gpg: Allow only OCB for AEAD encryption.

* g10/gpg.c (opts): New option--force-ocb as alias for force-aead. Turn --aead-algo and --personal-aead-preferences into dummy options. (build_list_md_test_algo, build_list_aead_algo_name): Remove. (my_strusage): Remove output of AEAD algos. (main): Remove code from the --aead options. * g10/encrypt.c (encrypt_seskey): Make file local. (use_aead): Remove requirement for rfc4880bis. Always return AEAD_ALGO_OCB. * g10/main.h (DEFAULT_AEAD_ALGO): Removed unused macro. * g10/misc.c (default_aead_algo): Remove. * g10/pkclist.c (select_aead_from_pklist): Return AEAD_ALGO_OCB or 0. (select_algo_from_prefs): Remove personal AEAD algo setting. * g10/keygen.c (keygen_set_std_prefs): Remove AEAD preference option parsing. * g10/options.h (opt): Remove def_aead_algo and personal_aead_prefs. -- Due to the meanwhile expired patent on OCB there is no more reason for using EAX. Thus we forcefully use OCB if the AEAD feature flag is set on a key.
2024-12-22 10:19:57 +01:00 · 2022-10-31 15:51:21 +01:00 · 2022-10-31 15:51:21 +01:00 · 5a2cef801d
commit 5a2cef801d
parent 03f04dfb9a
8 changed files with 20 additions and 140 deletions
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@ -2760,12 +2760,14 @@ is the default.
@itemx --no-force-v4-certs
 These options are obsolete and have no effect since GnuPG 2.1.
-@item --force-aead
+@item --force-ocb
@itemx --force-aead
@opindex force-ocb
@opindex force-aead
 Force the use of AEAD encryption over MDC encryption.  AEAD is a
 modern and faster way to do authenticated encryption than the old MDC
-method.  See also options @option{--aead-algo} and
+method.  @option{--force-aead} is an alias and deprecated.  See also
-@option{--chunk-size}.
+option @option{--chunk-size}.
@item --force-mdc
@itemx --disable-mdc
@ -2810,16 +2812,6 @@ preferences, as GPG will only select an algorithm that is usable by
 all recipients.  The most highly ranked cipher in this list is also
 used for the @option{--symmetric} encryption command.
@item --personal-aead-preferences @var{string}
@opindex personal-aead-preferences
 Set the list of personal AEAD preferences to @var{string}.  Use
@command{@gpgname --version} to get a list of available algorithms,
 and use @code{none} to set no preference at all.  This allows the user
 to safely override the algorithm chosen by the recipient key
 preferences, as GPG will only select an algorithm that is usable by
 all recipients.  The most highly ranked cipher in this list is also
 used for the @option{--symmetric} encryption command.
@item --personal-digest-preferences @var{string}
@opindex personal-digest-preferences
 Set the list of personal digest preferences to @var{string}.  Use
@ -3233,16 +3225,6 @@ it allows you to violate the OpenPGP standard.  The option
@option{--personal-cipher-preferences} is the safe way to accomplish the
 same thing.
@item --aead-algo @var{name}
@opindex aead-algo
 Specify that the AEAD algorithm @var{name} is to be used.  This is
 useful for symmetric encryption where no key preference are available
 to select the AEAD algorithm.  Running @command{@gpgname} with option
@option{--version} shows the available AEAD algorithms.  In general,
 you do not want to use this option as it allows you to violate the
 OpenPGP standard.  The option @option{--personal-aead-preferences} is
 the safe way to accomplish the same thing.
@item --digest-algo @var{name}
@opindex digest-algo
 Use @var{name} as the message digest algorithm. Running the program
@ -3786,6 +3768,13 @@ it. These options are deprecated. Use @option{--list-options
 [no-]show-policy-url} and/or @option{--verify-options
 [no-]show-policy-url} instead.
@item --personal-aead-preferences @var{string}
@opindex personal-aead-preferences
 This option is deprecated and has no more effect since version 2.3.9.
@item --aead-algo @var{name}
 This option is deprecated and has no more effect since version 2.3.9.
@end table
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@ -219,7 +219,7 @@ check_encryption_compliance (DEK *dek, pk_list_t pk_list)
 * stored at R_SESKEY.  If AEAD_ALGO is not 0 the given AEAD algorithm
 * is used for encryption.
 */
-gpg_error_t
+static gpg_error_t
 encrypt_seskey (DEK *dek, aead_algo_t aead_algo,
                DEK **r_seskey, void **r_enckey, size_t *r_enckeylen)
 {
@ -344,14 +344,6 @@ use_aead (pk_list_t pk_list, int algo)
 {
  int can_use;
  if (!opt.flags.rfc4880bis)
    {
      if (opt.force_aead)
        log_info ("Warning: Option %s currently requires option '%s'\n",
                  "--force-aead", "--rfc4880bis");
      return 0;
    }
  can_use = openpgp_cipher_get_algo_blklen (algo) == 16;
  /* With --force-aead we want AEAD.  */
@ -363,7 +355,7 @@ use_aead (pk_list_t pk_list, int algo)
                    openpgp_cipher_algo_name (algo));
          return 0;
        }
-      return default_aead_algo ();
+      return AEAD_ALGO_OCB;
    }
  /* AEAD does only work with 128 bit cipher blocklength.  */
--- a/g10/gpg.c
+++ b/g10/gpg.c
@ -254,7 +254,6 @@ enum cmd_and_opt_values
    oRFC2440Text,
    oNoRFC2440Text,
    oCipherAlgo,
    oAEADAlgo,
    oDigestAlgo,
    oCertDigestAlgo,
    oCompressAlgo,
@ -383,7 +382,6 @@ enum cmd_and_opt_values
    oDefaultPreferenceList,
    oDefaultKeyserverURL,
    oPersonalCipherPreferences,
    oPersonalAEADPreferences,
    oPersonalDigestPreferences,
    oPersonalCompressPreferences,
    oAgentProgram,
@ -675,7 +673,6 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_n (oEnableDSA2, "enable-dsa2", "@"),
  ARGPARSE_s_n (oDisableDSA2, "disable-dsa2", "@"),
  ARGPARSE_s_s (oPersonalCipherPreferences, "personal-cipher-preferences","@"),
  ARGPARSE_s_s (oPersonalAEADPreferences, "personal-aead-preferences","@"),
  ARGPARSE_s_s (oPersonalDigestPreferences, "personal-digest-preferences","@"),
  ARGPARSE_s_s (oPersonalCompressPreferences,
                                         "personal-compress-preferences", "@"),
@ -855,7 +852,8 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_s (oS2KDigest, "s2k-digest-algo", "@"),
  ARGPARSE_s_s (oS2KCipher, "s2k-cipher-algo", "@"),
  ARGPARSE_s_i (oS2KCount, "s2k-count", "@"),
-  ARGPARSE_s_n (oForceAEAD, "force-aead", "@"),
+  ARGPARSE_s_n (oForceAEAD, "force-ocb", "@"),
  ARGPARSE_s_n (oForceAEAD, "force-aead", "@"),  /*(old name)*/
  ARGPARSE_s_n (oRequireCrossCert, "require-backsigs", "@"),
  ARGPARSE_s_n (oRequireCrossCert, "require-cross-certification", "@"),
  ARGPARSE_s_n (oNoRequireCrossCert, "no-require-backsigs", "@"),
@ -876,7 +874,6 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_s (oDisableCipherAlgo,  "disable-cipher-algo", "@"),
  ARGPARSE_s_s (oDisablePubkeyAlgo,  "disable-pubkey-algo", "@"),
  ARGPARSE_s_s (oCipherAlgo, "cipher-algo", "@"),
  ARGPARSE_s_s (oAEADAlgo,   "aead-algo", "@"),
  ARGPARSE_s_s (oDigestAlgo, "digest-algo", "@"),
  ARGPARSE_s_s (oCertDigestAlgo, "cert-digest-algo", "@"),
  ARGPARSE_s_n (oOverrideComplianceCheck, "override-compliance-check", "@"),
@ -928,8 +925,6 @@ static gpgrt_opt_t opts[] = {
  /* Aliases.  I constantly mistype these, and assume other people do
     as well. */
  ARGPARSE_s_s (oPersonalCipherPreferences, "personal-cipher-prefs", "@"),
  ARGPARSE_s_s (oPersonalAEADPreferences,   "personal-aead-prefs", "@"),
  ARGPARSE_s_s (oPersonalDigestPreferences, "personal-digest-prefs", "@"),
  ARGPARSE_s_s (oPersonalCompressPreferences, "personal-compress-prefs", "@"),
  /* These two are aliases to help users of the PGP command line
@ -972,6 +967,8 @@ static gpgrt_opt_t opts[] = {
  ARGPARSE_s_n (oNoop, "allow-multisig-verification", "@"),
  ARGPARSE_s_n (oNoop, "allow-multiple-messages", "@"),
  ARGPARSE_s_n (oNoop, "no-allow-multiple-messages", "@"),
  ARGPARSE_s_s (oNoop, "aead-algo", "@"),
  ARGPARSE_s_s (oNoop, "personal-aead-preferences","@"),
  ARGPARSE_group (302, N_(
@ -1112,18 +1109,6 @@ build_list_cipher_algo_name (int algo)
  return openpgp_cipher_algo_name (algo);
 }
 static int
 build_list_aead_test_algo (int algo)
 {
  return openpgp_aead_test_algo (algo);
 }
 static const char *
 build_list_aead_algo_name (int algo)
 {
  return openpgp_aead_algo_name (algo);
 }
 static int
 build_list_md_test_algo (int algo)
 {
@ -1145,7 +1130,7 @@ build_list_md_algo_name (int algo)
 static const char *
 my_strusage( int level )
 {
-  static char *digests, *pubkeys, *ciphers, *zips, *aeads, *ver_gcry;
+  static char *digests, *pubkeys, *ciphers, *zips, *ver_gcry;
  const char *p;
  switch( level ) {
@ -1207,13 +1192,6 @@ my_strusage( int level )
                                 build_list_cipher_test_algo );
 	p = ciphers;
 	break;
      case 36:
 	if (!aeads)
          aeads = build_list ("AEAD: ", 'A',
                              build_list_aead_algo_name,
                              build_list_aead_test_algo);
 	p = aeads;
 	break;
      case 37:
 	if( !digests )
 	    digests = build_list(_("Hash: "), 'H',
@ -2251,7 +2229,6 @@ set_compliance_option (enum cmd_and_opt_values option)
      opt.escape_from = 1;
      opt.not_dash_escaped = 0;
      opt.def_cipher_algo = 0;
      opt.def_aead_algo = 0;
      opt.def_digest_algo = 0;
      opt.cert_digest_algo = 0;
      opt.compress_algo = -1;
@ -2273,7 +2250,6 @@ set_compliance_option (enum cmd_and_opt_values option)
      opt.escape_from = 1;
      opt.not_dash_escaped = 0;
      opt.def_cipher_algo = 0;
      opt.def_aead_algo = 0;
      opt.def_digest_algo = 0;
      opt.cert_digest_algo = 0;
      opt.compress_algo = -1;
@ -2291,7 +2267,6 @@ set_compliance_option (enum cmd_and_opt_values option)
      opt.escape_from = 0;
      opt.not_dash_escaped = 0;
      opt.def_cipher_algo = 0;
      opt.def_aead_algo = 0;
      opt.def_digest_algo = 0;
      opt.cert_digest_algo = 0;
      opt.compress_algo = -1;
@ -2310,7 +2285,6 @@ set_compliance_option (enum cmd_and_opt_values option)
    case oDE_VS:
      set_compliance_option (oOpenPGP);
      opt.compliance = CO_DE_VS;
      opt.def_aead_algo = 0;
      /* We divert here from the backward compatible rfc4880 algos.  */
      opt.s2k_digest_algo = DIGEST_ALGO_SHA256;
      opt.s2k_cipher_algo = CIPHER_ALGO_AES256;
@ -2391,14 +2365,12 @@ main (int argc, char **argv)
    const char *trustdb_name = NULL;
 #endif /*!NO_TRUST_MODELS*/
    char *def_cipher_string = NULL;
    char *def_aead_string = NULL;
    char *def_digest_string = NULL;
    char *compress_algo_string = NULL;
    char *cert_digest_string = NULL;
    char *s2k_cipher_string = NULL;
    char *s2k_digest_string = NULL;
    char *pers_cipher_list = NULL;
    char *pers_aead_list = NULL;
    char *pers_digest_list = NULL;
    char *pers_compress_list = NULL;
    int eyes_only=0;
@ -2464,7 +2436,6 @@ main (int argc, char **argv)
    opt.bz2_compress_level = -1; /* defaults to standard compress level */
    /* note: if you change these lines, look at oOpenPGP */
    opt.def_cipher_algo = 0;
    opt.def_aead_algo = 0;
    opt.def_digest_algo = 0;
    opt.cert_digest_algo = 0;
    opt.compress_algo = -1; /* defaults to DEFAULT_COMPRESS_ALGO */
@ -3287,9 +3258,6 @@ main (int argc, char **argv)
 	  case oCipherAlgo:
            def_cipher_string = xstrdup(pargs.r.ret_str);
            break;
 	  case oAEADAlgo:
            def_aead_string = xstrdup (pargs.r.ret_str);
            break;
 	  case oDigestAlgo:
            def_digest_string = xstrdup(pargs.r.ret_str);
            break;
@ -3571,9 +3539,6 @@ main (int argc, char **argv)
          case oPersonalCipherPreferences:
 	    pers_cipher_list=pargs.r.ret_str;
 	    break;
          case oPersonalAEADPreferences:
 	    pers_aead_list = pargs.r.ret_str;
 	    break;
          case oPersonalDigestPreferences:
 	    pers_digest_list=pargs.r.ret_str;
 	    break;
@ -3964,13 +3929,6 @@ main (int argc, char **argv)
 	if ( openpgp_cipher_test_algo (opt.def_cipher_algo) )
 	    log_error(_("selected cipher algorithm is invalid\n"));
    }
    if (def_aead_string)
      {
 	opt.def_aead_algo = string_to_aead_algo (def_aead_string);
 	xfree (def_aead_string); def_aead_string = NULL;
 	if (openpgp_aead_test_algo (opt.def_aead_algo))
          log_error(_("selected AEAD algorithm is invalid\n"));
      }
    if( def_digest_string ) {
 	opt.def_digest_algo = string_to_digest_algo (def_digest_string);
 	xfree(def_digest_string); def_digest_string = NULL;
@ -4031,9 +3989,6 @@ main (int argc, char **argv)
       keygen_set_std_prefs(pers_cipher_list,PREFTYPE_SYM))
      log_error(_("invalid personal cipher preferences\n"));
    if (pers_aead_list && keygen_set_std_prefs (pers_aead_list, PREFTYPE_AEAD))
      log_error(_("invalid personal AEAD preferences\n"));
    if(pers_digest_list &&
       keygen_set_std_prefs(pers_digest_list,PREFTYPE_HASH))
      log_error(_("invalid personal digest preferences\n"));
@ -4118,12 +4073,6 @@ main (int argc, char **argv)
 	    badalg = openpgp_cipher_algo_name (opt.def_cipher_algo);
 	    badtype = PREFTYPE_SYM;
 	  }
 	else if(opt.def_aead_algo
 	   && !algo_available(PREFTYPE_AEAD, opt.def_aead_algo, NULL))
 	  {
 	    badalg = openpgp_aead_algo_name (opt.def_aead_algo);
 	    badtype = PREFTYPE_AEAD;
 	  }
 	else if(opt.def_digest_algo
 		&& !algo_available(PREFTYPE_HASH,opt.def_digest_algo,NULL))
 	  {
@ -4153,12 +4102,6 @@ main (int argc, char **argv)
 			 badalg,
                          gnupg_compliance_option_string (opt.compliance));
 		break;
 	      case PREFTYPE_AEAD:
 		log_info (_("AEAD algorithm '%s'"
                            " may not be used in %s mode\n"),
                          badalg,
                          gnupg_compliance_option_string (opt.compliance));
 		break;
 	      case PREFTYPE_HASH:
 		log_info (_("digest algorithm '%s'"
                            " may not be used in %s mode\n"),
@ -4184,7 +4127,6 @@ main (int argc, char **argv)
     * is not.  This is us being nice to the user informing her early
     * that the chosen algorithms are not available.  We also check
     * and enforce this right before the actual operation.  */
    /* FIXME: We also need to check the AEAD algo. */
    if (opt.def_cipher_algo
 	&& ! gnupg_cipher_is_allowed (opt.compliance,
 				      cmd == aEncr
--- a/g10/keygen.c
+++ b/g10/keygen.c
@ -564,29 +564,6 @@ keygen_set_std_prefs (const char *string,int personal)
 		    opt.personal_cipher_prefs[i].value = 0;
 		  }
 	      }
 	    else if (personal == PREFTYPE_AEAD)
 	      {
 		xfree(opt.personal_aead_prefs);
 		if (!naead)
 		  opt.personal_aead_prefs = NULL;
 		else
 		  {
 		    int i;
 		    opt.personal_aead_prefs=
 		      xmalloc(sizeof(prefitem_t *)*(naead+1));
 		    for (i=0; i<naead; i++)
 		      {
 			opt.personal_aead_prefs[i].type = PREFTYPE_AEAD;
 			opt.personal_aead_prefs[i].value = aead[i];
 		      }
 		    opt.personal_aead_prefs[i].type = PREFTYPE_NONE;
 		    opt.personal_aead_prefs[i].value = 0;
 		  }
 	      }
 	    else if(personal==PREFTYPE_HASH)
 	      {
 		xfree(opt.personal_digest_prefs);
--- a/g10/main.h
+++ b/g10/main.h
@ -41,8 +41,6 @@
 # define DEFAULT_CIPHER_ALGO     CIPHER_ALGO_3DES
 #endif
 #define DEFAULT_AEAD_ALGO  AEAD_ALGO_OCB
 #define DEFAULT_DIGEST_ALGO     ((GNUPG)? DIGEST_ALGO_SHA256:DIGEST_ALGO_SHA1)
 #define DEFAULT_S2K_DIGEST_ALGO DIGEST_ALGO_SHA1
 #ifdef HAVE_ZIP
@ -169,7 +167,6 @@ const char *compress_algo_to_string(int algo);
 int string_to_compress_algo(const char *string);
 int check_compress_algo(int algo);
 int default_cipher_algo(void);
 aead_algo_t default_aead_algo(void);
 int default_compress_algo(void);
 void compliance_failure(void);
@ -240,8 +237,6 @@ void display_online_help( const char *keyword );
 /*-- encode.c --*/
 gpg_error_t setup_symkey (STRING2KEY **symkey_s2k,DEK **symkey_dek);
 gpg_error_t encrypt_seskey (DEK *dek, aead_algo_t aead_algo, DEK **r_seskey,
                            void **r_enckey, size_t *r_enckeylen);
 aead_algo_t use_aead (pk_list_t pk_list, int algo);
 int use_mdc (pk_list_t pk_list,int algo);
 int encrypt_symmetric (const char *filename );
--- a/g10/misc.c
+++ b/g10/misc.c
@ -1387,17 +1387,6 @@ default_cipher_algo(void)
 }
 aead_algo_t
 default_aead_algo(void)
 {
  if(opt.def_aead_algo)
    return opt.def_aead_algo;
  else if(opt.personal_aead_prefs)
    return opt.personal_aead_prefs[0].value;
  else
    return DEFAULT_AEAD_ALGO;
 }
 /* There is no default_digest_algo function, but see
   sign.c:hash_for() */
--- a/g10/options.h
+++ b/g10/options.h
@ -92,7 +92,6 @@ struct
  int no_armor;
  int list_packets; /* Option --list-packets active.  */
  int def_cipher_algo;
  int def_aead_algo;
  int force_mdc;
  int disable_mdc;
  int force_aead;
@ -180,7 +179,6 @@ struct
  const char *def_preference_list;
  const char *def_keyserver_url;
  prefitem_t *personal_cipher_prefs;
  prefitem_t *personal_aead_prefs;
  prefitem_t *personal_digest_prefs;
  prefitem_t *personal_compress_prefs;
  struct weakhash *weak_digests;
--- a/g10/pkclist.c
+++ b/g10/pkclist.c
@ -1603,8 +1603,6 @@ select_algo_from_prefs(PK_LIST pk_list, int preftype,
      prefs=NULL;
      if(preftype==PREFTYPE_SYM && opt.personal_cipher_prefs)
 	prefs=opt.personal_cipher_prefs;
      else if(preftype==PREFTYPE_AEAD && opt.personal_aead_prefs)
 	prefs=opt.personal_aead_prefs;
      else if(preftype==PREFTYPE_HASH && opt.personal_digest_prefs)
 	prefs=opt.personal_digest_prefs;
      else if(preftype==PREFTYPE_ZIP && opt.personal_compress_prefs)
@ -1720,7 +1718,7 @@ select_aead_from_pklist (PK_LIST pk_list)
        return 0;  /* At least one recipient does not support it. */
    }
-  return default_aead_algo (); /* Yes, AEAD can be used. */
+  return AEAD_ALGO_OCB; /* Yes, AEAD can be used. */
 }