add config_cipher_suite()

src/cryptotech.c

@@ -58,6 +58,7 @@ PEP_STATUS init_cryptotech(PEP_SESSION session, bool in_first)
         cryptotech[PEP_crypt_OpenPGP].key_created = pgp_key_created;
         cryptotech[PEP_crypt_OpenPGP].contains_priv_key = pgp_contains_priv_key;
         cryptotech[PEP_crypt_OpenPGP].find_private_keys = pgp_find_private_keys;
+        cryptotech[PEP_crypt_OpenPGP].config_cipher_suite = pgp_config_cipher_suite;
 #ifdef PGP_BINARY_PATH
         cryptotech[PEP_crypt_OpenPGP].binary_path = PGP_BINARY_PATH;
 #endif

src/cryptotech.h

@@ -95,6 +95,9 @@ typedef PEP_STATUS (*find_private_keys_t)(
     PEP_SESSION session, const char *pattern, stringlist_t **keylist
 );
 
+typedef PEP_STATUS (*config_cipher_suite_t)(PEP_SESSION session,
+        PEP_CYPHER_SUITE suite);
+
 typedef struct _PEP_cryptotech_t {
     uint8_t id;
     // the following are default values; comm_type may vary with key length or b0rken crypto
@@ -121,6 +124,7 @@ typedef struct _PEP_cryptotech_t {
     binary_path_t binary_path;
     contains_priv_key_t contains_priv_key;
     find_private_keys_t find_private_keys;
+    config_cipher_suite_t config_cipher_suite;
 } PEP_cryptotech_t;
 
 extern PEP_cryptotech_t cryptotech[PEP_crypt__count];
@@ -129,3 +133,4 @@ typedef uint64_t cryptotech_mask;
 
 PEP_STATUS init_cryptotech(PEP_SESSION session, bool in_first);
 void release_cryptotech(PEP_SESSION session, bool out_last);
+

src/pEpEngine.c

@@ -4399,6 +4399,17 @@ DYNAMIC_API PEP_STATUS key_revoked(
             revoked);
 }
 
+DYNAMIC_API PEP_STATUS config_cipher_suite(PEP_SESSION session,
+        PEP_CYPHER_SUITE suite)
+{
+    assert(session);
+    if (!session)
+        return PEP_ILLEGAL_VALUE;
+
+    return session->cryptotech[PEP_crypt_OpenPGP].config_cipher_suite(session,
+            suite);
+}
+
 static void _clean_log_value(char *text)
 {
     if (text) {

src/pEpEngine.h

@@ -118,6 +118,7 @@ typedef enum {
     PEP_COMMIT_FAILED                               = 0xff01,
     PEP_MESSAGE_CONSUME                             = 0xff02,
     PEP_MESSAGE_IGNORE                              = 0xff03,
+    PEP_CANNOT_CONFIG                               = 0xff04,
 
     PEP_RECORD_NOT_FOUND                            = -6,
     PEP_CANNOT_CREATE_TEMP_FILE                     = -5,
@@ -278,6 +279,35 @@ DYNAMIC_API void config_use_only_own_private_keys(PEP_SESSION session, bool enab
 DYNAMIC_API void config_service_log(PEP_SESSION session, bool enable);
 
 
+typedef enum {
+    PEP_CIPHER_SUITE_DEFAULT = 0,
+    PEP_CIPHER_SUITE_CV25519,
+    PEP_CIPHER_SUITE_RSA3K,
+    PEP_CIPHER_SUITE_P256,
+    PEP_CIPHER_SUITE_P384,
+    PEP_CIPHER_SUITE_P521,
+    PEP_CIPHER_SUITE_RSA2K,
+    PEP_CIPHER_SUITE_RSA4K,
+    PEP_CIPHER_SUITE_RSA8K
+} PEP_CYPHER_SUITE;
+
+// config_cipher_suite() - cipher suite being used when encrypting
+//
+//  parameters:
+//      session (in)            session handle
+//      cipher_suite (in)       cipher suite to use
+//
+//  return value:
+//      PEP_STATUS_OK           cipher suite configured
+//      PEP_CANNOT_CONFIG       configuration failed; falling back to default
+//
+//  caveat: the default ciphersuite for a crypt tech implementation is
+//  implementation defined
+
+DYNAMIC_API PEP_STATUS config_cipher_suite(PEP_SESSION session,
+        PEP_CYPHER_SUITE suite);
+
+
 // decrypt_and_verify() - decrypt and/or verify a message
 //
 //    parameters:

src/pEp_internal.h

@@ -148,6 +148,8 @@ struct _pEpSession {
 #endif
 
     PEP_cryptotech_t *cryptotech;
+    PEP_CYPHER_SUITE cipher_suite;
+
     PEP_transport_t *transports;
 
     sqlite3 *db;

src/pgp_gpg.c

@@ -3116,3 +3116,17 @@ PEP_STATUS pgp_contains_priv_key(PEP_SESSION session, const char *fpr,
     }
     return status;
 }
+
+PEP_STATUS pgp_config_cipher_suite(PEP_SESSION session,
+        PEP_CYPHER_SUITE suite)
+{
+    // functionaliy unsupported; use gpg.conf
+
+    switch (suite) {
+        case PEP_CIPHER_SUITE_DEFAULT:
+            return PEP_STATUS_OK;
+        default:
+            return PEP_CANNOT_CONFIG;
+    }
+}
+

src/pgp_gpg.h

@@ -28,7 +28,7 @@ PEP_STATUS pgp_init(PEP_SESSION session, bool in_first);
 void pgp_release(PEP_SESSION session, bool out_last);
 
 
-// pgp_decrypt_and_verify() - decrypt and verify cyphertext
+// pgp_decrypt_and_verify() - decrypt and verify ciphertext
 //
 //  parameters:
 //      session (in)        session handle
@@ -37,8 +37,8 @@ void pgp_release(PEP_SESSION session, bool out_last);
 //      dsigtext (in)       pointer to bytes with detached signature
 //                          or NULL if no detached signature
 //      dsigsize (in)       size of detached signature in bytes
-//      ptext (out)         bytes with cyphertext
-//      psize (out)         size of cyphertext in bytes
+//      ptext (out)         bytes with ciphertext
+//      psize (out)         size of ciphertext in bytes
 //      keylist (out)       list of keys being used; first is the key being
 //                          used for signing
 //	filename (out)	    PGP filename, when rendered (Optional, only necessary for some PGP implementations (e.g. Symantec),
@@ -299,4 +299,7 @@ PEP_STATUS pgp_replace_only_uid(
         const char* email
     );
 
+PEP_STATUS pgp_config_cipher_suite(PEP_SESSION session,
+        PEP_CYPHER_SUITE suite);
+
 #define PGP_BINARY_PATH pgp_binary

src/pgp_sequoia.c

@@ -2574,3 +2574,29 @@ PEP_STATUS pgp_contains_priv_key(PEP_SESSION session, const char *fpr,
       fpr, *has_private ? "priv" : "pub", pEp_status_to_string(status));
     return status;
 }
+
+DYNAMIC_API PEP_STATUS pgp_config_cipher_suite(PEP_SESSION session,
+        PEP_CYPHER_SUITE suite)
+{
+    switch (suite) {
+        // supported cipher suits
+        case PEP_CIPHER_SUITE_RSA3K:
+        case PEP_CIPHER_SUITE_CV25519:
+        case PEP_CIPHER_SUITE_P256:
+        case PEP_CIPHER_SUITE_P384:
+        case PEP_CIPHER_SUITE_P521:
+        case PEP_CIPHER_SUITE_RSA2K:
+            session->cipher_suite = suite;
+            return PEP_STATUS_OK;
+
+        case PEP_CIPHER_SUITE_DEFAULT:
+            session->cipher_suite = PEP_CIPHER_SUITE_RSA3K;
+            return PEP_STATUS_OK;
+
+        // unsupported cipher suits
+        default:
+            session->cipher_suite = PEP_CIPHER_SUITE_RSA3K;
+            return PEP_CANNOT_CONFIG;
+    }
+}
+

src/pgp_sequoia.h

@@ -112,4 +112,7 @@ PEP_STATUS pgp_find_private_keys(
 
 PEP_STATUS pgp_binary(const char **path);
 
+PEP_STATUS pgp_config_cipher_suite(PEP_SESSION session,
+        PEP_CYPHER_SUITE suite);
+
 #define PGP_BINARY_PATH pgp_binary