diff --git a/common/compliance.c b/common/compliance.c index d421b0371..faea384d9 100644 --- a/common/compliance.c +++ b/common/compliance.c @@ -40,6 +40,11 @@ static int initialized; static int module; + +/* The next variable and the code in get_compliance_cache should be + * removed after the software suite has been approved. */ +static int assumed_de_vs_compliance = -1; + /* This value is used by DSA and RSA checks in addition to the hard * coded length checks. It allows one to increase the required key length * using a config file. */ @@ -70,6 +75,19 @@ get_compliance_cache (enum gnupg_compliance_mode compliance, int for_rng) case CO_DE_VS: ptr = for_rng? &r_de_vs : &s_de_vs ; break; } + /* Remove this code after approval. */ + if (ptr && compliance == CO_DE_VS) + { + if (assumed_de_vs_compliance == -1) + { + const char *s = getenv ("GNUPG_ASSUME_COMPLIANCE"); + assumed_de_vs_compliance = (s && !strcmp (s, "de-vs")); + } + if (assumed_de_vs_compliance) + *ptr = 1; + } + + return ptr; } @@ -667,7 +685,7 @@ gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance) case CO_PGP8: log_assert (!"no status code assigned for this compliance mode"); case CO_DE_VS: - return "23"; + return assumed_de_vs_compliance ? "2023" : "23"; } log_assert (!"invalid compliance mode"); } diff --git a/doc/DETAILS b/doc/DETAILS index d50de6d60..a02456499 100644 --- a/doc/DETAILS +++ b/doc/DETAILS @@ -257,6 +257,8 @@ described here. - 8 :: The key is compliant with RFC4880bis - 23 :: The key is compliant with compliance mode "de-vs". + - 2023 :: The key is compliant with a compliance mode "de-vs" but + the software has not yet been approved. - 6001 :: Screening hit on the ROCA vulnerability. *** Field 19 - Last update diff --git a/doc/gpg.texi b/doc/gpg.texi index e88ba8589..9aac29fb2 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi 
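Review bot: The new `assumed_de_vs_compliance` variable is tri-state, but its comment only says when to delete it, not what the values mean; since it is also read outside get_compliance_cache (in gnupg_status_compliance_flag further down this diff) the -1 sentinel needs spelling out. Suggested comment: `/* -1: not yet probed; 0: GNUPG_ASSUME_COMPLIANCE is not "de-vs"; 1: it is.  Only get_compliance_cache (CO_DE_VS, ...) initializes this, so other readers must not treat -1 as true. */`.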
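Review bot: The override at `*ptr = 1` forces the cached de-vs result for both the RNG and the libgcrypt variants to "compliant" before the real probe ever runs, and the trigger is an environment variable that any wrapper script or login profile can set, so a deployed installation can be made to emit de-vs compliance status lines without any check having been performed. The "2023" code is the only trace of that and nothing is logged. At minimum emit a diagnostic once when the assumption is taken, inside the `== -1` branch after the assignment: `if (assumed_de_vs_compliance) log_info ("assuming de-vs compliance because GNUPG_ASSUME_COMPLIANCE is set\n");`, and consider compiling the block out of release builds rather than relying on the "remove after approval" comment. get_compliance_cache begins outside this hunk.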
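Review bot: `assumed_de_vs_compliance ? "2023" : "23"` treats the -1 "not yet determined" sentinel as true, so a caller that reaches gnupg_status_compliance_flag (CO_DE_VS) before get_compliance_cache has been called for CO_DE_VS gets "2023" even when GNUPG_ASSUME_COMPLIANCE is unset; whether such a call order exists depends on callers not shown here, but this function should not depend on it. Use `return assumed_de_vs_compliance > 0 ? "2023" : "23";`, or move the getenv lookup into a small static helper that both functions call. gnupg_status_compliance_flag begins outside this hunk.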
@@ -4205,6 +4205,14 @@ Operation is further controlled by a few environment variables: A numeric decimal value is expected. Bit 0 enables general diagnostics, bit 1 enables certain warnings on Windows. + + @item GNUPG_ASSUME_COMPLIANCE + @efindex GNUPG_ASSUME_COMPLIANCE + Debug helper to set the system into an assume compliance state. For + example in de-vs mode this will return 2023 as identifier instead of + 23. + + @end table When calling the gpg-agent component @command{@gpgname} sends a set of diff --git a/g10/gpg.c b/g10/gpg.c index 6068eefd3..d8b1051d5 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -2012,11 +2012,11 @@ gpgconf_list (void) get_default_pubkey_algo ()); /* This info only mode tells whether the we are running in de-vs * compliance mode. This does not test all parameters but the basic - * conditions like a proper RNG and Libgcrypt. AS of now we always - * return 0 because this version of gnupg has not yet received an - * approval. */ + * conditions like a proper RNG and Libgcrypt. */ es_printf ("compliance_de_vs:%lu:%d:\n", GC_OPT_FLAG_DEFAULT, - 0 /*gnupg_rng_is_compliant (CO_DE_VS)*/); + (opt.compliance==CO_DE_VS + && gnupg_rng_is_compliant (CO_DE_VS))? + atoi (gnupg_status_compliance_flag (CO_DE_VS)) : 0); es_printf ("use_keyboxd:%lu:%d:\n", GC_OPT_FLAG_DEFAULT, opt.use_keyboxd);
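Review bot: The new expression gates the `compliance_de_vs` value only on `gnupg_rng_is_compliant (CO_DE_VS)`, while the comment directly above still promises that the basic conditions "like a proper RNG and Libgcrypt" are tested; the libgcrypt side is not checked here. If this tree has the matching libgcrypt helper in common/compliance.c (gnupg_gcrypt_is_compliant, if present), add `&& gnupg_gcrypt_is_compliant (CO_DE_VS)` to the condition; otherwise narrow the comment to the RNG. Also state in the comment that the field is now `23` for a real pass and `2023` when GNUPG_ASSUME_COMPLIANCE is set, so consumers must compare against 23 rather than test for non-zero. gpgconf_list begins and ends outside this hunk.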