2022-12-09  Werner Koch  <wk@gnupg.org>

	Release 2.2.41.
	+ commit 75ad0ea6dcad2d0e7ffff06a91fc3f519b448404


2022-12-08  Werner Koch  <wk@gnupg.org>

	scd:p15: Skip deleted records.
	+ commit e778c9ce8926c05f35fcc38cc7d863dc0d0242f3
	* scd/app-p15.c (select_and_read_record): Special case deleted
	records.  Support 3 byte TLVs.
	(read_ef_prkdf): Skip deleted records.
	(read_ef_pukdf): Ditto.
	(read_ef_cdf): Ditto.
	(read_ef_aodf): Ditto.

2022-12-06  Werner Koch  <wk@gnupg.org>

	wkd: Do not send/install/mirror expired user ids.
	+ commit 115cc4d37c184e90100407b57d170259adf18b6c
	* tools/gpg-wks.h (struct uidinfo_list_s): Add fields expired and
	revoked.
	* tools/wks-util.c (append_to_uidinfo_list): Add args expired and
	revoked.
	(set_expired_revoked): New.
	(wks_list_key): Set expired and revoked.
	(wks_cmd_install_key): Skip expired uids.
	* tools/gpg-wks-client.c (command_check): Print flags.
	(command_send): Ignore expired keys.
	(mirror_one_key): Ditto.

	* g10/export.c (do_export_stream): Silence warning.

	gpgsm: Silence the "non-critical certificate policy not allowed".
	+ commit d9271d594b5b81cc4242de141ef99767390e83a5
	* sm/certchain.c (check_cert_policy): Print non-critical policy
	warning only in verbose mode.

	(cherry picked from commit 4f1b9e3abb337470e5e4809b3a7f2df33f5a63a4)

2022-11-30  Werner Koch  <wk@gnupg.org>

	wkd: New option --add-revocs and some fixes.
	+ commit 2f4492f3be6a6b9d553da07705a1b5cd48aee80b
	* tools/gpg-wks.h (opt): Add add_revocs.
	* tools/wks-util.c (wks_get_key): Add arg 'binary'.
	(wks_armor_key): New.
	(wks_find_add_revocs): New.
	(wks_cmd_install_key): Get key in binary mode and add revocations if
	enabled.
	* tools/gpg-wks-client.c (oAddRevocs): New.
	(opts): Add --add-revocs.
	(parse_arguments): Set option.
	(command_send): Get key in binary mode, add revocations if enabled,
	and explicitly armor key.  Remove kludge to skip the Content-type line
	in no_encrypt mode.

	(mirror_one_keys_userid): Always filter the key to get rid of the
	armor as received from dirmngr.  Add revocations from the local
	keyring.

	wkd: Make use of --debug extprog.
	+ commit deac3e91eb68dd1e1a1d25a68f4f8139f06a56d9
	* tools/wks-util.c (debug_gpg_invocation): New.
	(get_key_status_cb): Enable debug output.
	(wks_get_key): Show gpg invocation.
	(wks_list_key): Ditto.
	(wks_filter_uid): Ditto.

	gpg: New export-filter export-revocs.
	+ commit edbe30c1528ca8c5d46a7d2718e3085e55ebde64
	* g10/options.h (EXPORT_REVOCS): New.
	* g10/export.c (export_select_filter): New.
	(struct export_filter_attic_s): Add field.
	(cleanup_export_globals): Cleanup.
	(parse_export_options): Add option "export-revocs".
	(parse_and_set_export_filter): Parse the select type.
	(do_export_revocs): New.
	(do_export_stream): Add a way to select things for export.

2022-11-30  NIIBE Yutaka  <gniibe@fsij.org>

	gpg: Fix double-free in gpg --card-edit.
	+ commit cd29ab0435d38dbda7a4aa7a0ed53ffb06460afa
	* g10/card-util.c (change_name): Don't free ISONAME here.

2022-11-29  Werner Koch  <wk@gnupg.org>

	gpg: use iobuf_read for higher detached signing speed.
	+ commit 2302e180c010dffe0b792063955938cd3599e8fe
	* g10/sign.c (sign_file): Use iobuf_read instead of iobuf_get for
	reading data from detached file.

2022-11-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	g10/plaintext: do_hash: use iobuf_read for higher performance.
	+ commit 15b8d100c9c8d0dc65706451d7edaef8b4abaafc
	* g10/plaintext.c (do_hash): Use iobuf_read instead of iobuf_get for
	reading data; Use gcry_md_write instead of gcry_md_putc for hash data.

2022-11-28  Werner Koch  <wk@gnupg.org>

	gpg: Make --require-compliance work without --status-fd.
	+ commit 11f3232716716511ff9ea8c9c15c984ce4614d83
	* g10/mainproc.c (proc_encrypted): Set compliance_de_vs also if
	require-compliance is set.

2022-11-25  NIIBE Yutaka  <gniibe@fsij.org>

	w32: Fix for make check.
	+ commit ff266aef29119b365576617c06614f2cc0af0bf2
	* tests/gpgsm/Makefile.am: Add $(EXEEXT).

	tests: Fix to support --enable-all-tests and variants.
	+ commit 8b1061a5dec787de063a83db334edd7349ab77d8
	* tests/gpgscm/tests.scm (test::scm): Add VARIANT argument.
	(tests::new): Likewise.
	(open-log-file, report): Support VARIANT.
	* tests/gpgme/all-tests.scm (setup-c, setup-py): Follow the change.
	* tests/gpgsm/all-tests.scm (setup): Likewise.
	* tests/gpgsm/run-tests.scm: Likewise.
	* tests/migrations/all-tests.scm: Likewise.
	* tests/migrations/run-tests.scm: Likewise.
	* tests/openpgp/all-tests.scm: Likewise.
	* tests/openpgp/run-tests.scm: Likewise.

	tests:w32: Fix for non-dot file name for Windows.
	+ commit ddfc90e5242ec751bf5275c6acbe12dc51d64b6d
	* tests/migrations/from-classic.scm (assert-migrated): Handle the case
	on Windows.

	tests:gpgscm:w32: Fix for GetTempPath.
	+ commit 4ea7f03c1013f886e51c7740a06afaa9060dada7
	* tests/gpgscm/ffi.c (do_get_temp_path): Remove the last backslash.

	tests: Keep .log files in objdir.
	+ commit 44cbe6fbc0627ef33918e8f489bb2a379cb4f347
	* tests/gpgscm/tests.scm (open-log-file): Keep the log file in objdir.

	tests: Use 233 for invalid value of FD.
	+ commit b94fe0e0077f1b8a1622eb67eac85675e6c24198
	* tests/openpgp/issue2941.scm: Use 233.

	w32: Exclude tests with HOME.
	+ commit 1e62c4b7c24f50d043b74ce6fad36a615ec65757
	* common/t-session-env.c [HAVE_W32_SYSTEM] (test_all): HOME is not
	defined, so, exclude the tests.

	w32: Fix for make check.
	+ commit b13c0b595ebdddc7760eeab901ee5a6d0e8daa10
	* common/Makefile.am (module_tests): Exclude t-exechelp and
	t-exectool.
	* common/t-stringhelp.c (mygetcwd): Convert '\' to '/'.
	* tests/gpgme/Makefile.am: Add $(EXEEXT).
	* tests/migrations/Makefile.am: Likewise.
	* tests/openpgp/Makefile.am: Likewise.

2022-11-25  Werner Koch  <wk@gnupg.org>

	scd: Redact --debug cardio output of a VERIFY APDU.
	+ commit 2e18c371d2417b86c34f986d075a2ef6a374ab92
	* scd/apdu.c (pcsc_send_apdu) [DBG_CARD_IO]: Detect and redact a
	VERIFY.
	(send_apdu_ccid): Ditto.

	gpg: Add a notation to encryption subkeys in de-vs mode.
	+ commit ce50dea7cfe16ab4acf2600b1ef40d47635c93d8
	* g10/keygen.c (struct opaque_data_usage_and_pk): Add cpl_notation.
	(do_add_notation): New.
	(keygen_add_key_flags_and_expire): Set cpl@gnupg.org notation if
	requested.
	(write_keybinding): Request notation for subkeys in de-vs mode.

	scd:nks: Fix ECC signing if key not given by keygrip.
	+ commit 84aba39491c29b3b65e4746a7301cb13cde43c8d
	* scd/app-nks.c (keygripstr_from_pk_file): Set r_algo if not in cache.

	agent: Allow trustlist on Windows in Unicode homedirs.
	+ commit 6ba5b6b85451ef6374656b101ab3d4551e11b97b
	* agent/trustlist.c (agent_marktrusted): Use gnupg_access.

	gpg: Fix trusted introducer for user-ids with only the mbox.
	+ commit c1f5fcff42315345e40e445d8d6d8e0a10e23ad0
	* g10/trustdb.c (check_regexp): Kludge to match user-ids with only an
	mbox.

	gpg: Import stray revocation certificates.
	+ commit 290f458ad66f4ffacea140fe03be9b36e46831d5
	* g10/kbnode.c (new_kbnode2): New.
	* g10/import.c (delete_inv_parts): New arg r_otherrevsigs to store
	misplaced revocations.
	(import_revoke_cert): Allow to pass an entire list.
	(import_one): Import revocations found by delete_inv_parts.

	gpg: Make --list-packets work w/o --no-armor for plain OCB packets.
	+ commit af1d4ff2eadc4d4175ccc24f88d38dc9d48dcfca
	* g10/armor.c (is_armored): Add PKT_ENCRYPTED_AEAD.

	gpg: New option --compatibility-flags.
	+ commit 865386c0cf0b5975b4da66b8da4a5f77a0610081
	* g10/gpg.c (oCompatibilityFlags): New.
	(opts): Add option.
	(compatibility_flags): New list.
	(main): Set flags and print help.
	* g10/options.h (opt): Add field compatibility_flags.

	scd:nks: Support non-ESIGN signing with the Signature Card v2.
	+ commit adbe5a35a5f85a2231f378988edbc79c6ec42f72
	* scd/app-nks.c (do_sign): Handle ECC for NKS cards

	scd: Use APP_LEARN_FLAG_KEYPAIRINFO with more apps.
	+ commit ea222a0d9c7359430dfe9be36f4446a3b60a64df
	* scd/app-nks.c (do_learn_status_core): Use new flag.
	* scd/app-sc-hsm.c (do_learn_status): Ditto.

2022-11-25  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update gpg-error.m4.
	+ commit 44dc253c4c5342f5eda70ebf04ca9700e70c300c
	* m4/gpg-error.m4: Update from libgpg-error 1.46.

2022-10-20  Werner Koch  <wk@gnupg.org>

	scd:nks: Don't flag the ESIGN keypair EF as encryption capable.
	+ commit 1e69676981ac4849bc687c975da0925d65ee03a8
	* scd/app-nks.c (filelist): Tweak 0x4531.

	scd:nks: Some code cleanup.
	+ commit f24904ee35409dd2b1e728f62519319536b4286b
	* scd/app-nks.c (find_fid_by_keyref): Factor keyref parsing out to ...
	(parse_keyref): new.
	(do_readcert): Use new function instead of partly duplicated code.
	Make detection of keygrip more robust.
	(do_readkey): Make detection of keygrip more robust.
	(do_with_keygrip): Use get_nks_tag.

	scd:nks: Support the Telesec ESIGN application.
	+ commit 5cd25f4ca48573207db25d6d01a7c5c60aa773f2
	* scd/app-nks.c (find_fid_by_keyref): Disable the cache for now.
	(readcert_from_ef): Consider an all zero certificate as not found.
	(do_sign): Support ECC and the ESIGN application.

2022-10-20  NIIBE Yutaka  <gniibe@fsij.org>

	scd:nks: Return USAGE information for KEYINFO command.
	+ commit b19958278931e474acb266c9698839118b04f7f1
	* scd/app-nks.c (set_usage_string): New.
	(do_learn_status_core, do_readkey): Use set_usage_string.
	(do_with_keygrip): Add USAGE to call send_keyinfo,
	using set_usage_string.
	* scd/command.c (send_keyinfo): Add arg usage.

2022-10-20  Werner Koch  <wk@gnupg.org>

	scd:nks: Handle APP_READKEY_FLAG_INFO.
	+ commit 77b008d1e74bae048efc26eace49994deea13b65
	* scd/app-nks.c (keygripstr_from_pk_file): Fix ignored error.
	(get_nks_tag): New.
	(do_learn_status_core): Use it.  Make sure not to mangle the
	KEYPAIRINFO line if no usage is known.
	(do_readkey): Output the KEYPAIRINFO for the keygrip case.

2022-10-20  Ingo Klöcker  <dev@ingo-kloecker.de>

	scd:nks: Add support for signing plain SHA-2 digests.
	+ commit 8bccd95b38f2eb7f9c27dcd24b7e1adcdee0303d
	* scd/app-nks.c (do_sign): Handle plain SHA-2 digests and verify
	encoding of ASN.1 encoded hashes.

2022-10-20  NIIBE Yutaka  <gniibe@fsij.org>

	scd:nks: Support READKEY with keygrip and for "NKS-IDLM" keyref.
	+ commit 3c1acb7b9fa4edd43a5b2bf957d8cae9dfcdd5bc
	* scd/app-nks.c (do_readkey): Allow KEYGRIP access.
	Support NKS-IDLM.XXXX keyref.

	scd:nks: Factor out pubkey retrieval from keygrip handling.
	+ commit 0979ae3491316ca180faeb336565c56f1dbebd2e
	* scd/app-nks.c (pubkey_from_pk_file): New.
	(keygripstr_from_pk_file): Use pubkey_from_pk_file.

	(cherry picked from commit b7c087375d84c31ab8a645cd81e6b1e6185cb30d)

	scd:nks: Add support of KEYGRIP for do_readcert.
	+ commit 1f2823e0beee8567461d509ad6e59002718b4271
	* scd/app-nks.c (do_readcert): Support KEYGRIP.

	scd:nks: Factor out iteration over filelist.
	+ commit ea7234d2f5918a6c27202e437d7666d25deebdab
	* scd/app-nks.c (iterate_over_filelist): New.
	(do_with_keygrip): Use iterate_over_filelist.

	(cherry picked from commit 6c4365847666cefac73ccc743a99fac473da2186)

	scd:nks: Fix caching keygrip (more).
	+ commit c9eb4c0632318270dea7cc4c22957539648a3707
	* scd/app-nks.c (keygripstr_from_pk_file): Distinguish by APP_ID.

2022-10-20  Werner Koch  <wk@gnupg.org>

	scd:nks: Minor additions to the basic IDLM application support.
	+ commit cf5f6896f810ea92443ba43e384b0a319bc73467
	* scd/app-nks.c (filelist): Use special value -1 for IDLM pubkeys.
	(keygripstr_from_pk_file): Handle special value.
	(do_readcert): Ditto.
	(do_writecert): Ditto.

2022-10-20  NIIBE Yutaka  <gniibe@fsij.org>

	scd,nks: Fix caching keygrip.
	+ commit f1bd7369a7543f14cf27fed9ddff2e3d535a44fb
	* scd/app-nks.c (keygripstr_from_pk_file): Identify by cfid if
	available.

2022-10-20  Werner Koch  <wk@gnupg.org>

	scd:nks: Emit the algo string with KEYPAIRINFO.
	+ commit c1c3331cf96542d3ab6704a41ac85ccf2c064d5d
	* scd/app-nks.c (do_learn_status_core): Emit the algo string as part
	of a KEYPAIRINFO.
	(struct fid_cache_s): Add field algostr.
	(flush_fid_cache): Release it.
	(keygripstr_from_pk_file): Fill it and add it to the cache.  Use a
	single exit label.  Set algostr.

	scd:nks: Implement writecert for the Signature card v2.
	+ commit fe698586b5d4b14fecf0295945f341e1de795c71
	* scd/iso7816.c (CMD_UPDATE_BINARY): New.
	(iso7816_update_binary): New.
	* scd/app-nks.c (do_deinit): Factor some code out to...
	(flush_fid_cache): new.
	(do_writecert): New.
	(app_select_nks): Register new handler.

	scd:nks: Fix certificate read problem with TCOS signature card v2.
	+ commit c99870f790c61db85ba8209e1983eab8447e3f96
	* scd/app-nks.c (filelist): Add a dedicated key entry for ESIGN.
	(do_readcert): Test for the app_id.

	scd:nks: Fix remaining tries warning in --reset mode.
	+ commit a974d8aefab1fe69b34dabc4a31105de6f70bac8
	* scd/app-nks.c (do_change_pin): Change computation of 'remaining'.

	scd:nks: Add framework to support IDKey cards.
	+ commit 60ba61e78ea36ce662b485ac8d3102c866f08caf
	* scd/app-nks.c (NKS_APP_IDLM): New.
	(struct app_local_s): Replace NKS_VERSION by the global APPVERSION.
	(do_learn_status): Always send CHV-STATUS.
	(find_fid_by_keyref): Basic support for IDLM only use.
	(do_learn_status_core): Ditto.
	(do_readcert): Ditto.
	(verify_pin): Ditto.
	(parse_pwidstr): Ditto.
	(do_with_keygrip): Ditto.
	(switch_application): Ditto.
	(app_select_nks): Fallback to IDLM.

	scd:nks: Get the PIN prompts right for the Signature Card.
	+ commit a83281176c2bad81b4a10c1ce9be62fbec2bc690
	* scd/app-nks.c (get_dispserialno): Move more to the top.
	(do_getattr): Add $DISPSERIALNO and SERIALNO.  Make CHV-STATUS work
	with NKS15.
	(verify_pin): Use dedicated min. PIN lengths.
	(parse_pwidstr): Support NKS15

	scd:nks: Support decryption using ECDH.
	+ commit bbef2d17902b9bebcec2e073e0f4ac5826c2544c
	* scd/app-nks.c (struct fid_cache_s): Add field 'algo'.
	(keygripstr_from_pk_file): Add arg 'r_algo' to return the algo.
	(find_fid_by_keyref): Ditto.
	(get_dispserialno): New.
	(make_prompt): New.
	(verify_pin): Provide better prompts.
	(do_decipher): Support ECDH.
	(parse_pwidstr): Add hack to specify any pwid.
	(do_change_pin): Support Signature Card V2.0 (NKS15) style NullPIN.
	Provide a better prompt.

	scd:nks: Add do_with_keygrip and implement a cache.
	+ commit f5e0469d6e744983c21a7de55bd74b674e47d1af
	* scd/app-nks.c (struct fid_cache_s): New.
	(struct app_local_s): Add field 'fid_cache'.
	(do_deinit): Release the cache.
	(keygripstr_from_pk_file): Implement the cache.
	(find_fid_by_keyref): New
	(do_sign, do_decipher): Use new function.
	(do_with_keygrip): New.

	scd:nks: Allow retrieving certificates from a Signature Card v.20.
	+ commit 471e610fcd63db0271929ce9a134907a57e9c5de
	* scd/app-nks.c: Major rework to support non-RSA cards.

2022-10-18  NIIBE Yutaka  <gniibe@fsij.org>

	gpg: Move NETLIBS after GPG_ERROR_LIBS (another).
	+ commit 256b3c05789d8026b62f594bd592199a90b1b446
	* g10/Makefile.am (t_keydb_LDADD): Add NETLIBS after GPG_ERROR_LIBS.

	dirmngr: Fix build with no LDAP support.
	+ commit a5c3821664886ffffbe6a83aac088a6e0088a607
	* dirmngr/server.c [USE_LDAP] (start_command_handler): Conditionalize.

	gpg: Move NETLIBS after GPG_ERROR_LIBS.
	+ commit b26bb03ed96f380ad603f7ad902862625233c931
	* g10/Makefile.am (LDADD): Remove NETLIBS.
	(gpg_LDADD, gpgv_LDADD): Add NETLIBS after GPG_ERROR_LIBS.
	(gpgcompose_LDADD, t_keydb_get_keyblock_LDADD): Likewise.
	(t_stutter_LDADD): Likewise.

2022-10-13  NIIBE Yutaka  <gniibe@fsij.org>

	gpg: Report an error for receiving key from agent.
	+ commit 6f0066db2c87e6362473d17c0621011ed1e1eae6
	* g10/export.c (do_export_one_keyblock): Report an error.

2022-10-10  Werner Koch  <wk@gnupg.org>

	Release 2.2.40.
	+ commit 2e9f8a511dc01ef9ffc59c90f1cb5082e052da06


	gpg: For de-vs use AES-128 instead of 3DES as implicit preference.
	+ commit 5df1c247be5223343668f9a56eb5f8290c954b6e
	* g10/pkclist.c (select_algo_from_prefs): Change implicit cipher
	algorithm.

2022-10-10  Ingo Klöcker  <dev@ingo-kloecker.de>

	sm: Fix reporting of bad passphrase error.
	+ commit 94092793f6a23bbd93c7a26add4d1a23a6f9acb7
	* sm/minip12.c (p12_parse): Set badpass flag to result in ctx.

2022-10-07  Werner Koch  <wk@gnupg.org>

	wkd: Implement --blacklist option for gpg-wks-client.
	+ commit cd020284c9cf352e02e85c52884fc7d56b0f4ec9
	* tools/gpg-wks-client.c (blacklist_array, blacklist_array_len): New.
	(parse_arguments): Install blacklist.
	(read_file): New.
	(cmp_blacklist, add_blacklist, is_in_blacklist): New.
	(mirror_one_key): Check list.
	* tools/gpg-wks.h (opt): Remove field blacklist.

	wkd: Restrict gpg-wks-client --mirror to the given domains.
	+ commit 88042821d81b93b793ddf67546bb6697d8a6881f
	* tools/gpg-wks-client.c (domain_matches_mbox): New.
	(mirror_one_key): Skip non-matching domains.
	(command_mirror): Change args to allow for several domains.

	wkd: Silence gpg-wks-client diagnostics from gpg.
	+ commit b18b9b972e2da2fd30c4bfd64c2c6b09213bd1cf
	* tools/gpg-wks-client.c (add_user_id): Pass --quiet to gpg unless we
	are running in double verbose mode.
	(decrypt_stream): Ditto
	(encrypt_response): Ditto.
	(mirror_one_keys_userid): Ditto.
	* tools/wks-util.c (wks_get_key): Ditto.
	(wks_list_key): Ditto.
	(wks_filter_uid): Ditto.

	(cherry picked from commit 4364283f757fceab454d48d461a9f88c31247a07)

	wkd: New command --mirror for gpg-wks-client.
	+ commit a946343f14752ab06f1a62762e4a5a9203d38d55
	* tools/gpg-wks-client.c (aMirror,oBlacklist,oNoAutostart): New.
	(opts): Add --mirror, --no-autostart, and --blacklist.
	(parse_arguments): Parse new options.
	(main): Implement aMirror.
	(mirror_one_key_parm): New.
	(mirror_one_keys_userid, mirror_one_key): New.
	(command_mirror): New.

	* tools/gpg-wks.h (struct uidinfo_list_s): Add fields flags.
	* tools/wks-util.c (wks_cmd_install_key): Factor some code out to ...
	(wks_install_key_core): new.

	* tools/call-dirmngr.c (wkd_dirmngr_ks_get): New.

	common: Protect against a theoretical integer overflow in tlv.c.
	+ commit c300253181cfc591cbcae9251eda5296ed29591b
	* common/tlv.c (parse_ber_header): Protect against integer overflow.

	dirmngr: Support paged LDAP mode for KS_GET.
	+ commit a70a3204c24a00e688224ee24575be6e523d42ce
	* dirmngr/ks-engine-ldap.c (PAGE_SIZE): New.
	(struct ks_engine_ldap_local_s): Add several new fields.
	(ks_ldap_clear_state): Release them.
	(search_and_parse): Factored out from ks_ldap_get and extended to
	support the paged mode.
	(ks_ldap_get):  Implement the pages mode for --first and --next.
	* dirmngr/server.c (cmd_ks_get): Provide a dummy passphrase in --first
	mode.
	* dirmngr/Makefile.am (dirmngr_LDADD): Add LBER_LIBS.

	dirmngr: New options --first and --next for KS_GET.
	+ commit 20cb9319d998fb4eb3c096ca7d534706d4afc10a
	* dirmngr/server.c (cmd_ks_get): Add option --first and --next.
	(start_command_handler): Free that new ldap state.
	* dirmngr/ks-engine-ldap.c (struct ks_engine_ldap_local_s): New.
	(ks_ldap_new_state, ks_ldap_clear_state): New.
	(ks_ldap_free_state): New.
	(return_one_keyblock): New.  Mostly factored out from ....
	(ks_ldap_get): here.  Implement --first/--next feature.

	* dirmngr/ks-action.c (ks_action_get): Rename arg ldap_only to
	ks_get_flags.
	* dirmngr/ks-engine.h (KS_GET_FLAG_ONLY_LDAP): New.
	(KS_GET_FLAG_FIRST): New.
	(KS_GET_FLAG_NEXT): New.

	* dirmngr/dirmngr.h (struct server_control_s): Add member
	ks_get_state.
	(struct ks_engine_ldap_local_s): New forward reference.

	gpg: Show just keyserver and port with --send-keys.
	+ commit 2b2f8a1a0ca12e9903df3f20955f16e206a0c976
	* g10/call-dirmngr.c (ks_status_cb): Mangle the keyserver url

	dirmngr: Minor fix for baseDN fallback.
	+ commit 4cf8dc2d968f966d99ec3db4ee40a1ff5321d5a7
	* dirmngr/ks-engine-ldap.c (my_ldap_connect): Avoid passing data
	behind the EOS.
	(interrogate_ldap_dn): Stylistic change.

2022-10-07  NIIBE Yutaka  <gniibe@fsij.org>

	dirmngr: Fix the function prototype.
	+ commit 73cc5e073ce9e153cacdb020b15b2abc5e2cf8b2
	* dirmngr/ldap-wrapper.c (ldap_wrapper_wait_connections): It's with
	no arguments.

	dirmngr: Change interrogate_ldap_dn for better memory semantics.
	+ commit 98fbac614105b5690d57b4268c6792f4f3538bd5
	* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): Return BASEDN found,
	memory allocated.
	(my_ldap_connect): Follow the change, removing needless allocation.

2022-10-07  Joey Berkovitz  <joeyberkovitz@gmail.com>

	dirmngr: Interrogate LDAP server when base DN specified.
	+ commit 5516f92224b6baf6d100d58fc273018bdac173f8
	* dirmngr/ks-engine-ldap.c (my_ldap_connect): interrogate LDAP
	server when basedn specified.

2022-10-07  Werner Koch  <wk@gnupg.org>

	dirmngr: Support gpgMailbox for mode MAILSUB and MAILEND.
	+ commit 615c9717c15a541b212117bfaa88d41ff724127a
	* dirmngr/ks-engine-ldap.c (keyspec_to_ldap_filter): Use gpgMailbox if
	server supports this.

	dirmngr: Factor out interrogate_ldap_dn function.
	+ commit 44960e702ee3e806331ee63c373c3f7e0931364b
	* dirmngr/ks-engine-ldap.c (interrogate_ldap_dn): New.

2022-09-29  Werner Koch  <wk@gnupg.org>

	gpg: Avoid to emit a compliance mode line if libgcrypt is non-compliant.
	+ commit 07c6743148d4abd30fb8bf08b07eb9755fdfff2d
	* g10/encrypt.c (check_encryption_compliance): Check gcrypt compliance
	before emitting an ENCRYPTION_COMPLIANCE_MODE status.

2022-09-28  Werner Koch  <wk@gnupg.org>

	dirmngr: Fix lost flags during LDAP upload.
	+ commit 32ce7ac0c67489e206544dce93a2364c2f7d9410
	* dirmngr/ldapserver.c (ldapserver_parse_one): Turn LINE into a const.
	Use strtokenize instead of strtok style parsing.

	dirmngr: New server flag "areconly" (A-record-only)
	+ commit 6300035ba17b4115df7139926ba55556362038ed
	* dirmngr/dirmngr.h (struct ldap_server_s): Add field areconly.
	* dirmngr/ldapserver.c (ldapserver_parse_one): Parse "areconly"
	* dirmngr/ks-engine-ldap.c (my_ldap_connect): Implement this flag.
	* dirmngr/dirmngr_ldap.c: Add option --areconly
	(connect_ldap): Implement option.
	* dirmngr/ldap.c (run_ldap_wrapper): Add and pass that option.

2022-09-22  Werner Koch  <wk@gnupg.org>

	gpg: Don't consider unknown keys as non-compliant while decrypting.
	+ commit 05b7e4a405c84da14e5f7ee04cfd3de4b0cb8290
	* g10/mainproc.c (proc_encrypted):  Change compliance logic.

2022-09-16  Werner Koch  <wk@gnupg.org>

	dirmngr: Fix CRL DP error fallback to other schemes.
	+ commit 289fbc550d18a7f9b26c794a2409ba820811f6b3
	* dirmngr/crlcache.c (crl_cache_reload_crl): Rework the double loop.
	Remove the unused issuername_uri stuff.

2022-09-15  NIIBE Yutaka  <gniibe@fsij.org>

	build: Update gpg-error.m4.
	+ commit ed1264e74b11c4ba7d17e6209ecf55655e2a6027
	* m4/gpg-error.m4: Update from libgpg-error.

2022-09-02  Werner Koch  <wk@gnupg.org>

	Release 2.2.39.
	+ commit 7c2078a680dde2eaef30a8a6dc49de4540498736


2022-09-01  Werner Koch  <wk@gnupg.org>

	common: Make nvc_lookup more robust.
	+ commit 8c22b00268bf5b2374cf7af69465a902b91946aa
	* common/name-value.c (nvc_first): Allow for NULL arg.
	(nvc_lookup): Allow for PK being NULL.

	Release 2.2.38.
	+ commit 0b786fde775588413e5c9842bca3a3d8ea06fad5


2022-08-31  Werner Koch  <wk@gnupg.org>

	dirmngr: New option --debug-cache-expired-certs.
	+ commit ea34325c54a2746bdc2d667a1c98ab07b051cf75
	* dirmngr/dirmngr.h (opt): Add debug_cache_expired_certs.
	* dirmngr/dirmngr.c (oDebugCacheExpiredCerts): New.
	(opts): Add option.
	(parse_rereadable_options): Set option.
	* dirmngr/certcache.c (put_cert): Handle the option.

	common,w32: Fix an encoding problem of the printed timezone.
	+ commit 0b91fa0f13fd3644d0be137ed02e006aa05b9501
	* common/gettime.c (w32_strftime) [W32]: New function.
	(strftime) [W32]: New redefinition macro.

	gpg: Emit STATUS_FAILURE for --require-compliance errors.
	+ commit e05fb5ca3711f02eb562868dc38d30e3cccda270
	* g10/misc.c (compliance_failure): Do not fallback to CO_GNUPG.  Print
	compliance failure error and status for CO_DE_VS.
	* g10/mainproc.c (proc_encrypted): Call compliance_failure in the
	require-compliance error case.
	* g10/encrypt.c (check_encryption_compliance): Ditto.

2022-08-31  NIIBE Yutaka  <gniibe@fsij.org>

	scd: Add npth_unprotect/npth_protect for blocking operations.
	+ commit e1169e8f8ac75ad32fccb7743ffd06803bd50f93
	* scd/ccid-driver.c (ccid_open_usb_reader): Name the thread.
	(ccid_vendor_specific_setup, ccid_open_usb_reader): Wrap
	blocking operations by npth_unprotect/npth_protect.

	dirmngr: Reject certificate which is not valid into cache.
	+ commit 14ccabe7f82f64bbf84b8a880cd8b4a34cea9061
	* dirmngr/certcache.c (put_cert): When PERMANENT, reject the
	certificate which is obviously invalid.

2022-08-31  Werner Koch  <wk@gnupg.org>

	gpg: Fix assertion failure due to errors in encrypt_filter.
	+ commit aa0c942521d89f4f0aac90bacaf8a7a7cefc88d8
	* common/iobuf.c (iobuf_copy): Use log_assert.  Explicitly cast error
	return value.
	* g10/build-packet.c (do_plaintext): Check for iobuf_copy error.

	* g10/encrypt.c (encrypt_filter): Immediately set header_okay.

2022-08-30  Werner Koch  <wk@gnupg.org>

	gpg: Make --require-compliance work for -se.
	+ commit f88cb12f8e3c1234a094d09e2505d3a3eec4cbfe
	* g10/encrypt.c (encrypt_crypt, encrypt_filter): Factor common code
	out to ...
	(create_dek_with_warnings): new
	(check_encryption_compliance): and new.

	* g10/encrypt.c (encrypt_filter): Add the compliance check.

2022-08-29  Werner Koch  <wk@gnupg.org>

	gpg: Rename a function.
	+ commit 15cf36f6a84deb739bef9944819c5f79f8de3334
	* g10/cipher.c (cipher_filter): Rename to cipher_file_cfb.

	gpg: Very minor cleanup in decrypt_data.
	+ commit 5b24c41ba72c2d06f6acc7c2ad51cf6f384d41d8
	* g10/decrypt-data.c (decrypt_data): Show also the aead algo with
	--show-session-key.  Remove meanwhile superfluous NULL-ptr test.

2022-08-29  Jussi Kivilinna  <jussi.kivilinna@iki.fi>

	g10/decrypt-data: disable output estream buffering to reduce overhead.
	+ commit e92812a4752e56977286f96f7b5064db1e22936d
	* g10/decrypt-data.c (decrypt_data): Disable estream buffering for
	output file.

2022-08-24  Werner Koch  <wk@gnupg.org>

	Release 2.2.37.
	+ commit 8e60f885713b833dfd8cef7f5b0272df0e48d62f


2022-08-19  Werner Koch  <wk@gnupg.org>

	gpgsm: New option --compatibility-flags.
	+ commit 77b6896f7a85a4b1c9cdd731e1d68d59a0e09950
	* sm/gpgsm.c (oCompatibilityFlags): New option.
	(compatibility_flags): new.
	(main): Parse and print them in verbose mode.
	* sm/gpgsm.h (opt): Add field compat_flags.
	(COMPAT_ALLOW_KA_TO_ENCR): New.
	* sm/keylist.c (print_capabilities): Take care of the new flag.
	* sm/certlist.c (cert_usage_p): Ditto.

	* common/miscellaneous.c (parse_compatibility_flags): New.
	* common/util.h (struct compatibility_flags_s): New.

2022-08-17  Werner Koch  <wk@gnupg.org>

	gpgconf: Make --auto-key-import and --include-key-block visible again.
	+ commit b356eddf3d7a1ed0fae808b9277134d50f4974af
	* tools/gpgconf-comp.c: Add options.

2022-08-16  Werner Koch  <wk@gnupg.org>

	agent: Fix bug introduced earlier today.
	+ commit 3591112fdb013dee1a1a668c9f777d0890520311
	* agent/findkey.c (agent_write_private_key): Fix condition.

	gpg: Fix "generate" command in --card-edit.
	+ commit 914ee7247562dc8f1e4b8503b3b574a5d2749bde
	* g10/card-util.c (get_info_for_key_operation): Get the APPTYPE before
	testing for it.

	* g10/card-util.c (current_card_status): Always try to update the
	shadow keys.
	* g10/call-agent.c (agent_scd_getattr): Handle $AUTHKEYID.

	gpg: Update shadow-keys with --card-status also for non-openpgp cards.
	+ commit 2d23a72690b44528783264a93e170585a99cc774
	* agent/command.c (cmd_readkey): Also allow for $AUTHKEYID in card
	mode.
	* g10/call-agent.c (agent_update_shadow_keys): new.
	* g10/card-util.c (current_card_status): Call it.

	agent: Let READKEY update the display-s/n of the Token entry.
	+ commit 755920d4335730fbf25e24342dc9c8a8a772dac3
	* agent/findkey.c (agent_write_private_key): Factor file name
	generation out to ...
	(fname_from_keygrip): new.
	(write_extended_private_key): Add and implement new arg MAYBE_UPDATE.
	(agent_write_shadow_key): Ditto.

	* agent/command.c (cmd_readkey): Update the shadow-key in card mode.

	gpg: Fix --card-status to handle lowercase APPTYPEs.
	+ commit 8e393e2592646f7d2a11ec32232b8f29eacdce13
	* g10/card-util.c (current_card_status): Use ascii_strcasecmp.

2022-08-16  NIIBE Yutaka  <gniibe@fsij.org>

	gpg: Fix detecting OpenPGP card by serialno.
	+ commit 27ae89db6e6901a8fd6f1dce50a25c1a4b845086
	* g10/card-util.c (get_info_for_key_operation): Use ->apptype to
	determine card's APP.
	(current_card_status): Even if its SERIALNO is not like OpenPGP card,
	it's OpenPGP card when app says so.

2022-08-16  Werner Koch  <wk@gnupg.org>

	common: In private key mode write "Key:" always last in name-value.
	+ commit 12ad9529782df1eecf628281b8db62cafd775c4f
	* common/name-value.c (nvc_write): Take care of Key. Factor some code
	out to ...
	(write_one_entry): new.

2022-08-15  Werner Koch  <wk@gnupg.org>

	agent: Create and use Token entries to track the display s/n.
	+ commit dc9b2426288e4eb6ab42aa7f731a35bc8d383b46
	* agent/divert-scd.c (linefeed_to_percent0A): New.
	(ask_for_card): Add arg grip.  Read Token and Label items and use
	them.
	(divert_pksign, divert_pkdecrypt): Pass down grip.
	* agent/findkey.c (write_extended_private_key): Add args serialno,
	keyref, and dispserialno.  Write Token item.
	(agent_write_private_key): Add args serialno, keyref, and
	dispserialno.
	(read_key_file): Add arg r_keymeta.
	(agent_keymeta_from_file): New.
	(agent_write_shadow_key): Remove leading spaces from serialno and keyid.
	* agent/protect-tool.c (agent_write_private_key): Ditto.
	* agent/learncard.c (agent_handle_learn): Get DISPSERIALNO and pass to
	agent_write_shadow_key.
	* agent/command-ssh.c (card_key_available): Ditto.

	common: New function nve_set.
	+ commit 706adf669173ec604158e4a2f4337e3da6cb1e45
	* common/name-value.c (nve_set): New.
	(nvc_set): Use nve_set.
	(nvc_delete_named): New.
	(nvc_get_string): New.
	(nvc_get_boolean): New.

2022-08-04  Werner Koch  <wk@gnupg.org>

	gpg: Fix wrong error message for keytocard.
	+ commit f2a81e3745017072585c9999a129ee5dd0bdc6e6
	* g10/call-agent.c (agent_keytocard): Emit SC_OP_FAILURE.

2022-08-03  Werner Koch  <wk@gnupg.org>

	common: Silence warnings from AllowSetForegroundWindow.
	+ commit 6583abedf3f0ffe5cc8283fe683144fc1d5add40
	* common/sysutils.c (gnupg_allow_set_foregound_window): Print warning
	only with debug flag set.

	dirmngr: Fix failed malloc error message.
	+ commit 94908857e1f54a3550a3704a5de6bd10b7902169
	* dirmngr/ocsp.c (check_signature): Fix error printing of xtrymalloc.

	gpgconf: Add config file for Windows Registry dumps.
	+ commit ebb736b2c310c8736d1165be9c8e2de413dd0ac6
	* tools/gpgconf.c (show_registry_entries_from_file): New.
	(show_configs): Call it.
	* doc/examples/gpgconf.rnames: New.
	* doc/Makefile.am (examples): Add it.

2022-08-02  Werner Koch  <wk@gnupg.org>

	gpg: Make symmetric + pubkey encryption de-vs compliant.
	+ commit e8011a7ceca7d5d9fd703f227e56931a7ea151d6
	* g10/mainproc.c (proc_encrypted): Make symmetric + pubkey encryption
	de-vs compliant.

	* g10/mainproc.c (struct symlist_item): New.
	(struct mainproc_context): Add field symenc_list.
	(release_list): Free that list.
	(proc_symkey_enc): Record infos from symmetric session packet.
	(proc_encrypted): Check symkey packet algos

	gpgconf: Improve registry dumping.
	+ commit 6bc959231802d60694b7677d3537261d9cda1e1d
	* common/w32-reg.c (read_w32_registry_string): Map REG_DWORD to a
	string.
	(read_w32_reg_string): Add arg r_hklm_fallback and change all callers.
	(show_configs): Indicate whether the HKLM fallback was used.
	* tools/gpgconf.c (show_other_registry_entries): Fix the Outlook Addin
	Registry key.  Indicate whether the HKLM fallback was used.

2022-07-28  Werner Koch  <wk@gnupg.org>

	gpg: For de-vs use SHA-256 instead of SHA-1 as implicit preference.
	+ commit 890e616593af5d1e0f2eb932768205ef90928e5e
	* g10/pkclist.c (select_algo_from_prefs): Change implicit hash
	algorithm.

2022-07-27  Werner Koch  <wk@gnupg.org>

	agent: New option --no-user-trustlist and --sys-trustlist-name.
	+ commit d0bd91ba73a7e333e9b5007875c9bd475fb9581e
	* agent/gpg-agent.c (oNoUserTrustlist,oSysTrustlistName): New.
	(opts): Add new option names.
	(parse_rereadable_options): Parse options.
	(finalize_rereadable_options): Reset allow-mark-trusted for the new
	option.
	* agent/agent.h (opt): Add fields no_user_trustlist and
	sys_trustlist_name.
	* agent/trustlist.c (make_sys_trustlist_name): New.
	(read_one_trustfile): Use here.
	(read_trustfiles): Use here.  Implement --no-user-trustlist.  Also
	replace "allow_include" by "systrust" and adjust callers.

2022-07-27  Ingo Klöcker  <dev@ingo-kloecker.de>

	gpg: Look up user ID to revoke by UID hash.
	+ commit abe69b2094dd749fc2f285b672d30a4f1e3f12a7
	* g10/keyedit.c (find_userid_by_namehash, find_userid): New.
	(keyedit_quick_revuid): Use find_userid() instead of iterating over the
	nodes of the keyblock.
	* tests/openpgp/quick-key-manipulation.scm: Add test for revoking a
	user ID specified by its hash.

2022-07-27  Werner Koch  <wk@gnupg.org>

	wkd: Bind the address to the nonce.
	+ commit 73a98c13969169fee6bf5eaa71507a409eb17caf
	* tools/gpg-wks-server.c (make_pending_fname): New.
	(store_key_as_pending, check_and_publish): Use here.
	(process_new_key): Pass addrspec to store_key_as_pending.
	(expire_one_domain): Expire also the new files.

2022-07-26  Ingo Klöcker  <dev@ingo-kloecker.de>

	dirmngr: Ask keyservers to provide the key fingerprints.
	+ commit 22e8dc792702cd485408b5a8212d34a3917851ca
	* dirmngr/ks-engine-hkp.c (ks_hkp_search): Add "fingerprint=on" to
	request URL.

2022-07-25  Ingo Klöcker  <dev@ingo-kloecker.de>

	gpg: Request keygrip of key to add via command interface.
	+ commit ee8f1c10a7a54714fb2a9ca141d38e666b9a424d
	* g10/keygen.c (ask_algo): Request keygrip via cpr_get.
	* doc/help.txt (gpg.keygen.keygrip): New help text.

2022-07-25  Werner Koch  <wk@gnupg.org>

	wkd: Fix path traversal attack on gpg-wks-server.
	+ commit c1489ca0e101a81df6f8b1ba8d8a9afd9ebc6412
	* tools/gpg-wks-server.c (check_and_publish): Check for invalid
	characters in sender controlled data.
	* tools/wks-util.c (wks_fname_from_userid): Ditto.
	(wks_compute_hu_fname): Ditto.
	(ensure_policy_file): Ditto.

2022-07-13  NIIBE Yutaka  <gniibe@fsij.org>

	scd:openpgp: Fix workaround for Yubikey heuristics.
	+ commit 8c9f879d4aa01ad96320869fb3da83a843292504
	* scd/app-openpgp.c (parse_algorithm_attribute): Handle the case
	of firmware 5.4, too.

	scd: Fail when no good algorithm attribute.
	+ commit 225c66f13b8700d9d283367705b31070a3d38d93
	* scd/app-openpgp.c (parse_algorithm_attribute): Return the error.
	(change_keyattr): Follow the change.
	(app_select_openpgp): Handle the error of parse_algorithm_attribute.

2022-07-12  NIIBE Yutaka  <gniibe@fsij.org>

	scd: Don't inhibit SSH authentication for larger data if it can.
	+ commit 07e43eda8dc69cecc385a6b3723e155afbc59257
	* scd/app-openpgp.c (do_auth): Use command chaining if available.

2022-07-06  Werner Koch  <wk@gnupg.org>

	Release 2.3.36.
	+ commit 491645b50ec97db12520483d347291d660db209c


2022-06-29  Werner Koch  <wk@gnupg.org>

	gpgconf: New short options -V and -X.
	+ commit f357a5f239919de976b86a666410f504682973e4
	* tools/gpgconf.c: Assign short options -X and -V
	(show_version_gnupg): Print the vsd version if available.

2022-06-24  NIIBE Yutaka  <gniibe@fsij.org>

	agent: Flush before calling ftruncate.
	+ commit 9e2307ddf0c2608e9cfb435f870b75cbb35791d7
	* agent/findkey.c (write_extended_private_key): Make sure
	it is flushed out.

2022-06-21  Werner Koch  <wk@gnupg.org>

	sm: Update pkcs#12 module from master.
	+ commit 4c14bbf56fb544541bd65f9d6e6e0b81779dcab6
	* sm/minip12.c: Update from master.
	* sm/import.c (parse_p12): Pass NULL for curve.

2022-06-20  Werner Koch  <wk@gnupg.org>

	common: Add an easy to use DER builder.
	+ commit d21ced1e3596dc9e4fa53995286b4cbbd6e94195
	* common/tlv-builder.c: New.
	* common/tlv.c: Remove stuff only used by GnuPG 1.
	(put_tlv_to_membuf, get_tlv_length): Move to ...
	* common/tlv-builder.c: here.
	* common/tlv.h (tlv_builder_t): New.

2022-06-14  Werner Koch  <wk@gnupg.org>

	g10: Fix garbled status messages in NOTATION_DATA.
	+ commit 7b1db7192e6e4d0cfc439b23b13831837c85bc21
	* g10/cpr.c (write_status_text_and_buffer): Fix off-by-one

2022-06-09  NIIBE Yutaka  <gniibe@fsij.org>

	agent,scd: Make sure to set CONFIDENTIAL flag in Assuan.
	+ commit aeee62593ae9147a38fd79f0782f3fa0e4ac5c4a
	* agent/call-scd.c (inq_needpin): Call assuan_begin_confidential
	and assuan_end_confidential, and wipe the memory after use.
	* agent/command.c (cmd_preset_passphrase): Likewise.
	* scd/command.c (pin_cb): Likewise.

2022-06-03  Werner Koch  <wk@gnupg.org>

	w32: Avoid warning about not including winsock2.h after windows.h.
	+ commit dfc01118ce0707c2d920fb31f7731f3a383df761
	* common/dynload.h: Include winsock2.h first.

	w32: Allow Unicode filenames for iobuf_cancel.
	+ commit 10db566489880acd510f8e07dc52a38dd82feafe
	* common/iobuf.c (iobuf_cancel): Use gnupg_remove
	* common/mischelp.c (same_file_p): Allow for Unicode names.

2022-06-01  Werner Koch  <wk@gnupg.org>

	scd:p15: Fix accidental commit of debug code.
	+ commit e3db6c74a6305e86eaefb0ca8d49d4d9754104ff
	* scd/app-p15.c (do_sign): Revert MSE setting.

	scd: Shorten cardio debug output for all zeroes.
	+ commit 62becf599eb861936faf88b6ec5e0f7b1658b54e
