From f8075257afad4c7a41cd4409e334670a0097b5b8 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Tue, 8 Mar 2022 19:06:30 +0100
Subject: gpgsm: New option --require-compliance

* sm/gpgsm.c (oRequireCompliance): New.
(opts): Add --require-compliance.
(main): Set option.
* sm/gpgsm.h (opt): Add field require_compliance.
(gpgsm_errors_seen): Declare.
* sm/verify.c (gpgsm_verify): Emit error if non de-vs compliant.
* sm/encrypt.c (gpgsm_encrypt): Ditto.
* sm/decrypt.c (gpgsm_decrypt): Ditto.
--
---
 sm/encrypt.c | 9 +++++++++
 1 file changed, 9 insertions(+)

(limited to 'sm/encrypt.c')

diff --git a/sm/encrypt.c b/sm/encrypt.c
index ba2428e9a..4fd4f93b9 100644
--- a/sm/encrypt.c
+++ b/sm/encrypt.c
@@ -811,6 +811,15 @@ gpgsm_encrypt (ctrl_t ctrl, certlist_t recplist, int data_fd, estream_t out_fp)
  if (compliant && gnupg_gcrypt_is_compliant (CO_DE_VS))
  gpgsm_status (ctrl, STATUS_ENCRYPTION_COMPLIANCE_MODE,
  gnupg_status_compliance_flag (CO_DE_VS));
+ else if (opt.require_compliance
+ && opt.compliance == CO_DE_VS)
+ {
+ log_error (_("operation forced to fail due to"
+ " unfulfilled compliance rules\n"));
+ gpgsm_errors_seen = 1;
+ rc = gpg_error (GPG_ERR_FORBIDDEN);
+ goto leave;
+ }

  /* Main control loop for encryption. */
  recpno = 0;
--
cgit v1.2.3
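Review bot: The new `else if` branch enforces `--require-compliance` only when `opt.compliance == CO_DE_VS`, so under any other compliance mode the option has no effect at this point and encryption proceeds as before. If that is intended, a comment above the branch would make the fail-closed contract explicit, for example `/* Fail closed: in de-vs mode with --require-compliance, refuse to encrypt unless COMPLIANT is set and Libgcrypt is compliant. */`. The branch is also reached when `compliant` is set but `gnupg_gcrypt_is_compliant (CO_DE_VS)` returns false, and the single `log_error` text does not tell the operator which of the two conditions was unmet. Whether option parsing warns about `--require-compliance` outside de-vs mode cannot be seen from this hunk, and the rest of gpgsm_encrypt, including the `leave` label, lies outside it.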