[git] GnuPG - branch, master, updated. gnupg-2.1.19-64-gfe0b37e

by Werner Koch cvs at cvs.gnupg.org
Mon Mar 20 10:16:48 CET 2017


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, master has been updated
       via  fe0b37e123ded51cc5f4cb5e3547fdfbce37a43e (commit)
       via  e2c63a13e2fa4ce39af8471a34c06d73ff3ee6f6 (commit)
      from  fb9d68d636490ca88925051f48b08963c324aed1 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit fe0b37e123ded51cc5f4cb5e3547fdfbce37a43e
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Mar 20 10:09:40 2017 +0100

    gpg: Add new field no 18 to the colon listing.
    
    * g10/misc.c (gnupg_pk_is_compliant): New.
    * g10/keylist.c (print_compliance_flags): New.
    (list_keyblock_colon): Call it here.
    * sm/keylist.c (print_compliance_flags): New.
    (list_cert_colon): Call it here.
    --
    
    This patch is to convey information about DE_VS compliant keys to the
    caller.  The double digit value is used so that parsers do the right
    thing and don't just look for a single digit.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/doc/DETAILS b/doc/DETAILS
index 8c11872..cfe70e1 100644
--- a/doc/DETAILS
+++ b/doc/DETAILS
@@ -218,6 +218,15 @@ described here.
     For pub, sub, sec, and ssb records this field is used for the ECC
     curve name.
 
+*** Field 18 - Compliance flags
+
+    Space separated list of asserted compliance modes for this key.
+
+    Valid values are:
+
+    - 8  :: The key is compliant with RFC4880bis
+    - 23 :: The key is compliant with compliance mode "de-vs".
+
 ** Special fields
 
 *** PKD - Public key data
diff --git a/g10/keylist.c b/g10/keylist.c
index 32cf1e8..b8f32be 100644
--- a/g10/keylist.c
+++ b/g10/keylist.c
@@ -1170,6 +1170,29 @@ print_revokers (estream_t fp, PKT_public_key * pk)
 }
 
 
+/* Print the compliance flags to field 18.  PK is the public key.
+ * KEYLENGTH is the length of the key in bits and CURVENAME is either
+ * NULL or the name of the curve.  The latter two args are here
+ * merely because the caller has already computed them.  */
+static void
+print_compliance_flags (PKT_public_key *pk,
+                        unsigned int keylength, const char *curvename)
+{
+  int any = 0;
+
+  if (pk->version == 5)
+    {
+      es_fputs ("8", es_stdout);
+      any++;
+    }
+  if (gnupg_pk_is_compliant (CO_DE_VS, pk, keylength, curvename))
+    {
+      es_fputs (any? " 23":"23", es_stdout);
+      any++;
+    }
+}
+
+
 /* List a key in colon mode.  If SECRET is true this is a secret key
    record (i.e. requested via --list-secret-key).  If HAS_SECRET a
    secret key is available even if SECRET is not set.  */
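Review bot: The second `any++` at the end of print_compliance_flags is a dead store, since nothing reads `any` after the de-vs branch; either drop it or leave a short comment that it is kept so a further flag can be appended, which is presumably the intent. The header comment should also say what the function actually emits, e.g. `/* Prints "8" for a version 5 key and "23" when gnupg_pk_is_compliant (CO_DE_VS, ...) succeeds, space separated; nothing is printed for a key asserting neither.  */`. Unlike its sm/keylist.c counterpart in this commit, which takes an `estream_t fp`, this helper writes straight to es_stdout; passing the stream would keep the two helpers parallel, although its only caller list_keyblock_colon writes to es_stdout throughout.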
@@ -1191,6 +1214,9 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
   const char *hexgrip = NULL;
   char *serialno = NULL;
   int stubkey;
+  unsigned int keylength;
+  char *curve = NULL;
+  const char *curvename = NULL;
 
   /* Get the keyid from the keyblock.  */
   node = find_kbnode (keyblock, PKT_PUBLIC_KEY);
@@ -1239,14 +1265,16 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
   else
     ownertrust_print = 0;
 
+  keylength = nbits_from_pk (pk);
+
   es_fputs (secret? "sec:":"pub:", es_stdout);
   if (trustletter_print)
     es_putc (trustletter_print, es_stdout);
   es_fprintf (es_stdout, ":%u:%d:%08lX%08lX:%s:%s::",
-          nbits_from_pk (pk),
-          pk->pubkey_algo,
-          (ulong) keyid[0], (ulong) keyid[1],
-          colon_datestr_from_pk (pk), colon_strtime (pk->expiredate));
+              keylength,
+              pk->pubkey_algo,
+              (ulong) keyid[0], (ulong) keyid[1],
+              colon_datestr_from_pk (pk), colon_strtime (pk->expiredate));
 
   if (ownertrust_print)
     es_putc (ownertrust_print, es_stdout);
@@ -1272,14 +1300,14 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
       || pk->pubkey_algo == PUBKEY_ALGO_EDDSA
       || pk->pubkey_algo == PUBKEY_ALGO_ECDH)
     {
-      char *curve = openpgp_oid_to_str (pk->pkey[0]);
-      const char *name = openpgp_oid_to_curve (curve, 0);
-      if (!name)
-        name = curve;
-      es_fputs (name, es_stdout);
-      xfree (curve);
+      curve = openpgp_oid_to_str (pk->pkey[0]);
+      curvename = openpgp_oid_to_curve (curve, 0);
+      if (!curvename)
+        curvename = curve;
+      es_fputs (curvename, es_stdout);
     }
   es_putc (':', es_stdout);		/* End of field 17. */
+  print_compliance_flags (pk, keylength, curvename);
   es_putc (':', es_stdout);		/* End of field 18. */
   es_putc ('\n', es_stdout);
 
@@ -1380,13 +1408,13 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
 	      if (trustletter)
 		es_fprintf (es_stdout, "%c", trustletter);
 	    }
+          keylength = nbits_from_pk (pk2);
 	  es_fprintf (es_stdout, ":%u:%d:%08lX%08lX:%s:%s:::::",
-		  nbits_from_pk (pk2),
-		  pk2->pubkey_algo,
-		  (ulong) keyid2[0], (ulong) keyid2[1],
-		  colon_datestr_from_pk (pk2), colon_strtime (pk2->expiredate)
-		  /* fixme: add LID and ownertrust here */
-	    );
+                      keylength,
+                      pk2->pubkey_algo,
+                      (ulong) keyid2[0], (ulong) keyid2[1],
+                      colon_datestr_from_pk (pk2),
+                      colon_strtime (pk2->expiredate));
 	  print_capabilities (pk2, NULL);
           es_putc (':', es_stdout);	/* End of field 13. */
           es_putc (':', es_stdout);	/* End of field 14. */
@@ -1405,14 +1433,16 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
               || pk2->pubkey_algo == PUBKEY_ALGO_EDDSA
               || pk2->pubkey_algo == PUBKEY_ALGO_ECDH)
             {
-              char *curve = openpgp_oid_to_str (pk2->pkey[0]);
-              const char *name = openpgp_oid_to_curve (curve, 0);
-              if (!name)
-                name = curve;
-              es_fputs (name, es_stdout);
               xfree (curve);
+              curve = openpgp_oid_to_str (pk2->pkey[0]);
+              curvename = openpgp_oid_to_curve (curve, 0);
+              if (!curvename)
+                curvename = curve;
+              es_fputs (curvename, es_stdout);
             }
           es_putc (':', es_stdout);	/* End of field 17. */
+          print_compliance_flags (pk2, keylength, curvename);
+          es_putc (':', es_stdout);	/* End of field 18. */
 	  es_putc ('\n', es_stdout);
           print_fingerprint (NULL, pk2, 0);
           if (hexgrip)
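Review bot: For a non-ECC subkey `curvename` is never reset, so the `print_compliance_flags (pk2, keylength, curvename)` call added here passes whatever curve name the primary key or an earlier ECC subkey left behind; `curve` itself is freed and reassigned only inside the ECC branch. This is harmless today because gnupg_pk_is_compliant in g10/misc.c (same commit) consults CURVENAME only for ECC algorithms, but any later use of the argument for RSA or DSA keys would read a stale value. Adding `curvename = NULL;` immediately before the `if (pk2->pubkey_algo == PUBKEY_ALGO_ECDSA ...)` condition, whose first line lies above this hunk, closes that gap at no cost.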
@@ -1540,6 +1570,7 @@ list_keyblock_colon (ctrl_t ctrl, kbnode_t keyblock,
 	}
     }
 
+  xfree (curve);
   xfree (hexgrip_buffer);
   xfree (serialno);
 }
diff --git a/g10/main.h b/g10/main.h
index f58f041..c9c3454 100644
--- a/g10/main.h
+++ b/g10/main.h
@@ -125,6 +125,9 @@ int openpgp_pk_test_algo2 (pubkey_algo_t algo, unsigned int use);
 int openpgp_pk_algo_usage ( int algo );
 const char *openpgp_pk_algo_name (pubkey_algo_t algo);
 
+int gnupg_pk_is_compliant (int compliance, PKT_public_key *pk,
+                           unsigned int keylength, const char *curvename);
+
 enum gcry_md_algos map_md_openpgp_to_gcry (digest_algo_t algo);
 int openpgp_md_test_algo (digest_algo_t algo);
 const char *openpgp_md_algo_name (int algo);
diff --git a/g10/misc.c b/g10/misc.c
index c69f994..0ecdb04 100644
--- a/g10/misc.c
+++ b/g10/misc.c
@@ -640,7 +640,7 @@ openpgp_pk_test_algo2 (pubkey_algo_t algo, unsigned int use)
   if (!ga)
     return gpg_error (GPG_ERR_PUBKEY_ALGO);
 
-  /* No check whether Libgcrypt has support for the algorithm.  */
+  /* Now check whether Libgcrypt has support for the algorithm.  */
   return gcry_pk_algo_info (ga, GCRYCTL_TEST_ALGO, NULL, &use_buf);
 }
 
@@ -704,6 +704,94 @@ openpgp_pk_algo_name (pubkey_algo_t algo)
 }
 
 
+/* Return true if PK is compliant to the give COMPLIANCE mode.  If
+ * KEYLENGTH and CURVENAME are not 0/NULL the are assumed to be the
+ * already computed values from PK.  */
+int
+gnupg_pk_is_compliant (int compliance, PKT_public_key *pk,
+                       unsigned int keylength, const char *curvename)
+{
+  enum { is_rsa, is_pgp5, is_elg_sign, is_ecc } algotype;
+  int result;
+
+  switch (pk->pubkey_algo)
+    {
+    case PUBKEY_ALGO_RSA:
+    case PUBKEY_ALGO_RSA_E:
+    case PUBKEY_ALGO_RSA_S:
+      algotype = is_rsa;
+      break;
+
+    case PUBKEY_ALGO_ELGAMAL_E:
+    case PUBKEY_ALGO_DSA:
+      algotype = is_pgp5;
+      break;
+
+    case PUBKEY_ALGO_ECDH:
+    case PUBKEY_ALGO_ECDSA:
+    case PUBKEY_ALGO_EDDSA:
+      algotype = is_ecc;
+      break;
+
+    case PUBKEY_ALGO_ELGAMAL:
+      algotype = is_elg_sign;
+      break;
+
+    default: /* Unknown.  */
+      return 0;
+    }
+
+  if (compliance == CO_DE_VS)
+    {
+      char *curve = NULL;
+
+      switch (algotype)
+        {
+        case is_pgp5:
+          result = 0;
+          break;
+
+        case is_rsa:
+          if (!keylength)
+            keylength = nbits_from_pk (pk);
+          result = (keylength >= 2048);
+          break;
+
+        case is_ecc:
+          if (!curvename)
+            {
+              curve = openpgp_oid_to_str (pk->pkey[0]);
+              curvename = openpgp_oid_to_curve (curve, 0);
+              if (!curvename)
+                curvename = curve;
+            }
+
+          result = (curvename
+                    && pk->pubkey_algo != PUBKEY_ALGO_EDDSA
+                    && (!strcmp (curvename, "brainpoolP256r1")
+                        || !strcmp (curvename, "brainpoolP384r1")
+                        || !strcmp (curvename, "brainpoolP512r1")));
+          break;
+
+        default:
+          result = 0;
+        }
+      xfree (curve);
+    }
+  else if (algotype == is_elg_sign)
+    {
+      /* An Elgamal signing key is only RFC-2440 compliant.  */
+      result = (compliance == RFC2440);
+    }
+  else
+    {
+      result = 1; /* Assume compliance.  */
+    }
+
+  return result;
+}
+
+
 /* Explicit mapping of OpenPGP digest algos to Libgcrypt.  */
 /* FIXME: We do not yes use it everywhere.  */
 enum gcry_md_algos
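Review bot: The header comment of gnupg_pk_is_compliant has two typos ("to the give", "the are") and should read `/* Return true if PK is compliant with the given COMPLIANCE mode.  If KEYLENGTH and CURVENAME are not 0/NULL they are assumed to be the already computed values from PK.  */`. More importantly, the final `else` returns `result = 1; /* Assume compliance.  */` for every compliance mode other than CO_DE_VS (Elgamal signing keys aside), so a mode added later is reported as compliant for all algorithms until this function is extended; a comment stating that this default is deliberate, or an explicit list of the modes for which "assume compliance" is meant, would make the fail-open behaviour visible to the next maintainer. The local `curve` is only allocated in the `is_ecc` branch and freed once after the switch, which is fine, but a short comment such as `/* CURVE is owned here only when we had to derive CURVENAME ourselves.  */` would document why xfree follows the switch rather than the branch.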
diff --git a/sm/keylist.c b/sm/keylist.c
index d27d4f4..1b1a261 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -346,6 +346,14 @@ email_kludge (const char *name)
 }
 
 
+/* Print the compliance flags to field 18.  ALGO is the gcrypt algo
+ * number.  NBITS is the length of the key in bits.  */
+static void
+print_compliance_flags (int algo, unsigned int nbits, estream_t fp)
+{
+  if (algo == GCRY_PK_RSA && nbits >= 2048)
+    es_fputs ("23", fp);
+}
 
 
 /* List one certificate in colon mode */
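Review bot: The RSA threshold `nbits >= 2048` in print_compliance_flags duplicates the one in gnupg_pk_is_compliant in g10/misc.c from the same commit; a shared named constant for the de-vs RSA minimum would keep gpg and gpgsm from drifting when that requirement changes. The comment should also state that only RSA is ever reported here, e.g. `/* Only RSA keys of at least 2048 bits are currently reported as de-vs compliant ("23"); other algorithms print nothing.  */`, since a reader comparing it with the gpg variant might otherwise expect an ECC case.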
@@ -496,6 +504,8 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
   print_capabilities (cert, fp);
   /* Field 13, not used: */
   es_putc (':', fp);
+  /* Field 14, not used: */
+  es_putc (':', fp);
   if (have_secret || ctrl->with_secret)
     {
       char *cardsn;
@@ -504,18 +514,20 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
       if (!gpgsm_agent_keyinfo (ctrl, p, &cardsn)
           && (cardsn || ctrl->with_secret))
         {
-          /* Field 14, not used: */
-          es_putc (':', fp);
           /* Field 15:  Token serial number or secret key indicator.  */
           if (cardsn)
             es_fputs (cardsn, fp);
           else if (ctrl->with_secret)
             es_putc ('+', fp);
-          es_putc (':', fp);
         }
       xfree (cardsn);
       xfree (p);
     }
+  es_putc (':', fp);  /* End of field 15. */
+  es_putc (':', fp);  /* End of field 16. */
+  es_putc (':', fp);  /* End of field 17. */
+  print_compliance_flags (algo, nbits, fp);
+  es_putc (':', fp);  /* End of field 18. */
   es_putc ('\n', fp);
 
   /* FPR record */

commit e2c63a13e2fa4ce39af8471a34c06d73ff3ee6f6
Author: Werner Koch <wk at gnupg.org>
Date:   Mon Mar 20 08:38:54 2017 +0100

    gpg: Remove unused stuff.
    
    * g10/OPTIONS: Remove.
    * g10/options.h (struct opt): Remove 'shm_coprocess'.
    
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/doc/HACKING b/doc/HACKING
index e717479..fc0c3f4 100644
--- a/doc/HACKING
+++ b/doc/HACKING
@@ -168,13 +168,13 @@ Note that such a comment will be removed if the git commit option
     that the freed variable is not anymore used, explicitly set the
     variable to NULL.
   - New code shall in general use xtrymalloc or xtrycalloc and check
-    for an error (use gpg_error_from_errno()).
+    for an error (use gpg_error_from_syserror()).
   - Init function local variables only if needed so that the compiler
     can do a better job in detecting uninitialized variables which may
     indicate a problem with the code.
   - Never init static or file local variables to 0 to make sure they
     end up in BSS.
-  - But extra parenthesis around terms with binary operators to make
+  - Put extra parenthesis around terms with binary operators to make
     it clear that the binary operator was indeed intended.
   - Use --enable-maintainer-mode with configure so that all suitable
     warnings are enabled.
diff --git a/g10/OPTIONS b/g10/OPTIONS
deleted file mode 100644
index b1a49e2..0000000
--- a/g10/OPTIONS
+++ /dev/null
@@ -1,24 +0,0 @@
-# Some notes used by the maintainers
-
-
-store
-# simply packs the input data into a rfc1991 packet format
-
-check-trustdb
-
-
-compress-keys
-# compress exported key, compress level is still set with "-z" and
-# algorithm with --compress-algo" - Default is to not compress keys, as
-# this is better for interoperability.
-
-compress-sigs
-# Normally, compressing of signatures does not make sense; so this
-# is disabled for detached signatures unless this option is used.
-
-run-as-shm-coprocess [request-locked-shm-size]
-# very special :-)
-# You will have to use "--status-fd" too
-# Note:  This option does only work if given on the command line.
-
-
diff --git a/g10/options.h b/g10/options.h
index def6385..c634f0f 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -148,7 +148,6 @@ struct
     {
       KF_DEFAULT, KF_NONE, KF_SHORT, KF_LONG, KF_0xSHORT, KF_0xLONG
     } keyid_format;
-  int shm_coprocess;
   const char *set_filename;
   strlist_t comments;
   int throw_keyids;

-----------------------------------------------------------------------

Summary of changes:
 doc/DETAILS   |  9 ++++++
 doc/HACKING   |  4 +--
 g10/OPTIONS   | 24 ----------------
 g10/keylist.c | 73 ++++++++++++++++++++++++++++++++++--------------
 g10/main.h    |  3 ++
 g10/misc.c    | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 g10/options.h |  1 -
 sm/keylist.c  | 18 ++++++++++--
 8 files changed, 170 insertions(+), 52 deletions(-)
 delete mode 100644 g10/OPTIONS


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org



