From 5a2cef801d3506bedd700db1a5d88b7a75c4083b Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Mon, 31 Oct 2022 15:51:21 +0100 Subject: [PATCH] gpg: Allow only OCB for AEAD encryption. * g10/gpg.c (opts): New option--force-ocb as alias for force-aead. Turn --aead-algo and --personal-aead-preferences into dummy options. (build_list_md_test_algo, build_list_aead_algo_name): Remove. (my_strusage): Remove output of AEAD algos. (main): Remove code from the --aead options. * g10/encrypt.c (encrypt_seskey): Make file local. (use_aead): Remove requirement for rfc4880bis. Always return AEAD_ALGO_OCB. * g10/main.h (DEFAULT_AEAD_ALGO): Removed unused macro. * g10/misc.c (default_aead_algo): Remove. * g10/pkclist.c (select_aead_from_pklist): Return AEAD_ALGO_OCB or 0. (select_algo_from_prefs): Remove personal AEAD algo setting. * g10/keygen.c (keygen_set_std_prefs): Remove AEAD preference option parsing. * g10/options.h (opt): Remove def_aead_algo and personal_aead_prefs. -- Due to the meanwhile expired patent on OCB there is no more reason for using EAX. Thus we forcefully use OCB if the AEAD feature flag is set on a key. --- doc/gpg.texi | 35 +++++++++----------------- g10/encrypt.c | 12 ++------- g10/gpg.c | 68 ++++----------------------------------------------- g10/keygen.c | 23 ----------------- g10/main.h | 5 ---- g10/misc.c | 11 --------- g10/options.h | 2 -- g10/pkclist.c | 4 +-- 8 files changed, 20 insertions(+), 140 deletions(-) diff --git a/doc/gpg.texi b/doc/gpg.texi index 59d5e578f..c617e1971 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi 
@@ -2760,12 +2760,14 @@ is the default. @itemx --no-force-v4-certs These options are obsolete and have no effect since GnuPG 2.1. -@item --force-aead +@item --force-ocb +@itemx --force-aead +@opindex force-ocb @opindex force-aead Force the use of AEAD encryption over MDC encryption. AEAD is a modern and faster way to do authenticated encryption than the old MDC -method. See also options @option{--aead-algo} and -@option{--chunk-size}. +method. @option{--force-aead} is an alias and deprecated. See also +option @option{--chunk-size}. @item --force-mdc @itemx --disable-mdc @@ -2810,16 +2812,6 @@ preferences, as GPG will only select an algorithm that is usable by all recipients. The most highly ranked cipher in this list is also used for the @option{--symmetric} encryption command. -@item --personal-aead-preferences @var{string} -@opindex personal-aead-preferences -Set the list of personal AEAD preferences to @var{string}. Use -@command{@gpgname --version} to get a list of available algorithms, -and use @code{none} to set no preference at all. This allows the user -to safely override the algorithm chosen by the recipient key -preferences, as GPG will only select an algorithm that is usable by -all recipients. The most highly ranked cipher in this list is also -used for the @option{--symmetric} encryption command. - @item --personal-digest-preferences @var{string} @opindex personal-digest-preferences Set the list of personal digest preferences to @var{string}. Use 
@@ -3233,16 +3225,6 @@ it allows you to violate the OpenPGP standard. The option @option{--personal-cipher-preferences} is the safe way to accomplish the same thing. -@item --aead-algo @var{name} -@opindex aead-algo -Specify that the AEAD algorithm @var{name} is to be used. This is -useful for symmetric encryption where no key preference are available -to select the AEAD algorithm. Running @command{@gpgname} with option -@option{--version} shows the available AEAD algorithms. In general, -you do not want to use this option as it allows you to violate the -OpenPGP standard. The option @option{--personal-aead-preferences} is -the safe way to accomplish the same thing. - @item --digest-algo @var{name} @opindex digest-algo Use @var{name} as the message digest algorithm. Running the program @@ -3786,6 +3768,13 @@ it. These options are deprecated. Use @option{--list-options [no-]show-policy-url} and/or @option{--verify-options [no-]show-policy-url} instead. +@item --personal-aead-preferences @var{string} +@opindex personal-aead-preferences +This option is deprecated and has no more effect since version 2.3.9. + +@item --aead-algo @var{name} +This option is deprecated and has no more effect since version 2.3.9. + @end table diff --git a/g10/encrypt.c b/g10/encrypt.c index 019bf0be4..33a5126d0 100644 --- a/g10/encrypt.c +++ b/g10/encrypt.c @@ -219,7 +219,7 @@ check_encryption_compliance (DEK *dek, pk_list_t pk_list) * stored at R_SESKEY. If AEAD_ALGO is not 0 the given AEAD algorithm * is used for encryption. */ -gpg_error_t +static gpg_error_t encrypt_seskey (DEK *dek, aead_algo_t aead_algo, DEK **r_seskey, void **r_enckey, size_t *r_enckeylen) { 
@@ -344,14 +344,6 @@ use_aead (pk_list_t pk_list, int algo) { int can_use; - if (!opt.flags.rfc4880bis) - { - if (opt.force_aead) - log_info ("Warning: Option %s currently requires option '%s'\n", - "--force-aead", "--rfc4880bis"); - return 0; - } - can_use = openpgp_cipher_get_algo_blklen (algo) == 16; /* With --force-aead we want AEAD. */ @@ -363,7 +355,7 @@ use_aead (pk_list_t pk_list, int algo) openpgp_cipher_algo_name (algo)); return 0; } - return default_aead_algo (); + return AEAD_ALGO_OCB; } /* AEAD does only work with 128 bit cipher blocklength. */ diff --git a/g10/gpg.c b/g10/gpg.c index 07f62e9b8..f6d4d2b4c 100644 --- a/g10/gpg.c +++ b/g10/gpg.c @@ -254,7 +254,6 @@ enum cmd_and_opt_values oRFC2440Text, oNoRFC2440Text, oCipherAlgo, - oAEADAlgo, oDigestAlgo, oCertDigestAlgo, oCompressAlgo, @@ -383,7 +382,6 @@ enum cmd_and_opt_values oDefaultPreferenceList, oDefaultKeyserverURL, oPersonalCipherPreferences, - oPersonalAEADPreferences, oPersonalDigestPreferences, oPersonalCompressPreferences, oAgentProgram, @@ -675,7 +673,6 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_n (oEnableDSA2, "enable-dsa2", "@"), ARGPARSE_s_n (oDisableDSA2, "disable-dsa2", "@"), ARGPARSE_s_s (oPersonalCipherPreferences, "personal-cipher-preferences","@"), - ARGPARSE_s_s (oPersonalAEADPreferences, "personal-aead-preferences","@"), ARGPARSE_s_s (oPersonalDigestPreferences, "personal-digest-preferences","@"), ARGPARSE_s_s (oPersonalCompressPreferences, "personal-compress-preferences", "@"), 
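Review bot: The forced path in use_aead now returns the constant `AEAD_ALGO_OCB`, but the comment kept just above it (context of the preceding hunk) still reads `/* With --force-aead we want AEAD. */`, and the function's header comment lies outside the hunk, so nothing here tells a reader that the result is now only ever 0 or OCB. I would reword it to `/* With --force-ocb we want OCB; this needs a cipher with a 128 bit block length. */` and mention in the header comment that the `--rfc4880bis` gate is gone. With that gate removed, the option on its own appears to be enough to emit OCB packets, presumably without consulting the recipients' key feature flags, so a recipient whose implementation lacks OCB could not decrypt; that trade-off deserves a sentence in the comment. The commit also drops the FIXME in g10/gpg.c about checking the AEAD algorithm against the compliance mode, and no such check for OCB is visible in these hunks.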
@@ -855,7 +852,8 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_s (oS2KDigest, "s2k-digest-algo", "@"), ARGPARSE_s_s (oS2KCipher, "s2k-cipher-algo", "@"), ARGPARSE_s_i (oS2KCount, "s2k-count", "@"), - ARGPARSE_s_n (oForceAEAD, "force-aead", "@"), + ARGPARSE_s_n (oForceAEAD, "force-ocb", "@"), + ARGPARSE_s_n (oForceAEAD, "force-aead", "@"), /*(old name)*/ ARGPARSE_s_n (oRequireCrossCert, "require-backsigs", "@"), ARGPARSE_s_n (oRequireCrossCert, "require-cross-certification", "@"), ARGPARSE_s_n (oNoRequireCrossCert, "no-require-backsigs", "@"), @@ -876,7 +874,6 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_s (oDisableCipherAlgo, "disable-cipher-algo", "@"), ARGPARSE_s_s (oDisablePubkeyAlgo, "disable-pubkey-algo", "@"), ARGPARSE_s_s (oCipherAlgo, "cipher-algo", "@"), - ARGPARSE_s_s (oAEADAlgo, "aead-algo", "@"), ARGPARSE_s_s (oDigestAlgo, "digest-algo", "@"), ARGPARSE_s_s (oCertDigestAlgo, "cert-digest-algo", "@"), ARGPARSE_s_n (oOverrideComplianceCheck, "override-compliance-check", "@"), @@ -928,8 +925,6 @@ static gpgrt_opt_t opts[] = { /* Aliases. I constantly mistype these, and assume other people do as well. */ ARGPARSE_s_s (oPersonalCipherPreferences, "personal-cipher-prefs", "@"), - ARGPARSE_s_s (oPersonalAEADPreferences, "personal-aead-prefs", "@"), - ARGPARSE_s_s (oPersonalDigestPreferences, "personal-digest-prefs", "@"), ARGPARSE_s_s (oPersonalCompressPreferences, "personal-compress-prefs", "@"), /* These two are aliases to help users of the PGP command line @@ -972,6 +967,8 @@ static gpgrt_opt_t opts[] = { ARGPARSE_s_n (oNoop, "allow-multisig-verification", "@"), ARGPARSE_s_n (oNoop, "allow-multiple-messages", "@"), ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"), + ARGPARSE_s_s (oNoop, "aead-algo", "@"), + ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"), ARGPARSE_group (302, N_( 
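Review bot: The two `oNoop` entries added at the end of `opts` cover `aead-algo` and `personal-aead-preferences` but not the short alias `personal-aead-prefs`, which the alias hunk earlier in this file removes outright. An existing gpg.conf that uses the short form would then presumably be rejected as an unknown option instead of being silently ignored like the long form; adding `ARGPARSE_s_s (oNoop, "personal-aead-prefs", "@"),` next to the new lines keeps both spellings harmless. That same alias hunk also deletes `ARGPARSE_s_s (oPersonalDigestPreferences, "personal-digest-prefs", "@"),`, which the commit message does not mention and which is unrelated to AEAD, so it looks unintended and should be restored. The `opts` table starts and ends outside these hunks.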
@@ -1112,18 +1109,6 @@ build_list_cipher_algo_name (int algo) return openpgp_cipher_algo_name (algo); } -static int -build_list_aead_test_algo (int algo) -{ - return openpgp_aead_test_algo (algo); -} - -static const char * -build_list_aead_algo_name (int algo) -{ - return openpgp_aead_algo_name (algo); -} - static int build_list_md_test_algo (int algo) { @@ -1145,7 +1130,7 @@ build_list_md_algo_name (int algo) static const char * my_strusage( int level ) { - static char *digests, *pubkeys, *ciphers, *zips, *aeads, *ver_gcry; + static char *digests, *pubkeys, *ciphers, *zips, *ver_gcry; const char *p; switch( level ) { @@ -1207,13 +1192,6 @@ my_strusage( int level ) build_list_cipher_test_algo ); p = ciphers; break; - case 36: - if (!aeads) - aeads = build_list ("AEAD: ", 'A', - build_list_aead_algo_name, - build_list_aead_test_algo); - p = aeads; - break; case 37: if( !digests ) digests = build_list(_("Hash: "), 'H', @@ -2251,7 +2229,6 @@ set_compliance_option (enum cmd_and_opt_values option) opt.escape_from = 1; opt.not_dash_escaped = 0; opt.def_cipher_algo = 0; - opt.def_aead_algo = 0; opt.def_digest_algo = 0; opt.cert_digest_algo = 0; opt.compress_algo = -1; @@ -2273,7 +2250,6 @@ set_compliance_option (enum cmd_and_opt_values option) opt.escape_from = 1; opt.not_dash_escaped = 0; opt.def_cipher_algo = 0; - opt.def_aead_algo = 0; opt.def_digest_algo = 0; opt.cert_digest_algo = 0; opt.compress_algo = -1; @@ -2291,7 +2267,6 @@ set_compliance_option (enum cmd_and_opt_values option) opt.escape_from = 0; opt.not_dash_escaped = 0; opt.def_cipher_algo = 0; - opt.def_aead_algo = 0; opt.def_digest_algo = 0; opt.cert_digest_algo = 0; opt.compress_algo = -1; 
@@ -2310,7 +2285,6 @@ set_compliance_option (enum cmd_and_opt_values option) case oDE_VS: set_compliance_option (oOpenPGP); opt.compliance = CO_DE_VS; - opt.def_aead_algo = 0; /* We divert here from the backward compatible rfc4880 algos. */ opt.s2k_digest_algo = DIGEST_ALGO_SHA256; opt.s2k_cipher_algo = CIPHER_ALGO_AES256; @@ -2391,14 +2365,12 @@ main (int argc, char **argv) const char *trustdb_name = NULL; #endif /*!NO_TRUST_MODELS*/ char *def_cipher_string = NULL; - char *def_aead_string = NULL; char *def_digest_string = NULL; char *compress_algo_string = NULL; char *cert_digest_string = NULL; char *s2k_cipher_string = NULL; char *s2k_digest_string = NULL; char *pers_cipher_list = NULL; - char *pers_aead_list = NULL; char *pers_digest_list = NULL; char *pers_compress_list = NULL; int eyes_only=0; @@ -2464,7 +2436,6 @@ main (int argc, char **argv) opt.bz2_compress_level = -1; /* defaults to standard compress level */ /* note: if you change these lines, look at oOpenPGP */ opt.def_cipher_algo = 0; - opt.def_aead_algo = 0; opt.def_digest_algo = 0; opt.cert_digest_algo = 0; opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */ @@ -3287,9 +3258,6 @@ main (int argc, char **argv) case oCipherAlgo: def_cipher_string = xstrdup(pargs.r.ret_str); break; - case oAEADAlgo: - def_aead_string = xstrdup (pargs.r.ret_str); - break; case oDigestAlgo: def_digest_string = xstrdup(pargs.r.ret_str); break; @@ -3571,9 +3539,6 @@ main (int argc, char **argv) case oPersonalCipherPreferences: pers_cipher_list=pargs.r.ret_str; break; - case oPersonalAEADPreferences: - pers_aead_list = pargs.r.ret_str; - break; case oPersonalDigestPreferences: pers_digest_list=pargs.r.ret_str; break; 
@@ -3964,13 +3929,6 @@ main (int argc, char **argv) if ( openpgp_cipher_test_algo (opt.def_cipher_algo) ) log_error(_("selected cipher algorithm is invalid\n")); } - if (def_aead_string) - { - opt.def_aead_algo = string_to_aead_algo (def_aead_string); - xfree (def_aead_string); def_aead_string = NULL; - if (openpgp_aead_test_algo (opt.def_aead_algo)) - log_error(_("selected AEAD algorithm is invalid\n")); - } if( def_digest_string ) { opt.def_digest_algo = string_to_digest_algo (def_digest_string); xfree(def_digest_string); def_digest_string = NULL; @@ -4031,9 +3989,6 @@ main (int argc, char **argv) keygen_set_std_prefs(pers_cipher_list,PREFTYPE_SYM)) log_error(_("invalid personal cipher preferences\n")); - if (pers_aead_list && keygen_set_std_prefs (pers_aead_list, PREFTYPE_AEAD)) - log_error(_("invalid personal AEAD preferences\n")); - if(pers_digest_list && keygen_set_std_prefs(pers_digest_list,PREFTYPE_HASH)) log_error(_("invalid personal digest preferences\n")); @@ -4118,12 +4073,6 @@ main (int argc, char **argv) badalg = openpgp_cipher_algo_name (opt.def_cipher_algo); badtype = PREFTYPE_SYM; } - else if(opt.def_aead_algo - && !algo_available(PREFTYPE_AEAD, opt.def_aead_algo, NULL)) - { - badalg = openpgp_aead_algo_name (opt.def_aead_algo); - badtype = PREFTYPE_AEAD; - } else if(opt.def_digest_algo && !algo_available(PREFTYPE_HASH,opt.def_digest_algo,NULL)) { @@ -4153,12 +4102,6 @@ main (int argc, char **argv) badalg, gnupg_compliance_option_string (opt.compliance)); break; - case PREFTYPE_AEAD: - log_info (_("AEAD algorithm '%s'" - " may not be used in %s mode\n"), - badalg, - gnupg_compliance_option_string (opt.compliance)); - break; case PREFTYPE_HASH: log_info (_("digest algorithm '%s'" " may not be used in %s mode\n"), 
@@ -4184,7 +4127,6 @@ main (int argc, char **argv) * is not. This is us being nice to the user informing her early * that the chosen algorithms are not available. We also check * and enforce this right before the actual operation. */ - /* FIXME: We also need to check the AEAD algo. */ if (opt.def_cipher_algo && ! gnupg_cipher_is_allowed (opt.compliance, cmd == aEncr diff --git a/g10/keygen.c b/g10/keygen.c index 7a79b378f..484352583 100644 --- a/g10/keygen.c +++ b/g10/keygen.c @@ -564,29 +564,6 @@ keygen_set_std_prefs (const char *string,int personal) opt.personal_cipher_prefs[i].value = 0; } } - else if (personal == PREFTYPE_AEAD) - { - xfree(opt.personal_aead_prefs); - - if (!naead) - opt.personal_aead_prefs = NULL; - else - { - int i; - - opt.personal_aead_prefs= - xmalloc(sizeof(prefitem_t *)*(naead+1)); - - for (i=0; i