security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-21 10:09:57 +01:00
Code Activity

gpg: Consider Kyber to be de-vs compliant.

Browse Source 
* common/compliance.c (gnupg_pk_is_compliant) <CO_DE_VS>: Consider
Brainpool Kyber variants compliant.
(gnupg_pk_is_allowed): Ditto.
(assumed_de_vs_compliance): Remove variable.
(get_assumed_de_vs_compliance): New.
(get_compliance_cache): Use new accessor.
(gnupg_status_compliance_flag): Ditto.
--

Use

  GNUPG_ASSUME_COMPLIANCE=de-vs gpg --compliance=de-vs ....

for testing.  This returns 2023 instead of 23 to indicate the
non-approval state.

GnuPG-bug-id: 6638
This commit is contained in:
Werner Koch 2024-11-14 15:15:11 +01:00
parent 996e8ae3cb
commit e5f450f3bb
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 61 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

74
common/compliance.c
View File

@ -41,15 +41,31 @@ static int initialized;
static int module;
/* The next variable and the code in get_compliance_cache should be
* removed after the software suite has been approved. */
static int assumed_de_vs_compliance = -1;
/* This value is used by DSA and RSA checks in addition to the hard
* coded length checks. It allows one to increase the required key length
* using a config file. */
static unsigned int min_compliant_rsa_length;
/* Kludge to allow testing of the compliance options while not yet
* approved. */
static int
get_assumed_de_vs_compliance (void)
{
#if 0 /* Set to 1 if the software suite has been approved. */
return 0;
#else
static int value = -1;
if (value == -1)
{
const char *s = getenv ("GNUPG_ASSUME_COMPLIANCE");
value = (s && !strcmp (s, "de-vs"));
}
return value > 0;
#endif
}
/* Return the address of a compliance cache variable for COMPLIANCE.
* If no such variable exists NULL is returned. FOR_RNG returns the
* cache variable for the RNG compliance check. */
@ -75,15 +91,9 @@ get_compliance_cache (enum gnupg_compliance_mode compliance, int for_rng)
case CO_DE_VS: ptr = for_rng? &r_de_vs : &s_de_vs ; break;
}
/* Remove this code after approval. */
if (ptr && compliance == CO_DE_VS)
{
if (assumed_de_vs_compliance == -1)
{
const char *s = getenv ("GNUPG_ASSUME_COMPLIANCE");
assumed_de_vs_compliance = (s && !strcmp (s, "de-vs"));
}
if (assumed_de_vs_compliance)
if (get_assumed_de_vs_compliance ())
*ptr = 1;
}
@ -250,7 +260,20 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
break;
case is_kem:
result = 0;
if (!curvename && key)
{
curve = openpgp_oid_to_str (key[0]);
curvename = openpgp_oid_to_curve (curve, 0);
if (!curvename)
curvename = curve;
}
result = (curvename
&& (keylength == 768 || keylength == 1024)
&& (algo == PUBKEY_ALGO_KYBER)
&& (!strcmp (curvename, "brainpoolP256r1")
|| !strcmp (curvename, "brainpoolP384r1")
|| !strcmp (curvename, "brainpoolP512r1")));
break;
default:
@ -391,6 +414,31 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
result = 0;
break;
case PUBKEY_ALGO_KYBER:
if (use == PK_USE_DECRYPTION)
result = 1;
else if (use == PK_USE_ENCRYPTION)
{
char *curve = NULL;
if (!curvename && key)
{
curve = openpgp_oid_to_str (key[0]);
curvename = openpgp_oid_to_curve (curve, 0);
if (!curvename)
curvename = curve;
}
result = (curvename
&& (keylength == 768 || keylength == 1024)
&& (!strcmp (curvename, "brainpoolP256r1")
|| !strcmp (curvename, "brainpoolP384r1")
|| !strcmp (curvename, "brainpoolP512r1")));
xfree (curve);
}
break;
default:
break;
}
@ -685,7 +733,7 @@ gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance)
case CO_PGP8:
log_assert (!"no status code assigned for this compliance mode");
case CO_DE_VS:
return assumed_de_vs_compliance > 0 ? "2023" : "23";
return get_assumed_de_vs_compliance ()? "2023" : "23";
}
log_assert (!"invalid compliance mode");
}