aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWerner Koch <[email protected]>2023-10-24 12:51:16 +0000
committerWerner Koch <[email protected]>2023-10-24 12:51:16 +0000
commitf0e127defb87b225dde7d4c3d81099d9e32459b6 (patch)
tree762717dbfcbfa566086a995f58d58902164f4fae
parentsm: Flag Brainpool curves as compliant. (diff)
downloadgnupg-f0e127defb87b225dde7d4c3d81099d9e32459b6.tar.gz
gnupg-f0e127defb87b225dde7d4c3d81099d9e32459b6.zip
sm: Flag Brainpool curves as compliant for all other operations.
* sm/fingerprint.c (gpgsm_get_key_algo_info2): Rename to (gpgsm_get_key_algo_info): this. Remove the old wrapper. Adjust all callers. * sm/decrypt.c (gpgsm_decrypt): Pass the curve to the compliance checker. * sm/encrypt.c (gpgsm_encrypt): Ditto. * sm/sign.c (gpgsm_sign): Ditto. * sm/verify.c (gpgsm_verify): Ditto. -- GnuPG-bug-id: 6253
Diffstat
-rw-r--r--sm/decrypt.c9
-rw-r--r--sm/encrypt.c10
-rw-r--r--sm/fingerprint.c11
-rw-r--r--sm/gpgsm.h5
-rw-r--r--sm/keylist.c2
-rw-r--r--sm/sign.c7
-rw-r--r--sm/verify.c4
7 files changed, 25 insertions, 23 deletions
diff --git a/sm/decrypt.c b/sm/decrypt.c
index c9b50632c..93f2783af 100644
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@@ -1074,6 +1074,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
int recp;
estream_t in_fp = NULL;
struct decrypt_filter_parm_s dfparm;
+ char *curve = NULL;
memset (&dfparm, 0, sizeof dfparm);
@@ -1318,14 +1319,15 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
pkalgostr = gpgsm_pubkey_algo_string (cert, NULL);
- pk_algo = gpgsm_get_key_algo_info (cert, &nbits);
+ xfree (curve);
+ pk_algo = gpgsm_get_key_algo_info (cert, &nbits, &curve);
if (!opt.quiet)
log_info (_("encrypted to %s key %s\n"), pkalgostr, pkfpr);
/* Check compliance. */
if (!gnupg_pk_is_allowed (opt.compliance,
PK_USE_DECRYPTION,
- pk_algo, 0, NULL, nbits, NULL))
+ pk_algo, 0, NULL, nbits, curve))
{
char kidstr[10+1];
@@ -1343,7 +1345,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
dfparm.is_de_vs =
(dfparm.is_de_vs
&& gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0,
- NULL, nbits, NULL));
+ NULL, nbits, curve));
oops:
if (rc)
@@ -1521,6 +1523,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
log_error ("message decryption failed: %s <%s>\n",
gpg_strerror (rc), gpg_strsource (rc));
}
+ xfree (curve);
ksba_cms_release (cms);
gnupg_ksba_destroy_reader (b64reader);
gnupg_ksba_destroy_writer (b64writer);
diff --git a/sm/encrypt.c b/sm/encrypt.c
index fc104db1d..b9e8c92c8 100644
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@@ -777,11 +777,12 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
unsigned char *encval;
unsigned int nbits;
int pk_algo;
+ char *curve = NULL;
/* Check compliance. */
- pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits);
+ pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits, &curve);
if (!gnupg_pk_is_compliant (opt.compliance, pk_algo, 0,
- NULL, nbits, NULL))
+ NULL, nbits, curve))
{
char kidstr[10+1];
@@ -796,9 +797,12 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
/* Fixme: When adding ECC we need to provide the curvename and
* the key to gnupg_pk_is_compliant. */
if (compliant
- && !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0, NULL, nbits, NULL))
+ && !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0, NULL, nbits, curve))
compliant = 0;
+ xfree (curve);
+ curve = NULL;
+
rc = encrypt_dek (dek, cl->cert, pk_algo, &encval);
if (rc)
{
diff --git a/sm/fingerprint.c b/sm/fingerprint.c
index ce0830e29..ab898fdec 100644
--- a/sm/fingerprint.c
+++ b/sm/fingerprint.c
@@ -223,7 +223,7 @@ gpgsm_get_keygrip_hexstring (ksba_cert_t cert)
* algorithm is used the name or OID of the curve is stored there; the
* caller needs to free this value. */
int
-gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
+gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
{
gcry_sexp_t s_pkey;
int rc;
@@ -300,18 +300,11 @@ gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
}
-int
-gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits)
-{
- return gpgsm_get_key_algo_info2 (cert, nbits, NULL);
-}
-
-
/* Return true if CERT is an ECC key. */
int
gpgsm_is_ecc_key (ksba_cert_t cert)
{
- return GCRY_PK_ECC == gpgsm_get_key_algo_info2 (cert, NULL, NULL);
+ return GCRY_PK_ECC == gpgsm_get_key_algo_info (cert, NULL, NULL);
}
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index 7038e0ea8..4140c9709 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -295,9 +295,8 @@ unsigned long gpgsm_get_short_fingerprint (ksba_cert_t cert,
unsigned long *r_high);
unsigned char *gpgsm_get_keygrip (ksba_cert_t cert, unsigned char *array);
char *gpgsm_get_keygrip_hexstring (ksba_cert_t cert);
-int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits);
-int gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits,
- char **r_curve);
+int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits,
+ char **r_curve);
int gpgsm_is_ecc_key (ksba_cert_t cert);
char *gpgsm_pubkey_algo_string (ksba_cert_t cert, int *r_algoid);
char *gpgsm_get_certid (ksba_cert_t cert);
diff --git a/sm/keylist.c b/sm/keylist.c
index e49215376..bac973984 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -502,7 +502,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
if (*truststring)
es_fputs (truststring, fp);
- algo = gpgsm_get_key_algo_info2 (cert, &nbits, &curve);
+ algo = gpgsm_get_key_algo_info (cert, &nbits, &curve);
es_fprintf (fp, ":%u:%d:%s:", nbits, algo, fpr+24);
ksba_cert_get_validity (cert, 0, t);
diff --git a/sm/sign.c b/sm/sign.c
index 83d44ebba..013f4b87c 100644
--- a/sm/sign.c
+++ b/sm/sign.c
@@ -543,6 +543,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
certlist_t cl;
int release_signerlist = 0;
int binary_detached = detached && !ctrl->create_pem && !ctrl->create_base64;
+ char *curve = NULL;
audit_set_type (ctrl->audit, AUDIT_TYPE_SIGN);
@@ -676,7 +677,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
unsigned int nbits;
int pk_algo;
- pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits);
+ xfree (curve);
+ pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits, &curve);
cl->pk_algo = pk_algo;
if (opt.forced_digest_algo)
@@ -736,7 +738,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
}
if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, 0,
- NULL, nbits, NULL))
+ NULL, nbits, curve))
{
char kidstr[10+1];
@@ -1092,6 +1094,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
gpg_strerror (rc), gpg_strsource (rc) );
if (release_signerlist)
gpgsm_release_certlist (signerlist);
+ xfree (curve);
ksba_cms_release (cms);
gnupg_ksba_destroy_writer (b64writer);
keydb_release (kh);
diff --git a/sm/verify.c b/sm/verify.c
index b092b90da..db3ff5bf0 100644
--- a/sm/verify.c
+++ b/sm/verify.c
@@ -469,7 +469,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
pkalgostr = gpgsm_pubkey_algo_string (cert, NULL);
- pkalgo = gpgsm_get_key_algo_info2 (cert, &nbits, &pkcurve);
+ pkalgo = gpgsm_get_key_algo_info (cert, &nbits, &pkcurve);
/* Remap the ECC algo to the algo we use. Note that EdDSA has
* already been mapped. */
if (pkalgo == GCRY_PK_ECC)
@@ -504,7 +504,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
/* Check compliance. */
if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
- pkalgo, pkalgoflags, NULL, nbits, NULL))
+ pkalgo, pkalgoflags, NULL, nbits, pkcurve))
{
char kidstr[10+1];
generated by cgit v1.2.3 (git 2.25.1) at 2025-06-17 06:30:39 +0000