gpg: Report compliance with CO_DE_VS.

* common/compliance.c (gnupg_pk_is_compliant): Add DSA with certain parameters. (gnupg_cipher_is_compliant): New function. (gnupg_digest_is_compliant): Likewise. * common/compliance.h (gnupg_cipher_is_compliant): New prototype. (gnupg_digest_is_compliant): Likewise. * common/status.h (STATUS_DECRYPTION_COMPLIANCE_MODE): New status. (STATUS_VERIFICATION_COMPLIANCE_MODE): Likewise. * doc/DETAILS: Document the new status lines. * g10/mainproc.c (proc_encrypted): Compute compliance with CO_DE_VS and report that using the new status line. (check_sig_and_print): Likewise. * sm/decrypt.c (gpgsm_decrypt): Likewise. * sm/verify.c (gpgsm_verify): Likewise. -- When decrypting data and verifying signatures, report whether the operations are in compliance with the criteria for data classified as VS-NfD. This information will be picked up by the frontend and presented to the user. GnuPG-bug-id: 3059 Signed-off-by: Justus Winter <justus@g10code.com>
2025-07-02 22:46:30 +02:00 · 2017-05-30 14:30:24 +02:00 · 2017-05-30 14:30:24 +02:00 · be8ca88526
commit be8ca88526
parent 3b70f62423
7 changed files with 171 additions and 3 deletions
--- a/sm/decrypt.c
+++ b/sm/decrypt.c
@ -32,6 +32,7 @@

 #include "keydb.h"
 #include "../common/i18n.h"
+#include "../common/compliance.h"

 struct decrypt_filter_parm_s
 {
@ -325,6 +326,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
          int algo, mode;
          const char *algoid;
          int any_key = 0;
+          int is_de_vs;	/* Computed compliance with CO_DE_VS.  */

          audit_log (ctrl->audit, AUDIT_GOT_DATA);

@ -356,6 +358,10 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
              goto leave;
            }

+          /* For CMS, CO_DE_VS demands CBC mode.  */
+          is_de_vs = (mode == GCRY_CIPHER_MODE_CBC
+                      && gnupg_cipher_is_compliant (CO_DE_VS, algo));
+
          audit_log_i (ctrl->audit, AUDIT_DATA_CIPHER_ALGO, algo);
          dfparm.algo = algo;
          dfparm.mode = mode;
@ -460,7 +466,21 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
                  hexkeygrip = gpgsm_get_keygrip_hexstring (cert);
                  desc = gpgsm_format_keydesc (cert);

+                  /* Check that all certs are compliant with CO_DE_VS.  */
+                  if (is_de_vs)
+                    {
+                      unsigned int nbits;
+                      int pk_algo = gpgsm_get_key_algo_info (cert, &nbits);
+
+                      is_de_vs = gnupg_pk_is_compliant (CO_DE_VS, pk_algo, NULL,
+                                                        nbits, NULL);
+                    }
+
                oops:
+                  if (rc)
+                    /* We cannot check compliance of certs that we
+                     * don't have.  */
+                    is_de_vs = 0;
                  xfree (issuer);
                  xfree (serial);
                  ksba_cert_release (cert);
@ -489,6 +509,11 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
                      ksba_writer_set_filter (writer,
                                              decrypt_filter,
                                              &dfparm);
+
+                      if (is_de_vs)
+                        gpgsm_status (ctrl, STATUS_DECRYPTION_COMPLIANCE_MODE,
+                                      gnupg_status_compliance_flag (CO_DE_VS));
+
                    }
                  audit_log_ok (ctrl->audit, AUDIT_RECP_RESULT, rc);
                }