gpgsm: Add --always-trust feature.

* sm/gpgsm.h (opt): Re-purpose unused flag always_trust.
(struct server_control_s): Add "always_trust".
(VALIDATE_FLAG_BYPASS): New.
* sm/gpgsm.c (oAlwaysTrust): New.
(opts): Add "--always-trust"
(main): Set option.
* sm/server.c (option_handler): Add option "always-trust".
(reset_notify): Clear that option.
(cmd_encrypt): Ditto.
(cmd_getinfo): Add sub-command always-trust.
* sm/certchain.c (gpgsm_validate_chain): Handle VALIDATE_FLAG_BYPASS.
* sm/certlist.c (gpgsm_add_to_certlist): Set that flag for recipients
in always-trust mode.
--

GnuPG-bug-id: 6559

doc/gpgsm.texi

@@ -694,6 +694,13 @@ instead to make sure that the gpgsm process exits with a failure if
 the compliance rules are not fulfilled.  Note that this option has
 currently an effect only in "de-vs" mode.
 
+@item --always-trust
+@opindex always-trust
+Force encryption to the specified certificates without any validation
+of the certificate chain.  The only requirement is that the
+certificate is capable of encryption.  Note that this option is
+ineffective if @option{--require-compliance} is used.
+
 @item --ignore-cert-with-oid @var{oid}
 @opindex ignore-cert-with-oid
 Add @var{oid} to the list of OIDs to be checked while reading
@@ -1603,6 +1610,10 @@ The leading two dashes usually used with @var{opt} shall not be given.
 Return OK if the connection is in offline mode.  This may be either
 due to a @code{OPTION offline=1} or due to @command{gpgsm} being
 started with option @option{--disable-dirmngr}.
+@item always-trust
+Returns OK of the connection is in always-trust mode.  That is either
+@option{--always-trust} or @option{GPGSM OPTION always-trust} are
+active.
 @end table
 
 @node GPGSM OPTION
@@ -1709,6 +1720,15 @@ If @var{value} is true or @var{value} is not given all network access
 is disabled for this session.  This is the same as the command line
 option @option{--disable-dirmngr}.
 
+@item always-trust
+If @var{value} is true or @var{value} is not given encryption to the
+specified certificates is forced without any validation of the
+certificate chain.  The only requirement is that the certificates are
+capable of encryption.  If set to false the standard behaviour is
+re-established.  This option is cleared by a RESET and after each
+encrypt operation.  Note that this option is ignored if
+@option{--always-trust} or @option{--require-compliance} are used.
+
 @item input-size-hint
 This is the same as the @option{--input-size-hint} command line option.
 

sm/certchain.c

@@ -2158,9 +2158,15 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime,
 
   memset (&rootca_flags, 0, sizeof rootca_flags);
 
-  rc = do_validate_chain (ctrl, cert, checktime,
+  if ((flags & VALIDATE_FLAG_BYPASS))
-                          r_exptime, listmode, listfp, flags,
+    {
-                          &rootca_flags);
+      *retflags |= VALIDATE_FLAG_BYPASS;
+      rc = 0;
+    }
+  else
+    rc = do_validate_chain (ctrl, cert, checktime,
+                            r_exptime, listmode, listfp, flags,
+                            &rootca_flags);
   if (!rc && (flags & VALIDATE_FLAG_STEED))
     {
       *retflags |= VALIDATE_FLAG_STEED;
@@ -2183,6 +2189,8 @@ gpgsm_validate_chain (ctrl_t ctrl, ksba_cert_t cert, ksba_isotime_t checktime,
 
   if (opt.verbose)
     do_list (0, listmode, listfp, _("validation model used: %s"),
+             (*retflags & VALIDATE_FLAG_BYPASS)?
+             "bypass" :
              (*retflags & VALIDATE_FLAG_STEED)?
              "steed" :
              (*retflags & VALIDATE_FLAG_CHAIN_MODEL)?

sm/certlist.c

@@ -454,6 +454,11 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
 
           if (!rc && !is_cert_in_certlist (cert, *listaddr))
             {
+              unsigned int valflags = 0;
+
+              if (!secret && (opt.always_trust || ctrl->always_trust))
+                valflags |= VALIDATE_FLAG_BYPASS;
+
               if (!rc && secret)
                 {
                   char *p;
@@ -467,9 +472,10 @@ gpgsm_add_to_certlist (ctrl_t ctrl, const char *name, int secret,
                       xfree (p);
                     }
                 }
+
               if (!rc)
                 rc = gpgsm_validate_chain (ctrl, cert, GNUPG_ISOTIME_NONE, NULL,
-                                           0, NULL, 0, NULL);
+                                           0, NULL, valflags, NULL);
               if (!rc)
                 {
                   certlist_t cl = xtrycalloc (1, sizeof *cl);

sm/gpgsm.c

@@ -203,6 +203,7 @@ enum cmd_and_opt_values {
   oRequireCompliance,
   oCompatibilityFlags,
   oKbxBufferSize,
+  oAlwaysTrust,
   oNoAutostart
  };
 
@@ -394,6 +395,7 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"),
   ARGPARSE_s_n (oNoRandomSeedFile,  "no-random-seed-file", "@"),
   ARGPARSE_s_n (oRequireCompliance, "require-compliance", "@"),
+  ARGPARSE_s_n (oAlwaysTrust,       "always-trust", "@"),
 
 
   ARGPARSE_header (NULL, N_("Options for unattended use")),
@@ -1441,6 +1443,7 @@ main ( int argc, char **argv)
         case oMinRSALength: opt.min_rsa_length = pargs.r.ret_ulong; break;
 
         case oRequireCompliance: opt.require_compliance = 1;  break;
+        case oAlwaysTrust: opt.always_trust = 1;  break;
 
         case oKbxBufferSize:
           keybox_set_buffersize (pargs.r.ret_ulong, 0);
@@ -1505,6 +1508,15 @@ main ( int argc, char **argv)
   if (may_coredump && !opt.quiet)
     log_info (_("WARNING: program may create a core file!\n"));
 
+  if (opt.require_compliance && opt.always_trust)
+    {
+      opt.always_trust = 0;
+      if (opt.quiet)
+        log_info (_("WARNING: %s overrides %s\n"),
+                  "--require-compliance","--always-trust");
+    }
+
+
 /*   if (opt.qualsig_approval && !opt.quiet) */
 /*     log_info (_("This software has officially been approved to " */
 /*                 "create and verify\n" */

sm/gpgsm.h

@@ -102,8 +102,6 @@ struct
   int extra_digest_algo;  /* A digest algorithm also used for
                              verification of signatures.  */
 
-  int always_trust;       /* Trust the given keys even if there is no
-                             valid certification chain */
   int skip_verify;        /* do not check signatures on data */
 
   int lock_once;          /* Keep lock once they are set */
@@ -150,6 +148,10 @@ struct
    * mode.  */
   int require_compliance;
 
+  /* Enable always-trust mode - note that there is also server option
+   * for this.  */
+  int always_trust;
+
   /* Compatibility flags (COMPAT_FLAG_xxxx).  */
   unsigned int compat_flags;
 } opt;
@@ -230,6 +232,9 @@ struct server_control_s
                            2 := STEED model. */
   int offline;        /* If true gpgsm won't do any network access.  */
 
+  int always_trust;   /* True in always-trust mode; see also
+                       * opt.always-trust.  */
+
   /* The current time.  Used as a helper in certchain.c.  */
   ksba_isotime_t current_time;
 };
@@ -340,6 +345,7 @@ int gpgsm_create_cms_signature (ctrl_t ctrl,
 #define VALIDATE_FLAG_NO_DIRMNGR  1
 #define VALIDATE_FLAG_CHAIN_MODEL 2
 #define VALIDATE_FLAG_STEED       4
+#define VALIDATE_FLAG_BYPASS      8  /* No actual validation.  */
 
 int gpgsm_walk_cert_chain (ctrl_t ctrl,
                            ksba_cert_t start, ksba_cert_t *r_next);

sm/server.c

@@ -290,6 +290,17 @@ option_handler (assuan_context_t ctx, const char *key, const char *value)
           ctrl->offline = i;
         }
     }
+  else if (!strcmp (key, "always-trust"))
+    {
+      /* We ignore this option if gpgsm has been started with
+         --always-trust (which also sets offline) and if
+         --require-compliance is active */
+      if (!opt.always_trust && !opt.require_compliance)
+        {
+          int i = *value? !!atoi (value) : 1;
+          ctrl->always_trust = i;
+        }
+    }
   else if (!strcmp (key, "request-origin"))
     {
       if (!opt.request_origin)
@@ -323,6 +334,7 @@ reset_notify (assuan_context_t ctx, char *line)
   gpgsm_release_certlist (ctrl->server_local->signerlist);
   ctrl->server_local->recplist = NULL;
   ctrl->server_local->signerlist = NULL;
+  ctrl->always_trust = 0;
   close_message_fd (ctrl);
   assuan_close_input_fd (ctx);
   assuan_close_output_fd (ctx);
@@ -491,6 +503,7 @@ cmd_encrypt (assuan_context_t ctx, char *line)
 
   gpgsm_release_certlist (ctrl->server_local->recplist);
   ctrl->server_local->recplist = NULL;
+  ctrl->always_trust = 0;
   /* Close and reset the fd */
   close_message_fd (ctrl);
   assuan_close_input_fd (ctx);
@@ -1131,7 +1144,8 @@ static const char hlp_getinfo[] =
   "  agent-check - Return success if the agent is running.\n"
   "  cmd_has_option CMD OPT\n"
   "              - Returns OK if the command CMD implements the option OPT.\n"
-  "  offline     - Returns OK if the connection is in offline mode.";
+  "  offline     - Returns OK if the connection is in offline mode."
+  "  always-trust- Returns OK if the connection is in always-trust mode.";
 static gpg_error_t
 cmd_getinfo (assuan_context_t ctx, char *line)
 {
@@ -1190,6 +1204,11 @@ cmd_getinfo (assuan_context_t ctx, char *line)
     {
       rc = ctrl->offline? 0 : gpg_error (GPG_ERR_FALSE);
     }
+  else if (!strcmp (line, "always-trust"))
+    {
+      rc = (ctrl->always_trust || opt.always_trust)? 0
+           /**/                                    : gpg_error (GPG_ERR_FALSE);
+    }
   else
     rc = set_error (GPG_ERR_ASS_PARAMETER, "unknown value for WHAT");