authorWerner Koch <wk@gnupg.org>2022-03-08 19:06:30 +0100
committerWerner Koch <wk@gnupg.org>2022-03-08 19:28:16 +0100
commitf8075257afad4c7a41cd4409e334670a0097b5b8 (patch)
treee6de29104400b4a08d95746570ffcb0e69a8d520 /sm
parentgpg: New option --require-compliance. (diff)
gpgsm: New option --require-compliance
* sm/gpgsm.c (oRequireCompliance): New. (opts): Add --require-compliance. (main): Set option. * sm/gpgsm.h (opt): Add field require_compliance. (gpgsm_errors_seen): Declare. * sm/verify.c (gpgsm_verify): Emit error if non de-vs compliant. * sm/encrypt.c (gpgsm_encrypt): Ditto. * sm/decrypt.c (gpgsm_decrypt): Ditto. --
Diffstat (limited to 'sm')
-rw-r--r--sm/decrypt.c8
-rw-r--r--sm/encrypt.c9
-rw-r--r--sm/gpgsm.c7
-rw-r--r--sm/gpgsm.h7
-rw-r--r--sm/verify.c7
5 files changed, 35 insertions, 3 deletions
diff --git a/sm/decrypt.c b/sm/decrypt.c
index 1fe2522b5..3702cd893 100644
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@@ -1389,7 +1389,13 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
&& gnupg_gcrypt_is_compliant (CO_DE_VS))
gpgsm_status (ctrl, STATUS_DECRYPTION_COMPLIANCE_MODE,
gnupg_status_compliance_flag (CO_DE_VS));
-
+ else if (opt.require_compliance
+ && opt.compliance == CO_DE_VS)
+ {
+ log_error (_("operation forced to fail due to"
+ " unfulfilled compliance rules\n"));
+ gpgsm_errors_seen = 1;
+ }
}
audit_log_ok (ctrl->audit, AUDIT_RECP_RESULT, rc);
}
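Review bot: The new `else if` branch in gpgsm_decrypt logs the error and sets `gpgsm_errors_seen` but leaves `rc` untouched, so the `audit_log_ok (ctrl->audit, AUDIT_RECP_RESULT, rc)` call right after it records the earlier result and the function presumably still returns success. The encrypt.c hunk in this commit treats the same condition as a hard failure with `rc = gpg_error (GPG_ERR_FORBIDDEN); goto leave;`, while the verify.c hunk has the same soft-fail shape as this one. A caller that looks at the command result rather than the process exit status (server mode, for example) would likely not notice that a required compliance check failed. If that is intended, a comment such as `/* Failure is reported only via gpgsm_errors_seen; rc is left as is. */` should say so; otherwise set `rc = gpg_error (GPG_ERR_FORBIDDEN);` here too. The function starts and ends outside the hunk, so how rc is used afterwards needs confirming.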
diff --git a/sm/encrypt.c b/sm/encrypt.c
index ba2428e9a..4fd4f93b9 100644
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@@ -811,6 +811,15 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
if (compliant && gnupg_gcrypt_is_compliant (CO_DE_VS))
gpgsm_status (ctrl, STATUS_ENCRYPTION_COMPLIANCE_MODE,
gnupg_status_compliance_flag (CO_DE_VS));
+ else if (opt.require_compliance
+ && opt.compliance == CO_DE_VS)
+ {
+ log_error (_("operation forced to fail due to"
+ " unfulfilled compliance rules\n"));
+ gpgsm_errors_seen = 1;
+ rc = gpg_error (GPG_ERR_FORBIDDEN);
+ goto leave;
+ }
/* Main control loop for encryption. */
recpno = 0;
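Review bot: The `log_error (_("operation forced to fail due to" " unfulfilled compliance rules\n"))` and `gpgsm_errors_seen = 1;` pair added here is repeated verbatim in the decrypt.c and verify.c hunks. A small shared helper declared in gpgsm.h would keep the translated string and the flag update in one place. Only this encrypt path would then carry its extra `rc = gpg_error (GPG_ERR_FORBIDDEN); goto leave;`. gpgsm_encrypt continues outside the hunk, so the cleanup done at `leave` is not visible here.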
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 61dd86aab..9e9a2297f 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -209,6 +209,7 @@ enum cmd_and_opt_values {
oChUid,
oUseKeyboxd,
oKeyboxdProgram,
+ oRequireCompliance,
oNoAutostart
};
@@ -301,6 +302,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oPolicyFile, "policy-file",
N_("|FILE|take policy information from FILE")),
ARGPARSE_s_s (oCompliance, "compliance", "@"),
+ ARGPARSE_p_u (oMinRSALength, "min-rsa-length", "@"),
ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
ARGPARSE_s_s (oIgnoreCertWithOID, "ignore-cert-with-oid", "@"),
@@ -407,7 +409,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oDisablePubkeyAlgo, "disable-pubkey-algo", "@"),
ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"),
ARGPARSE_s_n (oNoRandomSeedFile, "no-random-seed-file", "@"),
- ARGPARSE_p_u (oMinRSALength, "min-rsa-length", "@"),
+ ARGPARSE_s_n (oRequireCompliance, "require-compliance", "@"),
ARGPARSE_header (NULL, N_("Options for unattended use")),
@@ -441,7 +443,6 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oXauthority, "xauthority", "@"),
ARGPARSE_s_s (oChUid, "chuid", "@"),
-
ARGPARSE_header (NULL, ""), /* Stop the header group. */
@@ -1459,6 +1460,8 @@ main ( int argc, char **argv)
case oMinRSALength: opt.min_rsa_length = pargs.r.ret_ulong; break;
+ case oRequireCompliance: opt.require_compliance = 1; break;
+
default:
if (configname)
pargs.err = ARGPARSE_PRINT_WARNING;
diff --git a/sm/gpgsm.h b/sm/gpgsm.h
index acb9332ba..0eec0c025 100644
--- a/sm/gpgsm.h
+++ b/sm/gpgsm.h
@@ -155,8 +155,13 @@ struct
* sunch an OID during --learn-card. */
strlist_t ignore_cert_with_oid;
+ /* The current compliance mode. */
enum gnupg_compliance_mode compliance;
+ /* Fail if an operation can't be done in the requested compliance
+ * mode. */
+ int require_compliance;
+
/* Enable creation of authenticode signatures. */
int authenticode;
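Review bot: The comment on `require_compliance` promises failure whenever an operation cannot be done in the requested compliance mode, but every check this commit adds is guarded by `opt.compliance == CO_DE_VS`, so the flag has no effect in any other mode. The comment should say that, for example `/* Fail if an operation can't be done in de-vs mode; ignored unless compliance is CO_DE_VS. */`. It may also be worth emitting a warning after option parsing in main() in sm/gpgsm.c when --require-compliance is given with another compliance setting, since a user could otherwise assume enforcement is active.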
@@ -274,6 +279,8 @@ struct rootca_flags_s
/*-- gpgsm.c --*/
+extern int gpgsm_errors_seen;
+
void gpgsm_exit (int rc);
void gpgsm_init_default_ctrl (struct server_control_s *ctrl);
void gpgsm_deinit_default_ctrl (ctrl_t ctrl);
diff --git a/sm/verify.c b/sm/verify.c
index fe111c32a..c9a435895 100644
--- a/sm/verify.c
+++ b/sm/verify.c
@@ -520,6 +520,13 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
&& gnupg_digest_is_compliant (CO_DE_VS, sigval_hash_algo))
gpgsm_status (ctrl, STATUS_VERIFICATION_COMPLIANCE_MODE,
gnupg_status_compliance_flag (CO_DE_VS));
+ else if (opt.require_compliance
+ && opt.compliance == CO_DE_VS)
+ {
+ log_error (_("operation forced to fail due to"
+ " unfulfilled compliance rules\n"));
+ gpgsm_errors_seen = 1;
+ }
/* Now we can check the signature. */