1268
1267
/****************
1269
1268
* Return -1 if we could not find an algorithm.
1272
select_algo_from_prefs(PK_LIST pk_list, int preftype, int request,
1273
const union pref_hint *hint)
1271
select_algo_from_prefs(PK_LIST pk_list, int preftype,
1272
int request, const union pref_hint *hint)
1277
const prefitem_t *prefs;
1285
memset( bits, ~0, 8 * sizeof *bits );
1286
for( pkr = pk_list; pkr; pkr = pkr->next ) {
1289
memset( mask, 0, 8 * sizeof *mask );
1290
if( preftype == PREFTYPE_SYM ) {
1292
pkr->pk->version < 4 &&
1293
pkr->pk->selfsigversion < 4 )
1294
mask[0] |= (1<<1); /* IDEA is implicitly there for v3 keys
1295
with v3 selfsigs (rfc2440:12.1) if
1296
--pgp2 mode is on. This doesn't
1297
mean it's actually available, of
1276
const prefitem_t *prefs;
1278
unsigned int best=-1;
1284
memset(bits,0xFF,sizeof(bits));
1285
memset(scores,0,sizeof(scores));
1287
for( pkr = pk_list; pkr; pkr = pkr->next )
1290
int rank=1,implicit=-1;
1292
memset(mask,0,sizeof(mask));
1297
/* IDEA is implicitly there for v3 keys with v3 selfsigs if
1298
--pgp2 mode is on. This was a 2440 thing that was
1299
dropped from 4880 but is still relevant to GPG's 1991
1300
support. All this doesn't mean IDEA is actually
1301
available, of course. */
1302
if(PGP2 && pkr->pk->version<4 && pkr->pk->selfsigversion<4)
1303
implicit=CIPHER_ALGO_IDEA;
1300
mask[0] |= (1<<2); /* 3DES is implicitly there for everyone else */
1302
else if( preftype == PREFTYPE_HASH ) {
1305
implicit=CIPHER_ALGO_3DES;
1303
1310
/* While I am including this code for completeness, note
1304
1311
that currently --pgp2 mode locks the hash at MD5, so this
1305
function will never even be called. Even if the hash
1306
wasn't locked at MD5, we don't support sign+encrypt in
1307
--pgp2 mode, and that's the only time PREFTYPE_HASH is
1308
used anyway. -dms */
1310
pkr->pk->version < 4 &&
1311
pkr->pk->selfsigversion < 4 )
1312
mask[0] |= (1<<1); /* MD5 is there for v3 keys with v3
1313
selfsigs when --pgp2 is on. */
1312
code will never even be called. Even if the hash wasn't
1313
locked at MD5, we don't support sign+encrypt in --pgp2
1314
mode, and that's the only time PREFTYPE_HASH is used
1317
/* MD5 is there for v3 keys with v3 selfsigs when --pgp2 is
1319
if(PGP2 && pkr->pk->version<4 && pkr->pk->selfsigversion<4)
1320
implicit=DIGEST_ALGO_MD5;
1315
mask[0] |= (1<<2); /* SHA1 is there for everyone else */
1317
else if( preftype == PREFTYPE_ZIP )
1318
mask[0] |= (1<<0); /* Uncompressed is implicit */
1320
if (pkr->pk->user_id) /* selected by user ID */
1321
prefs = pkr->pk->user_id->prefs;
1323
prefs = pkr->pk->prefs;
1327
for (i=0; prefs[i].type; i++ ) {
1328
if( prefs[i].type == preftype ) {
1329
mask[prefs[i].value/32] |= 1 << (prefs[i].value%32);
1335
if( (!prefs || !any) && preftype == PREFTYPE_ZIP ) {
1336
mask[0] |= 3; /* asume no_compression and old pgp */
1341
log_debug("pref mask=%08lX%08lX%08lX%08lX%08lX%08lX%08lX%08lX (%s)\n",
1342
(ulong)mask[7], (ulong)mask[6], (ulong)mask[5], (ulong)mask[4],
1343
(ulong)mask[3], (ulong)mask[2], (ulong)mask[1], (ulong)mask[0],
1344
keystr_from_pk (pkr->pk));
1346
for(i=0; i < 8; i++ )
1349
log_debug("pref bits=%08lX%08lX%08lX%08lX%08lX%08lX%08lX%08lX\n",
1350
(ulong)bits[7], (ulong)bits[6], (ulong)bits[5], (ulong)bits[4],
1351
(ulong)bits[3], (ulong)bits[2], (ulong)bits[1], (ulong)bits[0]);
1354
/* usable algorithms are now in bits
1355
* We now use the last key from pk_list to select
1356
* the algorithm we want to use. there are no
1357
* preferences for the last key, we select the one
1358
* corresponding to first set bit.
1363
/* Can we use the requested algorithm? */
1364
if(request>-1 && (bits[request/32] & (1<<(request%32))) &&
1365
algo_available(preftype,request,hint))
1368
/* If we have personal prefs set, use them instead of the last key */
1369
if(preftype==PREFTYPE_SYM && opt.personal_cipher_prefs)
1370
prefs=opt.personal_cipher_prefs;
1371
else if(preftype==PREFTYPE_HASH && opt.personal_digest_prefs)
1372
prefs=opt.personal_digest_prefs;
1373
else if(preftype==PREFTYPE_ZIP && opt.personal_compress_prefs)
1374
prefs=opt.personal_compress_prefs;
1377
for(j=0; prefs[j].type; j++ ) {
1378
if( prefs[j].type == preftype ) {
1379
if( (bits[prefs[j].value/32] & (1<<(prefs[j].value%32))) ) {
1380
if( algo_available( preftype, prefs[j].value, hint ) ) {
1389
if( !prefs || !any ) {
1390
for(j=0; j < 256; j++ )
1391
if( (bits[j/32] & (1<<(j%32))) ) {
1392
if( algo_available( preftype, j, hint ) ) {
1400
log_debug("prefs of type %d: selected %d\n", preftype, i );
1402
if( compr_hack && !i ) {
1403
/* selected no compression, but we should check whether
1404
* algorithm 1 is also available (the ordering is not relevant
1406
if( bits[0] & (1<<1) )
1407
i = 1; /* yep; we can use compression algo 1 */
1410
/* "If you are building an authentication system, the recipient
1411
may specify a preferred signing algorithm. However, the signer
1412
would be foolish to use a weak algorithm simply because the
1413
recipient requests it." RFC2440:13. If we settle on MD5, and
1414
SHA1 is also available, use SHA1 instead. Of course, if the
1415
user intentionally chose MD5 (by putting it in their personal
1416
prefs), then we should do what they say. */
1418
if(preftype==PREFTYPE_HASH &&
1419
i==DIGEST_ALGO_MD5 && (bits[0] & (1<<DIGEST_ALGO_SHA1)))
1423
if(opt.personal_digest_prefs)
1424
for(j=0; prefs[j].type; j++ )
1425
if(opt.personal_digest_prefs[j].type==PREFTYPE_HASH &&
1426
opt.personal_digest_prefs[j].value==DIGEST_ALGO_MD5)
1322
implicit=DIGEST_ALGO_SHA1;
1327
/* Uncompressed is always an option. */
1328
implicit=COMPRESS_ALGO_NONE;
1331
if (pkr->pk->user_id) /* selected by user ID */
1332
prefs = pkr->pk->user_id->prefs;
1334
prefs = pkr->pk->prefs;
1338
for (i=0; prefs[i].type; i++ )
1340
if( prefs[i].type == preftype )
1342
scores[prefs[i].value]+=rank;
1343
mask[prefs[i].value/32] |= 1<<(prefs[i].value%32);
1347
/* We saw the implicit algorithm, so we don't need
1348
tack it on the end ourselves. */
1349
if(implicit==prefs[i].value)
1355
if(rank==1 && preftype==PREFTYPE_ZIP)
1357
/* If the compression preferences are not present, they are
1358
assumed to be ZIP, Uncompressed (RFC4880:13.3.1) */
1359
scores[1]=1; /* ZIP is first choice */
1360
scores[0]=2; /* Uncompressed is second choice */
1364
/* If the key didn't have the implicit algorithm listed
1365
explicitly, add it here at the tail of the list. */
1368
scores[implicit]+=rank;
1369
mask[implicit/32] |= 1<<(implicit%32);
1376
/* We've now scored all of the algorithms, and the usable ones have
1377
bits set. Let's pick the winner. */
1379
/* The caller passed us a request. Can we use it? */
1380
if(request>-1 && (bits[request/32] & (1<<(request%32))) &&
1381
algo_available(preftype,request,hint))
1386
/* If we have personal prefs set, use them. */
1388
if(preftype==PREFTYPE_SYM && opt.personal_cipher_prefs)
1389
prefs=opt.personal_cipher_prefs;
1390
else if(preftype==PREFTYPE_HASH && opt.personal_digest_prefs)
1391
prefs=opt.personal_digest_prefs;
1392
else if(preftype==PREFTYPE_ZIP && opt.personal_compress_prefs)
1393
prefs=opt.personal_compress_prefs;
1396
for(i=0; prefs[i].type; i++ )
1398
if(bits[prefs[i].value/32] & (1<<(prefs[i].value%32))
1399
&& algo_available( preftype, prefs[i].value, hint))
1401
result = prefs[i].value;
1409
/* At this point, we have not selected an algorithm due to a
1410
special request or via personal prefs. Pick the highest
1411
ranked algorithm (i.e. the one with the lowest score). */
1415
/* Note the '<' here. This means in case of a tie, we will
1416
favor the lower algorithm number. We have a choice
1417
between the lower number (probably an older algorithm
1418
with more time in use), or the higher number (probably a
1419
newer algorithm with less time in use). Older is
1420
probably safer here, even though the newer algorithms
1421
tend to be "stronger". */
1422
if(scores[i] && scores[i]<best
1423
&& (bits[i/32] & (1<<(i%32)))
1424
&& algo_available(preftype,i,hint))
1431
/* "If you are building an authentication system, the recipient
1432
may specify a preferred signing algorithm. However, the
1433
signer would be foolish to use a weak algorithm simply
1434
because the recipient requests it." (RFC4880:14). If we
1435
settle on MD5, and SHA1 is also available, use SHA1 instead.
1436
Note that if the user intentionally chose MD5 by putting it
1437
in their personal prefs, then we do what the user said (as we
1438
never reach this code). */
1439
if(preftype==PREFTYPE_HASH && result==DIGEST_ALGO_MD5
1440
&& (bits[0] & (1<<DIGEST_ALGO_SHA1)))
1441
result=DIGEST_ALGO_SHA1;