gpgsm: New option --require-compliance

* sm/gpgsm.c (oRequireCompliance): New. (opts): Add --require-compliance. (main): Set option. * sm/gpgsm.h (opt): Add field require_compliance. (gpgsm_errors_seen): Declare. * sm/verify.c (gpgsm_verify): Emit error if non de-vs compliant. * sm/encrypt.c (gpgsm_encrypt): Ditto. * sm/decrypt.c (gpgsm_decrypt): Ditto. --
2025-07-02 22:46:30 +02:00 · 2022-03-08 19:06:30 +01:00 · 2022-03-08 19:06:30 +01:00 · f8075257af
commit f8075257af
parent ee013c5350
6 changed files with 46 additions and 3 deletions
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@ -811,6 +811,15 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
  if (compliant && gnupg_gcrypt_is_compliant (CO_DE_VS))
    gpgsm_status (ctrl, STATUS_ENCRYPTION_COMPLIANCE_MODE,
                  gnupg_status_compliance_flag (CO_DE_VS));
+  else if (opt.require_compliance
+           && opt.compliance == CO_DE_VS)
+    {
+      log_error (_("operation forced to fail due to"
+                   " unfulfilled compliance rules\n"));
+      gpgsm_errors_seen = 1;
+      rc = gpg_error (GPG_ERR_FORBIDDEN);
+      goto leave;
+    }

  /* Main control loop for encryption. */
  recpno = 0;