mirror of
git://git.gnupg.org/gnupg.git
synced 2024-12-22 10:19:57 +01:00
Implement GNUPG_ASSUME_COMPLIANCE envvar for testing
* common/compliance.c (assumed_de_vs_compliance): New. (get_compliance_cache): Check envvar and fake compliance. (gnupg_status_compliance_flag): Return 2023 for de-vs if in faked mode. * g10/gpg.c (gpgconf_list): For compliance_de_vs return 23 or 2023. -- The user visible changes are that GNUPG_ASSUME_COMPLIANCE=de-vs gpgconf --list-options gpg \ | awk -F: '$1=="compliance_de_vs" {print $8}' returns 2023 if "compliance de-vs" is found in gpg.conf. If eventually the software is arpproved the returned value will be 23 and not 1 as it was before. Consumers should check whether they see value of true (Kleopatra does this right now) and also check whether the value is > 2000 and in this case print a beta/non-approved warning. The envvar is currently used to assume that the underlying libgcrypt is compliant and approved. This is not yet the case but eventually libgcrypt will announce this itself and from then on the envvar is not anymore required for testing.
This commit is contained in:
parent
e8858807bc
commit
b287fb5775
@ -40,6 +40,11 @@
|
|||||||
static int initialized;
|
static int initialized;
|
||||||
static int module;
|
static int module;
|
||||||
|
|
||||||
|
|
||||||
|
/* The next variable and the code in get_compliance_cache should be
|
||||||
|
* removed after the software suite has been approved. */
|
||||||
|
static int assumed_de_vs_compliance = -1;
|
||||||
|
|
||||||
/* This value is used by DSA and RSA checks in addition to the hard
|
/* This value is used by DSA and RSA checks in addition to the hard
|
||||||
* coded length checks. It allows one to increase the required key length
|
* coded length checks. It allows one to increase the required key length
|
||||||
* using a config file. */
|
* using a config file. */
|
||||||
@ -70,6 +75,19 @@ get_compliance_cache (enum gnupg_compliance_mode compliance, int for_rng)
|
|||||||
case CO_DE_VS: ptr = for_rng? &r_de_vs : &s_de_vs ; break;
|
case CO_DE_VS: ptr = for_rng? &r_de_vs : &s_de_vs ; break;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Remove this code after approval. */
|
||||||
|
if (ptr && compliance == CO_DE_VS)
|
||||||
|
{
|
||||||
|
if (assumed_de_vs_compliance == -1)
|
||||||
|
{
|
||||||
|
const char *s = getenv ("GNUPG_ASSUME_COMPLIANCE");
|
||||||
|
assumed_de_vs_compliance = (s && !strcmp (s, "de-vs"));
|
||||||
|
}
|
||||||
|
if (assumed_de_vs_compliance)
|
||||||
|
*ptr = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
return ptr;
|
return ptr;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -667,7 +685,7 @@ gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance)
|
|||||||
case CO_PGP8:
|
case CO_PGP8:
|
||||||
log_assert (!"no status code assigned for this compliance mode");
|
log_assert (!"no status code assigned for this compliance mode");
|
||||||
case CO_DE_VS:
|
case CO_DE_VS:
|
||||||
return "23";
|
return assumed_de_vs_compliance ? "2023" : "23";
|
||||||
}
|
}
|
||||||
log_assert (!"invalid compliance mode");
|
log_assert (!"invalid compliance mode");
|
||||||
}
|
}
|
||||||
|
@ -257,6 +257,8 @@ described here.
|
|||||||
|
|
||||||
- 8 :: The key is compliant with RFC4880bis
|
- 8 :: The key is compliant with RFC4880bis
|
||||||
- 23 :: The key is compliant with compliance mode "de-vs".
|
- 23 :: The key is compliant with compliance mode "de-vs".
|
||||||
|
- 2023 :: The key is compliant with a compliance mode "de-vs" but
|
||||||
|
the software has not yet been approved.
|
||||||
- 6001 :: Screening hit on the ROCA vulnerability.
|
- 6001 :: Screening hit on the ROCA vulnerability.
|
||||||
|
|
||||||
*** Field 19 - Last update
|
*** Field 19 - Last update
|
||||||
|
@ -4205,6 +4205,14 @@ Operation is further controlled by a few environment variables:
|
|||||||
A numeric decimal value is expected. Bit 0 enables general
|
A numeric decimal value is expected. Bit 0 enables general
|
||||||
diagnostics, bit 1 enables certain warnings on Windows.
|
diagnostics, bit 1 enables certain warnings on Windows.
|
||||||
|
|
||||||
|
|
||||||
|
@item GNUPG_ASSUME_COMPLIANCE
|
||||||
|
@efindex GNUPG_ASSUME_COMPLIANCE
|
||||||
|
Debug helper to set the system into an assume compliance state. For
|
||||||
|
example in de-vs mode this will return 2023 as identifier instead of
|
||||||
|
23.
|
||||||
|
|
||||||
|
|
||||||
@end table
|
@end table
|
||||||
|
|
||||||
When calling the gpg-agent component @command{@gpgname} sends a set of
|
When calling the gpg-agent component @command{@gpgname} sends a set of
|
||||||
|
@ -2012,11 +2012,11 @@ gpgconf_list (void)
|
|||||||
get_default_pubkey_algo ());
|
get_default_pubkey_algo ());
|
||||||
/* This info only mode tells whether the we are running in de-vs
|
/* This info only mode tells whether the we are running in de-vs
|
||||||
* compliance mode. This does not test all parameters but the basic
|
* compliance mode. This does not test all parameters but the basic
|
||||||
* conditions like a proper RNG and Libgcrypt. AS of now we always
|
* conditions like a proper RNG and Libgcrypt. */
|
||||||
* return 0 because this version of gnupg has not yet received an
|
|
||||||
* approval. */
|
|
||||||
es_printf ("compliance_de_vs:%lu:%d:\n", GC_OPT_FLAG_DEFAULT,
|
es_printf ("compliance_de_vs:%lu:%d:\n", GC_OPT_FLAG_DEFAULT,
|
||||||
0 /*gnupg_rng_is_compliant (CO_DE_VS)*/);
|
(opt.compliance==CO_DE_VS
|
||||||
|
&& gnupg_rng_is_compliant (CO_DE_VS))?
|
||||||
|
atoi (gnupg_status_compliance_flag (CO_DE_VS)) : 0);
|
||||||
|
|
||||||
es_printf ("use_keyboxd:%lu:%d:\n", GC_OPT_FLAG_DEFAULT, opt.use_keyboxd);
|
es_printf ("use_keyboxd:%lu:%d:\n", GC_OPT_FLAG_DEFAULT, opt.use_keyboxd);
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user