4 years ago build: Update standard build-aux files.
Werner Koch [Wed, 11 Feb 2015 17:51:00 +0000 (18:51 +0100)]
build: Update standard build-aux files.

4 years ago doc: Add another use case for --show-session-key.
Werner Koch [Wed, 11 Feb 2015 11:21:30 +0000 (12:21 +0100)]
doc: Add another use case for --show-session-key.

GnuPG-bug-id: 1835

4 years ago doc: Change remaining http links to https
Werner Koch [Wed, 11 Feb 2015 11:10:39 +0000 (12:10 +0100)]
doc: Change remaining http links to https

GnuPG-bug-id: 1830

4 years ago Use inline functions to convert buffer data to scalars.
Werner Koch [Wed, 11 Feb 2015 09:27:57 +0000 (10:27 +0100)]
Use inline functions to convert buffer data to scalars.

* common/host2net.h (buf16_to_ulong, buf16_to_uint): New.
(buf16_to_ushort, buf16_to_u16): New.
(buf32_to_size_t, buf32_to_ulong, buf32_to_uint, buf32_to_u32): New.

Commit 91b826a38880fd8a989318585eb502582636ddd8 was not enough to
avoid all sign extension on shift problems.  Hanno Böck found a case
with an invalid read due to this problem.  To fix that once and for
all almost all uses of "<< 24" and "<< 8" are changed by this patch to
use an inline function from host2net.h.

Signed-off-by: Werner Koch <>
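
The sign-extension problem this commit message describes, as an added example that is not GnuPG code: the `demo_*` helpers are hypothetical stand-ins for the host2net.h functions named above (whose bodies are not shown on this page), and the input bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs (not from the GnuPG test data). */
static const signed char   demo_in16[2] = { 0x01, -128 };   /* bytes 01 80 */
static const unsigned char demo_in32[4] = { 0x80, 0x00, 0x00, 0x10 };

/* Open-coded 16-bit read through a signed char pointer.  Both bytes
   are promoted to int before "<< 8" and "|", so a low byte >= 0x80 is
   negative and its sign bits overwrite the high byte. */
static uint64_t
open_coded_16 (const signed char *p)
{
  return (uint64_t)((p[0] << 8) | p[1]);
}

/* Open-coded 32-bit read.  Even with unsigned char the promoted
   operand of "<< 24" is a signed int, so a first byte >= 0x80 shifts
   into the sign bit.  The int32_t cast models that result without
   executing the undefined shift itself. */
static uint64_t
open_coded_32 (const unsigned char *p)
{
  int32_t v = (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
                        | ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
  return (uint64_t)v;   /* widening a negative int sign-extends */
}

/* Hypothetical helpers: read the bytes as unsigned char and widen each
   one to an unsigned type before shifting. */
static inline uint16_t
demo_buf16_to_u16 (const void *buffer)
{
  const unsigned char *p = buffer;
  return (uint16_t)(((unsigned int)p[0] << 8) | p[1]);
}

static inline uint32_t
demo_buf32_to_u32 (const void *buffer)
{
  const unsigned char *p = buffer;
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* A length check that only tests the upper bound on a signed value: a
   sign-extended length is negative and therefore passes. */
static int
upper_bound_only_ok (int64_t len, int64_t limit)
{
  return len <= limit;
}

int
main (void)
{
  printf ("16 bit: open-coded %llx, helper %x\n",
          (unsigned long long)open_coded_16 (demo_in16),
          (unsigned int)demo_buf16_to_u16 (demo_in16));
  printf ("32 bit: open-coded %llx, helper %lx\n",
          (unsigned long long)open_coded_32 (demo_in32),
          (unsigned long)demo_buf32_to_u32 (demo_in32));
  printf ("limit 1024 accepted: open-coded %d, helper %d\n",
          upper_bound_only_ok ((int64_t)open_coded_32 (demo_in32), 1024),
          upper_bound_only_ok ((int64_t)demo_buf32_to_u32 (demo_in32), 1024));
  return 0;
}
```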

4 years ago gpg: Prevent an invalid memory read using a garbled keyring.
Werner Koch [Mon, 9 Feb 2015 14:46:00 +0000 (15:46 +0100)]
gpg: Prevent an invalid memory read using a garbled keyring.

* g10/keyring.c (keyring_get_keyblock): Whitelist allowed packet
* g10/keydb.c (parse_keyblock_image): Ditto.

The keyring DB code did not reject packets which don't belong into a
keyring.  If for example the keyblock contains a literal data packet
it is expected that the processing code stops at the data packet and
reads from the input stream which is referenced from the data packets.
Obviously the keyring processing code does not and cannot do that.
However, when exporting this messes up the IOBUF and leads to an
invalid read of sizeof (int).

We now skip all packets which are not allowed in a keyring.

Reported-by: Hanno Böck <>
Test data:

  gpg2 --no-default-keyring --keyring FILE --export >/dev/null

With this unpacked data for FILE:



Signed-off-by: Werner Koch <>

4 years ago gpg: Fix a NULL-deref in export due to invalid packet lengths.
Werner Koch [Mon, 9 Feb 2015 09:54:06 +0000 (10:54 +0100)]
gpg: Fix a NULL-deref in export due to invalid packet lengths.

* g10/build-packet.c (write_fake_data): Take care of a NULL stored as
opaque MPI.

Reported-by: Hanno Böck <>
Test data:

     gpg2 --no-default-keyring --keyring FILE --export

With this unpacked data for FILE:

Version: GnuPG v2
Comment: Use "gpg --dearmor" for unpacking


Signed-off-by: Werner Koch <>

4 years ago gpg: Fix a NULL-deref due to empty ring trust packets.
Werner Koch [Mon, 9 Feb 2015 09:21:19 +0000 (10:21 +0100)]
gpg: Fix a NULL-deref due to empty ring trust packets.

* g10/parse-packet.c (parse_trust): Always allocate a packet.

Reported-by: Hanno Böck <>
Signed-off-by: Werner Koch <>
Test data:

 gpg2 --no-default-keyring --keyring FILE --export

With this unpacked data for FILE:

Version: GnuPG v2
Comment: Use "gpg --dearmor" for unpacking


4 years ago gpg-agent: Use "pinentry-basic" as fallback.
Werner Koch [Wed, 4 Feb 2015 09:09:28 +0000 (10:09 +0100)]
gpg-agent: Use "pinentry-basic" as fallback.

* common/homedir.c (get_default_pinentry_name): New.
(gnupg_module_name): Use that for the default pinentry.
(gnupg_module_name_flush_some): New.
* agent/gpg-agent.c (agent_sighup_action): Flush some module names.
* agent/call-pinentry.c (start_pinentry): Do not modify

The idea with this change is that under Windows we can install a
simple native Windows pinentry as "pinentry-basic" and a full GUI
version may then later install pinentry-gtk etc which would then
automatically be used.

Unfortunately installing another pinentry from a different package
would clobber the GnuPG core directory which is not nice.  To fix that
we would need to agree on standard installation directories for GUIs
to also look there.

Signed-off-by: Werner Koch <>

4 years ago w32: Add manifest to gpg.
Werner Koch [Tue, 3 Feb 2015 18:11:44 +0000 (19:11 +0100)]
w32: Add manifest to gpg.

* g10/ New.
* g10/gpg-w32info.rc: Add manifest.
* g10/ (EXTRA_DIST): Add manifest.
(gpg-w32info.o): Depend on manifest.
(AC_CONFIG_FILES): Add manifest.

There are no dependencies yet defined - we need to do this for the
libs first.

Signed-off-by: Werner Koch <>

4 years ago Update copyright years.
Werner Koch [Tue, 3 Feb 2015 08:12:45 +0000 (09:12 +0100)]
Update copyright years.

* common/ (W32INFO_COMPANYNAME): Change to "The GnuPG

4 years ago w32: Change default Windows install dir and add bin to PATH.
Werner Koch [Sun, 1 Feb 2015 14:35:57 +0000 (15:35 +0100)]
w32: Change default Windows install dir and add bin to PATH.

* build-aux/ (WITH_GUI): New macro.  The Windows installer is
now build by default without any GUI stuff.
* build-aux/speedo/w32/inst.nsi: Change standard installation
(AddToPath, un.RemoveFromPath): New.
(gnupginst): Add bin directory to the PATH.

Signed-off-by: Werner Koch <>

4 years ago w32: Allow for Unicode installation directory.
Werner Koch [Sun, 1 Feb 2015 14:27:32 +0000 (15:27 +0100)]
w32: Allow for Unicode installation directory.

* common/homedir.c (w32_rootdir): Use Unicode function not only for

This uses the same code we used for WindowsCE.  It has not been tested
with a Unicode requiring installation directory.

Signed-off-by: Werner Koch <>

4 years ago kbx: Fix resource leak.
Joshua Rogers [Fri, 30 Jan 2015 02:42:52 +0000 (11:42 +0900)]
kbx: Fix resource leak.

* kbx/keybox-update.c (blob_filecopy): Fix resource leak.  On error
return, 'fp' and 'newfp' were never closed.


Signed-off-by: Joshua Rogers <>
[Log entry reformatted, and added more fixes - gniibe]

4 years ago agent: Fix use of imported but unprotected openpgp keys.
Werner Koch [Thu, 29 Jan 2015 15:26:07 +0000 (16:26 +0100)]
agent: Fix use of imported but unprotected openpgp keys.

* agent/agent.h (PRIVATE_KEY_OPENPGP_NONE): New.
* agent/command.c (do_one_keyinfo): Implement it.
* agent/findkey.c (agent_key_from_file): Ditto.
(agent_key_info_from_file): Ditto.
(agent_delete_key): Ditto.
* agent/protect.c (agent_private_key_type): Add detection for openpgp
"none" method.

Signed-off-by: Werner Koch <>

4 years ago po: Update Japanese Translation.
NIIBE Yutaka [Thu, 29 Jan 2015 06:00:30 +0000 (15:00 +0900)]
po: Update Japanese Translation.

4 years ago gpg: Limit the size of key packets to a sensible value.
Werner Koch [Wed, 28 Jan 2015 19:32:28 +0000 (20:32 +0100)]
gpg: Limit the size of key packets to a sensible value.

* g10/parse-packet.c (MAX_KEY_PACKET_LENGTH): New.
(parse_key): Limit the size of a key packet to 256k.
(parse_user_id): Use macro for the packet size limit.
(parse_attribute): Ditto.
(parse_comment): Ditto.

Without that it is possible to force gpg to allocate large amounts of
memory by using a badly encoded MPI.  This would be a too easy DoS.
Another way to mitigate would be to change the MPI read function to
allocate memory dynamically while reading the MPI.  However, that
complicates and possibly slows down the code.  A too large key packet
is in any case a sign for broken data and thus gpg should not use it.

Reported-by: Hanno Böck
GnuPG-bug-id: 1823
Signed-off-by: Werner Koch <>
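
A length cap applied before allocation, as this commit message describes, shown as an added example that is not GnuPG's parser: it reads an OpenPGP new-format packet length and refuses anything above 256k before calling malloc. `DEMO_MAX_KEY_PACKET_LENGTH`, the `demo_*` functions, the error codes and the sample packets are hypothetical or constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_MAX_KEY_PACKET_LENGTH (256 * 1024)   /* the 256k limit */

enum { DEMO_TRUNCATED = -1, DEMO_UNSUPPORTED = -2, DEMO_TOO_LARGE = -3,
       DEMO_NOMEM = -4 };

/* Constructed length headers; P points at the length octets that
   follow the packet tag. */
static const unsigned char demo_small[]      = { 0x03, 'k', 'e', 'y' };
static const unsigned char demo_huge[]       = { 0xff, 0x7f, 0xff, 0xff, 0xff };
static const unsigned char demo_at_limit[]   = { 0xff, 0x00, 0x04, 0x00, 0x00 };
static const unsigned char demo_over_limit[] = { 0xff, 0x00, 0x04, 0x00, 0x01 };
static const unsigned char demo_partial[]    = { 0xe0, 0x00 };

/* Decode a new-format body length (one, two or five octets). */
static int
demo_parse_length (const unsigned char *p, size_t avail,
                   uint32_t *r_len, size_t *r_used)
{
  if (avail < 1)
    return DEMO_TRUNCATED;
  if (p[0] < 192)
    {
      *r_len = p[0];
      *r_used = 1;
      return 0;
    }
  if (p[0] < 224)
    {
      if (avail < 2)
        return DEMO_TRUNCATED;
      *r_len = ((uint32_t)(p[0] - 192) << 8) + p[1] + 192;
      *r_used = 2;
      return 0;
    }
  if (p[0] == 255)
    {
      if (avail < 5)
        return DEMO_TRUNCATED;
      *r_len = ((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16)
               | ((uint32_t)p[3] << 8) | (uint32_t)p[4];
      *r_used = 5;
      return 0;
    }
  return DEMO_UNSUPPORTED;   /* partial body length: not for key packets */
}

/* Copy the body of a key packet.  The claimed length is checked against
   the cap and against the bytes actually present before any memory is
   allocated, so a forged header cannot drive the allocation size. */
static int
demo_read_key_body (const unsigned char *p, size_t avail,
                    unsigned char **r_body, uint32_t *r_len)
{
  uint32_t len;
  size_t used;
  int rc;

  *r_body = NULL;
  *r_len = 0;
  rc = demo_parse_length (p, avail, &len, &used);
  if (rc)
    return rc;
  if (len > DEMO_MAX_KEY_PACKET_LENGTH)
    return DEMO_TOO_LARGE;
  if (len > avail - used)
    return DEMO_TRUNCATED;
  *r_body = malloc (len ? len : 1);
  if (!*r_body)
    return DEMO_NOMEM;
  memcpy (*r_body, p + used, len);
  *r_len = len;
  return 0;
}

/* Returns the body length on success or a negative DEMO_ code. */
static long
demo_try (const unsigned char *p, size_t avail)
{
  unsigned char *body;
  uint32_t len;
  int rc = demo_read_key_body (p, avail, &body, &len);

  free (body);
  return rc ? rc : (long)len;
}

int
main (void)
{
  printf ("small=%ld huge=%ld at_limit=%ld over_limit=%ld partial=%ld\n",
          demo_try (demo_small, sizeof demo_small),
          demo_try (demo_huge, sizeof demo_huge),
          demo_try (demo_at_limit, sizeof demo_at_limit),
          demo_try (demo_over_limit, sizeof demo_over_limit),
          demo_try (demo_partial, sizeof demo_partial));
  return 0;
}
```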

4 years ago gpg: Fix buffering problem in --list-config.
Werner Koch [Wed, 28 Jan 2015 19:12:21 +0000 (20:12 +0100)]
gpg: Fix buffering problem in --list-config.

* g10/gpg.c (list_config): Replace print_sanitized_string2 by

* common/stringhelp.c (print_sanitized_buffer2): Remove.
(print_sanitized_buffer, print_sanitized_utf8_buffer): Remove.
(print_sanitized_utf8_buffer, print_sanitized_utf8_string): Remove.
(print_sanitized_string): Remove.

* sm/certdump.c (print_dn_part, print_dn_parts): Remove arg FP.
(pretty_print_sexp, gpgsm_print_name2, gpgsm_print_name): Remove.

Mixing stdio and estream is never a good idea.  This fix also allows
us to remove a lot of garbage.

Reported-by: Jason A. Donenfeld <>
GnuPG-bug-id: 1822
Signed-off-by: Werner Koch <>

4 years ago Add a hook to be called right after main.
Werner Koch [Wed, 28 Jan 2015 18:57:22 +0000 (19:57 +0100)]
Add a hook to be called right after main.

* common/init.c (early_system_init): New stub function.

Signed-off-by: Werner Koch <>

4 years ago gpg: Allow predefined names as answer to the keygen.algo prompt.
Werner Koch [Wed, 28 Jan 2015 08:11:02 +0000 (09:11 +0100)]
gpg: Allow predefined names as answer to the keygen.algo prompt.

* g10/keygen.c (ask_algo): Add list of strings.

Signed-off-by: Werner Koch <>

4 years ago agent: Add some extra robustness to extract_private_key
Werner Koch [Tue, 27 Jan 2015 09:22:47 +0000 (10:22 +0100)]
agent: Add some extra robustness to extract_private_key

* agent/cvt-openpgp.c (extract_private_key): Add arg "arraysize".
Make sure that R_FLAGS and R_CURVE are set to NULL.

Given that extract_private_key is not file local it is good to have some
extra asserts to protect against future wrong use.

Signed-off-by: Werner Koch <>

4 years ago scd: Fix varargs call for 64-bit arch on ECC keys.
NIIBE Yutaka [Wed, 28 Jan 2015 02:24:29 +0000 (11:24 +0900)]
scd: Fix varargs call for 64-bit arch on ECC keys.

* scd/app-openpgp.c (store_fpr): Remove CARD_VERSION from the
(rsa_writekey): Follow the change.
(do_genkey): Likewise.
(ecc_writekey): Likewise.  Cast to size_t.


KEYTOCARD caused SEGV of scdaemon on 64-bit arch.  That's because
int is 32-bit, but size_t is 64-bit.

4 years ago gpg: Fix segv introduced to commit 4d7c9b0.
Werner Koch [Tue, 27 Jan 2015 08:11:13 +0000 (09:11 +0100)]
gpg: Fix segv introduced to commit 4d7c9b0.

* g10/keygen.c (get_parameter_passphrase): Take care of R == NULL.

Signed-off-by: Werner Koch <>

4 years ago agent: Fix agent_public_key_from_file for ECC.
NIIBE Yutaka [Tue, 27 Jan 2015 00:30:11 +0000 (09:30 +0900)]
agent: Fix agent_public_key_from_file for ECC.

* agent/cvt-openpgp.c (extract_private_key): New.
(convert_to_openpgp): Use extract_private_key.
* agent/findkey.c (agent_public_key_from_file): Use


This patch adds support of ECC key with a curve name and flags.  Since
same functionality is also needed for convert_to_openpgp, it was
factored out into the extract_private_key function.

4 years ago sm: Simplify fix ed8383c6
Werner Koch [Mon, 26 Jan 2015 16:56:52 +0000 (17:56 +0100)]
sm: Simplify fix ed8383c6

* sm/minip12.c (p12_build): Release PWBUF only at the end.

Suggested-by: Eygene Ryabinkin <>
Signed-off-by: Werner Koch <>

4 years ago ccid: Remove incorrect expression leading to errors.
Joshua Rogers [Fri, 23 Jan 2015 16:03:33 +0000 (03:03 +1100)]
ccid: Remove incorrect expression leading to errors.

* scd/ccid-driver.c (send_escape_cmd): Fix setting of 'rc'.

Variable 'rc' in send_escape_cmd was overwritten before it was
returned, leading to incorrect computation.

Signed-off-by: Joshua Rogers <>
[Log entry reformatted - wk]

(cherry picked from commit 3d9f8bf1dc0c7165a5d2a31568ed425d2dc3b91e)

4 years ago gpgconf: Fix validity check for UINT32 values.
Werner Koch [Fri, 23 Jan 2015 14:37:51 +0000 (15:37 +0100)]
gpgconf: Fix validity check for UINT32 values.

* tools/gpgconf-comp.c (option_check_validity): Enable check for

Reported-by: Günther Noack <>
This is actually a bug which inhibited the checking of values of type

Signed-off-by: Werner Koch <>

4 years ago gpg,sm: Remove unnecessary duplicated checks
Werner Koch [Fri, 23 Jan 2015 14:30:03 +0000 (15:30 +0100)]
gpg,sm: Remove unnecessary duplicated checks


Reported-by: Günther Noack <>

4 years ago doc: Fix some typos and add missing options.
Werner Koch [Thu, 22 Jan 2015 16:49:55 +0000 (17:49 +0100)]
doc: Fix some typos and add missing options.


GnuPG-bug-id: 1602

I added options shown with --help but missing in the man page.
However, --help won't show everything listed in the man page and
frankly there are even more options not listed anywhere (to see them
use --dump-options).

4 years ago gpg: Improve skipping of PGP-2 keys.
Werner Koch [Thu, 22 Jan 2015 15:36:28 +0000 (16:36 +0100)]
gpg: Improve skipping of PGP-2 keys.

* g10/keydb.c (keydb_search_first, keydb_search_next): Skip legacy
* g10/keyring.c (keyring_get_keyblock): Handle GPG_ERR_LEGACY_KEY.
(prepare_search): Ditto.
(keyring_rebuild_cache): Skip legacy keys.
* g10/keyserver.c (keyidlist): Ditto.
* g10/trustdb.c (validate_key_list): Ditto.

This is not the most elegant way to handle it but it reduces the
chance for unwanted side effects.

GnuPG-bug-id: 1816
Signed-off-by: Werner Koch <>

4 years ago gpg: Add dedicated error code for PGP-2 keys.
Werner Koch [Thu, 22 Jan 2015 11:14:48 +0000 (12:14 +0100)]
gpg: Add dedicated error code for PGP-2 keys.

* g10/parse-packet.c (parse_key): Return GPG_ERR_LEGACY_KEY for PGP2
* g10/import.c (read_block): Simplify by checking GPG_ERR_LEGACY_KEY.
* g10/getkey.c (lookup): Silence error message for PGP-2 keys.

* common/util.h (GPG_ERR_LEGACY_KEY): Add replacement for older

Signed-off-by: Werner Koch <>

4 years ago gpg: Replace remaining old error code macros by GPG_ERR_.
Werner Koch [Thu, 22 Jan 2015 11:06:11 +0000 (12:06 +0100)]
gpg: Replace remaining old error code macros by GPG_ERR_.

* g10/gpg.h (g10_errstr): Remove macro and change all occurrences by
(G10ERR_): Remove all macros and change all occurrences by their
GPG_ERR_ counterparts.

Signed-off-by: Werner Koch <>

4 years ago gpg: Remove an unused variable.
Werner Koch [Thu, 22 Jan 2015 08:45:45 +0000 (09:45 +0100)]
gpg: Remove an unused variable.

* g10/getkey.c (getkey_ctx_s): Remove last_rc.

4 years ago dirmngr: Fix TLS build problems.
Werner Koch [Wed, 21 Jan 2015 14:54:06 +0000 (15:54 +0100)]
dirmngr: Fix TLS build problems.

* dirmngr/ (AM_CFLAGS): Add flags for TLS libs.

This should fix
GnuPG-bug-id: 1813.

4 years ago gpg: Support --passphrase with --quick-gen-key.
Werner Koch [Wed, 21 Jan 2015 11:42:14 +0000 (12:42 +0100)]
gpg: Support --passphrase with --quick-gen-key.

* g10/keygen.c: Include shareddefs.h.
(quick_generate_keypair): Support static passphrase.
(get_parameter_passphrase): New.
(do_generate_keypair): Use it.

Signed-off-by: Werner Koch <>

4 years ago gpg: Re-enable the "Passphrase" parameter for batch key generation.
Werner Koch [Wed, 21 Jan 2015 10:31:20 +0000 (11:31 +0100)]
gpg: Re-enable the "Passphrase" parameter for batch key generation.

* agent/command.c (cmd_genkey): Add option --inq-passwd.
* agent/genkey.c (agent_genkey): Add new arg override_passphrase.
* g10/call-agent.c (inq_genkey_parms): Handle NEWPASSWD keyword.
(agent_genkey): Add arg optional arg "passphrase".
* g10/keygen.c (common_gen, gen_elg, gen_dsa, gen_ecc)
(gen_rsa, do_create): Add arg "passphrase" and pass it through.
(do_generate_keypair): Make use of pPASSPHRASE.
(release_parameter_list): Wipe out a passphrase parameter.

Signed-off-by: Werner Koch <>

4 years ago artwork: Crop and rename the commonly used logo.
Werner Koch [Tue, 20 Jan 2015 16:06:50 +0000 (17:06 +0100)]
artwork: Crop and rename the commonly used logo.


4 years ago kbx: Minor cleanup for the previous fix.
Werner Koch [Mon, 19 Jan 2015 13:58:06 +0000 (14:58 +0100)]
kbx: Minor cleanup for the previous fix.

* kbx/keybox-search.c (blob_get_keyid): Rename to
blob_get_first_keyid. Check number of keys and remove blob type check.

There is no need to check the blob type.  We already know that it is a
key blob type and keyids are used for X.509 and OpenPGP.  Also added
check for number of keys because the other parser functions do it as

Signed-off-by: Werner Koch <>

4 years ago kbx: Call skipfnc callback to filter out keys
Damien Goutte-Gattat [Fri, 16 Jan 2015 15:56:35 +0000 (16:56 +0100)]
kbx: Call skipfnc callback to filter out keys

* kbx/keybox-search.c (blob_get_keyid): New.
(keybox-search): Call skipfnc callback function.

This patch (tentatively) fixes
GnuPG-bug-id: 1794

The keybox_search function in kbx/keybox-search.c currently ignores
the skipfnc callback, but the validate_key_list function in
g10/trustdb.c uses such a callback to exclude ultimately trusted keys.

4 years ago Register DCO for Damien Goutte-Gattat.
Werner Koch [Mon, 19 Jan 2015 10:06:59 +0000 (11:06 +0100)]
Register DCO for Damien Goutte-Gattat.


4 years ago scd: Allow for certificates > 1024 with PC/SC.
Andreas Schwier [Fri, 18 Jul 2014 16:22:26 +0000 (18:22 +0200)]
scd: Allow for certificates > 1024 with PC/SC.

* scd/pcsc-wrapper.c (handle_transmit): Enlarge buffer to 4096 to
allow for larger certificates.


Cherry-pick from 5798673156a66f4c39e1d34e358b03539194d57c.
Forward ported from 2.0.

4 years ago po: Update the German translation.
Werner Koch [Fri, 9 Jan 2015 11:52:35 +0000 (12:52 +0100)]
po: Update the German translation.


This also fixes
GnuPG-bug-id: 1808

4 years ago dirmngr: Fix error code path of map_host.
NIIBE Yutaka [Thu, 8 Jan 2015 03:14:13 +0000 (12:14 +0900)]
dirmngr: Fix error code path of map_host.

* dirmngr/ks-engine-hkp.c (map_host): Fix error return.


In ks-engine-hkp.c on line 509 'reftbl' is freed, but it is then
used on line 511. I'm guessing this is a missing return;.

Reported-by: Joshua Rogers <>
Debian-Bug-Id: 773520

Other fixes on error added too.

4 years ago scd: fix get_public_key for OpenPGPcard v1.0.
Joshua Rogers [Sat, 20 Dec 2014 00:38:53 +0000 (11:38 +1100)]
scd: fix get_public_key for OpenPGPcard v1.0.

* scd/app-openpgp.c (get_public_key): correctly close 'fp' upon use.


Inside the get_public_key function, 'fp' was opened using popen, but
incorrectly closed using fclose.

Debian-Bug-Id: 773474

4 years ago dirmngr: fix LDAP query PATTERNS limit check.
NIIBE Yutaka [Wed, 7 Jan 2015 07:56:43 +0000 (16:56 +0900)]
dirmngr: fix LDAP query PATTERNS limit check.

* dirmngr/ldap.c (start_cert_fetch_ldap): fix ARGC limitation.


Reported-by: Joshua Rogers <>
Debian-Bug-Id: 773507

4 years ago scd: fix merge failure.
NIIBE Yutaka [Tue, 6 Jan 2015 23:15:12 +0000 (08:15 +0900)]
scd: fix merge failure.

* scd/apdu.c (pcsc_pinpad_verify): Remove wrong lines inserted by


Thanks to Joshua Rogers for reviewing and reporting.

4 years ago sm,g13: Init local vars to avoid compiler warnings.
Werner Koch [Mon, 5 Jan 2015 14:10:03 +0000 (15:10 +0100)]
sm,g13: Init local vars to avoid compiler warnings.

* sm/misc.c (transform_sigval): Init RSA_S_LEN.
* g13/mount.c (read_keyblob): Init HEADERLEN.

Not a bug but the compiler (gcc 4.9.1) can't detect that it is not
used uninitialized.

Signed-off-by: Werner Koch <>

4 years ago gpg: Remove unused args from a function.
Werner Koch [Mon, 5 Jan 2015 14:07:23 +0000 (15:07 +0100)]
gpg: Remove unused args from a function.

* g10/keyserver.c (parse_keyserver_uri): Remove args configname and
configlineno.  Change all callers.

Signed-off-by: Werner Koch <>

4 years ago gpg: Clear a possible rest of the KDF secret buffer.
Werner Koch [Mon, 5 Jan 2015 14:03:12 +0000 (15:03 +0100)]
gpg: Clear a possible rest of the KDF secret buffer.

* g10/ecdh.c (pk_ecdh_encrypt_with_shared_point): Fix order of args.

That bug has been here since the beginning.  The entire function needs
a review or to be moved to Libgcrypt.

Signed-off-by: Werner Koch <>

4 years ago build: Require automake 1.14.
Werner Koch [Mon, 5 Jan 2015 13:55:36 +0000 (14:55 +0100)]
build: Require automake 1.14.

* (AM_INIT_AUTOMAKE): Add serial-tests.

4 years ago agent: Make --allow-loopback-pinentry gpgconf changeable.
Werner Koch [Sun, 4 Jan 2015 16:19:06 +0000 (17:19 +0100)]
agent: Make --allow-loopback-pinentry gpgconf changeable.

4 years ago tools: Free variable before return
Joshua Rogers [Mon, 22 Dec 2014 13:47:50 +0000 (00:47 +1100)]
tools: Free variable before return

* tools/gpgconf-comp.c: Free 'dest_filename' before it is returned
upon error.

Signed-off-by: Joshua Rogers <>

4 years ago Register DCO for Joshua Rogers.
Werner Koch [Mon, 22 Dec 2014 13:27:33 +0000 (14:27 +0100)]
Register DCO for Joshua Rogers.


4 years ago sm: Avoid double-free on iconv failure
Daniel Kahn Gillmor [Fri, 19 Dec 2014 23:53:34 +0000 (18:53 -0500)]
sm: Avoid double-free on iconv failure

* sm/minip12.c: (p12_build) if jnlib_iconv_open fails, avoid
double-free of pwbuf.


Observed by Joshua Rogers <>, who proposed a
slightly different fix.

Debian-Bug-Id: 773472

Added fix at a second place - wk.

4 years ago scd: Avoid double-free on error condition in scd
Daniel Kahn Gillmor [Fri, 19 Dec 2014 23:07:55 +0000 (18:07 -0500)]
scd: Avoid double-free on error condition in scd

* scd/command.c (cmd_readkey): avoid double-free of cert


When ksba_cert_new() fails, cert will be double-freed.

Debian-Bug-Id: 773471

Original patch changed by wk to do the free only at leave.

4 years ago avoid future chance of using uninitialized memory
Daniel Kahn Gillmor [Fri, 19 Dec 2014 22:53:36 +0000 (17:53 -0500)]
avoid future chance of using uninitialized memory

* common/iobuf.c: (iobuf_open): initialize len


In iobuf_open, IOBUFCTRL_DESC and IOBUFCTRL_INIT commands are invoked
(via file_filter()) on fcx, passing in a pointer to an uninitialized

With these two commands, file_filter doesn't actually do anything with
the value of len, so there's no actual risk of use of uninitialized
memory in the code as it stands.

However, some static analysis tools might flag this situation with a
warning, and initializing the value doesn't hurt anything, so I think
this trivial cleanup is warranted.

Debian-Bug-Id: 773469

4 years ago avoid double-close in unusual dotlock situations
Daniel Kahn Gillmor [Fri, 19 Dec 2014 22:12:37 +0000 (17:12 -0500)]
avoid double-close in unusual dotlock situations

* common/dotlock.c: (dotlock_create_unix) avoid double-close()
 in unusual situations.


close(2) says:

 close() should not be retried after an EINTR since this  may
       cause a reused descriptor from another thread to be closed.

Before this patch was applied, if close(fd) failed with EINTR, it
would be closed again in the write_failed: block.

It could also have been closed a second time in the case that
(use_hardlinks_p (h->tname)) evaluated to something other than 0 or 1.

This patch avoids both of those scenarios.

Note that close() could still be called twice on the same file
descriptor if the first close(fd) fails but errno is not EINTR.  I'm
not sure the right thing to do in that scenario.  An alternate
resolution could be to unequivocally set fd to -1 after the first
failed close(fd), avoiding the errno == EINTR test.

Debian-Bug-Id: 773423
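
The alternate resolution mentioned in this commit message (set fd to -1 after the first close, whatever errno says), as an added example that is not the dotlock.c code: it runs the "close, then cleanup closes again" sequence with and without that guard while an unrelated descriptor is opened in between. All `demo_*` names are hypothetical.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Close *fd at most once.  The variable is set to -1 before the result
   is looked at, so no later cleanup path can close the same number
   again, whether close() failed with EINTR or with anything else. */
static int
demo_close_once (int *fd)
{
  int rc;

  if (*fd == -1)
    return 0;               /* already closed: nothing to do */
  rc = close (*fd);
  *fd = -1;
  return rc;
}

/* Returns 1 if FD refers to an open descriptor. */
static int
demo_is_open (int fd)
{
  return fd != -1 && fcntl (fd, F_GETFD) != -1;
}

/* Close a descriptor, let another part of the program obtain a new one
   (which reuses the released number), then run the cleanup path that
   closes again.  With GUARDED the second close is a no-op; without it
   the raw number is closed twice.  Returns 1 if the unrelated
   descriptor survived, 0 if it was closed by mistake, -1 if the
   scenario could not be set up. */
static int
demo_double_close_scenario (int guarded)
{
  int p[2], fd, raw, other, survived;

  if (pipe (p))
    return -1;
  fd = raw = p[0];

  if (guarded)
    demo_close_once (&fd);
  else
    close (raw);

  other = dup (p[1]);       /* lowest free number: the one just released */
  if (other != raw)
    {
      if (other != -1)
        close (other);
      close (p[1]);
      return -1;
    }

  /* Error path: the cleanup code closes "its" descriptor again. */
  if (guarded)
    demo_close_once (&fd);
  else
    close (raw);

  survived = demo_is_open (other);
  if (survived)
    close (other);
  close (p[1]);
  return survived;
}

int
main (void)
{
  printf ("unguarded: unrelated descriptor survived = %d\n",
          demo_double_close_scenario (0));
  printf ("guarded:   unrelated descriptor survived = %d\n",
          demo_double_close_scenario (1));
  return 0;
}
```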

4 years ago gpgkey2ssh: clean up varargs
Daniel Kahn Gillmor [Fri, 19 Dec 2014 22:12:05 +0000 (17:12 -0500)]
gpgkey2ssh: clean up varargs

* tools/gpgkey2ssh.c (key_to_blob) : ensure that va_end is called.


stdarg(3) says:
       Each invocation of va_start() must be matched by a
       corresponding invocation of va_end() in the same function.

Observed by Joshua Rogers <>

Debian-Bug-Id: 773415

4 years ago doc: Fix memory leak in yat2m.
Werner Koch [Mon, 22 Dec 2014 11:44:13 +0000 (12:44 +0100)]
doc: Fix memory leak in yat2m.

* doc/yat2m.c (write_th): Free NAME.

Reported-by: Joshua Rogers <>

4 years ago dirmngr: Fix memory leak.
Werner Koch [Mon, 22 Dec 2014 11:34:57 +0000 (12:34 +0100)]
dirmngr: Fix memory leak.

* dirmngr/server.c (cmd_ks_search, cmd_ks_get): Fix memory leak.

* dirmngr/ks-engine-hkp.c (ks_hkp_mark_host): Remove double check.

Reported-by: Joshua Rogers <>
Signed-off-by: Werner Koch <>

4 years ago dirmngr: Remove un-needed check.
Werner Koch [Mon, 22 Dec 2014 11:29:32 +0000 (12:29 +0100)]
dirmngr: Remove un-needed check.

* dirmngr/crlfetch.c (crl_fetch): Check that URL is not NULL.

Reported-by: Joshua Rogers <>
  "Remove un-needed check. If 'url' were not to be true,
   http_parse_uri(parse_uri(do_parse_uri))) would fail, leaving 'err'

In addition I added an explicit check for the URL arg not being NULL.

Signed-off-by: Werner Koch <>

4 years ago dirmngr,gpgsm: Return NULL on fail
Werner Koch [Mon, 22 Dec 2014 11:16:46 +0000 (12:16 +0100)]
dirmngr,gpgsm: Return NULL on fail

* dirmngr/ldapserver.c (ldapserver_parse_one): Set SERVER to NULL.
* sm/gpgsm.c (parse_keyserver_line): Ditto.

Reported-by: Joshua Rogers <>
  "If something inside the ldapserver_parse_one function failed,
   'server' would be freed, then returned, leading to a
   use-after-free.  This code is likely copied from sm/gpgsm.c, which
   was also susceptible to this bug."

Signed-off-by: Werner Koch <>

4 years ago scd: ECDH Support.
NIIBE Yutaka [Mon, 22 Dec 2014 00:27:00 +0000 (09:27 +0900)]
scd: ECDH Support.

* agent/divert-scd.c (divert_pkdecrypt): Support ECDH.
* scd/app-openpgp.c (get_algo_byte, store_fpr): Support ECDH.
(send_key_attr): Support ECDH.  Fix EdDSA algorithm value.
(retrieve_key_material): Initialize fields.
(get_public_key, ecc_writekey, do_writekey): Support ECDH.
(ecdh_writekey): Remove.
(do_decipher): Support ECDH.
(parse_algorithm_attribute): Support ECDH.  Fix EdDSA.


Following the gpg-agent protocol, SCDaemon's counter part is now

4 years ago agent: Make sure --max-cache-ttl is >= --default-cache-ttl.
Werner Koch [Fri, 19 Dec 2014 12:28:14 +0000 (13:28 +0100)]
agent: Make sure --max-cache-ttl is >= --default-cache-ttl.

* agent/gpg-agent.c (finalize_rereadable_options): New.
(main, reread_configuration): Call it.

This change should help to avoid surprising behaviour.

Signed-off-by: Werner Koch <>

4 years ago agent: Keep the session environment for restricted connections.
Werner Koch [Fri, 19 Dec 2014 12:07:09 +0000 (13:07 +0100)]
agent: Keep the session environment for restricted connections.

* agent/command-ssh.c (setup_ssh_env): Move code to ...
* agent/gpg-agent.c (agent_copy_startup_env): .. new function.  Change
* agent/command.c (start_command_handler): Call that function for
restricted connections.

A remote connection is and should not be able to setup the local
session environment.  However, unless --keep-display is used we would
be left without an environment and thus pinentry can't be used.  The
fix is the same as used for ssh-agent connection: We use the default
environment as used at the startup of the agent.

Signed-off-by: Werner Koch <>

4 years ago agent: Fix string prepended to remotely initiated prompts.
Werner Koch [Fri, 19 Dec 2014 11:03:38 +0000 (12:03 +0100)]
agent: Fix string prepended to remotely initiated prompts.

* agent/command.c (cmd_setkeydesc): Use %0A and not \n. Make

Signed-off-by: Werner Koch <>

4 years ago build: Remove option to build without agent.
Werner Koch [Thu, 18 Dec 2014 08:38:41 +0000 (09:38 +0100)]
build: Remove option to build without agent.

* (build-agent): Set to yes.

4 years ago gpgconf: Exit with failure if --launch fails.
Werner Koch [Wed, 17 Dec 2014 09:36:24 +0000 (10:36 +0100)]
gpgconf: Exit with failure if --launch fails.

* tools/gpgconf-comp.c (gc_component_launch): Return an error code.
* tools/gpgconf.c (main): Exit if launch failed.
GnuPG-bug-id: 1791

4 years ago po: Update Japanese Translation.
NIIBE Yutaka [Wed, 17 Dec 2014 00:54:19 +0000 (09:54 +0900)]
po: Update Japanese Translation.


Investigated who is P.KATOH, and fixed the header, accordingly.

4 years ago Post release updates
Werner Koch [Tue, 16 Dec 2014 16:00:45 +0000 (17:00 +0100)]
Post release updates


4 years ago Release 2.1.1 gnupg-2.1.1
Werner Koch [Tue, 16 Dec 2014 14:53:28 +0000 (15:53 +0100)]
Release 2.1.1

4 years ago po: auto update
Werner Koch [Tue, 16 Dec 2014 14:52:44 +0000 (15:52 +0100)]
po: auto update


4 years ago po: Update the German translation
Werner Koch [Tue, 16 Dec 2014 14:51:48 +0000 (15:51 +0100)]
po: Update the German translation

4 years ago po: Update Czech translation
Petr Pisar [Tue, 16 Dec 2014 14:34:03 +0000 (15:34 +0100)]
po: Update Czech translation

4 years ago gpg: Show private DO information in the card status.
Werner Koch [Tue, 16 Dec 2014 12:10:09 +0000 (13:10 +0100)]
gpg: Show private DO information in the card status.

* g10/call-agent.c (agent_release_card_info): Free private_do.
(learn_status_cb): Parse PRIVATE-DO-n stati.

Reported-by: Damien Goutte-Gattat <>
Provided patch extended to release the memory.

4 years ago po: Update Russian translation
Ineiev [Tue, 16 Dec 2014 10:40:11 +0000 (11:40 +0100)]
po: Update Russian translation

4 years ago po: Update zh_TW translation
Jedi [Tue, 16 Dec 2014 10:34:39 +0000 (11:34 +0100)]
po: Update zh_TW translation

4 years ago gpg: Add sub-command "factory-reset" to --card-edit.
Werner Koch [Mon, 15 Dec 2014 16:38:40 +0000 (17:38 +0100)]
gpg: Add sub-command "factory-reset" to --card-edit.

* common/util.h (GPG_ERR_OBJ_TERM_STATE): New.
* scd/iso7816.c (map_sw): Add this error code.
* scd/app-openpgp.c (do_getattr): Return the life cycle indicator.
* scd/app.c (select_application): Allow a return value of
* scd/scdaemon.c (set_debug): Print the DBG_READER value.
* g10/call-agent.c (start_agent): Print a status line for the
termination state.
(agent_scd_learn): Make arg "info" optional.
(agent_scd_apdu): New.
* g10/card-util.c (send_apdu): New.
(factory_reset): New.
(card_edit): Add command factory-reset.

Signed-off-by: Werner Koch <>

4 years ago gpg: Fix regression in notation data regression.
Werner Koch [Mon, 15 Dec 2014 08:50:19 +0000 (09:50 +0100)]
gpg: Fix regression in notation data regression.

* g10/misc.c (pct_expando): Reorder conditions for clarity.
* g10/sign.c (write_signature_packets): Fix notation data creation.

Also re-added the check for signature version > 3.

Reported-by: MFPA
Signed-off-by: Werner Koch <>

4 years ago gpg: Avoid extra LF in notation data listing.
Werner Koch [Mon, 15 Dec 2014 08:47:21 +0000 (09:47 +0100)]
gpg: Avoid extra LF in notation data listing.

* g10/keylist.c (show_notation): Use log_printf.

4 years ago doc: Typo fixes.
Werner Koch [Sun, 14 Dec 2014 11:15:21 +0000 (12:15 +0100)]
doc: Typo fixes.


4 years ago scd: Fix possibly inhibited checkpin of the admin pin.
Werner Koch [Fri, 12 Dec 2014 19:08:45 +0000 (20:08 +0100)]
scd: Fix possibly inhibited checkpin of the admin pin.

* scd/app-openpgp.c (do_check_pin): Do not check a byte of a released

Signed-off-by: Werner Koch <>

4 years ago gpg: Let --card--status create a shadow key (card key stub).
Werner Koch [Fri, 12 Dec 2014 11:35:45 +0000 (12:35 +0100)]
gpg: Let --card--status create a shadow key (card key stub).

* agent/command.c (cmd_learn): Add option --sendinfo.
* agent/learncard.c (agent_handle_learn): Add arg "send" and send
certificate only if that is set.
* g10/call-agent.c (agent_scd_learn): Use --sendinfo.  Make INFO
(agent_learn): Remove.
* g10/keygen.c (gen_card_key): Replace agent_learn by agent_scd_learn.

The requirement of using --card-status on the first use of card on a
new box is a bit annoying but the alternative of always checking
whether a card is available before a decryption starts does not sound
promising either.

Signed-off-by: Werner Koch <>

4 years ago gpg: Fix possible read of unallocated memory
Werner Koch [Fri, 12 Dec 2014 09:41:25 +0000 (10:41 +0100)]
gpg: Fix possible read of unallocated memory

* g10/parse-packet.c (can_handle_critical): Check content length
before calling can_handle_critical_notation.

The problem was found by Jan Bee and gniibe proposed the used fix.

This bug can't be exploited: Only if the announced length of the
notation is 21 or 32 a memcmp against fixed strings using that length
would be done.  The compared data is followed by the actual signature
and thus it is highly likely that not even read of unallocated memory
will happen.  Nevertheless such a bug needs to be fixed.

Signed-off-by: Werner Koch <>

4 years ago build: Replace deprecated autoconf macro.
Werner Koch [Thu, 11 Dec 2014 14:14:44 +0000 (15:14 +0100)]
build: Replace deprecated autoconf macro.

* m4/intl.m4: s/AM_PROG_MKDIR_P/AC_PROG_MKDIR_P/
* m4/po.m4: Ditto.

In preparation of moving to automake 1.14.

GnuPG-bug-id: 1776

4 years ago dirmngr: Improve dead host detection.
Werner Koch [Mon, 8 Dec 2014 16:13:11 +0000 (17:13 +0100)]
dirmngr: Improve dead host detection.

* dirmngr/ks-engine-hkp.c (handle_send_request_error): Mark host dead
also for 2 other error messages.

4 years ago http: Improve diagnostic messages.
Werner Koch [Mon, 8 Dec 2014 16:12:23 +0000 (17:12 +0100)]
http: Improve diagnostic messages.

* common/http.c (send_request): Print TLS alert info.
(connect_server): Detect bogus DNS entry.

1. Prints the TLS alert description.

2. Detect case where the DNS returns an IP address but the server is
   not reachable at this address.  This may happen for a server which
   is reachable only at IPv6 but the local machine has no full
   IPv6 configuration.

4 years ago gpg: Obsolete some keyserver helper options.
Werner Koch [Mon, 8 Dec 2014 14:14:35 +0000 (15:14 +0100)]
gpg: Obsolete some keyserver helper options.

* g10/options.h (opt): Remove keyserver_options.other.
* g10/gpg.c (main): Obsolete option --honor-http-proxy.
* g10/keyserver.c (add_canonical_option): Replace by ...
(warn_kshelper_option): New.
(parse_keyserver_uri): Obsolete "x-broken-http".

Some of these options have been deprecated for 10 years and they do not make
any sense without the keyserver helpers.  For one we print a hint on
how to replace it:

  gpg: keyserver option 'ca-cert-file' is obsolete; \
  please use 'hkp-cacert' in dirmngr.conf

Signed-off-by: Werner Koch <>

4 years ago gpg: Add OpenPGP card vendor 0x1337.
Werner Koch [Mon, 8 Dec 2014 10:46:48 +0000 (11:46 +0100)]
gpg: Add OpenPGP card vendor 0x1337.


4 years ago dirmngr: Return a proper error for all dead hosts.
Werner Koch [Mon, 8 Dec 2014 10:13:17 +0000 (11:13 +0100)]
dirmngr: Return a proper error for all dead hosts.

* dirmngr/ks-engine-hkp.c (map_host): Change to return a gpg_error_t.
Return an error code for all dead hosts.
(make_host_part): Change to return a gpg_error_t.  Change all

The functions used to return an error code via ERRNO.  However, this
does not allow returning extra error codes in a portable way.  Thus we
change the function to directly return a gpg_error_t.

Signed-off-by: Werner Koch <>

4 years ago gpg: Write a status line for a failed --send-keys.
Werner Koch [Mon, 8 Dec 2014 10:10:11 +0000 (11:10 +0100)]
gpg: Write a status line for a failed --send-keys.

* g10/keyserver.c (keyserver_put): Write a status error.

4 years ago scd: Fix for EdDSA.
NIIBE Yutaka [Mon, 8 Dec 2014 01:21:55 +0000 (10:21 +0900)]
scd: Fix for EdDSA.

* scd/app-openpgp.c (get_algo_byte): It catches 22.
(store_fpr): It's MPI usually, but it's opaque bytes for EdDSA.

4 years ago Document no-allow-mark-trusted option
Andre Heinecke [Fri, 5 Dec 2014 10:16:14 +0000 (11:16 +0100)]
Document no-allow-mark-trusted option

    doc: Document no-allow-mark-trusted for gpg-agent

    * doc/gpg-agent.texi: Change allow-mark-trusted doc to

    Since rev. 78a56b14 allow-mark-trusted is the default option
    and was replaced by no-allow-mark-trusted to disable the
    interactive prompt.

Signed-off-by: Andre Heinecke <>

4 years ago scd: Fix for NIST P-256.
NIIBE Yutaka [Fri, 5 Dec 2014 05:20:50 +0000 (14:20 +0900)]
scd: Fix for NIST P-256.

* g10/card-util.c (card_store_subkey): Error check.
* scd/app-openpgp.c (ecc_writekey): Support NIST P-256.
(do_writekey): Error check.

4 years ago gpg: Allow import of large keys.
Werner Koch [Thu, 4 Dec 2014 09:53:10 +0000 (10:53 +0100)]
gpg: Allow import of large keys.

* g10/import.c (import): Skip too large keys.
* kbx/keybox-file.c (IMAGELEN_LIMIT): Change limit from 2MB to 5MB.

The key which triggered the problem was 0x57930DAB0B86B067.  With this
patch it can be imported.  Keys larger than the now increased limit of
5MB are skipped and the already existing not_imported counter is
bumped up.

Signed-off-by: Werner Koch <>

4 years ago indentation: Update g10/import.c
Werner Koch [Thu, 4 Dec 2014 09:45:53 +0000 (10:45 +0100)]
indentation: Update g10/import.c


4 years ago gpg: Remove option aliases --[no-]throw-keyid and --notation-data.
Werner Koch [Wed, 3 Dec 2014 10:28:10 +0000 (11:28 +0100)]
gpg: Remove option aliases --[no-]throw-keyid and --notation-data.

* g10/gpg.c (opts): Remove them.
* g10/options.h (opt): s/throw_keyid/throw_keyids/ and change users.

See mails starting

4 years ago agent: Replace some sprintf.
Werner Koch [Tue, 2 Dec 2014 13:13:53 +0000 (14:13 +0100)]
agent: Replace some sprintf.

* agent/call-scd.c (agent_card_pksign): Replace sprintf by bin2hex.
* agent/command-ssh.c (ssh_identity_register): Ditto.
* agent/pkdecrypt.c (agent_pkdecrypt): Replace sprintf by

Signed-off-by: Werner Koch <>

4 years ago tools: Improve watchgnupg portability.
Werner Koch [Mon, 1 Dec 2014 14:55:28 +0000 (15:55 +0100)]
tools: Improve watchgnupg portability.

* (AC_CHECK_HEADERS): Check for
* tools/watchgnupg.c: Include it.

It seems is quite limited and requires
the use sys/select.h instead of unistd.h et al.

4 years ago gpg: Fix export bug using exact search with only one key in the keybox.
Werner Koch [Mon, 1 Dec 2014 10:54:51 +0000 (11:54 +0100)]
gpg: Fix export bug using exact search with only one key in the keybox.

* g10/export.c (do_export_stream): Disable caching.
* g10/keyserver.c (keyidlist): Ditto.

GnuPG-bug-id: 1774

4 years ago scd: Implement socket redirection.
Werner Koch [Mon, 1 Dec 2014 09:45:06 +0000 (10:45 +0100)]
scd: Implement socket redirection.

* scd/scdaemon.c (ENAMETOOLONG): New.
(redir_socket_name): New.
(cleanup): Take care of a redirected socket.
(main): Pass redir_socket_name to create_server_socket.
(create_socket_name): Remove superfluous length check.
(create_server_socket): Add arg r_redir_name and implement
redirection.  Replace assert for older Assuan by an error message.

Signed-off-by: Werner Koch <>