From efe187e8a2b583defdcd9d4b96e3dc83f95bef0d Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Fri, 28 Jul 2017 17:46:43 +0200 Subject: [PATCH] gpg,sm: String changes for compliance diagnostics. Signed-off-by: Werner Koch --- g10/decrypt-data.c | 3 +-- g10/encrypt.c | 5 ++--- g10/gpg.c | 31 ++++++++++++++++--------------- g10/pkclist.c | 4 ++-- g10/pubkey-enc.c | 4 ++-- g10/sig-check.c | 6 ++---- g10/sign.c | 5 ++--- sm/decrypt.c | 6 +++--- sm/encrypt.c | 3 +-- sm/gpgsm.c | 9 +++------ sm/sign.c | 12 +++++++----- sm/verify.c | 12 +++++++----- 12 files changed, 48 insertions(+), 52 deletions(-) diff --git a/g10/decrypt-data.c b/g10/decrypt-data.c index 12693fe61..736534d75 100644 --- a/g10/decrypt-data.c +++ b/g10/decrypt-data.c @@ -102,8 +102,7 @@ decrypt_data (ctrl_t ctrl, void *procctx, PKT_encrypted *ed, DEK *dek) if (! gnupg_cipher_is_allowed (opt.compliance, 0, dek->algo, GCRY_CIPHER_MODE_CFB)) { - log_error (_("you may not use cipher algorithm '%s'" - " while in %s mode\n"), + log_error (_("cipher algorithm '%s' may not be used in %s mode\n"), openpgp_cipher_algo_name (dek->algo), gnupg_compliance_option_string (opt.compliance)); rc = gpg_error (GPG_ERR_CIPHER_ALGO); diff --git a/g10/encrypt.c b/g10/encrypt.c index c7982d448..c68d6d5d1 100644 --- a/g10/encrypt.c +++ b/g10/encrypt.c @@ -628,8 +628,7 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename, if (! gnupg_cipher_is_allowed (opt.compliance, 1, cfx.dek->algo, GCRY_CIPHER_MODE_CFB)) { - log_error (_("you may not use cipher algorithm '%s'" - " while in %s mode\n"), + log_error (_("cipher algorithm '%s' may not be used in %s mode\n"), openpgp_cipher_algo_name (cfx.dek->algo), gnupg_compliance_option_string (opt.compliance)); rc = gpg_error (GPG_ERR_CIPHER_ALGO); 
@@ -996,7 +995,7 @@ write_pubkey_enc_from_list (ctrl_t ctrl, PK_LIST pk_list, DEK *dek, iobuf_t out) { if (opt.throw_keyids && (PGP6 || PGP7 || PGP8)) { - log_info(_("you may not use %s while in %s mode\n"), + log_info(_("option '%s' may not be used in %s mode\n"), "--throw-keyids", gnupg_compliance_option_string (opt.compliance)); compliance_failure(); diff --git a/g10/gpg.c b/g10/gpg.c index 52b6089e9..d2227b395 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -3860,19 +3860,22 @@ main (int argc, char **argv) switch(badtype) { case PREFTYPE_SYM: - log_info(_("you may not use cipher algorithm '%s'" - " while in %s mode\n"), - badalg, gnupg_compliance_option_string (opt.compliance)); + log_info (_("cipher algorithm '%s'" + " may not be used in %s mode\n"), + badalg, + gnupg_compliance_option_string (opt.compliance)); break; case PREFTYPE_HASH: - log_info(_("you may not use digest algorithm '%s'" - " while in %s mode\n"), - badalg, gnupg_compliance_option_string (opt.compliance)); + log_info (_("digest algorithm '%s'" + " may not be used in %s mode\n"), + badalg, + gnupg_compliance_option_string (opt.compliance)); break; case PREFTYPE_ZIP: - log_info(_("you may not use compression algorithm '%s'" - " while in %s mode\n"), - badalg, gnupg_compliance_option_string (opt.compliance)); + log_info (_("compression algorithm '%s'" + " may not be used in %s mode\n"), + badalg, + gnupg_compliance_option_string (opt.compliance)); break; default: BUG(); @@ -3897,8 +3900,7 @@ main (int argc, char **argv) || cmd == aSignEncrSym, opt.def_cipher_algo, GCRY_CIPHER_MODE_NONE)) - log_error (_("you may not use cipher algorithm '%s'" - " while in %s mode\n"), + log_error (_("cipher algorithm '%s' may not be used in %s mode\n"), openpgp_cipher_algo_name (opt.def_cipher_algo), gnupg_compliance_option_string (opt.compliance)); 
@@ -3910,8 +3912,7 @@ main (int argc, char **argv) || cmd == aSignSym || cmd == aClearsign, opt.def_digest_algo)) - log_error (_("you may not use digest algorithm '%s'" - " while in %s mode\n"), + log_error (_("digest algorithm '%s' may not be used in %s mode\n"), gcry_md_algo_name (opt.def_digest_algo), gnupg_compliance_option_string (opt.compliance)); @@ -4128,7 +4129,7 @@ main (int argc, char **argv) " with --s2k-mode 0\n")); else if(PGP6 || PGP7) log_error(_("you cannot use --symmetric --encrypt" - " while in %s mode\n"), + " in %s mode\n"), gnupg_compliance_option_string (opt.compliance)); else { @@ -4189,7 +4190,7 @@ main (int argc, char **argv) " with --s2k-mode 0\n")); else if(PGP6 || PGP7) log_error(_("you cannot use --symmetric --sign --encrypt" - " while in %s mode\n"), + " in %s mode\n"), gnupg_compliance_option_string (opt.compliance)); else { diff --git a/g10/pkclist.c b/g10/pkclist.c index 48cfe4548..67d932e2a 100644 --- a/g10/pkclist.c +++ b/g10/pkclist.c @@ -1026,7 +1026,7 @@ build_pk_list (ctrl_t ctrl, strlist_t rcpts, PK_LIST *ret_pk_list) issue a warning and switch into GnuPG mode. */ if ((rov->flags & PK_LIST_HIDDEN) && (PGP6 || PGP7 || PGP8)) { - log_info(_("you may not use %s while in %s mode\n"), + log_info(_("option '%s' may not be used in %s mode\n"), "--hidden-recipient", gnupg_compliance_option_string (opt.compliance)); @@ -1077,7 +1077,7 @@ build_pk_list (ctrl_t ctrl, strlist_t rcpts, PK_LIST *ret_pk_list) GnuPG mode. */ if ((r->flags&PK_LIST_ENCRYPT_TO) && (PGP6 || PGP7 || PGP8)) { - log_info(_("you may not use %s while in %s mode\n"), + log_info(_("option '%s' may not be used in %s mode\n"), "--hidden-encrypt-to", gnupg_compliance_option_string (opt.compliance)); diff --git a/g10/pubkey-enc.c b/g10/pubkey-enc.c index 013fd2f1b..272562b18 100644 --- a/g10/pubkey-enc.c +++ b/g10/pubkey-enc.c 
@@ -94,7 +94,7 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek) if (!gnupg_pk_is_compliant (opt.compliance, sk->pubkey_algo, sk->pkey, nbits_from_pk (sk), NULL)) - log_info (_("Note: key %s was not suitable for encryption" + log_info (_("Note: key %s is not suitable for encryption" " in %s mode\n"), keystr_from_pk (sk), gnupg_compliance_option_string (opt.compliance)); @@ -132,7 +132,7 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek) if (!gnupg_pk_is_compliant (opt.compliance, sk->pubkey_algo, sk->pkey, nbits_from_pk (sk), NULL)) - log_info (_("Note: key %s was not suitable for encryption" + log_info (_("Note: key %s is not suitable for encryption" " in %s mode\n"), keystr_from_pk (sk), gnupg_compliance_option_string (opt.compliance)); diff --git a/g10/sig-check.c b/g10/sig-check.c index 2a3acc40b..60e988e60 100644 --- a/g10/sig-check.c +++ b/g10/sig-check.c @@ -136,8 +136,7 @@ check_signature2 (ctrl_t ctrl, else if (! gnupg_digest_is_allowed (opt.compliance, 0, sig->digest_algo)) { /* Compliance failure. */ - log_info (_("you may not use digest algorithm '%s'" - " while in %s mode\n"), + log_info (_("digest algorithm '%s' may not be used in %s mode\n"), gcry_md_algo_name (sig->digest_algo), gnupg_compliance_option_string (opt.compliance)); rc = gpg_error (GPG_ERR_DIGEST_ALGO); @@ -162,8 +161,7 @@ check_signature2 (ctrl_t ctrl, NULL)) { /* Compliance failure. */ - log_error (_("key %s is not suitable for signature verification" - " in %s mode\n"), + log_error (_("key %s may not be used for signing in %s mode\n"), keystr_from_pk (pk), gnupg_compliance_option_string (opt.compliance)); rc = gpg_error (GPG_ERR_PUBKEY_ALGO); diff --git a/g10/sign.c b/g10/sign.c index f7dd974fe..4cf0cd39a 100644 --- a/g10/sign.c +++ b/g10/sign.c 
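Review bot: The second sig-check.c hunk (at -162, in check_signature2) now logs `key %s may not be used for signing in %s mode` on a path that verifies a signature; the removed text said "signature verification", so the new message names the wrong operation. Someone triaging a compliance rejection from the log would look for a local signing key rather than the signer's key on an incoming message. A separate msgid for this path avoids that, for example `log_error (_("key %s may not be used for signature verification in %s mode\n"),`. The sm/verify.c hunk uses the same wording directly after a check that passes `PK_USE_VERIFICATION`. check_signature2 starts and ends outside the hunk.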
@@ -281,8 +281,7 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig, /* Check compliance. */ if (! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo)) { - log_error (_("you may not use digest algorithm '%s'" - " while in %s mode\n"), + log_error (_("digest algorithm '%s' may not be used in %s mode\n"), gcry_md_algo_name (mdalgo), gnupg_compliance_option_string (opt.compliance)); err = gpg_error (GPG_ERR_DIGEST_ALGO); @@ -292,7 +291,7 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig, if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pksk->pubkey_algo, pksk->pkey, nbits_from_pk (pksk), NULL)) { - log_error (_("key %s not suitable for signing while in %s mode\n"), + log_error (_("key %s may not be used for signing in %s mode\n"), keystr_from_pk (pksk), gnupg_compliance_option_string (opt.compliance)); err = gpg_error (GPG_ERR_PUBKEY_ALGO); diff --git a/sm/decrypt.c b/sm/decrypt.c index 3de742a25..cdce1d434 100644 --- a/sm/decrypt.c +++ b/sm/decrypt.c @@ -361,8 +361,8 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) /* Check compliance. */ if (! gnupg_cipher_is_allowed (opt.compliance, 0, algo, mode)) { - log_error (_("you may not use cipher algorithm '%s'" - " while in %s mode\n"), + log_error (_("cipher algorithm '%s'" + " may not be used in %s mode\n"), gcry_cipher_algo_name (algo), gnupg_compliance_option_string (opt.compliance)); rc = gpg_error (GPG_ERR_CIPHER_ALGO); @@ -489,7 +489,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) snprintf (kidstr, sizeof kidstr, "0x%08lX", gpgsm_get_short_fingerprint (cert, NULL)); log_info - (_("Note: key %s was not suitable for encryption" + (_("Note: key %s is not suitable for encryption" " in %s mode\n"), kidstr, gnupg_compliance_option_string (opt.compliance)); diff --git a/sm/encrypt.c b/sm/encrypt.c index 0225476e7..6213a6604 100644 --- a/sm/encrypt.c +++ b/sm/encrypt.c 
@@ -412,8 +412,7 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp) (opt.compliance, 1, gcry_cipher_map_name (opt.def_cipher_algoid), gcry_cipher_mode_from_oid (opt.def_cipher_algoid))) { - log_error (_("you may not use cipher algorithm '%s'" - " while in %s mode\n"), + log_error (_("cipher algorithm '%s' may not be used in %s mode\n"), opt.def_cipher_algoid, gnupg_compliance_option_string (opt.compliance)); rc = gpg_error (GPG_ERR_CIPHER_ALGO); diff --git a/sm/gpgsm.c b/sm/gpgsm.c index 4e337fe8c..10eff0a84 100644 --- a/sm/gpgsm.c +++ b/sm/gpgsm.c @@ -1628,8 +1628,7 @@ main ( int argc, char **argv) gcry_cipher_mode_from_oid (opt.def_cipher_algoid), GCRY_CIPHER_MODE_NONE)) - log_error (_("you may not use cipher algorithm '%s'" - " while in %s mode\n"), + log_error (_("cipher algorithm '%s' may not be used in %s mode\n"), opt.def_cipher_algoid, gnupg_compliance_option_string (opt.compliance)); @@ -1639,8 +1638,7 @@ main ( int argc, char **argv) || cmd == aSignEncr || cmd == aClearsign, opt.forced_digest_algo)) - log_error (_("you may not use digest algorithm '%s'" - " while in %s mode\n"), + log_error (_("digest algorithm '%s' may not be used in %s mode\n"), forced_digest_algo, gnupg_compliance_option_string (opt.compliance)); @@ -1650,8 +1648,7 @@ main ( int argc, char **argv) || cmd == aSignEncr || cmd == aClearsign, opt.extra_digest_algo)) - log_error (_("you may not use digest algorithm '%s'" - " while in %s mode\n"), + log_error (_("digest algorithm '%s' may not be used in %s mode\n"), forced_digest_algo, gnupg_compliance_option_string (opt.compliance)); diff --git a/sm/sign.c b/sm/sign.c index 14115017d..24ecad3d7 100644 --- a/sm/sign.c +++ b/sm/sign.c 
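Review bot: In the sm/gpgsm.c hunk at -1650 the check is made on `opt.extra_digest_algo`, but the `'%s'` argument is still `forced_digest_algo`, so the diagnostic would name the wrong algorithm. It could even print an unset string if no forced digest was given. That argument line is unchanged context, and the declarations of the name strings are outside the hunk, so this is inferred from the visible lines only. If `main` holds a matching name string for the extra digest, pass it here: `extra_digest_algo,`. Since the commit is already touching this message, it is a good place to fix the argument as well.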
@@ -475,8 +475,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, /* Check compliance. */ if (! gnupg_digest_is_allowed (opt.compliance, 1, cl->hash_algo)) { - log_error (_("you may not use digest algorithm '%s'" - " while in %s mode\n"), + log_error (_("digest algorithm '%s' may not be used in %s mode\n"), gcry_md_algo_name (cl->hash_algo), gnupg_compliance_option_string (opt.compliance)); err = gpg_error (GPG_ERR_DIGEST_ALGO); @@ -490,9 +489,12 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist, if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, NULL, nbits, NULL)) { - log_error ("certificate ID 0x%08lX not suitable for " - "signing while in %s mode\n", - gpgsm_get_short_fingerprint (cl->cert, NULL), + char kidstr[10+1]; + + snprintf (kidstr, sizeof kidstr, "0x%08lX", + gpgsm_get_short_fingerprint (cl->cert, NULL)); + log_error (_("key %s may not be used for signing in %s mode\n"), + kidstr, gnupg_compliance_option_string (opt.compliance)); err = gpg_error (GPG_ERR_PUBKEY_ALGO); goto leave; diff --git a/sm/verify.c b/sm/verify.c index f79c0aeb8..10b3f4378 100644 --- a/sm/verify.c +++ b/sm/verify.c 
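Review bot: `kidstr[10+1]` in the sm/sign.c hunk at -490 only fits "0x" plus eight hex digits, and `%08lX` sets a minimum width, not a maximum. If `gpgsm_get_short_fingerprint` (declared outside this diff, apparently returning an unsigned long) ever yields more than 32 bits, `snprintf` will silently cut the ID that ends up in the log. The write itself stays bounded, so this is about the diagnostic staying accurate rather than memory safety. A one-line comment would record the assumption, for example `/* "0x" + 8 hex digits + NUL; the short fingerprint is assumed to fit in 32 bits. */`. The sm/verify.c hunk adds the same buffer.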
@@ -458,17 +458,19 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp) if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, pk_algo, NULL, nbits, NULL)) { - log_error ("certificate ID 0x%08lX not suitable for " - "verification while in %s mode\n", - gpgsm_get_short_fingerprint (cert, NULL), + char kidstr[10+1]; + + snprintf (kidstr, sizeof kidstr, "0x%08lX", + gpgsm_get_short_fingerprint (cert, NULL)); + log_error (_("key %s may not be used for signing in %s mode\n"), + kidstr, gnupg_compliance_option_string (opt.compliance)); goto next_signer; } if (! gnupg_digest_is_allowed (opt.compliance, 0, sigval_hash_algo)) { - log_error (_("you may not use digest algorithm '%s'" - " while in %s mode\n"), + log_error (_("digest algorithm '%s' may not be used in %s mode\n"), gcry_md_algo_name (sigval_hash_algo), gnupg_compliance_option_string (opt.compliance)); goto next_signer;