authorWerner Koch <[email protected]>2022-10-31 16:23:41 +0000
committerWerner Koch <[email protected]>2022-10-31 16:23:41 +0000
commit0a355b2fe7d8a6b6dfc38077cc0b909f555d8299 (patch)
tree1a605eac93d3449911ff907f3800b21f99eca54f
parentgpg: New option --compatibility-flags (diff)
downloadgnupg-0a355b2fe7d8a6b6dfc38077cc0b909f555d8299.tar.gz
gnupg-0a355b2fe7d8a6b6dfc38077cc0b909f555d8299.zip
gpg: Add compatibility flag "vsd-allow-ocb"
* common/compliance.h (enum gnupg_co_extra_infos): New. * common/compliance.c (vsd_allow_ocb): New. (gnupg_cipher_is_compliant): Allow OCB if flag is set. (gnupg_cipher_is_allowed): Ditto. (gnupg_set_compliance_extra_info): Change to take two args. Adjust callers. * g10/gpg.c (compatibility_flags): Add "vsd-allow-ocb". (main): And set it. * g10/options.h (COMPAT_VSD_ALLOW_OCB): New. -- This is a temporary flag until the new mode has been evaluated and can always be enabled. GnuPG-bug-id: 6263
-rw-r--r--common/compliance.c24
-rw-r--r--common/compliance.h11
-rw-r--r--g10/gpg.c5
-rw-r--r--g10/options.h2
-rw-r--r--sm/gpgsm.c2
5 files changed, 35 insertions, 9 deletions
diff --git a/common/compliance.c b/common/compliance.c
index eaecee7b0..9f407fad2 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -45,6 +45,9 @@ static int module;
* using a confue file. */
static unsigned int min_compliant_rsa_length;
+/* Temporary hack to allow OCB mode in de-vs mode. */
+static unsigned int vsd_allow_ocb;
+
/* Return the address of a compliance cache variable for COMPLIANCE.
* If no such variable exists NULL is returned. FOR_RNG returns the
* cache variable for the RNG compliance check. */
@@ -380,7 +383,8 @@ gnupg_cipher_is_compliant (enum gnupg_compliance_mode compliance,
switch (module)
{
case GNUPG_MODULE_NAME_GPG:
- return mode == GCRY_CIPHER_MODE_CFB;
+ return (mode == GCRY_CIPHER_MODE_CFB
+ || (vsd_allow_ocb && mode == GCRY_CIPHER_MODE_OCB));
case GNUPG_MODULE_NAME_GPGSM:
return mode == GCRY_CIPHER_MODE_CBC;
}
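Review bot: With the flag set, `gnupg_cipher_is_compliant` now returns true for OCB in the `GNUPG_MODULE_NAME_GPG` case, so any caller that reports de-vs compliance from this result will presumably report it for a mode the commit message describes as not yet evaluated. The same condition is repeated in the two `gnupg_cipher_is_allowed` hunks that follow. A comment at this return would keep the caveat next to the code, for example `/* OCB counts as compliant only while the temporary vsd-allow-ocb flag is set; drop this once the mode has been evaluated. */`. The function starts and ends outside the hunk, so whether callers distinguish this case in their status output cannot be seen here.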
@@ -424,7 +428,8 @@ gnupg_cipher_is_allowed (enum gnupg_compliance_mode compliance, int producer,
{
case GNUPG_MODULE_NAME_GPG:
return (mode == GCRY_CIPHER_MODE_NONE
- || mode == GCRY_CIPHER_MODE_CFB);
+ || mode == GCRY_CIPHER_MODE_CFB
+ || (vsd_allow_ocb && mode == GCRY_CIPHER_MODE_OCB));
case GNUPG_MODULE_NAME_GPGSM:
return (mode == GCRY_CIPHER_MODE_NONE
|| mode == GCRY_CIPHER_MODE_CBC
@@ -441,7 +446,8 @@ gnupg_cipher_is_allowed (enum gnupg_compliance_mode compliance, int producer,
case CIPHER_ALGO_TWOFISH:
return (module == GNUPG_MODULE_NAME_GPG
&& (mode == GCRY_CIPHER_MODE_NONE
- || mode == GCRY_CIPHER_MODE_CFB)
+ || mode == GCRY_CIPHER_MODE_CFB
+ || (vsd_allow_ocb && mode == GCRY_CIPHER_MODE_OCB))
&& ! producer);
default:
return 0;
@@ -696,7 +702,15 @@ gnupg_compliance_option_string (enum gnupg_compliance_mode compliance)
/* Set additional infos for example taken from config files at startup. */
void
-gnupg_set_compliance_extra_info (unsigned int min_rsa)
+gnupg_set_compliance_extra_info (enum gnupg_co_extra_infos what,
+ unsigned int value)
{
- min_compliant_rsa_length = min_rsa;
+ switch (what)
+ {
+ case CO_EXTRA_INFO_MIN_RSA:
+ min_compliant_rsa_length = value;
+ break;
+ case CO_EXTRA_INFO_VSD_ALLOW_OCB:
+ vsd_allow_ocb = value;
+ }
}
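Review bot: The `CO_EXTRA_INFO_VSD_ALLOW_OCB` case ends without `break;` and the switch has no `default`, so a selector appended later would be reached by fall-through from this case, and an unknown selector is ignored silently. I would end the case with `vsd_allow_ocb = !!value;` followed by `break;`, which also keeps the variable a strict 0/1, matching its use as a truth value in the mode checks. The comment above the function still reads as for the old single-argument form; it could state that WHAT selects the setting and VALUE is the minimum RSA length or a boolean respectively.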
diff --git a/common/compliance.h b/common/compliance.h
index e29ff4ee2..bd805258a 100644
--- a/common/compliance.h
+++ b/common/compliance.h
@@ -36,12 +36,14 @@
void gnupg_initialize_compliance (int gnupg_module_name);
+
enum gnupg_compliance_mode
{
CO_GNUPG, CO_RFC4880, CO_RFC2440,
CO_PGP6, CO_PGP7, CO_PGP8, CO_DE_VS
};
+
enum pk_use_case
{
PK_USE_ENCRYPTION, PK_USE_DECRYPTION,
@@ -91,7 +93,14 @@ int gnupg_parse_compliance_option (const char *string,
const char *gnupg_compliance_option_string (enum gnupg_compliance_mode
compliance);
-void gnupg_set_compliance_extra_info (unsigned int min_rsa);
+enum gnupg_co_extra_infos
+ {
+ CO_EXTRA_INFO_MIN_RSA,
+ CO_EXTRA_INFO_VSD_ALLOW_OCB
+ };
+
+void gnupg_set_compliance_extra_info (enum gnupg_co_extra_infos what,
+ unsigned int value);
#endif /*GNUPG_COMMON_COMPLIANCE_H*/
diff --git a/g10/gpg.c b/g10/gpg.c
index 12770987c..d2db2831a 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -993,6 +993,7 @@ static struct debug_flags_s debug_flags [] =
/* The list of compatibility flags. */
static struct compatibility_flags_s compatibility_flags [] =
{
+ { COMPAT_VSD_ALLOW_OCB, "vsd-allow-ocb" },
{ 0, NULL }
};
@@ -3796,7 +3797,9 @@ main (int argc, char **argv)
set_debug (debug_level);
if (opt.verbose) /* Print the compatibility flags. */
parse_compatibility_flags (NULL, &opt.compat_flags, compatibility_flags);
- gnupg_set_compliance_extra_info (opt.min_rsa_length);
+ gnupg_set_compliance_extra_info (CO_EXTRA_INFO_MIN_RSA, opt.min_rsa_length);
+ if ((opt.compat_flags & COMPAT_VSD_ALLOW_OCB))
+ gnupg_set_compliance_extra_info (CO_EXTRA_INFO_VSD_ALLOW_OCB, 1);
if (DBG_CLOCK)
log_clock ("start");
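Review bot: The new `if` in `main` forwards the flag to the compliance module without leaving any trace unless `opt.verbose` is set, so a compatibility-flags entry in a configuration file relaxes the de-vs cipher mode check silently. Since the commit message calls this a temporary flag for a mode still under evaluation, an unconditional note inside the `if` would help whoever audits a deployment, for example `log_info ("Note: compatibility flag vsd-allow-ocb is active\n");` with the body put in braces. `main` continues on both sides of the hunk, so any later diagnostic for this flag is not visible here.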
diff --git a/g10/options.h b/g10/options.h
index 351e18b0b..216e61f83 100644
--- a/g10/options.h
+++ b/g10/options.h
@@ -351,7 +351,7 @@ EXTERN_UNLESS_MAIN_MODULE int memory_debug_mode;
EXTERN_UNLESS_MAIN_MODULE int memory_stat_debug_mode;
/* Compatibility flags */
-/* #define COMPAT_FOO 1 */
+#define COMPAT_VSD_ALLOW_OCB 1
/* Compliance test macors. */
diff --git a/sm/gpgsm.c b/sm/gpgsm.c
index 70952391a..6f949e951 100644
--- a/sm/gpgsm.c
+++ b/sm/gpgsm.c
@@ -1531,7 +1531,7 @@ main ( int argc, char **argv)
set_debug ();
if (opt.verbose) /* Print the compatibility flags. */
parse_compatibility_flags (NULL, &opt.compat_flags, compatibility_flags);
- gnupg_set_compliance_extra_info (opt.min_rsa_length);
+ gnupg_set_compliance_extra_info (CO_EXTRA_INFO_MIN_RSA, opt.min_rsa_length);
/* Although we always use gpgsm_exit, we better install a regualr
exit handler so that at least the secure memory gets wiped