mirror of git://git.gnupg.org/gnupg.git synced 2025-07-02 22:46:30 +02:00

gpg: Do not allow old cipher algorithms for encryption.

* g10/gpg.c: New option --allow-old-cipher-algos.
(set_compliance_option): Set --rfc4880bis explicitly to SHA256 and
AES256.  Allow old cipher algos for OpenPGP, rfc4880, and rfc2440.
* g10/options.h (opt): Add flags.allow_old_cipher_algos.
* g10/misc.c (print_sha1_keysig_rejected_note): Always print the note
unless in --quiet mode.
* g10/encrypt.c (setup_symkey): Disallow by default algos with a
blocklength < 128.
(encrypt_crypt): Ditto.  Fallback by default to AES instead of 3DES.
* g10/pkclist.c (algo_available): Take care of old cipher also.
(select_algo_from_prefs): Use AES as implicit algorithm by default.

* tests/openpgp/defs.scm (create-gpghome): Set allow-old-cipher-algos.
--

GnuPG-bug-id: 3415
Werner Koch 2021-02-10 14:31:34 +01:00
parent 6e730c1881
commit 825dd7220f
No known key found for this signature in database
GPG key ID: E3FDFF218E45B72B
7 changed files with 92 additions and 16 deletions


@ -1397,6 +1397,10 @@ algo_available( preftype_t preftype, int algo, const struct pref_hint *hint)
{
if( preftype == PREFTYPE_SYM )
{
if (!opt.flags.allow_old_cipher_algos
&& openpgp_cipher_blocklen (algo) < 16)
return 0; /* We don't want this one. */
if(PGP7 && (algo != CIPHER_ALGO_IDEA
&& algo != CIPHER_ALGO_3DES
&& algo != CIPHER_ALGO_CAST5
@ -1494,12 +1498,15 @@ select_algo_from_prefs(PK_LIST pk_list, int preftype,
switch(preftype)
{
case PREFTYPE_SYM:
/* IDEA is implicitly there for v3 keys with v3 selfsigs if
--pgp2 mode is on. This was a 2440 thing that was
dropped from 4880 but is still relevant to GPG's 1991
support. All this doesn't mean IDEA is actually
available, of course. */
implicit=CIPHER_ALGO_3DES;
/* Historical note: IDEA is implicitly there for v3 keys
with v3 selfsigs if --pgp2 mode is on. This was a 2440
thing that was dropped from 4880 but is still relevant to
GPG's 1991 support. All this doesn't mean IDEA is
actually available, of course. */
if (opt.flags.allow_old_cipher_algos)
implicit = CIPHER_ALGO_3DES;
else
implicit = CIPHER_ALGO_AES;
break;
case PREFTYPE_AEAD: