Patches gpg-agent + scute for ssl/tls auth using opengpg card with 2048 rsa key

Oliver Winker oliverml1 at oli1170.net
Sun Aug 31 11:56:01 CEST 2014 

Hello,

The two patches below against gpg-agent (gnupg2-2.0.26)  [1] and scute-1.4.0 
[2] allow ssl/tls auth using an opengpg card with 2048 rsa key.

The patch against gpg-agent basically allow a hash length of 51 bytes for 
signing. And the patch against scute increases a string buffer to be able to 
hold 51 bytes hash string.

The agent command concerned are basically:
---
SETHASH --hash=tls-md5sha1 [102 chars =^ 51 bytes here]
PKSIGN
---

The patches are functional for me, but I can imagine not 100% perfect for a 
maintainer (string buffer to big, hash-length check not optimally placed). But 
I prefer to leave the tuning of the details to the specialists ;).

Best Regards, Oliver


[1]: Patch against gpg-agent (gnupg2-2.0.26) 
---
Author: Oliver Winker <oliver at oli1170.net>
Date:   Sat Aug 30 21:09:29 2014 +0200

    agent/command: Allow hash length 51 for SSL auth with OpenGPG card and 
2048 bit key

diff --git a/agent/command.c b/agent/command.c
index 2405c54..3849e2c 100644
--- a/agent/command.c
+++ b/agent/command.c
@@ -652,7 +652,7 @@ cmd_sethash (assuan_context_t ctx, char *line)
   if (algo == MD_USER_TLS_MD5SHA1 && n == 36)
     ;
   else if (n != 16 && n != 20 && n != 24
-           && n != 28 && n != 32 && n != 48 && n != 64)
+           && n != 28 && n != 32 && n != 48 && n != 64 && n != 51)
     return set_error (GPG_ERR_ASS_PARAMETER, "unsupported length of hash");
 
   if (n > MAX_DIGEST_LEN)
---

[2] Patch against scute-1.4.0:
---
Author: Oliver Winker <oliver at oli1170.net>
Date:   Sat Aug 30 21:30:11 2014 +0200

    agent: Increase MAX_DATA_LEN buffer length to hold hash for SSL auth using 
OpenGPG card and 2048 bit key

diff --git a/src/agent.c b/src/agent.c
index 9265ca2..a1f1d99 100644
--- a/src/agent.c
+++ b/src/agent.c
@@ -996,7 +996,7 @@ scute_agent_sign (char *grip, unsigned char *data, int 
len,
 {
   char cmd[150];
   gpg_error_t err;
-#define MAX_DATA_LEN 36
+#define MAX_DATA_LEN 128
   unsigned char pretty_data[2 * MAX_DATA_LEN + 1];
   int i;
   struct signature sig;
---

More information about the Gnupg-users mailing list