-rw-r--r-- | cipher/dsa.c | 59 | ||||
-rw-r--r-- | cipher/ecc.c | 20 | ||||
-rw-r--r-- | cipher/pubkey-internal.h | 3 | ||||
-rw-r--r-- | cipher/pubkey-util.c | 21 | ||||
-rw-r--r-- | cipher/rsa.c | 31 | ||||
-rw-r--r-- | src/cipher.h | 5 |
6 files changed, 103 insertions, 36 deletions
diff --git a/cipher/dsa.c b/cipher/dsa.c index f86ff15e..e43bdf44 100644 --- a/cipher/dsa.c +++ b/cipher/dsa.c @@ -710,9 +710,7 @@ dsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) gcry_sexp_t deriveparms = NULL; gcry_sexp_t seedinfo = NULL; gcry_sexp_t misc_info = NULL; - int transient_key = 0; - int use_fips186_2 = 0; - int use_fips186 = 0; + int flags = 0; dsa_domain_t domain; gcry_mpi_t *factors = NULL; @@ -723,6 +721,16 @@ dsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) if (rc) return rc; + /* Parse the optional flags list. */ + l1 = gcry_sexp_find_token (genparms, "flags", 0); + if (l1) + { + rc = _gcry_pk_util_parse_flaglist (l1, &flags, NULL); + gcry_sexp_release (l1); + if (rc) + return rc;\ + } + /* Parse the optional qbits element. */ l1 = gcry_sexp_find_token (genparms, "qbits", 0); if (l1) 
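Review bot: A stray backslash follows `return rc;` in the flags-parsing block added to dsa_generate (second hunk, `return rc;\`). As a line splice it only joins that line with the closing brace, so the code still compiles, but it is a typo that the otherwise identical blocks added to ecc_generate and rsa_generate do not carry. The line should read `return rc;`. dsa_generate's body continues outside this hunk.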
@@ -744,28 +752,37 @@ dsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) } /* Parse the optional transient-key flag. */ - l1 = gcry_sexp_find_token (genparms, "transient-key", 0); - if (l1) + if (!(flags & PUBKEY_FLAG_TRANSIENT_KEY)) { - transient_key = 1; - gcry_sexp_release (l1); + l1 = gcry_sexp_find_token (genparms, "transient-key", 0); + if (l1) + { + flags |= PUBKEY_FLAG_TRANSIENT_KEY; + gcry_sexp_release (l1); + } } /* Get the optional derive parameters. */ deriveparms = gcry_sexp_find_token (genparms, "derive-parms", 0); /* Parse the optional "use-fips186" flags. */ - l1 = gcry_sexp_find_token (genparms, "use-fips186", 0); - if (l1) + if (!(flags & PUBKEY_FLAG_USE_FIPS186)) { - use_fips186 = 1; - gcry_sexp_release (l1); + l1 = gcry_sexp_find_token (genparms, "use-fips186", 0); + if (l1) + { + flags |= PUBKEY_FLAG_USE_FIPS186; + gcry_sexp_release (l1); + } } - l1 = gcry_sexp_find_token (genparms, "use-fips186-2", 0); - if (l1) + if (!(flags & PUBKEY_FLAG_USE_FIPS186_2)) { - use_fips186_2 = 1; - gcry_sexp_release (l1); + l1 = gcry_sexp_find_token (genparms, "use-fips186-2", 0); + if (l1) + { + flags |= PUBKEY_FLAG_USE_FIPS186_2; + gcry_sexp_release (l1); + } } /* Check whether domain parameters are given. */ @@ -809,14 +826,18 @@ dsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) qbits = mpi_get_nbits (domain.q); } - if (deriveparms || use_fips186 || use_fips186_2 || fips_mode ()) + if (deriveparms + || (flags & PUBKEY_FLAG_USE_FIPS186) + || (flags & PUBKEY_FLAG_USE_FIPS186_2) + || fips_mode ()) { int counter; void *seed; size_t seedlen; gcry_mpi_t h_value; - rc = generate_fips186 (&sk, nbits, qbits, deriveparms, use_fips186_2, + rc = generate_fips186 (&sk, nbits, qbits, deriveparms, + !!(flags & PUBKEY_FLAG_USE_FIPS186_2), &domain, &counter, &seed, &seedlen, &h_value); if (!rc && h_value) 
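Review bot: The comments above the three legacy lookups in the first hunk on this line (`transient-key`, `use-fips186`, `use-fips186-2`) still read as if the stand-alone element were the only syntax, although each lookup now runs only when the bit was not already set through the `flags` list. A comment on each guard such as `/* Backward compatibility: also accept the old stand-alone (transient-key) element. */` would tell a maintainer which form is current and which is presumably kept for older callers. The hunk covers only part of dsa_generate.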
@@ -832,7 +853,9 @@ dsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) } else { - rc = generate (&sk, nbits, qbits, transient_key, &domain, &factors); + rc = generate (&sk, nbits, qbits, + !!(flags & PUBKEY_FLAG_TRANSIENT_KEY), + &domain, &factors); } if (!rc) diff --git a/cipher/ecc.c b/cipher/ecc.c index bd4d2539..da384e87 100644 --- a/cipher/ecc.c +++ b/cipher/ecc.c @@ -1247,13 +1247,13 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) gcry_mpi_t y = NULL; char *curve_name = NULL; gcry_sexp_t l1; - int transient_key = 0; gcry_random_level_t random_level; mpi_ec_t ctx = NULL; gcry_sexp_t curve_info = NULL; gcry_mpi_t base = NULL; gcry_mpi_t public = NULL; gcry_mpi_t secret = NULL; + int flags = 0; memset (&E, 0, sizeof E); memset (&sk, 0, sizeof sk); @@ -1276,10 +1276,20 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) l1 = gcry_sexp_find_token (genparms, "transient-key", 0); if (l1) { - transient_key = 1; + flags |= PUBKEY_FLAG_TRANSIENT_KEY; gcry_sexp_release (l1); } + /* Parse the optional flags list. */ + l1 = gcry_sexp_find_token (genparms, "flags", 0); + if (l1) + { + rc = _gcry_pk_util_parse_flaglist (l1, &flags, NULL); + gcry_sexp_release (l1); + if (rc) + goto leave; + } + /* NBITS is required if no curve name has been given. */ if (!nbits && !curve_name) return GPG_ERR_NO_OBJ; /* No NBITS parameter. */ @@ -1303,7 +1313,11 @@ ecc_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) log_printpnt ("ecgen curve G", &E.G, NULL); } - random_level = transient_key ? GCRY_STRONG_RANDOM : GCRY_VERY_STRONG_RANDOM; + if ((flags & PUBKEY_FLAG_TRANSIENT_KEY)) + random_level = GCRY_STRONG_RANDOM; + else + random_level = GCRY_VERY_STRONG_RANDOM; + ctx = _gcry_mpi_ec_p_internal_new (E.model, E.dialect, E.p, E.a, E.b); x = mpi_new (0); y = mpi_new (0); diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h index 7e3667e9..cb2721d1 100644 --- a/cipher/pubkey-internal.h +++ b/cipher/pubkey-internal.h 
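Review bot: The rewritten random_level selection in ecc_generate (last ecc.c hunk) carries no comment saying that `transient-key` lowers the level from GCRY_VERY_STRONG_RANDOM to GCRY_STRONG_RANDOM, and after this change the flag can arrive through the `flags` list as well as the stand-alone element. I would add something like `/* transient-key selects the lower random level; meant for short-lived keys - confirm against the flag's documentation. */` above the `if`. The same trade-off is passed as a boolean to `generate` in the dsa.c hunk at the start of this line, where a matching comment would help. ecc_generate's body continues outside the hunk.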
@@ -21,6 +21,9 @@ #define GCRY_PUBKEY_INTERNAL_H /*-- pubkey-util.c --*/ +gpg_err_code_t _gcry_pk_util_parse_flaglist (gcry_sexp_t list, + int *r_flags, + enum pk_encoding *r_encoding); gpg_err_code_t _gcry_pk_util_get_nbits (gcry_sexp_t list, unsigned int *r_nbits); gpg_err_code_t _gcry_pk_util_get_rsa_use_e (gcry_sexp_t list, diff --git a/cipher/pubkey-util.c b/cipher/pubkey-util.c index 52d69cf9..3dfc0279 100644 --- a/cipher/pubkey-util.c +++ b/cipher/pubkey-util.c @@ -50,9 +50,9 @@ pss_verify_cmp (void *opaque, gcry_mpi_t tmp) R_ENCODING and the flags are stored at R_FLAGS. if any of them is not needed, NULL may be passed. The function returns 0 on success or an error code. */ -static gpg_err_code_t -parse_flag_list (gcry_sexp_t list, - int *r_flags, enum pk_encoding *r_encoding) +gpg_err_code_t +_gcry_pk_util_parse_flaglist (gcry_sexp_t list, + int *r_flags, enum pk_encoding *r_encoding) { gpg_err_code_t rc = 0; const char *s; @@ -101,6 +101,14 @@ parse_flag_list (gcry_sexp_t list, } else if (n == 11 && ! memcmp (s, "no-blinding", 11)) flags |= PUBKEY_FLAG_NO_BLINDING; + else if (n == 13 && ! memcmp (s, "transient-key", 13)) + flags |= PUBKEY_FLAG_TRANSIENT_KEY; + else if (n == 8 && ! memcmp (s, "use-x931", 8)) + flags |= PUBKEY_FLAG_USE_X931; + else if (n == 11 && ! memcmp (s, "use-fips186", 11)) + flags |= PUBKEY_FLAG_USE_FIPS186; + else if (n == 13 && ! memcmp (s, "use-fips186-2", 13)) + flags |= PUBKEY_FLAG_USE_FIPS186_2; else rc = GPG_ERR_INV_FLAG; } @@ -524,7 +532,7 @@ _gcry_pk_util_preparse_encval (gcry_sexp_t sexp, const char **algo_names, const char *s; /* There is a flags element - process it. */ - rc = parse_flag_list (l2, &parsed_flags, &ctx->encoding); + rc = _gcry_pk_util_parse_flaglist (l2, &parsed_flags, &ctx->encoding); if (rc) goto leave; if (ctx->encoding == PUBKEY_ENC_PSS) 
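Review bot: The four key-generation flags added to the shared parser (hunk `@@ -101,6 +101,14`) are now accepted by every caller regardless of operation, and no caller visible in this diff checks the result for bits that do not apply to it. `_gcry_pk_util_preparse_encval` and `_gcry_pk_util_data_to_mpi` used to get GPG_ERR_INV_FLAG (or set `unknown_flag`) for `transient-key` or `use-x931` in a data flags list and now accept them silently. In the other direction dsa_generate, ecc_generate and rsa_generate pass NULL for r_encoding and use only their own bits, so a list containing `no-blinding`, or `use-x931` on a DSA key, is ignored rather than rejected. Each caller should mask the parsed value against the flags it honours and fail otherwise, with a check of the form `if ((flags & ~allowed)) return GPG_ERR_INV_FLAG;` where `allowed` is that caller's set of PUBKEY_FLAG_* bits. The parser's body starts and ends outside the hunk, so its other accepted flags are not visible here.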
@@ -701,12 +709,13 @@ _gcry_pk_util_data_to_mpi (gcry_sexp_t input, gcry_mpi_t *ret_mpi, return *ret_mpi ? GPG_ERR_NO_ERROR : GPG_ERR_INV_OBJ; } - /* see whether there is a flags object */ + /* See whether there is a flags list. */ { gcry_sexp_t lflags = gcry_sexp_find_token (ldata, "flags", 0); if (lflags) { - if (parse_flag_list (lflags, &parsed_flags, &ctx->encoding)) + if (_gcry_pk_util_parse_flaglist (lflags, + &parsed_flags, &ctx->encoding)) unknown_flag = 1; gcry_sexp_release (lflags); } diff --git a/cipher/rsa.c b/cipher/rsa.c index fc6bbe5b..d4d2a0ab 100644 --- a/cipher/rsa.c +++ b/cipher/rsa.c @@ -760,8 +760,7 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) unsigned long evalue; RSA_secret_key sk; gcry_sexp_t deriveparms; - int transient_key = 0; - int use_x931 = 0; + int flags = 0; gcry_sexp_t l1; gcry_sexp_t swap_info = NULL; @@ -775,6 +774,16 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) if (ec) return ec; + /* Parse the optional flags list. */ + l1 = gcry_sexp_find_token (genparms, "flags", 0); + if (l1) + { + ec = _gcry_pk_util_parse_flaglist (l1, &flags, NULL); + gcry_sexp_release (l1); + if (ec) + return ec; + } + deriveparms = (genparms? gcry_sexp_find_token (genparms, "derive-parms", 0) : NULL); if (!deriveparms) @@ -783,12 +792,12 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) l1 = gcry_sexp_find_token (genparms, "use-x931", 0); if (l1) { - use_x931 = 1; + flags |= PUBKEY_FLAG_USE_X931; gcry_sexp_release (l1); } } - if (deriveparms || use_x931 || fips_mode ()) + if (deriveparms || (flags & PUBKEY_FLAG_USE_X931) || fips_mode ()) { int swapped; ec = generate_x931 (&sk, nbits, evalue, deriveparms, &swapped); 
@@ -799,14 +808,18 @@ rsa_generate (const gcry_sexp_t genparms, gcry_sexp_t *r_skey) else { /* Parse the optional "transient-key" flag. */ - l1 = gcry_sexp_find_token (genparms, "transient-key", 0); - if (l1) + if (!(flags & PUBKEY_FLAG_TRANSIENT_KEY)) { - transient_key = 1; - gcry_sexp_release (l1); + l1 = gcry_sexp_find_token (genparms, "transient-key", 0); + if (l1) + { + flags |= PUBKEY_FLAG_TRANSIENT_KEY; + gcry_sexp_release (l1); + } } /* Generate. */ - ec = generate_std (&sk, nbits, evalue, transient_key); + ec = generate_std (&sk, nbits, evalue, + !!(flags & PUBKEY_FLAG_TRANSIENT_KEY)); } if (!ec) diff --git a/src/cipher.h b/src/cipher.h index 28f50708..b3469e57 100644 --- a/src/cipher.h +++ b/src/cipher.h @@ -32,6 +32,11 @@ #define PUBKEY_FLAG_FIXEDLEN (1 << 3) #define PUBKEY_FLAG_LEGACYRESULT (1 << 4) #define PUBKEY_FLAG_RAW_FLAG (1 << 5) +#define PUBKEY_FLAG_TRANSIENT_KEY (1 << 6) +#define PUBKEY_FLAG_USE_X931 (1 << 7) +#define PUBKEY_FLAG_USE_FIPS186 (1 << 8) +#define PUBKEY_FLAG_USE_FIPS186_2 (1 << 9) + enum pk_operation { |