From a149afe338d61d86985c533cde5e7dbcd31e8698 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 17 Jul 2017 15:52:26 +0200
Subject: gpg,sm: Check compliance of the RNG.

* common/compliance.c (gnupg_rng_is_compliant): New.
* g10/call-agent.c (start_agent) [W32]: Check rng compliance.
* sm/call-agent.c (start_agent) [W32]: Ditto.
* g10/encrypt.c (encrypt_simple, encrypt_crypt): Check that the RNG is
compliant.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* g10/sign.c (do_sign): Ditto.
* sm/sign.c (gpgsm_sign): Ditto.
--

Under Windows we need to check that the Jitter RNG is active in de-vs
mode.  Under Linux this is not necessary because /dev/random can be
scrutinized and is believed to provide enough entropy.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 common/compliance.c | 40 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

(limited to 'common/compliance.c')

diff --git a/common/compliance.c b/common/compliance.c
index 8b9167758..268ea4dbf 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -466,6 +466,46 @@ gnupg_digest_is_allowed (enum gnupg_compliance_mode compliance, int producer,
 }
 
 
+/* Return True if the random number generator is compliant in
+ * COMPLIANCE mode.  */
+int
+gnupg_rng_is_compliant (enum gnupg_compliance_mode compliance)
+{
+  static int result = -1;
+
+  if (result != -1)
+    ; /* Use cached result.  */
+  else if (compliance == CO_DE_VS)
+    {
+      /* In DE_VS mode under Windows we require that the JENT RNG
+       * is active.  */
+#ifdef HAVE_W32_SYSTEM
+# if GCRYPT_VERSION_NUMBER >= 0x010800
+      char *buf;
+      char *fields[5];
+
+      buf = gcry_get_config (0, "rng-type");
+      if (buf
+          && split_fields_colon (buf, fields, DIM (fields)) >= 5
+          && atoi (fields[4]) > 0)
+        result = 1;
+      else
+        result = 0;
+      gcry_free (buf);
+# else
+      result = 0;  /* No JENT - can't be compliant.  */
+# endif
+#else /*!HAVE_W32_SYSTEM*/
+      result = 1;  /* Not Windows - RNG is good.  */
+#endif /*!HAVE_W32_SYSTEM*/
+    }
+  else
+    result = 1;
+
+  return result;
+}
+
+
 const char *
 gnupg_status_compliance_flag (enum gnupg_compliance_mode compliance)
 {
-- 
cgit v1.2.3