2020-09-03  Werner Koch  <wk@gnupg.org>

	Release 2.2.23.
	+ commit e234d04c3c91cd4e84cb5790a131bf6a8b6733c4


	gpg: Fix AEAD preference list overflow.
	+ commit aeb8272ca8aad403a4baac33b8d5673719cfd8f0
	* g10/getkey.c (fixup_uidnode): Increase size of prefs array.

2020-09-02  Werner Koch  <wk@gnupg.org>

	gpg: Fix segv importing certain keys.
	+ commit 896c528ba0555443cca81b3f091f761e70c698cd
	* g10/key-check.c (key_check_all_keysigs): Initialize issuer.

2020-09-01  NIIBE Yutaka  <gniibe@fsij.org>

	scd: Fix a regression for OpenPGP card.
	+ commit 0a9665187a7cbf68933b7162fb5f974177684a50
	* scd/app-openpgp.c (verify_chv2): Make sure loading keys.

2020-08-28  Werner Koch  <wk@gnupg.org>

	sm: Fix a bug in the rfc2253 parser.
	+ commit d2fe2ffd753706d07b26fbe22b17a561a2e535fc
	* sm/certdump.c (parse_dn_part): Fix parser flaw.

2020-08-27  Werner Koch  <wk@gnupg.org>

	Release 2.2.22.
	+ commit f9c120a29986e82d1179b38167ef2696dd0cc10a


	dirmngr: Print the last alert message returned by NTBTLS.
	+ commit 45499b2ca3e8f3466e725dbc381757c89a7c39bf
	* dirmngr/http.c (send_request): Print the last TLS alert.

2020-08-27  NIIBE Yutaka  <gniibe@fsij.org>

	scd: Add condition for VERIFY with 0x82.
	+ commit d2f1a0a791db3eb03c003365cbcd010bd8066edb
	* scd/app-openpgp.c (verify_chv2): Check availability of keys in
	question.

2020-08-26  Werner Koch  <wk@gnupg.org>

	build: Silence gcc warning -Wformat-zero-length.
	+ commit 0be5decc097286e3502b6a12e019d40b8caf27b4
	* configure.ac: Avoid useless gcc warning.  We use an empty string
	quite often, for example in log_printhex.

2020-08-26  NIIBE Yutaka  <gniibe@fsij.org>

	agent: Allow TERM="".
	+ commit 4c8d5eb0bdd380c412c5f5fbc2b92fe6bcea825d
	* agent/call-pinentry.c (start_pinentry): When TERM is none,
	don't send OPTION ttytype to pinentry.

2020-08-25  Ineiev  <ineiev@gnu.org>

	po: Update Russian translation.
	+ commit 00ac538e928076e1879366cdce0e57be41f6c8fb


2020-08-25  Werner Koch  <wk@gnupg.org>

	gpg: Set default keysize to rsa3072.
	+ commit 60f08969e13b2bb7f194eff80c3a275d444dc6b7
	* g10/keygen.c (DEFAULT_STD_KEY_PARAM): Change.
	(gen_rsa): Set fallback to 3072.
	(get_keysize_range): Set default to 3072.
	* doc/examples/vsnfd.prf: No more need for default-new-key-algo.

	sm: Do not require a default keyring for --gpgconf-list.
	+ commit 0847133e4cafa214c8129c245194d97c1e192cd5
	* sm/gpgsm.c (main): No default keyring for gpgconf mode.

	agent: Allow using --gpgconf-list even if HOME does not exist.
	+ commit adea5ba7e75261705ba6e9c2456207e9455677f3
	* agent/gpg-agent.c (main): Do not create directories in gpgconf mode.

2020-08-23  Werner Koch  <wk@gnupg.org>

	gpg,gpgsm: Record the creation time of a private key.
	+ commit 5ac0cf1b8198dcaac7e7abaf05c28dd413f38cad
	* sm/call-agent.c (gpgsm_agent_genkey): Pass --timestamp option.
	(gpgsm_agent_import_key): Ditto.
	* g10/call-agent.c (agent_genkey): Add arg timestamp and pass it on.
	(agent_import_key): Ditto.
	* g10/import.c (transfer_secret_keys): Pass the creation date to the
	agent.
	* g10/keygen.c (common_gen): Ditto.

	agent: Allow to pass a timestamp to genkey and import.
	+ commit 051830d7b4862b6eca6c18c9fd53b51fa1158c34
	* agent/command.c (cmd_genkey): Add option --timestamp.
	(cmd_import_key): Ditto.
	* agent/genkey.c (store_key): Add arg timestamp and change callers.
	(agent_genkey): Ditto.
	* agent/findkey.c (write_extended_private_key): Add args timestamp and
	newkey to write a Created line.
	(agent_write_private_key): Add arg timestamp.
	(agent_write_shadow_key): Ditto.
	* agent/protect-tool.c (agent_write_private_key): Ditto as dummy arg.

2020-08-22  Werner Koch  <wk@gnupg.org>

	agent: Default to extended key format.
	+ commit 5b927b7b27bddc8ee70176414690d8ca8d879b54
	* agent/gpg-agent.c (oDisableExtendedKeyFormat, oNoop): New.
	(opts): Make --enable-extended-key-format a dummy option.  Add
	disable-extended-key-format.
	(parse_rereadable_options): Implement oDisableExtendedKeyFormat.
	* agent/protect.c (agent_protect): Be safe and set use_ocb either to
	1 or 0.

	gpgtar,w32: Handle Unicode file names.
	+ commit 843890663b6c68b4361ccfbeb11a50b02d5cc13f
	* tools/gpgtar.c (oUtf8Strings): New.
	(opts): Add option --utf8-strings.
	(parse_arguments): Set option.
	* tools/gpgtar.h (opt): Add field utf8strings.
	* tools/gpgtar-create.c (name_to_utf8): New.
	(fillup_entry_w32): Use that.
	(scan_directory): Ditto.
	(scan_directory) [W32]: Convert file name to utf8.
	(gpgtar_create): Convert pattern.

	common: Use gpgrt functions for mkdir and chdir if available.
	+ commit 364cef997c0ac5632152acfb7ab2330c4f289a9a
	* common/sysutils.c (gnupg_mkdir): Divert to gpgrt_mkdir.
	(gnupg_chdir): Divert to gpgrt_chdir

	common,w32: Do not assume the ANSI codepage during string conversion.
	+ commit bef68efd8da92115142005d22e9336ff798dcf4b
	* common/utf8conv.c (get_w32_codepage): New.
	(wchar_to_native): Use instead of CP_ACP.
	(native_to_wchar): Ditto.

	common: Strip trailing CR,LF from w32_strerror.
	+ commit 73b0fdabdb108880034b7730d04614d8a7cf943a
	* common/stringhelp.c (w32_strerror): Strip trailing CR,LF.
	* common/iobuf.c (iobuf_get_filelength): Use -1 and not 0 for the
	arg to w32_strerror.

2020-08-20  Werner Koch  <wk@gnupg.org>

	gpgtar: Make --files-from and --null work as described.
	+ commit 1efe99f3d9e3c6d5733cf512b7e494284a445bfa
	* tools/gpgtar-create.c (gpgtar_create): Add args files_from and
	null_names.  Improve reading from a file.
	* tools/gpgtar.c: Make global vars static.
	(main): Remove tests for --files-from and --null option combinations.
	Pass option variables to gpgtar_create.

	build: New configure option --disable-tests.
	+ commit 829bc3bc60da134841705f7d701b0870e1629b38
	* configure.ac: Add option --disable-tests.  Print warnings in the
	summary.
	(DISABLE_TESTS): New am_conditional.

	gpg: Fix regression for non-default --passphrase-repeat option.
	+ commit a4d73b1c8e2a312e78831843aa04364d7d3c8e6f
	* agent/command.c (cmd_get_passphrase): Take care of --repeat with
	--newsymkey.

2020-08-13  Werner Koch  <wk@gnupg.org>

	gpg: Ignore personal_digest_prefs for ECDSA keys.
	+ commit f0f8b124f0d2332e1c0b496df5e5f9c4b3db6bc3
	* g10/sign.c (hash_for): Simplify hash algo selection for ECDSA.

2020-08-12  Werner Koch  <wk@gnupg.org>

	common: Pass the WAYLAND_DISPLAY envvar along.
	+ commit 3cf920a1e353ceec7a3d854d5b509be417e4c801
	* common/session-env.c (stdenvnames): Add WAYLAND_DISPLAY.

2020-08-04  Werner Koch  <wk@gnupg.org>

	sm: Also show the SHA-256 fingerprint.
	+ commit 9c57de75cf36cfcf408eda1b59a0362a061517ce
	* sm/keylist.c (list_cert_colon): Emit a new "fp2" record.
	(list_cert_raw): Print the SHA2 fingerprint.
	(list_cert_std): Ditto.

2020-07-30  NIIBE Yutaka  <gniibe@fsij.org>

	w32: More adding NETLIBS.
	+ commit 8d9ce32c30db2bba5736fff5f56b7c145aaec42c
	* common/Makefile.am (t_common_ldadd): Add $(NETLIBS).

	w32: Add link to $(NETLIB) for -lws2_32.
	+ commit f95d923090e119a7a05eef13bbbc108ed98e513a
	* dirmngr/Makefile.am (dirmngr_LDADD): Add $(NETLIBS).
	* sm/Makefile.am (gpgsm_LDADD): Ditto.
	* tools/Makefile.am (gpg_wks_client_LDADD): Ditto.

2020-07-16  Werner Koch  <wk@gnupg.org>

	gpg: Do not close stdout after --export-ssh-key.
	+ commit 970e43130506186c82d528d0a4fe34725e3c8e6b
	* g10/export.c (export_ssh_key): Do not close stdout.

2020-07-15  NIIBE Yutaka  <gniibe@fsij.org>

	tools: Use internal regexp routines.
	+ commit b4cbb5f58a00fa5ac9f1282664c0adb7ecfa9e57
	* tools/gpg-check-pattern.c: Use jimregexp.h.

	regexp: Import change from JimTcl.
	+ commit 1d1f2aa94370dcb715f6ae02ea5e14eb7ec5fa98
	* regexp/jimregexp.h, regexp/jimregexp.c: Fix from JimTcl.

	regexp: Fix generation of _unicode_mapping.c.
	+ commit 8904b18822fc2203ed667844cc3885dc459dbfef
	* configure.ac (AWK_HEX_NUMBER_OPTION): Detect GNU Awk.
	* regexp/Makefile.am: Use AWK_HEX_NUMBER_OPTION.
	* regexp/parse-unidata.awk: Don't use strtonum.

	gpg: Add regular expression support.
	+ commit 199309190a0b9966445bc386747c433949d3b81e
	* AUTHORS, COPYING.other: Update.
	* Makefile.am (SUBDIRS): Add regexp sub directory.
	* configure.ac (DISABLE_REGEX): Remove.
	* g10/Makefile.am (needed_libs): Add libregexp.a.
	* g10/trustdb.c: Remove DISABLE_REGEX support.
	* regexp/LICENSE, regexp/jimregexp.c, regexp/jimregexp.h,
	  regexp/utf8.c, regexp/utf8.h: New from Jim Tcl.
	* regexp/UnicodeData.txt: New from Unicode.
	* regexp/Makefile.am, regexp/parse-unidata.awk: New.
	* tests/openpgp/Makefile.am: Remove DISABLE_REGEX support.
	* tools/Makefile.am: Remove DISABLE_REGEX support.

2020-07-13  Werner Koch  <wk@gnupg.org>

	agent: Fix regression with --newsymkey in loopback mode.
	+ commit d9ea47f702840c87431df984b9b3f7e60c9ea815
	* agent/command.c (cmd_get_passphrase): Never repeat in loopback mode;
	same as with !OPT_NEWSYMKEY.

2020-07-13  NIIBE Yutaka  <gniibe@fsij.org>

	dirmngr: Handle EAFNOSUPPORT at connect_server.
	+ commit ce793fc2f838a97cb1e92b3060337b8052f3dc3a
	* dirmngr/http.c (connect_server): Skip server with EAFNOSUPPORT.

2020-07-09  Werner Koch  <wk@gnupg.org>

	Release 2.2.21.
	+ commit be6fc39ed9b4ffd56d960e20499599c851c17b44


2020-07-08  Werner Koch  <wk@gnupg.org>

	Do not use the pinentry's qualitybar.
	+ commit b451c4f5ea672c9915e28d8dde30abc675060f06
	* agent/genkey.c (agent_ask_new_passphrase): No qualitybar.
	* g10/call-agent.c (agent_get_passphrase): Ditto.
	* sm/call-agent.c (gpgsm_agent_ask_passphrase): Ditto.

	gpg: Use integrated passphrase repeat entry also for -c.
	+ commit ae8b88c635424ef36f024d0016949d11187dc21e
	* g10/call-agent.c (agent_get_passphrase): Add arg newsymkey.
	* g10/passphrase.c (passphrase_get): Add arg newsymkey.
	(passphrase_to_dek): Pass it on.

	agent: New option --newsymkey for GET_PASSPHRASE.
	+ commit d9e2dfa4c585de7c261fde13c18bd0f82415d6c3
	* agent/call-pinentry.c (do_getpin): New.
	(agent_askpin): Use do_getpin.
	(agent_get_passphrase): Add arg pininfo.  Use do_getpin.
	* agent/genkey.c (check_passphrase_constraints): New arg no_empty.
	* agent/command.c (reenter_passphrase_cmp_cb): New.
	(cmd_get_passphrase): Add option --newsymkey.

2020-07-07  Werner Koch  <wk@gnupg.org>

	gpg: Fix flaw in symmetric algorithm selection in mixed mode.
	+ commit 7b6071a45fbf14219b6aca4fff8fa0eaf6c6dd8e
	* g10/encrypt.c (setup_symkey): Use default_cipher_algo function
	instead of the fallback s2k_cipher_algo.  Fix error code.
	(encrypt_simple): Use setup_symkey.

2020-07-03  Werner Koch  <wk@gnupg.org>

	sm: Exclude rsaPSS from de-vs compliance mode.
	+ commit 4a36adaa64311a42eb78d9e52390df489454cafb
	* common/compliance.h (PK_ALGO_FLAG_RSAPSS): New.
	* common/compliance.c (gnupg_pk_is_compliant): Add arg alog_flags and
	test rsaPSS.  Adjust all callers.
	* common/util.c (pubkey_algo_to_string): New.
	(gnupg_pk_is_allowed): Ditto.
	* sm/misc.c (gpgsm_ksba_cms_get_sig_val): New wrapper function.
	(gpgsm_get_hash_algo_from_sigval): New.
	* sm/certcheck.c (gpgsm_check_cms_signature): Change type of sigval
	arg.  Add arg pkalgoflags.  Use the PK_ALGO_FLAG_RSAPSS.
	* sm/verify.c (gpgsm_verify): Use the new wrapper and new function to
	also get the algo flags.  Pass algo flags along.  Change some of the
	info output to be more like current master.

2020-07-02  Werner Koch  <wk@gnupg.org>

	dirmngr: Silence annoying warning for missing default ldap server file.
	+ commit daca1a011b0e4ae888fd6b11253993cb3537990f
	* dirmngr/dirmngr.c (parse_ldapserver_file): Add arg ignore_enoent.
	(main): Use that arg for the default file.

	dirmngr: Fix case handling of "ldapi" scheme.
	+ commit 0795ab1c8f95831c15d4ae36d197805a26f8c899
	* dirmngr/ldap-parse-uri.c (ldap_uri_p): s/'i'/'I'.

2020-06-26  Werner Koch  <wk@gnupg.org>

	sm: Print the serial number of a cert also in decimal.
	+ commit ad6bf5d67f58dcdd76b621e77b81efa7b41ca885
	* sm/certdump.c: Include membuf.h.
	(gpgsm_print_serial_decimal): New.
	* sm/keylist.c (list_cert_raw): Print s/n also in decimal
	(list_cert_std): Ditto.

2020-06-03  Werner Koch  <wk@gnupg.org>

	doc: Minor enhancement for reproducibility.
	+ commit 5ade2b68db231c78d8ecca0eb21db2153da958d2
	* doc/Makefile.am (defsincdate): In no repo mode and with
	SOURCE_DATE_EPOCH set, use that instead of blanking the date.

	common: Add missing error code GPG_ERR_WRONG_NAME.
	+ commit 381c54179c2adefd558035f573a2029de2e1a2f7
	* configure.ac: Require libgpg-error 1.25.
	* common/util.h: Define some extra error codes.

2020-05-29  NIIBE Yutaka  <gniibe@fsij.org>

	scd: Fix condition for C5 data object for newer Yubikey.
	+ commit e285b1197b93e5114679b2ece9f10743abc715ef
	* scd/app-openpgp.c (compare_fingerprint): Relax the condition.

2020-05-21  NIIBE Yutaka  <gniibe@fsij.org>

	dirmngr: dns: Fix allocation of string buffer in stack.
	+ commit ab724d3206c8d3500ab2d982c98bad93ee550e42
	* dirmngr/dns.h (dns_strsection, dns_strclass)
	(dns_strtype): Change APIs.
	* dirmngr/dns.c (dns_p_lines): Use __dst for dns_strsection.
	(dns_rr_print): Use __dst for dns_strclass and dns_strtype.
	(dns_trace_dump): Likewise.
	(dns_ai_print): Use __dst for dns_strtype.
	(dns_strsection): Add an argument __dst for storage.
	(dns_strclass, dns_strtype): Likewise.
	(parse_packet): Use __dst for dns_strsection.
	(send_query): Use __dst for dns_strtype.
	(isection): Use __dst for dns_strsection.
	(iclass): Use __dst for dns_strclass.
	(itype): Use __dst for dns_strtype.

2020-05-12  Werner Koch  <wk@gnupg.org>

	common: Change argument order of log_printhex.
	+ commit c6324ee07a9ff2a626d6dfcc094a67b62628d42e
	* common/logging.c (log_printhex): Change order of args.  Make it
	printf alike.  Change all callers.
	* configure.ac: Add -Wno-format-zero-length

2020-04-16  Werner Koch  <wk@gnupg.org>

	sm: Always allow authorityInfoAccess lookup if CRLs are also enabled.
	+ commit aec7d136e4bdfd53709dc04e3e92f4c50135d368
	* sm/certchain.c (find_up): Disable external lookups in offline mode.
	Always allow AKI lookup if CRLs are also enabled.

	sm: Lookup missing issuers first using authorityInfoAccess.
	+ commit d57209553da7da85a369cd362aabeaef07e0bc26
	* sm/call-dirmngr.c (gpgsm_dirmngr_lookup): Add optional arg URL and
	adjust all callers.
	* sm/certchain.c (oidstr_caIssuers): New.
	(struct find_up_store_certs_s): Add additional fields.
	(find_up_store_certs_cb): Store the fingerprint.
	(find_up_via_auth_info_access): New.
	(find_up): Try the AIA URI first.

	dirmngr: Allow http URLs with "LOOKUP --url"
	+ commit 3b27c26241ee25cf75555e11d9bb463faac8237d
	* dirmngr/crlfetch.c (read_cert_via_http): New.
	(fetch_cert_by_url): Implement http scheme.

	gpg: Add missing options --no-include-key-block.
	+ commit 7dbfd92b3e231cfe111c8832ff1048305c8d2d92
	* g10/gpg.c (opts): Add it.

	gpg: Make AEAD modes subject to compliance checks.
	+ commit 37b116db20080f6e1c6ca1dec79014fecf2c3248
	* g10/decrypt-data.c (decrypt_data): Move aead algo detection up.

	gpg: Show AEAD preferences.
	+ commit ab7a0b07024c432233e691b5e4be7e32baf8d80f
	* g10/packet.h (preftype_t): Add PREFTYPE_AEAD.
	* g10/keyedit.c (show_prefs): Print AEAD preferences.
	* g10/getkey.c (fixup_uidnode): Set AEAD flags.
	(merge_selfsigs): Ditto.

	gpg: Support decryption of the new AEAD packet.
	+ commit 1dfe71c62b184c84723c5f926f2596f46ee967cf
	* common/openpgpdefs.h (aead_algo_t): New.
	(pkttype_t): Add PKT_ENCRYPTED_AEAD.
	* g10/decrypt-data.c (struct decode_filter_context_s): Add fields for
	AEAD.
	(aead_set_nonce_and_ad): New.
	(aead_checktag): New.
	(decrypt_data): Support AEAD.
	(aead_underflow): New.
	(aead_decode_filter): New.
	* g10/dek.h (DEK): Add field use_aead.  Turn use_mdc,
	algo_info_printed, and symmetric into bit flags.
	* g10/mainproc.c (struct mainproc_context): Add field
	seen_pkt_encrypted_aead.
	(release_list): Clear it.
	(have_seen_pkt_encrypted_aead): New.
	(symkey_decrypt_seskey): Support AEAD.
	(proc_symkey_enc): Ditto.
	(proc_encrypted): Ditto.
	(proc_plaintext): Ditto.
	* g10/misc.c (MY_GCRY_CIPHER_MODE_EAX): New.
	(openpgp_aead_test_algo): New.
	(openpgp_aead_algo_name): New.
	(openpgp_aead_algo_info): New.
	* g10/packet.h (PKT_symkey_enc): Add field use_aead.
	(PKT_user_id): Add field flags.aead
	(PKT_public_key): Ditto.
	(PKT_encrypted): Add fields for AEAD.
	* g10/parse-packet.c (parse): Handle PKT_ENCRYPTED_AEAD.
	(parse_symkeyenc): Support AEAD.
	(parse_encrypted): Ditto.
	(dump_sig_subpkt): Dump AEAD preference packet.
	(parse_encrypted_aead): New.

2020-04-15  Werner Koch  <wk@gnupg.org>

	gpg: Improve symmetric decryption speed by about 25%
	+ commit 144b95cc9d0f03a2fe5d91120f6b4b30f4bb8f71
	* g10/decrypt-data.c (mdc_decode_filter, decode_filter): Factor buffer
	filling code out to ...
	(fill_buffer): new.

	gpg: Reformat parts of decrypt-data.c.
	+ commit 2f39e00b6b7d2aa57cd268c579127947042a0fcf
	* g10/decrypt-data.c (struct decode_filter_context_s): Rename 'defer'
	to 'holdback' and 'defer_filled' to 'holdbacklen'.  Increase size of
	holdback to allow for future AEAD decryption.  Turn 'partial' and
	'eof_seen' into bit fields.
	(decrypt_data): Replace write_status_text by write_Status_printf.
	Indent parts of the code.

	sm,dirmngr: Restrict allowed parameters used with rsaPSS.
	+ commit ddc74f50d42370421b4802dc13df88f0ca2fcee5
	* sm/certcheck.c (extract_pss_params): Check the used PSS params.
	* dirmngr/crlcache.c (finish_sig_check): Ditto.
	* dirmngr/validate.c (check_cert_sig): Ditto.

	sm: Support rsaPSS verification also for CMS signatures.
	+ commit 24d563749f50f51841b3fd00eb615a871e45bb28
	* sm/certcheck.c (gpgsm_check_cert_sig): Factor PSS parsing out to ...
	(extract_pss_params): new.
	(gpgsm_check_cms_signature): Implement PSS.

	dirmngr: Support rsaPSS also in the general validate module.
	+ commit 8bf17eb94d0d85f34477ec0c2c0514000b6aa045
	* dirmngr/validate.c (hash_algo_from_buffer): New.
	(uint_from_buffer): New.
	(check_cert_sig): Support rsaPSS.
	* sm/certcheck.c (gpgsm_check_cert_sig): Fix small memory leak on
	error.

	sm,dirmngr: Support rsaPSS signature verification.
	+ commit 0626cc8fed340deb36f0c10e7a68afc287d0f626
	* sm/certcheck.c (hash_algo_from_buffer): New.
	(uint_from_buffer): New.
	(gpgsm_check_cert_sig): Handle PSS.
	* dirmngr/crlcache.c (hash_algo_from_buffer): New.
	(uint_from_buffer): New.
	(start_sig_check): Detect PSS and extract hash algo.  New arg to
	return a PSS flag.
	(finish_sig_check): New arg use_pss.  Extract PSS args and use them.
	(crl_parse_insert): Pass use_pss flag along.

	common: New function to map hash algo names.
	+ commit 4d37cc72b83f601118c2c6c79d9d96c85e250f7e
	* common/sexputil.c (hash_algo_to_string): New.

	scd:p15: Return a display S/N via Assuan.
	+ commit 39e2260d7e05ef2fd6ff94a1bc538cf0d640193c
	* scd/app-p15.c (make_pin_prompt): Factor some code out to ...
	(get_dispserialno): this.
	(do_getattr): Use new function for a $DISPSERIALNO.

	scd:p15: Show a pretty PIN prompt.
	+ commit beaa2cbb7f039c6ebfcfff483cfe6002a858993d
	* scd/app-p15.c (struct prkdf_object_s): New fields common_name and
	serial_number.
	(release_prkdflist): Free them.
	(keygrip_from_prkdf): Parse cert and set them.
	(any_control_or_space): New.
	(make_pin_prompt): New.
	(verify_pin): Construct a pretty PIN prompt.
	(do_sign): Remove debug output.

	scd: Return GPG_ERR_BAD_PIN on 0x63Cn status word.
	+ commit 9e6a3290dad1b19144a2b413902e9918094a2cea
	* scd/iso7816.c (map_sw): Detect 0x63Cn status code.

	scd: Factor common PIN status check out.
	+ commit 9497d25c567d4fb8b6be603b102a149060e7aa56
	* scd/iso7816.h (ISO7816_VERIFY_ERROR): New.
	(ISO7816_VERIFY_NO_PIN): New.
	(ISO7816_VERIFY_BLOCKED): New.
	(ISO7816_VERIFY_NULLPIN): New.
	(ISO7816_VERIFY_NOT_NEEDED): New.
	* scd/iso7816.c (iso7816_verify_status): New.
	* scd/app-nks.c (get_chv_status): Use new function.

	scd:p15: Fix decrypt followed by sign problem for D-Trust cards.
	+ commit 471b06e91b6ae47e1f71cd7a698763cd9d32ff12
	* scd/iso7816.c (iso7816_select_mf): New.
	* scd/app-p15.c (card_product_t): New.
	(struct app_local_s): Add field 'card_product'.
	(read_ef_tokeninfo): Detect D-Trust card.
	(prepare_verify_pin): Switch to D-Trust AID.
	(do_decipher): Restore a SE for D-Trust cards.  Change the padding
	indicator to 0x81.

	* common/percent.c (percent_data_escape): new.  Taken from master.

	scd:p15: Emit MANUFACTURER, $ENCRKEYID, $SIGNKEYID.
	+ commit 4148976841d154c94e6d1d4dcc1720908582086b
	* scd/app-p15.c (read_ef_tokeninfo): Store manufacturer_id.
	(do_getattr): Implement MANUFACTURER, $ENCRKEYID and $SIGNKEYID.
	(send_keypairinfo): Also print usage flags.

	gpg: Use the new MANUFACTURER attribute.
	+ commit 88b456bdf4e4763e8f1b718f5597d4d075d989cd
	* g10/call-agent.h (struct agent_card_info_s): Add manufacturer fields.
	* g10/call-agent.c (agent_release_card_info): Release them.
	(learn_status_cb): Parse MANUFACTURER attribute.
	* g10/card-util.c (get_manufacturer): Remove.
	(current_card_status): Use new attribute.

	scd:openpgp: New attribute "MANUFACTURER".
	+ commit 431b3e68e071d2bdc22b2c845ca929182830ddbd
	* scd/app-openpgp.c (get_manufacturer): New.
	(do_getattr): Add new attribute "MANUFACTURER".
	(do_learn_status): Always print it.

	scd:p15: Rename some variables and functions for clarity.
	+ commit b0cb2c2ab8c71738167785564698c43b50c15fee
	* scd/app-p15.c: Rename keyinfo to prkdf.


	Backported from master.  Removed the do_with_keygrip related parts
	because that function is not available.

	scd:p15: Cache the PIN.
	+ commit 133b6ff8cd0c938abbf55ba6dc50299240d247f6
	* scd/app-p15.c (struct prkdf_object_s): Add flag pin_verified.
	(verify_pin): Make use of it.

2020-04-08  NIIBE Yutaka  <gniibe@fsij.org>

	gpg: ECDH: Accept longer padding.
	+ commit 2f08a4f25df7d1cbf037bdf0d7f5c1ef5859fa1e
	* g10/pubkey-enc.c (get_it): Remove check which mandates shorter
	padding.

2020-04-01  Werner Koch  <wk@gnupg.org>

	scd:p15: Add missing keygrip retrieval for decryption.
	+ commit b95a0bfbba75025761aa163eca74c7653d76981a
	* scd/app-p15.c (do_decipher): Get the keygrip.

	scd:p15: Support decryption with CardOS 5 cards.
	+ commit 4af38ea5e450b3eb79af98b9876b2b968110a459
	* scd/app-p15.c (do_decipher): New.

	scd:p15: Factor PIN verification out to a new function.
	+ commit ce9406ca370b482c05c859d963949ae75c99cb6f
	* scd/app-p15.c (do_sign): Factor code out to ...
	(prepare_verify_pin, verify_pin): new functions.

	scd:p15: Support signing with CardOS 5 cards.
	+ commit e730444e7b7502b935bbe343935f68f764b95b96
	* scd/app-help.c (app_help_get_keygrip_string_pk): Add optional arg
	r_pkey and change all callers.
	(app_help_get_keygrip_string): Ditto.
	* scd/app-p15.c (struct cdf_object_s): Use bit flags
	(struct aodf_object_s): Ditto.  Add field 'fid'.
	(struct prkdf_object_s): Ditto.  Add fields keygrip, keyalgo, and
	keynbits.
	(parse_certid): Allow a keygrip instead of a certid aka keyref.
	(read_ef_aodf): Store the FID.
	(keygripstr_from_prkdf): Rename to ...
	(keygrip_from_prkdf): this.  Remove arg r_gripstr and implement cache.
	Change callers to directly use the values from the object.  Also store
	the algo and length of the key in the object.
	(keyref_from_keyinfo): New. Factored out code.
	(do_sign): Support SHA-256 and >2048 bit RSA keys.
	common/scd:p15: Support signing with CardOS 5 cards.
	* common/util.h (KEYGRIP_LEN): New.

	scd:p15: Read certificates in extended mode.
	+ commit 368f006a2840cd6b37caf7b4b98a16b818ac2289
	* scd/app-p15.c (readcert_by_cdf): Allow reading in extended mode.
	* scd/app-common.h (app_get_slot): New.

	scd: Add function for binary read in extended mode.
	+ commit 64142caafe5c89ad4db36b47c2dc917a9ac66a8e
	* scd/iso7816.c (iso7816_read_binary): Factor code out to ...
	(iso7816_read_binary_ext): new function.  Add arg extended_mode.

	scd:p15: Detect CardOS 5 cards and print some basic infos.
	+ commit 60b0aa7e57e787cbeca22adf77b330f753553d87
	* scd/app-p15.c (read_ef_odf): Detect the home_DF on the fly.  Silence
	the garbage warning for null bytes.
	(print_tokeninfo_tokenflags): New.
	(read_ef_tokeninfo): Print manufacturer, label, and flags.
	(app_select_p15): No need to use the app_get_slot macro.
	(CARD_TYPE_CARDOS_50): New const.
	(card_atr_list): Detect CardOS 5.0

2020-03-30  Werner Koch  <wk@gnupg.org>

	wks: Take name of sendmail from configure.
	+ commit 76d2a02dfe8f923c0d4d8ef86ca71a9ac47c243d
	* configure.ac (NAME_OF_SENDMAIL): New ac_define.
	* tools/send-mail.c (run_sendmail): Use it.

	agent: Print an error if gpg-protect reads the extended key format.
	+ commit 011a2f5fb77c7963f25550e423160507818f7a91
	* agent/protect-tool.c (read_key): Detect simple extended key format.

	sm: Fix possible NULL deref in error messages of --gen-key.
	+ commit 2b4b0b1223aab955aafa2a150fe2dbc04c210bcd
	* sm/certreqgen.c: Protect printing the line numbers in case of !R.

2020-03-27  Werner Koch  <wk@gnupg.org>

	sm: Consider certificates w/o CRL DP as valid.
	+ commit 1424c12e4c7164990797a0a1daa3db6f3329aed4
	* sm/certchain.c (is_cert_still_valid): Shortcut if there is no DP.
	* common/audit.c (proc_type_verify): Print "n/a" if a cert has no
	distribution point.
	* sm/gpgsm.h (opt): Add field enable_issuer_based_crl_check.
	* sm/gpgsm.c (oEnableIssuerBasedCRLCheck): New.
	(opts): Add option --enable-issuer-based-crl-check.
	(main): Set option.

2020-03-20  Werner Koch  <wk@gnupg.org>

	Release 2.2.20.
	+ commit 5094bb08edd48087a5aa89494fc361f0ce4f34aa
	* build-aux/speedo.mk (sign-installer): Fix syntax error.

2020-03-19  Werner Koch  <wk@gnupg.org>

	gpgconf: Take care of --homedir when reading/updating options.
	+ commit b92860a8b9d253661de0060623e920b3f58e4443
	* tools/gpgconf-comp.c (gc_component_check_options): Take care of
	--homedir.
	(retrieve_options_from_program): Ditto.

2020-03-18  NIIBE Yutaka  <gniibe@fsij.org>

	scd: Fix pinpad handling when KDF enabled.
	+ commit 133248b297a1d72897f280d8bd21081cd6ebd66c
	* scd/app-openpgp.c (do_getattr): Send the KDF DO information.

	scd: Disable pinpad if it's impossible by KDF DO.
	+ commit b27e20a95cb7af59dcaa6e59aacf52ed766be1f3
	* scd/app-openpgp.c (struct app_local_s): Add pinpad.disabled field.
	(do_getattr): Set pinpad.disabled field.
	(check_pinpad_request): Use the pinpad.disabled field.
	(do_setattr): Update pinpad.disabled field.

2020-03-18  Werner Koch  <wk@gnupg.org>

	gpg: Print a hint for --batch mode and --delete-secret-key.
	+ commit fbe318475236166b54e19d228bf9b24e442e0fa5
	* g10/delkey.c: Include shareddefs.h.
	(delete_keys): Print a hint.

	dirmngr: Improve finding OCSP cert.
	+ commit 25dc0e5b1eb02f79946a86c799c7720001a296bc
	* dirmngr/certcache.c (find_cert_bysubject): Add better debug output
	and try to locate by keyid.

2020-03-18  Daniel Kahn Gillmor  <dkg@fifthhorseman.net>

	gpg: Update --trusted-key to accept fingerprint as well as long key id.
	+ commit b6d89d1944c55f302fb797cce0e007f59aabaf54
	* g10/trustdb.c (tdb_register_trusted_key): accept fingerprint as well
	as long key ID.
	* doc/gpg.texi: document that --trusted-key can accept a fingerprint.

2020-03-18  Werner Koch  <wk@gnupg.org>
	    gniibe@fsij.org

	gpg: Fix key expiration and usage for keys created at the Epoch.
	+ commit e77f332b01f13af606ae0158dabcd644c274e456
	* g10/getkey.c (merge_selfsigs_main): Take a zero key creation time in
	account.

2020-03-14  Werner Koch  <wk@gnupg.org>

	gpg: New option --auto-key-import.
	+ commit 95b42278cafe7520d87168fb993ba715699e6bb6
	* g10/gpg.c (opts): New options --auto-key-import,
	--no-auto-key-import, and --no-include-key-block.
	(gpgconf_list): Add them.
	* g10/options.h (opt): Add field flags.auto_key_import.
	* g10/mainproc.c (check_sig_and_print): Use flag to enable that
	feature.
	* tools/gpgconf-comp.c: Give the new options a Basic config level.

	gpg: Make use of the included key block in a signature.
	+ commit b42d9f540c7484e45cfc997f77e360d0f0ec4bb9
	* g10/import.c (read_key_from_file): Rename to ...
	(read_key_from_file_or_buffer): this and add new parameters.  Adjust
	callers.
	(import_included_key_block): New.
	* g10/packet.h (PKT_signature): Add field flags.key_block.
	* g10/parse-packet.c (parse_signature): Set that flags.
	* g10/sig-check.c (check_signature2): Add parm forced_pk and change
	all callers.
	* g10/mainproc.c (do_check_sig): Ditto.
	(check_sig_and_print): Try the included key block if no key is
	available.

	gpg: New option --include-key-block.
	+ commit d79ebee64ea582da3c3be69cc23e146e2db3738b
	* common/openpgpdefs.h (SIGSUBPKT_KEY_BLOCK): New.
	* g10/gpg.c (oIncludeKeyBlock): New.
	(opts): New option --include-key-block.
	(main): Implement.
	* g10/options.h (opt): New flag include_key_block.
	* g10/parse-packet.c (dump_sig_subpkt): Support SIGSUBPKT_KEY_BLOCK.
	(parse_one_sig_subpkt): Ditto.
	(can_handle_critical): Ditto.
	* g10/sign.c (mk_sig_subpkt_key_block): New.
	(write_signature_packets): Call it for data signatures.

	gpg: Add property "fpr" for use by --export-filter.
	+ commit 2baa00ea186359f758fea5cb61aff99b09fec821
	* g10/export.c (push_export_filters): New.
	(pop_export_filters): New.
	(export_pubkey_buffer): Add args prefix and prefixlen.  Adjust
	callers.
	* g10/import.c (impex_filter_getval): Add property "fpr".
	* g10/main.h (struct impex_filter_parm_s): Add field hexfpr.

2020-02-19  NIIBE Yutaka  <gniibe@fsij.org>

	gpg: Fix default-key selection when card is available.
	+ commit 1cdd9e57f701f0d99d118d32adffe5216a94b0b2
	* g10/getkey.c (get_seckey_default_or_card): Handle the case
	when card key is not suitable for requested usage.

2020-02-19  Nick Piper  <nick.piper@cgi.com>

	doc: Correction of typo in documentation of KEY_CONSIDERED.
	+ commit 60dbe082949b13635f3f31aa03d12aa9f671c941
	(cherry picked from commit 0e1cbabc0ad4fe2ca9644fffb5cf27b1a8a1509f)

2020-02-15  Werner Koch  <wk@gnupg.org>

	gpgsm: Fix import of some CR,LF terminated certificates.
	+ commit 38f819bd6d77d068d8626bf7f5b968ff03c263af
	* common/ksba-io-support.c (base64_reader_cb): Detect the END tag and
	don't just rely on the padding chars.  This could happen only with
	CR+LF terminated PEM files.  Also move the detection into the invalid
	character detection branch for a minor parser speedup.

2020-02-10  Werner Koch  <wk@gnupg.org>

	doc: Improve the warning section of the gpg man page.
	+ commit 146dacd3b13bf5d917978313092c022641305a27
	* doc/gpg.texi: Update return value and warning sections.

	(cherry picked from commit 113a8288b85725f7726bb2952431deea745997d8)

2020-02-10  Werner Koch  <wk@gnupg.org>
	    Tomáš Mráz

	build: Always use EXTERN_UNLESS_MAIN_MODULE pattern.
	+ commit 21d9bd8b87a9f793a106095e3838eb71825189d7
	* common/util.h (EXTERN_UNLESS_MAIN_MODULE): Add the definition only
	here but now without the Norcroft-C.  Change all other places where it
	gets defined.
	* common/iobuf.h (iobuf_debug_mode): Declare unconditionally as
	extern.
	* common/iobuf.c (iobuf_debug_mode): Define it here.
	* agent/gpg-agent.c (INCLUDED_BY_MAIN_MODULE): Define here and also in
	all main modules of all other programs.

	* g10/main.h: Put util.h before the local header files.

2020-02-10  Werner Koch  <wk@gnupg.org>

	gpg: Make really sure that --verify-files always returns an error.
	+ commit 49151255f3b1decf2e394a58bc0ac412bda2b214
	* g10/verify.c (verify_files): Track the first error code.

	common: Also protect log_inc_errorcount against counter overflow.
	+ commit 47f514fde6e29137d660c19e6eea0b842d2b03f5
	* common/logging.c (log_inc_errorcount): Also protect against
	overflow.
	(log_error): Call log_inc_errorcount instead of directly bumping the
	counter.

2020-01-17  Werner Koch  <wk@gnupg.org>

	gpgconf,w32: Print a warning for a suspicious homedir.
	+ commit a265d3997a9120cb607c2d9b843bf9ee9e944378
	* tools/gpgconf.c (list_dirs): Check whether the homedir has been
	taken from the registry.

2020-01-16  NIIBE Yutaka  <gniibe@fsij.org>

	gpg: default-key: Simply don't limit by capability.
	+ commit a7840777e4277039482ce3ea3e6fc919526be2f1
	* g10/getkey.c (parse_def_secret_key): Remove the check.

2019-12-23  Werner Koch  <wk@gnupg.org>

	gpg: Fix output of --with-secret if a pattern is given.
	+ commit def1ceccf05baf187b9313e6e37171709ab44225
	* g10/keylist.c (list_one): Probe for a secret key in --with-secret
	mode.

2019-12-19  Andre Heinecke  <aheinecke@gnupg.org>

	speedo: Make signing optional for w32-release.
	+ commit a56c591f9063d895544d681e25bda2ffb22f7ca0
	* build-aux/speedo.mk (AUTHENTICODE_sign): Check if
	certificates are available.

	speedo: Use multithreaded xz for w32 source.
	+ commit 28403cb5fe4eea2ac1ad514fdfcfa282e795c69f
	* build-aux/speedo.mk (dist-source): Add -T0 parameter to xz.

	speedo: Improve and document wixlib build.
	+ commit 4d9b262584fb15e7965d579fad9a149e26849c18
	* Makefile.am (sign-release): Add handling for wixlib.
	* build-aux/speedo.mk: Add help-wixlib and improve handling.

2019-12-17  Andre Heinecke  <aheinecke@intevation.de>

	speedo, w32: Add w32-wixlib target for MSI package.
	+ commit c461de93f44efaa6a1d9669eb9d4033943368431
	* Makefile.am (EXTRA_DIST): Add wixlib.wxs
	* build-aux/speedo.mk (w32-wixlib): New target.
	(w32-release): Build wixlib if WIXPREFIX is set.
	(help): Add documentation.
	* build-aux/speedo/w32/wixlib.wxs

2019-12-07  Werner Koch  <wk@gnupg.org>

	Release 2.2.19.
	+ commit 1c841c8389fb9640762822395b988e0d1584c9ae


	po: Make g10/call-dirmngr.c translatable.
	+ commit 03983711b3376a5dff518a99adf5fb3a5bd8be4a
	* po/POTFILES.in: Add g10/call-dirmngr.c
	* g10/call-dirmngr.c (create_context): Change an i18n string for easier
	reuse.

	dirmngr: Tell gpg about WKD lookups resulting from a cache.
	+ commit 438a1ec2978c64ecfe6b5ddaa61f214c2dcae88f
	* dirmngr/server.c (proc_wkd_get): Print new NOTE status
	"wkd_cached_result".
	* g10/call-dirmngr.c (ks_status_cb): Detect this and print a note in
	verbose mode.

2019-12-06  Werner Koch  <wk@gnupg.org>

	sm: Add special case for expired intermediate certificates.
	+ commit 8c167febc0abc00be281a9dc8c2544b8d048a002
	* sm/gpgsm.h (struct server_control_s): Add field 'current_time'.
	* sm/certchain.c (find_up_search_by_keyid): Detect a corner case.
	Also simplify by using ref-ed cert objects in place of an anyfound
	var.

2019-12-04  Werner Koch  <wk@gnupg.org>

	gpg: Use AKL for angle bracketed mail address with -r.
	+ commit 78bb81e9deeca264f6a516630496470341e78fa9
	* g10/getkey.c (get_pubkey_byname): Extend is_mbox checking.
	(get_best_pubkey_byname): Ditto.

2019-11-29  Werner Koch  <wk@gnupg.org>

	gpg: Fix double free with anonymous recipients.
	+ commit 9ac182f376abf910a7b737b0e1ebd447eaa582f1
	* g10/pubkey-enc.c (get_session_key): Do not release SK.

2019-11-25  Werner Koch  <wk@gnupg.org>

	Release 2.2.18.
	+ commit 82b9e1bdbdd756290b8873b3e244dcc8d1f840fb


	tests: Adjust for now invalid SHA-1 key signatures.
	+ commit 8e49fc7f43ecfe44dac57d97c555e2cbc7eb8e9a
	* tests/openpgp/defs.scm (create-gpghome): Add
	allow-weak-key-signatures.

	agent: Improve --debug-pinentry diagnostics.
	+ commit 96c4943a5bd070772d8be7bb7db8548840af5f8f
	* agent/call-pinentry.c (atfork_cb): Factor code out to ...
	(atfork_core): new.

2019-11-23  Werner Koch  <wk@gnupg.org>

	wkd: Let --install-key write a template policy file.
	+ commit 6e893061b54ddd38e83531f5513e3168d0002e41
	* tools/wks-util.c (ensure_policy_file): New.
	(wks_cmd_install_key): Call it.

2019-11-18  Werner Koch  <wk@gnupg.org>

	dirmngr,gpg: Better diagnostic in case of bad TLS certificates.
	+ commit 3efc94f1eb17eb5c5950c2fab9f701518352ae19
	* doc/DETAILS: Specify new status code "NOTE".
	* dirmngr/ks-engine-http.c (ks_http_fetch): Print a NOTE status for a
	bad TLS certificate.
	* g10/call-dirmngr.c (ks_status_cb): Detect this status.

	dirmngr: Forward http redirect warnings to gpg.
	+ commit 4dd50991252409eb2023ab8ad11f36a050f421af
	* dirmngr/http.c: Include dirmngr-status.h
	(http_prepare_redirect): Emit WARNING status lines for redirection
	problems.
	* dirmngr/http.h: Include fwddecl.h.
	(struct http_redir_info_s): Add field ctrl.
	* dirmngr/ks-engine-hkp.c (send_request): Set it.
	* dirmngr/ks-engine-http.c (ks_http_fetch): Set it.
	* g10/call-dirmngr.c (ks_status_cb): Detect the two new warnings.

	dirmngr: Factor some prototypes out to dirmngr-status.h.
	+ commit 466bdf7c07f4ebfc69d503f85b9423f2f6440682
	* dirmngr/dirmngr-status.h: New.
	* dirmngr/dirmngr.h: Include dirmngr-status.h and move some prototypes
	to that file.
	* dirmngr/t-support.c: New.
	* dirmngr/Makefile.am (t_common_src): Add new file.

2019-11-15  NIIBE Yutaka  <gniibe@fsij.org>

	scd,ccid: Add support of GEMPC_EZIO.
	+ commit 9b41f58c8a549055fa6bf7e21e2931b86f4da776
	* scd/ccid-driver.h (GEMPC_EZIO): New.
	* scd/ccid-driver.c (ccid_transceive_secure): Support GEMPC_EZIO.

2019-11-12  Werner Koch  <wk@gnupg.org>

	dirmngr: Use IPv4 or IPv6 interface only if available.
	+ commit 392e068e9f143d41f6350345619543cbcd47380f
	* dirmngr/dns-stuff.c (cached_inet_support): New variable.
	(dns_stuff_housekeeping): New.
	(check_inet_support): New.
	* dirmngr/http.c (connect_server): Use only detected interfaces.
	* dirmngr/dirmngr.c (housekeeping_thread): Flush the new cache.

2019-11-11  Werner Koch  <wk@gnupg.org>

	gpg: Forbid the creation of SHA-1 third-party key signatures.
	+ commit 754a03f5a279964af62025d11d92391e650fddb7
	* g10/sign.c (SIGNHINT_KEYSIG, SIGNHINT_SELFSIG): New.
	(do_sign): Add arg signhints and inhibit SHA-1 signatures.  Change
	callers to pass 0.
	(complete_sig): Add arg signhints and pass on.
	(make_keysig_packet, update_keysig_packet): Set signhints.

	gpg: Add option --allow-weak-key-signatures.
	+ commit 3b1fcf65239d9c73cc54760ea52a5749e024fa76
	* g10/gpg.c (oAllowWeakKeySignatures): New.
	(opts): Add --allow-weak-key-signatures.
	(main): Set it.
	* g10/options.h (struct opt): Add flags.allow_weak_key_signatures.
	* g10/misc.c (print_sha1_keysig_rejected_note): New.
	* g10/sig-check.c (check_signature_over_key_or_uid): Print note and
	act on new option.

2019-11-07  Werner Koch  <wk@gnupg.org>

	gpg: Fix a potential loss of key sigs during import with self-sigs-only.
	+ commit 2975868ede40ce8b8a0d20e7f0e4cd687772f9d0
	* g10/import.c (import_one_real): Don't do the final clean in the
	merge case.

