gpg: Report compliance with CO_DE_VS.

* common/compliance.c (gnupg_pk_is_compliant): Add DSA with certain parameters. (gnupg_cipher_is_compliant): New function. (gnupg_digest_is_compliant): Likewise. * common/compliance.h (gnupg_cipher_is_compliant): New prototype. (gnupg_digest_is_compliant): Likewise. * common/status.h (STATUS_DECRYPTION_COMPLIANCE_MODE): New status. (STATUS_VERIFICATION_COMPLIANCE_MODE): Likewise. * doc/DETAILS: Document the new status lines. * g10/mainproc.c (proc_encrypted): Compute compliance with CO_DE_VS and report that using the new status line. (check_sig_and_print): Likewise. * sm/decrypt.c (gpgsm_decrypt): Likewise. * sm/verify.c (gpgsm_verify): Likewise. -- When decrypting data and verifying signatures, report whether the operations are in compliance with the criteria for data classified as VS-NfD. This information will be picked up by the frontend and presented to the user. GnuPG-bug-id: 3059 Signed-off-by: Justus Winter <justus@g10code.com>
author: Justus Winter <justus@g10code.com> 2017-05-30 14:30:24 +0200
committer: Justus Winter <justus@g10code.com> 2017-06-01 13:16:18 +0200
commit: be8ca8852629786266db4d3d69b2c2fb03bd6365 (patch)
tree: 7f0b3de344c5ff6265c480b74b016d2799540605 /common
parent: common: Improve checking for compliance with CO_DE_VS. (diff)
download: gnupg2-be8ca8852629786266db4d3d69b2c2fb03bd6365.tar.xz
gnupg2-be8ca8852629786266db4d3d69b2c2fb03bd6365.zip
3 files changed, 76 insertions, 3 deletions
diff --git a/common/compliance.c b/common/compliance.c
index c0b69843b..80134d6b6 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -45,8 +45,8 @@ int
 gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
 		       gcry_mpi_t key[], unsigned int keylength, const char *curvename)
 {
-  enum { is_rsa, is_pgp5, is_elg_sign, is_ecc } algotype;
-  int result;
+  enum { is_rsa, is_dsa, is_pgp5, is_elg_sign, is_ecc } algotype;
+  int result = 0;
 
   switch (algo)
     {
@@ -56,8 +56,11 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
       algotype = is_rsa;
       break;
 
-    case PUBKEY_ALGO_ELGAMAL_E:
     case PUBKEY_ALGO_DSA:
+      algotype = is_dsa;
+      break;
+
+    case PUBKEY_ALGO_ELGAMAL_E:
       algotype = is_pgp5;
       break;
 
@@ -91,6 +94,16 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
                     || keylength == 4096);
           break;
 
+	case is_dsa:
+	  if (key)
+	    {
+	      size_t L = gcry_mpi_get_nbits (key[0] /* p */);
+	      size_t N = gcry_mpi_get_nbits (key[1] /* q */);
+	      result = (L == 256
+			&& (N == 2048 || N == 3072));
+	    }
+	  break;
+
         case is_ecc:
           if (!curvename && key)
             {
@@ -126,6 +139,59 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
 }
 
 
+/* Return true if CIPHER is compliant to the give COMPLIANCE mode.  */
+int
+gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance, cipher_algo_t cipher)
+{
+  switch (compliance)
+    {
+    case CO_DE_VS:
+      switch (cipher)
+	{
+	case CIPHER_ALGO_AES:
+	case CIPHER_ALGO_AES192:
+	case CIPHER_ALGO_AES256:
+	case CIPHER_ALGO_3DES:
+	  return 1;
+	default:
+	  return 0;
+	}
+      log_assert (!"reached");
+
+    default:
+      return 0;
+    }
+
+  log_assert (!"reached");
+}
+
+
+/* Return true if DIGEST is compliant to the give COMPLIANCE mode.  */
+int
+gnupg_digest_is_compliant (enum gnupg_compliance_mode compliance, digest_algo_t digest)
+{
+  switch (compliance)
+    {
+    case CO_DE_VS:
+      switch (digest)
+	{
+	case DIGEST_ALGO_SHA256:
+	case DIGEST_ALGO_SHA384:
+	case DIGEST_ALGO_SHA512:
+	  return 1;
+	default:
+	  return 0;
+	}
+      log_assert (!"reached");
+
+    default:
+      return 0;
+    }
+
+  log_assert (!"reached");
+}
+
+
 const char *
 gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance)
 {
diff --git a/common/compliance.h b/common/compliance.h
index 123bd1b50..4f78ad42f 100644
--- a/common/compliance.h
+++ b/common/compliance.h
@@ -42,6 +42,10 @@ enum gnupg_compliance_mode
 int gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
                            gcry_mpi_t key[], unsigned int keylength,
                            const char *curvename);
+int gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance,
+                               cipher_algo_t cipher);
+int gnupg_digest_is_compliant (enum gnupg_compliance_mode compliance,
+                               digest_algo_t digest);
 const char *gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance);
 
 #endif /*GNUPG_COMMON_COMPLIANCE_H*/
diff --git a/common/status.h b/common/status.h
index 8831a0f5f..0250a656f 100644
--- a/common/status.h
+++ b/common/status.h
@@ -141,6 +141,9 @@ enum
     STATUS_TOFU_STATS_SHORT,
     STATUS_TOFU_STATS_LONG,
 
+    STATUS_DECRYPTION_COMPLIANCE_MODE,
+    STATUS_VERIFICATION_COMPLIANCE_MODE,
+
     STATUS_TRUNCATED,
     STATUS_MOUNTPOINT,
     STATUS_BLOCKDEV,
author	Justus Winter <justus@g10code.com>	2017-05-30 14:30:24 +0200
committer	Justus Winter <justus@g10code.com>	2017-06-01 13:16:18 +0200
commit	be8ca8852629786266db4d3d69b2c2fb03bd6365 (patch)
tree	7f0b3de344c5ff6265c480b74b016d2799540605 /common
parent	common: Improve checking for compliance with CO_DE_VS. (diff)
download	gnupg2-be8ca8852629786266db4d3d69b2c2fb03bd6365.tar.xz gnupg2-be8ca8852629786266db4d3d69b2c2fb03bd6365.zip