security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-04-11 22:01:08 +02:00
Code Activity

gpg,sm: String changes for compliance diagnostics.

Browse Source 
Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2017-07-28 17:46:43 +02:00
parent 5cf95157c5
commit efe187e8a2
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
12 changed files with 48 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
g10/decrypt-data.c
View File

@ -102,8 +102,7 @@ decrypt_data (ctrl_t ctrl, void *procctx, PKT_encrypted *ed, DEK *dek)
if (! gnupg_cipher_is_allowed (opt.compliance, 0, dek->algo, if (! gnupg_cipher_is_allowed (opt.compliance, 0, dek->algo,
GCRY_CIPHER_MODE_CFB)) GCRY_CIPHER_MODE_CFB))
{ {
log_error (_("you may not use cipher algorithm '%s'" log_error (_("cipher algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
openpgp_cipher_algo_name (dek->algo), openpgp_cipher_algo_name (dek->algo),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
rc = gpg_error (GPG_ERR_CIPHER_ALGO); rc = gpg_error (GPG_ERR_CIPHER_ALGO);

5
g10/encrypt.c
View File

@ -628,8 +628,7 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
if (! gnupg_cipher_is_allowed (opt.compliance, 1, cfx.dek->algo, if (! gnupg_cipher_is_allowed (opt.compliance, 1, cfx.dek->algo,
GCRY_CIPHER_MODE_CFB)) GCRY_CIPHER_MODE_CFB))
{ {
log_error (_("you may not use cipher algorithm '%s'" log_error (_("cipher algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
openpgp_cipher_algo_name (cfx.dek->algo), openpgp_cipher_algo_name (cfx.dek->algo),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
rc = gpg_error (GPG_ERR_CIPHER_ALGO); rc = gpg_error (GPG_ERR_CIPHER_ALGO);
@ -996,7 +995,7 @@ write_pubkey_enc_from_list (ctrl_t ctrl, PK_LIST pk_list, DEK *dek, iobuf_t out)
{ {
if (opt.throw_keyids && (PGP6 || PGP7 || PGP8)) if (opt.throw_keyids && (PGP6 || PGP7 || PGP8))
{ {
log_info(_("you may not use %s while in %s mode\n"), log_info(_("option '%s' may not be used in %s mode\n"),
"--throw-keyids", "--throw-keyids",
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
compliance_failure(); compliance_failure();

31
g10/gpg.c
View File

@ -3860,19 +3860,22 @@ main (int argc, char **argv)
switch(badtype) switch(badtype)
{ {
case PREFTYPE_SYM: case PREFTYPE_SYM:
log_info(_("you may not use cipher algorithm '%s'" log_info (_("cipher algorithm '%s'"
" while in %s mode\n"), " may not be used in %s mode\n"),
badalg, gnupg_compliance_option_string (opt.compliance)); badalg,
gnupg_compliance_option_string (opt.compliance));
break; break;
case PREFTYPE_HASH: case PREFTYPE_HASH:
log_info(_("you may not use digest algorithm '%s'" log_info (_("digest algorithm '%s'"
" while in %s mode\n"), " may not be used in %s mode\n"),
badalg, gnupg_compliance_option_string (opt.compliance)); badalg,
gnupg_compliance_option_string (opt.compliance));
break; break;
case PREFTYPE_ZIP: case PREFTYPE_ZIP:
log_info(_("you may not use compression algorithm '%s'" log_info (_("compression algorithm '%s'"
" while in %s mode\n"), " may not be used in %s mode\n"),
badalg, gnupg_compliance_option_string (opt.compliance)); badalg,
gnupg_compliance_option_string (opt.compliance));
break; break;
default: default:
BUG(); BUG();
@ -3897,8 +3900,7 @@ main (int argc, char **argv)
|| cmd == aSignEncrSym, || cmd == aSignEncrSym,
opt.def_cipher_algo, opt.def_cipher_algo,
GCRY_CIPHER_MODE_NONE)) GCRY_CIPHER_MODE_NONE))
log_error (_("you may not use cipher algorithm '%s'" log_error (_("cipher algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
openpgp_cipher_algo_name (opt.def_cipher_algo), openpgp_cipher_algo_name (opt.def_cipher_algo),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
@ -3910,8 +3912,7 @@ main (int argc, char **argv)
|| cmd == aSignSym || cmd == aSignSym
|| cmd == aClearsign, || cmd == aClearsign,
opt.def_digest_algo)) opt.def_digest_algo))
log_error (_("you may not use digest algorithm '%s'" log_error (_("digest algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
gcry_md_algo_name (opt.def_digest_algo), gcry_md_algo_name (opt.def_digest_algo),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
@ -4128,7 +4129,7 @@ main (int argc, char **argv)
" with --s2k-mode 0\n")); " with --s2k-mode 0\n"));
else if(PGP6 || PGP7) else if(PGP6 || PGP7)
log_error(_("you cannot use --symmetric --encrypt" log_error(_("you cannot use --symmetric --encrypt"
" while in %s mode\n"), " in %s mode\n"),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
else else
{ {
@ -4189,7 +4190,7 @@ main (int argc, char **argv)
" with --s2k-mode 0\n")); " with --s2k-mode 0\n"));
else if(PGP6 || PGP7) else if(PGP6 || PGP7)
log_error(_("you cannot use --symmetric --sign --encrypt" log_error(_("you cannot use --symmetric --sign --encrypt"
" while in %s mode\n"), " in %s mode\n"),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
else else
{ {

4
g10/pkclist.c
View File

@ -1026,7 +1026,7 @@ build_pk_list (ctrl_t ctrl, strlist_t rcpts, PK_LIST *ret_pk_list)
issue a warning and switch into GnuPG mode. */ issue a warning and switch into GnuPG mode. */
if ((rov->flags & PK_LIST_HIDDEN) && (PGP6 || PGP7 || PGP8)) if ((rov->flags & PK_LIST_HIDDEN) && (PGP6 || PGP7 || PGP8))
{ {
log_info(_("you may not use %s while in %s mode\n"), log_info(_("option '%s' may not be used in %s mode\n"),
"--hidden-recipient", "--hidden-recipient",
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
@ -1077,7 +1077,7 @@ build_pk_list (ctrl_t ctrl, strlist_t rcpts, PK_LIST *ret_pk_list)
GnuPG mode. */ GnuPG mode. */
if ((r->flags&PK_LIST_ENCRYPT_TO) && (PGP6 || PGP7 || PGP8)) if ((r->flags&PK_LIST_ENCRYPT_TO) && (PGP6 || PGP7 || PGP8))
{ {
log_info(_("you may not use %s while in %s mode\n"), log_info(_("option '%s' may not be used in %s mode\n"),
"--hidden-encrypt-to", "--hidden-encrypt-to",
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));

4
g10/pubkey-enc.c
View File

@ -94,7 +94,7 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
if (!gnupg_pk_is_compliant (opt.compliance, if (!gnupg_pk_is_compliant (opt.compliance,
sk->pubkey_algo, sk->pubkey_algo,
sk->pkey, nbits_from_pk (sk), NULL)) sk->pkey, nbits_from_pk (sk), NULL))
log_info (_("Note: key %s was not suitable for encryption" log_info (_("Note: key %s is not suitable for encryption"
" in %s mode\n"), " in %s mode\n"),
keystr_from_pk (sk), keystr_from_pk (sk),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
@ -132,7 +132,7 @@ get_session_key (ctrl_t ctrl, PKT_pubkey_enc * k, DEK * dek)
if (!gnupg_pk_is_compliant (opt.compliance, if (!gnupg_pk_is_compliant (opt.compliance,
sk->pubkey_algo, sk->pubkey_algo,
sk->pkey, nbits_from_pk (sk), NULL)) sk->pkey, nbits_from_pk (sk), NULL))
log_info (_("Note: key %s was not suitable for encryption" log_info (_("Note: key %s is not suitable for encryption"
" in %s mode\n"), " in %s mode\n"),
keystr_from_pk (sk), keystr_from_pk (sk),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));

6
g10/sig-check.c
View File

@ -136,8 +136,7 @@ check_signature2 (ctrl_t ctrl,
else if (! gnupg_digest_is_allowed (opt.compliance, 0, sig->digest_algo)) else if (! gnupg_digest_is_allowed (opt.compliance, 0, sig->digest_algo))
{ {
/* Compliance failure. */ /* Compliance failure. */
log_info (_("you may not use digest algorithm '%s'" log_info (_("digest algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
gcry_md_algo_name (sig->digest_algo), gcry_md_algo_name (sig->digest_algo),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
rc = gpg_error (GPG_ERR_DIGEST_ALGO); rc = gpg_error (GPG_ERR_DIGEST_ALGO);
@ -162,8 +161,7 @@ check_signature2 (ctrl_t ctrl,
NULL)) NULL))
{ {
/* Compliance failure. */ /* Compliance failure. */
log_error (_("key %s is not suitable for signature verification" log_error (_("key %s may not be used for signing in %s mode\n"),
" in %s mode\n"),
keystr_from_pk (pk), keystr_from_pk (pk),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
rc = gpg_error (GPG_ERR_PUBKEY_ALGO); rc = gpg_error (GPG_ERR_PUBKEY_ALGO);

5
g10/sign.c
View File

@ -281,8 +281,7 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
/* Check compliance. */ /* Check compliance. */
if (! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo)) if (! gnupg_digest_is_allowed (opt.compliance, 1, mdalgo))
{ {
log_error (_("you may not use digest algorithm '%s'" log_error (_("digest algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
gcry_md_algo_name (mdalgo), gcry_md_algo_name (mdalgo),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
err = gpg_error (GPG_ERR_DIGEST_ALGO); err = gpg_error (GPG_ERR_DIGEST_ALGO);
@ -292,7 +291,7 @@ do_sign (ctrl_t ctrl, PKT_public_key *pksk, PKT_signature *sig,
if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pksk->pubkey_algo, if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pksk->pubkey_algo,
pksk->pkey, nbits_from_pk (pksk), NULL)) pksk->pkey, nbits_from_pk (pksk), NULL))
{ {
log_error (_("key %s not suitable for signing while in %s mode\n"), log_error (_("key %s may not be used for signing in %s mode\n"),
keystr_from_pk (pksk), keystr_from_pk (pksk),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
err = gpg_error (GPG_ERR_PUBKEY_ALGO); err = gpg_error (GPG_ERR_PUBKEY_ALGO);

6
sm/decrypt.c
View File

@ -361,8 +361,8 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
/* Check compliance. */ /* Check compliance. */
if (! gnupg_cipher_is_allowed (opt.compliance, 0, algo, mode)) if (! gnupg_cipher_is_allowed (opt.compliance, 0, algo, mode))
{ {
log_error (_("you may not use cipher algorithm '%s'" log_error (_("cipher algorithm '%s'"
" while in %s mode\n"), " may not be used in %s mode\n"),
gcry_cipher_algo_name (algo), gcry_cipher_algo_name (algo),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
rc = gpg_error (GPG_ERR_CIPHER_ALGO); rc = gpg_error (GPG_ERR_CIPHER_ALGO);
@ -489,7 +489,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
snprintf (kidstr, sizeof kidstr, "0x%08lX", snprintf (kidstr, sizeof kidstr, "0x%08lX",
gpgsm_get_short_fingerprint (cert, NULL)); gpgsm_get_short_fingerprint (cert, NULL));
log_info log_info
(_("Note: key %s was not suitable for encryption" (_("Note: key %s is not suitable for encryption"
" in %s mode\n"), " in %s mode\n"),
kidstr, kidstr,
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));

3
sm/encrypt.c
View File

@ -412,8 +412,7 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
(opt.compliance, 1, gcry_cipher_map_name (opt.def_cipher_algoid), (opt.compliance, 1, gcry_cipher_map_name (opt.def_cipher_algoid),
gcry_cipher_mode_from_oid (opt.def_cipher_algoid))) gcry_cipher_mode_from_oid (opt.def_cipher_algoid)))
{ {
log_error (_("you may not use cipher algorithm '%s'" log_error (_("cipher algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
opt.def_cipher_algoid, opt.def_cipher_algoid,
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
rc = gpg_error (GPG_ERR_CIPHER_ALGO); rc = gpg_error (GPG_ERR_CIPHER_ALGO);

9
sm/gpgsm.c
View File

@ -1628,8 +1628,7 @@ main ( int argc, char **argv)
gcry_cipher_mode_from_oid gcry_cipher_mode_from_oid
(opt.def_cipher_algoid), (opt.def_cipher_algoid),
GCRY_CIPHER_MODE_NONE)) GCRY_CIPHER_MODE_NONE))
log_error (_("you may not use cipher algorithm '%s'" log_error (_("cipher algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
opt.def_cipher_algoid, opt.def_cipher_algoid,
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
@ -1639,8 +1638,7 @@ main ( int argc, char **argv)
|| cmd == aSignEncr || cmd == aSignEncr
|| cmd == aClearsign, || cmd == aClearsign,
opt.forced_digest_algo)) opt.forced_digest_algo))
log_error (_("you may not use digest algorithm '%s'" log_error (_("digest algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
forced_digest_algo, forced_digest_algo,
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
@ -1650,8 +1648,7 @@ main ( int argc, char **argv)
|| cmd == aSignEncr || cmd == aSignEncr
|| cmd == aClearsign, || cmd == aClearsign,
opt.extra_digest_algo)) opt.extra_digest_algo))
log_error (_("you may not use digest algorithm '%s'" log_error (_("digest algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
forced_digest_algo, forced_digest_algo,
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));

12
sm/sign.c
View File

@ -475,8 +475,7 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
/* Check compliance. */ /* Check compliance. */
if (! gnupg_digest_is_allowed (opt.compliance, 1, cl->hash_algo)) if (! gnupg_digest_is_allowed (opt.compliance, 1, cl->hash_algo))
{ {
log_error (_("you may not use digest algorithm '%s'" log_error (_("digest algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
gcry_md_algo_name (cl->hash_algo), gcry_md_algo_name (cl->hash_algo),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
err = gpg_error (GPG_ERR_DIGEST_ALGO); err = gpg_error (GPG_ERR_DIGEST_ALGO);
@ -490,9 +489,12 @@ gpgsm_sign (ctrl_t ctrl, certlist_t signerlist,
if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo, if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_SIGNING, pk_algo,
NULL, nbits, NULL)) NULL, nbits, NULL))
{ {
log_error ("certificate ID 0x%08lX not suitable for " char kidstr[10+1];
"signing while in %s mode\n",
gpgsm_get_short_fingerprint (cl->cert, NULL), snprintf (kidstr, sizeof kidstr, "0x%08lX",
gpgsm_get_short_fingerprint (cl->cert, NULL));
log_error (_("key %s may not be used for signing in %s mode\n"),
kidstr,
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
err = gpg_error (GPG_ERR_PUBKEY_ALGO); err = gpg_error (GPG_ERR_PUBKEY_ALGO);
goto leave; goto leave;

12
sm/verify.c
View File

@ -458,17 +458,19 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION, if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
pk_algo, NULL, nbits, NULL)) pk_algo, NULL, nbits, NULL))
{ {
log_error ("certificate ID 0x%08lX not suitable for " char kidstr[10+1];
"verification while in %s mode\n",
gpgsm_get_short_fingerprint (cert, NULL), snprintf (kidstr, sizeof kidstr, "0x%08lX",
gpgsm_get_short_fingerprint (cert, NULL));
log_error (_("key %s may not be used for signing in %s mode\n"),
kidstr,
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
goto next_signer; goto next_signer;
} }
if (! gnupg_digest_is_allowed (opt.compliance, 0, sigval_hash_algo)) if (! gnupg_digest_is_allowed (opt.compliance, 0, sigval_hash_algo))
{ {
log_error (_("you may not use digest algorithm '%s'" log_error (_("digest algorithm '%s' may not be used in %s mode\n"),
" while in %s mode\n"),
gcry_md_algo_name (sigval_hash_algo), gcry_md_algo_name (sigval_hash_algo),
gnupg_compliance_option_string (opt.compliance)); gnupg_compliance_option_string (opt.compliance));
goto next_signer; goto next_signer;