security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-07-03 22:56:33 +02:00
Code Activity

Implement GNUPG_ASSUME_COMPLIANCE envvar for testing

Browse source 
* common/compliance.c (assumed_de_vs_compliance): New.
(get_compliance_cache): Check envvar and fake compliance.
(gnupg_status_compliance_flag): Return 2023 for de-vs if in faked
mode.
* g10/gpg.c (gpgconf_list): For compliance_de_vs return 23 or 2023.
--

The user visible changes are that

   GNUPG_ASSUME_COMPLIANCE=de-vs gpgconf --list-options gpg \
     | awk -F: '$1=="compliance_de_vs" {print $8}'

returns 2023 if "compliance de-vs" is found in gpg.conf.  If
eventually the software is arpproved the returned value will be 23 and
not 1 as it was before.  Consumers should check whether they see value
of true (Kleopatra does this right now) and also check whether the
value is > 2000 and in this case print a beta/non-approved warning.

The envvar is currently used to assume that the underlying libgcrypt
is compliant and approved.  This is not yet the case but eventually
libgcrypt will announce this itself and from then on the envvar is not
anymore required for testing.
This commit is contained in:
Werner Koch 2024-10-07 09:59:26 +02:00
parent e8858807bc
commit b287fb5775
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
4 changed files with 33 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

20
common/compliance.c
View file

@ -40,6 +40,11 @@
static int initialized;
static int module;
/* The next variable and the code in get_compliance_cache should be
* removed after the software suite has been approved. */
static int assumed_de_vs_compliance = -1;
/* This value is used by DSA and RSA checks in addition to the hard
* coded length checks. It allows one to increase the required key length
* using a config file. */
@ -70,6 +75,19 @@ get_compliance_cache (enum gnupg_compliance_mode compliance, int for_rng)
case CO_DE_VS: ptr = for_rng? &r_de_vs : &s_de_vs ; break;
}
/* Remove this code after approval. */
if (ptr && compliance == CO_DE_VS)
{
if (assumed_de_vs_compliance == -1)
{
const char *s = getenv ("GNUPG_ASSUME_COMPLIANCE");
assumed_de_vs_compliance = (s && !strcmp (s, "de-vs"));
}
if (assumed_de_vs_compliance)
*ptr = 1;
}
return ptr;
}
@ -667,7 +685,7 @@ gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance)
case CO_PGP8:
log_assert (!"no status code assigned for this compliance mode");
case CO_DE_VS:
return "23";
return assumed_de_vs_compliance ? "2023" : "23";
}
log_assert (!"invalid compliance mode");
}