gpg: Remove MDC options

* g10/gpg.c: Tuen options --force-mdc, --no-force-mdc, --disable-mdc
and --no-disable-mdc into NOPs.
* g10/encrypt.c (use_mdc): Simplify.  MDC is now almost always used.
(use_aead): Ignore MDC options. Print warning for missing MDC feature
flags.
* g10/pkclist.c (warn_missing_mdc_from_pklist): Rename to ...
(warn_missing_aead_from_pklist): this and adjust.
--

The MDC is now always used except with --rfc2440 which will lead to a
a big fat warning.

Signed-off-by: Werner Koch <wk@gnupg.org>

doc/gpg.texi

@@ -2596,21 +2596,18 @@ modern and faster way to do authenticated encrytion than the old MDC
 method.  See also options @option{--aead-algo} and
 @option{--chunk-size}.
 
-This option requires the use of option @option{--rfc4880bis} to
-declare that a not yet standardized feature is used.
+As of now this option requires the use of option @option{--rfc4880bis}
+to declare that a not yet standardized feature is used.
 
 @item --force-mdc
+@itemx --disable-mdc
 @opindex force-mdc
-Force the use of encryption with a modification detection code. This
-is always used with the newer ciphers (those with a blocksize greater
-than 64 bits), or if all of the recipient keys indicate MDC support in
-their feature flags.
-
-@item --disable-mdc
 @opindex disable-mdc
-Disable the use of the modification detection code. Note that by
-using this option, the encrypted message becomes vulnerable to a
-message modification attack.
+These options are obsolete and have no effect since GnuPG 2.2.8.  The
+MDC is always used unless the keys indicate that an AEAD algorithm can
+be used in which case AEAD is used.  But note: If the creation or of a
+legacy non-MDC message is exceptionally required, the option
+@option{--rfc2440} allows for this.
 
 @item --disable-signer-uid
 @opindex disable-signer-uid
@@ -2740,7 +2737,10 @@ keys or data may not be usable with future GnuPG versions.
 @item --rfc2440
 @opindex rfc2440
 Reset all packet, cipher and digest options to strict RFC-2440
-behavior.
+behavior.  Note that by using this option encryption packets are
+created in a legacy mode without MDC protection.  This is dangerous
+and should thus only be used for experiments.  See also option
+@option{--ignore-mdc-error}.
 
 @item --pgp6
 @opindex pgp6
@@ -2750,8 +2750,9 @@ restricts you to the ciphers IDEA (if the IDEA plugin is installed),
 compression algorithms none and ZIP. This also disables
 @option{--throw-keyids}, and making signatures with signing subkeys as PGP 6
 does not understand signatures made by signing subkeys.
+FIXME: remove this options.
 
-This option implies @option{--disable-mdc --escape-from-lines}.
+This option implies @option{--escape-from-lines}.
 
 @item --pgp7
 @opindex pgp7
@@ -3234,7 +3235,7 @@ It is required to decrypt old messages which did not use an MDC.  It
 may also be useful if a message is partially garbled, but it is
 necessary to get as much data as possible out of that garbled message.
 Be aware that a missing or failed MDC can be an indication of an
-attack.  Use with caution.
+attack.  Use with great caution; see also option @option{--rfc2440}.
 
 @item --allow-weak-digest-algos
 @opindex allow-weak-digest-algos

g10/cipher-cfb.c

@@ -33,6 +33,7 @@
 #include "packet.h"
 #include "options.h"
 #include "main.h"
+#include "../common/i18n.h"
 #include "../common/status.h"
 
 
@@ -66,8 +67,9 @@ write_header (cipher_filter_context_t *cfx, iobuf_t a)
     }
   else
     {
-      log_info ("WARNING: "
-                "encrypting without integrity protection is dangerous\n");
+      log_info (_("WARNING: "
+                  "encrypting without integrity protection is dangerous\n"));
+      log_info (_("Hint: Do not use option %s\n"), "--rfc2440");
     }
 
   write_status_printf (STATUS_BEGIN_ENCRYPTION, "%d %d",

g10/encrypt.c

@@ -212,11 +212,7 @@ use_aead (pk_list_t pk_list, int algo)
 
   can_use = openpgp_cipher_get_algo_blklen (algo) == 16;
 
-  /* With --force-mdc we clearly do not want AEAD.  */
-  if (opt.force_mdc)
-    return 0;
-
-  /* However with --force-aead we want AEAD.  */
+  /* With --force-aead we want AEAD.  */
   if (opt.force_aead)
     {
       if (!can_use)
@@ -232,62 +228,29 @@ use_aead (pk_list_t pk_list, int algo)
   if (!can_use)
     return 0;
 
+  /* Note the user which keys have no AEAD feature flag set.  */
+  if (opt.verbose)
+    warn_missing_aead_from_pklist (pk_list);
+
   /* If all keys support AEAD we can use it.  */
   return select_aead_from_pklist (pk_list);
 }
 
 
-/* We try very hard to use a MDC */
+/* Shall we use the MDC?  Yes - unless rfc-2440 compatibility is
+ * requested. */
 int
 use_mdc (pk_list_t pk_list,int algo)
 {
-  /* RFC-2440 don't has MDC */
+  (void)pk_list;
+  (void)algo;
+
+  /* RFC-2440 don't has MDC - this is the only way to create a legacy
+   * non-MDC encryption packet.  */
   if (RFC2440)
     return 0;
 
-  /* --force-mdc overrides --disable-mdc */
-  if(opt.force_mdc)
-    return 1;
-
-  if(opt.disable_mdc)
-    return 0;
-
-  /* Do the keys really support MDC? */
-
-  if(select_mdc_from_pklist(pk_list))
-    return 1;
-
-  /* The keys don't support MDC, so now we do a bit of a hack - if any
-     of the AESes or TWOFISH are in the prefs, we assume that the user
-     can handle a MDC.  This is valid for PGP 7, which can handle MDCs
-     though it will not generate them.  2440bis allows this, by the
-     way. */
-
-  if(select_algo_from_prefs(pk_list,PREFTYPE_SYM,
-			    CIPHER_ALGO_AES,NULL)==CIPHER_ALGO_AES)
-    return 1;
-
-  if(select_algo_from_prefs(pk_list,PREFTYPE_SYM,
-			    CIPHER_ALGO_AES192,NULL)==CIPHER_ALGO_AES192)
-    return 1;
-
-  if(select_algo_from_prefs(pk_list,PREFTYPE_SYM,
-			    CIPHER_ALGO_AES256,NULL)==CIPHER_ALGO_AES256)
-    return 1;
-
-  if(select_algo_from_prefs(pk_list,PREFTYPE_SYM,
-			    CIPHER_ALGO_TWOFISH,NULL)==CIPHER_ALGO_TWOFISH)
-    return 1;
-
-  /* Last try.  Use MDC for the modern ciphers. */
-
-  if (openpgp_cipher_get_algo_blklen (algo) != 8)
-    return 1;
-
-  if (opt.verbose)
-    warn_missing_mdc_from_pklist (pk_list);
-
-  return 0; /* No MDC */
+  return 1; /* In all other cases we use the MDC */
 }
 
 

g10/gpg.c

@@ -301,10 +301,6 @@ enum cmd_and_opt_values
     oShowPhotos,
     oNoShowPhotos,
     oPhotoViewer,
-    oForceMDC,
-    oNoForceMDC,
-    oDisableMDC,
-    oNoDisableMDC,
     oForceAEAD,
     oS2KMode,
     oS2KDigest,
@@ -605,11 +601,6 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oQuiet,	  "quiet",   "@"),
   ARGPARSE_s_n (oNoTTY,   "no-tty",  "@"),
 
-  ARGPARSE_s_n (oForceMDC, "force-mdc", "@"),
-  ARGPARSE_s_n (oNoForceMDC, "no-force-mdc", "@"),
-  ARGPARSE_s_n (oDisableMDC, "disable-mdc", "@"),
-  ARGPARSE_s_n (oNoDisableMDC, "no-disable-mdc", "@"),
-
   ARGPARSE_s_n (oForceAEAD, "force-aead", "@"),
 
   ARGPARSE_s_n (oDisableSignerUID, "disable-signer-uid", "@"),
@@ -924,6 +915,11 @@ static ARGPARSE_OPTS opts[] = {
   ARGPARSE_s_n (oNoop, "force-v4-certs", "@"),
   ARGPARSE_s_n (oNoop, "no-force-v4-certs", "@"),
   ARGPARSE_s_n (oNoop, "no-mdc-warning", "@"),
+  ARGPARSE_s_n (oNoop, "force-mdc", "@"),
+  ARGPARSE_s_n (oNoop, "no-force-mdc", "@"),
+  ARGPARSE_s_n (oNoop, "disable-mdc", "@"),
+  ARGPARSE_s_n (oNoop, "no-disable-mdc", "@"),
+
 
   ARGPARSE_end ()
 };
@@ -2201,7 +2197,6 @@ set_compliance_option (enum cmd_and_opt_values option)
     case oDE_VS:
       set_compliance_option (oOpenPGP);
       opt.compliance = CO_DE_VS;
-      opt.force_mdc = 1;
       opt.def_aead_algo = 0;
       /* Fixme: Change other options.  */
       break;
@@ -3019,11 +3014,6 @@ main (int argc, char **argv)
 	    break;
 	  case oPhotoViewer: opt.photo_viewer = pargs.r.ret_str; break;
 
-	  case oForceMDC: opt.force_mdc = 1; break;
-	  case oNoForceMDC: opt.force_mdc = 0; break;
-	  case oDisableMDC: opt.disable_mdc = 1; break;
-	  case oNoDisableMDC: opt.disable_mdc = 0; break;
-
 	  case oForceAEAD: opt.force_aead = 1; break;
 
           case oDisableSignerUID: opt.flags.disable_signer_uid = 1; break;
@@ -3802,7 +3792,6 @@ main (int argc, char **argv)
       {
         /* That does not anymore work because we have no more support
            for v3 signatures.  */
-	opt.disable_mdc=1;
 	opt.escape_from=1;
 	opt.ask_sig_expire=0;
       }

g10/keydb.h

@@ -236,7 +236,7 @@ int  select_algo_from_prefs( PK_LIST pk_list, int preftype,
 			     int request, const union pref_hint *hint);
 int  select_mdc_from_pklist (PK_LIST pk_list);
 aead_algo_t select_aead_from_pklist (pk_list_t pk_list);
-void warn_missing_mdc_from_pklist (PK_LIST pk_list);
+void warn_missing_aead_from_pklist (PK_LIST pk_list);
 void warn_missing_aes_from_pklist (PK_LIST pk_list);
 
 /*-- skclist.c --*/

g10/pkclist.c

@@ -1677,9 +1677,10 @@ select_aead_from_pklist (PK_LIST pk_list)
 }
 
 
-/* Print a warning for all keys in PK_LIST missing the MDC feature. */
+/* Print a warning for all keys in PK_LIST missing the AEAD feature
+ * flag or AEAD algorithms. */
 void
-warn_missing_mdc_from_pklist (PK_LIST pk_list)
+warn_missing_aead_from_pklist (PK_LIST pk_list)
 {
   PK_LIST pkr;
 
@@ -1688,12 +1689,12 @@ warn_missing_mdc_from_pklist (PK_LIST pk_list)
       int mdc;
 
       if (pkr->pk->user_id) /* selected by user ID */
-        mdc = pkr->pk->user_id->flags.mdc;
+        mdc = pkr->pk->user_id->flags.aead;
       else
-        mdc = pkr->pk->flags.mdc;
+        mdc = pkr->pk->flags.aead;
       if (!mdc)
         log_info (_("Note: key %s has no %s feature\n"),
-                  keystr_from_pk (pkr->pk), "MDC");
+                  keystr_from_pk (pkr->pk), "AEAD");
     }
 }
 

po/POTFILES.in

@@ -75,6 +75,8 @@ g10/tofu.c
 g10/trustdb.c
 g10/trust.c
 g10/verify.c
+g10/cipher-cfb.c
+g10/cipher-aead.c
 
 kbx/kbxutil.c