[Pkg-gnupg-commit] [gnupg2] 38/185: common: Add cipher mode to compliance predicate.
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Mon Aug 7 11:55:18 UTC 2017
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch experimental
in repository gnupg2.
commit e051e396156211449568afa0ca7505dc13eaa3b4
Author: Justus Winter <justus at g10code.com>
Date: Wed Jun 7 16:09:07 2017 +0200
common: Add cipher mode to compliance predicate.
* common/compliance.c (gnupg_cipher_is_compliant): Add mode parameter.
* common/compliance.h (gnupg_cipher_is_compliant): Likewise.
* g10/mainproc.c (proc_encrypted): Adapt callsite.
* sm/decrypt.c (gpgsm_decrypt): Likewise.
GnuPG-bug-id: 3059
Signed-off-by: Justus Winter <justus at g10code.com>
---
common/compliance.c | 16 +++++++++++++---
common/compliance.h | 3 ++-
g10/mainproc.c | 2 +-
sm/decrypt.c | 3 +--
4 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/common/compliance.c b/common/compliance.c
index c2daa65..bcf621a 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -193,9 +193,11 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
}
-/* Return true if CIPHER is compliant to the given COMPLIANCE mode. */
+/* Return true if (CIPHER, MODE) is compliant to the given COMPLIANCE mode. */
int
-gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance, cipher_algo_t cipher)
+gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance,
+ cipher_algo_t cipher,
+ enum gcry_cipher_modes mode)
{
log_assert (initialized);
@@ -208,7 +210,15 @@ gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance, cipher_algo_t
case CIPHER_ALGO_AES192:
case CIPHER_ALGO_AES256:
case CIPHER_ALGO_3DES:
- return 1;
+ switch (module)
+ {
+ case GNUPG_MODULE_NAME_GPG:
+ return mode == GCRY_CIPHER_MODE_CFB;
+ case GNUPG_MODULE_NAME_GPGSM:
+ return mode == GCRY_CIPHER_MODE_CBC;
+ }
+ log_assert (!"reached");
+
default:
return 0;
}
diff --git a/common/compliance.h b/common/compliance.h
index 7235b00..e57495d 100644
--- a/common/compliance.h
+++ b/common/compliance.h
@@ -45,7 +45,8 @@ int gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
gcry_mpi_t key[], unsigned int keylength,
const char *curvename);
int gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance,
- cipher_algo_t cipher);
+ cipher_algo_t cipher,
+ enum gcry_cipher_modes mode);
int gnupg_digest_is_compliant (enum gnupg_compliance_mode compliance,
digest_algo_t digest);
const char *gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance);
diff --git a/g10/mainproc.c b/g10/mainproc.c
index 21ea6ca..26cd0a9 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
@@ -607,7 +607,7 @@ proc_encrypted (CTX c, PACKET *pkt)
/* Overriding session key voids compliance. */
&& opt.override_session_key == NULL
/* Check symmetric cipher. */
- && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo))
+ && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo, GCRY_CIPHER_MODE_CFB))
{
struct kidlist_item *i;
int compliant = 1;
diff --git a/sm/decrypt.c b/sm/decrypt.c
index aa621dd..a36f690 100644
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@@ -359,8 +359,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
}
/* For CMS, CO_DE_VS demands CBC mode. */
- is_de_vs = (mode == GCRY_CIPHER_MODE_CBC
- && gnupg_cipher_is_compliant (CO_DE_VS, algo));
+ is_de_vs = gnupg_cipher_is_compliant (CO_DE_VS, algo, mode);
audit_log_i (ctrl->audit, AUDIT_DATA_CIPHER_ALGO, algo);
dfparm.algo = algo;
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git
More information about the Pkg-gnupg-commit
mailing list