security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-21 10:09:57 +01:00
Code Activity

sm: Optmize clearing of the ephemeral flag.

Browse Source 
* kbx/keybox-search.c (keybox_get_cert): Store the blob clags in the
cert object.
* sm/certchain.c (do_validate_chain): Skip clearing of the ephemeral
flag if we know that it is not set.
--

GnuPG-bug-id: 7308
This commit is contained in:
Werner Koch 2024-09-27 15:50:46 +02:00
parent ca953ae5f7
commit cb6c506e4e
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
kbx/keybox-search.c
View File

@ -1363,6 +1363,7 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
size_t cert_off, cert_len; size_t cert_off, cert_len;
ksba_reader_t reader = NULL; ksba_reader_t reader = NULL;
ksba_cert_t cert = NULL; ksba_cert_t cert = NULL;
unsigned int blobflags;
int rc; int rc;
if (!hd) if (!hd)
@ -1408,6 +1409,17 @@ keybox_get_cert (KEYBOX_HANDLE hd, ksba_cert_t *r_cert)
return gpg_error (GPG_ERR_GENERAL); return gpg_error (GPG_ERR_GENERAL);
} }
rc = get_flag_from_image (buffer, length, KEYBOX_FLAG_BLOB, &blobflags);
if (!rc)
rc = ksba_cert_set_user_data (cert, "keydb.blobflags",
&blobflags, sizeof blobflags);
if (rc)
{
ksba_cert_release (cert);
ksba_reader_release (reader);
return gpg_error (rc);
}
*r_cert = cert; *r_cert = cert;
ksba_reader_release (reader); ksba_reader_release (reader);
return 0; return 0;

13
sm/certchain.c
View File

@ -2085,9 +2085,22 @@ do_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime_arg,
{ {
gpg_error_t err; gpg_error_t err;
chain_item_t ci; chain_item_t ci;
unsigned int blobflags;
size_t userdatalen;
for (ci = chain; ci; ci = ci->next) for (ci = chain; ci; ci = ci->next)
{ {
/* First do a quick check by looking at the blob flags to
* see whether the certificate is flagged ephemeral. This
* avoids the overhead of looking up the certificate again
* just to decide that there is no need to clear it. */
if (!ksba_cert_get_user_data (cert, "keydb.blobflags",
&blobflags, sizeof (blobflags),
&userdatalen)
&& userdatalen == sizeof blobflags
&& !(blobflags & KEYBOX_FLAG_BLOB_EPHEMERAL))
continue;
/* Note that it is possible for the last certificate in the /* Note that it is possible for the last certificate in the
chain (i.e. our target certificate) that it has not yet chain (i.e. our target certificate) that it has not yet
been stored in the keybox and thus the flag can't be set. been stored in the keybox and thus the flag can't be set.