author | Justus Winter <justus@g10code.com> | 2017-06-07 16:09:07 +0200 |
---|---|---|
committer | Justus Winter <justus@g10code.com> | 2017-06-07 16:54:44 +0200 |
commit | e051e396156211449568afa0ca7505dc13eaa3b4 (patch) | |
tree | f576501d9ac2c1eddeab08b8dc7182f314b685b8 | |
parent | common,gpg,sm: Initialize compliance module. (diff) | |
common: Add cipher mode to compliance predicate.
* common/compliance.c (gnupg_cipher_is_compliant): Add mode parameter.
* common/compliance.h (gnupg_cipher_is_compliant): Likewise.
* g10/mainproc.c (proc_encrypted): Adapt callsite.
* sm/decrypt.c (gpgsm_decrypt): Likewise.
GnuPG-bug-id: 3059
Signed-off-by: Justus Winter <justus@g10code.com>
-rw-r--r-- | common/compliance.c | 16 | ||||
-rw-r--r-- | common/compliance.h | 3 | ||||
-rw-r--r-- | g10/mainproc.c | 2 | ||||
-rw-r--r-- | sm/decrypt.c | 3 |
4 files changed, 17 insertions, 7 deletions
diff --git a/common/compliance.c b/common/compliance.c
index c2daa654e..bcf621a45 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -193,9 +193,11 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
 }
-/* Return true if CIPHER is compliant to the given COMPLIANCE mode. */
+/* Return true if (CIPHER, MODE) is compliant to the given COMPLIANCE mode. */
 int
-gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance, cipher_algo_t cipher)
+gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance,
+ cipher_algo_t cipher,
+ enum gcry_cipher_modes mode)
 {
 log_assert (initialized);
@@ -208,7 +210,15 @@ gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance, cipher_algo_t cipher
 case CIPHER_ALGO_AES192:
 case CIPHER_ALGO_AES256:
 case CIPHER_ALGO_3DES:
- return 1;
+ switch (module)
+ {
+ case GNUPG_MODULE_NAME_GPG:
+ return mode == GCRY_CIPHER_MODE_CFB;
+ case GNUPG_MODULE_NAME_GPGSM:
+ return mode == GCRY_CIPHER_MODE_CBC;
+ }
+ log_assert (!"reached");
+
 default:
 return 0;
 }
diff --git a/common/compliance.h b/common/compliance.h
index 7235b007b..e57495da2 100644
--- a/common/compliance.h
+++ b/common/compliance.h
@@ -45,7 +45,8 @@ int gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
 gcry_mpi_t key[], unsigned int keylength,
 const char *curvename);
 int gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance,
- cipher_algo_t cipher);
+ cipher_algo_t cipher,
+ enum gcry_cipher_modes mode);
 int gnupg_digest_is_compliant (enum gnupg_compliance_mode compliance,
 digest_algo_t digest);
 const char *gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance);
diff --git a/g10/mainproc.c b/g10/mainproc.c
index 21ea6cafb..26cd0a9cc 100644
--- a/g10/mainproc.c
+++ b/g10/mainproc.c
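Review bot: The updated comment above gnupg_cipher_is_compliant does not say that the accepted mode is selected by the file-level `module` value rather than by the arguments alone, which the second hunk of this file shows (CFB for GNUPG_MODULE_NAME_GPG, CBC for GNUPG_MODULE_NAME_GPGSM). I would extend it to `/* Return true if CIPHER used in MODE is compliant to the given COMPLIANCE mode.  The accepted MODE depends on the module set at initialization: CFB for gpg, CBC for gpgsm. */`. The same sentence would help next to the prototype in common/compliance.h, which carries no comment. The function body continues outside this hunk, so whether MODE is consulted for every COMPLIANCE value cannot be confirmed from here.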
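Review bot: The inner `switch (module)` has no `default`, and the only statement between it and the outer `default:` label is `log_assert (!"reached")`, so the fail-closed answer for an unexpected module rests on an implicit fall-through. If log_assert terminates the process, a caller from any module other than gpg or gpgsm aborts instead of receiving a non-compliant result; if it ever does not, control drops silently into `default: return 0;` and fall-through warnings will flag the spot. Making the intent explicit costs one line: `log_assert (!"reached"); return 0;`, or at least a `/* fallthrough */` comment before `default:`. `module` is not declared in this hunk and the outer switch begins outside it, so this assumes it holds the value recorded at initialization.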
@@ -607,7 +607,7 @@ proc_encrypted (CTX c, PACKET *pkt)
 /* Overriding session key voids compliance. */
 && opt.override_session_key == NULL
 /* Check symmetric cipher. */
- && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo))
+ && gnupg_cipher_is_compliant (CO_DE_VS, c->dek->algo, GCRY_CIPHER_MODE_CFB))
 {
 struct kidlist_item *i;
 int compliant = 1;
diff --git a/sm/decrypt.c b/sm/decrypt.c
index aa621ddf3..a36f69027 100644
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@@ -359,8 +359,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
 }
 /* For CMS, CO_DE_VS demands CBC mode. */
- is_de_vs = (mode == GCRY_CIPHER_MODE_CBC
- && gnupg_cipher_is_compliant (CO_DE_VS, algo));
+ is_de_vs = gnupg_cipher_is_compliant (CO_DE_VS, algo, mode);
 audit_log_i (ctrl->audit, AUDIT_DATA_CIPHER_ALGO, algo);
 dfparm.algo = algo; |
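Review bot: The mode passed at this call site in proc_encrypted is the literal `GCRY_CIPHER_MODE_CFB`, not a value taken from the decryption context, so for gpg the new mode test compares a constant with a constant and can never reject anything. That is sound only while every path through proc_encrypted really decrypts in CFB; if another mode is introduced later, this call would still report the message as CO_DE_VS compliant. A comment such as `/* OpenPGP symmetric data is always decrypted in CFB here; pass the actual mode if that ever changes. */` would record the assumption, or the mode could be read from whatever state configures the cipher handle. The condition starts above the hunk, so its other terms are not visible here.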
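Review bot: The retained comment `/* For CMS, CO_DE_VS demands CBC mode. */` in gpgsm_decrypt now sits above a line that no longer mentions CBC; the requirement is enforced inside gnupg_cipher_is_compliant, and only when the compliance code was initialized for the gpgsm module. I would reword it to `/* CO_DE_VS: gnupg_cipher_is_compliant accepts only CBC for gpgsm. */` so a reader does not conclude the mode check was dropped. `mode` is presumably the value parsed from the incoming CMS data earlier in the function, which lies outside the hunk, so it is worth confirming it is set on every path that reaches this line.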