[git] GnuPG - branch, master, updated. gnupg-2.1.0beta3-297-g2ba818d
by Werner Koch
cvs at cvs.gnupg.org
Fri Jan 31 22:48:32 CET 2014
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".
The branch, master has been updated
via 2ba818de1aa311ba8eb27012d69e93dd16e7d4ed (commit)
from 71540d40414dc8b304b45dc476e5e5650a2db20a (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 2ba818de1aa311ba8eb27012d69e93dd16e7d4ed
Author: Werner Koch <wk at gnupg.org>
Date: Fri Jan 31 22:47:11 2014 +0100
gpg: Add configure options to disable algorithms
* acinclude.m4 (GNUPG_GPG_DISABLE_ALGO): New.
* configure.ac: Add --enable-gpg-* options to disable non MUS
algorithms.
* g10/misc.c (map_cipher_openpgp_to_gcry): Implement these options.
(openpgp_pk_test_algo2): Ditto.
(map_md_openpgp_to_gcry): Ditto.
(openpgp_cipher_test_algo, openpgp_md_test_algo): Simplify.
--
We have a similar feature in GnuPG-1. Although we don't shrink the
size of the gpg binary by disabling algorithms (they are implemented
in Libgcrypt), this feature may still be useful for inerop testing.
diff --git a/acinclude.m4 b/acinclude.m4
index a37e0f5..7c264a4 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -7,12 +7,12 @@ dnl GnuPG is free software; you can redistribute it and/or modify
dnl it under the terms of the GNU General Public License as published by
dnl the Free Software Foundation; either version 3 of the License, or
dnl (at your option) any later version.
-dnl
+dnl
dnl GnuPG is distributed in the hope that it will be useful,
dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
dnl GNU General Public License for more details.
-dnl
+dnl
dnl You should have received a copy of the GNU General Public License
dnl along with this program; if not, see <http://www.gnu.org/licenses/>.
@@ -38,7 +38,7 @@ AC_DEFUN([GNUPG_CHECK_TYPEDEF],
dnl GNUPG_CHECK_GNUMAKE
dnl
AC_DEFUN([GNUPG_CHECK_GNUMAKE],
- [
+ [
if ${MAKE-make} --version 2>/dev/null | grep '^GNU ' >/dev/null 2>&1; then
:
else
@@ -59,7 +59,7 @@ AC_DEFUN([GNUPG_CHECK_FAQPROG],
if faqprog.pl -V 2>/dev/null | grep '^faqprog.pl ' >/dev/null 2>&1; then
working_faqprog=yes
FAQPROG="faqprog.pl"
- else
+ else
working_faqprog=no
FAQPROG=": "
fi
@@ -77,7 +77,7 @@ dnl *** ftp://ftp.gnupg.org/gcrypt/contrib/faqprog.pl )
dnl *** No need to worry about this warning.
dnl ***]])
dnl fi
- ])
+ ])
dnl GNUPG_CHECK_DOCBOOK_TO_TEXI
dnl
@@ -93,7 +93,7 @@ AC_DEFUN([GNUPG_CHECK_DOCBOOK_TO_TEXI],
fi
AC_MSG_RESULT($working_sgmltotexi)
AM_CONDITIONAL(HAVE_DOCBOOK_TO_TEXI, test "$working_sgmltotexi" = "yes" )
- ])
+ ])
@@ -162,7 +162,7 @@ AC_DEFUN([GNUPG_CHECK_ENDIAN],
# Add a --enable-NAME option to configure an set the
# shell variable build_NAME either to "yes" or "no". DEFAULT must
# either be "yes" or "no" and decided on the default value for
-# build_NAME and whether --enable-NAME or --disable-NAME is shown with
+# build_NAME and whether --enable-NAME or --disable-NAME is shown with
# ./configure --help
AC_DEFUN([GNUPG_BUILD_PROGRAM],
[build_$1=$2
@@ -178,7 +178,7 @@ AC_DEFUN([GNUPG_BUILD_PROGRAM],
case "$build_$1" in
no|yes)
;;
- *)
+ *)
AC_MSG_ERROR([only yes or no allowed for feature --enable-$1])
;;
esac
@@ -186,6 +186,23 @@ AC_DEFUN([GNUPG_BUILD_PROGRAM],
+# GNUPG_DISABLE_GPG_ALGO(NAME,DESCRIPTION)
+#
+# Add a --disable-gpg-NAME option and the corresponding ac_define
+# GPG_USE_<NAME>.
+AC_DEFUN([GNUPG_GPG_DISABLE_ALGO],
+ [AC_MSG_CHECKING([whether to enable the $2 for gpg])
+ AC_ARG_ENABLE([gpg-$1], AC_HELP_STRING([--disable-gpg-$1],
+ [disable the $2 algorithm in gpg]),
+ , enableval=yes)
+ AC_MSG_RESULT($enableval)
+ if test x"$enableval" = xyes ; then
+ AC_DEFINE(GPG_USE_[]m4_toupper($1), 1, [Define to support the $2])
+ fi
+ ])
+
+
+
# Check whether mlock is broken (hpux 10.20 raises a SIGBUS if mlock
# is not called from uid 0 (not tested whether uid 0 works)
diff --git a/configure.ac b/configure.ac
index f4b2d38..9476dc4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -212,6 +212,39 @@ AC_ARG_ENABLE(selinux-support,
selinux_support=$enableval, selinux_support=no)
AC_MSG_RESULT($selinux_support)
+
+#
+# Options to disable algorithm
+#
+
+GNUPG_GPG_DISABLE_ALGO([rsa],[RSA public key])
+# Elgamal is a MUST algorithm
+# DSA is a MUST algorithm
+GNUPG_GPG_DISABLE_ALGO([ecdh],[ECDH public key])
+GNUPG_GPG_DISABLE_ALGO([ecdsa],[ECDSA public key])
+GNUPG_GPG_DISABLE_ALGO([eddsa],[EdDSA public key])
+
+GNUPG_GPG_DISABLE_ALGO([idea],[IDEA cipher])
+# 3DES is a MUST algorithm
+GNUPG_GPG_DISABLE_ALGO([cast5],[CAST5 cipher])
+GNUPG_GPG_DISABLE_ALGO([blowfish],[BLOWFISH cipher])
+GNUPG_GPG_DISABLE_ALGO([aes128],[AES128 cipher])
+GNUPG_GPG_DISABLE_ALGO([aes192],[AES192 cipher])
+GNUPG_GPG_DISABLE_ALGO([aes256],[AES256 cipher])
+GNUPG_GPG_DISABLE_ALGO([twofish],[TWOFISH cipher])
+GNUPG_GPG_DISABLE_ALGO([camellia128],[CAMELLIA128 cipher])
+GNUPG_GPG_DISABLE_ALGO([camellia192],[CAMELLIA192 cipher])
+GNUPG_GPG_DISABLE_ALGO([camellia256],[CAMELLIA256 cipher])
+
+GNUPG_GPG_DISABLE_ALGO([md5],[MD5 hash])
+# SHA1 is a MUSt algorithm
+GNUPG_GPG_DISABLE_ALGO([rmd160],[RIPE-MD160 hash])
+GNUPG_GPG_DISABLE_ALGO([sha224],[SHA-224 hash])
+GNUPG_GPG_DISABLE_ALGO([sha256],[SHA-256 hash])
+GNUPG_GPG_DISABLE_ALGO([sha384],[SHA-384 hash])
+GNUPG_GPG_DISABLE_ALGO([sha512],[SHA-512 hash])
+
+
# Allow disabling of zip support.
# This is in general not a good idea because according to rfc4880 OpenPGP
# implementations SHOULD support ZLIB.
diff --git a/g10/misc.c b/g10/misc.c
index 6d3a7b8..ef26a5a 100644
--- a/g10/misc.c
+++ b/g10/misc.c
@@ -348,17 +348,37 @@ map_cipher_openpgp_to_gcry (cipher_algo_t algo)
switch (algo)
{
case CIPHER_ALGO_NONE: return GCRY_CIPHER_NONE;
+#ifdef GPG_USE_IDEA
case CIPHER_ALGO_IDEA: return GCRY_CIPHER_IDEA;
+#endif
case CIPHER_ALGO_3DES: return GCRY_CIPHER_3DES;
+#ifdef GPG_USE_CAST5
case CIPHER_ALGO_CAST5: return GCRY_CIPHER_CAST5;
+#endif
+#ifdef GPG_USE_BLOWFISH
case CIPHER_ALGO_BLOWFISH: return GCRY_CIPHER_BLOWFISH;
+#endif
+#ifdef GPG_USE_AES128
case CIPHER_ALGO_AES: return GCRY_CIPHER_AES;
+#endif
+#ifdef GPG_USE_AES192
case CIPHER_ALGO_AES192: return GCRY_CIPHER_AES192;
+#endif
+#ifdef GPG_USE_AES256
case CIPHER_ALGO_AES256: return GCRY_CIPHER_AES256;
+#endif
+#ifdef GPG_USE_TWOFISH
case CIPHER_ALGO_TWOFISH: return GCRY_CIPHER_TWOFISH;
+#endif
+#ifdef GPG_USE_CAMELLIA128
case CIPHER_ALGO_CAMELLIA128: return GCRY_CIPHER_CAMELLIA128;
+#endif
+#ifdef GPG_USE_CAMELLIA192
case CIPHER_ALGO_CAMELLIA192: return GCRY_CIPHER_CAMELLIA192;
+#endif
+#ifdef GPG_USE_CAMELLIA256
case CIPHER_ALGO_CAMELLIA256: return GCRY_CIPHER_CAMELLIA256;
+#endif
}
return 0;
}
@@ -437,17 +457,6 @@ openpgp_cipher_test_algo (cipher_algo_t algo)
enum gcry_cipher_algos ga;
ga = map_cipher_openpgp_to_gcry (algo);
-
- /* Use this explicit list to disable certain algorithms. */
- switch (algo)
- {
- /* case CIPHER_ALGO_IDEA: */
- /* ga = 0; */
- /* break; */
- default:
- break;
- }
-
if (!ga)
return gpg_error (GPG_ERR_CIPHER_ALGO);
@@ -497,15 +506,23 @@ openpgp_pk_test_algo2 (pubkey_algo_t algo, unsigned int use)
switch (algo)
{
+#ifdef GPG_USE_RSA
case PUBKEY_ALGO_RSA: ga = GCRY_PK_RSA; break;
case PUBKEY_ALGO_RSA_E: ga = GCRY_PK_RSA_E; break;
case PUBKEY_ALGO_RSA_S: ga = GCRY_PK_RSA_S; break;
+#endif
case PUBKEY_ALGO_ELGAMAL_E: ga = GCRY_PK_ELG; break;
case PUBKEY_ALGO_DSA: ga = GCRY_PK_DSA; break;
- case PUBKEY_ALGO_ECDH:
- case PUBKEY_ALGO_ECDSA:
+#ifdef GPG_USE_ECDH
+ case PUBKEY_ALGO_ECDH: ga = GCRY_PK_ECC; break;
+#endif
+#ifdef GPG_USE_ECDSA
+ case PUBKEY_ALGO_ECDSA: ga = GCRY_PK_ECC; break;
+#endif
+#ifdef GPG_USE_EDDSA
case PUBKEY_ALGO_EDDSA: ga = GCRY_PK_ECC; break;
+#endif
case PUBKEY_ALGO_ELGAMAL:
/* Dont't allow type 20 keys unless in rfc2440 mode. */
@@ -587,32 +604,38 @@ map_md_openpgp_to_gcry (digest_algo_t algo)
{
switch (algo)
{
+#ifdef GPG_USE_MD5
case DIGEST_ALGO_MD5: return GCRY_MD_MD5;
+#endif
case DIGEST_ALGO_SHA1: return GCRY_MD_SHA1;
+#ifdef GPG_USE_RMD160
case DIGEST_ALGO_RMD160: return GCRY_MD_RMD160;
+#endif
+#ifdef GPG_USE_SHA224
case DIGEST_ALGO_SHA224: return GCRY_MD_SHA224;
+#endif
+#ifdef GPG_USE_SHA256
case DIGEST_ALGO_SHA256: return GCRY_MD_SHA256;
+#endif
+#ifdef GPG_USE_SHA384
case DIGEST_ALGO_SHA384: return GCRY_MD_SHA384;
+#endif
+#ifdef GPG_USE_512
case DIGEST_ALGO_SHA512: return GCRY_MD_SHA512;
+#endif
}
return 0;
}
/* Return 0 if ALGO is suitable and implemented OpenPGP hash
- algorithm. Note: To only test for a valid OpenPGP hash algorithm,
- it is better to use map_md_openpgp_to_gcry. */
+ algorithm. */
int
openpgp_md_test_algo (digest_algo_t algo)
{
enum gcry_md_algos ga;
ga = map_md_openpgp_to_gcry (algo);
- switch (algo)
- {
- default:
- break;
- }
if (!ga)
return gpg_error (GPG_ERR_DIGEST_ALGO);
-----------------------------------------------------------------------
Summary of changes:
acinclude.m4 | 33 ++++++++++++++++++++++--------
configure.ac | 33 ++++++++++++++++++++++++++++++
g10/misc.c | 63 +++++++++++++++++++++++++++++++++++++++-------------------
3 files changed, 101 insertions(+), 28 deletions(-)
hooks/post-receive
--
The GNU Privacy Guard
http://git.gnupg.org
More information about the Gnupg-commits
mailing list