authorWerner Koch <[email protected]>2023-10-24 12:51:16 +0000
committerWerner Koch <[email protected]>2023-10-24 12:54:26 +0000
commit2c3c049fd8a001dc9937e5ac3884831b6e25d2da (patch)
treef660641ea621ee4bb29ebd01b103a9bb91d88b13
parentsm: Flag Brainpool curves as compliant. (diff)
sm: Flag Brainpool curves as compliant for all other operations.
* sm/fingerprint.c (gpgsm_get_key_algo_info2): Rename to (gpgsm_get_key_algo_info): this. Remove the old wrapper. Adjust all callers. * sm/decrypt.c (gpgsm_decrypt): Pass the curve to the compliance checker. * sm/encrypt.c (gpgsm_encrypt): Ditto. * sm/sign.c (gpgsm_sign): Ditto. * sm/verify.c (gpgsm_verify): Ditto. -- GnuPG-bug-id: 6253
-rw-r--r--sm/decrypt.c9
-rw-r--r--sm/encrypt.c10
-rw-r--r--sm/export.c2
-rw-r--r--sm/fingerprint.c11
-rw-r--r--sm/gpgsm.h5
-rw-r--r--sm/keylist.c2
-rw-r--r--sm/sign.c9
-rw-r--r--sm/verify.c4
8 files changed, 27 insertions, 25 deletions
diff --git a/sm/decrypt.c b/sm/decrypt.c
index 62983fe9c..787e2f5e6 100644
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@@ -1065,6 +1065,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
int recp;
estream_t in_fp = NULL;
struct decrypt_filter_parm_s dfparm;
+ char *curve = NULL;
memset (&dfparm, 0, sizeof dfparm);
@@ -1309,14 +1310,15 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
pkalgostr = gpgsm_pubkey_algo_string (cert, NULL);
- pk_algo = gpgsm_get_key_algo_info (cert, &nbits);
+ xfree (curve);
+ pk_algo = gpgsm_get_key_algo_info (cert, &nbits, &curve);
if (!opt.quiet)
log_info (_("encrypted to %s key %s\n"), pkalgostr, pkfpr);
/* Check compliance. */
if (!gnupg_pk_is_allowed (opt.compliance,
PK_USE_DECRYPTION,
- pk_algo, 0, NULL, nbits, NULL))
+ pk_algo, 0, NULL, nbits, curve))
{
char kidstr[10+1];
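Review bot: `xfree (curve);` immediately before the `gpgsm_get_key_algo_info` call leaves `curve` pointing at freed memory until the callee stores a new value. Whether the callee writes `*r_curve` on every return path, including early error returns, is not visible in this diff; if any path skips the store, the compliance check that follows would read freed memory and the `xfree (curve)` added in gpgsm_decrypt's cleanup would free it a second time. Resetting the pointer removes that dependency on the callee: `xfree (curve); curve = NULL;`, which is what the sm/encrypt.c hunk already does. The same pattern appears in the sm/sign.c hunk at `@@ -778,7 +779,8 @@`; the enclosing loop body starts and ends outside this hunk.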
@@ -1334,7 +1336,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
dfparm.is_de_vs =
(dfparm.is_de_vs
&& gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0,
- NULL, nbits, NULL));
+ NULL, nbits, curve));
oops:
if (rc)
@@ -1512,6 +1514,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
log_error ("message decryption failed: %s <%s>\n",
gpg_strerror (rc), gpg_strsource (rc));
}
+ xfree (curve);
ksba_cms_release (cms);
gnupg_ksba_destroy_reader (b64reader);
gnupg_ksba_destroy_writer (b64writer);
diff --git a/sm/encrypt.c b/sm/encrypt.c
index 6e78a0620..024f48673 100644
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@@ -758,11 +758,12 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
unsigned char *encval;
unsigned int nbits;
int pk_algo;
+ char *curve = NULL;
/* Check compliance. */
- pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits);
+ pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits, &curve);
if (!gnupg_pk_is_compliant (opt.compliance, pk_algo, 0,
- NULL, nbits, NULL))
+ NULL, nbits, curve))
{
char kidstr[10+1];
@@ -777,9 +778,12 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
/* Fixme: When adding ECC we need to provide the curvename and
* the key to gnupg_pk_is_compliant. */
if (compliant
- && !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0, NULL, nbits, NULL))
+ && !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0, NULL, nbits, curve))
compliant = 0;
+ xfree (curve);
+ curve = NULL;
+
rc = encrypt_dek (dek, cl->cert, pk_algo, &encval);
if (rc)
{
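Review bot: The `Fixme` comment kept as context above the CO_DE_VS check is stale now that `curve` is passed to `gnupg_pk_is_compliant`; only the key argument is still NULL. It could be reworded to `/* Fixme: We still need to provide the key to gnupg_pk_is_compliant. */`. Separately, `curve` is declared inside the loop body and released only by the `xfree (curve);` added here, so any exit from the block between the lookup and this point would leak it; the lines between the two hunks are not shown, so that path should be checked.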
diff --git a/sm/export.c b/sm/export.c
index 54893b54d..a6ba40f5d 100644
--- a/sm/export.c
+++ b/sm/export.c
@@ -430,7 +430,7 @@ gpgsm_p12_export (ctrl_t ctrl, const char *name, estream_t stream, int rawmode)
if (rawmode == 0)
ctrl->pem_name = "PKCS12";
- else if (gpgsm_get_key_algo_info (cert, NULL) == GCRY_PK_ECC)
+ else if (gpgsm_get_key_algo_info (cert, NULL, NULL) == GCRY_PK_ECC)
ctrl->pem_name = "EC PRIVATE KEY";
else if (rawmode == 1)
ctrl->pem_name = "PRIVATE KEY";
diff --git a/sm/fingerprint.c b/sm/fingerprint.c
index 5f3f6f51f..375a8647e 100644
--- a/sm/fingerprint.c
+++ b/sm/fingerprint.c
@@ -222,7 +222,7 @@ gpgsm_get_keygrip_hexstring (ksba_cert_t cert)
* algorithm is used the name or OID of the curve is stored there; the
* caller needs to free this value. */
int
-gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
+gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
{
gcry_sexp_t s_pkey;
int rc;
@@ -299,18 +299,11 @@ gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
}
-int
-gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits)
-{
- return gpgsm_get_key_algo_info2 (cert, nbits, NULL);
-}
-
-
/* Return true if CERT is an ECC key. */
int
gpgsm_is_ecc_key (ksba_cert_t cert)
{
- return GCRY_PK_ECC == gpgsm_get_key_algo_info2 (cert, NULL, NULL);
+ return GCRY_PK_ECC == gpgsm_get_key_algo_info (cert, NULL, NULL);
}
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index a22327edc..684251fda 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -339,9 +339,8 @@ unsigned long gpgsm_get_short_fingerprint (ksba_cert_t cert,
unsigned long *r_high);
unsigned char *gpgsm_get_keygrip (ksba_cert_t cert, unsigned char *array);
char *gpgsm_get_keygrip_hexstring (ksba_cert_t cert);
-int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits);
-int gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits,
- char **r_curve);
+int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits,
+ char **r_curve);
int gpgsm_is_ecc_key (ksba_cert_t cert);
char *gpgsm_pubkey_algo_string (ksba_cert_t cert, int *r_algoid);
gcry_mpi_t gpgsm_get_rsa_modulus (ksba_cert_t cert);
diff --git a/sm/keylist.c b/sm/keylist.c
index e84eb31d3..ed1b74729 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -562,7 +562,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
if (*truststring)
es_fputs (truststring, fp);
- algo = gpgsm_get_key_algo_info2 (cert, &nbits, &curve);
+ algo = gpgsm_get_key_algo_info (cert, &nbits, &curve);
es_fprintf (fp, ":%u:%d:%s:", nbits, algo, fpr+24);
ksba_cert_get_validity (cert, 0, t);
diff --git a/sm/sign.c b/sm/sign.c
index 235dac8cb..c3781506d 100644
--- a/sm/sign.c
+++ b/sm/sign.c
@@ -640,6 +640,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
certlist_t cl;
int release_signerlist = 0;
int binary_detached = detached && !ctrl->create_pem && !ctrl->create_base64;
+ char *curve = NULL;
audit_set_type (ctrl->audit, AUDIT_TYPE_SIGN);
@@ -778,7 +779,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
unsigned int nbits;
int pk_algo;
- pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits);
+ xfree (curve);
+ pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits, &curve);
cl->pk_algo = pk_algo;
if (opt.forced_digest_algo)
@@ -838,8 +840,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
goto leave;
}
- if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, 0,
- NULL, nbits, NULL))
+ if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, 0,
+ NULL, nbits, curve))
{
char kidstr[10+1];
@@ -1205,6 +1207,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
gpg_strerror (rc), gpg_strsource (rc) );
if (release_signerlist)
gpgsm_release_certlist (signerlist);
+ xfree (curve);
ksba_cms_release (cms);
gnupg_ksba_destroy_writer (b64writer);
keydb_release (kh);
diff --git a/sm/verify.c b/sm/verify.c
index c7f4492ce..1f5c1d378 100644
--- a/sm/verify.c
+++ b/sm/verify.c
@@ -468,7 +468,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
pkalgostr = gpgsm_pubkey_algo_string (cert, NULL);
- pkalgo = gpgsm_get_key_algo_info2 (cert, &nbits, &pkcurve);
+ pkalgo = gpgsm_get_key_algo_info (cert, &nbits, &pkcurve);
/* Remap the ECC algo to the algo we use. Note that EdDSA has
* already been mapped. */
if (pkalgo == GCRY_PK_ECC)
@@ -504,7 +504,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
/* Check compliance. */
if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
- pkalgo, pkalgoflags, NULL, nbits, NULL))
+ pkalgo, pkalgoflags, NULL, nbits, pkcurve))
{
char kidstr[10+1];