security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-04-17 15:44:34 +02:00
Code Activity

Allow generation of card keys up to 4096 bit.

Browse Source 
This patch implementes a chunk mode to pass the key parameters from
scdaemon to gpg.  This allows to pass arbitrary long key paremeters;
it is used for keys larger than 3072 bit.
This commit is contained in:
Werner Koch 2011-07-07 11:20:53 +02:00
parent 3fe9938202
commit fb44677c9f
6 changed files with 173 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
NEWS
View File

@ -1,6 +1,10 @@
Noteworthy changes in version 2.0.18 (unreleased) Noteworthy changes in version 2.0.18 (unreleased)
------------------------------------------------- -------------------------------------------------
* Allow generation of card keys up to 4096 bit.
* Bug fix for newer versions of Libgcrypt.
Noteworthy changes in version 2.0.17 (2011-01-13) Noteworthy changes in version 2.0.17 (2011-01-13)
------------------------------------------------- -------------------------------------------------

78
g10/call-agent.c
View File

@ -76,6 +76,12 @@ struct genkey_parm_s
size_t sexplen; size_t sexplen;
}; };
struct scd_genkey_parm_s
{
struct agent_card_genkey_s *cgk;
char *savedbytes; /* Malloced space to save key parameter chunks. */
};
static gpg_error_t learn_status_cb (void *opaque, const char *line); static gpg_error_t learn_status_cb (void *opaque, const char *line);
@ -694,14 +700,44 @@ agent_scd_writekey (int keyno, const char *serialno,
static gpg_error_t
scd_genkey_cb_append_savedbytes (struct scd_genkey_parm_s *parm,
const char *line)
{
gpg_error_t err = 0;
char *p;
if (!parm->savedbytes)
{
parm->savedbytes = xtrystrdup (line);
if (!parm->savedbytes)
err = gpg_error_from_syserror ();
}
else
{
p = xtrymalloc (strlen (parm->savedbytes) + strlen (line) + 1);
if (!p)
err = gpg_error_from_syserror ();
else
{
strcpy (stpcpy (p, parm->savedbytes), line);
xfree (parm->savedbytes);
parm->savedbytes = p;
}
}
return err;
}
/* Status callback for the SCD GENKEY command. */ /* Status callback for the SCD GENKEY command. */
static gpg_error_t static gpg_error_t
scd_genkey_cb (void *opaque, const char *line) scd_genkey_cb (void *opaque, const char *line)
{ {
struct agent_card_genkey_s *parm = opaque; struct scd_genkey_parm_s *parm = opaque;
const char *keyword = line; const char *keyword = line;
int keywordlen; int keywordlen;
gpg_error_t rc; gpg_error_t rc = 0;
for (keywordlen=0; *line && !spacep (line); line++, keywordlen++) for (keywordlen=0; *line && !spacep (line); line++, keywordlen++)
; ;
@ -710,7 +746,7 @@ scd_genkey_cb (void *opaque, const char *line)
if (keywordlen == 7 && !memcmp (keyword, "KEY-FPR", keywordlen)) if (keywordlen == 7 && !memcmp (keyword, "KEY-FPR", keywordlen))
{ {
parm->fprvalid = unhexify_fpr (line, parm->fpr); parm->cgk->fprvalid = unhexify_fpr (line, parm->cgk->fpr);
} }
else if (keywordlen == 8 && !memcmp (keyword, "KEY-DATA", keywordlen)) else if (keywordlen == 8 && !memcmp (keyword, "KEY-DATA", keywordlen))
{ {
@ -722,29 +758,47 @@ scd_genkey_cb (void *opaque, const char *line)
while (spacep (line)) while (spacep (line))
line++; line++;
if (*name == '-' && spacep (name+1))
rc = scd_genkey_cb_append_savedbytes (parm, line);
else
{
if (parm->savedbytes)
{
rc = scd_genkey_cb_append_savedbytes (parm, line);
if (!rc)
rc = gcry_mpi_scan (&a, GCRYMPI_FMT_HEX,
parm->savedbytes, 0, NULL);
}
else
rc = gcry_mpi_scan (&a, GCRYMPI_FMT_HEX, line, 0, NULL); rc = gcry_mpi_scan (&a, GCRYMPI_FMT_HEX, line, 0, NULL);
if (rc) if (rc)
log_error ("error parsing received key data: %s\n", gpg_strerror (rc)); log_error ("error parsing received key data: %s\n",
gpg_strerror (rc));
else if (*name == 'n' && spacep (name+1)) else if (*name == 'n' && spacep (name+1))
parm->n = a; parm->cgk->n = a;
else if (*name == 'e' && spacep (name+1)) else if (*name == 'e' && spacep (name+1))
parm->e = a; parm->cgk->e = a;
else else
{ {
log_info ("unknown parameter name in received key data\n"); log_info ("unknown parameter name in received key data\n");
gcry_mpi_release (a); gcry_mpi_release (a);
rc = gpg_error (GPG_ERR_INV_PARAMETER);
}
xfree (parm->savedbytes);
parm->savedbytes = NULL;
} }
} }
else if (keywordlen == 14 && !memcmp (keyword,"KEY-CREATED-AT", keywordlen)) else if (keywordlen == 14 && !memcmp (keyword,"KEY-CREATED-AT", keywordlen))
{ {
parm->created_at = (u32)strtoul (line, NULL, 10); parm->cgk->created_at = (u32)strtoul (line, NULL, 10);
} }
else if (keywordlen == 8 && !memcmp (keyword, "PROGRESS", keywordlen)) else if (keywordlen == 8 && !memcmp (keyword, "PROGRESS", keywordlen))
{ {
write_status_text (STATUS_PROGRESS, line); write_status_text (STATUS_PROGRESS, line);
} }
return 0; return rc;
} }
/* Send a GENKEY command to the SCdaemon. SERIALNO is not used in /* Send a GENKEY command to the SCdaemon. SERIALNO is not used in
@ -759,9 +813,13 @@ agent_scd_genkey (struct agent_card_genkey_s *info, int keyno, int force,
int rc; int rc;
char line[ASSUAN_LINELENGTH]; char line[ASSUAN_LINELENGTH];
gnupg_isotime_t tbuf; gnupg_isotime_t tbuf;
struct scd_genkey_parm_s parms;
(void)serialno; (void)serialno;
memset (&parms, 0, sizeof parms);
parms.cgk = info;
rc = start_agent (1); rc = start_agent (1);
if (rc) if (rc)
return rc; return rc;
@ -781,7 +839,9 @@ agent_scd_genkey (struct agent_card_genkey_s *info, int keyno, int force,
memset (info, 0, sizeof *info); memset (info, 0, sizeof *info);
rc = assuan_transact (agent_ctx, line, rc = assuan_transact (agent_ctx, line,
NULL, NULL, default_inq_cb, NULL, NULL, NULL, default_inq_cb, NULL,
scd_genkey_cb, info); scd_genkey_cb, &parms);
xfree (parms.savedbytes);
status_sc_op_failure (rc); status_sc_op_failure (rc);
return rc; return rc;

2
g10/card-util.c
View File

@ -1284,7 +1284,7 @@ static unsigned int
ask_card_keysize (int keyno, unsigned int nbits) ask_card_keysize (int keyno, unsigned int nbits)
{ {
unsigned int min_nbits = 1024; unsigned int min_nbits = 1024;
unsigned int max_nbits = 3072; /* GnuPG limit due to Assuan. */ unsigned int max_nbits = 4096;
char *prompt, *answer; char *prompt, *answer;
unsigned int req_nbits; unsigned int req_nbits;

25
scd/app-openpgp.c
View File

@ -756,20 +756,29 @@ static void
send_key_data (ctrl_t ctrl, const char *name, send_key_data (ctrl_t ctrl, const char *name,
const unsigned char *a, size_t alen) const unsigned char *a, size_t alen)
{ {
char *buf; char *buffer, *buf;
size_t buflen;
buf = bin2hex (a, alen, NULL); buffer = buf = bin2hex (a, alen, NULL);
if (!buf) if (!buffer)
{ {
log_error ("memory allocation error in send_key_data\n"); log_error ("memory allocation error in send_key_data\n");
return; return;
} }
buflen = strlen (buffer);
/* 768 is the hexified size for the modulus of an 3072 bit key. We
use extra chunks to transmit larger data (i.e for 4096 bit). */
for ( ;buflen > 768; buflen -= 768, buf += 768)
send_status_info (ctrl, "KEY-DATA",
"-", 1,
buf, 768,
NULL, 0);
send_status_info (ctrl, "KEY-DATA", send_status_info (ctrl, "KEY-DATA",
name, (size_t)strlen(name), name, (size_t)strlen(name),
buf, (size_t)strlen (buf), buf, buflen,
NULL, 0); NULL, 0);
xfree (buf); xfree (buffer);
} }
@ -2365,7 +2374,7 @@ change_keyattr (app_t app, int keyno, unsigned int nbits,
assert (keyno >=0 && keyno <= 2); assert (keyno >=0 && keyno <= 2);
if (nbits > 3072) if (nbits > 4096)
return gpg_error (GPG_ERR_TOO_LARGE); return gpg_error (GPG_ERR_TOO_LARGE);
/* Read the current attributes into a buffer. */ /* Read the current attributes into a buffer. */
@ -2823,7 +2832,7 @@ do_genkey (app_t app, ctrl_t ctrl, const char *keynostr, unsigned int flags,
already lead to a 527 byte long status line and thus a 4096 bit already lead to a 527 byte long status line and thus a 4096 bit
key would exceed the Assuan line length limit. */ key would exceed the Assuan line length limit. */
keybits = app->app_local->keyattr[keyno].n_bits; keybits = app->app_local->keyattr[keyno].n_bits;
if (keybits > 3072) if (keybits > 4096)
return gpg_error (GPG_ERR_TOO_LARGE); return gpg_error (GPG_ERR_TOO_LARGE);
/* Prepare for key generation by verifying the Admin PIN. */ /* Prepare for key generation by verifying the Admin PIN. */
@ -3377,6 +3386,8 @@ do_decipher (app_t app, const char *keyidstr,
fixuplen = 256 - indatalen; fixuplen = 256 - indatalen;
else if (indatalen >= (384-16) && indatalen < 384) /* 3072 bit key. */ else if (indatalen >= (384-16) && indatalen < 384) /* 3072 bit key. */
fixuplen = 384 - indatalen; fixuplen = 384 - indatalen;
else if (indatalen >= (512-16) && indatalen < 512) /* 4096 bit key. */
fixuplen = 512 - indatalen;
else else
fixuplen = 0; fixuplen = 0;

8
scd/command.c
View File

@ -1287,11 +1287,15 @@ static const char hlp_genkey[] =
"\n" "\n"
"Generate a key on-card identified by NO, which is application\n" "Generate a key on-card identified by NO, which is application\n"
"specific. Return values are application specific. For OpenPGP\n" "specific. Return values are application specific. For OpenPGP\n"
"cards 2 status lines are returned:\n" "cards 3 status lines are returned:\n"
"\n" "\n"
" S KEY-FPR <hexstring>\n" " S KEY-FPR <hexstring>\n"
" S KEY-CREATED-AT <seconds_since_epoch>\n" " S KEY-CREATED-AT <seconds_since_epoch>\n"
" S KEY-DATA [p|n] <hexdata>\n" " S KEY-DATA [-|p|n] <hexdata>\n"
"\n"
" 'p' and 'n' are the names of the RSA parameters; '-' is used to\n"
" indicate that HEXDATA is the first chunk of a parameter given\n"
" by the next KEY-DATA.\n"
"\n" "\n"
"--force is required to overwrite an already existing key. The\n" "--force is required to overwrite an already existing key. The\n"
"KEY-CREATED-AT is required for further processing because it is\n" "KEY-CREATED-AT is required for further processing because it is\n"