common,gpg,sm: Restrict the use of algorithms according to CO_DE_VS.

* common/compliance.c (gnupg_pk_is_allowed): New function.
(gnupg_cipher_is_allowed): Likewise.
(gnupg_digest_is_allowed): Likewise.
* common/compliance.h (enum pk_use_case): New definition.
(gnupg_pk_is_allowed): New prototype.
(gnupg_cipher_is_allowed): Likewise.
(gnupg_digest_is_allowed): Likewise.
* g10/decrypt-data.c (decrypt_data): Restrict use of algorithms using
the new predicates.
* g10/encrypt.c (encrypt_crypt): Likewise.
* g10/gpg.c (main): Likewise.
* g10/pubkey-enc.c (get_session_key): Likewise.
* g10/sig-check.c (check_signature2): Likewise.
* g10/sign.c (do_sign): Likewise.
* sm/decrypt.c (gpgsm_decrypt): Likewise.
* sm/encrypt.c (gpgsm_encrypt): Likewise.
* sm/gpgsm.c (main): Likewise.
* sm/sign.c (gpgsm_sign): Likewise.
* sm/verify.c (gpgsm_verify): Likewise.
--

With this change, policies can effectively restrict what algorithms
are used for different purposes.  The algorithm policy for CO_DE_VS is
implemented.

GnuPG-bug-id: 3191
Signed-off-by: Justus Winter <[email protected]>

1 files changed, 31 insertions, 11 deletions

diff --git a/sm/verify.c b/sm/verify.c
index e19c04e38..89f06efee 100644
--- a/sm/verify.c
+++ b/sm/verify.c
@@ -450,6 +450,37 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
           goto next_signer;
         }
 
+      /* Check compliance.  */
+      {
+        unsigned int nbits;
+        int pk_algo = gpgsm_get_key_algo_info (cert, &nbits);
+
+        if (! gnupg_pk_is_allowed (opt.compliance, PK_USE_VERIFICATION,
+                                   pk_algo, NULL, nbits, NULL))
+          {
+            log_error ("certificate ID 0x%08lX not suitable for "
+                       "verification while in %s mode\n",
+                       gpgsm_get_short_fingerprint (cert, NULL),
+                       gnupg_compliance_option_string (opt.compliance));
+            goto next_signer;
+          }
+
+        if (! gnupg_digest_is_allowed (opt.compliance, 0, sigval_hash_algo))
+          {
+            log_error (_ ("you may not use digest algorithm '%s'"
+                          " while in %s mode\n"),
+                       gcry_md_algo_name (sigval_hash_algo),
+                       gnupg_compliance_option_string (opt.compliance));
+            goto next_signer;
+          }
+
+        /* Check compliance with CO_DE_VS.  */
+        if (gnupg_pk_is_compliant (CO_DE_VS, pk_algo, NULL, nbits, NULL)
+            && gnupg_digest_is_compliant (CO_DE_VS, sigval_hash_algo))
+          gpgsm_status (ctrl, STATUS_VERIFICATION_COMPLIANCE_MODE,
+                        gnupg_status_compliance_flag (CO_DE_VS));
+      }
+
       log_info (_("Signature made "));
       if (*sigtime)
         dump_isotime (sigtime);
@@ -632,17 +663,6 @@ gpgsm_verify (ctrl_t ctrl, int in_fd, int data_fd, estream_t out_fp)
                     (verifyflags & VALIDATE_FLAG_CHAIN_MODEL)?
                     "0 chain": "0 shell");
 
-      /* Check compliance with CO_DE_VS.  */
-      {
-        unsigned int nbits;
-        int pk_algo = gpgsm_get_key_algo_info (cert, &nbits);
-
-        if (gnupg_pk_is_compliant (CO_DE_VS, pk_algo, NULL, nbits, NULL)
-            && gnupg_digest_is_compliant (CO_DE_VS, sigval_hash_algo))
-          gpgsm_status (ctrl, STATUS_VERIFICATION_COMPLIANCE_MODE,
-                        gnupg_status_compliance_flag (CO_DE_VS));
-      }
-
     next_signer:
       rc = 0;
       xfree (issuer);