author | Werner Koch <[email protected]> | 2021-11-18 19:44:14 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2021-11-18 19:49:37 +0000 |
commit | 5f39db70c069a95731a8a1f65547e3314d6b1f85 (patch) | |
tree | 542a8ac70cc32c4fc1de79fa24cedd2fbd7a759d /common/compliance.c | |
parent | gpgconf: --show-configs now prints a bunch of Registry entries. (diff) | |
gpg,gpgsm: Add option --min-rsa-length.
* common/compliance.c (min_compliant_rsa_length): New.
(gnupg_pk_is_compliant): Take into account.
(gnupg_pk_is_allowed): Ditto.
(gnupg_set_compliance_extra_info): New.
* g10/gpg.c (oMinRSALength): New.
(opts): Add --min-rsa-length.
(main): Set value.
* g10/options.h (opt): Add field min_rsa_length.
* sm/gpgsm.c (oMinRSALength): New.
(opts): Add --min-rsa-length.
(main): Set value.
* sm/gpgsm.h (opt): Add field min_rsa_length.
Diffstat (limited to 'common/compliance.c')
-rw-r--r-- | common/compliance.c | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/common/compliance.c b/common/compliance.c
index 6c2fcd5b3..33a19fe06 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -40,6 +40,10 @@
 static int initialized;
 static int module;
+/* This value is used by DSA and RSA checks in addition to the hard
+ * coded length checks. It allows to increase the required key length
+ * using a confue file. */
+static unsigned int min_compliant_rsa_length;
 /* Return the address of a compliance cache variable for COMPLIANCE.
 * If no such variable exists NULL is returned. FOR_RNG returns the
@@ -176,9 +180,10 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
 break;
 case is_rsa:
- result = (keylength == 2048
- || keylength == 3072
- || keylength == 4096);
+ result = ((keylength == 2048
+ || keylength == 3072
+ || keylength == 4096)
+ && keylength >= min_compliant_rsa_length);
 /* Although rsaPSS was not part of the original evaluation
 * we got word that we can claim compliance. */
 (void)algo_flags;
@@ -190,7 +195,8 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
 size_t P = gcry_mpi_get_nbits (key[0]);
 size_t Q = gcry_mpi_get_nbits (key[1]);
 result = (Q == 256
- && (P == 2048 || P == 3072));
+ && (P == 2048 || P == 3072)
+ && P >= min_compliant_rsa_length);
 }
 break;
@@ -256,9 +262,10 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
 break;
 case PK_USE_ENCRYPTION:
 case PK_USE_SIGNING:
- result = (keylength == 2048
- || keylength == 3072
- || keylength == 4096);
+ result = ((keylength == 2048
+ || keylength == 3072
+ || keylength == 4096)
+ && keylength >= min_compliant_rsa_length);
 break;
 default:
 log_assert (!"reached");
@@ -273,7 +280,9 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
 {
 size_t P = gcry_mpi_get_nbits (key[0]);
 size_t Q = gcry_mpi_get_nbits (key[1]);
- result = (Q == 256 && (P == 2048 || P == 3072));
+ result = (Q == 256
+ && (P == 2048 || P == 3072)
+ && keylength >= min_compliant_rsa_length);
 }
 break;
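Review bot: The comment added above `min_compliant_rsa_length` in the first hunk misspells where the value comes from (`confue file`) and leaves its default and meaning unstated, even though the name says RSA while the later hunks apply it to the DSA p size as well. Since it is a file-scope static it starts at zero, and with the `>=` comparisons used below a zero means no extra restriction. I would replace the three comment lines with `/* Minimum bit length, set from --min-rsa-length, that an RSA modulus or a DSA p must have on top of the hard-coded sizes checked below; 0 (the default) imposes no extra limit.  */`.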
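Review bot: The DSA branch of gnupg_pk_is_allowed in the last hunk compares `keylength` against the new minimum, whereas the parallel DSA change in gnupg_pk_is_compliant compares `P`, the bit length of key[0] computed two lines earlier in the same block. Unless every caller passes a keylength equal to the size of p whenever it supplies key[], a keylength of 0 here would reject every DSA key as soon as --min-rsa-length is set, and even if callers are consistent today the two functions now encode the same rule differently. Using the locally derived value removes that dependency: `&& P >= min_compliant_rsa_length);`. Both functions begin outside the hunk, so how keylength is derived for DSA is not visible from this diff.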
@@ -679,3 +688,11 @@ gnupg_compliance_option_string (enum gnupg_compliance_mode compliance)
 log_assert (!"invalid compliance mode");
 }
+
+
+/* Set additional infos for example taken from config files at startup. */
+void
+gnupg_set_compliance_extra_info (unsigned int min_rsa)
+{
+ min_compliant_rsa_length = min_rsa;
+} |
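Review bot: gnupg_set_compliance_extra_info stores whatever value it is given without any check or diagnostic, and because the RSA checks earlier in this diff only accept exactly 2048, 3072 or 4096 bits, a minimum above 4096 silently makes every RSA key non-compliant in de-vs mode instead of surfacing as a misconfiguration. The header comment should at least spell out the contract, e.g. `/* Set additional compliance parameters, e.g. from config files at startup.  MIN_RSA is the minimum bit length an RSA modulus (and a DSA p) must have to count as compliant; 0 disables the extra check, and values above 4096 reject all RSA keys because the hard-coded size list ends there.  */`. Emitting a warning through the logging helpers this file already uses when min_rsa exceeds 4096 would make that case visible to the administrator.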