dgit.raspbian.org Git - gnupg2.git/log

Merge version 2.2.12-1+rpi1+deb10u1 and 2.2.12-1+deb10u2 to produce 2.2.12-1+rpi1+deb10u2

Merge gnupg2 (2.2.12-1+deb10u2) import into refs/heads/workingbranch

g10: Fix garbled status messages in NOTATION_DATA

* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one
--

Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong. Fixed by always using a break to
terminate the escape detection loop. Might have happened for all
status lines which may wrap.

GnuPG-bug-id: T6027
(cherry picked from commit 34c649b3601383cd11dbc76221747ec16fd68e1b)

Gbp-Pq: Topic from-master
Gbp-Pq: Name g10-Fix-garbled-status-messages-in-NOTATION_DATA.patch

gpg: accept subkeys with a good revocation but no self-sig during import

* g10/import.c (chk_self_sigs): Set the NODE_GOOD_SELFSIG flag when we
encounter a valid revocation signature. This allows import of subkey
revocation signatures, even in the absence of a corresponding subkey
binding signature.

--

This fixes the remaining test in import-incomplete.scm.

GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic import-merge-without-userid
Gbp-Pq: Name gpg-accept-subkeys-with-a-good-revocation-but-no-self-sig.patch

gpg: allow import of previously known keys, even without UIDs

* g10/import.c (import_one): Accept an incoming OpenPGP certificate that
has no user id, as long as we already have a local variant of the cert
that matches the primary key.

--

This fixes two of the three broken tests in import-incomplete.scm.

GnuPG-Bug-id: 4393
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic import-merge-without-userid
Gbp-Pq: Name gpg-allow-import-of-previously-known-keys-even-without-UI.patch

tests: add test cases for import without uid

This commit adds a test case that does the following, in order:
- Import of a primary key plus user id
- Check that import of a subkey works, without a user id present in the
imported key
- Check that import of a subkey revocation works, without a user id or
subkey binding signature present in the imported key
- Check that import of a primary key revocation works, without a user id
present in the imported key

--

Note that this test currently fails. The following changesets will
fix gpg so that the tests pass.

GnuPG-Bug-id: 4393
Signed-Off-By: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic import-merge-without-userid
Gbp-Pq: Name tests-add-test-cases-for-import-without-uid.patch

Use hkps://keys.openpgp.org as the default keyserver

As of 2.2.17, GnuPG will refuse to accept any third-party
certifications from OpenPGP certificates pulled from the keyserver
network.

The SKS keyserver network currently has at least a dozen popular
certificates which are flooded with enough unusable third-party
certifications that they cannot be retrieved in any reasonable amount
of time.

The hkps://keys.openpgp.org keyserver installation offers HKPS,
performs cryptographic validation, and by policy does not distribute
third-party certifications anyway.

It is not distributed or federated yet, unfortunately, but it is
functional, which is more than can be said for the dying SKS pool.
And given that GnuPG is going to reject all the third-party
certifications anyway, there is no clear "web of trust" rationale for
relying on the SKS pool.

One sticking point is that keys.openpgp.org does not distribute user
IDs unless the user has proven control of the associated e-mail
address. This means that on standard upstream GnuPG, retrieving
revocations or subkey updates of those certificates will fail, because
upstream GnuPG ignores any incoming certificate without a user ID,
even if it knows a user ID in the local copy of the certificate (see
https://dev.gnupg.org/T4393).

However, we have three patches in
debian/patches/import-merge-without-userid/ that together fix that
bug.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 59e8aac9d6f2ee322a753373013032bbb13e3eb3)

Gbp-Pq: Topic keyserver-cleanup
Gbp-Pq: Name Use-hkps-keys.openpgp.org-as-the-default-keyserver.patch

gpg: drop import-clean from default keyserver import options

* g10/gpg.c (main): drop IMPORT_CLEAN from the
default opt.keyserver_options.import_options
* doc/gpg.texi: reflect this change in the documentation

Given that SELF_SIGS_ONLY is already set, it's not clear what
additional benefit IMPORT_CLEAN provides. Furthermore, IMPORT_CLEAN
means that receiving an OpenPGP certificate from a keyserver will
potentially delete data that is otherwise held in the local keyring,
which is surprising to users who expect retrieval from the keyservers
to be purely additive.

GnuPG-Bug-Id: 4628
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 84bce011aaa2db19f10c1f763110e840c7b7019f)

Gbp-Pq: Topic keyserver-cleanup
Gbp-Pq: Name gpg-drop-import-clean-from-default-keyserver-import-optio.patch

dirmngr: Only use SKS pool CA for SKS pool

* dirmngr/http.c (http_session_new): when checking whether the
keyserver is the HKPS pool, check specifically against the pool name,
as ./configure might have been used to select a different default
keyserver. It makes no sense to apply Kristian's certificate
authority to anything other than the literal host
hkps.pool.sks-keyservers.net.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 3233382068b7c477907daac697164b81ae45a7f4)

Gbp-Pq: Topic keyserver-cleanup
Gbp-Pq: Name dirmngr-Only-use-SKS-pool-CA-for-SKS-pool.patch

dirmngr: Don't add system CAs for SKS HKPS pool.

* dirmngr/http.c [HTTP_USE_GNUTLS] (http_session_new): Clear
add_system_cas.

--

Cherry-picking the master commit of:
75e0ec65170b7053743406e3f3b605febcf7312a

GnuPG-bug-id: 4594
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 58e234fbeb6cc5908b69a73e50428f02e584e504)

Gbp-Pq: Topic from-2.2.18-prerelease
Gbp-Pq: Name dirmngr-Don-t-add-system-CAs-for-SKS-HKPS-pool.patch

gpg: Improve import slowness.

* g10/import.c (read_block): Avoid O(N^2) append.
(sec_to_pub_keyblock): Likewise.

--

Cherry-picking the master commit of:
33c17a8008c3ba3bb740069f9f97c7467f156b54

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit eb00a14f6d2de7c53487f39494c5cb9c0598fc96)

Gbp-Pq: Topic from-2.2.18-prerelease
Gbp-Pq: Name gpg-Improve-import-slowness.patch

gpg: Fix keyring retrieval.

* g10/keyring.c (keyring_get_keyblock): Avoid O(N^2) append.

--

Cherry-picking the master commit of:
a7a043e82555a9da984c6fb01bfec4990d904690

GnuPG-bug-id: 4592
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit b7df72d3074b72cf8b537ac87416b6b719c1b1b7)

Gbp-Pq: Topic from-2.2.18-prerelease
Gbp-Pq: Name gpg-Fix-keyring-retrieval.patch

gpg: Do not try the import fallback if the options are already used.

* g10/import.c (import_one): Check options.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 3c2cf5ea952015a441ee5701c41dadc63be60d87)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name gpg-Do-not-try-the-import-fallback-if-the-options-are-alr.patch

gpg: Fix regression in option "self-sigs-only".

* g10/import.c (read_block): Make sure KEYID is availabale also on a
pending packet.
--

Reported-by: Phil Pennock
Fixes-commit: adb120e663fc5e78f714976c6e42ae233c1990b0
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit b6effaf4669b2c3707932e3c5f2f57df886d759e)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name gpg-Fix-regression-in-option-self-sigs-only.patch

dirmngr: fix handling of HTTPS redirections during HKP

* dirmngr/ks-engine-hkp.c (send_request): Reinitialize HTTP session when
following a HTTP redirection.

--
inspired by patch from Damien Goutte-Gattat <dgouttegattat@incenp.org>

GnuPG-Bug_id: 4566
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit efb6e08ea2ca1cf2d39135d94195802cd69b9ea6)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name dirmngr-fix-handling-of-HTTPS-redirections-during-HKP.patch

gpg: Add "self-sigs-only" and "import-clean" to the keyserver options.

* g10/gpg.c (main): Change default.
--

Due to the DoS attack on the keyeservers we do not anymore default to
import key signatures. That makes the keyserver unsuable for getting
keys for the WoT but it still allows to retriev keys - even if that
takes long to download the large keyblocks.

To revert to the old behavior add

keyserver-optiions no-self-sigs-only,no-import-clean

to gpg.conf.

GnuPG-bug-id: 4607
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 23c978640812d123eaffd4108744bdfcf48f7c93)
(cherry picked from commit 2b7151b0a57f5fe7d67fd76dfa1ba7a8731642c6)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name gpg-Add-self-sigs-only-and-import-clean-to-the-keyserver-.patch

dirmngr: Avoid endless loop in case of HTTP error 503.

* dirmngr/ks-engine-hkp.c (SEND_REQUEST_EXTRA_RETRIES): New.
(handle_send_request_error): Use it for 503 and 504.
(ks_hkp_search, ks_hkp_get, ks_hkp_put): Pass a new var for
extra_tries.
--

This is a pretty stupid fix but one which works without much risk of
regressions.  We could have used the existing TRIES but in that case
the fallback to other host would have been too limited.  With the used
value we can have several fallbacks to other hosts.  Note that the
TRIES is still cumulative and not per host.

GnuPG-bug-id: 4600
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 8b113bb148f273524682252233b3c65954e1419e)
(cherry picked from commit d2e8d71251813e61b15a07637497fabe823b822c)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name dirmngr-Avoid-endless-loop-in-case-of-HTTP-error-503.patch

dirmngr: Do not rewrite the redirection for the "openpgpkey" subdomain.

* dirmngr/http.c (same_host_p): Consider certain subdomains to be the
same.
--

GnuPG-bug-id: 4603
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 37f0c55c7be3fc4912237f2bc72466aef6f8aa36)
(cherry picked from commit c9b133a54e93b7f2365b5d6b1c39ec2cc6dac8f9)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name dirmngr-Do-not-rewrite-the-redirection-for-the-openpgpkey.patch

Mention --sender in documentation

(cherry picked from commit 37b549dfe0acd362399debd7c93794eb75937402)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name Mention-sender-in-documentation.patch

dirmngr: Support the new WKD draft with the openpgpkey subdomain.

* dirmngr/server.c (proc_wkd_get): Implement new openpgpkey subdomain
method.

--
Also includes actual backport fix from
2c6d94702a676de9fadaaf003b9c80dc76c02f92

GnuPG-bug-id: 4590
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 914fa3be22bf8848a97a7dd405a040d6ef31e2fd)
(cherry picked from commit 458973f502b9a43ecf29e804a2c0c86e78f5927a)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name dirmngr-Support-the-new-WKD-draft-with-the-openpgpkey-sub.patch

gpg: Fallback to import with self-sigs-only on too large keyblocks.

* g10/import.c (import_one): Rename to ...
(import_one_real): this. Do not print and update stats on keyring
write errors.
(import_one): New. Add fallback code.
--

GnuPG-bug-id: 4591
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 3a403ab04eeb45f12b34f9d9c421dac93eaf2160)
(cherry picked from commit a1f2f38dfb2ba5ed66d3aef66fc3be9b67f9b800)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name gpg-Fallback-to-import-with-self-sigs-only-on-too-large-k.patch

gpg: New import and keyserver option "self-sigs-only"

* g10/options.h (IMPORT_SELF_SIGS_ONLY): New.
* g10/import.c (parse_import_options): Add option "self-sigs-only".
(read_block): Handle that option.
--

This option is intended to help against importing keys with many bogus
key-signatures. It has obvious drawbacks and is not a bullet-proof
solution because a self-signature can also be faked and would be
detected only later.

GnuPG-bug-id: 4591
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 15a425a1dfe60bd976b17671aa8e3d9aed12e1c0)
(cherry picked from commit adb120e663fc5e78f714976c6e42ae233c1990b0)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name gpg-New-import-and-keyserver-option-self-sigs-only.patch

gpg: Make read_block in import.c more flexible.

* g10/import.c: Change arg 'with_meta' to 'options'. Change callers.
--

This chnage allows to pass more options to read_block.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 15a425a1dfe60bd976b17671aa8e3d9aed12e1c0)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name gpg-Make-read_block-in-import.c-more-flexible.patch

tools: gpgconf: Killing order is children-first.

* tools/gpgconf-comp.c (gc_component_kill): Reverse the order.

--

Cherry-picked from master commit:
7c877f942a344e7778005840ed7f3e20ace12f4a

The order matters in a corner case; On a busy machine, there was a
race condition between gpg-agent's running KILLAGENT command and its
accepting incoming request on the socket. If a request by
gpg-connect-agent was accepted, it resulted an error by sudden
shutdown. This change of the order can remove such a race.

Here, we know backend=0 is none.

GnuPG-bug-id: 4577
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 526714806da4e50c8e683b25d76460916d58ff41)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name tools-gpgconf-Killing-order-is-children-first.patch

spelling: Fix "synchronize"

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 520f5d70e4128b61c30da2a463f6c34ca24b628e)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name spelling-Fix-synchronize.patch

Return better error code for some getinfo IPC commands.

* agent/command.c (cmd_getinfo): Return GPG_ERR_FALSE as boolean False.
* g13/server.c (cmd_getinfo): Ditto.
* sm/server.c (cmd_getinfo): Ditto.
--

GPG_ERR_FALSE was introduced with libgpg-error 1.21 and we now require
a later version for gnupg 2. Thus we can switch to this more
descriptive code.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f3251023750d6bd9023dbb8373c804d7d4540a56)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name Return-better-error-code-for-some-getinfo-IPC-commands.patch

doc/wks.texi: fix typo

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 175d194b5d6063895ecfcfed6ed2154e4a0d1421)

Gbp-Pq: Topic from-2.2.17
Gbp-Pq: Name doc-wks.texi-fix-typo.patch

dirmngr: Allow for other hash algorithms than SHA-1 in OCSP.

* dirmngr/ocsp.c (do_ocsp_request): Remove arg md.  Add args r_sigval,
r_produced_at, and r_md.  Get the hash algo from the signature and
create the context here.
(check_signature): Allow any hash algo.  Print a diagnostic if the
signature does not verify.
--

GnuPG-bug-id: 3966
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 5281ecbe3ae8364407d9831243b81d664b040805)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name dirmngr-Allow-for-other-hash-algorithms-than-SHA-1-in-OCS.patch

gpg: Allow deletion of subkeys with --delete-[secret-]key.

* common/userids.c (classify_user_id): Do not set the EXACT flag in
the default case.
* g10/export.c (exact_subkey_match_p): Make static,
* g10/delkey.c (do_delete_key): Implement subkey only deleting.
--

GnuPG-bug-id: 4457
(cherry picked from commit d9b31d3a20b89a5ad7e9a2158b6da63a9a37fa8a)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpg-Allow-deletion-of-subkeys-with-delete-secret-key.patch

agent: Stop scdaemon after reload when disable_scdaemon.

* agent/call-scd.c (agent_card_killscd): New.
* agent/gpg-agent.c (agent_sighup_action): Call agent_card_killscd.

--

GnuPG-bug-id: 4326
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 9ccdd59e4e1e0b0e3b03b288f52f3c71e86a04dd)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name agent-Stop-scdaemon-after-reload-when-disable_scdaemon.patch

gpg: Do not bail on an invalid packet in the local keyring.

* g10/keydb.c (parse_keyblock_image): Treat invalid packet special.
--

This is in particular useful to run --list-keys on a keyring with
corrupted packets. The extra flush is to keep the diagnostic close to
the regular --list-key output.

Signed-off-by: Werner Koch <wk@gnupg.org>
This is a backport from master with support for the unsupported v5 key
handling.

(cherry picked from commit 30f44957ccd1433846709911798af3da4e437900)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpg-Do-not-bail-on-an-invalid-packet-in-the-local-keyring.patch

gpg: Do not allow creation of user ids larger than our parser allows.

* g10/parse-packet.c: Move max packet lengths constants to ...
* g10/packet.h: ... here.
* g10/build-packet.c (do_user_id): Return an error if too data is too
large.
* g10/keygen.c (write_uid): Return an error for too large data.
--

This can lead to keyring corruption becuase we expect that our parser
is abale to parse packts created by us.  Test case is

  gpg --batch --passphrase 'abc' -v  \
      --quick-gen-key $(yes 'a'| head -4000|tr -d '\n')

GnuPG-bug-id: 4532
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit d32963eeb33fd3053d40a4e7071fb0e8b28a8651)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpg-Do-not-allow-creation-of-user-ids-larger-than-our-par.patch

agent: For SSH key, don't put NUL-byte at the end.

* agent/command-ssh.c (ssh_key_to_protected_buffer): Update
the length by the second call of gcry_sexp_sprint.

--

GnuPG-bug-id: 4502
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 6e39541f4f488fe59eac399bad18c465f373a784)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name agent-For-SSH-key-don-t-put-NUL-byte-at-the-end.patch

gpg: Do not delete any keys if --dry-run is passed.

* g10/delkey.c (do_delete_key): Don't delete the keyblock on dry runs.
Do not clear the ownertrust. Do not let the agent delete the key.
--

Co-authored-by: Matheus Afonso Martins Moreira
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 5c46c5f74540ad753b925b74593332ca92de47fa)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpg-Do-not-delete-any-keys-if-dry-run-is-passed.patch

gpgconf: Before --launch check that the config file is fine.

* tools/gpgconf-comp.c (gc_component_launch): Check the conf file.
* tools/gpgconf.c (gpgconf_failure): Call log_flush.
--
GnuPG-bug-id: 4497
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 3a28706cfd960ff84dda9a22aa2f160b4c2efbb5)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpgconf-Before-launch-check-that-the-config-file-is-fine.patch

doc: Do not mention gpg's deprecated --keyserver option.

--
GnuPG-bug-id: 4466

(cherry picked from commit 0d669a360c6e6729e2423534847a5ad47830bb9a)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name doc-Do-not-mention-gpg-s-deprecated-keyserver-option.patch

gpg: enable OpenPGP export of cleartext keys with comments

* g10/export.c (cleartext_secret_key_to_openpgp): ignore trailing
sublists in private-key S-expression.

--

When gpg-agent learns about a private key from its ssh-agent
interface, it stores its S-expression with the comment attached. The
export mechanism for OpenPGP keys already in cleartext was too brittle
because it would choke on these comments. This change lets it ignore
any additional trailing sublists.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gnupg-Bug-Id: 4490
(cherry picked from commit 9c704d9d46338769a66bfc6c378efeda3c4bd9ec)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpg-enable-OpenPGP-export-of-cleartext-keys-with-comments.patch

gpgconf: Support --homedir for --launch.

* tools/gpgconf-comp.c (gpg_agent_runtime_change): Simplify because
gnupg_homedir already returns abd absolute name.
(scdaemon_runtime_change): Ditto.
(dirmngr_runtime_change): Ditto.
(gc_component_launch): Support --homedir.
--

GnuPG-bug-id: 4496
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 31e26037bd727a6ee9c96ba168a55c4f9def43b6)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpgconf-Support-homedir-for-launch.patch

agent: correct length for uri and comment on 64-bit big-endian platforms

* agent/findkey.c (agent_public_key_from_file): pass size_t as int to
gcry_sexp_build_array's %b.

--

This is only a problem on big-endian systems where size_t is not the
same size as an int. It was causing failures on debian's s390x,
powerpc64, and sparc64 platforms.

There may well be other failures with %b on those platforms in the
codebase, and it probably needs an audit.

Once you have a key in private-keys-v1.d/$KEYGRIP.key with a comment
or a uri of reasonable length associated with it, this fix can be
tested with:

gpg-agent --server <<<"READKEY $KEYGRIP"

On the failing platforms, the printed comment will be of length 0.

Gnupg-bug-id: 4501
Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 110932925ba8e0169da18d7774440f8d1fd8a344)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name agent-correct-length-for-uri-and-comment-on-64-bit-big-en.patch

doc: Minor edit for a gpg option.

--
GnuPG-bug-id: 4507

(cherry picked from commit 49a679eb3596ef273afacb49ef9044c4a063694b)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name doc-Minor-edit-for-a-gpg-option.patch

gpg: Do not print a hint to use the deprecated --keyserver option.

* g10/keyserver.c (keyserver_search): Remove a specialized error
message.
--

Dirmngr comes with a default keyserver and the suggestion to use
gpg --keyserver
is not good because that option is deprecated. An error message
"No keyserver available" is sufficient.

GnuPG-bug-id: 4512
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 8d645f1d1f2b0f4e2d3b72f2a585acac4bdd8846)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpg-Do-not-print-a-hint-to-use-the-deprecated-keyserver-o.patch

g10: Fix possible null dereference.

* g10/armor.c (armor_filter): Access ->d in the internal loop.

--

Cherry-picked master commit of:
802a2aa300bad3d4385d17a2deeb0966da4e737d

GnuPG-bug-id: 4494
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 5b22d2c400890fc366ccb7ca74ee886d9cef22a3)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name g10-Fix-possible-null-dereference.patch

gpg: Change update_keysig_packet to replace SHA-1 by SHA-256.

* g10/sign.c (update_keysig_packet): Convert digest algo when needed.
--

Several gpg commands try to keep most properties of a key signature
when updating (i.e. creating a new version of a key signature).  This
included the use of the current hash-algorithm.  This patch changes
this so that SHA-1 or RMD160 are replaced by SHA-256 if
possible (i.e. for RSA signatures).  Affected commands are for example
--quick-set-expire and --quick-set-primary-uid.

GnuPG-bug-id: 4508
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit c1dc7a832921fdf5686d377f33db78707c0345e2)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpg-Change-update_keysig_packet-to-replace-SHA-1-by-SHA-2.patch

doc: correct documentation for gpgconf --kill

* doc/tools.texi(gpgconf): Correct documentation for gpgconf --kill.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 9662538be6afc8beee0f2654f9a8f234c5dac016)
(cherry picked from commit be116f871dbf14dd44d3a7909c2a052f8979c480)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name doc-correct-documentation-for-gpgconf-kill.patch

dirmngr: Add a CSRF expection for pm.me

--

Also comment typo fix.

(cherry picked from commit 7c4029110ab45d02e746ddcc13a87952ca0099f5)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name dirmngr-Add-a-CSRF-expection-for-pm.me.patch

doc: Minor doc fix to dirmngr.

--

Reported-by: dkg
(cherry picked from commit 781d2c5c8995b92e58fcf344fa8931523583f537)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name doc-Minor-doc-fix-to-dirmngr.patch

gpg: Use just the addrspec from the Signer's UID.

* g10/parse-packet.c (parse_signature): Take only the addrspec from a
Signer's UID subpacket.
--

This is to address a problem in the currentr OpenKeychain which put
the entire UID into the subpacket. For example our Tofu code can only
use the addrspec and not the entire UID.

Reported-by: Wiktor Kwapisiewicz <wiktor@metacode.biz>
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 05204b72497db093f5d2da4a2446c0264a946296)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpg-Use-just-the-addrspec-from-the-Signer-s-UID.patch

g10: Fix double free when locating by mbox

* g10/getkey.c (get_best_pubkey_byname): Set new.uid always
to NULL after use.

--
pubkey_cmp is not guranteed to set new.uid.
So if the diff < 0 case is reached best is set to new.

If then diff > 0 is reached without modifying new.uid
e.g. if the key has no matching mboxes. new.uid is
free'd even though the uid is still referenced in
best.

GnuPG-Bug-Id: T4462
(cherry picked from commit e57954ed278cb5e6e725005b1ecaf7ce70006ce0)
(cherry picked from commit 35899dc2903b118620e6f9f0fa6b21c8568abbf1)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name g10-Fix-double-free-when-locating-by-mbox.patch

gpg: Accept also armored data from the WKD.

* g10/keyserver.c (keyserver_import_wkd): Clear NO_ARMOR.
--

We may even adjust the specs to allow that. It should not be a
problem for any OpenPGP implementation because armored keys are very
common and de-armoring code is de-facto a mandatory feature.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit dc4c7f65e32a0cddc075d06fa0132e099bcb6455)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpg-Accept-also-armored-data-from-the-WKD.patch

gpg: Set a limit of 5 to the number of keys imported from the WKD.

* g10/import.c (import): Limit the number of considered keys to 5.
(import_one): Return the first fingerprint in case of WKD.
--

The Web Key Directory should carry only one key.  However, some
providers like to put old or expired keys also into the WKD.  I don't
thunk that this is a good idea but I heard claims that this is needed
for them to migrate existing key data bases.

This patch puts a limit on 5 on it (we had none right now) and also
fixes the issue that gpg could not work immediately with the requested
key because the code uses the fingerprint of the key to use the
imported key.  Now the first key is used.  On a second try (w/o
accessing the WKD) the regular key selection mechanism would be in
effect.  I think this is the most conservative approach.  Let's see
whether it helps.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit e9fcb0361ab4ef1f6fb0ea235f1b15667932aba2)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpg-Set-a-limit-of-5-to-the-number-of-keys-imported-from-.patch

dirmngr: Better error code for http status 413.

* dirmngr/ks-engine-hkp.c (send_request): New case for 413.
* dirmngr/ks-engine-http.c (ks_http_fetch): Ditto.
* dirmngr/ocsp.c (do_ocsp_request): Ditto.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 0a30ce036a615bc95382e0640d185b031f8c6a63)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name dirmngr-Better-error-code-for-http-status-413.patch

g10: Fix symmetric cipher algo constant for ECDH.

* g10/ecdh.c (kek_params_table): Use CIPHER_ALGO_AES192 for
ECC strength 384, according to RFC-6637.

--

Reported-by: Trevor Bentley
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit af3efd149f555d36a455cb2ea311ff81caf5124c)
(cherry picked from commit 38c2a9a644e0bc1e2594ea437a5930982f7b8c4e)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name g10-Fix-symmetric-cipher-algo-constant-for-ECDH.patch

gpg: Don't use EdDSA algo ID for ECDSA curves.

* g10/keygen.c (ask_curve): Change algo ID to ECDSA if it changed from
an EdDSA curve.

--

(cherry picked from commit 4324560b2c0bb76a1769535c383424a042e505ae)

This change matters when it is called from ask_card_keyattr.

Some-comments-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 2f455d18ab99a1d94029d3f607ae918bd5c9fecf)

Gbp-Pq: Topic from-2.2.16
Gbp-Pq: Name gpg-Don-t-use-EdDSA-algo-ID-for-ECDSA-curves.patch

sm: Allow decryption even if expired other keys are configured.

* sm/gpgsm.c (main): Add special handling for bad keys in decrypt
mode.
--

The problem can easily be tested by adding --encrypt-to EXPIRED_KEY to
a decryption command. With that patch the errors are printed but
decryption continues and the process returns success unless other
errors occur.

GnuPG-bug-id: 4431
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 30972d21824264aef2088d30b4f2e5ce3aca889e)

Gbp-Pq: Topic from-2.2.15
Gbp-Pq: Name sm-Allow-decryption-even-if-expired-other-keys-are-config.patch

agent: Allow other ssh fingerprint algos in KEYINFO.

* agent/command.c (cmd_keyinfo): Allow for --ssh-fpr=ALGO. Default to
the standard algo.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 1c2fa8b6d747aa171bfef35a50754893aa80a562)

Gbp-Pq: Topic from-2.2.15
Gbp-Pq: Name agent-Allow-other-ssh-fingerprint-algos-in-KEYINFO.patch

wkd: New command --print-wkd-url for gpg-wks-client.

* tools/gpg-wks-client.c (aPrintWKDURL): New.
(opts): Add option.
(main): Implement.
* tools/wks-util.c (wks_cmd_print_wkd_url): New.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 2f3eebf1865a85f8c09a1c052513260ed55acec6)

Gbp-Pq: Topic from-2.2.15
Gbp-Pq: Name wkd-New-command-print-wkd-url-for-gpg-wks-client.patch

doc: Clarify option --no-keyring.

--
GnuPG-bug-id: 4424

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 7a38af6a1015a7a0b47502850cf3bfd60d61ee56)

Gbp-Pq: Topic from-2.2.15
Gbp-Pq: Name doc-Clarify-option-no-keyring.patch

wkd: New command --print-wkd-hash for gpg-wks-client.

* tools/gpg-wks-client.c (aPrintWKDHash): New.
(opts) : Add "--print-wkd-hash".
(main): Implement that command.
(proc_userid_from_stdin): New.
* tools/wks-util.c (wks_fname_from_userid): Add option HASH_ONLY.
(wks_cmd_print_wkd_hash): New.
--

GnuPG-bug-id: 4418
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 64621f1f40c31c7f453da98efb860ff8cf11edbc)

Gbp-Pq: Topic from-2.2.15
Gbp-Pq: Name wkd-New-command-print-wkd-hash-for-gpg-wks-client.patch

doc: fix formatting error

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 93782de23fe45e7f7f86140fda6de39395c3a9d8)

Gbp-Pq: Topic from-2.2.15
Gbp-Pq: Name doc-fix-formatting-error.patch

gpg: Do not bail out on v5 keys in the local keyring.

* g10/parse-packet.c (parse_key): Return GPG_ERR_UNKNOWN_VERSION
instead of invalid packet.
* g10/keydb.c (parse_keyblock_image): Do not map the unknown version
error to invalid keyring.
(keydb_search): Skip unknown version errors simlar to legacy keys.
* g10/keyring.c (keyring_rebuild_cache): Skip keys with unknown
versions.
* g10/import.c (read_block): Handle unknown version.
--

When using gpg 2.3 the local keyring may contain v5 keys. This patch
allows the use of such a keyring also with a 2.2 version which does
not support v5 keys. We will probably need some more tweaking here
but this covers the most common cases of listing keys and also
importing v5 keys.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit de70a2f377c1647417fb8a2b6476c3744a901296)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name gpg-Do-not-bail-out-on-v5-keys-in-the-local-keyring.patch

gpg: Allow import of PGP desktop exported secret keys.

* g10/import.c (NODE_TRANSFER_SECKEY): New.
(import): Add attic kludge.
(transfer_secret_keys): Add arg only_marked.
(resync_sec_with_pub_keyblock): Return removed seckeys via new arg
r_removedsecs.
(import_secret_one): New arg r_secattic.  Change to take ownership of
arg keyblock.  Implement extra secret key import logic.  Factor some
code out to ...
(do_transfer): New.
(import_matching_seckeys): New.
--

The PGP desktops exported secret keys are really stupid.  And they
even a have kind of exception in rfc4880 which does not rule that
out (section 11.2):

  [...]  Implementations SHOULD include self-signatures on any user
  IDs and subkeys, as this allows for a complete public key to be
  automatically extracted from the transferable secret key.
  Implementations MAY choose to omit the self-signatures, especially
  if a transferable public key accompanies the transferable secret
  key.

Now if they would only put the public key before the secret
key. Anyway we now have a workaround for that ugliness.

GnuPG-bug-id: 4392
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 5205512fc092c53c0a52c8379ef2a129ce6e58a9)
(cherry picked from commit 0e73214dd208fca4df26ac796416c6f25b3ae50d)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name gpg-Allow-import-of-PGP-desktop-exported-secret-keys.patch

gpg: Avoid importing secret keys if the keyblock is not valid.

* g10/keydb.h (struct kbnode_struct): Replace unused field RECNO by
new field TAG.
* g10/kbnode.c (alloc_node): Change accordingly.
* g10/import.c (import_one): Add arg r_valid.
(sec_to_pub_keyblock): Set tags.
(resync_sec_with_pub_keyblock): New.
(import_secret_one): Change return code to gpg_error_t.   Return an
error code if sec_to_pub_keyblock failed.  Resync secret keyblock.
--

When importing an invalid secret key ring for example without key
binding signatures or no UIDs, gpg used to let gpg-agent store the
secret keys anyway.  This is clearly a bug because the diagnostics
before claimed that for example the subkeys have been skipped.
Importing the secret key parameters then anyway is surprising in
particular because a gpg -k does not show the key.  After importing
the public key the secret keys suddenly showed up.

This changes the behaviour of
GnuPG-bug-id: 4392
to me more consistent but is not a solution to the actual bug.

Caution: The ecc.scm test now fails because two of the sample keys
         don't have binding signatures.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f799e9728bcadb3d4148a47848c78c5647860ea4)
(cherry picked from commit 43b23aa82be7e02414398af506986b812e2b9349)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name gpg-Avoid-importing-secret-keys-if-the-keyblock-is-not-va.patch

tests: Add sample secret key w/o binding signatures.

--

GnuPG-bug-id: 4392
(cherry picked from commit 8c20a363c221438373439cde8c242e04c1bd925e)
(cherry picked from commit 61fc831885b0860e2143587b614c5a57f8c3f45f)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name tests-Add-sample-secret-key-w-o-binding-signatures.patch

gpg: During secret key import print "sec" instead of "pub".

* g10/keyedit.c (show_basic_key_info): New arg 'print_sec'.  Remove
useless code for "sub" and "ssb".
* g10/import.c (import_one): Pass FROM_SK to show_basic_key_info.  Do
not print the first  keyinfo in FROM_SK mode.
printing.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f64477db86568bdc28c313bfeb8b95d8edf05a3c)
(cherry picked from commit db2d75f1ffede2ea77163b487a15e60249daffa0)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name gpg-During-secret-key-import-print-sec-instead-of-pub.patch

dirmngr: Add CSRF protection exception for protonmail.

* dirmngr/http.c (same_host_p): Add exception table.
--

Please: Adding entries to this table shall be an exception and not the
rule.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 134c3c16523b1a267ebdd2df6339240fd9e1e3b3)
(cherry picked from commit 557c721e787e7e6d311ccb48d8aa677123061cf5)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name dirmngr-Add-CSRF-protection-exception-for-protonmail.patch

gpg: Make invalid primary key algos obvious in key listings.

* g10/keylist.c (print_key_line): Print a warning for invalid algos.
--

Non-OpenPGP compliant keys now show a warning flag on the sec or pub
line like in:

  gpg: can't encode a 256 bit MD into a 88 bits frame, algo=8
  sec   cv25519 2019-01-30 [INVALID_ALGO]
        4239F3D606A19258E7A88C3F9A3F4F909C5034C5
  uid           [ultimate] ffffff

Instead of showing the usage flags "[CE]".  Without this patch only
the error message is printed and the reason for it was not immediately
obvious (cv25519 is encryption only but we always consider the primary
key as having the "C" flag).

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit db87132b10664718b7db6ec1dad584b54d1fb265)
(cherry picked from commit d2a7f9078a4673ec53733e4f69fd17a8f1ac962d)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name gpg-Make-invalid-primary-key-algos-obvious-in-key-listing.patch

sm: Print Yubikey attestation extensions with --dump-cert.

* sm/keylist.c (oidtranstbl): Add Yubikey OIDs.
(OID_FLAG_HEX): New.
(print_hex_extn): New.
(list_cert_raw): Make use of that flag.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 86c241a8c9a952ea8007066b70b04f435e2e483e)
(cherry picked from commit b3c8ce9e4343f1b68b9ba94bdd71b7d8e13b139a)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name sm-Print-Yubikey-attestation-extensions-with-dump-cert.patch

tests: Add "disable-scdaemon" in gpg-agent.conf.

* tests/openpgp/defs.scm: Add "disable-scdaemon".  Remove
  "scdaemon-program".
* tests/gpgme/gpgme-defs.scm, tests/gpgsm/gpgsm-defs.scm: Likewise.
* tests/inittests, tests/pkits/inittests: Add "disable-scdaemon"

--

Before this change, running "make check" accesses USB device by
scdaemon on host computer.  If there is any smartcard/token available,
it may affect test results.  Because default key choice depends on
smartcard/token availability now and existing tests have nothing about
testing smartcard/token, disabling scdaemon is good.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 64b7c6fd1945bc206cf56979633dfca8a7494374)
(cherry picked from commit 150d5452318eafa6aa800ff3b87f8f8eb35ed203)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name tests-Add-disable-scdaemon-in-gpg-agent.conf.patch

agent: Support --mode=ssh option for CLEAR_PASSPHRASE.

* agent/command.c (cmd_clear_passphrase): Add support for SSH.

--

GnuPG-bug-id: 4340
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit ae966bbe9b16ed68a51391afdde615339755e22d)
(cherry picked from commit 77a285a0a94994ee9b42289897f9bf3075c7192d)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name agent-Support-mode-ssh-option-for-CLEAR_PASSPHRASE.patch

gpgv: Improve documentation for keyring choices

* doc/gpgv.texi: Improve documentation for keyring choices

--

From the existing documentation, it's not clear whether the default
keyring will always be mixed into the set of keyrings, or whether it
will be skipped if a --keyring is present. The updated text here
attempts to describe the keyring selection logic more completely.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit a7b2a87f940dba078867c44f1f50d46211d51719)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name gpgv-Improve-documentation-for-keyring-choices.patch

sm: Don't mark a cert as de-vs compliant if it leads to SHA-1 sigs.

* sm/keylist.c (print_compliance_flags): Also check the digest_algo.
Add new arg 'cert'.
--

A certificate with algorithm sha1WithRSAEncryption can be de-vs
compliant (e.g. if the next in the chain used sha256WithRSAEncryption
to sign it and RSA is long enough) but flagging it as such is useless
because that certificate can't be used because it will create
signatures using the non-compliant SHA-1 algorithm.

Well, it could be used for encryption. But also evaluating the
key-usage flags here would make it harder for the user to understand
why certain certificates are listed as de-vs compliant and others are
not.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 2c75af9f65d15653ed1bc191f1098ae316607041)

Reworked to also pass the CERT. Note that 2.2 won't get the PK
Screening feature.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit be69bf0cbd11cb8c0d452e07066669aacc6caafa)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name sm-Don-t-mark-a-cert-as-de-vs-compliant-if-it-leads-to-SH.patch

gpgsm: default to 3072-bit keys.

* doc/gpgsm.texi, doc/howto-create-a-server-cert.texi: : update
default to 3072 bits.
* sm/certreqgen-ui.c (gpgsm_gencertreq_tty): update default to
3072 bits.
* sm/certreqgen.c (proc_parameters): update default to 3072 bits.
* sm/gpgsm.c (main): print correct default_pubkey_algo.

--

3072-bit RSA is widely considered to be 128-bit-equivalent security.
This is a sensible default in 2017.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 7955262151a5c755814dd23414e6804f79125355)
(cherry picked from commit 121286d9d1506dbaad9ba33bae2e459814fe5849)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name gpgsm-default-to-3072-bit-keys.patch

agent: Fix for suggested Libgcrypt use.

* agent/divert-scd.c (divert_pkdecrypt): Skip a flags parameter.
--

The libgcrypt docs say that a "flags" parameter should always be used
in the input of pkdecrypt. Thus we should allow that parameter also
when parsing an s-expression to figure out the algorithm for use with
scdaemon.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit a12c3a566e2e4b10bc02976a2819070877ee895c)
(cherry picked from commit 0a95b153811f36739d1b20f23920bad0bb07c68b)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name agent-Fix-for-suggested-Libgcrypt-use.patch

gpgscm: Build well even if NDEBUG defined.

* gpgscm/scheme.c (gc_reservation_failure): Fix adding ";".
[!NDEBUG] (scheme_init_custom_alloc): Don't init seserved_lineno.

--

Cherry icked from master commit of:
e140c6d4f581be1a60a34b67b16430452f3987e8

In some build environment, NDEBUG is defined (although it's
bad practice). This change supports such a situation.

GnuPG-bug-id: 3959
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 8161afb9dddaba839be92fbe9d85c05235eda825)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name gpgscm-Build-well-even-if-NDEBUG-defined.patch

gpg: Fix comparison.

* g10/gpgcompose.c (literal_name): Complain if passed zero arguments,
not one or fewer.

Signed-off-by: Neal H. Walfield <neal@walfield.org>
(cherry picked from commit 1ed21eee79749b976b4a935f2279b162634e9c5e)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name gpg-Fix-comparison.patch

scd: Distinguish cancel by user and protocol error.

* scd/apdu.h (SW_HOST_CANCELLED): New.
* scd/apdu.c (host_sw_string): Support SW_HOST_CANCELLED.
(pcsc_error_to_sw): Return SW_HOST_CANCELLED for PCSC_E_CANCELLED.
* scd/iso7816.c (map_sw): Return GPG_ERR_INV_RESPONSE for
SW_HOST_ABORTED and GPG_ERR_CANCELED for SW_HOST_CANCELLED.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 2396055c096884d521c26b76f26263a146207c24)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name scd-Distinguish-cancel-by-user-and-protocol-error.patch

common: Fix gnupg_wait_processes.

* common/exechelp-posix.c (gnupg_wait_processes): Loop for r_exitcodes
even if we already see an error.

--

The value stored by waitpid for exit code is encoded; It requires
decoded by WEXITSTATUS macro, regardless of an error.

For example, when one of processes is already exited and another is
still running, it resulted wrong value of in r_exitcodes[n].

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit eeb3da6eb717ed6a1a1069a7611eb37503e8672d)

Gbp-Pq: Topic from-2.2.14
Gbp-Pq: Name common-Fix-gnupg_wait_processes.patch

gpg: Emit an ERROR status if no key was found with --list-keys.

* g10/keylist.c (list_one): Emit status line.
--

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 140fda8c61422ec055c3f7e214cc35706c4320dd)
(cherry picked from commit 14ea581a1c040b53b0ad4c51136a7948363b1e4b)

Gbp-Pq: Topic from-2.2.13
Gbp-Pq: Name gpg-Emit-an-ERROR-status-if-no-key-was-found-with-list-ke.patch

agent: Clear bogus pinentry cache, when it causes an error.

* agent/agent.h (PINENTRY_STATUS_*): Expose to public.
(struct pin_entry_info_s): Add status.
* agent/call-pinentry.c (agent_askpin): Clearing the ->status
before the loop, let the assuan_transact set ->status. When
failure with PINENTRY_STATUS_PASSWORD_FROM_CACHE, it returns
soon.
* agent/findkey.c (unprotect): Clear the pinentry cache,
when it causes an error.

--

Cherry-picked from master commit of:
02a2633a7f0b7d91aa48ea615fb3a0edfd6ed6bb

Debian-bug-id: 919856
GnuPG-bug-id: 4348
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 9109bb9919f84d5472b7e62e84b961414a79d3c2)

Gbp-Pq: Topic from-2.2.13
Gbp-Pq: Name agent-Clear-bogus-pinentry-cache-when-it-causes-an-error.patch

dirmngr: Fix initialization of assuan's nPth hook.

* dirmngr/dirmngr.c (main): Move assuan_set_system_hooks to...
(thread_init): ... here.

--

Cherry picked master commit of:
1f8817475f59ede3f28f57edc10ba56bbdd08b49

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 7f4c3eb0a039621c564b6095ab5f810524843157)

Gbp-Pq: Topic from-2.2.13
Gbp-Pq: Name dirmngr-Fix-initialization-of-assuan-s-nPth-hook.patch

gpg: Allow generating Ed25519 key from an existing key.

* g10/misc.c (map_pk_gcry_to_openpgp): Add EdDSA mapping.
--

Due to this missing mapping a "gpg --export --full-gen-key" with
selection "13 - Existing key" did not worked for an ed25519 key.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 346a98fabe03adf2e202e36fc2aa24b1c2571154)
(cherry picked from commit 31d2a1eecaee766919b18bc42b918d9168f601f8)

Gbp-Pq: Topic from-2.2.13
Gbp-Pq: Name gpg-Allow-generating-Ed25519-key-from-an-existing-key.patch

doc: Mark keyserver-options timeout and http-proxy as obsolete.

--

(cherry picked from commit 6c000d4b78b836686e5a2789cc88a41e465e4400)
(cherry picked from commit 9fd6ba268f1fdf77cc5baa6e8fd3ab28e432e49b)

Gbp-Pq: Topic from-2.2.13
Gbp-Pq: Name doc-Mark-keyserver-options-timeout-and-http-proxy-as-obso.patch

gpg: Stop early when trying to create a primary Elgamal key.

* g10/misc.c (openpgp_pk_test_algo2): Add extra check.
--

The problem is that --key-gen --batch with a parameter file didn't
detect that Elgamal is not capable of signing and so an error was only
triggered at the time the self-signature was created. See the code
comment for details.

GnuPG-bug-id: 4329
Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit f97dc55ff1b041071bc3cbe98aa761bf77bb7ac8)
(cherry picked from commit f5d3b982e44c5cfc60e9936020102a598b635187)

Gbp-Pq: Topic from-2.2.13
Gbp-Pq: Name gpg-Stop-early-when-trying-to-create-a-primary-Elgamal-ke.patch

Silence compiler warnings new with gcc 8.

* dirmngr/dns.c: Include gpgrt.h. Silence -Warray-bounds also gcc.
* tests/gpgscm/scheme.c: Include gpgrt.h.
(Eval_Cycle): Ignore -Wimplicit-fallthrough.
--

The funny use of case and labels in the CASE macro seems confuse the
fallthrough detection.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 21fc089148678f59edb02e0e16bed65b709fb972)

Gbp-Pq: Topic from-2.2.13
Gbp-Pq: Name Silence-compiler-warnings-new-with-gcc-8.patch

wks: Do not use compression for the encrypted data.

* tools/gpg-wks-client.c (encrypt_response): Add arg -z0.
* tools/gpg-wks-server.c (encrypt_stream): Ditto.
--

If for example a server was built without the development packages of
the compression libraries installed, the server will not be able to
decrypt a request. In theory this can't happen due to the preference
system but it is just to easy to create the server's key using a
different version of gpg and then use gpg-wks-server built
differently.

For the short messages we exchange compression is not really required
and thus we better do without to make the system more robust.

Signed-off-by: Werner Koch <wk@gnupg.org>
(cherry picked from commit 70a8db0333e3c22403b3647f8b5f924f6dace719)
(cherry picked from commit 16424d8a34c7f6af1071fd19dfc180cb7d17c052)

Gbp-Pq: Topic from-2.2.13
Gbp-Pq: Name wks-Do-not-use-compression-for-the-encrypted-data.patch

fix spelling

Gbp-Pq: Name fix-spelling.patch

Make gpg-zip use tar from $PATH

Apparently there is no clean way to configure this from ./configure,
and upstream is deprecating gpg-zip anyway. So just force-set tar to
be manually "tar" (meaning, that we should look in the $PATH at
runtime).

See also https://dev.gnupg.org/T4251 and https://bugs.debian.org/913582

Gbp-Pq: Name Make-gpg-zip-use-tar-from-PATH.patch

gpg: Prefer SHA-512 and SHA-384 in personal-digest-preferences.

* g10/keygen.c (keygen_set_std_prefs): prefer SHA-512
and SHA-384 by default.

--

In 8ede3ae29a39641a2f98ad9a4cf61ea99085a892, upstream changed the
defaults for --default-preference-list to advertise a preference for
SHA-512, without touching --personal-digest-preferences. This makes
the same change for --personal-digest-preferences, since every modern
OpenPGP library supports them all.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic update-defaults
Gbp-Pq: Name gpg-Prefer-SHA-512-and-SHA-384-in-personal-digest.patch

gpg: Default to SHA-512 for all signature types on RSA keys.

* g10/main.h (DEFAULT_DIGEST_ALGO): Use SHA512 instead of SHA256 in
--gnupg mode (leave strict RFC and PGP modes alone).
* configure.ac: Do not allow disabling sha512.
* g10/misc.c (map_md_openpgp_to_gcry): Always support SHA512.

--

SHA512 is more performant on most 64-bit platforms than SHA256, and
offers a better security margin. It is also widely implemented.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic update-defaults
Gbp-Pq: Name gpg-Default-to-SHA-512-for-all-signature-types-on-RS.patch

agent: Fix cancellation handling for scdaemon.

* agent/call-scd.c (cancel_inquire): Remove.
(agent_card_pksign, agent_card_pkdecrypt, agent_card_writekey)
(agent_card_scd): Don't call cancel_inquire.

--

Since libassuan 2.1.0, cancellation command "CAN" is handled within
the library, by assuan_transact. So, cancel_inquire just caused
spurious "CAN" command to scdaemon which resulted an error.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
(cherry picked from commit 9f5e50e7c85aa8b847d38010241ed570ac114fc3)

Gbp-Pq: Topic from-master
Gbp-Pq: Name agent-Fix-cancellation-handling-for-scdaemon.patch

gpg: default to AES-256.

* g10/main.h (DEFAULT_CIPHER_ALGO): Prefer AES256 by default.

--

It's 2017, and pretty much everyone has AES-256 available. Symmetric
crypto is also rarely the bottleneck (asymmetric crypto is much more
expensive). AES-256 provides some level of protection against
large-scale decryption efforts, and longer key lengths provide a hedge
against unforseen cryptanalysis.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 73ff075204df09db5248170a049f06498cdbb7aa)

Gbp-Pq: Topic from-master
Gbp-Pq: Name gpg-default-to-AES-256.patch

gpg: default to 3072-bit RSA keys.

* agent/command.c (hlp_genkey): update help text to suggest the use of
3072 bits.
* doc/wks.texi: Make example match default generation.
* g10/keygen.c (DEFAULT_STD_KEY_PARAM): update to
rsa3072/cert,sign+rsa3072/encr, and fix neighboring comment,
(gen_rsa, get_keysize_range): update default from 2048 to 3072).
* g10/keyid.c (pubkey_string): update comment so that first example
is the default 3072-bit RSA.

--

3072-bit RSA is widely considered to be 128-bit-equivalent security.
This is a sensible default in 2017.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
(cherry picked from commit 909fbca19678e6e36968607e8a2348381da39d8c)

Gbp-Pq: Topic from-master
Gbp-Pq: Name gpg-default-to-3072-bit-RSA-keys.patch

agent: Avoid scheduled checks on socket when inotify is working.

* agent/gpg-agent.c (handle_connections): When inotify is working, we
do not need to schedule a timer to evaluate whether we control our own
socket or not.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic gpg-agent-idling
Gbp-Pq: Name agent-Avoid-scheduled-checks-on-socket-when-inotify-.patch

agent: Avoid tight timer tick when possible.

* agent/gpg-agent.c (need_tick): Evaluate whether the short-phase
handle_tick() is needed.
(handle_connections): On each cycle of the select loop, adjust whether
we should call handle_tick() or not.
(start_connection_thread_ssh, do_start_connection_thread): Signal the
main loop when the child terminates.
* agent/call-scd.c (start_scd): Call interrupt_main_thread_loop() once
the scdaemon thread context has started up.

--

With this change, an idle gpg-agent that has no scdaemon running only
wakes up once a minute (to check_own_socket).

Thanks to Ian Jackson and NIIBE Yutaka who helped me improve some of
the blocking and corner cases.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic gpg-agent-idling
Gbp-Pq: Name agent-Avoid-tight-timer-tick-when-possible.patch

agent: Allow threads to interrupt main select loop with SIGCONT.

* agent/gpg-agent.c (interrupt_main_thread_loop): New function on
non-windows platforms, allows other threads to interrupt the main loop
if there's something that the main loop might be interested in.

--

For example, the main loop might be interested in changes in program
state that affect the timers it expects to see.

I don't know how to do this on Windows platforms, but i welcome any
proposed improvements.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic gpg-agent-idling
Gbp-Pq: Name agent-Allow-threads-to-interrupt-main-select-loop-wi.patch

agent: Create framework of scheduled timers.

agent/gpg-agent.c (handle_tick): Remove intermittent call to
check_own_socket.
(tv_is_set): Add inline helper function for readability.
(handle_connections) Create general table of pending scheduled
timeouts.

--

handle_tick() does fine-grained, rapid activity. check_own_socket()
is supposed to happen at a different interval.

Mixing the two of them makes it a requirement that one interval be a
multiple of the other, which isn't ideal if there are different delay
strategies that we might want in the future.

Creating an extensible regular timer framework in handle_connections
should make it possible to have any number of cadenced timers fire
regularly, without requiring that they happen in cadences related to
each other.

It should also make it possible to dynamically change the cadence of
any regularly-scheduled timeout.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic gpg-agent-idling
Gbp-Pq: Name agent-Create-framework-of-scheduled-timers.patch

dirmngr: Avoid automatically checking upstream swdb.

* dirmngr/dirmngr.c (housekeeping_thread): Avoid automatically
checking upstream's software database. In Debian, software updates
should be handled by the distro mechanism, and additional upstream
checks only confuse the user.
* doc/dirmngr.texi: document that --allow-version-check does nothing.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic dirmngr-idling
Gbp-Pq: Name dirmngr-Avoid-automatically-checking-upstream-swdb.patch

dirmngr: Avoid need for hkp housekeeping.

* dirmngr/ks-engine-hkp.c (host_is_alive): New function. Test whether
host is alive and resurrects it if it has been dead long enough.
(select_random_host, map_host, ks_hkp_mark_host): Use host_is_alive
instead of testing hostinfo_t->dead directly.
(ks_hkp_housekeeping): Remove function, no longer needed.
* dirmngr/dirmngr.c (housekeeping_thread): Remove call to
ks_hkp_housekeeping.

--

Rather than resurrecting hosts upon scheduled resurrection times, test
whether hosts should be resurrected as they're inspected for being
dead. This removes the need for explicit housekeeping, and makes host
resurrections happen "just in time", rather than being clustered on
HOUSEKEEPING_INTERVAL seconds.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic dirmngr-idling
Gbp-Pq: Name dirmngr-Avoid-need-for-hkp-housekeeping.patch

dirmngr: hkp: Avoid potential race condition when some hosts die.

* dirmngr/ks-engine-hkp.c (select_random_host): Use atomic pass
through the host table instead of risking out-of-bounds write.

--

Multiple threads may write to hosttable[x]->dead while
select_random_host() is running. For example, a housekeeping thread
might clear the ->dead bit on some entries, or another connection to
dirmngr might manually mark a host as alive.

If one or more hosts are resurrected between the two loops over a
given table in select_random_host(), then the allocation of tbl might
not be large enough, resulting in a write past the end of tbl on the
second loop.

This change collapses the two loops into a single loop to avoid this
discrepancy: each host's "dead" bit is now only checked once.

As Werner points out, this isn't currently strictly necessary, since
npth will not switch threads unless a blocking system call is made,
and no blocking system call is made in these two loops.

However, in a subsequent change in this series, we will call a
function in this loop, and that function may sometimes write(2), or
call other functions, which may themselves block. Keeping this as a
single-pass loop avoids the need to keep track of what might block and
what might not.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Gbp-Pq: Topic dirmngr-idling
Gbp-Pq: Name dirmngr-hkp-Avoid-potential-race-condition-when-some.patch

Avoid simple memory dumps via ptrace

This avoids needing to setgid gpg-agent. It probably doesn't defend
against all possible attacks, but it defends against one specific (and
easy) one. If there are other protections we should do them too.

This will make it slightly harder to debug the agent because the
normal user won't be able to attach gdb to it directly while it runs.

The remaining options for debugging are:

* launch the agent from gdb directly
* connect gdb to a running agent as the superuser

Upstream bug: https://dev.gnupg.org/T1211

Gbp-Pq: Topic block-ptrace-on-secret-daemons
Gbp-Pq: Name Avoid-simple-memory-dumps-via-ptrace.patch