diff options
| author | Werner Koch <[email protected]> | 2023-11-08 16:09:04 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2023-11-08 16:16:31 +0000 |
| commit | 77fb089835db9e07ce3bad3e16a099f3a56ef574 (patch) | |
| tree | 9527d1d8e85036fd25f829c47b6a02a2c4df00e2 | |
| parent | gpgsm: Cleanup of legacy variable name use. (diff) | |
| download | gnupg-77fb089835db9e07ce3bad3e16a099f3a56ef574.tar.gz gnupg-77fb089835db9e07ce3bad3e16a099f3a56ef574.zip | |
gpgsm: Support ECDSA in de-vs mode.
* common/compliance.h (PK_ALGO_FLAG_ECC18): New.
* common/compliance.c (gnupg_pk_is_allowed): Implement.
* sm/decrypt.c (gpgsm_decrypt): Pass new flag.
* sm/sign.c (gpgsm_sign): Ditto.
* sm/verify.c (gpgsm_verify): Ditto.
--
GnuPG-bug-id: 6802
| -rw-r--r-- | NEWS | 2 | ||||
| -rw-r--r-- | common/compliance.c | 13 | ||||
| -rw-r--r-- | common/compliance.h | 1 | ||||
| -rw-r--r-- | sm/decrypt.c | 3 | ||||
| -rw-r--r-- | sm/sign.c | 4 | ||||
| -rw-r--r-- | sm/verify.c | 1 |
6 files changed, 18 insertions, 6 deletions
@@ -32,7 +32,7 @@ Noteworthy changes in version 2.2.42 (unreleased) * gpg: Fix the "keytocard" command for moving ECC keys with non-standard ECDH parameters to OpenPGP cards. [rG92af3f88a9] - * gpgsm: Support ECC certificates. [T6253] + * gpgsm: Support ECC certificates. [T6253, T6802] * gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534] diff --git a/common/compliance.c b/common/compliance.c index 992c1d3e3..bb09d7ed9 100644 --- a/common/compliance.c +++ b/common/compliance.c @@ -261,6 +261,13 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance, if (! initialized) return 1; + /* Map the the generic ECC algo to ECDSA if requested. */ + if ((algo_flags & PK_ALGO_FLAG_ECC18) + && algo == GCRY_PK_ECC + && (use == PK_USE_VERIFICATION + || use == PK_USE_SIGNING)) + algo = GCRY_PK_ECDSA; + switch (compliance) { case CO_DE_VS: @@ -285,7 +292,6 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance, default: log_assert (!"reached"); } - (void)algo_flags; break; case PUBKEY_ALGO_DSA: @@ -306,7 +312,7 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance, result = (use == PK_USE_DECRYPTION); break; - case PUBKEY_ALGO_ECDH: + case PUBKEY_ALGO_ECDH: /* Same value as GCRY_PK_ECC, i.e. 18 */ case GCRY_PK_ECDH: if (use == PK_USE_DECRYPTION) result = 1; @@ -557,6 +563,9 @@ gnupg_rng_is_compliant (enum gnupg_compliance_mode compliance) int *result; int res; + /* #warning debug code ahead */ + /* return 1; */ + result = get_compliance_cache (compliance, 1); if (result && *result != -1) diff --git a/common/compliance.h b/common/compliance.h index 2451d606e..b89cd48b0 100644 --- a/common/compliance.h +++ b/common/compliance.h @@ -52,6 +52,7 @@ enum pk_use_case /* Flags to distinguish public key algorithm variants. */ #define PK_ALGO_FLAG_RSAPSS 1 /* Use rsaPSS padding. */ +#define PK_ALGO_FLAG_ECC18 256 /* GCRY_PK_ECC is used in a generic way. */ int gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo, diff --git a/sm/decrypt.c b/sm/decrypt.c index 93f2783af..742653ab7 100644 --- a/sm/decrypt.c +++ b/sm/decrypt.c @@ -1327,7 +1327,8 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) /* Check compliance. */ if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION, - pk_algo, 0, NULL, nbits, curve)) + pk_algo, PK_ALGO_FLAG_ECC18, + NULL, nbits, curve)) { char kidstr[10+1]; @@ -732,8 +732,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, goto leave; } - if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, 0, - NULL, nbits, curve)) + if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, + PK_ALGO_FLAG_ECC18, NULL, nbits, curve)) { char kidstr[10+1]; diff --git a/sm/verify.c b/sm/verify.c index db3ff5bf0..58911bb04 100644 --- a/sm/verify.c +++ b/sm/verify.c @@ -503,6 +503,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) audit_log_i (ctrl->audit, AUDIT_DATA_HASH_ALGO, algo); /* Check compliance. */ + pkalgoflags |= PK_ALGO_FLAG_ECC18; if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, pkalgo, pkalgoflags, NULL, nbits, pkcurve)) { |