sm: Fix compliance checking for ECC signature verification.
* common/compliance.c (gnupg_pk_is_compliant): Also consider the
gcrypt vids for ECDSA et al.
(gnupg_pk_is_allowed): Ditto.
* sm/verify.c (gpgsm_verify): Consider the curve. Print a compliance
notice for a non-compliant key.
* sm/certchain.c (gpgsm_validate_chain): Silence the "switching to
chain model".
--
Backported-from-master: 338a5ecaa1
parent
818051432c
commit
f2d25b04d7
4 changed files with 34 additions and 7 deletions
|
@ -88,7 +88,9 @@ gnupg_initialize_compliance (int gnupg_module_name)
|
|||
log_assert (! initialized);
|
||||
|
||||
/* We accept both OpenPGP-style and gcrypt-style algorithm ids.
|
||||
* Assert that they are compatible. */
|
||||
* Assert that they are compatible. At some places gcrypt ids are
|
||||
* used which can't be encoded in an OpenPGP algo octet; we also
|
||||
* assert this. */
|
||||
log_assert ((int) GCRY_PK_RSA == (int) PUBKEY_ALGO_RSA);
|
||||
log_assert ((int) GCRY_PK_RSA_E == (int) PUBKEY_ALGO_RSA_E);
|
||||
log_assert ((int) GCRY_PK_RSA_S == (int) PUBKEY_ALGO_RSA_S);
|
||||
|
@ -96,6 +98,9 @@ gnupg_initialize_compliance (int gnupg_module_name)
|
|||
log_assert ((int) GCRY_PK_DSA == (int) PUBKEY_ALGO_DSA);
|
||||
log_assert ((int) GCRY_PK_ECC == (int) PUBKEY_ALGO_ECDH);
|
||||
log_assert ((int) GCRY_PK_ELG == (int) PUBKEY_ALGO_ELGAMAL);
|
||||
log_assert ((int) GCRY_PK_ECDSA > 255);
|
||||
log_assert ((int) GCRY_PK_ECDH > 255);
|
||||
log_assert ((int) GCRY_PK_EDDSA > 255);
|
||||
log_assert ((int) GCRY_CIPHER_NONE == (int) CIPHER_ALGO_NONE);
|
||||
log_assert ((int) GCRY_CIPHER_IDEA == (int) CIPHER_ALGO_IDEA);
|
||||
log_assert ((int) GCRY_CIPHER_3DES == (int) CIPHER_ALGO_3DES);
|
||||
|
@ -164,6 +169,9 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
|
|||
case PUBKEY_ALGO_ECDH:
|
||||
case PUBKEY_ALGO_ECDSA:
|
||||
case PUBKEY_ALGO_EDDSA:
|
||||
case GCRY_PK_ECDSA:
|
||||
case GCRY_PK_ECDH:
|
||||
case GCRY_PK_EDDSA:
|
||||
algotype = is_ecc;
|
||||
break;
|
||||
|
||||
|
@ -216,7 +224,9 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
|
|||
|
||||
result = (curvename
|
||||
&& (algo == PUBKEY_ALGO_ECDH
|
||||
|| algo == PUBKEY_ALGO_ECDSA)
|
||||
|| algo == PUBKEY_ALGO_ECDSA
|
||||
|| algo == GCRY_PK_ECDH
|
||||
|| algo == GCRY_PK_ECDSA)
|
||||
&& (!strcmp (curvename, "brainpoolP256r1")
|
||||
|| !strcmp (curvename, "brainpoolP384r1")
|
||||
|| !strcmp (curvename, "brainpoolP512r1")));
|
||||
|
@ -297,6 +307,7 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
|
|||
break;
|
||||
|
||||
case PUBKEY_ALGO_ECDH:
|
||||
case GCRY_PK_ECDH:
|
||||
if (use == PK_USE_DECRYPTION)
|
||||
result = 1;
|
||||
else if (use == PK_USE_ENCRYPTION)
|
||||
|
@ -321,6 +332,7 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
|
|||
break;
|
||||
|
||||
case PUBKEY_ALGO_ECDSA:
|
||||
case GCRY_PK_ECDSA:
|
||||
if (use == PK_USE_VERIFICATION)
|
||||
result = 1;
|
||||
else
|
||||
|
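Review bot: The new `case GCRY_PK_ECDH:` and `case GCRY_PK_ECDSA:` labels in gnupg_pk_is_allowed, like the matching ones in gnupg_pk_is_compliant, carry no comment saying which gcrypt id a caller must pass. The init code in this file asserts `GCRY_PK_ECC == PUBKEY_ALGO_ECDH`, so a caller still holding the generic GCRY_PK_ECC id for an ECDSA certificate lands in the ECDH branch. In gnupg_pk_is_compliant that is harmless because all four ids share the same Brainpool curve check. In gnupg_pk_is_allowed the visible part of the ECDH branch handles only PK_USE_DECRYPTION and PK_USE_ENCRYPTION, so a PK_USE_VERIFICATION request would presumably be refused; the rest of that branch is outside the hunk, so this is inferred. I would add above the ECDH labels `/* Note: GCRY_PK_ECC has the same value as PUBKEY_ALGO_ECDH; callers must map it to GCRY_PK_ECDSA or GCRY_PK_ECDH before calling. */`.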
|
|
@ -47,7 +47,7 @@ enum gnupg_compliance_mode
|
|||
enum pk_use_case
|
||||
{
|
||||
PK_USE_ENCRYPTION, PK_USE_DECRYPTION,
|
||||
PK_USE_SIGNING, PK_USE_VERIFICATION,
|
||||
PK_USE_SIGNING, PK_USE_VERIFICATION
|
||||
};
|
||||
|
||||
/* Flags to distinguish public key algorithm variants. */
|
||||
|
|