sm: Support AES-GCM decryption.

* sm/gpgsm.c (main): Use gpgrt_fcancel on decryption error if gpgrt supports this. * sm/decrypt.c (decrypt_gcm_filter): New. (gpgsm_decrypt): Use this filter if requested. Check authtag. * common/compliance.c (gnupg_cipher_is_allowed): Allow GCM for gpgsm in consumer (decrypt) de-vs mode. -- Backported-from-master: 4980fb3c6d We allow GCM in de-vs mode for decryption although this has not been evaluation. It is decryption and thus no serious harm may happen. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2021-06-02 11:03:55 +02:00 · 2021-06-02 11:03:55 +02:00 · b722fd755c
commit b722fd755c
parent c8f0b02936
3 changed files with 89 additions and 8 deletions
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@ -1825,16 +1825,22 @@ main ( int argc, char **argv)
    case aDecrypt:
      {
        estream_t fp = open_es_fwrite (opt.outfile?opt.outfile:"-");
+        gpg_error_t err;

        set_binary (stdin);
        if (!argc)
-          gpgsm_decrypt (&ctrl, 0, fp); /* from stdin */
+          err = gpgsm_decrypt (&ctrl, 0, fp); /* from stdin */
        else if (argc == 1)
-          gpgsm_decrypt (&ctrl, open_read (*argv), fp); /* from file */
+          err = gpgsm_decrypt (&ctrl, open_read (*argv), fp); /* from file */
        else
          wrong_args ("--decrypt [filename]");

-        es_fclose (fp);
+#if GPGRT_VERSION_NUMBER >= 0x012700  /* 1.39 */
+        if (err)
+          gpgrt_fcancel (fp);
+        else
+#endif
+          es_fclose (fp);
      }
      break;