security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

gpgsm: New option --require-compliance

Browse Source 
* sm/gpgsm.c (oRequireCompliance): New.
(opts): Add --require-compliance.
(main): Set option.
* sm/gpgsm.h (opt): Add field require_compliance.
(gpgsm_errors_seen): Declare.
* sm/verify.c (gpgsm_verify): Emit error if non de-vs compliant.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
--
This commit is contained in:
Werner Koch 2022-03-08 19:06:30 +01:00
parent ee013c5350
commit f8075257af
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
6 changed files with 46 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
doc/gpgsm.texi
View File

@ -699,6 +699,17 @@ This option adjusts the compliance mode "de-vs" for stricter key size
requirements. For example, a value of 3000 turns rsa2048 and dsa2048 requirements. For example, a value of 3000 turns rsa2048 and dsa2048
keys into non-VS-NfD compliant keys. keys into non-VS-NfD compliant keys.
@item --require-compliance
@opindex require-compliance
To check that data has been encrypted according to the rules of the
current compliance mode, a gpgsm user needs to evaluate the status
lines. This is allows frontends to handle compliance check in a more
flexible way. However, for scripted use the required evaluation of
the status-line requires quite some effort; this option can be used
instead to make sure that the gpgsm process exits with a failure if
the compliance rules are not fulfilled. Note that this option has
currently an effect only in "de-vs" mode.
@item --ignore-cert-with-oid @var{oid} @item --ignore-cert-with-oid @var{oid}
@opindex ignore-cert-with-oid @opindex ignore-cert-with-oid
Add @var{oid} to the list of OIDs to be checked while reading Add @var{oid} to the list of OIDs to be checked while reading

8
sm/decrypt.c
View File

@ -1389,7 +1389,13 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp)
&& gnupg_gcrypt_is_compliant (CO_DE_VS)) && gnupg_gcrypt_is_compliant (CO_DE_VS))
gpgsm_status (ctrl, STATUS_DECRYPTION_COMPLIANCE_MODE, gpgsm_status (ctrl, STATUS_DECRYPTION_COMPLIANCE_MODE,
gnupg_status_compliance_flag (CO_DE_VS)); gnupg_status_compliance_flag (CO_DE_VS));
else if (opt.require_compliance
&& opt.compliance == CO_DE_VS)
{
log_error (_("operation forced to fail due to"
" unfulfilled compliance rules\n"));
gpgsm_errors_seen = 1;
}
} }
audit_log_ok (ctrl->audit, AUDIT_RECP_RESULT, rc); audit_log_ok (ctrl->audit, AUDIT_RECP_RESULT, rc);
} }

9
sm/encrypt.c
View File

@ -811,6 +811,15 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
if (compliant && gnupg_gcrypt_is_compliant (CO_DE_VS)) if (compliant && gnupg_gcrypt_is_compliant (CO_DE_VS))
gpgsm_status (ctrl, STATUS_ENCRYPTION_COMPLIANCE_MODE, gpgsm_status (ctrl, STATUS_ENCRYPTION_COMPLIANCE_MODE,
gnupg_status_compliance_flag (CO_DE_VS)); gnupg_status_compliance_flag (CO_DE_VS));
else if (opt.require_compliance
&& opt.compliance == CO_DE_VS)
{
log_error (_("operation forced to fail due to"
" unfulfilled compliance rules\n"));
gpgsm_errors_seen = 1;
rc = gpg_error (GPG_ERR_FORBIDDEN);
goto leave;
}
/* Main control loop for encryption. */ /* Main control loop for encryption. */
recpno = 0; recpno = 0;

7
sm/gpgsm.c
View File

@ -209,6 +209,7 @@ enum cmd_and_opt_values {
oChUid, oChUid,
oUseKeyboxd, oUseKeyboxd,
oKeyboxdProgram, oKeyboxdProgram,
oRequireCompliance,
oNoAutostart oNoAutostart
}; };
@ -301,6 +302,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oPolicyFile, "policy-file", ARGPARSE_s_s (oPolicyFile, "policy-file",
N_("|FILE|take policy information from FILE")), N_("|FILE|take policy information from FILE")),
ARGPARSE_s_s (oCompliance, "compliance", "@"), ARGPARSE_s_s (oCompliance, "compliance", "@"),
ARGPARSE_p_u (oMinRSALength, "min-rsa-length", "@"),
ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"), ARGPARSE_s_n (oNoCommonCertsImport, "no-common-certs-import", "@"),
ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"), ARGPARSE_s_s (oIgnoreCertExtension, "ignore-cert-extension", "@"),
ARGPARSE_s_s (oIgnoreCertWithOID, "ignore-cert-with-oid", "@"), ARGPARSE_s_s (oIgnoreCertWithOID, "ignore-cert-with-oid", "@"),
@ -407,7 +409,7 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oDisablePubkeyAlgo, "disable-pubkey-algo", "@"), ARGPARSE_s_s (oDisablePubkeyAlgo, "disable-pubkey-algo", "@"),
ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"), ARGPARSE_s_n (oIgnoreTimeConflict, "ignore-time-conflict", "@"),
ARGPARSE_s_n (oNoRandomSeedFile, "no-random-seed-file", "@"), ARGPARSE_s_n (oNoRandomSeedFile, "no-random-seed-file", "@"),
ARGPARSE_p_u (oMinRSALength, "min-rsa-length", "@"), ARGPARSE_s_n (oRequireCompliance, "require-compliance", "@"),
ARGPARSE_header (NULL, N_("Options for unattended use")), ARGPARSE_header (NULL, N_("Options for unattended use")),
@ -441,7 +443,6 @@ static gpgrt_opt_t opts[] = {
ARGPARSE_s_s (oXauthority, "xauthority", "@"), ARGPARSE_s_s (oXauthority, "xauthority", "@"),
ARGPARSE_s_s (oChUid, "chuid", "@"), ARGPARSE_s_s (oChUid, "chuid", "@"),
ARGPARSE_header (NULL, ""), /* Stop the header group. */ ARGPARSE_header (NULL, ""), /* Stop the header group. */
@ -1459,6 +1460,8 @@ main ( int argc, char **argv)
case oMinRSALength: opt.min_rsa_length = pargs.r.ret_ulong; break; case oMinRSALength: opt.min_rsa_length = pargs.r.ret_ulong; break;
case oRequireCompliance: opt.require_compliance = 1; break;
default: default:
if (configname) if (configname)
pargs.err = ARGPARSE_PRINT_WARNING; pargs.err = ARGPARSE_PRINT_WARNING;

7
sm/gpgsm.h
View File

@ -155,8 +155,13 @@ struct
* sunch an OID during --learn-card. */ * sunch an OID during --learn-card. */
strlist_t ignore_cert_with_oid; strlist_t ignore_cert_with_oid;
/* The current compliance mode. */
enum gnupg_compliance_mode compliance; enum gnupg_compliance_mode compliance;
/* Fail if an operation can't be done in the requested compliance
* mode. */
int require_compliance;
/* Enable creation of authenticode signatures. */ /* Enable creation of authenticode signatures. */
int authenticode; int authenticode;
@ -274,6 +279,8 @@ struct rootca_flags_s
/*-- gpgsm.c --*/ /*-- gpgsm.c --*/
extern int gpgsm_errors_seen;
void gpgsm_exit (int rc); void gpgsm_exit (int rc);
void gpgsm_init_default_ctrl (struct server_control_s *ctrl); void gpgsm_init_default_ctrl (struct server_control_s *ctrl);
void gpgsm_deinit_default_ctrl (ctrl_t ctrl); void gpgsm_deinit_default_ctrl (ctrl_t ctrl);

7
sm/verify.c
View File

@ -520,6 +520,13 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
&& gnupg_digest_is_compliant (CO_DE_VS, sigval_hash_algo)) && gnupg_digest_is_compliant (CO_DE_VS, sigval_hash_algo))
gpgsm_status (ctrl, STATUS_VERIFICATION_COMPLIANCE_MODE, gpgsm_status (ctrl, STATUS_VERIFICATION_COMPLIANCE_MODE,
gnupg_status_compliance_flag (CO_DE_VS)); gnupg_status_compliance_flag (CO_DE_VS));
else if (opt.require_compliance
&& opt.compliance == CO_DE_VS)
{
log_error (_("operation forced to fail due to"
" unfulfilled compliance rules\n"));
gpgsm_errors_seen = 1;
}
/* Now we can check the signature. */ /* Now we can check the signature. */