From ee013c5350ce6a5b3d4089753cb99a44802fdfa8 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Tue, 8 Mar 2022 10:13:44 +0100
Subject: gpg: New option --require-compliance.
* g10/options.h (opt): Add field flags.require_compliance. * g10/gpg.c (oRequireCompliance): New. (opts): Add --require-compliance. (main): Set option. * g10/mainproc.c (proc_encrypted): Emit error if non de-vs compliant. (check_sig_and_print): Ditto. * g10/encrypt.c (encrypt_crypt): Ditto. -- Note that in the --encrypt and --verify cased other checks may kick in earlier than this new --require-compliance controlled one.
---
 g10/encrypt.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
(limited to 'g10/encrypt.c')
diff --git a/g10/encrypt.c b/g10/encrypt.c
index bca7344f4..28a761747 100644
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@@ -847,6 +847,17 @@ encrypt_crypt (ctrl_t ctrl, int filefd, const char *filename,
 gnupg_status_compliance_flag (CO_DE_VS),
 NULL);
 
+ if (opt.flags.require_compliance
+ && opt.compliance == CO_DE_VS
+ && !compliant)
+ {
+ log_error (_("operation forced to fail due to"
+ " unfulfilled compliance rules\n"));
+ rc = gpg_error (GPG_ERR_FORBIDDEN);
+ g10_errors_seen = 1;
+ goto leave;
+ }
+
 cfx.dek->use_aead = use_aead (pk_list, cfx.dek->algo);
 if (!cfx.dek->use_aead)
 cfx.dek->use_mdc = !!use_mdc (pk_list, cfx.dek->algo);
-- 
cgit v1.2.3
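Review bot: The new guard in encrypt_crypt only fires when `opt.compliance == CO_DE_VS`, so `--require-compliance` given without de-vs mode is silently a no-op instead of failing or warning. If that is intended, say so above the `if`, e.g. `/* --require-compliance is enforced only in de-vs mode; in any other compliance mode it has no effect. */`; whether option parsing in g10/gpg.c diagnoses the combination is not visible on this page. The failure is reported only through `log_error` and `g10_errors_seen`, so a front end reading the status output sees no dedicated line for the forced failure unless the code at `leave` emits one. Both `leave` and the computation of `compliant` lie outside this hunk, so the latter point is a question for the author rather than a confirmed gap.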