4 years ago  agent: Remove useless conditions.
Werner Koch [Sun, 15 Mar 2015 11:57:13 +0000 (12:57 +0100)]
agent: Remove useless conditions.

* agent/genkey.c (agent_ask_new_passphrase): Remove useless condition.
* agent/command-ssh.c (ssh_identity_register): Ditto.

Detected by Stack 0.3:

  bug: anti-simplify
  model: |
    %tobool22 = icmp ne i8* %arraydecay21, null, !dbg !717
    -->  true
    - /home/wk/s/gnupg/agent/genkey.c:385:0
  ncore: 1
    - /home/wk/s/gnupg/agent/genkey.c:362:0
      - pointer overflow

  bug: anti-simplify
  model: |
    %tobool35 = icmp ne i8* %arraydecay34, null, !dbg !1053
    -->  true
    - /home/wk/s/gnupg/agent/command-ssh.c:3120:0
  ncore: 1
    - /home/wk/s/gnupg/agent/command-ssh.c:3103:0
      - pointer overflow

4 years ago  gpg: Remove useless condition.
Werner Koch [Sun, 15 Mar 2015 11:30:06 +0000 (12:30 +0100)]
gpg: Remove useless condition.

* g10/keylist.c (list_keyblock_colon): Remove useless condition (PK).
(list_keyblock_print):  Likewise.

PK is already derefed above and thus testing for PK is dead code.
Detected by Stack 0.3:

  bug: anti-simplify
  model: |
    %tobool200 = icmp ne %struct.PKT_public_key* %3, null, !dbg !1498
    -->  true
    - /home/wk/s/gnupg/g10/keylist.c:1367:0
  ncore: 1
    - /home/wk/s/gnupg/g10/keylist.c:1319:0
      - null pointer dereference

  bug: anti-simplify
  model: |
    %tobool102 = icmp ne %struct.PKT_public_key* %4, null, !dbg !1462
    -->  true
    - /home/wk/s/gnupg/g10/keylist.c:978:0
  ncore: 1
    - /home/wk/s/gnupg/g10/keylist.c:955:0
      - null pointer dereference

  bug: anti-simplify
  model: |
    %tobool128 = icmp ne %struct.PKT_public_key* %4, null, !dbg !1469
    -->  true
    - /home/wk/s/gnupg/g10/keylist.c:990:0
  ncore: 1
    - /home/wk/s/gnupg/g10/keylist.c:955:0
      - null pointer dereference

4 years ago  scd: Fix possible NULL deref in apdu.c
Werner Koch [Sun, 15 Mar 2015 11:15:55 +0000 (12:15 +0100)]
scd: Fix possible NULL deref in apdu.c

* scd/apdu.c (control_pcsc_direct): Take care of BUFLEN being NULL.
(control_pcsc_wrapped): Ditto.

pcsc_vendor_specific_init calls the above with BUFFER and BUFLEN as

Reported by Stack 0.3:

  bug: anti-dce
  model: |
    %retval.0.i.i76 = phi i32 [ %rc.0.i.i.i73, \
            %pcsc_error_to_sw.exit.i.i74 ], [ 0, %if.end.i.i75 ]
    %tobool198 = icmp ne i32 %retval.0.i.i76, 0, !dbg !728
    br i1 %tobool198, label %if.then199, label %if.end200, !dbg !728
    - /home/wk/s/gnupg/scd/apdu.c:1882:0
  ncore: 1
    - /home/wk/s/gnupg/scd/apdu.c:1309:0
      - buffer overflow

4 years ago  common: Make openpgp_oid_to_str more robust.
Werner Koch [Sun, 15 Mar 2015 11:07:21 +0000 (12:07 +0100)]
common: Make openpgp_oid_to_str more robust.

* common/openpgp-oid.c (openpgp_oid_to_str): Take care of
gcry_mpi_get_opaque returning NULL.  Remove useless condition !BUF.

It is possible that an opaque MPI stores just a NULL pointer.  Take
care of that before incrementing the pointer.  We return an error in
this case because at least a length byte is required.

Found due to hint from stack 0.3:

  bug: anti-simplify
  model: |
    %tobool15 = icmp ne i8* %incdec.ptr, null, !dbg !567
    -->  true
    - /home/wk/s/gnupg/common/openpgp-oid.c:220:0
  ncore: 1
    - /home/wk/s/gnupg/common/openpgp-oid.c:212:0
      - pointer overflow

Signed-off-by: Werner Koch <>
4 years ago  agent: Improve error reporting from Pinentry.
Werner Koch [Wed, 11 Mar 2015 15:28:32 +0000 (16:28 +0100)]
agent: Improve error reporting from Pinentry.

* agent/call-pinentry.c (unlock_pinentry): Add error logging.  Map
error source of uncommon errors to Pinentry.

With this change it is possible to detect whether an error like
GPG_ERR_ASS_INV_RESPONSE has its origin in a call to Pinentry or comes
from another part of gpg-agent.

Signed-off-by: Werner Koch <>
4 years ago  gpg: Change --print-pka-records into an option.
Werner Koch [Tue, 10 Mar 2015 12:44:40 +0000 (13:44 +0100)]
gpg: Change --print-pka-records into an option.

* g10/gpg.c (aPrintPKARecords): Rename to oPrintPKARecords and do not
use it as a command.
* g10/keylist.c (list_keyblock): List PKA records also for secret

An option allows using it more flexibly.  For example to select only
secret keys.

Signed-off-by: Werner Koch <>
4 years ago  gpg: Add --list-gcrypt-config and "curve" item for --list-config.
Werner Koch [Tue, 10 Mar 2015 14:26:02 +0000 (15:26 +0100)]
gpg: Add --list-gcrypt-config and "curve" item for --list-config.

* common/openpgp-oid.c (curve_supported_p): New.
(openpgp_enum_curves): New.
* common/t-openpgp-oid.c (test_openpgp_enum_curves): New.
(main): Add option --verbose.
* g10/gpg.c (opts): Add --list-gcrypt-config.
(list_config): Add items "curve" and "curveoid".  Remove unused code.

GnuPG-bug-id: 1917
Signed-off-by: Werner Koch <>
4 years ago  scd: fix for 64-bit arch.
NIIBE Yutaka [Mon, 9 Mar 2015 02:00:03 +0000 (11:00 +0900)]
scd: fix for 64-bit arch.

* agent/pksign.c (agent_pksign_do): Use int.
* scd/app-openpgp.c (get_public_key): Likewise.


On 64-bit architecture, int and size_t might be different.
For the first argument for '%b', int is expected.

4 years ago  doc: Some typo fixes.
Werner Koch [Fri, 6 Mar 2015 09:46:40 +0000 (10:46 +0100)]
doc: Some typo fixes.


4 years ago  doc: Fix FAQ stub and remove faq build rules.
Werner Koch [Wed, 4 Mar 2015 14:10:52 +0000 (15:10 +0100)]
doc: Fix FAQ stub and remove faq build rules.


The FAQ is maintained in the gnupg-doc repo.

4 years ago  gpg: avoid chatter about trustdb when --quiet
Daniel Kahn Gillmor [Sat, 21 Feb 2015 16:04:13 +0000 (11:04 -0500)]
gpg: avoid chatter about trustdb when --quiet

* g10/trustdb.c (tdb_check_trustdb_stale): avoid log_info() when

gpg(1) says:

       -q, --quiet
              Try to be as quiet as possible.

While the mentions about the stale trustdb information are edifying,
they aren't necessary, and shouldn't be emitted when the user requests

Signed-off-by: Daniel Kahn Gillmor <>
4 years ago  gpg: Lowercase mailbox for PKA lookups.
Werner Koch [Thu, 26 Feb 2015 17:16:45 +0000 (18:16 +0100)]
gpg: Lowercase mailbox for PKA lookups.

* common/stringhelp.c (ascii_strlwr): New.
* common/mbox-util.c (mailbox_from_userid): Downcase result.

Signed-off-by: Werner Koch <>
4 years ago  Remove an unused variable.
Werner Koch [Thu, 26 Feb 2015 17:15:10 +0000 (18:15 +0100)]
Remove an unused variable.


4 years ago  gpg: Fix memory leak due to PKA lookup.
Werner Koch [Thu, 26 Feb 2015 17:01:13 +0000 (18:01 +0100)]
gpg: Fix memory leak due to PKA lookup.

* g10/keyserver.c (keyserver_import_pka): Move the xfree.

4 years ago  doc: Fix name of keep-ownertrust.
Werner Koch [Thu, 26 Feb 2015 14:06:00 +0000 (15:06 +0100)]
doc: Fix name of keep-ownertrust.


Reported-by: Guilhem Moulin <>
(cherry picked from commit 0d286a11c857a8f84b084b6f4e8a38737adca034)

4 years ago  doc: Update the description of the S2K extension.
Werner Koch [Thu, 26 Feb 2015 10:57:06 +0000 (11:57 +0100)]
doc: Update the description of the S2K extension.


4 years ago  gpg: Switch to a hash and CERT record based PKA system.
Werner Koch [Wed, 25 Feb 2015 15:34:19 +0000 (16:34 +0100)]
gpg: Switch to a hash and CERT record based PKA system.

* common/dns-cert.c (get_dns_cert): Make r_key optional.
* common/pka.c: Rewrite for the new hash based lookup.
* common/t-pka.c: New.
* Remove option --disable-dns-pka.
(USE_DNS_PKA): Remove ac_define.
* g10/getkey.c (parse_auto_key_locate): Always include PKA.


Note that although PKA is now always built, it will only work if
support for looking up via DNS has not been disabled.

The new PKA only works with the IPGP DNS certtype and shall be used
only to retrieve the fingerprint and optionally the key for the first
time.  Due to the security problems with DNSSEC the former assumption
to validate the key using DNSSEC is not anymore justified.  Instead an
additional layer (e.g. Trust-On-First-Use) needs to be implemented to
track changes to the key.  Having a solid way of getting a key matching
a mail address is however a must have.

More work needs to go into a redefinition of the --verify-options
pka-lookups and pka-trust-increase.  The auto-key-locate mechanism
should also be able to continue key fetching with other methods once
the fingerprint has been retrieved with PKA.

Signed-off-by: Werner Koch <>
4 years ago  common: Allow requesting a specific certtype with get_dns_cert()
Werner Koch [Wed, 25 Feb 2015 11:03:21 +0000 (12:03 +0100)]
common: Allow requesting a specific certtype with get_dns_cert()

* common/dns-cert.c (get_dns_cert): Add arg want_certtype.  Change all
(CERTTYPE_): Move constants to ...
* common/dns-cert.h: here as DNS_CERTTYPE_.

Signed-off-by: Werner Koch <>
4 years ago  Move new mailbox.c source file to common/.
Werner Koch [Wed, 25 Feb 2015 10:43:50 +0000 (11:43 +0100)]
Move new mailbox.c source file to common/.

* g10/mailbox.c: Move to ...
* common/mbox-util.c: new file.
* common/mbox-util.h: New. Include where needed.
* g10/t-mailbox.c: Move to ...
* common/t-mbox-util.c: new file.

This will make it easier to use the code by other modules in common/.

4 years ago  gpg: Add command --print-pka-records.
Werner Koch [Tue, 24 Feb 2015 18:31:59 +0000 (19:31 +0100)]
gpg: Add command --print-pka-records.

* g10/gpg.c (main): Add command --print-pka-records.
* g10/options.h (struct opt): Add field "print_pka_records".
* g10/keylist.c (list_keyblock_pka): New.
(list_keyblock): Call it if new option is set.
(print_fingerprint): Add mode 10.

This is a first step towards a slightly updated PKA implementation.

Signed-off-by: Werner Koch <>
4 years ago  gpg: Add function to extract the mailbox.
Werner Koch [Tue, 24 Feb 2015 16:43:57 +0000 (17:43 +0100)]
gpg: Add function to extract the mailbox.

* g10/misc.c (has_invalid_email_chars, is_valid_mailbox)
(is_valid_user_id): Move to ...
* g10/mailbox.c: new file.
(string_has_ctrl_or_space, has_dotdot_after_at): New.
(has_invalid_email_chars): New.

* g10/t-mailbox.c: New.
* g10/ (module_tests): Add t-mailbox.
(t_mailbox_SOURCES, t_mailbox_LDADD): New.

Signed-off-by: Werner Koch <>
4 years ago  common: Add another test case to zb32.c
Werner Koch [Tue, 24 Feb 2015 16:02:00 +0000 (17:02 +0100)]
common: Add another test case to zb32.c


Fingerprints may eventually be used with zb32 and thus there should be
a test case.

4 years ago  gpg: Add option to print fingerprints in ICAO spelling.
Werner Koch [Mon, 23 Feb 2015 16:54:05 +0000 (17:54 +0100)]
gpg: Add option to print fingerprints in ICAO spelling.

* g10/gpg.c: Add option --with-icao-spelling.
* g10/options.h (struct opt): Add with_icao_spelling.
* g10/keylist.c (print_icao_hexdigit): New.
(print_fingerprint): Print ICAO spelling.

Signed-off-by: Werner Koch <>
4 years ago  gpg: Skip legacy keys while searching keyrings.
Werner Koch [Mon, 23 Feb 2015 15:37:57 +0000 (16:37 +0100)]
gpg: Skip legacy keys while searching keyrings.

* g10/getkey.c (search_modes_are_fingerprint): New.
(lookup): Skip over legacy keys.

GnuPG-bug-id: 1847
Signed-off-by: Werner Koch <>
4 years ago  common: Fix regression due to commit 2183683b.
Werner Koch [Mon, 23 Feb 2015 14:25:37 +0000 (15:25 +0100)]
common: Fix regression due to commit 2183683b.

* common/dns-cert.c (get_dns_cert): Remove cruft.

GnuPG-bug-id: 1850
Signed-off-by: Werner Koch <>
4 years ago  gpg: Replace remaining uses of stdio by estream.
Werner Koch [Thu, 19 Feb 2015 16:22:27 +0000 (17:22 +0100)]
gpg: Replace remaining uses of stdio by estream.

* g10/sign.c (sign_file):  Use log_printf instead of stderr.
* g10/tdbdump.c (export_ownertrust): Use estream functions.
(import_ownertrust): Ditto.
* g10/tdbio.c (tdbio_dump_record): Ditto.  Change arg to estream_t.

Reported-by: Guilhem Moulin <>
  Needed for unattended key edits with --status-fd, because since 2.1
  status prompts are preceded by es_fflush (in cpr.c:do_get_from_fd)
  not fflush(3), so the standard output may not be flushed before each
  prompt. (Which breaks scripts using select(2) to multiplex between
  the standard and status outputs.)

His patch only affected print_and_check_one_sig_colon() but there are
many more places where stdio and estream are mixed.  This patch now
replaces most of them in g10/.  At some places stdio is still used,
but that is local to a function and should not have side effects.

Signed-off-by: Werner Koch <>
4 years ago  gpg: Fix segv due to NULL value stored as opaque MPI.
Werner Koch [Thu, 19 Feb 2015 15:29:58 +0000 (16:29 +0100)]
gpg: Fix segv due to NULL value stored as opaque MPI.

* g10/build-packet.c (gpg_mpi_write): Check for NULL return from
(gpg_mpi_write_nohdr, do_key): Ditto.
* g10/keyid.c (hash_public_key): Ditto.

This fix extends commit 0835d2f44ef62eab51fce6a927908f544e01cf8f.

  gpg2 --export --no-default-keyring --keyring TESTDATA

With TESTDATA being below after unpacking.



Reported-by: Jodie Cunningham
Signed-off-by: Werner Koch <>
4 years ago  scd: Fix regression in 2.1.2 (due to commit 2183683)
Werner Koch [Thu, 12 Feb 2015 19:40:39 +0000 (20:40 +0100)]
scd: Fix regression in 2.1.2 (due to commit 2183683)

* scd/apdu.c (pcsc_vendor_specific_init): Replace use of
bufNN_to_uint by direct code.

Hey, that was little endian.

4 years ago  dirmngr: Initialize cache from sysconfig dir
Andre Heinecke [Thu, 5 Feb 2015 12:58:50 +0000 (13:58 +0100)]
dirmngr: Initialize cache from sysconfig dir

* dirmngr/certcache.c (cert_cache_init): Load certificates
from sysconfig dir instead of the homedir.
* dirmngr/dirmngr.c (main): Removed parsing of obsolete
homedir_data option.
* dirmngr/dirmngr.h (opt): Removed homedir_data.
* doc/dirmngr.texi: Update and clarify certs directory doc.


Using the homedir for extra-certs and trusted-certs makes
little sense when dirmngr is used with a caller that
manages its own store of certificates and can
provide those through the SENDCERT command.
You can use trusted-certs and extra-certs to provide
users with a base of locally available certificates that are
not already in the store of the applications.

4 years ago  Post release updates.
Werner Koch [Wed, 11 Feb 2015 18:48:21 +0000 (19:48 +0100)]
Post release updates.


4 years ago  Release 2.1.2  (tag: gnupg-2.1.2)
Werner Koch [Wed, 11 Feb 2015 18:22:25 +0000 (19:22 +0100)]
Release 2.1.2

4 years ago  po: Auto update.
Werner Koch [Wed, 11 Feb 2015 18:20:46 +0000 (19:20 +0100)]
po: Auto update.


4 years ago  dirmngr: Avoid warning about unused function.
Werner Koch [Wed, 11 Feb 2015 18:01:11 +0000 (19:01 +0100)]
dirmngr: Avoid warning about unused function.

* dirmngr/dirmngr.c (my_gnutls_log): Build only if gnutls is used.

4 years ago  build: Update standard build-aux files.
Werner Koch [Wed, 11 Feb 2015 17:51:00 +0000 (18:51 +0100)]
build: Update standard build-aux files.

4 years ago  doc: Add another use case for --show-session-key.
Werner Koch [Wed, 11 Feb 2015 11:21:30 +0000 (12:21 +0100)]
doc: Add another use case for --show-session-key.

GnuPG-bug-id: 1835

4 years ago  doc: Change remaining http links to https
Werner Koch [Wed, 11 Feb 2015 11:10:39 +0000 (12:10 +0100)]
doc: Change remaining http links to https

GnuPG-bug-id: 1830

4 years ago  Use inline functions to convert buffer data to scalars.
Werner Koch [Wed, 11 Feb 2015 09:27:57 +0000 (10:27 +0100)]
Use inline functions to convert buffer data to scalars.

* common/host2net.h (buf16_to_ulong, buf16_to_uint): New.
(buf16_to_ushort, buf16_to_u16): New.
(buf32_to_size_t, buf32_to_ulong, buf32_to_uint, buf32_to_u32): New.

Commit 91b826a38880fd8a989318585eb502582636ddd8 was not enough to
avoid all sign extension on shift problems.  Hanno Böck found a case
with an invalid read due to this problem.  To fix that once and for
all almost all uses of "<< 24" and "<< 8" are changed by this patch to
use an inline function from host2net.h.

Signed-off-by: Werner Koch <>
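The sign extension on shift problem this commit describes, shown as an added example (this is my illustration, not GnuPG's host2net.h; the helper names follow the ones listed in the commit message, but the bodies, the `record_length_fits` consumer and the sample byte arrays are this example's own):

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs, big-endian as they would sit in a keyring. */
const unsigned char sample_highbit[4] = { 0x80, 0x00, 0x00, 0x00 };
const unsigned char sample_small[4]   = { 0x7f, 0x00, 0x00, 0x00 };
const unsigned char sample_record[6]  = { 0x00, 0x00, 0x00, 0x02, 'a', 'b' };

/* The pattern the commit replaced.  Each p[i] is promoted to (signed) int, so
 * p[0] << 24 with the top bit set overflows int, which C leaves undefined.
 * Typical compilers produce a negative int; storing that in an unsigned long
 * on an LP64 host sign-extends it to e.g. 0xffffffff80000000, a "length" far
 * beyond the buffer.  Only defined for p[0] < 0x80; kept here as the
 * vulnerable form, do not use it. */
unsigned long buf32_to_ulong_legacy (const unsigned char *p)
{
  return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
}

/* Hardened forms in the style of the host2net.h helpers named in the commit:
 * widen every octet to the destination type before shifting, so no operand is
 * ever a signed int and nothing can be sign-extended. */
static inline unsigned long buf32_to_ulong (const void *buffer)
{
  const unsigned char *p = buffer;
  return ((unsigned long)p[0] << 24) | ((unsigned long)p[1] << 16)
         | ((unsigned long)p[2] << 8) | (unsigned long)p[3];
}

static inline uint32_t buf32_to_u32 (const void *buffer)
{
  const unsigned char *p = buffer;
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static inline size_t buf32_to_size_t (const void *buffer)
{
  return (size_t)buf32_to_u32 (buffer);
}

static inline unsigned int buf16_to_uint (const void *buffer)
{
  const unsigned char *p = buffer;
  return ((unsigned int)p[0] << 8) | (unsigned int)p[1];
}

static inline uint16_t buf16_to_u16 (const void *buffer)
{
  return (uint16_t)buf16_to_uint (buffer);
}

/* Typical consumer: a record with a 4-octet big-endian length prefix that
 * must fit inside the remaining buffer.  Returns 1 if it fits, 0 otherwise.
 * With the legacy conversion a prefix of 0x80000000 comes back as a negative
 * int (or its sign-extended unsigned long); code that adds such a value to a
 * pointer or stores it in a signed variable then reads outside the buffer. */
int record_length_fits (const unsigned char *buf, size_t buflen)
{
  size_t n;
  if (buflen < 4)
    return 0;
  n = buf32_to_size_t (buf);
  return n <= buflen - 4;
}

int main (void)
{
  printf ("legacy, 0x7f...: 0x%lx\n", buf32_to_ulong_legacy (sample_small));
  printf ("safe,   0x80...: 0x%lx\n", buf32_to_ulong (sample_highbit));
  printf ("record fits:     %d\n",
          record_length_fits (sample_record, sizeof sample_record));
  return 0;
}
```

The rule the hardened helpers follow is mechanical: cast each octet to the result type before the shift, never after the OR. Auditing for `<< 24` and `<< 8` on `char` or `unsigned char` operands, as the commit did, finds the remaining instances.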
4 years ago  gpg: Prevent an invalid memory read using a garbled keyring.
Werner Koch [Mon, 9 Feb 2015 14:46:00 +0000 (15:46 +0100)]
gpg: Prevent an invalid memory read using a garbled keyring.

* g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
* g10/keydb.c (parse_keyblock_image): Ditto.

The keyring DB code did not reject packets which don't belong into a
keyring.  If for example the keyblock contains a literal data packet
it is expected that the processing code stops at the data packet and
reads from the input stream which is referenced from the data packets.
Obviously the keyring processing code does not and cannot do that.
However, when exporting this messes up the IOBUF and leads to an
invalid read of sizeof (int).

We now skip all packets which are not allowed in a keyring.

Reported-by: Hanno Böck <>
Test data:

  gpg2 --no-default-keyring --keyring FILE --export >/dev/null

With this unpacked data for FILE:



Signed-off-by: Werner Koch <>
4 years ago  gpg: Fix a NULL-deref in export due to invalid packet lengths.
Werner Koch [Mon, 9 Feb 2015 09:54:06 +0000 (10:54 +0100)]
gpg: Fix a NULL-deref in export due to invalid packet lengths.

* g10/build-packet.c (write_fake_data): Take care of a NULL stored as
opaque MPI.

Reported-by: Hanno Böck <>
Test data:

     gpg2 --no-default-keyring --keyring FILE --export

With this unpacked data for FILE:

Version: GnuPG v2
Comment: Use "gpg --dearmor" for unpacking


Signed-off-by: Werner Koch <>
4 years ago  gpg: Fix a NULL-deref due to empty ring trust packets.
Werner Koch [Mon, 9 Feb 2015 09:21:19 +0000 (10:21 +0100)]
gpg: Fix a NULL-deref due to empty ring trust packets.

* g10/parse-packet.c (parse_trust): Always allocate a packet.

Reported-by: Hanno Böck <>
Signed-off-by: Werner Koch <>
Test data:

 gpg2 --no-default-keyring --keyring FILE --export

With this unpacked data for FILE:

Version: GnuPG v2
Comment: Use "gpg --dearmor" for unpacking


4 years ago  gpg-agent: Use "pinentry-basic" as fallback.
Werner Koch [Wed, 4 Feb 2015 09:09:28 +0000 (10:09 +0100)]
gpg-agent: Use "pinentry-basic" as fallback.

* common/homedir.c (get_default_pinentry_name): New.
(gnupg_module_name): Use that for the default pinentry.
(gnupg_module_name_flush_some): New.
* agent/gpg-agent.c (agent_sighup_action): Flush some module names.
* agent/call-pinentry.c (start_pinentry): Do not modify

The idea with this change is that under Windows we can install a
simple native Windows pinentry as "pinentry-basic" and a full GUI
version may then later install pinentry-gtk etc which would then
automatically be used.

Unfortunately installing another pinentry from a different package
would clobber the GnuPG core directory which is not nice.  To fix that
we would need to agree on standard installation directories for GUIs
to also look there.

Signed-off-by: Werner Koch <>
4 years ago  w32: Add manifest to gpg.
Werner Koch [Tue, 3 Feb 2015 18:11:44 +0000 (19:11 +0100)]
w32: Add manifest to gpg.

* g10/ New.
* g10/gpg-w32info.rc: Add manifest.
* g10/ (EXTRA_DIST): Add manifest.
(gpg-w32info.o): Depend on manifest.
(AC_CONFIG_FILES): Add manifest.

There are no dependencies yet defined - we need to do this for the
libs first.

Signed-off-by: Werner Koch <>
4 years ago  Update copyright years.
Werner Koch [Tue, 3 Feb 2015 08:12:45 +0000 (09:12 +0100)]
Update copyright years.

* common/ (W32INFO_COMPANYNAME): Change to "The GnuPG

4 years ago  w32: Change default Windows install dir and add bin to PATH.
Werner Koch [Sun, 1 Feb 2015 14:35:57 +0000 (15:35 +0100)]
w32: Change default Windows install dir and add bin to PATH.

* build-aux/ (WITH_GUI): New macro.  The Windows installer is
now built by default without any GUI stuff.
* build-aux/speedo/w32/inst.nsi: Change standard installation
(AddToPath, un.RemoveFromPath): New.
(gnupginst): Add bin directory to the PATH.

Signed-off-by: Werner Koch <>
4 years ago  w32: Allow for Unicode installation directory.
Werner Koch [Sun, 1 Feb 2015 14:27:32 +0000 (15:27 +0100)]
w32: Allow for Unicode installation directory.

* common/homedir.c (w32_rootdir): Use Unicode function not only for

This uses the same code we used for WindowsCE.  It has not been tested
with a Unicode requiring installation directory.

Signed-off-by: Werner Koch <>
4 years ago  kbx: Fix resource leak.
Joshua Rogers [Fri, 30 Jan 2015 02:42:52 +0000 (11:42 +0900)]
kbx: Fix resource leak.

* kbx/keybox-update.c (blob_filecopy): Fix resource leak.  On error
return, 'fp' and 'newfp' were never closed.


Signed-off-by: Joshua Rogers <>
[Log entry reformatted, and added more fixes - gniibe]

4 years ago  agent: Fix use of imported but unprotected openpgp keys.
Werner Koch [Thu, 29 Jan 2015 15:26:07 +0000 (16:26 +0100)]
agent: Fix use of imported but unprotected openpgp keys.

* agent/agent.h (PRIVATE_KEY_OPENPGP_NONE): New.
* agent/command.c (do_one_keyinfo): Implement it.
* agent/findkey.c (agent_key_from_file): Ditto.
(agent_key_info_from_file): Ditto.
(agent_delete_key): Ditto.
* agent/protect.c (agent_private_key_type): Add detection for openpgp
"none" method.

Signed-off-by: Werner Koch <>
4 years ago  po: Update Japanese Translation.
NIIBE Yutaka [Thu, 29 Jan 2015 06:00:30 +0000 (15:00 +0900)]
po: Update Japanese Translation.

4 years ago  gpg: Limit the size of key packets to a sensible value.
Werner Koch [Wed, 28 Jan 2015 19:32:28 +0000 (20:32 +0100)]
gpg: Limit the size of key packets to a sensible value.

* g10/parse-packet.c (MAX_KEY_PACKET_LENGTH): New.
(parse_key): Limit the size of a key packet to 256k.
(parse_user_id): Use macro for the packet size limit.
(parse_attribute): Ditto.
(parse_comment): Ditto.

Without that it is possible to force gpg to allocate large amounts of
memory by using a badly encoded MPI.  This would be a too easy DoS.
Another way to mitigate would be to change the MPI read function to
allocate memory dynamically while reading the MPI.  However, that
complicates and possibly slows down the code.  A too large key packet
is in any case a sign of broken data and thus gpg should not use it.

Reported-by: Hanno Böck
GnuPG-bug-id: 1823
Signed-off-by: Werner Koch <>
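The two keyring hardening rules from this commit and from "gpg: Prevent an invalid memory read using a garbled keyring" above (skip packet types that do not belong in a keyring; refuse key packets whose declared length is absurd before allocating for them), as one added example. This is my code, not GnuPG's parse-packet.c or keyring.c: the header parser follows RFC 4880 section 4.2, the 256k cap is the value the commit message states, and the sample headers are constructed, not taken from real keys.

```c
#include <stddef.h>
#include <stdint.h>

/* Same cap as the commit describes for GnuPG (256k); assumed here. */
#define MAX_KEY_PACKET_LENGTH (256 * 1024)

/* RFC 4880 packet tags that matter for a keyring. */
enum { PKT_SIGNATURE = 2, PKT_SECRET_KEY = 5, PKT_PUBLIC_KEY = 6,
       PKT_SECRET_SUBKEY = 7, PKT_LITERAL_DATA = 11, PKT_RING_TRUST = 12,
       PKT_USER_ID = 13, PKT_PUBLIC_SUBKEY = 14, PKT_ATTRIBUTE = 17 };

typedef struct {
  int      tag;
  uint32_t length;        /* body length; meaningless if indeterminate */
  int      indeterminate; /* old-format type 3 or new-format partial length */
  size_t   hdrlen;        /* header octets consumed */
} pkt_hdr_t;

/* Parse an OpenPGP packet header (RFC 4880 4.2).  0 on success, -1 if the
 * header is malformed or the buffer is too short to hold it. */
int parse_packet_header (const uint8_t *buf, size_t buflen, pkt_hdr_t *hdr)
{
  if (buflen < 1 || !(buf[0] & 0x80))
    return -1;                                  /* CTB bit 7 must be set */
  hdr->indeterminate = 0;
  if (buf[0] & 0x40)                            /* new-format header */
    {
      hdr->tag = buf[0] & 0x3f;
      if (buflen < 2)
        return -1;
      if (buf[1] < 192)
        { hdr->length = buf[1]; hdr->hdrlen = 2; }
      else if (buf[1] < 224)
        {
          if (buflen < 3) return -1;
          hdr->length = ((uint32_t)(buf[1] - 192) << 8) + buf[2] + 192;
          hdr->hdrlen = 3;
        }
      else if (buf[1] == 255)
        {
          if (buflen < 6) return -1;
          hdr->length = ((uint32_t)buf[2] << 24) | ((uint32_t)buf[3] << 16)
                        | ((uint32_t)buf[4] << 8) | buf[5];
          hdr->hdrlen = 6;
        }
      else                                      /* 224..254: partial length */
        { hdr->length = 0; hdr->indeterminate = 1; hdr->hdrlen = 2; }
      return 0;
    }
  hdr->tag = (buf[0] >> 2) & 0x0f;              /* old-format header */
  switch (buf[0] & 0x03)
    {
    case 0: if (buflen < 2) return -1;
      hdr->length = buf[1]; hdr->hdrlen = 2; break;
    case 1: if (buflen < 3) return -1;
      hdr->length = ((uint32_t)buf[1] << 8) | buf[2]; hdr->hdrlen = 3; break;
    case 2: if (buflen < 5) return -1;
      hdr->length = ((uint32_t)buf[1] << 24) | ((uint32_t)buf[2] << 16)
                    | ((uint32_t)buf[3] << 8) | buf[4]; hdr->hdrlen = 5; break;
    default: hdr->length = 0; hdr->indeterminate = 1; hdr->hdrlen = 1; break;
    }
  return 0;
}

/* Whitelist of packet types that belong in a keyring.  A literal data
 * packet, for instance, is not on it and is skipped, never processed. */
int keyring_packet_allowed (int tag)
{
  switch (tag)
    {
    case PKT_SIGNATURE: case PKT_SECRET_KEY: case PKT_PUBLIC_KEY:
    case PKT_SECRET_SUBKEY: case PKT_RING_TRUST: case PKT_USER_ID:
    case PKT_PUBLIC_SUBKEY: case PKT_ATTRIBUTE:
      return 1;
    default:
      return 0;
    }
}

static int is_key_packet (int tag)
{
  return tag == PKT_SECRET_KEY || tag == PKT_PUBLIC_KEY
         || tag == PKT_SECRET_SUBKEY || tag == PKT_PUBLIC_SUBKEY;
}

/* Decide what to do with one packet header read from a keyring:
 *   1 = accept, 0 = skip (type not allowed in a keyring),
 *  -1 = reject (malformed, indeterminate length, or oversized key packet). */
int check_keyring_packet (const uint8_t *buf, size_t buflen)
{
  pkt_hdr_t hdr;
  if (parse_packet_header (buf, buflen, &hdr))
    return -1;
  if (!keyring_packet_allowed (hdr.tag))
    return 0;
  if (hdr.indeterminate)
    return -1;
  if (is_key_packet (hdr.tag) && hdr.length > MAX_KEY_PACKET_LENGTH)
    return -1;   /* refuse before allocating anything for the body */
  return 1;
}

/* Convenience accessors; -1 on a malformed header. */
long packet_tag (const uint8_t *buf, size_t buflen)
{ pkt_hdr_t h; return parse_packet_header (buf, buflen, &h) ? -1 : h.tag; }
long packet_length (const uint8_t *buf, size_t buflen)
{ pkt_hdr_t h; return parse_packet_header (buf, buflen, &h) ? -1 : (long)h.length; }

/* Constructed sample headers (not real key material). */
const uint8_t sample_pubkey_old[]  = { 0x99, 0x01, 0x0d };              /* tag 6, 269 bytes */
const uint8_t sample_literal_old[] = { 0xac, 0x05 };                    /* tag 11, 5 bytes */
const uint8_t sample_pubkey_huge[] = { 0xc6, 0xff, 0x00, 0x10, 0x00, 0x00 }; /* tag 6, 1 MiB */
const uint8_t sample_userid_new[]  = { 0xcd, 0x05 };                    /* tag 13, 5 bytes */
const uint8_t sample_truncated[]   = { 0x99, 0x01 };                    /* length byte missing */
```

The order of the checks matters: the length cap is applied to the parsed header alone, before any body is read or allocated, which is what makes it a DoS mitigation rather than a post-hoc sanity check. Skipping (return 0) rather than aborting on a disallowed packet matches the commit's "we now skip all packets which are not allowed in a keyring".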
4 years ago  gpg: Fix buffering problem in --list-config.
Werner Koch [Wed, 28 Jan 2015 19:12:21 +0000 (20:12 +0100)]
gpg: Fix buffering problem in --list-config.

* g10/gpg.c (list_config): Replace print_sanitized_string2 by

* common/stringhelp.c (print_sanitized_buffer2): Remove.
(print_sanitized_buffer, print_sanitized_utf8_buffer): Remove.
(print_sanitized_utf8_buffer, print_sanitized_utf8_string): Remove.
(print_sanitized_string): Remove.

* sm/certdump.c (print_dn_part, print_dn_parts): Remove arg FP.
(pretty_print_sexp, gpgsm_print_name2, gpgsm_print_name): Remove.

Mixing stdio and estream is never a good idea.  This fix also allows
us to remove a lot of garbage.

Reported-by: Jason A. Donenfeld <>
GnuPG-bug-id: 1822
Signed-off-by: Werner Koch <>
4 years ago  Add a hook to be called right after main.
Werner Koch [Wed, 28 Jan 2015 18:57:22 +0000 (19:57 +0100)]
Add a hook to be called right after main.

* common/init.c (early_system_init): New stub function.

Signed-off-by: Werner Koch <>
4 years ago  gpg: Allow predefined names as answer to the keygen.algo prompt.
Werner Koch [Wed, 28 Jan 2015 08:11:02 +0000 (09:11 +0100)]
gpg: Allow predefined names as answer to the keygen.algo prompt.

* g10/keygen.c (ask_algo): Add list of strings.

Signed-off-by: Werner Koch <>
4 years ago  agent: Add some extra robustness to extract_private_key
Werner Koch [Tue, 27 Jan 2015 09:22:47 +0000 (10:22 +0100)]
agent: Add some extra robustness to extract_private_key

* agent/cvt-openpgp.c (extract_private_key): Add arg "arraysize".
Make sure that R_FLAGS and R_CURVE are set to NULL.

Given that extract_private_key is not file local it is good to have some
extra asserts to protect against future wrong use.

Signed-off-by: Werner Koch <>
4 years ago  scd: Fix varargs call for 64-bit arch on ECC keys.
NIIBE Yutaka [Wed, 28 Jan 2015 02:24:29 +0000 (11:24 +0900)]
scd: Fix varargs call for 64-bit arch on ECC keys.

* scd/app-openpgp.c (store_fpr): Remove CARD_VERSION from the
(rsa_writekey): Follow the change.
(do_genkey): Likewise.
(ecc_writekey): Likewise.  Cast to size_t.


KEYTOCARD caused SEGV of scdaemon on 64-bit arch.  That's because
int is 32-bit, but size_t is 64-bit.

4 years ago  gpg: Fix segv introduced to commit 4d7c9b0.
Werner Koch [Tue, 27 Jan 2015 08:11:13 +0000 (09:11 +0100)]
gpg: Fix segv introduced to commit 4d7c9b0.

* g10/keygen.c (get_parameter_passphrase): Take care of R == NULL.

Signed-off-by: Werner Koch <>
4 years ago  agent: Fix agent_public_key_from_file for ECC.
NIIBE Yutaka [Tue, 27 Jan 2015 00:30:11 +0000 (09:30 +0900)]
agent: Fix agent_public_key_from_file for ECC.

* agent/cvt-openpgp.c (extract_private_key): New.
(convert_to_openpgp): Use extract_private_key.
* agent/findkey.c (agent_public_key_from_file): Use


This patch adds support for ECC keys with a curve name and flags.  Since
the same functionality is also needed for convert_to_openpgp, it was
factored out into the extract_private_key function.

4 years ago  sm: Simplify fix ed8383c6
Werner Koch [Mon, 26 Jan 2015 16:56:52 +0000 (17:56 +0100)]
sm: Simplify fix ed8383c6

* sm/minip12.c (p12_build): Release PWBUF only at the end.

Suggested-by: Eygene Ryabinkin <>
Signed-off-by: Werner Koch <>
4 years ago  ccid: Remove incorrect expression leading to errors.
Joshua Rogers [Fri, 23 Jan 2015 16:03:33 +0000 (03:03 +1100)]
ccid: Remove incorrect expression leading to errors.

* scd/ccid-driver.c (send_escape_cmd): Fix setting of 'rc'.

Variable 'rc' in send_escape_cmd was overwritten before it was
returned, leading to incorrect computation.

Signed-off-by: Joshua Rogers <>
[Log entry reformatted - wk]

(cherry picked from commit 3d9f8bf1dc0c7165a5d2a31568ed425d2dc3b91e)

4 years ago  gpgconf: Fix validity check for UINT32 values.
Werner Koch [Fri, 23 Jan 2015 14:37:51 +0000 (15:37 +0100)]
gpgconf: Fix validity check for UINT32 values.

* tools/gpgconf-comp.c (option_check_validity): Enable check for

Reported-by: Günther Noack <>
This is actually a bug which inhibited the checking of values of type

Signed-off-by: Werner Koch <>
4 years ago  gpg,sm: Remove unnecessary duplicated checks
Werner Koch [Fri, 23 Jan 2015 14:30:03 +0000 (15:30 +0100)]
gpg,sm: Remove unnecessary duplicated checks


Reported-by: Günther Noack <>
4 years ago  doc: Fix some typos and add missing options.
Werner Koch [Thu, 22 Jan 2015 16:49:55 +0000 (17:49 +0100)]
doc: Fix some typos and add missing options.


GnuPG-bug-id: 1602

I added options shown with --help but missing in the man page.
However, --help won't show everything listed in the man page and
frankly there are even more options not listed anywhere (to see them
use --dump-options).

4 years ago  gpg: Improve skipping of PGP-2 keys.
Werner Koch [Thu, 22 Jan 2015 15:36:28 +0000 (16:36 +0100)]
gpg: Improve skipping of PGP-2 keys.

* g10/keydb.c (keydb_search_first, keydb_search_next): Skip legacy
* g10/keyring.c (keyring_get_keyblock): Handle GPG_ERR_LEGACY_KEY.
(prepare_search): Ditto.
(keyring_rebuild_cache): Skip legacy keys.
* g10/keyserver.c (keyidlist): Ditto.
* g10/trustdb.c (validate_key_list): Ditto.

This is not the most elegant way to handle it but it reduces the
chance for unwanted side effects.

GnuPG-bug-id: 1816
Signed-off-by: Werner Koch <>
4 years ago  gpg: Add dedicated error code for PGP-2 keys.
Werner Koch [Thu, 22 Jan 2015 11:14:48 +0000 (12:14 +0100)]
gpg: Add dedicated error code for PGP-2 keys.

* g10/parse-packet.c (parse_key): Return GPG_ERR_LEGACY_KEY for PGP2
* g10/import.c (read_block): Simplify by checking GPG_ERR_LEGACY_KEY.
* g10/getkey.c (lookup): Silence error message for PGP-2 keys.

* common/util.h (GPG_ERR_LEGACY_KEY): Add replacement for older

Signed-off-by: Werner Koch <>
4 years ago  gpg: Replace remaining old error code macros by GPG_ERR_.
Werner Koch [Thu, 22 Jan 2015 11:06:11 +0000 (12:06 +0100)]
gpg: Replace remaining old error code macros by GPG_ERR_.

* g10/gpg.h (g10_errstr): Remove macro and change all occurrences by
(G10ERR_): Remove all macros and change all occurrences by their
GPG_ERR_ counterparts.

Signed-off-by: Werner Koch <>
4 years ago  gpg: Remove an unused variable.
Werner Koch [Thu, 22 Jan 2015 08:45:45 +0000 (09:45 +0100)]
gpg: Remove an unused variable.

* g10/getkey.c (getkey_ctx_s): Remove last_rc.

4 years ago  dirmngr: Fix TLS build problems.
Werner Koch [Wed, 21 Jan 2015 14:54:06 +0000 (15:54 +0100)]
dirmngr: Fix TLS build problems.

* dirmngr/ (AM_CFLAGS): Add flags for TLS libs.

This should fix
GnuPG-bug-id: 1813.

4 years ago  gpg: Support --passphrase with --quick-gen-key.
Werner Koch [Wed, 21 Jan 2015 11:42:14 +0000 (12:42 +0100)]
gpg: Support --passphrase with --quick-gen-key.

* g10/keygen.c: Include shareddefs.h.
(quick_generate_keypair): Support static passphrase.
(get_parameter_passphrase): New.
(do_generate_keypair): Use it.

Signed-off-by: Werner Koch <>
4 years ago  gpg: Re-enable the "Passphrase" parameter for batch key generation.
Werner Koch [Wed, 21 Jan 2015 10:31:20 +0000 (11:31 +0100)]
gpg: Re-enable the "Passphrase" parameter for batch key generation.

* agent/command.c (cmd_genkey): Add option --inq-passwd.
* agent/genkey.c (agent_genkey): Add new arg override_passphrase.
* g10/call-agent.c (inq_genkey_parms): Handle NEWPASSWD keyword.
(agent_genkey): Add arg optional arg "passphrase".
* g10/keygen.c (common_gen, gen_elg, gen_dsa, gen_ecc)
(gen_rsa, do_create): Add arg "passphrase" and pass it through.
(do_generate_keypair): Make use of pPASSPHRASE.
(release_parameter_list): Wipe out a passphrase parameter.

Signed-off-by: Werner Koch <>
4 years ago  artwork: Crop and rename the commonly used logo.
Werner Koch [Tue, 20 Jan 2015 16:06:50 +0000 (17:06 +0100)]
artwork: Crop and rename the commonly used logo.


4 years ago  kbx: Minor cleanup for the previous fix.
Werner Koch [Mon, 19 Jan 2015 13:58:06 +0000 (14:58 +0100)]
kbx: Minor cleanup for the previous fix.

* kbx/keybox-search.c (blob_get_keyid): Rename to
blob_get_first_keyid. Check number of keys and remove blob type check.

There is no need to check the blob type.  We already know that it is a
key blob type and keyids are used for X.509 and OpenPGP.  Also added
check for number of keys because the other parser functions do it as

Signed-off-by: Werner Koch <>
4 years ago  kbx: Call skipfnc callback to filter out keys
Damien Goutte-Gattat [Fri, 16 Jan 2015 15:56:35 +0000 (16:56 +0100)]
kbx: Call skipfnc callback to filter out keys

* kbx/keybox-search.c (blob_get_keyid): New.
(keybox-search): Call skipfnc callback function.

This patch (tentatively) fixes
GnuPG-bug-id: 1794

The keybox_search function in kbx/keybox-search.c currently ignores
the skipfnc callback, but the validate_key_list function in
g10/trustdb.c uses such a callback to exclude ultimately trusted keys.

4 years ago  Register DCO for Damien Goutte-Gattat.
Werner Koch [Mon, 19 Jan 2015 10:06:59 +0000 (11:06 +0100)]
Register DCO for Damien Goutte-Gattat.


4 years ago  scd: Allow for certificates > 1024 with PC/SC.
Andreas Schwier [Fri, 18 Jul 2014 16:22:26 +0000 (18:22 +0200)]
scd: Allow for certificates > 1024 with PC/SC.

* scd/pcsc-wrapper.c (handle_transmit): Enlarge buffer to 4096 to
allow for larger certificates.


Cherry-pick from 5798673156a66f4c39e1d34e358b03539194d57c.
Forward ported from 2.0.

4 years ago  po: Update the German translation.
Werner Koch [Fri, 9 Jan 2015 11:52:35 +0000 (12:52 +0100)]
po: Update the German translation.


This also fixes
GnuPG-bug-id: 1808

4 years ago  dirmngr: Fix error code path of map_host.
NIIBE Yutaka [Thu, 8 Jan 2015 03:14:13 +0000 (12:14 +0900)]
dirmngr: Fix error code path of map_host.

* dirmngr/ks-engine-hkp.c (map_host): Fix error return.


In ks-engine-hkp.c on line 509 'reftbl' is freed, but it is then
used on line 511. I'm guessing this is a missing return;.

Reported-by: Joshua Rogers <>
Debian-Bug-Id: 773520

Other fixes on error added too.

4 years ago  scd: fix get_public_key for OpenPGPcard v1.0.
Joshua Rogers [Sat, 20 Dec 2014 00:38:53 +0000 (11:38 +1100)]
scd: fix get_public_key for OpenPGPcard v1.0.

* scd/app-openpgp.c (get_public_key): correctly close 'fp' upon use.


Inside the get_public_key function, 'fp' was opened using popen, but
incorrectly closed using fclose.

Debian-Bug-Id: 773474

4 years ago  dirmngr: fix LDAP query PATTERNS limit check.
NIIBE Yutaka [Wed, 7 Jan 2015 07:56:43 +0000 (16:56 +0900)]
dirmngr: fix LDAP query PATTERNS limit check.

* dirmngr/ldap.c (start_cert_fetch_ldap): fix ARGC limitation.


Reported-by: Joshua Rogers <>
Debian-Bug-Id: 773507

4 years ago  scd: fix merge failure.
NIIBE Yutaka [Tue, 6 Jan 2015 23:15:12 +0000 (08:15 +0900)]
scd: fix merge failure.

* scd/apdu.c (pcsc_pinpad_verify): Remove wrong lines inserted by


Thanks to Joshua Rogers for reviewing and reporting.

4 years ago  sm,g13: Init local vars to avoid compiler warnings.
Werner Koch [Mon, 5 Jan 2015 14:10:03 +0000 (15:10 +0100)]
sm,g13: Init local vars to avoid compiler warnings.

* sm/misc.c (transform_sigval): Init RSA_S_LEN.
* g13/mount.c (read_keyblob): Init HEADERLEN.

Not a bug but the compiler (gcc 4.9.1) can't detect that it is not
used uninitialized.

Signed-off-by: Werner Koch <>
4 years ago  gpg: Remove unused args from a function.
Werner Koch [Mon, 5 Jan 2015 14:07:23 +0000 (15:07 +0100)]
gpg: Remove unused args from a function.

* g10/keyserver.c (parse_keyserver_uri): Remove args configname and
configlineno.  Change all callers.

Signed-off-by: Werner Koch <>
4 years ago  gpg: Clear a possible rest of the KDF secret buffer.
Werner Koch [Mon, 5 Jan 2015 14:03:12 +0000 (15:03 +0100)]
gpg: Clear a possible rest of the KDF secret buffer.

* g10/ecdh.c (pk_ecdh_encrypt_with_shared_point): Fix order of args.

That bug has been here since the beginning.  The entire function needs
a review or be moved to Libgcrypt.

Signed-off-by: Werner Koch <>
4 years ago  build: Require automake 1.14.
Werner Koch [Mon, 5 Jan 2015 13:55:36 +0000 (14:55 +0100)]
build: Require automake 1.14.

* (AM_INIT_AUTOMAKE): Add serial-tests.

4 years ago  agent: Make --allow-loopback-pinentry gpgconf changeable.
Werner Koch [Sun, 4 Jan 2015 16:19:06 +0000 (17:19 +0100)]
agent: Make --allow-loopback-pinentry gpgconf changeable.

4 years ago  tools: Free variable before return
Joshua Rogers [Mon, 22 Dec 2014 13:47:50 +0000 (00:47 +1100)]
tools: Free variable before return

* tools/gpgconf-comp.c: Free 'dest_filename' before it is returned
upon error.

Signed-off-by: Joshua Rogers <>
4 years ago  Register DCO for Joshua Rogers.
Werner Koch [Mon, 22 Dec 2014 13:27:33 +0000 (14:27 +0100)]
Register DCO for Joshua Rogers.


4 years ago  sm: Avoid double-free on iconv failure
Daniel Kahn Gillmor [Fri, 19 Dec 2014 23:53:34 +0000 (18:53 -0500)]
sm: Avoid double-free on iconv failure

* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid
double-free of pwbuf.


Observed by Joshua Rogers <>, who proposed a
slightly different fix.

Debian-Bug-Id: 773472

Added fix at a second place - wk.

4 years ago  scd: Avoid double-free on error condition in scd
Daniel Kahn Gillmor [Fri, 19 Dec 2014 23:07:55 +0000 (18:07 -0500)]
scd: Avoid double-free on error condition in scd

* scd/command.c (cmd_readkey): avoid double-free of cert


When ksba_cert_new() fails, cert will be double-freed.

Debian-Bug-Id: 773471

Original patch changed by wk to do the free only at leave.
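The "free only at leave" shape that the two double-free fixes above (sm/minip12.c and scd/command.c) converge on, as an added example; this is not GnuPG's or scd's code, and the demo_cert type, the FAIL_AT switch and the release counter are constructed for the illustration. Every resource is released at a single leave: label, so an early error branch never frees something that the final cleanup frees again.

```c
/* Added example, not GnuPG/scd code: release resources exactly once at a
 * single leave: label.  demo_cert, cert_releases and FAIL_AT are
 * constructed for the demo. */
#include <stdlib.h>
#include <string.h>

struct demo_cert
{
  unsigned char *der;
  size_t derlen;
};

/* Number of cert releases performed; lets a caller verify "exactly once". */
static int cert_releases;

static struct demo_cert *
demo_cert_new (void)
{
  return calloc (1, sizeof (struct demo_cert));
}

static void
demo_cert_release (struct demo_cert *cert)
{
  if (!cert)
    return;                       /* NULL is a no-op, like free(NULL) */
  cert_releases++;
  free (cert->der);
  free (cert);
}

/* Stand-in for a READKEY-style handler: DER is copied into a new cert and
 * a key blob is derived from it.  FAIL_AT forces an error at the given
 * step (0 = no forced failure) so every exit path can be exercised.
 * Returns 0 on success, -1 on error.  On every path each resource is
 * freed exactly once, at leave:. */
static int
demo_readkey (const unsigned char *der, size_t derlen, int fail_at)
{
  int err = 0;
  struct demo_cert *cert = NULL;
  unsigned char *keyblob = NULL;

  cert = demo_cert_new ();
  if (!cert)
    {
      err = -1;
      goto leave;
    }

  /* The buggy "before" shape released CERT right here on failure and then
   * fell through to the release at leave:, freeing it a second time. */
  if (fail_at == 1 || !derlen)
    {
      err = -1;
      goto leave;
    }

  cert->der = malloc (derlen);
  if (!cert->der)
    {
      err = -1;
      goto leave;
    }
  memcpy (cert->der, der, derlen);
  cert->derlen = derlen;

  keyblob = malloc (derlen);
  if (!keyblob || fail_at == 2)
    {
      err = -1;
      goto leave;
    }
  memcpy (keyblob, cert->der, derlen);   /* "extract" the key: demo only */

 leave:
  free (keyblob);                 /* free(NULL) is harmless */
  demo_cert_release (cert);
  return err;
}

/* Run demo_readkey on a constructed 4-byte input and report how many
 * cert releases happened: 1 for success and for each forced failure. */
static int
demo_release_count (int fail_at)
{
  static const unsigned char der[] = { 0x30, 0x02, 0x05, 0x00 };

  cert_releases = 0;
  demo_readkey (der, sizeof der, fail_at);
  return cert_releases;
}
```

The release helper treats NULL as a no-op for the same reason free() does: once every pointer starts out NULL and is only freed at leave:, a path that never allocated a resource needs no special-casing.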

4 years ago  avoid future chance of using uninitialized memory
Daniel Kahn Gillmor [Fri, 19 Dec 2014 22:53:36 +0000 (17:53 -0500)]
avoid future chance of using uninitialized memory

* common/iobuf.c: (iobuf_open): initialize len


In iobuf_open, IOBUFCTRL_DESC and IOBUFCTRL_INIT commands are invoked
(via file_filter()) on fcx, passing in a pointer to an uninitialized

With these two commands, file_filter doesn't actually do anything with
the value of len, so there's no actual risk of use of uninitialized
memory in the code as it stands.

However, some static analysis tools might flag this situation with a
warning, and initializing the value doesn't hurt anything, so I think
this trivial cleanup is warranted.

Debian-Bug-Id: 773469

4 years ago  avoid double-close in unusual dotlock situations
Daniel Kahn Gillmor [Fri, 19 Dec 2014 22:12:37 +0000 (17:12 -0500)]
avoid double-close in unusual dotlock situations

* common/dotlock.c: (dotlock_create_unix) avoid double-close()
in unusual situations.


close(2) says:

    close() should not be retried after an EINTR since this may
    cause a reused descriptor from another thread to be closed.

Before this patch was applied, if close(fd) failed with EINTR, it
would be closed again in the write_failed: block.

It could also have been closed a second time in the case that
(use_hardlinks_p (h->tname)) evaluated to something other than 0 or 1.

This patch avoids both of those scenarios.

Note that close() could still be called twice on the same file
descriptor if the first close(fd) fails but errno is not EINTR.  I'm
not sure the right thing to do in that scenario.  An alternate
resolution could be to unequivocally set fd to -1 after the first
failed close(fd), avoiding the errno == EINTR test.

Debian-Bug-Id: 773423
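The alternate resolution the commit message floats, invalidating the descriptor variable after the first close() attempt regardless of errno, as an added example; this is not GnuPG's dotlock code. close_once, write_lock_demo, the close-call counter and the temp-file path are constructed for the demo, and write_lock_demo only mimics the shape of a lock-file writer with a shared cleanup block.

```c
/* Added example, not GnuPG/dotlock code: close a descriptor exactly once.
 * The descriptor variable is set to -1 on the first close() attempt,
 * whatever errno says, so a later cleanup block cannot close it again.
 * close_calls, write_lock_demo and the temp path are constructed. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Counts real close(2) invocations so a caller can verify "exactly once". */
static int close_calls;

/* Close *FDP if it is open and store -1 so it can never be closed again.
 * Returns 0 on success or when already closed, -1 on failure with errno
 * set.  Per close(2) the descriptor is released even when close() fails
 * with EINTR, so EINTR is reported as success and is never retried. */
static int
close_once (int *fdp)
{
  int fd = *fdp;
  int rc;

  if (fd < 0)
    return 0;
  *fdp = -1;                      /* invalidate before the call */
  close_calls++;
  rc = close (fd);
  if (rc && errno == EINTR)
    rc = 0;
  return rc;
}

/* Same shape as a lock-file writer with a shared cleanup block: the
 * success path closes FD and the cleanup path closes it as well.  With
 * close_once the second site is a no-op instead of a double close. */
static int
write_lock_demo (const char *tname)
{
  int rc = -1;
  int fd = open (tname, O_WRONLY | O_CREAT | O_TRUNC, 0600);

  if (fd < 0)
    return -1;
  if (write (fd, "pid\n", 4) != 4)
    goto leave;
  if (close_once (&fd))           /* a real failure here is an error */
    goto leave;
  rc = 0;

 leave:
  close_once (&fd);               /* cleanup: no-op when already closed */
  if (rc)
    unlink (tname);
  return rc;
}

/* Create a fresh temp file, run write_lock_demo on it and return the
 * number of close(2) calls that were made; -1 on setup failure. */
static int
demo_close_calls (void)
{
  char tname[] = "/tmp/close_once_demo.XXXXXX";
  int fd = mkstemp (tname);

  if (fd < 0)
    return -1;
  close (fd);                     /* only the unique name is needed */
  close_calls = 0;
  if (write_lock_demo (tname))
    return -1;
  unlink (tname);
  return close_calls;
}

int
main (void)
{
  printf ("close(2) calls: %d (expected 1)\n", demo_close_calls ());
  return 0;
}
```

Invalidating before calling close() rather than after matters in threaded code: once close() has returned the number may already have been handed out to another thread, so nothing after that point may look at the old value.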

4 years ago  gpgkey2ssh: clean up varargs
Daniel Kahn Gillmor [Fri, 19 Dec 2014 22:12:05 +0000 (17:12 -0500)]
gpgkey2ssh: clean up varargs

* tools/gpgkey2ssh.c (key_to_blob): ensure that va_end is called.


stdarg(3) says:
       Each invocation of va_start() must be matched by a
       corresponding invocation of va_end() in the same function.

Observed by Joshua Rogers <>

Debian-Bug-Id: 773415

4 years ago  doc: Fix memory leak in yat2m.
Werner Koch [Mon, 22 Dec 2014 11:44:13 +0000 (12:44 +0100)]
doc: Fix memory leak in yat2m.

* doc/yat2m.c (write_th): Free NAME.

Reported-by: Joshua Rogers <>
4 years ago  dirmngr: Fix memory leak.
Werner Koch [Mon, 22 Dec 2014 11:34:57 +0000 (12:34 +0100)]
dirmngr: Fix memory leak.

* dirmngr/server.c (cmd_ks_search, cmd_ks_get): Fix memory leak.

* dirmngr/ks-engine-hkp.c (ks_hkp_mark_host): Remove double check.

Reported-by: Joshua Rogers <>
Signed-off-by: Werner Koch <>
4 years ago  dirmngr: Remove un-needed check.
Werner Koch [Mon, 22 Dec 2014 11:29:32 +0000 (12:29 +0100)]
dirmngr: Remove un-needed check.

* dirmngr/crlfetch.c (crl_fetch): Check that URL is not NULL.

Reported-by: Joshua Rogers <>
  "Remove un-needed check. If 'url' were not to be true,
   http_parse_uri(parse_uri(do_parse_uri))) would fail, leaving 'err'

In addition I added an explicit check for the URL arg not being NULL.

Signed-off-by: Werner Koch <>
4 years ago  dirmngr,gpgsm: Return NULL on fail
Werner Koch [Mon, 22 Dec 2014 11:16:46 +0000 (12:16 +0100)]
dirmngr,gpgsm: Return NULL on fail

* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL.
* sm/gpgsm.c (parse_keyserver_line): Ditto.

Reported-by: Joshua Rogers <>
  "If something inside the ldapserver_parse_one function failed,
   'server' would be freed, then returned, leading to a
   use-after-free.  This code is likely copied from sm/gpgsm.c, which
   was also susceptible to this bug."

Signed-off-by: Werner Koch <>
4 years ago  scd: ECDH Support.
NIIBE Yutaka [Mon, 22 Dec 2014 00:27:00 +0000 (09:27 +0900)]
scd: ECDH Support.

* agent/divert-scd.c (divert_pkdecrypt): Support ECDH.
* scd/app-openpgp.c (get_algo_byte, store_fpr): Support ECDH.
(send_key_attr): Support ECDH.  Fix EdDSA algorithm value.
(retrieve_key_material): Initialize fields.
(get_public_key, ecc_writekey, do_writekey): Support ECDH.
(ecdh_writekey): Remove.
(do_decipher): Support ECDH.
(parse_algorithm_attribute): Support ECDH.  Fix EdDSA.


Following the gpg-agent protocol, SCDaemon's counterpart is now

4 years ago  agent: Make sure --max-cache-ttl is >= --default-cache-ttl.
Werner Koch [Fri, 19 Dec 2014 12:28:14 +0000 (13:28 +0100)]
agent: Make sure --max-cache-ttl is >= --default-cache-ttl.

* agent/gpg-agent.c (finalize_rereadable_options): New.
(main, reread_configuration): Call it.

This change should help to avoid surprising behaviour.

Signed-off-by: Werner Koch <>
4 years ago  agent: Keep the session environment for restricted connections.
Werner Koch [Fri, 19 Dec 2014 12:07:09 +0000 (13:07 +0100)]
agent: Keep the session environment for restricted connections.

* agent/command-ssh.c (setup_ssh_env): Move code to ...
* agent/gpg-agent.c (agent_copy_startup_env): .. new function.  Change
* agent/command.c (start_command_handler): Call that function for
restricted connections.

A remote connection is and should not be able to set up the local
session environment.  However, unless --keep-display is used we would
be left without an environment and thus pinentry can't be used.  The
fix is the same as used for ssh-agent connection: We use the default
environment as used at the startup of the agent.

Signed-off-by: Werner Koch <>
4 years ago  agent: Fix string prepended to remotely initiated prompts.
Werner Koch [Fri, 19 Dec 2014 11:03:38 +0000 (12:03 +0100)]
agent: Fix string prepended to remotely initiated prompts.

* agent/command.c (cmd_setkeydesc): Use %0A and not \n. Make

Signed-off-by: Werner Koch <>
4 years ago  build: Remove option to build without agent.
Werner Koch [Thu, 18 Dec 2014 08:38:41 +0000 (09:38 +0100)]
build: Remove option to build without agent.

* (build-agent): Set to yes.

4 years ago  gpgconf: Exit with failure if --launch fails.
Werner Koch [Wed, 17 Dec 2014 09:36:24 +0000 (10:36 +0100)]
gpgconf: Exit with failure if --launch fails.

* tools/gpgconf-comp.c (gc_component_launch): Return an error code.
* tools/gpgconf.c (main): Exit if launch failed.
GnuPG-bug-id: 1791