diff options
| author | Justus Winter <justus@g10code.com> | 2017-05-30 14:30:24 +0200 |
|---|---|---|
| committer | Justus Winter <justus@g10code.com> | 2017-06-01 13:16:18 +0200 |
| commit | be8ca8852629786266db4d3d69b2c2fb03bd6365 (patch) | |
| tree | 7f0b3de344c5ff6265c480b74b016d2799540605 /sm/decrypt.c | |
| parent | common: Improve checking for compliance with CO_DE_VS. (diff) | |
| download | gnupg2-be8ca8852629786266db4d3d69b2c2fb03bd6365.tar.xz gnupg2-be8ca8852629786266db4d3d69b2c2fb03bd6365.zip | |
gpg: Report compliance with CO_DE_VS.
* common/compliance.c (gnupg_pk_is_compliant): Add DSA with certain
parameters.
(gnupg_cipher_is_compliant): New function.
(gnupg_digest_is_compliant): Likewise.
* common/compliance.h (gnupg_cipher_is_compliant): New prototype.
(gnupg_digest_is_compliant): Likewise.
* common/status.h (STATUS_DECRYPTION_COMPLIANCE_MODE): New status.
(STATUS_VERIFICATION_COMPLIANCE_MODE): Likewise.
* doc/DETAILS: Document the new status lines.
* g10/mainproc.c (proc_encrypted): Compute compliance with CO_DE_VS
and report that using the new status line.
(check_sig_and_print): Likewise.
* sm/decrypt.c (gpgsm_decrypt): Likewise.
* sm/verify.c (gpgsm_verify): Likewise.
--
When decrypting data and verifying signatures, report whether the
operations are in compliance with the criteria for data classified as
VS-NfD. This information will be picked up by the frontend and
presented to the user.
GnuPG-bug-id: 3059
Signed-off-by: Justus Winter <justus@g10code.com>
Diffstat (limited to 'sm/decrypt.c')
| -rw-r--r-- | sm/decrypt.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/sm/decrypt.c b/sm/decrypt.c index f8b01994c..aa621ddf3 100644 --- a/sm/decrypt.c +++ b/sm/decrypt.c @@ -32,6 +32,7 @@ #include "keydb.h" #include "../common/i18n.h" +#include "../common/compliance.h" struct decrypt_filter_parm_s { @@ -325,6 +326,7 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) int algo, mode; const char *algoid; int any_key = 0; + int is_de_vs; /* Computed compliance with CO_DE_VS. */ audit_log (ctrl->audit, AUDIT_GOT_DATA); @@ -356,6 +358,10 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) goto leave; } + /* For CMS, CO_DE_VS demands CBC mode. */ + is_de_vs = (mode == GCRY_CIPHER_MODE_CBC + && gnupg_cipher_is_compliant (CO_DE_VS, algo)); + audit_log_i (ctrl->audit, AUDIT_DATA_CIPHER_ALGO, algo); dfparm.algo = algo; dfparm.mode = mode; @@ -460,7 +466,21 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) hexkeygrip = gpgsm_get_keygrip_hexstring (cert); desc = gpgsm_format_keydesc (cert); + /* Check that all certs are compliant with CO_DE_VS. */ + if (is_de_vs) + { + unsigned int nbits; + int pk_algo = gpgsm_get_key_algo_info (cert, &nbits); + + is_de_vs = gnupg_pk_is_compliant (CO_DE_VS, pk_algo, NULL, + nbits, NULL); + } + oops: + if (rc) + /* We cannot check compliance of certs that we + * don't have. */ + is_de_vs = 0; xfree (issuer); xfree (serial); ksba_cert_release (cert); @@ -489,6 +509,11 @@ gpgsm_decrypt (ctrl_t ctrl, int in_fd, estream_t out_fp) ksba_writer_set_filter (writer, decrypt_filter, &dfparm); + + if (is_de_vs) + gpgsm_status (ctrl, STATUS_DECRYPTION_COMPLIANCE_MODE, + gnupg_status_compliance_flag (CO_DE_VS)); + } audit_log_ok (ctrl->audit, AUDIT_RECP_RESULT, rc); } |