gpg: Add compatibility flag "vsd-allow-ocb"

* common/compliance.h (enum gnupg_co_extra_infos): New. * common/compliance.c (vsd_allow_ocb): New. (gnupg_cipher_is_compliant): Allow OCB if flag is set. (gnupg_cipher_is_allowed): Ditto. (gnupg_set_compliance_extra_info): Change to take two args. Adjust callers. * g10/gpg.c (compatibility_flags): Add "vsd-allow-ocb". (main): And set it. * g10/options.h (COMPAT_VSD_ALLOW_OCB): NEw. -- This is a temporary flag until the new mode has been evaluated and can always be enabled. GnuPG-bug-id: 6263
2024-06-09 23:39:51 +02:00 · 2022-10-31 17:23:41 +01:00 · 2022-10-31 17:23:41 +01:00 · 0a355b2fe7
commit 0a355b2fe7
parent 4a9f3f94c6
5 changed files with 35 additions and 9 deletions
--- a/common/compliance.c
+++ b/common/compliance.c
@ -45,6 +45,9 @@ static int module;
 * using a confue file.  */
 static unsigned int min_compliant_rsa_length;

+/* Temporary hack to allow OCB mode in de-vs mode.  */
+static unsigned int vsd_allow_ocb;
+
 /* Return the address of a compliance cache variable for COMPLIANCE.
 * If no such variable exists NULL is returned.  FOR_RNG returns the
 * cache variable for the RNG compliance check. */
@ -380,7 +383,8 @@ gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance,
 	  switch (module)
 	    {
 	    case GNUPG_MODULE_NAME_GPG:
-	      return mode == GCRY_CIPHER_MODE_CFB;
+	      return (mode == GCRY_CIPHER_MODE_CFB
+                      || (vsd_allow_ocb && mode == GCRY_CIPHER_MODE_OCB));
 	    case GNUPG_MODULE_NAME_GPGSM:
 	      return mode == GCRY_CIPHER_MODE_CBC;
 	    }
@ -424,7 +428,8 @@ gnupg_cipher_is_allowed (enum gnupg_compliance_mode compliance, int producer,
 	    {
 	    case GNUPG_MODULE_NAME_GPG:
 	      return (mode == GCRY_CIPHER_MODE_NONE
-                      || mode == GCRY_CIPHER_MODE_CFB);
+                      || mode == GCRY_CIPHER_MODE_CFB
+                      || (vsd_allow_ocb && mode == GCRY_CIPHER_MODE_OCB));
 	    case GNUPG_MODULE_NAME_GPGSM:
 	      return (mode == GCRY_CIPHER_MODE_NONE
                      || mode == GCRY_CIPHER_MODE_CBC
@ -441,7 +446,8 @@ gnupg_cipher_is_allowed (enum gnupg_compliance_mode compliance, int producer,
 	case CIPHER_ALGO_TWOFISH:
 	  return (module == GNUPG_MODULE_NAME_GPG
 		  && (mode == GCRY_CIPHER_MODE_NONE
-                      || mode == GCRY_CIPHER_MODE_CFB)
+                      || mode == GCRY_CIPHER_MODE_CFB
+                      || (vsd_allow_ocb && mode == GCRY_CIPHER_MODE_OCB))
 		  && ! producer);
 	default:
 	  return 0;
@ -696,7 +702,15 @@ gnupg_compliance_option_string (enum gnupg_compliance_mode compliance)

 /* Set additional infos for example taken from config files at startup.  */
 void
-gnupg_set_compliance_extra_info (unsigned int min_rsa)
+gnupg_set_compliance_extra_info (enum gnupg_co_extra_infos what,
+                                 unsigned int value)
 {
-  min_compliant_rsa_length = min_rsa;
+  switch (what)
+    {
+    case CO_EXTRA_INFO_MIN_RSA:
+      min_compliant_rsa_length = value;
+      break;
+    case CO_EXTRA_INFO_VSD_ALLOW_OCB:
+      vsd_allow_ocb = value;
+    }
 }
--- a/common/compliance.h
+++ b/common/compliance.h
@ -36,12 +36,14 @@

 void gnupg_initialize_compliance (int gnupg_module_name);

+
 enum gnupg_compliance_mode
  {
    CO_GNUPG, CO_RFC4880, CO_RFC2440,
    CO_PGP6, CO_PGP7, CO_PGP8, CO_DE_VS
  };

+
 enum pk_use_case
  {
    PK_USE_ENCRYPTION, PK_USE_DECRYPTION,
@ -91,7 +93,14 @@ int gnupg_parse_compliance_option (const char *string,
 const char *gnupg_compliance_option_string (enum gnupg_compliance_mode
                                            compliance);

-void gnupg_set_compliance_extra_info (unsigned int min_rsa);
+enum gnupg_co_extra_infos
+  {
+   CO_EXTRA_INFO_MIN_RSA,
+   CO_EXTRA_INFO_VSD_ALLOW_OCB
+  };
+
+void gnupg_set_compliance_extra_info (enum gnupg_co_extra_infos what,
+                                      unsigned int value);


 #endif /*GNUPG_COMMON_COMPLIANCE_H*/
--- a/g10/gpg.c
+++ b/g10/gpg.c
@ -993,6 +993,7 @@ static struct debug_flags_s debug_flags [] =
 /* The list of compatibility flags.  */
 static struct compatibility_flags_s compatibility_flags [] =
  {
+    { COMPAT_VSD_ALLOW_OCB, "vsd-allow-ocb" },
    { 0, NULL }
  };

@ -3796,7 +3797,9 @@ main (int argc, char **argv)
    set_debug (debug_level);
    if (opt.verbose) /* Print the compatibility flags.  */
      parse_compatibility_flags (NULL, &opt.compat_flags, compatibility_flags);
-    gnupg_set_compliance_extra_info (opt.min_rsa_length);
+    gnupg_set_compliance_extra_info (CO_EXTRA_INFO_MIN_RSA, opt.min_rsa_length);
+    if ((opt.compat_flags & COMPAT_VSD_ALLOW_OCB))
+      gnupg_set_compliance_extra_info (CO_EXTRA_INFO_VSD_ALLOW_OCB, 1);
    if (DBG_CLOCK)
      log_clock ("start");

--- a/g10/options.h
+++ b/g10/options.h
@ -351,7 +351,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_debug_mode;
 EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode;

 /* Compatibility flags */
-/* #define COMPAT_FOO   1 */
+#define COMPAT_VSD_ALLOW_OCB  1


 /* Compliance test macors.  */
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@ -1531,7 +1531,7 @@ main ( int argc, char **argv)
  set_debug ();
  if (opt.verbose) /* Print the compatibility flags.  */
    parse_compatibility_flags (NULL, &opt.compat_flags, compatibility_flags);
-  gnupg_set_compliance_extra_info (opt.min_rsa_length);
+  gnupg_set_compliance_extra_info (CO_EXTRA_INFO_MIN_RSA, opt.min_rsa_length);

  /* Although we always use gpgsm_exit, we better install a regualr
     exit handler so that at least the secure memory gets wiped