diff options
| -rw-r--r-- | common/percent.c | 1 | ||||
| -rw-r--r-- | dirmngr/dirmngr.c | 27 | ||||
| -rw-r--r-- | dirmngr/dirmngr.h | 4 | ||||
| -rw-r--r-- | dirmngr/ocsp.c | 4 |
4 files changed, 28 insertions, 8 deletions
diff --git a/common/percent.c b/common/percent.c index debf15784..80ebb5387 100644 --- a/common/percent.c +++ b/common/percent.c @@ -25,6 +25,7 @@ * * You should have received a copy of the GNU General Public License * along with this program; if not, see <https://www.gnu.org/licenses/>. + * SPDX-License-Identifier: (LGPL-3.0-or-later OR GPL-2.0-or-later) */ #include <config.h> diff --git a/dirmngr/dirmngr.c b/dirmngr/dirmngr.c index 32a4df3a9..97780eccc 100644 --- a/dirmngr/dirmngr.c +++ b/dirmngr/dirmngr.c @@ -340,6 +340,7 @@ static struct debug_flags_s debug_flags [] = static struct compatibility_flags_s compatibility_flags [] = { { COMPAT_RESTRICT_HTTP_REDIR, "restrict-http-redir" }, + { COMPAT_OCSP_SHA256_CERTID, "ocsp-sha256-certid" }, { 0, NULL } }; @@ -487,9 +488,9 @@ my_strusage( int level ) /* Callback from libksba to hash a provided buffer. Our current - implementation does only allow SHA-1 for hashing. This may be - extended by mapping the name, testing for algorithm availability - and adjust the length checks accordingly. */ + * implementation does only allow SHA-1 and SHA-256 for hashing. This + * may be extended by mapping the name, testing for algorithm + * availibility and adjust the length checks accordingly. */ static gpg_error_t my_ksba_hash_buffer (void *arg, const char *oid, const void *buffer, size_t length, size_t resultsize, @@ -497,12 +498,22 @@ my_ksba_hash_buffer (void *arg, const char *oid, { (void)arg; - if (oid && strcmp (oid, "1.3.14.3.2.26")) + if (!oid || !strcmp (oid, "1.3.14.3.2.26")) + { + if (resultsize < 20) + return gpg_error (GPG_ERR_BUFFER_TOO_SHORT); + gcry_md_hash_buffer (GCRY_MD_SHA1, result, buffer, length); + *resultlen = 20; + } + else if (!strcmp (oid, "2.16.840.1.101.3.4.2.1")) + { + if (resultsize < 32) + return gpg_error (GPG_ERR_BUFFER_TOO_SHORT); + gcry_md_hash_buffer (GCRY_MD_SHA256, result, buffer, length); + *resultlen = 32; + } + else return gpg_error (GPG_ERR_NOT_SUPPORTED); - if (resultsize < 20) - return gpg_error (GPG_ERR_BUFFER_TOO_SHORT); - gcry_md_hash_buffer (2, result, buffer, length); - *resultlen = 20; return 0; } diff --git a/dirmngr/dirmngr.h b/dirmngr/dirmngr.h index d32f125d2..bf267cf72 100644 --- a/dirmngr/dirmngr.h +++ b/dirmngr/dirmngr.h @@ -207,6 +207,10 @@ struct * https://dev.gnupg.org/T6477. */ #define COMPAT_RESTRICT_HTTP_REDIR 1 +/* There is a demand to use SHA-256 for hashing elements of the OCSP + * CertID. Allow to enable this with a recent enough Libksba. */ +#define COMPAT_OCSP_SHA256_CERTID 2 + /* A simple list of certificate references. FIXME: Better use certlist_t also for references (Store NULL at .cert) */ diff --git a/dirmngr/ocsp.c b/dirmngr/ocsp.c index 40e282484..eb24e2954 100644 --- a/dirmngr/ocsp.c +++ b/dirmngr/ocsp.c @@ -165,6 +165,10 @@ do_ocsp_request (ctrl_t ctrl, ksba_ocsp_t ocsp, return err; } + /* Tell Libksba to use SHA256 for hashing elements of the CERTID. */ + if ((opt.compat_flags & COMPAT_OCSP_SHA256_CERTID)) + ksba_ocsp_set_nonce (ocsp, NULL, 32); + { size_t n; unsigned char nonce[32]; |