security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-02-12 18:23:04 +01:00
Code Activity

gpg: Simplify the compliance settings.

Browse Source 
* g10/gpg.c (set_compliance_option): Base most settings on oGnuPG.
For oGnuPG explictly clear the allow_old_cipher_algos flag.
--

Note that --allow-old-cipher-algos must now come after a compliance
settings.  This avoids a bug when first setting oRFC2440 and then
oGnuPG which would not clear the flag.

GnuPG-bug-id: T7501
This commit is contained in:
Werner Koch 2025-02-03 11:46:57 +01:00
parent aa46ba28ba
commit 4b2729b983
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 41 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
doc/gpg.texi
View File

@ -3687,7 +3687,9 @@ blocks of 64 bits; modern algorithms use blocks of 128 bit instead.
To avoid certain attack on these old algorithms it is suggested not to To avoid certain attack on these old algorithms it is suggested not to
encrypt more than 150 MiByte using the same key. For this reason gpg encrypt more than 150 MiByte using the same key. For this reason gpg
does not allow the use of 64 bit block size algorithms for encryption does not allow the use of 64 bit block size algorithms for encryption
unless this option is specified. unless this option is specified. Some compliance modes already set or
clear this flag and thus this flags should be used after a compliance
mode setting.
@item --allow-weak-digest-algos @item --allow-weak-digest-algos
@opindex allow-weak-digest-algos @opindex allow-weak-digest-algos

86
g10/gpg.c
View File

@ -2277,54 +2277,6 @@ set_compliance_option (enum cmd_and_opt_values option)
{ {
switch (option) switch (option)
{ {
case oOpenPGP:
case oRFC4880:
/* This is effectively the same as RFC2440, but with
"--enable-dsa2 --no-rfc2440-text --escape-from-lines
--require-cross-certification". */
opt.compliance = CO_RFC4880;
opt.flags.dsa2 = 1;
opt.flags.require_cross_cert = 1;
opt.rfc2440_text = 0;
opt.allow_non_selfsigned_uid = 1;
opt.allow_freeform_uid = 1;
opt.escape_from = 1;
opt.not_dash_escaped = 0;
opt.def_cipher_algo = 0;
opt.def_digest_algo = 0;
opt.cert_digest_algo = 0;
opt.compress_algo = -1;
opt.s2k_mode = 3; /* iterated+salted */
opt.s2k_digest_algo = DIGEST_ALGO_SHA1;
opt.s2k_cipher_algo = CIPHER_ALGO_3DES;
opt.flags.allow_old_cipher_algos = 1;
break;
case oRFC2440:
opt.compliance = CO_RFC2440;
opt.flags.dsa2 = 0;
opt.flags.require_cross_cert = 0;
opt.rfc2440_text = 1;
opt.allow_non_selfsigned_uid = 1;
opt.allow_freeform_uid = 1;
opt.escape_from = 0;
opt.not_dash_escaped = 0;
opt.def_cipher_algo = 0;
opt.def_digest_algo = 0;
opt.cert_digest_algo = 0;
opt.compress_algo = -1;
opt.s2k_mode = 3; /* iterated+salted */
opt.s2k_digest_algo = DIGEST_ALGO_SHA1;
opt.s2k_cipher_algo = CIPHER_ALGO_3DES;
opt.flags.allow_old_cipher_algos = 1;
break;
case oPGP7:
set_compliance_option (oGnuPG);
opt.compliance = CO_PGP7;
break;
case oPGP8:
set_compliance_option (oGnuPG);
opt.compliance = CO_PGP8;
break;
case oGnuPG: case oGnuPG:
/* set up default options affected by policy compliance: */ /* set up default options affected by policy compliance: */
opt.compliance = CO_GNUPG; opt.compliance = CO_GNUPG;
@ -2342,6 +2294,44 @@ set_compliance_option (enum cmd_and_opt_values option)
opt.s2k_mode = 3; /* iterated+salted */ opt.s2k_mode = 3; /* iterated+salted */
opt.s2k_digest_algo = 0; opt.s2k_digest_algo = 0;
opt.s2k_cipher_algo = DEFAULT_CIPHER_ALGO; opt.s2k_cipher_algo = DEFAULT_CIPHER_ALGO;
opt.flags.allow_old_cipher_algos = 0;
break;
case oOpenPGP:
case oRFC4880:
/* This is effectively the same as RFC2440, but with
"--enable-dsa2 --no-rfc2440-text --escape-from-lines
--require-cross-certification". */
set_compliance_option (oGnuPG);
opt.compliance = CO_RFC4880;
opt.flags.dsa2 = 1;
opt.allow_non_selfsigned_uid = 1;
opt.allow_freeform_uid = 1;
opt.s2k_digest_algo = DIGEST_ALGO_SHA1;
opt.s2k_cipher_algo = CIPHER_ALGO_3DES;
opt.flags.allow_old_cipher_algos = 1;
break;
case oRFC2440:
set_compliance_option (oGnuPG);
opt.compliance = CO_RFC2440;
opt.flags.require_cross_cert = 0;
opt.rfc2440_text = 1;
opt.allow_non_selfsigned_uid = 1;
opt.allow_freeform_uid = 1;
opt.escape_from = 0;
opt.s2k_digest_algo = DIGEST_ALGO_SHA1;
opt.s2k_cipher_algo = CIPHER_ALGO_3DES;
opt.flags.allow_old_cipher_algos = 1;
break;
case oPGP7:
set_compliance_option (oGnuPG);
opt.compliance = CO_PGP7;
break;
case oPGP8:
set_compliance_option (oGnuPG);
opt.compliance = CO_PGP8;
break; break;
case oDE_VS: case oDE_VS: