security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

sm: Flag Brainpool curves as compliant for all other operations.

Browse Source 
* sm/fingerprint.c (gpgsm_get_key_algo_info2): Rename to
(gpgsm_get_key_algo_info): this.  Remove the old wrapper.  Adjust all
callers.
* sm/decrypt.c (gpgsm_decrypt): Pass the curve to the compliance
checker.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* sm/sign.c (gpgsm_sign): Ditto.
* sm/verify.c (gpgsm_verify): Ditto.
--

GnuPG-bug-id: 6253
This commit is contained in:
Werner Koch 2023-10-24 14:51:16 +02:00
parent 97708e2ac7
commit 2c3c049fd8
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
8 changed files with 27 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
sm/decrypt.c
View File

@ -1065,6 +1065,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
int recp; int recp;
estream_t in_fp = NULL; estream_t in_fp = NULL;
struct decrypt_filter_parm_s dfparm; struct decrypt_filter_parm_s dfparm;
char *curve = NULL;
memset (&dfparm, 0, sizeof dfparm); memset (&dfparm, 0, sizeof dfparm);
@ -1309,14 +1310,15 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1); pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
pkalgostr = gpgsm_pubkey_algo_string (cert, NULL); pkalgostr = gpgsm_pubkey_algo_string (cert, NULL);
pk_algo = gpgsm_get_key_algo_info (cert, &nbits); xfree (curve);
pk_algo = gpgsm_get_key_algo_info (cert, &nbits, &curve);
if (!opt.quiet) if (!opt.quiet)
log_info (_("encrypted to %s key %s\n"), pkalgostr, pkfpr); log_info (_("encrypted to %s key %s\n"), pkalgostr, pkfpr);
/* Check compliance. */ /* Check compliance. */
if (!gnupg_pk_is_allowed (opt.compliance, if (!gnupg_pk_is_allowed (opt.compliance,
PK_USE_DECRYPTION, PK_USE_DECRYPTION,
pk_algo, 0, NULL, nbits, NULL)) pk_algo, 0, NULL, nbits, curve))
{ {
char kidstr[10+1]; char kidstr[10+1];
@ -1334,7 +1336,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
dfparm.is_de_vs = dfparm.is_de_vs =
(dfparm.is_de_vs (dfparm.is_de_vs
&& gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0, && gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0,
NULL, nbits, NULL)); NULL, nbits, curve));
oops: oops:
if (rc) if (rc)
@ -1512,6 +1514,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
log_error ("message decryption failed: %s <%s>\n", log_error ("message decryption failed: %s <%s>\n",
gpg_strerror (rc), gpg_strsource (rc)); gpg_strerror (rc), gpg_strsource (rc));
} }
xfree (curve);
ksba_cms_release (cms); ksba_cms_release (cms);
gnupg_ksba_destroy_reader (b64reader); gnupg_ksba_destroy_reader (b64reader);
gnupg_ksba_destroy_writer (b64writer); gnupg_ksba_destroy_writer (b64writer);

10
sm/encrypt.c
View File

@ -758,11 +758,12 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
unsigned char *encval; unsigned char *encval;
unsigned int nbits; unsigned int nbits;
int pk_algo; int pk_algo;
char *curve = NULL;
/* Check compliance. */ /* Check compliance. */
pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits); pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits, &curve);
if (!gnupg_pk_is_compliant (opt.compliance, pk_algo, 0, if (!gnupg_pk_is_compliant (opt.compliance, pk_algo, 0,
NULL, nbits, NULL)) NULL, nbits, curve))
{ {
char kidstr[10+1]; char kidstr[10+1];
@ -777,9 +778,12 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
/* Fixme: When adding ECC we need to provide the curvename and /* Fixme: When adding ECC we need to provide the curvename and
* the key to gnupg_pk_is_compliant. */ * the key to gnupg_pk_is_compliant. */
if (compliant if (compliant
&& !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0, NULL, nbits, NULL)) && !gnupg_pk_is_compliant (CO_DE_VS, pk_algo, 0, NULL, nbits, curve))
compliant = 0; compliant = 0;
xfree (curve);
curve = NULL;
rc = encrypt_dek (dek, cl->cert, pk_algo, &encval); rc = encrypt_dek (dek, cl->cert, pk_algo, &encval);
if (rc) if (rc)
{ {

2
sm/export.c
View File

@ -430,7 +430,7 @@ gpgsm_p12_export (ctrl_t ctrl, const char *name, estream_t stream, int rawmode)
if (rawmode == 0) if (rawmode == 0)
ctrl->pem_name = "PKCS12"; ctrl->pem_name = "PKCS12";
else if (gpgsm_get_key_algo_info (cert, NULL) == GCRY_PK_ECC) else if (gpgsm_get_key_algo_info (cert, NULL, NULL) == GCRY_PK_ECC)
ctrl->pem_name = "EC PRIVATE KEY"; ctrl->pem_name = "EC PRIVATE KEY";
else if (rawmode == 1) else if (rawmode == 1)
ctrl->pem_name = "PRIVATE KEY"; ctrl->pem_name = "PRIVATE KEY";

11
sm/fingerprint.c
View File

@ -222,7 +222,7 @@ gpgsm_get_keygrip_hexstring (ksba_cert_t cert)
* algorithm is used the name or OID of the curve is stored there; the * algorithm is used the name or OID of the curve is stored there; the
* caller needs to free this value. */ * caller needs to free this value. */
int int
gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits, char **r_curve) gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
{ {
gcry_sexp_t s_pkey; gcry_sexp_t s_pkey;
int rc; int rc;
@ -299,18 +299,11 @@ gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits, char **r_curve)
} }
int
gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits)
{
return gpgsm_get_key_algo_info2 (cert, nbits, NULL);
}
/* Return true if CERT is an ECC key. */ /* Return true if CERT is an ECC key. */
int int
gpgsm_is_ecc_key (ksba_cert_t cert) gpgsm_is_ecc_key (ksba_cert_t cert)
{ {
return GCRY_PK_ECC == gpgsm_get_key_algo_info2 (cert, NULL, NULL); return GCRY_PK_ECC == gpgsm_get_key_algo_info (cert, NULL, NULL);
} }

5
sm/gpgsm.h
View File

@ -339,9 +339,8 @@ unsigned long gpgsm_get_short_fingerprint (ksba_cert_t cert,
unsigned long *r_high); unsigned long *r_high);
unsigned char *gpgsm_get_keygrip (ksba_cert_t cert, unsigned char *array); unsigned char *gpgsm_get_keygrip (ksba_cert_t cert, unsigned char *array);
char *gpgsm_get_keygrip_hexstring (ksba_cert_t cert); char *gpgsm_get_keygrip_hexstring (ksba_cert_t cert);
int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits); int gpgsm_get_key_algo_info (ksba_cert_t cert, unsigned int *nbits,
int gpgsm_get_key_algo_info2 (ksba_cert_t cert, unsigned int *nbits, char **r_curve);
char **r_curve);
int gpgsm_is_ecc_key (ksba_cert_t cert); int gpgsm_is_ecc_key (ksba_cert_t cert);
char *gpgsm_pubkey_algo_string (ksba_cert_t cert, int *r_algoid); char *gpgsm_pubkey_algo_string (ksba_cert_t cert, int *r_algoid);
gcry_mpi_t gpgsm_get_rsa_modulus (ksba_cert_t cert); gcry_mpi_t gpgsm_get_rsa_modulus (ksba_cert_t cert);

2
sm/keylist.c
View File

@ -562,7 +562,7 @@ list_cert_colon (ctrl_t ctrl, ksba_cert_t cert, unsigned int validity,
if (*truststring) if (*truststring)
es_fputs (truststring, fp); es_fputs (truststring, fp);
algo = gpgsm_get_key_algo_info2 (cert, &nbits, &curve); algo = gpgsm_get_key_algo_info (cert, &nbits, &curve);
es_fprintf (fp, ":%u:%d:%s:", nbits, algo, fpr+24); es_fprintf (fp, ":%u:%d:%s:", nbits, algo, fpr+24);
ksba_cert_get_validity (cert, 0, t); ksba_cert_get_validity (cert, 0, t);

9
sm/sign.c
View File

@ -640,6 +640,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
certlist_t cl; certlist_t cl;
int release_signerlist = 0; int release_signerlist = 0;
int binary_detached = detached && !ctrl->create_pem && !ctrl->create_base64; int binary_detached = detached && !ctrl->create_pem && !ctrl->create_base64;
char *curve = NULL;
audit_set_type (ctrl->audit, AUDIT_TYPE_SIGN); audit_set_type (ctrl->audit, AUDIT_TYPE_SIGN);
@ -778,7 +779,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
unsigned int nbits; unsigned int nbits;
int pk_algo; int pk_algo;
pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits); xfree (curve);
pk_algo = gpgsm_get_key_algo_info (cl->cert, &nbits, &curve);
cl->pk_algo = pk_algo; cl->pk_algo = pk_algo;
if (opt.forced_digest_algo) if (opt.forced_digest_algo)
@ -838,8 +840,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
goto leave; goto leave;
} }
if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, 0, if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, 0,
NULL, nbits, NULL)) NULL, nbits, curve))
{ {
char kidstr[10+1]; char kidstr[10+1];
@ -1205,6 +1207,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
gpg_strerror (rc), gpg_strsource (rc) ); gpg_strerror (rc), gpg_strsource (rc) );
if (release_signerlist) if (release_signerlist)
gpgsm_release_certlist (signerlist); gpgsm_release_certlist (signerlist);
xfree (curve);
ksba_cms_release (cms); ksba_cms_release (cms);
gnupg_ksba_destroy_writer (b64writer); gnupg_ksba_destroy_writer (b64writer);
keydb_release (kh); keydb_release (kh);

4
sm/verify.c
View File

@ -468,7 +468,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1); pkfpr = gpgsm_get_fingerprint_hexstring (cert, GCRY_MD_SHA1);
pkalgostr = gpgsm_pubkey_algo_string (cert, NULL); pkalgostr = gpgsm_pubkey_algo_string (cert, NULL);
pkalgo = gpgsm_get_key_algo_info2 (cert, &nbits, &pkcurve); pkalgo = gpgsm_get_key_algo_info (cert, &nbits, &pkcurve);
/* Remap the ECC algo to the algo we use. Note that EdDSA has /* Remap the ECC algo to the algo we use. Note that EdDSA has
* already been mapped. */ * already been mapped. */
if (pkalgo == GCRY_PK_ECC) if (pkalgo == GCRY_PK_ECC)
@ -504,7 +504,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
/* Check compliance. */ /* Check compliance. */
if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
pkalgo, pkalgoflags, NULL, nbits, NULL)) pkalgo, pkalgoflags, NULL, nbits, pkcurve))
{ {
char kidstr[10+1]; char kidstr[10+1];