[git] GnuPG - branch, master, updated. gnupg-2.1.21-74-g815ecdf

by Werner Koch cvs at cvs.gnupg.org
Fri Jun 23 12:17:44 CEST 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, master has been updated
       via  815ecdf08a4285c75892cf9ab72feb13f3bcf590 (commit)
       via  f31dc2540acf7cd7f09fd94658e815822222bfcb (commit)
       via  e0877a98a06de797184d3871545979887d5c2b38 (commit)
      from  a68a98233ab83f0c7b90e6e588b882085fe59d91 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 815ecdf08a4285c75892cf9ab72feb13f3bcf590
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Jun 23 12:00:28 2017 +0200

    build: Add missing LIBASSUAN_CFLAGS to dirmngr/.
    
    * dirmngr/Makefile.am (t_http_CFLAGS): Add LIBASSUAN_CFLAGS.
    (t_ldap_parse_uri_CFLAGS): Ditto.
    (t_dns_stuff_CFLAGS): Ditto.
    --
    
    GnuPG-bug-id: 2424
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/dirmngr/Makefile.am b/dirmngr/Makefile.am
index 34f2c5d..b404165 100644
--- a/dirmngr/Makefile.am
+++ b/dirmngr/Makefile.am
@@ -143,7 +143,7 @@ endif
 t_http_SOURCES = $(t_common_src) t-http.c http.c dns-stuff.c http-common.c
 t_http_CFLAGS  = -DWITHOUT_NPTH=1  $(USE_C99_CFLAGS) \
 	         $(LIBGCRYPT_CFLAGS) $(NTBTLS_CFLAGS) $(LIBGNUTLS_CFLAGS) \
-                 $(GPG_ERROR_CFLAGS) $(KSBA_CFLAGS)
+                 $(LIBASSUAN_CFLAGS) $(GPG_ERROR_CFLAGS) $(KSBA_CFLAGS)
 t_http_LDADD   = $(t_common_ldadd) \
 	         $(NTBTLS_LIBS) $(KSBA_LIBS) $(LIBGNUTLS_LIBS) $(DNSLIBS)
 
@@ -152,11 +152,13 @@ t_ldap_parse_uri_SOURCES = \
         http.c http-common.c dns-stuff.c \
         $(ldap_url) $(t_common_src)
 t_ldap_parse_uri_CFLAGS = -DWITHOUT_NPTH=1  $(USE_C99_CFLAGS) \
-			  $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS)
+			  $(LIBGCRYPT_CFLAGS) \
+                          $(LIBASSUAN_CFLAGS) $(GPG_ERROR_CFLAGS)
 t_ldap_parse_uri_LDADD = $(ldaplibs) $(t_common_ldadd) $(DNSLIBS)
 
 t_dns_stuff_CFLAGS = -DWITHOUT_NPTH=1  $(USE_C99_CFLAGS) \
-		     $(LIBGCRYPT_CFLAGS) $(GPG_ERROR_CFLAGS)
+		     $(LIBGCRYPT_CFLAGS) \
+	             $(LIBASSUAN_CFLAGS) $(GPG_ERROR_CFLAGS)
 t_dns_stuff_SOURCES = $(t_common_src) t-dns-stuff.c dns-stuff.c
 t_dns_stuff_LDADD   = $(t_common_ldadd) $(DNSLIBS)
 

commit f31dc2540acf7cd7f09fd94658e815822222bfcb
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Jun 20 09:25:56 2017 +0200

    gpg,gpgsm: Emit status code ENCRYPTION_COMPLIANCE_MODE.
    
    * common/status.h (STATUS_ENCRYPTION_COMPLIANCE_MODE): New.
    * g10/encrypt.c (encrypt_crypt): Emit new status code.
    * sm/encrypt.c (gpgsm_encrypt): Ditto.
    --
    
    This status code makes it possible to report whether an encryption
    operation was compliant with de-vs.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/common/status.h b/common/status.h
index 0250a65..dc62f36 100644
--- a/common/status.h
+++ b/common/status.h
@@ -141,6 +141,7 @@ enum
     STATUS_TOFU_STATS_SHORT,
     STATUS_TOFU_STATS_LONG,
 
+    STATUS_ENCRYPTION_COMPLIANCE_MODE,
     STATUS_DECRYPTION_COMPLIANCE_MODE,
     STATUS_VERIFICATION_COMPLIANCE_MODE,
 
diff --git a/doc/DETAILS b/doc/DETAILS
index 01b5cf9..b915f06 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -638,6 +638,12 @@ pkd:0:1024:B665B1435F4C2 .... FF26ABB:
     This indicates that a signature subpacket was seen.  The format is
     the same as the "spk" record above.
 
+*** ENCRYPTION_COMPLIANCE_MODE <flags>
+    Indicates that the current encryption operation was in compliance
+    with the given set of modes for all recipients.  "flags" is a
+    space separated list of numerical flags, see "Field 18 -
+    Compliance flags" above.
+
 *** DECRYPTION_COMPLIANCE_MODE <flags>
     Indicates that the current decryption operation is in compliance
     with the given set of modes.  "flags" is a space separated list of
diff --git a/g10/encrypt.c b/g10/encrypt.c
index 0d96659..4b21a61 100644
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@@ -486,6 +486,7 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
   progress_filter_context_t *pfx;
   PK_LIST pk_list;
   int do_compress;
+  int compliant;
 
   if (filefd != -1 && filename)
     return gpg_error (GPG_ERR_INV_ARG);  /* Both given.  */
@@ -625,15 +626,19 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
       goto leave;
     }
 
+  compliant = gnupg_cipher_is_compliant (CO_DE_VS, cfx.dek->algo,
+                                         GCRY_CIPHER_MODE_CFB);
+
   {
     pk_list_t pkr;
+
     for (pkr = pk_list; pkr; pkr = pkr->next)
       {
         PKT_public_key *pk = pkr->pk;
+        unsigned int nbits = nbits_from_pk (pk);
 
         if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_ENCRYPTION,
-                                   pk->pubkey_algo,
-                                   pk->pkey, nbits_from_pk (pk), NULL))
+                                   pk->pubkey_algo, pk->pkey, nbits, NULL))
           {
             log_error (_("key %s not suitable for encryption"
                          " while in %s mode\n"),
@@ -642,9 +647,20 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
             rc = gpg_error (GPG_ERR_PUBKEY_ALGO);
             goto leave;
           }
+
+        if (compliant
+            && !gnupg_pk_is_compliant (CO_DE_VS, pk->pubkey_algo, pk->pkey,
+                                       nbits, NULL))
+          compliant = 0;
       }
+
   }
 
+  if (compliant)
+    write_status_strings (STATUS_ENCRYPTION_COMPLIANCE_MODE,
+                          gnupg_status_compliance_flag (CO_DE_VS),
+                          NULL);
+
   cfx.dek->use_mdc = use_mdc (pk_list,cfx.dek->algo);
 
   /* Only do the is-file-already-compressed check if we are using a
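Review bot: STATUS_ENCRYPTION_COMPLIANCE_MODE is written before `cfx.dek->use_mdc` is set and before any data has been encrypted, so a front end can receive the de-vs flag for an operation that presumably can still fail further down. The same ordering applies in the sm/encrypt.c hunk of this commit, where `gpgsm_status` is called ahead of the "Main control loop for encryption". Consumers have to treat the line as valid only together with a successful end of the operation; doc/DETAILS should say so, and a comment above the call such as `/* Emitted before the data is processed; only meaningful if the operation succeeds. */` would make that explicit. encrypt_crypt continues outside this hunk, so the later failure paths are inferred rather than visible.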
@@ -965,7 +981,8 @@ write_pubkey_enc_from_list (ctrl_t ctrl, PK_LIST pk_list, DEK *dek, iobuf_t out)
   if (opt.throw_keyids && (PGP6 || PGP7 || PGP8))
     {
       log_info(_("you may not use %s while in %s mode\n"),
-               "--throw-keyids", gnupg_compliance_option_string (opt.compliance));
+               "--throw-keyids",
+               gnupg_compliance_option_string (opt.compliance));
       compliance_failure();
     }
 
diff --git a/sm/encrypt.c b/sm/encrypt.c
index 2819a22..9e3216a 100644
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@@ -313,6 +313,7 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
   estream_t data_fp = NULL;
   certlist_t cl;
   int count;
+  int compliant;
 
   memset (&encparm, 0, sizeof encparm);
 
@@ -456,15 +457,19 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
 
   audit_log_s (ctrl->audit, AUDIT_SESSION_KEY, dek->algoid);
 
+  compliant = gnupg_cipher_is_compliant (CO_DE_VS, dek->algo,
+                                         GCRY_CIPHER_MODE_CBC);
+
   /* Gather certificates of recipients, encrypt the session key for
      each and store them in the CMS object */
   for (recpno = 0, cl = recplist; cl; recpno++, cl = cl->next)
     {
       unsigned char *encval;
+      unsigned int nbits;
+      int pk_algo;
 
       /* Check compliance.  */
-      unsigned int nbits;
-      int pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits);
+      pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits);
       if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_ENCRYPTION, pk_algo,
                                  NULL, nbits, NULL))
         {
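Review bot: The compliance result is computed with a hard-coded `GCRY_CIPHER_MODE_CBC`, while the allowed-cipher check earlier in gpgsm_encrypt derives the mode with `gcry_cipher_mode_from_oid (opt.def_cipher_algoid)`. If a configured OID ever maps to a different mode, the status line would describe a mode that was not the one used. Passing the derived mode here as well, or adding a comment that states why CBC is always correct at this point, would keep the two checks in agreement. The loop body continues outside the hunk.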
@@ -476,6 +481,12 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
           goto leave;
         }
 
+      /* Fixme: When adding ECC we need to provide the curvename and
+       * the key to gnupg_pk_is_compliant.  */
+      if (compliant
+          && !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, NULL, nbits, NULL))
+        compliant = 0;
+
       rc = encrypt_dek (dek, cl->cert, &encval);
       if (rc)
         {
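Review bot: Until the Fixme is resolved, `gnupg_pk_is_compliant` is called with a NULL key, so the result for an ECC certificate depends on how that helper treats a missing curve, which is not visible here. Because the status line is a positive compliance claim, it should fail closed: confirm the helper returns 0 in that case, and extend the comment with something like `/* Until then ECC recipients must be reported as non-compliant. */`.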
@@ -508,6 +519,10 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
         }
     }
 
+  if (compliant)
+    gpgsm_status (ctrl, STATUS_ENCRYPTION_COMPLIANCE_MODE,
+                  gnupg_status_compliance_flag (CO_DE_VS));
+
   /* Main control loop for encryption. */
   recpno = 0;
   do

commit e0877a98a06de797184d3871545979887d5c2b38
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Jun 20 08:31:07 2017 +0200

    indent,i18n: Make some new strings translatable.  Wrap too long lines.
    
    --

diff --git a/g10/decrypt-data.c b/g10/decrypt-data.c
index 77681d1..12693fe 100644
--- a/g10/decrypt-data.c
+++ b/g10/decrypt-data.c
@@ -99,7 +99,8 @@ decrypt_data (ctrl_t ctrl, void *procctx, PKT_encrypted *ed, DEK *dek)
     }
 
   /* Check compliance.  */
-  if (! gnupg_cipher_is_allowed (opt.compliance, 0, dek->algo, GCRY_CIPHER_MODE_CFB))
+  if (! gnupg_cipher_is_allowed (opt.compliance, 0, dek->algo,
+                                 GCRY_CIPHER_MODE_CFB))
     {
       log_error (_("you may not use cipher algorithm '%s'"
                    " while in %s mode\n"),
diff --git a/g10/encrypt.c b/g10/encrypt.c
index b92a4f0..0d96659 100644
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@@ -630,10 +630,13 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
     for (pkr = pk_list; pkr; pkr = pkr->next)
       {
         PKT_public_key *pk = pkr->pk;
-        if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_ENCRYPTION, pk->pubkey_algo,
+
+        if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_ENCRYPTION,
+                                   pk->pubkey_algo,
                                    pk->pkey, nbits_from_pk (pk), NULL))
           {
-            log_error ("key %s not suitable for encryption while in %s mode\n",
+            log_error (_("key %s not suitable for encryption"
+                         " while in %s mode\n"),
                        keystr_from_pk (pk),
                        gnupg_compliance_option_string (opt.compliance));
             rc = gpg_error (GPG_ERR_PUBKEY_ALGO);
diff --git a/g10/pubkey-enc.c b/g10/pubkey-enc.c
index 9a7c091..0ddb8d7 100644
--- a/g10/pubkey-enc.c
+++ b/g10/pubkey-enc.c
@@ -95,13 +95,14 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
                                      sk->pubkey_algo,
                                      sk->pkey, nbits_from_pk (sk), NULL))
             {
-              log_info ("key %s not suitable for decryption while in %s mode\n",
-                        keystr_from_pk (sk), gnupg_compliance_option_string (opt.compliance));
-              free_public_key (sk);
-              return gpg_error (GPG_ERR_PUBKEY_ALGO);
+              log_info (_("key %s not suitable for decryption"
+                          " while in %s mode\n"),
+                        keystr_from_pk (sk),
+                        gnupg_compliance_option_string (opt.compliance));
+              rc = gpg_error (GPG_ERR_PUBKEY_ALGO);
             }
-
-          rc = get_it (ctrl, k, dek, sk, k->keyid);
+          else
+            rc = get_it (ctrl, k, dek, sk, k->keyid);
         }
     }
   else if (opt.skip_hidden_recipients)
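Review bot: The control-flow change in the non-compliant branch is not covered by the commit subject (indent, i18n): the early `free_public_key (sk); return ...` is replaced by setting `rc` and falling through to `leave:`. Cleanup looks equivalent, since `leave:` calls `free_public_key (sk)`, but the path now also runs whatever follows the label (the `log_clock` call is visible in the last hunk of this file). A short comment such as `/* Fall through to leave, which releases SK. */` would help, and a behavioural change in compliance-gating code is easier to audit in its own commit. get_session_key starts and ends outside this hunk.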
@@ -135,8 +136,10 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
                                      sk->pubkey_algo,
                                      sk->pkey, nbits_from_pk (sk), NULL))
             {
-              log_info ("key %s not suitable for decryption while in %s mode\n",
-                        keystr_from_pk (sk), gnupg_compliance_option_string (opt.compliance));
+              log_info (_("key %s not suitable for decryption"
+                          " while in %s mode\n"),
+                          keystr_from_pk (sk),
+                          gnupg_compliance_option_string (opt.compliance));
               continue;
             }
 
@@ -153,7 +156,7 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
       enum_secret_keys (ctrl, &enum_context, NULL);  /* free context */
     }
 
-leave:
+ leave:
   free_public_key (sk);
   if (DBG_CLOCK)
     log_clock ("get_session_key leave");
diff --git a/g10/sign.c b/g10/sign.c
index 71b0408..0ba1151 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -292,7 +292,7 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
   if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pksk->pubkey_algo,
                              pksk->pkey, nbits_from_pk (pksk), NULL))
     {
-      log_error ("key %s not suitable for signing while in %s mode\n",
+      log_error (_("key %s not suitable for signing while in %s mode\n"),
                  keystr_from_pk (pksk),
                  gnupg_compliance_option_string (opt.compliance));
       err = gpg_error (GPG_ERR_PUBKEY_ALGO);
diff --git a/sm/decrypt.c b/sm/decrypt.c
index 16181df..170ad5a 100644
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@@ -481,7 +481,8 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
                     int pk_algo = gpgsm_get_key_algo_info (cert, &nbits);
 
                     /* Check compliance.  */
-                    if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION,
+                    if (! gnupg_pk_is_allowed (opt.compliance,
+                                               PK_USE_DECRYPTION,
                                                pk_algo, NULL, nbits, NULL))
                       {
                         log_error ("certificate ID 0x%08lX not suitable for "
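Review bot: The `log_error ("certificate ID 0x%08lX not suitable for "` literal on the last context line is still not wrapped in `_()`, although this commit makes the matching gpg messages in g10/ translatable. If the omission is not deliberate, the call should open with `log_error (_("certificate ID 0x%08lX not suitable for "` and close the `_()` after the last string fragment. The statement continues past the end of the hunk, so the rest of the format string is not visible.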
diff --git a/sm/encrypt.c b/sm/encrypt.c
index 9957bb9..2819a22 100644
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@@ -407,9 +407,9 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
     }
 
   /* Check compliance.  */
-  if (! gnupg_cipher_is_allowed (opt.compliance, 1,
-                                 gcry_cipher_map_name (opt.def_cipher_algoid),
-                                 gcry_cipher_mode_from_oid (opt.def_cipher_algoid)))
+  if (!gnupg_cipher_is_allowed
+      (opt.compliance, 1, gcry_cipher_map_name (opt.def_cipher_algoid),
+       gcry_cipher_mode_from_oid (opt.def_cipher_algoid)))
     {
       log_error (_("you may not use cipher algorithm '%s'"
 		   " while in %s mode\n"),
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 5277140..4e337fe 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -1625,11 +1625,13 @@ main ( int argc, char **argv)
                                  GCRY_CIPHER_MODE_NONE)
       && ! gnupg_cipher_is_allowed (opt.compliance,
                                     cmd == aEncr || cmd == aSignEncr,
-                                    gcry_cipher_mode_from_oid (opt.def_cipher_algoid),
+                                    gcry_cipher_mode_from_oid
+                                    (opt.def_cipher_algoid),
                                     GCRY_CIPHER_MODE_NONE))
     log_error (_("you may not use cipher algorithm '%s'"
                  " while in %s mode\n"),
-               opt.def_cipher_algoid, gnupg_compliance_option_string (opt.compliance));
+               opt.def_cipher_algoid,
+               gnupg_compliance_option_string (opt.compliance));
 
   if (forced_digest_algo
       && ! gnupg_digest_is_allowed (opt.compliance,
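Review bot: The second `gnupg_cipher_is_allowed` call passes `gcry_cipher_mode_from_oid (opt.def_cipher_algoid)` in the argument position where sm/encrypt.c passes the algorithm (`gcry_cipher_map_name (...)`), and gives `GCRY_CIPHER_MODE_NONE` as the mode; the re-wrap keeps that as is. This looks like a mode value being checked as a cipher algorithm, which could make the start-up compliance check accept or reject the wrong thing. If that reading is right, the arguments should mirror the call in gpgsm_encrypt: `gcry_cipher_map_name (opt.def_cipher_algoid), gcry_cipher_mode_from_oid (opt.def_cipher_algoid)`. The condition begins above the hunk, so the first part of the `&&` chain is not visible.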
@@ -1639,7 +1641,8 @@ main ( int argc, char **argv)
                                      opt.forced_digest_algo))
     log_error (_("you may not use digest algorithm '%s'"
                  " while in %s mode\n"),
-               forced_digest_algo, gnupg_compliance_option_string (opt.compliance));
+               forced_digest_algo,
+               gnupg_compliance_option_string (opt.compliance));
 
   if (extra_digest_algo
       && ! gnupg_digest_is_allowed (opt.compliance,
@@ -1649,7 +1652,8 @@ main ( int argc, char **argv)
                                      opt.extra_digest_algo))
     log_error (_("you may not use digest algorithm '%s'"
                  " while in %s mode\n"),
-               forced_digest_algo, gnupg_compliance_option_string (opt.compliance));
+               forced_digest_algo,
+               gnupg_compliance_option_string (opt.compliance));
 
   if (log_get_errorcount(0))
     gpgsm_exit(2);
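Review bot: The `extra_digest_algo` branch still logs `forced_digest_algo` in its error message, so the message names the wrong algorithm and may pass a NULL pointer to `%s` when only the extra digest option is set. The argument on the re-wrapped line should be `extra_digest_algo,`. Since this hunk already touches that line, it is the natural place for the fix.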

-----------------------------------------------------------------------

Summary of changes:
 common/status.h     |  1 +
 dirmngr/Makefile.am |  8 +++++---
 doc/DETAILS         |  6 ++++++
 g10/decrypt-data.c  |  3 ++-
 g10/encrypt.c       | 28 ++++++++++++++++++++++++----
 g10/pubkey-enc.c    | 21 ++++++++++++---------
 g10/sign.c          |  2 +-
 sm/decrypt.c        |  3 ++-
 sm/encrypt.c        | 25 ++++++++++++++++++++-----
 sm/gpgsm.c          | 12 ++++++++----
 10 files changed, 81 insertions(+), 28 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org



