-rw-r--r--agent/agent.h3
-rw-r--r--agent/findkey.c42
-rw-r--r--agent/pksign.c37
3 files changed, 23 insertions, 59 deletions
diff --git a/agent/agent.h b/agent/agent.h
index 857dffef6..de0d25fb3 100644
--- a/agent/agent.h
+++ b/agent/agent.h
@@ -447,8 +447,7 @@ gpg_error_t agent_raw_key_from_file (ctrl_t ctrl, const unsigned char *grip,
gpg_error_t agent_public_key_from_file (ctrl_t ctrl,
const unsigned char *grip,
gcry_sexp_t *result);
-int agent_is_dsa_key (gcry_sexp_t s_key);
-int agent_is_eddsa_key (gcry_sexp_t s_key);
+int agent_pk_get_algo (gcry_sexp_t s_key);
int agent_key_available (const unsigned char *grip);
gpg_error_t agent_key_info_from_file (ctrl_t ctrl, const unsigned char *grip,
int *r_keytype,
diff --git a/agent/findkey.c b/agent/findkey.c
index 53a08b89f..d1b688888 100644
--- a/agent/findkey.c
+++ b/agent/findkey.c
@@ -1258,10 +1258,10 @@ is_eddsa (gcry_sexp_t keyparms)
}
-/* Return the public key algorithm number if S_KEY is a DSA style key.
- If it is not a DSA style key, return 0. */
+/* Return the public key algorithm number of S_KEY. For ECC, returns
+ GCRY_PK_ECC (generic), even if it is known specifically for ECDSA. */
int
-agent_is_dsa_key (gcry_sexp_t s_key)
+agent_pk_get_algo (gcry_sexp_t s_key)
{
int result;
gcry_sexp_t list;
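Review bot: The new header comment at the top of this hunk explains the ECC result but never says what a return value of 0 means, and 0 is now produced for three distinct situations: a NULL S_KEY, a key whose parameters key_parms_from_sexp() cannot read, and an algorithm name the function does not recognise. The callers in pksign.c compare the result against GCRY_PK_* constants, so they need to know that 0 is "unknown" rather than "RSA", which is what the old agent_is_dsa_key()==0 convention implied. Suggest appending to the comment: `Returns 0 if S_KEY is NULL, its parameters cannot be parsed, or the algorithm is not one of rsa, dsa, ecc or ecdsa; callers must treat 0 as unknown.` The function body continues past the end of this hunk.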
@@ -1271,43 +1271,21 @@ agent_is_dsa_key (gcry_sexp_t s_key)
return 0;
if (key_parms_from_sexp (s_key, &list, algoname, sizeof algoname, NULL, 0))
- return 0; /* Error - assume it is not an DSA key. */
+ return 0;
- if (!strcmp (algoname, "dsa"))
+ if (!strcmp (algoname, "rsa"))
+ result = GCRY_PK_RSA;
+ else if (!strcmp (algoname, "dsa"))
result = GCRY_PK_DSA;
else if (!strcmp (algoname, "ecc"))
{
if (is_eddsa (list))
- result = 0;
+ result = GCRY_PK_EDDSA;
else
- result = GCRY_PK_ECDSA;
+ result = GCRY_PK_ECC;
}
else if (!strcmp (algoname, "ecdsa"))
- result = GCRY_PK_ECDSA;
- else
- result = 0;
-
- gcry_sexp_release (list);
- return result;
-}
-
-
-/* Return true if S_KEY is an EdDSA key as used with curve Ed25519. */
-int
-agent_is_eddsa_key (gcry_sexp_t s_key)
-{
- int result;
- gcry_sexp_t list;
- char algoname[6];
-
- if (!s_key)
- return 0;
-
- if (key_parms_from_sexp (s_key, &list, algoname, sizeof algoname, NULL, 0))
- return 0; /* Error - assume it is not an EdDSA key. */
-
- if (!strcmp (algoname, "ecc") && is_eddsa (list))
- result = 1;
+ result = GCRY_PK_ECC;
else
result = 0;
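Review bot: The parse-failure return near the top of this hunk lost its explanation when `/* Error - assume it is not an DSA key. */` was dropped, and the bare `return 0;` is now indistinguishable from the unknown-algorithm result at the bottom of the hunk, even though callers pick the signing path from this value. A one-line comment on each would make the overload explicit: `return 0; /* Unparsable key - report as unknown algorithm. */` for the early return, and `/* Not rsa, dsa, ecc or ecdsa. */` on the final `else result = 0;`. The release of LIST and the return presumably follow outside the hunk, as they did in the removed agent_is_eddsa_key().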
diff --git a/agent/pksign.c b/agent/pksign.c
index 6993599f9..96f877415 100644
--- a/agent/pksign.c
+++ b/agent/pksign.c
@@ -155,7 +155,7 @@ do_encode_dsa (const byte *md, size_t mdlen, int pkalgo, gcry_sexp_t pkey,
*r_hash = NULL;
- if (pkalgo == GCRY_PK_ECDSA)
+ if (pkalgo == GCRY_PK_ECC)
qbits = gcry_pk_get_nbits (pkey);
else if (pkalgo == GCRY_PK_DSA)
qbits = get_dsa_qbits (pkey);
@@ -185,7 +185,7 @@ do_encode_dsa (const byte *md, size_t mdlen, int pkalgo, gcry_sexp_t pkey,
/* ECDSA 521 is special has it is larger than the largest hash
we have (SHA-512). Thus we change the size for further
processing to 512. */
- if (pkalgo == GCRY_PK_ECDSA && qbits > 512)
+ if (pkalgo == GCRY_PK_ECC && qbits > 512)
qbits = 512;
/* Check if we're too short. Too long is safe as we'll
@@ -288,6 +288,7 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
const unsigned char *data;
int datalen;
int check_signature = 0;
+ int algo;
if (overridedata)
{
@@ -319,6 +320,8 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
goto leave;
}
+ algo = agent_pk_get_algo (s_skey);
+
if (shadow_info || no_shadow_info)
{
/* Divert operation to the smartcard. With NO_SHADOW_INFO set
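Review bot: `algo = agent_pk_get_algo (s_skey);` is evaluated before the smartcard branch, whereas the code it replaces derived the algorithm from s_pkey inside that branch (the removed `agent_is_eddsa_key (s_pkey)` / `agent_is_dsa_key (s_pkey)` calls in the hunk at -385). In the no_shadow_info case s_skey may not hold a parseable key S-expression at all, and agent_pk_get_algo() returns 0 both for a NULL key and for anything key_parms_from_sexp() cannot read; with algo == 0 none of the `algo == GCRY_PK_RSA/EDDSA/ECC` branches later in the function build a signature. Unless s_skey is guaranteed to be a parseable (shadowed) key whenever the card path runs, compute the algorithm per path: `algo = agent_pk_get_algo (s_pkey);` once s_pkey is available in the card branch, and `algo = agent_pk_get_algo (s_skey);` in the software branch. agent_pksign_do() begins before and ends after this hunk.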
@@ -326,10 +329,6 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
* is on the active card. */
size_t len;
unsigned char *buf = NULL;
- int key_type;
- int is_RSA = 0;
- int is_ECDSA = 0;
- int is_EdDSA = 0;
if (no_shadow_info)
{
@@ -385,17 +384,6 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
}
}
- if (agent_is_eddsa_key (s_pkey))
- is_EdDSA = 1;
- else
- {
- key_type = agent_is_dsa_key (s_pkey);
- if (key_type == 0)
- is_RSA = 1;
- else if (key_type == GCRY_PK_ECDSA)
- is_ECDSA = 1;
- }
-
{
char *desc2 = NULL;
@@ -415,7 +403,7 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
goto leave;
}
- if (is_RSA)
+ if (algo == GCRY_PK_RSA)
{
unsigned char *p = buf;
@@ -441,12 +429,12 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
err = gcry_sexp_build (&s_sig, NULL, "(sig-val(rsa(s%b)))",
(int)len, p);
}
- else if (is_EdDSA)
+ else if (algo == GCRY_PK_EDDSA)
{
err = gcry_sexp_build (&s_sig, NULL, "(sig-val(eddsa(r%b)(s%b)))",
(int)len/2, buf, (int)len/2, buf + len/2);
}
- else if (is_ECDSA)
+ else if (algo == GCRY_PK_ECC)
{
unsigned char *r_buf, *s_buf;
int r_buflen, s_buflen;
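Review bot: The if/else chain in this hunk has no visible fallback for algo == 0, which agent_pk_get_algo() returns for a NULL key, an unparseable key or an unrecognised algorithm name; before this change that same condition set is_RSA, so the RSA code always ran. If the tail of the chain beyond the hunk has no final else, such a key leaves s_sig unset and the function carries on with whatever err currently holds. Suggest terminating the chain with `else err = gpg_error (GPG_ERR_PUBKEY_ALGO);` so an undetermined algorithm fails explicitly instead of silently. The chain and the enclosing card branch continue past the end of this hunk.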
@@ -491,19 +479,18 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
else
{
/* No smartcard, but a private key (in S_SKEY). */
- int dsaalgo = 0;
/* Put the hash into a sexp */
- if (agent_is_eddsa_key (s_skey))
+ if (algo == GCRY_PK_EDDSA)
err = do_encode_eddsa (data, datalen,
&s_hash);
else if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
err = do_encode_raw_pkcs1 (data, datalen,
gcry_pk_get_nbits (s_skey),
&s_hash);
- else if ( (dsaalgo = agent_is_dsa_key (s_skey)) )
+ else if (algo == GCRY_PK_DSA || algo == GCRY_PK_ECC)
err = do_encode_dsa (data, datalen,
- dsaalgo, s_skey,
+ algo, s_skey,
&s_hash);
else
err = do_encode_md (data, datalen,
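Review bot: In the software path the final `else err = do_encode_md (...)` now catches algo == 0 as well as RSA, so a key that agent_pk_get_algo() could not classify is PKCS#1-encoded and handed to libgcrypt as if it were RSA, while the RSA-only guard in the next hunk (`algo == GCRY_PK_RSA && GCRYPT_VERSION_NUMBER < 0x010700`) no longer triggers the check_signature verification for it — the old `dsaalgo == 0` test did. Make the RSA case explicit and reject everything else: `else if (algo == GCRY_PK_RSA) err = do_encode_md (...); else err = gpg_error (GPG_ERR_PUBKEY_ALGO);`. The function continues beyond this hunk.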
@@ -513,7 +500,7 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
if (err)
goto leave;
- if (dsaalgo == 0 && GCRYPT_VERSION_NUMBER < 0x010700)
+ if (algo == GCRY_PK_RSA && GCRYPT_VERSION_NUMBER < 0x010700)
{
/* It's RSA and Libgcrypt < 1.7 */
check_signature = 1;