aboutsummaryrefslogtreecommitdiffstats
path: root/sm
diff options
context:
space:
mode:
authorWerner Koch <[email protected]>2023-12-22 12:45:02 +0000
committerWerner Koch <[email protected]>2023-12-22 12:45:02 +0000
commit2764ee309a2e0c10cef606345f06dd37c637fc41 (patch)
tree4238a756e7624b31ade6e558a1c0794af691412d /sm
parentRegister DCO for Mario Haustein (diff)
parentdoc: Explain why socket activation is a problem (diff)
downloadgnupg-2764ee309a2e0c10cef606345f06dd37c637fc41.tar.gz
gnupg-2764ee309a2e0c10cef606345f06dd37c637fc41.zip
Merge branch 'STABLE-BRANCH-2-4'
-- Fixed conflicts in NEWS g10/encrypt.c sm/encrypt.c sm/sign.c
Diffstat (limited to 'sm')
-rw-r--r--sm/call-agent.c5
-rw-r--r--sm/decrypt.c3
-rw-r--r--sm/encrypt.c74
-rw-r--r--sm/keydb.c23
-rw-r--r--sm/keylist.c2
-rw-r--r--sm/minip12.c2
-rw-r--r--sm/sign.c132
-rw-r--r--sm/verify.c1
8 files changed, 122 insertions, 120 deletions
diff --git a/sm/call-agent.c b/sm/call-agent.c
index 7f7205f26..acce19058 100644
--- a/sm/call-agent.c
+++ b/sm/call-agent.c
@@ -1323,6 +1323,7 @@ gpgsm_agent_ask_passphrase (ctrl_t ctrl, const char *desc_msg, int repeat,
char *arg4 = NULL;
membuf_t data;
struct default_inq_parm_s inq_parm;
+ int wasconf;
*r_passphrase = NULL;
@@ -1341,9 +1342,13 @@ gpgsm_agent_ask_passphrase (ctrl_t ctrl, const char *desc_msg, int repeat,
xfree (arg4);
init_membuf_secure (&data, 64);
+ wasconf = assuan_get_flag (agent_ctx, ASSUAN_CONFIDENTIAL);
+ assuan_begin_confidential (agent_ctx);
err = assuan_transact (agent_ctx, line,
put_membuf_cb, &data,
default_inq_cb, &inq_parm, NULL, NULL);
+ if (!wasconf)
+ assuan_end_confidential (agent_ctx);
if (err)
xfree (get_membuf (&data, NULL));
diff --git a/sm/decrypt.c b/sm/decrypt.c
index 6121fd278..5a947779f 100644
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@@ -1309,7 +1309,8 @@ gpgsm_decrypt (ctrl_t ctrl, estream_t in_fp, estream_t out_fp)
/* Check compliance. */
if (!gnupg_pk_is_allowed (opt.compliance,
PK_USE_DECRYPTION,
- pk_algo, 0, NULL, nbits, curve))
+ pk_algo, PK_ALGO_FLAG_ECC18,
+ NULL, nbits, curve))
{
char kidstr[10+1];
diff --git a/sm/encrypt.c b/sm/encrypt.c
index 9113028db..16c48c8d5 100644
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@@ -577,9 +577,8 @@ int
gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
estream_t out_fp)
{
- int rc = 0;
+ gpg_error_t err = 0;
gnupg_ksba_io_t b64writer = NULL;
- gpg_error_t err;
ksba_writer_t writer;
ksba_reader_t reader = NULL;
ksba_cms_t cms = NULL;
@@ -607,7 +606,7 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
log_error(_("no valid recipients given\n"));
gpgsm_status (ctrl, STATUS_NO_RECP, "0");
audit_log_i (ctrl->audit, AUDIT_GOT_RECIPIENTS, 0);
- rc = gpg_error (GPG_ERR_NO_PUBKEY);
+ err = gpg_error (GPG_ERR_NO_PUBKEY);
goto leave;
}
@@ -619,28 +618,26 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
if (!kh)
{
log_error (_("failed to allocate keyDB handle\n"));
- rc = gpg_error (GPG_ERR_GENERAL);
+ err = gpg_error (GPG_ERR_GENERAL);
goto leave;
}
err = ksba_reader_new (&reader);
+ if (!err)
+ err = ksba_reader_set_cb (reader, encrypt_cb, &encparm);
if (err)
- rc = err;
- if (!rc)
- rc = ksba_reader_set_cb (reader, encrypt_cb, &encparm);
- if (rc)
- goto leave;
+ goto leave;
encparm.fp = data_fp;
ctrl->pem_name = "ENCRYPTED MESSAGE";
- rc = gnupg_ksba_create_writer
+ err = gnupg_ksba_create_writer
(&b64writer, ((ctrl->create_pem? GNUPG_KSBA_IO_PEM : 0)
| (ctrl->create_base64? GNUPG_KSBA_IO_BASE64 : 0)),
ctrl->pem_name, out_fp, &writer);
- if (rc)
+ if (err)
{
- log_error ("can't create writer: %s\n", gpg_strerror (rc));
+ log_error ("can't create writer: %s\n", gpg_strerror (err));
goto leave;
}
@@ -650,17 +647,13 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
err = ksba_cms_new (&cms);
if (err)
- {
- rc = err;
- goto leave;
- }
+ goto leave;
err = ksba_cms_set_reader_writer (cms, reader, writer);
if (err)
{
log_error ("ksba_cms_set_reader_writer failed: %s\n",
gpg_strerror (err));
- rc = err;
goto leave;
}
@@ -675,7 +668,6 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
{
log_error ("ksba_cms_set_content_type failed: %s\n",
gpg_strerror (err));
- rc = err;
goto leave;
}
@@ -687,34 +679,34 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
log_error (_("cipher algorithm '%s' may not be used in %s mode\n"),
opt.def_cipher_algoid,
gnupg_compliance_option_string (opt.compliance));
- rc = gpg_error (GPG_ERR_CIPHER_ALGO);
+ err = gpg_error (GPG_ERR_CIPHER_ALGO);
goto leave;
}
if (!gnupg_rng_is_compliant (opt.compliance))
{
- rc = gpg_error (GPG_ERR_FORBIDDEN);
+ err = gpg_error (GPG_ERR_FORBIDDEN);
log_error (_("%s is not compliant with %s mode\n"),
"RNG",
gnupg_compliance_option_string (opt.compliance));
gpgsm_status_with_error (ctrl, STATUS_ERROR,
- "random-compliance", rc);
+ "random-compliance", err);
goto leave;
}
/* Create a session key */
dek = xtrycalloc_secure (1, sizeof *dek);
if (!dek)
- rc = out_of_core ();
+ err = gpg_error_from_syserror ();
else
- {
- dek->algoid = opt.def_cipher_algoid;
- rc = init_dek (dek);
- }
- if (rc)
+ {
+ dek->algoid = opt.def_cipher_algoid;
+ err = init_dek (dek);
+ }
+ if (err)
{
log_error ("failed to create the session key: %s\n",
- gpg_strerror (rc));
+ gpg_strerror (err));
goto leave;
}
@@ -723,7 +715,6 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
{
log_error ("ksba_cms_set_content_enc_algo failed: %s\n",
gpg_strerror (err));
- rc = err;
goto leave;
}
@@ -733,7 +724,7 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
encparm.buffer = xtrymalloc (encparm.bufsize);
if (!encparm.buffer)
{
- rc = out_of_core ();
+ err = gpg_error_from_syserror ();
goto leave;
}
@@ -775,12 +766,12 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
xfree (curve);
curve = NULL;
- rc = encrypt_dek (dek, cl->cert, pk_algo, &encval);
- if (rc)
+ err = encrypt_dek (dek, cl->cert, pk_algo, &encval);
+ if (err)
{
- audit_log_cert (ctrl->audit, AUDIT_ENCRYPTED_TO, cl->cert, rc);
+ audit_log_cert (ctrl->audit, AUDIT_ENCRYPTED_TO, cl->cert, err);
log_error ("encryption failed for recipient no. %d: %s\n",
- recpno, gpg_strerror (rc));
+ recpno, gpg_strerror (err));
goto leave;
}
@@ -790,7 +781,6 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
audit_log_cert (ctrl->audit, AUDIT_ENCRYPTED_TO, cl->cert, err);
log_error ("ksba_cms_add_recipient failed: %s\n",
gpg_strerror (err));
- rc = err;
xfree (encval);
goto leave;
}
@@ -802,7 +792,6 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
{
log_error ("ksba_cms_set_enc_val failed: %s\n",
gpg_strerror (err));
- rc = err;
goto leave;
}
}
@@ -816,7 +805,7 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
log_error (_("operation forced to fail due to"
" unfulfilled compliance rules\n"));
gpgsm_errors_seen = 1;
- rc = gpg_error (GPG_ERR_FORBIDDEN);
+ err = gpg_error (GPG_ERR_FORBIDDEN);
goto leave;
}
@@ -828,7 +817,6 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
if (err)
{
log_error ("creating CMS object failed: %s\n", gpg_strerror (err));
- rc = err;
goto leave;
}
}
@@ -837,15 +825,15 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
if (encparm.readerror)
{
log_error ("error reading input: %s\n", strerror (encparm.readerror));
- rc = gpg_error (gpg_err_code_from_errno (encparm.readerror));
+ err = gpg_error (gpg_err_code_from_errno (encparm.readerror));
goto leave;
}
- rc = gnupg_ksba_finish_writer (b64writer);
- if (rc)
+ err = gnupg_ksba_finish_writer (b64writer);
+ if (err)
{
- log_error ("write failed: %s\n", gpg_strerror (rc));
+ log_error ("write failed: %s\n", gpg_strerror (err));
goto leave;
}
audit_log (ctrl->audit, AUDIT_ENCRYPTION_DONE);
@@ -859,5 +847,5 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, estream_t data_fp,
keydb_release (kh);
xfree (dek);
xfree (encparm.buffer);
- return rc;
+ return err;
}
diff --git a/sm/keydb.c b/sm/keydb.c
index 512ab1af8..151ae8103 100644
--- a/sm/keydb.c
+++ b/sm/keydb.c
@@ -1137,6 +1137,23 @@ keydb_set_flags (KEYDB_HANDLE hd, int which, int idx, unsigned int value)
}
+/* Default status callback used to show diagnostics from the keyboxd */
+static gpg_error_t
+keydb_default_status_cb (void *opaque, const char *line)
+{
+ const char *s;
+
+ (void)opaque;
+
+ if ((s = has_leading_keyword (line, "NOTE")))
+ log_info (_("Note: %s\n"), s);
+ else if ((s = has_leading_keyword (line, "WARNING")))
+ log_info (_("WARNING: %s\n"), s);
+
+ return 0;
+}
+
+
/* Communication object for Keyboxd STORE commands. */
struct store_parm_s
@@ -1200,7 +1217,7 @@ keydb_insert_cert (KEYDB_HANDLE hd, ksba_cert_t cert)
err = assuan_transact (hd->kbl->ctx, "STORE --insert",
NULL, NULL,
store_inq_cb, &parm,
- NULL, NULL);
+ keydb_default_status_cb, hd);
goto leave;
}
@@ -1335,7 +1352,7 @@ keydb_delete (KEYDB_HANDLE hd)
err = assuan_transact (hd->kbl->ctx, line,
NULL, NULL,
NULL, NULL,
- NULL, NULL);
+ keydb_default_status_cb, hd);
goto leave;
}
@@ -1563,6 +1580,8 @@ search_status_cb (void *opaque, const char *line)
}
}
}
+ else
+ err = keydb_default_status_cb (opaque, line);
return err;
}
diff --git a/sm/keylist.c b/sm/keylist.c
index ed1b74729..47fe69f30 100644
--- a/sm/keylist.c
+++ b/sm/keylist.c
@@ -532,6 +532,8 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
{
if (gpgsm_cert_has_well_known_private_key (cert))
*truststring = 'w'; /* Well, this is dummy CA. */
+ else if (gpg_err_code (valerr) == GPG_ERR_NOT_TRUSTED)
+ *truststring = 'n'; /* Likely the root cert is not trusted. */
else
*truststring = 'i';
}
diff --git a/sm/minip12.c b/sm/minip12.c
index ae81d821b..1bbe126ae 100644
--- a/sm/minip12.c
+++ b/sm/minip12.c
@@ -936,6 +936,7 @@ parse_bag_encrypted_data (struct p12_parse_ctx_s *ctx, tlv_parser_t tlv)
if (!datalen)
{
err = gpg_error (GPG_ERR_DECRYPT_FAILED);
+ ctx->badpass = 1; /* This is the most likley reason. */
goto bailout;
}
@@ -1461,6 +1462,7 @@ parse_shrouded_key_bag (struct p12_parse_ctx_s *ctx, tlv_parser_t tlv)
if (!datalen)
{
err = gpg_error (GPG_ERR_DECRYPT_FAILED);
+ ctx->badpass = 1;
goto bailout;
}
diff --git a/sm/sign.c b/sm/sign.c
index 8fd111a7d..ec0172b4b 100644
--- a/sm/sign.c
+++ b/sm/sign.c
@@ -606,8 +606,8 @@ int
gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
estream_t data_fp, int detached, estream_t out_fp)
{
- int i, rc;
gpg_error_t err;
+ int i;
gnupg_ksba_io_t b64writer = NULL;
ksba_writer_t writer;
estream_t sig_fp = NULL; /* Used for detached signatures. */
@@ -630,18 +630,18 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
if (!kh)
{
log_error (_("failed to allocate keyDB handle\n"));
- rc = gpg_error (GPG_ERR_GENERAL);
+ err = gpg_error (GPG_ERR_GENERAL);
goto leave;
}
if (!gnupg_rng_is_compliant (opt.compliance))
{
- rc = gpg_error (GPG_ERR_FORBIDDEN);
+ err = gpg_error (GPG_ERR_FORBIDDEN);
log_error (_("%s is not compliant with %s mode\n"),
"RNG",
gnupg_compliance_option_string (opt.compliance));
gpgsm_status_with_error (ctrl, STATUS_ERROR,
- "random-compliance", rc);
+ "random-compliance", err);
goto leave;
}
@@ -653,20 +653,20 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
if (binary_detached)
{
sig_fp = es_fopenmem (0, "w+");
- rc = sig_fp? 0 : gpg_error_from_syserror ();
- if (!rc)
- rc = gnupg_ksba_create_writer (&b64writer, 0, NULL, sig_fp, &writer);
+ err = sig_fp? 0 : gpg_error_from_syserror ();
+ if (!err)
+ err = gnupg_ksba_create_writer (&b64writer, 0, NULL, sig_fp, &writer);
}
else
{
- rc = gnupg_ksba_create_writer
+ err = gnupg_ksba_create_writer
(&b64writer, ((ctrl->create_pem? GNUPG_KSBA_IO_PEM : 0)
| (ctrl->create_base64? GNUPG_KSBA_IO_BASE64 : 0)),
ctrl->pem_name, out_fp, &writer);
}
- if (rc)
+ if (err)
{
- log_error ("can't create writer: %s\n", gpg_strerror (rc));
+ log_error ("can't create writer: %s\n", gpg_strerror (err));
goto leave;
}
@@ -676,17 +676,13 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
err = ksba_cms_new (&cms);
if (err)
- {
- rc = err;
- goto leave;
- }
+ goto leave;
err = ksba_cms_set_reader_writer (cms, NULL, writer);
if (err)
{
log_debug ("ksba_cms_set_reader_writer failed: %s\n",
gpg_strerror (err));
- rc = err;
goto leave;
}
@@ -703,7 +699,6 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
{
log_debug ("ksba_cms_set_content_type failed: %s\n",
gpg_strerror (err));
- rc = err;
goto leave;
}
@@ -716,23 +711,23 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
log_error ("no default signer found\n");
gpgsm_status2 (ctrl, STATUS_INV_SGNR,
get_inv_recpsgnr_code (GPG_ERR_NO_SECKEY), NULL);
- rc = gpg_error (GPG_ERR_GENERAL);
+ err = gpg_error (GPG_ERR_GENERAL);
goto leave;
}
/* Although we don't check for ambiguous specification we will
check that the signer's certificate is usable and valid. */
- rc = gpgsm_cert_use_sign_p (cert, 0);
- if (!rc)
- rc = gpgsm_validate_chain (ctrl, cert,
+ err = gpgsm_cert_use_sign_p (cert, 0);
+ if (!err)
+ err = gpgsm_validate_chain (ctrl, cert,
GNUPG_ISOTIME_NONE, NULL, 0, NULL, 0, NULL);
- if (rc)
+ if (err)
{
char *tmpfpr;
tmpfpr = gpgsm_get_fingerprint_hexstring (cert, 0);
gpgsm_status2 (ctrl, STATUS_INV_SGNR,
- get_inv_recpsgnr_code (rc), tmpfpr, NULL);
+ get_inv_recpsgnr_code (err), tmpfpr, NULL);
xfree (tmpfpr);
goto leave;
}
@@ -741,7 +736,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
signerlist = xtrycalloc (1, sizeof *signerlist);
if (!signerlist)
{
- rc = out_of_core ();
+ err = gpg_error_from_syserror ();
ksba_cert_release (cert);
goto leave;
}
@@ -822,8 +817,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
goto leave;
}
- if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, 0,
- NULL, nbits, curve))
+ if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo,
+ PK_ALGO_FLAG_ECC18, NULL, nbits, curve))
{
char kidstr[10+1];
@@ -849,22 +844,21 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
/* Gather certificates of signers and store them in the CMS object. */
for (cl=signerlist; cl; cl = cl->next)
{
- rc = gpgsm_cert_use_sign_p (cl->cert, 0);
- if (rc)
+ err = gpgsm_cert_use_sign_p (cl->cert, 0);
+ if (err)
goto leave;
err = ksba_cms_add_signer (cms, cl->cert);
if (err)
{
log_error ("ksba_cms_add_signer failed: %s\n", gpg_strerror (err));
- rc = err;
goto leave;
}
- rc = add_certificate_list (ctrl, cms, cl->cert);
- if (rc)
+ err = add_certificate_list (ctrl, cms, cl->cert);
+ if (err)
{
log_error ("failed to store list of certificates: %s\n",
- gpg_strerror(rc));
+ gpg_strerror (err));
goto leave;
}
/* Set the hash algorithm we are going to use */
@@ -873,7 +867,6 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
{
log_debug ("ksba_cms_add_digest_algo failed: %s\n",
gpg_strerror (err));
- rc = err;
goto leave;
}
}
@@ -895,7 +888,6 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
{
log_error (_("checking for qualified certificate failed: %s\n"),
gpg_strerror (err));
- rc = err;
goto leave;
}
if (*buffer)
@@ -903,19 +895,16 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
else
err = gpgsm_not_qualified_warning (ctrl, cl->cert);
if (err)
- {
- rc = err;
- goto leave;
- }
+ goto leave;
}
}
/* Prepare hashing (actually we are figuring out what we have set
above). */
- rc = gcry_md_open (&data_md, 0, 0);
- if (rc)
+ err = gcry_md_open (&data_md, 0, 0);
+ if (err)
{
- log_error ("md_open failed: %s\n", gpg_strerror (rc));
+ log_error ("md_open failed: %s\n", gpg_strerror (err));
goto leave;
}
if (DBG_HASHING)
@@ -927,7 +916,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
if (!algo)
{
log_error ("unknown hash algorithm '%s'\n", algoid? algoid:"?");
- rc = gpg_error (GPG_ERR_BUG);
+ err = gpg_error (GPG_ERR_BUG);
goto leave;
}
gcry_md_enable (data_md, algo);
@@ -952,7 +941,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
if ( !digest || !digest_len )
{
log_error ("problem getting the hash of the data\n");
- rc = gpg_error (GPG_ERR_BUG);
+ err = gpg_error (GPG_ERR_BUG);
goto leave;
}
err = ksba_cms_set_message_digest (cms, signer, digest, digest_len);
@@ -960,7 +949,6 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
{
log_error ("ksba_cms_set_message_digest failed: %s\n",
gpg_strerror (err));
- rc = err;
goto leave;
}
}
@@ -974,7 +962,6 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
{
log_error ("ksba_cms_set_signing_time failed: %s\n",
gpg_strerror (err));
- rc = err;
goto leave;
}
}
@@ -1016,7 +1003,6 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
if (err)
{
log_error ("creating CMS object failed: %s\n", gpg_strerror (err));
- rc = err;
goto leave;
}
@@ -1028,8 +1014,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
log_assert (!detached);
- rc = hash_and_copy_data (data_fp, data_md, writer);
- if (rc)
+ err = hash_and_copy_data (data_fp, data_md, writer);
+ if (err)
goto leave;
audit_log (ctrl->audit, AUDIT_GOT_DATA);
for (cl=signerlist,signer=0; cl; cl = cl->next, signer++)
@@ -1039,7 +1025,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
if ( !digest || !digest_len )
{
log_error ("problem getting the hash of the data\n");
- rc = gpg_error (GPG_ERR_BUG);
+ err = gpg_error (GPG_ERR_BUG);
goto leave;
}
err = ksba_cms_set_message_digest (cms, signer,
@@ -1048,7 +1034,6 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
{
log_error ("ksba_cms_set_message_digest failed: %s\n",
gpg_strerror (err));
- rc = err;
goto leave;
}
}
@@ -1058,10 +1043,10 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
/* Compute the signature for all signers. */
gcry_md_hd_t md;
- rc = gcry_md_open (&md, 0, 0);
- if (rc)
+ err = gcry_md_open (&md, 0, 0);
+ if (err)
{
- log_error ("md_open failed: %s\n", gpg_strerror (rc));
+ log_error ("md_open failed: %s\n", gpg_strerror (err));
goto leave;
}
if (DBG_HASHING)
@@ -1086,20 +1071,20 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
}
}
- rc = ksba_cms_hash_signed_attrs (cms, signer);
- if (rc)
+ err = ksba_cms_hash_signed_attrs (cms, signer);
+ if (err)
{
log_debug ("hashing signed attrs failed: %s\n",
- gpg_strerror (rc));
+ gpg_strerror (err));
gcry_md_close (md);
goto leave;
}
- rc = gpgsm_create_cms_signature (ctrl, cl->cert,
- md, cl->hash_algo, &sigval);
- if (rc)
+ err = gpgsm_create_cms_signature (ctrl, cl->cert,
+ md, cl->hash_algo, &sigval);
+ if (err)
{
- audit_log_cert (ctrl->audit, AUDIT_SIGNED_BY, cl->cert, rc);
+ audit_log_cert (ctrl->audit, AUDIT_SIGNED_BY, cl->cert, err);
gcry_md_close (md);
goto leave;
}
@@ -1111,7 +1096,6 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
audit_log_cert (ctrl->audit, AUDIT_SIGNED_BY, cl->cert, err);
log_error ("failed to store the signature: %s\n",
gpg_strerror (err));
- rc = err;
gcry_md_close (md);
goto leave;
}
@@ -1120,11 +1104,10 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
fpr = gpgsm_get_fingerprint_hexstring (cl->cert, GCRY_MD_SHA1);
if (!fpr)
{
- rc = gpg_error (GPG_ERR_ENOMEM);
+ err = gpg_error (GPG_ERR_ENOMEM);
gcry_md_close (md);
goto leave;
}
- rc = 0;
if (opt.verbose)
{
char *pkalgostr = gpgsm_pubkey_algo_string (cl->cert, NULL);
@@ -1141,9 +1124,9 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
signed_at,
fpr);
if (!buf)
- rc = gpg_error_from_syserror ();
+ err = gpg_error_from_syserror ();
xfree (fpr);
- if (rc)
+ if (err)
{
gcry_md_close (md);
goto leave;
@@ -1157,10 +1140,10 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
}
while (stopreason != KSBA_SR_READY);
- rc = gnupg_ksba_finish_writer (b64writer);
- if (rc)
+ err = gnupg_ksba_finish_writer (b64writer);
+ if (err)
{
- log_error ("write failed: %s\n", gpg_strerror (rc));
+ log_error ("write failed: %s\n", gpg_strerror (err));
goto leave;
}
@@ -1169,13 +1152,14 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
void *blob = NULL;
size_t bloblen;
- rc = es_fclose_snatch (sig_fp, &blob, &bloblen);
+ err = (es_fclose_snatch (sig_fp, &blob, &bloblen)?
+ gpg_error_from_syserror () : 0);
sig_fp = NULL;
- if (rc)
+ if (err)
goto leave;
- rc = write_detached_signature (ctrl, blob, bloblen, out_fp);
+ err = write_detached_signature (ctrl, blob, bloblen, out_fp);
xfree (blob);
- if (rc)
+ if (err)
goto leave;
}
@@ -1184,9 +1168,9 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
log_info ("signature created\n");
leave:
- if (rc)
+ if (err)
log_error ("error creating signature: %s <%s>\n",
- gpg_strerror (rc), gpg_strsource (rc) );
+ gpg_strerror (err), gpg_strsource (err) );
if (release_signerlist)
gpgsm_release_certlist (signerlist);
xfree (curve);
@@ -1195,5 +1179,5 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
keydb_release (kh);
gcry_md_close (data_md);
es_fclose (sig_fp);
- return rc;
+ return err;
}
diff --git a/sm/verify.c b/sm/verify.c
index 9c012596d..53d1b468a 100644
--- a/sm/verify.c
+++ b/sm/verify.c
@@ -485,6 +485,7 @@ gpgsm_verify (ctrl_t ctrl, estream_t in_fp, estream_t data_fp,
audit_log_i (ctrl->audit, AUDIT_DATA_HASH_ALGO, algo);
/* Check compliance. */
+ pkalgoflags |= PK_ALGO_FLAG_ECC18;
if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
pkalgo, pkalgoflags, NULL, nbits, pkcurve))
{
generated by cgit v1.2.3 (git 2.25.1) at 2025-04-27 00:19:48 +0000