summaryrefslogtreecommitdiffstats
path: root/common/compliance.c
diff options
context:
space:
mode:
authorWerner Koch <wk@gnupg.org>2024-11-14 15:15:11 +0100
committerWerner Koch <wk@gnupg.org>2024-11-14 15:15:11 +0100
commite5f450f3bb83f80c37cbc6cc9bbe19cbd3359eba (patch)
tree05397b2600c9c051e3114857cc8ade9841998018 /common/compliance.c
parentgpg: Allow "Kyber" as algorithm for the Subkey-Type keyword. (diff)
downloadgnupg2-e5f450f3bb83f80c37cbc6cc9bbe19cbd3359eba.tar.xz
gnupg2-e5f450f3bb83f80c37cbc6cc9bbe19cbd3359eba.zip
gpg: Consider Kyber to be de-vs compliant.
* common/compliance.c (gnupg_pk_is_compliant) <CO_DE_VS>: Consider Brainpool Kyber variants compliant. (gnupg_pk_is_allowed): Ditto. (assumed_de_vs_compliance): Remove variable. (get_assumed_de_vs_compliance): New. (get_compliance_cache): Use new accessor. (gnupg_status_compliance_flag): Ditto. -- Use GNUPG_ASSUME_COMPLIANCE=de-vs gpg --compliance=de-vs .... for testing. This returns 2023 instead of 23 to indicate the non-approval state. GnuPG-bug-id: 6638
Diffstat (limited to 'common/compliance.c')
-rw-r--r--common/compliance.c74
1 files changed, 61 insertions, 13 deletions
diff --git a/common/compliance.c b/common/compliance.c
index 997cc37cc..f37f5a013 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -41,15 +41,31 @@ static int initialized;
static int module;
-/* The next variable and the code in get_compliance_cache should be
- * removed after the software suite has been approved. */
-static int assumed_de_vs_compliance = -1;
-
/* This value is used by DSA and RSA checks in addition to the hard
* coded length checks. It allows one to increase the required key length
* using a config file. */
static unsigned int min_compliant_rsa_length;
+
+/* Kludge to allow testing of the compliance options while not yet
+ * approved. */
+static int
+get_assumed_de_vs_compliance (void)
+{
+#if 0 /* Set to 1 if the software suite has been approved. */
+ return 0;
+#else
+ static int value = -1;
+
+ if (value == -1)
+ {
+ const char *s = getenv ("GNUPG_ASSUME_COMPLIANCE");
+ value = (s && !strcmp (s, "de-vs"));
+ }
+ return value > 0;
+#endif
+}
+
/* Return the address of a compliance cache variable for COMPLIANCE.
* If no such variable exists NULL is returned. FOR_RNG returns the
* cache variable for the RNG compliance check. */
@@ -75,15 +91,9 @@ get_compliance_cache (enum gnupg_compliance_mode compliance, int for_rng)
case CO_DE_VS: ptr = for_rng? &r_de_vs : &s_de_vs ; break;
}
- /* Remove this code after approval. */
if (ptr && compliance == CO_DE_VS)
{
- if (assumed_de_vs_compliance == -1)
- {
- const char *s = getenv ("GNUPG_ASSUME_COMPLIANCE");
- assumed_de_vs_compliance = (s && !strcmp (s, "de-vs"));
- }
- if (assumed_de_vs_compliance)
+ if (get_assumed_de_vs_compliance ())
*ptr = 1;
}
@@ -250,7 +260,20 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
break;
case is_kem:
- result = 0;
+ if (!curvename && key)
+ {
+ curve = openpgp_oid_to_str (key[0]);
+ curvename = openpgp_oid_to_curve (curve, 0);
+ if (!curvename)
+ curvename = curve;
+ }
+
+ result = (curvename
+ && (keylength == 768 || keylength == 1024)
+ && (algo == PUBKEY_ALGO_KYBER)
+ && (!strcmp (curvename, "brainpoolP256r1")
+ || !strcmp (curvename, "brainpoolP384r1")
+ || !strcmp (curvename, "brainpoolP512r1")));
break;
default:
@@ -391,6 +414,31 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
result = 0;
break;
+ case PUBKEY_ALGO_KYBER:
+ if (use == PK_USE_DECRYPTION)
+ result = 1;
+ else if (use == PK_USE_ENCRYPTION)
+ {
+ char *curve = NULL;
+
+ if (!curvename && key)
+ {
+ curve = openpgp_oid_to_str (key[0]);
+ curvename = openpgp_oid_to_curve (curve, 0);
+ if (!curvename)
+ curvename = curve;
+ }
+
+ result = (curvename
+ && (keylength == 768 || keylength == 1024)
+ && (!strcmp (curvename, "brainpoolP256r1")
+ || !strcmp (curvename, "brainpoolP384r1")
+ || !strcmp (curvename, "brainpoolP512r1")));
+
+ xfree (curve);
+ }
+ break;
+
default:
break;
}
@@ -685,7 +733,7 @@ gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance)
case CO_PGP8:
log_assert (!"no status code assigned for this compliance mode");
case CO_DE_VS:
- return assumed_de_vs_compliance > 0 ? "2023" : "23";
+ return get_assumed_de_vs_compliance ()? "2023" : "23";
}
log_assert (!"invalid compliance mode");
}