From 77fb089835db9e07ce3bad3e16a099f3a56ef574 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Wed, 8 Nov 2023 17:09:04 +0100 Subject: [PATCH] gpgsm: Support ECDSA in de-vs mode. * common/compliance.h (PK_ALGO_FLAG_ECC18): New. * common/compliance.c (gnupg_pk_is_allowed): Implement. * sm/decrypt.c (gpgsm_decrypt): Pass new flag. * sm/sign.c (gpgsm_sign): Ditto. * sm/verify.c (gpgsm_verify): Ditto. -- GnuPG-bug-id: 6802 --- NEWS | 2 +- common/compliance.c | 13 +++++++++++-- common/compliance.h | 1 + sm/decrypt.c | 3 ++- sm/sign.c | 4 ++-- sm/verify.c | 1 + 6 files changed, 18 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index 3c62e53fe..fa7005df3 100644 --- a/NEWS +++ b/NEWS @@ -32,7 +32,7 @@ Noteworthy changes in version 2.2.42 (unreleased) * gpg: Fix the "keytocard" command for moving ECC keys with non-standard ECDH parameters to OpenPGP cards. [rG92af3f88a9] - * gpgsm: Support ECC certificates. [T6253] + * gpgsm: Support ECC certificates. [T6253, T6802] * gpgsm: Print PROGRESS status lines. Add new --input-size-hint. [T6534] diff --git a/common/compliance.c b/common/compliance.c index 992c1d3e3..bb09d7ed9 100644 --- a/common/compliance.c +++ b/common/compliance.c @@ -261,6 +261,13 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance, if (! initialized) return 1; + /* Map the the generic ECC algo to ECDSA if requested. */ + if ((algo_flags & PK_ALGO_FLAG_ECC18) + && algo == GCRY_PK_ECC + && (use == PK_USE_VERIFICATION + || use == PK_USE_SIGNING)) + algo = GCRY_PK_ECDSA; + switch (compliance) { case CO_DE_VS: @@ -285,7 +292,6 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance, default: log_assert (!"reached"); } - (void)algo_flags; break; case PUBKEY_ALGO_DSA: @@ -306,7 +312,7 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance, result = (use == PK_USE_DECRYPTION); break; - case PUBKEY_ALGO_ECDH: + case PUBKEY_ALGO_ECDH: /* Same value as GCRY_PK_ECC, i.e. 18 */ case GCRY_PK_ECDH: if (use == PK_USE_DECRYPTION) result = 1; 
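Review bot: In `gnupg_pk_is_allowed` (common/compliance.c, hunk at -261) the remap of `GCRY_PK_ECC` to `GCRY_PK_ECDSA` applies only to `PK_USE_VERIFICATION` and `PK_USE_SIGNING`, and the added comment does not say what happens for the other use cases. With `PK_USE_ENCRYPTION` or `PK_USE_DECRYPTION` the value 18 is left alone and is matched by `case PUBKEY_ALGO_ECDH:`, as the comment added in the -306 hunk hints. Because this function decides what de-vs mode accepts, I would state that in the comment and fix the doubled word: `/* Map the generic ECC algo to ECDSA for signing and verification; for encryption and decryption 18 is still handled as ECDH below. */`. The function starts and ends outside the hunk, so the ECDSA branch that the remapped value reaches is not visible here.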
@@ -557,6 +563,9 @@ gnupg_rng_is_compliant (enum gnupg_compliance_mode compliance) int *result; int res; + /* #warning debug code ahead */ + /* return 1; */ + result = get_compliance_cache (compliance, 1); if (result && *result != -1) diff --git a/common/compliance.h b/common/compliance.h index 2451d606e..b89cd48b0 100644 --- a/common/compliance.h +++ b/common/compliance.h @@ -52,6 +52,7 @@ enum pk_use_case /* Flags to distinguish public key algorithm variants. */ #define PK_ALGO_FLAG_RSAPSS 1 /* Use rsaPSS padding. */ +#define PK_ALGO_FLAG_ECC18 256 /* GCRY_PK_ECC is used in a generic way. */ int gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo, diff --git a/sm/decrypt.c b/sm/decrypt.c index 93f2783af..742653ab7 100644 --- a/sm/decrypt.c +++ b/sm/decrypt.c @@ -1327,7 +1327,8 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) /* Check compliance. */ if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_DECRYPTION, - pk_algo, 0, NULL, nbits, curve)) + pk_algo, PK_ALGO_FLAG_ECC18, + NULL, nbits, curve)) { char kidstr[10+1]; diff --git a/sm/sign.c b/sm/sign.c index fd9aa2a64..4f603345a 100644 --- a/sm/sign.c +++ b/sm/sign.c @@ -732,8 +732,8 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, goto leave; } - if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, 0, - NULL, nbits, curve)) + if (!gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, + PK_ALGO_FLAG_ECC18, NULL, nbits, curve)) { char kidstr[10+1]; diff --git a/sm/verify.c b/sm/verify.c index db3ff5bf0..58911bb04 100644 --- a/sm/verify.c +++ b/sm/verify.c @@ -503,6 +503,7 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) audit_log_i (ctrl->audit, AUDIT_DATA_HASH_ALGO, algo); /* Check compliance. */ + pkalgoflags |= PK_ALGO_FLAG_ECC18; if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, pkalgo, pkalgoflags, NULL, nbits, pkcurve)) {
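Review bot: The three lines added to `gnupg_rng_is_compliant` (common/compliance.c, hunk at -557) are commented-out debug code, `/* return 1; */`, which is unrelated to the ECDSA change and is not mentioned in the commit log. If it were ever re-enabled, the function would report the RNG as compliant without consulting the cache lookup that follows, so it should not be kept in the tree. I would drop the two comment lines and the added blank line from this commit. The function body continues outside the hunk.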
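Review bot: The comment on `PK_ALGO_FLAG_ECC18` in common/compliance.h does not tell a caller when the flag has any effect. As far as this commit shows, only `gnupg_pk_is_allowed` reads it, and only for signing and verification; whether `gnupg_pk_is_compliant`, declared right below, honours it is not visible here. I would extend the comment to something like `/* Algo 18 is the generic GCRY_PK_ECC; gnupg_pk_is_allowed maps it to ECDSA for signing and verification. */`. If the jump from 1 to 256 is deliberate, a word on why would also help.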
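Review bot: Passing `PK_ALGO_FLAG_ECC18` to `gnupg_pk_is_allowed` in `gpgsm_decrypt` (sm/decrypt.c) has no effect with the compliance.c code from this commit, because the remap there is taken only for `PK_USE_VERIFICATION` and `PK_USE_SIGNING`. A reader of this call may assume that ECC decryption keys now get a different compliance check than before. If the flag is passed only for uniformity with sign.c and verify.c, say so above the call: `/* PK_ALGO_FLAG_ECC18 is ignored for PK_USE_DECRYPTION; algo 18 is checked as ECDH. */`. The enclosing function starts and ends outside the hunk.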
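Review bot: `pkalgoflags |= PK_ALGO_FLAG_ECC18;` in `gpgsm_verify` (sm/verify.c) changes the variable for the rest of the function rather than only for the compliance check. If `pkalgoflags` is read again later, which this hunk does not show, the extra bit travels into code that may only expect `PK_ALGO_FLAG_RSAPSS`. Passing the flag in the argument keeps it local to the check: `pkalgo, pkalgoflags | PK_ALGO_FLAG_ECC18, NULL, nbits, pkcurve))`. That form also matches how sign.c and decrypt.c pass the flag in this commit.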