mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
gpg: Add configure options to disable algorithms
* acinclude.m4 (GNUPG_GPG_DISABLE_ALGO): New. * configure.ac: Add --enable-gpg-* options to disable non MUS algorithms. * g10/misc.c (map_cipher_openpgp_to_gcry): Implement these options. (openpgp_pk_test_algo2): Ditto. (map_md_openpgp_to_gcry): Ditto. (openpgp_cipher_test_algo, openpgp_md_test_algo): Simplify. -- We have a similar feature in GnuPG-1. Although we don't shrink the size of the gpg binary by disabling algorithms (they are implemented in Libgcrypt), this feature may still be useful for inerop testing.
This commit is contained in:
parent
71540d4041
commit
2ba818de1a
33
acinclude.m4
33
acinclude.m4
@ -7,12 +7,12 @@ dnl GnuPG is free software; you can redistribute it and/or modify
|
|||||||
dnl it under the terms of the GNU General Public License as published by
|
dnl it under the terms of the GNU General Public License as published by
|
||||||
dnl the Free Software Foundation; either version 3 of the License, or
|
dnl the Free Software Foundation; either version 3 of the License, or
|
||||||
dnl (at your option) any later version.
|
dnl (at your option) any later version.
|
||||||
dnl
|
dnl
|
||||||
dnl GnuPG is distributed in the hope that it will be useful,
|
dnl GnuPG is distributed in the hope that it will be useful,
|
||||||
dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
|
dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
dnl GNU General Public License for more details.
|
dnl GNU General Public License for more details.
|
||||||
dnl
|
dnl
|
||||||
dnl You should have received a copy of the GNU General Public License
|
dnl You should have received a copy of the GNU General Public License
|
||||||
dnl along with this program; if not, see <http://www.gnu.org/licenses/>.
|
dnl along with this program; if not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
@ -38,7 +38,7 @@ AC_DEFUN([GNUPG_CHECK_TYPEDEF],
|
|||||||
dnl GNUPG_CHECK_GNUMAKE
|
dnl GNUPG_CHECK_GNUMAKE
|
||||||
dnl
|
dnl
|
||||||
AC_DEFUN([GNUPG_CHECK_GNUMAKE],
|
AC_DEFUN([GNUPG_CHECK_GNUMAKE],
|
||||||
[
|
[
|
||||||
if ${MAKE-make} --version 2>/dev/null | grep '^GNU ' >/dev/null 2>&1; then
|
if ${MAKE-make} --version 2>/dev/null | grep '^GNU ' >/dev/null 2>&1; then
|
||||||
:
|
:
|
||||||
else
|
else
|
||||||
@ -59,7 +59,7 @@ AC_DEFUN([GNUPG_CHECK_FAQPROG],
|
|||||||
if faqprog.pl -V 2>/dev/null | grep '^faqprog.pl ' >/dev/null 2>&1; then
|
if faqprog.pl -V 2>/dev/null | grep '^faqprog.pl ' >/dev/null 2>&1; then
|
||||||
working_faqprog=yes
|
working_faqprog=yes
|
||||||
FAQPROG="faqprog.pl"
|
FAQPROG="faqprog.pl"
|
||||||
else
|
else
|
||||||
working_faqprog=no
|
working_faqprog=no
|
||||||
FAQPROG=": "
|
FAQPROG=": "
|
||||||
fi
|
fi
|
||||||
@ -77,7 +77,7 @@ dnl *** ftp://ftp.gnupg.org/gcrypt/contrib/faqprog.pl )
|
|||||||
dnl *** No need to worry about this warning.
|
dnl *** No need to worry about this warning.
|
||||||
dnl ***]])
|
dnl ***]])
|
||||||
dnl fi
|
dnl fi
|
||||||
])
|
])
|
||||||
|
|
||||||
dnl GNUPG_CHECK_DOCBOOK_TO_TEXI
|
dnl GNUPG_CHECK_DOCBOOK_TO_TEXI
|
||||||
dnl
|
dnl
|
||||||
@ -93,7 +93,7 @@ AC_DEFUN([GNUPG_CHECK_DOCBOOK_TO_TEXI],
|
|||||||
fi
|
fi
|
||||||
AC_MSG_RESULT($working_sgmltotexi)
|
AC_MSG_RESULT($working_sgmltotexi)
|
||||||
AM_CONDITIONAL(HAVE_DOCBOOK_TO_TEXI, test "$working_sgmltotexi" = "yes" )
|
AM_CONDITIONAL(HAVE_DOCBOOK_TO_TEXI, test "$working_sgmltotexi" = "yes" )
|
||||||
])
|
])
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -162,7 +162,7 @@ AC_DEFUN([GNUPG_CHECK_ENDIAN],
|
|||||||
# Add a --enable-NAME option to configure an set the
|
# Add a --enable-NAME option to configure an set the
|
||||||
# shell variable build_NAME either to "yes" or "no". DEFAULT must
|
# shell variable build_NAME either to "yes" or "no". DEFAULT must
|
||||||
# either be "yes" or "no" and decided on the default value for
|
# either be "yes" or "no" and decided on the default value for
|
||||||
# build_NAME and whether --enable-NAME or --disable-NAME is shown with
|
# build_NAME and whether --enable-NAME or --disable-NAME is shown with
|
||||||
# ./configure --help
|
# ./configure --help
|
||||||
AC_DEFUN([GNUPG_BUILD_PROGRAM],
|
AC_DEFUN([GNUPG_BUILD_PROGRAM],
|
||||||
[build_$1=$2
|
[build_$1=$2
|
||||||
@ -178,7 +178,7 @@ AC_DEFUN([GNUPG_BUILD_PROGRAM],
|
|||||||
case "$build_$1" in
|
case "$build_$1" in
|
||||||
no|yes)
|
no|yes)
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
AC_MSG_ERROR([only yes or no allowed for feature --enable-$1])
|
AC_MSG_ERROR([only yes or no allowed for feature --enable-$1])
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
@ -186,6 +186,23 @@ AC_DEFUN([GNUPG_BUILD_PROGRAM],
|
|||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
# GNUPG_DISABLE_GPG_ALGO(NAME,DESCRIPTION)
|
||||||
|
#
|
||||||
|
# Add a --disable-gpg-NAME option and the corresponding ac_define
|
||||||
|
# GPG_USE_<NAME>.
|
||||||
|
AC_DEFUN([GNUPG_GPG_DISABLE_ALGO],
|
||||||
|
[AC_MSG_CHECKING([whether to enable the $2 for gpg])
|
||||||
|
AC_ARG_ENABLE([gpg-$1], AC_HELP_STRING([--disable-gpg-$1],
|
||||||
|
[disable the $2 algorithm in gpg]),
|
||||||
|
, enableval=yes)
|
||||||
|
AC_MSG_RESULT($enableval)
|
||||||
|
if test x"$enableval" = xyes ; then
|
||||||
|
AC_DEFINE(GPG_USE_[]m4_toupper($1), 1, [Define to support the $2])
|
||||||
|
fi
|
||||||
|
])
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# Check whether mlock is broken (hpux 10.20 raises a SIGBUS if mlock
|
# Check whether mlock is broken (hpux 10.20 raises a SIGBUS if mlock
|
||||||
# is not called from uid 0 (not tested whether uid 0 works)
|
# is not called from uid 0 (not tested whether uid 0 works)
|
||||||
|
33
configure.ac
33
configure.ac
@ -212,6 +212,39 @@ AC_ARG_ENABLE(selinux-support,
|
|||||||
selinux_support=$enableval, selinux_support=no)
|
selinux_support=$enableval, selinux_support=no)
|
||||||
AC_MSG_RESULT($selinux_support)
|
AC_MSG_RESULT($selinux_support)
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Options to disable algorithm
|
||||||
|
#
|
||||||
|
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([rsa],[RSA public key])
|
||||||
|
# Elgamal is a MUST algorithm
|
||||||
|
# DSA is a MUST algorithm
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([ecdh],[ECDH public key])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([ecdsa],[ECDSA public key])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([eddsa],[EdDSA public key])
|
||||||
|
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([idea],[IDEA cipher])
|
||||||
|
# 3DES is a MUST algorithm
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([cast5],[CAST5 cipher])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([blowfish],[BLOWFISH cipher])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([aes128],[AES128 cipher])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([aes192],[AES192 cipher])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([aes256],[AES256 cipher])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([twofish],[TWOFISH cipher])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([camellia128],[CAMELLIA128 cipher])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([camellia192],[CAMELLIA192 cipher])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([camellia256],[CAMELLIA256 cipher])
|
||||||
|
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([md5],[MD5 hash])
|
||||||
|
# SHA1 is a MUSt algorithm
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([sha256],[SHA-256 hash])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash])
|
||||||
|
GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])
|
||||||
|
|
||||||
|
|
||||||
# Allow disabling of zip support.
|
# Allow disabling of zip support.
|
||||||
# This is in general not a good idea because according to rfc4880 OpenPGP
|
# This is in general not a good idea because according to rfc4880 OpenPGP
|
||||||
# implementations SHOULD support ZLIB.
|
# implementations SHOULD support ZLIB.
|
||||||
|
63
g10/misc.c
63
g10/misc.c
@ -348,17 +348,37 @@ map_cipher_openpgp_to_gcry (cipher_algo_t algo)
|
|||||||
switch (algo)
|
switch (algo)
|
||||||
{
|
{
|
||||||
case CIPHER_ALGO_NONE: return GCRY_CIPHER_NONE;
|
case CIPHER_ALGO_NONE: return GCRY_CIPHER_NONE;
|
||||||
|
#ifdef GPG_USE_IDEA
|
||||||
case CIPHER_ALGO_IDEA: return GCRY_CIPHER_IDEA;
|
case CIPHER_ALGO_IDEA: return GCRY_CIPHER_IDEA;
|
||||||
|
#endif
|
||||||
case CIPHER_ALGO_3DES: return GCRY_CIPHER_3DES;
|
case CIPHER_ALGO_3DES: return GCRY_CIPHER_3DES;
|
||||||
|
#ifdef GPG_USE_CAST5
|
||||||
case CIPHER_ALGO_CAST5: return GCRY_CIPHER_CAST5;
|
case CIPHER_ALGO_CAST5: return GCRY_CIPHER_CAST5;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_BLOWFISH
|
||||||
case CIPHER_ALGO_BLOWFISH: return GCRY_CIPHER_BLOWFISH;
|
case CIPHER_ALGO_BLOWFISH: return GCRY_CIPHER_BLOWFISH;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_AES128
|
||||||
case CIPHER_ALGO_AES: return GCRY_CIPHER_AES;
|
case CIPHER_ALGO_AES: return GCRY_CIPHER_AES;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_AES192
|
||||||
case CIPHER_ALGO_AES192: return GCRY_CIPHER_AES192;
|
case CIPHER_ALGO_AES192: return GCRY_CIPHER_AES192;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_AES256
|
||||||
case CIPHER_ALGO_AES256: return GCRY_CIPHER_AES256;
|
case CIPHER_ALGO_AES256: return GCRY_CIPHER_AES256;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_TWOFISH
|
||||||
case CIPHER_ALGO_TWOFISH: return GCRY_CIPHER_TWOFISH;
|
case CIPHER_ALGO_TWOFISH: return GCRY_CIPHER_TWOFISH;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_CAMELLIA128
|
||||||
case CIPHER_ALGO_CAMELLIA128: return GCRY_CIPHER_CAMELLIA128;
|
case CIPHER_ALGO_CAMELLIA128: return GCRY_CIPHER_CAMELLIA128;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_CAMELLIA192
|
||||||
case CIPHER_ALGO_CAMELLIA192: return GCRY_CIPHER_CAMELLIA192;
|
case CIPHER_ALGO_CAMELLIA192: return GCRY_CIPHER_CAMELLIA192;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_CAMELLIA256
|
||||||
case CIPHER_ALGO_CAMELLIA256: return GCRY_CIPHER_CAMELLIA256;
|
case CIPHER_ALGO_CAMELLIA256: return GCRY_CIPHER_CAMELLIA256;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -437,17 +457,6 @@ openpgp_cipher_test_algo (cipher_algo_t algo)
|
|||||||
enum gcry_cipher_algos ga;
|
enum gcry_cipher_algos ga;
|
||||||
|
|
||||||
ga = map_cipher_openpgp_to_gcry (algo);
|
ga = map_cipher_openpgp_to_gcry (algo);
|
||||||
|
|
||||||
/* Use this explicit list to disable certain algorithms. */
|
|
||||||
switch (algo)
|
|
||||||
{
|
|
||||||
/* case CIPHER_ALGO_IDEA: */
|
|
||||||
/* ga = 0; */
|
|
||||||
/* break; */
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!ga)
|
if (!ga)
|
||||||
return gpg_error (GPG_ERR_CIPHER_ALGO);
|
return gpg_error (GPG_ERR_CIPHER_ALGO);
|
||||||
|
|
||||||
@ -497,15 +506,23 @@ openpgp_pk_test_algo2 (pubkey_algo_t algo, unsigned int use)
|
|||||||
|
|
||||||
switch (algo)
|
switch (algo)
|
||||||
{
|
{
|
||||||
|
#ifdef GPG_USE_RSA
|
||||||
case PUBKEY_ALGO_RSA: ga = GCRY_PK_RSA; break;
|
case PUBKEY_ALGO_RSA: ga = GCRY_PK_RSA; break;
|
||||||
case PUBKEY_ALGO_RSA_E: ga = GCRY_PK_RSA_E; break;
|
case PUBKEY_ALGO_RSA_E: ga = GCRY_PK_RSA_E; break;
|
||||||
case PUBKEY_ALGO_RSA_S: ga = GCRY_PK_RSA_S; break;
|
case PUBKEY_ALGO_RSA_S: ga = GCRY_PK_RSA_S; break;
|
||||||
|
#endif
|
||||||
case PUBKEY_ALGO_ELGAMAL_E: ga = GCRY_PK_ELG; break;
|
case PUBKEY_ALGO_ELGAMAL_E: ga = GCRY_PK_ELG; break;
|
||||||
case PUBKEY_ALGO_DSA: ga = GCRY_PK_DSA; break;
|
case PUBKEY_ALGO_DSA: ga = GCRY_PK_DSA; break;
|
||||||
|
|
||||||
case PUBKEY_ALGO_ECDH:
|
#ifdef GPG_USE_ECDH
|
||||||
case PUBKEY_ALGO_ECDSA:
|
case PUBKEY_ALGO_ECDH: ga = GCRY_PK_ECC; break;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_ECDSA
|
||||||
|
case PUBKEY_ALGO_ECDSA: ga = GCRY_PK_ECC; break;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_EDDSA
|
||||||
case PUBKEY_ALGO_EDDSA: ga = GCRY_PK_ECC; break;
|
case PUBKEY_ALGO_EDDSA: ga = GCRY_PK_ECC; break;
|
||||||
|
#endif
|
||||||
|
|
||||||
case PUBKEY_ALGO_ELGAMAL:
|
case PUBKEY_ALGO_ELGAMAL:
|
||||||
/* Dont't allow type 20 keys unless in rfc2440 mode. */
|
/* Dont't allow type 20 keys unless in rfc2440 mode. */
|
||||||
@ -587,32 +604,38 @@ map_md_openpgp_to_gcry (digest_algo_t algo)
|
|||||||
{
|
{
|
||||||
switch (algo)
|
switch (algo)
|
||||||
{
|
{
|
||||||
|
#ifdef GPG_USE_MD5
|
||||||
case DIGEST_ALGO_MD5: return GCRY_MD_MD5;
|
case DIGEST_ALGO_MD5: return GCRY_MD_MD5;
|
||||||
|
#endif
|
||||||
case DIGEST_ALGO_SHA1: return GCRY_MD_SHA1;
|
case DIGEST_ALGO_SHA1: return GCRY_MD_SHA1;
|
||||||
|
#ifdef GPG_USE_RMD160
|
||||||
case DIGEST_ALGO_RMD160: return GCRY_MD_RMD160;
|
case DIGEST_ALGO_RMD160: return GCRY_MD_RMD160;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_SHA224
|
||||||
case DIGEST_ALGO_SHA224: return GCRY_MD_SHA224;
|
case DIGEST_ALGO_SHA224: return GCRY_MD_SHA224;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_SHA256
|
||||||
case DIGEST_ALGO_SHA256: return GCRY_MD_SHA256;
|
case DIGEST_ALGO_SHA256: return GCRY_MD_SHA256;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_SHA384
|
||||||
case DIGEST_ALGO_SHA384: return GCRY_MD_SHA384;
|
case DIGEST_ALGO_SHA384: return GCRY_MD_SHA384;
|
||||||
|
#endif
|
||||||
|
#ifdef GPG_USE_512
|
||||||
case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512;
|
case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512;
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
/* Return 0 if ALGO is suitable and implemented OpenPGP hash
|
/* Return 0 if ALGO is suitable and implemented OpenPGP hash
|
||||||
algorithm. Note: To only test for a valid OpenPGP hash algorithm,
|
algorithm. */
|
||||||
it is better to use map_md_openpgp_to_gcry. */
|
|
||||||
int
|
int
|
||||||
openpgp_md_test_algo (digest_algo_t algo)
|
openpgp_md_test_algo (digest_algo_t algo)
|
||||||
{
|
{
|
||||||
enum gcry_md_algos ga;
|
enum gcry_md_algos ga;
|
||||||
|
|
||||||
ga = map_md_openpgp_to_gcry (algo);
|
ga = map_md_openpgp_to_gcry (algo);
|
||||||
switch (algo)
|
|
||||||
{
|
|
||||||
default:
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
if (!ga)
|
if (!ga)
|
||||||
return gpg_error (GPG_ERR_DIGEST_ALGO);
|
return gpg_error (GPG_ERR_DIGEST_ALGO);
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user