authorNikos Mavrogiannopoulos <nmav@gnutls.org>2010-09-05 17:34:36 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2010-09-05 17:40:18 +0200
commita33f87422c42e0d44ab080f0305c7ccf430ec4d0 (patch)
tree32edecd5c82cc54b7be66045e681ee5213a9ac19
parent416900e867ce3bc1bd77d576996b618183533293 (diff)
Added flag: NCR_KEY_FLAG_ALLOW_TRANSPARENT_HASH
-rw-r--r--examples/pk.c4
-rw-r--r--ncr-int.h2
-rw-r--r--ncr-sessions.c22
-rw-r--r--ncr.h1
4 files changed, 20 insertions, 9 deletions
diff --git a/examples/pk.c b/examples/pk.c
index f307c6c..c27ab25 100644
--- a/examples/pk.c
+++ b/examples/pk.c
@@ -1440,7 +1440,7 @@ static int test_ncr_rsa(int cfd)
strcpy(kgen.algo, ALG_RSA);
kgen.flags_head.nla_len = NLA_HDRLEN + sizeof(kgen.flags);
kgen.flags_head.nla_type = NCR_ATTR_KEY_FLAGS;
- kgen.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE;
+ kgen.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE|NCR_KEY_FLAG_ALLOW_TRANSPARENT_HASH;
kgen.bits_head.nla_len = NLA_HDRLEN + sizeof(kgen.bits);
kgen.bits_head.nla_type = NCR_ATTR_RSA_MODULUS_BITS;
kgen.bits = 1024;
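Review bot: Both key-generation examples now set NCR_KEY_FLAG_ALLOW_TRANSPARENT_HASH (here in test_ncr_rsa and again in the test_ncr_dsa hunk), so they only exercise the permitted path. Nothing visible in this commit generates a key without the flag and checks that opening a transparent-hash session on it fails with EPERM. A negative case of that kind would pin the new check in _ncr_session_init. Both functions start and end outside their hunks, so such a case may already exist elsewhere in the file.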
@@ -1580,7 +1580,7 @@ static int test_ncr_dsa(int cfd)
strcpy(kgen.algo, ALG_DSA);
kgen.flags_head.nla_len = NLA_HDRLEN + sizeof(kgen.flags);
kgen.flags_head.nla_type = NCR_ATTR_KEY_FLAGS;
- kgen.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE;
+ kgen.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE|NCR_KEY_FLAG_ALLOW_TRANSPARENT_HASH;
kgen.q_bits_head.nla_len = NLA_HDRLEN + sizeof(kgen.q_bits);
kgen.q_bits_head.nla_type = NCR_ATTR_DSA_Q_BITS;
kgen.q_bits = 160;
diff --git a/ncr-int.h b/ncr-int.h
index c413f84..5f4dced 100644
--- a/ncr-int.h
+++ b/ncr-int.h
@@ -21,7 +21,7 @@ struct ncr_out;
// Not all known algorithms - only for quick internal identification. Note
// that more than one struct algo_properties_st may share the same enum value!
enum ncr_algorithm {
- NCR_ALG_NONE__,
+ NCR_ALG_NONE,
NCR_ALG_NULL,
NCR_ALG_3DES_CBC,
diff --git a/ncr-sessions.c b/ncr-sessions.c
index 46266f2..bf7c5fa 100644
--- a/ncr-sessions.c
+++ b/ncr-sessions.c
@@ -365,18 +365,20 @@ static const struct algo_properties_st algo_properties[] = {
{ .algo = NCR_ALG_RSA, KSTR("rsa"), .is_pk = 1,
.can_encrypt=1, .can_sign=1, .key_type = NCR_KEY_TYPE_PUBLIC,
.oids = rsa_oid },
- { .algo = NCR_ALG_RSA, KSTR(NCR_ALG_RSA_TRANSPARENT_HASH), .is_pk = 1,
- .can_encrypt=1, .can_sign=1, .has_transparent_hash = 1,
- .key_type = NCR_KEY_TYPE_PUBLIC, /* FIXME: no OIDs */ },
{ .algo = NCR_ALG_DSA, KSTR("dsa"), .is_pk = 1,
.can_sign=1, .key_type = NCR_KEY_TYPE_PUBLIC,
.oids = dsa_oid },
- { .algo = NCR_ALG_DSA, KSTR(NCR_ALG_DSA_TRANSPARENT_HASH), .is_pk = 1,
- .can_sign=1, .has_transparent_hash = 1,
- .key_type = NCR_KEY_TYPE_PUBLIC, /* FIXME: no OIDs */ },
{ .algo = NCR_ALG_DH, KSTR("dh"), .is_pk = 1,
.can_kx=1, .key_type = NCR_KEY_TYPE_PUBLIC,
.oids = dh_oid },
+
+ { .algo = NCR_ALG_DSA, KSTR(NCR_ALG_DSA_TRANSPARENT_HASH), .is_pk = 1,
+ .can_sign=1, .has_transparent_hash = 1,
+ .key_type = NCR_KEY_TYPE_PUBLIC, .oids = rsa_oid },
+ { .algo = NCR_ALG_RSA, KSTR(NCR_ALG_RSA_TRANSPARENT_HASH), .is_pk = 1,
+ .can_encrypt=1, .can_sign=1, .has_transparent_hash = 1,
+ .key_type = NCR_KEY_TYPE_PUBLIC, .oids = dsa_oid },
+
#undef KSTR
};
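Review bot: The OID tables on the two re-added transparent-hash entries look crossed: the NCR_ALG_DSA entry carries `.oids = rsa_oid` and the NCR_ALG_RSA entry carries `.oids = dsa_oid`. Each entry should reference its own table, i.e. `.oids = dsa_oid` on the DSA entry and `.oids = rsa_oid` on the RSA entry. If any code resolves an algorithm from an OID by walking algo_properties, the crossed pairing could select an entry whose algorithm does not match the key type. That lookup is not visible in this hunk, so the impact should be confirmed against it.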
@@ -726,6 +728,14 @@ static struct session_item_st *_ncr_session_init(struct ncr_lists *lists,
}
if (ns->algorithm->has_transparent_hash) {
+ /* transparent hash has to be allowed by the key
+ */
+ if (!(ns->key->flags & NCR_KEY_FLAG_ALLOW_TRANSPARENT_HASH)) {
+ err();
+ ret = -EPERM;
+ goto fail;
+ }
+
ns->transparent_hash = kzalloc(ns->hash.digestsize, GFP_KERNEL);
if (ns->transparent_hash == NULL) {
err();
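Review bot: The new permission check reads `ns->key->flags`, and no NULL test on `ns->key` is visible in this hunk. If a session for a transparent-hash algorithm can reach this point before a key has been attached, the check would dereference a NULL pointer in kernel context. Confirm the earlier part of _ncr_session_init (outside the hunk) guarantees it, or fold the test in: `if (ns->key == NULL || !(ns->key->flags & NCR_KEY_FLAG_ALLOW_TRANSPARENT_HASH)) {`. The comment could also state why the key must opt in, rather than only that it must.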
diff --git a/ncr.h b/ncr.h
index 734382b..e4500b9 100644
--- a/ncr.h
+++ b/ncr.h
@@ -107,6 +107,7 @@ typedef __s32 ncr_key_t;
#define NCR_KEY_FLAG_WRAPPING (1<<6)
#define NCR_KEY_FLAG_UNWRAPPING (1<<7)
#define NCR_KEY_FLAG_HASHABLE (1<<8)
+#define NCR_KEY_FLAG_ALLOW_TRANSPARENT_HASH (1<<9)
struct ncr_key_generate {
__u32 input_size, output_size;
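Review bot: NCR_KEY_FLAG_ALLOW_TRANSPARENT_HASH is added to this header with no comment saying what it permits, although it gates an operation that is refused with EPERM in _ncr_session_init. A one-line comment on the define would help callers, for example `/* key may be used with the *_TRANSPARENT_HASH algorithms */`. Since the flag is supplied by the caller at key generation (as examples/pk.c does), it is also worth checking that every path that accepts or validates key flags (import, unwrap, derive) knows the new bit; those paths are not part of this diff.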