[git] GnuPG - branch, ECC-INTEGRATION-2-1, updated. gnupg-2.1.0beta1-40-gc3db770

by Werner Koch cvs at cvs.gnupg.org
Fri Jan 21 16:28:23 CET 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, ECC-INTEGRATION-2-1 has been updated
       via  c3db7705c049e31e678ff87e230b8160aa0027f1 (commit)
       via  27929981fc23fabecf6af9fa1361361b821bb2fd (commit)
      from  90b0ff23b7e51332592668e4034967c1aac1c593 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c3db7705c049e31e678ff87e230b8160aa0027f1
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Jan 21 15:58:07 2011 +0100

    Truncate the DSA hash; fixes regression.
    
    Removed left over debug code.

diff --git a/g10/ChangeLog b/g10/ChangeLog
index 75415f4..8e79587 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,5 +1,7 @@
 2011-01-21  Werner Koch  <wk at g10code.com>
 
+	* seskey.c (encode_md_value): Truncate the DSA hash again.
+
 	* misc.c (openpgp_pk_algo_name): Always use the gcrypt function.
 
 2010-12-09  Werner Koch  <wk at g10code.com>
diff --git a/g10/seskey.c b/g10/seskey.c
index fa6765d..2d7918d 100644
--- a/g10/seskey.c
+++ b/g10/seskey.c
@@ -319,11 +319,13 @@ encode_md_value (PKT_public_key *pk, gcry_md_hd_t md, int hash_algo)
 	  return NULL;
 	}
 
-      /* Note that in case of ECDSA 521 hash is always smaller than
-         the key size.  */
+      /* By passing QBYTES as length to mpi_scan, we do the truncation
+         of the hash.
+
+         Note that in case of ECDSA 521 the hash is always smaller
+         than the key size.  */
       if (gcry_mpi_scan (&frame, GCRYMPI_FMT_USG,
-                         gcry_md_read (md, hash_algo),
-                         gcry_md_get_algo_dlen (hash_algo), &qbytes))
+                         gcry_md_read (md, hash_algo), qbytes, &qbytes))
         BUG();
     }
   else
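Review bot: Passing `qbytes` as the buffer length to `gcry_mpi_scan` truncates a long digest, but it also makes the scan read `qbytes` bytes from the `gcry_md_read` buffer when the digest is shorter, which the new comment itself says is the case for ECDSA 521. If `qbytes` is derived from the key size (it is computed outside this hunk, so this is inferred), SHA-512 supplies 64 bytes while 66 would be read, an over-read of the digest buffer. Bounding the length by the digest size keeps the truncation and avoids that: `size_t n = gcry_md_get_algo_dlen (hash_algo); if (n > qbytes) n = qbytes;`, then pass `n` in place of the first `qbytes`. encode_md_value starts and ends outside the hunk.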
diff --git a/g10/sign.c b/g10/sign.c
index cbb3c62..30dc66d 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -298,9 +298,6 @@ do_sign (PKT_public_key *pksk, PKT_signature *sig,
     {
       PKT_public_key *pk = xmalloc_clear (sizeof *pk);
 
-      log_debug ("checking created signature algo=%d\n", mdalgo);
-      log_printhex ("md:", dp, gcry_md_get_algo_dlen (mdalgo));
-
       if (get_pubkey (pk, sig->keyid ))
         err = gpg_error (GPG_ERR_NO_PUBKEY);
       else 

commit 27929981fc23fabecf6af9fa1361361b821bb2fd
Author: Werner Koch <wk at gnupg.org>
Date:   Fri Jan 21 15:22:41 2011 +0100

    Make most of the selftests work.
    
    Note that there is still a problem with tests/openpgp/sigs.test while
    using the option --digest-algo SHA256.

diff --git a/agent/ChangeLog b/agent/ChangeLog
index 6992827..4b0712c 100644
--- a/agent/ChangeLog
+++ b/agent/ChangeLog
@@ -1,5 +1,7 @@
 2011-01-21  Werner Koch  <wk at g10code.com>
 
+	* pksign.c (do_encode_dsa): Compare MDLEN to bytes.
+
 	* cvt-openpgp.c (GCRY_PK_ECDH) [!HAVE_GCRY_PK_ECDH]: New.
 
 2010-12-02  Werner Koch  <wk at g10code.com>
diff --git a/agent/pksign.c b/agent/pksign.c
index a6dbf25..0414bc3 100644
--- a/agent/pksign.c
+++ b/agent/pksign.c
@@ -113,21 +113,21 @@ get_dsa_qbits (gcry_sexp_t key)
 
 /* Encode a message digest for use with an DSA algorithm. */
 static gpg_error_t
-do_encode_dsa (const byte * md, size_t mdlen, int dsaalgo, gcry_sexp_t pkey,
+do_encode_dsa (const byte *md, size_t mdlen, int dsaalgo, gcry_sexp_t pkey,
                gcry_sexp_t *r_hash)
 {
   gpg_error_t err;
   gcry_sexp_t hash;
   unsigned int qbits;
-  int gcry_pkalgo;
+  int pkalgo;
 
   *r_hash = NULL;
 
-  gcry_pkalgo = map_pk_openpgp_to_gcry( dsaalgo );
+  pkalgo = map_pk_openpgp_to_gcry (dsaalgo);
 
-  if (gcry_pkalgo == GCRY_PK_ECDSA)
+  if (pkalgo == GCRY_PK_ECDSA)
     qbits = gcry_pk_get_nbits (pkey);
-  else if (gcry_pkalgo == GCRY_PK_DSA)
+  else if (pkalgo == GCRY_PK_DSA)
     qbits = get_dsa_qbits (pkey);
   else
     return gpg_error (GPG_ERR_WRONG_PUBKEY_ALGO);
@@ -146,25 +146,28 @@ do_encode_dsa (const byte * md, size_t mdlen, int dsaalgo, gcry_sexp_t pkey,
   if (qbits < 160)
     {
       log_error (_("%s key uses an unsafe (%u bit) hash\n"),
-                 gcry_pk_algo_name (gcry_pkalgo), qbits);
+                 gcry_pk_algo_name (pkalgo), qbits);
       return gpg_error (GPG_ERR_INV_LENGTH);
     }
 
   /* Check if we're too short.  Too long is safe as we'll
-     automatically left-truncate.  */
-
-  /* This check would require the use of SHA512 with ECDSA 512. I think this is overkill to fail in this case.
-   * Therefore, relax the check, but only for ECDSA keys. We may need to adjust it later for general case.
-   * ( Note that the check is really a bug for ECDSA 521 as the only hash that matches it is SHA 512, but 512 < 521 ).
+   * automatically left-truncate.
+   *
+   * This check would require the use of SHA512 with ECDSA 512. I
+   * think this is overkill to fail in this case.  Therefore, relax
+   * the check, but only for ECDSA keys.  We may need to adjust it
+   * later for general case.  (Note that the check is really a bug for
+   * ECDSA 521 as the only hash that matches it is SHA 512, but 512 <
+   * 521 ).
    */
-  if( mdlen < ((gcry_pkalgo==GCRY_PK_ECDSA && qbits>521) ? 512 : qbits) )
+  if (mdlen < ((pkalgo==GCRY_PK_ECDSA && qbits > 521) ? 512 : qbits)/8)
     {
       log_error (_("a %zu bit hash is not valid for a %u bit %s key\n"),
-                 mdlen,
+                 mdlen*8,
                  gcry_pk_get_nbits (pkey), 
-                 gcry_pk_algo_name (gcry_pkalgo));
+                 gcry_pk_algo_name (pkalgo));
       /* FIXME: we need to check the requirements for ECDSA.  */
-      if (mdlen < 20 || gcry_pkalgo == GCRY_PK_DSA)
+      if (mdlen < 20 || pkalgo == GCRY_PK_DSA)
         return gpg_error (GPG_ERR_INV_LENGTH);
     }
 
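Review bot: The relaxation in `if (mdlen < ((pkalgo==GCRY_PK_ECDSA && qbits > 521) ? 512 : qbits)/8)` does not appear to cover the 521-bit case its comment describes. With `qbits` taken from `gcry_pk_get_nbits (pkey)` in the first hunk, a 521-bit key makes `qbits > 521` false and the threshold 521/8 = 65 bytes, so a 64-byte SHA-512 digest still lands in the error branch (unless the lines between the two hunks, not visible here, round `qbits` up). Comparing against the hash size instead, `(pkalgo == GCRY_PK_ECDSA && qbits > 512) ? 512 : qbits`, would match the comment. Separately, for ECDSA the branch calls `log_error` and then continues whenever `mdlen >= 20`, so a digest as short as 160 bits is accepted for any curve size while the log says the hash is not valid; until the FIXME is resolved, either return `GPG_ERR_INV_LENGTH` there or log at a non-error level and state why the short digest is accepted. do_encode_dsa continues past the end of the hunk.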
diff --git a/g10/ChangeLog b/g10/ChangeLog
index 0c8cbd4..75415f4 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,7 @@
+2011-01-21  Werner Koch  <wk at g10code.com>
+
+	* misc.c (openpgp_pk_algo_name): Always use the gcrypt function.
+
 2010-12-09  Werner Koch  <wk at g10code.com>
 
 	* tdbio.c (tdbio_set_dbname) [W32CE]: Take care of missing errno.
diff --git a/g10/misc.c b/g10/misc.c
index 6f77119..bdd797c 100644
--- a/g10/misc.c
+++ b/g10/misc.c
@@ -503,25 +503,7 @@ openpgp_pk_algo_usage ( int algo )
 const char *
 openpgp_pk_algo_name (int algo) 
 {
-  /* We use fixed strings to have pretty names instead of those from
-     libgcrypt.  */
-  switch (algo)
-    {    
-    case PUBKEY_ALGO_RSA:
-    case PUBKEY_ALGO_RSA_E:
-    case PUBKEY_ALGO_RSA_S: return "rsa";
-
-    case PUBKEY_ALGO_ELGAMAL:
-    case PUBKEY_ALGO_ELGAMAL_E: return "elg";
-
-    case PUBKEY_ALGO_DSA:  return "dsa";
-
-    case PUBKEY_ALGO_ECDSA:return "ecdsa";
-
-    case PUBKEY_ALGO_ECDH: return "ecdh";
-
-    default: gcry_pk_algo_name (map_pk_openpgp_to_gcry (algo));
-    }
+  return gcry_pk_algo_name (map_pk_openpgp_to_gcry (algo));
 }
 
 
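Review bot: `openpgp_pk_algo_name` now hands back whatever `gcry_pk_algo_name` returns, so the spelling of algorithm names in output is defined by the linked libgcrypt rather than by GnuPG, and the function carries no comment saying so. Callers or test fixtures that match the old lowercase strings ("rsa", "elg", "dsa") would need checking; none are visible in this hunk. I would add a comment above the function along the lines of `/* Return the libgcrypt name for the OpenPGP algorithm ALGO; the string is owned by libgcrypt and is "?" for unknown algorithms.  */`.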
diff --git a/g10/sign.c b/g10/sign.c
index 30dc66d..cbb3c62 100644
--- a/g10/sign.c
+++ b/g10/sign.c
@@ -298,6 +298,9 @@ do_sign (PKT_public_key *pksk, PKT_signature *sig,
     {
       PKT_public_key *pk = xmalloc_clear (sizeof *pk);
 
+      log_debug ("checking created signature algo=%d\n", mdalgo);
+      log_printhex ("md:", dp, gcry_md_get_algo_dlen (mdalgo));
+
       if (get_pubkey (pk, sig->keyid ))
         err = gpg_error (GPG_ERR_NO_PUBKEY);
       else 
diff --git a/include/ChangeLog b/include/ChangeLog
index 7c1b372..8dd88ff 100644
--- a/include/ChangeLog
+++ b/include/ChangeLog
@@ -1,6 +1,6 @@
 2011-01-21  Werner Koch  <wk at g10code.com>
 
-	* cipher.h (GCRY_PK_USAGE_CERT): Remove comaptibility macros
+	* cipher.h (GCRY_PK_USAGE_CERT): Remove compatibility macros
 	because we now require libgcrypt 1.4.6.
 	(GCRY_PK_ECDH): Add replacement.
 

-----------------------------------------------------------------------

Summary of changes:
 agent/ChangeLog   |    2 ++
 agent/pksign.c    |   33 ++++++++++++++++++---------------
 g10/ChangeLog     |    6 ++++++
 g10/misc.c        |   20 +-------------------
 g10/seskey.c      |   10 ++++++----
 include/ChangeLog |    2 +-
 6 files changed, 34 insertions(+), 39 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org
