summaryrefslogtreecommitdiffstats
path: root/agent (follow)
Commit message (Collapse)AuthorAgeFilesLines
* gpg: Fix writing ECDH keys to OpenPGP smartcards.Werner Koch2023-04-211-8/+59
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * agent/command.c (cmd_keytocard): Add new arg for ECDH params. * scd/app-openpgp.c (ecc_writekey): Use provided ECDH params to compute the fingerprint. * g10/call-agent.c (agent_keytocard): Add arg ecdh_param_str. * g10/keyid.c (ecdh_param_str_from_pk): New. * g10/card-util.c (card_store_subkey): Pass ECDH params to writekey. * g10/keygen.c (card_store_key_with_backup): Ditto. * scd/app-openpgp.c (store_fpr): Add arg update. (rsa_read_pubkey, ecc_read_pubkey): Add arg meta_update and avoid writing the fingerprint back to the card if not set. (read_public_key): Also add arg meta_update. (get_public_key): Do not pass it as true here... (do_genkey): ... but here. (rsa_write_key, ecc_writekey): Force string the fingerprint. -- The problem showed up because in 2.4 we changed the standard ECDH parameter some years ago. Now when trying to write an ECDH key created by 2.2 with 2.4 to an openpgp card, scdaemon computes a wrong fingerprint and thus gpg was not able to find the key again by fingerprint. The patch also avoids updating the stored fingerprint in certain situations. This fix is somewhat related to GnuPG-bug-id: 6378
* ssh: Allow to prefer on-disk keys over active card keys.Werner Koch2023-04-182-6/+20
| | | | | | | | * agent/command-ssh.c (ssh_send_available_keys): Redefine the order of keys. -- GnuPG-bug-id: 6212
* agent: Add trustlist flag "de-vs".Werner Koch2023-04-031-1/+7
| | | | | | | | | | | | | | | | * agent/trustlist.c (struct trustitem_s): Add field de_vs. (read_one_trustfile): Parse it. (istrusted_internal): Emit TRUSTLISTFLAG status line. * sm/gpgsm.h (struct rootca_flags_s): Add field de_vs. * sm/call-agent.c (istrusted_status_cb): Detect the flags. * sm/sign.c (write_detached_signature): Remove unused vars. -- Right now this flag has no effect; we first need to specify the exact behaviour. GnuPG-bug-id: 5079
* agent: New option --restricted for PRESET_PASSPHRASE.Werner Koch2023-03-272-3/+19
| | | | | | | | | | | | | | | | | | | * agent/command.c (cmd_preset_passphrase): Add option. * agent/preset-passphrase.c (oRestricted): New. (opts): Add option --restricted. (main): Set option. (preset_passphrase): Use option. -- We use a different cache for connections from the extra-socket. However, with gpg-preset-passphrase is only able to preset a passphrase into the regular cache. Further, a restricted connection may not use PRESET_PASSPHRASE. To solve this we add an new option to preset the passphrase into the "restricted" cache. For the gpg-preset-passphrase tool we also add the option --restricted. Note that this does not yet work with gpg-preset-passphrase --forget.
* agent: Make --disable-extended-key-format a dummy option.Werner Koch2023-03-1310-276/+152
| | | | | | | | | | | | | | | | | | | | | * agent/agent.h (opt): Remove enable_extended_key_format. * agent/gpg-agent.c (enum cmd_and_opt_values): Turn oDisableExtendedKeyFormat and oEnableExtendedKeyFormat into dummy options. * agent/protect.c (do_encryption): Remove arg use_ocb and corresponding code. (agent_protect): Ditto. Change all callers. * agent/findkey.c (agent_write_private_key): Simplify due to the removal of disable-extended-key-format. (write_extended_private_key): Fold into agent_write_private_key. -- This change is related to GnuPG-bug-id: 6386 but should have no visible effect except for the removal of option --disable-extended-key-format.
* agent: Try to SETREPEATOK if the pinentry supports it.Ben Kibbey2023-03-101-0/+21
| | | | | | | * agent/call-pinentry.c (agent_get_passphrase): Do SETREPEATOK. (agent_askpin): Ditto. Signed-off-by: Ben Kibbey <bjk@luxsci.net>
* agent: Show "no secret key" instead of "card removed".Werner Koch2023-03-012-4/+20
| | | | | | | | | | | | | | | * agent/findkey.c (agent_key_from_file): Check the error of read_key_file again. * agent/pkdecrypt.c (agent_pkdecrypt): Restore error if no card was found. Also remove useless condition. -- The first patch fixes a likely merge error. The second is about the actual return code: If we have no smardcard but simply try to decrypt with the current smartcard we should return the originla error code. GnuPG-bug-id: 5170 Fixes-commit: eda3c688fc2e85c7cd63029cb9caf06552d203b4
* ssh: Allow to define the order in which keys are returned.Werner Koch2023-02-014-63/+185
| | | | | | | | | | | | | | | | | | | | | | | * agent/findkey.c (public_key_from_file): Add arg r_sshorder. (agent_ssh_key_from_file): Ditto. * agent/command-ssh.c (struct key_collection_item_s): New. (struct key_collection_s): New. (search_control_file): Add art r_lnr. (add_to_key_array): New. (free_key_array): New. (compare_key_collection_items): New. (ssh_send_available_keys): Rewrite to return the keys in the user given order. -- GnuPG-bug-id: 6212 We now first return the keys from active cards, followed by keys listed in sshcontrol, finally from those with the "Use-for-ssh" key attribute. Keys from active cards are returned sorted by their S/N. Keys from sshcontrol are returned in the order they are given in that file. Use-for-ssh keys are ordered by the value assigned to that key attribute. The values for the latter are clamped at 99999.
* common: Slight redefinition of nvc_get_boolean.Werner Koch2023-01-241-1/+2
| | | | | | | | | | * common/name-value.c (nvc_get_boolean): Rewrite. -- The function may now return a positive or negative number instead of just 1 for true. All callers were already prepared for this. GnuPG-bug-id: 6212
* agent: Allow arguments to "scd serialno" in restricted mode.Werner Koch2022-12-121-1/+1
| | | | | | | * agent/command.c (cmd_scd): Allow it. -- This is important because Scute uses "SCD SERIALNO --all".
* build: Remove Windows CE support.NIIBE Yutaka2022-12-091-7/+1
| | | | | | | | | | | | | | | | * agent/Makefile.am [HAVE_W32CE_SYSTEM]: Remove. * am/cmacros.am [HAVE_W32CE_SYSTEM]: Remove. * autogen.sh: Remove W32ce_ variables. * configure.ac: Likewise. * dirmngr/Makefile.am (extra_bin_ldflags): Remove. * g10/Makefile.am [HAVE_W32CE_SYSTEM]: Remove. * kbx/Makefile.am: Likewise. * sm/Makefile.am (extra_bin_ldflags): Remove. * tools/Makefile.am (extra_bin_ldflags): Remove. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* gpg: New export option "mode1003".Werner Koch2022-12-021-10/+26
| | | | | | | | | | | | | | | | | | | | | | * agent/command.c (cmd_export_key): Add option --mode1003. (command_has_option): Ditto. * g10/build-packet.c (do_key): Implement mode 1003. * g10/parse-packet.c (parse_key): Ditto. * g10/options.h (EXPORT_MODE1003): New.o * g10/call-agent.c (agent_export_key): Add arg mode1003. * g10/export.c (parse_export_options): Add "mode1003" (secret_key_to_mode1003): New. (receive_seckey_from_agent): Add arg mode1003. (do_export_one_keyblock): Pass option down. -- This option allows to export a secret key in GnuPG's native format. Thus no re-encryption is required and further the public key parameters are also authenticated if a protection passphrase has been used. Note that --import is not yet able to handle this new mode. Although old version of GnuPG will bail out with "invalid packet" if a mode1003 exported secret key is seen.
* agent: Fix import of protected v5 keys.Werner Koch2022-12-011-3/+4
| | | | | | | | * agent/cvt-openpgp.c (convert_from_openpgp_main): Take care of version 5 keys. -- GnuPG-bug-id: 6294
* tests: Support semihosted environment.NIIBE Yutaka2022-12-011-3/+4
| | | | | | | | | | | | * Makefile.am (check-all): Add EXEEXT. * agent/all-tests.scm: Append EXEEXT. * common/all-tests.scm: Likewise. * g10/all-tests.scm: Likewise. * g13/all-tests.scm: Likewise. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Allow trustlist on Windows in Unicode homedirs.Werner Koch2022-11-101-1/+1
| | | | * agent/trustlist.c (agent_marktrusted): Use gnupg_access.
* agent: Avoid blanks in the ssh key's comment.Werner Koch2022-11-021-0/+5
| | | | | | | | | | | | | | | | | | * agent/command-ssh.c (card_key_available): Replace blanks. -- For managing the authorized_key file of ssh it is convenient if the comment does not have any spaces. Thus we now return cardno:FFFE_50FF3D01 instead of cardno:FFFE 50FF3D01 Note that gpg --export-ssh-key uses the keyid as comment because it does not known the S/N of the card. Gpg-agent however does not know about OpenPGP and uses the s/n.
* agent: Automatically convert to extended key format by KEYATTR.NIIBE Yutaka2022-10-281-6/+15
| | | | | | | | | * agent/command.c (cmd_keyattr): Reject when disabled extended key format. Handle the case when key is in non-extended format. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent,common,dirmngr,tests,tools: Remove spawn PREEXEC argument.NIIBE Yutaka2022-10-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | * common/exechelp-posix.c (do_exec): Remove PREEXEC argument. (gnupg_spawn_process): Likewise. (gnupg_spawn_process_fd): Follow the change of do_exec. (gnupg_spawn_process_detached): Likewise. * common/exechelp-w32.c (gnupg_spawn_process): Remove PREEXEC. * common/exechelp.h (gnupg_spawn_process): Remove PREEXEC. * agent/genkey.c (do_check_passphrase_pattern): Follow the change. * common/exectool.c (gnupg_exec_tool_stream): Likewise. * dirmngr/ldap-wrapper.c (ldap_wrapper): Likewise. * tests/gpgscm/ffi.c (do_spawn_process): Likewise. * tools/gpgconf-comp.c (gc_component_check_options): Likewise. (retrieve_options_from_program): Likewise. * tools/gpgconf.c (show_versions_via_dirmngr): Likewise. * tools/gpgtar-create.c (gpgtar_create): Likewise. * tools/gpgtar-extract.c (gpgtar_extract): Likewise. * tools/gpgtar-list.c (gpgtar_list): Likewise. -- PREEXEC is not portable feature and it's not used. GnuPG-bug-id: 6249 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent,w32: Support Win32-OpenSSH emulation by gpg-agent.NIIBE Yutaka2022-10-143-35/+163
| | | | | | | | | | | | | | | | * agent/agent.h (start_command_handler_ssh_stream): New. * agent/command-ssh.c (start_command_handler_ssh_stream): New. * agent/gpg-agent.c (oWin32OpenSSHSupport): New. (W32_DEFAILT_AGENT_PIPE_NAME): New. (main): Add oWin32OpenSSHSupport support. (win32_openssh_thread): New. (handle_connections): Spawn win32_openssh_thread. * configure.ac (NEED_GPGRT_VERSION): Require libgpg-error 1.46. -- GnuPG-bug-id: 3883 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Introduce attribute "Remote-list" to KEYINFO.Werner Koch2022-10-122-22/+27
| | | | | | | * agent/command.c (do_one_keyinfo): Add arg list_mode. Check attribute Remote-list. (cmd_keyinfo): Change semantics to return nothing in restricted list mode.
* agent,dirmngr,gpg,scd: Clean up for modern compiler.NIIBE Yutaka2022-09-141-0/+1
| | | | | | | | | | | | | | | | | | * agent/protect.c (agent_get_shadow_info_type): It's a write only variable, useful for debugging. * g10/key-check.c (key_check_all_keysigs): Likewise. * g10/keyedit.c (show_basic_key_info, menu_expire): Likewise. * scd/app-sc-hsm.c (read_ef_prkd): Likewise. * dirmngr/crlfetch.c (fetch_next_ksba_cert): Initialize the vars. * dirmngr/ks-action.c (ks_action_help): Remove unused variables. * dirmngr/server.c (make_keyserver_item): Likewise. * dirmngr/validate.c (check_cert_sig): Initialize the variable. * scd/app-p15.c (select_and_read_record): Likewise. * tests/gpgscm/scheme.c (scheme_init_new): A function with no args. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Don't start in --supervised mode if no-autostart is enabled.Werner Koch2022-09-071-0/+11
| | | | | * agent/gpg-agent.c (main): Print an error message if no-autostart is set in common.conf.
* doc: Update description of the key format.Werner Koch2022-08-162-11/+21
| | | | --
* agent: New option --need-attr for KEYINFO.Werner Koch2022-08-112-17/+73
| | | | | | | | | | | | | | * agent/command.c (do_one_keyinfo): New arg need_Attr. (cmd_keyinfo): New option --need-attr. * agent/findkey.c (public_key_from_file): Use nvc_get_boolean. -- This option makes it easier to list keys suitable only for certain purposes. The second patch makes if compliant to the description in keyformat.txt
* agent: Add description for "Prompt" field.NIIBE Yutaka2022-06-281-0/+6
| | | | | | -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Don't assume "OPENPGP.3" key means "Use-for-ssh:".NIIBE Yutaka2022-06-282-17/+3
| | | | | | | | | | * agent/command-ssh.c: Fix comments. * agent/findkey.c (public_key_from_file): Remove "OPENPGP.3" check. -- GnuPG-bug-id: 5996 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Do not consider --min-passphrase-len for the magic wand.Werner Koch2022-06-271-10/+11
| | | | | * agent/call-pinentry.c (generate_pin): Lock to exactly 30 octets. * g10/gpg.c (main) <aGenRandom>: Add Level 30.
* agent: Flush before calling ftruncate.NIIBE Yutaka2022-06-231-0/+2
| | | | | | | | | | * agent/findkey.c (write_extended_private_key): Make sure it is flushed out. -- GnuPG-bug-id: 6035 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: KEYATTR only allows access to attribute.NIIBE Yutaka2022-06-231-0/+8
| | | | | | | | | * agent/command.c (cmd_keyattr): Check the ATTRNAME. -- GnuPG-bug-id: 5988 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Fix KEYATTR command for --delete option.NIIBE Yutaka2022-06-231-1/+5
| | | | | | | | * agent/command.c (cmd_keyattr): Write the result. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Add KEYATTR command.NIIBE Yutaka2022-06-224-7/+139
| | | | | | | | | | | | | | | | | * agent/agent.h (agent_raw_key_from_file): Add R_KEYMETA argument. (agent_update_private_key): New. * agent/command-ssh.c (data_sign): Follow the change of the function agent_raw_key_from_file. * agent/command.c (do_one_keyinfo): Likewise. (cmd_keyattr): New. (register_commands): Add an entry of cmd_keyattr. * agent/findkey.c (agent_update_private_key): New. (agent_raw_key_from_file): Add R_KEYMETA argument. -- GnuPG-bug-id: 5988 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent,gpg,tools: Fix use of log_get_fd.NIIBE Yutaka2022-06-222-10/+2
| | | | | | | | | | | | | | * agent/call-daemon.c (daemon_start): Don't put file descriptor from log_get_fd to no_close_list. * agent/call-pinentry.c (start_pinentry): Likewise. * common/call-gpg.c (start_gpg): Likewise. * call-syshelp.c (start_syshelp): Likewise. * tools/gpg-connect-agent.c (main): Likewise. -- GnuPG-bug-id: 5921 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Improve "Insert the card" message.Werner Koch2022-06-171-1/+2
| | | | * agent/findkey.c (prompt_for_card): Don't print "(null").
* agent,ssh: Fix for make not-inserted OpenPGP.3 keys available for SSH.Werner Koch2022-06-151-5/+8
| | | | | | | | | | | | | * agent/command-ssh.c (ssh_send_available_keys): Do not bump key_counter for ignored keys. Also use opt.debug instead of opt.verbose and fix a memory leak. -- The error shown by "ssh-add -l" before this fix was: error fetching identities: incomplete messag Fixes-commit: 193fcc2f7a8cca5240ce50499c54f99235a87e1c GnuPG-bug-id: 5996
* agent: New option --no-user-trustlist and --sys-trustlist-name.Werner Koch2022-06-143-9/+53
| | | | | | | | | | | | | | | | | | | | | | | | * agent/gpg-agent.c (oNoUserTrustlist,oSysTrustlistName): New. (opts): Add new option names. (parse_rereadable_options): Parse options. (finalize_rereadable_options): Reset allow-mark-trusted for the new option. * agent/agent.h (opt): Add fields no_user_trustlist and sys_trustlist_name. * agent/trustlist.c (make_sys_trustlist_name): New. (read_one_trustfile): Use here. (read_trustfiles): Use here. Implement --no-user-trustlist. -- With the global options we can now avoid that a user changes the Root-CA trust by editing the trustlist.txt. However, to implement this we need a new option so that we don't need to rely on some magic like --no-allow-mark-trusted has been put into a force section. The second option makes system administration easier as it allows to keep the trustlist in a non-distributed file. GnuPG-bug-id: 5990
* Remove remaining support for WindowsCEWerner Koch2022-06-033-29/+9
| | | | --
* agent: Support --format=ssh option for READKEY.NIIBE Yutaka2022-06-021-13/+40
| | | | | | | | | | * agent/command.c (cmd_readkey): Handle --format=ssh to return key in SSH format. -- GnuPG-bug-id: 6012 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: New field "Prompt" to prevent asking card key insertion.NIIBE Yutaka2022-05-271-4/+21
| | | | | | | | | * agent/findkey.c (prompt_for_card): Add "Prompt" field handling. -- GnuPG-bug-id: 5987 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent,ssh: Support "Use-for-ssh" flag in private key.NIIBE Yutaka2022-05-261-10/+22
| | | | | | | | | | * agent/findkey.c (public_key_from_file): Support "Use-for-ssh" when it's in extended format. -- GnuPG-bug-id: 5985 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent,ssh: Make not-inserted OpenPGP.3 keys available for SSH.NIIBE Yutaka2022-05-263-85/+206
| | | | | | | | | | | | | | | | | | * agent/agent.h (agent_ssh_key_from_file): New. * agent/command-ssh.c (get_ssh_keyinfo_on_cards): New. (ssh_send_available_keys): Loop on the GNUPG_PRIVATE_KEYS_DIR. Support keys by agent_ssh_key_from_file. (ssh_handler_request_identities): Move card key handling to ssh_send_available_keys. * agent/findkey.c (public_key_from_file): New. Adding handling for SSH. (agent_public_key_from_file): Use public_key_from_file. (agent_ssh_key_from_file): New. -- GnuPG-bug-id: 5996 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Fix get_keyinfo_on_cards.NIIBE Yutaka2022-05-261-2/+5
| | | | | | | | | * agent/command.c (get_keyinfo_on_cards): Make it static. Don't return bogus value on error. Return NULL when scdaemon is disabled. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Handle USAGE information in KEYINFO.NIIBE Yutaka2022-05-262-4/+25
| | | | | | | | | | | * agent/agent.h (struct card_key_info_s): Add USAGE field. * agent/call-scd.c (card_keyinfo_cb): Parse USAGE field. Allow optional SERIALNO, IDSTR, and USAGE fields. Fix releasing on possible allocation error. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent,scd: Make sure to set CONFIDENTIAL flag in Assuan.NIIBE Yutaka2022-05-252-5/+21
| | | | | | | | | | | | | * agent/call-scd.c (inq_needpin): Call assuan_begin_confidential and assuan_end_confidential, and wipe the memory after use. * agent/command.c (cmd_preset_passphrase): Likewise. (cmd_put_secret): Likewise. * scd/command.c (pin_cb): Likewise. -- GnuPG-bug-id: 5977 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Add missing assuan_end_confidential call.NIIBE Yutaka2022-05-251-0/+1
| | | | | | | | * agent/command.c (send_back_passphrase): Fix. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Fix a bug accessing after release when opt.verbose.NIIBE Yutaka2022-05-201-4/+4
| | | | | | | | | * agent/command-ssh.c (ssh_handler_request_identities): Don't release KEY_PUBLIC too early. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Factor out handling scanning over ssh keys.NIIBE Yutaka2022-05-201-42/+48
| | | | | | | | | | * agent/command-ssh.c (ssh_send_available_keys): New. (ssh_handler_request_identities): Use ssh_send_available_keys. -- GnuPG-bug-id: 5985 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Show "Label:" field of private key when prompt the insertion.NIIBE Yutaka2022-05-201-24/+27
| | | | | | | | | | * agent/findkey.c (prompt_for_card): Use "Label:" field. (agent_key_from_file): Use KEYMETA. -- GnuPG-bug-id: 5986 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Move confirmation handling into findkey.c.NIIBE Yutaka2022-05-206-165/+151
| | | | | | | | | | | | | | | | | | * agent/agent.h (divert_tpm2_pksign, divert_tpm2_pkdecrypt): Fix API. (divert_pksign, divert_pkdecrypt): Likewise. * agent/divert-scd.c (ask_for_card): Remove. (divert_pksign, divert_pkdecrypt): Don't call ask_for_card. * agent/divert-tpm2.c (divert_tpm2_pksign, divert_tpm2_pkdecrypt): Remove DESC_TEXT argument. * agent/findkey.c (prompt_for_card): New (was: ask_for_card). (agent_key_from_file): Call prompt_for_card when it's a key on card. * agent/pkdecrypt.c (agent_pkdecrypt): Follow the change of API. * agent/pksign.c (agent_pksign_do): Likewise. -- Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Pop up dialog window for confirmation, when specified so.NIIBE Yutaka2022-05-192-0/+46
| | | | | | | | | * agent/findkey.c (agent_key_from_file): Support "Confirm:". -- GnuPG-bug-id: 5099 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
* agent: Supply GRIP=NULL for agent_key_from_file, for real use.NIIBE Yutaka2022-05-193-18/+19
| | | | | | | | | | | | * agent/findkey.c (agent_key_from_file): Change the semantics of GRIP. Now, it's NULL for use by PKDECRYPT and PKSIGN/PKAUTH. * agent/pkdecrypt.c (agent_pkdecrypt): Set GRIP=NULL. * agent/pksign.c (agent_pksign_do): Likewise. -- GnuPG-bug-id: 5099 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
generated by cgit v1.2.3 (git 2.39.1) at 2024-12-01 21:11:29 +0100