_SHOW([Try using Intel AVX2: ],[$avx2support]) GCRY_MSG_SHOW([Try using ARM NEON: ],[$neonsupport]) GCRY_MSG_SHOW([],[]) -if test "$print_egd_notice" = "yes"; then +if test "x${gpg_config_script_warn}" != x; then cat <= $min_gpg_error_version) ok=no 
@@ -83,8 +101,9 @@ AC_DEFUN([AM_PATH_GPG_ERROR], *** built for $gpg_error_config_host and thus may not match the *** used host $host. *** You may want to use the configure option --with-gpg-error-prefix -*** to specify a matching config script. +*** to specify a matching config script or use \$SYSROOT. ***]]) + gpg_config_script_warn="$gpg_config_script_warn libgpg-error" fi fi else diff --git a/src/libgcrypt.m4 b/src/libgcrypt.m4 index 6cf482f..c67cfec 100644 --- a/src/libgcrypt.m4 +++ b/src/libgcrypt.m4 @@ -1,13 +1,15 @@ -dnl Autoconf macros for libgcrypt -dnl Copyright (C) 2002, 2004, 2011 Free Software Foundation, Inc. -dnl -dnl This file is free software; as a special exception the author gives -dnl unlimited permission to copy and/or distribute it, with or without -dnl modifications, as long as this notice is preserved. -dnl -dnl This file is distributed in the hope that it will be useful, but -dnl WITHOUT ANY WARRANTY, to the extent permitted by law; without even the -dnl implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# libgcrypt.m4 - Autoconf macros to detect libgcrypt +# Copyright (C) 2002, 2003, 2004, 2011, 2014 g10 Code GmbH +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Last-changed: 2014-10-02 dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION, 
@@ -20,19 +22,37 @@ dnl version of libgcrypt is at least 1.2.5 *and* the API number is 1. Using dnl this features allows to prevent build against newer versions of libgcrypt dnl with a changed API. dnl +dnl If a prefix option is not used, the config script is first +dnl searched in $SYSROOT/bin and then along $PATH. If the used +dnl config script does not match the host specification the script +dnl is added to the gpg_config_script_warn variable. +dnl AC_DEFUN([AM_PATH_LIBGCRYPT], [ AC_REQUIRE([AC_CANONICAL_HOST]) AC_ARG_WITH(libgcrypt-prefix, AC_HELP_STRING([--with-libgcrypt-prefix=PFX], [prefix where LIBGCRYPT is installed (optional)]), libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="") - if test x$libgcrypt_config_prefix != x ; then - if test x${LIBGCRYPT_CONFIG+set} != xset ; then - LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config + if test x"${LIBGCRYPT_CONFIG}" = x ; then + if test x"${libgcrypt_config_prefix}" != x ; then + LIBGCRYPT_CONFIG="${libgcrypt_config_prefix}/bin/libgcrypt-config" + else + case "${SYSROOT}" in + /*) + if test -x "${SYSROOT}/bin/libgcrypt-config" ; then + LIBGCRYPT_CONFIG="${SYSROOT}/bin/libgcrypt-config" + fi + ;; + '') + ;; + *) + AC_MSG_WARN([Ignoring \$SYSROOT as it is not an absolute path.]) + ;; + esac fi fi - AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, no) + AC_PATH_PROG(LIBGCRYPT_CONFIG, libgcrypt-config, no) tmp=ifelse([$1], ,1:1.2.0,$1) if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then req_libgcrypt_api=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\1/'` 
@@ -108,8 +128,9 @@ AC_DEFUN([AM_PATH_LIBGCRYPT], *** built for $libgcrypt_config_host and thus may not match the *** used host $host. *** You may want to use the configure option --with-libgcrypt-prefix -*** to specify a matching config script. +*** to specify a matching config script or use \$SYSROOT. ***]]) + gpg_config_script_warn="$gpg_config_script_warn libgcrypt" fi fi else ----------------------------------------------------------------------- Summary of changes: configure.ac | 12 ++++++++++-- doc/gcrypt.texi | 2 +- m4/gpg-error.m4 | 33 ++++++++++++++++++++++++++------- src/libgcrypt.m4 | 51 ++++++++++++++++++++++++++++++++++++--------------- 4 files changed, 73 insertions(+), 25 deletions(-) hooks/post-receive -- The GNU crypto library http://git.gnupg.org From cvs at cvs.gnupg.org Thu Oct 2 14:47:42 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Thu, 02 Oct 2014 14:47:42 +0200 Subject: [git] GPG-ERROR - branch, master, updated. libgpg-error-1.16-12-ge8b04be Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Error codes used by GnuPG et al.". The branch, master has been updated via e8b04bed1093a9f1d87c150326e79adfeb02e2b4 (commit) from 3ecdcb6ac814e3b63aebbf66729ae6cb67c9f6d2 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit e8b04bed1093a9f1d87c150326e79adfeb02e2b4 Author: Werner Koch Date: Thu Oct 2 14:46:34 2014 +0200 w32: Make it build again. * src/estream.c (es_func_w32_read): Fix var name. diff --git a/src/estream.c b/src/estream.c index 2537141..a17950e 100644 --- a/src/estream.c +++ b/src/estream.c 
@@ -1063,7 +1063,7 @@ es_func_w32_read (void *cookie, void *buffer, size_t size) gpgrt_ssize_t bytes_read; if (!size) - bytes_to_read = -1; /* We don't know whether anything is pending. */ + bytes_read = -1; /* We don't know whether anything is pending. */ else if (w32_cookie->hd == INVALID_HANDLE_VALUE) { _gpgrt_yield (); ----------------------------------------------------------------------- Summary of changes: src/estream.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) hooks/post-receive -- Error codes used by GnuPG et al. http://git.gnupg.org From cvs at cvs.gnupg.org Thu Oct 2 15:03:54 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Thu, 02 Oct 2014 15:03:54 +0200 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-116-g0ecd136 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via 0ecd136a6ca02252f63ad229fa5240897bfe6544 (commit) from 1e8b86494cf8fa045696bd447b16267ffd1797f0 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 0ecd136a6ca02252f63ad229fa5240897bfe6544 Author: Werner Koch Date: Thu Oct 2 14:49:31 2014 +0200 build: Document SYSROOT. * configure.ac: Mark SYSROOT as arg var. diff --git a/configure.ac b/configure.ac index baed3ec..18db662 100644 --- a/configure.ac +++ b/configure.ac @@ -83,6 +83,8 @@ AC_CANONICAL_HOST AM_MAINTAINER_MODE AM_SILENT_RULES +AC_ARG_VAR(SYSROOT,[locate config scripts also below that directory]) + AH_TOP([ #ifndef _GCRYPT_CONFIG_H_INCLUDED #define _GCRYPT_CONFIG_H_INCLUDED diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index ecd4d7f..58671df 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi 
@@ -267,9 +267,9 @@ example shows how it can be used at the command line: gcc -c foo.c `libgcrypt-config --cflags` @end example -Adding the output of @samp{libgcrypt-config --cflags} to the compilers -command line will ensure that the compiler can find the Libgcrypt header -file. +Adding the output of @samp{libgcrypt-config --cflags} to the +compiler?s command line will ensure that the compiler can find the +Libgcrypt header file. A similar problem occurs when linking the program with the library. Again, the compiler has to find the library files. For this to work, 
@@ -314,7 +314,20 @@ found, execute @var{action-if-found}, otherwise do Additionally, the function defines @code{LIBGCRYPT_CFLAGS} to the flags needed for compilation of the program to find the @file{gcrypt.h} header file, and @code{LIBGCRYPT_LIBS} to the linker -flags needed to link the program to the Libgcrypt library. +flags needed to link the program to the Libgcrypt library. If the +used helper script does not match the target type you are building for +a warning is printed and the string @code{libgcrypt} is appended to the +variable @code{gpg_config_script_warn}. + +This macro searches for @command{libgcrypt-config} along the PATH. If +you are cross-compiling, it is useful to set the environment variable + at code{SYSROOT} to the top directory of your target. The macro will +then first look for the helper program in the @file{bin} directory +below that top directory. An absolute directory name must be used for + at code{SYSROOT}. Finally, if the configure command line option + at code{--libgcrypt-prefix} is used, only its value is used for the top +directory below which the helper script is expected. + @end defmac You can use the defined Autoconf variables like this in your ----------------------------------------------------------------------- Summary of changes: configure.ac | 2 ++ doc/gcrypt.texi | 21 +++++++++++++++++---- 2 files changed, 19 insertions(+), 4 deletions(-) hooks/post-receive -- The GNU crypto library http://git.gnupg.org From cvs at cvs.gnupg.org Thu Oct 2 15:59:38 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Thu, 02 Oct 2014 15:59:38 +0200 Subject: [git] GPGME - branch, master, updated. gpgme-1.5.1-11-g4027a0a Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GnuPG Made Easy". The branch, master has been updated via 4027a0a89724df3aeef8a964c529548d724b6a5a (commit) via b3309f997c541d7150827a659bffc38bc9f685fe (commit) from 7273ab387a7b4c44cae8d94711c4991e7754bc95 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 4027a0a89724df3aeef8a964c529548d724b6a5a Author: Werner Koch Date: Thu Oct 2 15:48:53 2014 +0200 build: Implement SYSROOT feature. * configure.ac: Document SYSROOT. * m4/gpg-error.m4: Update from libgpg-error master. * src/gpgme.m4: Implement SYSROOT stuff. diff --git a/configure.ac b/configure.ac index efc60c7..5cf46f7 100644 --- a/configure.ac +++ b/configure.ac @@ -83,6 +83,7 @@ AM_INIT_AUTOMAKE AM_MAINTAINER_MODE AC_CANONICAL_HOST AM_SILENT_RULES +AC_ARG_VAR(SYSROOT,[locate config scripts also below that directory]) # Enable GNU extensions on systems that have them. AC_GNU_SOURCE @@ -636,3 +637,12 @@ echo " FD Passing: $use_descriptor_passing GPGME Pthread: $have_pthread " +if test "x${gpg_config_script_warn}" != x; then +cat <= $min_gpg_error_version) ok=no 
@@ -64,6 +88,8 @@ AC_DEFUN([AM_PATH_GPG_ERROR], if test $ok = yes; then GPG_ERROR_CFLAGS=`$GPG_ERROR_CONFIG $gpg_error_config_args --cflags` GPG_ERROR_LIBS=`$GPG_ERROR_CONFIG $gpg_error_config_args --libs` + GPG_ERROR_MT_CFLAGS=`$GPG_ERROR_CONFIG $gpg_error_config_args --mt --cflags 2>/dev/null` + GPG_ERROR_MT_LIBS=`$GPG_ERROR_CONFIG $gpg_error_config_args --mt --libs 2>/dev/null` AC_MSG_RESULT([yes ($gpg_error_config_version)]) ifelse([$2], , :, [$2]) gpg_error_config_host=`$GPG_ERROR_CONFIG $gpg_error_config_args --host 2>/dev/null || echo none` @@ -75,16 +101,21 @@ AC_DEFUN([AM_PATH_GPG_ERROR], *** built for $gpg_error_config_host and thus may not match the *** used host $host. *** You may want to use the configure option --with-gpg-error-prefix -*** to specify a matching config script. +*** to specify a matching config script or use \$SYSROOT. ***]]) + gpg_config_script_warn="$gpg_config_script_warn libgpg-error" fi fi else GPG_ERROR_CFLAGS="" GPG_ERROR_LIBS="" + GPG_ERROR_MT_CFLAGS="" + GPG_ERROR_MT_LIBS="" AC_MSG_RESULT(no) ifelse([$3], , :, [$3]) fi AC_SUBST(GPG_ERROR_CFLAGS) AC_SUBST(GPG_ERROR_LIBS) + AC_SUBST(GPG_ERROR_MT_CFLAGS) + AC_SUBST(GPG_ERROR_MT_LIBS) ]) diff --git a/src/gpgme.m4 b/src/gpgme.m4 index fe17f21..6c2be44 100644 --- a/src/gpgme.m4 +++ b/src/gpgme.m4 @@ -1,5 +1,5 @@ # gpgme.m4 - autoconf macro to detect GPGME. -# Copyright (C) 2002, 2003, 2004 g10 Code GmbH +# Copyright (C) 2002, 2003, 2004, 2014 g10 Code GmbH # # This file is free software; as a special exception the author gives # unlimited permission to copy and/or distribute it, with or without @@ -8,6 +8,8 @@ # This file is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY, to the extent permitted by law; without even the # implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Last-changed: 2014-10-02 AC_DEFUN([_AM_PATH_GPGME_CONFIG], 
@@ -15,9 +17,25 @@ AC_DEFUN([_AM_PATH_GPGME_CONFIG], AC_HELP_STRING([--with-gpgme-prefix=PFX], [prefix where GPGME is installed (optional)]), gpgme_config_prefix="$withval", gpgme_config_prefix="") - if test "x$gpgme_config_prefix" != x ; then - GPGME_CONFIG="$gpgme_config_prefix/bin/gpgme-config" + if test x"${GPGME_CONFIG}" = x ; then + if test x"${gpgme_config_prefix}" != x ; then + GPGME_CONFIG="${gpgme_config_prefix}/bin/gpgme-config" + else + case "${SYSROOT}" in + /*) + if test -x "${SYSROOT}/bin/gpgme-config" ; then + GPGME_CONFIG="${SYSROOT}/bin/gpgme-config" + fi + ;; + '') + ;; + *) + AC_MSG_WARN([Ignoring \$SYSROOT as it is not an absolute path.]) + ;; + esac + fi fi + AC_PATH_PROG(GPGME_CONFIG, gpgme-config, no) if test "$GPGME_CONFIG" != "no" ; then @@ -31,10 +49,35 @@ AC_DEFUN([_AM_PATH_GPGME_CONFIG], sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\3/'` ]) + +AC_DEFUN([_AM_PATH_GPGME_CONFIG_HOST_CHECK], +[ + gpgme_config_host=`$GPGME_CONFIG --host 2>/dev/null || echo none` + if test x"$gpgme_config_host" != xnone ; then + if test x"$gpgme_config_host" != x"$host" ; then + AC_MSG_WARN([[ +*** +*** The config script $GPGME_CONFIG was +*** built for $gpgme_config_host and thus may not match the +*** used host $host. +*** You may want to use the configure option --with-gpgme-prefix +*** to specify a matching config script or use \$SYSROOT. +***]]) + gpg_config_script_warn="$gpg_config_script_warn gpgme" + fi + fi +]) + + dnl AM_PATH_GPGME([MINIMUM-VERSION, dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]]) dnl Test for libgpgme and define GPGME_CFLAGS and GPGME_LIBS. dnl +dnl If a prefix option is not used, the config script is first +dnl searched in $SYSROOT/bin and then along $PATH. If the used +dnl config script does not match the host specification the script +dnl is added to the gpg_config_script_warn variable. +dnl AC_DEFUN([AM_PATH_GPGME], [ AC_REQUIRE([_AM_PATH_GPGME_CONFIG])dnl tmp=ifelse([$1], ,1:0.4.2,$1) 
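Review bot: A non-empty GPGME_CONFIG in the environment now takes precedence over --with-gpgme-prefix. The removed lines assigned `GPGME_CONFIG="$gpgme_config_prefix/bin/gpgme-config"` whenever a prefix was given, while the new outer test `if test x"${GPGME_CONFIG}" = x` skips the prefix branch when the variable is already set. A stale GPGME_CONFIG left in a build environment would then silently select a different script from the one named on the command line, and configure executes that script. If this precedence is intended, state it in the macro's header comment, e.g. `dnl A non-empty GPGME_CONFIG overrides --with-gpgme-prefix and $SYSROOT.`; otherwise test the prefix first. The AC_DEFUN body starts before this hunk.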
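Review bot: _AM_PATH_GPGME_CONFIG_HOST_CHECK compares the script's host against `$host` but has no `AC_REQUIRE([AC_CANONICAL_HOST])`, unlike AM_PATH_GPG_ERROR and AM_PATH_LIBGCRYPT on this page, which both open with it. If a configure.ac that uses this macro never runs AC_CANONICAL_HOST, `$host` would presumably be empty and the warning would fire for every config script that reports a host, adding `gpgme` to gpg_config_script_warn without cause. Adding `AC_REQUIRE([AC_CANONICAL_HOST])dnl` as the first line of the new macro avoids depending on the caller. I cannot see whether _AM_PATH_GPGME_CONFIG already requires it outside the visible hunks.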
@@ -57,7 +100,7 @@ AC_DEFUN([AM_PATH_GPGME], sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'` if test "$gpgme_version_major" -gt "$req_major"; then ok=yes - else + else if test "$gpgme_version_major" -eq "$req_major"; then if test "$gpgme_version_minor" -gt "$req_minor"; then ok=yes @@ -88,6 +131,7 @@ AC_DEFUN([AM_PATH_GPGME], GPGME_LIBS=`$GPGME_CONFIG --libs` AC_MSG_RESULT(yes) ifelse([$2], , :, [$2]) + _AM_PATH_GPGME_CONFIG_HOST_CHECK else GPGME_CFLAGS="" GPGME_LIBS="" @@ -126,7 +170,7 @@ AC_DEFUN([AM_PATH_GPGME_PTHREAD], sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'` if test "$gpgme_version_major" -gt "$req_major"; then ok=yes - else + else if test "$gpgme_version_major" -eq "$req_major"; then if test "$gpgme_version_minor" -gt "$req_minor"; then ok=yes @@ -158,6 +202,7 @@ AC_DEFUN([AM_PATH_GPGME_PTHREAD], GPGME_PTHREAD_LIBS=`$GPGME_CONFIG --thread=pthread --libs` AC_MSG_RESULT(yes) ifelse([$2], , :, [$2]) + _AM_PATH_GPGME_CONFIG_HOST_CHECK else GPGME_PTHREAD_CFLAGS="" GPGME_PTHREAD_LIBS="" @@ -195,7 +240,7 @@ AC_DEFUN([AM_PATH_GPGME_GLIB], sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'` if test "$gpgme_version_major" -gt "$req_major"; then ok=yes - else + else if test "$gpgme_version_major" -eq "$req_major"; then if test "$gpgme_version_minor" -gt "$req_minor"; then ok=yes @@ -226,6 +271,7 @@ AC_DEFUN([AM_PATH_GPGME_GLIB], GPGME_GLIB_LIBS=`$GPGME_CONFIG --glib --libs` AC_MSG_RESULT(yes) ifelse([$2], , :, [$2]) + _AM_PATH_GPGME_CONFIG_HOST_CHECK else GPGME_GLIB_CFLAGS="" GPGME_GLIB_LIBS="" @@ -235,4 +281,3 @@ AC_DEFUN([AM_PATH_GPGME_GLIB], AC_SUBST(GPGME_GLIB_CFLAGS) AC_SUBST(GPGME_GLIB_LIBS) ]) - commit b3309f997c541d7150827a659bffc38bc9f685fe Author: Daniel Kahn Gillmor Date: Mon Sep 29 17:48:39 2014 -0400 Use --no-sk-comments, not --no-sk-comment. -- The --no-sk-comments flag is (or should be) a no-op in modern versions of gnupg, but gpgme should still use its full form rather than the (slightly) abbreviated --no-sk-comment 
diff --git a/src/engine-gpg.c b/src/engine-gpg.c index 8e18253..30c3bfb 100644 --- a/src/engine-gpg.c +++ b/src/engine-gpg.c @@ -779,7 +779,7 @@ build_argv (engine_gpg_t gpg, const char *pgmname) argc++; if (!gpg->cmd.used) argc++; /* --batch */ - argc += 1; /* --no-sk-comment */ + argc += 1; /* --no-sk-comments */ argv = calloc (argc + 1, sizeof *argv); if (!argv) @@ -864,7 +864,7 @@ build_argv (engine_gpg_t gpg, const char *pgmname) } argc++; } - argv[argc] = strdup ("--no-sk-comment"); + argv[argc] = strdup ("--no-sk-comments"); if (!argv[argc]) { int saved_err = gpg_error_from_syserror (); ----------------------------------------------------------------------- Summary of changes: configure.ac | 10 +++++++++ doc/gpgme.texi | 19 +++++++++++++++--- m4/gpg-error.m4 | 45 ++++++++++++++++++++++++++++++++++------- src/engine-gpg.c | 4 ++-- src/gpgme.m4 | 59 +++++++++++++++++++++++++++++++++++++++++++++++------- 5 files changed, 118 insertions(+), 19 deletions(-) hooks/post-receive -- GnuPG Made Easy http://git.gnupg.org From cvs at cvs.gnupg.org Thu Oct 2 16:24:16 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Thu, 02 Oct 2014 16:24:16 +0200 Subject: [git] GnuPG - branch, STABLE-BRANCH-2-0, updated. gnupg-2.0.26-11-g39c5d99 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, STABLE-BRANCH-2-0 has been updated via 39c5d991a8fe9187bfbe71d0ff06630fea36fae0 (commit) via dcb5fa8747e8fc9f35285f168ee3ae8e6d422293 (commit) via 3e14da863a668fb0ec1a075722bd0f7b47ae4c1b (commit) from 36179da032fa43d82042b3d31ed175d17b8e9bc4 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 39c5d991a8fe9187bfbe71d0ff06630fea36fae0 Author: Werner Koch Date: Thu Oct 2 16:17:45 2014 +0200 build: Update m4 scripts * m4/gpg-error.m4: Update from Libgpg-error git master. * m4/libgcrypt.m4: Update from Libgcrypt git master. * configure.ac: Declare SYSROOT a precious variable. Add extra error message for library configuration mismatches. diff --git a/configure.ac b/configure.ac index 5da6ea5..7137e3f 100644 --- a/configure.ac +++ b/configure.ac @@ -460,6 +460,7 @@ AH_BOTTOM([ AM_MAINTAINER_MODE +AC_ARG_VAR(SYSROOT,[locate config scripts also below that directory]) # Checks for programs. AC_MSG_NOTICE([checking for programs]) @@ -1613,3 +1614,12 @@ echo " gpg-check-pattern will not be build. " fi +if test "x${gpg_config_script_warn}" != x; then +cat <= $min_gpg_error_version) ok=no 
@@ -64,6 +88,8 @@ AC_DEFUN([AM_PATH_GPG_ERROR], if test $ok = yes; then GPG_ERROR_CFLAGS=`$GPG_ERROR_CONFIG $gpg_error_config_args --cflags` GPG_ERROR_LIBS=`$GPG_ERROR_CONFIG $gpg_error_config_args --libs` + GPG_ERROR_MT_CFLAGS=`$GPG_ERROR_CONFIG $gpg_error_config_args --mt --cflags 2>/dev/null` + GPG_ERROR_MT_LIBS=`$GPG_ERROR_CONFIG $gpg_error_config_args --mt --libs 2>/dev/null` AC_MSG_RESULT([yes ($gpg_error_config_version)]) ifelse([$2], , :, [$2]) gpg_error_config_host=`$GPG_ERROR_CONFIG $gpg_error_config_args --host 2>/dev/null || echo none` @@ -75,16 +101,21 @@ AC_DEFUN([AM_PATH_GPG_ERROR], *** built for $gpg_error_config_host and thus may not match the *** used host $host. *** You may want to use the configure option --with-gpg-error-prefix -*** to specify a matching config script. +*** to specify a matching config script or use \$SYSROOT. ***]]) + gpg_config_script_warn="$gpg_config_script_warn libgpg-error" fi fi else GPG_ERROR_CFLAGS="" GPG_ERROR_LIBS="" + GPG_ERROR_MT_CFLAGS="" + GPG_ERROR_MT_LIBS="" AC_MSG_RESULT(no) ifelse([$3], , :, [$3]) fi AC_SUBST(GPG_ERROR_CFLAGS) AC_SUBST(GPG_ERROR_LIBS) + AC_SUBST(GPG_ERROR_MT_CFLAGS) + AC_SUBST(GPG_ERROR_MT_LIBS) ]) diff --git a/m4/libgcrypt.m4 b/m4/libgcrypt.m4 index 6cf482f..c67cfec 100644 --- a/m4/libgcrypt.m4 +++ b/m4/libgcrypt.m4 
@@ -1,13 +1,15 @@ -dnl Autoconf macros for libgcrypt -dnl Copyright (C) 2002, 2004, 2011 Free Software Foundation, Inc. -dnl -dnl This file is free software; as a special exception the author gives -dnl unlimited permission to copy and/or distribute it, with or without -dnl modifications, as long as this notice is preserved. -dnl -dnl This file is distributed in the hope that it will be useful, but -dnl WITHOUT ANY WARRANTY, to the extent permitted by law; without even the -dnl implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# libgcrypt.m4 - Autoconf macros to detect libgcrypt +# Copyright (C) 2002, 2003, 2004, 2011, 2014 g10 Code GmbH +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Last-changed: 2014-10-02 dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION, 
@@ -20,19 +22,37 @@ dnl version of libgcrypt is at least 1.2.5 *and* the API number is 1. Using dnl this features allows to prevent build against newer versions of libgcrypt dnl with a changed API. dnl +dnl If a prefix option is not used, the config script is first +dnl searched in $SYSROOT/bin and then along $PATH. If the used +dnl config script does not match the host specification the script +dnl is added to the gpg_config_script_warn variable. +dnl AC_DEFUN([AM_PATH_LIBGCRYPT], [ AC_REQUIRE([AC_CANONICAL_HOST]) AC_ARG_WITH(libgcrypt-prefix, AC_HELP_STRING([--with-libgcrypt-prefix=PFX], [prefix where LIBGCRYPT is installed (optional)]), libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="") - if test x$libgcrypt_config_prefix != x ; then - if test x${LIBGCRYPT_CONFIG+set} != xset ; then - LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config + if test x"${LIBGCRYPT_CONFIG}" = x ; then + if test x"${libgcrypt_config_prefix}" != x ; then + LIBGCRYPT_CONFIG="${libgcrypt_config_prefix}/bin/libgcrypt-config" + else + case "${SYSROOT}" in + /*) + if test -x "${SYSROOT}/bin/libgcrypt-config" ; then + LIBGCRYPT_CONFIG="${SYSROOT}/bin/libgcrypt-config" + fi + ;; + '') + ;; + *) + AC_MSG_WARN([Ignoring \$SYSROOT as it is not an absolute path.]) + ;; + esac fi fi - AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, no) + AC_PATH_PROG(LIBGCRYPT_CONFIG, libgcrypt-config, no) tmp=ifelse([$1], ,1:1.2.0,$1) if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then req_libgcrypt_api=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\1/'` 
@@ -108,8 +128,9 @@ AC_DEFUN([AM_PATH_LIBGCRYPT], *** built for $libgcrypt_config_host and thus may not match the *** used host $host. *** You may want to use the configure option --with-libgcrypt-prefix -*** to specify a matching config script. +*** to specify a matching config script or use \$SYSROOT. ***]]) + gpg_config_script_warn="$gpg_config_script_warn libgcrypt" fi fi else commit dcb5fa8747e8fc9f35285f168ee3ae8e6d422293 Author: Daniel Kahn Gillmor Date: Mon Sep 29 17:49:53 2014 -0400 gpg: --compress-sigs and --compress-keys are not no-ops in 2.0 * g10/gpg.c: Cleanup argument parsing. -- c76117f8b0165fe5cec5e7f234f55f5a4cd7f0ab mistakenly marked compress-sigs and compress-keys as no-ops on the 2.0.x branch. These options still have an effect on the 2.0.x branch, and the duplicate declaration also causes the gpg argument parser to fail when shortened versions of the option are present, like: gpg: option "--compress-k" is ambiguous diff --git a/g10/gpg.c b/g10/gpg.c index eefd4ae..a995796 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -770,8 +770,6 @@ static ARGPARSE_OPTS opts[] = { /* Dummy options. */ ARGPARSE_s_n (oNoop, "sk-comments", "@"), ARGPARSE_s_n (oNoop, "no-sk-comments", "@"), - ARGPARSE_s_n (oNoop, "compress-keys", "@"), - ARGPARSE_s_n (oNoop, "compress-sigs", "@"), ARGPARSE_end () }; commit 3e14da863a668fb0ec1a075722bd0f7b47ae4c1b Author: Daniel Kahn Gillmor Date: Mon Sep 29 17:49:52 2014 -0400 gpg: Avoid duplicate declaration of {no-,}sk-comments noops. * g10/gpg.c: Cleanup argument parsing. -- With c76117f8b0165fe5cec5e7f234f55f5a4cd7f0ab, the GnuPG 2.0.x branch accidentally introduced a second (identical) argument parser for both --sk-comments, and for --no-sk-comments. This caused short versions (e.g. omitting the trailing "s", as gpgme does) of either command to fail with: gpg: option "--sk-comment" is ambiguous diff --git a/g10/gpg.c b/g10/gpg.c index 12d4295..eefd4ae 100644 --- a/g10/gpg.c +++ b/g10/gpg.c 
@@ -538,9 +538,6 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_i (oAttributeFD, "attribute-fd", "@"), ARGPARSE_s_s (oAttributeFile, "attribute-file", "@"), - ARGPARSE_s_n (oNoop, "sk-comments", "@"), - ARGPARSE_s_n (oNoop, "no-sk-comments", "@"), - ARGPARSE_s_i (oCompletesNeeded, "completes-needed", "@"), ARGPARSE_s_i (oMarginalsNeeded, "marginals-needed", "@"), ARGPARSE_s_i (oMaxCertDepth, "max-cert-depth", "@" ), ----------------------------------------------------------------------- Summary of changes: configure.ac | 10 ++++++++++ g10/gpg.c | 5 ----- m4/gpg-error.m4 | 45 ++++++++++++++++++++++++++++++++++++++------- m4/libgcrypt.m4 | 51 ++++++++++++++++++++++++++++++++++++--------------- 4 files changed, 84 insertions(+), 27 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Thu Oct 2 17:34:34 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Thu, 02 Oct 2014 17:34:34 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta834-20-gf2361e6 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via f2361e6d582d4343d71d294ed1da654afe7750ee (commit) via 6bc0cd6202033be113999dbf27be4014bdf2c784 (commit) from edd191e5b006dc6ace1d41672e7201cbe58c41c9 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit f2361e6d582d4343d71d294ed1da654afe7750ee Author: Werner Koch Date: Thu Oct 2 17:33:57 2014 +0200 First changes for future use of NTBTLS. * configure.ac (NEED_NTBTLS_ABI, NEED_NTBTLS_VERSION): New. (HTTP_USE_NTBTLS): New. Prefer over GNUTLS. * m4/ntbtls.m4: New. * m4/Makefile.am (EXTRA_DIST): Add new file. * common/http.c: Add conditionals to eventually use NTBTLS. -- This is only the configure stuff. If you have NTBTLS installed GNUTLS will not be used but there won't be any https support either :-(. This patch is used to have a real world test bench for the forthcoming library. diff --git a/common/Makefile.am b/common/Makefile.am index 03bc5eb..87d6820 100644 --- a/common/Makefile.am +++ b/common/Makefile.am 
@@ -226,8 +226,9 @@ t_zb32_LDADD = $(t_common_ldadd) # http tests t_http_SOURCES = t-http.c -t_http_CFLAGS = $(t_common_cflags) $(LIBGNUTLS_CFLAGS) -t_http_LDADD = libcommontls.a $(t_common_ldadd) $(LIBGNUTLS_LIBS) $(DNSLIBS) +t_http_CFLAGS = $(t_common_cflags) $(NTBTLS_CFLAGS) $(LIBGNUTLS_CFLAGS) +t_http_LDADD = libcommontls.a $(t_common_ldadd) \ + $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(DNSLIBS) # All programs should depend on the created libs. $(PROGRAMS) : libcommon.a libcommonpth.a libcommontls.a libcommontlsnpth.a diff --git a/common/http.c b/common/http.c index 7e3bb57..413efd8 100644 --- a/common/http.c +++ b/common/http.c @@ -39,7 +39,7 @@ - fixme: list other requirements. - - With HTTP_USE_GNUTLS or HTTP_USE_POLARSSL support for https is + - With HTTP_USE_NTBTLS or HTTP_USE_GNUTLS support for https is provided (this also requires estream). - With HTTP_NO_WSASTARTUP the socket initialization is not done @@ -82,17 +82,16 @@ # include #endif -#if defined (HTTP_USE_GNUTLS) && defined (HTTP_USE_POLARSSL) -# error Both, HTTP_USE_GNUTLS and HTTP_USE_POLARSSL, are defined. +#if defined (HTTP_USE_GNUTLS) && defined (HTTP_USE_NTBTLS) +# error Both, HTTP_USE_GNUTLS and HTTP_USE_NTBTLS, are defined. #endif -#ifdef HTTP_USE_GNUTLS +#ifdef HTTP_USE_NTBTLS +# include +#elif HTTP_USE_GNUTLS # include # include #endif /*HTTP_USE_GNUTLS*/ -#ifdef HTTP_USE_POLARSSL -# error Support for PolarSSL has not yet been added -#endif #include "util.h" @@ -156,8 +155,15 @@ typedef unsigned long longcounter_t; # define counter_strtoul(a) strtoul ((a), NULL, 10) #endif -#ifndef HTTP_USE_GNUTLS -typedef void * gnutls_session_t; +#if HTTP_USE_NTBTLS +typedef ntbtls_t tls_session_t; +# define USE_TLS 1 +#elif HTTP_USE_GNUTLS +typedef gnutls_session_t tls_session_t; +# define USE_TLS 1 +#else +typedef void *tls_session_t; +# undef USE_TLS #endif static gpg_err_code_t do_parse_uri (parsed_uri_t uri, int only_local_part, 
@@ -226,14 +232,16 @@ struct http_session_s int refcount; /* Number of references to this object. */ #ifdef HTTP_USE_GNUTLS gnutls_certificate_credentials_t certcred; - gnutls_session_t tls_session; +#endif /*HTTP_USE_GNUTLS*/ +#ifdef USE_TLS + tls_session_t tls_session; struct { int done; /* Verifciation has been done. */ - int rc; /* GnuTLS verification return code. */ + int rc; /* TLS verification return code. */ unsigned int status; /* Verification status. */ } verify; char *servername; /* Malloced server name. */ -#endif /*HTTP_USE_GNUTLS*/ +#endif /*USE_TLS*/ /* A callback function to log details of TLS certifciates. */ void (*cert_log_cb) (http_session_t, gpg_error_t, const char *, const void **, size_t *); @@ -522,7 +530,8 @@ session_unref (int lnr, http_session_t sess) if (sess->refcount) return; -#ifdef HTTP_USE_GNUTLS +#ifdef USE_TLS +# ifdef HTTP_USE_GNUTLS if (sess->tls_session) { my_socket_t sock = gnutls_transport_get_ptr (sess->tls_session); @@ -531,8 +540,9 @@ session_unref (int lnr, http_session_t sess) } if (sess->certcred) gnutls_certificate_free_credentials (sess->certcred); +# endif /*HTTP_USE_GNUTLS*/ xfree (sess->servername); -#endif /*HTTP_USE_GNUTLS*/ +#endif /*USE_TLS*/ xfree (sess); } @@ -560,7 +570,18 @@ http_session_new (http_session_t *r_session, const char *tls_priority) return gpg_error_from_syserror (); sess->refcount = 1; -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS + { + (void)tls_priority; + + err = ntbtls_new (&sess->tls_session, NTBTLS_CLIENT); + if (err) + { + log_error ("ntbtls_new failed: %s\n", gpg_strerror (err)); + goto leave; + } + } +#elif HTTP_USE_GNUTLS { const char *errpos; int rc; 
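Review bot: In the two `session_unref` hunks of common/http.c, the only code that tears down `sess->tls_session` now sits inside `# ifdef HTTP_USE_GNUTLS`. In an NTBTLS build the context allocated by `ntbtls_new` in `http_session_new` (last hunk on this line) is therefore never released when the refcount reaches zero. I would add a branch ahead of the GnuTLS one: `# if HTTP_USE_NTBTLS`, then `ntbtls_release (sess->tls_session);`, then `# elif HTTP_USE_GNUTLS`. session_unref starts and ends outside the hunks, so whether a socket reference also has to be dropped for NTBTLS cannot be judged from here.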
@@ -616,17 +637,18 @@ http_session_new (http_session_t *r_session, const char *tls_priority) goto leave; } } - #else /*!HTTP_USE_GNUTLS*/ - (void)tls_priority; + { + (void)tls_priority; + } #endif /*!HTTP_USE_GNUTLS*/ /* log_debug ("http.c:session_new: sess %p created\n", sess); */ err = 0; -#ifdef HTTP_USE_GNUTLS +#if USE_TLS leave: -#endif /*HTTP_USE_GNUTLS*/ +#endif /*USE_TLS*/ if (err) http_session_unref (sess); else @@ -1067,7 +1089,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part, uri->port = 11371; uri->is_http = 1; } -#ifdef HTTP_USE_GNUTLS +#ifdef USE_TLS else if (!strcmp (uri->scheme, "https") || !strcmp (uri->scheme,"hkps") || (force_tls && (!strcmp (uri->scheme, "http") || !strcmp (uri->scheme,"hkp")))) @@ -1076,7 +1098,7 @@ do_parse_uri (parsed_uri_t uri, int only_local_part, uri->is_http = 1; uri->use_tls = 1; } -#endif +#endif /*USE_TLS*/ else if (!no_scheme_check) return GPG_ERR_INV_URI; /* Unsupported scheme */ @@ -1393,22 +1415,24 @@ send_request (http_t hd, const char *httphost, const char *auth, log_error ("TLS requested but no session object provided\n"); return gpg_err_make (default_errsource, GPG_ERR_INTERNAL); } -#ifdef HTTP_USE_GNUTLS +#ifdef USE_TLS if (hd->uri->use_tls && !hd->session->tls_session) { log_error ("TLS requested but no GNUTLS context available\n"); return gpg_err_make (default_errsource, GPG_ERR_INTERNAL); } -#endif /*HTTP_USE_GNUTLS*/ +#endif /*USE_TLS*/ server = *hd->uri->host ? hd->uri->host : "localhost"; port = hd->uri->port ? hd->uri->port : 80; /* Try to use SNI. */ -#ifdef HTTP_USE_GNUTLS +#ifdef USE_TLS if (hd->uri->use_tls) { +# if HTTP_USE_GNUTLS int rc; +# endif xfree (hd->session->servername); hd->session->servername = xtrystrdup (httphost? httphost : server); 
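Review bot: In the `send_request` hunk (`@@ -1393,22 +1415,24 @@`) the guard was widened from HTTP_USE_GNUTLS to USE_TLS, but the logged message still says "no GNUTLS context available", which misleads in an NTBTLS build. I suggest `log_error ("TLS requested but no TLS context available\n");`. The closing comment `#endif /*!HTTP_USE_GNUTLS*/` in the `http_session_new` hunk has the same staleness, since it now ends a three-way `#if`/`#elif`/`#else`. A neutral `#endif /*TLS backend*/` would read better.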
@@ -1418,13 +1442,22 @@ send_request (http_t hd, const char *httphost, const char *auth, return err; } +# if HTTP_USE_NTBTLS + err = ntbtls_set_hostname (hd->session->tls_session, server); + if (err) + { + log_info ("ntbtls_set_hostname failed: %s\n", gpg_strerror (err)); + return err; + } +# elif HTTP_USE_GNUTLS rc = gnutls_server_name_set (hd->session->tls_session, GNUTLS_NAME_DNS, server, strlen (server)); if (rc < 0) log_info ("gnutls_server_name_set failed: %s\n", gnutls_strerror (rc)); +# endif /*HTTP_USE_GNUTLS*/ } -#endif /*HTTP_USE_GNUTLS*/ +#endif /*USE_TLS*/ if ( (proxy && *proxy) || ( (hd->flags & HTTP_FLAG_TRY_PROXY) @@ -1490,7 +1523,37 @@ send_request (http_t hd, const char *httphost, const char *auth, -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS + if (hd->uri->use_tls) + { + my_socket_ref (hd->sock); + + while ((err = ntbtls_handshake (hd->session->tls_session))) + { + switch (err) + { + default: + log_info ("TLS handshake failed: %s <%s>\n", + gpg_strerror (err), gpg_strsource (err)); + xfree (proxy_authstr); + return err; + } + } + + hd->session->verify.done = 0; + if (tls_callback) + err = tls_callback (hd, hd->session, 0); + else + err = http_verify_server_credentials (hd->session); + if (err) + { + log_info ("TLS connection authentication failed: %s <%s>\n", + gpg_strerror (err), gpg_strsource (err)); + xfree (proxy_authstr); + return err; + } + } +#elif HTTP_USE_GNUTLS if (hd->uri->use_tls) { int rc; @@ -2423,7 +2486,7 @@ cookie_write (void *cookie, const void *buffer_arg, size_t size) static void send_gnutls_bye (void *opaque) { - gnutls_session_t tls_session = opaque; + tls_session_t tls_session = opaque; int ret; again: @@ -2473,7 +2536,10 @@ cookie_close (void *cookie) gpg_error_t http_verify_server_credentials (http_session_t sess) { -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS + (void)sess; + return 0; /* FIXME!! */ +#elif HTTP_USE_GNUTLS static const char const errprefix[] = "TLS verification of peer failed"; int rc; unsigned int status; 
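Review bot: The NTBTLS branch added to `http_verify_server_credentials` (`@@ -2473,7 +2536,10 @@`) returns 0, i.e. success, without inspecting the peer certificate. The new handshake block in `send_request` (`@@ -1490,7 +1523,37 @@`) calls it whenever no `tls_callback` is supplied. Until verification is implemented the stub should fail closed, for example `return gpg_err_make (default_errsource, GPG_ERR_NOT_IMPLEMENTED);`, so that an https/hkps connection is refused rather than treated as authenticated. The `/* FIXME!! */` marker is easy to miss once this code is exercised as a test bench. Both function bodies continue outside their hunks.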
diff --git a/common/t-http.c b/common/t-http.c index 9872f9a..e031ef9 100644 --- a/common/t-http.c +++ b/common/t-http.c @@ -42,7 +42,9 @@ #include "http.h" -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS +# include +#elif HTTP_USE_GNUTLS # include /* For init, logging, and deinit. */ #endif /*HTTP_USE_GNUTLS*/ @@ -97,6 +99,7 @@ static int no_verify; +#if HTTP_USE_GNUTLS static gpg_error_t verify_callback (http_t hd, http_session_t session, int reserved) { @@ -104,14 +107,15 @@ verify_callback (http_t hd, http_session_t session, int reserved) (void)reserved; return no_verify? 0 : http_verify_server_credentials (session); } +#endif - +#if HTTP_USE_GNUTLS static void my_gnutls_log (int level, const char *text) { fprintf (stderr, "gnutls:L%d: %s", level, text); } - +#endif /* Prepend FNAME with the srcdir environment variable's value and return an allocated filename. */ @@ -233,7 +237,14 @@ main (int argc, char **argv) if (!cafile) cafile = prepend_srcdir ("tls-ca.pem"); -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS + + (void)err; + + ntbtls_set_debug (tls_dbg, NULL, NULL); + +#elif HTTP_USE_GNUTLS + rc = gnutls_global_init (); if (rc) log_error ("gnutls_global_init failed: %s\n", gnutls_strerror (rc)); diff --git a/configure.ac b/configure.ac index daca838..46a0aad 100644 --- a/configure.ac +++ b/configure.ac @@ -61,9 +61,13 @@ NEED_LIBASSUAN_VERSION=2.1.0 NEED_KSBA_API=1 NEED_KSBA_VERSION=1.2.0 +NEED_NTBTLS_API=1 +NEED_NTBTLS_VERSION=0.1.0 + NEED_NPTH_API=1 NEED_NPTH_VERSION=0.91 + NEED_GNUTLS_VERSION=3.0 @@ -88,6 +92,7 @@ have_gpg_error=no have_libgcrypt=no have_libassuan=no have_ksba=no +have_ntbtls=no have_npth=no have_libusb=no have_adns=no @@ -101,6 +106,7 @@ card_support=yes use_ccid_driver=yes use_standard_socket=yes dirmngr_auto_start=yes +use_tls_library=no GNUPG_BUILD_PROGRAM(gpg, yes) GNUPG_BUILD_PROGRAM(gpgsm, yes) 
@@ -126,6 +132,8 @@ AC_DEFINE_UNQUOTED(NEED_LIBGCRYPT_VERSION, "$NEED_LIBGCRYPT_VERSION", [Required version of Libgcrypt]) AC_DEFINE_UNQUOTED(NEED_KSBA_VERSION, "$NEED_KSBA_VERSION", [Required version of Libksba]) +AC_DEFINE_UNQUOTED(NEED_NTBTLS_VERSION, "$NEED_NTBTLS_VERSION", + [Required version of NTBTLS]) @@ -841,27 +849,37 @@ else ***]]) fi + # -# Check whether GNUTLS is available +# NTBTLS is our TLS library. If it is not available fallback to +# GNUTLS. # -PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $NEED_GNUTLS_VERSION], - [have_gnutls=yes], - [have_gnutls=no]) -if test "$have_gnutls" = "yes"; then - AC_SUBST([LIBGNUTLS_CFLAGS]) - AC_SUBST([LIBGNUTLS_LIBS]) - AC_DEFINE(HTTP_USE_GNUTLS, 1, [Enable GNUTLS support in http.c]) +AM_PATH_NTBTLS("$NEED_NTBTLS_API:$NEED_NTBTLS_VERSION", + [have_ntbtls=yes],[have_ntbtls=no]) + +if test "$have_ntbtls" = yes ; then + use_tls_library=ntbtls + AC_DEFINE(HTTP_USE_NTBTLS, 1, [Enable NTBTLS support in http.c]) else - tmp=$(echo "$LIBGNUTLS_PKG_ERRORS" | tr '\n' '\v' | sed 's/\v/\n*** /g') - AC_MSG_WARN([[ + PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $NEED_GNUTLS_VERSION], + [have_gnutls=yes], + [have_gnutls=no]) + if test "$have_gnutls" = "yes"; then + AC_SUBST([LIBGNUTLS_CFLAGS]) + AC_SUBST([LIBGNUTLS_LIBS]) + use_tls_library=gnutls + AC_DEFINE(HTTP_USE_GNUTLS, 1, [Enable GNUTLS support in http.c]) + else + tmp=$(echo "$LIBGNUTLS_PKG_ERRORS" | tr '\n' '\v' | sed 's/\v/\n*** /g') + AC_MSG_WARN([[ *** -*** Building without GNUTLS - no TLS access to keyservers. +*** Building without NTBTLS and GNUTLS - no TLS access to keyservers. *** *** $tmp]]) + fi fi - AC_MSG_NOTICE([checking for networking options]) # @@ -1788,7 +1806,7 @@ echo " Dirmngr auto start: $dirmngr_auto_start Readline support: $gnupg_cv_have_readline DNS SRV support: $use_dns_srv - TLS support: $have_gnutls + TLS support: $use_tls_library " if test x"$use_regex" != xyes ; then echo " 
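Review bot: The rewritten TLS check in configure.ac (`@@ -841,27 +849,37 @@`) selects NTBTLS automatically whenever `AM_PATH_NTBTLS` succeeds and only probes GnuTLS otherwise, with no switch to opt out. The NTBTLS paths added to common/http.c in this same commit are still stubs (the certificate verification branch returns 0). A build host that merely has the library installed therefore loses the GnuTLS backend and its server authentication. I would make the experimental backend opt-in, e.g. `AC_ARG_ENABLE(ntbtls, AC_HELP_STRING([--enable-ntbtls],[use NTBTLS instead of GNUTLS (experimental)]), , enable_ntbtls=no)`, and test `if test "$have_ntbtls" = yes && test "$enable_ntbtls" = yes ; then` before setting `use_tls_library=ntbtls`.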
diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am index 7e2449f..d0226a3 100644 --- a/dirmngr/Makefile.am +++ b/dirmngr/Makefile.am @@ -63,7 +63,7 @@ endif dirmngr_LDADD = $(libcommontlsnpth) $(libcommonpth) \ ../gl/libgnu.a $(DNSLIBS) $(LIBASSUAN_LIBS) \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \ - $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) + $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) if !USE_LDAPWRAPPER dirmngr_LDADD += $(LDAPLIBS) endif diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index 48fa80b..8110df2 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -40,7 +40,12 @@ # include #endif #include -#ifdef HTTP_USE_GNUTLS + +#include "dirmngr-err.h" + +#if HTTP_USE_NTBTLS +# include +#elif HTTP_USE_GNUTLS # include #endif /*HTTP_USE_GNUTLS*/ @@ -210,6 +215,7 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_p_u (oDebug, "debug", "@"), ARGPARSE_s_n (oDebugAll, "debug-all", "@"), ARGPARSE_s_i (oGnutlsDebug, "gnutls-debug", "@"), + ARGPARSE_s_i (oGnutlsDebug, "tls-debug", "@"), ARGPARSE_s_i (oDebugWait, "debug-wait", "@"), ARGPARSE_s_n (oNoGreeting, "no-greeting", "@"), ARGPARSE_s_s (oHomedir, "homedir", "@"), @@ -244,7 +250,7 @@ static char *current_logfile; /* Helper to implement --debug-level. */ static const char *debug_level; -/* Helper to set the GNUTLS log level. */ +/* Helper to set the NTBTLS or GNUTLS log level. */ static int opt_gnutls_debug = -1; /* Flag indicating that a shutdown has been requested. */ @@ -410,7 +416,12 @@ set_debug (void) if (opt.debug & DBG_CRYPTO_VALUE ) gcry_control (GCRYCTL_SET_DEBUG_FLAGS, 1); -#ifdef HTTP_USE_GNUTLS +#if HTTP_USE_NTBTLS + if (opt_gnutls_debug >= 0) + { + ntbtls_set_debug (opt_gnutls_debug, NULL, NULL); + } +#elif HTTP_USE_GNUTLS if (opt_gnutls_debug >= 0) { gnutls_global_set_log_function (my_gnutls_log); 
@@ -669,8 +680,12 @@ main (int argc, char **argv) ksba_set_malloc_hooks (gcry_malloc, gcry_realloc, gcry_free ); ksba_set_hash_buffer_function (my_ksba_hash_buffer, NULL); - /* Init GNUTLS. */ -#ifdef HTTP_USE_GNUTLS + /* Init TLS library. */ +#if HTTP_USE_NTBTLS + if (!ntbtls_check_version (NEED_NTBTLS_VERSION) ) + log_fatal( _("%s is too old (need %s, have %s)\n"), "ntbtls", + NEED_NTBTLS_VERSION, ntbtls_check_version (NULL) ); +#elif HTTP_USE_GNUTLS rc = gnutls_global_init (); if (rc) log_fatal ("gnutls_global_init failed: %s\n", gnutls_strerror (rc)); diff --git a/m4/Makefile.am b/m4/Makefile.am index 05a2be3..f1b8df9 100644 --- a/m4/Makefile.am +++ b/m4/Makefile.am @@ -4,7 +4,7 @@ EXTRA_DIST += ldap.m4 libcurl.m4 libusb.m4 tar-ustar.m4 readline.m4 EXTRA_DIST += gnupg-pth.m4 -EXTRA_DIST += gpg-error.m4 libgcrypt.m4 libassuan.m4 ksba.m4 +EXTRA_DIST += gpg-error.m4 libgcrypt.m4 libassuan.m4 ksba.m4 ntbtls.m4 EXTRA_DIST += autobuild.m4 diff --git a/m4/ntbtls.m4 b/m4/ntbtls.m4 new file mode 100644 index 0000000..85c8ee9 --- /dev/null +++ b/m4/ntbtls.m4 
@@ -0,0 +1,137 @@ +dnl Autoconf macros for NTBTLS +dnl Copyright (C) 2002, 2004, 2011 Free Software Foundation, Inc. +dnl +dnl This file is free software; as a special exception the author gives +dnl unlimited permission to copy and/or distribute it, with or without +dnl modifications, as long as this notice is preserved. +dnl +dnl This file is distributed in the hope that it will be useful, but +dnl WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +dnl implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + + +dnl AM_PATH_NTBTLS([MINIMUM-VERSION, +dnl [ACTION-IF-FOUND [, ACTION-IF-NOT-FOUND ]]]) +dnl +dnl Test for NTBTLS and define NTBTLS_CFLAGS and NTBTLS_LIBS. +dnl MINIMUN-VERSION is a string with the version number optionalliy prefixed +dnl with the API version to also check the API compatibility. Example: +dnl a MINIMUN-VERSION of 1:1.2.5 won't pass the test unless the installed +dnl version of libgcrypt is at least 1.2.5 *and* the API number is 1. Using +dnl this features allows to prevent build against newer versions of libgcrypt +dnl with a changed API. 
+dnl +AC_DEFUN([AM_PATH_NTBTLS], +[ AC_REQUIRE([AC_CANONICAL_HOST]) + AC_ARG_WITH(ntbtls-prefix, + AC_HELP_STRING([--with-ntbtls-prefix=PFX], + [prefix where NTBTLS is installed (optional)]), + ntbtls_config_prefix="$withval", ntbtls_config_prefix="") + if test x"${NTBTLS_CONFIG}" = x ; then + if test x"${ntbtls_config_prefix}" != x ; then + NTBTLS_CONFIG="${ntbtls_config_prefix}/bin/ntbtls-config" + else + case "${SYSROOT}" in + /*) + if test -x "${SYSROOT}/bin/ntbtls-config" ; then + NTBTLS_CONFIG="${SYSROOT}/bin/ntbtls-config" + fi + ;; + '') + ;; + *) + AC_MSG_WARN([Ignoring \$SYSROOT as it is not an absolute path.]) + ;; + esac + fi + fi + + AC_PATH_PROG(NTBTLS_CONFIG, ntbtls-config, no) + tmp=ifelse([$1], ,1:1.0.0,$1) + if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then + req_ntbtls_api=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\1/'` + min_ntbtls_version=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\2/'` + else + req_ntbtls_api=0 + min_ntbtls_version="$tmp" + fi + + AC_MSG_CHECKING(for NTBTLS - version >= $min_ntbtls_version) + ok=no + if test "$NTBTLS_CONFIG" != "no" ; then + req_major=`echo $min_ntbtls_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\1/'` + req_minor=`echo $min_ntbtls_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\2/'` + req_micro=`echo $min_ntbtls_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\)/\3/'` + ntbtls_config_version=`$NTBTLS_CONFIG --version` + major=`echo $ntbtls_config_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\1/'` + minor=`echo $ntbtls_config_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\2/'` + micro=`echo $ntbtls_config_version | \ + sed 's/\([[0-9]]*\)\.\([[0-9]]*\)\.\([[0-9]]*\).*/\3/'` + if test "$major" -gt "$req_major"; then + ok=yes + else + if test "$major" -eq "$req_major"; then + if test "$minor" -gt "$req_minor"; then + ok=yes + else + if test "$minor" -eq "$req_minor"; then + if test "$micro" -ge "$req_micro"; then + ok=yes + fi + fi + fi + 
fi + fi + fi + if test $ok = yes; then + AC_MSG_RESULT([yes ($ntbtls_config_version)]) + else + AC_MSG_RESULT(no) + fi + if test $ok = yes; then + # If we have a recent ntbtls, we should also check that the + # API is compatible + if test "$req_ntbtls_api" -gt 0 ; then + tmp=`$NTBTLS_CONFIG --api-version 2>/dev/null || echo 0` + if test "$tmp" -gt 0 ; then + AC_MSG_CHECKING([NTBTLS API version]) + if test "$req_ntbtls_api" -eq "$tmp" ; then + AC_MSG_RESULT([okay]) + else + ok=no + AC_MSG_RESULT([does not match. want=$req_ntbtls_api got=$tmp]) + fi + fi + fi + fi + if test $ok = yes; then + NTBTLS_CFLAGS=`$NTBTLS_CONFIG --cflags` + NTBTLS_LIBS=`$NTBTLS_CONFIG --libs` + ifelse([$2], , :, [$2]) + ntbtls_config_host=`$NTBTLS_CONFIG --host 2>/dev/null || echo none` + if test x"$ntbtls_config_host" != xnone ; then + if test x"$ntbtls_config_host" != x"$host" ; then + AC_MSG_WARN([[ +*** +*** The config script $NTBTLS_CONFIG was +*** built for $ntbtls_config_host and thus may not match the +*** used host $host. +*** You may want to use the configure option --with-ntbtls-prefix +*** to specify a matching config script or use \$SYSROOT. +***]]) + gpg_config_script_warn="$gpg_config_script_warn ntbtls" + fi + fi + else + NTBTLS_CFLAGS="" + NTBTLS_LIBS="" + ifelse([$3], , :, [$3]) + fi + AC_SUBST(NTBTLS_CFLAGS) + AC_SUBST(NTBTLS_LIBS) +]) commit 6bc0cd6202033be113999dbf27be4014bdf2c784 Author: Werner Koch Date: Thu Oct 2 16:17:45 2014 +0200 build: Update m4 scripts * m4/gpg-error.m4: Update from Libgpg-error git master. * m4/libgcrypt.m4: Update from Libgcrypt git master. * configure.ac: Declare SYSROOT a precious variable. Add extra error message for library configuration mismatches. diff --git a/configure.ac b/configure.ac index c627c27..daca838 100644 --- a/configure.ac +++ b/configure.ac @@ -528,6 +528,7 @@ AH_BOTTOM([ AM_MAINTAINER_MODE +AC_ARG_VAR(SYSROOT,[locate config scripts also below that directory]) # Checks for programs. AC_MSG_NOTICE([checking for programs]) 
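Review bot: The header comment of the new m4/ntbtls.m4 (`@@ -0,0 +1,137 @@`) was carried over from libgcrypt.m4 and still describes libgcrypt ("version of libgcrypt is at least 1.2.5", "newer versions of libgcrypt"), with the typos `MINIMUN-VERSION` and `optionalliy`. It also lacks the lookup paragraph that the sibling macros gained in these commits, although the body implements the same `$SYSROOT/bin` search and appends to `gpg_config_script_warn`. I would replace the library name with NTBTLS, fix the spelling, and add `dnl If a prefix option is not used, the config script is first searched in $SYSROOT/bin and then along $PATH.` followed by the sentence about `gpg_config_script_warn`.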
@@ -1796,3 +1797,12 @@ echo " gpg-check-pattern will not be build. " fi +if test "x${gpg_config_script_warn}" != x; then +cat <= $min_gpg_error_version) ok=no @@ -62,6 +86,8 @@ AC_DEFUN([AM_PATH_GPG_ERROR], if test $ok = yes; then GPG_ERROR_CFLAGS=`$GPG_ERROR_CONFIG $gpg_error_config_args --cflags` GPG_ERROR_LIBS=`$GPG_ERROR_CONFIG $gpg_error_config_args --libs` + GPG_ERROR_MT_CFLAGS=`$GPG_ERROR_CONFIG $gpg_error_config_args --mt --cflags 2>/dev/null` + GPG_ERROR_MT_LIBS=`$GPG_ERROR_CONFIG $gpg_error_config_args --mt --libs 2>/dev/null` AC_MSG_RESULT([yes ($gpg_error_config_version)]) ifelse([$2], , :, [$2]) gpg_error_config_host=`$GPG_ERROR_CONFIG $gpg_error_config_args --host 2>/dev/null || echo none` @@ -73,16 +99,21 @@ AC_DEFUN([AM_PATH_GPG_ERROR], *** built for $gpg_error_config_host and thus may not match the *** used host $host. *** You may want to use the configure option --with-gpg-error-prefix -*** to specify a matching config script. +*** to specify a matching config script or use \$SYSROOT. ***]]) + gpg_config_script_warn="$gpg_config_script_warn libgpg-error" fi fi else GPG_ERROR_CFLAGS="" GPG_ERROR_LIBS="" + GPG_ERROR_MT_CFLAGS="" + GPG_ERROR_MT_LIBS="" AC_MSG_RESULT(no) ifelse([$3], , :, [$3]) fi AC_SUBST(GPG_ERROR_CFLAGS) AC_SUBST(GPG_ERROR_LIBS) + AC_SUBST(GPG_ERROR_MT_CFLAGS) + AC_SUBST(GPG_ERROR_MT_LIBS) ]) diff --git a/m4/libgcrypt.m4 b/m4/libgcrypt.m4 index 6cf482f..c67cfec 100644 --- a/m4/libgcrypt.m4 +++ b/m4/libgcrypt.m4 
@@ -1,13 +1,15 @@ -dnl Autoconf macros for libgcrypt -dnl Copyright (C) 2002, 2004, 2011 Free Software Foundation, Inc. -dnl -dnl This file is free software; as a special exception the author gives -dnl unlimited permission to copy and/or distribute it, with or without -dnl modifications, as long as this notice is preserved. -dnl -dnl This file is distributed in the hope that it will be useful, but -dnl WITHOUT ANY WARRANTY, to the extent permitted by law; without even the -dnl implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# libgcrypt.m4 - Autoconf macros to detect libgcrypt +# Copyright (C) 2002, 2003, 2004, 2011, 2014 g10 Code GmbH +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Last-changed: 2014-10-02 dnl AM_PATH_LIBGCRYPT([MINIMUM-VERSION, 
@@ -20,19 +22,37 @@ dnl version of libgcrypt is at least 1.2.5 *and* the API number is 1. Using dnl this features allows to prevent build against newer versions of libgcrypt dnl with a changed API. dnl +dnl If a prefix option is not used, the config script is first +dnl searched in $SYSROOT/bin and then along $PATH. If the used +dnl config script does not match the host specification the script +dnl is added to the gpg_config_script_warn variable. +dnl AC_DEFUN([AM_PATH_LIBGCRYPT], [ AC_REQUIRE([AC_CANONICAL_HOST]) AC_ARG_WITH(libgcrypt-prefix, AC_HELP_STRING([--with-libgcrypt-prefix=PFX], [prefix where LIBGCRYPT is installed (optional)]), libgcrypt_config_prefix="$withval", libgcrypt_config_prefix="") - if test x$libgcrypt_config_prefix != x ; then - if test x${LIBGCRYPT_CONFIG+set} != xset ; then - LIBGCRYPT_CONFIG=$libgcrypt_config_prefix/bin/libgcrypt-config + if test x"${LIBGCRYPT_CONFIG}" = x ; then + if test x"${libgcrypt_config_prefix}" != x ; then + LIBGCRYPT_CONFIG="${libgcrypt_config_prefix}/bin/libgcrypt-config" + else + case "${SYSROOT}" in + /*) + if test -x "${SYSROOT}/bin/libgcrypt-config" ; then + LIBGCRYPT_CONFIG="${SYSROOT}/bin/libgcrypt-config" + fi + ;; + '') + ;; + *) + AC_MSG_WARN([Ignoring \$SYSROOT as it is not an absolute path.]) + ;; + esac fi fi - AC_PATH_TOOL(LIBGCRYPT_CONFIG, libgcrypt-config, no) + AC_PATH_PROG(LIBGCRYPT_CONFIG, libgcrypt-config, no) tmp=ifelse([$1], ,1:1.2.0,$1) if echo "$tmp" | grep ':' >/dev/null 2>/dev/null ; then req_libgcrypt_api=`echo "$tmp" | sed 's/\(.*\):\(.*\)/\1/'` 
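Review bot: In m4/libgcrypt.m4, when `$SYSROOT` is an absolute path but `${SYSROOT}/bin/libgcrypt-config` is missing or not executable, the `/*)` branch leaves LIBGCRYPT_CONFIG empty and AC_PATH_PROG then takes the first `libgcrypt-config` on `$PATH` without any message. In a cross build that can silently select the build machine's script, and judging by the ntbtls.m4 copy of this logic the later host comparison only notices when the script answers `--host`. An `else` branch with `AC_MSG_WARN([libgcrypt-config not found below \$SYSROOT - searching \$PATH])` would make the fallback visible. The doc block added above AC_DEFUN could also say that the script found below `$SYSROOT` is executed by configure, so the sysroot has to come from a trusted source. The same branch appears in the ntbtls.m4 and gpg-error.m4 macros of this series.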
@@ -108,8 +128,9 @@ AC_DEFUN([AM_PATH_LIBGCRYPT], *** built for $libgcrypt_config_host and thus may not match the *** used host $host. *** You may want to use the configure option --with-libgcrypt-prefix -*** to specify a matching config script. +*** to specify a matching config script or use \$SYSROOT. ***]]) + gpg_config_script_warn="$gpg_config_script_warn libgcrypt" fi fi else ----------------------------------------------------------------------- Summary of changes: common/Makefile.am | 5 +- common/http.c | 122 ++++++++++++++++++++++++++++++++++----------- common/t-http.c | 19 +++++-- configure.ac | 54 +++++++++++++++----- dirmngr/Makefile.am | 2 +- dirmngr/dirmngr.c | 25 ++++++++-- m4/Makefile.am | 2 +- m4/gpg-error.m4 | 45 ++++++++++++++--- m4/libgcrypt.m4 | 51 +++++++++++++------ m4/ntbtls.m4 | 137 +++++++++++++++++++++++++++++++++++++++++++++++++++ 10 files changed, 386 insertions(+), 76 deletions(-) create mode 100644 m4/ntbtls.m4 hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Thu Oct 2 19:18:12 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Thu, 02 Oct 2014 19:18:12 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta834-21-g688a903 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 688a903b4b3ad348c0d09e9d3fab8a12f4f94311 (commit) from f2361e6d582d4343d71d294ed1da654afe7750ee (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 688a903b4b3ad348c0d09e9d3fab8a12f4f94311 Author: Werner Koch Date: Thu Oct 2 19:17:34 2014 +0200 gpg: Fix regression removing SHA256. * g10/misc.c (map_md_openpgp_to_gcry): Always use SHA256. -- Regression due to commit d33246700578cddd1cb8ed8164cfbba50aba4ef3 GnuPG-bug-id: 1733. diff --git a/configure.ac b/configure.ac index 46a0aad..be10791 100644 --- a/configure.ac +++ b/configure.ac @@ -259,7 +259,7 @@ GNUPG_GPG_DISABLE_ALGO([camellia192],[CAMELLIA192 cipher]) GNUPG_GPG_DISABLE_ALGO([camellia256],[CAMELLIA256 cipher]) GNUPG_GPG_DISABLE_ALGO([md5],[MD5 hash]) -# SHA1 is a MUSt algorithm +# SHA1 is a MUST algorithm GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash]) GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash]) # SHA256 is a MUST algorithm for GnuPG. diff --git a/g10/misc.c b/g10/misc.c index 76faa49..320e8af 100644 --- a/g10/misc.c +++ b/g10/misc.c 
@@ -686,11 +686,7 @@ map_md_openpgp_to_gcry (digest_algo_t algo) case DIGEST_ALGO_SHA224: return 0; #endif -#ifdef GPG_USE_SHA256 case DIGEST_ALGO_SHA256: return GCRY_MD_SHA256; -#else - case DIGEST_ALGO_SHA256: return 0; -#endif #ifdef GPG_USE_SHA384 case DIGEST_ALGO_SHA384: return GCRY_MD_SHA384; ----------------------------------------------------------------------- Summary of changes: configure.ac | 2 +- g10/misc.c | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 3 08:25:14 2014 
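Review bot: The now unconditional `case DIGEST_ALGO_SHA256:` in map_md_openpgp_to_gcry sits between `#ifdef`-guarded neighbours with nothing on the line saying why it differs, which is how the regression fixed here could come back. A comment next to it, for example `/* SHA256 is a MUST algorithm for GnuPG; never guard it with GPG_USE_SHA256. */`, would record the intent where the next editor will see it. The function starts and ends outside the hunk, so whether other uses of GPG_USE_SHA256 remain cannot be judged from here.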
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 03 Oct 2014 08:25:14 +0200 Subject: [git] GPG-ERROR - branch, master, updated. libgpg-error-1.16-13-g12b5188 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Error codes used by GnuPG et al.". The branch, master has been updated via 12b5188bd495e45775c34c8e6263e6be177c03da (commit) from e8b04bed1093a9f1d87c150326e79adfeb02e2b4 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 12b5188bd495e45775c34c8e6263e6be177c03da Author: Werner Koch Date: Fri Oct 3 08:22:53 2014 +0200 Change gpgrt_pending{,_unlocked} to macros. * src/gpg-error.h.in (gpgrt_pending): Change to a macro. (gpgrt_pending_unlocked): Change to a macro. (_gpgrt_pending, _gpgrt_pending_unlocked): New private functions. * src/visibility.c, src/visibility.h: Change accordingly. * src/gpg-error.vers, src/gpg-error.def.in: Ditto. * src/estream.c (_gpgrt_pending_unlocked): Rename to _gpgrt__pending_unlocked. (_gpgrt_pending): Rename to _gpgrt__pending. -- The function are supposed to be used with gprt_getc and thus we need to avoid the function call overhead. We may want to change them to inline functions, though. gpgrt_pending is changed to a macro with the idea that we eventually can export the samestream flags and thus avoid the function call overhead in the samethread case too. diff --git a/src/estream.c b/src/estream.c index a17950e..42609ee 100644 --- a/src/estream.c +++ b/src/estream.c @@ -3471,7 +3471,7 @@ _gpgrt_syshd (estream_t stream, es_syshd_t *syshd) int -_gpgrt_pending_unlocked (estream_t stream) +_gpgrt__pending_unlocked (estream_t stream) { return check_pending (stream); } 
@@ -3486,12 +3486,12 @@ _gpgrt_pending_unlocked (estream_t stream) are pending the function is expected to return -1 in this case and thus deviates from the standard behavior of read(2). */ int -_gpgrt_pending (estream_t stream) +_gpgrt__pending (estream_t stream) { int ret; lock_stream (stream); - ret = _gpgrt_pending_unlocked (stream); + ret = _gpgrt__pending_unlocked (stream); unlock_stream (stream); return ret; diff --git a/src/gpg-error.def.in b/src/gpg-error.def.in index f17522e..cba973d 100644 --- a/src/gpg-error.def.in +++ b/src/gpg-error.def.in @@ -137,7 +137,7 @@ EXPORTS gpg_err_deinit @102 gpgrt_set_alloc_func @103 - gpgrt_pending @104 - gpgrt_pending_unlocked @105 + _gpgrt_pending @104 + _gpgrt_pending_unlocked @105 ;; end of file with public symbols for Windows. diff --git a/src/gpg-error.h.in b/src/gpg-error.h.in index 6ac6e0a..7099b43 100644 --- a/src/gpg-error.h.in +++ b/src/gpg-error.h.in @@ -496,8 +496,17 @@ int gpgrt_ferror (gpgrt_stream_t stream); int gpgrt_ferror_unlocked (gpgrt_stream_t stream); void gpgrt_clearerr (gpgrt_stream_t stream); void gpgrt_clearerr_unlocked (gpgrt_stream_t stream); -int gpgrt_pending (gpgrt_stream_t stream); -int gpgrt_pending_unlocked (gpgrt_stream_t stream); + +int _gpgrt_pending (gpgrt_stream_t stream); /* (private) */ +int _gpgrt_pending_unlocked (gpgrt_stream_t stream); /* (private) */ + +#define gpgrt_pending(stream) _gpgrt_pending (stream) + +#define gpgrt_pending_unlocked(stream) \ + (((!(stream)->flags.writing) \ + && (((stream)->data_offset < (stream)->data_len) \ + || ((stream)->unread_data_len))) \ + ? 1 : _gpgrt_pending_unlocked ((stream))) int gpgrt_fflush (gpgrt_stream_t stream); int gpgrt_fseek (gpgrt_stream_t stream, long int offset, int whence); 
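Review bot: The new `gpgrt_pending_unlocked` macro in src/gpg-error.h.in expands `stream` up to five times, so an argument with side effects is evaluated repeatedly, which the former function did not do. It also reads `flags.writing`, `data_offset`, `data_len` and `unread_data_len` directly, so those fields become part of what callers are compiled against. A comment above the macro should state both, for example `/* Note: STREAM is evaluated more than once. */`. The matching change in gpg-error.def.in replaces the exported `gpgrt_pending` names with the underscored ones; if any release already shipped the old symbols, binaries linked against it would no longer resolve them, which is worth confirming before the next release.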
@@ -509,8 +518,8 @@ void gpgrt_rewind (gpgrt_stream_t stream); int gpgrt_fgetc (gpgrt_stream_t stream); int gpgrt_fputc (int c, gpgrt_stream_t stream); -int _gpgrt_getc_underflow (gpgrt_stream_t stream); -int _gpgrt_putc_overflow (int c, gpgrt_stream_t stream); +int _gpgrt_getc_underflow (gpgrt_stream_t stream); /* (private) */ +int _gpgrt_putc_overflow (int c, gpgrt_stream_t stream); /* (private) */ #define gpgrt_getc_unlocked(stream) \ (((!(stream)->flags.writing) \ diff --git a/src/gpg-error.vers b/src/gpg-error.vers index c0e599a..758e549 100644 --- a/src/gpg-error.vers +++ b/src/gpg-error.vers @@ -64,8 +64,8 @@ GPG_ERROR_1.0 { gpgrt_flockfile; gpgrt_ftrylockfile; gpgrt_funlockfile; - gpgrt_pending; - gpgrt_pending_unlocked; + _gpgrt_pending; + _gpgrt_pending_unlocked; gpgrt_feof; gpgrt_feof_unlocked; gpgrt_ferror; diff --git a/src/gpgrt-int.h b/src/gpgrt-int.h index 8907835..bc2db8b 100644 --- a/src/gpgrt-int.h +++ b/src/gpgrt-int.h @@ -102,8 +102,8 @@ int _gpgrt_ferror (gpgrt_stream_t stream); int _gpgrt_ferror_unlocked (gpgrt_stream_t stream); void _gpgrt_clearerr (gpgrt_stream_t stream); void _gpgrt_clearerr_unlocked (gpgrt_stream_t stream); -int _gpgrt_pending (gpgrt_stream_t stream); -int _gpgrt_pending_unlocked (gpgrt_stream_t stream); +int _gpgrt__pending (gpgrt_stream_t stream); +int _gpgrt__pending_unlocked (gpgrt_stream_t stream); int _gpgrt_fflush (gpgrt_stream_t stream); int _gpgrt_fseek (gpgrt_stream_t stream, long int offset, int whence); diff --git a/src/visibility.c b/src/visibility.c index f26f58c..9213ce9 100644 --- a/src/visibility.c +++ b/src/visibility.c @@ -298,15 +298,15 @@ gpgrt_funlockfile (estream_t stream) } int -gpgrt_pending (estream_t stream) +_gpgrt_pending (estream_t stream) { - return _gpgrt_pending (stream); + return _gpgrt__pending (stream); } int -gpgrt_pending_unlocked (estream_t stream) +_gpgrt_pending_unlocked (estream_t stream) { - return _gpgrt_pending_unlocked (stream); + return _gpgrt__pending_unlocked (stream); } int 
diff --git a/src/visibility.h b/src/visibility.h index 35878d7..6f7de84 100644 --- a/src/visibility.h +++ b/src/visibility.h @@ -87,8 +87,8 @@ MARK_VISIBLE (_gpgrt_get_std_stream) MARK_VISIBLE (gpgrt_flockfile) MARK_VISIBLE (gpgrt_ftrylockfile) MARK_VISIBLE (gpgrt_funlockfile) -MARK_VISIBLE (gpgrt_pending) -MARK_VISIBLE (gpgrt_pending_unlocked) +MARK_VISIBLE (_gpgrt_pending) +MARK_VISIBLE (_gpgrt_pending_unlocked) MARK_VISIBLE (gpgrt_feof) MARK_VISIBLE (gpgrt_feof_unlocked) MARK_VISIBLE (gpgrt_ferror) @@ -192,8 +192,8 @@ MARK_VISIBLE (gpgrt_set_alloc_func) #define gpgrt_flockfile _gpgrt_USE_UNDERSCORED_FUNCTION #define gpgrt_ftrylockfile _gpgrt_USE_UNDERSCORED_FUNCTION #define gpgrt_funlockfile _gpgrt_USE_UNDERSCORED_FUNCTION -#define gpgrt_pending _gpgrt_USE_UNDERSCORED_FUNCTION -#define gpgrt_pending_unlocked _gpgrt_USE_UNDERSCORED_FUNCTION +#define _gpgrt_pending _gpgrt_USE_UNDERSCORED_FUNCTION +#define _gpgrt_pending_unlocked _gpgrt_USE_UNDERSCORED_FUNCTION #define gpgrt_feof _gpgrt_USE_UNDERSCORED_FUNCTION #define gpgrt_feof_unlocked _gpgrt_USE_UNDERSCORED_FUNCTION #define gpgrt_ferror _gpgrt_USE_UNDERSCORED_FUNCTION ----------------------------------------------------------------------- Summary of changes: src/estream.c | 6 +++--- src/gpg-error.def.in | 4 ++-- src/gpg-error.h.in | 17 +++++++++++++---- src/gpg-error.vers | 4 ++-- src/gpgrt-int.h | 4 ++-- src/visibility.c | 8 ++++---- src/visibility.h | 8 ++++---- 7 files changed, 30 insertions(+), 21 deletions(-) hooks/post-receive -- Error codes used by GnuPG et al. http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 3 13:06:20 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 03 Oct 2014 13:06:20 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta834-27-gade531a Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via ade531acac5041b8346581fe323f36b9dcfee502 (commit) via 6522a68d8d11e15ee77102e6830f251c2d9f440d (commit) via a6fcdbc9e0fc0e45a3badc23813e689e83059b61 (commit) via 09a8f75f303388ebc77fc9b4f8b70431af2f6902 (commit) via b15d5d42adf31c0797797ebe19c471ab6f52c668 (commit) via 9c380384dafb213334f8834178c5ceb0bf33db6e (commit) from 688a903b4b3ad348c0d09e9d3fab8a12f4f94311 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit ade531acac5041b8346581fe323f36b9dcfee502 Author: Werner Koch Date: Fri Oct 3 13:02:06 2014 +0200 Some doc fixes and a fix for "make distcheck". -- diff --git a/README b/README index 94c0756..ad52077 100644 --- a/README +++ b/README 
@@ -2,28 +2,39 @@ ========================= Version 2.1 - THIS IS A DEVELOPMENT VERSION AND NOT INTENDED FOR REGULAR USE. - Copyright 1997-1998, 2013-2014 Werner Koch Copyright 1998-2013 Free Software Foundation, Inc. * INTRODUCTION - GnuPG is a tool for secure communication and data storage. It can - be used to encrypt data and to create digital signatures. It - includes an advanced key management facility and is compliant with - the proposed OpenPGP Internet standard as described in RFC4880 and - the S/MIME standard as described by several RFCs. + GnuPG is a complete and free implementation of the OpenPGP standard + as defined by RFC4880 (also known as PGP). GnuPG allows to encrypt + and sign data and communication, features a versatile key management + system as well as access modules for public key directories. + + GnuPG, also known as GPG, is a command line tool with features for + easy integration with other applications. A wealth of frontend + applications and libraries making use of GnuPG are available. Since + version 2 GnuPG provides support for S/MIME and Secure Shell in + addition to OpenPGP. + + GnuPG is Free Software (meaning that it respects your freedom). It + can be freely used, modified and distributed under the terms of the + GNU General Public License. + + We are currently maintaining three branches of GnuPG: + + - 2.1 (i.e. this release) is the latest development with a lot of + new features. - GnuPG is distributed under the terms of the GNU General Public - License. See the file COPYING for details. GnuPG works best on - GNU/Linux or *BSD systems. Most other Unices are also supported but - are not as well tested as the Free Unices. + - 2.0 is the current stable version for general use. - GnuPG-2 is the stable version of GnuPG integrating support for - OpenPGP and S/MIME. It does not conflict with an installed 1.4 - OpenPGP-only version. + - 1.4 is the old standalone version which is most suitable for older + or embedded platforms. 
+ + You may not install 2.1 and 2.0 at the same time. However, it is + possible to install 1.4 along with any of the 2.x versions. * BUILD INSTRUCTIONS @@ -115,22 +126,15 @@ exists and copies them to the new store. The old secring.gpg is kept for use by older versions of gpg. - GPG's smartcard commands --card-edit and --card-status as well as some - of the card related sub-commands of --edit-key are not yet fully - supported. However, signing and decryption with a smartcard does - work. - - Note that gpg-agent now uses a fixed socket by default. All tools - will start the gpg-agent as needed. In general there is no more - need to set the GPG_AGENT_INFO environment variable. The - SSH_AUTH_SOCK environment variable should be set to a fixed value. + Note that gpg-agent now uses a fixed socket. All tools will start + the gpg-agent as needed. The formerly used environment variable + GPG_AGENT_INFO is ignored by 2.1. The SSH_AUTH_SOCK environment + variable should be set to a fixed value. The Dirmngr is now part of GnuPG proper and also used to access - OpenPGP keyservers. The directroy layout of Dirmngr changed to make + OpenPGP keyservers. The directory layout of Dirmngr changed to make use of the GnuPG directories. Dirmngr is started by gpg or gpgsm as - needed needed. There is no more need to install a separate dirmngr - package. - + needed. There is no more need to install a separate Dirmngr package. * DOCUMENTATION 
@@ -203,10 +207,12 @@ Commercial grade support for GnuPG is available; for a listing of offers see https://www.gnupg.org/service.html . Maintaining and - improving GnuPG is costly. Since 2001, g10 Code GmbH, a German - company owned and headed by GnuPG's principal author Werner Koch, is - bearing the majority of these costs. To help them carry on this - work, they need your support. See https://gnupg.org/donate/ . + improving GnuPG requires a lot of time. Since 2001, g10 Code GmbH, + a German company owned and headed by GnuPG's principal author Werner + Koch, is bearing the majority of these costs. To keep GnuPG in a + healthy state, they need your support. + + Please consider to donate at https://gnupg.org/donate/ . # This file is Free Software; as a special exception the authors gives diff --git a/po/de.po b/po/de.po index d5db5df..d3bd5ff 100644 --- a/po/de.po +++ b/po/de.po @@ -4342,7 +4342,8 @@ msgstr "WARNUNG: \"%s%s\" ist eine veraltete Option - sie hat keine Wirkung.\n" #, c-format msgid "%s:%u: \"%s\" is obsolete in this file - it only has effect in %s\n" -msgstr "%s:%u: Die Option \"%s\" is veraltet - sie hat eine Wirkung nur in %s.\n" +msgstr "" +"%s:%u: Die Option \"%s\" is veraltet - sie hat eine Wirkung nur in %s.\n" #, c-format msgid "" diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am index 17d1911..cc28027 100644 --- a/tests/openpgp/Makefile.am +++ b/tests/openpgp/Makefile.am 
@@ -76,8 +76,9 @@ EXTRA_DIST = defs.inc pinentry.sh $(TESTS) $(TEST_FILES) ChangeLog-2011 \ CLEANFILES = prepared.stamp x y yy z out err $(data_files) \ plain-1 plain-2 plain-3 trustdb.gpg *.lock .\#lk* \ *.test.log gpg_dearmor gpg.conf gpg-agent.conf S.gpg-agent \ - pubring.gpg secring.gpg pubring.pkr secring.skr \ - gnupg-test.stop pubring.gpg~ random_seed gpg-agent.log + pubring.gpg pubring.gpg~ pubring.kbx pubring.kbx~ \ + secring.gpg pubring.pkr secring.skr \ + gnupg-test.stop random_seed gpg-agent.log clean-local: -rm -rf private-keys-v1.d openpgp-revocs.d commit 6522a68d8d11e15ee77102e6830f251c2d9f440d Author: Werner Koch Date: Fri Oct 3 12:35:22 2014 +0200 build: Add configure options --disable-{ntb,gnu}tls. * configure.ac: Add --disable-ntbtls and --disable-gnutls. diff --git a/configure.ac b/configure.ac index 9e1dd89..28268f1 100644 --- a/configure.ac +++ b/configure.ac @@ -93,6 +93,7 @@ have_libgcrypt=no have_libassuan=no have_ksba=no have_ntbtls=no +have_gnutls=no have_npth=no have_libusb=no have_adns=no 
@@ -829,16 +830,27 @@ fi # NTBTLS is our TLS library. If it is not available fallback to # GNUTLS. # -AM_PATH_NTBTLS("$NEED_NTBTLS_API:$NEED_NTBTLS_VERSION", - [have_ntbtls=yes],[have_ntbtls=no]) - +AC_ARG_ENABLE(ntbtls, + AC_HELP_STRING([--disable-ntbtls], + [disable the use of NTBTLS as TLS library]), + try_ntbtls=$enableval, try_ntbtls=yes) +if test x"$try_ntbtls" = xyes ; then + AM_PATH_NTBTLS("$NEED_NTBTLS_API:$NEED_NTBTLS_VERSION", + [have_ntbtls=yes],[have_ntbtls=no]) +fi if test "$have_ntbtls" = yes ; then use_tls_library=ntbtls AC_DEFINE(HTTP_USE_NTBTLS, 1, [Enable NTBTLS support in http.c]) else - PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $NEED_GNUTLS_VERSION], - [have_gnutls=yes], - [have_gnutls=no]) + AC_ARG_ENABLE(gnutls, + AC_HELP_STRING([--disable-gnutls], + [disable GNUTLS as fallback TLS library]), + try_gnutls=$enableval, try_gnutls=yes) + if test x"$try_gnutls" = xyes ; then + PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= $NEED_GNUTLS_VERSION], + [have_gnutls=yes], + [have_gnutls=no]) + fi if test "$have_gnutls" = "yes"; then AC_SUBST([LIBGNUTLS_CFLAGS]) AC_SUBST([LIBGNUTLS_LIBS]) commit a6fcdbc9e0fc0e45a3badc23813e689e83059b61 Author: Andre Heinecke Date: Fri Sep 19 19:38:13 2014 +0200 gpg: Check gpg-agent version before 2.1 migration. * g10/call-agent.c, g10/call-agent.h (agent_get_version): New. * g10/migrate.c (migrate_secring): Abort migration if agent_get_version returns not at least 2.1.0 -- GnuPG-bug-id: 1718 On the first installation of GnuPG 2.1 it is likely that an old gpg-agent is still running in the environment. In that case the migration would fail. Signed-off-by: Andre Heinecke diff --git a/g10/call-agent.c b/g10/call-agent.c index 58f4a92..080df18 100644 --- a/g10/call-agent.c +++ b/g10/call-agent.c 
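Review bot: With `--disable-ntbtls --disable-gnutls` neither `have_ntbtls` nor `have_gnutls` becomes `yes`, and nothing in this configure.ac hunk tells the user that http.c is then configured without any TLS library. The code after `if test "$have_gnutls" = "yes"` continues outside the hunk, so this may already be reported there; if it is not, an `AC_MSG_WARN([no TLS library enabled - network access will not use TLS])` in the final else branch would make the result explicit. Note also that `test x"$try_ntbtls" = xyes` treats any value other than `yes` given to `--enable-ntbtls=` as a silent disable; the same holds for `try_gnutls`.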
@@ -2277,3 +2277,33 @@ agent_passwd (ctrl_t ctrl, const char *hexkeygrip, const char *desc, cache_nonce_status_cb, &cn_parm); return err; } + +/* Return the version reported by gpg-agent. */ +gpg_error_t +agent_get_version (ctrl_t ctrl, char **r_version) +{ + gpg_error_t err; + membuf_t data; + + err = start_agent (ctrl, 0); + if (err) + return err; + + init_membuf (&data, 64); + err = assuan_transact (agent_ctx, "GETINFO version", + membuf_data_cb, &data, + NULL, NULL, NULL, NULL); + if (err) + { + xfree (get_membuf (&data, NULL)); + *r_version = NULL; + } + else + { + put_membuf (&data, "", 1); + *r_version = get_membuf (&data, NULL); + if (!*r_version) + err = gpg_error_from_syserror (); + } + return err; +} diff --git a/g10/call-agent.h b/g10/call-agent.h index 1deb854..5b4cd09 100644 --- a/g10/call-agent.h +++ b/g10/call-agent.h @@ -192,6 +192,8 @@ gpg_error_t agent_delete_key (ctrl_t ctrl, const char *hexkeygrip, /* Change the passphrase of a key. */ gpg_error_t agent_passwd (ctrl_t ctrl, const char *hexkeygrip, const char *desc, char **cache_nonce_addr, char **passwd_nonce_addr); +/* Get the version reported by gpg-agent. */ +gpg_error_t agent_get_version (ctrl_t ctrl, char **r_version); #endif /*GNUPG_G10_CALL_AGENT_H*/ diff --git a/g10/migrate.c b/g10/migrate.c index 9a21cfe..5cb3512 100644 --- a/g10/migrate.c +++ b/g10/migrate.c @@ -29,6 +29,7 @@ #include "keydb.h" #include "util.h" #include "main.h" +#include "call-agent.h" #ifdef HAVE_DOSISH_SYSTEM @@ -46,6 +47,7 @@ migrate_secring (ctrl_t ctrl) dotlock_t lockhd = NULL; char *secring = NULL; char *flagfile = NULL; + char *agent_version = NULL; secring = make_filename (opt.homedir, "secring" EXTSEP_S "gpg", NULL); if (access (secring, F_OK)) 
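Review bot: agent_get_version in g10/call-agent.c leaves `*r_version` untouched when `start_agent` fails, while the two later error paths leave it NULL, so a caller that frees the pointer after an error depends on having initialised it itself. Setting `*r_version = NULL;` before the `start_agent` call makes all paths agree. The comment above the function and the prototype comment in call-agent.h should add that the caller must release the string with `xfree` and that it is NULL on error.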
@@ -72,6 +74,27 @@ migrate_secring (ctrl_t ctrl) goto leave; } + if (!agent_get_version (ctrl, &agent_version)) + { + if (!gnupg_compare_version (agent_version, "2.1.0")) + { + log_error ("error: GnuPG agent version \"%s\" is too old. ", + agent_version); + log_error ("Please install an updated GnuPG agent.\n"); + log_error ("migration aborted\n"); + xfree (agent_version); + goto leave; + } + xfree (agent_version); + } + else + { + log_error ("error: GnuPG agent unusable. " + "Please check that a GnuPG agent can be started.\n"); + log_error ("migration aborted\n"); + goto leave; + } + log_info ("porting secret keys from '%s' to gpg-agent\n", secring); if (!import_old_secring (ctrl, secring)) { commit 09a8f75f303388ebc77fc9b4f8b70431af2f6902 Author: Werner Koch Date: Fri Oct 3 12:13:25 2014 +0200 po: Auto update translations. -- diff --git a/po/fr.po b/po/fr.po index 11f724a..2ba5e46 100644 --- a/po/fr.po +++ b/po/fr.po @@ -333,9 +333,6 @@ msgstr "ne pas capturer le clavier et la souris" msgid "use a log file for the server" msgstr "utiliser un fichier journal pour le serveur" -msgid "use a standard location for the socket" -msgstr "utiliser un emplacement de socket standard" - msgid "|PGM|use PGM as the PIN-Entry program" msgstr "|PROG|utiliser PROG pour entrer le code personnel" @@ -373,9 +370,6 @@ msgstr "" msgid "enable putty support" msgstr "non pris en charge" -msgid "|FILE|write environment settings also to FILE" -msgstr "|FICHIER|?crire aussi les r?glages d'env. dans FICHIER" - # @EMAIL@ is currently an URL #. TRANSLATORS: @EMAIL@ will get replaced by the actual bug #. reporting address. This is so that we can change the 
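Review bot: In the g10/migrate.c hunk the error code returned by `agent_get_version` is only tested for zero and then dropped, so the "GnuPG agent unusable" message cannot distinguish an agent that failed to start from a failed `GETINFO version`. Keeping the value in a local `gpg_error_t`, `err = agent_get_version (ctrl, &agent_version);`, and adding `gpg_strerror (err)` to the message in the else branch would give the user something to act on. The "too old" message is split over two `log_error` calls, the first without a trailing newline; a single call with the whole text avoids depending on how log_error joins partial lines, which is not visible here. migrate_secring starts and ends outside the hunk.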
@@ -419,14 +413,6 @@ msgstr "lecture des options de ??%s??\n" msgid "NOTE: '%s' is not considered an option\n" msgstr "Remarque?: ??%s?? n'est pas consid?r? comme une option\n" -#, c-format -msgid "error creating '%s': %s\n" -msgstr "erreur de cr?ation de ??%s???: %s\n" - -#, c-format -msgid "can't create directory '%s': %s\n" -msgstr "impossible de cr?er le r?pertoire ??%s???: %s\n" - msgid "name of socket too long\n" msgstr "nom de socket trop long\n" @@ -459,6 +445,10 @@ msgid "listening on socket '%s'\n" msgstr "?coute sur la socket ??%s??\n" #, c-format +msgid "can't create directory '%s': %s\n" +msgstr "impossible de cr?er le r?pertoire ??%s???: %s\n" + +#, c-format msgid "directory '%s' created\n" msgstr "r?pertoire ??%s?? cr??\n" @@ -502,15 +492,6 @@ msgid "no gpg-agent running in this session\n" msgstr "" "aucune instance de gpg-agent n'est en cours d'ex?cution dans cette session\n" -#, fuzzy, c-format -#| msgid "malformed DIRMNGR_INFO environment variable\n" -msgid "malformed %s environment variable\n" -msgstr "la variable d'environnement DIRMNGR_INFO est mal d?finie\n" - -#, c-format -msgid "gpg-agent protocol version %d is not supported\n" -msgstr "le protocole gpg-agent version?%d n'est pas pris en charge\n" - msgid "Usage: gpg-preset-passphrase [options] KEYGRIP (-h for help)\n" msgstr "" "Utilisation?: gpg-preset-passphrase [options] KEYGRIP (-h pour l'aide)\n" @@ -833,10 +814,6 @@ msgstr "attente pour permettre ? l'agent d'arriver? (%d?s)\n" msgid "connection to agent established\n" msgstr "connexion ? l'agent ?tablie\n" -msgid "can't connect to the agent - trying fall back\n" -msgstr "" -"impossible de se connecter ? l'agent ? essai avec la solution de repli\n" - #, c-format msgid "no running Dirmngr - starting '%s'\n" msgstr "pas d'instance de Dirmngr en cours d'ex?cution ? d?marrage de ??%s??\n" 
@@ -1726,13 +1703,16 @@ msgstr "afficher les clefs et les empreintes" msgid "list secret keys" msgstr "afficher les clefs secr?tes" +msgid "generate a new key pair" +msgstr "g?n?rer une nouvelle paire de clefs" + #, fuzzy #| msgid "generate a new key pair" msgid "quickly generate a new key pair" msgstr "g?n?rer une nouvelle paire de clefs" -msgid "generate a new key pair" -msgstr "g?n?rer une nouvelle paire de clefs" +msgid "full featured key pair generation" +msgstr "" msgid "generate a revocation certificate" msgstr "g?n?rer un certificat de r?vocation" @@ -3667,9 +3647,9 @@ msgid " (%d) RSA (set your own capabilities)\n" msgstr " (%d) RSA (indiquez vous-m?me les capacit?s)\n" #, fuzzy, c-format -#| msgid " (%d) RSA\n" -msgid " (%d) ECC\n" -msgstr " (%d) RSA\n" +#| msgid " (%d) ECDSA and ECDH\n" +msgid " (%d) ECC and ECC\n" +msgstr " (%d) ECDSA et ECDH\n" #, fuzzy, c-format #| msgid " (%d) ECDSA (sign only)\n" @@ -3886,6 +3866,19 @@ msgstr "" "Changer le (N)om, le (C)ommentaire, l'(A)dresse ?lectronique\n" "ou (O)ui/(Q)uitter?? " +#, fuzzy +#| msgid "Change (N)ame, (C)omment, (E)mail or (Q)uit? " +msgid "Change (N)ame, (E)mail, or (Q)uit? " +msgstr "" +"Changer le (N)om, le (C)ommentaire, l'(A)dresse ?lectronique ou (Q)uitter?? " + +#, fuzzy +#| msgid "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? " +msgid "Change (N)ame, (E)mail, or (O)kay/(Q)uit? " +msgstr "" +"Changer le (N)om, le (C)ommentaire, l'(A)dresse ?lectronique\n" +"ou (O)ui/(Q)uitter?? " + msgid "Please correct the error first\n" msgstr "Veuillez d'abord corriger l'erreur\n" @@ -3962,6 +3955,10 @@ msgstr "Faut-il quand m?me utiliser cette clef?? (o/N) " msgid "creating anyway\n" msgstr "g?n?ration d'une nouvelle clef\n" +#, c-format +msgid "Note: Use \"%s %s\" for a full featured key generation dialog.\n" +msgstr "" + msgid "Key generation canceled.\n" msgstr "La g?n?ration de clef a ?t? annul?e.\n" 
@@ -4420,8 +4417,20 @@ msgstr "Attention?: ??%s?? est une commande d?conseill?e ? ne l'utilise msgid "%s:%u: obsolete option \"%s\" - it has no effect\n" msgstr "%s?: %u?: option ??%s?? obsol?te ? non prise en compte\n" -#, c-format -msgid "WARNING: \"%s\" is an obsolete option - it has no effect\n" +#, fuzzy, c-format +#| msgid "WARNING: \"%s\" is an obsolete option - it has no effect\n" +msgid "WARNING: \"%s%s\" is an obsolete option - it has no effect\n" +msgstr "Attention?: ??%s?? est une option obsol?te ? non prise en compte\n" + +#, fuzzy, c-format +#| msgid "%s:%u: obsolete option \"%s\" - it has no effect\n" +msgid "%s:%u: \"%s\" is obsolete in this file - it only has effect in %s\n" +msgstr "%s?: %u?: option ??%s?? obsol?te ? non prise en compte\n" + +#, fuzzy, c-format +#| msgid "WARNING: \"%s\" is an obsolete option - it has no effect\n" +msgid "" +"WARNING: \"%s%s\" is an obsolete option - it has no effect except on %s\n" msgstr "Attention?: ??%s?? est une option obsol?te ? non prise en compte\n" msgid "Uncompressed" @@ -4879,6 +4888,10 @@ msgstr "" "les donn?es ne sont pas enregistr?es?; utilisez l'option ??--output?? pour\n" "les enregistrer\n" +#, c-format +msgid "error creating '%s': %s\n" +msgstr "erreur de cr?ation de ??%s???: %s\n" + msgid "Detached signature.\n" msgstr "Signature d?tach?e.\n" @@ -7167,6 +7180,11 @@ msgstr "" "pas d'instance de dirmngr en cours d'ex?cution ?\n" "d?marrage d'une nouvelle instance\n" +#, fuzzy, c-format +#| msgid "malformed DIRMNGR_INFO environment variable\n" +msgid "malformed %s environment variable\n" +msgstr "la variable d'environnement DIRMNGR_INFO est mal d?finie\n" + #, c-format msgid "dirmngr protocol version %d is not supported\n" msgstr "le protocole dirmngr version?%d n'est pas pris en charge\n" 
@@ -8186,6 +8204,24 @@ msgstr "" "V?rifier une phrase de passe donn?e sur l'entr?e standard par rapport ? " "ficmotif\n" +#~ msgid "use a standard location for the socket" +#~ msgstr "utiliser un emplacement de socket standard" + +#~ msgid "|FILE|write environment settings also to FILE" +#~ msgstr "|FICHIER|?crire aussi les r?glages d'env. dans FICHIER" + +#~ msgid "gpg-agent protocol version %d is not supported\n" +#~ msgstr "le protocole gpg-agent version?%d n'est pas pris en charge\n" + +#~ msgid "can't connect to the agent - trying fall back\n" +#~ msgstr "" +#~ "impossible de se connecter ? l'agent ? essai avec la solution de repli\n" + +#, fuzzy +#~| msgid " (%d) RSA\n" +#~ msgid " (%d) ECC\n" +#~ msgstr " (%d) RSA\n" + #, fuzzy #~| msgid "can't create directory '%s': %s\n" #~ msgid "can't create directory `%s': %s\n" @@ -8305,9 +8341,6 @@ msgstr "" #~ msgid "deleting secret key not implemented\n" #~ msgstr "la suppression de clef secr?te n'est pas impl?ment?e\n" -#~ msgid " (%d) ECDSA and ECDH\n" -#~ msgstr " (%d) ECDSA et ECDH\n" - #~ msgid "10 translator see trustdb.c:uid_trust_string_fixed" #~ msgstr "11 le traducteur a bien lu ce qu'il fallait :)" diff --git a/po/ja.po b/po/ja.po index 73de77a..365365a 100644 --- a/po/ja.po +++ b/po/ja.po @@ -323,9 +323,6 @@ msgstr "???????????????" msgid "use a log file for the server" msgstr "??????????????" -msgid "use a standard location for the socket" -msgstr "?????????????" - msgid "|PGM|use PGM as the PIN-Entry program" msgstr "|PGM|PGM?PIN????????????" @@ -359,9 +356,6 @@ msgstr "ssh??????????" msgid "enable putty support" msgstr "putty??????????" -msgid "|FILE|write environment settings also to FILE" -msgstr "|FILE|FILE?????????????" - #. TRANSLATORS: @EMAIL@ will get replaced by the actual bug #. reporting address. This is so that we can change the #. reporting address without breaking the translations. 
@@ -402,14 +396,6 @@ msgstr "'%s' ??????????????\n" msgid "NOTE: '%s' is not considered an option\n" msgstr "*??*: '%s'???????????????\n" -#, c-format -msgid "error creating '%s': %s\n" -msgstr "'%s'??????: %s\n" - -#, c-format -msgid "can't create directory '%s': %s\n" -msgstr "??????'%s'????????: %s\n" - msgid "name of socket too long\n" msgstr "???????????\n" @@ -440,6 +426,10 @@ msgid "listening on socket '%s'\n" msgstr "????'%s'?listen\n" #, c-format +msgid "can't create directory '%s': %s\n" +msgstr "??????'%s'????????: %s\n" + +#, c-format msgid "directory '%s' created\n" msgstr "??????'%s'????????\n" @@ -482,14 +472,6 @@ msgstr "%s %s ??????\n" msgid "no gpg-agent running in this session\n" msgstr "????????gpg-agent??????????\n" -#, c-format -msgid "malformed %s environment variable\n" -msgstr "????%s?????????\n" - -#, c-format -msgid "gpg-agent protocol version %d is not supported\n" -msgstr "gpg-agent???????????%d????????????\n" - msgid "Usage: gpg-preset-passphrase [options] KEYGRIP (-h for help)\n" msgstr "???: gpg-preset-passphrase [?????] KEYGRIP (???? -h)\n" @@ -804,9 +786,6 @@ msgstr "agent???????%d?????\n" msgid "connection to agent established\n" msgstr "??????????????????\n" -msgid "can't connect to the agent - trying fall back\n" -msgstr "agent???????? - ????????????\n" - #, c-format msgid "no running Dirmngr - starting '%s'\n" msgstr "dirmngr???????? - ?????'%s'\n" @@ -1664,13 +1643,16 @@ msgstr "??????????????" msgid "list secret keys" msgstr "??????" +msgid "generate a new key pair" +msgstr "????????" + #, fuzzy #| msgid "generate a new key pair" msgid "quickly generate a new key pair" msgstr "????????" -msgid "generate a new key pair" -msgstr "????????" +msgid "full featured key pair generation" +msgstr "" msgid "generate a revocation certificate" msgstr "????????" 
@@ -3522,8 +3504,9 @@ msgstr " (%d) DSA (???????????)\n" msgid " (%d) RSA (set your own capabilities)\n" msgstr " (%d) RSA (???????????)\n" -#, c-format -msgid " (%d) ECC\n" +#, fuzzy, c-format +#| msgid " (%d) ECC\n" +msgid " (%d) ECC and ECC\n" msgstr " (%d) ECC\n" #, c-format @@ -3730,6 +3713,16 @@ msgstr "??(N)?????(C)??????(E)???????? msgid "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? " msgstr "??(N)?????(C)??????(E)???????OK(O)???(Q)? " +#, fuzzy +#| msgid "Change (N)ame, (C)omment, (E)mail or (Q)uit? " +msgid "Change (N)ame, (E)mail, or (Q)uit? " +msgstr "??(N)?????(C)??????(E)?????????(Q)? " + +#, fuzzy +#| msgid "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? " +msgid "Change (N)ame, (E)mail, or (O)kay/(Q)uit? " +msgstr "??(N)?????(C)??????(E)???????OK(O)???(Q)? " + msgid "Please correct the error first\n" msgstr "??????????????\n" @@ -3806,6 +3799,10 @@ msgstr "?????????????? (y/N) " msgid "creating anyway\n" msgstr "???????\n" +#, c-format +msgid "Note: Use \"%s %s\" for a full featured key generation dialog.\n" +msgstr "" + msgid "Key generation canceled.\n" msgstr "??????????????\n" 
@@ -4236,8 +4233,22 @@ msgid "%s:%u: obsolete option \"%s\" - it has no effect\n" msgstr "" "%s:%u: \"%s\"????????????????? - ???????????\n" -#, c-format -msgid "WARNING: \"%s\" is an obsolete option - it has no effect\n" +#, fuzzy, c-format +#| msgid "WARNING: \"%s\" is an obsolete option - it has no effect\n" +msgid "WARNING: \"%s%s\" is an obsolete option - it has no effect\n" +msgstr "" +"*??*: \"%s\"????????????????? - ???????????\n" + +#, fuzzy, c-format +#| msgid "%s:%u: obsolete option \"%s\" - it has no effect\n" +msgid "%s:%u: \"%s\" is obsolete in this file - it only has effect in %s\n" +msgstr "" +"%s:%u: \"%s\"????????????????? - ???????????\n" + +#, fuzzy, c-format +#| msgid "WARNING: \"%s\" is an obsolete option - it has no effect\n" +msgid "" +"WARNING: \"%s%s\" is an obsolete option - it has no effect except on %s\n" msgstr "" "*??*: \"%s\"????????????????? - ???????????\n" @@ -4639,6 +4650,10 @@ msgid "data not saved; use option \"--output\" to save it\n" msgstr "" "??????????????????\"--output\"?????????????\n" +#, c-format +msgid "error creating '%s': %s\n" +msgstr "'%s'??????: %s\n" + msgid "Detached signature.\n" msgstr "?????\n" @@ -6764,6 +6779,10 @@ msgid "no running dirmngr - starting one\n" msgstr "dirmngr???????? - ?????\n" #, c-format +msgid "malformed %s environment variable\n" +msgstr "????%s?????????\n" + +#, c-format msgid "dirmngr protocol version %d is not supported\n" msgstr "dirmngr???????????%d????????????\n" 
@@ -7744,6 +7763,18 @@ msgstr "" "??: gpg-check-pattern [?????] ????????\n" "????????????????????????????\n" +#~ msgid "use a standard location for the socket" +#~ msgstr "?????????????" + +#~ msgid "|FILE|write environment settings also to FILE" +#~ msgstr "|FILE|FILE?????????????" + +#~ msgid "gpg-agent protocol version %d is not supported\n" +#~ msgstr "gpg-agent???????????%d????????????\n" + +#~ msgid "can't connect to the agent - trying fall back\n" +#~ msgstr "agent???????? - ????????????\n" + #, fuzzy #~| msgid "can't create directory '%s': %s\n" #~ msgid "can't create directory `%s': %s\n" diff --git a/po/uk.po b/po/uk.po index 9a7090e..785fae5 100644 --- a/po/uk.po +++ b/po/uk.po @@ -333,9 +333,6 @@ msgstr "?? ??????????? ????????? ??????????? ? msgid "use a log file for the server" msgstr "??????????????? ???? ??????? ??? ???????" -msgid "use a standard location for the socket" -msgstr "??????????????? ??? ?????? ?????????? ????????????" - msgid "|PGM|use PGM as the PIN-Entry program" msgstr "??????????????? ??????? ???????? ??????????" @@ -369,9 +366,6 @@ msgstr "????????? ????????? ssh" msgid "enable putty support" msgstr "????????? ????????? putty" -msgid "|FILE|write environment settings also to FILE" -msgstr "???????? ????????? ?????????? ? ?? ?????" - #. TRANSLATORS: @EMAIL@ will get replaced by the actual bug #. reporting address. This is so that we can change the #. reporting address without breaking the translations. @@ -412,14 +406,6 @@ msgstr "????????? ????????? ? ?%s?\n" msgid "NOTE: '%s' is not considered an option\n" msgstr "??????????: %s ?? ?????????? ??? ?????????? ????????????!\n" -#, c-format -msgid "error creating '%s': %s\n" -msgstr "??????? ????????? ?%s?: %s.\n" - -#, c-format -msgid "can't create directory '%s': %s\n" -msgstr "?? ??????? ???????? ??????? ?%s?: %s\n" - msgid "name of socket too long\n" msgstr "????? ?????? ? ????? ??????\n" 
@@ -450,6 +436,10 @@ msgid "listening on socket '%s'\n" msgstr "?????????? ????? ?? ?????? ?%s?\n" #, c-format +msgid "can't create directory '%s': %s\n" +msgstr "?? ??????? ???????? ??????? ?%s?: %s\n" + +#, c-format msgid "directory '%s' created\n" msgstr "???????? ??????? ?%s?\n" @@ -494,14 +484,6 @@ msgstr "%s %s ????????\n" msgid "no gpg-agent running in this session\n" msgstr "? ????? ?????? ?? ???????? gpg-agent\n" -#, c-format -msgid "malformed %s environment variable\n" -msgstr "????????? ???????????? ??????? ?????????? %s\n" - -#, c-format -msgid "gpg-agent protocol version %d is not supported\n" -msgstr "????????? ?????? ????????? gpg-agent %d ?? ???????????\n" - msgid "Usage: gpg-preset-passphrase [options] KEYGRIP (-h for help)\n" msgstr "" "????????????: gpg-preset-passphrase [?????????] KEYGRIP (-h ? ???????)\n" @@ -826,10 +808,6 @@ msgstr "?????????? ?? ?????????????? ??????? ( msgid "connection to agent established\n" msgstr "??????????? ????????? ? ???????\n" -msgid "can't connect to the agent - trying fall back\n" -msgstr "" -"?? ??????? ?????????? ????????? ? ???????, ?????????????? ????????? ???????\n" - #, c-format msgid "no running Dirmngr - starting '%s'\n" msgstr "Dirmngr ?? ???????? ? ?????????? ?%s?\n" @@ -1705,13 +1683,16 @@ msgstr "???????? ?????? ?????? ? ?????????" msgid "list secret keys" msgstr "???????? ?????? ???????? ??????" +msgid "generate a new key pair" +msgstr "???????? ???? ??????" + #, fuzzy #| msgid "generate a new key pair" msgid "quickly generate a new key pair" msgstr "???????? ???? ??????" -msgid "generate a new key pair" -msgstr "???????? ???? ??????" +msgid "full featured key pair generation" +msgstr "" msgid "generate a revocation certificate" msgstr "???????? ?????????? ???????????" 
@@ -3636,9 +3617,10 @@ msgstr " (%d) DSA (?? ??????????? ??????????? ???? msgid " (%d) RSA (set your own capabilities)\n" msgstr " (%d) RSA (?? ??????????? ??????????? ?????????)\n" -#, c-format -msgid " (%d) ECC\n" -msgstr " (%d) ECC\n" +#, fuzzy, c-format +#| msgid " (%d) ECDSA and ECDH\n" +msgid " (%d) ECC and ECC\n" +msgstr " (%d) ECDSA ? ECDH\n" #, c-format msgid " (%d) ECC (sign only)\n" @@ -3849,6 +3831,17 @@ msgid "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? " msgstr "" "??????? ????? (N), ???????? (C), ??. ????? (E) ??? ?????? (O) ?? ????? (Q)? " +#, fuzzy +#| msgid "Change (N)ame, (C)omment, (E)mail or (Q)uit? " +msgid "Change (N)ame, (E)mail, or (Q)uit? " +msgstr "??????? ????? (N), ???????? (C), ??. ????? (E) ??? ????? (Q)? " + +#, fuzzy +#| msgid "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? " +msgid "Change (N)ame, (E)mail, or (O)kay/(Q)uit? " +msgstr "" +"??????? ????? (N), ???????? (C), ??. ????? (E) ??? ?????? (O) ?? ????? (Q)? " + msgid "Please correct the error first\n" msgstr "???????? ???????? ???????\n" @@ -3924,6 +3917,10 @@ msgstr "????? ??? ??????????????? ??? ????? (y/N msgid "creating anyway\n" msgstr "????????? ?????? ?????\n" +#, c-format +msgid "Note: Use \"%s %s\" for a full featured key generation dialog.\n" +msgstr "" + msgid "Key generation canceled.\n" msgstr "????????? ????? ?????????.\n" 
@@ -4373,8 +4370,20 @@ msgstr "?????: ?%s? ?????????? ?????????? ????? msgid "%s:%u: obsolete option \"%s\" - it has no effect\n" msgstr "%s:%u: ?????????? ???????? ?%s? ? ??? ?? ???????????\n" -#, c-format -msgid "WARNING: \"%s\" is an obsolete option - it has no effect\n" +#, fuzzy, c-format +#| msgid "WARNING: \"%s\" is an obsolete option - it has no effect\n" +msgid "WARNING: \"%s%s\" is an obsolete option - it has no effect\n" +msgstr "?????: ?%s? ? ?????????? ?????????? ? ??? ?? ???????????\n" + +#, fuzzy, c-format +#| msgid "%s:%u: obsolete option \"%s\" - it has no effect\n" +msgid "%s:%u: \"%s\" is obsolete in this file - it only has effect in %s\n" +msgstr "%s:%u: ?????????? ???????? ?%s? ? ??? ?? ???????????\n" + +#, fuzzy, c-format +#| msgid "WARNING: \"%s\" is an obsolete option - it has no effect\n" +msgid "" +"WARNING: \"%s%s\" is an obsolete option - it has no effect except on %s\n" msgstr "?????: ?%s? ? ?????????? ?????????? ? ??? ?? ???????????\n" msgid "Uncompressed" @@ -4788,6 +4797,10 @@ msgstr "" "???? ?? ?????????; ????????????? ??? ??????? ?????????? ?????????? ?--" "output?\n" +#, c-format +msgid "error creating '%s': %s\n" +msgstr "??????? ????????? ?%s?: %s.\n" + msgid "Detached signature.\n" msgstr "??????????? ??????.\n" @@ -6971,6 +6984,10 @@ msgid "no running dirmngr - starting one\n" msgstr "dirmngr ?? ???????? ? ??????????\n" #, c-format +msgid "malformed %s environment variable\n" +msgstr "????????? ???????????? ??????? ?????????? %s\n" + +#, c-format msgid "dirmngr protocol version %d is not supported\n" msgstr "????????? ????????? dirmngr ?????? %d ?? ???????????\n" 
@@ -7961,6 +7978,23 @@ msgstr "" "?????????: gpg-check-pattern [?????????] ????_????????\n" "?????????? ??????, ???????? ? stdin, ?? ????????? ?????_????????\n" +#~ msgid "use a standard location for the socket" +#~ msgstr "??????????????? ??? ?????? ?????????? ????????????" + +#~ msgid "|FILE|write environment settings also to FILE" +#~ msgstr "???????? ????????? ?????????? ? ?? ?????" + +#~ msgid "gpg-agent protocol version %d is not supported\n" +#~ msgstr "????????? ?????? ????????? gpg-agent %d ?? ???????????\n" + +#~ msgid "can't connect to the agent - trying fall back\n" +#~ msgstr "" +#~ "?? ??????? ?????????? ????????? ? ???????, ?????????????? ????????? " +#~ "???????\n" + +#~ msgid " (%d) ECC\n" +#~ msgstr " (%d) ECC\n" + #, fuzzy #~| msgid "can't create directory '%s': %s\n" #~ msgid "can't create directory `%s': %s\n" @@ -8073,9 +8107,6 @@ msgstr "" #~ msgid "too many entries in pk cache - disabled\n" #~ msgstr "??????? ?????? ??????? ? ???? pk ? ????????\n" -#~ msgid " (%d) ECDSA and ECDH\n" -#~ msgstr " (%d) ECDSA ? ECDH\n" - #~ msgid "the IDEA cipher plugin is not present\n" #~ msgstr "?? ???????? ??????? ?????????? IDEA\n" commit b15d5d42adf31c0797797ebe19c471ab6f52c668 Author: Werner Koch Date: Fri Oct 3 12:13:05 2014 +0200 po: Update German translation. diff --git a/po/de.po b/po/de.po index 8804b24..d5db5df 100644 --- a/po/de.po +++ b/po/de.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-2.1.0\n" "Report-Msgid-Bugs-To: translations at gnupg.org\n" -"PO-Revision-Date: 2014-08-14 17:12+0200\n" +"PO-Revision-Date: 2014-10-03 12:12+0200\n" "Last-Translator: Werner Koch \n" "Language-Team: German \n" "Language: de\n" 
@@ -318,9 +318,6 @@ msgstr "Tastatur und Maus nicht \"grabben\"" msgid "use a log file for the server" msgstr "Logausgaben in eine Datei umlenken" -msgid "use a standard location for the socket" -msgstr "Benutze einen Standardnamen f?r den Socket" - msgid "|PGM|use PGM as the PIN-Entry program" msgstr "|PGM|benutze PGM as PIN-Entry" @@ -354,9 +351,6 @@ msgstr "SSH Unterst?tzung einschalten" msgid "enable putty support" msgstr "PuTTY Unterst?tzung einschalten" -msgid "|FILE|write environment settings also to FILE" -msgstr "|DATEI|Schreibe die Umgebungsvariablen auf DATEI" - #. TRANSLATORS: @EMAIL@ will get replaced by the actual bug #. reporting address. This is so that we can change the #. reporting address without breaking the translations. @@ -399,14 +393,6 @@ msgstr "Optionen werden aus '%s' gelesen\n" msgid "NOTE: '%s' is not considered an option\n" msgstr "Hinweis: `%s' wird nicht als Option betrachtet\n" -#, c-format -msgid "error creating '%s': %s\n" -msgstr "Fehler beim Erstellen von `%s': %s\n" - -#, c-format -msgid "can't create directory '%s': %s\n" -msgstr "Verzeichnis `%s' kann nicht erzeugt werden: %s\n" - msgid "name of socket too long\n" msgstr "Der Name des Sockets ist zu lang\n" @@ -437,6 +423,10 @@ msgid "listening on socket '%s'\n" msgstr "Es wird auf Socket `%s' geh?rt\n" #, c-format +msgid "can't create directory '%s': %s\n" +msgstr "Verzeichnis `%s' kann nicht erzeugt werden: %s\n" + +#, c-format msgid "directory '%s' created\n" msgstr "Verzeichnis `%s' erzeugt\n" 
@@ -479,14 +469,6 @@ msgstr "%s %s angehalten\n" msgid "no gpg-agent running in this session\n" msgstr "Der gpg-agent l?uft nicht f?r diese Session\n" -#, c-format -msgid "malformed %s environment variable\n" -msgstr "Fehlerhafte %s Variable\n" - -#, c-format -msgid "gpg-agent protocol version %d is not supported\n" -msgstr "GPG-Agent-Protokoll-Version %d wird nicht unterst?tzt\n" - msgid "Usage: gpg-preset-passphrase [options] KEYGRIP (-h for help)\n" msgstr "Aufruf: gpg-preset-passphrase [Optionen] KEYGRIP (-h f?r Hilfe)\n" @@ -812,9 +794,6 @@ msgstr "Warte bis der gpg-agent bereit ist ... (%ds)\n" msgid "connection to agent established\n" msgstr "Verbindung zum gpg-agent aufgebaut\n" -msgid "can't connect to the agent - trying fall back\n" -msgstr "Verbindung zum gpg-agent nicht m?glich - Ersatzmethode wird versucht\n" - #, c-format msgid "no running Dirmngr - starting '%s'\n" msgstr "Kein aktiver Dirmngr - `%s' wird gestartet\n" @@ -1694,11 +1673,14 @@ msgstr "Liste der Schl?ssel und ihrer \"Fingerabdr?cke\"" msgid "list secret keys" msgstr "Liste der geheimen Schl?ssel" +msgid "generate a new key pair" +msgstr "Ein neues Schl?sselpaar erzeugen" + msgid "quickly generate a new key pair" msgstr "Schnell ein neues Schl?sselpaar erzeugen" -msgid "generate a new key pair" -msgstr "Ein neues Schl?sselpaar erzeugen" +msgid "full featured key pair generation" +msgstr "Ein neues Schl?sselpaar erzeugen (alle Optionen)" msgid "generate a revocation certificate" msgstr "Ein Schl?sselwiderruf-Zertifikat erzeugen" 
@@ -3266,12 +3248,10 @@ msgstr "" "dazu f?hren, da? eine andere User-ID als prim?r angesehen wird.\n" msgid "WARNING: Your encryption subkey expires soon.\n" -msgstr "" +msgstr "WARNUNG: Ihr Unterschl?ssel zum Verschl?sseln wird bald verfallen.\n" -#, fuzzy -#| msgid "You can't change the expiration date of a v3 key\n" msgid "You may want to change its expiration date too.\n" -msgstr "Sie k?nnen das Verfallsdatum eines v3-Schl?ssels nicht ?ndern\n" +msgstr "Bitte erw?gen Sie, dessen Verfallsdatum auch zu ?ndern.\n" msgid "" "WARNING: This is a PGP2-style key. Adding a photo ID may cause some " @@ -3618,8 +3598,8 @@ msgid " (%d) RSA (set your own capabilities)\n" msgstr " (%d) RSA (Leistungsf?higkeit selber einstellbar)\n" #, c-format -msgid " (%d) ECC\n" -msgstr " (%d) ECC\n" +msgid " (%d) ECC and ECC\n" +msgstr " (%d) ECC und ECC\n" #, c-format msgid " (%d) ECC (sign only)\n" @@ -3825,6 +3805,12 @@ msgstr "?ndern: (N)ame, (K)ommentar, (E)-Mail oder (A)bbrechen? " msgid "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? " msgstr "?ndern: (N)ame, (K)ommentar, (E)-Mail oder (F)ertig/(A)bbrechen? " +msgid "Change (N)ame, (E)mail, or (Q)uit? " +msgstr "?ndern: (N)ame, (E)-Mail oder (A)bbrechen? " + +msgid "Change (N)ame, (E)mail, or (O)kay/(Q)uit? " +msgstr "?ndern: (N)ame, (E)-Mail oder (F)ertig/(A)bbrechen? " + msgid "Please correct the error first\n" msgstr "Bitte beseitigen Sie zuerst den Fehler\n" @@ -3898,6 +3884,10 @@ msgstr "Trotzdem erzeugen? (j/N) " msgid "creating anyway\n" msgstr "wird trotzdem erzeugt\n" +#, c-format +msgid "Note: Use \"%s %s\" for a full featured key generation dialog.\n" +msgstr "Hinweis: \"%s %s\" ruft den erweiterten Dialog auf.\n" + msgid "Key generation canceled.\n" msgstr "Schl?sselerzeugung abgebrochen.\n" 
@@ -4347,8 +4337,19 @@ msgid "%s:%u: obsolete option \"%s\" - it has no effect\n" msgstr "%s:%u: Die Option \"%s\" is veraltet - sie hat keine Wirkung\n" #, c-format -msgid "WARNING: \"%s\" is an obsolete option - it has no effect\n" -msgstr "WARNUNG: \"%s\" ist eine veraltete Option - sie hat keine Wirkung.\n" +msgid "WARNING: \"%s%s\" is an obsolete option - it has no effect\n" +msgstr "WARNUNG: \"%s%s\" ist eine veraltete Option - sie hat keine Wirkung.\n" + +#, c-format +msgid "%s:%u: \"%s\" is obsolete in this file - it only has effect in %s\n" +msgstr "%s:%u: Die Option \"%s\" is veraltet - sie hat eine Wirkung nur in %s.\n" + +#, c-format +msgid "" +"WARNING: \"%s%s\" is an obsolete option - it has no effect except on %s\n" +msgstr "" +"WARNUNG: \"%s%s\" ist eine veraltete Option - sie hat eine Wirkung nur\n" +"in %s.\n" msgid "Uncompressed" msgstr "nicht komprimiert" @@ -4784,6 +4785,10 @@ msgid "data not saved; use option \"--output\" to save it\n" msgstr "" "Daten wurden nicht gespeichert; verwenden Sie daf?r die Option \"--output\"\n" +#, c-format +msgid "error creating '%s': %s\n" +msgstr "Fehler beim Erstellen von `%s': %s\n" + msgid "Detached signature.\n" msgstr "Abgetrennte Beglaubigungen.\n" @@ -7007,6 +7012,10 @@ msgid "no running dirmngr - starting one\n" msgstr "Dirmngr l?uft nicht - ein neuer wird gestartet\n" #, c-format +msgid "malformed %s environment variable\n" +msgstr "Fehlerhafte %s Variable\n" + +#, c-format msgid "dirmngr protocol version %d is not supported\n" msgstr "Dirmngr Protocol Version %d wird nicht unterst?tzt\n" 
@@ -7995,6 +8004,22 @@ msgstr "" "Syntax: gpg-check-pattern [optionen] Musterdatei\n" "Die von stdin gelesene Passphrase gegen die Musterdatei pr?fen\n" +#~ msgid "use a standard location for the socket" +#~ msgstr "Benutze einen Standardnamen f?r den Socket" + +#~ msgid "|FILE|write environment settings also to FILE" +#~ msgstr "|DATEI|Schreibe die Umgebungsvariablen auf DATEI" + +#~ msgid "gpg-agent protocol version %d is not supported\n" +#~ msgstr "GPG-Agent-Protokoll-Version %d wird nicht unterst?tzt\n" + +#~ msgid "can't connect to the agent - trying fall back\n" +#~ msgstr "" +#~ "Verbindung zum gpg-agent nicht m?glich - Ersatzmethode wird versucht\n" + +#~ msgid " (%d) ECC\n" +#~ msgstr " (%d) ECC\n" + #~ msgid "can't create directory `%s': %s\n" #~ msgstr " git describe --match gnupg-2.1.*[0-9] --long" 
@@ -8077,9 +8102,6 @@ msgstr "" #~ msgid "deleting secret key not implemented\n" #~ msgstr "L?schen des geheimen Schl?ssel ist nicht implementiert\n" -#~ msgid " (%d) ECDSA and ECDH\n" -#~ msgstr " (%d) ECDSA und ECDH\n" - #~ msgid "10 translator see trustdb.c:uid_trust_string_fixed" #~ msgstr "10" commit 9c380384dafb213334f8834178c5ceb0bf33db6e Author: Werner Koch Date: Fri Oct 3 11:58:58 2014 +0200 Remove support for the GPG_AGENT_INFO envvar. * agent/agent.h (opt): Remove field use_standard_socket. * agent/command.c (cmd_killagent): Always allow killing. * agent/gpg-agent.c (main): Turn --{no,}use-standard-socket and --write-env-file into dummy options. Always return true for --use-standard-socket-p. Do not print the GPG_AGENT_INFO envvar setting or set that envvar. (create_socket_name): Simplify by removing non standard socket support. (check_for_running_agent): Ditto. * common/asshelp.c (start_new_gpg_agent): Remove GPG_AGENT_INFO use. * common/simple-pwquery.c (agent_open): Ditto. * configure.ac (GPG_AGENT_INFO_NAME): Remove. * g10/server.c (gpg_server): Do not print the AgentInfo comment. * g13/server.c (g13_server): Ditto. * sm/server.c (gpgsm_server): Ditto. * tools/gpgconf.c (main): Simplify by removing non standard socket support. -- The indented fix to allow using a different socket than the one in the gnupg home directory is to change Libassuan to check whether the socket files exists as a regualr file with a special keyword to redirect to another socket file name. diff --git a/agent/agent.h b/agent/agent.h index a420bae..7342475 100644 --- a/agent/agent.h +++ b/agent/agent.h @@ -58,9 +58,6 @@ struct int batch; /* Batch mode */ const char *homedir; /* Configuration directory name */ - /* True if we are listening on the standard socket. */ - int use_standard_socket; - /* True if we handle sigusr2. */ int sigusr2_enabled; diff --git a/agent/command.c b/agent/command.c index e17232e..8c68498 100644 --- a/agent/command.c +++ b/agent/command.c 
@@ -2605,8 +2605,7 @@ cmd_updatestartuptty (assuan_context_t ctx, char *line) static const char hlp_killagent[] = "KILLAGENT\n" "\n" - "If the agent has been started using a standard socket\n" - "we allow a client to stop the agent."; + "Stop the agent."; static gpg_error_t cmd_killagent (assuan_context_t ctx, char *line) { @@ -2614,9 +2613,6 @@ cmd_killagent (assuan_context_t ctx, char *line) (void)line; - if (!opt.use_standard_socket) - return set_error (GPG_ERR_NOT_SUPPORTED, "no --use-standard-socket"); - ctrl->server_local->stopme = 1; assuan_set_flag (ctx, ASSUAN_FORCE_CLOSE, 1); return 0; diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c index 3febaf8..0c163e1 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -1,7 +1,7 @@ /* gpg-agent.c - The GnuPG Agent * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2009, * 2010 Free Software Foundation, Inc. - * Copyright (C) 2013 Werner Koch + * Copyright (C) 2013, 2014 Werner Koch * * This file is part of GnuPG. * @@ -152,9 +152,8 @@ static ARGPARSE_OPTS opts[] = { { oNoDetach, "no-detach" ,0, N_("do not detach from the console")}, { oNoGrab, "no-grab" ,0, N_("do not grab keyboard and mouse")}, { oLogFile, "log-file" ,2, N_("use a log file for the server")}, - { oUseStandardSocket, "use-standard-socket", 0, - N_("use a standard location for the socket")}, - { oNoUseStandardSocket, "no-use-standard-socket", 0, "@"}, + { oUseStandardSocket, "use-standard-socket", 0, "@"}, /* dummy */ + { oNoUseStandardSocket, "no-use-standard-socket", 0, "@"}, /* dummy */ { oPinentryProgram, "pinentry-program", 2 , N_("|PGM|use PGM as the PIN-Entry program") }, { oPinentryTouchFile, "pinentry-touch-file", 2 , "@" }, @@ -207,8 +206,7 @@ static ARGPARSE_OPTS opts[] = { "@" #endif }, - { oWriteEnvFile, "write-env-file", 2|8, - N_("|FILE|write environment settings also to FILE")}, + { oWriteEnvFile, "write-env-file", 2|8, "@" }, /* dummy */ {0} }; 
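Review bot: The new help text in `hlp_killagent` says only `Stop the agent.`, while the next hunk drops the `opt.use_standard_socket` guard, so in the lines shown `cmd_killagent` sets `stopme` and `ASSUAN_FORCE_CLOSE` for whichever client sends the command. I would say so in the help string, for example `"Stop the agent.  Every client connected to the agent socket may use this."`. A comment above the function should add that protection against unwanted shutdown then presumably rests on who can reach the socket file. The first lines of `cmd_killagent` fall between the two hunks and are not visible, so an earlier check there cannot be ruled out.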
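Review bot: `--use-standard-socket`, `--no-use-standard-socket` and `--write-env-file` become `"@"` dummy entries in `opts[]` and empty `case` arms in the option switch of `main` (hunks `-830,8` and `-853,12`), so they are now accepted without any message. A start-up script that still passes `--write-env-file` will find that no file is written, and a file left behind by an earlier run would presumably keep naming an old socket and pid. A one-line notice in each arm would make this visible, for instance `case oWriteEnvFile: log_info ("option \"%s\" is obsolete - it has no effect\n", "write-env-file"); break;`. The switch and `main` extend beyond these hunks.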
@@ -314,7 +312,7 @@ static int active_connections; Local prototypes. */ -static char *create_socket_name (char *standard_name, char *template); +static char *create_socket_name (char *standard_name); static gnupg_fd_t create_server_socket (char *name, int is_ssh, assuan_sock_nonce_t *nonce); static void create_directories (void); @@ -325,7 +323,7 @@ static void agent_deinit_default_ctrl (ctrl_t ctrl); static void handle_connections (gnupg_fd_t listen_fd, gnupg_fd_t listen_fd_ssh); static void check_own_socket (void); -static int check_for_running_agent (int silent, int mode); +static int check_for_running_agent (int silent); /* Pth wrapper function definitions. */ ASSUAN_SYSTEM_NPTH_IMPL; @@ -620,7 +618,6 @@ main (int argc, char **argv ) int debug_wait = 0; int gpgconf_list = 0; gpg_error_t err; - const char *env_file_name = NULL; struct assuan_malloc_hooks malloc_hooks; /* Before we do anything else we save the list of currently open @@ -670,9 +667,6 @@ main (int argc, char **argv ) /* Set default options. */ parse_rereadable_options (NULL, 0); /* Reset them to default values. */ -#ifdef USE_STANDARD_SOCKET - opt.use_standard_socket = 1; -#endif shell = getenv ("SHELL"); if (shell && strlen (shell) >= 3 && !strcmp (shell+strlen (shell)-3, "csh") ) @@ -830,8 +824,8 @@ main (int argc, char **argv ) case oXauthority: default_xauthority = xstrdup (pargs.r.ret_str); break; - case oUseStandardSocket: opt.use_standard_socket = 1; break; - case oNoUseStandardSocket: opt.use_standard_socket = 0; break; + case oUseStandardSocket: /* dummy */ break; + case oNoUseStandardSocket: /* dummy */ break; case oFakedSystemTime: { @@ -853,12 +847,7 @@ main (int argc, char **argv ) # endif break; - case oWriteEnvFile: - if (pargs.r_type) - env_file_name = pargs.r.ret_str; - else - env_file_name = make_filename ("~/.gpg-agent-info", NULL); - break; + case oWriteEnvFile: /* dummy */ break; default : pargs.err = configfp? 1:2; break; } 
@@ -914,7 +903,7 @@ main (int argc, char **argv ) print the status directly to stderr. */ opt.debug = 0; set_debug (); - check_for_running_agent (0, 0); + check_for_running_agent (0); agent_exit (0); } @@ -945,9 +934,9 @@ main (int argc, char **argv ) if (gpgconf_list == 3) { - if (opt.use_standard_socket && !opt.quiet) - log_info ("configured to use the standard socket\n"); - agent_exit (!opt.use_standard_socket); + /* We now use the standard socket always - return true for + backward compatibility. */ + agent_exit (0); } else if (gpgconf_list == 2) agent_exit (0); @@ -1077,14 +1066,11 @@ main (int argc, char **argv ) /* Create the sockets. */ - socket_name = create_socket_name - (GPG_AGENT_SOCK_NAME, "gpg-XXXXXX/"GPG_AGENT_SOCK_NAME); - + socket_name = create_socket_name (GPG_AGENT_SOCK_NAME); fd = create_server_socket (socket_name, 0, &socket_nonce); if (opt.ssh_support) { - socket_name_ssh = create_socket_name - (GPG_AGENT_SSH_SOCK_NAME, "gpg-XXXXXX/"GPG_AGENT_SSH_SOCK_NAME); + socket_name_ssh = create_socket_name (GPG_AGENT_SSH_SOCK_NAME); fd_ssh = create_server_socket (socket_name_ssh, 1, &socket_nonce_ssh); } else @@ -1100,10 +1086,7 @@ main (int argc, char **argv ) #ifdef HAVE_W32_SYSTEM (void)csh_style; (void)nodetach; - (void)env_file_name; pid = getpid (); - es_printf ("set %s=%s;%lu;1\n", - GPG_AGENT_INFO_NAME, socket_name, (ulong)pid); #else /*!HAVE_W32_SYSTEM*/ pid = fork (); if (pid == (pid_t)-1) @@ -1113,7 +1096,7 @@ main (int argc, char **argv ) } else if (pid) { /* We are the parent */ - char *infostr, *infostr_ssh_sock, *infostr_ssh_valid; + char *infostr_ssh_sock, *infostr_ssh_valid; /* Close the socket FD. */ close (fd); 
@@ -1133,14 +1116,7 @@ main (int argc, char **argv ) log_info ("no saved signal mask\n"); #endif /*HAVE_SIGPROCMASK*/ - /* Create the info string: :: */ - if (asprintf (&infostr, "%s=%s:%lu:1", - GPG_AGENT_INFO_NAME, socket_name, (ulong)pid ) < 0) - { - log_error ("out of core\n"); - kill (pid, SIGTERM); - exit (1); - } + /* Create the SSH info string if enabled. */ if (opt.ssh_support) { if (asprintf (&infostr_ssh_sock, "SSH_AUTH_SOCK=%s", @@ -1164,37 +1140,8 @@ main (int argc, char **argv ) if (opt.ssh_support) *socket_name_ssh = 0; - if (env_file_name) - { - estream_t fp; - - fp = es_fopen (env_file_name, "w,mode=-rw"); - if (!fp) - log_error (_("error creating '%s': %s\n"), - env_file_name, strerror (errno)); - else - { - es_fputs (infostr, fp); - es_putc ('\n', fp); - if (opt.ssh_support) - { - es_fputs (infostr_ssh_sock, fp); - es_putc ('\n', fp); - } - es_fclose (fp); - } - } - - if (argc) { /* Run the program given on the commandline. */ - if (putenv (infostr)) - { - log_error ("failed to set environment: %s\n", - strerror (errno) ); - kill (pid, SIGTERM ); - exit (1); - } if (opt.ssh_support && (putenv (infostr_ssh_sock) || putenv (infostr_ssh_valid))) { @@ -1222,8 +1169,6 @@ main (int argc, char **argv ) shell's eval to set it */ if (csh_style) { - *strchr (infostr, '=') = ' '; - es_printf ("setenv %s;\n", infostr); if (opt.ssh_support) { *strchr (infostr_ssh_sock, '=') = ' '; @@ -1232,14 +1177,12 @@ main (int argc, char **argv ) } else { - es_printf ( "%s; export %s;\n", infostr, GPG_AGENT_INFO_NAME); if (opt.ssh_support) { es_printf ("%s; export SSH_AUTH_SOCK;\n", infostr_ssh_sock); } } - xfree (infostr); if (opt.ssh_support) { xfree (infostr_ssh_sock); 
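Review bot: With the `infostr` lines removed, both arms of `if (csh_style) ... else ...` near the end of the parent branch hold nothing but an `if (opt.ssh_support)` block, and a third `if (opt.ssh_support)` follows around the `xfree` calls. Testing `opt.ssh_support` once and choosing the csh or sh output form inside it would read better and make it obvious that nothing is printed when ssh support is off. A short comment such as `/* Without ssh support there is nothing to print; GPG_AGENT_INFO is no longer set. */` would tell readers why callers that `eval` the output get no agent line any more. The parent branch begins and ends outside these hunks, and the csh print statement sits between two hunks, so it is not shown here.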
@@ -1496,45 +1439,18 @@ get_agent_scd_notify_event (void) -/* Create a name for the socket. With USE_STANDARD_SOCKET given as - true using STANDARD_NAME in the home directory or if given as - false from the mkdir type name TEMPLATE. In the latter case a - unique name in a unique new directory will be created. In both - cases check for valid characters as well as against a maximum - allowed length for a unix domain socket is done. The function - terminates the process in case of an error. Returns: Pointer to an - allocated string with the absolute name of the socket used. */ +/* Create a name for the socket in the home directory as using + STANDARD_NAME. We also check for valid characters as well as + against a maximum allowed length for a unix domain socket is done. + The function terminates the process in case of an error. Returns: + Pointer to an allocated string with the absolute name of the socket + used. */ static char * -create_socket_name (char *standard_name, char *template) +create_socket_name (char *standard_name) { - char *name, *p; - - if (opt.use_standard_socket) - name = make_filename (opt.homedir, standard_name, NULL); - else - { - /* Prepend the tmp directory to the template. */ - p = getenv ("TMPDIR"); - if (!p || !*p) - p = "/tmp"; - if (p[strlen (p) - 1] == '/') - name = xstrconcat (p, template, NULL); - else - name = xstrconcat (p, "/", template, NULL); - - p = strrchr (name, '/'); - if (!p) - BUG (); - *p = 0; - if (!mkdtemp (name)) - { - log_error (_("can't create directory '%s': %s\n"), - name, strerror (errno)); - agent_exit (2); - } - *p = '/'; - } + char *name; + name = make_filename (opt.homedir, standard_name, NULL); if (strchr (name, PATHSEP_C)) { log_error (("'%s' are not allowed in the socket name\n"), PATHSEP_S); 
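Review bot: The rewritten comment above `create_socket_name` is hard to parse ("in the home directory as using STANDARD_NAME", "We also check ... is done"). It also no longer says what protects the socket now that the `mkdtemp` branch, which placed it in a freshly created private directory, is gone. I would reword it to state that the name is STANDARD_NAME inside `opt.homedir`, that it is checked for `PATHSEP_C` and against the maximum length of a unix domain socket name, and that the process terminates on error. One more sentence should note that access to the socket now presumably depends on the permissions of the home directory, since nothing in the visible lines checks them. The remainder of the function body lies outside the hunk.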
@@ -1583,22 +1499,22 @@ create_server_socket (char *name, int is_ssh, assuan_sock_nonce_t *nonce) /* Our error code mapping on W32CE returns EEXIST thus we also test for this. */ - if (opt.use_standard_socket && rc == -1 + if (rc == -1 && (errno == EADDRINUSE #ifdef HAVE_W32_SYSTEM || errno == EEXIST #endif )) { - /* Check whether a gpg-agent is already running on the standard - socket. We do this test only if this is not the ssh socket. + /* Check whether a gpg-agent is already running. + We do this test only if this is not the ssh socket. For ssh we assume that a test for gpg-agent has already been done and reuse the requested ssh socket. Testing the ssh-socket is not possible because at this point, though we know the new Assuan socket, the Assuan server and thus the ssh-agent server is not yet operational. This would lead to a hang. */ - if (!is_ssh && !check_for_running_agent (1, 1)) + if (!is_ssh && !check_for_running_agent (1)) { log_set_prefix (NULL, JNLIB_LOG_WITH_PREFIX); log_set_file (NULL); @@ -1623,8 +1539,7 @@ create_server_socket (char *name, int is_ssh, assuan_sock_nonce_t *nonce) gpg_strerror (gpg_error_from_errno (errno))); assuan_sock_close (fd); - if (opt.use_standard_socket) - *name = 0; /* Inhibit removal of the socket by cleanup(). */ + *name = 0; /* Inhibit removal of the socket by cleanup(). */ agent_exit (2); } @@ -2429,9 +2344,6 @@ check_own_socket (void) if (disable_check_own_socket) return; - if (!opt.use_standard_socket) - return; /* This check makes only sense in standard socket mode. */ - if (check_own_socket_running || shutdown_pending) return; /* Still running or already shutting down. */ 
@@ -2452,73 +2364,25 @@ check_own_socket (void) /* Figure out whether an agent is available and running. Prints an - error if not. If SILENT is true, no messages are printed. Usually - started with MODE 0. Returns 0 if the agent is running. */ + error if not. If SILENT is true, no messages are printed. + Returns 0 if the agent is running. */ static int -check_for_running_agent (int silent, int mode) +check_for_running_agent (int silent) { - int rc; - char *infostr, *p; + gpg_error_t err; + char *sockname; assuan_context_t ctx = NULL; - int prot, pid; - - if (!mode) - { - infostr = getenv (GPG_AGENT_INFO_NAME); - if (!infostr || !*infostr) - { - if (!check_for_running_agent (silent, 1)) - return 0; /* Okay, its running on the standard socket. */ - if (!silent) - log_error (_("no gpg-agent running in this session\n")); - return -1; - } - infostr = xstrdup (infostr); - if ( !(p = strchr (infostr, PATHSEP_C)) || p == infostr) - { - xfree (infostr); - if (!check_for_running_agent (silent, 1)) - return 0; /* Okay, its running on the standard socket. */ - if (!silent) - log_error (_("malformed %s environment variable\n"), - GPG_AGENT_INFO_NAME); - return -1; - } - - *p++ = 0; - pid = atoi (p); - while (*p && *p != PATHSEP_C) - p++; - prot = *p? atoi (p+1) : 0; - if (prot != 1) - { - xfree (infostr); - if (!silent) - log_error (_("gpg-agent protocol version %d is not supported\n"), - prot); - if (!check_for_running_agent (silent, 1)) - return 0; /* Okay, its running on the standard socket. */ - return -1; - } - } - else /* MODE != 0 */ - { - infostr = make_filename (opt.homedir, GPG_AGENT_SOCK_NAME, NULL); - pid = (pid_t)(-1); - } + sockname = make_filename (opt.homedir, GPG_AGENT_SOCK_NAME, NULL); - rc = assuan_new (&ctx); - if (! 
rc) - rc = assuan_socket_connect (ctx, infostr, pid, 0); - xfree (infostr); - if (rc) + err = assuan_new (&ctx); + if (!err) + err = assuan_socket_connect (ctx, sockname, (pid_t)(-1), 0); + xfree (sockname); + if (err) { - if (!mode && !check_for_running_agent (silent, 1)) - return 0; /* Okay, its running on the standard socket. */ - - if (!mode && !silent) - log_error ("can't connect to the agent: %s\n", gpg_strerror (rc)); + if (!silent) + log_error (_("no gpg-agent running in this session\n")); if (ctx) assuan_release (ctx); diff --git a/common/asshelp.c b/common/asshelp.c index 5e3f663..e97d396 100644 --- a/common/asshelp.c +++ b/common/asshelp.c @@ -359,14 +359,11 @@ start_new_gpg_agent (assuan_context_t *r_ctx, gpg_error_t (*status_cb)(ctrl_t, int, ...), ctrl_t status_cb_arg) { - /* If we ever failed to connect via a socket we will force the use - of the pipe based server for the lifetime of the process. */ - static int force_pipe_server = 0; - - gpg_error_t err = 0; - char *infostr, *p; + gpg_error_t err; assuan_context_t ctx; int did_success_msg = 0; + char *sockname; + const char *argv[5]; *r_ctx = NULL; 
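Review bot: In the new check_for_running_agent every failure of assuan_new or assuan_socket_connect is reported as `no gpg-agent running in this session`, and the error value is dropped. A socket that exists but cannot be connected to then looks the same as no agent at all, which makes permission or stale-socket problems harder to diagnose. I would keep the reason in the message, as the removed code did: `log_error ("can't connect to the agent: %s\n", gpg_strerror (err));`. The tail of the function is outside the hunk.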
@@ -377,200 +374,96 @@ start_new_gpg_agent (assuan_context_t *r_ctx, return err; } - restart: - infostr = force_pipe_server? NULL : getenv (GPG_AGENT_INFO_NAME); - if (!infostr || !*infostr) + sockname = make_absfilename (homedir, GPG_AGENT_SOCK_NAME, NULL); + err = assuan_socket_connect (ctx, sockname, 0, 0); + if (err) { - char *sockname; - const char *argv[5]; - pid_t pid; - int excode; - - /* First check whether we can connect at the standard - socket. */ - sockname = make_absfilename (homedir, GPG_AGENT_SOCK_NAME, NULL); - err = assuan_socket_connect (ctx, sockname, 0, 0); + char *abs_homedir; + lock_spawn_t lock; - if (err) - { - char *abs_homedir; + /* With no success start a new server. */ + if (!agent_program || !*agent_program) + agent_program = gnupg_module_name (GNUPG_MODULE_NAME_AGENT); - /* With no success start a new server. */ - if (!agent_program || !*agent_program) - agent_program = gnupg_module_name (GNUPG_MODULE_NAME_AGENT); + if (verbose) + log_info (_("no running gpg-agent - starting '%s'\n"), + agent_program); - if (verbose) - log_info (_("no running gpg-agent - starting '%s'\n"), - agent_program); + if (status_cb) + status_cb (status_cb_arg, STATUS_PROGRESS, + "starting_agent ? 0 0", NULL); - if (status_cb) - status_cb (status_cb_arg, STATUS_PROGRESS, - "starting_agent ? 0 0", NULL); + /* We better pass an absolute home directory to the agent just + in case gpg-agent does not convert the passed name to an + absolute one (which it should do). */ + abs_homedir = make_absfilename_try (homedir, NULL); + if (!abs_homedir) + { + gpg_error_t tmperr = gpg_err_make (errsource, + gpg_err_code_from_syserror ()); + log_error ("error building filename: %s\n",gpg_strerror (tmperr)); + xfree (sockname); + assuan_release (ctx); + return tmperr; + } - /* We better pass an absolute home directory to the agent - just in casee gpg-agent does not convert the passed name - to an absolute one (which it should do). 
*/ - abs_homedir = make_absfilename_try (homedir, NULL); - if (!abs_homedir) - { - gpg_error_t tmperr = gpg_err_make (errsource, - gpg_err_code_from_syserror ()); - log_error ("error building filename: %s\n",gpg_strerror (tmperr)); - xfree (sockname); - assuan_release (ctx); - return tmperr; - } + if (fflush (NULL)) + { + gpg_error_t tmperr = gpg_err_make (errsource, + gpg_err_code_from_syserror ()); + log_error ("error flushing pending output: %s\n", + strerror (errno)); + xfree (sockname); + assuan_release (ctx); + xfree (abs_homedir); + return tmperr; + } - if (fflush (NULL)) - { - gpg_error_t tmperr = gpg_err_make (errsource, - gpg_err_code_from_syserror ()); - log_error ("error flushing pending output: %s\n", - strerror (errno)); - xfree (sockname); - assuan_release (ctx); - xfree (abs_homedir); - return tmperr; - } + /* If the agent has been configured for use with a standard + socket, an environment variable is not required and thus + we we can savely start the agent here. */ - argv[0] = "--homedir"; - argv[1] = abs_homedir; - argv[2] = "--use-standard-socket-p"; - argv[3] = NULL; - err = gnupg_spawn_process_fd (agent_program, argv, -1, -1, -1, &pid); + argv[0] = "--homedir"; + argv[1] = abs_homedir; + argv[2] = "--use-standard-socket"; + argv[3] = "--daemon"; + argv[4] = NULL; + + if (!(err = lock_spawning (&lock, homedir, "agent", verbose)) + && assuan_socket_connect (ctx, sockname, 0, 0)) + { + err = gnupg_spawn_process_detached (agent_program, argv,NULL); if (err) - log_debug ("starting '%s' for testing failed: %s\n", + log_error ("failed to start agent '%s': %s\n", agent_program, gpg_strerror (err)); - else if ((err = gnupg_wait_process (agent_program, pid, 1, &excode))) + else { - if (excode == -1) - log_debug ("running '%s' for testing failed (wait): %s\n", - agent_program, gpg_strerror (err)); - } - gnupg_release_process (pid); + int i; - if (!err && !excode) - { - /* If the agent has been configured for use with a - standard socket, an environment 
variable is not - required and thus we we can savely start the agent - here. */ - lock_spawn_t lock; - - argv[0] = "--homedir"; - argv[1] = abs_homedir; - argv[2] = "--use-standard-socket"; - argv[3] = "--daemon"; - argv[4] = NULL; - - if (!(err = lock_spawning (&lock, homedir, "agent", verbose)) - && assuan_socket_connect (ctx, sockname, 0, 0)) + for (i=0; i < SECS_TO_WAIT_FOR_AGENT; i++) { - err = gnupg_spawn_process_detached (agent_program, argv,NULL); - if (err) - log_error ("failed to start agent '%s': %s\n", - agent_program, gpg_strerror (err)); - else + if (verbose) + log_info (_("waiting for the agent to come up ... (%ds)\n"), + SECS_TO_WAIT_FOR_AGENT - i); + gnupg_sleep (1); + err = assuan_socket_connect (ctx, sockname, 0, 0); + if (!err) { - int i; - - for (i=0; i < SECS_TO_WAIT_FOR_AGENT; i++) + if (verbose) { - if (verbose) - log_info (_("waiting for the agent " - "to come up ... (%ds)\n"), - SECS_TO_WAIT_FOR_AGENT - i); - gnupg_sleep (1); - err = assuan_socket_connect (ctx, sockname, 0, 0); - if (!err) - { - if (verbose) - { - log_info (_("connection to agent " - "established\n")); - did_success_msg = 1; - } - break; - } + log_info (_("connection to agent established\n")); + did_success_msg = 1; } + break; } } - - unlock_spawning (&lock, "agent"); } - else - { - /* If using the standard socket is not the default we - start the agent as a pipe server which gives us most - of the required features except for passphrase - caching etc. */ - const char *pgmname; - assuan_fd_t no_close_list[3]; - int i; - - if ( !(pgmname = strrchr (agent_program, '/'))) - pgmname = agent_program; - else - pgmname++; - - argv[0] = pgmname; /* (Assuan expects a standard argv.) 
*/ - argv[1] = "--homedir"; - argv[2] = abs_homedir; - argv[3] = "--server"; - argv[4] = NULL; - - i=0; - if (log_get_fd () != -1) - no_close_list[i++] = assuan_fd_from_posix_fd (log_get_fd ()); - no_close_list[i++] = assuan_fd_from_posix_fd (fileno (stderr)); - no_close_list[i] = ASSUAN_INVALID_FD; - - /* Connect to the agent and perform initial handshaking. */ - err = assuan_pipe_connect (ctx, agent_program, argv, - no_close_list, NULL, NULL, 0); - } - xfree (abs_homedir); } - xfree (sockname); - } - else - { - int prot; - int pid; - infostr = xstrdup (infostr); - if ( !(p = strchr (infostr, PATHSEP_C)) || p == infostr) - { - log_error (_("malformed %s environment variable\n"), - GPG_AGENT_INFO_NAME); - xfree (infostr); - force_pipe_server = 1; - goto restart; - } - *p++ = 0; - pid = atoi (p); - while (*p && *p != PATHSEP_C) - p++; - prot = *p? atoi (p+1) : 0; - if (prot != 1) - { - log_error (_("gpg-agent protocol version %d is not supported\n"), - prot); - xfree (infostr); - force_pipe_server = 1; - goto restart; - } - - err = assuan_socket_connect (ctx, infostr, pid, 0); - xfree (infostr); - if (gpg_err_code (err) == GPG_ERR_ASS_CONNECT_FAILED) - { - log_info (_("can't connect to the agent - trying fall back\n")); - force_pipe_server = 1; - goto restart; - } + unlock_spawning (&lock, "agent"); + xfree (abs_homedir); } - + xfree (sockname); if (err) { log_error ("can't connect to the agent: %s\n", gpg_strerror (err)); @@ -582,11 +475,11 @@ start_new_gpg_agent (assuan_context_t *r_ctx, log_debug (_("connection to agent established\n")); err = assuan_transact (ctx, "RESET", - NULL, NULL, NULL, NULL, NULL, NULL); + NULL, NULL, NULL, NULL, NULL, NULL); if (!err) err = send_pinentry_environment (ctx, errsource, - opt_lc_ctype, opt_lc_messages, - session_env); + opt_lc_ctype, opt_lc_messages, + session_env); if (err) { assuan_release (ctx); diff --git a/common/exechelp-w32.c b/common/exechelp-w32.c index 7bcd79b..05e9e10 100644 --- a/common/exechelp-w32.c 
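Review bot: The comment kept above the argv setup in start_new_gpg_agent ("If the agent has been configured for use with a standard socket ... we we can savely start the agent here") describes a condition that no longer exists, because this hunk removes both the `--use-standard-socket-p` probe and the pipe-server fallback. It should state what holds now, e.g. `/* The agent always listens on the standard socket below HOMEDIR, so no environment variable is needed and we can safely start it here. */`. `argv[2] = "--use-standard-socket"` is still passed although the gpg-agent.texi change in this commit documents the option as having no effect; that is presumably harmless, but dropping it avoids relying on a no-op option. The function starts before this hunk.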
+++ b/common/exechelp-w32.c @@ -754,10 +754,7 @@ gnupg_spawn_process_detached (const char *pgmname, const char *argv[], char *cmdline; - /* FIXME: We don't make use of ENVP yet. It is currently only used - to pass the GPG_AGENT_INFO variable to gpg-agent. As the default - on windows is to use a standard socket, this does not really - matter. */ + /* We don't use ENVP. */ (void)envp; if (access (pgmname, X_OK)) diff --git a/common/simple-pwquery.c b/common/simple-pwquery.c index 7dcc057..0eff5c5 100644 --- a/common/simple-pwquery.c +++ b/common/simple-pwquery.c @@ -69,13 +69,12 @@ #endif -/* Name of the socket to be used if GPG_AGENT_INFO has not been - set. No default socket is used if this is NULL. */ +/* Name of the socket to be used. This is a kludge to keep on using + the existsing code despite that we only support a standard socket. */ static char *default_gpg_agent_info; - #ifndef HAVE_STPCPY @@ -324,14 +323,11 @@ agent_open (int *rfd) char *infostr, *p; struct sockaddr_un client_addr; size_t len; - int prot; char line[200]; int nread; *rfd = -1; - infostr = getenv (GPG_AGENT_INFO_NAME); - if ( !infostr || !*infostr ) - infostr = default_gpg_agent_info; + infostr = default_gpg_agent_info; if ( !infostr || !*infostr ) { #ifdef SPWQ_USE_LOGGING @@ -348,23 +344,12 @@ agent_open (int *rfd) if ( !(p = strchr ( infostr, PATHSEP_C)) || p == infostr || (p-infostr)+1 >= sizeof client_addr.sun_path ) { -#ifdef SPWQ_USE_LOGGING - log_error (_("malformed %s environment variable\n"), GPG_AGENT_INFO_NAME); -#endif return SPWQ_NO_AGENT; } *p++ = 0; while (*p && *p != PATHSEP_C) p++; - prot = *p? atoi (p+1) : 0; - if ( prot != 1) - { -#ifdef SPWQ_USE_LOGGING - log_error (_("gpg-agent protocol version %d is not supported\n"),prot); -#endif - return SPWQ_PROTOCOL_ERROR; - } #ifdef HAVE_W32_SYSTEM fd = _w32_sock_new (AF_UNIX, SOCK_STREAM, 0); diff --git a/configure.ac b/configure.ac index be10791..9e1dd89 100644 --- a/configure.ac +++ b/configure.ac 
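Review bot: The malformed-value branch in agent_open (common/simple-pwquery.c) now returns `SPWQ_NO_AGENT` with no log output, so a badly formed `default_gpg_agent_info` cannot be told apart from an agent that is not running. Keeping a diagnostic under `SPWQ_USE_LOGGING`, for example `log_error ("malformed agent socket specification\n");`, would preserve that distinction. With the protocol check removed, the remaining `while (*p && *p != PATHSEP_C) p++;` no longer feeds anything visible in the hunk and looks like dead code. The new comment on `default_gpg_agent_info` also has a typo ("existsing"). agent_open continues outside these hunks.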
@@ -104,7 +104,6 @@ use_exec=yes use_trust_models=yes card_support=yes use_ccid_driver=yes -use_standard_socket=yes dirmngr_auto_start=yes use_tls_library=no @@ -707,30 +706,6 @@ fi AM_CONDITIONAL(USE_LDAPWRAPPER, test "$use_ldapwrapper" = yes) -# -# Allows enabling the use of a standard socket by default This is -# gpg-agent's option --[no-]use-standard-socket. For Windows we force -# the use of this. -# -AC_MSG_CHECKING([whether to use a standard socket by default]) -AC_ARG_ENABLE(standard-socket, - AC_HELP_STRING([--disable-standard-socket], - [don't use a standard socket by default]), - use_standard_socket=$enableval) -tmp="" -if test "$use_standard_socket" != yes; then - if test "$have_w32_system" = yes; then - use_standard_socket=yes - tmp=" (forced)" - fi -fi -AC_MSG_RESULT($use_standard_socket$tmp) -if test "$use_standard_socket" = yes; then - AC_DEFINE(USE_STANDARD_SOCKET,1, - [Use the standard socket for the agent by default]) -fi - - # (These need to go after AC_PROG_CC so that $EXEEXT is defined) AC_DEFINE_UNQUOTED(EXEEXT,"$EXEEXT",[The executable file extension, if any]) @@ -1615,8 +1590,6 @@ AC_DEFINE_UNQUOTED(GPGCONF_DISP_NAME, "GPGConf", AC_DEFINE_UNQUOTED(GPGTAR_NAME, "gpgtar", [The name of the gpgtar tool]) -AC_DEFINE_UNQUOTED(GPG_AGENT_INFO_NAME, "GPG_AGENT_INFO", - [The name of the agent info envvar]) AC_DEFINE_UNQUOTED(GPG_AGENT_SOCK_NAME, "S.gpg-agent", [The name of the agent socket]) AC_DEFINE_UNQUOTED(GPG_AGENT_SSH_SOCK_NAME, "S.gpg-agent.ssh", @@ -1802,7 +1775,6 @@ echo " Default scdaemon: $show_gnupg_scdaemon_pgm Default dirmngr: $show_gnupg_dirmngr_pgm - Use standard socket: $use_standard_socket Dirmngr auto start: $dirmngr_auto_start Readline support: $gnupg_cv_have_readline DNS SRV support: $use_dns_srv diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index b42d353..7c21889 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi 
@@ -53,10 +53,10 @@ independently from any protocol. It is used as a backend for utilities. @ifset gpgtwoone -The agent is usualy started on demand by @command{gpg}, @command{gpgsm}, - at command{gpgconf} or @command{gpg-connect-agent}. Thus there is no -reason to start it manually. In case you want to use the included -Secure Shell Agent you may start the agent using: +The agent is automatically started on demand by @command{gpg}, + at command{gpgsm}, @command{gpgconf}, or @command{gpg-connect-agent}. +Thus there is no reason to start it manually. In case you want to use +the included Secure Shell Agent you may start the agent using: @example gpg-connect-agent /bye @@ -174,11 +174,15 @@ default mode is to create a socket and listen for commands there. @item --daemon [@var{command line}] @opindex daemon Start the gpg-agent as a daemon; that is, detach it from the console -and run it in the background. Because @command{gpg-agent} prints out +and run it in the background. + at ifclear gpgtwoone +Because @command{gpg-agent} prints out important information required for further use, a common way of invoking gpg-agent is: @code{eval $(gpg-agent --daemon)} to setup the environment variables. The option @option{--write-env-file} is -another way commonly used to do this. Yet another way is creating +another way commonly used to do this. + at end ifclear +Yet another way is creating a new process as a child of gpg-agent: @code{gpg-agent --daemon /bin/sh}. This way you get a new shell with the environment setup properly; if you exit from this shell, gpg-agent terminates as well. @@ -305,6 +309,7 @@ shell or the C-shell respectively. The default is to guess it based on the environment variable @code{SHELL} which is correct in almost all cases. + at ifclear gpgtwoone @item --write-env-file @var{file} @opindex write-env-file Often it is required to connect to the agent from a process not being an 
@@ -319,7 +324,7 @@ to be evaluated by a Bourne shell like in this simple example: eval $(cat @var{file}) eval $(cut -d= -f 1 < @var{file} | xargs echo export) @end example - + at end ifclear @item --no-grab @@ -466,6 +471,11 @@ debugging purposes. @itemx --no-use-standard-socket @opindex use-standard-socket @opindex no-use-standard-socket + at ifset gpgtwoone +Since GnuPG 2.1 the standard socket is always used. These options +have no more effect. + at end ifset + at ifclear gpgtwoone By enabling this option @command{gpg-agent} will listen on the socket named @file{S.gpg-agent}, located in the home directory, and not create a random socket below a temporary directory. Tools connecting to @@ -474,19 +484,16 @@ environment variable @var{GPG_AGENT_INFO} and then fall back to this socket. This option may not be used if the home directory is mounted on a remote file system which does not support special files like fifos or sockets. - at ifset gpgtwoone -Note, that @option{--use-standard-socket} is the default on all -systems since GnuPG 2.1. - at end ifset - at ifclear gpgtwoone + Note, that @option{--use-standard-socket} is the default on Windows systems. - at end ifclear + The default may be changed at build time. It is possible to test at runtime whether the agent has been configured for use with the standard socket by issuing the command @command{gpg-agent --use-standard-socket-p} which returns success if the standard socket option has been enabled. + at end ifclear @item --display @var{string} @itemx --ttyname @var{string} 
@@ -751,6 +758,30 @@ This signal is used for internal purposes. @node Agent Examples @section Examples + at ifset gpgtwoone +It is important to set the GPG_TTY environment variable in +your login shell, for example in the @file{~/.bashrc} init script: + + at cartouche + at example + export GPG_TTY=$(tty) + at end example + at end cartouche + +If you enabled the Ssh Agent Support, you also need to tell ssh about +it by adding this to your init script: + + at cartouche + at example +unset SSH_AGENT_PID +if [ "$@{gnupg_SSH_AUTH_SOCK_by:-0@}" -ne $$ ]; then + export SSH_AUTH_SOCK="$@{HOME@}/.gnupg/S.gpg-agent.ssh" +fi + at end example + at end cartouche + at end ifset + + at ifclear gpgtwoone The usual way to invoke @command{gpg-agent} is @example @@ -786,6 +817,7 @@ and add something like (for Bourne shells) @noindent to your shell initialization file (e.g. @file{~/.bashrc}). + at end ifclear @c @c Assuan Protocol 
@@ -797,15 +829,21 @@ to your shell initialization file (e.g. @file{~/.bashrc}). Note: this section does only document the protocol, which is used by GnuPG components; it does not deal with the ssh-agent protocol. + at ifset gpgtwoone +The @command{gpg-agent} daemon is started on demand by the GnuPG +components. + at end ifset + at ifclear gpgtwoone The @command{gpg-agent} should be started by the login shell and set an environment variable to tell clients about the socket to be used. Clients should deny to access an agent with a socket name which does not match its own configuration. An application may choose to start -an instance of the gpgagent if it does not figure that any has been -started; it should not do this if a gpgagent is running but not +an instance of the gpg-agent if it does not figure that any has been +started; it should not do this if a gpg-agent is running but not usable. Because @command{gpg-agent} can only be used in background mode, no special command line option is required to activate the use of the protocol. + at end ifclear To identify a key we use a thing called keygrip which is the SHA-1 hash of an canonical encoded S-Expression of the public key as used in diff --git a/doc/gpg.texi b/doc/gpg.texi index 31bdda0..33329a1 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1701,9 +1701,12 @@ This is dummy option. It has no effect when used with @command{gpg2}. @item --agent-program @var{file} @opindex agent-program Specify an agent program to be used for secret key operations. The -default value is the @file{/usr/bin/gpg-agent}. This is only used +default value is the @file{/usr/bin/gpg-agent}. + at ifclear gpgtwoone +This is only used as a fallback when the environment variable @code{GPG_AGENT_INFO} is not set or a running agent cannot be connected. + at end ifclear @ifset gpgtwoone @item --dirmngr-program @var{file} 
@@ -3040,6 +3043,10 @@ Operation is further controlled by a few environment variables: If set directory used instead of "~/.gnupg". @item GPG_AGENT_INFO + at ifset gpgtwoone + This variable was used by GnuPG versions before 2.1 + at end ifset + at ifclear gpgtwoone Used to locate the gpg-agent. The value consists of 3 colon delimited fields: The first is the path @@ -3047,6 +3054,7 @@ Operation is further controlled by a few environment variables: protocol version which should be set to 1. When starting the gpg-agent as described in its documentation, this variable is set to the correct value. The option @option{--gpg-agent-info} can be used to override it. + at end ifclear @item PINENTRY_USER_DATA This value is passed via gpg-agent to pinentry. It is useful to convey diff --git a/doc/gpgsm.texi b/doc/gpgsm.texi index 078d2ad..bc6326c 100644 --- a/doc/gpgsm.texi +++ b/doc/gpgsm.texi @@ -358,9 +358,12 @@ Change the default name of the policy file to @var{filename}. @item --agent-program @var{file} @opindex agent-program Specify an agent program to be used for secret key operations. The -default value is the @file{/usr/local/bin/gpg-agent}. This is only used +default value is the @file{/usr/local/bin/gpg-agent}. + at ifclear gpgtwoone +This is only used as a fallback when the environment variable @code{GPG_AGENT_INFO} is not set or a running agent cannot be connected. + at end ifclear @item --dirmngr-program @var{file} @opindex dirmngr-program 
@@ -892,8 +895,12 @@ other programs of this software too. @item S.gpg-agent @cindex S.gpg-agent -If this file exists and the environment variable @env{GPG_AGENT_INFO} is -not set, @command{gpgsm} will first try to connect to this socket for +If this file exists + at ifclear gpgtwoone +and the environment variable @env{GPG_AGENT_INFO} is +not set, + at end ifclear + at command{gpgsm} will first try to connect to this socket for accessing @command{gpg-agent} before starting a new @command{gpg-agent} instance. Under Windows this socket (which in reality be a plain file describing a regular TCP listening port) is the standard way of diff --git a/g10/server.c b/g10/server.c index b019d1a..d02f20e 100644 --- a/g10/server.c +++ b/g10/server.c @@ -728,15 +728,12 @@ gpg_server (ctrl_t ctrl) if (opt.verbose || opt.debug) { char *tmp = NULL; - const char *s1 = getenv (GPG_AGENT_INFO_NAME); tmp = xtryasprintf ("Home: %s\n" "Config: %s\n" - "AgentInfo: %s\n" "%s", opt.homedir, "fixme: need config filename", - s1?s1:"[not set]", hello); if (tmp) { diff --git a/g13/server.c b/g13/server.c index 573f670..07b74f8 100644 --- a/g13/server.c +++ b/g13/server.c @@ -612,15 +612,12 @@ g13_server (ctrl_t ctrl) if (opt.verbose || opt.debug) { char *tmp = NULL; - const char *s1 = getenv (GPG_AGENT_INFO_NAME); tmp = xtryasprintf ("Home: %s\n" "Config: %s\n" - "AgentInfo: %s\n" "%s", opt.homedir, opt.config_filename, - s1?s1:"[not set]", hello); if (tmp) { diff --git a/scd/scdaemon.c b/scd/scdaemon.c index 9cc4d11..be99b00 100644 --- a/scd/scdaemon.c +++ b/scd/scdaemon.c @@ -206,9 +206,8 @@ static int ticker_disabled; -static char *create_socket_name (int use_standard_socket, - char *standard_name, char *template); -static gnupg_fd_t create_server_socket (int is_standard_name, const char *name, +static char *create_socket_name (char *standard_name); +static gnupg_fd_t create_server_socket (const char *name, assuan_sock_nonce_t *nonce); static void *start_connection_thread (void *arg); 
@@ -399,7 +398,6 @@ main (int argc, char **argv ) int gpgconf_list = 0; const char *config_filename = NULL; int allow_coredump = 0; - int standard_socket = 0; struct assuan_malloc_hooks malloc_hooks; int res; npth_t pipecon_handler; @@ -445,12 +443,6 @@ main (int argc, char **argv ) opt.allow_admin = 1; opt.pcsc_driver = DEFAULT_PCSC_DRIVER; -#ifdef HAVE_W32_SYSTEM - standard_socket = 1; /* Under Windows we always use a standard - socket. */ -#endif - - shell = getenv ("SHELL"); if (shell && strlen (shell) >= 3 && !strcmp (shell+strlen (shell)-3, "csh") ) csh_style = 1; @@ -744,12 +736,8 @@ main (int argc, char **argv ) back the name of that socket. */ if (multi_server) { - socket_name = create_socket_name (standard_socket, - SCDAEMON_SOCK_NAME, - "gpg-XXXXXX/" SCDAEMON_SOCK_NAME); - - fd = FD2INT(create_server_socket (standard_socket, - socket_name, &socket_nonce)); + socket_name = create_socket_name (SCDAEMON_SOCK_NAME); + fd = FD2INT(create_server_socket (socket_name, &socket_nonce)); } res = npth_attr_init (&tattr); @@ -800,12 +788,8 @@ main (int argc, char **argv ) #endif /* Create the socket. */ - socket_name = create_socket_name (standard_socket, - SCDAEMON_SOCK_NAME, - "gpg-XXXXXX/" SCDAEMON_SOCK_NAME); - - fd = FD2INT (create_server_socket (standard_socket, - socket_name, &socket_nonce)); + socket_name = create_socket_name (SCDAEMON_SOCK_NAME); + fd = FD2INT (create_server_socket (socket_name, &socket_nonce)); fflush (NULL); 
@@ -1026,46 +1010,17 @@ handle_tick (void) } -/* Create a name for the socket. With USE_STANDARD_SOCKET given as - true using STANDARD_NAME in the home directory or if given has - false from the mkdir type name TEMPLATE. In the latter case a - unique name in a unique new directory will be created. In both - cases check for valid characters as well as against a maximum - allowed length for a unix domain socket is done. The function - terminates the process in case of an error. Retunrs: Pointer to an - allcoated string with the absolute name of the socket used. */ +/* Create a name for the socket. We check for valid characters as + well as against a maximum allowed length for a unix domain socket + is done. The function terminates the process in case of an error. + Retunrs: Pointer to an allcoated string with the absolute name of + the socket used. */ static char * -create_socket_name (int use_standard_socket, - char *standard_name, char *template) +create_socket_name (char *standard_name) { - char *name, *p; - - if (use_standard_socket) - name = make_filename (opt.homedir, standard_name, NULL); - else - { - /* Prepend the tmp directory to the template. */ - p = getenv ("TMPDIR"); - if (!p || !*p) - p = "/tmp"; - if (p[strlen (p) - 1] == '/') - name = xstrconcat (p, template, NULL); - else - name = xstrconcat (p, "/", template, NULL); - - p = strrchr (name, '/'); - if (!p) - BUG (); - *p = 0; - if (!mkdtemp (name)) - { - log_error (_("can't create directory '%s': %s\n"), - name, strerror (errno)); - scd_exit (2); - } - *p = '/'; - } + char *name; + name = make_filename (opt.homedir, standard_name, NULL); if (strchr (name, PATHSEP_C)) { log_error (("'%s' are not allowed in the socket name\n"), PATHSEP_S); 
@@ -1081,12 +1036,10 @@ create_socket_name (int use_standard_socket, -/* Create a Unix domain socket with NAME. IS_STANDARD_NAME indicates - whether a non-random socket is used. Returns the file descriptor +/* Create a Unix domain socket with NAME. Returns the file descriptor or terminates the process in case of an error. */ static gnupg_fd_t -create_server_socket (int is_standard_name, const char *name, - assuan_sock_nonce_t *nonce) +create_server_socket (const char *name, assuan_sock_nonce_t *nonce) { struct sockaddr_un *serv_addr; socklen_t len; @@ -1108,7 +1061,7 @@ create_server_socket (int is_standard_name, const char *name, len = SUN_LEN (serv_addr); rc = assuan_sock_bind (fd, (struct sockaddr*) serv_addr, len); - if (is_standard_name && rc == -1 && errno == EADDRINUSE) + if (rc == -1 && errno == EADDRINUSE) { remove (name); rc = assuan_sock_bind (fd, (struct sockaddr*) serv_addr, len); diff --git a/sm/server.c b/sm/server.c index 978e70a..0bee5b2 100644 --- a/sm/server.c +++ b/sm/server.c @@ -1299,18 +1299,15 @@ gpgsm_server (certlist_t default_recplist) if (opt.verbose || opt.debug) { char *tmp = NULL; - const char *s1 = getenv (GPG_AGENT_INFO_NAME); /* Fixme: Use the really used socket name. */ if (asprintf (&tmp, "Home: %s\n" "Config: %s\n" - "AgentInfo: %s\n" "DirmngrInfo: %s\n" "%s", opt.homedir, opt.config_filename, - s1?s1:"[not set]", (dirmngr_user_socket_name () ? dirmngr_user_socket_name () : dirmngr_sys_socket_name ()), diff --git a/tools/gpgconf.c b/tools/gpgconf.c index cb37a25..f63c05e 100644 --- a/tools/gpgconf.c +++ b/tools/gpgconf.c 
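Review bot: create_server_socket in scd/scdaemon.c now calls `remove (name)` on every `EADDRINUSE` and binds again, without first testing whether another scdaemon is still serving that socket. Before this commit the branch was guarded by `is_standard_name`, which, as far as the main() hunks show, was only set under HAVE_W32_SYSTEM, so on other systems this path is newly reachable and a second daemon can take the socket away from a running one. gpg-agent's create_server_socket in this same commit probes with check_for_running_agent before reusing the name; a similar connect test before `remove (name)` would keep the two daemons consistent. At minimum I would add `/* FIXME: The socket is removed without checking for a running scdaemon. */` above the remove call. The function body extends beyond the hunk.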
@@ -366,28 +366,10 @@ main (int argc, char **argv) } { - char *infostr = getenv (GPG_AGENT_INFO_NAME); - - if (!infostr || !*infostr) - infostr = make_filename (default_homedir (), + char *tmp = make_filename (default_homedir (), GPG_AGENT_SOCK_NAME, NULL); - else - { - char *tmp; - - infostr = xstrdup (infostr); - tmp = strchr (infostr, PATHSEP_C); - if (!tmp || tmp == infostr) - { - xfree (infostr); - infostr = NULL; - } - else - *tmp = 0; - } - es_fprintf (outfp, "agent-socket:%s\n", - infostr? gc_percent_escape (infostr) : ""); - xfree (infostr); + es_fprintf (outfp, "agent-socket:%s\n", gc_percent_escape (tmp)); + xfree (tmp); } { /* We need to use make_filename to expand a possible "~/". */ ----------------------------------------------------------------------- Summary of changes: README | 68 ++++++------ agent/agent.h | 3 - agent/command.c | 6 +- agent/gpg-agent.c | 224 ++++++++------------------------------- common/asshelp.c | 255 +++++++++++++-------------------------------- common/exechelp-w32.c | 5 +- common/simple-pwquery.c | 21 +--- configure.ac | 52 ++++----- doc/gpg-agent.texi | 68 +++++++++--- doc/gpg.texi | 10 +- doc/gpgsm.texi | 13 ++- g10/call-agent.c | 30 ++++++ g10/call-agent.h | 2 + g10/migrate.c | 23 ++++ g10/server.c | 3 - g13/server.c | 3 - po/de.po | 101 +++++++++++------- po/fr.po | 107 ++++++++++++------- po/ja.po | 93 +++++++++++------ po/uk.po | 103 +++++++++++------- scd/scdaemon.c | 81 +++----------- sm/server.c | 3 - tests/openpgp/Makefile.am | 5 +- tools/gpgconf.c | 24 +---- 24 files changed, 589 insertions(+), 714 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 3 15:07:37 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 03 Oct 2014 15:07:37 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta834-28-gbc8583f Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via bc8583f247898a1fa45f6de834d34b335ab1952c (commit) from ade531acac5041b8346581fe323f36b9dcfee502 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit bc8583f247898a1fa45f6de834d34b335ab1952c Author: Werner Koch Date: Fri Oct 3 15:05:47 2014 +0200 gpg: Allow creating a cert-only primary key. * g10/keygen.c (ask_key_flags): Allow a 'c' in direct entry. -- GnuPG-bug-id: 1726 diff --git a/g10/keygen.c b/g10/keygen.c index 17d7ce1..229f2bf 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -1718,6 +1718,13 @@ ask_key_flags(int algo,int subkey) current |= PUBKEY_USAGE_ENC; else if ((*s == 'a' || *s == 'A') && (possible&PUBKEY_USAGE_AUTH)) current |= PUBKEY_USAGE_AUTH; + else if (!subkey && *s == 'c') + { + /* Accept 'c' for the primary key because USAGE_CERT + will will be set anyway. This is for folks who + want to experiment with a cert-only primary key. */ + current |= PUBKEY_USAGE_CERT; + } } break; } ----------------------------------------------------------------------- Summary of changes: g10/keygen.c | 7 +++++++ 1 file changed, 7 insertions(+) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 3 16:05:52 2014 
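Review bot: The new branch in ask_key_flags (g10/keygen.c) tests only `*s == 'c'`, while the neighbouring authentication branch accepts both `'a'` and `'A'`, so an upper-case `C` in direct entry is not handled by it. For consistency I would write `else if (!subkey && (*s == 'c' || *s == 'C'))`. The added comment also has a doubled word ("will will be set"). The enclosing loop starts outside the hunk, so whether unrecognised letters are reported elsewhere cannot be seen here.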
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 03 Oct 2014 16:05:52 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta864 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 0943c7cc23371943e9670a2f35c318d847cbac6a (commit) via 841a797f6d45065aa77128fdfd43bd4769efefa4 (commit) from bc8583f247898a1fa45f6de834d34b335ab1952c (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 0943c7cc23371943e9670a2f35c318d847cbac6a Author: Werner Koch Date: Fri Oct 3 15:45:32 2014 +0200 Release 2.1.0-beta864. diff --git a/NEWS b/NEWS index a700313..4d533ce 100644 --- a/NEWS +++ b/NEWS 
@@ -1,6 +1,23 @@ -Noteworthy changes in version 2.1.0-betaNNN (unreleased) +Noteworthy changes in version 2.1.0-beta864 (2014-10-03) -------------------------------------------------------- + * gpg: Removed the GPG_AGENT_INFO related code. GnuPG does now only + use a fixed socket name in its home directory. + + * gpg: Renamed --gen-key to --full-gen-key and re-added a --gen-key + command using less prompts. + + * gpg: Use SHA-256 for all signature types also on RSA keys. + + * gpg: Default keyring is now created with a .kbx suffix. + + * gpg: Add a shortcut to key capabilies menu (e.g. "=e" sets the + encryption capabilities). + + * gpg: Fixed obsolete options parsing. + + * speedo: Improved the quick build system. + Noteworthy changes in version 2.1.0-beta834 (2014-09-18) -------------------------------------------------------- commit 841a797f6d45065aa77128fdfd43bd4769efefa4 Author: Werner Koch Date: Fri Oct 3 15:30:38 2014 +0200 speedo: Add INSTALL_PREFIX feature. -- With this it is now possible build and install gnupg 2.1 properly below /usr/local: make -f TOPSRC/build-aux/speed.ml native INSTALL_PREFIX=/usr/local Of course you need installation priviliges for the /usr/local tree. diff --git a/build-aux/speedo.mk b/build-aux/speedo.mk index a9ba6d4..6d344f1 100644 --- a/build-aux/speedo.mk +++ b/build-aux/speedo.mk @@ -58,8 +58,10 @@ help: @echo ' w32-installer Build a Windows installer' @echo ' w32-source Pack a source archive' @echo - @echo 'Prepend TARGET with "git-" to build from GIT repos' - @echo 'Prepend TARGET with "this-" to build from the source tarball' + @echo 'You may append INSTALL_REFIX= for native builds.' + @echo 'Prepend TARGET with "git-" to build from GIT repos.' + @echo 'Prepend TARGET with "this-" to build from the source tarball.' + SPEEDOMAKE := $(MAKE) -f $(SPEEDO_MK) UPD_SWDB=1 
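Review bot: The help line added to the `help:` target in build-aux/speedo.mk names the variable `INSTALL_REFIX`, but the variable this commit introduces and tests is `INSTALL_PREFIX`. Someone copying the name from the help output sets a variable that the makefile never reads, so the build installs into the default `$(root)/inst` tree instead of the intended prefix, with no diagnostic. The line should read `@echo 'You may append INSTALL_PREFIX=DIR for native builds.'`.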
@@ -124,6 +126,9 @@ MAKE_J=3 # Name to use for the w32 installer and sources INST_NAME=gnupg-w32 +# Use this to override the installaion directory for native builds. +INSTALL_PREFIX=none + # Directory names. # They must be absolute, as we switch directories pretty often. @@ -131,7 +136,11 @@ root := $(shell pwd)/PLAY sdir := $(root)/src bdir := $(root)/build bdir6:= $(root)/build-w64 +ifeq ($(INSTALL_PREFIX),none) idir := $(root)/inst +else +idir := $(abspath $(INSTALL_PREFIX)) +endif idir6:= $(root)/inst-w64 stampdir := $(root)/stamps topsrc := $(shell cd $(dir $(SPEEDO_MK)).. && pwd) ----------------------------------------------------------------------- Summary of changes: NEWS | 19 ++++++++++++++++++- build-aux/speedo.mk | 13 +++++++++++-- 2 files changed, 29 insertions(+), 3 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 3 17:07:29 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 03 Oct 2014 17:07:29 +0200 Subject: [git] gnupg-doc - branch, master, updated. 5c72ed8b0c55d9da39b05dcfb8e3dd103b6e883e Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GnuPG website and other docs". The branch, master has been updated via 5c72ed8b0c55d9da39b05dcfb8e3dd103b6e883e (commit) from a2b4c989e971b3a7af19cd3feaef76c2a5003cee (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 5c72ed8b0c55d9da39b05dcfb8e3dd103b6e883e Author: Werner Koch Date: Fri Oct 3 16:52:25 2014 +0200 web: Update news. -- diff --git a/web/index.org b/web/index.org index b42a7d8..ba5462b 100644 --- a/web/index.org +++ b/web/index.org 
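Review bot: The `ifeq ($(INSTALL_PREFIX),none)` test in build-aux/speedo.mk treats only the literal `none` as "not set". An empty value (`INSTALL_PREFIX=` on the command line, which is what the new help line literally shows) takes the else branch, where `$(abspath )` expands to nothing and `idir` becomes empty. Every later `$(idir)/...` path would then resolve against the filesystem root, presumably in a run made with installation privileges; how `idir` is used lies outside this hunk, so that needs confirming. Treating empty like `none` avoids it, e.g. `ifeq ($(or $(strip $(INSTALL_PREFIX)),none),none)` (needs GNU make 3.81 or later). The comment added in the preceding hunk also misspells "installation" as "installaion".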
@@ -56,6 +56,11 @@ all [[file:news.org][news of previous years]] is also available. # point or paste the [[news.en.rss][RSS file]] into your aggregator. +** A beta for GnuPG 2.1.0 released (2014-10-03) + +A beta beta release for the forthcoming GnuPG 2.1 version is now +available. [[http://lists.gnupg.org/pipermail/gnupg-announce/2014q4/000357.html][{more}]] + ** GPA 0.95 released GPA is the GNU Privacy Assistant, a frontend to GnuPG. This new ----------------------------------------------------------------------- Summary of changes: web/index.org | 5 +++++ 1 file changed, 5 insertions(+) hooks/post-receive -- The GnuPG website and other docs http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 3 18:28:55 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 03 Oct 2014 18:28:55 +0200 Subject: [git] GnuPG - branch, STABLE-BRANCH-1-4, updated. gnupg-1.4.18-12-gf681235 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, STABLE-BRANCH-1-4 has been updated via f68123551f4d5b286309006da67c57878f6cc619 (commit) via 534e2876acc05f9f8d9b54c18511fe768d77dfb5 (commit) from 2889a70c102271a1b6ff529bafb6748c4e773014 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit f68123551f4d5b286309006da67c57878f6cc619 Author: Werner Koch Date: Fri Oct 3 18:28:58 2014 +0200 mpi: Fix compiler warning. * mpi/mpi-inv.c (mpi_invm): Do not return a value. diff --git a/mpi/mpi-inv.c b/mpi/mpi-inv.c index 361c57e..43e97d8 100644 --- a/mpi/mpi-inv.c +++ b/mpi/mpi-inv.c 
@@ -166,9 +166,9 @@ mpi_invm( MPI x, MPI a, MPI n ) int odd ; if (!mpi_cmp_ui (a, 0)) - return 0; /* Inverse does not exists. */ + return; /* Inverse does not exists. */ if (!mpi_cmp_ui (n, 1)) - return 0; /* Inverse does not exists. */ + return; /* Inverse does not exists. */ u = mpi_copy(a); v = mpi_copy(n); commit 534e2876acc05f9f8d9b54c18511fe768d77dfb5 Author: Daniel Kahn Gillmor Date: Fri Oct 3 12:01:11 2014 -0400 gpg: Add build and runtime support for larger RSA keys * configure.ac: Added --enable-large-secmem option. * g10/options.h: Add opt.flags.large_rsa. * g10/gpg.c: Contingent on configure option: adjust secmem size, add gpg --enable-large-rsa, bound to opt.flags.large_rsa. * g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa * doc/gpg.texi: Document --enable-large-rsa. -- Some older implementations built and used RSA keys up to 16Kib, but the larger secret keys now fail when used by more recent GnuPG, due to secure memory limitations. Building with ./configure --enable-large-secmem will make gpg capable of working with those secret keys, as well as permitting the use of a new gpg option --enable-large-rsa, which let gpg generate RSA keys up to 8Kib when used with --batch --gen-key. Debian-bug-id: 739424 Minor edits by wk. GnuPG-bug-id: 1732 diff --git a/configure.ac b/configure.ac index ae63a4a..1fd6253 100644 --- a/configure.ac +++ b/configure.ac @@ -158,6 +158,7 @@ use_exec=yes card_support=yes agent_support=yes disable_keyserver_path=no +large_secmem=no AC_ARG_ENABLE(minimal, AC_HELP_STRING([--enable-minimal],[build the smallest gpg binary possible]), 
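Review bot: After this change the two early exits in mpi_invm (mpi/mpi-inv.c) return without touching X, and since the function returns no value a caller cannot tell "no inverse exists" from a computed result. A caller that passes a freshly allocated or reused MPI as X would go on to use whatever X held before; the callers are not visible here, so this needs checking against them. I would at least document the contract above the checks, e.g. `/* If A is 0 or N is 1 no inverse exists; X is left unchanged. */`, or set X to a defined value before returning. The existing comment text "does not exists" should read "does not exist". The function body continues outside the hunk.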
@@ -177,6 +178,21 @@ AC_ARG_ENABLE(minimal, agent_support=no) +AC_MSG_CHECKING([whether to allocate extra secure memory]) +AC_ARG_ENABLE(large-secmem, + AC_HELP_STRING([--enable-large-secmem], + [allocate extra secure memory]), + large_secmem=$enableval, large_secmem=no) +AC_MSG_RESULT($large_secmem) +if test "$large_secmem" = yes ; then + SECMEM_BUFFER_SIZE=65536 +else + SECMEM_BUFFER_SIZE=32768 +fi +AC_DEFINE_UNQUOTED(SECMEM_BUFFER_SIZE,$SECMEM_BUFFER_SIZE, + [Size of secure memory buffer]) + + AC_MSG_CHECKING([whether OpenPGP card support is requested]) AC_ARG_ENABLE(card-support, AC_HELP_STRING([--disable-card-support], diff --git a/doc/gpg.texi b/doc/gpg.texi index ded69ce..ae86809 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1104,6 +1104,15 @@ the opposite meaning. The options are: validation. This option is only meaningful if pka-lookups is set. @end table + at item --enable-large-rsa + at itemx --disable-large-rsa + at opindex enable-large-rsa + at opindex disable-large-rsa +With --gen-key and --batch, enable the creation of larger RSA secret +keys than is generally recommended (up to 8192 bits). These large +keys are more expensive to use, and their signatures and +certifications are also larger. + @item --enable-dsa2 @itemx --disable-dsa2 @opindex enable-dsa2 diff --git a/g10/gpg.c b/g10/gpg.c index 1b0a364..6dc15fa 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -372,6 +372,8 @@ enum cmd_and_opt_values oAutoKeyLocate, oNoAutoKeyLocate, oAllowMultisigVerification, + oEnableLargeRSA, + oDisableLargeRSA, oEnableDSA2, oDisableDSA2, oAllowMultipleMessages, 
@@ -719,6 +721,8 @@ static ARGPARSE_OPTS opts[] = { { oDebugCCIDDriver, "debug-ccid-driver", 0, "@"}, #endif { oAllowMultisigVerification, "allow-multisig-verification", 0, "@"}, + { oEnableLargeRSA, "enable-large-rsa", 0, "@"}, + { oDisableLargeRSA, "disable-large-rsa", 0, "@"}, { oEnableDSA2, "enable-dsa2", 0, "@"}, { oDisableDSA2, "disable-dsa2", 0, "@"}, { oAllowMultipleMessages, "allow-multiple-messages", 0, "@"}, @@ -1995,7 +1999,7 @@ main (int argc, char **argv ) } #endif /* initialize the secure memory. */ - got_secmem=secmem_init( 32768 ); + got_secmem=secmem_init( SECMEM_BUFFER_SIZE ); maybe_setuid = 0; /* Okay, we are now working under our real uid */ @@ -2851,6 +2855,22 @@ main (int argc, char **argv ) release_akl(); break; + case oEnableLargeRSA: +#if SECMEM_BUFFER_SIZE >= 65536 + opt.flags.large_rsa=1; +#else + if (configname) + log_info("%s:%d: WARNING: gpg not built with large secure " + "memory buffer. Ignoring enable-large-rsa\n", + configname,configlineno); + else + log_info("WARNING: gpg not built with large secure " + "memory buffer. Ignoring --enable-large-rsa\n"); +#endif /* SECMEM_BUFFER_SIZE >= 65536 */ + break; + case oDisableLargeRSA: opt.flags.large_rsa=0; + break; + case oEnableDSA2: opt.flags.dsa2=1; break; case oDisableDSA2: opt.flags.dsa2=0; break; diff --git a/g10/keygen.c b/g10/keygen.c index 84f852f..9020908 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -1253,6 +1253,7 @@ gen_rsa(int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek, PKT_public_key *pk; MPI skey[6]; MPI *factors; + const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096); assert( is_RSA(algo) ); @@ -1260,8 +1261,8 @@ gen_rsa(int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek, nbits = 2048; log_info(_("keysize invalid; using %u bits\n"), nbits ); } - else if (nbits > 4096) { - nbits = 4096; + else if (nbits > maxsize) { + nbits = maxsize; log_info(_("keysize invalid; using %u bits\n"), nbits ); } 
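Review bot: The gate `#if SECMEM_BUFFER_SIZE >= 65536` in the oEnableLargeRSA case of g10/gpg.c repeats, as a bare literal, the value configure.ac assigns for --enable-large-secmem, and gen_rsa in g10/keygen.c adds two more bare limits in `maxsize`. A comment tying them together would keep them from drifting apart, e.g. `/* 65536 is the SECMEM_BUFFER_SIZE that configure sets for --enable-large-secmem. */` above the `#if`. When the build lacks the larger buffer the option is only reported with log_info and then ignored, so a batch run continues and gen_rsa clamps the request to 4096 bits; if a smaller key than requested is not acceptable for batch use, that deserves a comment or a hard error. The same applies to the gpg.c and keygen.c hunks of the STABLE-BRANCH-2-0 cherry-pick further down this archive.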
diff --git a/g10/options.h b/g10/options.h index d6326d8..670cf64 100644 --- a/g10/options.h +++ b/g10/options.h @@ -231,6 +231,7 @@ struct unsigned int utf8_filename:1; unsigned int dsa2:1; unsigned int allow_multiple_messages:1; + unsigned int large_rsa:1; } flags; /* Linked list of ways to find a key if the key isn't on the local ----------------------------------------------------------------------- Summary of changes: configure.ac | 16 ++++++++++++++++ doc/gpg.texi | 9 +++++++++ g10/gpg.c | 22 +++++++++++++++++++++- g10/keygen.c | 5 +++-- g10/options.h | 1 + mpi/mpi-inv.c | 4 ++-- 6 files changed, 52 insertions(+), 5 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 3 20:19:36 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 03 Oct 2014 20:19:36 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta864-1-g0c52bfa Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 0c52bfa3955b629038a6ac42c48356b88fce181e (commit) from 0943c7cc23371943e9670a2f35c318d847cbac6a (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 0c52bfa3955b629038a6ac42c48356b88fce181e Author: Werner Koch Date: Fri Oct 3 20:19:08 2014 +0200 doc: Minor fix. -- Due to todays reminder: On Tue 2014-04-22 18:46:15 -0400, Daniel Kahn Gillmor wrote: > With --trust-model=always, all keys and user IDs are considered > automatically valid; they are not automatically trusted (setting > universal ownertrust to anything other than "ultimate" would be > insufficient to acheive the effect of --trust-model=always, due to > --max-cert-depth and certificate path reachability). > > Thanks to Nicolai Josuttis for pointing out this documentation error. diff --git a/NEWS b/NEWS index 4d533ce..fe80aab 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,10 @@ +Noteworthy changes in version 2.1.0 (unreleased) +------------------------------------------------ + + * For a complete list of changes see the lists of changes for the + 2.1.0 beta versions below. + + Noteworthy changes in version 2.1.0-beta864 (2014-10-03) -------------------------------------------------------- 
@@ -11,7 +18,7 @@ Noteworthy changes in version 2.1.0-beta864 (2014-10-03) * gpg: Default keyring is now created with a .kbx suffix. - * gpg: Add a shortcut to key capabilies menu (e.g. "=e" sets the + * gpg: Add a shortcut to the key capabilies menu (e.g. "=e" sets the encryption capabilities). * gpg: Fixed obsolete options parsing. diff --git a/doc/gpg.texi b/doc/gpg.texi index 33329a1..002e888 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1425,7 +1425,7 @@ Set what trust model GnuPG should follow. The models are: @item always @opindex trust-mode:always Skip key validation and assume that used keys are always fully - trusted. You generally won't use this unless you are using some + valid. You generally won't use this unless you are using some external validation scheme. This option also suppresses the "[uncertain]" tag printed with signature checks when there is no evidence that the user ID is bound to the key. Note that this ----------------------------------------------------------------------- Summary of changes: NEWS | 9 ++++++++- doc/gpg.texi | 2 +- 2 files changed, 9 insertions(+), 2 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 3 20:21:23 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 03 Oct 2014 20:21:23 +0200 Subject: [git] GnuPG - branch, STABLE-BRANCH-1-4, updated. gnupg-1.4.18-13-g65c05f5 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, STABLE-BRANCH-1-4 has been updated via 65c05f5c18d4331d6f1a5de98b4c6af27bc1aed8 (commit) from f68123551f4d5b286309006da67c57878f6cc619 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 65c05f5c18d4331d6f1a5de98b4c6af27bc1aed8 Author: Werner Koch Date: Fri Oct 3 20:21:28 2014 +0200 doc: Minor fix -- Thanks to dkg for the reminder. diff --git a/doc/gpg.texi b/doc/gpg.texi index ae86809..b1a27fb 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1375,7 +1375,7 @@ Set what trust model GnuPG should follow. The models are: @item always @opindex trust-mode:always Skip key validation and assume that used keys are always fully - trusted. You generally won't use this unless you are using some + valid. You generally won't use this unless you are using some external validation scheme. This option also suppresses the "[uncertain]" tag printed with signature checks when there is no evidence that the user ID is bound to the key. Note that this ----------------------------------------------------------------------- Summary of changes: doc/gpg.texi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 3 20:24:28 2014 
From: cvs at cvs.gnupg.org (by Daniel Kahn Gillmor) Date: Fri, 03 Oct 2014 20:24:28 +0200 Subject: [git] GnuPG - branch, STABLE-BRANCH-2-0, updated. gnupg-2.0.26-12-gf952fe8 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, STABLE-BRANCH-2-0 has been updated via f952fe8c6ddf13ecca14ca72a27d1f8da6adc901 (commit) from 39c5d991a8fe9187bfbe71d0ff06630fea36fae0 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit f952fe8c6ddf13ecca14ca72a27d1f8da6adc901 Author: Daniel Kahn Gillmor Date: Fri Oct 3 13:59:34 2014 -0400 gpg: Add build and runtime support for larger RSA keys * configure.ac: Added --enable-large-secmem option. * g10/options.h: Add opt.flags.large_rsa. * g10/gpg.c: Contingent on configure option: adjust secmem size, add gpg --enable-large-rsa, bound to opt.flags.large_rsa. * g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa * doc/gpg.texi: Document --enable-large-rsa. -- This is a cherry-pick of 534e2876acc05f9f8d9b54c18511fe768d77dfb5 from STABLE-BRANCH-1-4 against STABLE-BRANCH-2-0 Some older implementations built and used RSA keys up to 16Kib, but the larger secret keys now fail when used by more recent GnuPG, due to secure memory limitations. Building with ./configure --enable-large-secmem will make gpg capable of working with those secret keys, as well as permitting the use of a new gpg option --enable-large-rsa, which let gpg generate RSA keys up to 8Kib when used with --batch --gen-key. Debian-bug-id: 739424 Minor edits by wk. GnuPG-bug-id: 1732 diff --git a/configure.ac b/configure.ac index 7137e3f..3f83bdc 100644 --- a/configure.ac +++ b/configure.ac 
@@ -83,6 +83,7 @@ use_exec=yes disable_keyserver_path=no use_ccid_driver=yes use_standard_socket=no +large_secmem=no GNUPG_BUILD_PROGRAM(gpg, yes) GNUPG_BUILD_PROGRAM(gpgsm, yes) @@ -174,6 +175,22 @@ AC_ARG_ENABLE(selinux-support, selinux_support=$enableval, selinux_support=no) AC_MSG_RESULT($selinux_support) + +AC_MSG_CHECKING([whether to allocate extra secure memory]) +AC_ARG_ENABLE(large-secmem, + AC_HELP_STRING([--enable-large-secmem], + [allocate extra secure memory]), + large_secmem=$enableval, large_secmem=no) +AC_MSG_RESULT($large_secmem) +if test "$large_secmem" = yes ; then + SECMEM_BUFFER_SIZE=65536 +else + SECMEM_BUFFER_SIZE=32768 +fi +AC_DEFINE_UNQUOTED(SECMEM_BUFFER_SIZE,$SECMEM_BUFFER_SIZE, + [Size of secure memory buffer]) + + # Allow disabling of bzib2 support. # It is defined only after we confirm the library is available later AC_MSG_CHECKING([whether to enable the BZIP2 compression algorithm]) diff --git a/doc/gpg.texi b/doc/gpg.texi index d66259e..b2c956e 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1192,6 +1192,15 @@ the opposite meaning. The options are: validation. This option is only meaningful if pka-lookups is set. @end table + at item --enable-large-rsa + at itemx --disable-large-rsa + at opindex enable-large-rsa + at opindex disable-large-rsa +With --gen-key and --batch, enable the creation of larger RSA secret +keys than is generally recommended (up to 8192 bits). These large +keys are more expensive to use, and their signatures and +certifications are also larger. + @item --enable-dsa2 @itemx --disable-dsa2 @opindex enable-dsa2 diff --git a/g10/gpg.c b/g10/gpg.c index a995796..576b88e 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -367,6 +367,8 @@ enum cmd_and_opt_values oAutoKeyLocate, oNoAutoKeyLocate, oAllowMultisigVerification, + oEnableLargeRSA, + oDisableLargeRSA, oEnableDSA2, oDisableDSA2, oAllowMultipleMessages, 
@@ -736,6 +738,8 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oAllowMultisigVerification, "allow-multisig-verification", "@"), + ARGPARSE_s_n (oEnableLargeRSA, "enable-large-rsa", "@"), + ARGPARSE_s_n (oDisableLargeRSA, "disable-large-rsa", "@"), ARGPARSE_s_n (oEnableDSA2, "enable-dsa2", "@"), ARGPARSE_s_n (oDisableDSA2, "disable-dsa2", "@"), ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"), @@ -2069,7 +2073,7 @@ main (int argc, char **argv) #endif /* Initialize the secure memory. */ - if (!gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0)) + if (!gcry_control (GCRYCTL_INIT_SECMEM, SECMEM_BUFFER_SIZE, 0)) got_secmem = 1; #if defined(HAVE_GETUID) && defined(HAVE_GETEUID) /* There should be no way to get to this spot while still carrying @@ -2964,6 +2968,22 @@ main (int argc, char **argv) release_akl(); break; + case oEnableLargeRSA: +#if SECMEM_BUFFER_SIZE >= 65536 + opt.flags.large_rsa=1; +#else + if (configname) + log_info("%s:%d: WARNING: gpg not built with large secure " + "memory buffer. Ignoring enable-large-rsa\n", + configname,configlineno); + else + log_info("WARNING: gpg not built with large secure " + "memory buffer. Ignoring --enable-large-rsa\n"); +#endif /* SECMEM_BUFFER_SIZE >= 65536 */ + break; + case oDisableLargeRSA: opt.flags.large_rsa=0; + break; + case oEnableDSA2: opt.flags.dsa2=1; break; case oDisableDSA2: opt.flags.dsa2=0; break; diff --git a/g10/keygen.c b/g10/keygen.c index 5841ad8..17fde7f 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -1431,6 +1431,7 @@ gen_rsa (int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek, PKT_secret_key *sk; PKT_public_key *pk; gcry_sexp_t s_parms, s_key; + const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096); assert (is_RSA(algo)); 
@@ -1442,9 +1443,9 @@ gen_rsa (int algo, unsigned nbits, KBNODE pub_root, KBNODE sec_root, DEK *dek, nbits = 2048; log_info (_("keysize invalid; using %u bits\n"), nbits ); } - else if (nbits > 4096) + else if (nbits > maxsize) { - nbits = 4096; + nbits = maxsize; log_info (_("keysize invalid; using %u bits\n"), nbits ); } diff --git a/g10/options.h b/g10/options.h index 1a13841..e9c540d 100644 --- a/g10/options.h +++ b/g10/options.h @@ -232,6 +232,7 @@ struct unsigned int dsa2:1; unsigned int allow_multiple_messages:1; unsigned int allow_weak_digest_algos:1; + unsigned int large_rsa:1; } flags; /* Linked list of ways to find a key if the key isn't on the local ----------------------------------------------------------------------- Summary of changes: configure.ac | 17 +++++++++++++++++ doc/gpg.texi | 9 +++++++++ g10/gpg.c | 22 +++++++++++++++++++++- g10/keygen.c | 5 +++-- g10/options.h | 1 + 5 files changed, 51 insertions(+), 3 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Sat Oct 4 14:37:34 2014 
From: cvs at cvs.gnupg.org (by Andrei Scherer) Date: Sat, 04 Oct 2014 14:37:34 +0200 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-117-g30bd759 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via 30bd759f398f45b04d0a783b875f59ce9bd1e51d (commit) from 0ecd136a6ca02252f63ad229fa5240897bfe6544 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 30bd759f398f45b04d0a783b875f59ce9bd1e51d Author: Andrei Scherer Date: Thu Aug 28 09:45:35 2014 -0800 Improved ripemd160 performance * cipher/rmd160.c (transform): Interleave the left and right lane rounds to introduce more instruction level parallelism. -- The benchmarks on different systems: Intel(R) Atom(TM) CPU N570 @ 1.66GHz before: Hash: | nanosecs/byte mebibytes/sec cycles/byte RIPEMD160 | 13.07 ns/B 72.97 MiB/s - c/B after: Hash: | nanosecs/byte mebibytes/sec cycles/byte RIPEMD160 | 11.37 ns/B 83.84 MiB/s - c/B Intel(R) Core(TM) i5-4670 CPU @ 3.40GHz before: Hash: | nanosecs/byte mebibytes/sec cycles/byte RIPEMD160 | 3.31 ns/B 288.0 MiB/s - c/B after: Hash: | nanosecs/byte mebibytes/sec cycles/byte RIPEMD160 | 2.08 ns/B 458.5 MiB/s - c/B Signed-off-by: Andrei Scherer diff --git a/cipher/rmd160.c b/cipher/rmd160.c index 2aba0fe..e6d02f5 100644 --- a/cipher/rmd160.c +++ b/cipher/rmd160.c @@ -178,8 +178,7 @@ static unsigned int transform_blk ( void *ctx, const unsigned char *data ) { RMD160_CONTEXT *hd = ctx; - register u32 a,b,c,d,e; - u32 aa,bb,cc,dd,ee,t; + register u32 al, ar, bl, br, cl, cr, dl, dr, el, er; u32 x[16]; int i; 
@@ -201,196 +200,186 @@ transform_blk ( void *ctx, const unsigned char *data ) #define F2(x,y,z) ( ((x) | ~(y)) ^ (z) ) #define F3(x,y,z) ( ((x) & (z)) | ((y) & ~(z)) ) #define F4(x,y,z) ( (x) ^ ((y) | ~(z)) ) -#define R(a,b,c,d,e,f,k,r,s) do { t = a + f(b,c,d) + k + x[r]; \ - a = rol(t,s) + e; \ +#define R(a,b,c,d,e,f,k,r,s) do { a += f(b,c,d) + k + x[r]; \ + a = rol(a,s) + e; \ c = rol(c,10); \ } while(0) - /* left lane */ - a = hd->h0; - b = hd->h1; - c = hd->h2; - d = hd->h3; - e = hd->h4; - R( a, b, c, d, e, F0, K0, 0, 11 ); - R( e, a, b, c, d, F0, K0, 1, 14 ); - R( d, e, a, b, c, F0, K0, 2, 15 ); - R( c, d, e, a, b, F0, K0, 3, 12 ); - R( b, c, d, e, a, F0, K0, 4, 5 ); - R( a, b, c, d, e, F0, K0, 5, 8 ); - R( e, a, b, c, d, F0, K0, 6, 7 ); - R( d, e, a, b, c, F0, K0, 7, 9 ); - R( c, d, e, a, b, F0, K0, 8, 11 ); - R( b, c, d, e, a, F0, K0, 9, 13 ); - R( a, b, c, d, e, F0, K0, 10, 14 ); - R( e, a, b, c, d, F0, K0, 11, 15 ); - R( d, e, a, b, c, F0, K0, 12, 6 ); - R( c, d, e, a, b, F0, K0, 13, 7 ); - R( b, c, d, e, a, F0, K0, 14, 9 ); - R( a, b, c, d, e, F0, K0, 15, 8 ); - R( e, a, b, c, d, F1, K1, 7, 7 ); - R( d, e, a, b, c, F1, K1, 4, 6 ); - R( c, d, e, a, b, F1, K1, 13, 8 ); - R( b, c, d, e, a, F1, K1, 1, 13 ); - R( a, b, c, d, e, F1, K1, 10, 11 ); - R( e, a, b, c, d, F1, K1, 6, 9 ); - R( d, e, a, b, c, F1, K1, 15, 7 ); - R( c, d, e, a, b, F1, K1, 3, 15 ); - R( b, c, d, e, a, F1, K1, 12, 7 ); - R( a, b, c, d, e, F1, K1, 0, 12 ); - R( e, a, b, c, d, F1, K1, 9, 15 ); - R( d, e, a, b, c, F1, K1, 5, 9 ); - R( c, d, e, a, b, F1, K1, 2, 11 ); - R( b, c, d, e, a, F1, K1, 14, 7 ); - R( a, b, c, d, e, F1, K1, 11, 13 ); - R( e, a, b, c, d, F1, K1, 8, 12 ); - R( d, e, a, b, c, F2, K2, 3, 11 ); - R( c, d, e, a, b, F2, K2, 10, 13 ); - R( b, c, d, e, a, F2, K2, 14, 6 ); - R( a, b, c, d, e, F2, K2, 4, 7 ); - R( e, a, b, c, d, F2, K2, 9, 14 ); - R( d, e, a, b, c, F2, K2, 15, 9 ); - R( c, d, e, a, b, F2, K2, 8, 13 ); - R( b, c, d, e, a, F2, K2, 1, 15 ); - R( a, b, c, d, e, F2, 
K2, 2, 14 ); - R( e, a, b, c, d, F2, K2, 7, 8 ); - R( d, e, a, b, c, F2, K2, 0, 13 ); - R( c, d, e, a, b, F2, K2, 6, 6 ); - R( b, c, d, e, a, F2, K2, 13, 5 ); - R( a, b, c, d, e, F2, K2, 11, 12 ); - R( e, a, b, c, d, F2, K2, 5, 7 ); - R( d, e, a, b, c, F2, K2, 12, 5 ); - R( c, d, e, a, b, F3, K3, 1, 11 ); - R( b, c, d, e, a, F3, K3, 9, 12 ); - R( a, b, c, d, e, F3, K3, 11, 14 ); - R( e, a, b, c, d, F3, K3, 10, 15 ); - R( d, e, a, b, c, F3, K3, 0, 14 ); - R( c, d, e, a, b, F3, K3, 8, 15 ); - R( b, c, d, e, a, F3, K3, 12, 9 ); - R( a, b, c, d, e, F3, K3, 4, 8 ); - R( e, a, b, c, d, F3, K3, 13, 9 ); - R( d, e, a, b, c, F3, K3, 3, 14 ); - R( c, d, e, a, b, F3, K3, 7, 5 ); - R( b, c, d, e, a, F3, K3, 15, 6 ); - R( a, b, c, d, e, F3, K3, 14, 8 ); - R( e, a, b, c, d, F3, K3, 5, 6 ); - R( d, e, a, b, c, F3, K3, 6, 5 ); - R( c, d, e, a, b, F3, K3, 2, 12 ); - R( b, c, d, e, a, F4, K4, 4, 9 ); - R( a, b, c, d, e, F4, K4, 0, 15 ); - R( e, a, b, c, d, F4, K4, 5, 5 ); - R( d, e, a, b, c, F4, K4, 9, 11 ); - R( c, d, e, a, b, F4, K4, 7, 6 ); - R( b, c, d, e, a, F4, K4, 12, 8 ); - R( a, b, c, d, e, F4, K4, 2, 13 ); - R( e, a, b, c, d, F4, K4, 10, 12 ); - R( d, e, a, b, c, F4, K4, 14, 5 ); - R( c, d, e, a, b, F4, K4, 1, 12 ); - R( b, c, d, e, a, F4, K4, 3, 13 ); - R( a, b, c, d, e, F4, K4, 8, 14 ); - R( e, a, b, c, d, F4, K4, 11, 11 ); - R( d, e, a, b, c, F4, K4, 6, 8 ); - R( c, d, e, a, b, F4, K4, 15, 5 ); - R( b, c, d, e, a, F4, K4, 13, 6 ); - - aa = a; bb = b; cc = c; dd = d; ee = e; - - /* right lane */ - a = hd->h0; - b = hd->h1; - c = hd->h2; - d = hd->h3; - e = hd->h4; - R( a, b, c, d, e, F4, KK0, 5, 8); - R( e, a, b, c, d, F4, KK0, 14, 9); - R( d, e, a, b, c, F4, KK0, 7, 9); - R( c, d, e, a, b, F4, KK0, 0, 11); - R( b, c, d, e, a, F4, KK0, 9, 13); - R( a, b, c, d, e, F4, KK0, 2, 15); - R( e, a, b, c, d, F4, KK0, 11, 15); - R( d, e, a, b, c, F4, KK0, 4, 5); - R( c, d, e, a, b, F4, KK0, 13, 7); - R( b, c, d, e, a, F4, KK0, 6, 7); - R( a, b, c, d, e, F4, KK0, 15, 8); - R( e, a, 
b, c, d, F4, KK0, 8, 11); - R( d, e, a, b, c, F4, KK0, 1, 14); - R( c, d, e, a, b, F4, KK0, 10, 14); - R( b, c, d, e, a, F4, KK0, 3, 12); - R( a, b, c, d, e, F4, KK0, 12, 6); - R( e, a, b, c, d, F3, KK1, 6, 9); - R( d, e, a, b, c, F3, KK1, 11, 13); - R( c, d, e, a, b, F3, KK1, 3, 15); - R( b, c, d, e, a, F3, KK1, 7, 7); - R( a, b, c, d, e, F3, KK1, 0, 12); - R( e, a, b, c, d, F3, KK1, 13, 8); - R( d, e, a, b, c, F3, KK1, 5, 9); - R( c, d, e, a, b, F3, KK1, 10, 11); - R( b, c, d, e, a, F3, KK1, 14, 7); - R( a, b, c, d, e, F3, KK1, 15, 7); - R( e, a, b, c, d, F3, KK1, 8, 12); - R( d, e, a, b, c, F3, KK1, 12, 7); - R( c, d, e, a, b, F3, KK1, 4, 6); - R( b, c, d, e, a, F3, KK1, 9, 15); - R( a, b, c, d, e, F3, KK1, 1, 13); - R( e, a, b, c, d, F3, KK1, 2, 11); - R( d, e, a, b, c, F2, KK2, 15, 9); - R( c, d, e, a, b, F2, KK2, 5, 7); - R( b, c, d, e, a, F2, KK2, 1, 15); - R( a, b, c, d, e, F2, KK2, 3, 11); - R( e, a, b, c, d, F2, KK2, 7, 8); - R( d, e, a, b, c, F2, KK2, 14, 6); - R( c, d, e, a, b, F2, KK2, 6, 6); - R( b, c, d, e, a, F2, KK2, 9, 14); - R( a, b, c, d, e, F2, KK2, 11, 12); - R( e, a, b, c, d, F2, KK2, 8, 13); - R( d, e, a, b, c, F2, KK2, 12, 5); - R( c, d, e, a, b, F2, KK2, 2, 14); - R( b, c, d, e, a, F2, KK2, 10, 13); - R( a, b, c, d, e, F2, KK2, 0, 13); - R( e, a, b, c, d, F2, KK2, 4, 7); - R( d, e, a, b, c, F2, KK2, 13, 5); - R( c, d, e, a, b, F1, KK3, 8, 15); - R( b, c, d, e, a, F1, KK3, 6, 5); - R( a, b, c, d, e, F1, KK3, 4, 8); - R( e, a, b, c, d, F1, KK3, 1, 11); - R( d, e, a, b, c, F1, KK3, 3, 14); - R( c, d, e, a, b, F1, KK3, 11, 14); - R( b, c, d, e, a, F1, KK3, 15, 6); - R( a, b, c, d, e, F1, KK3, 0, 14); - R( e, a, b, c, d, F1, KK3, 5, 6); - R( d, e, a, b, c, F1, KK3, 12, 9); - R( c, d, e, a, b, F1, KK3, 2, 12); - R( b, c, d, e, a, F1, KK3, 13, 9); - R( a, b, c, d, e, F1, KK3, 9, 12); - R( e, a, b, c, d, F1, KK3, 7, 5); - R( d, e, a, b, c, F1, KK3, 10, 15); - R( c, d, e, a, b, F1, KK3, 14, 8); - R( b, c, d, e, a, F0, KK4, 12, 8); - R( a, b, c, d, 
e, F0, KK4, 15, 5); - R( e, a, b, c, d, F0, KK4, 10, 12); - R( d, e, a, b, c, F0, KK4, 4, 9); - R( c, d, e, a, b, F0, KK4, 1, 12); - R( b, c, d, e, a, F0, KK4, 5, 5); - R( a, b, c, d, e, F0, KK4, 8, 14); - R( e, a, b, c, d, F0, KK4, 7, 6); - R( d, e, a, b, c, F0, KK4, 6, 8); - R( c, d, e, a, b, F0, KK4, 2, 13); - R( b, c, d, e, a, F0, KK4, 13, 6); - R( a, b, c, d, e, F0, KK4, 14, 5); - R( e, a, b, c, d, F0, KK4, 0, 15); - R( d, e, a, b, c, F0, KK4, 3, 13); - R( c, d, e, a, b, F0, KK4, 9, 11); - R( b, c, d, e, a, F0, KK4, 11, 11); - - - t = hd->h1 + d + cc; - hd->h1 = hd->h2 + e + dd; - hd->h2 = hd->h3 + a + ee; - hd->h3 = hd->h4 + b + aa; - hd->h4 = hd->h0 + c + bb; - hd->h0 = t; - - return /*burn_stack*/ 108+5*sizeof(void*); + /* left lane and right lanes interleaved */ + al = ar = hd->h0; + bl = br = hd->h1; + cl = cr = hd->h2; + dl = dr = hd->h3; + el = er = hd->h4; + R( al, bl, cl, dl, el, F0, K0, 0, 11 ); + R( ar, br, cr, dr, er, F4, KK0, 5, 8); + R( el, al, bl, cl, dl, F0, K0, 1, 14 ); + R( er, ar, br, cr, dr, F4, KK0, 14, 9); + R( dl, el, al, bl, cl, F0, K0, 2, 15 ); + R( dr, er, ar, br, cr, F4, KK0, 7, 9); + R( cl, dl, el, al, bl, F0, K0, 3, 12 ); + R( cr, dr, er, ar, br, F4, KK0, 0, 11); + R( bl, cl, dl, el, al, F0, K0, 4, 5 ); + R( br, cr, dr, er, ar, F4, KK0, 9, 13); + R( al, bl, cl, dl, el, F0, K0, 5, 8 ); + R( ar, br, cr, dr, er, F4, KK0, 2, 15); + R( el, al, bl, cl, dl, F0, K0, 6, 7 ); + R( er, ar, br, cr, dr, F4, KK0, 11, 15); + R( dl, el, al, bl, cl, F0, K0, 7, 9 ); + R( dr, er, ar, br, cr, F4, KK0, 4, 5); + R( cl, dl, el, al, bl, F0, K0, 8, 11 ); + R( cr, dr, er, ar, br, F4, KK0, 13, 7); + R( bl, cl, dl, el, al, F0, K0, 9, 13 ); + R( br, cr, dr, er, ar, F4, KK0, 6, 7); + R( al, bl, cl, dl, el, F0, K0, 10, 14 ); + R( ar, br, cr, dr, er, F4, KK0, 15, 8); + R( el, al, bl, cl, dl, F0, K0, 11, 15 ); + R( er, ar, br, cr, dr, F4, KK0, 8, 11); + R( dl, el, al, bl, cl, F0, K0, 12, 6 ); + R( dr, er, ar, br, cr, F4, KK0, 1, 14); + R( cl, dl, el, al, bl, F0, 
K0, 13, 7 ); + R( cr, dr, er, ar, br, F4, KK0, 10, 14); + R( bl, cl, dl, el, al, F0, K0, 14, 9 ); + R( br, cr, dr, er, ar, F4, KK0, 3, 12); + R( al, bl, cl, dl, el, F0, K0, 15, 8 ); + R( ar, br, cr, dr, er, F4, KK0, 12, 6); + R( el, al, bl, cl, dl, F1, K1, 7, 7 ); + R( er, ar, br, cr, dr, F3, KK1, 6, 9); + R( dl, el, al, bl, cl, F1, K1, 4, 6 ); + R( dr, er, ar, br, cr, F3, KK1, 11, 13); + R( cl, dl, el, al, bl, F1, K1, 13, 8 ); + R( cr, dr, er, ar, br, F3, KK1, 3, 15); + R( bl, cl, dl, el, al, F1, K1, 1, 13 ); + R( br, cr, dr, er, ar, F3, KK1, 7, 7); + R( al, bl, cl, dl, el, F1, K1, 10, 11 ); + R( ar, br, cr, dr, er, F3, KK1, 0, 12); + R( el, al, bl, cl, dl, F1, K1, 6, 9 ); + R( er, ar, br, cr, dr, F3, KK1, 13, 8); + R( dl, el, al, bl, cl, F1, K1, 15, 7 ); + R( dr, er, ar, br, cr, F3, KK1, 5, 9); + R( cl, dl, el, al, bl, F1, K1, 3, 15 ); + R( cr, dr, er, ar, br, F3, KK1, 10, 11); + R( bl, cl, dl, el, al, F1, K1, 12, 7 ); + R( br, cr, dr, er, ar, F3, KK1, 14, 7); + R( al, bl, cl, dl, el, F1, K1, 0, 12 ); + R( ar, br, cr, dr, er, F3, KK1, 15, 7); + R( el, al, bl, cl, dl, F1, K1, 9, 15 ); + R( er, ar, br, cr, dr, F3, KK1, 8, 12); + R( dl, el, al, bl, cl, F1, K1, 5, 9 ); + R( dr, er, ar, br, cr, F3, KK1, 12, 7); + R( cl, dl, el, al, bl, F1, K1, 2, 11 ); + R( cr, dr, er, ar, br, F3, KK1, 4, 6); + R( bl, cl, dl, el, al, F1, K1, 14, 7 ); + R( br, cr, dr, er, ar, F3, KK1, 9, 15); + R( al, bl, cl, dl, el, F1, K1, 11, 13 ); + R( ar, br, cr, dr, er, F3, KK1, 1, 13); + R( el, al, bl, cl, dl, F1, K1, 8, 12 ); + R( er, ar, br, cr, dr, F3, KK1, 2, 11); + R( dl, el, al, bl, cl, F2, K2, 3, 11 ); + R( dr, er, ar, br, cr, F2, KK2, 15, 9); + R( cl, dl, el, al, bl, F2, K2, 10, 13 ); + R( cr, dr, er, ar, br, F2, KK2, 5, 7); + R( bl, cl, dl, el, al, F2, K2, 14, 6 ); + R( br, cr, dr, er, ar, F2, KK2, 1, 15); + R( al, bl, cl, dl, el, F2, K2, 4, 7 ); + R( ar, br, cr, dr, er, F2, KK2, 3, 11); + R( el, al, bl, cl, dl, F2, K2, 9, 14 ); + R( er, ar, br, cr, dr, F2, KK2, 7, 8); + R( dl, el, al, 
bl, cl, F2, K2, 15, 9 ); + R( dr, er, ar, br, cr, F2, KK2, 14, 6); + R( cl, dl, el, al, bl, F2, K2, 8, 13 ); + R( cr, dr, er, ar, br, F2, KK2, 6, 6); + R( bl, cl, dl, el, al, F2, K2, 1, 15 ); + R( br, cr, dr, er, ar, F2, KK2, 9, 14); + R( al, bl, cl, dl, el, F2, K2, 2, 14 ); + R( ar, br, cr, dr, er, F2, KK2, 11, 12); + R( el, al, bl, cl, dl, F2, K2, 7, 8 ); + R( er, ar, br, cr, dr, F2, KK2, 8, 13); + R( dl, el, al, bl, cl, F2, K2, 0, 13 ); + R( dr, er, ar, br, cr, F2, KK2, 12, 5); + R( cl, dl, el, al, bl, F2, K2, 6, 6 ); + R( cr, dr, er, ar, br, F2, KK2, 2, 14); + R( bl, cl, dl, el, al, F2, K2, 13, 5 ); + R( br, cr, dr, er, ar, F2, KK2, 10, 13); + R( al, bl, cl, dl, el, F2, K2, 11, 12 ); + R( ar, br, cr, dr, er, F2, KK2, 0, 13); + R( el, al, bl, cl, dl, F2, K2, 5, 7 ); + R( er, ar, br, cr, dr, F2, KK2, 4, 7); + R( dl, el, al, bl, cl, F2, K2, 12, 5 ); + R( dr, er, ar, br, cr, F2, KK2, 13, 5); + R( cl, dl, el, al, bl, F3, K3, 1, 11 ); + R( cr, dr, er, ar, br, F1, KK3, 8, 15); + R( bl, cl, dl, el, al, F3, K3, 9, 12 ); + R( br, cr, dr, er, ar, F1, KK3, 6, 5); + R( al, bl, cl, dl, el, F3, K3, 11, 14 ); + R( ar, br, cr, dr, er, F1, KK3, 4, 8); + R( el, al, bl, cl, dl, F3, K3, 10, 15 ); + R( er, ar, br, cr, dr, F1, KK3, 1, 11); + R( dl, el, al, bl, cl, F3, K3, 0, 14 ); + R( dr, er, ar, br, cr, F1, KK3, 3, 14); + R( cl, dl, el, al, bl, F3, K3, 8, 15 ); + R( cr, dr, er, ar, br, F1, KK3, 11, 14); + R( bl, cl, dl, el, al, F3, K3, 12, 9 ); + R( br, cr, dr, er, ar, F1, KK3, 15, 6); + R( al, bl, cl, dl, el, F3, K3, 4, 8 ); + R( ar, br, cr, dr, er, F1, KK3, 0, 14); + R( el, al, bl, cl, dl, F3, K3, 13, 9 ); + R( er, ar, br, cr, dr, F1, KK3, 5, 6); + R( dl, el, al, bl, cl, F3, K3, 3, 14 ); + R( dr, er, ar, br, cr, F1, KK3, 12, 9); + R( cl, dl, el, al, bl, F3, K3, 7, 5 ); + R( cr, dr, er, ar, br, F1, KK3, 2, 12); + R( bl, cl, dl, el, al, F3, K3, 15, 6 ); + R( br, cr, dr, er, ar, F1, KK3, 13, 9); + R( al, bl, cl, dl, el, F3, K3, 14, 8 ); + R( ar, br, cr, dr, er, F1, KK3, 9, 12); + R( 
el, al, bl, cl, dl, F3, K3, 5, 6 ); + R( er, ar, br, cr, dr, F1, KK3, 7, 5); + R( dl, el, al, bl, cl, F3, K3, 6, 5 ); + R( dr, er, ar, br, cr, F1, KK3, 10, 15); + R( cl, dl, el, al, bl, F3, K3, 2, 12 ); + R( cr, dr, er, ar, br, F1, KK3, 14, 8); + R( bl, cl, dl, el, al, F4, K4, 4, 9 ); + R( br, cr, dr, er, ar, F0, KK4, 12, 8); + R( al, bl, cl, dl, el, F4, K4, 0, 15 ); + R( ar, br, cr, dr, er, F0, KK4, 15, 5); + R( el, al, bl, cl, dl, F4, K4, 5, 5 ); + R( er, ar, br, cr, dr, F0, KK4, 10, 12); + R( dl, el, al, bl, cl, F4, K4, 9, 11 ); + R( dr, er, ar, br, cr, F0, KK4, 4, 9); + R( cl, dl, el, al, bl, F4, K4, 7, 6 ); + R( cr, dr, er, ar, br, F0, KK4, 1, 12); + R( bl, cl, dl, el, al, F4, K4, 12, 8 ); + R( br, cr, dr, er, ar, F0, KK4, 5, 5); + R( al, bl, cl, dl, el, F4, K4, 2, 13 ); + R( ar, br, cr, dr, er, F0, KK4, 8, 14); + R( el, al, bl, cl, dl, F4, K4, 10, 12 ); + R( er, ar, br, cr, dr, F0, KK4, 7, 6); + R( dl, el, al, bl, cl, F4, K4, 14, 5 ); + R( dr, er, ar, br, cr, F0, KK4, 6, 8); + R( cl, dl, el, al, bl, F4, K4, 1, 12 ); + R( cr, dr, er, ar, br, F0, KK4, 2, 13); + R( bl, cl, dl, el, al, F4, K4, 3, 13 ); + R( br, cr, dr, er, ar, F0, KK4, 13, 6); + R( al, bl, cl, dl, el, F4, K4, 8, 14 ); + R( ar, br, cr, dr, er, F0, KK4, 14, 5); + R( el, al, bl, cl, dl, F4, K4, 11, 11 ); + R( er, ar, br, cr, dr, F0, KK4, 0, 15); + R( dl, el, al, bl, cl, F4, K4, 6, 8 ); + R( dr, er, ar, br, cr, F0, KK4, 3, 13); + R( cl, dl, el, al, bl, F4, K4, 15, 5 ); + R( cr, dr, er, ar, br, F0, KK4, 9, 11); + R( bl, cl, dl, el, al, F4, K4, 13, 6 ); + R( br, cr, dr, er, ar, F0, KK4, 11, 11); + + dr += cl + hd->h1; + hd->h1 = hd->h2 + dl + er; + hd->h2 = hd->h3 + el + ar; + hd->h3 = hd->h4 + al + br; + hd->h4 = hd->h0 + bl + cr; + hd->h0 = dr; + + return /*burn_stack*/ 104+5*sizeof(void*); } ----------------------------------------------------------------------- Summary of changes: cipher/rmd160.c | 367 +++++++++++++++++++++++++++---------------------------- 1 file changed, 178 insertions(+), 189 
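Review bot: The burn-stack constant at the end of transform_blk changes from 108 to 104 without any comment tying it to the function's locals. It appears to track the ten u32 lane variables plus `x[16]` now that the temporary `t` is gone, so a later edit to the locals could leave the estimate too small to wipe the whole frame. A one-line comment would make the dependency explicit, for example `/* 10 u32 lane variables + x[16] = 104 bytes */`. The feed-forward step also reuses `dr` as scratch for the new h0, which deserves `/* dr doubles as the temporary for the new h0 */`. transform_blk begins outside this hunk.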
deletions(-) hooks/post-receive -- The GNU crypto library http://git.gnupg.org From cvs at cvs.gnupg.org Sat Oct 4 14:48:14 2014 
From: cvs at cvs.gnupg.org (by Jussi Kivilinna) Date: Sat, 04 Oct 2014 14:48:14 +0200 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-118-gde0ccd4 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via de0ccd4dce7ec185a678d78878d4538dd609ca0f (commit) from 30bd759f398f45b04d0a783b875f59ce9bd1e51d (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit de0ccd4dce7ec185a678d78878d4538dd609ca0f Author: Jussi Kivilinna Date: Sun Aug 31 13:17:24 2014 +0300 Add Whirlpool AMD64/SSE2 assembly implementation * cipher/Makefile.am: Add 'whirlpool-sse2-amd64.S'. * cipher/whirlpool-sse2-amd64.S: New. * cipher/whirlpool.c (USE_AMD64_ASM): New. (whirlpool_tables_s): New. (rc, C0, C1, C2, C3, C4, C5, C6, C7): Combine these tables into single structure and replace old tables with macros of same name. (tab): New structure containing above tables. [USE_AMD64_ASM] (_gcry_whirlpool_transform_amd64) (whirlpool_transform): New. * configure.ac [host=x86_64]: Add 'whirlpool-sse2-amd64.lo'. -- Benchmark results: On Intel Core i5-4570 (3.2 Ghz): After: WHIRLPOOL | 4.82 ns/B 197.8 MiB/s 15.43 c/B Before: WHIRLPOOL | 9.10 ns/B 104.8 MiB/s 29.13 c/B On Intel Core i5-2450M (2.5 Ghz): After: WHIRLPOOL | 8.43 ns/B 113.1 MiB/s 21.09 c/B Before: WHIRLPOOL | 13.45 ns/B 70.92 MiB/s 33.62 c/B On Intel Core2 T8100 (2.1 Ghz): After: WHIRLPOOL | 10.22 ns/B 93.30 MiB/s 21.47 c/B Before: WHIRLPOOL | 19.87 ns/B 48.00 MiB/s 41.72 c/B Summary, old vs new ratio: Intel Core i5-4570: 1.88x Intel Core i5-2450M: 1.59x Intel Core2 T8100: 1.94x Signed-off-by: Jussi Kivilinna 
diff --git a/cipher/Makefile.am b/cipher/Makefile.am index c165356..7f45cbb 100644 --- a/cipher/Makefile.am +++ b/cipher/Makefile.am @@ -87,7 +87,7 @@ sha512.c sha512-ssse3-amd64.S sha512-avx-amd64.S sha512-avx2-bmi2-amd64.S \ sha512-armv7-neon.S \ stribog.c \ tiger.c \ -whirlpool.c \ +whirlpool.c whirlpool-sse2-amd64.S \ twofish.c twofish-amd64.S twofish-arm.S \ rfc2268.c \ camellia.c camellia.h camellia-glue.c camellia-aesni-avx-amd64.S \ diff --git a/cipher/whirlpool-sse2-amd64.S b/cipher/whirlpool-sse2-amd64.S new file mode 100644 index 0000000..d0bcf2d --- /dev/null +++ b/cipher/whirlpool-sse2-amd64.S 
@@ -0,0 +1,335 @@ +/* whirlpool-sse2-amd64.S - AMD64 assembly implementation of Whirlpool + * + * Copyright (C) 2014 Jussi Kivilinna + * + * This file is part of Libgcrypt. + * + * Libgcrypt is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * Libgcrypt is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, see . + */ + +#ifdef __x86_64 +#include +#if defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) && defined(USE_WHIRLPOOL) + +#ifdef __PIC__ +# define RIP %rip +#else +# define RIP +#endif + +.text + +/* look-up table offsets on RTAB */ +#define RC (0) +#define C0 (RC + (8 * 10)) +#define C1 (C0 + (8 * 256)) +#define C2 (C1 + (8 * 256)) +#define C3 (C2 + (8 * 256)) +#define C4 (C3 + (8 * 256)) +#define C5 (C4 + (8 * 256)) +#define C6 (C5 + (8 * 256)) +#define C7 (C6 + (8 * 256)) + +/* stack variables */ +#define STACK_DATAP (0) +#define STACK_STATEP (STACK_DATAP + 8) +#define STACK_ROUNDS (STACK_STATEP + 8) +#define STACK_NBLKS (STACK_ROUNDS + 8) +#define STACK_RBP (STACK_NBLKS + 8) +#define STACK_RBX (STACK_RBP + 8) +#define STACK_R12 (STACK_RBX + 8) +#define STACK_R13 (STACK_R12 + 8) +#define STACK_R14 (STACK_R13 + 8) +#define STACK_R15 (STACK_R14 + 8) +#define STACK_MAX (STACK_R15 + 8) + +/* register macros */ +#define RTAB %rbp + +#define RI1 %rax +#define RI2 %rbx +#define RI3 %rcx +#define RI4 %rdx + +#define RI1d %eax +#define RI2d %ebx +#define RI3d %ecx +#define RI4d %edx + +#define RI1bl %al +#define RI2bl %bl +#define RI3bl %cl +#define RI4bl %dl + +#define 
RI1bh %ah +#define RI2bh %bh +#define RI3bh %ch +#define RI4bh %dh + +#define RB0 %r8 +#define RB1 %r9 +#define RB2 %r10 +#define RB3 %r11 +#define RB4 %r12 +#define RB5 %r13 +#define RB6 %r14 +#define RB7 %r15 + +#define RT0 %rsi +#define RT1 %rdi + +#define RT0d %esi +#define RT1d %edi + +#define XKEY0 %xmm0 +#define XKEY1 %xmm1 +#define XKEY2 %xmm2 +#define XKEY3 %xmm3 +#define XKEY4 %xmm4 +#define XKEY5 %xmm5 +#define XKEY6 %xmm6 +#define XKEY7 %xmm7 + +#define XSTATE0 %xmm8 +#define XSTATE1 %xmm9 +#define XSTATE2 %xmm10 +#define XSTATE3 %xmm11 +#define XSTATE4 %xmm12 +#define XSTATE5 %xmm13 +#define XSTATE6 %xmm14 +#define XSTATE7 %xmm15 + +/*********************************************************************** + * AMD64 assembly implementation of Whirlpool. + * - Using table-lookups + * - Store state in XMM registers + ***********************************************************************/ +#define __do_whirl(op, ri, \ + b0, b1, b2, b3, b4, b5, b6, b7, \ + load_ri, load_arg) \ + movzbl ri ## bl, RT0d; \ + movzbl ri ## bh, RT1d; \ + shrq $16, ri; \ + op ## q C7(RTAB,RT0,8), b7; \ + op ## q C6(RTAB,RT1,8), b6; \ + movzbl ri ## bl, RT0d; \ + movzbl ri ## bh, RT1d; \ + shrq $16, ri; \ + op ## q C5(RTAB,RT0,8), b5; \ + op ## q C4(RTAB,RT1,8), b4; \ + movzbl ri ## bl, RT0d; \ + movzbl ri ## bh, RT1d; \ + shrl $16, ri ## d; \ + op ## q C3(RTAB,RT0,8), b3; \ + op ## q C2(RTAB,RT1,8), b2; \ + movzbl ri ## bl, RT0d; \ + movzbl ri ## bh, RT1d; \ + load_ri( load_arg, ri); \ + op ## q C1(RTAB,RT0,8), b1; \ + op ## q C0(RTAB,RT1,8), b0; + +#define do_whirl(op, ri, rb_add, load_ri, load_arg) \ + __do_whirl(op, ##ri, rb_add, load_ri, load_arg) + +#define dummy(...) 
/*_*/ + +#define do_movq(src, dst) movq src, dst; + +#define RB_ADD0 RB0, RB1, RB2, RB3, RB4, RB5, RB6, RB7 +#define RB_ADD1 RB1, RB2, RB3, RB4, RB5, RB6, RB7, RB0 +#define RB_ADD2 RB2, RB3, RB4, RB5, RB6, RB7, RB0, RB1 +#define RB_ADD3 RB3, RB4, RB5, RB6, RB7, RB0, RB1, RB2 +#define RB_ADD4 RB4, RB5, RB6, RB7, RB0, RB1, RB2, RB3 +#define RB_ADD5 RB5, RB6, RB7, RB0, RB1, RB2, RB3, RB4 +#define RB_ADD6 RB6, RB7, RB0, RB1, RB2, RB3, RB4, RB5 +#define RB_ADD7 RB7, RB0, RB1, RB2, RB3, RB4, RB5, RB6 + +.align 8 +.globl _gcry_whirlpool_transform_amd64 +.type _gcry_whirlpool_transform_amd64, at function; + +_gcry_whirlpool_transform_amd64: + /* input: + * %rdi: state + * %rsi: inblk + * %rdx: nblks + * %rcx: look-up tables + */ + cmp $0, %rdx; + je .Lskip; + + subq $STACK_MAX, %rsp; + movq %rbp, STACK_RBP(%rsp); + movq %rbx, STACK_RBX(%rsp); + movq %r12, STACK_R12(%rsp); + movq %r13, STACK_R13(%rsp); + movq %r14, STACK_R14(%rsp); + movq %r15, STACK_R15(%rsp); + + movq %rdx, STACK_NBLKS(%rsp); + movq %rdi, STACK_STATEP(%rsp); + movq %rsi, STACK_DATAP(%rsp); + + movq %rcx, RTAB; + + jmp .Lfirst_block; + +.align 8 +.Lblock_loop: + movq STACK_DATAP(%rsp), %rsi; + movq RI1, %rdi; + +.Lfirst_block: + /* load data_block */ + movq 0*8(%rsi), RB0; + movq 1*8(%rsi), RB1; + bswapq RB0; + movq 2*8(%rsi), RB2; + bswapq RB1; + movq 3*8(%rsi), RB3; + bswapq RB2; + movq 4*8(%rsi), RB4; + bswapq RB3; + movq 5*8(%rsi), RB5; + bswapq RB4; + movq RB0, XSTATE0; + movq 6*8(%rsi), RB6; + bswapq RB5; + movq RB1, XSTATE1; + movq 7*8(%rsi), RB7; + bswapq RB6; + movq RB2, XSTATE2; + bswapq RB7; + movq RB3, XSTATE3; + movq RB4, XSTATE4; + movq RB5, XSTATE5; + movq RB6, XSTATE6; + movq RB7, XSTATE7; + + /* load key */ + movq 0*8(%rdi), XKEY0; + movq 1*8(%rdi), XKEY1; + movq 2*8(%rdi), XKEY2; + movq 3*8(%rdi), XKEY3; + movq 4*8(%rdi), XKEY4; + movq 5*8(%rdi), XKEY5; + movq 6*8(%rdi), XKEY6; + movq 7*8(%rdi), XKEY7; + + movq XKEY0, RI1; + movq XKEY1, RI2; + movq XKEY2, RI3; + movq XKEY3, RI4; + + /* 
prepare and store state */ + pxor XKEY0, XSTATE0; + pxor XKEY1, XSTATE1; + pxor XKEY2, XSTATE2; + pxor XKEY3, XSTATE3; + pxor XKEY4, XSTATE4; + pxor XKEY5, XSTATE5; + pxor XKEY6, XSTATE6; + pxor XKEY7, XSTATE7; + + movq XSTATE0, 0*8(%rdi); + movq XSTATE1, 1*8(%rdi); + movq XSTATE2, 2*8(%rdi); + movq XSTATE3, 3*8(%rdi); + movq XSTATE4, 4*8(%rdi); + movq XSTATE5, 5*8(%rdi); + movq XSTATE6, 6*8(%rdi); + movq XSTATE7, 7*8(%rdi); + + addq $64, STACK_DATAP(%rsp); + movl $(0), STACK_ROUNDS(%rsp); +.align 8 +.Lround_loop: + do_whirl(mov, RI1 /*XKEY0*/, RB_ADD0, do_movq, XKEY4); + do_whirl(xor, RI2 /*XKEY1*/, RB_ADD1, do_movq, XKEY5); + do_whirl(xor, RI3 /*XKEY2*/, RB_ADD2, do_movq, XKEY6); + do_whirl(xor, RI4 /*XKEY3*/, RB_ADD3, do_movq, XKEY7); + do_whirl(xor, RI1 /*XKEY0*/, RB_ADD4, do_movq, XSTATE0); + do_whirl(xor, RI2 /*XKEY1*/, RB_ADD5, do_movq, XSTATE1); + do_whirl(xor, RI3 /*XKEY2*/, RB_ADD6, do_movq, XSTATE2); + do_whirl(xor, RI4 /*XKEY3*/, RB_ADD7, do_movq, XSTATE3); + + movl STACK_ROUNDS(%rsp), RT0d; + movq RB1, XKEY1; + addl $1, STACK_ROUNDS(%rsp); + movq RB2, XKEY2; + movq RB3, XKEY3; + xorq RC(RTAB,RT0,8), RB0; /* Add round constant */ + movq RB4, XKEY4; + movq RB5, XKEY5; + movq RB0, XKEY0; + movq RB6, XKEY6; + movq RB7, XKEY7; + + do_whirl(xor, RI1 /*XSTATE0*/, RB_ADD0, do_movq, XSTATE4); + do_whirl(xor, RI2 /*XSTATE1*/, RB_ADD1, do_movq, XSTATE5); + do_whirl(xor, RI3 /*XSTATE2*/, RB_ADD2, do_movq, XSTATE6); + do_whirl(xor, RI4 /*XSTATE3*/, RB_ADD3, do_movq, XSTATE7); + + cmpl $10, STACK_ROUNDS(%rsp); + je .Lis_last_round; + + do_whirl(xor, RI1 /*XSTATE4*/, RB_ADD4, do_movq, XKEY0); + do_whirl(xor, RI2 /*XSTATE5*/, RB_ADD5, do_movq, XKEY1); + do_whirl(xor, RI3 /*XSTATE6*/, RB_ADD6, do_movq, XKEY2); + do_whirl(xor, RI4 /*XSTATE7*/, RB_ADD7, do_movq, XKEY3); + movq RB0, XSTATE0; + movq RB1, XSTATE1; + movq RB2, XSTATE2; + movq RB3, XSTATE3; + movq RB4, XSTATE4; + movq RB5, XSTATE5; + movq RB6, XSTATE6; + movq RB7, XSTATE7; + + jmp .Lround_loop; +.align 8 
+.Lis_last_round: + do_whirl(xor, RI1 /*XSTATE4*/, RB_ADD4, dummy, _); + movq STACK_STATEP(%rsp), RI1; + do_whirl(xor, RI2 /*XSTATE5*/, RB_ADD5, dummy, _); + do_whirl(xor, RI3 /*XSTATE6*/, RB_ADD6, dummy, _); + do_whirl(xor, RI4 /*XSTATE7*/, RB_ADD7, dummy, _); + + /* store state */ + xorq RB0, 0*8(RI1); + xorq RB1, 1*8(RI1); + xorq RB2, 2*8(RI1); + xorq RB3, 3*8(RI1); + xorq RB4, 4*8(RI1); + xorq RB5, 5*8(RI1); + xorq RB6, 6*8(RI1); + xorq RB7, 7*8(RI1); + + subq $1, STACK_NBLKS(%rsp); + jnz .Lblock_loop; + + movq STACK_RBP(%rsp), %rbp; + movq STACK_RBX(%rsp), %rbx; + movq STACK_R12(%rsp), %r12; + movq STACK_R13(%rsp), %r13; + movq STACK_R14(%rsp), %r14; + movq STACK_R15(%rsp), %r15; + addq $STACK_MAX, %rsp; +.Lskip: + movl $(STACK_MAX + 8), %eax; + ret; +.size _gcry_whirlpool_transform_amd64,.-_gcry_whirlpool_transform_amd64; + +#endif +#endif diff --git a/cipher/whirlpool.c b/cipher/whirlpool.c index ffc6662..2732f63 100644 --- a/cipher/whirlpool.c +++ b/cipher/whirlpool.c @@ -40,6 +40,14 @@ #include "bufhelp.h" #include "hash-common.h" +/* USE_AMD64_ASM indicates whether to use AMD64 assembly code. */ +#undef USE_AMD64_ASM +#if defined(__x86_64__) && defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) +# define USE_AMD64_ASM 1 +#endif + + + /* Size of a whirlpool block (in bytes). */ #define BLOCK_SIZE 64 @@ -89,8 +97,15 @@ typedef struct { + +struct whirlpool_tables_s { + u64 RC[R]; + u64 C[8][256]; +}; + +static const struct whirlpool_tables_s tab = +{ /* Round constants. */ -static const u64 rc[R] = { U64_C (0x1823c6e887b8014f), U64_C (0x36a6d2f5796f9152), @@ -102,13 +117,9 @@ static const u64 rc[R] = U64_C (0xe427418ba77d95d8), U64_C (0xfbee7c66dd17479e), U64_C (0xca2dbf07ad5a8333), - }; - - - + }, /* Main lookup boxes. */ -static const u64 C0[256] = - { + { { U64_C (0x18186018c07830d8), U64_C (0x23238c2305af4626), U64_C (0xc6c63fc67ef991b8), U64_C (0xe8e887e8136fcdfb), U64_C (0x878726874ca113cb), U64_C (0xb8b8dab8a9626d11), 
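Review bot: The exit path of `_gcry_whirlpool_transform_amd64` restores the callee-saved registers and returns a stack burn depth, but XKEY0–XKEY7 and XSTATE0–XSTATE7 (xmm0–xmm15) still hold intermediate key-schedule and state words when `ret` executes. When the hash runs over secret material, such as a keyed construction built on it, that residue is not covered by the returned burn depth, which only describes the stack. Clearing the vector registers just before `.Lskip` costs sixteen `pxor` instructions per call rather than per block. The caller-saved general registers could be treated the same way if the project wants that level of hygiene.

```asm
	addq $STACK_MAX, %rsp;

	/* clear intermediate key schedule and state from the vector registers */
	pxor XKEY0, XKEY0;
	pxor XKEY1, XKEY1;
	pxor XKEY2, XKEY2;
	pxor XKEY3, XKEY3;
	pxor XKEY4, XKEY4;
	pxor XKEY5, XKEY5;
	pxor XKEY6, XKEY6;
	pxor XKEY7, XKEY7;
	pxor XSTATE0, XSTATE0;
	pxor XSTATE1, XSTATE1;
	pxor XSTATE2, XSTATE2;
	pxor XSTATE3, XSTATE3;
	pxor XSTATE4, XSTATE4;
	pxor XSTATE5, XSTATE5;
	pxor XSTATE6, XSTATE6;
	pxor XSTATE7, XSTATE7;
.Lskip:
```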
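Review bot: The new `struct whirlpool_tables_s` is effectively a binary interface between whirlpool.c and whirlpool-sse2-amd64.S, yet nothing in its definition says so. The assembly hard-codes `C0` as `RC + (8 * 10)` and each following table `8 * 256` bytes further on, so it depends on R being 10 and on RC being immediately followed by C with no padding. A layout change here would make the assembly read the wrong table entries rather than fail to build. I would add a comment on the struct such as `/* Layout is hard-coded in whirlpool-sse2-amd64.S (RC, C0..C7 offsets); keep both in sync. */`. If the project has a compile-time assertion helper, it could also pin `offsetof (struct whirlpool_tables_s, C)` to `8 * 10`.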
@@ -237,10 +248,7 @@ static const u64 C0[256] = U64_C (0x98985a98b4c22d2c), U64_C (0xa4a4aaa4490e55ed), U64_C (0x2828a0285d885075), U64_C (0x5c5c6d5cda31b886), U64_C (0xf8f8c7f8933fed6b), U64_C (0x8686228644a411c2), - }; - -static const u64 C1[256] = - { + }, { U64_C (0xd818186018c07830), U64_C (0x2623238c2305af46), U64_C (0xb8c6c63fc67ef991), U64_C (0xfbe8e887e8136fcd), U64_C (0xcb878726874ca113), U64_C (0x11b8b8dab8a9626d), @@ -369,10 +377,7 @@ static const u64 C1[256] = U64_C (0x2c98985a98b4c22d), U64_C (0xeda4a4aaa4490e55), U64_C (0x752828a0285d8850), U64_C (0x865c5c6d5cda31b8), U64_C (0x6bf8f8c7f8933fed), U64_C (0xc28686228644a411), - }; - -static const u64 C2[256] = - { + }, { U64_C (0x30d818186018c078), U64_C (0x462623238c2305af), U64_C (0x91b8c6c63fc67ef9), U64_C (0xcdfbe8e887e8136f), U64_C (0x13cb878726874ca1), U64_C (0x6d11b8b8dab8a962), @@ -501,10 +506,7 @@ static const u64 C2[256] = U64_C (0x2d2c98985a98b4c2), U64_C (0x55eda4a4aaa4490e), U64_C (0x50752828a0285d88), U64_C (0xb8865c5c6d5cda31), U64_C (0xed6bf8f8c7f8933f), U64_C (0x11c28686228644a4), - }; - -static const u64 C3[256] = - { + }, { U64_C (0x7830d818186018c0), U64_C (0xaf462623238c2305), U64_C (0xf991b8c6c63fc67e), U64_C (0x6fcdfbe8e887e813), U64_C (0xa113cb878726874c), U64_C (0x626d11b8b8dab8a9), @@ -633,10 +635,7 @@ static const u64 C3[256] = U64_C (0xc22d2c98985a98b4), U64_C (0x0e55eda4a4aaa449), U64_C (0x8850752828a0285d), U64_C (0x31b8865c5c6d5cda), U64_C (0x3fed6bf8f8c7f893), U64_C (0xa411c28686228644), - }; - -static const u64 C4[256] = - { + }, { U64_C (0xc07830d818186018), U64_C (0x05af462623238c23), U64_C (0x7ef991b8c6c63fc6), U64_C (0x136fcdfbe8e887e8), U64_C (0x4ca113cb87872687), U64_C (0xa9626d11b8b8dab8), 
@@ -765,10 +764,7 @@ static const u64 C4[256] = U64_C (0xb4c22d2c98985a98), U64_C (0x490e55eda4a4aaa4), U64_C (0x5d8850752828a028), U64_C (0xda31b8865c5c6d5c), U64_C (0x933fed6bf8f8c7f8), U64_C (0x44a411c286862286), - }; - -static const u64 C5[256] = - { + }, { U64_C (0x18c07830d8181860), U64_C (0x2305af462623238c), U64_C (0xc67ef991b8c6c63f), U64_C (0xe8136fcdfbe8e887), U64_C (0x874ca113cb878726), U64_C (0xb8a9626d11b8b8da), @@ -897,10 +893,7 @@ static const u64 C5[256] = U64_C (0x98b4c22d2c98985a), U64_C (0xa4490e55eda4a4aa), U64_C (0x285d8850752828a0), U64_C (0x5cda31b8865c5c6d), U64_C (0xf8933fed6bf8f8c7), U64_C (0x8644a411c2868622), - }; - -static const u64 C6[256] = - { + }, { U64_C (0x6018c07830d81818), U64_C (0x8c2305af46262323), U64_C (0x3fc67ef991b8c6c6), U64_C (0x87e8136fcdfbe8e8), U64_C (0x26874ca113cb8787), U64_C (0xdab8a9626d11b8b8), @@ -1029,10 +1022,7 @@ static const u64 C6[256] = U64_C (0x5a98b4c22d2c9898), U64_C (0xaaa4490e55eda4a4), U64_C (0xa0285d8850752828), U64_C (0x6d5cda31b8865c5c), U64_C (0xc7f8933fed6bf8f8), U64_C (0x228644a411c28686), - }; - -static const u64 C7[256] = - { + }, { U64_C (0x186018c07830d818), U64_C (0x238c2305af462623), U64_C (0xc63fc67ef991b8c6), U64_C (0xe887e8136fcdfbe8), U64_C (0x8726874ca113cb87), U64_C (0xb8dab8a9626d11b8), @@ -1161,7 +1151,18 @@ static const u64 C7[256] = U64_C (0x985a98b4c22d2c98), U64_C (0xa4aaa4490e55eda4), U64_C (0x28a0285d88507528), U64_C (0x5c6d5cda31b8865c), U64_C (0xf8c7f8933fed6bf8), U64_C (0x86228644a411c286), - }; + } } +}; +#define C tab.C +#define C0 C[0] +#define C1 C[1] +#define C2 C[2] +#define C3 C[3] +#define C4 C[4] +#define C5 C[5] +#define C6 C[6] +#define C7 C[7] +#define rc tab.RC 
@@ -1189,6 +1190,22 @@ whirlpool_init (void *ctx, unsigned int flags) } +#ifdef USE_AMD64_ASM + +extern unsigned int +_gcry_whirlpool_transform_amd64(u64 *state, const unsigned char *data, + size_t nblks, const struct whirlpool_tables_s *tables); + +static unsigned int +whirlpool_transform (void *ctx, const unsigned char *data, size_t nblks) +{ + whirlpool_context_t *context = ctx; + + return _gcry_whirlpool_transform_amd64( + context->hash_state, data, nblks, &tab); +} + +#else /* USE_AMD64_ASM */ /* * Transform block. @@ -1308,6 +1325,8 @@ whirlpool_transform ( void *c, const unsigned char *data, size_t nblks ) return burn; } +#endif /* !USE_AMD64_ASM */ + /* Bug compatibility Whirlpool version. */ static void diff --git a/configure.ac b/configure.ac index 18db662..d14b7f6 100644 --- a/configure.ac +++ b/configure.ac @@ -1943,6 +1943,13 @@ LIST_MEMBER(whirlpool, $enabled_digests) if test "$found" = "1" ; then GCRYPT_DIGESTS="$GCRYPT_DIGESTS whirlpool.lo" AC_DEFINE(USE_WHIRLPOOL, 1, [Defined if this module should be included]) + + case "${host}" in + x86_64-*-*) + # Build with the assembly implementation + GCRYPT_DIGESTS="$GCRYPT_DIGESTS whirlpool-sse2-amd64.lo" + ;; + esac fi # rmd160 and sha1 should be included always. ----------------------------------------------------------------------- Summary of changes: cipher/Makefile.am | 2 +- cipher/whirlpool-sse2-amd64.S | 335 +++++++++++++++++++++++++++++++++++++++++ cipher/whirlpool.c | 91 ++++++----- configure.ac | 7 + 4 files changed, 398 insertions(+), 37 deletions(-) create mode 100644 cipher/whirlpool-sse2-amd64.S hooks/post-receive -- The GNU crypto library http://git.gnupg.org From cvs at cvs.gnupg.org Tue Oct 7 22:20:48 2014 
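Review bot: The `extern` declaration of `_gcry_whirlpool_transform_amd64` in the `@@ -1189` hunk carries no comment, so its contract with the assembly can only be learned by reading the .S file. I would document it where it is declared: `/* Assembly implementation: processes NBLKS blocks of BLOCK_SIZE bytes from DATA, updating STATE with the lookup tables in TABLES. Returns the stack depth to burn. */`. It is also worth stating that the wrapper forwards that return value unchanged, where the C variant returns `burn`. Judging by the `.Lskip` path, the assembly reports the same depth when NBLKS is zero.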
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Tue, 07 Oct 2014 22:20:48 +0200 Subject: [git] gnupg-doc - branch, master, updated. 1e43180ee23ec011709494f906b19125cc39538f Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GnuPG website and other docs". The branch, master has been updated via 1e43180ee23ec011709494f906b19125cc39538f (commit) from 5c72ed8b0c55d9da39b05dcfb8e3dd103b6e883e (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 1e43180ee23ec011709494f906b19125cc39538f Author: Werner Koch Date: Tue Oct 7 22:20:55 2014 +0200 web: Enforce a minimum donation of 4 Euro. diff --git a/cgi/procdonate.cgi b/cgi/procdonate.cgi index 3293b3c..a61c75c 100755 --- a/cgi/procdonate.cgi +++ b/cgi/procdonate.cgi @@ -331,7 +331,17 @@ sub check_donation () $stripeamount = $data{"_amount"}; $amount = $data{"Amount"}; $currency = $data{"Currency"}; - $euroamount = $data{"Euro"} + $euroamount = $data{"Euro"}; + + # Check that at least some Euros are given. Due to Stripe + # processing fees and our own costs for bookkeeping we need to ask + # for a minimum amount. + if ( (not $anyerr) and ($euroamount < 4.00) ) { + $errdict{"amount"} = 'Sorry, due to overhead costs we do' . + ' not accept donations of less than 4 Euro.'; + $anyerr = 1; + } + # Check the mail address if ($mail ne '' and $mail !~ /\S+@\S+\.\S+/ ) { diff --git a/web/donate/kudos.org b/web/donate/kudos.org index e86483e..e3c4a46 100644 --- a/web/donate/kudos.org +++ b/web/donate/kudos.org 
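Review bot: The new minimum check in check_donation compares `$euroamount` numerically without first confirming that it is a number. The `<` operator numifies whatever string `$data{"Euro"}` holds, so a malformed value is judged by how Perl converts it rather than being rejected. Where %data is filled lies outside this hunk, so this matters only if the Euro field can be influenced by the request, which should be confirmed. If it can, I would gate the comparison on an anchored pattern, assuming the field is a plain decimal string: `if ( (not $anyerr) and ($euroamount !~ /\A\d+(?:\.\d+)?\z/ or $euroamount < 4.00) ) {`. It is also worth confirming that the amount actually charged (`$stripeamount`) is tied to the Euro value checked here; check_donation continues past the end of the hunk.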
@@ -31,14 +31,17 @@ | 2011 | 21 | 553 | 465 | | 2012 | 53 | 5991 | 4963 | | 2013 | 148 | 5041 | 4145 | -| 2014 | 66 | 4059 | | +| 2014 | 102 | 4742 | 3985 | |------+-----+-------+----------| -| | 272 | 14829 | 9573 | -#+TBLFM: $LR2=vsum(@I.. at II)::$LR3=vsum(@I.. at II)::$LR4=vsum(@I.. at II) +| | | 16327 | 13558 | +#+TBLFM: $LR3=vsum(@I.. at II)::$LR4=vsum(@I.. at II) + +# In 2014 without the 32641.27 (27429.64) from the Goteo campaign #+HTML:
-The "net" column gives the actual value without VAT and PayPal fees.\\ -Last update: 2014-06-25 +The "net" column gives the actual value without VAT and credit card +fees.\\ +Last update: 2014-10-07 #+HTML:
* Hardware and service donations ----------------------------------------------------------------------- Summary of changes: cgi/procdonate.cgi | 12 +++++++++++- web/donate/kudos.org | 13 ++++++++----- 2 files changed, 19 insertions(+), 6 deletions(-) hooks/post-receive -- The GnuPG website and other docs http://git.gnupg.org From cvs at cvs.gnupg.org Wed Oct 8 14:51:37 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Wed, 08 Oct 2014 14:51:37 +0200 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-120-ga078436 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via a078436be5b656e4a2acfaeb5f054b9991f617e5 (commit) via 5c906e2cdb14e93fb4915fdc69c7353a5fa35709 (commit) from de0ccd4dce7ec185a678d78878d4538dd609ca0f (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit a078436be5b656e4a2acfaeb5f054b9991f617e5 Author: Werner Koch Date: Wed Oct 8 14:42:36 2014 +0200 doc: Fix a configure option name. -- diff --git a/AUTHORS b/AUTHORS index 860dea2..f72a421 100644 --- a/AUTHORS +++ b/AUTHORS @@ -137,7 +137,7 @@ Authors with a DCO ================== Andrei Scherer -2014-0822:BF7CEF794F9.000003F0andsch at inbox.com: +2014-08-22:BF7CEF794F9.000003F0andsch at inbox.com: Christian Aistleitner 2013-02-26:20130226110144.GA12678 at quelltextlich.at: diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index 58671df..63edf06 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi 
@@ -325,7 +325,7 @@ you are cross-compiling, it is useful to set the environment variable then first look for the helper program in the @file{bin} directory below that top directory. An absolute directory name must be used for @code{SYSROOT}. Finally, if the configure command line option - at code{--libgcrypt-prefix} is used, only its value is used for the top + at code{--with-libgcrypt-prefix} is used, only its value is used for the top directory below which the helper script is expected. @end defmac commit 5c906e2cdb14e93fb4915fdc69c7353a5fa35709 Author: Werner Koch Date: Wed Oct 8 14:41:21 2014 +0200 Fix prime test for 2 and lower and add check command to mpicalc. * cipher/primegen.c (check_prime): Return true for the small primes. (_gcry_prime_check): Return correct values for 2 and lower numbers. * src/mpicalc.c (do_primecheck): New. (main): Add command 'P'. (main): Allow for larger input data. diff --git a/cipher/primegen.c b/cipher/primegen.c index 14a5ccf..ce6db8d 100644 --- a/cipher/primegen.c +++ b/cipher/primegen.c @@ -868,7 +868,7 @@ check_prime( gcry_mpi_t prime, gcry_mpi_t val_2, int rm_rounds, for (i=0; (x = small_prime_numbers[i]); i++ ) { if ( mpi_divisible_ui( prime, x ) ) - return 0; + return !mpi_cmp_ui (prime, x); } /* A quick Fermat test. */ 
@@ -1169,19 +1169,20 @@ _gcry_prime_generate (gcry_mpi_t *prime, unsigned int prime_bits, gcry_err_code_t _gcry_prime_check (gcry_mpi_t x, unsigned int flags) { - gcry_err_code_t rc = 0; - gcry_mpi_t val_2 = mpi_alloc_set_ui (2); /* Used by the Fermat test. */ - (void)flags; + switch (mpi_cmp_ui (x, 2)) + { + case 0: return 0; /* 2 is a prime */ + case -1: return GPG_ERR_NO_PRIME; /* Only numbers > 1 are primes. */ + } + /* We use 64 rounds because the prime we are going to test is not guaranteed to be a random one. */ - if (! check_prime (x, val_2, 64, NULL, NULL)) - rc = GPG_ERR_NO_PRIME; - - mpi_free (val_2); + if (check_prime (x, mpi_const (MPI_C_TWO), 64, NULL, NULL)) + return 0; - return rc; + return GPG_ERR_NO_PRIME; } /* Find a generator for PRIME where the factorization of (prime-1) is diff --git a/src/mpicalc.c b/src/mpicalc.c index b2b4335..f1fbbef 100644 --- a/src/mpicalc.c +++ b/src/mpicalc.c @@ -254,6 +254,23 @@ do_nbits (void) } +static void +do_primecheck (void) +{ + gpg_error_t err; + + if (stackidx < 1) + { + fputs ("stack underflow\n", stderr); + return; + } + err = gcry_prime_check (stack[stackidx - 1], 0); + mpi_set_ui (stack[stackidx - 1], !err); + if (err && gpg_err_code (err) != GPG_ERR_NO_PRIME) + fprintf (stderr, "checking prime failed: %s\n", gpg_strerror (err)); +} + + static int my_getc (void) { @@ -295,6 +312,7 @@ print_help (void) "d dup item [-1] := [0] {+1}\n" "r reverse [0] := [1], [1] := [0] {0}\n" "b # of bits [0] := nbits([0]) {0}\n" + "P prime check [0] := is_prime([0])?1:0 {0}\n" "c clear stack\n" "p print top item\n" "f print the stack\n" @@ -313,7 +331,7 @@ main (int argc, char **argv) int print_config = 0; int i, c; int state = 0; - char strbuf[1000]; + char strbuf[4096]; int stridx = 0; if (argc) 
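Review bot: In `_gcry_prime_check`, the `case -1:` label relies on `mpi_cmp_ui` returning exactly -1 for "less than", which is an implementation detail the hunk does not show. If it ever returns another negative value, 0, 1 and negative inputs fall through to `check_prime`, whose small-prime loop now returns `!mpi_cmp_ui (prime, x)`. An explicit comparison is harder to break: `int c = mpi_cmp_ui (x, 2); if (!c) return 0; if (c < 0) return GPG_ERR_NO_PRIME;`. The same hunk is repeated in the LIBGCRYPT-1-6-BRANCH cherry-pick further down.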
@@ -508,6 +526,9 @@ main (int argc, char **argv) case 'b': do_nbits (); break; + case 'P': + do_primecheck (); + break; case 'c': for (i = 0; i < stackidx; i++) { ----------------------------------------------------------------------- Summary of changes: AUTHORS | 2 +- cipher/primegen.c | 19 ++++++++++--------- doc/gcrypt.texi | 2 +- src/mpicalc.c | 23 ++++++++++++++++++++++- 4 files changed, 34 insertions(+), 12 deletions(-) hooks/post-receive -- The GNU crypto library http://git.gnupg.org From cvs at cvs.gnupg.org Wed Oct 8 14:54:48 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Wed, 08 Oct 2014 14:54:48 +0200 Subject: [git] GCRYPT - branch, LIBGCRYPT-1-6-BRANCH, updated. libgcrypt-1.6.2-4-g0c2d144 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, LIBGCRYPT-1-6-BRANCH has been updated via 0c2d1443124dc6e65bd7f980f79aa2a6e33a82da (commit) from d4b86782debb93773ed1ccb9f8c1a230ff6e84f8 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 0c2d1443124dc6e65bd7f980f79aa2a6e33a82da Author: Werner Koch Date: Wed Oct 8 14:41:21 2014 +0200 Fix prime test for 2 and lower and add check command to mpicalc. * cipher/primegen.c (check_prime): Return true for the small primes. (_gcry_prime_check): Return correct values for 2 and lower numbers. * src/mpicalc.c (do_primecheck): New. (main): Add command 'P'. (main): Allow for larger input data. -- (cherry picked from commit 5c906e2cdb14e93fb4915fdc69c7353a5fa35709) diff --git a/cipher/primegen.c b/cipher/primegen.c index dd1f2ea..e46bf18 100644 --- a/cipher/primegen.c +++ b/cipher/primegen.c 
@@ -882,7 +882,7 @@ check_prime( gcry_mpi_t prime, gcry_mpi_t val_2, int rm_rounds, for (i=0; (x = small_prime_numbers[i]); i++ ) { if ( mpi_divisible_ui( prime, x ) ) - return 0; + return !mpi_cmp_ui (prime, x); } /* A quick Fermat test. */ @@ -1183,19 +1183,20 @@ _gcry_prime_generate (gcry_mpi_t *prime, unsigned int prime_bits, gcry_err_code_t _gcry_prime_check (gcry_mpi_t x, unsigned int flags) { - gcry_err_code_t rc = 0; - gcry_mpi_t val_2 = mpi_alloc_set_ui (2); /* Used by the Fermat test. */ - (void)flags; + switch (mpi_cmp_ui (x, 2)) + { + case 0: return 0; /* 2 is a prime */ + case -1: return GPG_ERR_NO_PRIME; /* Only numbers > 1 are primes. */ + } + /* We use 64 rounds because the prime we are going to test is not guaranteed to be a random one. */ - if (! check_prime (x, val_2, 64, NULL, NULL)) - rc = GPG_ERR_NO_PRIME; - - mpi_free (val_2); + if (check_prime (x, mpi_const (MPI_C_TWO), 64, NULL, NULL)) + return 0; - return rc; + return GPG_ERR_NO_PRIME; } /* Find a generator for PRIME where the factorization of (prime-1) is diff --git a/src/mpicalc.c b/src/mpicalc.c index b2b4335..f1fbbef 100644 --- a/src/mpicalc.c +++ b/src/mpicalc.c @@ -254,6 +254,23 @@ do_nbits (void) } +static void +do_primecheck (void) +{ + gpg_error_t err; + + if (stackidx < 1) + { + fputs ("stack underflow\n", stderr); + return; + } + err = gcry_prime_check (stack[stackidx - 1], 0); + mpi_set_ui (stack[stackidx - 1], !err); + if (err && gpg_err_code (err) != GPG_ERR_NO_PRIME) + fprintf (stderr, "checking prime failed: %s\n", gpg_strerror (err)); +} + + static int my_getc (void) { @@ -295,6 +312,7 @@ print_help (void) "d dup item [-1] := [0] {+1}\n" "r reverse [0] := [1], [1] := [0] {0}\n" "b # of bits [0] := nbits([0]) {0}\n" + "P prime check [0] := is_prime([0])?1:0 {0}\n" "c clear stack\n" "p print top item\n" "f print the stack\n" 
@@ -313,7 +331,7 @@ main (int argc, char **argv) int print_config = 0; int i, c; int state = 0; - char strbuf[1000]; + char strbuf[4096]; int stridx = 0; if (argc) @@ -508,6 +526,9 @@ main (int argc, char **argv) case 'b': do_nbits (); break; + case 'P': + do_primecheck (); + break; case 'c': for (i = 0; i < stackidx; i++) { ----------------------------------------------------------------------- Summary of changes: cipher/primegen.c | 19 ++++++++++--------- src/mpicalc.c | 23 ++++++++++++++++++++++- 2 files changed, 32 insertions(+), 10 deletions(-) hooks/post-receive -- The GNU crypto library http://git.gnupg.org From cvs at cvs.gnupg.org Wed Oct 8 15:01:15 2014 
From: cvs at cvs.gnupg.org (by Markus Teich) Date: Wed, 08 Oct 2014 15:01:15 +0200 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-121-g23ecadf Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via 23ecadf309f8056c35cc092e58df801ac0eab862 (commit) from a078436be5b656e4a2acfaeb5f054b9991f617e5 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 23ecadf309f8056c35cc092e58df801ac0eab862 Author: Markus Teich Date: Tue Oct 7 18:24:27 2014 +0200 mpi: Add gcry_mpi_ec_sub. * NEWS (gcry_mpi_ec_sub): New. * doc/gcrypt.texi (gcry_mpi_ec_sub): New. * mpi/ec.c (_gcry_mpi_ec_sub, sub_points_edwards): New. (sub_points_montgomery, sub_points_weierstrass): New stubs. * src/gcrypt-int.h (_gcry_mpi_ec_sub): New. * src/gcrypt.h.in (gcry_mpi_ec_sub): New. * src/libgcrypt.def (gcry_mpi_ec_sub): New. * src/libgcrypt.vers (gcry_mpi_ec_sub): New. * src/mpi.h (_gcry_mpi_ec_sub_points): New. * src/visibility.c (gcry_mpi_ec_sub): New. * src/visibility.h (gcry_mpi_ec_sub): New. -- This function subtracts two points on the curve. Only Twisted Edwards curves are supported with this change. Signed-off-by: Markus Teich diff --git a/NEWS b/NEWS index 214c676..0150fdd 100644 --- a/NEWS +++ b/NEWS @@ -29,6 +29,7 @@ Noteworthy changes in version 1.7.0 (unreleased) GCRYCTL_SET_SBOX NEW. gcry_cipher_set_sbox NEW macro. GCRY_MD_GOSTR3411_CP NEW. + gcry_mpi_ec_sub NEW. Noteworthy changes in version 1.6.0 (2013-12-16) diff --git a/doc/gcrypt.texi b/doc/gcrypt.texi index 63edf06..108d53a 100644 --- a/doc/gcrypt.texi +++ b/doc/gcrypt.texi 
@@ -4806,6 +4806,15 @@ Add the points @var{u} and @var{v} of the elliptic curve described by @var{ctx} and store the result into @var{w}. @end deftypefun + at deftypefun void gcry_mpi_ec_sub ( @ + @w{gcry_mpi_point_t @var{w}}, @w{gcry_mpi_point_t @var{u}}, @ + @w{gcry_mpi_point_t @var{v}}, @w{gcry_ctx_t @var{ctx}}) + +Subtracts the point @var{v} from the point @var{u} of the elliptic +curve described by @var{ctx} and store the result into @var{w}. Only +Twisted Edwards curves are supported for now. + at end deftypefun + @deftypefun void gcry_mpi_ec_mul ( @ @w{gcry_mpi_point_t @var{w}}, @w{gcry_mpi_t @var{n}}, @ @w{gcry_mpi_point_t @var{u}}, @w{gcry_ctx_t @var{ctx}}) diff --git a/mpi/ec.c b/mpi/ec.c index a55291a..80f3b22 100644 --- a/mpi/ec.c +++ b/mpi/ec.c 
@@ -1131,6 +1131,71 @@ _gcry_mpi_ec_add_points (mpi_point_t result, } +/* RESULT = P1 - P2 (Weierstrass version).*/ +static void +sub_points_weierstrass (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + (void)result; + (void)p1; + (void)p2; + (void)ctx; + log_fatal ("%s: %s not yet supported\n", + "_gcry_mpi_ec_sub_points", "Weierstrass"); +} + + +/* RESULT = P1 - P2 (Montgomery version).*/ +static void +sub_points_montgomery (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + (void)result; + (void)p1; + (void)p2; + (void)ctx; + log_fatal ("%s: %s not yet supported\n", + "_gcry_mpi_ec_sub_points", "Montgomery"); +} + + +/* RESULT = P1 - P2 (Twisted Edwards version).*/ +static void +sub_points_edwards (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + mpi_point_t p2i = _gcry_mpi_point_new (0); + point_set (p2i, p2); + _gcry_mpi_neg (p2i->x, p2i->x); + add_points_edwards (result, p1, p2i, ctx); + _gcry_mpi_point_release (p2i); +} + + +/* RESULT = P1 - P2 */ +void +_gcry_mpi_ec_sub_points (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx) +{ + switch (ctx->model) + { + case MPI_EC_WEIERSTRASS: + sub_points_weierstrass (result, p1, p2, ctx); + break; + case MPI_EC_MONTGOMERY: + sub_points_montgomery (result, p1, p2, ctx); + break; + case MPI_EC_EDWARDS: + sub_points_edwards (result, p1, p2, ctx); + break; + } +} + + /* Scalar point multiplication - the main function for ECC. If takes an integer SCALAR and a POINT as well as the usual context CTX. RESULT will be set to the resulting point. */ diff --git a/src/gcrypt-int.h b/src/gcrypt-int.h index 8a6df84..918937b 100644 --- a/src/gcrypt-int.h +++ b/src/gcrypt-int.h 
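Review bot: In `sub_points_edwards`, `_gcry_mpi_neg (p2i->x, p2i->x)` leaves the x coordinate as a negative MPI instead of the field element p - x. Whether `add_points_edwards` reduces a negative coordinate correctly everywhere cannot be seen from this hunk, and `result` would be affected if any step compares or copies the coordinate before reducing it. Keeping the value inside the field avoids that dependency: `mpi_sub (p2i->x, ctx->p, p2i->x);`, with a reduction afterwards if x may be zero. A one-line comment stating that negation on a twisted Edwards curve is (x, y) -> (-x, y) would also help the next reader.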
@@ -430,6 +430,8 @@ int _gcry_mpi_ec_get_affine (gcry_mpi_t x, gcry_mpi_t y, gcry_mpi_point_t point, void _gcry_mpi_ec_dup (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_ctx_t ctx); void _gcry_mpi_ec_add (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_mpi_point_t v, mpi_ec_t ctx); +void _gcry_mpi_ec_sub (gcry_mpi_point_t w, + gcry_mpi_point_t u, gcry_mpi_point_t v, mpi_ec_t ctx); void _gcry_mpi_ec_mul (gcry_mpi_point_t w, gcry_mpi_t n, gcry_mpi_point_t u, mpi_ec_t ctx); int _gcry_mpi_ec_curve_point (gcry_mpi_point_t w, mpi_ec_t ctx); diff --git a/src/gcrypt.h.in b/src/gcrypt.h.in index 65d9ef6..f3207c9 100644 --- a/src/gcrypt.h.in +++ b/src/gcrypt.h.in @@ -704,6 +704,10 @@ void gcry_mpi_ec_dup (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_ctx_t ctx); void gcry_mpi_ec_add (gcry_mpi_point_t w, gcry_mpi_point_t u, gcry_mpi_point_t v, gcry_ctx_t ctx); +/* W = U - V. */ +void gcry_mpi_ec_sub (gcry_mpi_point_t w, + gcry_mpi_point_t u, gcry_mpi_point_t v, gcry_ctx_t ctx); + /* W = N * U. */ void gcry_mpi_ec_mul (gcry_mpi_point_t w, gcry_mpi_t n, gcry_mpi_point_t u, gcry_ctx_t ctx); diff --git a/src/libgcrypt.def b/src/libgcrypt.def index 57ed490..924f17f 100644 --- a/src/libgcrypt.def +++ b/src/libgcrypt.def @@ -276,5 +276,7 @@ EXPORTS gcry_mac_ctl @242 gcry_mac_get_algo @243 + gcry_mpi_ec_sub @244 + ;; end of file with public symbols for Windows. diff --git a/src/libgcrypt.vers b/src/libgcrypt.vers index 7ee0541..7e8df3f 100644 --- a/src/libgcrypt.vers +++ b/src/libgcrypt.vers @@ -105,7 +105,7 @@ GCRYPT_1.6 { gcry_mpi_ec_get_mpi; gcry_mpi_ec_get_point; gcry_mpi_ec_set_mpi; gcry_mpi_ec_set_point; gcry_mpi_ec_get_affine; - gcry_mpi_ec_dup; gcry_mpi_ec_add; gcry_mpi_ec_mul; + gcry_mpi_ec_dup; gcry_mpi_ec_add; gcry_mpi_ec_sub; gcry_mpi_ec_mul; gcry_mpi_ec_curve_point; gcry_log_debug; diff --git a/src/mpi.h b/src/mpi.h index 7407b7f..13b5117 100644 --- a/src/mpi.h +++ b/src/mpi.h 
@@ -286,6 +286,9 @@ void _gcry_mpi_ec_dup_point (mpi_point_t result, void _gcry_mpi_ec_add_points (mpi_point_t result, mpi_point_t p1, mpi_point_t p2, mpi_ec_t ctx); +void _gcry_mpi_ec_sub_points (mpi_point_t result, + mpi_point_t p1, mpi_point_t p2, + mpi_ec_t ctx); void _gcry_mpi_ec_mul_point (mpi_point_t result, gcry_mpi_t scalar, mpi_point_t point, mpi_ec_t ctx); diff --git a/src/visibility.c b/src/visibility.c index 6ed57ca..fa23e53 100644 --- a/src/visibility.c +++ b/src/visibility.c @@ -567,6 +567,14 @@ gcry_mpi_ec_add (gcry_mpi_point_t w, } void +gcry_mpi_ec_sub (gcry_mpi_point_t w, + gcry_mpi_point_t u, gcry_mpi_point_t v, gcry_ctx_t ctx) +{ + _gcry_mpi_ec_sub_points (w, u, v, + _gcry_ctx_get_pointer (ctx, CONTEXT_TYPE_EC)); +} + +void gcry_mpi_ec_mul (gcry_mpi_point_t w, gcry_mpi_t n, gcry_mpi_point_t u, gcry_ctx_t ctx) { diff --git a/src/visibility.h b/src/visibility.h index 96b5235..fa3c763 100644 --- a/src/visibility.h +++ b/src/visibility.h @@ -218,6 +218,7 @@ MARK_VISIBLEX (gcry_mpi_copy) MARK_VISIBLEX (gcry_mpi_div) MARK_VISIBLEX (gcry_mpi_dump) MARK_VISIBLEX (gcry_mpi_ec_add) +MARK_VISIBLEX (gcry_mpi_ec_sub) MARK_VISIBLEX (gcry_mpi_ec_curve_point) MARK_VISIBLEX (gcry_mpi_ec_dup) MARK_VISIBLEX (gcry_mpi_ec_get_affine) 
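Review bot: The public `gcry_mpi_ec_sub` wrapper in src/visibility.c returns void and forwards any EC context to `_gcry_mpi_ec_sub_points`, which in the mpi/ec.c part of this commit ends in `log_fatal` for the Weierstrass and Montgomery models. An application that passes a context for a non-Edwards curve therefore gets the library's fatal-error path rather than an error it can handle, and the texinfo text only says such curves are not supported "for now". Since the signature cannot report failure, I would state the consequence where callers read it, e.g. in src/gcrypt.h.in: `/* W = U - V.  Only Twisted Edwards curves; other curve models end in log_fatal.  */`.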
@@ -486,6 +487,7 @@ MARK_VISIBLEX (_gcry_mpi_get_const) #define gcry_mpi_abs _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_add _gcry_USE_THE_UNDERSCORED_FUNCTION +#define gcry_mpi_ec_sub _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_curve_point _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_dup _gcry_USE_THE_UNDERSCORED_FUNCTION #define gcry_mpi_ec_get_affine _gcry_USE_THE_UNDERSCORED_FUNCTION ----------------------------------------------------------------------- Summary of changes: NEWS | 1 + doc/gcrypt.texi | 9 ++++++++ mpi/ec.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++ src/gcrypt-int.h | 2 ++ src/gcrypt.h.in | 4 ++++ src/libgcrypt.def | 2 ++ src/libgcrypt.vers | 2 +- src/mpi.h | 3 +++ src/visibility.c | 8 +++++++ src/visibility.h | 2 ++ 10 files changed, 97 insertions(+), 1 deletion(-) hooks/post-receive -- The GNU crypto library http://git.gnupg.org From cvs at cvs.gnupg.org Wed Oct 8 21:45:02 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Wed, 08 Oct 2014 21:45:02 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta864-2-g3ae6afc Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 3ae6afc1336d42bd95fa0b7f5f83bd299ae26b97 (commit) from 0c52bfa3955b629038a6ac42c48356b88fce181e (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 3ae6afc1336d42bd95fa0b7f5f83bd299ae26b97 Author: Werner Koch Date: Wed Oct 8 21:40:34 2014 +0200 gpg: Avoid error exit if keygrip computations fails in a key listing. * g10/keyid.c (keygrip_from_pk): Use log_info and clear array on error. -- This may happen due to algorithms or curves not supported by Libgcrypt. We should only print a warning and not have gpg return with failure for a secret key listing. Signed-off-by: Werner Koch diff --git a/g10/keyid.c b/g10/keyid.c index 94900bd..3b4c10c 100644 --- a/g10/keyid.c +++ b/g10/keyid.c @@ -854,7 +854,8 @@ keygrip_from_pk (PKT_public_key *pk, unsigned char *array) if (!gcry_pk_get_keygrip (s_pkey, array)) { - log_error ("error computing keygrip\n"); + log_info ("error computing keygrip\n"); + memset (array, 0, 20); err = gpg_error (GPG_ERR_GENERAL); } else ----------------------------------------------------------------------- Summary of changes: g10/keyid.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Thu Oct 9 08:31:40 2014 
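Review bot: In `keygrip_from_pk`, `memset (array, 0, 20);` hard-codes the keygrip length and writes through a bare `unsigned char *array`, so it depends on every caller passing at least 20 bytes. The hunk does not show how callers size that buffer, and the function body starts and continues outside it. I would use a named constant for the length, or at least document the contract above the function: `/* ARRAY must provide room for 20 bytes; on error it is cleared so that callers never see stale data.  */`. Callers that ignore the returned error now see an all-zero keygrip, which is worth mentioning in the same comment.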
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Thu, 09 Oct 2014 08:31:40 +0200 Subject: [git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-122-g669a83b Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU crypto library". The branch, master has been updated via 669a83ba86c38b271d85ed4bf1cabc7cc8160583 (commit) from 23ecadf309f8056c35cc092e58df801ac0eab862 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 669a83ba86c38b271d85ed4bf1cabc7cc8160583 Author: Werner Koch Date: Thu Oct 9 08:31:35 2014 +0200 Register DCO for Markus Teich -- diff --git a/AUTHORS b/AUTHORS index f72a421..e186a48 100644 --- a/AUTHORS +++ b/AUTHORS @@ -157,6 +157,9 @@ Jussi Kivilinna Jussi Kivilinna 2013-05-06:5186720A.4090101 at iki.fi: +Markus Teich +2014-10-08:20141008180509.GA2770 at trolle: + Milan Broz 2014-01-13:52D44CC6.4050707 at gmail.com: ----------------------------------------------------------------------- Summary of changes: AUTHORS | 3 +++ 1 file changed, 3 insertions(+) hooks/post-receive -- The GNU crypto library http://git.gnupg.org From cvs at cvs.gnupg.org Thu Oct 9 21:04:49 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Thu, 09 Oct 2014 21:04:49 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta864-9-g2ca90f7 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 2ca90f78cee91c43b8d538d1cb92728f8e1452d5 (commit) via 60e21d8b85888b8c9ea15c70268f98d780fdf5fb (commit) via b6507bb80e4e4aa5c85a918fdcf5c28cccb75081 (commit) via ec332d58efc50f6508b87fc9f51db68c39cee044 (commit) via d8c01d826f919dd2faa73fe5692e0d3da235846d (commit) via 6be5c4febc2ec484f049ed743bca08fa9da44590 (commit) via 27fe067efea883629354450a042ad09e47d90ff8 (commit) from 3ae6afc1336d42bd95fa0b7f5f83bd299ae26b97 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 2ca90f78cee91c43b8d538d1cb92728f8e1452d5 Author: Werner Koch Date: Thu Oct 9 21:01:49 2014 +0200 gpg: Skip overlong keys and a print a warning. * kbx/keybox-search.c (keybox_search): Add arg r_skipped and skip too long blobs. * sm/keydb.c (keydb_search): Call keybox_search with a dummy param. * g10/keydb.c (struct keydb_handle): Add field skipped_long_blobs. (keydb_search_reset): Reset that field. (keydb_search): Update that field. (keydb_get_skipped_counter): New. * g10/keylist.c (list_all): Print count of skipped keys. Signed-off-by: Werner Koch diff --git a/g10/keydb.c b/g10/keydb.c index a387951..a9a9753 100644 --- a/g10/keydb.c +++ b/g10/keydb.c @@ -67,6 +67,7 @@ struct keydb_handle { int locked; int found; + unsigned long skipped_long_blobs; int current; int used; /* Number of items in ACTIVE. */ struct resource_item active[MAX_KEYDB_RESOURCES]; 
@@ -1289,6 +1290,13 @@ keydb_rebuild_caches (int noisy) } +/* Return the number of skipped blocks since the last search reset. */ +unsigned long +keydb_get_skipped_counter (KEYDB_HANDLE hd) +{ + return hd ? hd->skipped_long_blobs : 0; +} + /* * Start the next search on this handle right at the beginning @@ -1307,6 +1315,7 @@ keydb_search_reset (KEYDB_HANDLE hd) if (DBG_CLOCK) log_clock ("keydb_search_reset"); + hd->skipped_long_blobs = 0; hd->current = 0; hd->found = -1; /* Now reset all resources. */ @@ -1424,7 +1433,7 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc, break; case KEYDB_RESOURCE_TYPE_KEYBOX: rc = keybox_search (hd->active[hd->current].u.kb, desc, - ndesc, descindex); + ndesc, descindex, &hd->skipped_long_blobs); break; } if (rc == -1 || gpg_err_code (rc) == GPG_ERR_EOF) diff --git a/g10/keydb.h b/g10/keydb.h index 23d0bcc..78d151a 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -142,6 +142,7 @@ gpg_error_t keydb_insert_keyblock (KEYDB_HANDLE hd, kbnode_t kb); gpg_error_t keydb_delete_keyblock (KEYDB_HANDLE hd); gpg_error_t keydb_locate_writable (KEYDB_HANDLE hd, const char *reserved); void keydb_rebuild_caches (int noisy); +unsigned long keydb_get_skipped_counter (KEYDB_HANDLE hd); gpg_error_t keydb_search_reset (KEYDB_HANDLE hd); gpg_error_t keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc, size_t ndesc, size_t *descindex); diff --git a/g10/keylist.c b/g10/keylist.c index 4a02820..b5ea84d 100644 --- a/g10/keylist.c +++ b/g10/keylist.c @@ -499,6 +499,9 @@ list_all (int secret, int mark_secret) es_fflush (es_stdout); if (rc && gpg_err_code (rc) != GPG_ERR_NOT_FOUND) log_error ("keydb_search_next failed: %s\n", g10_errstr (rc)); + if (keydb_get_skipped_counter (hd)) + log_info (_("Warning: %lu key(s) skipped due to their large size\n"), + keydb_get_skipped_counter (hd)); if (opt.check_sigs && !opt.with_colons) print_signature_stats (&stats); diff --git a/kbx/keybox-search.c b/kbx/keybox-search.c index ba284f9..bf47042 100644 
--- a/kbx/keybox-search.c +++ b/kbx/keybox-search.c @@ -718,10 +718,12 @@ keybox_search_reset (KEYBOX_HANDLE hd) /* Note: When in ephemeral mode the search function does visit all - blobs but in standard mode, blobs flagged as ephemeral are ignored. */ + blobs but in standard mode, blobs flagged as ephemeral are ignored. + The value at R_SKIPPED is updated by the number of skipped long + records (counts PGP and X.509). */ int keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc, - size_t *r_descindex) + size_t *r_descindex, unsigned long *r_skipped) { int rc; size_t n; @@ -852,6 +854,13 @@ keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc, _keybox_release_blob (blob); blob = NULL; rc = _keybox_read_blob (&blob, hd->fp); + if (gpg_err_code (rc) == GPG_ERR_TOO_LARGE + && gpg_err_source (rc) == GPG_ERR_SOURCE_KEYBOX) + { + ++*r_skipped; + continue; /* Skip too large records. */ + } + if (rc) break; diff --git a/kbx/keybox.h b/kbx/keybox.h index 9067fb8..b44f1b2 100644 --- a/kbx/keybox.h +++ b/kbx/keybox.h @@ -87,7 +87,7 @@ int keybox_get_flags (KEYBOX_HANDLE hd, int what, int idx, unsigned int *value); int keybox_search_reset (KEYBOX_HANDLE hd); int keybox_search (KEYBOX_HANDLE hd, KEYBOX_SEARCH_DESC *desc, size_t ndesc, - size_t *r_descindex); + size_t *r_descindex, unsigned long *r_skipped); /*-- keybox-update.c --*/ diff --git a/sm/keydb.c b/sm/keydb.c index fb0947a..83e573f 100644 --- a/sm/keydb.c +++ b/sm/keydb.c @@ -958,6 +958,7 @@ int keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc, size_t ndesc) { int rc = -1; + unsigned long skipped; if (!hd) return gpg_error (GPG_ERR_INV_VALUE); 
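Review bot: In `keybox_search`, `++*r_skipped;` dereferences the new argument unconditionally, while the neighbouring `r_descindex` may be NULL (sm/keydb.c passes NULL for it in this same commit). To satisfy that, the sm/keydb.c hunk passes the address of `unsigned long skipped;`, which is never initialised, so the increment reads an indeterminate value. I would make the argument optional with `if (r_skipped) ++*r_skipped;` and either pass NULL from sm/keydb.c or declare `unsigned long skipped = 0;`. The loop that the added `continue` belongs to starts outside the hunk.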
@@ -970,7 +971,8 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc, size_t ndesc) BUG(); /* we should never see it here */ break; case KEYDB_RESOURCE_TYPE_KEYBOX: - rc = keybox_search (hd->active[hd->current].u.kr, desc, ndesc, NULL); + rc = keybox_search (hd->active[hd->current].u.kr, desc, ndesc, + NULL, &skipped); break; } if (rc == -1) /* EOF -> switch to next resource */ commit 60e21d8b85888b8c9ea15c70268f98d780fdf5fb Author: Werner Koch Date: Thu Oct 9 20:57:02 2014 +0200 gpg: Sync keylist output and warning messages. * g10/keylist.c (list_all): Flush stdout before logging. * g10/misc.c (print_pubkey_algo_note): Ditto. (print_cipher_algo_note): Ditto. (print_digest_algo_note): Ditto. (print_md5_rejected_note): Ditto. Signed-off-by: Werner Koch diff --git a/g10/keylist.c b/g10/keylist.c index 3649475..4a02820 100644 --- a/g10/keylist.c +++ b/g10/keylist.c @@ -496,6 +496,7 @@ list_all (int secret, int mark_secret) keyblock = NULL; } while (!(rc = keydb_search_next (hd))); + es_fflush (es_stdout); if (rc && gpg_err_code (rc) != GPG_ERR_NOT_FOUND) log_error ("keydb_search_next failed: %s\n", g10_errstr (rc)); diff --git a/g10/misc.c b/g10/misc.c index 320e8af..c47d6dc 100644 --- a/g10/misc.c +++ b/g10/misc.c @@ -298,12 +298,14 @@ print_pubkey_algo_note (pubkey_algo_t algo) if(!warn) { warn=1; + es_fflush (es_stdout); log_info (_("WARNING: using experimental public key algorithm %s\n"), openpgp_pk_algo_name (algo)); } } else if (algo == PUBKEY_ALGO_ELGAMAL) { + es_fflush (es_stdout); log_info (_("WARNING: Elgamal sign+encrypt keys are deprecated\n")); } } @@ -317,6 +319,7 @@ print_cipher_algo_note (cipher_algo_t algo) if(!warn) { warn=1; + es_fflush (es_stdout); log_info (_("WARNING: using experimental cipher algorithm %s\n"), openpgp_cipher_algo_name (algo)); } 
@@ -332,13 +335,17 @@ print_digest_algo_note (digest_algo_t algo) if(!warn) { warn=1; + es_fflush (es_stdout); log_info (_("WARNING: using experimental digest algorithm %s\n"), gcry_md_algo_name (algo)); } } else if(algo==DIGEST_ALGO_MD5) - log_info (_("WARNING: digest algorithm %s is deprecated\n"), - gcry_md_algo_name (algo)); + { + es_fflush (es_stdout); + log_info (_("WARNING: digest algorithm %s is deprecated\n"), + gcry_md_algo_name (algo)); + } } @@ -349,6 +356,7 @@ print_md5_rejected_note (void) if (!shown) { + es_fflush (es_stdout); log_info (_("Note: signatures using the %s algorithm are rejected\n"), "MD5"); commit b6507bb80e4e4aa5c85a918fdcf5c28cccb75081 Author: Werner Koch Date: Thu Oct 9 20:19:05 2014 +0200 kbx: Fix handling of overlong keys. * kbx/keybox-file.c (IMAGELEN_LIMIT): Change limit from 10^6 to 2MiB. (_keybox_read_blob2): Skip too long record records. (_keybox_write_blob): Do not accept too long record. * kbx/keybox-dump.c (file_stats_s): Add field skipped_long_blobs. (_keybox_dump_file): Print new counter. (_keybox_dump_file): Skip too long records. ---- To test this feature you may set the limit back to 1MiB and use key F7F0E70F307D56ED which is in my local copy close to 2MiB. Without this patch it was possible to import the key but access to that key and all keys stored after it was not possible. Signed-off-by: Werner Koch diff --git a/kbx/keybox-dump.c b/kbx/keybox-dump.c index bfe7b48..dfa8200 100644 --- a/kbx/keybox-dump.c +++ b/kbx/keybox-dump.c @@ -491,6 +491,7 @@ struct file_stats_s unsigned long non_flagged; unsigned long secret_flagged; unsigned long ephemeral_flagged; + unsigned long skipped_long_blobs; }; static int 
@@ -594,8 +595,25 @@ _keybox_dump_file (const char *filename, int stats_only, FILE *outfp) if (!(fp = open_file (&filename, outfp))) return gpg_error_from_syserror (); - while ( !(rc = _keybox_read_blob (&blob, fp)) ) + for (;;) { + rc = _keybox_read_blob (&blob, fp); + if (gpg_err_code (rc) == GPG_ERR_TOO_LARGE + && gpg_err_source (rc) == GPG_ERR_SOURCE_KEYBOX) + { + if (stats_only) + stats.skipped_long_blobs++; + else + { + fprintf (outfp, "BEGIN-RECORD: %lu\n", count ); + fprintf (outfp, "# Record too large\nEND-RECORD\n"); + } + count++; + continue; + } + if (rc) + break; + if (stats_only) { update_stats (blob, &stats); @@ -612,7 +630,7 @@ _keybox_dump_file (const char *filename, int stats_only, FILE *outfp) if (rc == -1) rc = 0; if (rc) - fprintf (outfp, "error reading '%s': %s\n", filename, gpg_strerror (rc)); + fprintf (outfp, "# error reading '%s': %s\n", filename, gpg_strerror (rc)); if (fp != stdin) fclose (fp); @@ -636,14 +654,17 @@ _keybox_dump_file (const char *filename, int stats_only, FILE *outfp) stats.non_flagged, stats.secret_flagged, stats.ephemeral_flagged); + if (stats.skipped_long_blobs) + fprintf (outfp, " skipped long blobs: %8lu\n", + stats.skipped_long_blobs); if (stats.unknown_blob_count) fprintf (outfp, " unknown blob types: %8lu\n", stats.unknown_blob_count); if (stats.too_short_blobs) - fprintf (outfp, " too short blobs: %8lu\n", + fprintf (outfp, " too short blobs: %8lu (error)\n", stats.too_short_blobs); if (stats.too_large_blobs) - fprintf (outfp, " too large blobs: %8lu\n", + fprintf (outfp, " too large blobs: %8lu (error)\n", stats.too_large_blobs); } diff --git a/kbx/keybox-file.c b/kbx/keybox-file.c index def896b..1ed5169 100644 --- a/kbx/keybox-file.c +++ b/kbx/keybox-file.c @@ -27,6 +27,9 @@ #include "keybox-defs.h" +#define IMAGELEN_LIMIT (2*1024*1024) + + #if !defined(HAVE_FTELLO) && !defined(ftello) static off_t ftello (FILE *stream) 
@@ -75,9 +78,6 @@ _keybox_read_blob2 (KEYBOXBLOB *r_blob, FILE *fp, int *skipped_deleted) } imagelen = (c1 << 24) | (c2 << 16) | (c3 << 8 ) | c4; - if (imagelen > 1000000) /* Sanity check. */ - return gpg_error (GPG_ERR_TOO_LARGE); - if (imagelen < 5) return gpg_error (GPG_ERR_TOO_SHORT); @@ -90,6 +90,15 @@ _keybox_read_blob2 (KEYBOXBLOB *r_blob, FILE *fp, int *skipped_deleted) goto again; } + if (imagelen > IMAGELEN_LIMIT) /* Sanity check. */ + { + /* Seek forward so that the caller may choose to ignore this + record. */ + if (fseek (fp, imagelen-5, SEEK_CUR)) + return gpg_error_from_syserror (); + return gpg_error (GPG_ERR_TOO_LARGE); + } + image = xtrymalloc (imagelen); if (!image) return gpg_error_from_syserror (); 
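Review bot: The new skip path in the second hunk passes `imagelen-5` directly to `fseek`, whose offset is a `long`, while `imagelen` is assembled from four bytes of the file and can be as large as 0xFFFFFFFF. The declaration of `imagelen` is outside the hunk, but if it is an unsigned type and `long` is 32 bits, values above LONG_MAX become a negative offset and the stream moves backwards. A caller that continues after GPG_ERR_TOO_LARGE, as the `for (;;)` loop added to `_keybox_dump_file` does, could then keep re-reading the same record from a crafted or corrupted keybox. I would add a range check ahead of the seek, for example `if (imagelen - 5 > (unsigned long)LONG_MAX)`, and have it return an error that callers do not treat as skippable. Separately, `fseek` past end-of-file succeeds on regular files, so a truncated oversized record is reported as "too large" rather than as a short read; a one-line comment saying so would help.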
@@ -124,6 +133,10 @@ _keybox_write_blob (KEYBOXBLOB blob, FILE *fp) size_t length; image = _keybox_get_blob_image (blob, &length); + + if (length > IMAGELEN_LIMIT) + return gpg_error (GPG_ERR_TOO_LARGE); + if (fwrite (image, length, 1, fp) != 1) return gpg_error_from_syserror (); return 0; commit ec332d58efc50f6508b87fc9f51db68c39cee044 Author: Werner Koch Date: Thu Oct 9 19:10:32 2014 +0200 gpg: Take care to use pubring.kbx if it has ever been used. * kbx/keybox-defs.h (struct keybox_handle): Add field for_openpgp. * kbx/keybox-file.c (_keybox_write_header_blob): Set openpgp header flag. * kbx/keybox-blob.c (_keybox_update_header_blob): Add arg for_openpgp and set header flag. * kbx/keybox-init.c (keybox_new): Rename to do_keybox_new, make static and add arg for_openpgp. (keybox_new_openpgp, keybox_new_x509): New. Use them instead of the former keybox_new. * kbx/keybox-update.c (blob_filecopy): Add arg for_openpgp and set the openpgp header flags. * g10/keydb.c (rt_from_file): New. Factored out and extended from keydb_add_resource. (keydb_add_resource): Switch to the kbx file if it has the openpgp flag set. * kbx/keybox-dump.c (dump_header_blob): Print header flags. -- The problem was reported by dkg on gnupg-devel (2014-10-07): I just discovered a new problem, though, which will affect people on systems that have gpg and gpg2 coinstalled: 0) create a new keyring with gpg2, and use it exclusively with gpg2 for a while. 1) somehow (accidentally?) use gpg (1.4.x) again -- this creates ~/.gnupg/pubring.gpg 2) future runs of gpg2 now only look at pubring.gpg and ignore pubring.kbx -- the keys you had accumulated in the keybox are no longer listed in the output of gpg2 --list-keys Note that gpgsm has always used pubring.kbx and thus this file might already be there but without gpg ever inserted a key. The new flag in the KBX header gives us an indication whether a KBX file has ever been written by gpg >= 2.1. 
If that is the case we will use it instead of the default pubring.gpg. Signed-off-by: Werner Koch diff --git a/g10/keydb.c b/g10/keydb.c index 178456a..a387951 100644 --- a/g10/keydb.c +++ b/g10/keydb.c @@ -242,7 +242,7 @@ maybe_create_keyring_or_box (char *filename, int is_box, int force_create) rc = gpg_error_from_syserror (); else { - rc = _keybox_write_header_blob (fp); + rc = _keybox_write_header_blob (fp, 1); fclose (fp); } if (rc) @@ -277,6 +277,50 @@ maybe_create_keyring_or_box (char *filename, int is_box, int force_create) } +/* Helper for keydb_add_resource. Opens FILENAME to figures out the + resource type. Returns the resource type and a flag at R_NOTFOUND + indicating whether FILENAME could be opened at all. If the openpgp + flag is set in a keybox header, R_OPENPGP will be set to true. */ +static KeydbResourceType +rt_from_file (const char *filename, int *r_found, int *r_openpgp) +{ + u32 magic; + unsigned char verbuf[4]; + FILE *fp; + KeydbResourceType rt = KEYDB_RESOURCE_TYPE_NONE; + + *r_found = *r_openpgp = 0; + fp = fopen (filename, "rb"); + if (fp) + { + *r_found = 1; + + if (fread (&magic, 4, 1, fp) == 1 ) + { + if (magic == 0x13579ace || magic == 0xce9a5713) + ; /* GDBM magic - not anymore supported. */ + else if (fread (&verbuf, 4, 1, fp) == 1 + && verbuf[0] == 1 + && fread (&magic, 4, 1, fp) == 1 + && !memcmp (&magic, "KBXf", 4)) + { + if ((verbuf[3] & 0x02)) + *r_openpgp = 1; + rt = KEYDB_RESOURCE_TYPE_KEYBOX; + } + else + rt = KEYDB_RESOURCE_TYPE_KEYRING; + } + else /* Maybe empty: assume keyring. */ + rt = KEYDB_RESOURCE_TYPE_KEYRING; + + fclose (fp); + } + + return rt; +} + + /* * Register a resource (keyring or aeybox). The first keyring or * keybox which is added by this function is created if it does not 
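Review bot: The comment above `rt_from_file` speaks of a flag at R_NOTFOUND, but the parameter is `r_found` and the code sets `*r_found = 1` when `fopen` succeeds, so the documented sense is the inverse of what the code does. I would reword it to `Returns the resource type and sets *R_FOUND to true if FILENAME could be opened.` and fix `to figures out` while there. It would also help to say that `*r_openpgp` stays 0 unless the return value is KEYDB_RESOURCE_TYPE_KEYBOX, and that the flag is taken from `verbuf[3] & 0x02`, which matches the `blob[7] |= 0x02` header bit set elsewhere in this commit.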
@@ -337,33 +381,34 @@ keydb_add_resource (const char *url, unsigned int flags) /* See whether we can determine the filetype. */ if (rt == KEYDB_RESOURCE_TYPE_NONE) { - FILE *fp; + int found, openpgp_flag; int pass = 0; size_t filenamelen; check_again: filenamelen = strlen (filename); - fp = fopen (filename, "rb"); - if (fp) + rt = rt_from_file (filename, &found, &openpgp_flag); + if (found) { - u32 magic; - - if (fread (&magic, 4, 1, fp) == 1 ) + /* The file exists and we have the resource type in RT. + + Now let us check whether in addition to the "pubring.gpg" + a "pubring.kbx with openpgp keys exists. This is so that + GPG 2.1 will use an existing "pubring.kbx" by default iff + that file has been created or used by 2.1. This check is + needed because after creation or use of the kbx file with + 2.1 an older version of gpg may have created a new + pubring.gpg for its own use. */ + if (!pass && is_default && rt == KEYDB_RESOURCE_TYPE_KEYRING + && filenamelen > 4 && !strcmp (filename+filenamelen-4, ".gpg")) { - if (magic == 0x13579ace || magic == 0xce9a5713) - ; /* GDBM magic - not anymore supported. */ - else if (fread (&magic, 4, 1, fp) == 1 - && !memcmp (&magic, "\x01", 1) - && fread (&magic, 4, 1, fp) == 1 - && !memcmp (&magic, "KBXf", 4)) + strcpy (filename+filenamelen-4, ".kbx"); + if ((rt_from_file (filename, &found, &openpgp_flag) + == KEYDB_RESOURCE_TYPE_KEYBOX) && found && openpgp_flag) rt = KEYDB_RESOURCE_TYPE_KEYBOX; - else - rt = KEYDB_RESOURCE_TYPE_KEYRING; - } - else /* Maybe empty: assume keyring. */ - rt = KEYDB_RESOURCE_TYPE_KEYRING; - - fclose (fp); + else /* Restore filename */ + strcpy (filename+filenamelen-4, ".gpg"); + } } else if (!pass && is_default && create 
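Review bot: When the probe in this hunk finds a `pubring.kbx` with the OpenPGP flag set, `filename` is rewritten in place and the default `pubring.gpg` is no longer used, yet nothing in the hunk reports the switch. Because this changes which key store gpg consults, a diagnostic would help anyone working out why keys in `pubring.gpg` are not listed. One option is `if (opt.verbose) log_info ("using keybox '%s' instead of the default keyring\n", filename);`, where the wording is only a suggestion. The new comment also has an unbalanced quote in `a "pubring.kbx with openpgp keys exists`. keydb_add_resource continues outside the hunk, so a later message may already cover this.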
@@ -508,7 +553,7 @@ keydb_new (void) case KEYDB_RESOURCE_TYPE_KEYBOX: hd->active[j].type = all_resources[i].type; hd->active[j].token = all_resources[i].token; - hd->active[j].u.kb = keybox_new (all_resources[i].token, 0); + hd->active[j].u.kb = keybox_new_openpgp (all_resources[i].token, 0); if (!hd->active[j].u.kb) { xfree (hd); diff --git a/kbx/keybox-blob.c b/kbx/keybox-blob.c index f7abb6c..35ce3e3 100644 --- a/kbx/keybox-blob.c +++ b/kbx/keybox-blob.c @@ -42,8 +42,9 @@ - u32 Length of this blob - byte Blob type (1) - byte Version number (1) - - byte RFU - - byte RFU + - u16 Header flags + bit 0 - RFU + bit 1 - Is being or has been used for OpenPGP blobs - b4 Magic 'KBXf' - u32 RFU - u32 file_created_at @@ -1028,7 +1029,7 @@ _keybox_get_blob_fileoffset (KEYBOXBLOB blob) void -_keybox_update_header_blob (KEYBOXBLOB blob) +_keybox_update_header_blob (KEYBOXBLOB blob, int for_openpgp) { if (blob->bloblen >= 32 && blob->blob[4] == BLOBTYPE_HEADER) { @@ -1039,5 +1040,8 @@ _keybox_update_header_blob (KEYBOXBLOB blob) blob->blob[20+1] = (val >> 16); blob->blob[20+2] = (val >> 8); blob->blob[20+3] = (val ); + + if (for_openpgp) + blob->blob[7] |= 0x02; /* OpenPGP data may be available. */ } } diff --git a/kbx/keybox-defs.h b/kbx/keybox-defs.h index 7bbcf83..415a3ef 100644 --- a/kbx/keybox-defs.h +++ b/kbx/keybox-defs.h @@ -101,6 +101,7 @@ struct keybox_handle { int eof; int error; int ephemeral; + int for_openpgp; /* Used by gpg. */ struct keybox_found_s found; struct keybox_found_s saved_found; struct { @@ -176,7 +177,7 @@ int _keybox_new_blob (KEYBOXBLOB *r_blob, void _keybox_release_blob (KEYBOXBLOB blob); const unsigned char *_keybox_get_blob_image (KEYBOXBLOB blob, size_t *n); off_t _keybox_get_blob_fileoffset (KEYBOXBLOB blob); -void _keybox_update_header_blob (KEYBOXBLOB blob); +void _keybox_update_header_blob (KEYBOXBLOB blob, int for_openpgp); /*-- keybox-openpgp.c --*/ gpg_error_t _keybox_parse_openpgp (const unsigned char *image, size_t imagelen, 
diff --git a/kbx/keybox-dump.c b/kbx/keybox-dump.c index af9052d..bfe7b48 100644 --- a/kbx/keybox-dump.c +++ b/kbx/keybox-dump.c @@ -141,6 +141,25 @@ dump_header_blob (const byte *buffer, size_t length, FILE *fp) return -1; } fprintf (fp, "Version: %d\n", buffer[5]); + + n = get16 (buffer + 6); + fprintf( fp, "Flags: %04lX", n); + if (n) + { + int any = 0; + + fputs (" (", fp); + if ((n & 2)) + { + if (any) + putc (',', fp); + fputs ("openpgp", fp); + any++; + } + putc (')', fp); + } + putc ('\n', fp); + if ( memcmp (buffer+8, "KBXf", 4)) fprintf (fp, "[Error: invalid magic number]\n"); diff --git a/kbx/keybox-file.c b/kbx/keybox-file.c index f720993..def896b 100644 --- a/kbx/keybox-file.c +++ b/kbx/keybox-file.c @@ -132,7 +132,7 @@ _keybox_write_blob (KEYBOXBLOB blob, FILE *fp) /* Write a fresh header type blob. */ int -_keybox_write_header_blob (FILE *fp) +_keybox_write_header_blob (FILE *fp, int for_openpgp) { unsigned char image[32]; u32 val; @@ -143,6 +143,8 @@ _keybox_write_header_blob (FILE *fp) image[4] = BLOBTYPE_HEADER; image[5] = 1; /* Version */ + if (for_openpgp) + image[7] = 0x02; /* OpenPGP data may be available. */ memcpy (image+8, "KBXf", 4); val = time (NULL); diff --git a/kbx/keybox-init.c b/kbx/keybox-init.c index 8ae3ec3..0d4800e 100644 --- a/kbx/keybox-init.c +++ b/kbx/keybox-init.c @@ -77,15 +77,10 @@ keybox_is_writable (void *token) -/* Create a new handle for the resource associated with TOKEN. SECRET - is just a cross-check. - - The returned handle must be released using keybox_release (). */ -KEYBOX_HANDLE -keybox_new (void *token, int secret) +static KEYBOX_HANDLE +do_keybox_new (KB_NAME resource, int secret, int for_openpgp) { KEYBOX_HANDLE hd; - KB_NAME resource = token; int idx; assert (resource && !resource->secret == !secret); @@ -94,6 +89,7 @@ keybox_new (void *token, int secret) { hd->kb = resource; hd->secret = !!secret; + hd->for_openpgp = for_openpgp; if (!resource->handle_table) { resource->handle_table_size = 3; 
@@ -135,6 +131,30 @@ keybox_new (void *token, int secret) return hd; } + +/* Create a new handle for the resource associated with TOKEN. SECRET + is just a cross-check. This is the OpenPGP version. The returned + handle must be released using keybox_release. */ +KEYBOX_HANDLE +keybox_new_openpgp (void *token, int secret) +{ + KB_NAME resource = token; + + return do_keybox_new (resource, secret, 1); +} + +/* Create a new handle for the resource associated with TOKEN. SECRET + is just a cross-check. This is the X.509 version. The returned + handle must be released using keybox_release. */ +KEYBOX_HANDLE +keybox_new_x509 (void *token, int secret) +{ + KB_NAME resource = token; + + return do_keybox_new (resource, secret, 0); +} + + void keybox_release (KEYBOX_HANDLE hd) { diff --git a/kbx/keybox-update.c b/kbx/keybox-update.c index 6ade9e7..693b732 100644 --- a/kbx/keybox-update.c +++ b/kbx/keybox-update.c @@ -211,18 +211,18 @@ rename_tmp_file (const char *bakfname, const char *tmpfname, -/* Perform insert/delete/update operation. - MODE is one of FILECOPY_INSERT, FILECOPY_DELETE, FILECOPY_UPDATE. -*/ +/* Perform insert/delete/update operation. MODE is one of + FILECOPY_INSERT, FILECOPY_DELETE, FILECOPY_UPDATE. FOR_OPENPGP + indicates that this is called due to an OpenPGP keyblock change. */ static int blob_filecopy (int mode, const char *fname, KEYBOXBLOB blob, - int secret, off_t start_offset) + int secret, int for_openpgp, off_t start_offset) { FILE *fp, *newfp; int rc=0; char *bakfname = NULL; char *tmpfname = NULL; - char buffer[4096]; + char buffer[4096]; /* (Must be at least 32 bytes) */ int nread, nbytes; /* Open the source file. Because we do a rename, we have to check the @@ -239,7 +239,7 @@ blob_filecopy (int mode, const char *fname, KEYBOXBLOB blob, if (!newfp ) return gpg_error_from_syserror (); - rc = _keybox_write_header_blob (newfp); + rc = _keybox_write_header_blob (newfp, for_openpgp); if (rc) return rc; 
@@ -275,9 +275,19 @@ blob_filecopy (int mode, const char *fname, KEYBOXBLOB blob, /* prepare for insert */ if (mode == FILECOPY_INSERT) { - /* Copy everything to the new file. */ + int first_record = 1; + + /* Copy everything to the new file. If this is for OpenPGP, we + make sure that the openpgp flag is set in the header. (We + failsafe the blob type.) */ while ( (nread = fread (buffer, 1, DIM(buffer), fp)) > 0 ) { + if (first_record && for_openpgp && buffer[4] == BLOBTYPE_HEADER) + { + first_record = 0; + buffer[7] |= 0x02; /* OpenPGP data may be available. */ + } + if (fwrite (buffer, nread, 1, newfp) != 1) { rc = gpg_error_from_syserror (); @@ -409,7 +419,7 @@ keybox_insert_keyblock (KEYBOX_HANDLE hd, const void *image, size_t imagelen, _keybox_destroy_openpgp_info (&info); if (!err) { - err = blob_filecopy (FILECOPY_INSERT, fname, blob, hd->secret, 0); + err = blob_filecopy (FILECOPY_INSERT, fname, blob, hd->secret, 1, 0); _keybox_release_blob (blob); /* if (!rc && !hd->secret && kb_offtbl) */ /* { */ @@ -462,7 +472,7 @@ keybox_update_keyblock (KEYBOX_HANDLE hd, const void *image, size_t imagelen) /* Update the keyblock. */ if (!err) { - err = blob_filecopy (FILECOPY_UPDATE, fname, blob, hd->secret, off); + err = blob_filecopy (FILECOPY_UPDATE, fname, blob, hd->secret, 1, off); _keybox_release_blob (blob); } return err; @@ -495,7 +505,7 @@ keybox_insert_cert (KEYBOX_HANDLE hd, ksba_cert_t cert, rc = _keybox_create_x509_blob (&blob, cert, sha1_digest, hd->ephemeral); if (!rc) { - rc = blob_filecopy (FILECOPY_INSERT, fname, blob, hd->secret, 0); + rc = blob_filecopy (FILECOPY_INSERT, fname, blob, hd->secret, 0, 0); _keybox_release_blob (blob); /* if (!rc && !hd->secret && kb_offtbl) */ /* { */ 
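Review bot: In the FILECOPY_INSERT copy loop of the first hunk, `first_record` is cleared only inside the branch that sets the flag. When `for_openpgp` is set and the first chunk does not begin with a header blob, the test therefore runs again on every later chunk read into `buffer`. Any later chunk whose fifth byte happens to equal BLOBTYPE_HEADER then has `buffer[7] |= 0x02` applied to record data that is written to the new file. The test also reads `buffer[4]` without checking that `nread` covers it. Clearing the flag unconditionally and guarding the length avoids both: `if (first_record) { first_record = 0; if (for_openpgp && nread >= 8 && buffer[4] == BLOBTYPE_HEADER) buffer[7] |= 0x02; }`.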
@@ -743,8 +753,10 @@ keybox_compress (KEYBOX_HANDLE hd) first_blob = 0; if (length > 4 && buffer[4] == BLOBTYPE_HEADER) { - /* Write out the blob with an updated maintenance time stamp. */ - _keybox_update_header_blob (blob); + /* Write out the blob with an updated maintenance time + stamp and if needed (ie. used by gpg) set the openpgp + flag. */ + _keybox_update_header_blob (blob, hd->for_openpgp); rc = _keybox_write_blob (blob, newfp); if (rc) break; @@ -752,7 +764,7 @@ keybox_compress (KEYBOX_HANDLE hd) } /* The header blob is missing. Insert it. */ - rc = _keybox_write_header_blob (newfp); + rc = _keybox_write_header_blob (newfp, hd->for_openpgp); if (rc) break; any_changes = 1; diff --git a/kbx/keybox.h b/kbx/keybox.h index 96c6db5..9067fb8 100644 --- a/kbx/keybox.h +++ b/kbx/keybox.h @@ -62,7 +62,8 @@ typedef enum void *keybox_register_file (const char *fname, int secret); int keybox_is_writable (void *token); -KEYBOX_HANDLE keybox_new (void *token, int secret); +KEYBOX_HANDLE keybox_new_openpgp (void *token, int secret); +KEYBOX_HANDLE keybox_new_x509 (void *token, int secret); void keybox_release (KEYBOX_HANDLE hd); void keybox_push_found_state (KEYBOX_HANDLE hd); void keybox_pop_found_state (KEYBOX_HANDLE hd); @@ -74,7 +75,7 @@ int keybox_lock (KEYBOX_HANDLE hd, int yes); /*-- keybox-file.c --*/ /* Fixme: This function does not belong here: Provide a better interface to create a new keybox file. */ -int _keybox_write_header_blob (FILE *fp); +int _keybox_write_header_blob (FILE *fp, int openpgp_flag); /*-- keybox-search.c --*/ gpg_error_t keybox_get_keyblock (KEYBOX_HANDLE hd, iobuf_t *r_iobuf, diff --git a/sm/keydb.c b/sm/keydb.c index 5a250b0..fb0947a 100644 --- a/sm/keydb.c +++ b/sm/keydb.c 
@@ -341,7 +341,7 @@ keydb_add_resource (const char *url, int force, int secret, int *auto_created) /* Do a compress run if needed and the file is not locked. */ if (!dotlock_take (all_resources[used_resources].lockhandle, 0)) { - KEYBOX_HANDLE kbxhd = keybox_new (token, secret); + KEYBOX_HANDLE kbxhd = keybox_new_x509 (token, secret); if (kbxhd) { @@ -400,7 +400,7 @@ keydb_new (int secret) hd->active[j].token = all_resources[i].token; hd->active[j].secret = all_resources[i].secret; hd->active[j].lockhandle = all_resources[i].lockhandle; - hd->active[j].u.kr = keybox_new (all_resources[i].token, secret); + hd->active[j].u.kr = keybox_new_x509 (all_resources[i].token, secret); if (!hd->active[j].u.kr) { xfree (hd); commit d8c01d826f919dd2faa73fe5692e0d3da235846d Author: Werner Koch Date: Thu Oct 9 10:56:25 2014 +0200 gpg: Change wording of a migration error message. -- diff --git a/g10/migrate.c b/g10/migrate.c index 5cb3512..96ca5c2 100644 --- a/g10/migrate.c +++ b/g10/migrate.c @@ -80,8 +80,9 @@ migrate_secring (ctrl_t ctrl) { log_error ("error: GnuPG agent version \"%s\" is too old. ", agent_version); - log_error ("Please install an updated GnuPG agent.\n"); - log_error ("migration aborted\n"); + log_info ("Please make sure that a recent gpg-agent is running.\n"); + log_info ("(restarting the user session may achieve this.)\n"); + log_info ("migration aborted\n"); xfree (agent_version); goto leave; } commit 6be5c4febc2ec484f049ed743bca08fa9da44590 Author: Kristian Fiskerstrand Date: Tue Oct 7 20:37:16 2014 +0200 doc: Add missing entry for allow-preset-passphase -- diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index 7c21889..36f0ed1 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi 
@@ -349,6 +349,12 @@ Allow clients to mark keys as trusted, i.e. put them into the @file{trustlist.txt} file. This is by default not allowed to make it harder for users to inadvertently accept Root-CA keys. + at anchor{option --allow-preset-passphrase} + at item --allow-preset-passphrase + at opindex allow-preset-passphrase +This option allows the use of @command{gpg-preset-passphrase} to seed the +internal cache of @command{gpg-agent} with passphrases. + @ifset gpgtwoone @anchor{option --allow-loopback-pinentry} @item --allow-loopback-pinentry commit 27fe067efea883629354450a042ad09e47d90ff8 Author: Daniel Kahn Gillmor Date: Wed Oct 8 03:12:51 2014 -0400 Avoid unnecessary library linkage * dirmngr/Makefile.am: Avoid $(DNSLIBS) for dirmngr_ldap * g10/Makefile.am: $(LIBREADLINE) is only for gpg2; gpgv2 does not need $(LIBASSUAN_LIBS) * sm/Makefile.am: gpgsm does not need $(ZLIBS) * tools/Makefile.am: gpgconf does not need $(NPTH_LIBS) -- In the course of building GnuPG 2.1.0 beta864 on debian, i found that several of the installed executables were linked to libraries that they did not need to be linked to, which would cause unnecessary package dependencies at runtime. The changeset here removes these unnecessary libraries from linking. Something similar could possibly also be done by passing --as-needed to the linker, but trimming the depenencies seems more parsimonious. diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am index d0226a3..632e525 100644 --- a/dirmngr/Makefile.am +++ b/dirmngr/Makefile.am @@ -73,7 +73,7 @@ if USE_LDAPWRAPPER dirmngr_ldap_SOURCES = dirmngr_ldap.c $(ldap_url) dirmngr_ldap_CFLAGS = $(GPG_ERROR_CFLAGS) $(LIBGCRYPT_CFLAGS) dirmngr_ldap_LDFLAGS = -dirmngr_ldap_LDADD = $(libcommon) no-libgcrypt.o ../gl/libgnu.a $(DNSLIBS) \ +dirmngr_ldap_LDADD = $(libcommon) no-libgcrypt.o ../gl/libgnu.a \ $(GPG_ERROR_LIBS) $(LDAPLIBS) $(LBER_LIBS) $(LIBINTL) \ $(LIBICONV) endif diff --git a/g10/Makefile.am b/g10/Makefile.am index 6fa7a5c..d0343fa 100644 
--- a/g10/Makefile.am +++ b/g10/Makefile.am @@ -138,14 +138,14 @@ gpgv2_SOURCES = gpgv.c \ # here, even that it is not used by gpg. A proper solution would # either to split up libkeybox.a or to use a separate keybox daemon. LDADD = $(needed_libs) ../common/libgpgrl.a \ - $(ZLIBS) $(DNSLIBS) $(LIBREADLINE) \ + $(ZLIBS) $(DNSLIBS) \ $(LIBINTL) $(CAPLIBS) $(NETLIBS) -gpg2_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) \ +gpg2_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) $(LIBREADLINE) \ $(KSBA_LIBS) $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) \ $(LIBICONV) $(resource_objs) $(extra_sys_libs) gpg2_LDFLAGS = $(extra_bin_ldflags) gpgv2_LDADD = $(LDADD) $(LIBGCRYPT_LIBS) \ - $(KSBA_LIBS) $(LIBASSUAN_LIBS) $(GPG_ERROR_LIBS) \ + $(KSBA_LIBS) $(GPG_ERROR_LIBS) \ $(LIBICONV) $(resource_objs) $(extra_sys_libs) gpgv2_LDFLAGS = $(extra_bin_ldflags) diff --git a/sm/Makefile.am b/sm/Makefile.am index 7fff752..12b85ab 100644 --- a/sm/Makefile.am +++ b/sm/Makefile.am @@ -61,7 +61,7 @@ common_libs = ../kbx/libkeybox.a $(libcommon) ../gl/libgnu.a gpgsm_LDADD = $(common_libs) ../common/libgpgrl.a \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(LIBASSUAN_LIBS) \ - $(GPG_ERROR_LIBS) $(LIBREADLINE) $(LIBINTL) $(ZLIBS) \ + $(GPG_ERROR_LIBS) $(LIBREADLINE) $(LIBINTL) \ $(LIBICONV) $(resource_objs) $(extra_sys_libs) gpgsm_LDFLAGS = $(extra_bin_ldflags) diff --git a/tools/Makefile.am b/tools/Makefile.am index 946ae4a..340901a 100644 --- a/tools/Makefile.am +++ b/tools/Makefile.am 
@@ -98,7 +98,7 @@ gpgconf_SOURCES = gpgconf.c gpgconf.h gpgconf-comp.c no-libgcrypt.c # common sucks in gpg-error, will they, nil they (some compilers # do not eliminate the supposed-to-be-unused-inline-functions). gpgconf_LDADD = $(maybe_commonpth_libs) $(opt_libassuan_libs) \ - $(LIBINTL) $(GPG_ERROR_LIBS) $(NPTH_LIBS) $(NETLIBS) \ + $(LIBINTL) $(GPG_ERROR_LIBS) $(NETLIBS) \ $(LIBICONV) $(W32SOCKLIBS) gpgconf_LDFLAGS = $(extra_bin_ldflags) ----------------------------------------------------------------------- Summary of changes: dirmngr/Makefile.am | 2 +- doc/gpg-agent.texi | 6 ++++ g10/Makefile.am | 6 ++-- g10/keydb.c | 98 +++++++++++++++++++++++++++++++++++++++------------ g10/keydb.h | 1 + g10/keylist.c | 4 +++ g10/migrate.c | 5 +-- g10/misc.c | 12 +++++-- kbx/keybox-blob.c | 10 ++++-- kbx/keybox-defs.h | 3 +- kbx/keybox-dump.c | 48 ++++++++++++++++++++++--- kbx/keybox-file.c | 23 +++++++++--- kbx/keybox-init.c | 34 ++++++++++++++---- kbx/keybox-search.c | 13 +++++-- kbx/keybox-update.c | 38 +++++++++++++------- kbx/keybox.h | 7 ++-- sm/Makefile.am | 2 +- sm/keydb.c | 8 +++-- tools/Makefile.am | 2 +- 19 files changed, 250 insertions(+), 72 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 10 13:51:35 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 10 Oct 2014 13:51:35 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta864-11-g5b5e5a6 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 5b5e5a6027ae1743719e112aa4e9055f1b8133a7 (commit) via 6cabb7a2a18f871b8c3d5de58bcdc5aaa5b201af (commit) from 2ca90f78cee91c43b8d538d1cb92728f8e1452d5 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 5b5e5a6027ae1743719e112aa4e9055f1b8133a7 Author: Werner Koch Date: Fri Oct 10 13:51:19 2014 +0200 doc: Fix a man page rendering problem. * doc/gpg-agent.texi (Agent Configuration): Fix rendering of the sshcontrol example. diff --git a/doc/gpg-agent.texi b/doc/gpg-agent.texi index 36f0ed1..7eadf59 100644 --- a/doc/gpg-agent.texi +++ b/doc/gpg-agent.texi 
@@ -684,13 +684,13 @@ The following example lists exactly one key. Note that keys available through a OpenPGP smartcard in the active smartcard reader are implicitly added to this list; i.e. there is no need to list them. - @cartouche - @smallexample - # Key added on: 2011-07-20 20:38:46 - # Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81 - 34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm - @end smallexample - @end cartouche + at cartouche + at smallexample + # Key added on: 2011-07-20 20:38:46 + # Fingerprint: 5e:8d:c4:ad:e7:af:6e:27:8a:d6:13:e4:79:ad:0b:81 + 34B62F25E277CF13D3C6BCEBFD3F85D08F0A864B 0 confirm + at end smallexample + at end cartouche @item private-keys-v1.d/ commit 6cabb7a2a18f871b8c3d5de58bcdc5aaa5b201af Author: Daniel Kahn Gillmor Date: Thu Oct 9 16:54:15 2014 -0400 gpg: Add build and runtime support for larger RSA keys * configure.ac: Added --enable-large-secmem option. * g10/options.h: Add opt.flags.large_rsa. * g10/gpg.c: Contingent on configure option: adjust secmem size, add gpg --enable-large-rsa, bound to opt.flags.large_rsa. * g10/keygen.c: Adjust max RSA size based on opt.flags.large_rsa * doc/gpg.texi: Document --enable-large-rsa. -- This is a cherry-pick of 534e2876acc05f9f8d9b54c18511fe768d77dfb5 from STABLE-BRANCH-1-4 against master Some older implementations built and used RSA keys up to 16Kib, but the larger secret keys now fail when used by more recent GnuPG, due to secure memory limitations. Building with ./configure --enable-large-secmem will make gpg capable of working with those secret keys, as well as permitting the use of a new gpg option --enable-large-rsa, which let gpg generate RSA keys up to 8Kib when used with --batch --gen-key. Debian-bug-id: 739424 Minor edits by wk. GnuPG-bug-id: 1732 diff --git a/configure.ac b/configure.ac index 28268f1..7ce8c09 100644 --- a/configure.ac +++ b/configure.ac 
@@ -107,6 +107,7 @@ card_support=yes use_ccid_driver=yes dirmngr_auto_start=yes use_tls_library=no +large_secmem=no GNUPG_BUILD_PROGRAM(gpg, yes) GNUPG_BUILD_PROGRAM(gpgsm, yes) @@ -223,6 +224,20 @@ AC_ARG_ENABLE(selinux-support, AC_MSG_RESULT($selinux_support) +AC_MSG_CHECKING([whether to allocate extra secure memory]) +AC_ARG_ENABLE(large-secmem, + AC_HELP_STRING([--enable-large-secmem], + [allocate extra secure memory]), + large_secmem=$enableval, large_secmem=no) +AC_MSG_RESULT($large_secmem) +if test "$large_secmem" = yes ; then + SECMEM_BUFFER_SIZE=65536 +else + SECMEM_BUFFER_SIZE=32768 +fi +AC_DEFINE_UNQUOTED(SECMEM_BUFFER_SIZE,$SECMEM_BUFFER_SIZE, + [Size of secure memory buffer]) + AC_MSG_CHECKING([whether to enable trust models]) AC_ARG_ENABLE(trust-models, AC_HELP_STRING([--disable-trust-models], diff --git a/doc/gpg.texi b/doc/gpg.texi index 002e888..e7360e9 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -1181,6 +1181,15 @@ the opposite meaning. The options are: validation. This option is only meaningful if pka-lookups is set. @end table + at item --enable-large-rsa + at itemx --disable-large-rsa + at opindex enable-large-rsa + at opindex disable-large-rsa +With --gen-key and --batch, enable the creation of larger RSA secret +keys than is generally recommended (up to 8192 bits). These large +keys are more expensive to use, and their signatures and +certifications are also larger. + @item --enable-dsa2 @itemx --disable-dsa2 @opindex enable-dsa2 diff --git a/g10/gpg.c b/g10/gpg.c index f586042..e7d6d00 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -376,6 +376,8 @@ enum cmd_and_opt_values oAutoKeyLocate, oNoAutoKeyLocate, oAllowMultisigVerification, + oEnableLargeRSA, + oDisableLargeRSA, oEnableDSA2, oDisableDSA2, oAllowMultipleMessages, 
@@ -770,6 +772,8 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oAllowMultisigVerification, "allow-multisig-verification", "@"), + ARGPARSE_s_n (oEnableLargeRSA, "enable-large-rsa", "@"), + ARGPARSE_s_n (oDisableLargeRSA, "disable-large-rsa", "@"), ARGPARSE_s_n (oEnableDSA2, "enable-dsa2", "@"), ARGPARSE_s_n (oDisableDSA2, "disable-dsa2", "@"), ARGPARSE_s_n (oAllowMultipleMessages, "allow-multiple-messages", "@"), @@ -2181,7 +2185,7 @@ main (int argc, char **argv) #endif /* Initialize the secure memory. */ - if (!gcry_control (GCRYCTL_INIT_SECMEM, 32768, 0)) + if (!gcry_control (GCRYCTL_INIT_SECMEM, SECMEM_BUFFER_SIZE, 0)) got_secmem = 1; #if defined(HAVE_GETUID) && defined(HAVE_GETEUID) /* There should be no way to get to this spot while still carrying @@ -3099,6 +3103,22 @@ main (int argc, char **argv) release_akl(); break; + case oEnableLargeRSA: +#if SECMEM_BUFFER_SIZE >= 65536 + opt.flags.large_rsa=1; +#else + if (configname) + log_info("%s:%d: WARNING: gpg not built with large secure " + "memory buffer. Ignoring enable-large-rsa\n", + configname,configlineno); + else + log_info("WARNING: gpg not built with large secure " + "memory buffer. Ignoring --enable-large-rsa\n"); +#endif /* SECMEM_BUFFER_SIZE >= 65536 */ + break; + case oDisableLargeRSA: opt.flags.large_rsa=0; + break; + case oEnableDSA2: opt.flags.dsa2=1; break; case oDisableDSA2: opt.flags.dsa2=0; break; diff --git a/g10/keygen.c b/g10/keygen.c index 229f2bf..1c8d70e 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -1555,6 +1555,7 @@ gen_rsa (int algo, unsigned int nbits, KBNODE pub_root, int err; char *keyparms; char nbitsstr[35]; + const unsigned maxsize = (opt.flags.large_rsa ? 8192 : 4096); assert (is_RSA(algo)); 
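Review bot: The two `log_info` warnings added under `case oEnableLargeRSA:` are plain string literals, whereas the other user-facing diagnostics visible in this file are wrapped in `_()`, so these will not be picked up for translation. If that is deliberate, a short comment next to them would say so; otherwise wrap both format strings in `_()`. A comment on the `#if SECMEM_BUFFER_SIZE >= 65536` test, noting that the option is accepted but ignored on builds configured without `--enable-large-secmem`, would also help readers of this long `main` switch.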
@@ -1566,9 +1567,9 @@ gen_rsa (int algo, unsigned int nbits, KBNODE pub_root, nbits = 2048; log_info (_("keysize invalid; using %u bits\n"), nbits ); } - else if (nbits > 4096) + else if (nbits > maxsize) { - nbits = 4096; + nbits = maxsize; log_info (_("keysize invalid; using %u bits\n"), nbits ); } diff --git a/g10/options.h b/g10/options.h index 7efb3d6..edd31a9 100644 --- a/g10/options.h +++ b/g10/options.h @@ -229,6 +229,7 @@ struct unsigned int dsa2:1; unsigned int allow_multiple_messages:1; unsigned int allow_weak_digest_algos:1; + unsigned int large_rsa:1; } flags; /* Linked list of ways to find a key if the key isn't on the local ----------------------------------------------------------------------- Summary of changes: configure.ac | 15 +++++++++++++++ doc/gpg-agent.texi | 14 +++++++------- doc/gpg.texi | 9 +++++++++ g10/gpg.c | 22 +++++++++++++++++++++- g10/keygen.c | 5 +++-- g10/options.h | 1 + 6 files changed, 56 insertions(+), 10 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 10 15:30:25 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 10 Oct 2014 15:30:25 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta864-13-g54ffe20 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 54ffe2045aa4d3157f0919744210c9463594799c (commit) via 36679f33aa0bf8bc6a03bcbd5b283cb541686434 (commit) from 5b5e5a6027ae1743719e112aa4e9055f1b8133a7 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 54ffe2045aa4d3157f0919744210c9463594799c Author: Werner Koch Date: Fri Oct 10 15:29:42 2014 +0200 Use a unique capitalization for "Note:". -- diff --git a/agent/gpg-agent.c b/agent/gpg-agent.c index 0c163e1..af91506 100644 --- a/agent/gpg-agent.c +++ b/agent/gpg-agent.c @@ -759,7 +759,7 @@ main (int argc, char **argv ) if (default_config) { if( parse_debug ) - log_info (_("NOTE: no default option file '%s'\n"), + log_info (_("Note: no default option file '%s'\n"), configname ); /* Save the default conf file name so that reread_configuration is able to test whether the @@ -881,7 +881,7 @@ main (int argc, char **argv ) for (i=0; i < argc; i++) if (argv[i][0] == '-' && argv[i][1] == '-') - log_info (_("NOTE: '%s' is not considered an option\n"), argv[i]); + log_info (_("Note: '%s' is not considered an option\n"), argv[i]); } #ifdef ENABLE_NLS diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index 8110df2..b6892bf 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -807,7 +807,7 @@ main (int argc, char **argv) if (default_config) { if( parse_debug ) - log_info (_("NOTE: no default option file '%s'\n"), + log_info (_("Note: no default option file '%s'\n"), configname ); } else 
@@ -925,7 +925,7 @@ main (int argc, char **argv) for (i=0; i < argc; i++) if (argv[i][0] == '-' && argv[i][1] == '-') - log_info (_("NOTE: '%s' is not considered an option\n"), argv[i]); + log_info (_("Note: '%s' is not considered an option\n"), argv[i]); } if (!access ("/etc/"DIRMNGR_NAME, F_OK) && !strncmp (opt.homedir, "/etc/", 5)) diff --git a/dirmngr/validate.c b/dirmngr/validate.c index 024708b..574eca6 100644 --- a/dirmngr/validate.c +++ b/dirmngr/validate.c @@ -164,7 +164,7 @@ check_cert_policy (ksba_cert_t cert) if (!any_critical) { - log_info (_("note: non-critical certificate policy not allowed")); + log_info (_("Note: non-critical certificate policy not allowed")); err = 0; } else diff --git a/g10/card-util.c b/g10/card-util.c index abf234f..b5be80a 100644 --- a/g10/card-util.c +++ b/g10/card-util.c @@ -1282,7 +1282,7 @@ show_keysize_warning (void) return; shown = 1; tty_printf - (_("NOTE: There is no guarantee that the card " + (_("Note: There is no guarantee that the card " "supports the requested size.\n" " If the key generation does not succeed, " "please check the\n" @@ -1392,7 +1392,7 @@ generate_card_keys (ctrl_t ctrl) || (info.fpr3valid && !fpr_is_zero (info.fpr3))) { tty_printf ("\n"); - log_info (_("NOTE: keys are already stored on the card!\n")); + log_info (_("Note: keys are already stored on the card!\n")); tty_printf ("\n"); if ( !cpr_get_answer_is_yes ("cardedit.genkeys.replace_keys", _("Replace existing keys? (y/N) "))) diff --git a/g10/gpg.c b/g10/gpg.c index e7d6d00..57deb8d 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -1976,7 +1976,7 @@ get_default_configname (void) /* Print a warning when both config files are present. */ char *p = make_filename (opt.homedir, "options", NULL); if (! access (p, R_OK)) - log_info (_("NOTE: old default options file '%s' ignored\n"), p); + log_info (_("Note: old default options file '%s' ignored\n"), p); xfree (p); } else 
@@ -2243,7 +2243,7 @@ main (int argc, char **argv) if( !configfp ) { if( default_config ) { if( parse_debug ) - log_info(_("NOTE: no default option file '%s'\n"), + log_info(_("Note: no default option file '%s'\n"), configname ); } else { @@ -2509,7 +2509,7 @@ main (int argc, char **argv) #endif /*!NO_TRUST_MODELS*/ case oForceOwnertrust: - log_info(_("NOTE: %s is not for normal use!\n"), + log_info(_("Note: %s is not for normal use!\n"), "--force-ownertrust"); opt.force_ownertrust=string_to_trust_value(pargs.r.ret_str); if(opt.force_ownertrust==-1) @@ -3235,7 +3235,7 @@ main (int argc, char **argv) } if (opt.no_literal) { - log_info(_("NOTE: %s is not for normal use!\n"), "--no-literal"); + log_info(_("Note: %s is not for normal use!\n"), "--no-literal"); if (opt.textmode) log_error(_("%s not allowed with %s!\n"), "--textmode", "--no-literal" ); @@ -3247,7 +3247,7 @@ main (int argc, char **argv) if (opt.set_filesize) - log_info(_("NOTE: %s is not for normal use!\n"), "--set-filesize"); + log_info(_("Note: %s is not for normal use!\n"), "--set-filesize"); if( opt.batch ) tty_batchmode( 1 ); @@ -3268,7 +3268,7 @@ main (int argc, char **argv) for (i=0; i < argc; i++) if (argv[i][0] == '-' && argv[i][1] == '-') - log_info (_("NOTE: '%s' is not considered an option\n"), argv[i]); + log_info (_("Note: '%s' is not considered an option\n"), argv[i]); } @@ -3353,7 +3353,7 @@ main (int argc, char **argv) log_error(_("invalid min-cert-level; must be 1, 2, or 3\n")); switch( opt.s2k_mode ) { case 0: - log_info(_("NOTE: simple S2K mode (0) is strongly discouraged\n")); + log_info(_("Note: simple S2K mode (0) is strongly discouraged\n")); break; case 1: case 3: break; default: diff --git a/g10/keygen.c b/g10/keygen.c index 1c8d70e..6079ff0 100644 --- a/g10/keygen.c +++ b/g10/keygen.c 
@@ -4263,7 +4263,7 @@ generate_subkeypair (ctrl_t ctrl, kbnode_t keyblock) if (pri_psk->version < 4) { - log_info (_("NOTE: creating subkeys for v3 keys " + log_info (_("Note: creating subkeys for v3 keys " "is not OpenPGP compliant\n")); err = gpg_error (GPG_ERR_CONFLICT); goto leave; @@ -4386,7 +4386,7 @@ generate_card_subkeypair (kbnode_t pub_keyblock, if (pri_pk->version < 4) { - log_info (_("NOTE: creating subkeys for v3 keys " + log_info (_("Note: creating subkeys for v3 keys " "is not OpenPGP compliant\n")); err = gpg_error (GPG_ERR_NOT_SUPPORTED); goto leave; @@ -4657,7 +4657,7 @@ gen_card_key_with_backup (int algo, int keyno, int is_primary, iobuf_close (fp); iobuf_ioctl (NULL, IOBUF_IOCTL_INVALIDATE_CACHE, 0, (char*)fname); - log_info (_("NOTE: backup of card key saved to '%s'\n"), fname); + log_info (_("Note: backup of card key saved to '%s'\n"), fname); fingerprint_from_sk (sk, array, &n); p = fprbuf = xmalloc (MAX_FINGERPRINT_LEN*2 + 1 + 1); diff --git a/g10/mainproc.c b/g10/mainproc.c index 7c699b3..50d1d27 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -623,7 +623,7 @@ proc_plaintext( CTX c, PACKET *pkt ) literals_seen++; if( pt->namelen == 8 && !memcmp( pt->name, "_CONSOLE", 8 ) ) - log_info(_("NOTE: sender requested \"for-your-eyes-only\"\n")); + log_info(_("Note: sender requested \"for-your-eyes-only\"\n")); else if( opt.verbose ) log_info(_("original file name='%.*s'\n"), pt->namelen, pt->name); free_md_filter_context( &c->mfx ); diff --git a/g10/pubkey-enc.c b/g10/pubkey-enc.c index 60f7611..e79199e 100644 --- a/g10/pubkey-enc.c +++ b/g10/pubkey-enc.c 
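Review bot: In the g10/mainproc.c hunk, the verbose branch of proc_plaintext logs pt->name with `%.*s` exactly as it arrived in the literal data packet, so control characters or line breaks chosen by the sender reach the log and the terminal unescaped. The name should be made printable before it is logged, for example `char *tmp = make_printable_string (pt->name, pt->namelen, 0);` followed by `log_info (_("original file name='%.*s'\n"), (int)strlen (tmp), tmp);` and `xfree (tmp);`. The `(int)` cast matters too, because a `%.*s` precision must be an int and the type of pt->namelen is not visible here. proc_plaintext starts and ends outside the hunk.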
@@ -375,14 +375,14 @@ get_it (PKT_pubkey_enc *enc, DEK *dek, PKT_public_key *sk, u32 *keyid) BUG (); if (pk->expiredate && pk->expiredate <= make_timestamp ()) { - log_info (_("NOTE: secret key %s expired at %s\n"), + log_info (_("Note: secret key %s expired at %s\n"), keystr (keyid), asctimestamp (pk->expiredate)); } } if (pk && pk->flags.revoked) { - log_info (_("NOTE: key has been revoked")); + log_info (_("Note: key has been revoked")); log_printf ("\n"); show_revocation_reason (pk, 1); } diff --git a/g10/revoke.c b/g10/revoke.c index 019c62c..81b5d6d 100644 --- a/g10/revoke.c +++ b/g10/revoke.c @@ -113,7 +113,7 @@ export_minimal_pk(IOBUF out,KBNODE keyblock, rc=build_packet(out,&pkt); if(rc) { - log_error(_("build_packet failed: %s\n"), g10_errstr(rc) ); + log_error("build_packet failed: %s\n", g10_errstr(rc) ); return rc; } } diff --git a/g10/sig-check.c b/g10/sig-check.c index ad2ab5c..f563862 100644 --- a/g10/sig-check.c +++ b/g10/sig-check.c @@ -235,7 +235,7 @@ do_check_messages( PKT_public_key *pk, PKT_signature *sig, if( pk->has_expired || (pk->expiredate && pk->expiredate < cur_time)) { char buf[11]; if (opt.verbose) - log_info(_("NOTE: signature key %s expired %s\n"), + log_info(_("Note: signature key %s expired %s\n"), keystr_from_pk(pk), asctimestamp( pk->expiredate ) ); sprintf(buf,"%lu",(ulong)pk->expiredate); write_status_text(STATUS_KEYEXPIRED,buf); @@ -246,7 +246,7 @@ do_check_messages( PKT_public_key *pk, PKT_signature *sig, if (pk->flags.revoked) { if (opt.verbose) - log_info (_("NOTE: signature key %s has been revoked\n"), + log_info (_("Note: signature key %s has been revoked\n"), keystr_from_pk(pk)); if (r_revoked) *r_revoked=1; diff --git a/g10/tdbio.c b/g10/tdbio.c index 2b9d4ff..aff565c 100644 --- a/g10/tdbio.c +++ b/g10/tdbio.c 
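Review bot: In the first g10/sig-check.c hunk, `sprintf(buf,"%lu",(ulong)pk->expiredate);` writes into `char buf[11]`, which holds at most ten digits plus the terminator. That is enough only if expiredate is a 32-bit value, and its declaration is not visible in this hunk. Making the bound explicit costs nothing: `snprintf (buf, sizeof buf, "%lu", (ulong)pk->expiredate);`. do_check_messages continues outside the hunk.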
@@ -647,7 +647,7 @@ open_db() /* Take care of read-only trustdbs. */ db_fd = open (db_name, O_RDONLY | MY_O_BINARY ); if (db_fd != -1 && !opt.quiet) - log_info (_("NOTE: trustdb not writable\n")); + log_info (_("Note: trustdb not writable\n")); } if ( db_fd == -1 ) log_fatal( _("can't open '%s': %s\n"), db_name, strerror(errno) ); diff --git a/po/de.po b/po/de.po index 7c4dab7..fa56dd5 100644 --- a/po/de.po +++ b/po/de.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-2.1.0\n" "Report-Msgid-Bugs-To: translations at gnupg.org\n" -"PO-Revision-Date: 2014-10-10 14:57+0200\n" +"PO-Revision-Date: 2014-10-10 15:27+0200\n" "Last-Translator: Werner Koch \n" "Language-Team: German \n" "Language: de\n" @@ -378,7 +378,7 @@ msgid "%s is too old (need %s, have %s)\n" msgstr "Die Bibliothek %s ist nicht aktuell (ben?tige %s, habe %s)\n" #, c-format -msgid "NOTE: no default option file '%s'\n" +msgid "Note: no default option file '%s'\n" msgstr "Hinweis: Keine voreingestellte Optionendatei '%s' vorhanden\n" #, c-format @@ -390,7 +390,7 @@ msgid "reading options from '%s'\n" msgstr "Optionen werden aus '%s' gelesen\n" #, c-format -msgid "NOTE: '%s' is not considered an option\n" +msgid "Note: '%s' is not considered an option\n" msgstr "Hinweis: `%s' wird nicht als Option betrachtet\n" msgid "name of socket too long\n" @@ -1259,7 +1259,7 @@ msgid "Replace existing key? (y/N) " msgstr "Vorhandenen Schl?ssel ersetzen? (j/N) " msgid "" -"NOTE: There is no guarantee that the card supports the requested size.\n" +"Note: There is no guarantee that the card supports the requested size.\n" " If the key generation does not succeed, please check the\n" " documentation of your card to see what sizes are allowed.\n" msgstr "" 
@@ -1305,8 +1305,8 @@ msgid "Make off-card backup of encryption key? (Y/n) " msgstr "" "Sicherung des Verschl?sselungsschl?ssel au?erhalb der Karte erstellen? (J/n) " -msgid "NOTE: keys are already stored on the card!\n" -msgstr "ACHTUNG: Auf der Karte sind bereits Schl?ssel gespeichert!\n" +msgid "Note: keys are already stored on the card!\n" +msgstr "Hinweis: Auf der Karte sind bereits Schl?ssel gespeichert!\n" msgid "Replace existing keys? (y/N) " msgstr "Vorhandene Schl?ssel ersetzen? (j/N) " @@ -1524,7 +1524,8 @@ msgstr "Mit unbekanntem Verfahren verschl?sselt %d\n" msgid "" "WARNING: message was encrypted with a weak key in the symmetric cipher.\n" -msgstr "WARNUNG: Botschaft wurde mit einem unsicheren Schl?ssel verschl?sselt.\n" +msgstr "" +"WARNUNG: Botschaft wurde mit einem unsicheren Schl?ssel verschl?sselt.\n" msgid "problem handling encrypted packet\n" msgstr "Problem beim Bearbeiten des verschl?sselten Pakets\n" @@ -1943,7 +1944,7 @@ msgid "show expiration dates during signature listings" msgstr "Das Ablaufdatum mit den Signaturen anlisten" #, c-format -msgid "NOTE: old default options file '%s' ignored\n" +msgid "Note: old default options file '%s' ignored\n" msgstr "Hinweis: Alte voreingestellte Optionendatei '%s' wurde ignoriert\n" #, c-format @@ -1953,7 +1954,7 @@ msgstr "" "%s)\n" #, c-format -msgid "NOTE: %s is not for normal use!\n" +msgid "Note: %s is not for normal use!\n" msgstr "Hinweis: %s ist nicht f?r den ?blichen Gebrauch gedacht!\n" #, c-format @@ -2061,7 +2062,7 @@ msgstr "WARNUNG: %s ersetzt %s\n" #, c-format msgid "%s not allowed with %s!\n" -msgstr "%s kann nicht zusammen mit %s verwendet werden!\n" +msgstr "%s zusammen mit %s ist nicht erlaubt!\n" #, c-format msgid "%s makes no sense with %s!\n" 
@@ -2101,7 +2102,7 @@ msgstr "ung?ltiger \"default-cert-level\"; Wert mu? 0, 1, 2 oder 3 sein\n" msgid "invalid min-cert-level; must be 1, 2, or 3\n" msgstr "ung?ltiger \"min-cert-level\"; Wert mu? 0, 1, 2 oder 3 sein\n" -msgid "NOTE: simple S2K mode (0) is strongly discouraged\n" +msgid "Note: simple S2K mode (0) is strongly discouraged\n" msgstr "Hinweis: Vom \"simple S2K\"-Modus (0) ist strikt abzuraten\n" msgid "invalid S2K mode; must be 0, 1 or 3\n" @@ -3928,7 +3929,7 @@ msgstr "" "Der Schl?ssel wurde %lu Sekunden in der Zukunft erzeugt (Zeitreise oder " "Uhren stimmen nicht ?berein)\n" -msgid "NOTE: creating subkeys for v3 keys is not OpenPGP compliant\n" +msgid "Note: creating subkeys for v3 keys is not OpenPGP compliant\n" msgstr "Hinweis: Unterschl?ssel f?r v3-Schl?ssel sind nicht OpenPGP-konform\n" msgid "Secret parts of primary key are not available.\n" @@ -3949,7 +3950,7 @@ msgid "can't create backup file '%s': %s\n" msgstr "Sicherungsdatei '%s' kann nicht erzeugt werden: %s\n" #, c-format -msgid "NOTE: backup of card key saved to '%s'\n" +msgid "Note: backup of card key saved to '%s'\n" msgstr "Hinweis: Sicherung des Kartenschl?ssels wurde auf `%s' gespeichert\n" msgid "never " @@ -4181,7 +4182,7 @@ msgstr "Passphrase aus dem Cache gel?scht. Cache ID: %s\n" msgid "decryption failed: %s\n" msgstr "Entschl?sselung fehlgeschlagen: %s\n" -msgid "NOTE: sender requested \"for-your-eyes-only\"\n" +msgid "Note: sender requested \"for-your-eyes-only\"\n" msgstr "" "Hinweis: Der Absender verlangte Vertraulichkeit(\"for-your-eyes-only\")\n" @@ -4834,10 +4835,10 @@ msgstr "" "Empf?ngereinstellungen gefunden\n" #, c-format -msgid "NOTE: secret key %s expired at %s\n" +msgid "Note: secret key %s expired at %s\n" msgstr "Hinweis: geheimer Schl?ssel %s verf?llt am %s\n" -msgid "NOTE: key has been revoked" +msgid "Note: key has been revoked" msgstr "Hinweis: Schl?ssel wurde widerrufen" #, c-format 
@@ -5004,11 +5005,11 @@ msgstr "" "Uhrenproblem)\n" #, c-format -msgid "NOTE: signature key %s expired %s\n" +msgid "Note: signature key %s expired %s\n" msgstr "Hinweis: Signaturschl?ssel %s ist am %s verfallen\n" #, c-format -msgid "NOTE: signature key %s has been revoked\n" +msgid "Note: signature key %s has been revoked\n" msgstr "Hinweis: Signaturschl?ssel %s wurde widerrufen\n" #, c-format @@ -5168,7 +5169,7 @@ msgstr "%s: ung?ltige trust-db erzeugt\n" msgid "%s: trustdb created\n" msgstr "%s: trust-db erzeugt\n" -msgid "NOTE: trustdb not writable\n" +msgid "Note: trustdb not writable\n" msgstr "Hinweis: Die \"trustdb\" ist nicht schreibbar\n" #, c-format @@ -5684,7 +5685,7 @@ msgstr "entscheidende Richtlinie ohne konfigurierte Richtlinien" msgid "failed to open '%s': %s\n" msgstr "Datei `%s' kann nicht ge?ffnet werden: %s\n" -msgid "note: non-critical certificate policy not allowed" +msgid "Note: non-critical certificate policy not allowed" msgstr "Hinweis: Die unkritische Zertifikatsrichtlinie ist nicht erlaubt" msgid "certificate policy not allowed" @@ -6217,7 +6218,7 @@ msgstr "" "Signieren, pr?fen, ver- und entschl?sseln mittels S/MIME Protokoll\n" #, c-format -msgid "NOTE: won't be able to encrypt to '%s': %s\n" +msgid "Note: won't be able to encrypt to '%s': %s\n" msgstr "Hinweis: Verschl?sselung f?r `%s' wird nicht m?glich sein: %s\n" #, c-format 
@@ -8355,15 +8356,15 @@ msgstr "" #~ msgid "key %s: secret key not found: %s\n" #~ msgstr "Schl?ssel %s: geheimer Schl?ssel nicht gefunden: %s\n" -#~ msgid "NOTE: a key's S/N does not match the card's one\n" +#~ msgid "Note: a key's S/N does not match the card's one\n" #~ msgstr "" #~ "Hinweis: Eine Schl?sselseriennr stimmt nicht mit derjenigen der Karte " #~ "?berein\n" -#~ msgid "NOTE: primary key is online and stored on card\n" +#~ msgid "Note: primary key is online and stored on card\n" #~ msgstr "Hinweis: Hauptschl?ssel ist online und auf der Karte gespeichert\n" -#~ msgid "NOTE: secondary key is online and stored on card\n" +#~ msgid "Note: secondary key is online and stored on card\n" #~ msgstr "Hinweis: Zweitschl?ssel ist online und auf der Karte gespeichert\n" #~ msgid "Key is protected.\n" @@ -8411,7 +8412,7 @@ msgstr "" #~ msgid "unknown protection algorithm\n" #~ msgstr "Unbekanntes Schutzverfahren\n" -#~ msgid "NOTE: This key is not protected!\n" +#~ msgid "Note: This key is not protected!\n" #~ msgstr "Dieser Schl?ssel ist nicht gesch?tzt.\n" #~ msgid "Invalid passphrase; please try again" diff --git a/po/fr.po b/po/fr.po index 2ba5e46..aad9a1f 100644 --- a/po/fr.po +++ b/po/fr.po @@ -398,7 +398,7 @@ msgid "%s is too old (need %s, have %s)\n" msgstr "%s est trop ancien (n?cessaire?: %s, utilis??: %s)\n" #, c-format -msgid "NOTE: no default option file '%s'\n" +msgid "Note: no default option file '%s'\n" msgstr "Remarque?: pas de fichier d'options par d?faut ??%s??\n" #, c-format @@ -410,7 +410,7 @@ msgid "reading options from '%s'\n" msgstr "lecture des options de ??%s??\n" #, c-format -msgid "NOTE: '%s' is not considered an option\n" +msgid "Note: '%s' is not considered an option\n" msgstr "Remarque?: ??%s?? n'est pas consid?r? comme une option\n" msgid "name of socket too long\n" 
@@ -1282,7 +1282,7 @@ msgid "Replace existing key? (y/N) " msgstr "Faut-il remplacer la clef existante?? (o/N) " msgid "" -"NOTE: There is no guarantee that the card supports the requested size.\n" +"Note: There is no guarantee that the card supports the requested size.\n" " If the key generation does not succeed, please check the\n" " documentation of your card to see what sizes are allowed.\n" msgstr "" @@ -1324,7 +1324,7 @@ msgid "Make off-card backup of encryption key? (Y/n) " msgstr "" "Faut-il faire une sauvegarde hors carte de la clef de chiffrement?? (O/n) " -msgid "NOTE: keys are already stored on the card!\n" +msgid "Note: keys are already stored on the card!\n" msgstr "Remarque?: les clefs sont d?j? stock?es sur la carte.\n" msgid "Replace existing keys? (y/N) " @@ -1996,7 +1996,7 @@ msgid "show expiration dates during signature listings" msgstr "montrer les dates d'expiration en affichant les signatures" #, c-format -msgid "NOTE: old default options file '%s' ignored\n" +msgid "Note: old default options file '%s' ignored\n" msgstr "Remarque?: l'ancien fichier d'options par d?faut ??%s?? a ?t? ignor?\n" #, c-format @@ -2004,7 +2004,7 @@ msgid "libgcrypt is too old (need %s, have %s)\n" msgstr "libgcrypt est trop ancienne (n?cessaire?: %s, utilis??: %s)\n" #, c-format -msgid "NOTE: %s is not for normal use!\n" +msgid "Note: %s is not for normal use!\n" msgstr "Remarque?: %s n'est pas pour une utilisation normale.\n" #, c-format @@ -2154,7 +2154,7 @@ msgstr "??default-cert-level?? incorrect?; doit ?tre 0, 1, 2 ou 3\n" msgid "invalid min-cert-level; must be 1, 2, or 3\n" msgstr "??min-cert-level?? incorrect?; doit ?tre , 1, 2 ou 3\n" -msgid "NOTE: simple S2K mode (0) is strongly discouraged\n" +msgid "Note: simple S2K mode (0) is strongly discouraged\n" msgstr "Remarque?: le mode S2K simple (0) est fortement d?conseill?\n" msgid "invalid S2K mode; must be 0, 1 or 3\n" 
@@ -3999,7 +3999,7 @@ msgstr "" "la clef a ?t? cr??e %lu?secondes dans le futur (faille temporelle ou\n" "probl?me d'horloge)\n" -msgid "NOTE: creating subkeys for v3 keys is not OpenPGP compliant\n" +msgid "Note: creating subkeys for v3 keys is not OpenPGP compliant\n" msgstr "" "Remarque?: la cr?ation de sous-clefs pour des clefs?v3 n'est pas compatible\n" " avec OpenPGP\n" @@ -4023,7 +4023,7 @@ msgid "can't create backup file '%s': %s\n" msgstr "impossible de cr?er le fichier de sauvegarde ??%s???: %s\n" #, c-format -msgid "NOTE: backup of card key saved to '%s'\n" +msgid "Note: backup of card key saved to '%s'\n" msgstr "Remarque?: sauvegarde de la clef de la carte dans ??%s??\n" msgid "never " @@ -4044,6 +4044,10 @@ msgstr "Notation de signature critique?: " msgid "Signature notation: " msgstr "Notation de signature?: " +#, c-format +msgid "Warning: %lu key(s) skipped due to their large size\n" +msgstr "" + msgid "Keyring" msgstr "Porte-clefs" @@ -4255,7 +4259,7 @@ msgstr "phrase de passe effac?e mise en cache avec l'identifiant?: %s\n" msgid "decryption failed: %s\n" msgstr "?chec du d?chiffrement?: %s\n" -msgid "NOTE: sender requested \"for-your-eyes-only\"\n" +msgid "Note: sender requested \"for-your-eyes-only\"\n" msgstr "Remarque?: l'exp?diteur a demand? ??? votre seule attention??\n" #, c-format @@ -4934,10 +4938,10 @@ msgstr "" " dans les pr?f?rences du destinataire\n" #, c-format -msgid "NOTE: secret key %s expired at %s\n" +msgid "Note: secret key %s expired at %s\n" msgstr "Remarque?: la clef secr?te %s a expir? le %s\n" -msgid "NOTE: key has been revoked" +msgid "Note: key has been revoked" msgstr "Remarque?: la clef a ?t? r?voqu?e" #, c-format 
@@ -5101,11 +5105,11 @@ msgstr "" "(faille temporelle ou probl?me d'horloge)\n" #, c-format -msgid "NOTE: signature key %s expired %s\n" +msgid "Note: signature key %s expired %s\n" msgstr "Remarque?: la clef de signature %s a expir? le %s\n" #, c-format -msgid "NOTE: signature key %s has been revoked\n" +msgid "Note: signature key %s has been revoked\n" msgstr "Remarque?: la clef de signature %s a ?t? r?voqu?e\n" #, c-format @@ -5266,7 +5270,7 @@ msgstr "%s?: base de confiance incorrecte cr??e\n" msgid "%s: trustdb created\n" msgstr "%s?: base de confiance cr??e\n" -msgid "NOTE: trustdb not writable\n" +msgid "Note: trustdb not writable\n" msgstr "Remarque?: la base de confiance n'est pas accessible en ?criture\n" #, c-format @@ -5816,7 +5820,9 @@ msgstr "politique de signature marqu?e critique sans politiques configur?es" msgid "failed to open '%s': %s\n" msgstr "?chec d'ouverture de ??%s???: %s\n" -msgid "note: non-critical certificate policy not allowed" +#, fuzzy +#| msgid "note: non-critical certificate policy not allowed" +msgid "Note: non-critical certificate policy not allowed" msgstr "remarque?: politique de certificat non critique non autoris?e" msgid "certificate policy not allowed" @@ -6357,7 +6363,7 @@ msgstr "" "L'op?ration par d?faut d?pend des donn?es entr?es\n" #, c-format -msgid "NOTE: won't be able to encrypt to '%s': %s\n" +msgid "Note: won't be able to encrypt to '%s': %s\n" msgstr "Remarque?: ne sera pas capable de chiffrer ? ??%s???: %s\n" #, c-format 
@@ -8204,6 +8210,27 @@ msgstr "" "V?rifier une phrase de passe donn?e sur l'entr?e standard par rapport ? " "ficmotif\n" +#, fuzzy +#~| msgid "Note: no default option file '%s'\n" +#~ msgid "NOTE: no default option file '%s'\n" +#~ msgstr "Remarque?: pas de fichier d'options par d?faut ??%s??\n" + +#, fuzzy +#~| msgid "Note: %s is not for normal use!\n" +#~ msgid "NOTE: %s is not for normal use!\n" +#~ msgstr "Remarque?: %s n'est pas pour une utilisation normale.\n" + +#, fuzzy +#~| msgid "Note: creating subkeys for v3 keys is not OpenPGP compliant\n" +#~ msgid "NOTE: creating subkeys for v3 keys is not OpenPGP compliant\n" +#~ msgstr "" +#~ "Remarque?: la cr?ation de sous-clefs pour des clefs?v3 n'est pas " +#~ "compatible\n" +#~ " avec OpenPGP\n" + +#~ msgid "note: non-critical certificate policy not allowed" +#~ msgstr "remarque?: politique de certificat non critique non autoris?e" + #~ msgid "use a standard location for the socket" #~ msgstr "utiliser un emplacement de socket standard" @@ -8444,16 +8471,16 @@ msgstr "" #~ msgid "key %s: secret key not found: %s\n" #~ msgstr "clef %s?: clef secr?te introuvable?: %s\n" -#~ msgid "NOTE: a key's S/N does not match the card's one\n" +#~ msgid "Note: a key's S/N does not match the card's one\n" #~ msgstr "" #~ "Remarque?: le num?ro de s?rie d'une clef ne correspond pas ? celui de la " #~ "carte\n" -#~ msgid "NOTE: primary key is online and stored on card\n" +#~ msgid "Note: primary key is online and stored on card\n" #~ msgstr "" #~ "Remarque?: la clef principale est en ligne et stock?e sur la carte\n" -#~ msgid "NOTE: secondary key is online and stored on card\n" +#~ msgid "Note: secondary key is online and stored on card\n" #~ msgstr "" #~ "Remarque?: la clef secondaire est en ligne et stock?e sur la carte\n" 
@@ -8580,7 +8607,7 @@ msgstr "" #~ msgid "unknown protection algorithm\n" #~ msgstr "algorithme de protection inconnu\n" -#~ msgid "NOTE: This key is not protected!\n" +#~ msgid "Note: This key is not protected!\n" #~ msgstr "Remarque?: cette clef n'est pas prot?g?e.\n" #~ msgid "protection digest %d is not supported\n" @@ -9030,7 +9057,7 @@ msgstr "" #~ msgid " algorithms on these user IDs:\n" #~ msgstr " algorithmes indisponibles pour ces identit?s?:\n" -#~ msgid "NOTE: This feature is not available in %s\n" +#~ msgid "Note: This feature is not available in %s\n" #~ msgstr "Remarque?: cette fonctionnalit? n'est pas disponible dans %s\n" #~ msgid "Repeat passphrase\n" diff --git a/po/ja.po b/po/ja.po index 365365a..975c2ec 100644 --- a/po/ja.po +++ b/po/ja.po @@ -381,7 +381,7 @@ msgid "%s is too old (need %s, have %s)\n" msgstr "%s ?????? (%s ?????? %s)\n" #, c-format -msgid "NOTE: no default option file '%s'\n" +msgid "Note: no default option file '%s'\n" msgstr "*??*: ???????????????? '%s' ??????\n" #, c-format @@ -393,7 +393,7 @@ msgid "reading options from '%s'\n" msgstr "'%s' ??????????????\n" #, c-format -msgid "NOTE: '%s' is not considered an option\n" +msgid "Note: '%s' is not considered an option\n" msgstr "*??*: '%s'???????????????\n" msgid "name of socket too long\n" @@ -1249,7 +1249,7 @@ msgid "Replace existing key? (y/N) " msgstr "???????????? (y/N) " msgid "" -"NOTE: There is no guarantee that the card supports the requested size.\n" +"Note: There is no guarantee that the card supports the requested size.\n" " If the key generation does not succeed, please check the\n" " documentation of your card to see what sizes are allowed.\n" msgstr "" 
@@ -1288,7 +1288,7 @@ msgstr "?%d????%u bit ??????????: %s\n" msgid "Make off-card backup of encryption key? (Y/n) " msgstr "?????????????????????? (Y/n) " -msgid "NOTE: keys are already stored on the card!\n" +msgid "Note: keys are already stored on the card!\n" msgstr "*??*: ??????????????????!\n" msgid "Replace existing keys? (y/N) " @@ -1908,7 +1908,7 @@ msgid "show expiration dates during signature listings" msgstr "??????????????????" #, c-format -msgid "NOTE: old default options file '%s' ignored\n" +msgid "Note: old default options file '%s' ignored\n" msgstr "*??*: ????????????????????'%s'????????\n" #, c-format @@ -1916,7 +1916,7 @@ msgid "libgcrypt is too old (need %s, have %s)\n" msgstr "libgcrypt ?????? (?? %s, ?? %s)\n" #, c-format -msgid "NOTE: %s is not for normal use!\n" +msgid "Note: %s is not for normal use!\n" msgstr "*??*: ??%s??????!\n" #, c-format @@ -2062,7 +2062,7 @@ msgstr "???default-cert-level?0?1?2?3????????? msgid "invalid min-cert-level; must be 1, 2, or 3\n" msgstr "???min-cert-level?0?1?2?3??????????\n" -msgid "NOTE: simple S2K mode (0) is strongly discouraged\n" +msgid "Note: simple S2K mode (0) is strongly discouraged\n" msgstr "*??*: ???S2K???(0)????????????\n" msgid "invalid S2K mode; must be 0, 1 or 3\n" @@ -3838,7 +3838,7 @@ msgid "" "key has been created %lu seconds in future (time warp or clock problem)\n" msgstr "??%lu????????? (??????????????)\n" -msgid "NOTE: creating subkeys for v3 keys is not OpenPGP compliant\n" +msgid "Note: creating subkeys for v3 keys is not OpenPGP compliant\n" msgstr "*??*: v3????????????OpenPGP???????\n" msgid "Secret parts of primary key are not available.\n" @@ -3859,7 +3859,7 @@ msgid "can't create backup file '%s': %s\n" msgstr "???????????'%s'????????: %s\n" #, c-format -msgid "NOTE: backup of card key saved to '%s'\n" +msgid "Note: backup of card key saved to '%s'\n" msgstr "*??*: ????????????'%s'???????\n" msgid "never " 
@@ -3880,6 +3880,10 @@ msgstr "???????????: " msgid "Signature notation: " msgstr "????: " +#, c-format +msgid "Warning: %lu key(s) skipped due to their large size\n" +msgstr "" + msgid "Keyring" msgstr "????" @@ -4080,7 +4084,7 @@ msgstr "?????????????????? ID: %s\n" msgid "decryption failed: %s\n" msgstr "?????????: %s\n" -msgid "NOTE: sender requested \"for-your-eyes-only\"\n" +msgid "Note: sender requested \"for-your-eyes-only\"\n" msgstr "*??*: ????\"?????\"?????????\n" #, c-format @@ -4693,10 +4697,10 @@ msgid "WARNING: cipher algorithm %s not found in recipient preferences\n" msgstr "*??*: ????????%s?????????????????\n" #, c-format -msgid "NOTE: secret key %s expired at %s\n" +msgid "Note: secret key %s expired at %s\n" msgstr "*??*: ???%s?%s??????????\n" -msgid "NOTE: key has been revoked" +msgid "Note: key has been revoked" msgstr "*??*: ????????" #, c-format @@ -4852,11 +4856,11 @@ msgid "" msgstr "?%s?%lu????????? (??????????????)\n" #, c-format -msgid "NOTE: signature key %s expired %s\n" +msgid "Note: signature key %s expired %s\n" msgstr "*??*: ???%s?%s??????????\n" #, c-format -msgid "NOTE: signature key %s has been revoked\n" +msgid "Note: signature key %s has been revoked\n" msgstr "*??*: ? %s ???????\n" #, c-format @@ -5002,7 +5006,7 @@ msgstr "%s: ??????????????\n" msgid "%s: trustdb created\n" msgstr "%s: ??????????????\n" -msgid "NOTE: trustdb not writable\n" +msgid "Note: trustdb not writable\n" msgstr "*??*: ??????????????????\n" #, c-format @@ -5497,7 +5501,9 @@ msgstr "???????????????????????? msgid "failed to open '%s': %s\n" msgstr "'%s'??????: %s\n" -msgid "note: non-critical certificate policy not allowed" +#, fuzzy +#| msgid "note: non-critical certificate policy not allowed" +msgid "Note: non-critical certificate policy not allowed" msgstr "??: ???????????????????????" msgid "certificate policy not allowed" 
@@ -6017,7 +6023,7 @@ msgstr "" "?????????????????????\n" #, c-format -msgid "NOTE: won't be able to encrypt to '%s': %s\n" +msgid "Note: won't be able to encrypt to '%s': %s\n" msgstr "*??*:'%s'????????????: %s\n" #, c-format @@ -7763,6 +7769,24 @@ msgstr "" "??: gpg-check-pattern [?????] ????????\n" "????????????????????????????\n" +#, fuzzy +#~| msgid "Note: no default option file '%s'\n" +#~ msgid "NOTE: no default option file '%s'\n" +#~ msgstr "*??*: ???????????????? '%s' ??????\n" + +#, fuzzy +#~| msgid "Note: %s is not for normal use!\n" +#~ msgid "NOTE: %s is not for normal use!\n" +#~ msgstr "*??*: ??%s??????!\n" + +#, fuzzy +#~| msgid "Note: creating subkeys for v3 keys is not OpenPGP compliant\n" +#~ msgid "NOTE: creating subkeys for v3 keys is not OpenPGP compliant\n" +#~ msgstr "*??*: v3????????????OpenPGP???????\n" + +#~ msgid "note: non-critical certificate policy not allowed" +#~ msgstr "??: ???????????????????????" + #~ msgid "use a standard location for the socket" #~ msgstr "?????????????" diff --git a/po/uk.po b/po/uk.po index 785fae5..f5f3d91 100644 --- a/po/uk.po +++ b/po/uk.po @@ -391,7 +391,7 @@ msgid "%s is too old (need %s, have %s)\n" msgstr "%s ? ??????? ?????????? (???????? %s, ????? %s)\n" #, c-format -msgid "NOTE: no default option file '%s'\n" +msgid "Note: no default option file '%s'\n" msgstr "??????????: ?? ???????? ????? ??????? ?????????? ?%s?\n" #, c-format @@ -403,7 +403,7 @@ msgid "reading options from '%s'\n" msgstr "????????? ????????? ? ?%s?\n" #, c-format -msgid "NOTE: '%s' is not considered an option\n" +msgid "Note: '%s' is not considered an option\n" msgstr "??????????: %s ?? ?????????? ??? ?????????? ????????????!\n" msgid "name of socket too long\n" 
@@ -1275,7 +1275,7 @@ msgid "Replace existing key? (y/N) " msgstr "???????? ??? ????????? ????? (y/N ??? ?/?) " msgid "" -"NOTE: There is no guarantee that the card supports the requested size.\n" +"Note: There is no guarantee that the card supports the requested size.\n" " If the key generation does not succeed, please check the\n" " documentation of your card to see what sizes are allowed.\n" msgstr "" @@ -1316,7 +1316,7 @@ msgstr "??????? ??? ??? ?????? ????? ??????? ?? msgid "Make off-card backup of encryption key? (Y/n) " msgstr "???????? ???????? ????? ????? ?????????? ???? ???????? (Y/n ??? ?/?) " -msgid "NOTE: keys are already stored on the card!\n" +msgid "Note: keys are already stored on the card!\n" msgstr "??????????: ????? ??? ????????? ?? ??????!\n" msgid "Replace existing keys? (y/N) " @@ -1966,7 +1966,7 @@ msgid "show expiration dates during signature listings" msgstr "?????????? ???? ?????????? ??????? ??? ? ?????? ????????" #, c-format -msgid "NOTE: old default options file '%s' ignored\n" +msgid "Note: old default options file '%s' ignored\n" msgstr "??????????: ?????????? ???? ??????? ?????????? ?%s? ?????????????\n" #, c-format @@ -1974,7 +1974,7 @@ msgid "libgcrypt is too old (need %s, have %s)\n" msgstr "libgcrypt ??????? ????? (???????? ? %s, ????? %s)\n" #, c-format -msgid "NOTE: %s is not for normal use!\n" +msgid "Note: %s is not for normal use!\n" msgstr "??????????: %s ?? ?????????? ??? ?????????? ????????????!\n" #, c-format @@ -2126,7 +2126,7 @@ msgstr "?????????? ???????? default-cert-level; ??? ??? msgid "invalid min-cert-level; must be 1, 2, or 3\n" msgstr "?????????? ???????? min-cert-level; ??? ???? 1, 2 ??? 3\n" -msgid "NOTE: simple S2K mode (0) is strongly discouraged\n" +msgid "Note: simple S2K mode (0) is strongly discouraged\n" msgstr "" "??????????: ??????????? ?? ???????????? ??? ????????????? ??????? ??????? " "S2K (0)\n" 
@@ -3960,7 +3960,7 @@ msgstr "" "???? ???? ???????? ? ????????? ?? %lu ??????? ? ??????????? (?????? ????? " "??? ???????? ? ??????????)\n" -msgid "NOTE: creating subkeys for v3 keys is not OpenPGP compliant\n" +msgid "Note: creating subkeys for v3 keys is not OpenPGP compliant\n" msgstr "??????????: ????????? ????????? ??? ?????? v3 ????????? ? OpenPGP\n" msgid "Secret parts of primary key are not available.\n" @@ -3981,7 +3981,7 @@ msgid "can't create backup file '%s': %s\n" msgstr "?? ??????? ???????? ???? ????????? ????? ?%s?: %s\n" #, c-format -msgid "NOTE: backup of card key saved to '%s'\n" +msgid "Note: backup of card key saved to '%s'\n" msgstr "??????????: ???????? ????? ????? ?? ?????? ????????? ?? ?%s?\n" msgid "never " @@ -4002,6 +4002,10 @@ msgstr "???????? ???????? ???????: " msgid "Signature notation: " msgstr "???????? ???????: " +#, c-format +msgid "Warning: %lu key(s) skipped due to their large size\n" +msgstr "" + msgid "Keyring" msgstr "??????? ??????" @@ -4210,7 +4214,7 @@ msgstr "????????? ?????? ???????? ? ?????????? msgid "decryption failed: %s\n" msgstr "??????? ?????? ?????????????: %s\n" -msgid "NOTE: sender requested \"for-your-eyes-only\"\n" +msgid "Note: sender requested \"for-your-eyes-only\"\n" msgstr "??????????: ?????? ???????????: ????? ??? ????\n" #, c-format @@ -4840,10 +4844,10 @@ msgid "WARNING: cipher algorithm %s not found in recipient preferences\n" msgstr "?????: ?? ???????? ????????? ?????????? %s ? ????????? ??????????\n" #, c-format -msgid "NOTE: secret key %s expired at %s\n" +msgid "Note: secret key %s expired at %s\n" msgstr "??????????: ????? ??? ????????? ????? %s ?????????? %s\n" -msgid "NOTE: key has been revoked" +msgid "Note: key has been revoked" msgstr "??????????: ???? ???? ??????????" #, c-format 
@@ -5003,11 +5007,11 @@ msgstr "" "??? ???????? ? ??????????)\n" #, c-format -msgid "NOTE: signature key %s expired %s\n" +msgid "Note: signature key %s expired %s\n" msgstr "??????????: ????? ??? ????? ??????? %s ?????????? %s\n" #, c-format -msgid "NOTE: signature key %s has been revoked\n" +msgid "Note: signature key %s has been revoked\n" msgstr "??????????: ???? ??????? %s ???? ??????????\n" #, c-format @@ -5162,7 +5166,7 @@ msgstr "%s: ???????? ?????????? trustdb\n" msgid "%s: trustdb created\n" msgstr "%s: ???????? trustdb\n" -msgid "NOTE: trustdb not writable\n" +msgid "Note: trustdb not writable\n" msgstr "??????????: ????? ?? trustdb ??????????\n" #, c-format @@ -5679,7 +5683,9 @@ msgstr "???????, ????????? ?? ????????, ??? ??? msgid "failed to open '%s': %s\n" msgstr "?? ??????? ???????? ?%s?: %s\n" -msgid "note: non-critical certificate policy not allowed" +#, fuzzy +#| msgid "note: non-critical certificate policy not allowed" +msgid "Note: non-critical certificate policy not allowed" msgstr "??????????: ?????????? ?????????? ??????? ????????????" msgid "certificate policy not allowed" @@ -6208,7 +6214,7 @@ msgstr "" "?????? ??? ?????????? ??? ??????? ?????\n" #, c-format -msgid "NOTE: won't be able to encrypt to '%s': %s\n" +msgid "Note: won't be able to encrypt to '%s': %s\n" msgstr "??????????: ?? ???????? ??????????? ?? ?%s?: %s\n" #, c-format 
@@ -7978,6 +7984,24 @@ msgstr "" "?????????: gpg-check-pattern [?????????] ????_????????\n" "?????????? ??????, ???????? ? stdin, ?? ????????? ?????_????????\n" +#, fuzzy +#~| msgid "Note: no default option file '%s'\n" +#~ msgid "NOTE: no default option file '%s'\n" +#~ msgstr "??????????: ?? ???????? ????? ??????? ?????????? ?%s?\n" + +#, fuzzy +#~| msgid "Note: %s is not for normal use!\n" +#~ msgid "NOTE: %s is not for normal use!\n" +#~ msgstr "??????????: %s ?? ?????????? ??? ?????????? ????????????!\n" + +#, fuzzy +#~| msgid "Note: creating subkeys for v3 keys is not OpenPGP compliant\n" +#~ msgid "NOTE: creating subkeys for v3 keys is not OpenPGP compliant\n" +#~ msgstr "??????????: ????????? ????????? ??? ?????? v3 ????????? ? OpenPGP\n" + +#~ msgid "note: non-critical certificate policy not allowed" +#~ msgstr "??????????: ?????????? ?????????? ??????? ????????????" + #~ msgid "use a standard location for the socket" #~ msgstr "??????????????? ??? ?????? ?????????? ????????????" diff --git a/scd/scdaemon.c b/scd/scdaemon.c index be99b00..9c55297 100644 --- a/scd/scdaemon.c +++ b/scd/scdaemon.c @@ -500,7 +500,7 @@ main (int argc, char **argv ) if (default_config) { if( parse_debug ) - log_info (_("NOTE: no default option file '%s'\n"), + log_info (_("Note: no default option file '%s'\n"), configname ); } else @@ -627,7 +627,7 @@ main (int argc, char **argv ) for (i=0; i < argc; i++) if (argv[i][0] == '-' && argv[i][1] == '-') - log_info (_("NOTE: '%s' is not considered an option\n"), argv[i]); + log_info (_("Note: '%s' is not considered an option\n"), argv[i]); } if (atexit (cleanup)) diff --git a/sm/certchain.c b/sm/certchain.c index 5f5fd80..5e632f7 100644 --- a/sm/certchain.c +++ b/sm/certchain.c 
@@ -350,7 +350,7 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist) { if (!opt.quiet) do_list (0, listmode, fplist, - _("note: non-critical certificate policy not allowed")); + _("Note: non-critical certificate policy not allowed")); return 0; } do_list (1, listmode, fplist, @@ -379,7 +379,7 @@ check_cert_policy (ksba_cert_t cert, int listmode, estream_t fplist) if (!any_critical) { do_list (0, listmode, fplist, - _("note: non-critical certificate policy not allowed")); + _("Note: non-critical certificate policy not allowed")); return 0; } do_list (1, listmode, fplist, diff --git a/sm/gpgsm.c b/sm/gpgsm.c index 2faf203..cc8039c 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -756,7 +756,7 @@ do_add_recipient (ctrl_t ctrl, const char *name, get_inv_recpsgnr_code (rc), name, NULL); } else - log_info (_("NOTE: won't be able to encrypt to '%s': %s\n"), + log_info (_("Note: won't be able to encrypt to '%s': %s\n"), name, gpg_strerror (rc)); } } @@ -1028,7 +1028,7 @@ main ( int argc, char **argv) if (default_config) { if (parse_debug) - log_info (_("NOTE: no default option file '%s'\n"), configname); + log_info (_("Note: no default option file '%s'\n"), configname); } else { @@ -1496,7 +1496,7 @@ main ( int argc, char **argv) for (i=0; i < argc; i++) if (argv[i][0] == '-' && argv[i][1] == '-') - log_info (_("NOTE: '%s' is not considered an option\n"), argv[i]); + log_info (_("Note: '%s' is not considered an option\n"), argv[i]); } /*FIXME if (opt.batch) */ diff --git a/tools/gpg-connect-agent.c b/tools/gpg-connect-agent.c index 07c3391..78dea2a 100644 --- a/tools/gpg-connect-agent.c +++ b/tools/gpg-connect-agent.c @@ -1219,7 +1219,7 @@ main (int argc, char **argv) for (i=0; i < argc; i++) if (argv[i][0] == '-' && argv[i][1] == '-') - log_info (_("NOTE: '%s' is not considered an option\n"), argv[i]); + log_info (_("Note: '%s' is not considered an option\n"), argv[i]); } diff --git a/tools/gpgconf.c b/tools/gpgconf.c index f63c05e..31804f5 100644 
--- a/tools/gpgconf.c +++ b/tools/gpgconf.c @@ -205,7 +205,7 @@ main (int argc, char **argv) for (i=0; i < argc; i++) if (argv[i][0] == '-' && argv[i][1] == '-') - log_info (_("NOTE: '%s' is not considered an option\n"), argv[i]); + log_info (_("Note: '%s' is not considered an option\n"), argv[i]); } fname = argc ? *argv : NULL; commit 36679f33aa0bf8bc6a03bcbd5b283cb541686434 Author: Werner Koch Date: Fri Oct 10 15:02:02 2014 +0200 po: Fix some grammar buglets in the German translation. -- Reported-by: Thomas Gries 1) "GnuPG erstellt eine User-ID,[Komma fehlt] um Ihren Schl?ssel ?" 2) "Die Karte wird nun konfiguriert,[<<< Komma fehlt] um einen ?" in gpg-agent 3) "verbite" ? "verbiete" 4) in gpg-agent --help ich f?nde eine einheitliche Gro?- bzw. Kleinschreibung der Befehle besser, derzeit gibt es einen Mix aus Gro?- und Kleinschreibung "Benutze... ", "benutze..." usw: Item 3 was already fixed. Also fixed some capitalization inconsistencies. Signed-off-by: Werner Koch diff --git a/po/de.po b/po/de.po index d3bd5ff..7c4dab7 100644 --- a/po/de.po +++ b/po/de.po @@ -9,7 +9,7 @@ msgid "" msgstr "" "Project-Id-Version: gnupg-2.1.0\n" "Report-Msgid-Bugs-To: translations at gnupg.org\n" -"PO-Revision-Date: 2014-10-03 12:12+0200\n" +"PO-Revision-Date: 2014-10-10 14:57+0200\n" "Last-Translator: Werner Koch \n" "Language-Team: German \n" "Language: de\n" @@ -319,13 +319,13 @@ msgid "use a log file for the server" msgstr "Logausgaben in eine Datei umlenken" msgid "|PGM|use PGM as the PIN-Entry program" -msgstr "|PGM|benutze PGM as PIN-Entry" +msgstr "|PGM|Benutze PGM as PIN-Entry" msgid "|PGM|use PGM as the SCdaemon program" -msgstr "|PGM|benutze PGM als SCdaemon" +msgstr "|PGM|Benutze PGM als SCdaemon" msgid "do not use the SCdaemon" -msgstr "Den Scdaemon-basierten Kartenzugriff nicht nutzen" +msgstr "Den SCdaemon-basierten Kartenzugriff nicht nutzen" msgid "ignore requests to change the TTY" msgstr "Ignoriere Anfragen, das TTY zu wechseln" 
@@ -334,16 +334,16 @@ msgid "ignore requests to change the X display" msgstr "Ignoriere Anfragen, das X-Display zu wechseln" msgid "|N|expire cached PINs after N seconds" -msgstr "|N|lasse PINs im Cache nach N Sekunden verfallen" +msgstr "|N|Lasse PINs im Cache nach N Sekunden verfallen" msgid "do not use the PIN cache when signing" -msgstr "benutze PINs im Cache nicht beim Signieren" +msgstr "Benutze PINs im Cache nicht beim Signieren" msgid "disallow clients to mark keys as \"trusted\"" -msgstr "verbiete Aufrufern Schl?ssel als \"vertrauensw?rdig\" zu markieren" +msgstr "Verbiete Aufrufern Schl?ssel als \"vertrauensw?rdig\" zu markieren" msgid "allow presetting passphrase" -msgstr "erlaube ein \"preset\" von Passphrases" +msgstr "Erlaube ein \"preset\" von Passphrases" msgid "enable ssh support" msgstr "SSH Unterst?tzung einschalten" @@ -1294,7 +1294,8 @@ msgstr "%s-Schl?ssell?ngen m?ssen im Bereich %u-%u sein\n" #, c-format msgid "The card will now be re-configured to generate a key of %u bits\n" msgstr "" -"Die Karte wird nun rekonfiguriert um einen Schl?ssel von %u Bit zu erzeugen\n" +"Die Karte wird nun rekonfiguriert, um einen Schl?ssel von %u Bit zu " +"erzeugen\n" #, c-format msgid "error changing size of key %d to %u bits: %s\n" @@ -1523,8 +1524,7 @@ msgstr "Mit unbekanntem Verfahren verschl?sselt %d\n" msgid "" "WARNING: message was encrypted with a weak key in the symmetric cipher.\n" -msgstr "" -"Warnung: Botschaft wurde mit einem unsicheren Schl?ssel verschl?sselt.\n" +msgstr "WARNUNG: Botschaft wurde mit einem unsicheren Schl?ssel verschl?sselt.\n" msgid "problem handling encrypted packet\n" msgstr "Problem beim Bearbeiten des verschl?sselten Pakets\n" @@ -3719,7 +3719,7 @@ msgid "" "\n" msgstr "" "\n" -"GnuPG erstellt eine User-ID um Ihren Schl?ssel identifizierbar zu machen.\n" +"GnuPG erstellt eine User-ID, um Ihren Schl?ssel identifizierbar zu machen.\n" "\n" #. TRANSLATORS: This string is in general not anymore used 
@@ -3929,7 +3929,7 @@ msgstr "" "Uhren stimmen nicht ?berein)\n" msgid "NOTE: creating subkeys for v3 keys is not OpenPGP compliant\n" -msgstr "HINWEIS: Unterschl?ssel f?r v3-Schl?ssel sind nicht OpenPGP-konform\n" +msgstr "Hinweis: Unterschl?ssel f?r v3-Schl?ssel sind nicht OpenPGP-konform\n" msgid "Secret parts of primary key are not available.\n" msgstr "Geheime Teile des Hauptschl?ssels sind nicht vorhanden.\n" @@ -3970,6 +3970,10 @@ msgstr "Entscheidender Beglaubigungs-\"Notation\": " msgid "Signature notation: " msgstr "Beglaubigungs-\"Notation\": " +#, c-format +msgid "Warning: %lu key(s) skipped due to their large size\n" +msgstr "WARNUNG: %lu Schl?ssel ?bersprungen, da sie zu gro? sind\n" + msgid "Keyring" msgstr "Schl?sselbund" @@ -4167,7 +4171,7 @@ msgstr "" "WARNUNG: Botschaft wurde nicht integrit?tsgesch?tzt (integrity protected)\n" msgid "WARNING: encrypted message has been manipulated!\n" -msgstr "Warnung: Verschl?sselte Botschaft ist manipuliert worden!\n" +msgstr "WARNUNG: Verschl?sselte Botschaft ist manipuliert worden!\n" #, c-format msgid "cleared passphrase cached with ID: %s\n" @@ -4690,8 +4694,7 @@ msgstr "Hinweis: ?berpr?fte Adresse des Unterzeichners ist `%s'\n" #, c-format msgid "Note: Signer's address '%s' does not match DNS entry\n" -msgstr "" -"Hinweise: Adresse des Unterzeichners `%s' passt nicht zum DNS-Eintrag\n" +msgstr "Hinweis: Adresse des Unterzeichners `%s' passt nicht zum DNS-Eintrag\n" msgid "trustlevel adjusted to FULL due to valid PKA info\n" msgstr "\"Trust\"-Ebene auf VOLLST?NDIG ge?ndert (wg. g?ltiger PKA-Info)\n" @@ -5166,7 +5169,7 @@ msgid "%s: trustdb created\n" msgstr "%s: trust-db erzeugt\n" msgid "NOTE: trustdb not writable\n" -msgstr "Notiz: Die \"trustdb\" ist nicht schreibbar\n" +msgstr "Hinweis: Die \"trustdb\" ist nicht schreibbar\n" #, c-format msgid "%s: invalid trustdb\n" 
@@ -5682,7 +5685,7 @@ msgid "failed to open '%s': %s\n" msgstr "Datei `%s' kann nicht ge?ffnet werden: %s\n" msgid "note: non-critical certificate policy not allowed" -msgstr "Notiz: Die unkritische Zertifikatsrichtlinie ist nicht erlaubt" +msgstr "Hinweis: Die unkritische Zertifikatsrichtlinie ist nicht erlaubt" msgid "certificate policy not allowed" msgstr "Die Zertifikatsrichtlinie ist nicht erlaubt" @@ -8388,7 +8391,7 @@ msgstr "" #~ msgstr "Fehler beim Schreiben des geheimen Schl?sselbundes `%s': %s\n" #~ msgid "WARNING: 2 files with confidential information exists.\n" -#~ msgstr "Warnung: Zwei Dateien mit vertraulichem Inhalt vorhanden.\n" +#~ msgstr "WARNUNG: Zwei Dateien mit vertraulichem Inhalt vorhanden.\n" #~ msgid "%s is the unchanged one\n" #~ msgstr "%s ist der Unver?nderte\n" ----------------------------------------------------------------------- Summary of changes: agent/gpg-agent.c | 4 +-- dirmngr/dirmngr.c | 4 +-- dirmngr/validate.c | 2 +- g10/card-util.c | 4 +-- g10/gpg.c | 14 ++++---- g10/keygen.c | 6 ++-- g10/mainproc.c | 2 +- g10/pubkey-enc.c | 4 +-- g10/revoke.c | 2 +- g10/sig-check.c | 4 +-- g10/tdbio.c | 2 +- po/de.po | 86 ++++++++++++++++++++++++--------------------- po/fr.po | 71 +++++++++++++++++++++++++------------ po/ja.po | 58 +++++++++++++++++++++--------- po/uk.po | 58 +++++++++++++++++++++--------- scd/scdaemon.c | 4 +-- sm/certchain.c | 4 +-- sm/gpgsm.c | 6 ++-- tools/gpg-connect-agent.c | 2 +- tools/gpgconf.c | 2 +- 20 files changed, 209 insertions(+), 130 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Sat Oct 11 19:44:52 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Sat, 11 Oct 2014 19:44:52 +0200 Subject: [git] GnuPG - branch, STABLE-BRANCH-2-0, updated. gnupg-2.0.26-14-geb756e2 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, STABLE-BRANCH-2-0 has been updated via eb756e2510bfcae3339e0907a7e4cacdea59b175 (commit) via 9112fed78b33faae32d21ab581721758ae2e95f2 (commit) from f952fe8c6ddf13ecca14ca72a27d1f8da6adc901 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit eb756e2510bfcae3339e0907a7e4cacdea59b175 Author: Werner Koch Date: Sat Oct 11 19:44:13 2014 +0200 gpg: Show v3 key fingerprints as all zero. * g10/keyid.c (fingerprint_from_pk): Show v3 fingerprints as all zero. -- MD5 is considered broken for a long time now. To make it easier for users to notice that a listing shows a v3 key, the fingerprint is now displayed as 16 zero bytes unless --allow-weak-digest-algos is active. Signed-off-by: Werner Koch diff --git a/g10/keyid.c b/g10/keyid.c index d7a877b..10eadef 100644 --- a/g10/keyid.c +++ b/g10/keyid.c 
@@ -672,7 +672,7 @@ fingerprint_from_pk( PKT_public_key *pk, byte *array, size_t *ret_len ) if ( pk->version < 4 ) { - if ( is_RSA(pk->pubkey_algo) ) + if ( is_RSA(pk->pubkey_algo) && opt.flags.allow_weak_digest_algos) { /* RSA in version 3 packets is special. */ gcry_md_hd_t md; commit 9112fed78b33faae32d21ab581721758ae2e95f2 Author: Werner Koch Date: Sat Oct 11 19:41:51 2014 +0200 gpg: Avoid using cached MD5 signature status. * g10/sig-check.c (check_key_signature2): Avoid using a cached MD5 signature status. * g10/keyring.c (keyring_get_keyblock): Ditto. (write_keyblock): Ditto. * g10/sig-check.c (do_check): Move reject warning to ... * g10/misc.c (print_md5_rejected_note): new. -- Signed-off-by: Werner Koch diff --git a/g10/keyring.c b/g10/keyring.c index 7482724..837df5e 100644 --- a/g10/keyring.c +++ b/g10/keyring.c @@ -31,7 +31,7 @@ #include "util.h" #include "keyring.h" #include "packet.h" -#include "keydb.h" +#include "keydb.h" #include "options.h" #include "main.h" /*for check_key_signature()*/ #include "i18n.h" @@ -46,11 +46,11 @@ struct off_item { /*off_t off;*/ }; -typedef struct off_item **OffsetHashTable; +typedef struct off_item **OffsetHashTable; typedef struct keyring_name *KR_NAME; -struct keyring_name +struct keyring_name { struct keyring_name *next; int secret; @@ -79,7 +79,7 @@ struct keyring_handle { int error; } current; struct { - CONST_KR_NAME kr; + CONST_KR_NAME kr; off_t offset; size_t pk_no; size_t uid_no; @@ -102,7 +102,7 @@ static struct off_item * new_offset_item (void) { struct off_item *k; - + k = xmalloc_clear (sizeof *k); return k; } @@ -121,7 +121,7 @@ release_offset_items (struct off_item *k) } #endif -static OffsetHashTable +static OffsetHashTable new_offset_hash_table (void) { struct off_item **tbl; 
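Review bot: The added `opt.flags.allow_weak_digest_algos` test in `fingerprint_from_pk` (g10/keyid.c, inside the `pk->version < 4` branch) changes what every caller receives for a v3 key, but the only comment left there still reads "RSA in version 3 packets is special". Per the commit message all v3 keys now report the same 16 zero bytes unless the option is set, so any caller that uses the fingerprint to tell keys apart or to look one up would presumably treat every v3 key as equal; that should be confirmed for the callers outside this hunk. I would add on the condition `/* The MD5 based v3 fingerprint is only computed with --allow-weak-digest-algos; otherwise it is reported as 16 zero bytes. */`. The function body continues outside the hunk, so the zero-filling path itself is not visible here.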
@@ -164,7 +164,7 @@ update_offset_hash_table (OffsetHashTable tbl, u32 *kid, off_t off) for (k = tbl[(kid[1] & 0x07ff)]; k; k = k->next) { - if (k->kid[0] == kid[0] && k->kid[1] == kid[1]) + if (k->kid[0] == kid[0] && k->kid[1] == kid[1]) { /*k->off = off;*/ return; @@ -194,14 +194,14 @@ update_offset_hash_table_from_kb (OffsetHashTable tbl, KBNODE node, off_t off) } } -/* +/* * Register a filename for plain keyring files. ptr is set to a * pointer to be used to create a handles etc, or the already-issued * pointer if it has already been registered. The function returns 1 * if a new keyring was registered. */ int -keyring_register_filename (const char *fname, int secret, int readonly, +keyring_register_filename (const char *fname, int secret, int readonly, void **ptr) { KR_NAME kr; @@ -217,7 +217,7 @@ keyring_register_filename (const char *fname, int secret, int readonly, if (readonly) kr->readonly = 1; *ptr=kr; - return 0; + return 0; } } @@ -251,12 +251,12 @@ keyring_is_writable (void *token) return r? (r->readonly || !access (r->fname, W_OK)) : 0; } - + /* Create a new handle for the resource associated with TOKEN. SECRET is just just as a cross-check. - + The returned handle must be released using keyring_release (). */ KEYRING_HANDLE keyring_new (void *token, int secret) @@ -265,7 +265,7 @@ keyring_new (void *token, int secret) KR_NAME resource = token; assert (resource && !resource->secret == !secret); - + hd = xmalloc_clear (sizeof *hd); hd->resource = resource; hd->secret = !!secret; @@ -273,7 +273,7 @@ keyring_new (void *token, int secret) return hd; } -void +void keyring_release (KEYRING_HANDLE hd) { if (!hd) @@ -300,7 +300,7 @@ keyring_get_resource_name (KEYRING_HANDLE hd) * Lock the keyring with the given handle, or unlock if YES is false. * We ignore the handle and lock all registered files. */ -int +int keyring_lock (KEYRING_HANDLE hd, int yes) { KR_NAME kr; 
@@ -323,7 +323,7 @@ keyring_lock (KEYRING_HANDLE hd, int yes) } if (rc) return rc; - + /* and now set the locks */ for (kr=kr_names; kr; kr = kr->next) { if (!keyring_is_writable(kr)) @@ -334,7 +334,7 @@ keyring_lock (KEYRING_HANDLE hd, int yes) log_info ("can't lock `%s'\n", kr->fname ); rc = G10ERR_GENERAL; } - else + else kr->is_locked = 1; } } @@ -347,10 +347,10 @@ keyring_lock (KEYRING_HANDLE hd, int yes) ; else if (release_dotlock (kr->lockhd)) log_info ("can't unlock `%s'\n", kr->fname ); - else + else kr->is_locked = 0; } - } + } return rc; } @@ -360,7 +360,7 @@ keyring_lock (KEYRING_HANDLE hd, int yes) /* * Return the last found keyring. Caller must free it. * The returned keyblock has the kbode flag bit 0 set for the node with - * the public key used to locate the keyblock or flag bit 1 set for + * the public key used to locate the keyblock or flag bit 1 set for * the user ID node. */ int @@ -406,7 +406,7 @@ keyring_get_keyblock (KEYRING_HANDLE hd, KBNODE *ret_kb) init_packet (pkt); continue; } - if (rc) { + if (rc) { log_error ("keyring_get_keyblock: read error: %s\n", g10_errstr(rc) ); rc = G10ERR_INV_KEYRING; 
@@ -426,19 +426,26 @@ keyring_get_keyblock (KEYRING_HANDLE hd, KBNODE *ret_kb) } in_cert = 1; - if (pkt->pkttype == PKT_RING_TRUST) + if (pkt->pkttype == PKT_RING_TRUST) { /*(this code is duplicated after the loop)*/ - if ( lastnode + if ( lastnode && lastnode->pkt->pkttype == PKT_SIGNATURE && (pkt->pkt.ring_trust->sigcache & 1) ) { - /* This is a ring trust packet with a checked signature + /* This is a ring trust packet with a checked signature * status cache following directly a signature paket. - * Set the cache status into that signature packet. */ + * Set the cache status into that signature packet. + * + * We do not use cached signatures made with MD5 to + * avoid using a cached status created with an older + * version of gpg. */ PKT_signature *sig = lastnode->pkt->pkt.signature; - - sig->flags.checked = 1; - sig->flags.valid = !!(pkt->pkt.ring_trust->sigcache & 2); + + if (sig->digest_algo != DIGEST_ALGO_MD5) + { + sig->flags.checked = 1; + sig->flags.valid = !!(pkt->pkt.ring_trust->sigcache & 2); + } } /* Reset LASTNODE, so that we set the cache status only from * the ring trust packet immediately following a signature. */ @@ -468,7 +475,7 @@ keyring_get_keyblock (KEYRING_HANDLE hd, KBNODE *ret_kb) if (++uid_no == hd->found.uid_no) node->flag |= 2; break; - + default: break; } @@ -478,7 +485,7 @@ keyring_get_keyblock (KEYRING_HANDLE hd, KBNODE *ret_kb) } set_packet_list_mode(save_mode); - if (rc == -1 && keyblock) + if (rc == -1 && keyblock) rc = 0; /* got the entire keyblock */ if (rc || !ret_kb) 
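Review bot: The `sig->digest_algo != DIGEST_ALGO_MD5` guard added in `keyring_get_keyblock` (hunk at -426) is written out a second time in the post-loop copy of the same code (hunk at -486) and a third time, folded into the condition, in `write_keyblock` (hunk at -1349). The existing comments already mark the first two as duplicates, and with three copies a later change to which digests may use the cached status has to find all of them; missing one would let a cached `valid` flag through on that path. A single static predicate, e.g. `static int sig_cache_allowed (PKT_signature *sig) { return sig->digest_algo != DIGEST_ALGO_MD5; }`, used at all three sites would keep the policy in one place. `keyring_get_keyblock` starts and ends outside these hunks.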
@@ -486,12 +493,15 @@ keyring_get_keyblock (KEYRING_HANDLE hd, KBNODE *ret_kb) else { /*(duplicated form the loop body)*/ if ( pkt && pkt->pkttype == PKT_RING_TRUST - && lastnode + && lastnode && lastnode->pkt->pkttype == PKT_SIGNATURE && (pkt->pkt.ring_trust->sigcache & 1) ) { PKT_signature *sig = lastnode->pkt->pkt.signature; - sig->flags.checked = 1; - sig->flags.valid = !!(pkt->pkt.ring_trust->sigcache & 2); + if (sig->digest_algo != DIGEST_ALGO_MD5) + { + sig->flags.checked = 1; + sig->flags.valid = !!(pkt->pkt.ring_trust->sigcache & 2); + } } *ret_kb = keyblock; } @@ -500,7 +510,7 @@ keyring_get_keyblock (KEYRING_HANDLE hd, KBNODE *ret_kb) iobuf_close(a); /* Make sure that future search operations fail immediately when - * we know that we are working on a invalid keyring + * we know that we are working on a invalid keyring */ if (rc == G10ERR_INV_KEYRING) hd->current.error = rc; @@ -571,11 +581,11 @@ keyring_insert_keyblock (KEYRING_HANDLE hd, KBNODE kb) if (hd->current.kr->readonly) return gpg_error (GPG_ERR_EACCES); } - else + else fname = hd->resource? hd->resource->fname:NULL; if (!fname) - return G10ERR_GENERAL; + return G10ERR_GENERAL; /* Close this one otherwise we will lose the position for * a next search. Fixme: it would be better to adjust the position @@ -590,7 +600,7 @@ keyring_insert_keyblock (KEYRING_HANDLE hd, KBNODE kb) { update_offset_hash_table_from_kb (kr_offtbl, kb, 0); } - + return rc; } @@ -639,10 +649,10 @@ keyring_delete_keyblock (KEYRING_HANDLE hd) -/* +/* * Start the next search on this handle right at the beginning */ -int +int keyring_search_reset (KEYRING_HANDLE hd) { assert (hd); 
@@ -652,17 +662,17 @@ keyring_search_reset (KEYRING_HANDLE hd) hd->current.iobuf = NULL; hd->current.eof = 0; hd->current.error = 0; - + hd->found.kr = NULL; hd->found.offset = 0; - return 0; + return 0; } static int prepare_search (KEYRING_HANDLE hd) { - if (hd->current.error) + if (hd->current.error) return hd->current.error; /* still in error state */ if (hd->current.kr && !hd->current.eof) { @@ -671,7 +681,7 @@ prepare_search (KEYRING_HANDLE hd) return 0; /* okay */ } - if (!hd->current.kr && hd->current.eof) + if (!hd->current.kr && hd->current.eof) return -1; /* still EOF */ if (!hd->current.kr) { /* start search with first keyring */ @@ -683,7 +693,7 @@ prepare_search (KEYRING_HANDLE hd) assert (!hd->current.iobuf); } else { /* EOF */ - iobuf_close (hd->current.iobuf); + iobuf_close (hd->current.iobuf); hd->current.iobuf = NULL; hd->current.kr = NULL; hd->current.eof = 1; @@ -841,7 +851,7 @@ compare_name (int mode, const char *name, const char *uid, size_t uidlen) int i; const char *s, *se; - if (mode == KEYDB_SEARCH_MODE_EXACT) { + if (mode == KEYDB_SEARCH_MODE_EXACT) { for (i=0; name[i] && uidlen; i++, uidlen--) if (uid[i] != name[i]) break; @@ -852,7 +862,7 @@ compare_name (int mode, const char *name, const char *uid, size_t uidlen) if (ascii_memistr( uid, uidlen, name )) return 0; } - else if ( mode == KEYDB_SEARCH_MODE_MAIL + else if ( mode == KEYDB_SEARCH_MODE_MAIL || mode == KEYDB_SEARCH_MODE_MAILSUB || mode == KEYDB_SEARCH_MODE_MAILEND) { for (i=0, s= uid; i < uidlen && *s != '<'; s++, i++) @@ -864,7 +874,7 @@ compare_name (int mode, const char *name, const char *uid, size_t uidlen) ; if (i < uidlen) { i = se - s; - if (mode == KEYDB_SEARCH_MODE_MAIL) { + if (mode == KEYDB_SEARCH_MODE_MAIL) { if( strlen(name)-2 == i && !ascii_memcasecmp( s, name+1, i) ) return 0; 
@@ -888,11 +898,11 @@ compare_name (int mode, const char *name, const char *uid, size_t uidlen) } -/* +/* * Search through the keyring(s), starting at the current position, * for a keyblock which contains one of the keys described in the DESC array. */ -int +int keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, size_t ndesc, size_t *descindex) { @@ -912,28 +922,28 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, /* figure out what information we need */ need_uid = need_words = need_keyid = need_fpr = any_skip = 0; - for (n=0; n < ndesc; n++) + for (n=0; n < ndesc; n++) { - switch (desc[n].mode) + switch (desc[n].mode) { - case KEYDB_SEARCH_MODE_EXACT: + case KEYDB_SEARCH_MODE_EXACT: case KEYDB_SEARCH_MODE_SUBSTR: case KEYDB_SEARCH_MODE_MAIL: case KEYDB_SEARCH_MODE_MAILSUB: case KEYDB_SEARCH_MODE_MAILEND: need_uid = 1; break; - case KEYDB_SEARCH_MODE_WORDS: + case KEYDB_SEARCH_MODE_WORDS: need_uid = 1; need_words = 1; break; - case KEYDB_SEARCH_MODE_SHORT_KID: + case KEYDB_SEARCH_MODE_SHORT_KID: case KEYDB_SEARCH_MODE_LONG_KID: need_keyid = 1; break; - case KEYDB_SEARCH_MODE_FPR16: + case KEYDB_SEARCH_MODE_FPR16: case KEYDB_SEARCH_MODE_FPR20: - case KEYDB_SEARCH_MODE_FPR: + case KEYDB_SEARCH_MODE_FPR: need_fpr = 1; break; case KEYDB_SEARCH_MODE_FIRST: @@ -942,7 +952,7 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, break; default: break; } - if (desc[n].skipfnc) + if (desc[n].skipfnc) { any_skip = 1; need_keyid = 1; @@ -961,7 +971,7 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, else if (ndesc == 1 && desc[0].mode == KEYDB_SEARCH_MODE_LONG_KID) { struct off_item *oi; - + oi = lookup_offset_hash_table (kr_offtbl, desc[0].u.kid); if (!oi) { /* We know that we don't have this key */ 
@@ -970,9 +980,9 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, return -1; } /* We could now create a positive search status and return. - * However the problem is that another instance of gpg may + * However the problem is that another instance of gpg may * have changed the keyring so that the offsets are not valid - * anymore - therefore we don't do it + * anymore - therefore we don't do it */ } @@ -983,13 +993,13 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, log_debug ("word search mode does not yet work\n"); /* FIXME: here is a long standing bug in our function and in addition we just use the first search description */ - for (n=0; n < ndesc && !name; n++) + for (n=0; n < ndesc && !name; n++) { - if (desc[n].mode == KEYDB_SEARCH_MODE_WORDS) + if (desc[n].mode == KEYDB_SEARCH_MODE_WORDS) name = desc[n].u.name; } assert (name); - if ( !hd->word_match.name || strcmp (hd->word_match.name, name) ) + if ( !hd->word_match.name || strcmp (hd->word_match.name, name) ) { /* name changed */ xfree (hd->word_match.name); @@ -1007,23 +1017,23 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, main_offset = 0; pk_no = uid_no = 0; initial_skip = 1; /* skip until we see the start of a keyblock */ - while (!(rc=search_packet (hd->current.iobuf, &pkt, &offset, need_uid))) + while (!(rc=search_packet (hd->current.iobuf, &pkt, &offset, need_uid))) { byte afp[MAX_FINGERPRINT_LEN]; size_t an; - if (pkt.pkttype == PKT_PUBLIC_KEY || pkt.pkttype == PKT_SECRET_KEY) + if (pkt.pkttype == PKT_PUBLIC_KEY || pkt.pkttype == PKT_SECRET_KEY) { main_offset = offset; pk_no = uid_no = 0; initial_skip = 0; } - if (initial_skip) + if (initial_skip) { free_packet (&pkt); continue; } - + pk = NULL; sk = NULL; uid = NULL; 
@@ -1044,13 +1054,13 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, if (use_offtbl && !kr_offtbl_ready) update_offset_hash_table (kr_offtbl, aki, main_offset); } - else if (pkt.pkttype == PKT_USER_ID) + else if (pkt.pkttype == PKT_USER_ID) { uid = pkt.pkt.user_id; ++uid_no; } else if ( pkt.pkttype == PKT_SECRET_KEY - || pkt.pkttype == PKT_SECRET_SUBKEY) + || pkt.pkttype == PKT_SECRET_SUBKEY) { sk = pkt.pkt.secret_key; ++pk_no; @@ -1062,28 +1072,28 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, } if (need_keyid) keyid_from_sk (sk, aki); - + } - for (n=0; n < ndesc; n++) + for (n=0; n < ndesc; n++) { switch (desc[n].mode) { - case KEYDB_SEARCH_MODE_NONE: + case KEYDB_SEARCH_MODE_NONE: BUG (); break; - case KEYDB_SEARCH_MODE_EXACT: + case KEYDB_SEARCH_MODE_EXACT: case KEYDB_SEARCH_MODE_SUBSTR: case KEYDB_SEARCH_MODE_MAIL: case KEYDB_SEARCH_MODE_MAILSUB: case KEYDB_SEARCH_MODE_MAILEND: - case KEYDB_SEARCH_MODE_WORDS: + case KEYDB_SEARCH_MODE_WORDS: if ( uid && !compare_name (desc[n].mode, desc[n].u.name, - uid->name, uid->len)) + uid->name, uid->len)) goto found; break; - - case KEYDB_SEARCH_MODE_SHORT_KID: + + case KEYDB_SEARCH_MODE_SHORT_KID: if ((pk||sk) && desc[n].u.kid[1] == aki[1]) goto found; break; @@ -1097,19 +1107,19 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, goto found; break; case KEYDB_SEARCH_MODE_FPR20: - case KEYDB_SEARCH_MODE_FPR: + case KEYDB_SEARCH_MODE_FPR: if ((pk||sk) && !memcmp (desc[n].u.fpr, afp, 20)) goto found; break; - case KEYDB_SEARCH_MODE_FIRST: + case KEYDB_SEARCH_MODE_FIRST: if (pk||sk) goto found; break; - case KEYDB_SEARCH_MODE_NEXT: + case KEYDB_SEARCH_MODE_NEXT: if (pk||sk) goto found; break; - default: + default: rc = G10ERR_INV_ARG; goto found; } 
@@ -1121,7 +1131,7 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, meaningful if this function returns with no errors. */ if(descindex) *descindex=n; - for (n=any_skip?0:ndesc; n < ndesc; n++) + for (n=any_skip?0:ndesc; n < ndesc; n++) { if (desc[n].skipfnc && desc[n].skipfnc (desc[n].skipfncvalue, aki, uid)) @@ -1147,12 +1157,12 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, if (use_offtbl && !kr_offtbl_ready) { KR_NAME kr; - + /* First set the did_full_scan flag for this keyring (ignore secret keyrings) */ for (kr=kr_names; kr; kr = kr->next) { - if (!kr->secret && hd->resource == kr) + if (!kr->secret && hd->resource == kr) { kr->did_full_scan = 1; break; @@ -1162,14 +1172,14 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, offtbl ready */ for (kr=kr_names; kr; kr = kr->next) { - if (!kr->secret && !kr->did_full_scan) + if (!kr->secret && !kr->did_full_scan) break; } if (!kr) kr_offtbl_ready = 1; } } - else + else hd->current.error = rc; free_packet(&pkt); @@ -1181,7 +1191,7 @@ keyring_search (KEYRING_HANDLE hd, KEYDB_SEARCH_DESC *desc, static int create_tmp_file (const char *template, char **r_bakfname, char **r_tmpfname, IOBUF *r_fp) -{ +{ char *bakfname, *tmpfname; mode_t oldmask; @@ -1205,7 +1215,7 @@ create_tmp_file (const char *template, strcpy (tmpfname,template); strcpy (tmpfname+strlen(template)-4, EXTSEP_S "tmp"); } - else + else { /* file does not end with gpg; hmmm */ bakfname = xmalloc (strlen( template ) + 5); strcpy (stpcpy(bakfname, template), EXTSEP_S "bak"); @@ -1239,7 +1249,7 @@ create_tmp_file (const char *template, xfree (bakfname); return rc; } - + *r_bakfname = bakfname; *r_tmpfname = tmpfname; return 0; @@ -1272,7 +1282,7 @@ rename_tmp_file (const char *bakfname, const char *tmpfname, /* first make a backup file except for secret keyrings */ if (!secret) - { + { #if defined(HAVE_DOSISH_SYSTEM) || defined(__riscos__) remove (bakfname); #endif 
@@ -1284,7 +1294,7 @@ rename_tmp_file (const char *bakfname, const char *tmpfname, return rc; } } - + /* then rename the file */ #if defined(HAVE_DOSISH_SYSTEM) || defined(__riscos__) remove( fname ); @@ -1309,7 +1319,7 @@ rename_tmp_file (const char *bakfname, const char *tmpfname, statbuf.st_mode=S_IRUSR | S_IWUSR; if (((secret && !opt.preserve_permissions) - || !stat (bakfname,&statbuf)) + || !stat (bakfname,&statbuf)) && !chmod (fname,statbuf.st_mode)) ; else @@ -1337,10 +1347,10 @@ write_keyblock (IOBUF fp, KBNODE keyblock) { KBNODE kbctx = NULL, node; int rc; - - while ( (node = walk_kbnode (keyblock, &kbctx, 0)) ) + + while ( (node = walk_kbnode (keyblock, &kbctx, 0)) ) { - if (node->pkt->pkttype == PKT_RING_TRUST) + if (node->pkt->pkttype == PKT_RING_TRUST) continue; /* we write it later on our own */ if ( (rc = build_packet (fp, node->pkt) )) @@ -1349,12 +1359,12 @@ write_keyblock (IOBUF fp, KBNODE keyblock) node->pkt->pkttype, g10_errstr(rc) ); return rc; } - if (node->pkt->pkttype == PKT_SIGNATURE) + if (node->pkt->pkttype == PKT_SIGNATURE) { /* always write a signature cache packet */ PKT_signature *sig = node->pkt->pkt.signature; unsigned int cacheval = 0; - - if (sig->flags.checked) + + if (sig->flags.checked && sig->digest_algo != DIGEST_ALGO_MD5) { cacheval |= 1; if (sig->flags.valid) @@ -1363,7 +1373,7 @@ write_keyblock (IOBUF fp, KBNODE keyblock) iobuf_put (fp, 0xb0); /* old style packet 12, 1 byte len*/ iobuf_put (fp, 2); /* 2 bytes */ iobuf_put (fp, 0); /* unused */ - if (iobuf_put (fp, cacheval)) + if (iobuf_put (fp, cacheval)) { rc = gpg_error_from_syserror (); log_error ("writing sigcache packet failed\n"); @@ -1374,7 +1384,7 @@ write_keyblock (IOBUF fp, KBNODE keyblock) return 0; } -/* +/* * Walk over all public keyrings, check the signatures and replace the * keyring with a new one where the signature cache is then updated. * This is only done for the public keyrings. 
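Review bot: The condition changed in `write_keyblock` (hunk at -1349), `if (sig->flags.checked && sig->digest_algo != DIGEST_ALGO_MD5)`, carries no explanation, while the matching read-side change in `keyring_get_keyblock` does. For an MD5 signature `cacheval` stays 0, so the ring trust packet is still written but records the signature as unchecked; a reader of this function alone cannot tell that this is deliberate. I would add above the condition `/* Never store a cached check status for MD5 signatures; keyring_get_keyblock ignores it as well. */`. `write_keyblock` begins in the preceding hunk of this file.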
@@ -1419,7 +1429,7 @@ keyring_rebuild_cache (void *token,int noisy) * the original file is closed */ tmpfp = NULL; } - rc = lastresname? rename_tmp_file (bakfilename, tmpfilename, + rc = lastresname? rename_tmp_file (bakfilename, tmpfilename, lastresname, 0) : 0; xfree (tmpfilename); tmpfilename = NULL; xfree (bakfilename); bakfilename = NULL; @@ -1432,10 +1442,10 @@ keyring_rebuild_cache (void *token,int noisy) if (rc) goto leave; } - + release_kbnode (keyblock); rc = keyring_get_keyblock (hd, &keyblock); - if (rc) + if (rc) { log_error ("keyring_get_keyblock failed: %s\n", g10_errstr(rc)); goto leave; @@ -1479,7 +1489,7 @@ keyring_rebuild_cache (void *token,int noisy) sigcount++; } } - + /* write the keyblock to the temporary file */ rc = write_keyblock (tmpfp, keyblock); if (rc) @@ -1489,10 +1499,10 @@ keyring_rebuild_cache (void *token,int noisy) log_info(_("%lu keys cached so far (%lu signatures)\n"), count, sigcount ); - } /* end main loop */ + } /* end main loop */ if (rc == -1) rc = 0; - if (rc) + if (rc) { log_error ("keyring_search failed: %s\n", g10_errstr(rc)); goto leave; @@ -1520,8 +1530,8 @@ keyring_rebuild_cache (void *token,int noisy) leave: if (tmpfp) iobuf_cancel (tmpfp); - xfree (tmpfilename); - xfree (bakfilename); + xfree (tmpfilename); + xfree (bakfilename); release_kbnode (keyblock); keyring_lock (hd, 0); keyring_release (hd); @@ -1544,13 +1554,13 @@ do_copy (int mode, const char *fname, KBNODE root, int secret, char *bakfname = NULL; char *tmpfname = NULL; - /* Open the source file. Because we do a rename, we have to check the + /* Open the source file. Because we do a rename, we have to check the permissions of the file */ if (access (fname, W_OK)) return gpg_error_from_syserror (); fp = iobuf_open (fname); - if (mode == 1 && !fp && errno == ENOENT) { + if (mode == 1 && !fp && errno == ENOENT) { /* insert mode but file does not exist: create a new file */ KBNODE kbctx, node; mode_t oldmask; 
diff --git a/g10/main.h b/g10/main.h index 4cf2cc7..e97b936 100644 --- a/g10/main.h +++ b/g10/main.h @@ -63,9 +63,6 @@ extern int g10_errors_seen; #else void g10_exit(int rc); #endif -void print_pubkey_algo_note( int algo ); -void print_cipher_algo_note( int algo ); -void print_digest_algo_note( int algo ); /*-- armor.c --*/ char *make_radix64_string( const byte *data, size_t len ); @@ -82,6 +79,10 @@ u16 checksum( byte *p, unsigned n ); u16 checksum_mpi( gcry_mpi_t a ); u32 buffer_to_u32( const byte *buffer ); const byte *get_session_marker( size_t *rlen ); +void print_pubkey_algo_note( int algo ); +void print_cipher_algo_note( int algo ); +void print_digest_algo_note( int algo ); +void print_md5_rejected_note (void); int map_cipher_openpgp_to_gcry (int algo); #define openpgp_cipher_open(_a,_b,_c,_d) gcry_cipher_open((_a),map_cipher_openpgp_to_gcry((_b)),(_c),(_d)) #define openpgp_cipher_get_algo_keylen(_a) gcry_cipher_get_algo_keylen(map_cipher_openpgp_to_gcry((_a))) diff --git a/g10/misc.c b/g10/misc.c index ef03776..17494ac 100644 --- a/g10/misc.c +++ b/g10/misc.c @@ -340,6 +340,22 @@ print_digest_algo_note( int algo ) } +void +print_md5_rejected_note (void) +{ + static int shown; + + if (!shown) + { + fflush (stdout); + log_info + (_("Note: signatures using the %s algorithm are rejected\n"), + "MD5"); + shown = 1; + } +} + + /* Map OpenPGP algo numbers to those used by Libgcrypt. We need to do this for algorithms we implemented in Libgcrypt after they become part of OpenPGP. */ diff --git a/g10/sig-check.c b/g10/sig-check.c index ed4fa89..2999693 100644 --- a/g10/sig-check.c +++ b/g10/sig-check.c 
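Review bot: print_md5_rejected_note in g10/misc.c is added without a header comment, and the purpose of the new `fflush (stdout)` before `log_info` is not stated; the inline copy removed from do_check had no such call. A one-line comment such as `/* Print a note, once per process, that MD5 signatures are rejected. */` above the function would cover the contract. A brief why-comment on the flush would cover the rest; presumably it keeps the note ordered after pending stdout output, but that should be confirmed.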
@@ -272,16 +272,7 @@ do_check( PKT_public_key *pk, PKT_signature *sig, gcry_md_hd_t digest, if (sig->digest_algo == GCRY_MD_MD5 && !opt.flags.allow_weak_digest_algos) { - static int shown; - - if (!shown) - { - log_info - (_("Note: signatures using the %s algorithm are rejected\n"), - "MD5"); - shown = 1; - } - + print_md5_rejected_note (); return GPG_ERR_DIGEST_ALGO; } @@ -549,9 +540,11 @@ check_key_signature2( KBNODE root, KBNODE node, PKT_public_key *check_pk, /* Check whether we have cached the result of a previous signature check. Note that we may no longer have the pubkey or hash needed to verify a sig, but can still use the cached value. A - cache refresh detects and clears these cases. */ + cache refresh detects and clears these cases. + For safety reasons we ignore cache entries from MD5 signatures. */ if ( !opt.no_sig_cache ) { - if (sig->flags.checked) { /*cached status available*/ + if (sig->flags.checked && sig->digest_algo != DIGEST_ALGO_MD5) { + /*cached status available*/ if( is_selfsig ) { u32 keyid[2]; ----------------------------------------------------------------------- Summary of changes: g10/keyid.c | 2 +- g10/keyring.c | 230 +++++++++++++++++++++++++++++-------------------------- g10/main.h | 7 +- g10/misc.c | 16 ++++ g10/sig-check.c | 17 ++-- 5 files changed, 146 insertions(+), 126 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Sun Oct 12 20:19:18 2014 
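Review bot: The MD5 tests in g10/sig-check.c name the algorithm in two ways: do_check compares `sig->digest_algo` with `GCRY_MD_MD5`, while the new cache test in check_key_signature2 uses `DIGEST_ALGO_MD5`, as does the matching test in write_keyblock. Using one constant at all three sites lets a single search find every place where the MD5 policy is enforced. The cache bypass is also unconditional, whereas the rejection in do_check is gated on `!opt.flags.allow_weak_digest_algos`. If that is intended, the new comment could say so, e.g. `MD5 entries are ignored even with --allow-weak-digest-algos; such signatures are verified again each time.` Both functions continue outside these hunks.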
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Sun, 12 Oct 2014 20:19:18 +0200 Subject: [git] GnuPG - branch, wk/test-master, created. gnupg-2.1.0-beta864-15-gbb961e0 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, wk/test-master has been created at bb961e062bbf1011ef3430afdf2075561ba400ab (commit) - Log ----------------------------------------------------------------- commit bb961e062bbf1011ef3430afdf2075561ba400ab Author: Werner Koch Date: Sun Oct 12 20:07:12 2014 +0200 gpg: Remove all support for v3 keys and always create v4-signatures. * g10/build-packet.c (do_key): Remove support for building v3 keys. * g10/parse-packet.c (read_protected_v3_mpi): Remove. (parse_key): Remove support for v3-keys. Add dedicated warnings for v3-key packets. * g10/keyid.c (hash_public_key): Remove v3-key support. (keyid_from_pk): Ditto. (fingerprint_from_pk): Ditto. * g10/options.h (opt): Remove fields force_v3_sigs and force_v4_certs. * g10/gpg.c (cmd_and_opt_values): Remove oForceV3Sigs, oNoForceV3Sigs, oForceV4Certs, oNoForceV4Certs. (opts): Turn --force-v3-sigs, --no-force-v3-sigs, --force-v4-certs, --no-force-v4-certs int dummy options. (main): Remove setting of the force_v3_sigs force_v4_certs flags. * g10/revoke.c (gen_revoke, create_revocation): Always create v4 certs. * g10/sign.c (hash_uid): Remove support for v3-signatures (hash_sigversion_to_magic): Ditto. (only_old_style): Remove this v3-key function. (write_signature_packets): Remove support for creating v3-signatures. (sign_file): Ditto. (sign_symencrypt_file): Ditto. (clearsign_file): Ditto. Remove code to emit no Hash armor line if only v3-keys are used. (make_keysig_packet): Remove arg SIGVERSION and force using v4-signatures. Change all callers to not pass a value for this arg. Remove all v3-key related code. 
(update_keysig_packet): Remove v3-signature support. * g10/keyedit.c (sign_uids): Always create v4-signatures. * g10/textfilter.c (copy_clearsig_text): Remove arg pgp2mode and change caller. -- v3 keys are deprecated for about 15 years and due the severe weaknesses of MD5 it does not make any sense to keep code around to use these old and broken keys. Users who need to decrypt old messages should use gpg 1.4 and best re-encrypt them to modern standards. verification of old (i.e. PGP2) created signatures is thus also not anymore possible but such signatures have no values anyway - MD5 is just too broken. We have also kept support for v3 signatures until now. With the removal of support for v3 keys it is questionable whether it makes any sense to keep support for v3-signatures. What we do now is to keep support for verification of v3-signatures but we force the use of v4-signatures. The latter makes the --pgp6 and --pgp7 switch a bit obsolete because those PGP versions require v3-signatures for messages. These versions of PGP are also really old and not anymore maintained so they have not received any bug fixes and should not be used anyway. Signed-off-by: Werner Koch diff --git a/doc/OpenPGP b/doc/OpenPGP index 96223d7..794f669 100644 --- a/doc/OpenPGP +++ b/doc/OpenPGP @@ -9,6 +9,15 @@ =================== GnuPG (>=1.0.3) is in compliance with RFC2440 despite these exceptions: + * With GnuPG >= 2.1.0 all support for version 3 keys has been + removed. Thus there is no more compatibility with PGP-2. Users + who need to be able to decrypt old PGP 2 messages should use + GnuPG 1.4.x along with the option --allow-weak-digest-algos. + + * With GnuPG >= 2.1.0 all signatures (on messages and keys) are + created using version 4 signatures. Support for verifying + version 3 signature is still available. + * (9.2) states that IDEA SHOULD be implemented. This is not done due to patent problems. UPDATE: Since version 1.4.13 (or GnuPG 2.x with Libgcrypt 1.6) 
diff --git a/doc/gpg.texi b/doc/gpg.texi index e7360e9..54ca1b2 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -2129,6 +2129,7 @@ platforms that have different line ending conventions (UNIX-like to Mac, Mac to Windows, etc). @option{--no-textmode} disables this option, and is the default. + at ifclear gpgtwoone @item --force-v3-sigs @itemx --no-force-v3-sigs @opindex force-v3-sigs @@ -2147,6 +2148,15 @@ Defaults to no. Always use v4 key signatures even on v3 keys. This option also changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1. @option{--no-force-v4-certs} disables this option. + at end ifclear + + at ifset gpgtwoone + at item --force-v3-sigs + at itemx --no-force-v3-sigs + at item --force-v4-certs + at itemx --no-force-v4-certs +These options are obsolete and have no effect since GnuPG 2.1. + at end ifset @item --force-mdc @opindex force-mdc @@ -2301,8 +2311,12 @@ compression algorithms none and ZIP. This also disables --throw-keyids, and making signatures with signing subkeys as PGP 6 does not understand signatures made by signing subkeys. -This option implies @option{--disable-mdc --escape-from-lines ---force-v3-sigs}. + at ifclear gpgtwoone +This option implies @option{--disable-mdc --escape-from-lines --force-v3-sigs}. + at end ifclear + at ifset gpgtwoone +This option implies @option{--disable-mdc --escape-from-lines}. + at end ifset @item --pgp7 @opindex pgp7 diff --git a/g10/build-packet.c b/g10/build-packet.c index af0de3b..c04abab 100644 --- a/g10/build-packet.c +++ b/g10/build-packet.c 
@@ -291,24 +291,13 @@ do_key (iobuf_t out, int ctb, PKT_public_key *pk) int i, nskey, npkey; iobuf_t a = iobuf_temp(); /* Build in a self-enlarging buffer. */ - /* Write the version number - if none is specified, use 3 */ + /* Write the version number - if none is specified, use 4 */ if ( !pk->version ) - iobuf_put ( a, 3 ); + iobuf_put ( a, 4 ); else iobuf_put ( a, pk->version ); write_32 (a, pk->timestamp ); - /* v3 needs the expiration time. */ - if ( pk->version < 4 ) - { - u16 ndays; - if ( pk->expiredate ) - ndays = (u16)((pk->expiredate - pk->timestamp) / 86400L); - else - ndays = 0; - write_16(a, ndays); - } - iobuf_put (a, pk->pubkey_algo ); /* Get number of secret and public parameters. They are held in one 
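Review bot: `iobuf_put ( a, pk->version )` in do_key still writes whatever non-zero version the key carries, but this hunk drops the v3 expiration field and the later do_key hunks drop the rfc1991 protection header and the per-MPI protected layout. A key with version 2 or 3 reaching this function would therefore be serialized as a packet labelled v3 with a v4 body. parse_key rejects such keys in this commit, so the case is probably unreachable, but do_key itself no longer enforces that. A guard near the top, e.g. `assert (!pk->version || pk->version == 4);` or an error return, would make the invariant explicit. The body of do_key starts and ends outside this hunk.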
@@ -347,45 +336,37 @@ do_key (iobuf_t out, int ctb, PKT_public_key *pk) /* Build the header for protected (encrypted) secret parameters. */ if (ski->is_protected) { - if ( is_RSA (pk->pubkey_algo) && pk->version < 4 && !ski->s2k.mode ) + /* OpenPGP protection according to rfc2440. */ + iobuf_put (a, ski->sha1chk? 0xfe : 0xff); + iobuf_put (a, ski->algo); + if (ski->s2k.mode >= 1000) { - /* The simple rfc1991 (v3) way. */ - iobuf_put (a, ski->algo ); - iobuf_write (a, ski->iv, ski->ivlen); + /* These modes are not possible in OpenPGP, we use them + to implement our extensions, 101 can be viewed as a + private/experimental extension (this is not specified + in rfc2440 but the same scheme is used for all other + algorithm identifiers). */ + iobuf_put (a, 101); + iobuf_put (a, ski->s2k.hash_algo); + iobuf_write (a, "GNU", 3 ); + iobuf_put (a, ski->s2k.mode - 1000); } else { - /* OpenPGP protection according to rfc2440. */ - iobuf_put (a, ski->sha1chk? 0xfe : 0xff); - iobuf_put (a, ski->algo); - if (ski->s2k.mode >= 1000) - { - /* These modes are not possible in OpenPGP, we use - them to implement our extensions, 101 can be - viewed as a private/experimental extension (this - is not specified in rfc2440 but the same scheme - is used for all other algorithm identifiers). */ - iobuf_put (a, 101); - iobuf_put (a, ski->s2k.hash_algo); - iobuf_write (a, "GNU", 3 ); - iobuf_put (a, ski->s2k.mode - 1000); - } - else - { - iobuf_put (a, ski->s2k.mode); - iobuf_put (a, ski->s2k.hash_algo); - } - - if (ski->s2k.mode == 1 || ski->s2k.mode == 3) - iobuf_write (a, ski->s2k.salt, 8); - - if (ski->s2k.mode == 3) - iobuf_put (a, ski->s2k.count); - - /* For our special modes 1001, 1002 we do not need an IV. 
*/ - if (ski->s2k.mode != 1001 && ski->s2k.mode != 1002) - iobuf_write (a, ski->iv, ski->ivlen); + iobuf_put (a, ski->s2k.mode); + iobuf_put (a, ski->s2k.hash_algo); } + + if (ski->s2k.mode == 1 || ski->s2k.mode == 3) + iobuf_write (a, ski->s2k.salt, 8); + + if (ski->s2k.mode == 3) + iobuf_put (a, ski->s2k.count); + + /* For our special modes 1001, 1002 we do not need an IV. */ + if (ski->s2k.mode != 1001 && ski->s2k.mode != 1002) + iobuf_write (a, ski->iv, ski->ivlen); + } else /* Not protected. */ iobuf_put (a, 0 ); @@ -400,7 +381,7 @@ do_key (iobuf_t out, int ctb, PKT_public_key *pk) /* The serial number gets stored in the IV field. */ iobuf_write (a, ski->iv, ski->ivlen); } - else if (ski->is_protected && pk->version >= 4) + else if (ski->is_protected) { /* The secret key is protected - write it out as it is. */ byte *p; @@ -410,20 +391,6 @@ do_key (iobuf_t out, int ctb, PKT_public_key *pk) p = gcry_mpi_get_opaque (pk->pkey[npkey], &ndatabits); iobuf_write (a, p, (ndatabits+7)/8 ); } - else if (ski->is_protected) - { - /* The secret key is protected the old v4 way. */ - for ( ; i < nskey; i++ ) - { - byte *p; - unsigned int ndatabits; - - assert (gcry_mpi_get_flag (pk->pkey[i], GCRYMPI_FLAG_OPAQUE)); - p = gcry_mpi_get_opaque (pk->pkey[i], &ndatabits); - iobuf_write (a, p, (ndatabits+7)/8); - } - write_16 (a, ski->csum ); - } else { /* Non-protected key. */ diff --git a/g10/filter.h b/g10/filter.h index 40c5134..731ad0f 100644 --- a/g10/filter.h +++ b/g10/filter.h @@ -152,7 +152,7 @@ int cipher_filter( void *opaque, int control, int text_filter( void *opaque, int control, iobuf_t chain, byte *buf, size_t *ret_len); int copy_clearsig_text (iobuf_t out, iobuf_t inp, gcry_md_hd_t md, - int escape_dash, int escape_from, int pgp2mode); + int escape_dash, int escape_from); /*-- progress.c --*/ progress_filter_context_t *new_progress_context (void); diff --git a/g10/gpg.c b/g10/gpg.c index 57deb8d..1df44fe 100644 --- a/g10/gpg.c +++ b/g10/gpg.c 
@@ -272,10 +272,6 @@ enum cmd_and_opt_values oShowPhotos, oNoShowPhotos, oPhotoViewer, - oForceV3Sigs, - oNoForceV3Sigs, - oForceV4Certs, - oNoForceV4Certs, oForceMDC, oNoForceMDC, oDisableMDC, @@ -525,10 +521,6 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oQuiet, "quiet", "@"), ARGPARSE_s_n (oNoTTY, "no-tty", "@"), - ARGPARSE_s_n (oForceV3Sigs, "force-v3-sigs", "@"), - ARGPARSE_s_n (oNoForceV3Sigs, "no-force-v3-sigs", "@"), - ARGPARSE_s_n (oForceV4Certs, "force-v4-certs", "@"), - ARGPARSE_s_n (oNoForceV4Certs, "no-force-v4-certs", "@"), ARGPARSE_s_n (oForceMDC, "force-mdc", "@"), ARGPARSE_s_n (oNoForceMDC, "no-force-mdc", "@"), ARGPARSE_s_n (oDisableMDC, "disable-mdc", "@"), @@ -810,6 +802,10 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oNoop, "no-sk-comments", "@"), ARGPARSE_s_n (oNoop, "compress-keys", "@"), ARGPARSE_s_n (oNoop, "compress-sigs", "@"), + ARGPARSE_s_n (oNoop, "force-v3-sigs", "@"), + ARGPARSE_s_n (oNoop, "no-force-v3-sigs", "@"), + ARGPARSE_s_n (oNoop, "force-v4-certs", "@"), + ARGPARSE_s_n (oNoop, "no-force-v4-certs", "@"), ARGPARSE_end () }; @@ -2535,7 +2531,6 @@ main (int argc, char **argv) opt.allow_freeform_uid = 1; opt.pgp2_workarounds = 0; opt.escape_from = 1; - opt.force_v3_sigs = 0; opt.not_dash_escaped = 0; opt.def_cipher_algo = 0; opt.def_digest_algo = 0; @@ -2553,7 +2548,6 @@ main (int argc, char **argv) opt.allow_freeform_uid = 1; opt.pgp2_workarounds = 0; opt.escape_from = 0; - opt.force_v3_sigs = 0; opt.not_dash_escaped = 0; opt.def_cipher_algo = 0; opt.def_digest_algo = 0; 
@@ -2637,10 +2631,7 @@ main (int argc, char **argv) opt.verify_options&=~VERIFY_SHOW_PHOTOS; break; case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; - case oForceV3Sigs: opt.force_v3_sigs = 1; break; - case oNoForceV3Sigs: opt.force_v3_sigs = 0; break; - case oForceV4Certs: opt.force_v4_certs = 1; break; - case oNoForceV4Certs: opt.force_v4_certs = 0; break; + case oForceMDC: opt.force_mdc = 1; break; case oNoForceMDC: opt.force_mdc = 0; break; case oDisableMDC: opt.disable_mdc = 1; break; @@ -3288,15 +3279,17 @@ main (int argc, char **argv) /* Do these after the switch(), so they can override settings. */ if(PGP6) { + /* That does not anymore work becuase we have no more support + for v3 signatures. */ opt.disable_mdc=1; opt.escape_from=1; - opt.force_v3_sigs=1; opt.ask_sig_expire=0; } else if(PGP7) { + /* That does not anymore work because we have no more support + for v3 signatures. */ opt.escape_from=1; - opt.force_v3_sigs=1; opt.ask_sig_expire=0; } else if(PGP8) diff --git a/g10/keyedit.c b/g10/keyedit.c index 308576d..a8e6f5d 100644 --- a/g10/keyedit.c +++ b/g10/keyedit.c @@ -536,14 +536,10 @@ sign_uids (estream_t fp, { u32 sk_keyid[2], pk_keyid[2]; char *p, *trust_regexp = NULL; - int force_v4 = 0, class = 0, selfsig = 0; + int class = 0, selfsig = 0; u32 duration = 0, timestamp = 0; byte trust_depth = 0, trust_value = 0; - if (local || nonrevocable || trust - || opt.cert_policy_url || opt.cert_notations) - force_v4 = 1; - pk = sk_rover->pk; keyid_from_pk (pk, sk_keyid); @@ -567,14 +563,7 @@ sign_uids (estream_t fp, /* Is this a self-sig? */ if (pk_keyid[0] == sk_keyid[0] && pk_keyid[1] == sk_keyid[1]) - { - selfsig = 1; - /* Do not force a v4 sig here, otherwise it would - be difficult to remake a v3 selfsig. If this - is a v3->v4 promotion case, then we set - force_v4 later anyway. */ - force_v4 = 0; - } + selfsig = 1; } else if (node->pkt->pkttype == PKT_USER_ID) { 
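Review bot: In the PGP6 block of main() in g10/gpg.c the new comment states that the mode no longer works, yet `opt.disable_mdc=1` is still applied, so --pgp6 keeps switching off MDC without delivering the compatibility it exists for. The user is not told either, because --pgp6 and --pgp7 are still accepted silently. Consider emitting a note at this point, for example `log_info ("Note: --pgp6 can no longer create v3 signatures\n");`, and reconsidering whether MDC should still be disabled in that branch. The first new comment also has a typo (`becuase`); both would read better as `/* This no longer works because support for v3 signatures has been removed. */`.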
@@ -716,7 +705,6 @@ sign_uids (estream_t fp, "it to an OpenPGP self-" "signature? (y/N) "))) { - force_v4 = 1; node->flag |= NODFLG_DELSIG; xfree (user); continue; @@ -860,7 +848,6 @@ sign_uids (estream_t fp, passphrase, etc). */ timestamp = now; duration = primary_pk->expiredate - now; - force_v4 = 1; } cpr_kill_prompt (); @@ -879,9 +866,6 @@ sign_uids (estream_t fp, duration = parse_expire_string (opt.def_cert_expire); } - if (duration) - force_v4 = 1; - if (selfsig) ; else @@ -1041,7 +1025,7 @@ sign_uids (estream_t fp, node->pkt->pkt.user_id, NULL, pk, - 0x13, 0, force_v4 ? 4 : 0, 0, 0, + 0x13, 0, 0, 0, keygen_add_std_prefs, primary_pk, NULL); else @@ -1049,7 +1033,7 @@ sign_uids (estream_t fp, node->pkt->pkt.user_id, NULL, pk, - class, 0, force_v4 ? 4 : 0, + class, 0, timestamp, duration, sign_mk_attrib, &attrib, NULL); @@ -3290,7 +3274,7 @@ menu_adduid (KBNODE pub_keyblock, int photo, const char *photo_name) if (!uid) return 0; - err = make_keysig_packet (&sig, pk, uid, NULL, pk, 0x13, 0, 0, 0, 0, + err = make_keysig_packet (&sig, pk, uid, NULL, pk, 0x13, 0, 0, 0, keygen_add_std_prefs, pk, NULL); if (err) { @@ -3674,9 +3658,7 @@ menu_addrevoker (ctrl_t ctrl, kbnode_t pub_keyblock, int sensitive) break; } - /* The 1F signature must be at least v4 to carry the revocation key - subpacket. */ - rc = make_keysig_packet (&sig, pk, NULL, NULL, pk, 0x1F, 0, 4, 0, 0, + rc = make_keysig_packet (&sig, pk, NULL, NULL, pk, 0x1F, 0, 0, 0, keygen_add_revkey, &revkey, NULL); if (rc) { @@ -4966,7 +4948,7 @@ reloop: /* (must use this, because we are modifing the list) */ } rc = make_keysig_packet (&sig, primary_pk, unode->pkt->pkt.user_id, - NULL, signerkey, 0x30, 0, 0, 0, 0, + NULL, signerkey, 0x30, 0, 0, 0, sign_mk_attrib, &attrib, NULL); free_public_key (signerkey); if (rc) 
@@ -5058,7 +5040,7 @@ menu_revuid (KBNODE pub_keyblock) node->flag &= ~NODFLG_SELUID; rc = make_keysig_packet (&sig, pk, uid, NULL, pk, 0x30, 0, - (reason == NULL) ? 3 : 0, timestamp, 0, + timestamp, 0, sign_mk_attrib, &attrib, NULL); if (rc) { @@ -5122,7 +5104,7 @@ menu_revkey (KBNODE pub_keyblock) return 0; rc = make_keysig_packet (&sig, pk, NULL, NULL, pk, - 0x20, 0, opt.force_v4_certs ? 4 : 0, 0, 0, + 0x20, 0, 0, 0, revocation_reason_build_cb, reason, NULL); if (rc) { @@ -5183,7 +5165,7 @@ menu_revsubkey (KBNODE pub_keyblock) node->flag &= ~NODFLG_SELKEY; rc = make_keysig_packet (&sig, mainpk, NULL, subpk, mainpk, - 0x28, 0, 0, 0, 0, sign_mk_attrib, &attrib, + 0x28, 0, 0, 0, sign_mk_attrib, &attrib, NULL); if (rc) { diff --git a/g10/keygen.c b/g10/keygen.c index 6079ff0..8095452 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -812,7 +812,7 @@ make_backsig (PKT_signature *sig, PKT_public_key *pk, cache_public_key (sub_pk); err = make_keysig_packet (&backsig, pk, NULL, sub_pk, sub_psk, 0x19, - 0, 0, timestamp, 0, NULL, NULL, cache_nonce); + 0, timestamp, 0, NULL, NULL, cache_nonce); if (err) log_error ("make_keysig_packet failed for backsig: %s\n", g10_errstr(err)); else @@ -922,7 +922,7 @@ write_direct_sig (KBNODE root, PKT_public_key *psk, /* Make the signature. */ err = make_keysig_packet (&sig, pk, NULL,NULL, psk, 0x1F, - 0, 0, timestamp, 0, + 0, timestamp, 0, keygen_add_revkey, revkey, cache_nonce); if (err) { @@ -977,7 +977,7 @@ write_selfsigs (KBNODE root, PKT_public_key *psk, /* Make the signature. */ err = make_keysig_packet (&sig, pk, uid, NULL, psk, 0x13, - 0, 0, timestamp, 0, + 0, timestamp, 0, keygen_add_std_prefs, pk, cache_nonce); if (err) { 
@@ -1036,12 +1036,12 @@ write_keybinding (KBNODE root, PKT_public_key *pri_psk, PKT_public_key *sub_psk, oduap.usage = use; oduap.pk = sub_pk; err = make_keysig_packet (&sig, pri_pk, NULL, sub_pk, pri_psk, 0x18, - 0, 0, timestamp, 0, + 0, timestamp, 0, keygen_add_key_flags_and_expire, &oduap, cache_nonce); if (err) { - log_error ("make_keysig_packet failed: %s\n", g10_errstr (err)); + log_error ("make_keysig_packeto failed: %s\n", g10_errstr (err)); return err; } diff --git a/g10/keyid.c b/g10/keyid.c index 3b4c10c..f1fbec2 100644 --- a/g10/keyid.c +++ b/g10/keyid.c @@ -147,10 +147,6 @@ hash_public_key (gcry_md_hd_t md, PKT_public_key *pk) size_t nbytes; int npkey = pubkey_get_npkey (pk->pubkey_algo); - /* Two extra bytes for the expiration date in v3 */ - if(pk->version<4) - n+=2; - /* FIXME: We can avoid the extra malloc by calling only the first mpi_print here which computes the required length and calling the real mpi_print only at the end. The speed advantage would only be @@ -211,16 +207,6 @@ hash_public_key (gcry_md_hd_t md, PKT_public_key *pk) gcry_md_putc ( md, pk->timestamp >> 8 ); gcry_md_putc ( md, pk->timestamp ); - if(pk->version<4) - { - u16 days=0; - if(pk->expiredate) - days=(u16)((pk->expiredate - pk->timestamp) / 86400L); - - gcry_md_putc ( md, days >> 8 ); - gcry_md_putc ( md, days ); - } - gcry_md_putc ( md, pk->pubkey_algo ); if(npkey==0 && pk->pkey[0] @@ -432,18 +418,6 @@ keyid_from_pk (PKT_public_key *pk, u32 *keyid) keyid[1] = pk->keyid[1]; lowbits = keyid[1]; } - else if( pk->version < 4 ) - { - if( is_RSA(pk->pubkey_algo) ) - { - lowbits = (pubkey_get_npkey (pk->pubkey_algo) ? - v3_keyid ( pk->pkey[0], keyid ) : 0); /* From n. */ - pk->keyid[0] = keyid[0]; - pk->keyid[1] = keyid[1]; - } - else - pk->keyid[0]=pk->keyid[1]=keyid[0]=keyid[1]=lowbits=0xFFFFFFFF; - } else { const byte *dp; 
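Review bot: The write_keybinding hunk in g10/keygen.c changes the error text to `make_keysig_packeto failed: %s\n`; the trailing `o` looks like a stray keystroke and means a search of logs for the function name will miss this message. The line should remain `log_error ("make_keysig_packet failed: %s\n", g10_errstr (err));`.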
@@ -706,66 +680,20 @@ colon_expirestr_from_sig (PKT_signature *sig) byte * fingerprint_from_pk (PKT_public_key *pk, byte *array, size_t *ret_len) { - byte *buf; const byte *dp; - size_t len, nbytes; - int i; - - if ( pk->version < 4 ) - { - if ( is_RSA(pk->pubkey_algo) ) - { - /* RSA in version 3 packets is special. */ - gcry_md_hd_t md; - - if (gcry_md_open (&md, DIGEST_ALGO_MD5, 0)) - BUG (); - if ( pubkey_get_npkey (pk->pubkey_algo) > 1 ) - { - for (i=0; i < 2; i++) - { - if (gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, - &nbytes, pk->pkey[i])) - BUG (); - /* fixme: Better allocate BUF on the stack */ - buf = xmalloc (nbytes); - if (gcry_mpi_print (GCRYMPI_FMT_USG, buf, nbytes, - NULL, pk->pkey[i])) - BUG (); - gcry_md_write (md, buf, nbytes); - xfree (buf); - } - } - gcry_md_final (md); - if (!array) - array = xmalloc (16); - len = 16; - memcpy (array, gcry_md_read (md, DIGEST_ALGO_MD5), 16); - gcry_md_close(md); - } - else - { - if (!array) - array = xmalloc(16); - len = 16; - memset (array,0,16); - } - } - else - { - gcry_md_hd_t md; + size_t len; + gcry_md_hd_t md; - md = do_fingerprint_md(pk); - dp = gcry_md_read( md, 0 ); - len = gcry_md_get_algo_dlen (gcry_md_get_algo (md)); - assert( len <= MAX_FINGERPRINT_LEN ); - if (!array) - array = xmalloc ( len ); - memcpy (array, dp, len ); - pk->keyid[0] = dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15] ; - pk->keyid[1] = dp[16] << 24 | dp[17] << 16 | dp[18] << 8 | dp[19] ; - gcry_md_close( md); - } + md = do_fingerprint_md(pk); + dp = gcry_md_read( md, 0 ); + len = gcry_md_get_algo_dlen (gcry_md_get_algo (md)); + assert( len <= MAX_FINGERPRINT_LEN ); + if (!array) + array = xmalloc ( len ); + memcpy (array, dp, len ); + pk->keyid[0] = dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15] ; + pk->keyid[1] = dp[16] << 24 | dp[17] << 16 | dp[18] << 8 | dp[19] ; + gcry_md_close( md); *ret_len = len; return array; diff --git a/g10/options.h b/g10/options.h index edd31a9..0875eb5 100644 --- a/g10/options.h 
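Review bot: fingerprint_from_pk now always derives the key ID from `dp[12]` through `dp[19]`, but the only length check is the upper bound `assert( len <= MAX_FINGERPRINT_LEN );`. That is safe only while do_fingerprint_md always yields a digest of at least 20 bytes, which cannot be confirmed from this hunk. Stating the assumption in the assert, `assert (len >= 20 && len <= MAX_FINGERPRINT_LEN);`, would document it and catch a shorter digest before the reads.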
+++ b/g10/options.h @@ -74,8 +74,6 @@ struct int no_armor; int list_packets; /* list-packets mode: 1=normal, 2=invoked by command*/ int def_cipher_algo; - int force_v3_sigs; - int force_v4_certs; int force_mdc; int disable_mdc; int def_digest_algo; diff --git a/g10/packet.h b/g10/packet.h index b1b82d7..ba43638 100644 --- a/g10/packet.h +++ b/g10/packet.h @@ -530,7 +530,7 @@ int ask_for_detached_datafile( gcry_md_hd_t md, gcry_md_hd_t md2, int make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk, PKT_user_id *uid, PKT_public_key *subpk, PKT_public_key *pksk, int sigclass, int digest_algo, - int sigversion, u32 timestamp, u32 duration, + u32 timestamp, u32 duration, int (*mksubpkt)(PKT_signature *, void *), void *opaque, const char *cache_nonce); diff --git a/g10/parse-packet.c b/g10/parse-packet.c index f7b2079..50da17c 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -1901,53 +1901,6 @@ parse_onepass_sig (IOBUF inp, int pkttype, unsigned long pktlen, } -static gcry_mpi_t -read_protected_v3_mpi (IOBUF inp, unsigned long *length) -{ - int c; - unsigned int nbits, nbytes; - unsigned char *buf, *p; - gcry_mpi_t val; - - if (*length < 2) - { - log_error ("mpi too small\n"); - return NULL; - } - - if ((c = iobuf_get (inp)) == -1) - return NULL; - --*length; - nbits = c << 8; - if ((c = iobuf_get (inp)) == -1) - return NULL; - --*length; - nbits |= c; - - if (nbits > 16384) - { - log_error ("mpi too large (%u bits)\n", nbits); - return NULL; - } - nbytes = (nbits + 7) / 8; - buf = p = xmalloc (2 + nbytes); - *p++ = nbits >> 8; - *p++ = nbits; - for (; nbytes && *length; nbytes--, --*length) - *p++ = iobuf_get (inp); - if (nbytes) - { - log_error ("packet shorter than mpi\n"); - xfree (buf); - return NULL; - } - - /* Convert buffer into an opaque MPI. */ - val = gcry_mpi_set_opaque (NULL, buf, (p - buf) * 8); - return val; -} - - static int parse_key (IOBUF inp, int pkttype, unsigned long pktlen, byte * hdr, int hdrlen, PACKET * pkt) 
@@ -1956,7 +1909,6 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, int i, version, algorithm; unsigned long timestamp, expiredate, max_expiredate; int npkey, nskey; - int is_v4 = 0; int rc = 0; u32 keyid[2]; PKT_public_key *pk; @@ -1991,8 +1943,19 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, return 0; } else if (version == 4) - is_v4 = 1; - else if (version != 2 && version != 3) + { + /* The only supported version. Use an older gpg + versions (i.e. gpg 1.4 to parse v3 packets). */ + } + else if (version == 2 || version == 3) + { + log_info ("packet(%d) with obsolete version %d\n", pkttype, version); + if (list_mode) + es_fprintf (listfp, ":key packet: [obsolete version %d]\n", version); + err = gpg_error (GPG_ERR_INV_PACKET); + goto leave; + } + else { log_error ("packet(%d) with unknown version %d\n", pkttype, version); if (list_mode) @@ -2012,23 +1975,8 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, timestamp = read_32 (inp); pktlen -= 4; - if (is_v4) - { - expiredate = 0; /* have to get it from the selfsignature */ - max_expiredate = 0; - } - else - { - unsigned short ndays; - ndays = read_16 (inp); - pktlen -= 2; - if (ndays) - expiredate = timestamp + ndays * 86400L; - else - expiredate = 0; - - max_expiredate = expiredate; - } + expiredate = 0; /* have to get it from the selfsignature */ + max_expiredate = 0; algorithm = iobuf_get_noeof (inp); pktlen--; if (list_mode) @@ -2145,7 +2093,7 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, ski->s2k.hash_algo = iobuf_get_noeof (inp); pktlen--; /* Check for the special GNU extension. */ - if (is_v4 && ski->s2k.mode == 101) + if (ski->s2k.mode == 101) { for (i = 0; i < 4 && pktlen; i++, pktlen--) temp[i] = iobuf_get_noeof (inp); 
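Review bot: Obsolete v2/v3 key packets are reported with `GPG_ERR_INV_PACKET`, the same code parse_key uses further down for an unreadable MPI, so a caller cannot tell "well-formed but no longer supported" from "corrupt". How callers such as key import react to this is not visible here. If the distinction matters, a dedicated error code would help; otherwise a comment at the `goto leave` saying that legacy keys are deliberately treated as invalid packets would do. The comment in the `version == 4` branch has a misplaced parenthesis; suggested wording: `/* The only supported version. Use an older gpg version (e.g. gpg 1.4) to parse v3 packets. */`. parse_key begins and ends outside these hunks.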
@@ -2312,7 +2260,7 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, 10 * 8); pktlen = 0; } - else if (is_v4 && ski->is_protected) + else if (ski->is_protected) { /* Ugly: The length is encrypted too, so we read all stuff * up to the end of the packet into the first SKEY @@ -2331,29 +2279,18 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, } else { - /* The v3 method: The mpi length is not encrypted. */ + /* Not encrypted. */ for (i = npkey; i < nskey; i++) { - if (ski->is_protected) - { - pk->pkey[i] = read_protected_v3_mpi (inp, &pktlen); - if (pk->pkey[i]) - gcry_mpi_set_flag (pk->pkey[i], GCRYMPI_FLAG_USER1); - if (list_mode) - es_fprintf (listfp, "\tskey[%d]: [v3 protected]\n", i); - } - else - { - unsigned int n = pktlen; - pk->pkey[i] = mpi_read (inp, &n, 0); - pktlen -= n; - if (list_mode) - { - es_fprintf (listfp, "\tskey[%d]: ", i); - mpi_print (listfp, pk->pkey[i], mpi_print_mode); - es_putc ('\n', listfp); - } - } + unsigned int n = pktlen; + pk->pkey[i] = mpi_read (inp, &n, 0); + pktlen -= n; + if (list_mode) + { + es_fprintf (listfp, "\tskey[%d]: ", i); + mpi_print (listfp, pk->pkey[i], mpi_print_mode); + es_putc ('\n', listfp); + } if (!pk->pkey[i]) err = gpg_error (GPG_ERR_INV_PACKET); diff --git a/g10/revoke.c b/g10/revoke.c index 81b5d6d..6b9e709 100644 --- a/g10/revoke.c +++ b/g10/revoke.c @@ -338,7 +338,7 @@ gen_desig_revoke( const char *uname, strlist_t locusr ) /* create it */ rc = make_keysig_packet( &sig, pk, NULL, NULL, pk2, 0x20, 0, - 0, 0, 0, + 0, 0, revocation_reason_build_cb, reason, NULL); if( rc ) { @@ -465,7 +465,6 @@ create_revocation (const char *filename, push_armor_filter (afx, out); rc = make_keysig_packet (&sig, psk, NULL, NULL, psk, 0x20, 0, - opt.force_v4_certs? 4:0, 0, 0, revocation_reason_build_cb, reason, cache_nonce); if (rc) 
@@ -649,16 +648,13 @@ gen_revoke (const char *uname) goto leave; } - if (psk->version >= 4 || opt.force_v4_certs) + /* Get the reason for the revocation. */ + reason = ask_revocation_reason (1, 0, 1); + if (!reason) { - /* Get the reason for the revocation. */ - reason = ask_revocation_reason (1, 0, 1); - if (!reason) - { - /* user decided to cancel */ - rc = 0; - goto leave; - } + /* User decided to cancel. */ + rc = 0; + goto leave; } if (!opt.armor) diff --git a/g10/sign.c b/g10/sign.c index bd78c17..e7d4a68 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -155,30 +155,32 @@ mk_notation_policy_etc (PKT_signature *sig, static void hash_uid (gcry_md_hd_t md, int sigversion, const PKT_user_id *uid) { - if ( sigversion >= 4 ) { - byte buf[5]; - - if(uid->attrib_data) { - buf[0] = 0xd1; /* indicates an attribute packet */ - buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */ - buf[2] = uid->attrib_len >> 16; - buf[3] = uid->attrib_len >> 8; - buf[4] = uid->attrib_len; - } - else { - buf[0] = 0xb4; /* indicates a userid packet */ - buf[1] = uid->len >> 24; /* always use 4 length bytes */ - buf[2] = uid->len >> 16; - buf[3] = uid->len >> 8; - buf[4] = uid->len; - } - gcry_md_write( md, buf, 5 ); + byte buf[5]; + + (void)sigversion; + + if (uid->attrib_data) + { + buf[0] = 0xd1; /* Indicates an attribute packet. */ + buf[1] = uid->attrib_len >> 24; /* Always use 4 length bytes. */ + buf[2] = uid->attrib_len >> 16; + buf[3] = uid->attrib_len >> 8; + buf[4] = uid->attrib_len; + } + else + { + buf[0] = 0xb4; /* Indicates a userid packet. */ + buf[1] = uid->len >> 24; /* Always use 4 length bytes. */ + buf[2] = uid->len >> 16; + buf[3] = uid->len >> 8; + buf[4] = uid->len; } + gcry_md_write( md, buf, 5 ); - if(uid->attrib_data) - gcry_md_write (md, uid->attrib_data, uid->attrib_len ); - else - gcry_md_write (md, uid->name, uid->len ); + if (uid->attrib_data) + gcry_md_write (md, uid->attrib_data, uid->attrib_len ); + else + gcry_md_write (md, uid->name, uid->len ); } 
@@ -188,45 +190,38 @@ hash_uid (gcry_md_hd_t md, int sigversion, const PKT_user_id *uid) static void hash_sigversion_to_magic (gcry_md_hd_t md, const PKT_signature *sig) { - if (sig->version >= 4) - gcry_md_putc (md, sig->version); - gcry_md_putc (md, sig->sig_class); - if (sig->version < 4) { - u32 a = sig->timestamp; - gcry_md_putc (md, (a >> 24) & 0xff ); - gcry_md_putc (md, (a >> 16) & 0xff ); - gcry_md_putc (md, (a >> 8) & 0xff ); - gcry_md_putc (md, a & 0xff ); + byte buf[6]; + size_t n; + + gcry_md_putc (md, sig->version); + gcry_md_putc (md, sig->sig_class); + gcry_md_putc (md, sig->pubkey_algo); + gcry_md_putc (md, sig->digest_algo); + if (sig->hashed) + { + n = sig->hashed->len; + gcry_md_putc (md, (n >> 8) ); + gcry_md_putc (md, n ); + gcry_md_write (md, sig->hashed->data, n ); + n += 6; } - else { - byte buf[6]; - size_t n; - - gcry_md_putc (md, sig->pubkey_algo); - gcry_md_putc (md, sig->digest_algo); - if (sig->hashed) { - n = sig->hashed->len; - gcry_md_putc (md, (n >> 8) ); - gcry_md_putc (md, n ); - gcry_md_write (md, sig->hashed->data, n ); - n += 6; - } - else { - gcry_md_putc (md, 0); /* always hash the length of the subpacket*/ - gcry_md_putc (md, 0); - n = 6; - } - /* add some magic */ - buf[0] = sig->version; - buf[1] = 0xff; - buf[2] = n >> 24; /* hmmm, n is only 16 bit, so this is always 0 */ - buf[3] = n >> 16; - buf[4] = n >> 8; - buf[5] = n; - gcry_md_write (md, buf, 6); + else + { + gcry_md_putc (md, 0); /* Always hash the length of the subpacket. */ + gcry_md_putc (md, 0); + n = 6; } + /* Add some magic. */ + buf[0] = sig->version; + buf[1] = 0xff; + buf[2] = n >> 24; /* (n is only 16 bit, so this is always 0) */ + buf[3] = n >> 16; + buf[4] = n >> 8; + buf[5] = n; + gcry_md_write (md, buf, 6); } + /* Perform the sign operation. If CACHE_NONCE is given the agent is advised to use that cached passphrase fro the key. */ static int 
@@ -520,26 +515,6 @@ hash_for (PKT_public_key *pk) } -/* Return true iff all keys in SK_LIST are old style (v3 RSA). */ -static int -only_old_style (SK_LIST sk_list) -{ - SK_LIST sk_rover = NULL; - int old_style = 0; - - for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) - { - PKT_public_key *pk = sk_rover->pk; - - if (pk->pubkey_algo == PUBKEY_ALGO_RSA && pk->version < 4) - old_style = 1; - else - return 0; - } - return old_style; -} - - static void print_status_sig_created (PKT_public_key *pk, PKT_signature *sig, int what) { @@ -705,10 +680,8 @@ write_signature_packets (SK_LIST sk_list, IOBUF out, gcry_md_hd_t hash, /* Build the signature packet. */ sig = xmalloc_clear (sizeof *sig); - if (opt.force_v3_sigs) - sig->version = 3; - else if (duration || opt.sig_policy_url - || opt.sig_notations || opt.sig_keyserver_url) + if (duration || opt.sig_policy_url + || opt.sig_notations || opt.sig_keyserver_url) sig->version = 4; else sig->version = pk->version; @@ -727,11 +700,8 @@ write_signature_packets (SK_LIST sk_list, IOBUF out, gcry_md_hd_t hash, if (gcry_md_copy (&md, hash)) BUG (); - if (sig->version >= 4) - { - build_sig_subpkt_from_sig (sig); - mk_notation_policy_etc (sig, pk, NULL); - } + build_sig_subpkt_from_sig (sig); + mk_notation_policy_etc (sig, pk, NULL); hash_sigversion_to_magic (md, sig); gcry_md_final (md); @@ -814,13 +784,10 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek))) goto leave; - if(!opt.force_v3_sigs) - { - if(opt.ask_sig_expire && !opt.batch) - duration=ask_expire_interval(1,opt.def_sig_expire); - else - duration=parse_expire_string(opt.def_sig_expire); - } + if (opt.ask_sig_expire && !opt.batch) + duration = ask_expire_interval(1,opt.def_sig_expire); + else + duration = parse_expire_string(opt.def_sig_expire); /* Note: In the old non-agent version the following call used to unprotect the secret key. This is now done on demand by the agent. */ 
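Review bot: In write_signature_packets the fall-through `sig->version = pk->version;` is kept, while the `sig->version >= 4` guard around `build_sig_subpkt_from_sig` and `mk_notation_policy_etc` is dropped in the next hunk. hash_sigversion_to_magic now always hashes the v4 layout, so a signature labelled with a lower version would carry hashed data and a trailer that do not match its version byte. Whether a key with `pk->version < 4` can still reach this function is not visible from these hunks. If it cannot, a comment or assertion should say so; otherwise floor the value, e.g. `sig->version = pk->version < 4 ? 4 : pk->version;`. The function body continues outside the hunk.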
@@ -1123,30 +1090,22 @@ clearsign_file( const char *fname, strlist_t locusr, const char *outfile ) int rc = 0; SK_LIST sk_list = NULL; SK_LIST sk_rover = NULL; - int old_style = 0; - int only_md5 = 0; u32 duration=0; pfx = new_progress_context (); afx = new_armor_context (); init_packet( &pkt ); - if(!opt.force_v3_sigs) - { - if(opt.ask_sig_expire && !opt.batch) - duration=ask_expire_interval(1,opt.def_sig_expire); - else - duration=parse_expire_string(opt.def_sig_expire); - } + if (opt.ask_sig_expire && !opt.batch) + duration = ask_expire_interval (1,opt.def_sig_expire); + else + duration = parse_expire_string (opt.def_sig_expire); /* Note: In the old non-agent version the following call used to unprotect the secret key. This is now done on demand by the agent. */ if( (rc=build_sk_list( locusr, &sk_list, PUBKEY_USAGE_SIG )) ) goto leave; - if(!duration ) - old_style = only_old_style( sk_list ); - /* prepare iobufs */ inp = iobuf_open(fname); if (inp && is_secured_file (iobuf_get_fd (inp))) @@ -1184,18 +1143,7 @@ clearsign_file( const char *fname, strlist_t locusr, const char *outfile ) iobuf_writestr(out, "-----BEGIN PGP SIGNED MESSAGE-----" LF ); - for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) - { - if (hash_for (sk_rover->pk) == DIGEST_ALGO_MD5) - only_md5 = 1; - else - { - only_md5 = 0; - break; - } - } - - if( !(old_style && only_md5) ) { + { const char *s; int any = 0; byte hashs_seen[256]; @@ -1234,8 +1182,8 @@ clearsign_file( const char *fname, strlist_t locusr, const char *outfile ) if ( DBG_HASHING ) gcry_md_debug ( textmd, "clearsign" ); - copy_clearsig_text( out, inp, textmd, !opt.not_dash_escaped, - opt.escape_from, (old_style && only_md5) ); + copy_clearsig_text (out, inp, textmd, !opt.not_dash_escaped, + opt.escape_from); /* fixme: check for read errors */ /* now write the armor */ 
@@ -1292,13 +1240,10 @@ sign_symencrypt_file (const char *fname, strlist_t locusr) memset( &cfx, 0, sizeof cfx); init_packet( &pkt ); - if(!opt.force_v3_sigs) - { - if(opt.ask_sig_expire && !opt.batch) - duration=ask_expire_interval(1,opt.def_sig_expire); - else - duration=parse_expire_string(opt.def_sig_expire); - } + if (opt.ask_sig_expire && !opt.batch) + duration = ask_expire_interval (1, opt.def_sig_expire); + else + duration = parse_expire_string (opt.def_sig_expire); /* Note: In the old non-agent version the following call used to unprotect the secret key. This is now done on demand by the agent. */ 
@@ -1441,52 +1386,39 @@ sign_symencrypt_file (const char *fname, strlist_t locusr) * applied (actually: dropped) when a v3 key is used. TIMESTAMP is * the timestamp to use for the signature. 0 means "now" */ int -make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk, +make_keysig_packet (PKT_signature **ret_sig, PKT_public_key *pk, PKT_user_id *uid, PKT_public_key *subpk, PKT_public_key *pksk, int sigclass, int digest_algo, - int sigversion, u32 timestamp, u32 duration, + u32 timestamp, u32 duration, int (*mksubpkt)(PKT_signature *, void *), void *opaque, const char *cache_nonce) { PKT_signature *sig; int rc=0; + int sigversion; gcry_md_hd_t md; assert( (sigclass >= 0x10 && sigclass <= 0x13) || sigclass == 0x1F || sigclass == 0x20 || sigclass == 0x18 || sigclass == 0x19 || sigclass == 0x30 || sigclass == 0x28 ); - if (opt.force_v4_certs) - sigversion = 4; - + sigversion = 4; if (sigversion < pksk->version) sigversion = pksk->version; - /* If you are making a signature on a v4 key using your v3 key, it - doesn't make sense to generate a v3 sig. After all, no v3-only - PGP implementation could understand the v4 key in the first - place. Note that this implies that a signature on an attribute - uid is usually going to be v4 as well, since they are not - generally found on v3 keys. */ - if (sigversion < pk->version) - sigversion = pk->version; - if( !digest_algo ) { - /* Basically, this means use SHA1 always unless it's a v3 RSA - key making a v3 cert (use MD5), or the user specified - something (use whatever they said), or it's DSA (use the - best match). They still can't pick an inappropriate hash - for DSA or the signature will fail. Note that this still - allows the caller of make_keysig_packet to override the - user setting if it must. */ + /* Basically, this means use SHA1 always unless the user + specified something (use whatever they said), or it's DSA + (use the best match). 
They still can't pick an + inappropriate hash for DSA or the signature will fail. + Note that this still allows the caller of + make_keysig_packet to override the user setting if it + must. */ if(opt.cert_digest_algo) digest_algo=opt.cert_digest_algo; - else if(pksk->pubkey_algo == PUBKEY_ALGO_RSA - && pk->version<4 && sigversion<4) - digest_algo = DIGEST_ALGO_MD5; else if(pksk->pubkey_algo == PUBKEY_ALGO_DSA) digest_algo = match_dsa_hash (gcry_mpi_get_nbits (pksk->pkey[1])/8); else if (pksk->pubkey_algo == PUBKEY_ALGO_ECDSA @@ -1533,16 +1465,14 @@ make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk, if(duration) sig->expiredate=sig->timestamp+duration; sig->sig_class = sigclass; - if( sig->version >= 4 ) - { - build_sig_subpkt_from_sig( sig ); - mk_notation_policy_etc (sig, pk, pksk); - } + + build_sig_subpkt_from_sig( sig ); + mk_notation_policy_etc (sig, pk, pksk); /* Crucial that the call to mksubpkt comes LAST before the calls to finalize the sig as that makes it possible for the mksubpkt function to get a reliable pointer to the subpacket area. */ - if( sig->version >= 4 && mksubpkt ) + if (mksubpkt) rc = (*mksubpkt)( sig, opaque ); if( !rc ) { 
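Review bot: The header comment of make_keysig_packet, visible as context at the top of the `@@ -1441,52` hunk, still describes something as "applied (actually: dropped) when a v3 key is used". That no longer matches the code, since the `sig->version >= 4` guards are removed and `sigversion` now starts at 4. The comment begins outside the hunk, so any description of the removed SIGVERSION parameter there should be checked as well. At the new assignment I would add a one-line comment such as `/* Never create anything below v4; follow the signing key if it is newer. */` so the remaining `if (sigversion < pksk->version)` test is not mistaken for leftover v3 logic.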
@@ -1627,17 +1557,14 @@ update_keysig_packet( PKT_signature **ret_sig, duration of 1) since build-packet.c:build_sig_subpkt_from_sig detects this case. */ - if( sig->version >= 4 ) - { - /* Put the updated timestamp into the sig. Note that this - will automagically lower any sig expiration dates to - correctly correspond to the differences in the timestamps - (i.e. the duration will shrink). */ - build_sig_subpkt_from_sig( sig ); - - if (mksubpkt) - rc = (*mksubpkt)(sig, opaque); - } + /* Put the updated timestamp into the sig. Note that this will + automagically lower any sig expiration dates to correctly + correspond to the differences in the timestamps (i.e. the + duration will shrink). */ + build_sig_subpkt_from_sig( sig ); + + if (mksubpkt) + rc = (*mksubpkt)(sig, opaque); if (!rc) { hash_sigversion_to_magic (md, sig); diff --git a/g10/textfilter.c b/g10/textfilter.c index 14bf699..394d9c3 100644 --- a/g10/textfilter.c +++ b/g10/textfilter.c @@ -161,7 +161,7 @@ text_filter( void *opaque, int control, */ int copy_clearsig_text( IOBUF out, IOBUF inp, gcry_md_hd_t md, - int escape_dash, int escape_from, int pgp2mode ) + int escape_dash, int escape_from) { unsigned int maxlen; byte *buffer = NULL; /* malloced buffer */ @@ -170,10 +170,7 @@ copy_clearsig_text( IOBUF out, IOBUF inp, gcry_md_hd_t md, int truncated = 0; int pending_lf = 0; - if( !opt.pgp2_workarounds ) - pgp2mode = 0; - - if( !escape_dash ) + if( !escape_dash ) escape_from = 0; write_status_begin_signing (md); @@ -194,9 +191,7 @@ copy_clearsig_text( IOBUF out, IOBUF inp, gcry_md_hd_t md, gcry_md_putc ( md, '\n' ); } gcry_md_write ( md, buffer, - len_without_trailing_chars (buffer, n, - pgp2mode? - " \r\n":" \t\r\n")); + len_without_trailing_chars (buffer, n, " \t\r\n")); } else gcry_md_write ( md, buffer, n ); diff --git a/tests/openpgp/defs.inc b/tests/openpgp/defs.inc index 2faa4c2..b7320d5 100755 --- a/tests/openpgp/defs.inc +++ b/tests/openpgp/defs.inc 
@@ -24,7 +24,7 @@ dsa_usrname1="pgp5" # we use the sub key because we do not yet have the logic to to derive # the first encryption key from a keyblock (I guess) (Well of course # we have this by now and the notation below will lookup the primary -# first and the search for the encryption subkey.) +# first and then search for the encryption subkey.) dsa_usrname2="0xCB879DE9" commit 2d68dc437e7de92619abe3a019b0a7606487b6bf Author: Werner Koch Date: Sun Oct 12 19:15:20 2014 +0200 gpg: Minor change for better readability. * g10/build-packet.c (write_version): Remove. (do_pubkey_enc, do_onepass_sig): Write version directly. Signed-off-by: Werner Koch diff --git a/g10/build-packet.c b/g10/build-packet.c index 7464979..af0de3b 100644 --- a/g10/build-packet.c +++ b/g10/build-packet.c @@ -52,7 +52,6 @@ static int write_header( IOBUF out, int ctb, u32 len ); static int write_sign_packet_header( IOBUF out, int ctb, u32 len ); static int write_header2( IOBUF out, int ctb, u32 len, int hdrlen ); static int write_new_header( IOBUF out, int ctb, u32 len, int hdrlen ); -static int write_version( IOBUF out, int ctb ); /**************** * Build a packet and write it to INP @@ -488,7 +487,8 @@ do_pubkey_enc( IOBUF out, int ctb, PKT_pubkey_enc *enc ) int n, i; IOBUF a = iobuf_temp(); - write_version( a, ctb ); + iobuf_put (a, 3); /* Version. */ + if ( enc->throw_keyid ) { write_32(a, 0 ); /* Don't tell Eve who can decrypt the message. */ @@ -1190,7 +1190,7 @@ do_onepass_sig( IOBUF out, int ctb, PKT_onepass_sig *ops ) int rc = 0; IOBUF a = iobuf_temp(); - write_version( a, ctb ); + iobuf_put (a, 3); /* Version. */ iobuf_put(a, ops->sig_class ); iobuf_put(a, ops->digest_algo ); iobuf_put(a, ops->pubkey_algo ); 
@@ -1370,13 +1370,3 @@ write_new_header( IOBUF out, int ctb, u32 len, int hdrlen ) } return 0; } - -static int -write_version (IOBUF out, int ctb) -{ - (void)ctb; - - if (iobuf_put (out, 3)) - return -1; - return 0; -} ----------------------------------------------------------------------- hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Mon Oct 13 15:12:58 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Mon, 13 Oct 2014 15:12:58 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta864-19-gfab89f1 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via fab89f159bcb36ea7285af661d5756eefa981822 (commit) via 21c0ea6bafafbcc4a2e07f0ac76275cc0229e9a0 (commit) via c60814a5ce13932d933b363abc0c60c12783ae2f (commit) via a2567225373a7e4e4a6eb0cba1d9ab6ff2d1330a (commit) via 2543f0ab9c7b4247347688863f898667bae31984 (commit) via 2d68dc437e7de92619abe3a019b0a7606487b6bf (commit) from 54ffe2045aa4d3157f0919744210c9463594799c (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit fab89f159bcb36ea7285af661d5756eefa981822 Author: Werner Koch Date: Mon Oct 13 15:00:39 2014 +0200 gpg: Remove extra RSA import status line. * g10/import.c (stats_s): Remove field "imported_rsa". (import_print_stats): Do not print separate value for RSA. (import_one): Remove the RSA counter. -- RSA is the standard key format and thus there is no more need to have a separate counter. This is a remain from the RSA patent times. Signed-off-by: Werner Koch diff --git a/doc/DETAILS b/doc/DETAILS index 311dfe3..eafd312 100644 --- a/doc/DETAILS +++ b/doc/DETAILS 
@@ -739,7 +739,7 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB: - - - - - + - always 0 (formerly used for the number of RSA keys) - - - diff --git a/g10/import.c b/g10/import.c index 8f7595c..16e2b0b 100644 --- a/g10/import.c +++ b/g10/import.c @@ -45,7 +45,6 @@ struct stats_s { ulong count; ulong no_user_id; ulong imported; - ulong imported_rsa; ulong n_uids; ulong n_sigs; ulong n_subk; @@ -399,10 +398,8 @@ import_print_stats (void *hd) stats->skipped_new_keys ); if( stats->no_user_id ) log_info(_(" w/o user IDs: %lu\n"), stats->no_user_id ); - if( stats->imported || stats->imported_rsa ) { + if( stats->imported) { log_info(_(" imported: %lu"), stats->imported ); - if (stats->imported_rsa) - log_printf (" (RSA: %lu)", stats->imported_rsa ); log_printf ("\n"); } if( stats->unchanged ) @@ -431,11 +428,10 @@ import_print_stats (void *hd) if( is_status_enabled() ) { char buf[14*20]; - sprintf(buf, "%lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu", + sprintf(buf, "%lu %lu %lu 0 %lu %lu %lu %lu %lu %lu %lu %lu %lu %lu", stats->count, stats->no_user_id, stats->imported, - stats->imported_rsa, stats->unchanged, stats->n_uids, stats->n_subk, @@ -1022,8 +1018,6 @@ import_one (ctrl_t ctrl, print_import_ok (pk, 1); } stats->imported++; - if( is_RSA( pk->pubkey_algo ) ) - stats->imported_rsa++; new_key = 1; } else { /* merge */ diff --git a/tests/openpgp/import.test b/tests/openpgp/import.test index a58db40..783d059 100755 --- a/tests/openpgp/import.test +++ b/tests/openpgp/import.test 
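Review bot: The status line in import_print_stats is still built with `sprintf` into `char buf[14*20]`. The bound holds only because thirteen `%lu` values of at most 20 digits, the literal `0`, the separators and the terminator add up to 275 bytes, which assumes `unsigned long` is no wider than 64 bits. Since the format string is being edited here anyway, `snprintf (buf, sizeof buf, ...)` would make the bound explicit and keep a later added field from overrunning the buffer. A short comment next to the literal `0`, saying it is the retired RSA counter kept so the remaining fields keep their positions, would help anyone parsing the status output. The argument list continues outside the hunk.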
@@ -43,4 +43,6 @@ $GPG --import $key1 || true $GPG --import $key2 || true n=$($GPG --list-keys --with-colons $fpr1 $fpr2 2>/dev/null \ | grep '^pub:.:4096:1:DDA252EBB8EBE1AF:' | wc -l) -[ $n -ne 2 ] && error "Importing keys with long id collision failed" +if [ $n -ne 2 ] ; then + error "Importing keys with long id collision failed" +fi commit 21c0ea6bafafbcc4a2e07f0ac76275cc0229e9a0 Author: Werner Koch Date: Mon Oct 13 14:54:26 2014 +0200 gpg: Fix informative printing of user ids. * g10/getkey.c (keyid_list): Add field "fpr". (cache_user_id): Store fpr and check for dups only by fpr. (get_pubkey_byfpr): New. (get_user_id_string): Make static and use xasprintf. (get_long_user_id_string): Use xasprintf. (get_user_id_byfpr): New. (get_user_id_byfpr_native): New. * g10/keyid.c (fingerprint_from_pk): Make arg RET_LEN optional. * g10/import.c (import_one): Use get_user_id_byfpr_native. -- We now cache the userids using the fingerprint. This allows to print the correct user id for keys with a duplicated key id. We should eventually start to retire the use of all the old keyid based functions. However, at some places we only have the keyid and thus some of them will need to be kept (maybe changed with an indication to show that more than several user ids are matching). Signed-off-by: Werner Koch diff --git a/g10/getkey.c b/g10/getkey.c index 707a106..4f10c18 100644 --- a/g10/getkey.c +++ b/g10/getkey.c @@ -74,6 +74,7 @@ static struct typedef struct keyid_list { struct keyid_list *next; + char fpr[MAX_FINGERPRINT_LEN]; u32 keyid[2]; } *keyid_list_t; @@ -263,6 +264,7 @@ cache_user_id (KBNODE keyblock) keyid_list_t a = xmalloc_clear (sizeof *a); /* Hmmm: For a long list of keyids it might be an advantage * to append the keys. */ + fingerprint_from_pk (k->pkt->pkt.public_key, a->fpr, NULL); keyid_from_pk (k->pkt->pkt.public_key, a->keyid); /* First check for duplicates. */ for (r = user_id_db; r; r = r->next) 
@@ -270,8 +272,7 @@ cache_user_id (KBNODE keyblock) keyid_list_t b = r->keyids; for (b = r->keyids; b; b = b->next) { - if (b->keyid[0] == a->keyid[0] - && b->keyid[1] == a->keyid[1]) + if (!memcmp (b->fpr, a->fpr, MAX_FINGERPRINT_LEN)) { if (DBG_CACHE) log_debug ("cache_user_id: already in cache\n"); @@ -950,6 +951,34 @@ get_pubkey_end (GETKEY_CTX ctx) } +/* Search for a key with the given standard fingerprint. In contrast + * to get_pubkey_byfprint we assume a right padded fingerprint of the + * standard length. PK may be NULL to only put the result into the + * internal caches. */ +gpg_error_t +get_pubkey_byfpr (PKT_public_key *pk, const byte *fpr) +{ + gpg_error_t err; + struct getkey_ctx_s ctx; + kbnode_t kb = NULL; + + memset (&ctx, 0, sizeof ctx); + ctx.exact = 1; + ctx.not_allocated = 1; + ctx.kr_handle = keydb_new (); + ctx.nitems = 1; + ctx.items[0].mode = KEYDB_SEARCH_MODE_FPR; + memcpy (ctx.items[0].u.fpr, fpr, MAX_FINGERPRINT_LEN); + err = lookup (&ctx, &kb, 0); + if (!err && pk) + pk_from_block (&ctx, pk, kb); + release_kbnode (kb); + get_pubkey_end (&ctx); + + return err; +} + + /* Search for a key with the given fingerprint. * FIXME: * We should replace this with the _byname function. This can be done @@ -2687,11 +2716,10 @@ enum_secret_keys (void **context, PKT_public_key *sk) /* Return a string with a printable representation of the user_id. * this string must be freed by xfree. */ -char * +static char * get_user_id_string (u32 * keyid) { user_id_db_t r; - char *p; int pass = 0; /* Try it two times; second pass reads from key resources. */ do 
@@ -2703,17 +2731,13 @@ get_user_id_string (u32 * keyid) { if (a->keyid[0] == keyid[0] && a->keyid[1] == keyid[1]) { - p = xmalloc (keystrlen () + 1 + r->len + 1); - sprintf (p, "%s %.*s", keystr (keyid), r->len, r->name); - return p; + return xasprintf ("%s %.*s", keystr (keyid), r->len, r->name); } } } } while (++pass < 2 && !get_pubkey (NULL, keyid)); - p = xmalloc (keystrlen () + 5); - sprintf (p, "%s [?]", keystr (keyid)); - return p; + return xasprintf ("%s [?]", keystr (keyid)); } @@ -2731,33 +2755,30 @@ char * get_long_user_id_string (u32 * keyid) { user_id_db_t r; - char *p; + keyid_list_t a; int pass = 0; /* Try it two times; second pass reads from key resources. */ do { for (r = user_id_db; r; r = r->next) { - keyid_list_t a; for (a = r->keyids; a; a = a->next) { if (a->keyid[0] == keyid[0] && a->keyid[1] == keyid[1]) { - p = xmalloc (r->len + 20); - sprintf (p, "%08lX%08lX %.*s", - (ulong) keyid[0], (ulong) keyid[1], - r->len, r->name); - return p; + return xasprintf ("%08lX%08lX %.*s", + (ulong) keyid[0], (ulong) keyid[1], + r->len, r->name); } } } } while (++pass < 2 && !get_pubkey (NULL, keyid)); - p = xmalloc (25); - sprintf (p, "%08lX%08lX [?]", (ulong) keyid[0], (ulong) keyid[1]); - return p; + return xasprintf ("%08lX%08lX [?]", (ulong) keyid[0], (ulong) keyid[1]); } + +/* Please try to use get_user_id_native instead of this one. */ char * get_user_id (u32 * keyid, size_t * rn) { @@ -2792,6 +2813,7 @@ get_user_id (u32 * keyid, size_t * rn) return p; } +/* Please try to use get_user_id_byfpr_native instead of this one. */ char * get_user_id_native (u32 * keyid) { 
@@ -2802,6 +2824,55 @@ get_user_id_native (u32 * keyid) return p2; } + +/* Return a user id from the caching by looking it up using the FPR + which mustbe of size MAX_FINGERPRINT_LEN. */ +char * +get_user_id_byfpr (const byte *fpr, size_t *rn) +{ + user_id_db_t r; + char *p; + int pass = 0; + + /* Try it two times; second pass reads from key resources. */ + do + { + for (r = user_id_db; r; r = r->next) + { + keyid_list_t a; + for (a = r->keyids; a; a = a->next) + { + if (!memcmp (a->fpr, fpr, MAX_FINGERPRINT_LEN)) + { + /* An empty string as user id is possible. Make + sure that the malloc allocates one byte and does + not bail out. */ + p = xmalloc (r->len? r->len : 1); + memcpy (p, r->name, r->len); + *rn = r->len; + return p; + } + } + } + } + while (++pass < 2 && !get_pubkey_byfpr (NULL, fpr)); + p = xstrdup (user_id_not_found_utf8 ()); + *rn = strlen (p); + return p; +} + +char * +get_user_id_byfpr_native (const byte *fpr) +{ + size_t rn; + char *p = get_user_id_byfpr (fpr, &rn); + char *p2 = utf8_to_native (p, rn, 0); + xfree (p); + return p2; +} + + + KEYDB_HANDLE get_ctx_handle (GETKEY_CTX ctx) { diff --git a/g10/gpg.h b/g10/gpg.h index 3251dd0..ce4d253 100644 --- a/g10/gpg.h +++ b/g10/gpg.h @@ -37,7 +37,8 @@ /* Number of bits we accept when reading or writing MPIs. */ #define MAX_EXTERN_MPI_BITS 16384 -/* The maximum length of a binary fingerprints. */ +/* The maximum length of a binary fingerprints. + Warning: At some places we still use 20 instead of this macro. */ #define MAX_FINGERPRINT_LEN 20 diff --git a/g10/import.c b/g10/import.c index be2fd63..8f7595c 100644 --- a/g10/import.c +++ b/g10/import.c 
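Review bot: The comment on get_user_id_byfpr says FPR must be of size MAX_FINGERPRINT_LEN, but not that a shorter fingerprint has to be zero-padded to that length, which the `memcmp (a->fpr, fpr, MAX_FINGERPRINT_LEN)` lookup relies on. cache_user_id stores the fingerprint into an entry obtained from `xmalloc_clear`, so a caller passing unpadded trailing bytes would miss the cache and fall through to the key-resource lookup or the "not found" string. I would word it as `/* Return a user id from the cache by looking it up using FPR, which must be MAX_FINGERPRINT_LEN bytes long and zero-padded on the right. */` and add that RN must not be NULL, because `*rn` is written unconditionally. get_user_id_byfpr_native has no comment at all; one line saying the result is in native encoding and must be released with xfree would match the neighbouring functions.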
@@ -1009,9 +1009,9 @@ import_one (ctrl_t ctrl, /* we are ready */ if( !opt.quiet && !silent) { - char *p=get_user_id_native (keyid); - log_info( _("key %s: public key \"%s\" imported\n"), - keystr(keyid),p); + char *p = get_user_id_byfpr_native (fpr2); + log_info (_("key %s: public key \"%s\" imported\n"), + keystr(keyid), p); xfree(p); } if( is_status_enabled() ) @@ -1094,7 +1094,7 @@ import_one (ctrl_t ctrl, /* we are ready */ if( !opt.quiet && !silent) { - char *p=get_user_id_native(keyid); + char *p = get_user_id_byfpr_native (fpr2); if( n_uids == 1 ) log_info( _("key %s: \"%s\" 1 new user ID\n"), keystr(keyid),p); @@ -1145,7 +1145,7 @@ import_one (ctrl_t ctrl, if( !opt.quiet && !silent) { - char *p=get_user_id_native(keyid); + char *p = get_user_id_byfpr_native (fpr2); log_info( _("key %s: \"%s\" not changed\n"),keystr(keyid),p); xfree(p); } diff --git a/g10/keydb.h b/g10/keydb.h index 55f8fc2..c61e0ae 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -222,6 +222,7 @@ int get_pubkey_bynames( GETKEY_CTX *rx, PKT_public_key *pk, int get_pubkey_next( GETKEY_CTX ctx, PKT_public_key *pk, KBNODE *ret_keyblock ); void get_pubkey_end( GETKEY_CTX ctx ); gpg_error_t get_seckey (PKT_public_key *pk, u32 *keyid); +gpg_error_t get_pubkey_byfpr (PKT_public_key *pk, const byte *fpr); int get_pubkey_byfprint( PKT_public_key *pk, const byte *fprint, size_t fprint_len ); int get_pubkey_byfprint_fast (PKT_public_key *pk, 
@@ -252,11 +253,12 @@ gpg_error_t enum_secret_keys (void **context, PKT_public_key *pk); void setup_main_keyids (kbnode_t keyblock); void merge_keys_and_selfsig( KBNODE keyblock ); -char*get_user_id_string( u32 *keyid ); char*get_user_id_string_native( u32 *keyid ); char*get_long_user_id_string( u32 *keyid ); char*get_user_id( u32 *keyid, size_t *rn ); char*get_user_id_native( u32 *keyid ); +char *get_user_id_byfpr (const byte *fpr, size_t *rn); +char *get_user_id_byfpr_native (const byte *fpr); KEYDB_HANDLE get_ctx_handle(GETKEY_CTX ctx); void release_akl(void); int parse_auto_key_locate(char *options); diff --git a/g10/keyid.c b/g10/keyid.c index 3b4c10c..8b4eeb1 100644 --- a/g10/keyid.c +++ b/g10/keyid.c @@ -767,7 +767,8 @@ fingerprint_from_pk (PKT_public_key *pk, byte *array, size_t *ret_len) gcry_md_close( md); } - *ret_len = len; + if (ret_len) + *ret_len = len; return array; } commit c60814a5ce13932d933b363abc0c60c12783ae2f Author: Werner Koch Date: Mon Oct 13 14:01:29 2014 +0200 gpg: Allow importing keys with duplicated long key ids. * g10/keydb.c (keydb_handle): Add field no_caching. (keyblock_cache): Repalce field kid by fpr. (keydb_disable_caching): New. (keydb_search): Use the fingerprint as cache index. * g10/import.c (import_one): Use the fingerprint and not the kid to lookup the key. Call keydb_disable_caching beofre re-searching for update. * tests/openpgp/import.test: Add a test case. Signed-off-by: Werner Koch diff --git a/g10/import.c b/g10/import.c index ca35ce1..be2fd63 100644 --- a/g10/import.c +++ b/g10/import.c @@ -855,12 +855,15 @@ import_one (ctrl_t ctrl, PKT_public_key *pk_orig; KBNODE node, uidnode; KBNODE keyblock_orig = NULL; + byte fpr2[MAX_FINGERPRINT_LEN]; + size_t fpr2len; u32 keyid[2]; int rc = 0; int new_key = 0; int mod_key = 0; int same_key = 0; int non_self = 0; + size_t an; char pkstrbuf[PUBKEY_STRING_SIZE]; /* get the key and print some info about it */ 
@@ -870,6 +873,9 @@ import_one (ctrl_t ctrl, pk = node->pkt->pkt.public_key; + fingerprint_from_pk (pk, fpr2, &fpr2len); + for (an = fpr2len; an < MAX_FINGERPRINT_LEN; an++) + fpr2[an] = 0; keyid_from_pk( pk, keyid ); uidnode = find_next_kbnode( keyblock, PKT_USER_ID ); @@ -957,7 +963,7 @@ import_one (ctrl_t ctrl, /* do we have this key already in one of our pubrings ? */ pk_orig = xmalloc_clear( sizeof *pk_orig ); - rc = get_pubkey_fast ( pk_orig, keyid ); + rc = get_pubkey_byfprint_fast (pk_orig, fpr2, fpr2len); if( rc && rc != G10ERR_NO_PUBKEY && rc != G10ERR_UNU_PUBKEY ) { if (!silent) @@ -1033,17 +1039,11 @@ import_one (ctrl_t ctrl, goto leave; } - /* now read the original keyblock */ + /* Now read the original keyblock again so that we can use + that handle for updating the keyblock. */ hd = keydb_new (); - { - byte afp[MAX_FINGERPRINT_LEN]; - size_t an; - - fingerprint_from_pk (pk_orig, afp, &an); - while (an < MAX_FINGERPRINT_LEN) - afp[an++] = 0; - rc = keydb_search_fpr (hd, afp); - } + keydb_disable_caching (hd); + rc = keydb_search_fpr (hd, fpr2); if( rc ) { log_error (_("key %s: can't locate original keyblock: %s\n"), @@ -1051,7 +1051,7 @@ import_one (ctrl_t ctrl, keydb_release (hd); goto leave; } - rc = keydb_get_keyblock (hd, &keyblock_orig ); + rc = keydb_get_keyblock (hd, &keyblock_orig); if (rc) { log_error (_("key %s: can't read original keyblock: %s\n"), diff --git a/g10/keydb.c b/g10/keydb.c index a9a9753..c192e06 100644 --- a/g10/keydb.c +++ b/g10/keydb.c @@ -68,6 +68,7 @@ struct keydb_handle int locked; int found; unsigned long skipped_long_blobs; + int no_caching; int current; int used; /* Number of items in ACTIVE. */ struct resource_item active[MAX_KEYDB_RESOURCES]; 
@@ -75,7 +76,7 @@ struct keydb_handle /* This is a simple cache used to return the last result of a - successful long kid search. This works only for keybox resources + successful fingerprint search. This works only for keybox resources because (due to lack of a copy_keyblock function) we need to store an image of the keyblock which is fortunately instantly available for keyboxes. */ @@ -87,7 +88,7 @@ enum keyblock_cache_states { struct { enum keyblock_cache_states state; - u32 kid[2]; + byte fpr[MAX_FINGERPRINT_LEN]; iobuf_t iobuf; /* Image of the keyblock. */ u32 *sigstatus; int pk_no; @@ -570,6 +571,7 @@ keydb_new (void) return hd; } + void keydb_release (KEYDB_HANDLE hd) { @@ -600,6 +602,17 @@ keydb_release (KEYDB_HANDLE hd) } +/* Set a flag on handle to not use cached results. This is required + for updating a keyring. Fixme: Using a new parameter for keydb_new + might be a better solution. */ +void +keydb_disable_caching (KEYDB_HANDLE hd) +{ + if (hd) + hd->no_caching = 1; +} + + /* * Return the name of the current resource. This is function first * looks for the last found found, then for the current search @@ -1407,10 +1420,12 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc, if (DBG_CACHE) dump_search_desc ("keydb_search", desc, ndesc); - if (ndesc == 1 && desc[0].mode == KEYDB_SEARCH_MODE_LONG_KID + if (!hd->no_caching + && ndesc == 1 + && (desc[0].mode == KEYDB_SEARCH_MODE_FPR20 + || desc[0].mode == KEYDB_SEARCH_MODE_FPR) && keyblock_cache.state == KEYBLOCK_CACHE_FILLED - && keyblock_cache.kid[0] == desc[0].u.kid[0] - && keyblock_cache.kid[1] == desc[0].u.kid[1]) + && !memcmp (keyblock_cache.fpr, desc[0].u.fpr, 20)) { /* (DESCINDEX is already set). */ if (DBG_CLOCK) 
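Review bot: The cache check in keydb_search compares with a literal length, `!memcmp (keyblock_cache.fpr, desc[0].u.fpr, 20)`, although the cache field is declared as `byte fpr[MAX_FINGERPRINT_LEN]` earlier in this diff. The matching `memcpy (keyblock_cache.fpr, desc[0].u.fpr, 20)` in the following hunk has the same issue. If the macro ever grows, the cache key would cover only a prefix of the fingerprint, and two different keys could be treated as the same cached keyblock. Using `MAX_FINGERPRINT_LEN` (or `sizeof keyblock_cache.fpr`) in both places keeps the comparison and the stored key in step. The function body continues outside the hunk.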
@@ -1450,11 +1465,13 @@ keydb_search (KEYDB_HANDLE hd, KEYDB_SEARCH_DESC *desc, : rc); keyblock_cache_clear (); - if (!rc && ndesc == 1 && desc[0].mode == KEYDB_SEARCH_MODE_LONG_KID) + if (!hd->no_caching + && !rc + && ndesc == 1 && (desc[0].mode == KEYDB_SEARCH_MODE_FPR20 + || desc[0].mode == KEYDB_SEARCH_MODE_FPR)) { keyblock_cache.state = KEYBLOCK_CACHE_PREPARED; - keyblock_cache.kid[0] = desc[0].u.kid[0]; - keyblock_cache.kid[1] = desc[0].u.kid[1]; + memcpy (keyblock_cache.fpr, desc[0].u.fpr, 20); } if (DBG_CLOCK) diff --git a/g10/keydb.h b/g10/keydb.h index 78d151a..55f8fc2 100644 --- a/g10/keydb.h +++ b/g10/keydb.h @@ -135,6 +135,7 @@ gpg_error_t keydb_add_resource (const char *url, unsigned int flags); KEYDB_HANDLE keydb_new (void); void keydb_release (KEYDB_HANDLE hd); +void keydb_disable_caching (KEYDB_HANDLE hd); const char *keydb_get_resource_name (KEYDB_HANDLE hd); gpg_error_t keydb_get_keyblock (KEYDB_HANDLE hd, KBNODE *ret_kb); gpg_error_t keydb_update_keyblock (KEYDB_HANDLE hd, kbnode_t kb); diff --git a/tests/openpgp/import.test b/tests/openpgp/import.test index eb6860e..a58db40 100755 --- a/tests/openpgp/import.test +++ b/tests/openpgp/import.test 
@@ -31,3 +31,16 @@ if $GPG --list-keys --with-colons $keyid \ else error "$goodkey: import failed (bug 1223)" fi + + +key1=$srcdir/samplekeys/dda252ebb8ebe1af-1.asc +key2=$srcdir/samplekeys/dda252ebb8ebe1af-2.asc +fpr1=9E669861368BCA0BE42DAF7DDDA252EBB8EBE1AF +fpr2=A55120427374F3F7AA5F1166DDA252EBB8EBE1AF +info "Checking import of two keys with colliding long key ids." +$GPG --delete-key --batch --yes $fpr1 $fpr2 2>/dev/null || true +$GPG --import $key1 || true +$GPG --import $key2 || true +n=$($GPG --list-keys --with-colons $fpr1 $fpr2 2>/dev/null \ + | grep '^pub:.:4096:1:DDA252EBB8EBE1AF:' | wc -l) +[ $n -ne 2 ] && error "Importing keys with long id collision failed" commit a2567225373a7e4e4a6eb0cba1d9ab6ff2d1330a Author: Werner Koch Date: Mon Oct 13 13:56:47 2014 +0200 tests: Add sample keys with colliding long keu ids. -- Thanks to David Leon Gil who posted these keys to openpgp at ietf.org on Fri, 13 Dec 2013 07:09:54 -0800 (PST). diff --git a/tests/openpgp/Makefile.am b/tests/openpgp/Makefile.am index cc28027..a6eda61 100644 --- a/tests/openpgp/Makefile.am +++ b/tests/openpgp/Makefile.am @@ -68,7 +68,9 @@ sample_keys = samplekeys/ecc-sample-1-pub.asc \ samplekeys/ecc-sample-2-sec.asc \ samplekeys/ecc-sample-3-sec.asc \ samplekeys/eddsa-sample-1-pub.asc \ - samplekeys/eddsa-sample-1-sec.asc + samplekeys/eddsa-sample-1-sec.asc \ + samplekeys/dda252ebb8ebe1af-1.asc \ + samplekeys/dda252ebb8ebe1af-2.asc EXTRA_DIST = defs.inc pinentry.sh $(TESTS) $(TEST_FILES) ChangeLog-2011 \ mkdemodirs signdemokey $(priv_keys) $(sample_keys) diff --git a/tests/openpgp/samplekeys/README b/tests/openpgp/samplekeys/README index c30345f..6f8f916 100644 --- a/tests/openpgp/samplekeys/README +++ b/tests/openpgp/samplekeys/README 
@@ -8,3 +8,5 @@ ecc-sample-3-pub.asc A NIST P-521 ECC sample key. ecc-sample-3-sec.asc Ditto, but the secret keyblock. eddsa-sample-1-pub.asc An Ed25519 sample key. eddsa-sample-1-sec.asc Ditto, but as protected secret keyblock. +dda252ebb8ebe1af-1.asc rsa4096 key 1 +dda252ebb8ebe1af-2.asc rsa4096 key 2 with a long keyid collision. diff --git a/tests/openpgp/samplekeys/dda252ebb8ebe1af-1.asc b/tests/openpgp/samplekeys/dda252ebb8ebe1af-1.asc new file mode 100644 index 0000000..ddae954 --- /dev/null +++ b/tests/openpgp/samplekeys/dda252ebb8ebe1af-1.asc 
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + + +mQINBFJtd/UBEACpw/psXoGNM8RHczviD7FnGdjMQPEJQ+nuWQ2AEGYouulg5hFv +0ChuSQVLiqQht2k5K2liyW1MeXoJ8tr9nSn/Zi9nttc0Wo6K7pvrDD40r2HNg305 +qLCzItr5st3x8cq2cIXvN4LOm2rqpBLZ/sqMmNiW2Y7/aAQqV1xtR35joHqamWHD +UPOmzBMs07YSUjXgC1EMx8kWQSV6cuARj93kxWj8R6eoYHHfrWCEGR313wov6QST +zIfVU7FqQqOmdLW3LaPHxcrI/TjsnkUN99qdlpjJH/YW925LDPJHAkliqPP5AvhU +F9KbY2F8mcIZBCDd8TH+xXynuN3BbIU4kCwVbdx/tcpO1npuJcKB1Go/udyow/Ei +Z3nHzJsCVkezvopek77wnwPaP0nAb7f4iIY3gJCoGirOx6N075TgF6MBe00q9oFE +y4rvnUnU9/QzOOes95eUMhM+9eK1cuLFEV5t47DfxRdq+fQip3FJ2l6v19sZvQ0G +j06pjYqg0of273rG8oXcDrFjb1Zqhj8x1mLl6u7d/ide5wTm9HylBWcYKQjIJJAi +WIScxEPIOINDJKgsKTuKtoyNvISJ3xUeS1yzxiIb3YGLIyPgFFx0vFyqJfbkXq70 +m1n2xnJlkTidfzbZvc6EA7vRGSDYK6FqqhlGhc7UypUEVW8FM/jZNAOS6QARAUGt +tCg5RTY2OTg2MTM2OEJDQTBCRTQyREFGN0REREEyNTJFQkI4RUJFMUFGiQI3BBMB +CgAhBQJSg/uTAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEN2iUuu46+Gv ++Z0P+wQhkLwm+WGcEsS98Lei9O7hit/k4g/VkLUUQV7BOR3n8uRZIFkdOtpvrFU3 +aKf246uCy6GM48Oh+1U2cv5InX/WEuKaFo5uF6t79wyt18BUn1weDcU+DQdOSG4f +fSnNa55wkN0l0svW4fGIthjmDTz6HZFntYD+9A20wZAqpPIs+vyG9Jp+e9E9Y/W/ +EFQbNlxHHb9+BMT2+DtNP+HSl3MPFlQPKOLZxyLAU5uzT0Sa0LxhrQy5FgkW6Jog +sbAJVM9z0pZw+grzGPciM66ZW1rxeICvbYsdWLytRjqxpY8GS8XudyseUGd+dZim +ptarsrE5yfSMg2gW5Z1PTc0tEMXJLUwtpyzQjpFpbb7dPuo2TUp09LgZKX63WCbS +Nb1RTaGfkeYudOTo2rh4Jfg+Tb/JRpO6clo0rxAq8nPH2WmG+9TB8Zbb7YRzGWuV +/e5SeVNR+zY8tXZKnmUIH1HIprc+BtT6Bupdvd0CT14Mg9MmsFvUXofwHLa4gahr +8/iG9y3uHSA6Rhz++yOpyOmNvO1LDxsYNaRCIXQJbqgNwF5YNYlMPsEeY/CG7FOb +Afv7rHiYtRRQfz2P4OF900DJO7QL9gdNXJ1+Hajy/5Lvvl7qwqMG4GvVQEsgFc5O +jjFCUhE2i20j2kEMxvA5RLBH/fOoGARn87tiKSfb+pqLNZQb +=fDJ8 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/tests/openpgp/samplekeys/dda252ebb8ebe1af-2.asc b/tests/openpgp/samplekeys/dda252ebb8ebe1af-2.asc new file mode 100644 index 0000000..8547463 --- /dev/null +++ b/tests/openpgp/samplekeys/dda252ebb8ebe1af-2.asc 
@@ -0,0 +1,29 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + + +mQINBFKD+38BEADSv5l4xOx9hCRJVcybq6yK5hTpGSFf3xo1bkhoMvyC62ehb4jD +MDLwwNRyzCBEWQJLbq/LLizPFN2qXFJpXJcsuqsHNYRtDqDBEjtriRQwSqHnqTXt +c0K46FYHldCJQ4/tBXxPI+WwtXjcNRWaV7n2BvR/Jk+B5e4Zz3LPnN0C4w5vORHs +hN1jil8A3Hs/F+OmlQYrU8ZtNwTpSo2EXxe2fVgSDCsKRyNsPZj++OyujPzW+yaN +lJ9I/q6s9gvX9o9o7nwZbqBETipWsdRK6RfBdTKpnyLNordbWwWTk6GxN8T5Ppit +P6a3UlQ71VuflcswCTmEQ1pEfZrlRFKa9psBOW+cZLNxT9h0jGFMh6/B3w48Sag+ +cFcPBFWParC+cAXBIURDxT9G6bzNLogg7YKoaPsyiXnLDH2VJUCXs27D2wPJL24Q +S7npvsg63MPPssWgG5cauLznmNR4y5pQi6oH/C10v0zrUJy6FPJzQhYRhWOvhtz6 +j88RGMrFNNCdB2VACtn699D+ixu3nRlXHIKCT+xLSfgslVYifmJOCNljBLGHOQ1e +FJxQuNVpmmxjvk/8kqK+pHLB9Qn6M1ZYzip7OyUL3OAWabCabgEw2bQmUhiBWD3u +buv0WAVOJEAFvBCAeYNQzrQMY+Rc3RnvynG4pI6Tbo8wC6/IJcDOw516JwARASB3 +tChBNTUxMjA0MjczNzRGM0Y3QUE1RjExNjZEREEyNTJFQkI4RUJFMUFGiQI3BBMB +CgAhBQJSg/uTAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEN2iUuu46+Gv +9L0P/3tFu0LOZ/dAPjUNfKJCZqcIuVnD5xShMTsUbVx+QoXMy7rt4iRLD7ofGi/I +vTAZehxk3sk/Slx5nbews+3NItyw6mcaP9HlmwKNr6k7BC2kJHcCxH4DNzhmIx1H +3T/CggtHX42JBYKlGf22y+M8jAbvsPOUfTznx96mYNrOY6s1dJyn0kRleqJ8+tGj +/5+0y90iZnGCa0FtacQkKUPkXwVodeZVxk8z5OEipShYKc+8dl+5WsvOzHqLC/KY +xCGRb4JaqEMwouLNg8dTNAXXUvFGqJNDX4+andggogmI1hdD9xExfSU9cAGegg2t +vvveC4S+CCHd+zt88iK5ze6F61RxwYhhNbkuFGjdgNGCpHtG/BQhKnYJuKEbq3oi +mgNyxJERlfgaWXveiMG0AmACXN+jCkTtqZjQnsg2N2QDL3tjY7usmuiwRL1aVOFG +Kw5/Cc+2nDeANS3Xi1403Ni269b1c6kNSoLe4zd0WsbO3Kouds8F8EQfeheXQe97 +ZxuvBOMsR9wHC3f0sl/vfxCGdUC+khmKk5taKnUeUFJmVmh5ghlVy8FySHGB0QHO +zd8GUl59rFpQJNpNFQW2YKDhrcjxIr2AeJrdoDI6NsQ02+Qtep/bbq53hqtAD4jF +t3S8vBbTXtRk6g2qn4ojF4SOIc8SAiZcURgVFuSJX8ngFbO4 +=OEw/ +-----END PGP PUBLIC KEY BLOCK----- commit 2543f0ab9c7b4247347688863f898667bae31984 Author: Werner Koch Date: Mon Oct 13 11:45:34 2014 +0200 tests: Speed up conventional encryption tests for gpg. * tests/openpgp/conventional-mdc.test: Add an s2k-count option. * tests/openpgp/conventional.test: Ditto. 
-- Due to measuring the iteration count for the passphrase hashing, the conventional encryption tests are running quite slow. This patch fixes it by using a fixed and lower value for the iteration count. Signed-off-by: Werner Koch diff --git a/tests/openpgp/conventional-mdc.test b/tests/openpgp/conventional-mdc.test index 15b525f..744e11e 100755 --- a/tests/openpgp/conventional-mdc.test +++ b/tests/openpgp/conventional-mdc.test @@ -10,6 +10,10 @@ . $srcdir/defs.inc || exit 3 +# We use use a lower than default value for the S2K count to run the +# tests faster. We used a fixed value of 65536 already the past. +s2k="--s2k-count=65536" + #info Checking conventional encryption for ciph in `all_cipher_algos`; do progress "$ciph" @@ -20,9 +24,9 @@ for ciph in `all_cipher_algos`; do else dd if=data-80000 of=z bs=1 count=$i 2>/dev/null fi - echo "Hier spricht HAL" | $GPG --passphrase-fd 0 \ + echo "Hier spricht HAL" | $GPG --passphrase-fd 0 $s2k \ --force-mdc --cipher $ciph -c -o x --yes z - echo "Hier spricht HAL" | $GPG --passphrase-fd 0 \ + echo "Hier spricht HAL" | $GPG --passphrase-fd 0 $s2k \ -o y --yes x cmp z y || error "$ciph/$i: mismatch" done diff --git a/tests/openpgp/conventional.test b/tests/openpgp/conventional.test index 5028b29..30c9ba0 100755 --- a/tests/openpgp/conventional.test +++ b/tests/openpgp/conventional.test 
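Review bot: The comment added above `s2k="--s2k-count=65536"` has a doubled word ("We use use") and a dropped preposition ("already the past"), and it does not say that the reduced count is meant for the test suite only. I would word it as `# Use a fixed, lower than default S2K count so that the tests run faster.` followed by `# 65536 is the fixed value we used in the past; this is for tests only.` The same comment is added in the conventional.test hunk and should get the same wording. A lower iteration count makes passphrase guessing cheaper, so the comment should keep anyone from copying the option into real usage.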
@@ -10,19 +10,23 @@ . $srcdir/defs.inc || exit 3 +# We use use a lower than default value for the S2K count to run the +# tests faster. We used a fixed value of 65536 already the past. +s2k="--s2k-count=65536" + #info Checking conventional encryption for i in plain-2 data-32000 ; do - echo "Hier spricht HAL" | $GPG --passphrase-fd 0 -c -o x --yes $i - echo "Hier spricht HAL" | $GPG --passphrase-fd 0 -o y --yes x + echo "Hier spricht HAL" | $GPG --passphrase-fd 0 $s2k -c -o x --yes $i + echo "Hier spricht HAL" | $GPG --passphrase-fd 0 $s2k -o y --yes x cmp $i y || error "$i: mismatch" done for a in `all_cipher_algos`; do progress "$a" for i in plain-1 data-80000 ; do - echo "Hier spricht HAL" | $GPG --passphrase-fd 0 \ + echo "Hier spricht HAL" | $GPG --passphrase-fd 0 $s2k \ --cipher-algo $a -c -o x --yes $i - echo "Hier spricht HAL" | $GPG --passphrase-fd 0 -o y --yes x + echo "Hier spricht HAL" | $GPG --passphrase-fd 0 $s2k -o y --yes x cmp $i y || error "$i: ($a) mismatch" done done ----------------------------------------------------------------------- Summary of changes: doc/DETAILS | 2 +- g10/build-packet.c | 16 +--- g10/getkey.c | 111 +++++++++++++++++++---- g10/gpg.h | 3 +- g10/import.c | 44 ++++----- g10/keydb.c | 33 +++++-- g10/keydb.h | 5 +- g10/keyid.c | 3 +- tests/openpgp/Makefile.am | 4 +- tests/openpgp/conventional-mdc.test | 8 +- tests/openpgp/conventional.test | 12 ++- tests/openpgp/import.test | 15 +++ tests/openpgp/samplekeys/README | 2 + tests/openpgp/samplekeys/dda252ebb8ebe1af-1.asc | 29 ++++++ tests/openpgp/samplekeys/dda252ebb8ebe1af-2.asc | 29 ++++++ 15 files changed, 239 insertions(+), 77 deletions(-) create mode 100644 tests/openpgp/samplekeys/dda252ebb8ebe1af-1.asc create mode 100644 tests/openpgp/samplekeys/dda252ebb8ebe1af-2.asc hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Mon Oct 13 15:16:46 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Mon, 13 Oct 2014 15:16:46 +0200 Subject: [git] GnuPG - branch, wk/test-master, updated. gnupg-2.1.0-beta864-21-gbf91c4c Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, wk/test-master has been updated via bf91c4c8d50ba6fc9ab06f79b02c01389e337c5e (commit) via fab89f159bcb36ea7285af661d5756eefa981822 (commit) via 21c0ea6bafafbcc4a2e07f0ac76275cc0229e9a0 (commit) via c60814a5ce13932d933b363abc0c60c12783ae2f (commit) via a2567225373a7e4e4a6eb0cba1d9ab6ff2d1330a (commit) via 2543f0ab9c7b4247347688863f898667bae31984 (commit) from bb961e062bbf1011ef3430afdf2075561ba400ab (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit bf91c4c8d50ba6fc9ab06f79b02c01389e337c5e Merge: bb961e0 fab89f1 Author: Werner Koch Date: Mon Oct 13 15:13:44 2014 +0200 Merge branch 'master' into wk/test-master diff --cc g10/keyid.c index f1fbec2,8b4eeb1..662806b --- a/g10/keyid.c 
+++ b/g10/keyid.c @@@ -680,22 -706,69 +680,23 @@@ colon_expirestr_from_sig (PKT_signatur byte * fingerprint_from_pk (PKT_public_key *pk, byte *array, size_t *ret_len) { - byte *buf; const byte *dp; - size_t len, nbytes; - int i; - - if ( pk->version < 4 ) - { - if ( is_RSA(pk->pubkey_algo) ) - { - /* RSA in version 3 packets is special. */ - gcry_md_hd_t md; - - if (gcry_md_open (&md, DIGEST_ALGO_MD5, 0)) - BUG (); - if ( pubkey_get_npkey (pk->pubkey_algo) > 1 ) - { - for (i=0; i < 2; i++) - { - if (gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, - &nbytes, pk->pkey[i])) - BUG (); - /* fixme: Better allocate BUF on the stack */ - buf = xmalloc (nbytes); - if (gcry_mpi_print (GCRYMPI_FMT_USG, buf, nbytes, - NULL, pk->pkey[i])) - BUG (); - gcry_md_write (md, buf, nbytes); - xfree (buf); - } - } - gcry_md_final (md); - if (!array) - array = xmalloc (16); - len = 16; - memcpy (array, gcry_md_read (md, DIGEST_ALGO_MD5), 16); - gcry_md_close(md); - } - else - { - if (!array) - array = xmalloc(16); - len = 16; - memset (array,0,16); - } - } - else - { - gcry_md_hd_t md; + size_t len; + gcry_md_hd_t md; - md = do_fingerprint_md(pk); - dp = gcry_md_read( md, 0 ); - len = gcry_md_get_algo_dlen (gcry_md_get_algo (md)); - assert( len <= MAX_FINGERPRINT_LEN ); - if (!array) - array = xmalloc ( len ); - memcpy (array, dp, len ); - pk->keyid[0] = dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15] ; - pk->keyid[1] = dp[16] << 24 | dp[17] << 16 | dp[18] << 8 | dp[19] ; - gcry_md_close( md); - } + md = do_fingerprint_md(pk); + dp = gcry_md_read( md, 0 ); + len = gcry_md_get_algo_dlen (gcry_md_get_algo (md)); + assert( len <= MAX_FINGERPRINT_LEN ); + if (!array) + array = xmalloc ( len ); + memcpy (array, dp, len ); + pk->keyid[0] = dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15] ; + pk->keyid[1] = dp[16] << 24 | dp[17] << 16 | dp[18] << 8 | dp[19] ; + gcry_md_close( md); - *ret_len = len; + if (ret_len) + *ret_len = len; return array; } 
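Review bot: In the merged `fingerprint_from_pk`, `pk->keyid[0] = dp[12] << 24 | ...` and the matching `keyid[1]` line shift a `byte` that has been promoted to `int`, so a value of 0x80 or above shifted by 24 overflows a signed int (assuming `byte` is an unsigned 8-bit type, whose typedef is not shown here). Casting the first operand avoids that, e.g. `pk->keyid[0] = (u32)dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15];`, and likewise for `dp[16]`. The only length check is `assert( len <= MAX_FINGERPRINT_LEN )`, an upper bound, while the key ID lines read `dp[12]` through `dp[19]`. With the v3 branch gone, an explicit lower bound on `len` would state what this code relies on. Both lines are carried over from the parents rather than introduced by the merge resolution.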
----------------------------------------------------------------------- Summary of changes: doc/DETAILS | 2 +- g10/getkey.c | 111 +++++++++++++++++++---- g10/gpg.h | 3 +- g10/import.c | 44 ++++----- g10/keydb.c | 33 +++++-- g10/keydb.h | 5 +- g10/keyid.c | 3 +- tests/openpgp/Makefile.am | 4 +- tests/openpgp/conventional-mdc.test | 8 +- tests/openpgp/conventional.test | 12 ++- tests/openpgp/import.test | 15 +++ tests/openpgp/samplekeys/README | 2 + tests/openpgp/samplekeys/dda252ebb8ebe1af-1.asc | 29 ++++++ tests/openpgp/samplekeys/dda252ebb8ebe1af-2.asc | 29 ++++++ 14 files changed, 236 insertions(+), 64 deletions(-) create mode 100644 tests/openpgp/samplekeys/dda252ebb8ebe1af-1.asc create mode 100644 tests/openpgp/samplekeys/dda252ebb8ebe1af-2.asc hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Mon Oct 13 19:30:10 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Mon, 13 Oct 2014 19:30:10 +0200 Subject: [git] gnupg-doc - branch, master, updated. 0862f792100b1e7d73466592b6922e12aba0cb28 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GnuPG website and other docs". The branch, master has been updated via 0862f792100b1e7d73466592b6922e12aba0cb28 (commit) from 1e43180ee23ec011709494f906b19125cc39538f (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 0862f792100b1e7d73466592b6922e12aba0cb28 Author: Werner Koch Date: Mon Oct 13 19:30:18 2014 +0200 tools: Send a thank you mail for payproc received donations. diff --git a/tools/append-to-donors.sh b/tools/append-to-donors.sh index 86697ad..f1156c5 100755 --- a/tools/append-to-donors.sh +++ b/tools/append-to-donors.sh 
@@ -1,11 +1,17 @@ #!/bin/sh # append-to-donors.sh -# Append new names from the payproc journal tothe donros file. +# Append new names from the payproc journal to the donors file +# and send a Thank You mail. pgm="append-to-donors.sh" set -e PATH=/usr/local/bin:$PATH +SENDMAIL="/usr/sbin/sendmail" +LC_ALL=C +LC_CTYPE=C +RFCDATE="$(date -R)" +SIGDELIM="-- " htdocs="/var/www/www/www.gnupg.org/htdocs" 
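Review bot: `LC_ALL=C` and `LC_CTYPE=C` are assigned but not exported, so unless they already exist in the environment (under cron they often do not) the child processes will not see them. That affects `date -R` here and the `tr` calls added later in this commit, which would then run under whatever locale the caller has. `export LC_ALL=C` makes the setting effective, and with LC_ALL set the separate LC_CTYPE line is redundant.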
@@ -25,6 +31,76 @@ fi trap "rm -f $LOCKFILE" 0 +# Send a thank you mail +# Uses these variables: +# amount - The amount of the donation +# currency - The currency for the amount +# euro - The amount cinvertet to Euro +# xmail - The mailbox +# name - The name or empty for an anonymous donation +# message - The message to us or empty +# Used scratch variables: +# upcurrency +# ineuro +# +# FIXME: Clean message and name and use an appropriate encoding. +# The second mail should actually be encrypted. In fact +# we would better try to encrypt also the first mail. Add a +# pubkey field to the donation page? +# +send_thanks () { + upcurrency=$(echo $currency | tr [a-z] [A-Z]) + if [ "$upcurrency" = EUR ]; then + ineuro= + else + ineuro=" (about $euro EUR)" + fi + ( cat < $lastline" -Stype=C -Saccount==1 \ --html --print "$journal_dir/journal-$jdate.log" \ - | while IFS=: read lnr datestr name rest; do + | while IFS=: read lnr datestr name message \ + xmail amount currency euro rest; do + name=$(echo "$name" | tr \`\$: ...) + message=$(echo "$message" | tr \`\$ ..) + xmail=$(echo "$xmail" | tr \`\$ ..) if [ -n "$name" ]; then + # Note that we removed colons from $name echo "$jyear:$datestr:$name::$lnr:" >> "$donors.tmp" fi + send_thanks done fi done ----------------------------------------------------------------------- Summary of changes: tools/append-to-donors.sh | 89 +++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 86 insertions(+), 3 deletions(-) hooks/post-receive -- The GnuPG website and other docs http://git.gnupg.org From cvs at cvs.gnupg.org Wed Oct 15 12:48:07 2014 
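Review bot: In `send_thanks`, both `$currency` and the `tr [a-z] [A-Z]` sets are unquoted, so the shell may glob the bracket patterns against files in the working directory and word-split the journal field before `tr` sees it; `upcurrency=$(printf '%s' "$currency" | tr 'a-z' 'A-Z')` avoids both. In the reading loop only `name`, `message` and `xmail` are filtered, and only for backquote, `$` and `:`, while `amount`, `currency` and `euro` pass through unchanged and `read` is used without `-r`. Since the added FIXME already says name and message still need cleaning, I would check each field against an allow-list pattern before it is used in the mail (digits and a dot for the amounts, for example) and skip the record otherwise. The here-document inside send_thanks is not intact in this rendering of the hunk, so how the fields reach `$SENDMAIL` cannot be checked from here.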
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Wed, 15 Oct 2014 12:48:07 +0200 Subject: [git] GPGME - branch, bjk/master, created. gpgme-1.5.1-11-g4027a0a Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GnuPG Made Easy". The branch, bjk/master has been created at 4027a0a89724df3aeef8a964c529548d724b6a5a (commit) - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- hooks/post-receive -- GnuPG Made Easy http://git.gnupg.org From cvs at cvs.gnupg.org Wed Oct 15 15:25:35 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Wed, 15 Oct 2014 15:25:35 +0200 Subject: [git] GPG-ERROR - branch, master, updated. libgpg-error-1.17-1-g99c8336 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "Error codes used by GnuPG et al.". The branch, master has been updated via 99c8336aa6ee571c6305d121c55e987fa37e3882 (commit) from 1d9e4c29fc23da64f964ed3337cd18429e1a2964 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 99c8336aa6ee571c6305d121c55e987fa37e3882 Author: Werner Koch Date: Wed Oct 15 15:25:41 2014 +0200 Post release updates. -- diff --git a/NEWS b/NEWS index 255509b..3404f7d 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,7 @@ +Noteworthy changes in version 1.18 (unreleased) [C13/A13/R_] +----------------------------------------------- + + Noteworthy changes in version 1.17 (2014-10-15) [C13/A13/R0] ----------------------------------------------- diff --git a/configure.ac b/configure.ac index bb1071a..9683c81 100644 --- a/configure.ac +++ b/configure.ac 
@@ -27,7 +27,7 @@ min_automake_version="1.11" # another commit, and a push so that the git magic is able to work. # See below for the LT versions. m4_define([mym4_version_major], [1]) -m4_define([mym4_version_minor], [17]) +m4_define([mym4_version_minor], [18]) # Below is m4 magic to extract and compute the revision number, the # decimalized short revision number, a beta version string, and a flag ----------------------------------------------------------------------- Summary of changes: NEWS | 4 ++++ configure.ac | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) hooks/post-receive -- Error codes used by GnuPG et al. http://git.gnupg.org From cvs at cvs.gnupg.org Thu Oct 16 21:34:16 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Thu, 16 Oct 2014 21:34:16 +0200 Subject: [git] gnupg-doc - branch, master, updated. 971c62e094e2145f5bba47812229246f478edc23 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GnuPG website and other docs". The branch, master has been updated via 971c62e094e2145f5bba47812229246f478edc23 (commit) via 3090737ffb231261c9aa02352756e4b88edee2e2 (commit) from 0862f792100b1e7d73466592b6922e12aba0cb28 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 971c62e094e2145f5bba47812229246f478edc23 Author: Werner Koch Date: Thu Oct 16 21:34:26 2014 +0200 swdb: Update libgpg-error to 1.17. diff --git a/web/swdb.mac b/web/swdb.mac index 3392047..e441330 100644 --- a/web/swdb.mac +++ b/web/swdb.mac 
@@ -92,9 +92,9 @@ # # LIBGPG-ERROR # -#+macro: libgpg_error_ver 1.16 -#+macro: libgpg_error_size 534k -#+macro: libgpg_error_sha1 059c40a2b78c3ac2b4cbec0e0481faba5af332fe +#+macro: libgpg_error_ver 1.17 +#+macro: libgpg_error_size 654k +#+macro: libgpg_error_sha1 ba5858b2947e7272dd197c87bac9f32caf29b256 # commit 3090737ffb231261c9aa02352756e4b88edee2e2 Author: Werner Koch Date: Thu Oct 16 21:33:32 2014 +0200 web: Allow publishing of donation stats. * tools/append-to-donors.sh: Create donations summaray file. * tools/mkkudos.sh: Add new template for this months donations. * web/donate/kudos.org: Add a line wit the current donations. -- This requires the latest payproc version. diff --git a/tools/append-to-donors.sh b/tools/append-to-donors.sh index f1156c5..492ab32 100755 --- a/tools/append-to-donors.sh +++ b/tools/append-to-donors.sh @@ -16,6 +16,8 @@ SIGDELIM="-- " htdocs="/var/www/www/www.gnupg.org/htdocs" donors="$htdocs/donate/donors.dat" +donations="$htdocs/donate/donations.dat" + journal_dir="/var/log/payproc" LOCKFILE="$donors.lock" @@ -28,7 +30,7 @@ if ! lockfile -l 7200 -r 2 $LOCKFILE; then echo "$pgm: another instance is still running" exit 0 fi -trap "rm -f $LOCKFILE" 0 +trap "rm -f $LOCKFILE $donors.tmp $donors.stamp" 0 # Send a thank you mail @@ -42,6 +44,7 @@ trap "rm -f $LOCKFILE" 0 # Used scratch variables: # upcurrency # ineuro +# xamount # # FIXME: Clean message and name and use an appropriate encoding. # The second mail should actually be encrypted. In fact @@ -53,8 +56,9 @@ send_thanks () { if [ "$upcurrency" = EUR ]; then ineuro= else - ineuro=" (about $euro EUR)" + ineuro=" (about $(echo $euro| awk '{print int($0 + 0.5)}') EUR)" fi + xamount="$(echo $amount| awk '{print int($0 + 0.5)}')" ( cat < "$donors.tmp" find $journal_dir -type f -name 'journal-????????.log' -print \ | sort | while read fname; do 
@@ -131,15 +137,31 @@ find $journal_dir -type f -name 'journal-????????.log' -print \ name=$(echo "$name" | tr \`\$: ...) message=$(echo "$message" | tr \`\$ ..) xmail=$(echo "$xmail" | tr \`\$ ..) - if [ -n "$name" ]; then - # Note that we removed colons from $name - echo "$jyear:$datestr:$name::$lnr:" >> "$donors.tmp" - fi + # Note that we removed colons from $name + echo "$jyear:$datestr:$name::$lnr:" >> "$donors.tmp" + touch "$donors".stamp send_thanks done fi done -if ! mv "$donors.tmp" "$donors"; then - echo "$pgm: error updating $donors" >&2 - exit 1 + +# If we have any new records update the files. +if [ -f "$donors".stamp ]; then + + if ! mv "$donors.tmp" "$donors"; then + echo "$pgm: error updating $donors" >&2 + exit 1 + fi + + if [ -f "$donations" ]; then + payproc-stat -u "$donations" -- > "$donations".tmp \ + $(find /var/log/payproc -type f -name 'journal-????????.log' -print|sort) + if ! mv "$donations".tmp "$donations"; then + echo "$pgm: error updating $donations" >&2 + exit 1 + fi + else + payproc-stat -u "$donations" -- > "$donations" \ + $(find /var/log/payproc -type f -name 'journal-????????.log' -print|sort) + fi fi diff --git a/tools/mkkudos.sh b/tools/mkkudos.sh index f3625e0..3c42a8a 100755 --- a/tools/mkkudos.sh +++ b/tools/mkkudos.sh 
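Review bot: Both `payproc-stat` calls rebuild the journal list with a hard-coded `find /var/log/payproc ...` although the script defines `journal_dir` and the loop above already uses it; `$(find "$journal_dir" -type f -name 'journal-????????.log' -print | sort)` keeps the two in step. The `else` branch redirects straight into `"$donations"`, which lives under htdocs, so an interrupted or failing run leaves a partial file in place, whereas the `if` branch goes through `"$donations".tmp` and `mv`. Using the tmp-then-mv path in both branches would be safer. `"$donations".tmp` is also missing from the `rm -f` list in the exit trap changed earlier in this commit.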
@@ -6,11 +6,25 @@ htdocs="/var/www/www/www.gnupg.org/htdocs" #htdocs="/home/wk/s/gnupg-doc/web" donors="$htdocs/donate/donors.dat" +donations="$htdocs/donate/donations.dat" if [ ! -f "$donors" ]; then echo "mkkudos.sh: '$donors' not found" >&2; exit 1 fi +if [ ! -f "$donations" ]; then + echo "mkkudos.sh: '$donations' not found" >&2; + exit 1 +fi + +tmp=$(head -1 "$donations") +monyear=$(echo "$tmp" | awk -F: 'BEGIN { m[1] = "January"; + m[2] = "February"; m[3] = "March"; m[4] = "April"; m[5] = "May"; + m[6] = "June"; m[7] = "July"; m[8] = "August"; m[9] = "September"; + m[10] = "October"; m[11] = "November"; m[12] = "December"; } + {printf "%s %d", m[$2] , $1}') +euro=$(echo "$tmp" | awk -F: '{printf "%d Euro", int($8 + 0.5)}') + for file in "$htdocs/donate/"kudos-????.html "$htdocs/donate/"kudos.html; do [ "$file" -ot "$donors" ] || continue @@ -22,17 +36,28 @@ for file in "$htdocs/donate/"kudos-????.html "$htdocs/donate/"kudos.html; do fi echo "processing $file" >&2 [ -f "$file.tmp" ] && rm "$file.tmp" - awk -F: -v year=$year -v donors="$donors" <"$file" >"$file.tmp" ' + awk -F: -v year=$year -v donors="$donors" \ + -v monyear="$monyear" -v euro="$euro" <"$file" >"$file.tmp" ' // {indon=1; print; insert("") } // {indon=0} // {indon=1; print; insert("goteo13") } // {indon=0} + // { + printf " %s\n", monyear; + next + } + // { + printf " %s\n", euro; + next + } !indon { print } function insert (tag) { while (getline < donors) { if ( $0 ~ /^(#.*)?$/ ) continue; + if ( $3 == "" ) + continue; if ($1==year && $4==tag) { printf "
  • %s
  • \n", $3 } diff --git a/web/donate/kudos.org b/web/donate/kudos.org index e3c4a46..fbee1a5 100644 --- a/web/donate/kudos.org +++ b/web/donate/kudos.org @@ -25,6 +25,14 @@ ** Donation summary +#+HTML:

    In +#+HTML: +#+HTML: we received +#+HTML: +#+HTML: of donations by credit card plus some more donations via Paypal. +#+HTML:

    + + | Year | # | \EUR | net \EUR | | | | | | |------+-----+-------+----------| ----------------------------------------------------------------------- Summary of changes: tools/append-to-donors.sh | 42 ++++++++++++++++++++++++++++++++---------- tools/mkkudos.sh | 27 ++++++++++++++++++++++++++- web/donate/kudos.org | 8 ++++++++ web/swdb.mac | 6 +++--- 4 files changed, 69 insertions(+), 14 deletions(-) hooks/post-receive -- The GnuPG website and other docs http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 17 01:37:07 2014 From: cvs at cvs.gnupg.org (by Ben Kibbey) Date: Fri, 17 Oct 2014 01:37:07 +0200 Subject: [git] GPGME - branch, bjk/master, updated. gpgme-1.5.1-13-gfff2049 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "GnuPG Made Easy". The branch, bjk/master has been updated via fff2049c1bc7c627e11df8062ef1f96a7697954f (commit) from aea2c168fc9c12148181dbcc33d7085aad8e6d90 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit fff2049c1bc7c627e11df8062ef1f96a7697954f Author: Ben Kibbey Date: Thu Oct 16 19:26:41 2014 -0400 Fix crash with built-in [v]asprintf(). * src/vasprintf.c (__gpgme_vasprintf): Copy the va_list. -- Not sure why it needs to be done. Maybe because of dereferencing the pointer while doing va_copy() int_vasprintf()? If we remove the _BSD_VA_LIST stuff and pass a regular va_list all is fine. diff --git a/src/vasprintf.c b/src/vasprintf.c index 326a2c3..18b1ef1 100644 --- a/src/vasprintf.c +++ b/src/vasprintf.c @@ -26,8 +26,6 @@ Boston, MA 02111-1307, USA. */ #include #include -#include "mem.h" - #ifndef va_copy /* According to POSIX, va_copy is a macro. */ #if defined (__GNUC__) && defined (__PPC__) \ 
@@ -42,7 +40,14 @@ Boston, MA 02111-1307, USA. */ #ifdef TEST +#define _gpgme_malloc malloc +#define _gpgme_calloc calloc +#define _gpgme_realloc realloc +#define _gpgme_strdup strdup +#define _gpgme_free free int global_total_width; +#else +#include "mem.h" #endif static int int_vasprintf (char **, const char *, va_list *); @@ -161,7 +166,17 @@ _gpgme_vasprintf (result, format, args) va_list args; #endif { - return int_vasprintf (result, format, &args); +#if defined (_BSD_VA_LIST_) && defined (__FreeBSD__) + _BSD_VA_LIST_ cp; +#else + va_list cp; +#endif + int ret; + + va_copy(cp, args); + ret = int_vasprintf (result, format, &cp); + va_end(cp); + return ret; } ----------------------------------------------------------------------- Summary of changes: src/vasprintf.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) hooks/post-receive -- GnuPG Made Easy http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 17 13:12:06 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 17 Oct 2014 13:12:06 +0200 Subject: [git] gnupg-doc - branch, master, updated. f5e7a838cc7d6b84e818f014e7132d84a12927d9 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GnuPG website and other docs". The branch, master has been updated via f5e7a838cc7d6b84e818f014e7132d84a12927d9 (commit) from 971c62e094e2145f5bba47812229246f478edc23 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit f5e7a838cc7d6b84e818f014e7132d84a12927d9 Author: Werner Koch Date: Fri Oct 17 13:12:16 2014 +0200 tools: Add yearly stats to mkkudos.sh. diff --git a/tools/mkkudos.sh b/tools/mkkudos.sh index 3c42a8a..8e5ed96 100755 --- a/tools/mkkudos.sh +++ b/tools/mkkudos.sh 
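Review bot: The new `va_copy` block in `_gpgme_vasprintf` carries no comment, and the commit message itself says the reason for the fix is unclear, so a later cleanup could easily revert it. The likely explanation (int_vasprintf is outside this hunk, so please confirm) is that `args` is a function parameter: where `va_list` is an array type it has decayed to a pointer, so `&args` is not a valid `va_list *`, while the address of the local copy `cp` is. I would add above the declaration of `cp`: `/* ARGS is a parameter and may have decayed to a pointer; pass the address of a local copy instead. */`. The matching `va_end(cp)` is present, as it should be. The function's signature begins outside the hunk.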
@@ -8,6 +8,45 @@ htdocs="/var/www/www/www.gnupg.org/htdocs" donors="$htdocs/donate/donors.dat" donations="$htdocs/donate/donations.dat" + +usage() +{ + cat <&2 + ;; + esac + shift +done + + if [ ! -f "$donors" ]; then echo "mkkudos.sh: '$donors' not found" >&2; exit 1 @@ -24,10 +63,14 @@ monyear=$(echo "$tmp" | awk -F: 'BEGIN { m[1] = "January"; m[10] = "October"; m[11] = "November"; m[12] = "December"; } {printf "%s %d", m[$2] , $1}') euro=$(echo "$tmp" | awk -F: '{printf "%d Euro", int($8 + 0.5)}') - +euroyr=$(echo "$tmp" | awk -F: '{printf "%d Euro", int($10 + 0.5)}') +n=$(echo "$tmp" | awk -F: '{printf "%d", $7}') +nyr=$(echo "$tmp" | awk -F: '{printf "%d", $9}') for file in "$htdocs/donate/"kudos-????.html "$htdocs/donate/"kudos.html; do - [ "$file" -ot "$donors" ] || continue + if [ $force = no ]; then + [ "$file" -ot "$donors" ] || continue + fi if [ "$file" = "$htdocs/donate/"kudos.html ]; then year=$(date +%Y) else @@ -37,7 +80,9 @@ for file in "$htdocs/donate/"kudos-????.html "$htdocs/donate/"kudos.html; do echo "processing $file" >&2 [ -f "$file.tmp" ] && rm "$file.tmp" awk -F: -v year=$year -v donors="$donors" \ - -v monyear="$monyear" -v euro="$euro" <"$file" >"$file.tmp" ' + -v monyear="$monyear" -v euro="$euro" -v euroyr="$euroyr" \ + -v n="$n" -v nyr="$nyr" \ + <"$file" >"$file.tmp" ' // {indon=1; print; insert("") } // {indon=0} // {indon=1; print; insert("goteo13") } @@ -50,6 +95,18 @@ for file in "$htdocs/donate/"kudos-????.html "$htdocs/donate/"kudos.html; do printf " %s\n", euro; next } + // { + printf " %s\n", n; + next + } + // { + printf " %s\n", euroyr; + next + } + // { + printf " %s\n", nyr; + next + } !indon { print } function insert (tag) { diff --git a/web/donate/kudos.org b/web/donate/kudos.org index fbee1a5..2e6e151 100644 --- a/web/donate/kudos.org +++ b/web/donate/kudos.org @@ -25,12 +25,20 @@ ** Donation summary -#+HTML:

    In -#+HTML: -#+HTML: we received -#+HTML: -#+HTML: of donations by credit card plus some more donations via Paypal. -#+HTML:

    +#+HTML:

    In +#+HTML: October 2014 +#+HTML:we received +#+HTML: 2 +#+HTML:donations of +#+HTML: 28 Euro +#+HTML:. For the entire year we +#+HTML:received a total of +#+HTML: 52 Euro +#+HTML:from +#+HTML: 28 +#+HTML:donations. Note that these numbers are only for donations via Stripe +#+HTML:(credit card) and do not yet account for those received via Paypal. +#+HTML:

    | Year | # | \EUR | net \EUR | ----------------------------------------------------------------------- Summary of changes: tools/mkkudos.sh | 63 +++++++++++++++++++++++++++++++++++++++++++++++--- web/donate/kudos.org | 20 +++++++++++----- 2 files changed, 74 insertions(+), 9 deletions(-) hooks/post-receive -- The GnuPG website and other docs http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 17 13:40:35 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 17 Oct 2014 13:40:35 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta864-22-g8fd150b Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 8fd150b05b744fe9465057c12529d5e6b6b02785 (commit) via 60d22d54a50f63b4026aa8bbc97efa8d3c76e614 (commit) via 0df36db63e29dd755266d06c55d9c434eef5e084 (commit) from fab89f159bcb36ea7285af661d5756eefa981822 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 8fd150b05b744fe9465057c12529d5e6b6b02785 Author: Werner Koch Date: Sun Oct 12 20:07:12 2014 +0200 gpg: Remove all support for v3 keys and always create v4-signatures. * g10/build-packet.c (do_key): Remove support for building v3 keys. * g10/parse-packet.c (read_protected_v3_mpi): Remove. (parse_key): Remove support for v3-keys. Add dedicated warnings for v3-key packets. * g10/keyid.c (hash_public_key): Remove v3-key support. (keyid_from_pk): Ditto. (fingerprint_from_pk): Ditto. * g10/options.h (opt): Remove fields force_v3_sigs and force_v4_certs. * g10/gpg.c (cmd_and_opt_values): Remove oForceV3Sigs, oNoForceV3Sigs, oForceV4Certs, oNoForceV4Certs. (opts): Turn --force-v3-sigs, --no-force-v3-sigs, --force-v4-certs, --no-force-v4-certs int dummy options. (main): Remove setting of the force_v3_sigs force_v4_certs flags. * g10/revoke.c (gen_revoke, create_revocation): Always create v4 certs. * g10/sign.c (hash_uid): Remove support for v3-signatures (hash_sigversion_to_magic): Ditto. (only_old_style): Remove this v3-key function. (write_signature_packets): Remove support for creating v3-signatures. (sign_file): Ditto. 
(sign_symencrypt_file): Ditto. (clearsign_file): Ditto. Remove code to emit no Hash armor line if only v3-keys are used. (make_keysig_packet): Remove arg SIGVERSION and force using v4-signatures. Change all callers to not pass a value for this arg. Remove all v3-key related code. (update_keysig_packet): Remove v3-signature support. * g10/keyedit.c (sign_uids): Always create v4-signatures. * g10/textfilter.c (copy_clearsig_text): Remove arg pgp2mode and change caller. -- v3 keys are deprecated for about 15 years and due the severe weaknesses of MD5 it does not make any sense to keep code around to use these old and broken keys. Users who need to decrypt old messages should use gpg 1.4 and best re-encrypt them to modern standards. verification of old (i.e. PGP2) created signatures is thus also not anymore possible but such signatures have no values anyway - MD5 is just too broken. We have also kept support for v3 signatures until now. With the removal of support for v3 keys it is questionable whether it makes any sense to keep support for v3-signatures. What we do now is to keep support for verification of v3-signatures but we force the use of v4-signatures. The latter makes the --pgp6 and --pgp7 switch a bit obsolete because those PGP versions require v3-signatures for messages. These versions of PGP are also really old and not anymore maintained so they have not received any bug fixes and should not be used anyway. Signed-off-by: Werner Koch diff --git a/doc/OpenPGP b/doc/OpenPGP index 96223d7..794f669 100644 --- a/doc/OpenPGP +++ b/doc/OpenPGP 
@@ -9,6 +9,15 @@ =================== GnuPG (>=1.0.3) is in compliance with RFC2440 despite these exceptions: + * With GnuPG >= 2.1.0 all support for version 3 keys has been + removed. Thus there is no more compatibility with PGP-2. Users + who need to be able to decrypt old PGP 2 messages should use + GnuPG 1.4.x along with the option --allow-weak-digest-algos. + + * With GnuPG >= 2.1.0 all signatures (on messages and keys) are + created using version 4 signatures. Support for verifying + version 3 signature is still available. + * (9.2) states that IDEA SHOULD be implemented. This is not done due to patent problems. UPDATE: Since version 1.4.13 (or GnuPG 2.x with Libgcrypt 1.6) diff --git a/doc/gpg.texi b/doc/gpg.texi index 2997b64..cddf462 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -2129,6 +2129,7 @@ platforms that have different line ending conventions (UNIX-like to Mac, Mac to Windows, etc). @option{--no-textmode} disables this option, and is the default. + at ifclear gpgtwoone @item --force-v3-sigs @itemx --no-force-v3-sigs @opindex force-v3-sigs @@ -2147,6 +2148,15 @@ Defaults to no. Always use v4 key signatures even on v3 keys. This option also changes the default hash algorithm for v3 RSA keys from MD5 to SHA-1. @option{--no-force-v4-certs} disables this option. + at end ifclear + + at ifset gpgtwoone + at item --force-v3-sigs + at itemx --no-force-v3-sigs + at item --force-v4-certs + at itemx --no-force-v4-certs +These options are obsolete and have no effect since GnuPG 2.1. + at end ifset @item --force-mdc @opindex force-mdc 
@@ -2301,8 +2311,12 @@ compression algorithms none and ZIP. This also disables --throw-keyids, and making signatures with signing subkeys as PGP 6 does not understand signatures made by signing subkeys. -This option implies @option{--disable-mdc --escape-from-lines ---force-v3-sigs}. + at ifclear gpgtwoone +This option implies @option{--disable-mdc --escape-from-lines --force-v3-sigs}. + at end ifclear + at ifset gpgtwoone +This option implies @option{--disable-mdc --escape-from-lines}. + at end ifset @item --pgp7 @opindex pgp7 diff --git a/g10/build-packet.c b/g10/build-packet.c index af0de3b..c04abab 100644 --- a/g10/build-packet.c +++ b/g10/build-packet.c @@ -291,24 +291,13 @@ do_key (iobuf_t out, int ctb, PKT_public_key *pk) int i, nskey, npkey; iobuf_t a = iobuf_temp(); /* Build in a self-enlarging buffer. */ - /* Write the version number - if none is specified, use 3 */ + /* Write the version number - if none is specified, use 4 */ if ( !pk->version ) - iobuf_put ( a, 3 ); + iobuf_put ( a, 4 ); else iobuf_put ( a, pk->version ); write_32 (a, pk->timestamp ); - /* v3 needs the expiration time. */ - if ( pk->version < 4 ) - { - u16 ndays; - if ( pk->expiredate ) - ndays = (u16)((pk->expiredate - pk->timestamp) / 86400L); - else - ndays = 0; - write_16(a, ndays); - } - iobuf_put (a, pk->pubkey_algo ); /* Get number of secret and public parameters. They are held in one 
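Review bot: In do_key the `else iobuf_put ( a, pk->version );` branch still writes whatever version the caller supplies, but the two-byte expiration field that a version below 4 needs is no longer emitted, so a v2/v3 `PKT_public_key` reaching this function would be serialised as a malformed packet instead of being refused. parse_key rejects such packets elsewhere in this commit, so this is probably unreachable today, but the invariant is nowhere stated. I would make it explicit at the top of the function, for example `assert (!pk->version || pk->version >= 4);`, or return an error if do_key's callers handle one. The function body starts and ends outside this hunk.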
@@ -347,45 +336,37 @@ do_key (iobuf_t out, int ctb, PKT_public_key *pk) /* Build the header for protected (encrypted) secret parameters. */ if (ski->is_protected) { - if ( is_RSA (pk->pubkey_algo) && pk->version < 4 && !ski->s2k.mode ) + /* OpenPGP protection according to rfc2440. */ + iobuf_put (a, ski->sha1chk? 0xfe : 0xff); + iobuf_put (a, ski->algo); + if (ski->s2k.mode >= 1000) { - /* The simple rfc1991 (v3) way. */ - iobuf_put (a, ski->algo ); - iobuf_write (a, ski->iv, ski->ivlen); + /* These modes are not possible in OpenPGP, we use them + to implement our extensions, 101 can be viewed as a + private/experimental extension (this is not specified + in rfc2440 but the same scheme is used for all other + algorithm identifiers). */ + iobuf_put (a, 101); + iobuf_put (a, ski->s2k.hash_algo); + iobuf_write (a, "GNU", 3 ); + iobuf_put (a, ski->s2k.mode - 1000); } else { - /* OpenPGP protection according to rfc2440. */ - iobuf_put (a, ski->sha1chk? 0xfe : 0xff); - iobuf_put (a, ski->algo); - if (ski->s2k.mode >= 1000) - { - /* These modes are not possible in OpenPGP, we use - them to implement our extensions, 101 can be - viewed as a private/experimental extension (this - is not specified in rfc2440 but the same scheme - is used for all other algorithm identifiers). */ - iobuf_put (a, 101); - iobuf_put (a, ski->s2k.hash_algo); - iobuf_write (a, "GNU", 3 ); - iobuf_put (a, ski->s2k.mode - 1000); - } - else - { - iobuf_put (a, ski->s2k.mode); - iobuf_put (a, ski->s2k.hash_algo); - } - - if (ski->s2k.mode == 1 || ski->s2k.mode == 3) - iobuf_write (a, ski->s2k.salt, 8); - - if (ski->s2k.mode == 3) - iobuf_put (a, ski->s2k.count); - - /* For our special modes 1001, 1002 we do not need an IV. 
*/ - if (ski->s2k.mode != 1001 && ski->s2k.mode != 1002) - iobuf_write (a, ski->iv, ski->ivlen); + iobuf_put (a, ski->s2k.mode); + iobuf_put (a, ski->s2k.hash_algo); } + + if (ski->s2k.mode == 1 || ski->s2k.mode == 3) + iobuf_write (a, ski->s2k.salt, 8); + + if (ski->s2k.mode == 3) + iobuf_put (a, ski->s2k.count); + + /* For our special modes 1001, 1002 we do not need an IV. */ + if (ski->s2k.mode != 1001 && ski->s2k.mode != 1002) + iobuf_write (a, ski->iv, ski->ivlen); + } else /* Not protected. */ iobuf_put (a, 0 ); @@ -400,7 +381,7 @@ do_key (iobuf_t out, int ctb, PKT_public_key *pk) /* The serial number gets stored in the IV field. */ iobuf_write (a, ski->iv, ski->ivlen); } - else if (ski->is_protected && pk->version >= 4) + else if (ski->is_protected) { /* The secret key is protected - write it out as it is. */ byte *p; @@ -410,20 +391,6 @@ do_key (iobuf_t out, int ctb, PKT_public_key *pk) p = gcry_mpi_get_opaque (pk->pkey[npkey], &ndatabits); iobuf_write (a, p, (ndatabits+7)/8 ); } - else if (ski->is_protected) - { - /* The secret key is protected the old v4 way. */ - for ( ; i < nskey; i++ ) - { - byte *p; - unsigned int ndatabits; - - assert (gcry_mpi_get_flag (pk->pkey[i], GCRYMPI_FLAG_OPAQUE)); - p = gcry_mpi_get_opaque (pk->pkey[i], &ndatabits); - iobuf_write (a, p, (ndatabits+7)/8); - } - write_16 (a, ski->csum ); - } else { /* Non-protected key. */ diff --git a/g10/filter.h b/g10/filter.h index 40c5134..731ad0f 100644 --- a/g10/filter.h +++ b/g10/filter.h @@ -152,7 +152,7 @@ int cipher_filter( void *opaque, int control, int text_filter( void *opaque, int control, iobuf_t chain, byte *buf, size_t *ret_len); int copy_clearsig_text (iobuf_t out, iobuf_t inp, gcry_md_hd_t md, - int escape_dash, int escape_from, int pgp2mode); + int escape_dash, int escape_from); /*-- progress.c --*/ progress_filter_context_t *new_progress_context (void); diff --git a/g10/gpg.c b/g10/gpg.c index 57deb8d..1df44fe 100644 --- a/g10/gpg.c +++ b/g10/gpg.c 
@@ -272,10 +272,6 @@ enum cmd_and_opt_values oShowPhotos, oNoShowPhotos, oPhotoViewer, - oForceV3Sigs, - oNoForceV3Sigs, - oForceV4Certs, - oNoForceV4Certs, oForceMDC, oNoForceMDC, oDisableMDC, @@ -525,10 +521,6 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oQuiet, "quiet", "@"), ARGPARSE_s_n (oNoTTY, "no-tty", "@"), - ARGPARSE_s_n (oForceV3Sigs, "force-v3-sigs", "@"), - ARGPARSE_s_n (oNoForceV3Sigs, "no-force-v3-sigs", "@"), - ARGPARSE_s_n (oForceV4Certs, "force-v4-certs", "@"), - ARGPARSE_s_n (oNoForceV4Certs, "no-force-v4-certs", "@"), ARGPARSE_s_n (oForceMDC, "force-mdc", "@"), ARGPARSE_s_n (oNoForceMDC, "no-force-mdc", "@"), ARGPARSE_s_n (oDisableMDC, "disable-mdc", "@"), @@ -810,6 +802,10 @@ static ARGPARSE_OPTS opts[] = { ARGPARSE_s_n (oNoop, "no-sk-comments", "@"), ARGPARSE_s_n (oNoop, "compress-keys", "@"), ARGPARSE_s_n (oNoop, "compress-sigs", "@"), + ARGPARSE_s_n (oNoop, "force-v3-sigs", "@"), + ARGPARSE_s_n (oNoop, "no-force-v3-sigs", "@"), + ARGPARSE_s_n (oNoop, "force-v4-certs", "@"), + ARGPARSE_s_n (oNoop, "no-force-v4-certs", "@"), ARGPARSE_end () }; @@ -2535,7 +2531,6 @@ main (int argc, char **argv) opt.allow_freeform_uid = 1; opt.pgp2_workarounds = 0; opt.escape_from = 1; - opt.force_v3_sigs = 0; opt.not_dash_escaped = 0; opt.def_cipher_algo = 0; opt.def_digest_algo = 0; @@ -2553,7 +2548,6 @@ main (int argc, char **argv) opt.allow_freeform_uid = 1; opt.pgp2_workarounds = 0; opt.escape_from = 0; - opt.force_v3_sigs = 0; opt.not_dash_escaped = 0; opt.def_cipher_algo = 0; opt.def_digest_algo = 0; 
@@ -2637,10 +2631,7 @@ main (int argc, char **argv) opt.verify_options&=~VERIFY_SHOW_PHOTOS; break; case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break; - case oForceV3Sigs: opt.force_v3_sigs = 1; break; - case oNoForceV3Sigs: opt.force_v3_sigs = 0; break; - case oForceV4Certs: opt.force_v4_certs = 1; break; - case oNoForceV4Certs: opt.force_v4_certs = 0; break; + case oForceMDC: opt.force_mdc = 1; break; case oNoForceMDC: opt.force_mdc = 0; break; case oDisableMDC: opt.disable_mdc = 1; break; @@ -3288,15 +3279,17 @@ main (int argc, char **argv) /* Do these after the switch(), so they can override settings. */ if(PGP6) { + /* That does not anymore work becuase we have no more support + for v3 signatures. */ opt.disable_mdc=1; opt.escape_from=1; - opt.force_v3_sigs=1; opt.ask_sig_expire=0; } else if(PGP7) { + /* That does not anymore work because we have no more support + for v3 signatures. */ opt.escape_from=1; - opt.force_v3_sigs=1; opt.ask_sig_expire=0; } else if(PGP8) diff --git a/g10/keyedit.c b/g10/keyedit.c index 308576d..a8e6f5d 100644 --- a/g10/keyedit.c +++ b/g10/keyedit.c @@ -536,14 +536,10 @@ sign_uids (estream_t fp, { u32 sk_keyid[2], pk_keyid[2]; char *p, *trust_regexp = NULL; - int force_v4 = 0, class = 0, selfsig = 0; + int class = 0, selfsig = 0; u32 duration = 0, timestamp = 0; byte trust_depth = 0, trust_value = 0; - if (local || nonrevocable || trust - || opt.cert_policy_url || opt.cert_notations) - force_v4 = 1; - pk = sk_rover->pk; keyid_from_pk (pk, sk_keyid); @@ -567,14 +563,7 @@ sign_uids (estream_t fp, /* Is this a self-sig? */ if (pk_keyid[0] == sk_keyid[0] && pk_keyid[1] == sk_keyid[1]) - { - selfsig = 1; - /* Do not force a v4 sig here, otherwise it would - be difficult to remake a v3 selfsig. If this - is a v3->v4 promotion case, then we set - force_v4 later anyway. */ - force_v4 = 0; - } + selfsig = 1; } else if (node->pkt->pkttype == PKT_USER_ID) { 
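Review bot: The PGP6 and PGP7 branches after the option switch in main now only carry a comment saying the mode no longer works ("becuase" in the first comment is a typo for "because"), so `--pgp6` and `--pgp7` are accepted silently while producing v4 signatures, which according to the commit message those PGP versions cannot use for messages. Someone who selects one of these compliance modes gets no hint at run time that the output is not what the mode promises. Consider a diagnostic in each branch, for example `log_info ("WARNING: --pgp6 can no longer create v3 signatures\n");`. The same silent acceptance applies to the `oNoop` entries added for `--force-v3-sigs` and `--force-v4-certs` in the opts table hunk. main's body continues outside this hunk.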
@@ -716,7 +705,6 @@ sign_uids (estream_t fp, "it to an OpenPGP self-" "signature? (y/N) "))) { - force_v4 = 1; node->flag |= NODFLG_DELSIG; xfree (user); continue; @@ -860,7 +848,6 @@ sign_uids (estream_t fp, passphrase, etc). */ timestamp = now; duration = primary_pk->expiredate - now; - force_v4 = 1; } cpr_kill_prompt (); @@ -879,9 +866,6 @@ sign_uids (estream_t fp, duration = parse_expire_string (opt.def_cert_expire); } - if (duration) - force_v4 = 1; - if (selfsig) ; else @@ -1041,7 +1025,7 @@ sign_uids (estream_t fp, node->pkt->pkt.user_id, NULL, pk, - 0x13, 0, force_v4 ? 4 : 0, 0, 0, + 0x13, 0, 0, 0, keygen_add_std_prefs, primary_pk, NULL); else @@ -1049,7 +1033,7 @@ sign_uids (estream_t fp, node->pkt->pkt.user_id, NULL, pk, - class, 0, force_v4 ? 4 : 0, + class, 0, timestamp, duration, sign_mk_attrib, &attrib, NULL); @@ -3290,7 +3274,7 @@ menu_adduid (KBNODE pub_keyblock, int photo, const char *photo_name) if (!uid) return 0; - err = make_keysig_packet (&sig, pk, uid, NULL, pk, 0x13, 0, 0, 0, 0, + err = make_keysig_packet (&sig, pk, uid, NULL, pk, 0x13, 0, 0, 0, keygen_add_std_prefs, pk, NULL); if (err) { @@ -3674,9 +3658,7 @@ menu_addrevoker (ctrl_t ctrl, kbnode_t pub_keyblock, int sensitive) break; } - /* The 1F signature must be at least v4 to carry the revocation key - subpacket. */ - rc = make_keysig_packet (&sig, pk, NULL, NULL, pk, 0x1F, 0, 4, 0, 0, + rc = make_keysig_packet (&sig, pk, NULL, NULL, pk, 0x1F, 0, 0, 0, keygen_add_revkey, &revkey, NULL); if (rc) { @@ -4966,7 +4948,7 @@ reloop: /* (must use this, because we are modifing the list) */ } rc = make_keysig_packet (&sig, primary_pk, unode->pkt->pkt.user_id, - NULL, signerkey, 0x30, 0, 0, 0, 0, + NULL, signerkey, 0x30, 0, 0, 0, sign_mk_attrib, &attrib, NULL); free_public_key (signerkey); if (rc) 
@@ -5058,7 +5040,7 @@ menu_revuid (KBNODE pub_keyblock) node->flag &= ~NODFLG_SELUID; rc = make_keysig_packet (&sig, pk, uid, NULL, pk, 0x30, 0, - (reason == NULL) ? 3 : 0, timestamp, 0, + timestamp, 0, sign_mk_attrib, &attrib, NULL); if (rc) { @@ -5122,7 +5104,7 @@ menu_revkey (KBNODE pub_keyblock) return 0; rc = make_keysig_packet (&sig, pk, NULL, NULL, pk, - 0x20, 0, opt.force_v4_certs ? 4 : 0, 0, 0, + 0x20, 0, 0, 0, revocation_reason_build_cb, reason, NULL); if (rc) { @@ -5183,7 +5165,7 @@ menu_revsubkey (KBNODE pub_keyblock) node->flag &= ~NODFLG_SELKEY; rc = make_keysig_packet (&sig, mainpk, NULL, subpk, mainpk, - 0x28, 0, 0, 0, 0, sign_mk_attrib, &attrib, + 0x28, 0, 0, 0, sign_mk_attrib, &attrib, NULL); if (rc) { diff --git a/g10/keygen.c b/g10/keygen.c index 6079ff0..8095452 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -812,7 +812,7 @@ make_backsig (PKT_signature *sig, PKT_public_key *pk, cache_public_key (sub_pk); err = make_keysig_packet (&backsig, pk, NULL, sub_pk, sub_psk, 0x19, - 0, 0, timestamp, 0, NULL, NULL, cache_nonce); + 0, timestamp, 0, NULL, NULL, cache_nonce); if (err) log_error ("make_keysig_packet failed for backsig: %s\n", g10_errstr(err)); else @@ -922,7 +922,7 @@ write_direct_sig (KBNODE root, PKT_public_key *psk, /* Make the signature. */ err = make_keysig_packet (&sig, pk, NULL,NULL, psk, 0x1F, - 0, 0, timestamp, 0, + 0, timestamp, 0, keygen_add_revkey, revkey, cache_nonce); if (err) { @@ -977,7 +977,7 @@ write_selfsigs (KBNODE root, PKT_public_key *psk, /* Make the signature. */ err = make_keysig_packet (&sig, pk, uid, NULL, psk, 0x13, - 0, 0, timestamp, 0, + 0, timestamp, 0, keygen_add_std_prefs, pk, cache_nonce); if (err) { 
@@ -1036,12 +1036,12 @@ write_keybinding (KBNODE root, PKT_public_key *pri_psk, PKT_public_key *sub_psk, oduap.usage = use; oduap.pk = sub_pk; err = make_keysig_packet (&sig, pri_pk, NULL, sub_pk, pri_psk, 0x18, - 0, 0, timestamp, 0, + 0, timestamp, 0, keygen_add_key_flags_and_expire, &oduap, cache_nonce); if (err) { - log_error ("make_keysig_packet failed: %s\n", g10_errstr (err)); + log_error ("make_keysig_packeto failed: %s\n", g10_errstr (err)); return err; } diff --git a/g10/keyid.c b/g10/keyid.c index 8b4eeb1..662806b 100644 --- a/g10/keyid.c +++ b/g10/keyid.c @@ -147,10 +147,6 @@ hash_public_key (gcry_md_hd_t md, PKT_public_key *pk) size_t nbytes; int npkey = pubkey_get_npkey (pk->pubkey_algo); - /* Two extra bytes for the expiration date in v3 */ - if(pk->version<4) - n+=2; - /* FIXME: We can avoid the extra malloc by calling only the first mpi_print here which computes the required length and calling the real mpi_print only at the end. The speed advantage would only be @@ -211,16 +207,6 @@ hash_public_key (gcry_md_hd_t md, PKT_public_key *pk) gcry_md_putc ( md, pk->timestamp >> 8 ); gcry_md_putc ( md, pk->timestamp ); - if(pk->version<4) - { - u16 days=0; - if(pk->expiredate) - days=(u16)((pk->expiredate - pk->timestamp) / 86400L); - - gcry_md_putc ( md, days >> 8 ); - gcry_md_putc ( md, days ); - } - gcry_md_putc ( md, pk->pubkey_algo ); if(npkey==0 && pk->pkey[0] @@ -432,18 +418,6 @@ keyid_from_pk (PKT_public_key *pk, u32 *keyid) keyid[1] = pk->keyid[1]; lowbits = keyid[1]; } - else if( pk->version < 4 ) - { - if( is_RSA(pk->pubkey_algo) ) - { - lowbits = (pubkey_get_npkey (pk->pubkey_algo) ? - v3_keyid ( pk->pkey[0], keyid ) : 0); /* From n. */ - pk->keyid[0] = keyid[0]; - pk->keyid[1] = keyid[1]; - } - else - pk->keyid[0]=pk->keyid[1]=keyid[0]=keyid[1]=lowbits=0xFFFFFFFF; - } else { const byte *dp; 
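Review bot: The error string in write_keybinding now reads `make_keysig_packeto failed`, which looks like a stray character added while the call above it was edited. It should stay `log_error ("make_keysig_packet failed: %s\n", g10_errstr (err));` so that the message still matches the function name and the other make_keysig_packet failure messages in this file when someone greps a log. The function body starts and ends outside this hunk.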
@@ -706,66 +680,20 @@ colon_expirestr_from_sig (PKT_signature *sig) byte * fingerprint_from_pk (PKT_public_key *pk, byte *array, size_t *ret_len) { - byte *buf; const byte *dp; - size_t len, nbytes; - int i; - - if ( pk->version < 4 ) - { - if ( is_RSA(pk->pubkey_algo) ) - { - /* RSA in version 3 packets is special. */ - gcry_md_hd_t md; - - if (gcry_md_open (&md, DIGEST_ALGO_MD5, 0)) - BUG (); - if ( pubkey_get_npkey (pk->pubkey_algo) > 1 ) - { - for (i=0; i < 2; i++) - { - if (gcry_mpi_print (GCRYMPI_FMT_USG, NULL, 0, - &nbytes, pk->pkey[i])) - BUG (); - /* fixme: Better allocate BUF on the stack */ - buf = xmalloc (nbytes); - if (gcry_mpi_print (GCRYMPI_FMT_USG, buf, nbytes, - NULL, pk->pkey[i])) - BUG (); - gcry_md_write (md, buf, nbytes); - xfree (buf); - } - } - gcry_md_final (md); - if (!array) - array = xmalloc (16); - len = 16; - memcpy (array, gcry_md_read (md, DIGEST_ALGO_MD5), 16); - gcry_md_close(md); - } - else - { - if (!array) - array = xmalloc(16); - len = 16; - memset (array,0,16); - } - } - else - { - gcry_md_hd_t md; + size_t len; + gcry_md_hd_t md; - md = do_fingerprint_md(pk); - dp = gcry_md_read( md, 0 ); - len = gcry_md_get_algo_dlen (gcry_md_get_algo (md)); - assert( len <= MAX_FINGERPRINT_LEN ); - if (!array) - array = xmalloc ( len ); - memcpy (array, dp, len ); - pk->keyid[0] = dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15] ; - pk->keyid[1] = dp[16] << 24 | dp[17] << 16 | dp[18] << 8 | dp[19] ; - gcry_md_close( md); - } + md = do_fingerprint_md(pk); + dp = gcry_md_read( md, 0 ); + len = gcry_md_get_algo_dlen (gcry_md_get_algo (md)); + assert( len <= MAX_FINGERPRINT_LEN ); + if (!array) + array = xmalloc ( len ); + memcpy (array, dp, len ); + pk->keyid[0] = dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15] ; + pk->keyid[1] = dp[16] << 24 | dp[17] << 16 | dp[18] << 8 | dp[19] ; + gcry_md_close( md); if (ret_len) *ret_len = len; diff --git a/g10/options.h b/g10/options.h index edd31a9..0875eb5 100644 --- a/g10/options.h 
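Review bot: In the now-unconditional path of fingerprint_from_pk, `pk->keyid[0] = dp[12] << 24 | ...` shifts a `byte` that has been promoted to `int`, so a digest byte of 0x80 or above is shifted into the sign bit; casting first, `pk->keyid[0] = (u32)dp[12] << 24 | dp[13] << 16 | dp[14] << 8 | dp[15];` (and the same with `dp[16]` for `keyid[1]`), keeps the expression well-defined. The code also reads `dp[12]` to `dp[19]` while only `len <= MAX_FINGERPRINT_LEN` is asserted, so it relies on do_fingerprint_md always yielding a digest of at least 20 bytes; a one-line comment saying so would help now that this is the only path. When the caller passes a non-NULL `array`, `len` bytes are copied into it with no size argument, so the function comment should state the buffer size callers must provide. The end of the function is outside this hunk.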
+++ b/g10/options.h @@ -74,8 +74,6 @@ struct int no_armor; int list_packets; /* list-packets mode: 1=normal, 2=invoked by command*/ int def_cipher_algo; - int force_v3_sigs; - int force_v4_certs; int force_mdc; int disable_mdc; int def_digest_algo; diff --git a/g10/packet.h b/g10/packet.h index b1b82d7..ba43638 100644 --- a/g10/packet.h +++ b/g10/packet.h @@ -530,7 +530,7 @@ int ask_for_detached_datafile( gcry_md_hd_t md, gcry_md_hd_t md2, int make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk, PKT_user_id *uid, PKT_public_key *subpk, PKT_public_key *pksk, int sigclass, int digest_algo, - int sigversion, u32 timestamp, u32 duration, + u32 timestamp, u32 duration, int (*mksubpkt)(PKT_signature *, void *), void *opaque, const char *cache_nonce); diff --git a/g10/parse-packet.c b/g10/parse-packet.c index f7b2079..50da17c 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -1901,53 +1901,6 @@ parse_onepass_sig (IOBUF inp, int pkttype, unsigned long pktlen, } -static gcry_mpi_t -read_protected_v3_mpi (IOBUF inp, unsigned long *length) -{ - int c; - unsigned int nbits, nbytes; - unsigned char *buf, *p; - gcry_mpi_t val; - - if (*length < 2) - { - log_error ("mpi too small\n"); - return NULL; - } - - if ((c = iobuf_get (inp)) == -1) - return NULL; - --*length; - nbits = c << 8; - if ((c = iobuf_get (inp)) == -1) - return NULL; - --*length; - nbits |= c; - - if (nbits > 16384) - { - log_error ("mpi too large (%u bits)\n", nbits); - return NULL; - } - nbytes = (nbits + 7) / 8; - buf = p = xmalloc (2 + nbytes); - *p++ = nbits >> 8; - *p++ = nbits; - for (; nbytes && *length; nbytes--, --*length) - *p++ = iobuf_get (inp); - if (nbytes) - { - log_error ("packet shorter than mpi\n"); - xfree (buf); - return NULL; - } - - /* Convert buffer into an opaque MPI. */ - val = gcry_mpi_set_opaque (NULL, buf, (p - buf) * 8); - return val; -} - - static int parse_key (IOBUF inp, int pkttype, unsigned long pktlen, byte * hdr, int hdrlen, PACKET * pkt) 
@@ -1956,7 +1909,6 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, int i, version, algorithm; unsigned long timestamp, expiredate, max_expiredate; int npkey, nskey; - int is_v4 = 0; int rc = 0; u32 keyid[2]; PKT_public_key *pk; @@ -1991,8 +1943,19 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, return 0; } else if (version == 4) - is_v4 = 1; - else if (version != 2 && version != 3) + { + /* The only supported version. Use an older gpg + versions (i.e. gpg 1.4 to parse v3 packets). */ + } + else if (version == 2 || version == 3) + { + log_info ("packet(%d) with obsolete version %d\n", pkttype, version); + if (list_mode) + es_fprintf (listfp, ":key packet: [obsolete version %d]\n", version); + err = gpg_error (GPG_ERR_INV_PACKET); + goto leave; + } + else { log_error ("packet(%d) with unknown version %d\n", pkttype, version); if (list_mode) @@ -2012,23 +1975,8 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, timestamp = read_32 (inp); pktlen -= 4; - if (is_v4) - { - expiredate = 0; /* have to get it from the selfsignature */ - max_expiredate = 0; - } - else - { - unsigned short ndays; - ndays = read_16 (inp); - pktlen -= 2; - if (ndays) - expiredate = timestamp + ndays * 86400L; - else - expiredate = 0; - - max_expiredate = expiredate; - } + expiredate = 0; /* have to get it from the selfsignature */ + max_expiredate = 0; algorithm = iobuf_get_noeof (inp); pktlen--; if (list_mode) @@ -2145,7 +2093,7 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, ski->s2k.hash_algo = iobuf_get_noeof (inp); pktlen--; /* Check for the special GNU extension. */ - if (is_v4 && ski->s2k.mode == 101) + if (ski->s2k.mode == 101) { for (i = 0; i < 4 && pktlen; i++, pktlen--) temp[i] = iobuf_get_noeof (inp); 
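Review bot: The new `version == 2 || version == 3` branch of parse_key returns `GPG_ERR_INV_PACKET`, the same code this function uses for a secret-key MPI that fails to parse, so a caller cannot tell a well-formed but obsolete key from corrupt input. The callers are not visible here, but if any of them wants to skip legacy keys and continue (importing a mixed keyring, say) while still failing hard on corruption, a distinct error code for this branch would be needed. Separately, the comment in the `version == 4` branch has a misplaced parenthesis and should read `/* The only supported version.  Use an older gpg version (e.g. gpg 1.4) to parse v3 packets.  */`. The function body starts and ends outside this hunk.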
@@ -2312,7 +2260,7 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, 10 * 8); pktlen = 0; } - else if (is_v4 && ski->is_protected) + else if (ski->is_protected) { /* Ugly: The length is encrypted too, so we read all stuff * up to the end of the packet into the first SKEY @@ -2331,29 +2279,18 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, } else { - /* The v3 method: The mpi length is not encrypted. */ + /* Not encrypted. */ for (i = npkey; i < nskey; i++) { - if (ski->is_protected) - { - pk->pkey[i] = read_protected_v3_mpi (inp, &pktlen); - if (pk->pkey[i]) - gcry_mpi_set_flag (pk->pkey[i], GCRYMPI_FLAG_USER1); - if (list_mode) - es_fprintf (listfp, "\tskey[%d]: [v3 protected]\n", i); - } - else - { - unsigned int n = pktlen; - pk->pkey[i] = mpi_read (inp, &n, 0); - pktlen -= n; - if (list_mode) - { - es_fprintf (listfp, "\tskey[%d]: ", i); - mpi_print (listfp, pk->pkey[i], mpi_print_mode); - es_putc ('\n', listfp); - } - } + unsigned int n = pktlen; + pk->pkey[i] = mpi_read (inp, &n, 0); + pktlen -= n; + if (list_mode) + { + es_fprintf (listfp, "\tskey[%d]: ", i); + mpi_print (listfp, pk->pkey[i], mpi_print_mode); + es_putc ('\n', listfp); + } if (!pk->pkey[i]) err = gpg_error (GPG_ERR_INV_PACKET); diff --git a/g10/revoke.c b/g10/revoke.c index 81b5d6d..6b9e709 100644 --- a/g10/revoke.c +++ b/g10/revoke.c @@ -338,7 +338,7 @@ gen_desig_revoke( const char *uname, strlist_t locusr ) /* create it */ rc = make_keysig_packet( &sig, pk, NULL, NULL, pk2, 0x20, 0, - 0, 0, 0, + 0, 0, revocation_reason_build_cb, reason, NULL); if( rc ) { @@ -465,7 +465,6 @@ create_revocation (const char *filename, push_armor_filter (afx, out); rc = make_keysig_packet (&sig, psk, NULL, NULL, psk, 0x20, 0, - opt.force_v4_certs? 4:0, 0, 0, revocation_reason_build_cb, reason, cache_nonce); if (rc) 
@@ -649,16 +648,13 @@ gen_revoke (const char *uname) goto leave; } - if (psk->version >= 4 || opt.force_v4_certs) + /* Get the reason for the revocation. */ + reason = ask_revocation_reason (1, 0, 1); + if (!reason) { - /* Get the reason for the revocation. */ - reason = ask_revocation_reason (1, 0, 1); - if (!reason) - { - /* user decided to cancel */ - rc = 0; - goto leave; - } + /* User decided to cancel. */ + rc = 0; + goto leave; } if (!opt.armor) diff --git a/g10/sign.c b/g10/sign.c index bd78c17..e7d4a68 100644 --- a/g10/sign.c +++ b/g10/sign.c @@ -155,30 +155,32 @@ mk_notation_policy_etc (PKT_signature *sig, static void hash_uid (gcry_md_hd_t md, int sigversion, const PKT_user_id *uid) { - if ( sigversion >= 4 ) { - byte buf[5]; - - if(uid->attrib_data) { - buf[0] = 0xd1; /* indicates an attribute packet */ - buf[1] = uid->attrib_len >> 24; /* always use 4 length bytes */ - buf[2] = uid->attrib_len >> 16; - buf[3] = uid->attrib_len >> 8; - buf[4] = uid->attrib_len; - } - else { - buf[0] = 0xb4; /* indicates a userid packet */ - buf[1] = uid->len >> 24; /* always use 4 length bytes */ - buf[2] = uid->len >> 16; - buf[3] = uid->len >> 8; - buf[4] = uid->len; - } - gcry_md_write( md, buf, 5 ); + byte buf[5]; + + (void)sigversion; + + if (uid->attrib_data) + { + buf[0] = 0xd1; /* Indicates an attribute packet. */ + buf[1] = uid->attrib_len >> 24; /* Always use 4 length bytes. */ + buf[2] = uid->attrib_len >> 16; + buf[3] = uid->attrib_len >> 8; + buf[4] = uid->attrib_len; + } + else + { + buf[0] = 0xb4; /* Indicates a userid packet. */ + buf[1] = uid->len >> 24; /* Always use 4 length bytes. */ + buf[2] = uid->len >> 16; + buf[3] = uid->len >> 8; + buf[4] = uid->len; } + gcry_md_write( md, buf, 5 ); - if(uid->attrib_data) - gcry_md_write (md, uid->attrib_data, uid->attrib_len ); - else - gcry_md_write (md, uid->name, uid->len ); + if (uid->attrib_data) + gcry_md_write (md, uid->attrib_data, uid->attrib_len ); + else + gcry_md_write (md, uid->name, uid->len ); } 
@@ -188,45 +190,38 @@ hash_uid (gcry_md_hd_t md, int sigversion, const PKT_user_id *uid) static void hash_sigversion_to_magic (gcry_md_hd_t md, const PKT_signature *sig) { - if (sig->version >= 4) - gcry_md_putc (md, sig->version); - gcry_md_putc (md, sig->sig_class); - if (sig->version < 4) { - u32 a = sig->timestamp; - gcry_md_putc (md, (a >> 24) & 0xff ); - gcry_md_putc (md, (a >> 16) & 0xff ); - gcry_md_putc (md, (a >> 8) & 0xff ); - gcry_md_putc (md, a & 0xff ); + byte buf[6]; + size_t n; + + gcry_md_putc (md, sig->version); + gcry_md_putc (md, sig->sig_class); + gcry_md_putc (md, sig->pubkey_algo); + gcry_md_putc (md, sig->digest_algo); + if (sig->hashed) + { + n = sig->hashed->len; + gcry_md_putc (md, (n >> 8) ); + gcry_md_putc (md, n ); + gcry_md_write (md, sig->hashed->data, n ); + n += 6; } - else { - byte buf[6]; - size_t n; - - gcry_md_putc (md, sig->pubkey_algo); - gcry_md_putc (md, sig->digest_algo); - if (sig->hashed) { - n = sig->hashed->len; - gcry_md_putc (md, (n >> 8) ); - gcry_md_putc (md, n ); - gcry_md_write (md, sig->hashed->data, n ); - n += 6; - } - else { - gcry_md_putc (md, 0); /* always hash the length of the subpacket*/ - gcry_md_putc (md, 0); - n = 6; - } - /* add some magic */ - buf[0] = sig->version; - buf[1] = 0xff; - buf[2] = n >> 24; /* hmmm, n is only 16 bit, so this is always 0 */ - buf[3] = n >> 16; - buf[4] = n >> 8; - buf[5] = n; - gcry_md_write (md, buf, 6); + else + { + gcry_md_putc (md, 0); /* Always hash the length of the subpacket. */ + gcry_md_putc (md, 0); + n = 6; } + /* Add some magic. */ + buf[0] = sig->version; + buf[1] = 0xff; + buf[2] = n >> 24; /* (n is only 16 bit, so this is always 0) */ + buf[3] = n >> 16; + buf[4] = n >> 8; + buf[5] = n; + gcry_md_write (md, buf, 6); } + /* Perform the sign operation. If CACHE_NONCE is given the agent is advised to use that cached passphrase fro the key. */ static int 
@@ -520,26 +515,6 @@ hash_for (PKT_public_key *pk) } -/* Return true iff all keys in SK_LIST are old style (v3 RSA). */ -static int -only_old_style (SK_LIST sk_list) -{ - SK_LIST sk_rover = NULL; - int old_style = 0; - - for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) - { - PKT_public_key *pk = sk_rover->pk; - - if (pk->pubkey_algo == PUBKEY_ALGO_RSA && pk->version < 4) - old_style = 1; - else - return 0; - } - return old_style; -} - - static void print_status_sig_created (PKT_public_key *pk, PKT_signature *sig, int what) { @@ -705,10 +680,8 @@ write_signature_packets (SK_LIST sk_list, IOBUF out, gcry_md_hd_t hash, /* Build the signature packet. */ sig = xmalloc_clear (sizeof *sig); - if (opt.force_v3_sigs) - sig->version = 3; - else if (duration || opt.sig_policy_url - || opt.sig_notations || opt.sig_keyserver_url) + if (duration || opt.sig_policy_url + || opt.sig_notations || opt.sig_keyserver_url) sig->version = 4; else sig->version = pk->version; @@ -727,11 +700,8 @@ write_signature_packets (SK_LIST sk_list, IOBUF out, gcry_md_hd_t hash, if (gcry_md_copy (&md, hash)) BUG (); - if (sig->version >= 4) - { - build_sig_subpkt_from_sig (sig); - mk_notation_policy_etc (sig, pk, NULL); - } + build_sig_subpkt_from_sig (sig); + mk_notation_policy_etc (sig, pk, NULL); hash_sigversion_to_magic (md, sig); gcry_md_final (md); @@ -814,13 +784,10 @@ sign_file (ctrl_t ctrl, strlist_t filenames, int detached, strlist_t locusr, && (rc=setup_symkey(&efx.symkey_s2k,&efx.symkey_dek))) goto leave; - if(!opt.force_v3_sigs) - { - if(opt.ask_sig_expire && !opt.batch) - duration=ask_expire_interval(1,opt.def_sig_expire); - else - duration=parse_expire_string(opt.def_sig_expire); - } + if (opt.ask_sig_expire && !opt.batch) + duration = ask_expire_interval(1,opt.def_sig_expire); + else + duration = parse_expire_string(opt.def_sig_expire); /* Note: In the old non-agent version the following call used to unprotect the secret key. This is now done on demand by the agent. */ 
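Review bot: In write_signature_packets the fallback `sig->version = pk->version;` survives, while the next hunk now calls `build_sig_subpkt_from_sig (sig)` and `mk_notation_policy_etc (sig, pk, NULL)` unconditionally and hash_sigversion_to_magic always hashes the v4 layout. If `pk->version` were ever below 4 here (for example left at 0 by a caller), the packet would carry a version number that does not match how it was built and hashed. Since the stated intent of the commit is to always create v4 signatures, the remaining `if`/`else` looks redundant; I would replace it with `sig->version = 4;`, or clamp with `if (sig->version < 4) sig->version = 4;` if a higher key version is meant to carry over. The function body starts and ends outside both hunks.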
@@ -1123,30 +1090,22 @@ clearsign_file( const char *fname, strlist_t locusr, const char *outfile ) int rc = 0; SK_LIST sk_list = NULL; SK_LIST sk_rover = NULL; - int old_style = 0; - int only_md5 = 0; u32 duration=0; pfx = new_progress_context (); afx = new_armor_context (); init_packet( &pkt ); - if(!opt.force_v3_sigs) - { - if(opt.ask_sig_expire && !opt.batch) - duration=ask_expire_interval(1,opt.def_sig_expire); - else - duration=parse_expire_string(opt.def_sig_expire); - } + if (opt.ask_sig_expire && !opt.batch) + duration = ask_expire_interval (1,opt.def_sig_expire); + else + duration = parse_expire_string (opt.def_sig_expire); /* Note: In the old non-agent version the following call used to unprotect the secret key. This is now done on demand by the agent. */ if( (rc=build_sk_list( locusr, &sk_list, PUBKEY_USAGE_SIG )) ) goto leave; - if(!duration ) - old_style = only_old_style( sk_list ); - /* prepare iobufs */ inp = iobuf_open(fname); if (inp && is_secured_file (iobuf_get_fd (inp))) @@ -1184,18 +1143,7 @@ clearsign_file( const char *fname, strlist_t locusr, const char *outfile ) iobuf_writestr(out, "-----BEGIN PGP SIGNED MESSAGE-----" LF ); - for (sk_rover = sk_list; sk_rover; sk_rover = sk_rover->next) - { - if (hash_for (sk_rover->pk) == DIGEST_ALGO_MD5) - only_md5 = 1; - else - { - only_md5 = 0; - break; - } - } - - if( !(old_style && only_md5) ) { + { const char *s; int any = 0; byte hashs_seen[256]; @@ -1234,8 +1182,8 @@ clearsign_file( const char *fname, strlist_t locusr, const char *outfile ) if ( DBG_HASHING ) gcry_md_debug ( textmd, "clearsign" ); - copy_clearsig_text( out, inp, textmd, !opt.not_dash_escaped, - opt.escape_from, (old_style && only_md5) ); + copy_clearsig_text (out, inp, textmd, !opt.not_dash_escaped, + opt.escape_from); /* fixme: check for read errors */ /* now write the armor */ 
@@ -1292,13 +1240,10 @@ sign_symencrypt_file (const char *fname, strlist_t locusr) memset( &cfx, 0, sizeof cfx); init_packet( &pkt ); - if(!opt.force_v3_sigs) - { - if(opt.ask_sig_expire && !opt.batch) - duration=ask_expire_interval(1,opt.def_sig_expire); - else - duration=parse_expire_string(opt.def_sig_expire); - } + if (opt.ask_sig_expire && !opt.batch) + duration = ask_expire_interval (1, opt.def_sig_expire); + else + duration = parse_expire_string (opt.def_sig_expire); /* Note: In the old non-agent version the following call used to unprotect the secret key. This is now done on demand by the agent. */ 
@@ -1441,52 +1386,39 @@ sign_symencrypt_file (const char *fname, strlist_t locusr) * applied (actually: dropped) when a v3 key is used. TIMESTAMP is * the timestamp to use for the signature. 0 means "now" */ int -make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk, +make_keysig_packet (PKT_signature **ret_sig, PKT_public_key *pk, PKT_user_id *uid, PKT_public_key *subpk, PKT_public_key *pksk, int sigclass, int digest_algo, - int sigversion, u32 timestamp, u32 duration, + u32 timestamp, u32 duration, int (*mksubpkt)(PKT_signature *, void *), void *opaque, const char *cache_nonce) { PKT_signature *sig; int rc=0; + int sigversion; gcry_md_hd_t md; assert( (sigclass >= 0x10 && sigclass <= 0x13) || sigclass == 0x1F || sigclass == 0x20 || sigclass == 0x18 || sigclass == 0x19 || sigclass == 0x30 || sigclass == 0x28 ); - if (opt.force_v4_certs) - sigversion = 4; - + sigversion = 4; if (sigversion < pksk->version) sigversion = pksk->version; - /* If you are making a signature on a v4 key using your v3 key, it - doesn't make sense to generate a v3 sig. After all, no v3-only - PGP implementation could understand the v4 key in the first - place. Note that this implies that a signature on an attribute - uid is usually going to be v4 as well, since they are not - generally found on v3 keys. */ - if (sigversion < pk->version) - sigversion = pk->version; - if( !digest_algo ) { - /* Basically, this means use SHA1 always unless it's a v3 RSA - key making a v3 cert (use MD5), or the user specified - something (use whatever they said), or it's DSA (use the - best match). They still can't pick an inappropriate hash - for DSA or the signature will fail. Note that this still - allows the caller of make_keysig_packet to override the - user setting if it must. */ + /* Basically, this means use SHA1 always unless the user + specified something (use whatever they said), or it's DSA + (use the best match). 
They still can't pick an + inappropriate hash for DSA or the signature will fail. + Note that this still allows the caller of + make_keysig_packet to override the user setting if it + must. */ if(opt.cert_digest_algo) digest_algo=opt.cert_digest_algo; - else if(pksk->pubkey_algo == PUBKEY_ALGO_RSA - && pk->version<4 && sigversion<4) - digest_algo = DIGEST_ALGO_MD5; else if(pksk->pubkey_algo == PUBKEY_ALGO_DSA) digest_algo = match_dsa_hash (gcry_mpi_get_nbits (pksk->pkey[1])/8); else if (pksk->pubkey_algo == PUBKEY_ALGO_ECDSA @@ -1533,16 +1465,14 @@ make_keysig_packet( PKT_signature **ret_sig, PKT_public_key *pk, if(duration) sig->expiredate=sig->timestamp+duration; sig->sig_class = sigclass; - if( sig->version >= 4 ) - { - build_sig_subpkt_from_sig( sig ); - mk_notation_policy_etc (sig, pk, pksk); - } + + build_sig_subpkt_from_sig( sig ); + mk_notation_policy_etc (sig, pk, pksk); /* Crucial that the call to mksubpkt comes LAST before the calls to finalize the sig as that makes it possible for the mksubpkt function to get a reliable pointer to the subpacket area. */ - if( sig->version >= 4 && mksubpkt ) + if (mksubpkt) rc = (*mksubpkt)( sig, opaque ); if( !rc ) { 
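Review bot: The function header comment at the top of the `make_keysig_packet` hunk (`@@ -1441`) still ends with "applied (actually: dropped) when a v3 key is used", which no longer fits now that `sigversion` starts at 4 and the following hunk builds the subpackets unconditionally. The sentence begins above the hunk, so its subject is not visible here, but it should be reworded along the lines of `DURATION, if non-zero, is added to the timestamp to form the expiration date.` The rewritten digest comment also still names SHA1 as the default for certifications. The fallback branch lies outside the hunk, so confirm the comment matches it and, if SHA1 really is the default, say why it is kept.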
@@ -1627,17 +1557,14 @@ update_keysig_packet( PKT_signature **ret_sig, duration of 1) since build-packet.c:build_sig_subpkt_from_sig detects this case. */ - if( sig->version >= 4 ) - { - /* Put the updated timestamp into the sig. Note that this - will automagically lower any sig expiration dates to - correctly correspond to the differences in the timestamps - (i.e. the duration will shrink). */ - build_sig_subpkt_from_sig( sig ); - - if (mksubpkt) - rc = (*mksubpkt)(sig, opaque); - } + /* Put the updated timestamp into the sig. Note that this will + automagically lower any sig expiration dates to correctly + correspond to the differences in the timestamps (i.e. the + duration will shrink). */ + build_sig_subpkt_from_sig( sig ); + + if (mksubpkt) + rc = (*mksubpkt)(sig, opaque); if (!rc) { hash_sigversion_to_magic (md, sig); diff --git a/g10/textfilter.c b/g10/textfilter.c index 14bf699..394d9c3 100644 --- a/g10/textfilter.c +++ b/g10/textfilter.c @@ -161,7 +161,7 @@ text_filter( void *opaque, int control, */ int copy_clearsig_text( IOBUF out, IOBUF inp, gcry_md_hd_t md, - int escape_dash, int escape_from, int pgp2mode ) + int escape_dash, int escape_from) { unsigned int maxlen; byte *buffer = NULL; /* malloced buffer */ @@ -170,10 +170,7 @@ copy_clearsig_text( IOBUF out, IOBUF inp, gcry_md_hd_t md, int truncated = 0; int pending_lf = 0; - if( !opt.pgp2_workarounds ) - pgp2mode = 0; - - if( !escape_dash ) + if( !escape_dash ) escape_from = 0; write_status_begin_signing (md); @@ -194,9 +191,7 @@ copy_clearsig_text( IOBUF out, IOBUF inp, gcry_md_hd_t md, gcry_md_putc ( md, '\n' ); } gcry_md_write ( md, buffer, - len_without_trailing_chars (buffer, n, - pgp2mode? - " \r\n":" \t\r\n")); + len_without_trailing_chars (buffer, n, " \t\r\n")); } else gcry_md_write ( md, buffer, n ); diff --git a/tests/openpgp/defs.inc b/tests/openpgp/defs.inc index 2faa4c2..b7320d5 100755 --- a/tests/openpgp/defs.inc +++ b/tests/openpgp/defs.inc 
@@ -24,7 +24,7 @@ dsa_usrname1="pgp5" # we use the sub key because we do not yet have the logic to to derive # the first encryption key from a keyblock (I guess) (Well of course # we have this by now and the notation below will lookup the primary -# first and the search for the encryption subkey.) +# first and then search for the encryption subkey.) dsa_usrname2="0xCB879DE9" commit 60d22d54a50f63b4026aa8bbc97efa8d3c76e614 Author: Werner Koch Date: Fri Oct 17 13:31:07 2014 +0200 dirmngr: Minor usage output fix. -- diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index b6892bf..f629cfd 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -1,4 +1,4 @@ -/* dirmngr.c - LDAP access +/* dirmngr.c - Keyserver and X.509 LDAP access * Copyright (C) 2002 Klar?lvdalens Datakonsult AB * Copyright (C) 2003, 2004, 2006, 2007, 2008, 2010, 2011 g10 Code GmbH * Copyright (C) 2014 Werner Koch @@ -320,7 +320,7 @@ my_strusage( int level ) case 40: p = _("Usage: @DIRMNGR@ [options] (-h for help)"); break; case 41: p = _("Syntax: @DIRMNGR@ [options] [command [args]]\n" - "LDAP and OCSP access for @GNUPG@\n"); + "Keyserver, CRL, and OCSP access for @GNUPG@\n"); break; default: p = NULL; commit 0df36db63e29dd755266d06c55d9c434eef5e084 Author: Werner Koch Date: Wed Oct 15 16:22:03 2014 +0200 doc: Minor doc fix for --quick-lsign-key. -- diff --git a/doc/gpg.texi b/doc/gpg.texi index e7360e9..2997b64 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi 
@@ -906,7 +906,7 @@ from @option{--edit-key}. @ifset gpgtwoone @item --quick-sign-key @code{fpr} [@code{names}] - at itemx --quick-lsign-key @code{name} + at itemx --quick-lsign-key @code{fpr} [@code{names}] @opindex quick-sign-key @opindex quick-lsign-key Directly sign a key from the passphrase without any further user ----------------------------------------------------------------------- Summary of changes: dirmngr/dirmngr.c | 4 +- doc/OpenPGP | 9 ++ doc/gpg.texi | 20 +++- g10/build-packet.c | 91 ++++++----------- g10/filter.h | 2 +- g10/gpg.c | 25 ++--- g10/keyedit.c | 38 ++----- g10/keygen.c | 10 +- g10/keyid.c | 96 +++--------------- g10/options.h | 2 - g10/packet.h | 2 +- g10/parse-packet.c | 117 +++++----------------- g10/revoke.c | 18 ++-- g10/sign.c | 261 +++++++++++++++++------------------------------- g10/textfilter.c | 11 +- tests/openpgp/defs.inc | 2 +- 16 files changed, 227 insertions(+), 481 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Fri Oct 17 16:02:11 2014 
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Fri, 17 Oct 2014 16:02:11 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta864-24-g6d94918 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 6d9491842d5da597980eaa59e1e3e2137965fe09 (commit) via a13705f4c18db56765f4af31376e81241dbabebe (commit) from 8fd150b05b744fe9465057c12529d5e6b6b02785 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 6d9491842d5da597980eaa59e1e3e2137965fe09 Author: Werner Koch Date: Fri Oct 17 15:59:45 2014 +0200 dirmngr: Allow building without LDAP support. * configure.ac: Add option --disable-ldap. (USE_LDAP): New ac_define and am_conditional. * dirmngr/Makefile.am: Take care of USE_LDAP. * dirmngr/dirmngr.c (!USE_LDAP): Make all ldap options dummy options and do not call any ldap function. * dirmngr/server.c (!USE_LDAP): Do not call any ldap function. * dirmngr/crlfetch.c (!USE_LDAP): Ditto. Signed-off-by: Werner Koch diff --git a/NEWS b/NEWS index fe80aab..ffe7733 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,8 @@ Noteworthy changes in version 2.1.0 (unreleased) ------------------------------------------------ + * Dirmngr may now be build without support for LDAP. + * For a complete list of changes see the lists of changes for the 2.1.0 beta versions below. diff --git a/configure.ac b/configure.ac index 7ce8c09..ce328e6 100644 --- a/configure.ac +++ b/configure.ac 
@@ -716,11 +716,6 @@ if test "$run_tests" = yes; then fi AM_CONDITIONAL(RUN_TESTS, test "$run_tests" = yes) -if test "$use_ldapwrapper" = yes; then - AC_DEFINE(USE_LDAPWRAPPER,1, [Build dirmngr with LDAP wrapper process]) -fi -AM_CONDITIONAL(USE_LDAPWRAPPER, test "$use_ldapwrapper" = yes) - # (These need to go after AC_PROG_CC so that $EXEEXT is defined) AC_DEFINE_UNQUOTED(EXEEXT,"$EXEEXT",[The executable file extension, if any]) @@ -1049,16 +1044,45 @@ AM_CONDITIONAL(USE_DNS_SRV, test x"$use_dns_srv" = xyes) # # Note that running the check changes the variable # gnupg_have_ldap from "n/a" to "no" or "yes". -if test "$build_dirmngr" = "yes" ; then - GNUPG_CHECK_LDAP($NETLIBS) - AC_CHECK_LIB(lber, ber_free, - [ LBER_LIBS="$LBER_LIBS -llber" - AC_DEFINE(HAVE_LBER,1, - [defined if liblber is available]) - have_lber=yes - ]) + +AC_ARG_ENABLE(ldap, + AC_HELP_STRING([--disable-ldap],[disable LDAP support]), + [if test "$enableval" = "no"; then gnupg_have_ldap=no; fi]) + +if test "$gnupg_have_ldap" != "no" ; then + if test "$build_dirmngr" = "yes" ; then + GNUPG_CHECK_LDAP($NETLIBS) + AC_CHECK_LIB(lber, ber_free, + [ LBER_LIBS="$LBER_LIBS -llber" + AC_DEFINE(HAVE_LBER,1, + [defined if liblber is available]) + have_lber=yes + ]) + fi fi AC_SUBST(LBER_LIBS) +if test "$gnupg_have_ldap" = "no"; then + AC_MSG_WARN([[ +*** +*** Building without LDAP support. +*** No CRL access or X.509 certificate search available. +***]]) +fi + +AM_CONDITIONAL(USE_LDAP, [test "$gnupg_have_ldap" = yes]) +if test "$gnupg_have_ldap" = yes ; then + AC_DEFINE(USE_LDAP,1,[Defined if LDAP is support]) +else + use_ldapwrapper=no +fi + +if test "$use_ldapwrapper" = yes; then + AC_DEFINE(USE_LDAPWRAPPER,1, [Build dirmngr with LDAP wrapper process]) +fi +AM_CONDITIONAL(USE_LDAPWRAPPER, test "$use_ldapwrapper" = yes) + + + # # Check for sendmail 
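Review bot: In the `@@ -1049` hunk the new `AC_ARG_ENABLE(ldap, ...)` handler only reacts to `enableval` being `no`, so an explicit `--enable-ldap` on a host where `GNUPG_CHECK_LDAP` finds no library ends with only the "Building without LDAP support" warning and a dirmngr that cannot use LDAP. Because this path fetches CRLs and X.509 certificates, a request that cannot be met is better treated as a configure error than as a downgrade. One way is to record the request in the handler, e.g. `if test "$enableval" = "yes"; then ldap_requested=yes; fi`, and to call `AC_MSG_ERROR` after the check when `ldap_requested` is `yes` and `gnupg_have_ldap` is `no`.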
@@ -1703,16 +1727,8 @@ if test "$have_ksba" = "no"; then *** (at least version $NEED_KSBA_VERSION using API $NEED_KSBA_API is required). ***]]) fi -if test "$gnupg_have_ldap" = "no"; then - die=yes - AC_MSG_NOTICE([[ -*** -*** The Dirmngr part requires an LDAP library -*** Check out -*** http://www.openldap.org -*** for a suitable implementation. -***]]) - if test "$have_w32ce_system" = yes; then +if test "$gnupg_have_ldap" = yes; then + if test "$have_w32ce_system" = yes; then AC_MSG_NOTICE([[ *** Note that CeGCC might be broken, a package fixing this is: *** http://files.kolab.org/local/windows-ce/ @@ -1804,6 +1820,7 @@ echo " Dirmngr auto start: $dirmngr_auto_start Readline support: $gnupg_cv_have_readline + LDAP support: $gnupg_have_ldap DNS SRV support: $use_dns_srv TLS support: $use_tls_library " diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am index 632e525..0e9a7c7 100644 --- a/dirmngr/Makefile.am +++ b/dirmngr/Makefile.am @@ -44,19 +44,27 @@ else ldap_url = endif +if USE_LDAPWRAPPER +extraldap_src = ldap-wrapper.c +else +extraldap_src = ldap-wrapper-ce.c dirmngr_ldap.c +endif + noinst_HEADERS = dirmngr.h crlcache.h crlfetch.h misc.h dirmngr_SOURCES = dirmngr.c dirmngr.h server.c crlcache.c crlfetch.c \ - ldapserver.h ldapserver.c certcache.c certcache.h \ - cdb.h cdblib.c ldap.c misc.c dirmngr-err.h w32-ldap-help.h \ - ocsp.c ocsp.h validate.c validate.h ldap-wrapper.h $(ldap_url) \ + certcache.c certcache.h \ + cdb.h cdblib.c misc.c dirmngr-err.h \ + ocsp.c ocsp.h validate.c validate.h \ ks-action.c ks-action.h ks-engine.h \ ks-engine-hkp.c ks-engine-http.c ks-engine-finger.c ks-engine-kdns.c -if USE_LDAPWRAPPER -dirmngr_SOURCES += ldap-wrapper.c +if USE_LDAP +dirmngr_SOURCES += ldapserver.h ldapserver.c ldap.c w32-ldap-help.h \ + ldap-wrapper.h $(ldap_url) $(extraldap_src) +ldaplibs = $(LDAPLIBS) else -dirmngr_SOURCES += ldap-wrapper-ce.c dirmngr_ldap.c +ldaplibs = endif 
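Review bot: The rewritten guard in the `@@ -1703` hunk, `if test "$gnupg_have_ldap" = yes; then`, now wraps the CeGCC notice that the removed code printed when LDAP was missing, so the hint about a possibly broken CeGCC appears only on builds where LDAP was found. That looks inverted relative to the old behaviour. If the hint is still wanted, it belongs under `if test "$gnupg_have_ldap" = no; then`. The rest of this `if` block continues outside the hunk, so the closing `fi` lines need the same check.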
@@ -65,7 +73,7 @@ dirmngr_LDADD = $(libcommontlsnpth) $(libcommonpth) \ $(LIBGCRYPT_LIBS) $(KSBA_LIBS) $(NPTH_LIBS) \ $(NTBTLS_LIBS) $(LIBGNUTLS_LIBS) $(LIBINTL) $(LIBICONV) if !USE_LDAPWRAPPER -dirmngr_LDADD += $(LDAPLIBS) +dirmngr_LDADD += $(ldaplibs) endif dirmngr_LDFLAGS = $(extra_bin_ldflags) diff --git a/dirmngr/crlfetch.c b/dirmngr/crlfetch.c index f335de8..2471ca2 100644 --- a/dirmngr/crlfetch.c +++ b/dirmngr/crlfetch.c @@ -29,8 +29,9 @@ #include "misc.h" #include "http.h" -#include "ldap-wrapper.h" - +#if USE_LDAP +# include "ldap-wrapper.h" +#endif /* For detecting armored CRLs received via HTTP (yes, such CRLS really exits, e.g. http://grid.fzk.de/ca/gridka-crl.pem at least in June @@ -156,6 +157,10 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) char *free_this = NULL; int redirects_left = 2; /* We allow for 2 redirect levels. */ +#ifndef USE_LDAP + (void)ctrl; +#endif + *reader = NULL; once_more: @@ -286,7 +291,13 @@ crl_fetch (ctrl_t ctrl, const char *url, ksba_reader_t *reader) err = gpg_error (GPG_ERR_NOT_SUPPORTED); } else - err = url_fetch_ldap (ctrl, url, NULL, 0, reader); + { +# if USE_LDAP + err = url_fetch_ldap (ctrl, url, NULL, 0, reader); +# else /*!USE_LDAP*/ + err = gpg_error (GPG_ERR_NOT_IMPLEMENTED); +# endif /*!USE_LDAP*/ + } } xfree (free_this); @@ -305,8 +316,15 @@ crl_fetch_default (ctrl_t ctrl, const char *issuer, ksba_reader_t *reader) "LDAP"); return gpg_error (GPG_ERR_NOT_SUPPORTED); } +#if USE_LDAP return attr_fetch_ldap (ctrl, issuer, "certificateRevocationList", reader); +#else + (void)ctrl; + (void)issuer; + (void)reader; + return gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif } 
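Review bot: The `# else /*!USE_LDAP*/` branch added to `crl_fetch` (hunk `@@ -286`) sets `GPG_ERR_NOT_IMPLEMENTED` without logging anything, while the neighbouring refusal path uses `GPG_ERR_NOT_SUPPORTED`. A failed CRL fetch affects revocation checking, so unless a caller outside these hunks reports it, the log should say the URL was skipped because LDAP support was not compiled in, e.g. `log_error (_("CRL access not possible due to missing LDAP support\n"));` before setting `err`. The same applies to the `#else` branches added to `crl_fetch_default`, `ca_cert_fetch`, `start_cert_fetch` and `fetch_cert_by_url` in the later crlfetch.c hunks. The enclosing function bodies start and end outside the hunks.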
@@ -323,7 +341,14 @@ ca_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, const char *dn) "LDAP"); return gpg_error (GPG_ERR_NOT_SUPPORTED); } +#if USE_LDAP return start_default_fetch_ldap (ctrl, context, dn, "cACertificate"); +#else + (void)ctrl; + (void)context; + (void)dn; + return gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif } @@ -337,7 +362,15 @@ start_cert_fetch (ctrl_t ctrl, cert_fetch_context_t *context, "LDAP"); return gpg_error (GPG_ERR_NOT_SUPPORTED); } +#if USE_LDAP return start_cert_fetch_ldap (ctrl, context, patterns, server); +#else + (void)ctrl; + (void)context; + (void)patterns; + (void)server; + return gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif } @@ -345,7 +378,14 @@ gpg_error_t fetch_next_cert (cert_fetch_context_t context, unsigned char **value, size_t * valuelen) { +#if USE_LDAP return fetch_next_cert_ldap (context, value, valuelen); +#else + (void)context; + (void)value; + (void)valuelen; + return gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif } @@ -361,9 +401,14 @@ fetch_next_ksba_cert (cert_fetch_context_t context, ksba_cert_t *r_cert) *r_cert = NULL; +#if USE_LDAP err = fetch_next_cert_ldap (context, &value, &valuelen); if (!err && !value) err = gpg_error (GPG_ERR_BUG); +#else + (void)context; + err = gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif if (err) return err; @@ -389,7 +434,11 @@ fetch_next_ksba_cert (cert_fetch_context_t context, ksba_cert_t *r_cert) void end_cert_fetch (cert_fetch_context_t context) { - return end_cert_fetch_ldap (context); +#if USE_LDAP + end_cert_fetch_ldap (context); +#else + (void)context; +#endif } @@ -410,7 +459,13 @@ fetch_cert_by_url (ctrl_t ctrl, const char *url, reader = NULL; cert = NULL; +#if USE_LDAP err = url_fetch_ldap (ctrl, url, NULL, 0, &reader); +#else + (void)ctrl; + (void)url; + err = gpg_error (GPG_ERR_NOT_IMPLEMENTED); +#endif /*USE_LDAP*/ if (err) goto leave; 
@@ -442,7 +497,9 @@ fetch_cert_by_url (ctrl_t ctrl, const char *url, leave: ksba_cert_release (cert); +#if USE_LDAP ldap_wrapper_release_context (reader); +#endif /*USE_LDAP*/ return err; } @@ -472,7 +529,11 @@ crl_close_reader (ksba_reader_t reader) xfree (cb_ctx); } else /* This is an ldap wrapper context (Currently not used). */ - ldap_wrapper_release_context (reader); + { +#if USE_LDAP + ldap_wrapper_release_context (reader); +#endif /*USE_LDAP*/ + } /* Now get rid of the reader object. */ ksba_reader_release (reader); diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index f629cfd..95f9058 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -60,9 +60,13 @@ #include "crlcache.h" #include "crlfetch.h" #include "misc.h" -#include "ldapserver.h" +#if USE_LDAP +# include "ldapserver.h" +#endif #include "asshelp.h" -#include "ldap-wrapper.h" +#if USE_LDAP +# include "ldap-wrapper.h" +#endif #include "../common/init.h" #include "gc-opt-flags.h" @@ -294,7 +298,9 @@ static int my_tlskey_current_fd; /* Prototypes. */ static void cleanup (void); +#if USE_LDAP static ldap_server_t parse_ldapserver_file (const char* filename); +#endif /*USE_LDAP*/ static fingerprint_list_t parse_ocsp_signer (const char *string); static void handle_connections (assuan_fd_t listen_fd); @@ -445,7 +451,9 @@ wrong_args (const char *text) static void shutdown_reaper (void) { +#if USE_LDAP ldap_wrapper_wait_connections (); +#endif } @@ -627,7 +635,9 @@ main (int argc, char **argv) int nodetach = 0; int csh_style = 0; char *logfile = NULL; +#if USE_LDAP char *ldapfile = NULL; +#endif /*USE_LDAP*/ int debug_wait = 0; int rc; int homedir_seen = 0; 
@@ -869,7 +879,11 @@ main (int argc, char **argv) case oLogFile: logfile = pargs.r.ret_str; break; case oCsh: csh_style = 1; break; case oSh: csh_style = 0; break; - case oLDAPFile: ldapfile = pargs.r.ret_str; break; + case oLDAPFile: +# if USE_LDAP + ldapfile = pargs.r.ret_str; +# endif /*USE_LDAP*/ + break; case oLDAPAddServers: opt.add_new_ldapservers = 1; break; case oLDAPTimeout: opt.ldaptimeout = pargs.r.ret_int; @@ -948,6 +962,7 @@ main (int argc, char **argv) set_debug (); /* Get LDAP server list from file. */ +#if USE_LDAP if (!ldapfile) { ldapfile = make_filename (opt.homedir, @@ -959,6 +974,7 @@ main (int argc, char **argv) } else opt.ldapservers = parse_ldapserver_file (ldapfile); +#endif /*USE_LDAP*/ #ifndef HAVE_W32_SYSTEM /* We need to ignore the PIPE signal because the we might log to a @@ -995,7 +1011,10 @@ main (int argc, char **argv) log_debug ("... okay\n"); } +#if USE_LDAP ldap_wrapper_launch_thread (); +#endif /*USE_LDAP*/ + cert_cache_init (); crl_cache_init (); start_command_handler (ASSUAN_INVALID_FD); @@ -1170,7 +1189,10 @@ main (int argc, char **argv) } #endif +#if USE_LDAP ldap_wrapper_launch_thread (); +#endif /*USE_LDAP*/ + cert_cache_init (); crl_cache_init (); #ifdef USE_W32_SERVICE @@ -1196,7 +1218,9 @@ main (int argc, char **argv) /* Just list the CRL cache and exit. */ if (argc) wrong_args ("--list-crls"); +#if USE_LDAP ldap_wrapper_launch_thread (); +#endif /*USE_LDAP*/ crl_cache_init (); crl_cache_list (es_stdout); } @@ -1207,7 +1231,9 @@ main (int argc, char **argv) memset (&ctrlbuf, 0, sizeof ctrlbuf); dirmngr_init_default_ctrl (&ctrlbuf); +#if USE_LDAP ldap_wrapper_launch_thread (); +#endif /*USE_LDAP*/ cert_cache_init (); crl_cache_init (); if (!argc) @@ -1229,7 +1255,9 @@ main (int argc, char **argv) memset (&ctrlbuf, 0, sizeof ctrlbuf); dirmngr_init_default_ctrl (&ctrlbuf); +#if USE_LDAP ldap_wrapper_launch_thread (); +#endif /*USE_LDAP*/ cert_cache_init (); crl_cache_init (); rc = crl_fetch (&ctrlbuf, argv[0], &reader); 
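Review bot: In the `@@ -869` hunk `case oLDAPFile:` does nothing when `USE_LDAP` is unset, so a configured LDAP server list is accepted and dropped without any message. An operator who relies on that list for certificate or CRL lookups gets no indication at startup that it is unused. Consider adding a `# else` branch with `log_info ("LDAP support not compiled in; option ignored\n");`, or at least a comment stating that the option is deliberately kept as a dummy. `main` continues outside the hunk.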
@@ -1376,7 +1404,9 @@ cleanup (void) crl_cache_deinit (); cert_cache_deinit (1); +#if USE_LDAP ldapserver_list_free (opt.ldapservers); +#endif /*USE_LDAP*/ opt.ldapservers = NULL; if (cleanup_socket) @@ -1419,6 +1449,7 @@ dirmngr_init_default_ctrl (ctrl_t ctrl) 5. field: Base DN */ +#if USE_LDAP static ldap_server_t parse_ldapserver_file (const char* filename) { @@ -1475,7 +1506,7 @@ parse_ldapserver_file (const char* filename) return serverstart; } - +#endif /*USE_LDAP*/ static fingerprint_list_t parse_ocsp_signer (const char *string) diff --git a/dirmngr/server.c b/dirmngr/server.c index 6cf4dd6..9b4cdb2 100644 --- a/dirmngr/server.c +++ b/dirmngr/server.c @@ -36,12 +36,16 @@ #include "crlcache.h" #include "crlfetch.h" -#include "ldapserver.h" +#if USE_LDAP +# include "ldapserver.h" +#endif #include "ocsp.h" #include "certcache.h" #include "validate.h" #include "misc.h" -#include "ldap-wrapper.h" +#if USE_LDAP +# include "ldap-wrapper.h" +#endif #include "ks-action.h" #include "ks-engine.h" /* (ks_hkp_print_hosttable) */ @@ -595,6 +599,7 @@ static const char hlp_ldapserver[] = static gpg_error_t cmd_ldapserver (assuan_context_t ctx, char *line) { +#if USE_LDAP ctrl_t ctrl = assuan_get_pointer (ctx); ldap_server_t server; ldap_server_t *last_next_p; @@ -613,6 +618,10 @@ cmd_ldapserver (assuan_context_t ctx, char *line) last_next_p = &(*last_next_p)->next; *last_next_p = server; return leave_cmd (ctx, 0); +#else + (void)line; + return leave_cmd (ctx, gpg_error (GPG_ERR_NOT_IMPLEMENTED)); +#endif } 
@@ -991,17 +1000,19 @@ static int lookup_cert_by_pattern (assuan_context_t ctx, char *line, int single, int cache_only) { - ctrl_t ctrl = assuan_get_pointer (ctx); gpg_error_t err = 0; char *p; strlist_t sl, list = NULL; int truncated = 0, truncation_forced = 0; int count = 0; int local_count = 0; +#if USE_LDAP + ctrl_t ctrl = assuan_get_pointer (ctx); unsigned char *value = NULL; size_t valuelen; struct ldapserver_iter ldapserver_iter; cert_fetch_context_t fetch_context; +#endif /*USE_LDAP*/ int any_no_data = 0; /* Break the line down into an STRLIST */ @@ -1060,6 +1071,7 @@ lookup_cert_by_pattern (assuan_context_t ctx, char *line, /* Loop over all configured servers unless we want only the certificates from the cache. */ +#if USE_LDAP for (ldapserver_iter_begin (&ldapserver_iter, ctrl); !cache_only && !ldapserver_iter_end_p (&ldapserver_iter) && ldapserver_iter.server->host && !truncation_forced; @@ -1152,6 +1164,7 @@ lookup_cert_by_pattern (assuan_context_t ctx, char *line, end_cert_fetch (fetch_context); } +#endif /*USE_LDAP*/ ready: if (truncated || truncation_forced) @@ -1916,7 +1929,9 @@ reset_notify (assuan_context_t ctx, char *line) ctrl_t ctrl = assuan_get_pointer (ctx); (void)line; +#if USE_LDAP ldapserver_list_free (ctrl->server_local->ldapservers); +#endif /*USE_LDAP*/ ctrl->server_local->ldapservers = NULL; return 0; } @@ -2042,9 +2057,11 @@ start_command_handler (assuan_fd_t fd) } } +#if USE_LDAP ldap_wrapper_connection_cleanup (ctrl); ldapserver_list_free (ctrl->server_local->ldapservers); +#endif /*USE_LDAP*/ ctrl->server_local->ldapservers = NULL; ctrl->server_local->assuan_ctx = NULL; commit a13705f4c18db56765f4af31376e81241dbabebe Author: Werner Koch Date: Fri Oct 17 15:55:08 2014 +0200 w32: Set SYSROOT to help finding config scripts. * autogen.sh : Set SYSROOT. diff --git a/autogen.sh b/autogen.sh index 31cfeeb..112d2ee 100755 --- a/autogen.sh +++ b/autogen.sh 
@@ -310,7 +310,7 @@ if [ "$myhost" = "w32" ]; then $tsdir/configure --enable-maintainer-mode ${SILENT} \ --prefix=${w32root} \ - --host=${host} --build=${build} \ + --host=${host} --build=${build} SYSROOT=${w32root} \ ${configure_opts} ${extraoptions} "$@" rc=$? exit $rc ----------------------------------------------------------------------- Summary of changes: NEWS | 2 ++ autogen.sh | 2 +- configure.ac | 63 ++++++++++++++++++++++++++++----------------- dirmngr/Makefile.am | 22 +++++++++++----- dirmngr/crlfetch.c | 71 +++++++++++++++++++++++++++++++++++++++++++++++---- dirmngr/dirmngr.c | 39 +++++++++++++++++++++++++--- dirmngr/server.c | 23 ++++++++++++++--- 7 files changed, 179 insertions(+), 43 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Sun Oct 19 14:25:06 2014 From: cvs at cvs.gnupg.org (by Werner Koch) Date: Sun, 19 Oct 2014 14:25:06 +0200 Subject: [git] GnuPG - branch, master, updated. gnupg-2.1.0-beta864-26-g472a4a0 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GNU Privacy Guard". The branch, master has been updated via 472a4a0d82add2d17154fa38e0074eaea56c28c1 (commit) via 1b8decc4767f0c55867327bdf3113204efcd19a7 (commit) from 6d9491842d5da597980eaa59e1e3e2137965fe09 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 472a4a0d82add2d17154fa38e0074eaea56c28c1 Author: Werner Koch Date: Sun Oct 19 14:17:23 2014 +0200 gpg: Silence "packet with obsolete versoin" warnings. * g10/parse-packet.c (parse_key): Print warning only in very verbose mode. Signed-off-by: Werner Koch diff --git a/g10/parse-packet.c b/g10/parse-packet.c index 50da17c..7787825 100644 --- a/g10/parse-packet.c 
+++ b/g10/parse-packet.c @@ -1949,7 +1949,8 @@ parse_key (IOBUF inp, int pkttype, unsigned long pktlen, } else if (version == 2 || version == 3) { - log_info ("packet(%d) with obsolete version %d\n", pkttype, version); + if (opt.verbose > 1) + log_info ("packet(%d) with obsolete version %d\n", pkttype, version); if (list_mode) es_fprintf (listfp, ":key packet: [obsolete version %d]\n", version); err = gpg_error (GPG_ERR_INV_PACKET); commit 1b8decc4767f0c55867327bdf3113204efcd19a7 Author: Werner Koch Date: Sun Oct 19 14:09:04 2014 +0200 gpg: Make card key generation work again. * g10/call-agent.c (agent_scd_learn): Rename from agent_learn. (agent_learn): New. * g10/keygen.c (gen_card_key): Call new agent-learn. -- Without a shadow key we can't create the self-signatures. Thus we need to issue the learn command after each key generation. Signed-off-by: Werner Koch diff --git a/g10/call-agent.c b/g10/call-agent.c index 080df18..cadc02c 100644 --- a/g10/call-agent.c +++ b/g10/call-agent.c @@ -639,9 +639,9 @@ learn_status_cb (void *opaque, const char *line) return 0; } -/* Call the agent to learn about a smartcard */ +/* Call the scdaemon to learn about a smartcard */ int -agent_learn (struct agent_card_info_s *info) +agent_scd_learn (struct agent_card_info_s *info) { int rc; struct default_inq_parm_s parm; @@ -677,6 +677,29 @@ agent_learn (struct agent_card_info_s *info) } +/* Call the agent to learn about the current smartcard. This is + currently only used to have the agent create the shadow key. */ +gpg_error_t +agent_learn (void) +{ + gpg_error_t err; + struct default_inq_parm_s parm; + + memset (&parm, 0, sizeof parm); + + err = start_agent (NULL, 1); + if (err) + return err; + + parm.ctx = agent_ctx; + err = assuan_transact (agent_ctx, "LEARN", + dummy_data_cb, NULL, default_inq_cb, &parm, + NULL, NULL); + + return err; +} + + int agent_keytocard (const char *hexgrip, int keyno, int force, const char *serialno, const char *timestamp) 
diff --git a/g10/call-agent.h b/g10/call-agent.h index 5b4cd09..a99cac9 100644 --- a/g10/call-agent.h +++ b/g10/call-agent.h @@ -76,7 +76,10 @@ struct agent_card_genkey_s { void agent_release_card_info (struct agent_card_info_s *info); /* Return card info. */ -int agent_learn (struct agent_card_info_s *info); +int agent_scd_learn (struct agent_card_info_s *info); + +/* Let the agent learn about the current card. */ +gpg_error_t agent_learn (void); /* Update INFO with the attribute NAME. */ int agent_scd_getattr (const char *name, struct agent_card_info_s *info); diff --git a/g10/card-util.c b/g10/card-util.c index b5be80a..d7a6754 100644 --- a/g10/card-util.c +++ b/g10/card-util.c @@ -80,7 +80,7 @@ change_pin (int unblock_v2, int allow_admin) struct agent_card_info_s info; int rc; - rc = agent_learn (&info); + rc = agent_scd_learn (&info); if (rc) { log_error (_("OpenPGP card not available: %s\n"), @@ -370,7 +370,7 @@ card_status (estream_t fp, char *serialno, size_t serialnobuflen) if (serialno && serialnobuflen) *serialno = 0; - rc = agent_learn (&info); + rc = agent_scd_learn (&info); if (rc) { if (opt.with_colons) diff --git a/g10/keygen.c b/g10/keygen.c index 8095452..e25ecc3 100644 --- a/g10/keygen.c +++ b/g10/keygen.c 
@@ -4510,6 +4510,19 @@ gen_card_key (int algo, int keyno, int is_primary, kbnode_t pub_root, return err; } + /* Send the learn command so that the agent creates a shadow key for + card key. We need to do that now so that we are able to create + the self-signatures. */ + err = agent_learn (); + if (err) + { + /* Oops: Card removed during generation. */ + log_error (_("OpenPGP card not available: %s\n"), gpg_strerror (err)); + xfree (pkt); + xfree (pk); + return err; + } + if (*timestamp != info.created_at) log_info ("NOTE: the key does not use the suggested creation date\n"); *timestamp = info.created_at; ----------------------------------------------------------------------- Summary of changes: g10/call-agent.c | 27 +++++++++++++++++++++++++-- g10/call-agent.h | 5 ++++- g10/card-util.c | 4 ++-- g10/keygen.c | 13 +++++++++++++ g10/parse-packet.c | 3 ++- 5 files changed, 46 insertions(+), 6 deletions(-) hooks/post-receive -- The GNU Privacy Guard http://git.gnupg.org From cvs at cvs.gnupg.org Tue Oct 21 21:52:26 2014 
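Review bot: The new error path after `agent_learn ()` reports every failure as `OpenPGP card not available`, and its comment assumes the card was removed. The `agent_learn` added in call-agent.c in this same commit can also fail in `start_agent` or in the `LEARN` transaction, which may have other causes. A message that names the failed step, e.g. `log_error ("error creating shadow key: %s\n", gpg_strerror (err));`, would make those cases diagnosable, presumably at a point where the key has already been generated on the card. The body of `gen_card_key` starts and ends outside the hunk.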
From: cvs at cvs.gnupg.org (by Werner Koch) Date: Tue, 21 Oct 2014 21:52:26 +0200 Subject: [git] gnupg-doc - branch, master, updated. 963c8c078713bdbd1abc8174fff6075031152943 Message-ID: This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "The GnuPG website and other docs". The branch, master has been updated via 963c8c078713bdbd1abc8174fff6075031152943 (commit) from f5e7a838cc7d6b84e818f014e7132d84a12927d9 (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- commit 963c8c078713bdbd1abc8174fff6075031152943 Author: Werner Koch Date: Tue Oct 21 20:54:13 2014 +0200 Reworked the donation work flow. * web/donate/checkout-pp.org: New. * web/donate/index.org: Add paytype radio buttons and some label tags. * web/share/gnupg-logo-180x59tr.png: New. * web/donate/checkout-cc.org: Improve buttons. * web/share/site.css: Add hacks for the donation buttons. * web/donate/donate-thanks.org: Fix a link. * web/donate/checkout.org: Remove. * web/donate/paypal-thx.org: Remove. * cgi/config.rc (baseurl): New. * cgi/procdonate.cgi: Rewrite to support Paypal. diff --git a/cgi/config.rc b/cgi/config.rc index 64290f2..f139b53 100644 --- a/cgi/config.rc +++ b/cgi/config.rc @@ -1,5 +1,6 @@ # config.rc - Configuration variables for all CGIs -*- perl -*- +baseurl => 'https://gnupg.org' htdocs => '/var/www/www/www.gnupg.org/htdocs/', payprocd_socket => '/var/run/payproc/daemon', diff --git a/cgi/procdonate.cgi b/cgi/procdonate.cgi index a61c75c..3b2ecf4 100755 --- a/cgi/procdonate.cgi +++ b/cgi/procdonate.cgi 
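Review bot: The line added to cgi/config.rc, `baseurl => 'https://gnupg.org'`, has no trailing comma, while the `htdocs` and `payprocd_socket` entries after it do, so as shown here the file is no longer a valid Perl list. procdonate.cgi loads it with `my %config = do ...`, and a file that fails to compile makes `do` return undef, which leaves `$config{htdocs}` and `$config{payprocd_socket}` undefined as well. The line should read `baseurl => 'https://gnupg.org',`.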
@@ -20,6 +20,7 @@ use IO::Socket::UNIX; realpath($0) =~ /^(.*)\/.*$/; my %config = do $1 . '/config.rc'; +my $baseurl = $config{baseurl}; my $htdocs = $config{htdocs}; my $socket_name = $config{payprocd_socket}; my $error_marker = '* error'; @@ -33,6 +34,7 @@ my $sessid = $q->param("sessid"); # Variables used in the template pages. my $amount = ""; +my $paytype = ""; my $stripeamount = ""; my $euroamount = ""; my $currency = ""; @@ -47,6 +49,7 @@ my %errdict = (); # Prototypes sub fail ($); +sub get_paypal_approval (); # Write a template file. A template is a proper HTML file with @@ -65,13 +68,15 @@ sub write_template ($) { my $err_amount = ''; my $err_name = ''; my $err_mail = ''; - my $checkother = ' checked="checked"'; + my $err_paytype = ''; + my $check_checked = ' checked="checked"'; my $sel_eur = ''; my $sel_usd = ''; my $sel_gbp = ''; my $sel_jpy = ''; my $message_fmt; my $publishname; + my $check_paytype = 'none'; # Avoid broken HTML attributes. $amount =~ s/\x22/\x27/g; @@ -106,6 +111,12 @@ sub write_template ($) { $sel_jpy = ' selected="selected"'; } + if ( $paytype eq "cc" ) { + $check_paytype = "CC"; + } elsif ( $paytype eq "pp" ) { + $check_paytype = "PP"; + } + # Set var for the paypal button if ( $name eq 'Anonymous' or $name eq '') { $publishname = 'No'; @@ -119,6 +130,7 @@ sub write_template ($) { if (/amount/) { $err_amount = $error_marker; } elsif (/name/) { $err_name = $error_marker; } elsif (/mail/) { $err_mail = $error_marker; } + elsif (/paytype/){ $err_paytype = $error_marker; } $errorpanel = $errorpanel . "Field $_: " . $errdict{$_} . "
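Review bot: The new `my $baseurl = $config{baseurl};` in the `@@ -20` hunk relies on `my %config = do $1 . '/config.rc';`, whose result is never checked, so a missing or unparsable config.rc leaves `$baseurl`, `$htdocs` and `$socket_name` undefined and the script carries on. `$baseurl` is presumably used to build the URLs for the PayPal flow (that code is outside the visible hunks), so the script should stop when the configuration cannot be loaded. After the `do` line, add a check such as `die "cannot load config.rc: " . ($@ || $!) . "\n" unless defined $config{baseurl} && defined $config{htdocs};`. The `$1` taken from the `realpath($0) =~ ...` match is likewise used without testing that the match succeeded.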
    \n" } @@ -128,6 +140,7 @@ sub write_template ($) { "

    \n" . $errorpanel . "

    \n"; } + open TEMPLATE, $htdocs . $fname; while (